[Git][security-tracker-team/security-tracker][master] reserve DLA-3265-1 for exiv2
Helmut Grohne (@helmutg)
helmutg at debian.org
Tue Jan 10 16:44:50 GMT 2023
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker
Commits:
64c3ca93 by Helmut Grohne at 2023-01-10T17:44:15+01:00
reserve DLA-3265-1 for exiv2
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1506,7 +1506,7 @@ CVE-2018-25061 (A vulnerability was found in rgb2hex up to 0.1.5. It has been ra
CVE-2017-20160 (A vulnerability was found in flitto express-param up to 0.x. It has be ...)
NOT-FOR-US: express-param
CVE-2014-125029 (A vulnerability was found in ttskch PaginationServiceProvider up to 0. ...)
- NOT-FOR-US: ttskch/PaginationServiceProvider
+ NOT-FOR-US: ttskch/PaginationServiceProvider
CVE-2014-125028 (A vulnerability was found in valtech IDP Test Client and classified as ...)
NOT-FOR-US: valtech IDP Test Client
CVE-2022-4868 (Improper Authorization in GitHub repository froxlor/froxlor prior to 2 ...)
@@ -108652,21 +108652,18 @@ CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, wri
CVE-2021-37622 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 0.27.5-1
[bullseye] - exiv2 <ignored> (Minor issue)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv
NOTE: https://github.com/Exiv2/exiv2/pull/1788
CVE-2021-37621 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 0.27.5-1
[bullseye] - exiv2 <ignored> (Minor issue)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg
NOTE: https://github.com/Exiv2/exiv2/pull/1778
CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 0.27.5-1
[bullseye] - exiv2 <ignored> (Minor issue)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728
NOTE: https://github.com/Exiv2/exiv2/pull/1769
@@ -116527,7 +116524,6 @@ CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, wri
CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 0.27.5-1 (bug #992706)
[bullseye] - exiv2 <ignored> (Minor issue)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-hqjh-hpv8-8r9p
NOTE: https://github.com/Exiv2/exiv2/pull/1766
@@ -120321,7 +120317,6 @@ CVE-2021-32816 (ProtonMail Web Client is the official AngularJS web client for t
CVE-2021-32815 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 0.27.5-1 (bug #992705)
[bullseye] - exiv2 <ignored> (Minor issue)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mv9g-fxh2-m49m
NOTE: https://github.com/Exiv2/exiv2/pull/1739
@@ -129479,7 +129474,6 @@ CVE-2021-29459 (XWiki Platform is a generic wiki platform offering runtime servi
CVE-2021-29458 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 0.27.5-1 (bug #987277)
[bullseye] - exiv2 <no-dsa> (Minor issue)
- [buster] - exiv2 <no-dsa> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
NOTE: https://github.com/Exiv2/exiv2/issues/1530
@@ -185933,7 +185927,6 @@ CVE-2020-18772
RESERVED
CVE-2020-18771 (Exiv2 0.27.99.0 has a global buffer over-read in Exiv2::Internal::Niko ...)
- exiv2 0.27.2-6
- [buster] - exiv2 <no-dsa> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/756
CVE-2020-18770
@@ -240883,7 +240876,6 @@ CVE-2019-17403 (Nokia IMPACT < 18A: An unrestricted File Upload vulnerability
CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in ...)
{DLA-2019-1}
- exiv2 0.27.3-1 (bug #946341)
- [buster] - exiv2 <no-dsa> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/1019
NOTE: https://github.com/Exiv2/exiv2/commit/88054239e3c914862d13f6ac89a19a104fa2c076 (master)
@@ -250712,7 +250704,6 @@ CVE-2019-14371 (An issue was discovered in Libav 12.3. There is an infinite loop
NOTE: fixed through CVE-2018-11102 / https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/7abf394814d818973db562102f21ab9d10540840
CVE-2019-14370 (In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage: ...)
