Author: anarcat
Date: 2017-08-31 14:00:27 +0000 (Thu, 31 Aug 2017)
New Revision: 55316
Modified: data/CVE/list data/dla-needed.txt Log: CVE-2017-7506 not present in wheezy I have audited the code and the vulnerability is specifically bound to the reds_on_main_agent_monitors_config function, which is simply not present. a hostile message would fall through the code and not provoke memory allocation or out of bounds access. Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-08-31 13:48:46 UTC (rev 55315) +++ data/CVE/list 2017-08-31 14:00:27 UTC (rev 55316) @@ -18429,6 +18429,7 @@ CVE-2017-7506 (spice versions though 0.13 are vulnerable to out-of-bounds memory ...) {DSA-3907-1} - spice 0.12.8-2.2 (bug #868083) + [wheezy] - spice <not-affected> (Vulnerable code not introduced later) CVE-2017-7505 (Foreman since version 1.5 is vulnerable to an incorrect authorization ...) - foreman <itp> (bug #663101) CVE-2017-7504 (HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the ...) Modified: data/dla-needed.txt =================================================================== --- data/dla-needed.txt 2017-08-31 13:48:46 UTC (rev 55315) +++ data/dla-needed.txt 2017-08-31 14:00:27 UTC (rev 55316) @@ -155,12 +155,6 @@ NOTE: No patches. Contacted upstream. Waiting for feedback NOTE: > 12% of sponsors use sox hence I have decided to add it here. -- -spice (anarcat) - NOTE: CVE-2017-7506 already fixed in jessie. Can take patch there. - NOTE: (Markus Koschany) Patch from Jessie does not apply. Function - NOTE: reds_on_main_agent_monitors_config does not exist. Unclear how issue - NOTE: can be triggered/verified in this version --- tcpdump (Guido Günther) NOTE: Contacted upstream regarding CVE-2017-11543 NOTE: package otherwise ready for upload
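Review bot: The parenthetical on the added [wheezy] line in the data/CVE/list hunk, "(Vulnerable code not introduced later)", contradicts the commit log, which says the vulnerable function is absent from wheezy. The stray "not" makes the justification read as the opposite of what was audited. Suggest "(Vulnerable code introduced later)", and consider naming reds_on_main_agent_monitors_config in the text so the not-affected status can be re-verified against the wheezy source without digging up this commit.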
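Review bot: In the data/dla-needed.txt hunk, removing the spice entry also deletes the open question recorded there ("Unclear how issue can be triggered/verified in this version"), and its answer now exists only in the commit log. The audit conclusion, that a hostile message falls through without provoking memory allocation or out-of-bounds access, is the actual basis for the not-affected call. Suggest recording it as a NOTE line under the CVE-2017-7506 entry in data/CVE/list so the reasoning stays with the tracker data.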