[Secure-testing-commits] r22198 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Tue May 7 16:15:49 UTC 2013


Author: jmm
Date: 2013-05-07 16:15:49 +0000 (Tue, 07 May 2013)
New Revision: 22198

Modified:
   data/CVE/list
Log:
libytnef no-dsa
mark issues specific to Oracle Java as not-affected
mark cairo/Firefox as not-affected


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2013-05-07 14:01:48 UTC (rev 22197)
+++ data/CVE/list	2013-05-07 16:15:49 UTC (rev 22198)
@@ -1987,12 +1987,15 @@
 	- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
 CVE-2013-2434 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
 	- openjdk-6 <not-affected> (Only affects Java 7)
-	TODO: might affect icedtea7
+	- openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2013-2433 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
 	- openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
 	- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
 CVE-2013-2432 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
-	TODO: might affect icedtea6 and iced7
+	- openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	- openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2013-2431 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
 	- openjdk-7 7u21-2.3.9-1
 	- openjdk-6 <not-affected> (Only affects Java7)
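Review bot: the <not-affected> markings for CVE-2013-2434 and CVE-2013-2432 rest on an absence of evidence ("no patch landed in icedtea"), which the NOTE itself admits leaves the exact nature unknown; record which IcedTea release or upstream tree was inspected so the entries can be revisited if a corresponding fix shows up later, e.g. extend the NOTE with the IcedTea version checked. The parenthetical rationale should also be consistent between the two entries: openjdk-6 on CVE-2013-2434 says "Only affects Java 7" while the trailing context line spells it "Java7".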
@@ -2087,7 +2090,9 @@
 	- mysql-5.5 <not-affected> (Only affects MySQL 5.6)
 	- mysql-5.1 <not-affected> (Only affects MySQL 5.6)
 CVE-2013-2394 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
-	TODO: might affect icedtea6 and icedtea7
+	- openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	- openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2013-2393 (Unspecified vulnerability in the Oracle Outside In Technology ...)
 	NOT-FOR-US: Oracle Fusion Middleware
 CVE-2013-2392 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 ...)
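Review bot: the same four-line block (two <not-affected> lines plus the "vague disclosure policy" NOTE) is now repeated verbatim across several CVE-2013-2xxx entries; that is acceptable for the tracker format, but since the NOTE concedes the nature is unknown, consider keeping the removed TODO as a NOTE ("TODO: recheck once IcedTea publishes a changelog") so the open question is not silently dropped.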
@@ -3093,8 +3098,9 @@
 	NOTE: http://www.videolan.org/security/sa1302.html
 CVE-2013-1953 [stack-based buffer overflow in bmp parser]
 	RESERVED
-	- autotrace <unfixed>
-	- gimp <undetermined>
+	- autotrace <unfixed> (low)
+	- gimp 2.6.10-1
+	NOTE: Gimp was fixed earlier, but only Squeeze version was checked
 	NOTE: In gimp code introduced with d9c6f88141aecf956c5d721168f795de0e3027b8
 	NOTE: and fixed with 57f805a159874107c6c98065f9aa648c3634b8fd
 	NOTE: https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7
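Review bot: the new NOTE "Gimp was fixed earlier, but only Squeeze version was checked" does not say what was checked in 2.6.10-1; since the following NOTEs name the introducing commit d9c6f88 and the fixing commit 57f805a, state which of the two was confirmed absent or present in 2.6.10-1 (e.g. "NOTE: 57f805a confirmed in 2.6.10-1 (squeeze); later versions assumed fixed"), otherwise the fixed-version claim is ambiguous. The "(low)" severity added to the autotrace line also has no stated rationale.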
@@ -3391,8 +3397,8 @@
 	NOTE: http://www.samba.org/samba/security/CVE-2013-1863
 CVE-2013-1862
 	RESERVED
-	- apache2 <unfixed> (low)
-	NOTE: if not unimportant
+	- apache2 <unfixed> (unimportant)
+	NOTE: Such injection issues are not treated as security issues
 CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, ...)
 	- mysql-5.5 <unfixed> (bug #706715)
 	- mysql-5.1 <removed>
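Review bot: the NOTE "Such injection issues are not treated as security issues" does not say what kind of injection this is, and because CVE-2013-1862 is still RESERVED the entry carries no description, so a later reader cannot tell why the severity dropped from low to unimportant; name the issue class and add a reference link in the NOTE, as the other entries in this file do.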
@@ -4360,7 +4366,9 @@
 	- libyassl <itp> (bug #664533)
 	NOTE: https://blogs.oracle.com/sunsecurity/entry/cve_2013_1492_buffer_overflow
 CVE-2013-1491 (The Java Runtime Environment (JRE) component in Oracle Java SE 7 ...)
-	TODO: might affect icedtea6 and icedtea7
+	- openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	- openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+	NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
 CVE-2013-1490 (Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE ...)
 	- openjdk-6 <not-affected> (Not exploitable in OpenJDK6)
 	- openjdk-7 <unfixed>
@@ -5930,12 +5938,13 @@
 CVE-2013-0801
 	RESERVED
 CVE-2013-0800 (Integer signedness error in the pixman_fill_sse2 function in ...)
-	- pixman <unfixed>
 	- iceweasel 17.0.5esr-1
 	- icedove <unfixed>
 	- iceape <unfixed>
 	- wine-gecko-1.4 <unfixed> (unimportant)
-	TODO: check, whether ice* are affected, xulrunner links against system copy of pixman
+	NOTE: The description is misleading: Firefox embeds a copy of Cairo, the interdiff
+	NOTE: shows the respective change at mozilla-esr17/gfx/cairo/cairo/src/cairo-image-surface.c
+	NOTE: Apparently the forked copy has changed, the code isn't present in vanilla Cairo
 CVE-2013-0799 (Buffer overflow in the Mozilla Maintenance Service in Mozilla Firefox ...)
 	- iceweasel <not-affected> (Only affects Firefox on Windows)
 CVE-2013-0798 (Mozilla Firefox before 20.0 on Android uses world-writable and ...)
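Review bot: the pixman line is deleted outright rather than being marked <not-affected>, so the tracker records no decision for pixman (and none for cairo, although the log message says "mark cairo/Firefox as not-affected"); keep an explicit "- pixman <not-affected> (Code only present in Mozilla's forked copy of Cairo)" line, and add a cairo line if that is what was inspected, so the conclusion reached in the NOTEs is machine-visible. The removed TODO also asked whether icedove/iceape are affected; those remain <unfixed>, which is consistent with the "Firefox embeds a copy of Cairo" finding, but it would help to say so in the NOTE.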
@@ -7620,6 +7629,7 @@
 	- linux-2.6 2.6.32-48squeeze1
 CVE-2013-0267
 	RESERVED
+	NOT-FOR-US: Apache VCL
 CVE-2013-0266 (manifests/base.pp in the puppetlabs-cinder module, as used in ...)
 	NOT-FOR-US: Openstack Packstack
 CVE-2013-0265 (The redirect_stderr function in xnbd_common.c in xnbd-server and ...)
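Review bot: CVE-2013-0267 is RESERVED with no description, so the NOT-FOR-US: Apache VCL marking has nothing in the entry to back it; add a NOTE with the advisory or report used to identify the affected product.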
@@ -18590,8 +18600,12 @@
 	RESERVED
 CVE-2010-5109 [libytnef: buffer overflow]
 	RESERVED
-	- libytnef <unfixed> (bug #705468)
-	- claws-mail-extra-plugins <unfixed>
+	- libytnef <unfixed> (low; bug #705468)
+	[squeeze] - libytnef <no-dsa> (Minor issue)
+	[wheezy] - libytnef <no-dsa> (Minor issue)
+	- claws-mail-extra-plugins <unfixed> (low)
+	[squeeze] - claws-mail-extra-plugins <no-dsa> (Minor issue)
+	[wheezy] - claws-mail-extra-plugins <no-dsa> (Minor issue)
 CVE-2010-5108 [Trac Ticket Modification Workflow Permission Restriction Bypass]
 	RESERVED
 	- trac 0.11.7-1 (bug #573260)
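Review bot: the libytnef line carries "bug #705468" but the claws-mail-extra-plugins line, which presumably tracks the embedded copy, has no bug reference; file or link a bug for the plugin package so the low-severity <unfixed> entry does not get lost, and consider a NOTE stating that claws-mail-extra-plugins embeds libytnef, since nothing in the entry says why the second package is listed.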