[Secure-testing-commits] r26489 - in data: . CVE DSA

Moritz Muehlenhoff jmm at moszumanska.debian.org
Wed Apr 9 20:42:19 UTC 2014


Author: jmm
Date: 2014-04-09 20:42:19 +0000 (Wed, 09 Apr 2014)
New Revision: 26489

Modified:
   data/CVE/list
   data/DSA/list
   data/dsa-needed.txt
Log:
tomcat updates
dsa needed for cacti, wordpress, chromium, actionpack 23, jbigkit
no-dsa: php-openid, py32, ruby1.9.1, elfutils
glibc unimportant
N/A: horizon, psql
Limit affected src packages for jenkins issue


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-04-09 19:42:24 UTC (rev 26488)
+++ data/CVE/list	2014-04-09 20:42:19 UTC (rev 26489)
@@ -218,6 +218,7 @@
 	{DSA-2865-1}
 	- postgresql-9.1 <removed>
 	- postgresql-8.4 <removed>
+	[wheezy] - postgresql-8.4 <not-affected> (9.x branch only)
 	[squeeze] - postgresql-8.4 <not-affected> (9.x branch only)
 	- postgresql-9.3 9.3.3-1
 CVE-2014-2668 (Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a ...)
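Review bot: the new `[wheezy] - postgresql-8.4 <not-affected> (9.x branch only)` line is inserted above the existing `[squeeze]` line, whereas the other entries touched by this commit (the elfutils and tomcat6 hunks) list squeeze before wheezy; placing it below the squeeze line keeps the release annotations in one order throughout the file.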
@@ -228,7 +229,8 @@
 CVE-2014-2667 [race condition]
 	RESERVED
 	- python3.1 <removed>
-	- python3.2 <removed>
+	- python3.2 <removed> (low)
+	[wheezy] - python3.2 <no-dsa> (Minor issue)
 	- python3.3 <unfixed>
 	- python3.4 <unfixed>
 	- python2.5 <not-affected> (Only affects Python 3.x)
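Review bot: the `(low)` severity is attached only to the `<removed>` python3.2 line, while `- python3.3 <unfixed>` and `- python3.4 <unfixed>` in the same entry carry no severity, so the issue reads as minor for wheezy but unrated for unstable. If the race condition is minor across the board, add `(low)` to the unfixed lines as well, or record why the unstable packages are rated differently.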
@@ -1694,7 +1696,6 @@
 CVE-2014-2060 [SECURITY-106]
 	RESERVED
 	- jenkins <unfixed> (bug #739067)
-	- jenkins-winstone <unfixed>
 	NOTE: https://github.com/jenkinsci/jenkins/commit/29351af4bd01f61715418916fc12c52be46bd9b0
 CVE-2014-2059 (Directory traversal vulnerability in the CLI job creation ...)
 	- jenkins <unfixed> (bug #739067)
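Review bot: dropping `- jenkins-winstone <unfixed>` leaves no record of why winstone is out of scope for SECURITY-106; the commit log only says the affected source packages were limited. A `NOTE:` line giving the reason (for instance which component the referenced upstream commit changes) would keep the triage reproducible for the next person looking at CVE-2014-2060.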
@@ -2309,6 +2310,7 @@
 	- python2.7 2.7.6-6 (low)
 	- python3.1 <removed> (low)
 	- python3.2 <removed> (low)
+	[wheezy] - python3.2 <no-dsa> (Minor issue)
 	- python3.3 3.3.5-1 (low)
 	- python3.4 3.4.0-1 (low)
 	NOTE: http://bugs.python.org/issue20246
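Review bot: the `[wheezy] - python3.2 <no-dsa> (Minor issue)` line is added, but `- python3.1 <removed> (low)` directly above it gets no `[squeeze]` annotation here, while the entry for http://bugs.python.org/issue20078 in the next hunk has `[squeeze] - python3.1 <no-dsa> (Minor issue)`. If squeeze still carries python3.1, add the matching squeeze line so both entries are handled the same way.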
@@ -2389,6 +2391,7 @@
 	- python3.1 <removed> (low)
 	[squeeze] - python3.1 <no-dsa> (Minor issue)
 	- python3.2 <removed> (low)
+	[wheezy] - python3.2 <no-dsa> (Minor issue)
 	- python3.3 3.3.4-1 (low)
 	- python3.4 3.4~b3-1 (low)
 	NOTE: http://bugs.python.org/issue20078
@@ -6838,7 +6841,9 @@
 	RESERVED
 CVE-2014-0172 [integer overflow, leading to a heap-based buffer overflow in libdw]
 	RESERVED
-	- elfutils <unfixed> (bug #744017)
+	- elfutils <unfixed> (low; bug #744017)
+	[squeeze] - elfutils <no-dsa> (Minor issue)
+	[wheezy] - elfutils <no-dsa> (Minor issue)
 CVE-2014-0171
 	RESERVED
 CVE-2014-0170
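Review bot: the bracketed summary describes an integer overflow leading to a heap-based buffer overflow in libdw, yet the hunk rates it `(low)` and marks both squeeze and wheezy `<no-dsa>` with only the generic "Minor issue" reason. Add a `NOTE:` line with the actual rationale (and the upstream fix reference, if known) so the low rating of a memory-safety bug can be re-evaluated later without redoing the analysis.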
@@ -6880,6 +6885,7 @@
 CVE-2014-0157
 	RESERVED
 	- horizon 2013.2.3-1 (bug #744019)
+	[wheezy] - horizon <not-affected> (Vulnerable code not present)
 CVE-2014-0156
 	RESERVED
 CVE-2014-0155
@@ -12899,7 +12905,8 @@
 CVE-2013-4702 (Multiple directory traversal vulnerabilities in the doApiAction ...)
 	NOT-FOR-US: EC-CUBE
 CVE-2013-4701 (Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows ...)
-	- php-openid 2.2.2-1.2 (bug #721221)
+	- php-openid 2.2.2-1.2 (low; bug #721221)
+	[wheezy] - php-openid <no-dsa> (Minor issue)
 	TODO: check, potentially also simplesamlphp, typo3-src and wordpress-openid (including a Auth/Yadis/XML.php in source)
 CVE-2013-4700 (The Yahoo! Japan Shopping application 1.4 and earlier for Android does ...)
 	NOT-FOR-US: Yahoo shopping app
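Review bot: the `TODO:` line about embedded copies of Auth/Yadis/XML.php in simplesamlphp, typo3-src and wordpress-openid is still open, while php-openid itself is now `(low)` and `<no-dsa>` for wheezy. Either resolve the TODO or record that the no-dsa decision is meant to cover the embedded copies too; otherwise those three packages remain untriaged for CVE-2013-4701.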
@@ -13156,8 +13163,11 @@
 	NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=12d6e7538e2d418c08f082b1b44ffa5fb7270ed8
 	NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e40f193f5bb022e927a57a4f5d5194e4f12ddb74
 CVE-2013-4590 (Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before ...)
-	- tomcat6 6.0.39
-	- tomcat7 7.0.50
+	- tomcat6 6.0.39 (low)
+	[squeeze] - tomcat6 <no-dsa> (Minor issue)
+	[wheezy] - tomcat6 <no-dsa> (Minor issue)
+	- tomcat7 7.0.50 (low)
+	[wheezy] - tomcat7 <no-dsa> (Minor issue)
 	- tomcat8 <itp> (bug #722675)
 CVE-2013-4589 (The ExportAlphaQuantumType function in export.c in GraphicsMagick ...)
 	- graphicsmagick 1.3.18-1 (low; bug #729661)
@@ -14034,9 +14044,8 @@
 	NOTE: libav fix: http://git.libav.org/?p=libav.git;a=commit;h=072be3e8969f24113d599444be4d6a0ed04a6602
 CVE-2013-4357 [getaddrinfo() stack overflow]
 	RESERVED
-	- eglibc <unfixed> (low; bug #742925)
+	- eglibc <unfixed> (unimportant; bug #742925)
 	NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=12671
-	NOTE: unimportant?
 CVE-2013-4356 (Xen 4.3.x writes hypervisor mappings to certain shadow pagetables when ...)
 	- xen <unfixed>
 	[wheezy] - xen <not-affected> (Only affects 4.3+)
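Review bot: replacing `NOTE: unimportant?` with the `(unimportant)` severity removes the open question without recording the answer; for a getaddrinfo() stack overflow a `NOTE:` stating why it is considered unimportant would preserve the rationale in the tracker, since the sourceware bug URL is now the only pointer left on the entry.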
@@ -20076,7 +20085,8 @@
 	{DSA-2674-1}
 	- libxv 2:1.0.7-1+deb7u1
 CVE-2013-2065 ((1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 ...)
-	- ruby1.9.1 1.9.3.448-1
+	- ruby1.9.1 1.9.3.448-1 (low)
+	[wheezy] - ruby1.9.1 <no-dsa> (Minor issue)
 	- ruby1.8 <not-affected> (Only affects 1.9 and 2.x)
 CVE-2013-2064 (Integer overflow in X.org libxcb 1.9 and earlier allows X servers to ...)
 	{DSA-2686-1}
@@ -28438,11 +28448,10 @@
 CVE-2012-5569 (Multiple cross-site scripting (XSS) vulnerabilities in the Basic ...)
 	NOT-FOR-US: Drupal Webmail module
 CVE-2012-5568 (Apache Tomcat through 7.0.x allows remote attackers to cause a denial ...)
-	- tomcat6 <unfixed> (low)
-	[squeeze] - tomcat6 <no-dsa> (Minor issue)
-	[wheezy] - tomcat6 <no-dsa> (Minor issue)
-	- tomcat7 <unfixed> (low)
-	[wheezy] - tomcat7 <no-dsa> (Minor issue)
+	- tomcat6 <unfixed> (unimportant)
+	- tomcat7 <unfixed> (unimportant)
+	NOTE: No fix planned, can be mitigated by config changes:
+	NOTE: http://mail-archives.apache.org/mod_mbox/tomcat-users/200906.mbox/%3C4A3D0884.5080309@apache.org%3E
 CVE-2012-5567 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith ...)
 	- kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
 CVE-2012-5566 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith ...)
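Review bot: the new `NOTE: No fix planned, can be mitigated by config changes:` does not say which configuration change; the only detail is the mailing-list URL on the following line. Naming the relevant setting in the NOTE keeps the entry usable if the archive link goes stale, and the downgrade of a remotely triggerable denial of service to `(unimportant)` rests on that mitigation being documented.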

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2014-04-09 19:42:24 UTC (rev 26488)
+++ data/DSA/list	2014-04-09 20:42:19 UTC (rev 26489)
@@ -7,7 +7,7 @@
 	[squeeze] - imagemagick 8:6.6.0.4-3+squeeze4
 	[wheezy] - imagemagick 8:6.7.7.10-5+deb7u3
 [08 Apr 2014] DSA-2897-1 tomcat7 - security update
-	{CVE-2013-2067 CVE-2013-2071 CVE-2013-4286 CVE-2013-4322 CVE-2014-0050}
+	{CVE-2012-3544 CVE-2013-2067 CVE-2013-2071 CVE-2013-4286 CVE-2013-4322 CVE-2014-0050}
 	[wheezy] - tomcat7 7.0.28-4+deb7u1
 [07 Apr 2014] DSA-2896-1 openssl - security update
 	{CVE-2014-0160}
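Review bot: CVE-2012-3544 is added to the DSA-2897-1 CVE set after the advisory date, but this commit does not touch the CVE-2012-3544 entry in data/CVE/list; check that its tomcat7 line carries the `{DSA-2897-1}` reference and the `7.0.28-4+deb7u1` version so the two files stay in sync.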

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt	2014-04-09 19:42:24 UTC (rev 26488)
+++ data/dsa-needed.txt	2014-04-09 20:42:19 UTC (rev 26489)
@@ -15,6 +15,10 @@
 --
 asterisk
 --
+cacti
+--
+chromium-browser
+--
 curl
 --
 fail2ban
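Review bot: the commit log says `chromium` while the package added here is `chromium-browser`, which is the right name for dsa-needed.txt; however neither `cacti` nor `chromium-browser` gets an indented note pointing at the CVE entries that motivate the update, unlike the `jquery/oldstable` and `libplrpc-perl` entries in this file. A one-line pointer makes it easier for whoever picks the DSA up.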
@@ -23,6 +27,8 @@
 --
 icinga
 --
+jbigkit
+--
 jquery/oldstable
   Maintainer prepared an update
 --
@@ -31,6 +37,8 @@
 liblivemedia/stable (geissert)
 --
 libplrpc-perl
+  To be removed in unstable, only rev dep is libdbi-perl, maybe fix that up in a point update
+  and remove it from stable as well?
 --
 libv8
 --
@@ -50,20 +58,22 @@
 --
 phpmyadmin (thijs)
 --
-php-openid (jmm)
---
 python2.6
 --
 python-gnupg
 --
 qt4-x11/oldstable
 --
+ruby-actionpack-2.3
+--
 ruby-actionpack-3.2
 --
 virtualbox
 --
 vlc
 --
+wordpress
+--
 xen
  ijc prepared updates
 --
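Review bot: removing `php-openid (jmm)` matches the wheezy `<no-dsa>` decision recorded for CVE-2013-4701 in this commit, so the two files agree. For `ruby-actionpack-2.3` and `wordpress` no indented note records which CVEs the pending DSA should cover; adding one in the style of the `libplrpc-perl` entry would help the person who takes the update.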
