Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
320c7a32 by Emilio Pozuelo Monfort at 2020-11-05T13:52:05+01:00
CVE/list: sort release entries after their package entry

- - - - -
d596daa6 by Emilio Pozuelo Monfort at 2020-11-05T13:52:06+01:00
CVE/list: sort release entries in reverse order

- - - - -
f354d196 by Emilio Pozuelo Monfort at 2020-11-05T13:52:06+01:00
bugs.py: add some checks for package notes

- - - - -


2 changed files:

- data/CVE/list
- lib/python/bugs.py


Changes:

=====================================
data/CVE/list
=====================================
@@ -41522,9 +41522,9 @@ CVE-2020-10731 (A flaw was found in the nova_libvirt 
container provided by the R
 CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw 
was found  ...)
        - ldb 2:2.1.4-1
        [buster] - ldb <no-dsa> (Minor issue)
+       [stretch] - ldb <not-affected> (Vulnerable code introduced later)
        - samba 2:4.12.5+dfsg-1
        [buster] - samba <postponed> (Minor issue, fix along in next DSA)
-       [stretch] - ldb <not-affected> (Vulnerable code introduced later)
        NOTE: https://www.samba.org/samba/security/CVE-2020-10730.html
        NOTE: 
https://git.samba.org/?p=samba.git;a=commitdiff;h=9dd458956d7af1b4bbe505ba2ab72235e81c27d0
 (for ldb)
 CVE-2020-10729 [two random password lookups in same task return same value]
@@ -50014,8 +50014,8 @@ CVE-2020-7248 (libubox in OpenWrt before 18.06.7 and 
19.x before 19.07.1 has a t
        NOT-FOR-US: libubox in OpenWrt
 CVE-2020-XXXX [opensmtpd DoS via opportunistic TLS downgrade]
        - opensmtpd 6.6.2p1-1 (bug #950121)
-       [stretch] - opensmtpd 6.0.2p1-2+deb9u2
        [buster] - opensmtpd 6.0.3p1-5+deb10u3
+       [stretch] - opensmtpd 6.0.2p1-2+deb9u2
        NOTE: 
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig
 CVE-2020-7247 (smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in 
OpenBSD 6 ...)
        {DSA-4611-1}
@@ -156215,9 +156215,9 @@ CVE-2018-8037 (If an async request was completed by 
the application at the same
        NOTE: https://svn.apache.org/r1833907 (8.5.x)
 CVE-2018-8036 (In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a 
carefully c ...)
        - libpdfbox-java 1:1.8.15-1 (low; bug #902776)
-       - libpdfbox2-java 2.0.11-1 (low)
        [stretch] - libpdfbox-java <no-dsa> (Minor issue)
        [jessie] - libpdfbox-java <no-dsa> (Minor issue)
+       - libpdfbox2-java 2.0.11-1 (low)
        NOTE: https://www.openwall.com/lists/oss-security/2018/06/29/2
 CVE-2018-8035 (This vulnerability relates to the user's browser processing of 
DUCC we ...)
        NOT-FOR-US: UIMA DUCC (subproject of Apache UIMA)
@@ -172671,9 +172671,9 @@ CVE-2018-2642 (Vulnerability in the Oracle Argus 
Safety component of Oracle Heal
        NOT-FOR-US: Oracle
 CVE-2018-2641 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle Jav ...)
        {DSA-4166-1 DSA-4144-1 DLA-1339-1}
-       [experimental] - openjdk-7 7u171-2.6.13-1
        - openjdk-9 9.0.4+12-1
        - openjdk-8 8u162-b12-1
+       [experimental] - openjdk-7 7u171-2.6.13-1
        - openjdk-7 <removed>
        - openjdk-6 <removed>
        [wheezy] - openjdk-6 <end-of-life>
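Review bot: the `[experimental] - openjdk-7 7u171-2.6.13-1` line is moved to sit before `- openjdk-7 <removed>`, i.e. ahead of its package entry, which is the opposite of what the commit message says about release entries. It only passes the new checkPackageNote because the experimental branch there is a `pass`. If experimental release notes are meant to precede their package note by convention, record that in a comment in bugs.py; otherwise move this line after `- openjdk-7 <removed>` like every other release note in this commit.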
@@ -234738,8 +234738,8 @@ CVE-2016-8332 (A buffer overflow in OpenJPEG 2.1.1 
causes arbitrary code executi
 CVE-2016-8331 (An exploitable remote code execution vulnerability exists in 
the handl ...)
        {DLA-693-1}
        - tiff 4.0.6-3
-       - tiff3 <removed>
        [jessie] - tiff 4.0.3-12.3+deb8u2
+       - tiff3 <removed>
        [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
        NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0190/
        NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as 
fixed although technically still present in the source package
@@ -254244,9 +254244,9 @@ CVE-2016-XXXX [exec functions ignore length but look 
for NULL termination]
        - php5 5.6.18+dfsg-1
        [jessie] - php5 5.6.19+dfsg-0+deb8u1
        [wheezy] - php5 5.4.45-0+deb7u7
+       [squeeze] - php5 5.3.3.1-7+squeeze29
        - php5.6 5.6.18+dfsg-1
        - php7.0 7.0.3-1
-       [squeeze] - php5 5.3.3.1-7+squeeze29
        NOTE: temporary workaround until CVE assigned to explitly tag for 
squeeze
        NOTE: https://bugs.php.net/bug.php?id=71039
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305494
@@ -254266,9 +254266,9 @@ CVE-2016-XXXX [Integer overflow in iptcembed()]
        - php5 5.6.18+dfsg-1
        [jessie] - php5 5.6.19+dfsg-0+deb8u1
        [wheezy] - php5 5.4.45-0+deb7u7
+       [squeeze] - php5 5.3.3.1-7+squeeze29
        - php5.6 5.6.18+dfsg-1
        - php7.0 7.0.3-1
-       [squeeze] - php5 5.3.3.1-7+squeeze29
        NOTE: temporary workaround until CVE assigned to explitly tag for 
squeeze
        NOTE: https://bugs.php.net/bug.php?id=71459
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305518
@@ -254321,9 +254321,9 @@ CVE-2016-XXXX [NULL Pointer Dereference in 
phar_tar_setupmetadata()]
        - php5 5.6.18+dfsg-1
        [jessie] - php5 5.6.19+dfsg-0+deb8u1
        [wheezy] - php5 5.4.45-0+deb7u7
+       [squeeze] - php5 5.3.3.1-7+squeeze29
        - php5.6 5.6.18+dfsg-1
        - php7.0 7.0.3-1
-       [squeeze] - php5 5.3.3.1-7+squeeze29
        NOTE: temporary workaround until CVE assigned to explitly tag for 
squeeze
        NOTE: https://bugs.php.net/bug.php?id=71391
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305540
@@ -254355,9 +254355,9 @@ CVE-2016-XXXX [Crash on bad SOAP request]
        - php5 5.6.18+dfsg-1
        [jessie] - php5 5.6.19+dfsg-0+deb8u1
        [wheezy] - php5 5.4.45-0+deb7u7
+       [squeeze] - php5 5.3.3.1-7+squeeze29
        - php5.6 5.6.18+dfsg-1
        - php7.0 7.0.3-1
-       [squeeze] - php5 5.3.3.1-7+squeeze29
        NOTE: temporary workaround until CVE assigned to explitly tag for 
squeeze
        NOTE: https://bugs.php.net/bug.php?id=70979
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305551
@@ -255734,10 +255734,10 @@ CVE-2016-1980
 CVE-2016-1979 (Use-after-free vulnerability in the 
PK11_ImportDERPrivateKeyInfoAndRet ...)
        {DSA-3688-1 DSA-3576-1 DLA-480-1 DLA-472-1}
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        - icedove 38.8.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/
        - nss 2:3.21-1
@@ -255772,10 +255772,10 @@ CVE-2016-1974 (The nsScannerString::AppendUnicodeTo 
function in Mozilla Firefox
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
 CVE-2016-1973 (Race condition in the GetStaticInstance function in the WebRTC 
impleme ...)
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-33/
 CVE-2016-1972 (Race condition in libvpx in Mozilla Firefox before 45.0 on 
Windows mig ...)
        - iceweasel <not-affected> (Windows-specific)
@@ -255793,19 +255793,19 @@ CVE-2016-1969 (The setAttr function in Graphite 2 
before 1.3.6, as used in Mozil
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-38/
 CVE-2016-1968 (Integer underflow in Brotli, as used in Mozilla Firefox before 
45.0, a ...)
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/
        - brotli 0.3.0+dfsg-3 (bug #817233)
        NOTE: 
https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade
 CVE-2016-1967 (Mozilla Firefox before 45.0 does not properly restrict the 
availabilit ...)
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-29/
 CVE-2016-1966 (The nsNPObjWrapper::GetNewOrUsed function in 
dom/plugins/base/nsJSNPRu ...)
        {DSA-3520-1 DSA-3510-1}
@@ -255829,10 +255829,10 @@ CVE-2016-1964 (Use-after-free vulnerability in the 
AtomicBaseIncDec function in
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
 CVE-2016-1963 (The FileReader class in Mozilla Firefox before 45.0 allows 
local users ...)
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-26/
 CVE-2016-1962 (Use-after-free vulnerability in the 
mozilla::DataChannelConnection::Cl ...)
        {DSA-3520-1 DSA-3510-1}
@@ -255877,17 +255877,17 @@ CVE-2016-1957 (Memory leak in libstagefright in 
Mozilla Firefox before 45.0 and
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
 CVE-2016-1956 (Mozilla Firefox before 45.0 on Linux, when an Intel video 
driver is us ...)
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-19/
 CVE-2016-1955 (Mozilla Firefox before 45.0 allows remote attackers to bypass 
the Same ...)
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-18/
 CVE-2016-1954 (The nsCSPContext::SendReports function in 
dom/security/nsCSPContext.cp ...)
        {DSA-3520-1 DSA-3510-1}
@@ -255898,10 +255898,10 @@ CVE-2016-1954 (The nsCSPContext::SendReports 
function in dom/security/nsCSPConte
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
 CVE-2016-1953 (Multiple unspecified vulnerabilities in the browser engine in 
Mozilla  ...)
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
 CVE-2016-1952 (Multiple unspecified vulnerabilities in the browser engine in 
Mozilla  ...)
        {DSA-3510-1}
@@ -255929,11 +255929,11 @@ CVE-2016-1950 (Heap-based buffer overflow in 
Mozilla Network Security Services (
        NOTE: NSS fixed in 3.21.1
 CVE-2016-1949 (Mozilla Firefox before 44.0.2 does not properly restrict the 
interacti ...)
        - iceweasel <removed>
-       - firefox-esr 45.0esr-1
-       - firefox 45.0-1
        [jessie] - iceweasel <not-affected> (Only affects Firefox 43.x)
        [wheezy] - iceweasel <not-affected> (Only affects Firefox 43.x)
        [squeeze] - iceweasel <not-affected> (Only affects Firefox 43.x)
+       - firefox-esr 45.0esr-1
+       - firefox 45.0-1
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/
 CVE-2016-1948 (Mozilla Firefox before 44.0 on Android does not ensure that 
HTTPS is u ...)
        - iceweasel <not-affected> (Only affects Firefox for Android)
@@ -258399,8 +258399,8 @@ CVE-2014-9761 (Multiple stack-based buffer overflows 
in the GNU C Library (aka g
        {DLA-411-1}
        - glibc 2.23-1 (bug #813187)
        [jessie] - glibc <no-dsa> (Minor issue)
-       [wheezy] - eglibc <no-dsa> (Minor issue)
        - eglibc <removed>
+       [wheezy] - eglibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16962
        NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
        NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
@@ -263567,8 +263567,8 @@ CVE-2015-8104 (The KVM subsystem in the Linux kernel 
through 4.2.6, and Xen 4.3.
        {DSA-3454-1 DSA-3426-1 DSA-3414-1 DLA-479-1}
        - linux 4.2.6-2
        - linux-2.6 <removed>
-       - xen 4.8.0~rc3-1 (bug #823620)
        [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
+       - xen 4.8.0~rc3-1 (bug #823620)
        [squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
        NOTE: http://xenbits.xen.org/xsa/advisory-156.html
        NOTE: Upstream patch: https://lkml.org/lkml/2015/11/10/218
@@ -264032,8 +264032,8 @@ CVE-2015-7995 (The xsltStylePreCompute function in 
preproc.c in libxslt 1.1.28 d
 CVE-2015-8982 (Integer overflow in the strxfrm function in the GNU C Library 
(aka gli ...)
        - glibc 2.21-1 (bug #803927)
        [jessie] - glibc 2.19-18+deb8u2
-       [wheezy] - eglibc 2.13-38+deb7u9
        - eglibc <removed>
+       [wheezy] - eglibc 2.13-38+deb7u9
        [squeeze] - eglibc 2.11.3-4+deb6u8
        NOTE: workaround entry for DLA-350-1 until/if CVE assigned
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16009
@@ -264444,7 +264444,6 @@ CVE-2013-7445 (The Direct Rendering Manager (DRM) 
subsystem in the Linux kernel
        [stretch] - linux <ignored> (Minor issue, requires invasive changes)
        [jessie] - linux <ignored> (Minor issue, requires invasive changes)
        [wheezy] - linux <no-dsa> (Minor issue, requires invasive changes)
-       [jessie] - linux-4.9 <ignored> (Minor issue, requires invasive changes)
        - linux-2.6 <removed>
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=60533
 CVE-2015-8011 (Buffer overflow in the lldp_decode function in 
daemon/protocols/lldp.c ...)
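Review bot: this hunk deletes `[jessie] - linux-4.9 <ignored> (Minor issue, requires invasive changes)` outright instead of re-sorting it, so the jessie status of linux-4.9 for CVE-2013-7445 is no longer recorded. The context shows no `- linux-4.9` package line for the note to follow, which is presumably why it was dropped; if the status should be kept, add a package entry for linux-4.9 and keep the release note after it (the CVE-2014-8600 hunk in this same commit does that with `- kdebase-runtime <removed>`), and mention the deletion in the commit message since it is not a sort.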
@@ -267108,8 +267107,8 @@ CVE-2014-9747 (The t42_parse_encoding function in 
type42/t42parse.c in FreeType
 CVE-2015-6855 (hw/ide/core.c in QEMU does not properly restrict the commands 
accepted ...)
        {DSA-3362-1 DSA-3361-1}
        - qemu 1:2.4+dfsg-2
-       - qemu-kvm <removed>
        [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
+       - qemu-kvm <removed>
        [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
        NOTE: https://www.openwall.com/lists/oss-security/2015/09/10/1
        NOTE: Fix commit: 
http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a
@@ -271295,8 +271294,8 @@ CVE-2015-5307 (The KVM subsystem in the Linux kernel 
through 4.2.6, and Xen 4.3.
        {DSA-3454-1 DSA-3414-1 DSA-3396-1 DLA-479-1}
        - linux 4.2.6-1
        - linux-2.6 <removed>
-       - xen 4.8.0~rc3-1 (bug #823620)
        [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
+       - xen 4.8.0~rc3-1 (bug #823620)
        [squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
        NOTE: http://xenbits.xen.org/xsa/advisory-156.html
        - virtualbox 5.0.10-dfsg-1
@@ -273681,23 +273680,23 @@ CVE-2015-4490 (The nsCSPHostSrc::permits function 
in dom/security/nsCSPUtils.cpp
 CVE-2015-4489 (The nsTArray_Impl class in Mozilla Firefox before 40.0, Firefox 
ESR 38 ...)
        {DSA-3410-1 DSA-3333-1}
        - iceweasel 38.2.0esr-1
+       [squeeze] - iceweasel <end-of-life>
        - icedove 38.3.0-1
        [squeeze] - icedove <end-of-life>
-       [squeeze] - iceweasel <end-of-life>
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
 CVE-2015-4488 (Use-after-free vulnerability in the StyleAnimationValue class 
in Mozil ...)
        {DSA-3410-1 DSA-3333-1}
        - iceweasel 38.2.0esr-1
+       [squeeze] - iceweasel <end-of-life>
        - icedove 38.3.0-1
        [squeeze] - icedove <end-of-life>
-       [squeeze] - iceweasel <end-of-life>
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
 CVE-2015-4487 (The nsTSubstring::ReplacePrep function in Mozilla Firefox 
before 40.0, ...)
        {DSA-3410-1 DSA-3333-1}
        - iceweasel 38.2.0esr-1
+       [squeeze] - iceweasel <end-of-life>
        - icedove 38.3.0-1
        [squeeze] - icedove <end-of-life>
-       [squeeze] - iceweasel <end-of-life>
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
 CVE-2015-4486 (The decrease_ref_count function in libvpx in Mozilla Firefox 
before 40 ...)
        - libvpx 1.4.0-1
@@ -273760,9 +273759,9 @@ CVE-2015-4474 (Multiple unspecified vulnerabilities 
in the browser engine in Moz
 CVE-2015-4473 (Multiple unspecified vulnerabilities in the browser engine in 
Mozilla  ...)
        {DSA-3410-1 DSA-3333-1}
        - iceweasel 38.2.0esr-1
+       [squeeze] - iceweasel <end-of-life>
        - icedove 38.3.0-1
        [squeeze] - icedove <end-of-life>
-       [squeeze] - iceweasel <end-of-life>
        NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
 CVE-2015-4466
        RESERVED
@@ -277380,12 +277379,13 @@ CVE-2015-3209 (Heap-based buffer overflow in the 
PCNET controller in QEMU allows
        {DSA-3286-1 DSA-3285-1 DSA-3284-1}
        - qemu 1:2.3+dfsg-6 (bug #788460)
        [wheezy] - qemu 1.1.2+dfsg-6a+deb7u8
+       [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
        - qemu-kvm <removed>
+       [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
        - xen 4.4.0-1
        [squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
+        - xen-qemu-dm-4.0 <removed>
        [squeeze] - xen-qemu-dm-4.0 <end-of-life> (Not supported in Squeeze LTS)
-       [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
-       [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
        NOTE: Xen switched to qemu-system in 4.4.0-1
        NOTE: http://xenbits.xen.org/xsa/advisory-135.html
 CVE-2015-3208 (XML external entity (XXE) vulnerability in the XPath selector 
componen ...)
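Review bot: the added `- xen-qemu-dm-4.0 <removed>` line has one more leading space than the surrounding entries (`+        -` versus `+       [squeeze]`), so its indentation differs from every other package line in the hunk. Normalise it to match its siblings before merging. The line itself is the right fix, since it gives the `[squeeze] - xen-qemu-dm-4.0 <end-of-life>` note a package entry to follow, the same way the qemu and qemu-kvm squeeze notes are moved under their package lines here.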
@@ -280696,10 +280696,10 @@ CVE-2015-2156 (Netty before 3.9.8.Final, 3.10.x 
before 3.10.3.Final, 4.0.x befor
        - netty 1:4.0.31-1 (bug #796114)
        [jessie] - netty <ignored> (Minor issue, invasive patch)
        [wheezy] - netty <no-dsa> (Minor issue)
+       [squeeze] - netty <no-dsa> (Minor issue)
        - netty-3.9 3.9.9.Final-1 (bug #793770)
        [jessie] - netty-3.9 <ignored> (Minor issue, invasive patch)
        - playframework <itp> (bug #646523)
-       [squeeze] - netty <no-dsa> (Minor issue)
        NOTE: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
        NOTE: 
https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
        NOTE: 
http://web.archive.org/web/20150925094949/http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
@@ -283391,8 +283391,8 @@ CVE-2015-1370 (Incomplete blacklist vulnerability in 
marked 0.3.2 and earlier fo
 CVE-2013-7423 (The send_dg function in resolv/res_send.c in GNU C Library (aka 
glibc  ...)
        {DLA-165-1}
        - glibc 2.19-1 (bug #722075)
-       [wheezy] - eglibc 2.13-38+deb7u5
        - eglibc <removed>
+       [wheezy] - eglibc 2.13-38+deb7u5
        NOTE: Fix: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f9d2d03254a58d92635a311a42253eeed5a40a47
        NOTE: Upstream report: 
https://sourceware.org/bugzilla/show_bug.cgi?id=15946
        NOTE: https://www.openwall.com/lists/oss-security/2015/01/28/16
@@ -289545,11 +289545,11 @@ CVE-2014-8873 (A .desktop file in the Debian 
openjdk-7 package 7u79-2.5.5-1~deb8
        {DSA-3316-1 DSA-3235-1}
        - openjdk-8 8u45-b14-1 (high)
        - openjdk-7 7u79-2.5.5-1 (high)
+       [wheezy] - openjdk-7 <not-affected> (MIME type setting is harmless on 
wheezy)
+       [squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on 
this squeeze)
        - openjdk-6 <removed> (high)
-       [squeeze] - openjdk-6 <not-affected> (MIME type setting is harmless on 
squeeze)
        [wheezy] - openjdk-6 <not-affected> (MIME type setting is harmless on 
wheezy)
-       [squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on 
this squeeze)
-       [wheezy] - openjdk-7 <not-affected> (MIME type setting is harmless on 
wheezy)
+       [squeeze] - openjdk-6 <not-affected> (MIME type setting is harmless on 
squeeze)
        NOTE: Starting with mime-support 3.53, MimeType entries in desktop
        NOTE: files end up in /etc/mailcap, which introduces the user-initiated
        NOTE: code execution.
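Review bot: the moved `[squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on this squeeze)` line carries over the stray word "this" (the openjdk-6 line reads "harmless on squeeze"); since the line is rewritten in this hunk anyway, drop it. The ordering is otherwise right: wheezy before squeeze for both openjdk-7 and openjdk-6, which is the newest-first order the `prev_note.release < note.release` check in bugs.py enforces.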
@@ -290108,6 +290108,7 @@ CVE-2014-8601 (PowerDNS Recursor before 3.6.2 does 
not limit delegation chaining
 CVE-2014-8600 (Multiple cross-site scripting (XSS) vulnerabilities in 
KDE-Runtime 4.1 ...)
        - kde-runtime 4:4.14.2-2 (bug #769632)
        [wheezy] - kde-runtime <no-dsa> (Minor issue)
+       - kdebase-runtime <removed>
        [squeeze] - kdebase-runtime <no-dsa> (Minor issue)
        - webkitkde 1.3.4-2 (unimportant)
        NOTE: webkitpart: 
http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689
@@ -290996,8 +290997,8 @@ CVE-2013-7406 (SQL injection vulnerability in the 
MRBS module for Drupal allows
 CVE-2014-8350 (Smarty before 3.1.21 allows remote attackers to bypass the 
secure mode ...)
        {DLA-452-1}
        - smarty3 3.1.21-1 (bug #765920)
-       - smarty <not-affected> (Only affects 3.x series)
        [squeeze] - smarty3 <end-of-life> (Unsupported in squeeze-lts)
+       - smarty <not-affected> (Only affects 3.x series)
        NOTE: 
https://github.com/smarty-php/smarty/commit/279bdbd3521cd717cae6a3ba48f1c3c6823f439d.patch
 CVE-2014-8399 (The default configuration in systemd-shim 8 enables the Abandon 
debugg ...)
        - systemd-shim 8-4
@@ -295381,9 +295382,9 @@ CVE-2014-6541 (Unspecified vulnerability in the 
Recovery component in Oracle Dat
        NOT-FOR-US: Oracle
 CVE-2014-6540 (Unspecified vulnerability in the Oracle VM VirtualBox component 
in Ora ...)
        - virtualbox-guest-additions <removed>
+       [squeeze] - virtualbox-guest-additions <no-dsa> (Non-free not supported)
        - virtualbox-guest-additions-iso 4.3.14-1
        [wheezy] - virtualbox-guest-additions-iso <no-dsa> (Non-free not 
supported)
-       [squeeze] - virtualbox-guest-additions <no-dsa> (Non-free not supported)
        NOTE: 
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
 CVE-2014-6539 (Unspecified vulnerability in the Oracle Applications Framework 
compone ...)
        NOT-FOR-US: Oracle E-Business Suite
@@ -301850,10 +301851,10 @@ CVE-2014-3874
        RESERVED
 CVE-2014-3873 (The ktrace utility in the FreeBSD kernel 8.4 before p11, 9.1 
before p1 ...)
        - kfreebsd-8 <removed>
-       - kfreebsd-9 <removed> (bug #750493)
+       [wheezy] - kfreebsd-8 <no-dsa> (Non standard kernel, will be fixed in a 
point update)
        [squeeze] - kfreebsd-8 <end-of-life> (Unsupported in squeeze-lts)
+       - kfreebsd-9 <removed> (bug #750493)
        [wheezy] - kfreebsd-9 <not-affected> (introduced by the merge of 
r237663)
-       [wheezy] - kfreebsd-8 <no-dsa> (Non standard kernel, will be fixed in a 
point update)
 CVE-2014-3872 (Multiple SQL injection vulnerabilities in the administration 
login pag ...)
        NOT-FOR-US: D-Link firmware
 CVE-2014-3871 (Multiple SQL injection vulnerabilities in register.php in 
Geodesic Sol ...)
@@ -302275,9 +302276,9 @@ CVE-2014-3690 (arch/x86/kvm/vmx.c in the KVM 
subsystem in the Linux kernel befor
 CVE-2014-3689 (The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows 
local g ...)
        {DSA-3067-1 DSA-3066-1}
        - qemu 2.1+dfsg-6 (bug #765496)
+       [squeeze] - qemu <end-of-life>
        - qemu-kvm <removed>
        [squeeze] - qemu-kvm <end-of-life>
-       [squeeze] - qemu <end-of-life>
        NOTE: Upstream's quick and easy stopgap for this issue: compile out the 
hardware acceleration functions which lack sanity checks.
        NOTE: 
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc
 CVE-2014-3688 (The SCTP implementation in the Linux kernel before 3.17.4 
allows remot ...)
@@ -302442,9 +302443,9 @@ CVE-2014-3641 (The (1) GlusterFS and (2) Linux Smbfs 
drivers in OpenStack Cinder
 CVE-2014-3640 (The sosendto function in slirp/udp.c in QEMU before 2.1.2 
allows local ...)
        {DSA-3045-1 DSA-3044-1}
        - qemu 2.1+dfsg-5 (bug #762532)
+       [squeeze] - qemu <end-of-life>
        - qemu-kvm <removed>
        [squeeze] - qemu-kvm <end-of-life>
-       [squeeze] - qemu <end-of-life>
        NOTE: 
http://lists.nongnu.org/archive/html/qemu-devel/2014-09/msg03543.html
 CVE-2014-3639 (The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 
does not ...)
        {DSA-3026-1 DLA-87-1}


=====================================
lib/python/bugs.py
=====================================
@@ -557,20 +557,23 @@ class FileBase(debian_support.PackageFile):
                 if handle_xref(self.re_xref_required, self.re_xref,
                                self.re_xref_entry, xref):
                     continue
-                
+
+                def addPackageNote(note):
+                    self.checkPackageNote(pkg_notes, note, lineno)
+                    pkg_notes.append(note)
+
                 if self.re_package_required.match(r):
                     match = self.re_package_version.match(r)
                     if match:
                         (release, p, v, d) = match.groups()
-                        pkg_notes.append(
-                            PackageNoteParsed(p, v, d, release=release))
+                        addPackageNote(PackageNoteParsed(p, v, d, 
release=release))
                         continue
 
                     match = self.re_package_no_version.match(r)
                     if match:
                         (release, p, v, d) = match.groups()
                         if v == 'not-affected':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, '0', 'unimportant',
                                               release=release))
                             if d:
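Review bot: `addPackageNote` is defined inside the per-line loop, so a new closure is created for every record line only to forward to `self.checkPackageNote(pkg_notes, note, lineno)` and append. Define it once before the loop (it needs `lineno`, so take that as a parameter) or make the check-then-append a method on the class, which also makes it testable on its own. The first change in the hunk only strips trailing whitespace from a blank line, which is fine but is not covered by the commit message.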
@@ -581,7 +584,7 @@ class FileBase(debian_support.PackageFile):
                                     r = r[:-1]
                                 comments.append(('NOTE', r))
                         elif v == 'end-of-life':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, None, 'end-of-life',
                                               release=release))
                             if d:
@@ -604,7 +607,7 @@ class FileBase(debian_support.PackageFile):
                                 reason = v
                             else:
                                 reason = None
-                            pkg_notes.append(PackageNoteNoDSA(
+                            addPackageNote(PackageNoteNoDSA(
                                 release=release,
                                 package=p,
                                 comment=d,
@@ -623,16 +626,16 @@ class FileBase(debian_support.PackageFile):
                                 self.raiseSyntaxError(
                                     "ITP note needs Debian bug reference",
                                     lineno)
-                            pkg_notes.append(x)
+                            addPackageNote(x)
                         elif v == 'unfixed':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, None, d, release=release))
                         elif v == 'removed':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, None, d, release=release))
                             self.removed_packages[p] = True
                         elif v == 'undetermined':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, 'undetermined', d, 
release=release))
                         else:
                             self.raiseSyntaxError(
@@ -741,6 +744,22 @@ class FileBase(debian_support.PackageFile):
         parsed, or adds some additional checking."""
         return bug
 
+    def checkPackageNote(self, notes, note, lineno):
+        if not notes:
+            return
+
+        prev_note = notes[-1]
+        if prev_note.package != note.package:
+            if prev_note.release and prev_note.release == 
debian_support.internRelease('experimental'):
+                #self.raiseSyntaxError("experimental release note must come 
before the package note")
+                pass
+            elif note.release and note.release != 
debian_support.internRelease('experimental'):
+                self.raiseSyntaxError("release note must follow its package 
note", lineno)
+        else:
+            if prev_note.release and note.release and prev_note.release < 
note.release:
+                self.raiseSyntaxError("release notes not ordered properly", 
lineno)
+
+
 class CVEFile(FileBase):
     """A CVE file, as used by the Debian testing security team."""
     
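Review bot: the experimental branch of `checkPackageNote` is dead code: the `raiseSyntaxError` call is commented out and replaced with `pass`, and the commented call also lacks the `lineno` argument the other two calls pass. Either delete the branch (the `elif` already exempts experimental notes via `note.release != debian_support.internRelease('experimental')`) or finish it. Two smaller points: `prev_note.release < note.release` enforces newest-first order, but the message "release notes not ordered properly" does not say which order is expected, so include both release names in it; and `debian_support.internRelease('experimental')` is re-resolved for every note and could be bound once at module level. The new lines also run well past the 80 columns the rest of the file keeps to.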
@@ -777,6 +796,14 @@ class CVEFile(FileBase):
         bug.mergeNotes()
         return bug
 
+    def checkPackageNote(self, notes, note, lineno):
+        # dont check old entries for now
+        if self.lineno >= 100000:
+            return
+
+        super().checkPackageNote(notes, note, lineno)
+
+
 class CVEExtendFile(CVEFile):
     # This is an extend file. The main CVEFile can have a 'CVE-2018-XXXX' (sic)
     # identifier, which will get converted to TEMP-* automatically. However to
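Review bot: `CVEFile.checkPackageNote` gates on `self.lineno` but receives `lineno` as an argument; if the two are not the same line (for example if `self.lineno` is the parser's current position rather than the line of the note being checked), the cutoff lands on the wrong entry. Use the parameter. The threshold 100000 is also a bare magic number: every data/CVE/list hunk in this commit from `@@ -254244` onward lies above it, so those entries were reordered by hand and are not enforced by the check. Name the constant and say in the comment when it is meant to go away; also "dont" should read "don't".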
@@ -795,6 +822,10 @@ class CVEExtendFile(CVEFile):
 
         return CVEFile.isUniqueName(self, name)
 
+    def checkPackageNote(self, notes, note, lineno):
+        pass
+
+
 class DSAFile(FileBase):
     """A DSA file.
 
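Review bot: CVEExtendFile, DSAFile and DTSAFile each override `checkPackageNote` with `pass`, so only CVEFile actually runs the check, yet the real implementation lives in FileBase, which none of those three want. Invert it: make `FileBase.checkPackageNote` a no-op hook (mirroring the `return bug` default just above it) and move the body into CVEFile, so a future subclass is not checked by accident. Since CVEExtendFile derives from CVEFile, it would still need its explicit `pass` to stay unchecked.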
@@ -840,6 +871,9 @@ class DSAFile(FileBase):
         bug.mergeNotes()
         return bug
 
+    def checkPackageNote(self, notes, note, lineno):
+        pass
+
 
 class DTSAFile(FileBase):
     """A DTSA file.
@@ -884,6 +918,10 @@ class DTSAFile(FileBase):
                     lineno=bug.source_line)
         return bug
 
+    def checkPackageNote(self, notes, note, lineno):
+        pass
+
+
 def test():
     assert internUrgency("high") > internUrgency("medium")
 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f2673f0f2b006103ed62fe7fdd668d6f8fb264fd...f354d19660ce40506eac504b91b153a631b505c2



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits