Author: jmm
Date: 2017-03-03 17:38:29 +0000 (Fri, 03 Mar 2017)
New Revision: 49394

Modified:
   data/CVE/list
Log:
profanity n/a in jessie
more qemu triage
NFUs
historic validator.js issues


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-03-03 16:08:46 UTC (rev 49393)
+++ data/CVE/list       2017-03-03 17:38:29 UTC (rev 49394)
@@ -2497,6 +2497,7 @@
        - psi-plus <not-affected> (vulnerable code not present, XEP-0280 not 
implemented)
 CVE-2017-5592 (An incorrect implementation of &quot;XEP-0280: Message 
Carbons&quot; in multiple ...)
        - profanity <unfixed> (bug #854735)
+       [jessie] - profanity <not-affected> (Vulnerable code not present)
        [stretch] - profanity 0.4.7-1.1
 CVE-2017-5591 (An incorrect implementation of &quot;XEP-0280: Message 
Carbons&quot; in multiple ...)
        - sleekxmpp <unfixed> (bug #854739)
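Review bot: the new jessie line's reason "Vulnerable code not present" should say which code is missing, the way the psi-plus entry at the top of this hunk does ("vulnerable code not present, XEP-0280 not implemented"); otherwise a later triager cannot verify the not-affected claim against the jessie profanity source. If that is the basis, suggest `[jessie] - profanity <not-affected> (Vulnerable code not present, XEP-0280 not implemented)`, and lowercase "vulnerable" to match the psi-plus line.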
@@ -9003,6 +9004,7 @@
        NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11
 CVE-2016-9915 (Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) 
allows ...)
        - qemu 1:2.8+dfsg-1 (bug #847496)
+       [jessie] - qemu <no-dsa> (Minor issue)
        [wheezy] - qemu <no-dsa> (handle driver not included during compilation)
        - qemu-kvm <removed>
        [wheezy] - qemu-kvm <no-dsa> (handle driver not included during 
compilation)
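Review bot: the wheezy lines in this hunk are tagged <no-dsa> with a build-configuration reason (handle driver not included during compilation), but the new jessie line only says "(Minor issue)". If the jessie qemu build also omits the handle driver, `<not-affected> (handle driver not included during compilation)` is the precise tag; if jessie does build it, the reason should say so, so the assessment can be checked against the jessie build configuration rather than taken on trust.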
@@ -9013,6 +9015,7 @@
        NOTE: proxy driver not included during compilation in wheezy, see 
debian-lts ML: https://lists.debian.org/debian-lts/2016/12/msg00136.html
 CVE-2016-9914 (Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows 
local ...)
        - qemu 1:2.8+dfsg-1 (bug #847496)
+       [jessie] - qemu <no-dsa> (Minor issue)
        [wheezy] - qemu <no-dsa> (proxy and handle drivers not included during 
compilation)
        - qemu-kvm <removed>
        [wheezy] - qemu-kvm <no-dsa> (proxy and handle drivers not included 
during compilation)
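Review bot: the debian-lts NOTE above covers only wheezy (proxy driver not compiled in), and the wheezy lines here give "proxy and handle drivers not included during compilation" as the reason, yet the new jessie line is a bare `<no-dsa> (Minor issue)`. Record whether jessie's qemu compiles these 9pfs backends: if not, `<not-affected>` with that reason is the accurate tag; if it does, the reason should name the driver so the "minor" assessment is traceable.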
@@ -19087,6 +19090,7 @@
 CVE-2016-8669 (The serial_update_parameters function in hw/char/serial.c in 
QEMU (aka ...)
        {DLA-679-1 DLA-678-1}
        - qemu 1:2.8+dfsg-1 (bug #840945)
+       [jessie] - qemu <no-dsa> (Minor issue)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02461.html
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1384909
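Review bot: wheezy received DLA-679-1/DLA-678-1 for this issue, while the new jessie line is `<no-dsa> (Minor issue)`; a short NOTE explaining why the issue warranted an LTS update for wheezy but not a DSA for jessie (or that it is queued for a point release) would keep the two assessments in one entry from reading as contradictory.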
@@ -19100,6 +19104,7 @@
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1384896
 CVE-2016-8667 (The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick 
...)
        - qemu <unfixed> (bug #840950)
+       [jessie] - qemu <no-dsa> (Minor issue)
        [wheezy] - qemu <no-dsa> (minor issue)
        - qemu-kvm <removed>
        [wheezy] - qemu-kvm <not-affected> (Code only affects mips platform)
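Review bot: the wheezy qemu line spells the reason "(minor issue)" while the new jessie line uses "(Minor issue)"; within one CVE entry the two should match. The qemu-kvm line below also gives a platform-specific reason ("Code only affects mips platform"); if that also applies to the jessie qemu binaries, `<not-affected>` with that reason would be more precise than `<no-dsa>`, and if jessie ships the affected target, the reason should mention it.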
@@ -19724,6 +19729,7 @@
 CVE-2016-8578 (The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in 
QEMU ...)
        {DLA-679-1 DLA-678-1}
        - qemu 1:2.8+dfsg-1 (bug #840340)
+       [jessie] - qemu <no-dsa> (Minor issue)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07143.html
        NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=ba42ebb863ab7d40adc79298422ed9596df8f73a
@@ -20506,6 +20512,7 @@
        NOTE: http://www.openwall.com/lists/oss-security/2016/09/16/4
 CVE-2016-7421 (The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c 
in QEMU ...)
        - qemu 1:2.7+dfsg-1 (bug #838147)
+       [jessie] - qemu <no-dsa> (Minor issue)
        [wheezy] - qemu <not-affected> (Vulnerable code not present, introduced 
after 1.5)
        - qemu-kvm <not-affected> (Vulnerable code not present, introduced 
after 1.5)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03609.html
@@ -23746,6 +23753,7 @@
 CVE-2016-7170 (The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU 
(aka ...)
        {DLA-653-1 DLA-652-1}
        - qemu 1:2.8+dfsg-1 (bug #837316)
+       [jessie] - qemu <no-dsa> (Minor issue)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01764.html
        NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=167d97a3def77ee2dbf6e908b0ecbfe2103977db
@@ -23782,6 +23790,7 @@
 CVE-2016-7161 (Heap-based buffer overflow in the .receive callback of ...)
        {DLA-653-1 DLA-652-1}
        - qemu 1:2.7+dfsg-1 (bug #838850)
+       [jessie] - qemu <no-dsa> (Minor issue)
        - qemu-kvm <removed>
        NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=a0d1cbdacff5df4ded16b753b38fdd9da6092968
 (2.7.0-rc3)
        NOTE: http://patchwork.ozlabs.org/patch/657076/
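Review bot: CVE-2016-7161 is described as a heap-based buffer overflow, and "(Minor issue)" on the new jessie line does not say why it is considered minor; the other jessie `<no-dsa>` reasons in this file that cite a specific driver, platform or build option are far easier to revisit later. State the basis for the assessment in the reason or in a NOTE so it can be reconsidered if a DSA later becomes warranted.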
@@ -33921,7 +33930,7 @@
 CVE-2016-4327 (Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement 
Server ...)
        NOT-FOR-US: WSO2 SOA Enablement Server
 CVE-2016-4326 (The Chef Manage (formerly opscode-manage) add-on before 1.12.0 
for ...)
-       TODO: check
+       NOT-FOR-US: Chef Manage addon
 CVE-2016-4325 (Lantronix xPrintServer devices with firmware before 5.0.1-65 
have ...)
        NOT-FOR-US: Lantronix xPrintServer
 CVE-2016-4324 (Use-after-free vulnerability in LibreOffice before 5.1.4 allows 
remote ...)
@@ -34589,15 +34598,15 @@
        NOTE: https://github.com/chjj/marked/issues/497
        NOTE: libv8 is not covered by security support
 CVE-2014-9772 (The validator package before 2.0.0 for Node.js allows remote 
attackers ...)
-       TODO: check
+       - validator.js <not-affected> (Fixed before initial release)
 CVE-2013-7454 (The validator module before 1.1.0 for Node.js allows remote 
attackers ...)
-       TODO: check
+       - validator.js <not-affected> (Fixed before initial release)
 CVE-2013-7453 (The validator module before 1.1.0 for Node.js allows remote 
attackers ...)
-       TODO: check
+       - validator.js <not-affected> (Fixed before initial release)
 CVE-2013-7452 (The validator module before 1.1.0 for Node.js allows remote 
attackers ...)
-       TODO: check
+       - validator.js <not-affected> (Fixed before initial release)
 CVE-2013-7451 (The validator module before 1.1.0 for Node.js allows remote 
attackers ...)
-       TODO: check
+       - validator.js <not-affected> (Fixed before initial release)
 CVE-2015-8866 (ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 
5.6.6, when ...)
        {DLA-499-1}
        - php5 5.6.6+dfsg-1
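Review bot: "(Fixed before initial release)" on the five validator.js lines would be verifiable if it carried version numbers: the CVE texts give the fixed upstream versions (2.0.0 for CVE-2014-9772, 1.1.0 for the four CVE-2013 entries), so naming the first Debian upload's upstream version in the reason, or in one NOTE after the last entry, lets a later reader confirm the claim without digging through the changelog. Also confirm that validator.js is the exact Debian source package name rather than the upstream project name, since the tracker matches on source package.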
@@ -41796,7 +41805,7 @@
 CVE-2016-1884
        RESERVED
 CVE-2016-1883 (The issetugid system call in the Linux compatibility layer in 
FreeBSD ...)
-       - kfreebsd-10 10.3~svn300087-1
+       - kfreebsd-10 10.3~svn300087-1 (unimportant)
        - kfreebsd-9 <removed> (unimportant)
        NOTE: kfreebsd not covered by security support in Jessie
 CVE-2016-1882 (FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9 
allow ...)
@@ -45357,57 +45366,57 @@
 CVE-2016-0851 (Advantech WebAccess before 8.1 allows remote attackers to cause 
a ...)
        NOT-FOR-US: Advantech
 CVE-2016-0850 (The PORCHE_PAIRING_CONFLICT feature in Bluetooth in Android 4.x 
before ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-0849 (Multiple integer overflows in minzip/SysUtil.c in the Recovery 
...)
        TODO: check
 CVE-2016-0848 (Race condition in Download Manager in Android 4.x before 4.4.4, 
5.0.x ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-0847 (The Telecom Component in Android 5.0.x before 5.0.2, 5.1.x 
before ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-0846 (libs/binder/IMemory.cpp in the IMemory Native Interface in 
Android 4.x ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-0845
        RESERVED
 CVE-2016-0844 (The Qualcomm RF driver in Android 6.x before 2016-04-01 does 
not ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm driver for Android
 CVE-2016-0843 (The Qualcomm ARM processor performance-event manager in Android 
4.x ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm driver for Android
 CVE-2016-0842 (The H.264 decoder in libstagefright in Android 6.x before 
2016-04-01 ...)
        NOT-FOR-US: libstagefright
 CVE-2016-0841 (media/libmedia/mediametadataretriever.cpp in mediaserver in 
Android ...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0840 (Multiple stack-based buffer underflows in 
decoder/ih264d_parse_cavlc.c ...)
        TODO: check
 CVE-2016-0839 (post_proc/volume_listener.c in mediaserver in Android 6.x 
before ...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0838 (Sonivox in mediaserver in Android 4.x before 4.4.4, 5.0.x 
before ...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0837 (MPEG4Extractor.cpp in libstagefright in mediaserver in Android 
4.x ...)
        NOT-FOR-US: libstagefright
 CVE-2016-0836 (Stack-based buffer overflow in decoder/impeg2d_vld.c in 
mediaserver in ...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0835 (decoder/impeg2d_dec_hdr.c in mediaserver in Android 6.x before 
...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0834 (An unspecified media codec in mediaserver in Android 6.x before 
...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0833
        RESERVED
 CVE-2016-0832 (Setup Wizard in Android 5.1.x before LMY49H and 6.x before 
2016-03-01 ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-0831 (The getDeviceIdForPhone function in ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-0830 (btif_config.c in Bluetooth in Android 6.x before 2016-03-01 
allows ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-0829 (The BnGraphicBufferProducer::onTransact function in ...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0828 (The BnGraphicBufferConsumer::onTransact function in ...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0827 (Multiple integer overflows in libeffects in mediaserver in 
Android 4.x ...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0826 (libcameraservice in mediaserver in Android 4.x before 4.4.4, 
5.x ...)
-       TODO: check
+       NOT-FOR-US: Android Mediaserver
 CVE-2016-0825 (The Widevine Trusted Application in Android 6.0.1 before 
2016-03-01 ...)
-       TODO: check
+       NOT-FOR-US: Android
 CVE-2016-0824 (libmpeg2 in libstagefright in Android 6.x before 2016-03-01 
allows ...)
        NOT-FOR-US: libstagefright
 CVE-2016-0823 (The pagemap_open function in fs/proc/task_mmu.c in the Linux 
kernel ...)
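Review bot: two entries in this hunk remain at "TODO: check" (CVE-2016-0849, minzip/SysUtil.c, and CVE-2016-0840, decoder/ih264d_parse_cavlc.c) while every entry around them is resolved; if they were left open deliberately because the affected code might be shipped in a Debian package, a NOTE naming the package being checked would stop the next triager from blanket-tagging them NOT-FOR-US too. Separately, CVE-2016-0829 and CVE-2016-0828 are tagged "Android Mediaserver" although their visible descriptions (BnGraphicBufferProducer/BnGraphicBufferConsumer::onTransact) do not mention mediaserver; plain "NOT-FOR-US: Android" avoids asserting a component the text does not give.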
@@ -45423,9 +45432,9 @@
        - linux 4.3.1-1
        NOTE: Upstream patch: 
https://git.kernel.org/linus/8a5e5e02fc83aaf67053ab53b359af08c6c49aaf (v4.3-rc1)
 CVE-2016-0820 (The MediaTek Wi-Fi kernel driver in Android 6.0.1 before 
2016-03-01 ...)
-       TODO: check
+       NOT-FOR-US: MediaTek driver for Android
 CVE-2016-0819 (The Qualcomm performance component in Android 4.x before 4.4.4, 
5.x ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm driver for Android
 CVE-2016-0818 (The caching functionality in the TrustManagerImpl class in ...)
        TODO: check
 CVE-2016-0817
@@ -51182,7 +51191,7 @@
 CVE-2015-7474
        RESERVED
 CVE-2015-7473 (runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local 
users to ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2015-7472 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 
6.1.5.3 ...)
        NOT-FOR-US: IBM
 CVE-2015-7471
@@ -51204,7 +51213,7 @@
 CVE-2015-7463
        RESERVED
 CVE-2015-7462 (IBM WebSphere MQ 8.0.0.4 on IBM i platforms allows local users 
to ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2015-7461
        RESERVED
 CVE-2015-7460
@@ -51220,7 +51229,7 @@
 CVE-2015-7455 (IBM WebSphere Portal 7.x through 7.0.0.2 CF29, 8.0.x before 
8.0.0.1 ...)
        NOT-FOR-US: IBM
 CVE-2015-7454 (Business Space in IBM WebSphere Process Server 6.1.2.0 through 
7.0.0.5 ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2015-7453
        RESERVED
 CVE-2015-7452 (IBM Maximo Asset Management 7.5 before 7.5.0.9 FP9 and 7.6 
before ...)
@@ -51232,11 +51241,11 @@
 CVE-2015-7449
        RESERVED
 CVE-2015-7448 (SQL injection vulnerability in IBM Maximo Asset Management 7.1 
through ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2015-7447 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 
6.1.5.3 ...)
        NOT-FOR-US: IBM
 CVE-2015-7446 (Cross-site request forgery (CSRF) vulnerability in IBM Flash 
System ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2015-7445 (IBM Multi-Enterprise Integration Gateway 1.0 through 1.0.0.1 
and B2B ...)
        NOT-FOR-US: IBM
 CVE-2015-7444 (The Update Installer in IBM WebSphere Commerce Enterprise 
7.0.0.8 and ...)
@@ -51292,7 +51301,7 @@
 CVE-2015-7419 (IBM WebSphere Portal 8.0.0.1 before CF19 and 8.5.0 before CF09 
allows ...)
        NOT-FOR-US: IBM
 CVE-2015-7418 (IBM WebSphere eXtreme Scale and the WebSphere DataPower XC10 
Appliance ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2015-7417 (Cross-site scripting (XSS) vulnerability in IBM WebSphere 
Application ...)
        NOT-FOR-US: IBM WebSphere Application Server
 CVE-2015-7416 (AFP Workbench Viewer in IBM i Access 7.1 on Windows allows 
remote ...)
@@ -51306,7 +51315,7 @@
 CVE-2015-7412 (The GatewayScript modules on IBM DataPower Gateways with 
software ...)
        NOT-FOR-US: IBM
 CVE-2015-7411 (The portal client in IBM Tivoli Monitoring (ITM) 6.2.2 through 
FP9, ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2015-7410 (The Health Check tool in IBM Sterling B2B Integrator 5.2 does 
not ...)
        NOT-FOR-US: IBM
 CVE-2015-7409 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar 
SIEM ...)
@@ -51382,7 +51391,7 @@
 CVE-2015-7379
        RESERVED
 CVE-2015-7378 (Panda Security URL Filtering before 4.3.1.9 uses a weak ACL for 
the ...)
-       TODO: check
+       NOT-FOR-US: Panda Security
 CVE-2015-7377 (Cross-site scripting (XSS) vulnerability in ...)
        NOT-FOR-US: Pie Register plugin for WordPress
 CVE-2015-7376
@@ -51412,13 +51421,13 @@
 CVE-2015-7364 (The HTML_Quickform library, as used in Revive Adserver before 
3.2.2, ...)
        NOT-FOR-US: Revive Adserver
 CVE-2015-7363 (Cross-site scripting (XSS) vulnerability in the advanced 
settings page ...)
-       TODO: check
+       NOT-FOR-US: Fortinet
 CVE-2015-7362 (Fortinet FortiClient Linux SSLVPN before build 2313, when 
installed on ...)
-       TODO: check
+       NOT-FOR-US: Fortinet
 CVE-2015-7361 (FortiOS 5.2.3, when configured to use High Availability (HA) 
and the ...)
        NOT-FOR-US: FortiOS
 CVE-2015-7360 (Multiple cross-site scripting (XSS) vulnerabilities in the Web 
User ...)
-       TODO: check
+       NOT-FOR-US: Fortinet
 CVE-2015-XXXX [DoS]
        - libemail-address-perl 1.908-1
        [jessie] - libemail-address-perl <no-dsa> (Minor issue vs. usability 
impact of module)
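Review bot: the truncated descriptions for CVE-2015-7363 ("advanced settings page") and CVE-2015-7360 ("Web User ...") do not name a vendor, so the "NOT-FOR-US: Fortinet" attribution rests on the adjacent FortiClient and FortiOS entries; the tag is plausible, but it should be confirmed from the full CVE text rather than from position in the list, and the product name added once known, as the CVE-2015-7361 line does with "FortiOS".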
@@ -51530,7 +51539,7 @@
 CVE-2015-7310 (McAfee Enterprise Security Manager (ESM), Enterprise Security 
...)
        NOT-FOR-US: McAfee
 CVE-2015-7309 (The theme editor in Bolt before 2.2.5 does not check the file 
...)
-       TODO: check
+       NOT-FOR-US: Bolt CMS
 CVE-2015-7314 (The Precious module in gollum before 4.0.1 allows remote 
attackers to ...)
        NOT-FOR-US: Gollum wiki
 CVE-2015-7308
@@ -51552,7 +51561,7 @@
 CVE-2015-7300
        RESERVED
 CVE-2015-7299 (SQL injection vulnerability in Runtime/Runtime/AjaxCall.ashx in 
K2 ...)
-       TODO: check
+       NOT-FOR-US: K2
 CVE-2015-7298 (ownCloud Desktop Client before 2.0.1, when compiled with a Qt 
release ...)
        - owncloud-client 2.0.0+dfsg-1
        [jessie] - owncloud-client <not-affected> (not compiled with a Qt 
release greater than 5.3.x)
@@ -51687,11 +51696,11 @@
 CVE-2015-7245
        RESERVED
 CVE-2015-7244 (The default configuration of the server in MobaXterm before 8.3 
has a ...)
-       TODO: check
+       NOT-FOR-US: MobaXterm
 CVE-2015-7243 (Buffer overflow in Boxoft WAV to MP3 Converter allows remote 
attackers ...)
        NOT-FOR-US: Boxoft
 CVE-2015-7242 (Cross-site scripting (XSS) vulnerability in the 
Push-Service-Mails ...)
-       TODO: check
+       NOT-FOR-US: AVM
 CVE-2015-7241
        RESERVED
 CVE-2015-7240
@@ -52178,7 +52187,7 @@
 CVE-2015-7083 (The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS 
before ...)
        NOT-FOR-US: Apple
 CVE-2015-7082 (Multiple unspecified vulnerabilities in Git before 2.5.4, as 
used in ...)
-       TODO: check
+       NOT-FOR-US: Apple-specific git extension for Xcode
 CVE-2015-7081 (iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows 
remote ...)
        NOT-FOR-US: Apple
 CVE-2015-7080 (Siri in Apple iOS before 9.2 allows physically proximate 
attackers to ...)
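Review bot: the description says the flaws are in "Git before 2.5.4, as used in ...", which on its face covers the git package Debian ships, so "NOT-FOR-US: Apple-specific git extension for Xcode" needs a NOTE pointing at the Apple advisory or the upstream material showing that the affected code exists only in Apple's Xcode git; without it the entry reads as a git issue that was dismissed without a reason.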
@@ -52316,11 +52325,11 @@
 CVE-2015-7014 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, 
and ...)
        NOT-FOR-US: Apple
 CVE-2015-7013 (WebKit, as used in Apple Safari before 9.0.1 and iTunes before 
12.3.1, ...)
-       TODO: check
+       NOT-FOR-US: Webkit as used by Apple
 CVE-2015-7012 (WebKit, as used in Apple iOS before 9.1, Safari before 9.0.1, 
and ...)
        NOT-FOR-US: Apple
 CVE-2015-7011 (WebKit, as used in Apple Safari before 9.0.1 and iTunes before 
12.3.1, ...)
-       TODO: check
+       NOT-FOR-US: Webkit as used by Apple
 CVE-2015-7010 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 
allows ...)
        NOT-FOR-US: Apple
 CVE-2015-7009 (FontParser in Apple iOS before 9.1 and OS X before 10.11.1 
allows ...)
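Review bot: the neighbouring WebKit entries in this hunk (CVE-2015-7014, CVE-2015-7012) are tagged plainly "NOT-FOR-US: Apple", while the two new lines use "Webkit as used by Apple". If the distinction is intended (an engine bug reached only through Apple's Safari and iTunes builds), spell it "WebKit" as the descriptions do and add a NOTE on why it does not reach other WebKit ports; otherwise use the same "NOT-FOR-US: Apple" tag for consistency.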
@@ -52660,7 +52669,7 @@
 CVE-2015-6857 (Unspecified vulnerability in Virtual Table Server (VTS) in HP 
...)
        NOT-FOR-US: HP Performance Center
 CVE-2015-6856 (Dell Pre-Boot Authentication Driver (PBADRV.sys) 1.0.1.5 allows 
local ...)
-       TODO: check
+       NOT-FOR-US: Dell
 CVE-2015-6854 (The non-Domino web agents in CA Single Sign-On (aka SSO, 
formerly ...)
        TODO: check
 CVE-2015-6853 (The Domino web agent in CA Single Sign-On (aka SSO, formerly 
...)


_______________________________________________
Secure-testing-commits mailing list
secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits