[Secure-testing-commits] r24331 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Fri Nov 8 13:56:08 UTC 2013


Author: jmm
Date: 2013-11-08 13:56:07 +0000 (Fri, 08 Nov 2013)
New Revision: 24331

Modified:
   data/CVE/list
Log:
two poppler issues not in oldstable, filed bug
filed bug for dovecot, needs more research on impact
filed bug for ibus, needs more research on affected packages


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2013-11-08 07:38:47 UTC (rev 24330)
+++ data/CVE/list	2013-11-08 13:56:07 UTC (rev 24331)
@@ -922,8 +922,7 @@
 	NOTE: http://trac.roundcube.net/ticket/1489382
 CVE-2013-6171
 	RESERVED
-	- dovecot <unfixed>
-	TODO: check
+	- dovecot <unfixed> (low; bug #729063)
 CVE-2013-6170 (Juniper Junos 10.0 before 10.0S28, 10.4 before 10.4R7, 11.1 before ...)
 	NOT-FOR-US: Juniper Junos
 CVE-2013-6169 (The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) ...)
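Review bot: The dovecot entry for CVE-2013-6171 gets a "low" severity and bug #729063 but, unlike the other entries touched in this commit, no NOTE pointing at an upstream report or advisory, and the commit message itself says the impact still needs research. Add a NOTE with the reference the severity was derived from (or keep a TODO alongside the bug reference until the impact is understood), so the "low" rating can be re-checked later.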
@@ -4752,9 +4751,11 @@
 	NOTE: https://bugs.tryton.org/issue3446
 CVE-2013-4509 [showing passwords during password input]
 	RESERVED
-	- ibus <unfixed>
-	TODO: check
+	- ibus <unfixed> (low; bug #729065)
 	NOTE: http://www.openwall.com/lists/oss-security/2013/11/04/2
+	NOTE: This is rather a bug in the various IBus engines not in ibus itself, asked maintainers to investigate affected engines,
+	NOTE: can be assigned to affected engines once more info is available
+	NOTE: Introduced in 1.5, so stable/oldstable not affected
 CVE-2013-4508
 	RESERVED
 	- lighttpd <unfixed>
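Review bot: The NOTE "Introduced in 1.5, so stable/oldstable not affected" is not reflected in the status lines: the ibus entry still only carries `- ibus <unfixed>`, so the tracker has no explicit suite annotation for wheezy or squeeze. Following the convention used elsewhere in this file (for example the poppler entries in this same commit), add `[wheezy] - ibus <not-affected> (Introduced in 1.5)` and the matching `[squeeze]` line so the conclusion in the NOTE is machine-readable rather than prose only.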
@@ -4829,10 +4830,9 @@
 	- varnish <unfixed> (medium; bug #728989)
 	NOTE: https://www.varnish-cache.org/trac/ticket/1367
 CVE-2013-4483 (The ipc_rcu_putref function in ipc/util.c in the Linux kernel before ...)
-	- linux <unfixed>
-	- linux-2.6 <removed>
+	- linux <unfixed> (low)
+	- linux-2.6 <removed> (low)
 	NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6062a8
-	TODO: check
 CVE-2013-4482
 	RESERVED
 CVE-2013-4481
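Review bot: The "low" severity replaces the TODO for CVE-2013-4483 without any justification being recorded, and the entry still carries no suite annotations. The NOTE only points at the upstream commit (short hash 6062a8); add a second NOTE stating why the issue is rated low, and record per-suite status (`[squeeze]` / `[wheezy]` lines, as done for poppler in this commit) so it is clear whether the stable kernels still need the fix or are considered no-dsa.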
@@ -4862,16 +4862,15 @@
 	[wheezy] - samba4 <no-dsa> (Minor issue)
 CVE-2013-4474 [User controlled format string]
 	RESERVED
-	- poppler <unfixed>
-	[squeeze] - poppler <no-dsa> (cli tool)
+	- poppler <unfixed> (low; bug #729064)
+	[squeeze] - poppler <not-affected> (pdfseparate not yet present)
 	[wheezy] - poppler <no-dsa> (cli tool)
 	NOTE: check
 CVE-2013-4473 [Stack based buffer overflow]
 	RESERVED
-	- poppler <unfixed>
-	[squeeze] - poppler <no-dsa> (cli tool)
+	- poppler <unfixed> (low; bug #729064)
+	[squeeze] - poppler <not-affected> (pdfseparate not yet present)
 	[wheezy] - poppler <no-dsa> (cli tool)
-	NOTE: check
 CVE-2013-4472 [Race condition on temporary file]
 	RESERVED
 	- poppler <unfixed> (unimportant)
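Review bot: The CVE-2013-4474 entry keeps a leftover `NOTE: check` while the identical line is deleted from CVE-2013-4473 in the same hunk. A bare "check" is an open action item, and the file uses `TODO:` for those; either drop the line from CVE-2013-4474 as well (both entries now carry the same bug #729064 and the same squeeze/wheezy annotations, so they have been checked to the same degree) or turn it into a `TODO:` with what is still to be verified.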
@@ -7113,18 +7112,21 @@
 CVE-2013-3674 (The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg ...)
 	- ffmpeg <not-affected> (CD Graphics Video Decoder not present in 0.5 ffmpeg)
 	- libav <unfixed>
+	NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd
 CVE-2013-3673 (The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg ...)
 	- ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg)
 	- libav <not-affected> (Doesn't affect libav, specific to current ffmpeg)
 CVE-2013-3672 (The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg ...)
 	- ffmpeg <removed>
 	- libav <unfixed>
+	NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7fa6db2545643efb4fe2e0bb501fa50af35a6330
 CVE-2013-3671 (The format_line function in log.c in libavutil in FFmpeg before 1.2.1 ...)
 	- ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg)
 	- libav <not-affected> (Doesn't affect libav, specific to current ffmpeg)
 CVE-2013-3670 (The rle_unpack function in vmdav.c in libavcodec in FFmpeg git ...)
 	- ffmpeg <removed>
 	- libav <unfixed>
+	NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652
 CVE-2013-3669
 	RESERVED
 CVE-2013-3668
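Review bot: The three new NOTE lines record only the ffmpeg fix commits, while the affected package in each entry is libav (`- libav <unfixed>`); the notes do not say whether those commits apply to libav's tree or whether a corresponding libav commit exists. Extend each NOTE with the libav status (ported, needs backport, or not yet addressed upstream) so the unfixed entries carry an actionable pointer. Separately, the ffmpeg status is inconsistent across adjacent entries: CVE-2013-3674 lists `- ffmpeg <not-affected> (CD Graphics Video Decoder not present in 0.5 ffmpeg)` while CVE-2013-3672 and CVE-2013-3670 list `- ffmpeg <removed>`; the same source package should carry the same state, with the 0.5-specific reasoning moved to a suite annotation if it only applies to the old version.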
@@ -7229,7 +7231,7 @@
 	- moodle <unfixed>
 	NOTE: https://tracker.moodle.org/browse/MDL-41449
 	NOTE: https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
-	TODO: check
+	TODO: check, bug is currently private
 CVE-2013-3629
 	RESERVED
 CVE-2013-3628
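Review bot: The moodle entry still carries no severity or bug reference, unlike the other entries this commit touches, and the expanded TODO only records that the upstream tracker issue is private. Since a public reference (the Rapid7 post on L106) is already listed, note whether it describes the issue well enough to assign a severity and file a Debian bug, so the TODO does not depend solely on the private MDL-41449 ticket becoming visible.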
