action #47561

Security Audit

Added by lnussel 7 months ago. Updated 5 months ago.

Status: Resolved
Start date: 11/04/2019
Priority: Normal
Due date: 26/04/2019
Assignee: jsegitz
% Done: 100%
Category: Security
Target version: RC
Duration: 12

Description

Security needs to take a look at the current snapshot.


Related issues

Copied from openSUSE Leap 15.0 - action #24884: Security Audit Closed 26/04/2018 11/05/2018

History

#1 Updated by lnussel 7 months ago

#2 Updated by lnussel 5 months ago

  • Assignee set to jsegitz

15.1 enters RC phase this week. Time for 2nd round of audit.

#3 Updated by jsegitz 5 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 80

Almost done from our side. I'm still working on a comparison of the fixes that went into Factory and what we might have missed for 15.1, but that will take a little bit longer anyway. For your planning purposes you can consider this done.

#4 Updated by jsegitz 5 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100

Missing fixes compared to Factory:
Needs checking:
- 389-ds: CVE-2017-15134 CVE-2018-1054 CVE-2018-10850 CVE-2018-10871 CVE-2018-1089 CVE-2018-10935 CVE-2018-14624 CVE-2018-14638 CVE-2018-14648
- gthumb: CVE-2018-18718
- icecast: CVE-2018-18820
- kcodecs: CVE-2013-0779
- python-colander: CVE-2017-18361
- rdesktop: CVE-2018-20174 CVE-2018-20175 CVE-2018-20176 CVE-2018-20177 CVE-2018-20178 CVE-2018-20179 CVE-2018-20180 CVE-2018-20181 CVE-2018-20182 CVE-2018-8791 CVE-2018-8792 CVE-2018-8793 CVE-2018-8794 CVE-2018-8795 CVE-2018-8796 CVE-2018-8797 CVE-2018-8798 CVE-2018-8799 CVE-2018-8800
- rust: CVE-2018-1000622
- taglib: CVE-2017-12678 CVE-2018-11439

maybe needs checking:
- GraphicsMagick: CVE-2016-2317
- NetworkManager-vpnc: CVE-2018-10900
- arc: CVE-2015-9275
- cacti: CVE-2009-4112 CVE-2018-20723 CVE-2018-20724 CVE-2018-20725 CVE-2018-20726
- cobbler: CVE-2017-1000469 CVE-2018-1000225 CVE-2018-1000226 CVE-2018-10931
- docker-distribution: CVE-2017-11468
- epiphany: CVE-2018-11396 CVE-2018-12016
- exim: CVE-2017-1000369 CVE-2017-16943 CVE-2017-16944 CVE-2018-6789
- ffmpeg-4: CVE-2017-17555 CVE-2018-13305
- freeimage: CVE-2015-0852 CVE-2016-5684
- hostapd: CVE-2017-13082 CVE-2018-14526
- leptonica: CVE-2017-18196 CVE-2018-3836 CVE-2018-7186 CVE-2018-7247 CVE-2018-7440 CVE-2018-7441 CVE-2018-7442
- libqt5-qtwebengine: CVE-2018-6033 CVE-2019-5786
- libuser: CVE-2015-3245 CVE-2015-3246
- live555: CVE-2019-7314
- mailman: CVE-2011-0707 CVE-2015-2775 CVE-2018-0618
- matrix-synapse: CVE-2018-12291 CVE-2019-5885
- mbedtls: CVE-2018-19608
- miniupnpc: CVE-2017-1000494
- mobidict: CVE-2018-11724 CVE-2018-11725 CVE-2018-11726
- mp3gain: CVE-2017-12911 CVE-2017-14407
- nagios: CVE-2018-13441 CVE-2018-13457 CVE-2018-13458 CVE-2018-18245
- netdata: CVE-2018-18836 CVE-2018-18837 CVE-2018-18838 CVE-2018-18839
- obs-service-refresh_patches: CVE-2018-12477
- otrs: CVE-2017-17476 CVE-2018-16586 CVE-2018-19141
- podofo: CVE-2017-7381 CVE-2017-7382 CVE-2017-7383 CVE-2017-8054 CVE-2018-11255 CVE-2018-11256 CVE-2018-12982 CVE-2018-14320 CVE-2018-20751 CVE-2018-5783
- postgresql96: CVE-2018-10915 CVE-2018-10925 CVE-2018-1115
- proftpd: CVE-2017-7418
- python-Django: CVE-2018-14574 CVE-2018-16984 CVE-2019-3498 CVE-2019-6975
- python-Django1: CVE-2018-14574 CVE-2019-3498 CVE-2019-6975
- python-bokeh: CVE-2017-18342
- python-buku: no CVEs found, please check the diff manually. Usually "CVE" is mentioned somewhere
- python-marshmallow: CVE-2018-17175
- python-rope: CVE-2014-3539
- python-semantic_version: no CVEs found, please check the diff manually. Usually "CVE" is mentioned somewhere
- python-slixmpp: CVE-2019-1000021
- python-websockets: CVE-2018-1000518
- rocksndiamonds: CVE-2011-4606
- rubygem-sinatra: CVE-2018-11627
- rust-packaging: no CVEs found, please check the diff manually. Usually "CVE" is mentioned somewhere
- sysdig: no CVEs found, please check the diff manually. Usually "CVE" is mentioned somewhere
- tcpreplay: CVE-2018-17580 CVE-2018-17582 CVE-2018-17974 CVE-2018-18407 CVE-2018-18408 CVE-2019-8376 CVE-2019-8377 CVE-2019-8381
- thttpd: CVE-2017-17663
- tmux: CVE-2018-19387
- ufraw: CVE-2015-8366 CVE-2018-19655
- vdr: no CVEs found, please check the diff manually. Usually "CVE" is mentioned somewhere
- wesnoth: CVE-2018-1999023
- znc: CVE-2019-9917

I'm going to weed out false positives and hand the remaining issues to reactive security for checking.
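As an added example (not part of the ticket and not the openSUSE security team's own tooling), a script that reproduces the kind of Factory-vs-15.1 comparison described in the comment above: for each package shipped in both, it reports CVE ids named in Factory-only changelog entries that the 15.1 changelog never mentions, and flags packages whose Factory-only entries name no CVE at all for a manual diff review. It assumes RPM-style %changelog text as input; the package names, dates, addresses and entry texts are constructed sample data (only the CVE ids are taken from the ticket).

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MANUAL = "no CVEs found, please check the diff manually"

# Constructed RPM %changelog snippets (placeholder dates/addresses, not real package data); CVE ids are from the ticket.
FACTORY = {
    "taglib": "* Thu Mar 14 2019 maint@example.com\n- security update for CVE-2018-11439\n"
              "* Mon Sep 10 2018 maint@example.com\n- fix CVE-2017-12678\n",
    "tmux": "* Tue Dec 04 2018 maint@example.com\n- security fix for CVE-2018-19387\n"
            "* Thu Jun 21 2018 maint@example.com\n- update to 2.8\n",
    "vdr": "* Fri Feb 01 2019 maint@example.com\n- update to 2.4.0, drop obsolete patches\n"
           "* Wed May 02 2018 maint@example.com\n- initial package\n",
    "icecast": "* Thu Nov 08 2018 maint@example.com\n- fix CVE-2018-18820\n",
}
LEAP_15_1 = {
    "taglib": "* Mon Sep 10 2018 maint@example.com\n- fix CVE-2017-12678\n",
    "tmux": "* Thu Jun 21 2018 maint@example.com\n- update to 2.8\n",
    "vdr": "* Wed May 02 2018 maint@example.com\n- initial package\n",
    "icecast": "* Thu Nov 08 2018 maint@example.com\n- fix CVE-2018-18820\n",
}

def cve_ids(text):
    """All CVE identifiers mentioned anywhere in the text."""
    return set(CVE_RE.findall(text))

def changelog_entries(text):
    """Split an RPM %changelog into entries; each entry starts with '* '."""
    return [e.strip() for e in re.split(r"(?m)^(?=\* )", text) if e.strip()]

def compare_package(factory_log, leap_log):
    """Return (missing_cves, needs_manual_check) for one package: CVEs named in
    Factory-only entries that Leap's changelog never mentions (a fix backported
    under its own entry counts as present), and a flag set when Factory-only
    entries exist but none of them names a CVE."""
    leap_entries = set(changelog_entries(leap_log))
    new_entries = [e for e in changelog_entries(factory_log) if e not in leap_entries]
    new_cves = cve_ids("\n".join(new_entries))
    return sorted(new_cves - cve_ids(leap_log)), bool(new_entries) and not new_cves

def audit(factory, leap):
    """Per-package findings in the same shape as the ticket's report."""
    report = {}
    for pkg in sorted(factory.keys() & leap.keys()):  # only packages shipped in both
        missing, manual = compare_package(factory[pkg], leap[pkg])
        if missing:
            report[pkg] = " ".join(missing)
        elif manual:
            report[pkg] = MANUAL
    return report
```

Packages whose Factory changes are all already present in 15.1 (icecast in the sample) produce no finding, which is the false-positive reduction the comment describes as the next step.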
