[Secure-testing-commits] r26517 - in data: . CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Fri Apr 11 14:42:07 UTC 2014
Author: jmm
Date: 2014-04-11 14:42:07 +0000 (Fri, 11 Apr 2014)
New Revision: 26517
Modified:
data/CVE/list
data/dsa-needed.txt
Log:
one pygpg issue fixed
mark several older libav issues as undetermined
one kernel issue not affected
multiple psql 9.1 issues n/a in sid
one mediawiki extension issue unimportant
one java issue N/A
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-04-11 14:37:58 UTC (rev 26516)
+++ data/CVE/list 2014-04-11 14:42:07 UTC (rev 26517)
@@ -28,8 +28,8 @@
CVE-2014-2730 (The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and ...)
NOT-FOR-US: Microsoft Office
CVE-2014-2739 [IB/core: crash while resolving passive side RoCE L2 address in cma req handler]
- - linux <unfixed> (low)
- - linux-2.6 <removed> (low)
+ - linux <not-affected> (Introduced and fixed in 3.14)
+ - linux-2.6 <not-affected> ((Introduced and fixed in 3.14)
CVE-2014-2729
RESERVED
CVE-2014-2728
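Review bot: the new linux-2.6 line for CVE-2014-2739 has a doubled opening parenthesis, `<not-affected> ((Introduced and fixed in 3.14)`, which leaves the comment unbalanced; it should read `<not-affected> (Introduced and fixed in 3.14)` like the linux line directly above it. Since the log also says the issue was introduced and fixed within 3.14, it would help to name the 3.14 release candidate or commit range so the not-affected verdict for the older linux-2.6 source package can be rechecked without re-reading the upstream history.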
@@ -2066,7 +2066,7 @@
- php5 5.5.10+dfsg-1 (bug #739012)
CVE-2014-1929 [option injection through positional arguments]
RESERVED
- - python-gnupg <unfixed> (bug #738509)
+ - python-gnupg 0.3.6-1 (bug #738509)
CVE-2014-1926
RESERVED
CVE-2014-1920
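Review bot: the python-gnupg entry is closed with a fixed version (0.3.6-1) while the CVE is still RESERVED and the only reference is Debian bug #738509; a NOTE pointing at the upstream change that closes the positional-argument option injection would make it possible to confirm that 0.3.6 actually contains the fix rather than only a new upstream release. The commit log calls the package "pygpg", which does not match the source package name used here; using python-gnupg in the log avoids confusion when grepping the history.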
@@ -5611,8 +5611,9 @@
- openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2014-0417 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; ...)
- - openjdk-6 <unfixed>
- - openjdk-7 <unfixed>
+ - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea)
+ NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected
CVE-2014-0416 (Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; ...)
- openjdk-6 6b30-1.13.1-1
- openjdk-7 7u51-2.4.4-1
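Review bot: the not-affected verdict for CVE-2014-0417 is, as the NOTE itself says, an inference from the absence of an IcedTea patch rather than a confirmed analysis, so the NOTE should record which IcedTea release was checked; the parallel change in dsa-needed.txt waits for the next Oracle update, and without that anchor nobody can tell later whether this entry was re-evaluated against it. Minor style point: the NOTE runs as one long sentence and would read better with a comma before "but since".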
@@ -6304,8 +6305,9 @@
NOTE: https://trac.ffmpeg.org/ticket/2905
CVE-2013-7020 (The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 ...)
- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- - libav <unfixed>
+ - libav <undetermined>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/b05cd1ea7e45a836f7f6071a716c38bb30326e0f
+ NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
CVE-2013-7019 (The get_cox function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 ...)
- ffmpeg <not-affected> (Vulnerable code not present)
- libav <not-affected> (Vulnerable code not present)
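Review bot: `<undetermined>` parks CVE-2013-7020 without saying what was examined, even though the CVE text names the affected function (read_header in libavcodec/ffv1dec.c) and the NOTE already links the FFmpeg fix; stating whether that function exists in the packaged libav tree, or at least which libav version was looked at, would turn the NOTE into something a later triager can act on. The same applies to the identical libav changes for CVE-2013-4263, CVE-2013-3674, CVE-2013-3672, CVE-2013-3670, CVE-2013-0868 and CVE-2013-0860 further down in this commit.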
@@ -7213,43 +7215,43 @@
NOT-FOR-US: OpenShift
CVE-2014-0067 (The "make check" command for the test suites in PostgreSQL 9.3.3 and ...)
{DSA-2865-1 DSA-2864-1}
- - postgresql-9.1 <removed>
+ - postgresql-9.1 9.1.11-2
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl)
- postgresql-9.3 9.3.3-1
CVE-2014-0066 (The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before ...)
{DSA-2865-1 DSA-2864-1}
- - postgresql-9.1 <removed>
+ - postgresql-9.1 9.1.11-2
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl)
- postgresql-9.3 9.3.3-1
CVE-2014-0065 (Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before ...)
{DSA-2865-1 DSA-2864-1}
- - postgresql-9.1 <removed>
+ - postgresql-9.1 9.1.11-2
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl)
- postgresql-9.3 9.3.3-1
CVE-2014-0064 (Multiple integer overflows in the path_in and other unspecified ...)
{DSA-2865-1 DSA-2864-1}
- - postgresql-9.1 <removed>
+ - postgresql-9.1 9.1.11-2
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl)
- postgresql-9.3 9.3.3-1
CVE-2014-0063 (Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, ...)
{DSA-2865-1 DSA-2864-1}
- - postgresql-9.1 <removed>
+ - postgresql-9.1 9.1.11-2
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl)
- postgresql-9.3 9.3.3-1
CVE-2014-0062 (Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE ...)
{DSA-2865-1 DSA-2864-1}
- - postgresql-9.1 <removed>
+ - postgresql-9.1 9.1.11-2
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl)
- postgresql-9.3 9.3.3-1
CVE-2014-0061 (The validator functions for the procedural languages (PLs) in ...)
{DSA-2865-1 DSA-2864-1}
- - postgresql-9.1 <removed>
+ - postgresql-9.1 <unfixed> (low)
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <no-dsa> (Minor issue)
- postgresql-9.3 9.3.3-1
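Review bot: CVE-2014-0061 is the one entry in this block where postgresql-9.1 becomes `<unfixed> (low)` instead of `9.1.11-2` like its siblings from the same DSAs (DSA-2865-1, DSA-2864-1), and the wheezy line changes from not-affected to `<no-dsa> (Minor issue)`, yet no NOTE explains why the PL validator issue differs; a one-line NOTE would stop the next reader from assuming an editing slip. Separately, the log message says the 9.1 issues are "n/a in sid", but the entries record a fixed version rather than `<not-affected>`, so the log and the data say slightly different things about what happened to postgresql-9.1.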
@@ -7258,7 +7260,7 @@
[squeeze] - postgresql-plsh <no-dsa> (Minor issue)
CVE-2014-0060 (PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, ...)
{DSA-2865-1 DSA-2864-1}
- - postgresql-9.1 <removed>
+ - postgresql-9.1 9.1.11-2
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <not-affected> (postgresql-8.4 in wheezy only provides PL/Perl)
- postgresql-9.3 9.3.3-1
@@ -14235,9 +14237,9 @@
CVE-2013-4306 (Cross-site request forgery (CSRF) vulnerability in ...)
NOT-FOR-US: Mediawiki CheckUser extension
CVE-2013-4305 (Cross-site scripting (XSS) vulnerability in contrib/example.php in the ...)
- - mediawiki-extensions <unfixed> (low)
- [wheezy] - mediawiki-extensions <no-dsa> (Minor issue)
+ - mediawiki-extensions <unfixed> (unimportant)
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=49070
+ NOTE: Just an example file
CVE-2013-4304 (The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x ...)
NOT-FOR-US: Mediawiki CentralAuth extension
CVE-2013-4303 [mediawiki XSS with IE6]
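Review bot: downgrading CVE-2013-4305 to unimportant and dropping the wheezy no-dsa line removes the issue from all suite views, so the justification "Just an example file" should say what makes the XSS in contrib/example.php irrelevant for the Debian package (for instance, whether that file is shipped or reachable at all in the packaged extension); as written the NOTE states a fact about the upstream layout but not the reason it does not matter for users.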
@@ -14387,8 +14389,9 @@
NOTE: https://github.com/FFmpeg/FFmpeg/commit/2960576378d17d71cc8dccc926352ce568b5eec1
CVE-2013-4263 (libavfilter in FFmpeg before 2.0.1 has unspecified impact and remote ...)
- ffmpeg <not-affected> (Affected video filters not present in ffmpeg 0.5)
- - libav <unfixed>
+ - libav <undetermined>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/e43a0a232dbf6d3c161823c2e07c52e76227a1bc
+ NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
CVE-2013-4262 [svnwcsub.py and irkerbridge.py are vulnerable to symlink attack]
RESERVED
- subversion <not-affected> (Optional admin-side utilities in Subversion 1.8.x)
@@ -15922,22 +15925,25 @@
- libav <not-affected> (Smush codec not present in libav)
CVE-2013-3674 (The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg ...)
- ffmpeg <not-affected> (CD Graphics Video Decoder not present in 0.5 ffmpeg)
- - libav <unfixed>
+ - libav <undetermined>
NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd
+ NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
CVE-2013-3673 (The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg ...)
- ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg)
- libav <not-affected> (Doesn't affect libav, specific to current ffmpeg)
CVE-2013-3672 (The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg ...)
- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- - libav <unfixed>
+ - libav <undetermined>
NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7fa6db2545643efb4fe2e0bb501fa50af35a6330
+ NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
CVE-2013-3671 (The format_line function in log.c in libavutil in FFmpeg before 1.2.1 ...)
- ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg)
- libav <not-affected> (Doesn't affect libav, specific to current ffmpeg)
CVE-2013-3670 (The rle_unpack function in vmdav.c in libavcodec in FFmpeg git ...)
- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- - libav <unfixed>
+ - libav <undetermined>
NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652
+ NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
CVE-2013-3669
RESERVED
CVE-2013-3668
@@ -23648,9 +23654,10 @@
NOTE: Fix needed in ffmpeg 0.5
CVE-2013-0868 (libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers ...)
- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- - libav <unfixed>
+ - libav <undetermined>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f67a0d115254461649470452058fa3c28c0df294
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0dfc01c2bbf4b71bb56201bc4a393321e15d1b31
+ NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
CVE-2013-0867 (The decode_slice_header function in libavcodec/h264.c in FFmpeg before ...)
- ffmpeg <removed>
- libav <not-affected> (Code in libav is different/not affect as per libav h264 maintainer)
@@ -23682,8 +23689,9 @@
NOTE: Affects the libav version in experimental
CVE-2013-0860 (The ff_er_frame_end function in libavcodec/error_resilience.c in ...)
- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- - libav <unfixed>
+ - libav <undetermined>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=23318a57358358e7a4dc551e830e4503f0638cfe
+ NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
CVE-2013-0859 (The add_doubles_metadata function in libavcodec/tiff.c in FFmpeg ...)
- ffmpeg <not-affected> (These changes are specific to current ffmpeg and don't affect ffmpeg 0.5)
- libav <not-affected> ((These changes are specific to ffmpeg and don't affect libav)
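Review bot: the unchanged context line for CVE-2013-0859 carries a doubled opening parenthesis, `<not-affected> ((These changes ...`, which this commit touches adjacent lines of; since the hunk is already editing this region, fixing that stray paren here would be a cheap drive-by cleanup.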
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2014-04-11 14:37:58 UTC (rev 26516)
+++ data/dsa-needed.txt 2014-04-11 14:42:07 UTC (rev 26517)
@@ -48,7 +48,8 @@
--
nss (geissert)
--
-openjdk-6
+openjdk-6 (jmm)
+ -> Wait for next CPU on 15 April
--
openjdk-7/stable
--
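Review bot: the added note "Wait for next CPU on 15 April" uses an abbreviation that is ambiguous outside the Java context; spelling it out as "Oracle Critical Patch Update" (and adding the year, 2014) keeps dsa-needed.txt self-explanatory for whoever picks up openjdk-6 after jmm.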