Author: benh
Date: 2016-06-17 18:30:27 +0000 (Fri, 17 Jun 2016)
New Revision: 42605
Modified: data/CVE/list Log: Mark various kernel issues fixed or not-affected Modified: data/CVE/list =================================================================== --- data/CVE/list 2016-06-17 17:45:55 UTC (rev 42604) +++ data/CVE/list 2016-06-17 18:30:27 UTC (rev 42605) @@ -2531,6 +2531,7 @@ NOTE: PHP bug: https://bugs.php.net/bug.php?id=69793 CVE-2016-4805 (Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the ...) - linux 4.5.2-1 + [wheezy] - linux 3.2.81-1 NOTE: Fixed by: https://git.kernel.org/linus/1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 (v4.6-rc1) NOTE: Introduced by: https://git.kernel.org/linus/273ec51dd7ceaa76e038875d85061ec856d8905e (v2.6.30) CVE-2016-4804 (The read_boot function in boot.c in dosfstools before 4.0 allows ...) @@ -7843,7 +7844,7 @@ CVE-2016-2854 (The aufs module for the Linux kernel 3.x and 4.x does not properly ...) - linux 3.18-1~exp1 [jessie] - linux <no-dsa> (Not exploitable in default configuration) - [wheezy] - linux <no-dsa> (User namespaces are non-functional) + [wheezy] - linux <not-affected> (Vulnerable code is not present) NOTE: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/ NOTE: https://sourceforge.net/p/aufs/mailman/message/34864744/ NOTE: This depends on a user namespace creator being able to mount aufs. @@ -7852,7 +7853,7 @@ CVE-2016-2853 (The aufs module for the Linux kernel 3.x and 4.x does not properly ...) - linux 3.18-1~exp1 [jessie] - linux <no-dsa> (Not exploitable in default configuration) - [wheezy] - linux <no-dsa> (User namespaces are non-functional) + [wheezy] - linux <not-affected> (Vulnerable code is not present) NOTE: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/ NOTE: https://sourceforge.net/p/aufs/mailman/message/34864744/ NOTE: This depends on a user namespace creator being able to mount aufs. 
@@ -17929,7 +17930,7 @@ CVE-2015-8374 (fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles ...) - linux 4.2.6-2 [jessie] - linux 3.16.7-ckt20-1+deb8u1 - [wheezy] - linux <no-dsa> (Minor issue, BTRFS only tech-preview in wheezy; can be fixed in a point release) + [wheezy] - linux 3.2.78-1 - linux-2.6 <removed> [squeeze] - linux-2.6 <no-dsa> (btrfs in 2.6.32 is just a tech preview and not usable for production) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7 (v4.4-rc1) @@ -20590,7 +20591,7 @@ CVE-2015-7515 (The aiptek_probe function in drivers/input/tablet/aiptek.c in the ...) - linux 4.4.2-1 [jessie] - linux <no-dsa> (Minor issue) - [wheezy] - linux <no-dsa> (Minor issue) + [wheezy] - linux 3.2.81-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1285326 NOTE: https://os-s.net/advisories/OSS-2016-05_aiptek.pdf NOTE: Upstream commit: https://git.kernel.org/linus/8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 (v4.4-rc6) @@ -23838,8 +23839,7 @@ CVE-2015-6526 (The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c ...) - linux 4.1.3-1 [jessie] - linux 3.16.7-ckt11-1 - [jessie] - linux 3.2.73-2+deb7u1 - [wheezy] - linux <no-dsa> (Will be fixed in next point release) + [wheezy] - linux 3.2.71-1 - linux-2.6 <removed> [squeeze] - linux-2.6 <not-affected> (powerpc not supported in Squeeze LTS) NOTE: http://www.openwall.com/lists/oss-security/2015/08/18/4 
@@ -37581,8 +37581,8 @@ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/14 CVE-2015-XXXX [Linux ASLR mmap weakness: Reducing entropy by half] - linux 4.0.2-1 - [wheezy] - linux <no-dsa> (Minor issue) - [jessie] - linux <no-dsa> (Minor issue) + [wheezy] - linux 3.2.71-1 + [jessie] - linux 3.16.7-ckt17-1 - linux-2.6 <removed> [squeeze] - linux-2.6 <not-affected> (powerpc not supported in Squeeze LTS) NOTE: http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html
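Review bot: In the CVE-2016-2854 hunk (and the identical CVE-2016-2853 hunk after it), the new wheezy status `<not-affected> (Vulnerable code is not present)` has no supporting NOTE. The existing NOTE lines only say the issue depends on a user namespace creator being able to mount aufs, which matches the old reason rather than the new one. Consider adding a NOTE naming the aufs change or version that introduced the vulnerable code, the way the CVE-2016-4805 entry carries an "Introduced by:" line.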
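Review bot: In the CVE-2015-7515 hunk, wheezy moves from `<no-dsa> (Minor issue)` to fixed in 3.2.81-1 while the unchanged `[jessie] - linux <no-dsa> (Minor issue)` line stays as it was. That leaves the older release marked fixed and the newer one still open below 4.4.2-1. If that is intended, a short NOTE saying so would help; otherwise the jessie line should be revisited in the same pass.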
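Review bot: In the CVE-2015-6526 hunk, the removed line `[jessie] - linux 3.2.73-2+deb7u1` sat under a jessie tag but carried a 3.2-series version like the wheezy lines elsewhere in this diff, and the replacement records wheezy as fixed in 3.2.71-1 rather than in that version. Please confirm that 3.2.71-1 is the first wheezy upload containing the fix, and mention the cleanup of the duplicate jessie line in the log message, which currently only says "Mark various kernel issues fixed or not-affected".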
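Review bot: In the CVE-2015-XXXX (ASLR mmap weakness) hunk, the unchanged squeeze line still reads `<not-affected> (powerpc not supported in Squeeze LTS)`, the same reason given under CVE-2015-6526, whose description names arch/powerpc/perf/callchain.c. The heading of this entry does not mention powerpc, so the reason may have been copied from the other entry. Since this hunk now records fixed versions for wheezy (3.2.71-1) and jessie (3.16.7-ckt17-1), it would be worth checking the squeeze reason at the same time and adding a NOTE with the fixing commit to back the new versions.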