[Secure-testing-commits] r23100 - in data: . CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Fri Jul 26 15:04:26 UTC 2013


Author: jmm
Date: 2013-07-26 15:04:26 +0000 (Fri, 26 Jul 2013)
New Revision: 23100

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
clutter/eglibc no-dsa
new openoffice/libreoffice issues (one important, one only in oldstable)
swift not-affected


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2013-07-26 11:00:36 UTC (rev 23099)
+++ data/CVE/list	2013-07-26 15:04:26 UTC (rev 23100)
@@ -1587,8 +1587,11 @@
 	NOTE: Debian package applied already the more complete fix, see #659899
 CVE-2013-4157
 	RESERVED
-CVE-2013-4156
+CVE-2013-4156 [OpenOffice DOCM Memory Corruption Vulnerability]
 	RESERVED
+	- libreoffice 1:4.1.0-1 (unimportant)
+	- openoffice.org <removed> (unimportant)
+	NOTE: Harmless crash
 CVE-2013-4155
 	RESERVED
 CVE-2013-4154 [libvirt: crash of libvirtd without guest agent configuration]
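Review bot: the "Harmless crash" NOTE on CVE-2013-4156 is the only justification for tagging a memory-corruption issue in a document parser as unimportant; add a reference (the upstream bug or the analysis that established it is a plain crash with no control over memory) so the assessment can be re-checked later, the way the neighbouring entries carry bugzilla or BTS links.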
@@ -2031,7 +2034,7 @@
 CVE-2013-4000
 	RESERVED
 CVE-2013-3999 (Cross-site scripting (XSS) vulnerability in IBM Social Media Analytics ...)
-	TODO: check
+	NOT-FOR-US: IBM Social Media Analytics
 CVE-2013-3998
 	RESERVED
 CVE-2013-3997
@@ -2071,7 +2074,7 @@
 CVE-2013-3980
 	RESERVED
 CVE-2013-3979 (Multiple cross-site scripting (XSS) vulnerabilities in the help pages ...)
-	TODO: check
+	NOT-FOR-US: IBM Cognos Command Center
 CVE-2013-3978
 	RESERVED
 CVE-2013-3977
@@ -3281,7 +3284,7 @@
 CVE-2013-3441 (Cisco Aironet 3600 access points allow remote attackers to cause a ...)
 	NOT-FOR-US: Cisco
 CVE-2013-3440 (Multiple cross-site scripting (XSS) vulnerabilities in the ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2013-3439 (Cross-site scripting (XSS) vulnerability in Cisco Unified Operations ...)
 	NOT-FOR-US: Cisco
 CVE-2013-3438 (The web framework in the server in Cisco Unified MeetingPlace Web ...)
@@ -6146,8 +6149,8 @@
 	- keystone <unfixed>
 	- nova <unfixed>
 	- quantum <unfixed>
-	- swift <unfixed>
-	TODO: check if complete and possibly report to BTS
+	- swift <not-affected> (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
+	TODO: check if complete and possibly report to BTS, sec announcement from upstream in preparation
 CVE-2013-2254
 	RESERVED
 CVE-2013-2253
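Review bot: the rewritten TODO line now carries two unrelated items ("check if complete and possibly report to BTS" and "sec announcement from upstream in preparation"); the second is status information, not an action, so it fits better as its own NOTE line, keeping the TODO short enough to grep for. The swift <not-affected> justification correctly points at the Launchpad comment, but the three remaining <unfixed> entries (keystone, nova, quantum) still have no bug numbers, which the TODO itself acknowledges.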
@@ -6325,6 +6328,8 @@
 CVE-2013-2207
 	RESERVED
 	- eglibc <unfixed> (low; bug #717544)
+	[squeeze] - eglibc <no-dsa> (Minor issue)
+	[wheezy] - eglibc <no-dsa> (Minor issue)
 CVE-2013-2206 (The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in ...)
 	- linux-2.6 <removed>
 	- linux 3.9.4-1
@@ -6374,11 +6379,15 @@
 	NOT-FOR-US: python-bugzilla
 CVE-2013-2190
 	RESERVED
-	- clutter-1.0 <unfixed> (bug #714264)
+	- clutter-1.0 <unfixed> (low; bug #714264)
+	[squeeze] - clutter-1.0 <no-dsa> (Minor issue)
+	[wheezy] - clutter-1.0 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=701974
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=954054
-CVE-2013-2189
+CVE-2013-2189 [OpenOffice DOC Memory Corruption Vulnerability]
 	RESERVED
+	- libreoffice 1:3.4.3-1
+	- openoffice.org <removed>
 CVE-2013-2188 (A certain Red Hat patch to the do_filp_open function in fs/namei.c in ...)
 	- linux-2.6 <not-affected> (RHEL-specific issue)
 	- linux <not-affected> (RHEL-specific issue)
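Review bot: CVE-2013-2189 gets a title and fixed versions but, unlike the sibling CVE-2013-4156 entry in this commit, no severity and no NOTE; since the log message describes one of the two OpenOffice issues as important and the other as only affecting oldstable, record which this is (severity tag on the libreoffice line, plus a NOTE with the upstream reference) so the tracker entry matches the new dsa-needed.txt line without having to read the commit log. For clutter-1.0 the added (low) severity and the two <no-dsa> lines are consistent with the commit message.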
@@ -7067,10 +7076,9 @@
 	- qemu <not-affected> (qemu guest agent introduced in 1.4, vulnerable versions were only in experimental)
 	- qemu-kvm <not-affected> (qemu guest agent introduced in 1.4)
 CVE-2013-2006 (OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode ...)
-	- keystone <undetermined>
+	- keystone <unfixed>
 	NOTE: https://review.openstack.org/#/c/26826/2/keystone/common/config.py
 	NOTE: https://bugs.launchpad.net/keystone/+bug/1172195
-	TODO: check
 CVE-2013-2005 (X.org libXt 1.1.3 and earlier does not check the return value of the ...)
 	{DSA-2680-1}
 	- libxt 1:1.1.3-1+deb7u1
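Review bot: keystone moves from <undetermined> to <unfixed> and the TODO is dropped, but no Debian bug number is recorded; the other <unfixed> entries touched in this commit (eglibc, clutter-1.0) carry a "bug #NNN" reference, so either file one and add it as "(bug #NNN)" or leave a TODO so the missing report is not forgotten.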
@@ -24785,8 +24793,9 @@
 CVE-2012-1897 (Multiple cross-site request forgery (CSRF) vulnerabilities in Wolf CMS ...)
 	NOT-FOR-US: Wolf CMS
 CVE-2012-1586 (mount.cifs in cifs-utils 2.6 allows local users to determine the ...)
-	- cifs-utils 2:5.3-2 (low; bug #665923)
-	[squeeze] - cifs-utils <no-dsa> (Minor issue)
+	- cifs-utils 2:5.3-2 (unimportant; bug #665923)
+	NOTE: Harmless information leak, if a user can perform arbitrary CIFS mounts they probably
+	NOTE: can do a lot more with this
 CVE-2012-1896 (Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not properly consider ...)
 	NOT-FOR-US: Microsoft .NET Framework
 CVE-2012-1895 (The reflection implementation in Microsoft .NET Framework 1.0 SP3, 1.1 ...)
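Review bot: the downgrade of CVE-2012-1586 to unimportant rests on the conditional in the NOTE ("if a user can perform arbitrary CIFS mounts"); state which configuration that assumes, since the CVE text (truncated here) is about local users, and the reasoning only holds when those users can already mount arbitrary shares. Dropping the [squeeze] <no-dsa> line is fine for an unimportant issue, and the NOTE may wrap across two NOTE lines, but a pointer to where the reasoning was discussed (bug #665923 is already cited) would make it verifiable.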

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt	2013-07-26 11:00:36 UTC (rev 23099)
+++ data/dsa-needed.txt	2013-07-26 15:04:26 UTC (rev 23100)
@@ -15,9 +15,6 @@
 --
 chromium-browser
 --
-clutter-1.0
-  Not sure if this actually deserves a DSA, someone who uses Gnome should dig into it
---
 drupal6/oldstable
 --
 gimp/oldstable
@@ -58,6 +55,8 @@
 --
 openafs
 --
+openoffice.org/oldstable only
+--
 openswan
 --
 otrs2 (carnil)
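Review bot: the new entry reads "openoffice.org/oldstable only" whereas the existing oldstable-only entries in this file use the bare "package/oldstable" form (drupal6/oldstable, gimp/oldstable); use the same form so the file stays uniform and tooling that parses these lines is not surprised by the trailing word.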
