[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixes for three CVEs for libpodofo via experimental

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed May 4 20:51:26 BST 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2ad72a39 by Salvatore Bonaccorso at 2022-05-04T21:49:37+02:00
Track fixes for three CVEs for libpodofo via experimental

- - - - -
4c7da628 by Salvatore Bonaccorso at 2022-05-04T21:50:30+02:00
Reference upstream commit for CVE-2019-10723

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -167039,6 +167039,7 @@ CVE-2019-20094 (An issue was discovered in libsixel 1.8.4. There is a heap-based
 	NOTE: https://github.com/saitoha/libsixel/issues/125
 	NOTE: https://github.com/saitoha/libsixel/commit/a18b3789cfd147028403c17fe79a43b169d8f034
 CVE-2019-20093 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...)
+	[experimental] - libpodofo 0.9.8+dfsg-1
 	- libpodofo <unfixed> (bug #977302)
 	[bullseye] - libpodofo <ignored> (Minor issue)
 	[buster] - libpodofo <ignored> (Minor issue)
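
Review bot: the added "[experimental] - libpodofo 0.9.8+dfsg-1" line under CVE-2019-20093 records a fixed version, but nothing in the visible lines of this entry points to the upstream change that fixes PdfVariant::DelayedLoad. The libsixel entry just above carries both an issue and a commit NOTE. If no such NOTE exists further down in this entry, add one with the upstream revision, so the claim can be checked when 0.9.8 reaches unstable and the "<unfixed> (bug #977302)" line is updated.
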
@@ -203976,12 +203977,14 @@ CVE-2019-10725
 CVE-2019-10724 (There is a vulnerability with the Dolby DAX2 API system services in wh ...)
 	NOT-FOR-US: Dolby
 CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class i ...)
+	[experimental] - libpodofo 0.9.8+dfsg-1
 	- libpodofo <unfixed> (low; bug #926667)
 	[bullseye] - libpodofo <ignored> (Minor issue)
 	[buster] - libpodofo <ignored> (Minor issue)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <postponed> (clean exception quit/DoS, low popcon)
 	NOTE: https://sourceforge.net/p/podofo/tickets/46/
+	NOTE: https://sourceforge.net/p/podofo/code/2038/
 CVE-2019-1003099 (A missing permission check in Jenkins openid Plugin in the OpenIdSsoSe ...)
 	NOT-FOR-US: Jenkins openid Plugin
 CVE-2019-1003098 (A cross-site request forgery vulnerability in Jenkins openid Plugin in ...)
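
Review bot: the added "NOTE: https://sourceforge.net/p/podofo/code/2038/" under CVE-2019-10723 is a bare URL, so the entry does not say whether r2038 is the fix, a partial fix, or only a related change. The second commit message calls it the upstream commit for this CVE. Stating that in the entry, for example "NOTE: Fixed by: https://sourceforge.net/p/podofo/code/2038/", would make its role clear next to the existing ticket reference.
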
@@ -251589,6 +251592,7 @@ CVE-2018-12985
 CVE-2018-12984 (Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" credential ...)
 	NOT-FOR-US: Hycus CMS
 CVE-2018-12983 (A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryp ...)
+	[experimental] - libpodofo 0.9.8+dfsg-1
 	- libpodofo <unfixed> (low; bug #916580)
 	[bullseye] - libpodofo <no-dsa> (Minor issue)
 	[buster] - libpodofo <no-dsa> (Minor issue)
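
Review bot: the commit message "Track fixes for three CVEs for libpodofo via experimental" does not say how the fix in 0.9.8+dfsg-1 was confirmed for CVE-2018-12983 at the added "[experimental]" line, and the follow-up commit adds an upstream reference only for CVE-2019-10723. One line in the commit message naming the source of the version (upstream changelog, the Debian bug #916580, or an upstream revision) would let a later reader verify it before the "<unfixed>" line is changed.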



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f52e20d45094febb047c02d4cf6c81b435c2e471...4c7da628c35da17b106bfe821a4f627fd3d6419e
