[Secure-testing-commits] r22198 - data/CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Tue May 7 16:15:49 UTC 2013
Author: jmm
Date: 2013-05-07 16:15:49 +0000 (Tue, 07 May 2013)
New Revision: 22198
Modified:
data/CVE/list
Log:
libytnef no-dsa
mark issues specific to Oracle Java as not-affected
mark cairo/Firefox as not-affected
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2013-05-07 14:01:48 UTC (rev 22197)
+++ data/CVE/list 2013-05-07 16:15:49 UTC (rev 22198)
@@ -1987,12 +1987,15 @@
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2013-2434 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- openjdk-6 <not-affected> (Only affects Java 7)
- TODO: might affect icedtea7
+ - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
CVE-2013-2433 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2013-2432 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- TODO: might affect icedtea6 and iced7
+ - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
CVE-2013-2431 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- openjdk-7 7u21-2.3.9-1
- openjdk-6 <not-affected> (Only affects Java7)
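Review bot: the NOTE justifying the two new not-affected markers (CVE-2013-2434 and CVE-2013-2432) rests on "no patch landed in icedtea" without recording which IcedTea releases were compared, so the conclusion cannot be rechecked later; the neighbouring entries use a stronger, self-explaining reason ("Deployment components not part of OpenJDK"). Suggest extending the NOTE with the IcedTea6/IcedTea7 release (or changeset range) that was reviewed, e.g. "NOTE: ... no patch landed in icedtea6 <version>/icedtea7 <version>", and leaving a TODO to revisit if a later IcedTea release picks up a fix for these CVEs.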
@@ -2087,7 +2090,9 @@
- mysql-5.5 <not-affected> (Only affects MySQL 5.6)
- mysql-5.1 <not-affected> (Only affects MySQL 5.6)
CVE-2013-2394 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
- TODO: might affect icedtea6 and icedtea7
+ - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
CVE-2013-2393 (Unspecified vulnerability in the Oracle Outside In Technology ...)
NOT-FOR-US: Oracle Fusion Middleware
CVE-2013-2392 (Unspecified vulnerability in Oracle MySQL 5.1.68 and earlier, 5.5.30 ...)
@@ -3093,8 +3098,9 @@
NOTE: http://www.videolan.org/security/sa1302.html
CVE-2013-1953 [stack-based buffer overflow in bmp parser]
RESERVED
- - autotrace <unfixed>
- - gimp <undetermined>
+ - autotrace <unfixed> (low)
+ - gimp 2.6.10-1
+ NOTE: Gimp was fixed earlier, but only Squeeze version was checked
NOTE: In gimp code introduced with d9c6f88141aecf956c5d721168f795de0e3027b8
NOTE: and fixed with 57f805a159874107c6c98065f9aa648c3634b8fd
NOTE: https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7
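Review bot: changing gimp from <undetermined> to the fixed version 2.6.10-1 while the new NOTE admits "only Squeeze version was checked" leaves a gap: a fixed-version marker asserts that every later upload (wheezy, sid) carries the fix as well. Since the entry already names the introducing commit d9c6f88141aecf956c5d721168f795de0e3027b8 and the fixing commit 57f805a159874107c6c98065f9aa648c3634b8fd, the check is cheap; suggest confirming that the fix commit is present in the newer branches and rewording the NOTE to say so, or keeping a TODO until that is done.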
@@ -3391,8 +3397,8 @@
NOTE: http://www.samba.org/samba/security/CVE-2013-1863
CVE-2013-1862
RESERVED
- - apache2 <unfixed> (low)
- NOTE: if not unimportant
+ - apache2 <unfixed> (unimportant)
+ NOTE: Such injection issues are not treated as security issues
CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, ...)
- mysql-5.5 <unfixed> (bug #706715)
- mysql-5.1 <removed>
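Review bot: the new "NOTE: Such injection issues are not treated as security issues" has no antecedent in the entry, since CVE-2013-1862 is still RESERVED and carries no description, so a reader cannot tell which class of injection is being downgraded from low to unimportant or why. Suggest naming the issue class in the NOTE and pointing at the policy or a previous CVE handled the same way, so the rating is auditable when the CVE is published.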
@@ -4360,7 +4366,9 @@
- libyassl <itp> (bug #664533)
NOTE: https://blogs.oracle.com/sunsecurity/entry/cve_2013_1492_buffer_overflow
CVE-2013-1491 (The Java Runtime Environment (JRE) component in Oracle Java SE 7 ...)
- TODO: might affect icedtea6 and icedtea7
+ - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
CVE-2013-1490 (Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE ...)
- openjdk-6 <not-affected> (Not exploitable in OpenJDK6)
- openjdk-7 <unfixed>
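Review bot: the not-affected markers for CVE-2013-1491 use the same "no patch landed in icedtea" reasoning, but the adjacent CVE-2013-1490 entry (rated "Not exploitable in OpenJDK6" with openjdk-7 <unfixed>) shows that Oracle Java SE 7 advisories can and do affect OpenJDK 7, so absence of an IcedTea patch at the time of writing is weak evidence for openjdk-7. Suggest recording which IcedTea7 release was checked and keeping a TODO to re-evaluate once the next IcedTea security release is out.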
@@ -5930,12 +5938,13 @@
CVE-2013-0801
RESERVED
CVE-2013-0800 (Integer signedness error in the pixman_fill_sse2 function in ...)
- - pixman <unfixed>
- iceweasel 17.0.5esr-1
- icedove <unfixed>
- iceape <unfixed>
- wine-gecko-1.4 <unfixed> (unimportant)
- TODO: check, whether ice* are affected, xulrunner links against system copy of pixman
+ NOTE: The description is misleading: Firefox embeds a copy of Cairo, the interdiff
+ NOTE: shows the respective change at mozilla-esr17/gfx/cairo/cairo/src/cairo-image-surface.c
+ NOTE: Apparently the forked copy has changed, the code isn't present in vanilla Cairo
CVE-2013-0799 (Buffer overflow in the Mozilla Maintenance Service in Mozilla Firefox ...)
- iceweasel <not-affected> (Only affects Firefox on Windows)
CVE-2013-0798 (Mozilla Firefox before 20.0 on Android uses world-writable and ...)
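Review bot: the commit message says "mark cairo/Firefox as not-affected", but the hunk only removes the "- pixman <unfixed>" line and adds explanatory NOTEs; neither pixman nor cairo gets an explicit <not-affected> marker, so the decision survives only in the removed line. Suggest adding "- cairo <not-affected> (code only present in Mozilla's forked copy)" and, if the pixman_fill_sse2 reference in the description was judged misleading, a matching "- pixman <not-affected>" line with the same reason, so the entry documents the conclusion the NOTEs reach. The unchanged icedove/iceape <unfixed> lines are consistent with the embedded-copy finding.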
@@ -7620,6 +7629,7 @@
- linux-2.6 2.6.32-48squeeze1
CVE-2013-0267
RESERVED
+ NOT-FOR-US: Apache VCL
CVE-2013-0266 (manifests/base.pp in the puppetlabs-cinder module, as used in ...)
NOT-FOR-US: Openstack Packstack
CVE-2013-0265 (The redirect_stderr function in xnbd_common.c in xnbd-server and ...)
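Review bot: the new NOT-FOR-US: Apache VCL line is added while CVE-2013-0267 is still RESERVED and has no description in the entry, so the attribution cannot be verified from the file itself. Suggest a NOTE with the source the VCL attribution came from (advisory or bug URL), as the other NOT-FOR-US entries nearby do via their description lines.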
@@ -18590,8 +18600,12 @@
RESERVED
CVE-2010-5109 [libytnef: buffer overflow]
RESERVED
- - libytnef <unfixed> (bug #705468)
- - claws-mail-extra-plugins <unfixed>
+ - libytnef <unfixed> (low; bug #705468)
+ [squeeze] - libytnef <no-dsa> (Minor issue)
+ [wheezy] - libytnef <no-dsa> (Minor issue)
+ - claws-mail-extra-plugins <unfixed> (low)
+ [squeeze] - claws-mail-extra-plugins <no-dsa> (Minor issue)
+ [wheezy] - claws-mail-extra-plugins <no-dsa> (Minor issue)
CVE-2010-5108 [Trac Ticket Modification Workflow Permission Restriction Bypass]
RESERVED
- trac 0.11.7-1 (bug #573260)
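Review bot: the libytnef entry now carries the bug reference and no-dsa markers for squeeze and wheezy, but the claws-mail-extra-plugins lines do not say why that package is listed under a libytnef CVE (presumably an embedded copy of libytnef) and carry no bug reference, so the <unfixed> (low) line cannot be followed up. Suggest a NOTE stating the embedded copy and either a separate bug number or a pointer to bug #705468 so the two fixes are tracked together.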