[Git][security-tracker-team/security-tracker][master] 3 commits: claim golang 1.7 and 1.8

Thorsten Alteholz alteholz at debian.org
Fri Oct 30 15:54:19 GMT 2020



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
546bb076 by Thorsten Alteholz at 2020-10-30T16:27:19+01:00
claim golang 1.7 and 1.8

- - - - -
230cb540 by Thorsten Alteholz at 2020-10-30T16:28:34+01:00
some no-dsa CVEs will be fixed as well

- - - - -
bf7fd429 by Thorsten Alteholz at 2020-10-30T16:54:08+01:00
Reserve DLA-2421-1 for cimg

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -156852,35 +156852,30 @@ CVE-2018-7642 (The swap_std_reloc_in function in aoutx.h in the Binary File Desc
 CVE-2018-7641 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...)
 	{DLA-1934-1}
 	- cimg 2.3.6+dfsg-1 (low; bug #892780)
-	[stretch] - cimg <no-dsa> (Minor issue)
 	[wheezy] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/dtschump/CImg/issues/185
 	NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb
 CVE-2018-7640 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...)
 	{DLA-1934-1}
 	- cimg 2.3.6+dfsg-1 (low; bug #892780)
-	[stretch] - cimg <no-dsa> (Minor issue)
 	[wheezy] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/dtschump/CImg/issues/185
 	NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb
 CVE-2018-7639 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...)
 	{DLA-1934-1}
 	- cimg 2.3.6+dfsg-1 (low; bug #892780)
-	[stretch] - cimg <no-dsa> (Minor issue)
 	[wheezy] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/dtschump/CImg/issues/185
 	NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb
 CVE-2018-7638 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...)
 	{DLA-1934-1}
 	- cimg 2.3.6+dfsg-1 (low; bug #892780)
-	[stretch] - cimg <no-dsa> (Minor issue)
 	[wheezy] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/dtschump/CImg/issues/185
 	NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb
 CVE-2018-7637 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...)
 	{DLA-1934-1}
 	- cimg 2.3.6+dfsg-1 (low; bug #892780)
-	[stretch] - cimg <no-dsa> (Minor issue)
 	[wheezy] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/dtschump/CImg/issues/185
 	NOTE: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb
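Review bot: the `{DLA-1934-1}` advisory lines for CVE-2018-7637 through CVE-2018-7641 are left unchanged while the stretch `<no-dsa>` markers are dropped, so nothing in this file yet ties these five CVEs to DLA-2421-1; if the tracker convention is to list every issued advisory on that line, they should become `{DLA-1934-1 DLA-2421-1}` when the advisory is published (or be updated by the release tooling at that point). Dropping the stretch no-dsa lines is otherwise consistent with the DLA-2421-1 reservation in data/DLA/list, and leaving the wheezy lines untouched is correct since wheezy is no longer supported.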
@@ -156983,14 +156978,12 @@ CVE-2018-7590 (CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in
 CVE-2018-7589 (An issue was discovered in CImg v.220. A double free in load_bmp in CI ...)
 	{DLA-1934-1}
 	- cimg 2.3.6+dfsg-1 (low; bug #892780)
-	[stretch] - cimg <no-dsa> (Minor issue)
 	[wheezy] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/dtschump/CImg/issues/184
 	NOTE: https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4
 CVE-2018-7588 (An issue was discovered in CImg v.220. A heap-based buffer over-read i ...)
 	{DLA-1934-1}
 	- cimg 2.3.6+dfsg-1 (low; bug #892780)
-	[stretch] - cimg <no-dsa> (Minor issue)
 	[wheezy] - cimg <no-dsa> (Minor issue)
 	NOTE: https://github.com/dtschump/CImg/issues/183
 	NOTE: https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4
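Review bot: the commit message "some no-dsa CVEs will be fixed as well" names neither the CVEs nor the suite, yet this hunk and the one above together flip seven stretch entries (CVE-2018-7588, CVE-2018-7589 and CVE-2018-7637 to CVE-2018-7641) from `<no-dsa>` to pending fix; listing them and the target DLA in the message would make the history searchable from `git log` alone.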


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Oct 2020] DLA-2421-1 cimg - security update
+	{CVE-2018-7588 CVE-2018-7589 CVE-2018-7637 CVE-2018-7638 CVE-2018-7639 CVE-2018-7640 CVE-2018-7641 CVE-2019-1010174}
+	[stretch] - cimg 1.7.9+dfsg-1+deb9u1
 [29 Oct 2020] DLA-2420-1 linux - security update
 	{CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448 CVE-2020-12351 CVE-2020-12352 CVE-2020-12655 CVE-2020-12771 CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331 CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393 CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212 CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-26088}
 	[stretch] - linux 4.9.240-1
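Review bot: the DLA-2421-1 entry lists CVE-2019-1010174 alongside the seven CVE-2018 issues, but none of the data/CVE/list hunks in this push touch CVE-2019-1010174; check that its stretch status line is updated in the same way, otherwise the tracker will show it as covered by the DLA while still carrying whatever stretch marker it has today. Also confirm that `1.7.9+dfsg-1+deb9u1` matches the version string of the actual stretch upload before the advisory text is sent.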


=====================================
data/dla-needed.txt
=====================================
@@ -45,13 +45,6 @@ ceph
   NOTE: 20200928: Packages prepared and available at http://apt.inguza.net/stretch-lts/ceph/
   NOTE: 20200928: If someone know how to test the packages please take this build and upload (after testing it).
 --
-cimg (Thorsten Alteholz)
-  NOTE: 20200709: Upstream patch is against a newer "load_network_external"
-  NOTE: 20200709: method (vs "load_network") but is still missing the argument
-  NOTE: 20200709: sanitisation. (lamby)
-  NOTE: 20201005: checking whether reverse dependencies still build/work
-  NOTE: 20201018: recovering from a broken computer :-(
---
 condor
   NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
   NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
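Review bot: removing the cimg block also removes lamby's 20200709 observation that the upstream patch targets `load_network_external` rather than `load_network` and still lacks argument sanitisation; if that gap was not closed in the stretch upload, carry it as a NOTE on the affected entry in data/CVE/list (or into the DLA text) so the finding does not disappear with the claim. Deleting the block's trailing `--` together with it keeps the separator structure of the file intact.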
@@ -72,9 +65,9 @@ fossil
 --
 freerdp
 --
-golang-1.7
+golang-1.7 (Thorsten Alteholz)
 --
-golang-1.8
+golang-1.8 (Thorsten Alteholz)
 --
 golang-github-dgrijalva-jwt-go
 --
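Review bot: the golang-1.7 and golang-1.8 claims carry no dated NOTE, unlike the ceph and condor entries above; a `NOTE: 20201030: ...` line stating the intended scope (which CVEs are targeted and whether both packages are handled together) would let other LTS contributors see the status without asking.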



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9c8031fa96ce14fb3f07c40a43667ae71c441a64...bf7fd429fa6f274e1edda022cd2b635e116f0b91
