[Secure-testing-commits] r23363 - in data: . CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Tue Aug 20 17:52:13 UTC 2013


Author: jmm
Date: 2013-08-20 17:52:13 +0000 (Tue, 20 Aug 2013)
New Revision: 23363

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
no-dsa; hawtjni, filezilla, eglibc, lcms
distribute unimportant
DSA needed: chrony, nas


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2013-08-20 13:45:25 UTC (rev 23362)
+++ data/CVE/list	2013-08-20 17:52:13 UTC (rev 23363)
@@ -991,7 +991,9 @@
 	RESERVED
 	{DSA-2736-1}
 	- putty 0.63-1 (bug #718779)
-	- filezilla <unfixed> (bug #718800)
+	- filezilla <unfixed> (low; bug #718800)
+	[squeeze] - filezilla <no-dsa> (Minor issue)
+	[wheezy] - filezilla <no-dsa> (Minor issue)
 	NOTE: http://www.securityfocus.com/archive/1/527763/30/0
 	NOTE: http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
 CVE-2013-4851 (The vfs_hang_addrlist function in sys/kern/vfs_export.c in the NFS ...)
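Review bot: the new `<no-dsa> (Minor issue)` lines for squeeze and wheezy record no reason why the filezilla instance of this issue rates lower than putty's, which the same entry shows was handled through DSA-2736-1; a one-line NOTE next to the bug reference (bug #718800) stating the basis for the lower rating would let a later triager re-check the decision without reopening the bug.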
@@ -2345,6 +2347,8 @@
 CVE-2013-4237 [Buffer overwrite when using readdir_r on file systems returning file names longer than NAME_MAX characters]
 	RESERVED
 	- eglibc <unfixed> (bug #719558)
+	[wheezy] - eglibc <unfixed> (low; bug #719558)
+	[squeeze] - eglibc <unfixed> (low; bug #719558)
 	NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=14699
 	NOTE: http://sourceware.org/ml/libc-alpha/2013-05/msg00445.html
 CVE-2013-4236
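Review bot: the log line lists eglibc under `no-dsa`, but the added wheezy and squeeze lines record `<unfixed> (low; bug #719558)` rather than `<no-dsa>`, unlike the filezilla and lcms entries in this same commit. If the intent is that the fix goes out in a point release rather than a DSA, `<no-dsa>` with a short reason expresses that; `<unfixed>` merely repeats the unstable state and leaves the suite status ambiguous.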
@@ -2443,19 +2447,25 @@
 	RESERVED
 	{DSA-2736-1}
 	- putty 0.63-1
-	- filezilla <unfixed> (bug #719070)
+	- filezilla <unfixed> (low; bug #719070)
+	[squeeze] - filezilla <no-dsa> (Minor issue)
+	[wheezy] - filezilla <no-dsa> (Minor issue)
 	NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
 CVE-2013-4207 [non-coprime values in DSA signatures can cause buffer overflow in modular inverse]
 	RESERVED
 	{DSA-2736-1}
 	- putty 0.63-1
-	- filezilla <unfixed> (bug #719070)
+	- filezilla <unfixed> (low; bug #719070)
+	[squeeze] - filezilla <no-dsa> (Minor issue)
+	[wheezy] - filezilla <no-dsa> (Minor issue)
 	NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html
 CVE-2013-4206 [buffer underrun in modmul can corrupt the heap]
 	RESERVED
 	{DSA-2736-1}
 	- putty 0.63-1
-	- filezilla <unfixed> (bug #719070)
+	- filezilla <unfixed> (low; bug #719070)
+	[squeeze] - filezilla <no-dsa> (Minor issue)
+	[wheezy] - filezilla <no-dsa> (Minor issue)
 	NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modmul.html
 CVE-2013-4205 [CLONE_NEWUSER local DoS]
 	RESERVED
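Review bot: the titles of CVE-2013-4207 and CVE-2013-4206 describe a buffer overflow in the modular inverse and a heap-corrupting buffer underrun in modmul, yet filezilla is marked `low` and `<no-dsa> (Minor issue)` in both stable suites with no recorded rationale. The identical three-line block is repeated for three CVEs that share bug #719070, so a single NOTE giving the basis for the lower rating (the same issues warranted DSA-2736-1 for putty) would document the decision once for all three.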
@@ -2594,9 +2604,11 @@
 	- gksu-polkit <not-affected> (CVE for improperly applied fix for CVE-2012-5617 on Red Hat)
 CVE-2013-4160
 	RESERVED
-	- lcms <unfixed>
-	TODO: The version for lcms in Debian is very old, most affected code apparently not present, needs to be checked
+	- lcms <unfixed> (low)
+	[squeeze] - lcms <no-dsa> (Minor issue)
+	[wheezy] - lcms <no-dsa> (Minor issue)
 	- lcms2 <unfixed> (bug #714529)
+	[wheezy] - lcms2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9
 	NOTE: https://bugzilla.novell.com/show_bug.cgi?id=826097#c9
 CVE-2013-4159
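Review bot: the removed TODO ("most affected code apparently not present, needs to be checked") is replaced by `(low)` and `<no-dsa> (Minor issue)` without recording what the check found; keep the outcome as a NOTE (which part of the affected code is absent from the old lcms version shipped, if that is the result) so the rationale survives the edit. Also, lcms2 in unstable stays `<unfixed> (bug #714529)` with no severity while wheezy gets `<no-dsa>`; giving the lcms2 line the same `low` tag keeps the entry consistent.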
@@ -4198,7 +4210,8 @@
 	NOT-FOR-US: Infotecs ViPNet Client
 CVE-2013-3495 [Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts]
 	RESERVED
-	- xen <unfixed>
+	- xen <unfixed> (unimportant)
+	NOTE: Hardware design flaw, no software solution
 CVE-2013-3494
 	RESERVED
 CVE-2013-3493
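Review bot: the new NOTE `Hardware design flaw, no software solution` justifies the `unimportant` tag but cites nothing, while most other entries in this diff back their NOTEs with a URL; link the upstream advisory or discussion that reaches that conclusion so the `unimportant` rating on an `<unfixed>` xen entry can be re-verified later.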
@@ -7986,7 +7999,8 @@
 	NOT-FOR-US: Drupal module Filebrowser
 CVE-2013-2035
 	RESERVED
-	- hawtjni <unfixed> (bug #708293)
+	- hawtjni <unfixed> (low; bug #708293)
+	[wheezy] - hawtjni <unfixed> (low; bug #708293)
 CVE-2013-2034 [jenkins CSRF]
 	RESERVED
 	- jenkins 1.509.2+dfsg-1 (bug #706725)
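Review bot: as with the eglibc hunk, the new wheezy line is `<unfixed> (low; bug #708293)` although the log message lists hawtjni under `no-dsa` and the data/dsa-needed.txt change in this same commit drops hawtjni from the DSA queue; with `<unfixed>` the wheezy entry still reads as an open issue, so `<no-dsa>` with a reason (or a fixed version once one ships in a point release) would match the stated decision.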
@@ -9391,8 +9405,8 @@
 CVE-2013-1634
 	RESERVED
 CVE-2013-1633 (easy_install in setuptools before 0.7 uses HTTP to retrieve packages ...)
-	- distribute <unfixed>
-	TODO: check
+	- distribute <unfixed> (unimportant)
+	NOTE: Lack of a security feature, not a vulnerability
 CVE-2013-1632
 	RESERVED
 CVE-2013-1631
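Review bot: the CVE text names `setuptools before 0.7`, while the only Debian package tracked here is `distribute`; if setuptools is packaged separately from distribute in Debian, it needs its own line under this CVE, otherwise a NOTE should state why distribute is the only affected source package. The recorded rationale for `unimportant` (`Lack of a security feature, not a vulnerability`) is fine as a reason, but a URL to the upstream discussion would let it be re-checked like the other entries.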

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt	2013-08-20 13:45:25 UTC (rev 23362)
+++ data/dsa-needed.txt	2013-08-20 17:52:13 UTC (rev 23363)
@@ -17,14 +17,14 @@
 --
 cacti
 --
+chrony
+--
 drupal6/oldstable
 --
 gimp/oldstable
 --
 gnutls26/oldstable
 --
-hawtjni
---
 iceape (jmm)
 --
 icedove (jmm)
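Review bot: `chrony` is added to the DSA queue per the log line, but nothing in this commit's data/CVE/list diff touches a chrony entry, so a reviewer cannot tell which issue motivates the DSA; a short reference (the CVE id, or a handler tag in parentheses as `iceape (jmm)` does) would make the queue entry self-explanatory. Removing `hawtjni` here is consistent with the `no-dsa` decision in the log.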
@@ -53,6 +53,8 @@
 --
 mysql-5.5/stable
 --
+nas
+--
 openoffice.org/oldstable only
 --
 openswan
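Review bot: `nas` is added without a suite qualifier, while neighbouring entries such as `mysql-5.5/stable` and `openoffice.org/oldstable only` scope the work to one suite; if the nas issue affects only one of squeeze or wheezy, adding the qualifier avoids preparing an update for a suite that does not need it, and the corresponding CVE/list entry is not part of this commit, so the issue being queued is not identifiable from the diff.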