- exiv2 0.27.2-6
- [buster] - exiv2 <no-dsa> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
[jessie] - exiv2 <not-affected> (poc not triggered with asan/valgrind, different MemIo::seek bound check)
NOTE: https://github.com/Exiv2/exiv2/issues/954
@@ -250720,7 +250711,6 @@ CVE-2019-14370 (In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::Mrw
NOTE: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9
CVE-2019-14369 (Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 all ...)
- exiv2 0.27.2-6
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <not-affected> (poc not triggered with asan/valgrind, different MemIo::seek bound check)
NOTE: https://github.com/Exiv2/exiv2/issues/953
@@ -254043,7 +254033,6 @@ CVE-2019-13505 (The Appointment Hour Booking plugin 1.1.44 for WordPress allows
CVE-2019-13504 (There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrw ...)
{DLA-1855-1}
- exiv2 0.27.2-6 (low; bug #932467)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/pull/943 (fuzzer infrastructure)
NOTE: https://github.com/Exiv2/exiv2/pull/944
@@ -255148,7 +255137,6 @@ CVE-2019-13115 (In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchang
NOTE: https://github.com/libssh2/libssh2/commit/ff1b155731ff8f790f12d980911d9fd84d0e1598
CVE-2019-13114 (http.c in Exiv2 through 0.27.1 allows a malicious http server to cause ...)
- exiv2 0.27.2-6 (low)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <not-affected> (HTTP support yet added in 0.25)
NOTE: https://github.com/Exiv2/exiv2/commit/ccde30afa8ca787a3fe17388a15977f107a53b72
@@ -255162,7 +255150,6 @@ CVE-2019-13113 (Exiv2 through 0.27.1 allows an attacker to cause a denial of ser
NOTE: Negligible security impact
CVE-2019-13112 (A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 ...)
- exiv2 0.27.2-6 (low)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue, clean exception / local DoS)
NOTE: https://github.com/Exiv2/exiv2/commit/d3e69f6d2c60bd06bf1c0564b919989ecfc89ec1
@@ -255173,7 +255160,6 @@ CVE-2019-13111 (A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27
NOTE: https://github.com/Exiv2/exiv2/pull/797/commits
CVE-2019-13110 (A CiffDirectory::readDirectory integer overflow and out-of-bounds read ...)
- exiv2 0.27.2-6 (low)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue, read segfault)
NOTE: https://github.com/Exiv2/exiv2/issues/843
@@ -285956,7 +285942,6 @@ CVE-2018-20098 (There is a heap-based buffer over-read in Exiv2::Jp2Image::encod
CVE-2018-20097 (There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroup ...)
{DLA-1691-1}
- exiv2 0.27.2-6 (low)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/590
NOTE: proposed: https://github.com/Exiv2/exiv2/commit/203ab0db28c9666b16069d4056ac5f66f753a51d
@@ -292084,7 +292069,6 @@ CVE-2018-19536
CVE-2018-19535 (In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngch ...)
{DLA-1691-1}
- exiv2 0.27.2-6 (bug #915135)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/428
NOTE: https://github.com/Exiv2/exiv2/pull/430
@@ -293666,7 +293650,6 @@ CVE-2018-19109 (tianti 2.3 allows remote authenticated users to bypass intended
CVE-2018-19108 (In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PS ...)
{DLA-1691-1}
- exiv2 0.27.2-6 (bug #913272)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/426
NOTE: https://github.com/Exiv2/exiv2/pull/518
@@ -293675,7 +293658,6 @@ CVE-2018-19108 (In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in
CVE-2018-19107 (In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdi ...)
{DLA-1691-1}
- exiv2 0.27.2-6 (low; bug #913273)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/427
NOTE: https://github.com/Exiv2/exiv2/pull/518
@@ -297683,7 +297665,6 @@ CVE-2018-17582 (Tcpreplay v4.3.0 beta1 contains a heap-based buffer over-read. T
CVE-2018-17581 (CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has e ...)
