Author: jmm Date: 2015-03-09 17:02:44 +0000 (Mon, 09 Mar 2015) New Revision: 32712
Modified: data/CVE/list Log: libav triage horizon n/a one freetype issue n/a remove sqlite issue, plain bug w/o security implications remove several older no-dsa entries for eglibc which have been fixed in DLA/DSA rhn-client-tools no-dsa for jessie Modified: data/CVE/list =================================================================== --- data/CVE/list 2015-03-09 15:51:47 UTC (rev 32711) +++ data/CVE/list 2015-03-09 17:02:44 UTC (rev 32712) @@ -368,7 +368,7 @@ NOTE: be handled correctly then by the tracker. NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=13138 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/26/2 - TODO: check + NOTE: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0 CVE-2015-2079 RESERVED CVE-2015-2078 (The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft ...) @@ -437,13 +437,11 @@ - xen <unfixed> [squeeze] - xen <end-of-life> (Unsupported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-122.html - TODO: check CVE-2015-2044 [Information leak via internal x86 system device emulation] RESERVED - xen <unfixed> [squeeze] - xen <end-of-life> (Unsupported in squeeze-lts) NOTE: http://xenbits.xen.org/xsa/advisory-121.html - TODO: check CVE-2015-2043 (Multiple cross-site scripting (XSS) vulnerabilities in Visualware ...) NOT-FOR-US: Visualware CVE-2015-2040 (Cross-site scripting (XSS) vulnerability in the Contact Form DB (aka ...) @@ -456,7 +454,6 @@ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17269 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/22/15 - TODO: check CVE-2015-XXXX [Potential XSS vulnerability when rendering some flash messages] - redmine 3.0~20140825-5 NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_2_6 
@@ -1009,6 +1006,7 @@ CVE-2015-1777 [rhnreg_ks fails to properly validate SSL/TLS certificates] RESERVED - rhn-client-tools <unfixed> (bug #779817) + [jessie] - rhn-client-tools <no-dsa> (Minor issue) [wheezy] - rhn-client-tools <no-dsa> (Minor issue) CVE-2015-1776 RESERVED @@ -1784,6 +1782,8 @@ NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=257c270bd25e15890190a28a1456e7623bba4439 CVE-2014-9665 (The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 ...) - freetype 2.5.2-3 (bug #777656) + [wheezy] - freetype <not-affected> (Vulnerable code not present) + [squeeze] - freetype <not-affected> (Vulnerable code not present) NOTE: http://code.google.com/p/google-security-research/issues/detail?id=168 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=54abd22891bd51ef8b533b24df53b3019b5cee81 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=b3500af717010137046ec4076d1e1c0641e33727 @@ -1986,7 +1986,7 @@ CVE-2015-1475 (Multiple cross-site scripting (XSS) vulnerabilities in my little forum ...) NOT-FOR-US: My Little Forum CVE-2015-1474 (Multiple integer overflows in the GraphicBuffer::unflatten function in ...) - TODO: check + NOT-FOR-US: Android CVE-2015-1471 (SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 ...) NOT-FOR-US: Pragyan CMS CVE-2015-1470 @@ -3314,8 +3314,9 @@ [squeeze] - ffmpeg <end-of-life> - libav <unfixed> (bug #775593) NOTE: Applies to 0.8, but in different file (utvideo.c) - NOTE: libav: needed (confirmed) + NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3881606240953b9275a247a1c98a567f3c44890f + NOTE: Pending for 11.3 CVE-2014-9603 (The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before ...) - ffmpeg 7:2.5.1-1 [squeeze] - ffmpeg <end-of-life> 
@@ -3904,11 +3905,6 @@ [squeeze] - chicken <no-dsa> (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/01/12/3 NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt -CVE-2015-XXXX [Crashes due to fuzzed input] - [experimental] - sqlite3 3.8.8.2-1 - - sqlite3 <unfixed> - NOTE: https://www.sqlite.org/src/info/a59ae93ee990a55 - NOTE: Patch: https://www.sqlite.org/src/info/fe5788633131281a CVE-2015-1194 (pax 1:20140703 allows remote attackers to write to arbitrary files via ...) - pax <unfixed> (low; bug #774716) [jessie] - pax <no-dsa> (Minor issue) @@ -4027,7 +4023,7 @@ CVE-2015-0886 (Integer overflow in the crypt_raw method in the key-stretching ...) - libjbcrypt-java <unfixed> (bug #780102) CVE-2015-0885 (checkpw 1.02 and earlier allows remote attackers to cause a denial of ...) - TODO: check + - checkpw <unfixed> CVE-2015-0884 (Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack ...) NOT-FOR-US: Toshiba Bluetooth Stack CVE-2015-0883 (SYNCK GRAPHICA Mailform Pro CGI 4.1.4 and 4.1.5, when the mailauth ...) @@ -7334,8 +7330,7 @@ RESERVED CVE-2015-0271 [OpenStack dashboard: log file arbitrary file retrieval] RESERVED - - horizon <unfixed> - TODO: check, duplicate bug from Red Hat Bugzilla has restricted access + - horizon <not-affected> (RedHat-specific plugin) CVE-2015-0270 RESERVED CVE-2015-0269 @@ -9059,7 +9054,8 @@ [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav <unfixed> (bug #773626) NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5 - NOTE: needed (confirmed) + NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=ae5e1f3d663a8c9a532d89e588cbc61f171c9186 + NOTE: Pending for 0.8.17 and 11.3 CVE-2014-8543 (libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all ...) - ffmpeg 7:2.4.3-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) 
@@ -20127,8 +20123,6 @@ {DSA-3169-1 DLA-165-1} - eglibc <removed> - glibc 2.19-2 (low; bug #751774) - [wheezy] - eglibc <no-dsa> (Minor issue) - [squeeze] - eglibc <no-dsa> (Minor issue) CVE-2014-4040 (snap in powerpc-utils 1.2.20 produces an archive with fstab and ...) - ppc64-diag <itp> (bug #740179) CVE-2014-4021 (Xen 3.2.x through 4.4.x does not properly clean memory pages recovered ...) @@ -37417,7 +37411,6 @@ - glibc 2.17-94 (low; bug #717178) - eglibc <removed> [wheezy] - eglibc 2.13-38+deb7u1 - [squeeze] - eglibc <no-dsa> (Incorrect hardening, only applies to statically linked binaries) CVE-2013-4787 (Android 1.6 Donut through 4.2 Jelly Bean does not properly check ...) NOT-FOR-US: Android CVE-2013-4786 (The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange ...) @@ -38449,7 +38442,6 @@ - eglibc <removed> - glibc 2.18-1 (low; bug #727181) [wheezy] - eglibc 2.13-38+deb7u1 - [squeeze] - eglibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16072 CVE-2013-4457 (The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent ...) @@ -38905,7 +38897,6 @@ - glibc 2.17-93 (bug #722536) - eglibc <removed> [wheezy] - eglibc 2.13-38+deb7u1 - [squeeze] - eglibc <no-dsa> (Will be fixed in next point update) CVE-2013-4331 (Light Display Manager (aka LightDM) 1.4.x before 1.4.3, 1.6.x before ...) - lightdm 1.6.2-1 (bug #721744) [wheezy] - lightdm <not-affected> (Introduced in 1.4) @@ -39246,7 +39237,6 @@ - eglibc <removed> - glibc 2.17-94 (bug #719558) [wheezy] - eglibc 2.13-38+deb7u1 - [squeeze] - eglibc <no-dsa> (Will be fixed in next point update) NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=14699 NOTE: http://sourceware.org/ml/libc-alpha/2013-05/msg00445.html CVE-2013-4236 (VDSM in Red Hat Enterprise Virtualization 3 and 3.2 allows privileged ...) 
@@ -45432,7 +45422,6 @@ - eglibc <removed> - glibc 2.17-2 (low; bug #704623) [wheezy] - eglibc 2.13-38+deb7u1 - [squeeze] - eglibc <no-dsa> (Minor issue) CVE-2013-1913 (Integer overflow in the load_image function in file-xwd.c in the X ...) {DSA-2813-1} - gimp 2.8.10-0.1 (bug #731305) @@ -50674,7 +50663,6 @@ - eglibc <removed> - glibc 2.17-2 (low; bug #699399) [wheezy] - eglibc 2.13-38+deb7u1 - [squeeze] - eglibc <no-dsa> (Minor issue) NOTE: http://seclists.org/oss-sec/2013/q1/202 CVE-2013-0241 (The QXL display driver in QXL Virtual GPU 0.1.0 allows local users to ...) - xserver-xorg-video-qxl 0.0.17-1 (bug #699396) @@ -56600,7 +56588,6 @@ - eglibc <removed> - glibc 2.17-94 (low; bug #689423) [wheezy] - eglibc 2.13-38+deb7u1 - [squeeze] - eglibc <no-dsa> (Minor issue) CVE-2012-4423 (The virNetServerProgramDispatchCall function in libvirt before 0.10.2 ...) - libvirt 0.9.12-5 (bug #687598) [squeeze] - libvirt <not-affected> (Vulnerable code not present) @@ -56645,7 +56632,6 @@ - eglibc <removed> - glibc 2.17-94 (low; bug #687530) [wheezy] - eglibc 2.13-38+deb7u1 - [squeeze] - eglibc <no-dsa> (Minor issue) CVE-2012-4411 (The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest ...) {DSA-2543-1} - xen 4.1.3-2 @@ -59023,7 +59009,6 @@ CVE-2012-3480 (Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, ...) {DLA-165-1} - eglibc 2.13-36 (bug #684889) - [squeeze] - eglibc <no-dsa> (Minor issue) - glibc 2.13-36 CVE-2012-3479 (lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically ...) {DSA-2603-1} @@ -59259,8 +59244,6 @@ {DSA-3169-1 DLA-165-1} - eglibc <removed> - glibc 2.19-14 (low; bug #681888) - [squeeze] - eglibc <no-dsa> (Minor issue) - [wheezy] - eglibc <no-dsa> (Minor issue) NOTE: Upstream fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5985c6ea868db23380977a35a2167549f9a3653b NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=826943 NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/5 
@@ -59269,7 +59252,6 @@ {DLA-165-1} - glibc 2.13-35 (low; bug #681473) - eglibc 2.13-35 (low; bug #681473) - [squeeze] - eglibc <no-dsa> (Minor issue) NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=13446 NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a4647e727a2a52e1259474c13f4b13288938bed4 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=833704 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
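Review bot: In the @@ -368 hunk the added commit link replaces the "TODO: check" but carries no label, unlike the "NOTE: Fixed by:" form used for the other glibc entry touched in this commit (@@ -456), and it uses an abbreviated hash (3f8cc204fdd0) where that entry uses the full 40-character one. Suggest `NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=<full hash>` so a reader can tell whether the link is the upstream fix or only a reference.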
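Review bot: In the @@ -437 hunk the two "TODO: check" lines for XSA-122 and XSA-121 are dropped without any change to the status lines (both remain `- xen <unfixed>` with only squeeze annotated) and without a NOTE recording what the check concluded; the log message does not mention xen either. Suggest either keeping the TODOs or adding a NOTE with the outcome (which suites are affected, and whether jessie/wheezy need annotating) so the removal is traceable.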
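Review bot: The `[jessie] - rhn-client-tools <no-dsa> (Minor issue)` line added in the @@ -1009 hunk gives no justification beyond "Minor issue" for an entry titled "rhnreg_ks fails to properly validate SSL/TLS certificates"; a certificate validation failure is normally treated as a MITM risk, so a one-line NOTE explaining why it is minor in Debian's context would help whoever revisits this while the package is still `<unfixed>` in unstable (bug #779817).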
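Review bot: The @@ -3314 hunk replaces "NOTE: libav: needed (confirmed)" with the libav commit and adds "NOTE: Pending for 11.3", but the preceding line still says "Applies to 0.8, but in different file (utvideo.c)", and unlike the @@ -9059 hunk, which says "Pending for 0.8.17 and 11.3", nothing here states whether the 0.8 branch gets the fix. Suggest recording the 0.8.x status explicitly, or noting that the utvideo.c variant is not planned for that branch.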
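Review bot: The `- checkpw <unfixed>` line added in the @@ -4027 hunk has no Debian bug reference or severity, whereas the neighbouring `<unfixed>` entry carries one (`- libjbcrypt-java <unfixed> (bug #780102)`). For a remote denial-of-service issue a bug should be filed against checkpw and referenced here as `(bug #NNNNNN)` so the entry can be tracked to a fix rather than sitting unfixed without an owner.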
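Review bot: The @@ -7334 hunk marks horizon as `<not-affected> (RedHat-specific plugin)` while removing the TODO that said the Red Hat Bugzilla duplicate is access-restricted, so the not-affected claim now rests on a source a reader cannot check. Suggest adding a NOTE that names the plugin or links a public reference showing the affected code is not shipped in the Debian horizon package.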
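Review bot: The @@ -37417 hunk removes `[squeeze] - eglibc <no-dsa> (Incorrect hardening, only applies to statically linked binaries)`, but unlike the other eglibc hunks in this commit its visible context contains no `{DSA-... DLA-...}` line confirming that an advisory covered this CVE, and the removed rationale suggests it had been deliberately judged not to need one. Suggest verifying that the CVE is listed in the advisory (DLA-165-1 or whichever applies) and that the advisory line is present before dropping the squeeze annotation.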