[Secure-testing-commits] r26704 - in data: . CVE DSA
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Fri Apr 25 15:35:54 UTC 2014
Author: jmm
Date: 2014-04-25 15:35:54 +0000 (Fri, 25 Apr 2014)
New Revision: 26704
Modified:
data/CVE/list
data/DSA/list
data/dsa-needed.txt
Log:
dsa-needed: qemu-kvm, mupdf, libmms
n/A: keystone, nova
no-dsa: php, redmine
add missing CVE ID for icedove
CVE-2014-2734 is a non-issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-04-25 13:54:21 UTC (rev 26703)
+++ data/CVE/list 2014-04-25 15:35:54 UTC (rev 26704)
@@ -528,13 +528,9 @@
NOT-FOR-US: MODX Revolution
CVE-2014-2735 (WinSCP before 5.5.3, when FTP with TLS is used, does not verify that ...)
TODO: check
-CVE-2014-2734 [Ruby OpenSSL private key spoofing]
+CVE-2014-2734
RESERVED
- - ruby1.8 <unfixed>
- - ruby1.9.1 <unfixed>
- - ruby2.0 <unfixed>
- - ruby2.1 <unfixed>
- TODO: check
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1091156#c1
NOTE: https://gist.github.com/gdisneyleugers/10446549
CVE-2014-2733 (Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a ...)
TODO: check
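Review bot: After this change the CVE-2014-2734 entry no longer records its own disposition: the bracketed description and all four ruby package lines are removed, leaving RESERVED plus two links, so the "non-issue" conclusion exists only in the commit log and behind the Bugzilla URL. Suggest adding a short NOTE line that states the finding in words next to the link, so the entry still explains itself if the external comment becomes unavailable.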
@@ -620,6 +616,7 @@
NOTE: cifscreds PAM not built in unstable
CVE-2014-2828 (The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and ...)
- keystone 2014.1-1
+ [wheezy] - keystone <not-affected> (Only affects 2013.1 to 2013.2.3)
NOTE: https://launchpad.net/bugs/1300274
CVE-2014-2746 (net/IOService.java in Tigase before 5.2.1 does not properly restrict ...)
NOT-FOR-US: Tigase XMPP Server
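Review bot: The reason on the added [wheezy] keystone line quotes an upstream range (2013.1 to 2013.2.3) without saying why wheezy falls outside it, and the description line above is cut at "before 2013.2.4 and ...", so the quoted range may not be the whole affected set. Suggest wording the reason in terms of the wheezy package itself, so the not-affected claim can be checked from this entry alone.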
@@ -660,6 +657,8 @@
[squeeze] - horde3 <no-dsa> (Minor issue)
CVE-2014-1985 (Open redirect vulnerability in the redirect_back_or_default function ...)
- redmine <unfixed> (bug #743828)
+ [wheezy] - redmine <no-dsa> (Minor issue)
+ [squeeze] - redmine <no-dsa> (Minor issue)
NOTE: https://github.com/redmine/redmine/commit/7567c3d8b21fe67e5f04e6839c1fce061600f2f3
CVE-2014-2726
RESERVED
@@ -2241,6 +2240,8 @@
NOTE: http://bugs.gw.com/view.php?id=313
NOTE: https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
- php5 5.5.10+dfsg-1 (bug #740960)
+ [wheezy] - php5 <no-dsa> (Minor issue, can be fixed along with a future DSA)
+ [squeeze] - php5 <no-dsa> (Minor issue, can be fixed along with a future DSA)
NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=a33759fd275b32ed0bbe89796fe2953b3cb0b41f
CVE-2013-7345 (The BEGIN regular expression in the awk script detector in ...)
{DSA-2873-1}
@@ -3328,7 +3329,7 @@
{DSA-2905-1}
- chromium-browser 34.0.1847.116-1
[squeeze] - chromium-browser <end-of-life>
- - speech-dispatcher <unfixed> (low)
+ - speech-dispatcher <unfixed> (low; bug #745808)
NOTE: no specific information available (possibly already be fixed in 0.8), the fix in chromium was to disable speechd by default
CVE-2014-1723 (The UnescapeURLWithOffsetsImpl function in net/base/escape.cc in ...)
{DSA-2905-1}
@@ -7605,6 +7606,7 @@
RESERVED
CVE-2014-0167 (The Nova EC2 API security group implementation in OpenStack Compute ...)
- nova 2013.2.3-1 (bug #744051)
+ [wheezy] - nova <not-affected> (Only affects 2013.1 to 2013.2.3)
CVE-2014-0166 (The wp_validate_auth_cookie function in wp-includes/pluggable.php in ...)
{DSA-2901-1}
- wordpress 3.8.2+dfsg-1 (bug #744018)
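Review bot: The reason on the added [wheezy] nova line is word-for-word the one used for keystone under CVE-2014-2828 in this same commit, and its upper bound 2013.2.3 matches the upstream version of the package listed as fixed on the line above (nova 2013.2.3-1). Please confirm the range against the nova advisory rather than the keystone one, and adjust the upper bound or the wording if it was carried over.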
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2014-04-25 13:54:21 UTC (rev 26703)
+++ data/DSA/list 2014-04-25 15:35:54 UTC (rev 26704)
@@ -6,7 +6,7 @@
[squeeze] - openjpeg 1.3+dfsg-4+squeeze3
[wheezy] - openjpeg 1.3+dfsg-4.8
[22 Apr 2014] DSA-2911-1 icedove - security update
- {CVE-2014-1493 CVE-2014-1497 CVE-2014-1505 CVE-2014-1508 CVE-2014-1510 CVE-2014-1511 CVE-2014-1512 CVE-2014-1513 CVE-2014-1514}
+ {CVE-2014-1493 CVE-2014-1497 CVE-2014-1505 CVE-2014-1508 CVE-2014-1509 CVE-2014-1510 CVE-2014-1511 CVE-2014-1512 CVE-2014-1513 CVE-2014-1514}
[wheezy] - icedove 24.4.0-1~deb7u1
[18 Apr 2014] DSA-2910-1 qemu-kvm - security update
{CVE-2014-0150}
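Review bot: CVE-2014-1509 is added to the DSA-2911-1 set here, but no hunk in data/CVE/list in this revision touches a CVE-2014-1509 entry. Please check that the CVE side already carries the matching icedove fixed-version line for wheezy (24.4.0-1~deb7u1), otherwise the two files disagree about whether the DSA covers it.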
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2014-04-25 13:54:21 UTC (rev 26703)
+++ data/dsa-needed.txt 2014-04-25 15:35:54 UTC (rev 26704)
@@ -30,6 +30,8 @@
--
liblivemedia/stable (geissert)
--
+libmms
+--
libplrpc-perl
To be removed in unstable, only rev dep is libdbi-perl, maybe fix that up in a point update
and remove it from stable as well?
@@ -42,6 +44,8 @@
--
mantis
--
+mupdf
+--
moodle/oldstable
--
mysql-5.5/stable
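Review bot: The new mupdf entry is inserted between mantis and moodle/oldstable, which breaks the alphabetical order the surrounding entries follow (mantis, moodle, mysql-5.5). Suggest moving it to sit after moodle/oldstable and before mysql-5.5/stable.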
@@ -59,6 +63,8 @@
--
python-gnupg
--
+qemu-kvm
+--
qt4-x11/oldstable
--
ruby-actionpack-2.3
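Review bot: The added qemu-kvm entry carries no suite qualifier or note, while data/DSA/list in this same revision shows DSA-2910-1 for qemu-kvm issued on 18 Apr 2014. Suggest a one-line note under the entry naming the issue that still needs an update, in the way the libplrpc-perl entry carries its explanation, so it is not mistaken for a leftover from the DSA already released.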