Author: jmm Date: 2013-03-07 21:28:28 +0000 (Thu, 07 Mar 2013) New Revision: 21549
Modified: data/CVE/list Log: new nova issue (no-dsa) new issues in qid-cpp no-dsa: bouncycastle, nagios-nrpe, libwebp, redis Red Hat NFU mark some java issues as specific to Oracle Java Modified: data/CVE/list =================================================================== --- data/CVE/list 2013-03-07 21:14:28 UTC (rev 21548) +++ data/CVE/list 2013-03-07 21:28:28 UTC (rev 21549) @@ -1852,6 +1852,7 @@ CVE-2013-1624 (The TLS implementation in the Bouncy Castle Java library before 1.48 ...) - bouncycastle <unfixed> (low; bug #699885) [squeeze] - bouncycastle <no-dsa> (Minor issue) + [wheezy] - bouncycastle <no-dsa> (Minor issue) CVE-2013-1623 (The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not ...) - mysql-5.1 <unfixed> - mysql-5.5 <unfixed> (bug #699886) @@ -2518,7 +2519,8 @@ RESERVED CVE-2013-1362 [Allows passing of $() as command arguments and executing shell commands] RESERVED - - nagios-nrpe <unfixed> (bug #701227) + - nagios-nrpe <unfixed> (low; bug #701227) + [squeeze] - nagios-nrpe <no-dsa> (Minor issue) CVE-2013-1361 RESERVED CVE-2013-1360 @@ -4955,9 +4957,9 @@ CVE-2013-0410 RESERVED CVE-2013-0409 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...) - - openjdk-6 <unfixed> - - openjdk-7 <unfixed> - NOTE: No fix listed for icedtea, is this component (JMX) included in Icedtea? + - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea) + - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea) + NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-0408 RESERVED CVE-2013-0407 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) @@ -5163,6 +5165,8 @@ - jenkins <unfixed> (bug #700761) CVE-2013-0326 RESERVED + - nova <unfixed> (low) + [wheezy] - nova <no-dsa> (Minor issue) CVE-2013-0325 RESERVED NOT-FOR-US: Drupal addon 
@@ -5660,9 +5664,10 @@ NOTE: https://code.google.com/p/memcached/issues/attachmentText?id=306&aid=3060004000&name=0001-Fix-buffer-overrun-when-logging-key-to-delete-in-bin.patch CVE-2013-0178 [redis 2.4: Insecure temporary flaw use for redis service's vm swap file] RESERVED - - redis <unfixed> + - redis 2:2.6.0-1 (low) + [squeeze] - redis <no-dsa> (Minor issue) + [wheezy] - redis <no-dsa> (Minor issue) NOTE: RedHat bugreport mentions 2.4 is affected, but not 2.6 - TODO: check CVE-2013-0177 RESERVED NOT-FOR-US: OFBiz @@ -5694,6 +5699,7 @@ {DSA-2622-1 DSA-2621-1} - openssl 1.0.1e-1 (bug #699889) - bouncycastle <unfixed> (low; bug #699885) + [wheezy] - bouncycastle <no-dsa> (Minor issue) [squeeze] - bouncycastle <no-dsa> (Minor issue) - mysql-5.1 <unfixed> - mysql-5.5 <unfixed> (bug #699886) @@ -6246,6 +6252,7 @@ RESERVED CVE-2012-6136 RESERVED + NOT-FOR-US: tuned (RH-specific powersaving tool) CVE-2012-6135 RESERVED - ruby-passenger (low; bug #702219) @@ -9125,7 +9132,9 @@ - libv8 <not-affected> (Doesn't affect 3.8.9, see bug #694808) CVE-2012-5127 (Integer overflow in Google Chrome before 23.0.1271.64 allows remote ...) - chromium-browser 24.0.1312.68-1 - - libwebp 0.2.1-1 + - libwebp 0.2.1-1 (low) + [squeeze] - libwebp <no-dsa> (Minor issue) + [wheezy] - libwebp <no-dsa> (Minor issue) NOTE: https://bugs.gentoo.org/show_bug.cgi?id=442152 NOTE: Upstream announce: https://groups.google.com/a/webmproject.org/forum/?fromgroups=#!topic/webp-discuss/QTtgi8YfgkE CVE-2012-5126 (Use-after-free vulnerability in Google Chrome before 23.0.1271.64 ...) @@ -11098,10 +11107,13 @@ - linux 3.2.35-1 CVE-2012-4460 RESERVED + - qpid-cpp <unfixed> CVE-2012-4459 RESERVED + - qpid-cpp <unfixed> CVE-2012-4458 RESERVED + - qpid-cpp <unfixed> CVE-2012-4457 (OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 ...) - keystone 2012.1.1-9 (bug #689210) CVE-2012-4456 (The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone ...) 
@@ -14355,9 +14367,9 @@ CVE-2012-3214 (Unspecified vulnerability in the Oracle Outside In Technology ...) NOT-FOR-US: Oracle Fusion Middleware CVE-2012-3213 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...) - - openjdk-6 <unfixed> - - openjdk-7 <unfixed> - NOTE: No fix listed for icedtea, is this component (Scripting) included in Icedtea? + - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea) + - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea) + NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2012-3212 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11, when ...) NOT-FOR-US: Oracle Sun Solaris CVE-2012-3211 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...) @@ -14519,8 +14531,9 @@ CVE-2012-3144 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - mysql-5.5 5.5.28+dfsg-1 (bug #690778) CVE-2012-3143 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...) - - openjdk-6 <unfixed> (bug #690774) - - openjdk-7 <unfixed> (bug #690774) + - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea) + - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea) + NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2012-3142 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...) NOT-FOR-US: Oracle Financial Services Software CVE-2012-3141 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking ...) 
@@ -18563,8 +18576,9 @@ - openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2012-1531 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...) - - openjdk-6 <unfixed> (bug #690774) - - openjdk-7 <unfixed> (bug #690774) + - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea) + - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea) + NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2012-1530 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2012-1529 (Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 ...) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
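Review bot: In the CVE-2013-1362 hunk, `[squeeze] - nagios-nrpe <no-dsa> (Minor issue)` and the `low` severity are unexplained for an entry whose summary is "Allows passing of $() as command arguments and executing shell commands"; a NOTE stating the precondition that keeps this minor (as the redis and Java entries in this commit do) would let a later triager verify the no-dsa decision instead of re-deriving it.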
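Review bot: In the CVE-2013-0409 hunk the old NOTE named the component in question ("is this component (JMX) included in Icedtea?") and the new NOTE drops that name, leaving only the generic "no patch landed in icedtea, we consider it not-affected"; keep the component name (JMX here, Scripting in the CVE-2012-3213 hunk) in the NOTE so the not-affected marking can be rechecked once Oracle or IcedTea publish more detail, since it currently rests on an absence of a patch rather than on a confirmed component split.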
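Review bot: In the CVE-2012-3143 hunk the removed lines carried `(bug #690774)` and the replacement `<not-affected>` lines drop it, so the Debian bug reference is lost from the tracker; the same happens in the CVE-2012-1531 hunk. Either reference #690774 in the new NOTE or make sure the bug is closed with the not-affected rationale, otherwise the BTS and the tracker disagree.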
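Review bot: In the CVE-2013-0178 hunk the entry moves from `- redis <unfixed>` to `- redis 2:2.6.0-1 (low)` and the `TODO: check` line is removed, but the surviving NOTE only says "RedHat bugreport mentions 2.4 is affected, but not 2.6"; a fixed version inferred from a report's silence about 2.6 should be backed by a NOTE naming what in 2.6 resolved the insecure vm swap file handling (the upstream change or the feature being dropped), so the fixed-version claim is not silently weaker than the format implies.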
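Review bot: In the CVE-2013-0326 hunk `- nova <unfixed> (low)` is added without a bug reference, unlike the other unfixed entries in this commit (nagios-nrpe, bouncycastle, mysql-5.5 all carry `bug #...`); since the CVE is still RESERVED and carries no description, a bug number or a NOTE with the upstream reference is the only way a reader can find out what the nova issue is, so please add one.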
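Review bot: In the CVE-2012-4460, CVE-2012-4459 and CVE-2012-4458 hunk, the three added `- qpid-cpp <unfixed>` lines have no severity, no bug reference and no NOTE, and all three CVEs are RESERVED with no description; add at least a NOTE pointing at the upstream or Red Hat report so the entries can be triaged and the release status for squeeze and wheezy decided later.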
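Review bot: In the hunk for the `{DSA-2622-1 DSA-2621-1}` entry the new `[wheezy] - bouncycastle <no-dsa> (Minor issue)` line is inserted above the existing `[squeeze]` line, whereas the CVE-2013-1624 hunk in this same commit places `[wheezy]` after `[squeeze]`; pick one ordering of release annotations and use it in both places so diffs against data/CVE/list stay predictable.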