[Secure-testing-commits] r21549 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Thu Mar 7 21:28:28 UTC 2013


Author: jmm
Date: 2013-03-07 21:28:28 +0000 (Thu, 07 Mar 2013)
New Revision: 21549

Modified:
   data/CVE/list
Log:
new nova issue (no-dsa)
new issues in qpid-cpp
no-dsa: bouncycastle, nagios-nrpe, libwebp, redis
Red Hat NFU
mark some java issues as specific to Oracle Java


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2013-03-07 21:14:28 UTC (rev 21548)
+++ data/CVE/list	2013-03-07 21:28:28 UTC (rev 21549)
@@ -1852,6 +1852,7 @@
 CVE-2013-1624 (The TLS implementation in the Bouncy Castle Java library before 1.48 ...)
 	- bouncycastle <unfixed> (low; bug #699885)
 	[squeeze] - bouncycastle <no-dsa> (Minor issue)
+	[wheezy] - bouncycastle <no-dsa> (Minor issue)
 CVE-2013-1623 (The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not ...)
 	- mysql-5.1 <unfixed>
 	- mysql-5.5 <unfixed> (bug #699886)
@@ -2518,7 +2519,8 @@
 	RESERVED
 CVE-2013-1362 [Allows passing of $() as command arguments and executing shell commands]
 	RESERVED
-	- nagios-nrpe <unfixed> (bug #701227)
+	- nagios-nrpe <unfixed> (low; bug #701227)
+	[squeeze] - nagios-nrpe <no-dsa> (Minor issue)
 CVE-2013-1361
 	RESERVED
 CVE-2013-1360
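Review bot: the nagios-nrpe lines under CVE-2013-1362 rate the issue low and "Minor issue", but the entry's own description is about executing shell commands through $() in command arguments, and no NOTE records why that is minor. Add a NOTE with the reason for the rating. The hunk also adds a [squeeze] line with no [wheezy] counterpart; if that is intentional, say so in the same NOTE.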
@@ -4955,9 +4957,9 @@
 CVE-2013-0410
 	RESERVED
 CVE-2013-0409 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
-	- openjdk-6 <unfixed>
-	- openjdk-7 <unfixed>
-	NOTE: No fix listed for icedtea, is this component (JMX) included in Icedtea?
+	- openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	- openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2013-0408
 	RESERVED
 CVE-2013-0407 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...)
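Review bot: the NOTE removed under CVE-2013-0409 named the component in question (JMX), and the new NOTE drops it, leaving "no patch landed in icedtea" as the only recorded basis for <not-affected>. Keep the component name in the new NOTE so the decision can be rechecked against later IcedTea releases.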
@@ -5163,6 +5165,8 @@
 	- jenkins <unfixed> (bug #700761)
 CVE-2013-0326
 	RESERVED
+	- nova <unfixed> (low)
+	[wheezy] - nova <no-dsa> (Minor issue)
 CVE-2013-0325
 	RESERVED
 	NOT-FOR-US: Drupal addon
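Review bot: the new nova lines under CVE-2013-0326 carry no bug number and no NOTE, and the CVE is still RESERVED with no description, so the entry does not say which issue is being rated low and no-dsa. Add a NOTE with the upstream advisory or a bug reference, as the jenkins line at the top of this hunk does with bug #700761.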
@@ -5660,9 +5664,10 @@
 	NOTE: https://code.google.com/p/memcached/issues/attachmentText?id=306&aid=3060004000&name=0001-Fix-buffer-overrun-when-logging-key-to-delete-in-bin.patch
 CVE-2013-0178 [redis 2.4: Insecure temporary flaw use for redis service's vm swap file]
 	RESERVED
-	- redis <unfixed>
+	- redis 2:2.6.0-1 (low)
+	[squeeze] - redis <no-dsa> (Minor issue)
+	[wheezy] - redis <no-dsa> (Minor issue)
 	NOTE: RedHat bugreport mentions 2.4 is affected, but not 2.6
-	TODO: check
 CVE-2013-0177
 	RESERVED
 	NOT-FOR-US: OFBiz
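Review bot: under CVE-2013-0178 the fixed version 2:2.6.0-1 replaces <unfixed> and "TODO: check" is removed, but the only evidence left in the entry is the NOTE that the Red Hat bug report mentions 2.4 and not 2.6. If the 2.6 code was checked, record that in the NOTE so the fixed version does not rest on the bug report alone.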
@@ -5694,6 +5699,7 @@
 	{DSA-2622-1 DSA-2621-1}
 	- openssl 1.0.1e-1 (bug #699889)
 	- bouncycastle <unfixed> (low; bug #699885)
+	[wheezy] - bouncycastle <no-dsa> (Minor issue)
 	[squeeze] - bouncycastle <no-dsa> (Minor issue)
 	- mysql-5.1 <unfixed>
 	- mysql-5.5 <unfixed> (bug #699886)
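Review bot: the new [wheezy] bouncycastle line is inserted above the existing [squeeze] line here, whereas the same package under CVE-2013-1624 has [squeeze] first and [wheezy] second. Move the new line below [squeeze] so both entries are ordered the same way.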
@@ -6246,6 +6252,7 @@
 	RESERVED
 CVE-2012-6136
 	RESERVED
+	NOT-FOR-US: tuned (RH-specific powersaving tool)
 CVE-2012-6135
 	RESERVED
 	- ruby-passenger (low; bug #702219)
@@ -9125,7 +9132,9 @@
 	- libv8 <not-affected> (Doesn't affect 3.8.9, see bug #694808)
 CVE-2012-5127 (Integer overflow in Google Chrome before 23.0.1271.64 allows remote ...)
 	- chromium-browser 24.0.1312.68-1
-	- libwebp 0.2.1-1
+	- libwebp 0.2.1-1 (low)
+	[squeeze] - libwebp <no-dsa> (Minor issue)
+	[wheezy] - libwebp <no-dsa> (Minor issue)
 	NOTE: https://bugs.gentoo.org/show_bug.cgi?id=442152
 	NOTE: Upstream announce: https://groups.google.com/a/webmproject.org/forum/?fromgroups=#!topic/webp-discuss/QTtgi8YfgkE
 CVE-2012-5126 (Use-after-free vulnerability in Google Chrome before 23.0.1271.64 ...)
@@ -11098,10 +11107,13 @@
 	- linux 3.2.35-1
 CVE-2012-4460
 	RESERVED
+	- qpid-cpp <unfixed>
 CVE-2012-4459
 	RESERVED
+	- qpid-cpp <unfixed>
 CVE-2012-4458
 	RESERVED
+	- qpid-cpp <unfixed>
 CVE-2012-4457 (OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 ...)
 	- keystone 2012.1.1-9 (bug #689210)
 CVE-2012-4456 (The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone ...)
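Review bot: the three qpid-cpp lines under CVE-2012-4460, CVE-2012-4459 and CVE-2012-4458 carry no urgency, bug number or NOTE, and all three CVEs are RESERVED with no description, so the entries cannot be told apart or traced to a report. Add a NOTE per CVE with the source of the information.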
@@ -14355,9 +14367,9 @@
 CVE-2012-3214 (Unspecified vulnerability in the Oracle Outside In Technology ...)
 	NOT-FOR-US: Oracle Fusion Middleware
 CVE-2012-3213 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
-	- openjdk-6 <unfixed>
-	- openjdk-7 <unfixed>
-	NOTE: No fix listed for icedtea, is this component (Scripting) included in Icedtea?
+	- openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	- openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2012-3212 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11, when ...)
 	NOT-FOR-US: Oracle Sun Solaris
 CVE-2012-3211 (Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local ...)
@@ -14519,8 +14531,9 @@
 CVE-2012-3144 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
 	- mysql-5.5 5.5.28+dfsg-1 (bug #690778)
 CVE-2012-3143 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
-	- openjdk-6 <unfixed> (bug #690774)
-	- openjdk-7 <unfixed> (bug #690774)
+	- openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	- openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2012-3142 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...)
 	NOT-FOR-US: Oracle Financial Services Software
 CVE-2012-3141 (Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking ...)
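Review bot: the removed openjdk-6 and openjdk-7 lines under CVE-2012-3143 referenced bug #690774, and the replacement lines drop that reference without saying what happens to the bug. Mention the bug in the NOTE, or make sure it is closed or updated to match the not-affected status.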
@@ -18563,8 +18576,9 @@
 	- openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
 	- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
 CVE-2012-1531 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
-	- openjdk-6 <unfixed> (bug #690774)
-	- openjdk-7 <unfixed> (bug #690774)
+	- openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	- openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2012-1530 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and ...)
 	NOT-FOR-US: Adobe Reader and Acrobat
 CVE-2012-1529 (Use-after-free vulnerability in Microsoft Internet Explorer 8 and 9 ...)
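Review bot: the new explanation for CVE-2012-1531, "Specific to Oracle Java, not present in IcedTea", is less specific than the entry directly above it in this hunk, which names what is absent from OpenJDK ("Deployment components not part of OpenJDK"). If the affected component is known, name it in the parenthesis the way the neighbouring entry does; if it is not, the NOTE should stay as the only justification and the parenthesis should not read as an established fact.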



