[Secure-testing-commits] r22651 - data/CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Mon Jun 17 16:53:39 UTC 2013
Author: jmm
Date: 2013-06-17 16:53:39 +0000 (Mon, 17 Jun 2013)
New Revision: 22651
Modified:
data/CVE/list
Log:
kernel updates
no-dsa for squeeze: telepathy-gabble, cacti, rpm
rrdtool non-issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2013-06-17 16:52:51 UTC (rev 22650)
+++ data/CVE/list 2013-06-17 16:53:39 UTC (rev 22651)
@@ -3728,7 +3728,7 @@
- linux-2.6 <removed> (low)
CVE-2013-2850 (Heap-based buffer overflow in the iscsi_add_notunderstood_response ...)
- linux 3.9.4-1
- - linux-2.6 <removed>
+ - linux-2.6 <not-affected> (Introduced in 3.1)
[wheezy] - linux 3.2.46-1
[jessie] - linux 3.2.46-1
CVE-2013-2849 (Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome ...)
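Review bot: the new "(Introduced in 3.1)" reason on the linux-2.6 line for CVE-2013-2850 has nothing to back it up in the entry. Add a NOTE naming the upstream commit that introduced the vulnerable code, so the <not-affected> status can be checked later without redoing the analysis.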
@@ -4292,7 +4292,9 @@
CVE-2013-2597
RESERVED
CVE-2013-2596 (Integer overflow in the fb_mmap function in drivers/video/fbmem.c in ...)
- TODO: check implications for our linux kernels
+ - linux 3.9-1
+ [wheezy] - linux 3.2.46-1
+ [jessie] - linux 3.2.46-1
NOTE: the issue comes from fbmem code from linux mainline, the exploit was just targetting motorola
NOTE: phones that ship code that is based on the original linux code, but both are affected.
NOTE: an exploit needs access to /dev/fb0 which is not world readable/writable on Debian
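Review bot: CVE-2013-2596 now lists linux for unstable, wheezy and jessie but has no linux-2.6 line, although the removed TODO asked about "our linux kernels" and the CVE-2013-2850 entry in this same commit tracks linux-2.6 explicitly. Add a linux-2.6 line with its status. Given the existing NOTE that /dev/fb0 is not world readable/writable on Debian, a (low) severity on the package lines would also be consistent.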
@@ -5407,7 +5409,7 @@
CVE-2013-2162 [mysql insecure conffile creation]
RESERVED
- mysql-5.5 <unfixed> (low; bug #711600)
- - mysql-5.1 <removed>
+ - mysql-5.1 <removed> (low)
CVE-2013-2161 [Unchecked user input in Swift XML responses]
RESERVED
- swift <unfixed> (bug #712202)
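Review bot: the (low) added to the mysql-5.1 line of CVE-2013-2162 is not covered by the log message, which lists only kernel updates, the squeeze no-dsa entries and rrdtool. The severity matches the mysql-5.5 line above it, so the change itself looks fine; mention it in the log so the revision history explains it.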
@@ -5506,7 +5508,8 @@
NOTE: https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2
CVE-2013-2131 [format string vulnerability]
RESERVED
- - rrdtool <unfixed> (bug #708866)
+ - rrdtool <unfixed> (unimportant; bug #708866)
+ NOTE: Non-issue, calling application need to perform sanitising
CVE-2013-2130 [null pointer dereference in webadmin]
RESERVED
- znc <unfixed>
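Review bot: the new NOTE on CVE-2013-2131 says the calling application must sanitise, but does not say which rrdtool interface takes the format string or point at where this was decided. Since (unimportant) moves the responsibility to callers, add a reference to the discussion in bug #708866 or name the affected argument, so maintainers of packages that call rrdtool can tell whether they pass untrusted input to it. Minor wording: "need" should be "needs".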
@@ -6827,7 +6830,8 @@
NOTE: Upstream non-verified fix https://github.com/ganglia/ganglia-web/commit/552965f33bf79d41ccbec3f1f26840c8bab54ad6
CVE-2013-1769 [Crashes when trying to hash caps containing pathological data forms]
RESERVED
- - telepathy-gabble 0.16.5-1 (bug #702252)
+ - telepathy-gabble 0.16.5-1 (low; bug #702252)
+ [squeeze] - telepathy-gabble <no-dsa> (Minor issue)
CVE-2013-1768
RESERVED
CVE-2013-1767 (Use-after-free vulnerability in the shmem_remount_fs function in ...)
@@ -13519,7 +13523,8 @@
CVE-2011-5224 (SQL injection vulnerability in the Sentinel plugin 1.0.0 for WordPress ...)
NOT-FOR-US: WordPress plugin Sentinel
CVE-2011-5223 (Cross-site request forgery (CSRF) vulnerability in logout.php in Cacti ...)
- - cacti 0.8.7i-1
+ - cacti 0.8.7i-1 (low)
+ [squeeze] - cacti <no-dsa> (Minor issue)
CVE-2011-5222 (SQL injection vulnerability in rub2_w.php in PHP Flirt-Projekt 4.8 and ...)
NOT-FOR-US: PHP Flirt-Projekt
CVE-2011-5221 (Cross-site scripting (XSS) vulnerability in the getLog function in ...)
@@ -14889,7 +14894,6 @@
- libv8 <not-affected> (bug #702261; kMinFixedIndex and kMaxFixedIndex are hard-coded to the correct values in 3.8.9.20, a later commit introduced a caclulation that produced incorrect values)
- chromium-browser 24.0.1312.68-1
[squeeze] - chromium-browser <end-of-life>
- TODO: re-check uploads newer than 3.8.9.20
CVE-2012-5152 (Google Chrome before 24.0.1312.52 allows remote attackers to cause a ...)
[squeeze] - chromium-browser <end-of-life>
- chromium-browser 24.0.1312.68-1
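Review bot: dropping "TODO: re-check uploads newer than 3.8.9.20" leaves the libv8 line as an unversioned <not-affected>, while its own reason says a later commit introduced the incorrect calculation. If the re-check has been done, record the result in a NOTE (which libv8 uploads were examined); otherwise keep the TODO, because the entry as it stands will also cover any future upload that includes that commit.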
@@ -21285,7 +21289,6 @@
- libav 6:0.8.4-1 (bug #688847)
- ffmpeg <removed>
NOTE: duplicate of CVE-2012-2777
- TODO: mark this properly as duplicate
CVE-2012-2783 (Unspecified vulnerability in libavcodec/vp56.c in FFmpeg before 0.11, ...)
{DSA-2624-1}
- ffmpeg <removed> (bug #688849)
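Review bot: the removed "TODO: mark this properly as duplicate" is not replaced by any visible change; the entry still carries its own libav and ffmpeg lines plus only the "duplicate of CVE-2012-2777" NOTE. If the NOTE is considered the proper marking, say so in the log message; if not, the TODO should stay until the entry is actually reworked.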
@@ -26244,6 +26247,7 @@
RESERVED
CVE-2012-0815 (The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 ...)
- rpm 4.9.1.3-1 (bug #667031)
+ [squeeze] - rpm <no-dsa> (Minor issue)
CVE-2012-0814 (The auth_parse_options function in auth-options.c in sshd in OpenSSH ...)
- openssh 1:5.6p1-1 (low; bug #657445)
[squeeze] - openssh 1:5.5p1-6+squeeze2
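Review bot: the squeeze <no-dsa> line for rpm in CVE-2012-0815 is added without a severity on the main "rpm 4.9.1.3-1" line, whereas the telepathy-gabble and cacti entries in this commit gain (low) together with their <no-dsa> lines. For consistency, either add a severity here and on the CVE-2012-0061 and CVE-2012-0060 rpm lines in the next hunk, or give a more specific reason than "Minor issue" so the no-dsa decision for these header-parsing flaws can be understood from the entry alone.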
@@ -29161,8 +29165,10 @@
NOT-FOR-US: JBoss Operations Network
CVE-2012-0061 (The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not ...)
- rpm 4.9.1.3-1 (bug #667031)
+ [squeeze] - rpm <no-dsa> (Minor issue)
CVE-2012-0060 (RPM before 4.9.1.3 does not properly validate region tags, which ...)
- rpm 4.9.1.3-1 (bug #667031)
+ [squeeze] - rpm <no-dsa> (Minor issue)
CVE-2012-0059
RESERVED
NOT-FOR-US: RHN Satellite