Author: jmm
Date: 2017-02-13 21:57:12 +0000 (Mon, 13 Feb 2017)
New Revision: 48888
Modified:
data/CVE/list
Log:
libwebp unimportant
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-02-13 21:55:06 UTC (rev 48887)
+++ data/CVE/list 2017-02-13 21:57:12 UTC (rev 48888)
@@ -5487,7 +5487,7 @@
CVE-2017-3903
RESERVED
CVE-2017-3902 (Cross-site scripting (XSS) vulnerability in the Web user
interface ...)
- TODO: check
+ NOT-FOR-US: Intel Security ePO
CVE-2017-3901
RESERVED
CVE-2017-3900
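Review bot: The log message "libwebp unimportant" does not cover the triage change at CVE-2017-3902, where "TODO: check" becomes "NOT-FOR-US: Intel Security ePO". Mention the NOT-FOR-US triage in the log, or commit it separately, so the revision history for this entry can be found by its message.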
@@ -5499,7 +5499,7 @@
CVE-2017-3897
RESERVED
CVE-2017-3896 (Unvalidated parameter vulnerability in the remote log viewing
...)
- TODO: check
+ NOT-FOR-US: Intel McAfee
CVE-2017-3895
RESERVED
CVE-2016-10087 (The png_set_text_2 function in libpng 0.71 before 1.0.67,
1.2.x before ...)
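Review bot: The tag added at CVE-2017-3896, "NOT-FOR-US: Intel McAfee", names only a vendor, while the tag added for CVE-2017-3902 in the previous hunk reads "NOT-FOR-US: Intel Security ePO" and includes the product. Use one vendor spelling for both entries and name the affected product here as well, so that searches over NOT-FOR-US tags match both.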
@@ -16621,13 +16621,14 @@
CVE-2016-9031 (An exploitable integer overflow exists in the Joyent SmartOS
...)
NOT-FOR-US: Joyent SmartOS
CVE-2016-9085 (Multiple integer overflows in libwebp allows attackers to have
...)
- - libwebp <unfixed> (bug #842714)
+ - libwebp <unfixed> (unimportant; bug #842714)
[wheezy] - libwebp <not-affected> (vulnerable code not present)
NOTE:
https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83
NOTE: Report: https://bugs.chromium.org/p/webp/issues/detail?id=314
(private)
NOTE: For libwebp only in examples, but other projects seem to use the
gifdec.c
NOTE: Origin of the file seems to be from libav
- TODO: check: 0.5.1-3 claims the upload fixed CVE-2016-8888 and
CVE-2016-9085 but the taken patch looks different, needs investigation
+ NOTE: 0.5.1-3 claims the upload fixed CVE-2016-8888 and CVE-2016-9085
but the taken patches
+ NOTE: look different, needs further investigation before marking as
fixed
CVE-2016-9084 (drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through
4.8.11 ...)
- linux 4.8.11-1
[jessie] - linux 3.16.39-1
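Review bot: At the end of the CVE-2016-9085 entry, the "TODO: check" line is replaced by two NOTE lines that still say "needs further investigation before marking as fixed", so the open work item loses its TODO marker while remaining unresolved. Either keep a TODO line for the 0.5.1-3 patch comparison or record the outstanding check in bug #842714. The new "unimportant" tag on the "- libwebp <unfixed>" line also has no stated rationale next to it. If the reason is the existing note "For libwebp only in examples", say so explicitly, since the same note adds that other projects seem to use gifdec.c. Finally, the sentence is split mid-clause across two NOTE lines ("but the taken patches" / "look different"); a single NOTE or a break at a clause boundary would read more cleanly.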
_______________________________________________
Secure-testing-commits mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits