[Secure-testing-commits] r50226 - data/CVE

Fri, 31 Mar 2017 07:50:40 -0700 

Author: jmm
Date: 2017-03-31 14:50:12 +0000 (Fri, 31 Mar 2017)
New Revision: 50226

Modified:
   data/CVE/list
Log:
initial ntp triage
libgit no-dsa/not-affected


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-03-31 11:14:25 UTC (rev 50225)
+++ data/CVE/list       2017-03-31 14:50:12 UTC (rev 50226)
@@ -2440,23 +2440,25 @@
        - ntp 1:4.2.8p10+dfsg-1
        NOTE: http://support.ntp.org/bin/view/Main/NtpBug3387
 CVE-2017-6462 (Buffer overflow in the legacy Datum Programmable Time Server 
(DPTS) ...)
-       - ntp 1:4.2.8p10+dfsg-1
-       [wheezy] - ntp <no-dsa> (Minor issue)
+       - ntp 1:4.2.8p10+dfsg-1 (unimportant)
        NOTE: http://support.ntp.org/bin/view/Main/NtpBug3388
+       NOTE: Obscure legacy feature, no real impact
 CVE-2017-6461
        REJECTED
 CVE-2017-6460 (Stack-based buffer overflow in the reslist function in ntpq in 
NTP ...)
        - ntp 1:4.2.8p10+dfsg-1
+       [jessie] - ntp <not-affected> (Vulnerable code not present)
+       [wheezy] - ntp <not-affected> (Vulnerable code not present)
        NOTE: http://support.ntp.org/bin/view/Main/NtpBug3377
+       NOTE: https://cure53.de/pentest-report_ntp.pdf
 CVE-2017-6459 (The Windows installer for NTP before 4.2.8p10 and 4.3.x before 
4.3.94 ...)
        - ntp <not-affected> (NTP on Windows)
        NOTE: http://support.ntp.org/bin/view/Main/NtpBug3382
 CVE-2017-6458 (Multiple buffer overflows in the ctl_put* functions in NTP 
before ...)
-       - ntp 1:4.2.8p10+dfsg-1
-       [wheezy] - ntp <no-dsa> (Minor issue)
+       - ntp 1:4.2.8p10+dfsg-1 (unimportant)
        NOTE: http://support.ntp.org/bin/view/Main/NtpBug3379
-       NOTE: The vulnerability can only be triggered by adding very long
-       NOTE: variable names (200 bytes or more) in ntpd.conf file.
+       NOTE: https://cure53.de/pentest-report_ntp.pdf
+       NOTE: This is not a vulnerability per se, but a weakness in an internal 
helper function
 CVE-2017-6457
        REJECTED
 CVE-2017-6456
@@ -6505,14 +6507,17 @@
        NOTE: 
https://github.com/libgit2/libgit2/commit/ca531956619f021913ac01669b3818a705b7b676
 (v0.24.6)
 CVE-2016-10130 (The http_connect function in transports/http.c in libgit2 
before ...)
        - libgit2 <unfixed> (bug #851406)
+       [jessie] - libgit2 <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22
 (v0.25.1)
        NOTE: 
https://github.com/libgit2/libgit2/commit/b5c6a1b407b7f8b952bded2789593b68b1876211
 (v0.24.6)
 CVE-2016-10129 (The Git Smart Protocol support in libgit2 before 0.24.6 and 
0.25.x ...)
        - libgit2 <unfixed> (bug #851406)
+       [jessie] - libgit2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a
 (v0.25.1)
        NOTE: 
https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037
 (v0.24.6)
 CVE-2016-10128 (Buffer overflow in the git_pkt_parse_line function in ...)
        - libgit2 <unfixed> (bug #851406)
+       [jessie] - libgit2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
 (v0.25.1)
        NOTE: 
https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2
 (v0.24.6)
 CVE-2016-10126 (Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x 
before ...)


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

Reply via email to