Author: jmm
Date: 2017-07-11 18:24:47 +0000 (Tue, 11 Jul 2017)
New Revision: 53387

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
yaws duplicate
thrift-compiler n/a
glance, hexchat, radare, ruby: no-dsa
add imagemagick to dsa-needed
NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-07-11 15:27:48 UTC (rev 53386)
+++ data/CVE/list       2017-07-11 18:24:47 UTC (rev 53387)
@@ -605,7 +605,7 @@
 CVE-2017-10975 (Cross-site scripting (XSS) vulnerability in Lutim before 0.8 
might ...)
        NOT-FOR-US: Lutim
 CVE-2017-10974 (Yaws 1.91 allows Unauthenticated Remote File Disclosure via 
HTTP ...)
-       TODO: check
+       NOTE: Looks like a duplicate of CVE-2011-4350, contacted MITRE for 
rejection
 CVE-2017-10973 (In FineCMS before 2017-07-06, 
application/lib/ajax/get_image_data.php ...)
        NOT-FOR-US: FineCMS
 CVE-2017-10970 (Cross-site scripting (XSS) vulnerability in link.php in Cacti 
1.1.12 ...)
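Review bot: the new NOTE on CVE-2017-10974 replaces the `TODO: check` line, so the entry now has no open action even though the MITRE rejection it mentions is still pending. Consider keeping a follow-up marker next to the NOTE (e.g. `TODO: re-check once MITRE responds on the CVE-2011-4350 duplicate`) so the item resurfaces if the rejection does not land.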
@@ -775,7 +775,7 @@
        NOTE: NetBSD Problem report: 
https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
 CVE-2017-10929 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 
1.5.0 ...)
        {DLA-1016-1}
-       - radare2 <unfixed> (bug #867369)
+       - radare2 <unfixed> (low; bug #867369)
        [stretch] - radare2 <no-dsa> (Minor issue)
        [jessie] - radare2 <no-dsa> (Minor issue)
        NOTE: https://github.com/radare/radare2/issues/7855
@@ -3348,6 +3348,8 @@
 CVE-2017-9763 (The grub_ext2_read_block function in fs/ext2.c in GNU GRUB 
before ...)
        - grub2 2.02~beta2-8 (unimportant)
        - radare2 <unfixed>
+       [stretch] - radare2 <no-dsa> (Minor issue)
+       [jessie] - radare2 <no-dsa> (Minor issue)
        [wheezy] - radare2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/radare/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd
        NOTE: https://github.com/radare/radare2/issues/7723
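Review bot: the `- radare2 <unfixed>` line for CVE-2017-9763 carries no severity tag, while the radare2 entry for CVE-2017-10929 in this same commit was changed to `<unfixed> (low; bug #867369)`. Since stretch and jessie are being marked no-dsa as a minor issue here too, the unstable line should state the severity (and a bug reference, if one exists) for consistency.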
@@ -3951,7 +3953,9 @@
        NOT-FOR-US: Synology Photo Station
 CVE-2015-9096 (Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command 
injection ...)
        - ruby2.3 <unfixed> (bug #864860)
+       [stretch] - ruby2.3 <no-dsa> (Minor issue)
        - ruby2.1 <removed>
+       [jessie] - ruby2.1 <no-dsa> (Minor issue)
        - ruby1.9.1 <removed>
        [wheezy] - ruby1.9.1 <no-dsa> (Minor issue, Net::SMTP users should 
validate data they send too)
        - ruby1.8 <removed>
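Review bot: the new `[stretch]` and `[jessie]` no-dsa lines for CVE-2015-9096 give only `(Minor issue)`, whereas the existing wheezy line records the actual rationale (`Net::SMTP users should validate data they send too`). Carrying the same rationale on the new lines keeps the reasoning discoverable without having to read the wheezy entry.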
@@ -7338,7 +7342,7 @@
 CVE-2017-8388 (GeniXCMS 1.0.2 allows remote attackers to bypass the 
alertDanger ...)
        NOT-FOR-US: GeniXCMS
 CVE-2017-8387 (STDU Viewer version 1.6.375 might allow user-assisted attackers 
to ...)
-       TODO: check
+       NOT-FOR-US: STDU Viewer
 CVE-2017-8386 (git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x 
before ...)
        {DSA-3848-1 DLA-938-1}
        - git 1:2.11.0-3
@@ -8311,7 +8315,7 @@
 CVE-2017-8033
        RESERVED
 CVE-2017-8032 (In Cloud Foundry cf-release versions prior to v264; UAA release 
all ...)
-       TODO: check
+       NOT-FOR-US: Cloud Foundry
 CVE-2017-8031
        RESERVED
 CVE-2017-8030
@@ -8779,7 +8783,7 @@
 CVE-2014-9960 (In all Android releases from CAF using the Linux kernel, a 
buffer ...)
        NOT-FOR-US: Qualcomm component for Android
 CVE-2017-7894 (WinDjView 2.1 might allow user-assisted attackers to execute 
code via a ...)
-       TODO: check
+       NOT-FOR-US: WinDjView
 CVE-2017-7893
        RESERVED
 CVE-2017-7892 (Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes 
related to a ...)
@@ -12452,25 +12456,25 @@
 CVE-2017-6736
        RESERVED
 CVE-2017-6735 (A vulnerability in the backup and restore functionality of 
Cisco ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6734 (A vulnerability in the web-based management interface of Cisco 
Identity ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6733 (A vulnerability in the web-based application interface of the 
Cisco ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6732 (A vulnerability in the installation procedure for Cisco Prime 
Network ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6731 (A vulnerability in Multicast Source Discovery Protocol (MSDP) 
ingress ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6730 (A vulnerability in the web-based GUI of Cisco Wide Area 
Application ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6729 (A vulnerability in the Border Gateway Protocol (BGP) processing 
...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6728 (A vulnerability in the CLI of Cisco IOS XR Software could allow 
an ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6727 (A vulnerability in the Server Message Block (SMB) protocol of 
Cisco ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6726 (A vulnerability in the CLI of the Cisco Prime Network Gateway 
could ...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2017-6725 (A vulnerability in the web framework code of Cisco Prime 
Infrastructure ...)
        NOT-FOR-US: Cisco
 CVE-2017-6724 (A vulnerability in the web framework code of Cisco Prime 
Infrastructure ...)
@@ -13988,9 +13992,9 @@
 CVE-2017-6249
        RESERVED
 CVE-2017-6248 (An elevation of privilege vulnerability in the NVIDIA sound 
driver ...)
-       TODO: check
+       NOT-FOR-US: NVIDIA driver for Android
 CVE-2017-6247 (An elevation of privilege vulnerability in the NVIDIA sound 
driver ...)
-       TODO: check
+       NOT-FOR-US: NVIDIA driver for Android
 CVE-2017-6246
        RESERVED
 CVE-2017-6245
@@ -18433,7 +18437,7 @@
 CVE-2017-4977 (EMC RSA Archer Security Operations Management with RSA Unified 
...)
        NOT-FOR-US: EMC
 CVE-2017-4976 (EMC ESRS Policy Manager prior to 6.8 contains an undocumented 
account ...)
-       TODO: check
+       NOT-FOR-US: EMC
 CVE-2017-4975 (An issue was discovered in Pivotal PCF Tile Generator versions 
prior to ...)
        NOT-FOR-US: Pivotal PCF Tile Generator
 CVE-2017-4974 (An issue was discovered in Cloud Foundry Foundation cf-release 
versions ...)
@@ -25683,7 +25687,7 @@
 CVE-2017-2218 (Untrusted search path vulnerability in Installer of QuickTime 
for ...)
        NOT-FOR-US: Installer of QuickTime for Windows
 CVE-2017-2217 (Open redirect vulnerability in WordPress Download Manager prior 
to ...)
-       TODO: check
+       NOT-FOR-US: WordPress Download Manager
 CVE-2017-2216 (Cross-site scripting vulnerability in WordPress Download 
Manager prior ...)
        TODO: check
 CVE-2017-2215 (Untrusted search path vulnerability in Installer of &quot;Setup 
file of ...)
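Review bot: CVE-2017-2217 is marked `NOT-FOR-US: WordPress Download Manager`, but the adjacent CVE-2017-2216, which the description shows is the same product (`WordPress Download Manager`), is left at `TODO: check`. Both should be triaged together; if the first is not for us, the second should get the same `NOT-FOR-US: WordPress Download Manager` line in this commit.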
@@ -47966,6 +47970,8 @@
        NOT-FOR-US: HPE Performance Center
 CVE-2016-4383 (The glance-manage db in all versions of HPE Helion Openstack 
Glance ...)
        - glance <unfixed>
+       [stretch] - glance <no-dsa> (Minor issue)
+       [jessie] - glance <no-dsa> (Minor issue)
        [wheezy] - glance <end-of-life> (Not supported in Wheezy LTS)
        NOTE: https://bugs.launchpad.net/glance/+bug/1593799/
        NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0075
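Review bot: `- glance <unfixed>` for CVE-2016-4383 has no Debian bug reference, unlike the other `<unfixed>` entries touched in this commit (hexchat `bug #852275`, ruby2.3 `bug #864860`). With stretch and jessie now marked no-dsa, the unstable fix is tracked only by this line, so a bug number (or a note that none was filed) would make the open item visible.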
@@ -55084,6 +55090,7 @@
        NOTE: https://kb.isc.org/article/AA-01351
 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 
2.11.0 ...)
        - hexchat <unfixed> (bug #852275)
+       [stretch] - hexchat <no-dsa> (Minor issue)
        [jessie] - hexchat <no-dsa> (Minor issue)
        NOTE: https://www.exploit-db.com/exploits/39656/
        NOTE: https://github.com/hexchat/hexchat/issues/1933
@@ -76982,7 +76989,7 @@
        [squeeze] - policykit-1 <no-dsa> (Minor issue)
        NOTE: 
http://cgit.freedesktop.org/polkit/commit/?id=9f5e0c731784003bd4d6fc75ab739ff8b2ea269f
 CVE-2015-3254 (The client libraries in Apache Thrift before 0.9.3 might allow 
remote ...)
-       - thrift-compiler <unfixed>
+       - thrift-compiler <not-affected> (Vulnerable code not present)
        NOTE: Affects src:thrift, which is only in experimental. The issue is 
fixed upstream in 0.9.3
        NOTE: so any future upload of thrift to unstable can mark this item as 
<not-affected> (fixed
        NOTE: before the initial upload to Debian unstable)
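Review bot: with thrift-compiler now `<not-affected> (Vulnerable code not present)`, the unchanged NOTE lines below read as stale: they still say a future upload of thrift to unstable "can mark this item as <not-affected>", which this hunk has just done. Consider rewording the NOTE so it is clear the remaining remark applies to a future src:thrift entry (the client libraries), not to thrift-compiler, which never shipped the affected code.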

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2017-07-11 15:27:48 UTC (rev 53386)
+++ data/dsa-needed.txt 2017-07-11 18:24:47 UTC (rev 53387)
@@ -20,6 +20,8 @@
 --
 icedove
 --
+imagemagick
+--
 ipsec-tools
 --
 libxml-libxml-perl


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