{DLA-1691-1}
- exiv2 0.27.2-6 (low; bug #910060)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/460
NOTE: Fixed in: https://github.com/Exiv2/exiv2/commit/b3d077dcaefb6747fff8204490f33eba5a144edb
@@ -320732,7 +320713,6 @@ CVE-2018-8977 (In Exiv2 0.26, the Exiv2::Internal::printCsLensFFFF function in c
NOTE: https://github.com/Exiv2/exiv2/issues/247
CVE-2018-8976 (In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial ...)
- exiv2 0.27.2-6 (low; bug #903813)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[wheezy] - exiv2 <not-affected> (Vulnerable code not present)
NOTE: https://github.com/Exiv2/exiv2/issues/246
@@ -335680,7 +335660,6 @@ CVE-2017-18006 (netpub/server.np in Extensis Portfolio NetPublish has XSS in the
NOT-FOR-US: Extensis Portfolio NetPublish
CVE-2017-18005 (Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toL ...)
- exiv2 0.27.2-6 (low; bug #885981)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue)
[wheezy] - exiv2 <no-dsa> (Minor issue)
@@ -342320,7 +342299,6 @@ CVE-2017-17670 (In VideoLAN VLC media player through 2.2.8, there is a type conv
NOTE: POC: https://gist.github.com/dyntopia/194d912287656f66dd502158b0cd2e68
CVE-2017-17669 (There is a heap-based buffer over-read in the Exiv2::Internal::PngChun ...)
- exiv2 0.27.2-6 (bug #886006)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue)
[wheezy] - exiv2 <ignored> (Minor issue)
@@ -354187,7 +354165,6 @@ CVE-2017-14865 (There is a heap-based buffer overflow in the Exiv2::us2Data func
CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::getULon ...)
{DLA-1147-1}
- exiv2 0.27.2-6 (low)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/73
@@ -354201,7 +354178,6 @@ CVE-2017-14863 (A NULL pointer dereference was discovered in Exiv2::Image::print
CVE-2017-14862 (An Invalid memory address dereference was discovered in Exiv2::DataVal ...)
{DLA-1147-1}
- exiv2 0.27.2-6 (low)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/75
@@ -354220,7 +354196,6 @@ CVE-2017-14860 (There is a heap-based buffer over-read in the Exiv2::Jp2Image::r
CVE-2017-14859 (An Invalid memory address dereference was discovered in Exiv2::StringV ...)
{DLA-1147-1}
- exiv2 0.27.2-6 (low)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/74
@@ -363950,7 +363925,6 @@ CVE-2017-11592 (There is a Mismatched Memory Management Routines vulnerability i
CVE-2017-11591 (There is a Floating point exception in the Exiv2::ValueType function i ...)
{DLA-1147-1}
- exiv2 0.27.2-6 (low; bug #876893)
- [buster] - exiv2 <ignored> (Minor issue)
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/55
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[10 Jan 2023] DLA-3265-1 exiv2 - security update
+ {CVE-2017-11591 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864 CVE-2017-17669 CVE-2017-18005 CVE-2018-8976 CVE-2018-17581 CVE-2018-19107 CVE-2018-19108 CVE-2018-19535 CVE-2018-20097 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114 CVE-2019-13504 CVE-2019-14369 CVE-2019-14370 CVE-2019-17402 CVE-2020-18771 CVE-2021-29458 CVE-2021-32815 CVE-2021-34334 CVE-2021-37620 CVE-2021-37621 CVE-2021-37622}
+ [buster] - exiv2 0.25-4+deb10u4
[10 Jan 2023] DLA-3264-1 ruby-sinatra - security update
{CVE-2022-45442}
[buster] - ruby-sinatra 2.0.5-4+deb10u2
=====================================
data/dla-needed.txt
=====================================
@@ -53,9 +53,6 @@ erlang
NOTE: 20221119: Programming language: Erlang.
NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch)
--
-exiv2
- NOTE: 20221119: Programming language: C.
---
fig2dev
NOTE: 20230105: Programming language: C.
NOTE: 20230105: Harmonize with bullseye 11.5 and stretch (Beuc/front-desk)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64c3ca939330f98cea767592dbd2a11e06895bb6
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64c3ca939330f98cea767592dbd2a11e06895bb6
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230110/1419db48/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list