[Secure-testing-commits] r21507 - data/CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Mon Mar 4 17:58:14 UTC 2013
Author: jmm
Date: 2013-03-04 17:58:14 +0000 (Mon, 04 Mar 2013)
New Revision: 21507
Modified:
data/CVE/list
Log:
no-dsa: eglibc, ganglia, libdancer-perl, webfs, nginx
mark some java issues specific to Oracle Java as not-affected
gnutls28 fixed
one ffmpeg issue doesn't affect libav
fix one java dupe
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2013-03-04 16:30:44 UTC (rev 21506)
+++ data/CVE/list 2013-03-04 17:58:14 UTC (rev 21507)
@@ -34,8 +34,8 @@
- ffmpeg <removed>
- libav <unfixed>
CVE-2013-2276 (The avcodec_decode_audio4 function in utils.c in libavcodec in FFmpeg ...)
- - ffmpeg <removed>
- - libav <unfixed>
+ - ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg)
+ - libav <not-affected> (Doesn't affect libav, specific to current ffmpeg)
CVE-2013-2275
RESERVED
CVE-2013-2274
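Review bot: The new ffmpeg line for CVE-2013-2276 contradicts its own annotation: it is marked `<not-affected>` while the parenthesised reason says the issue is "specific to current ffmpeg". The reason text was evidently copied from the libav line. Since the ffmpeg source package was `<removed>` before this change, either keep `- ffmpeg <removed>` or give ffmpeg a reason that actually applies to it (e.g. that the package is no longer in the archive), and leave the "doesn't affect libav" justification on the libav line only.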
@@ -1092,7 +1092,9 @@
NOTE: http://www.openwall.com/lists/oss-security/2013/02/24/5
CVE-2013-1770 [XSS issues in views_view.php]
RESERVED
- - ganglia <unfixed> (bug #700158)
+ - ganglia <unfixed> (low; bug #700158)
+ [squeeze] - ganglia <no-dsa> (Minor issue)
+ [wheezy] - ganglia <no-dsa> (Minor issue)
- ganglia-web <unfixed> (bug #700159)
NOTE: ganglia-web only in experimental, security-tracker does not handle experimental versions
CVE-2013-1769 [Crashes when trying to hash caps containing pathological data forms]
@@ -1539,13 +1541,11 @@
[squeeze] - wireshark <not-affected> (Vulnerable code not present)
NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945
NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=46579
- TODO: check
CVE-2013-1583 (The dissect_version_4_primary_header function in ...)
- wireshark <unfixed>
[squeeze] - wireshark <not-affected> (Vulnerable code not present)
NOTE: Upstream bug: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7945
NOTE: http://anonsvn.wireshark.org/viewvc?view=revision&revision=46577
- TODO: check
CVE-2013-1582 (The dissect_clnp function in epan/dissectors/packet-clnp.c in the CLNP ...)
{DSA-2625-1}
- wireshark <unfixed>
@@ -4435,9 +4435,10 @@
- openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2013-0445 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- - openjdk-6 <unfixed>
+ - openjdk-6 6b27-1.12.1-1
- openjdk-7 <unfixed>
NOTE: icedtea fix: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/6527ae06da69
+ NOTE: openjdk-7 fixed in experimental: 7u13-2.3.6-1
CVE-2013-0444 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- openjdk-6 <not-affected> (Only affects Java7)
- openjdk-7 7u3-2.1.6-1
@@ -4463,8 +4464,7 @@
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2013-0437 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- openjdk-6 <not-affected> (Only affects Java7)
- - openjdk-7 <unfixed>
- NOTE: Affects the 2D component according to Oracle advisory, but no fix in IcedTea
+ - openjdk-7 <not-affected> (JavaFX not part of OpenJDK)
CVE-2013-0436 (Unspecified vulnerability in the JavaFX component in Oracle Java SE ...)
- openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
- openjdk-7 <not-affected> (JavaFX not part of OpenJDK)
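Review bot: The rationale for CVE-2013-0437 on openjdk-7 changes from "Affects the 2D component according to Oracle advisory, but no fix in IcedTea" to "JavaFX not part of OpenJDK", and the old NOTE is dropped without recording why the assessment moved from 2D to JavaFX. Suggest keeping a NOTE stating the basis for the reassessment (e.g. that the affected 2D code is the JavaFX-bundled one) so a later reader does not reopen the question from the Oracle advisory text alone.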
@@ -4681,8 +4681,8 @@
CVE-2013-0347 [webfs world-readable logdir]
RESERVED
- webfs <unfixed> (low; bug #701638)
+ [wheezy] - webfs <no-dsa> (Minor issue)
[squeeze] - webfs <no-dsa> (Minor issue)
- NOTE: CVE request http://www.openwall.com/lists/oss-security/2013/02/22/16
CVE-2013-0346 [tomcat world-readable logdir]
RESERVED
- tomcat6 <not-affected> (Log files are owned by tomcat:tomcat)
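Review bot: The `NOTE: CVE request http://www.openwall.com/lists/oss-security/2013/02/22/16` line for CVE-2013-0347 is removed while the entry is still `RESERVED`. That URL is the only provenance for the assignment and the "world-readable logdir" description; suggest keeping the NOTE, as the other RESERVED entries in this file do (for instance the oss-security reference retained above CVE-2013-1770).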
@@ -4705,11 +4705,9 @@
CVE-2013-0339 [CPU consumption DoS when performing string substitutions during external entities expansion]
RESERVED
- libxml2 <unfixed> (bug #702260)
- TODO: check and report
CVE-2013-0338 [CPU consumption DoS when performing string substitutions during entities expansion]
RESERVED
- libxml2 <unfixed> (bug #702260)
- TODO: check and report
CVE-2013-0337 [Directory /var/log/nginx is world readable]
RESERVED
- nginx <unfixed> (low; bug #701112)
@@ -4894,6 +4892,7 @@
RESERVED
- pacemaker <unfixed> (low; bug #700923)
[squeeze] - pacemaker <no-dsa> (Minor issue)
+ [wheezy] - pacemaker <no-dsa> (Minor issue)
CVE-2013-0280
RESERVED
NOTE: To be rejected
@@ -4917,7 +4916,9 @@
NOTE: The fix for 3.2 is present in ruby-activemodel-3.2, not ruby-activerecord-3.2
CVE-2013-0275 [ganglia: XSS]
RESERVED
- - ganglia <unfixed> (bug #700158)
+ - ganglia <unfixed> (low; bug #700158)
+ [squeeze] - ganglia <no-dsa> (Minor issue)
+ [wheezy] - ganglia <no-dsa> (Minor issue)
- ganglia-web <unfixed> (bug #700159)
NOTE: https://github.com/ganglia/ganglia-web/commit/31d348947419058c43b8dfcd062e2988abd5058e
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=892823
@@ -5286,7 +5287,7 @@
- polarssl 1.1.4-2 (bug #699887)
- nss <unfixed> (bug #699888)
- gnutls26 2.12.20-4
- - gnutls28 <unfixed>
+ - gnutls28 3.0.22-3
- openjdk-7 7u3-2.1.6-1
- openjdk-6 6b27-1.12.3-1
NOTE: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
@@ -7636,7 +7637,8 @@
[squeeze] - tor <no-dsa> (Minor issue)
CVE-2012-5572 [Dancer::Cookie: Cookie name CRLF injection]
RESERVED
- - libdancer-perl <unfixed> (bug #694279)
+ - libdancer-perl <unfixed> (low; bug #694279)
+ [wheezy] - libdancer-perl <unfixed> (low; bug #694279)
NOTE: https://github.com/PerlDancer/Dancer/issues/859
CVE-2012-5571 (OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not ...)
- keystone 2012.1.1-11 (bug #694433)
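Review bot: The added wheezy line for CVE-2012-5572 reads `[wheezy] - libdancer-perl <unfixed> (low; bug #694279)`, which is not a valid release-specific status and merely repeats the unstable line. Every other release line added in this commit uses `<no-dsa> (Minor issue)`, and the commit log lists libdancer-perl under "no-dsa", so this should almost certainly be `[wheezy] - libdancer-perl <no-dsa> (Minor issue)`.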
@@ -8854,7 +8856,7 @@
- openjdk-6 6b24-1.11.5-0ubuntu1 (bug #690774)
- openjdk-7 7u3-2.1.3-1 (bug #690774)
CVE-2012-5067 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- - openjdk-7 <unfixed> (bug #690774)
+ - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2012-5066 (Unspecified vulnerability in the Oracle Central Designer component in ...)
NOT-FOR-US: Oracle Industry Applications
CVE-2012-5065 (Unspecified vulnerability in the Oracle WebCenter Sites component in ...)
@@ -10829,10 +10831,8 @@
- wordpress 3.4.2+dfsg-1
CVE-2012-4421 (The create_post function in wp-includes/class-wp-atom-server.php in ...)
- wordpress 3.4.2+dfsg-1
-CVE-2012-4420
+CVE-2012-4420 [Duplicate of CVE-2012-4416]
RESERVED
- - openjdk-7 <unfixed> (bug #687486)
- - openjdk-6 <not-affected> (Only affects Java 7)
CVE-2012-4419 (The compare_tor_addr_to_addr_policy function in or/policies.c in Tor ...)
{DSA-2548-1}
- tor 0.2.3.22-rc-1
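Review bot: Dropping the `openjdk-7 <unfixed> (bug #687486)` and `openjdk-6 <not-affected>` lines from CVE-2012-4420 is only safe if the CVE-2012-4416 entry it is now marked a duplicate of carries the same openjdk-7 tracking and the bug #687486 reference; please confirm that entry was not left without them, otherwise the unfixed openjdk-7 state disappears from the tracker. Consider also adding a matching "[Duplicate of CVE-2012-4420]" cross-reference NOTE on CVE-2012-4416.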
@@ -13441,6 +13441,8 @@
CVE-2012-3406 [glibc formatted printing vulnerabilities]
RESERVED
- eglibc <unfixed> (low; bug #681888)
+ [squeeze] - eglibc <no-dsa> (Minor issue)
+ [wheezy] - eglibc <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=826943
NOTE: https://bugzilla.redhat.com/attachment.cgi?id=594722&action=diff
NOTE: https://bugzilla.redhat.com/attachment.cgi?id=594727&action=diff
@@ -14066,8 +14068,8 @@
- mysql-5.1 <removed>
- mysql-5.5 5.5.28+dfsg-1 (bug #690778)
CVE-2012-3159 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- - openjdk-6 <unfixed> (bug #690774)
- - openjdk-7 <unfixed> (bug #690774)
+ - openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
+ - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2012-3158 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
{DSA-2581-1}
- mysql-5.1 <removed>
@@ -18141,11 +18143,11 @@
CVE-2012-1534
REJECTED
CVE-2012-1533 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- - openjdk-6 <unfixed> (bug #690774)
- - openjdk-7 <unfixed> (bug #690774)
+ - openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
+ - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2012-1532 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- - openjdk-6 <unfixed> (bug #690774)
- - openjdk-7 <unfixed> (bug #690774)
+ - openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
+ - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2012-1531 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- openjdk-6 <unfixed> (bug #690774)
- openjdk-7 <unfixed> (bug #690774)
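Review bot: CVE-2012-1533 and CVE-2012-1532 are switched to `<not-affected>` because the deployment components are Oracle-only, but the adjacent CVE-2012-1531 entry is left as `openjdk-6 <unfixed>` / `openjdk-7 <unfixed>` with the same bug #690774. If 1531 is also a deployment-component issue it should get the same treatment in this commit; if it was deliberately left open, a short NOTE saying why would prevent it being "fixed" by the next person who notices the asymmetry.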
@@ -21562,6 +21564,7 @@
RESERVED
- nginx <unfixed> (low; bug #697940)
[squeeze] - nginx <no-dsa> (Minor issue)
+ [wheezy] - nginx <no-dsa> (Minor issue)
NOTE: http://trac.nginx.org/nginx/ticket/13
CVE-2011-4967
RESERVED