[Secure-testing-commits] r23995 - in data: . CVE DSA
Moritz Muehlenhoff
jmm at alioth.debian.org
Tue Oct 15 15:11:00 UTC 2013
Author: jmm
Date: 2013-10-15 15:11:00 +0000 (Tue, 15 Oct 2013)
New Revision: 23995
Modified:
data/CVE/list
data/DSA/list
data/dsa-needed.txt
Log:
stable triage:
one kfreebsd issue N/A for stable
one kernel issue fixed in point release
one kernel issue fixed in previous DSA
one issue doesn't affect icedove, remove from DSA/list
one iceweasel issue N/A for stable
one systemd issue N/A for stable
no-dsa: scipy, mediawiki-extensions, php5, polkit
dsa needed for libhttp-body-perl
clean up some undetermined webkit entries as NFU (like the existing ones)
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2013-10-15 05:15:59 UTC (rev 23994)
+++ data/CVE/list 2013-10-15 15:11:00 UTC (rev 23995)
@@ -826,6 +826,7 @@
RESERVED
CVE-2013-5666 (The sendfile system-call implementation in sys/kern/uipc_syscalls.c in ...)
- kfreebsd-9 9.2~svn255465-1 (bug #722336)
+ [wheezy] - kfreebsd-9 <not-affected> (Only affects 9.2.x)
CVE-2013-5665
RESERVED
CVE-2013-5664 (Cross-site scripting (XSS) vulnerability in the web-based ...)
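Review bot: The [wheezy] not-affected line for CVE-2013-5666 justifies itself with "Only affects 9.2.x", but nothing in the entry records which kfreebsd-9 version wheezy ships or points at the upstream change that introduced the bug; a NOTE line with that reference (the FreeBSD advisory or the svn revision of the fix) would let a later triager confirm the not-affected claim without redoing the research.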
@@ -3686,6 +3687,7 @@
CVE-2013-4392 [systemd: TOCTOU race condition when updating file permissions and SELinux security contexts]
RESERVED
- systemd <unfixed> (bug #725357)
+ [wheezy] - systemd <not-affected> (/etc/tmpfiles.d not supported in Wheezy)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859060
CVE-2013-4391 [systemd: Integer overflow, leading to heap-based buffer overflow by processing native messages]
RESERVED
@@ -3980,6 +3982,7 @@
CVE-2013-4305 [mediawiki SyntaxHighlight_GeSHi XSS]
RESERVED
- mediawiki-extensions <unfixed> (low)
+ [wheezy] - mediawiki-extensions <no-dsa> (Minor issue)
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=49070
CVE-2013-4304 [mediawiki CentralAuth auth bypass]
RESERVED
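Review bot: Only a [wheezy] no-dsa line is added for CVE-2013-4305, while the python-scipy entry in this same commit gets both [wheezy] and [squeeze] markers; if squeeze also ships mediawiki-extensions with the SyntaxHighlight_GeSHi extension it needs the same "[squeeze] - mediawiki-extensions <no-dsa> (Minor issue)" line, otherwise squeeze stays listed as open.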
@@ -4043,7 +4046,9 @@
RESERVED
- openjpeg <unfixed> (bug #722540)
CVE-2013-4288 (Race condition in PolicyKit (aka polkit) allows local users to bypass ...)
- - policykit-1 0.105-3+nmu1 (bug #723717)
+ - policykit-1 0.105-3+nmu1 (low; bug #723717)
+ [squeeze] - policykit-1 <no-dsa> (The update only deprecates an API and introduces a new option for pkcheck, no src package uses this API)
+ [wheezy] - policykit-1 <no-dsa> (The update only deprecates an API and introduces a new option for pkcheck, no src package uses this API)
CVE-2013-4287 [Algorithmic complexity vulnerability]
RESERVED
- rubygems <unfixed> (unimportant; bug #722361)
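Review bot: The no-dsa justification for CVE-2013-4288 rests on "no src package uses this API", which is the load-bearing claim here; a NOTE line naming the deprecated API and how the archive was checked for callers would make that verifiable later, and the identical reason text on the [squeeze] and [wheezy] lines could then be shortened to point at it.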
@@ -4151,6 +4156,7 @@
[wheezy] - condor <no-dsa> (Minor issue)
CVE-2013-4254 (The validate_event function in arch/arm/kernel/perf_event.c in the ...)
- linux 3.10.11-1
+ [wheezy] - linux 3.2.51-1
- linux-2.6 <not-affected> (No perf support on arm)
CVE-2013-4253
RESERVED
@@ -4159,6 +4165,8 @@
CVE-2013-4251 [weave /tmp and current directory issues]
RESERVED
- python-scipy <unfixed> (bug #726093)
+ [wheezy] - python-scipy <no-dsa> (Minor issue)
+ [squeeze] - python-scipy <no-dsa> (Minor issue)
NOTE: https://github.com/scipy/scipy/commit/bd296e0336420b840fcd2faabb97084fd252a973
CVE-2013-4250 [Vulnerable subcomponent: Backend File Upload / File Abstraction Layer]
RESERVED
@@ -11053,10 +11061,9 @@
- icedove <not-affected> (Windows-specific)
- iceape <not-affected> (Windows-specific)
CVE-2013-1705 (Heap-based buffer underflow in the cryptojs_interpret_key_gen_type ...)
- {DSA-2762-1}
- iceweasel 23.0-1
- - iceape <unfixed>
- TODO: check
+ [wheezy] - iceweasel <not-affected> (Only affects Firefox > 17)
+ - iceape <not-affected> (Only affects Firefox > 17)
CVE-2013-1704 (Use-after-free vulnerability in the nsINode::GetParentNode function in ...)
- iceweasel <not-affected> (Only affects Firefox > 17)
- iceape <not-affected> (Only affects Firefox > 17)
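Review bot: Dropping the "{DSA-2762-1}" cross-reference from CVE-2013-1705 only stays consistent because the matching removal of CVE-2013-1705 from the DSA-2762-1 entry in data/DSA/list is in the same commit; the two changes must land together or the tracker would carry a dangling DSA reference. Note also that the iceape line changes to <not-affected> unconditionally (no suite qualifier), so this applies to every suite, while the iceweasel change is scoped to [wheezy] and the unstable line "- iceweasel 23.0-1" stays as is.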
@@ -12980,7 +12987,7 @@
CVE-2013-0969 (Login Window in Apple Mac OS X before 10.8.3 does not prevent ...)
NOT-FOR-US: Mac OS X
CVE-2013-0968 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0967 (CoreTypes in Apple Mac OS X before 10.8.3 includes JNLP files in the ...)
NOT-FOR-US: Mac OS X
CVE-2013-0966 (The Apple mod_hfs_apple module for the Apache HTTP Server in Apple Mac ...)
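Review bot: Replacing "- webkit <undetermined> (bug #700164)" with a NOT-FOR-US line drops the only reference to Debian bug #700164; if that bug is still open it should either be closed or kept on a NOTE line, otherwise the bug and the tracker silently disagree about whether the issue is being tracked.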
@@ -12988,39 +12995,39 @@
CVE-2013-0965
RESERVED
CVE-2013-0964 (The kernel in Apple iOS before 6.1 and Apple TV before 5.2 does not ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0963 (Identity Services in Apple iOS before 6.1 does not properly handle ...)
NOT-FOR-US: Identity Services in Apple iOS
CVE-2013-0962 (Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0961 (WebKit in Apple Safari before 6.0.3 allows remote attackers to execute ...)
NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0960 (WebKit in Apple Safari before 6.0.3 allows remote attackers to execute ...)
NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0959 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0958 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0957 (Data Protection in Apple iOS before 7 allows attackers to bypass ...)
NOT-FOR-US: Apple iOS
CVE-2013-0956 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0955 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0954 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0953 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0952 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0951 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0950 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0949 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0948 (WebKit, as used in Apple iOS before 6.1, allows remote attackers to ...)
- - webkit <undetermined> (bug #700164)
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
CVE-2013-0947 (EMC RSA Authentication Manager 8.0 before P1 allows local users to ...)
NOT-FOR-US: EMC
CVE-2013-0946 (Buffer overflow in the Library Control Program (LCP) in EMC AlphaStor ...)
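Review bot: The NOT-FOR-US reason text argues about Chromium, but the entries being replaced pointed at the Debian "webkit" source package, which is WebKitGTK rather than Chromium; marking these CVEs NOT-FOR-US removes them from tracking for that package entirely. The wording does match the existing CVE-2013-0961/CVE-2013-0960 entries, so this is consistent with the log message, but a short NOTE recording why the WebKitGTK build is considered out of scope for this batch of Apple-reported bugs would justify the change better than the Chromium remark alone.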
@@ -33316,7 +33323,9 @@
- webkit <not-affected>
NOTE: Duplicate for chromebooks
CVE-2011-4718 (Session fixation vulnerability in the Sessions subsystem in PHP before ...)
- - php5 5.5.2+dfsg-1
+ - php5 5.5.2+dfsg-1 (low)
+ [wheezy] - php5 <no-dsa> (Too intrusive to backport, mitigations exists)
+ [squeeze] - php5 <no-dsa> (Too intrusive to backport, mitigations exists)
NOTE: 5.5.2 implements strict sessions RFC (https://wiki.php.net/rfc/strict_sessions)
CVE-2011-4717 (Directory traversal vulnerability in zFTPServer Suite 6.0.0.52 allows ...)
NOT-FOR-US: zFTPServer Suite
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2013-10-15 05:15:59 UTC (rev 23994)
+++ data/DSA/list 2013-10-15 15:11:00 UTC (rev 23995)
@@ -59,7 +59,7 @@
[squeeze] - pyopenssl 0.10-1+squeeze1
[wheezy] - pyopenssl 0.13-2+deb7u1
[23 Sep 2013] DSA-2762-1 icedove - several
- {CVE-2013-1705 CVE-2013-1718 CVE-2013-1722 CVE-2013-1725 CVE-2013-1730 CVE-2013-1732 CVE-2013-1735 CVE-2013-1736 CVE-2013-1737}
+ {CVE-2013-1718 CVE-2013-1722 CVE-2013-1725 CVE-2013-1730 CVE-2013-1732 CVE-2013-1735 CVE-2013-1736 CVE-2013-1737}
[wheezy] - icedove 17.0.9-1~deb7u1
[19 Sep 2013] DSA-2761-1 puppet - several
{CVE-2013-4761 CVE-2013-4956}
@@ -400,7 +400,7 @@
{CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 CVE-2013-3371 CVE-2013-3372 CVE-2013-3373 CVE-2013-3374}
[squeeze] - request-tracker3.8 3.8.8-7+squeeze7
[15 May 2013] DSA-2669-1 linux - several
- {CVE-2013-0160 CVE-2013-1796 CVE-2013-1929 CVE-2013-1979 CVE-2013-2015 CVE-2013-2094 CVE-2013-3076 CVE-2013-3222 CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3227 CVE-2013-3228 CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235 CVE-2013-3301}
+ {CVE-2013-0160 CVE-2013-1796 CVE-2013-1929 CVE-2013-1979 CVE-2013-2015 CVE-2013-2094 CVE-2013-3076 CVE-2013-3222 CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3227 CVE-2013-3228 CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235 CVE-2013-3301 CVE-2013-2141}
[wheezy] - linux 3.2.41-2+deb7u2
[14 May 2013] DSA-2668-1 linux-2.6 - several
{CVE-2012-2121 CVE-2012-3552 CVE-2012-4461 CVE-2012-4508 CVE-2012-6537 CVE-2012-6539 CVE-2012-6540 CVE-2012-6542 CVE-2012-6544 CVE-2012-6545 CVE-2012-6546 CVE-2012-6548 CVE-2012-6549 CVE-2013-0349 CVE-2013-0914 CVE-2013-1767 CVE-2013-1773 CVE-2013-1774 CVE-2013-1792 CVE-2013-1796 CVE-2013-1798 CVE-2013-1826 CVE-2013-1860 CVE-2013-1928 CVE-2013-1929 CVE-2013-2015 CVE-2013-2634 CVE-2013-3222 CVE-2013-3223 CVE-2013-3224 CVE-2013-3225 CVE-2013-3228 CVE-2013-3229 CVE-2013-3231 CVE-2013-3234 CVE-2013-3235}
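Review bot: CVE-2013-2141 is appended to the end of the DSA-2669-1 list, while the rest of that list and the neighbouring DSA-2668-1 list are kept in ascending CVE order; it should be inserted between CVE-2013-2094 and CVE-2013-3076 so that lookups and later diffs against the sorted list stay clean.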
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2013-10-15 05:15:59 UTC (rev 23994)
+++ data/dsa-needed.txt 2013-10-15 15:11:00 UTC (rev 23995)
@@ -40,6 +40,8 @@
--
ffmpeg/oldstable (geissert)
--
+libhttp-body-perl
+--
librack-ruby/oldstable (thijs)
Package to review was already prepared
--
@@ -72,8 +74,6 @@
--
polarssl
--
-policykit-1
---
quagga
--
qt4-x11/oldstable