[Git][security-tracker-team/security-tracker][master] 2 commits: Strip no-dsa tags for wavpack for stretch
Utkarsh Gupta
utkarsh at debian.org
Fri Jan 15 10:05:45 GMT 2021
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5e732fb8 by Utkarsh Gupta at 2021-01-15T15:34:26+05:30
Strip no-dsa tags for wavpack for stretch
- - - - -
a53fa4eb by Utkarsh Gupta at 2021-01-15T15:35:34+05:30
Reserve DLA-2525-1 for wavpack
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -115092,7 +115092,6 @@ CVE-2019-11499 (In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submiss
NOTE: https://dovecot.org/pipermail/dovecot/2019-April/115758.html
CVE-2019-11498 (WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack t ...)
- wavpack 5.1.0-6 (low; bug #927903)
- [stretch] - wavpack <no-dsa> (Minor issue)
[jessie] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
NOTE: https://github.com/dbry/WavPack/issues/67
NOTE: https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4
@@ -119662,7 +119661,6 @@ CVE-2019-9888
CVE-2019-1010319 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...)
- wavpack 5.1.0-7 (low; bug #932061)
[buster] - wavpack <no-dsa> (Minor issue)
- [stretch] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe
NOTE: https://github.com/dbry/WavPack/issues/68
CVE-2019-1010318
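Review bot: The [buster] no-dsa (Minor issue) line for CVE-2019-1010319 is kept while the [stretch] one is dropped, and the same holds for CVE-2019-1010317 in the next hunk. Once DLA-2525-1 covers stretch, buster is the only release still tagged no-dsa for these two, so consider queuing them for a buster point-release update so the older release does not end up ahead of the newer one.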
@@ -119670,14 +119668,12 @@ CVE-2019-1010318
CVE-2019-1010317 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...)
- wavpack 5.1.0-7 (low; bug #932060)
[buster] - wavpack <no-dsa> (Minor issue)
- [stretch] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b
NOTE: https://github.com/dbry/WavPack/issues/66
CVE-2019-1010316 (pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. Th ...)
NOT-FOR-US: pyxtrlock
CVE-2019-1010315 (WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The i ...)
- wavpack 5.1.0-6 (low)
- [stretch] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc
NOTE: https://github.com/dbry/WavPack/issues/65
CVE-2019-1010314 (Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The imp ...)
@@ -143847,12 +143843,10 @@ CVE-2018-19842 (getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allo
NOTE: https://github.com/radare/radare2/issues/12239
CVE-2018-19841 (The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a ...)
- wavpack 5.1.0-5 (bug #915565)
- [stretch] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/commit/bba5389dc598a92bdf2b297c3ea34620b6679b5b
NOTE: https://github.com/dbry/WavPack/issues/54
CVE-2018-19840 (The function WavpackPackInit in pack_utils.c in libwavpack.a in WavPac ...)
- wavpack 5.1.0-5 (bug #915564)
- [stretch] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/commit/070ef6f138956d9ea9612e69586152339dbefe51
NOTE: https://github.com/dbry/WavPack/issues/53
CVE-2018-19839 (In LibSass prior to 3.5.5, the function handle_error in sass_context.c ...)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[15 Jan 2021] DLA-2525-1 wavpack - security update
+ {CVE-2018-19840 CVE-2018-19841 CVE-2019-11498 CVE-2019-1010315 CVE-2019-1010317 CVE-2019-1010319 CVE-2020-35738}
+ [stretch] - wavpack 5.0.0-2+deb9u3
[13 Jan 2021] DLA-2524-1 spice-vdagent - security update
{CVE-2017-15108 CVE-2020-25650 CVE-2020-25651 CVE-2020-25652 CVE-2020-25653}
[stretch] - spice-vdagent 0.17.0-1+deb9u1
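Review bot: CVE-2020-35738 is in the DLA-2525-1 CVE set, but none of the data/CVE/list hunks in this push touch its entry, whereas the other six CVEs listed here each had a [stretch] no-dsa line stripped. Worth confirming that the CVE-2020-35738 entry carries no leftover [stretch] tag that would contradict the 5.0.0-2+deb9u3 fix.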
=====================================
data/dla-needed.txt
=====================================
@@ -135,11 +135,6 @@ spotweb
NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands.
NOTE: 20201220: Yes, this is a dumpster fire. Claim this package at your own peril. (roberto)
--
-wavpack (Utkarsh)
- NOTE: 20210104: Upstream patch does not cleanly apply, possibly because
- NOTE: 20210104: it is missing previously-added overflow checks on the
- NOTE: 20210104: value of config->num_channels which may need to be added. (lamby)
---
wireshark
NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
NOTE: 20201007: those fixes as well! \o/ (utkarsh)
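Review bot: The removed wavpack entry carried lamby's 20210104 note that the upstream patch did not apply cleanly and that overflow checks on config->num_channels may need to be added. Dropping it leaves no record in the tracker of how that was handled. Consider a NOTE on the affected CVE entry in data/CVE/list stating whether those checks were backported into 5.0.0-2+deb9u3.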
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f36659990e56636ffbdb58766c501fb1e57e1d2...a53fa4eb0f2bcacedf475e50e0f6c4e0075e5370