Author: jmm
Date: 2017-02-07 21:52:57 +0000 (Tue, 07 Feb 2017)
New Revision: 48763
Modified:
data/CVE/list
Log:
cgiemail scheduled for removal
jasper triage
kgb-bot no-dsa
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-02-07 21:10:16 UTC (rev 48762)
+++ data/CVE/list 2017-02-07 21:52:57 UTC (rev 48763)
@@ -1059,13 +1059,15 @@
NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/114
NOTE: CVE Request:
http://www.openwall.com/lists/oss-security/2017/01/25/10
CVE-2017-XXXX [jasper: NULL pointer dereference in jp2_cdef_destroy
(jp2_cod.c)]
- - jasper <unfixed>
+ - jasper <unfixed> (unimportant)
NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/112
NOTE: CVE Request:
http://www.openwall.com/lists/oss-security/2017/01/25/8
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2017-XXXX [jasper: invalid memory read in jas_matrix_bindsub (jas_seq.c)]
- - jasper <unfixed>
+ - jasper <unfixed> (unimportant)
NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/113
NOTE: CVE Request:
http://www.openwall.com/lists/oss-security/2017/01/25/9
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2017-5618 [screen privilege escalation]
RESERVED
- screen 4.5.0-3 (bug #852484)
@@ -1278,18 +1280,22 @@
CVE-2017-5616 [Reflected XSS vulnerability]
RESERVED
- cgiemail <removed> (bug #852031)
+ [jessie] - cgiemail <no-dsa> (Will be removed in next point update)
NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
CVE-2017-5615 [SEC-215 HTTP header injection]
RESERVED
- cgiemail <removed> (bug #852031)
+ [jessie] - cgiemail <no-dsa> (Will be removed in next point update)
NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
CVE-2017-5614 [SEC-214 Open redirect]
RESERVED
- cgiemail <removed> (bug #852031)
+ [jessie] - cgiemail <no-dsa> (Will be removed in next point update)
NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
CVE-2017-5613 [SEC-212 Format string injection]
RESERVED
- cgiemail <removed> (bug #852031)
+ [jessie] - cgiemail <no-dsa> (Will be removed in next point update)
NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
CVE-2016-10155 [watchdog: memory leakage in virtual hardware watchdog
wdt_i6300esb; CVE for the memory consumption issue, not an information
disclosure issue]
RESERVED
@@ -1840,9 +1846,10 @@
NOTE: Not suitable for code injection, hardly denial of service
CVE-2017-5504
RESERVED
- - jasper <removed>
+ - jasper <removed> (unimportant)
NOTE:
https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jpc_undo_roi-jpc_dec-c
NOTE: https://github.com/mdadams/jasper/issues/89
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2017-5503
RESERVED
- jasper <removed>
@@ -14717,6 +14724,7 @@
CVE-2016-9557 [signed integer overflow in jas_image.c]
RESERVED
- jasper <removed>
+ [jessie] - jasper <no-dsa> (Minor issue)
[wheezy] - jasper <no-dsa> (the fix is too invasive)
NOTE:
https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c
NOTE: Fixed by:
https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
@@ -15694,13 +15702,13 @@
CVE-2016-9262 [use after free in jas_realloc (jas_malloc.c)]
RESERVED
- jasper <removed>
+ [jessie] - jasper <not-affected> (Vulnerable code introduced later)
[wheezy] - jasper <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by:
https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735
NOTE: The use-afer-free seems to be introduced in a version later tha
1.900.1 but the
NOTE: CVE is assigned for everything fixed in the above commit, a such
seems till
- NOTE: present in the 1.900.1 based versions.
+ NOTE: present in the 1.900.1 based versions. Still ok to mark as
not-affected
NOTE:
https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c
- TODO: double-check again
CVE-2016-9258
RESERVED
CVE-2016-9257
@@ -67434,7 +67442,8 @@
NOT-FOR-US: typo3 extension
CVE-2015-1554 [can be crashed by some network traffic]
RESERVED
- - kgb-bot <unfixed> (bug #776424)
+ - kgb-bot <unfixed> (low; bug #776424)
+ [jessie] - kgb-bot <no-dsa> (Minor issue)
CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for
Node.js ...)
NOT-FOR-US: sequelize
CVE-2015-1354
_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
