Author: jmm
Date: 2017-03-29 17:05:42 +0000 (Wed, 29 Mar 2017)
New Revision: 50177
Modified: data/CVE/list Log: various jessie triage remove one n/a for wavpack in wheezy, seems affected Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-03-29 16:49:53 UTC (rev 50176) +++ data/CVE/list 2017-03-29 17:05:42 UTC (rev 50177) @@ -461,6 +461,7 @@ NOT-FOR-US: MISP (Malware Information Sharing Platform and Threat Sharing) CVE-2017-7214 (An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x ...) - nova <unfixed> (bug #858568) + [jessie] - nova <not-affected> (Vulnerable code not present) NOTE: https://bugs.launchpad.net/nova/+bug/1673569 CVE-2017-7213 RESERVED @@ -1380,6 +1381,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2016/10/16/20 CVE-2017-XXXX [Server certificates are not verified] - profanity <unfixed> (bug #857546) + [jessie] - profanity <no-dsa> (Minor issue) NOTE: https://github.com/boothj5/profanity/issues/280 CVE-2017-7191 (The netjoin processing in Irssi 1.x before 1.0.2 allows attackers to ...) - irssi 1.0.2-1 (bug #857502) 
@@ -4890,22 +4892,25 @@ NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1021740 CVE-2016-10172 (The read_new_config_info function in open_utils.c in Wavpack before ...) - wavpack 5.0.0-2 (bug #853076) + [jessie] - wavpack <not-affected> (Vulnerable code not present) [wheezy] - wavpack <not-affected> (Vulnerable code not present) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561951/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10171 (The unreorder_channels function in cli/wvunpack.c in Wavpack before ...) - wavpack 5.0.0-2 (bug #853076) + [jessie] - wavpack <not-affected> (Vulnerable code not present) [wheezy] - wavpack <not-affected> (Vulnerable code not present) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561939/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10170 (The WriteCaffHeader function in cli/caff.c in Wavpack before 5.1.0 ...) - wavpack 5.0.0-2 (bug #853076) + [jessie] - wavpack <not-affected> (Vulnerable code not present) [wheezy] - wavpack <not-affected> (Vulnerable code not present) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561921/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10169 (The read_code function in read_words.c in Wavpack before 5.1.0 allows ...) - wavpack 5.0.0-2 (bug #853076) - [wheezy] - wavpack <not-affected> (Vulnerable code not present) + [jessie] - wavpack <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/wavpack/mailman/message/35557889/ NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0) CVE-2016-10166 (Integer underflow in the _gdContributionsAlloc function in ...) 
@@ -12385,11 +12390,13 @@ NOTE: https://bugzilla.libav.org/show_bug.cgi?id=984 CVE-2016-9824 (Integer overflow in libswscale/x86/swscale.c in libav 11.8 allows ...) - libav <removed> + [jessie] - libav <no-dsa> (Minor issue) NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00039-libav-signedintoverflow-swscale_c NOTE: https://bugzilla.libav.org/show_bug.cgi?id=983 CVE-2016-9823 (libavcodec/x86/mpegvideo.c in libav 11.8 allows remote attackers to ...) - libav <removed> + [jessie] - libav <no-dsa> (Minor issue) NOTE: https://blogs.gentoo.org/ago/2016/12/01/libav-multiple-crashes-from-the-undefined-behavior-sanitizer NOTE: https://github.com/asarubbo/poc/blob/master/00038-libav-uint8_t64-outofbounds-mpegvideo NOTE: https://bugzilla.libav.org/show_bug.cgi?id=982 @@ -12743,6 +12750,7 @@ RESERVED - mbedtls 2.4.2-1 (bug #857560) - polarssl <removed> (bug #857561) + [jessie] - polarssl <no-dsa> (Minor issue) [wheezy] - polarssl <not-affected> (Vulnerable code not present) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01 NOTE: Wheezy do not have any elliptic curve functionality. Jessie is affected however. @@ -29760,6 +29768,7 @@ RESERVED CVE-2016-6225 (xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does ...) - percona-xtrabackup <unfixed> (bug #851244) + [jessie] - percona-xtrabackup <no-dsa> (Minor issue) NOTE: https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly NOTE: https://github.com/percona/percona-xtrabackup/pull/266 NOTE: https://github.com/percona/percona-xtrabackup/pull/267 
@@ -47940,7 +47949,8 @@ CVE-2016-0808 (Integer overflow in the getCoverageFormat12 function in ...) NOT-FOR-US: Android CVE-2016-0807 (The get_build_id function in elf_utils.cpp in Debuggerd in Android 6.x ...) - - android-platform-system-core 1:7.0.0+r1-1 + - android-platform-system-core 1:7.0.0+r1-1 (unimportant) + NOTE: debuggerd not included, see bug #858177 CVE-2016-0806 (The Qualcomm Wi-Fi driver in the kernel in Android 4.x before 4.4.4, ...) NOT-FOR-US: Android drivers CVE-2016-0805 (The performance event manager for Qualcomm ARM processors in Android ...) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
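Review bot: The `[jessie] - profanity <no-dsa> (Minor issue)` line added in the `@@ -1380,6 +1381,7 @@` hunk carries only the generic reason, while the entry it sits under is titled "Server certificates are not verified". Add a NOTE under that entry recording why this was judged minor for jessie, so that a later triager does not have to re-derive the decision from the upstream issue linked in the existing NOTE.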
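Review bot: In the `@@ -4890,22 +4892,25 @@` hunk, the CVE-2016-10169 entry loses its `[wheezy] - wavpack <not-affected> (Vulnerable code not present)` line, and the only rationale ("seems affected") is in the commit log, not in the file. The three sibling entries (CVE-2016-10172, CVE-2016-10171, CVE-2016-10170) keep wheezy as not-affected and all four cite the same fixing commit, so add a NOTE under CVE-2016-10169 recording what was checked (for example, whether read_code in read_words.c exists in the wheezy and jessie versions). That NOTE would also explain why jessie gets `<no-dsa> (Minor issue)` here but `<not-affected>` for the other three. With the line removed, wheezy has no explicit status for this CVE, so consider stating one rather than leaving it implicit.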