[Secure-testing-commits] r30497 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Tue Dec 2 22:28:53 UTC 2014 

Author: jmm
Date: 2014-12-02 22:28:53 +0000 (Tue, 02 Dec 2014)
New Revision: 30497

Modified:
   data/CVE/list
Log:
rails fixed
openjdk, util-linux no-dsa
older mcollective issues fixed
mark offlineimap as fixed
mark xorg as fixed
NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-12-02 21:56:40 UTC (rev 30496)
+++ data/CVE/list	2014-12-02 22:28:53 UTC (rev 30497)
@@ -495,6 +495,8 @@
 CVE-2014-9114 [blkid command injection]
 	RESERVED
 	- util-linux <unfixed> (bug #771274)
+	[squeeze] - util-linux <no-dsa> (Minor issue)
+	[wheezy] - util-linux <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2014/11/26/13
 	NOTE: https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc
 CVE-2014-9112 [heap-based buffer overflow]
@@ -2797,7 +2799,6 @@
 	RESERVED
 	- glpi <unfixed> (unimportant)
 	NOTE: Only supported behind an authenticated HTTP zone
-	TODO: check
 	NOTE: original bug: https://forge.indepnet.net/issues/5101
 	NOTE: followup: https://forge.indepnet.net/issues/5113
 	NOTE: appears to be a generic autoloading abuse; possibly with
@@ -4062,13 +4063,12 @@
 	- moodle <unfixed>
 	[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
 	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766
-	TODO: check, possibly affects only 2.7.x
 CVE-2014-7830 (Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php ...)
 	- moodle <unfixed>
 	[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
 	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865
 CVE-2014-7829 (Directory traversal vulnerability in ...)
-	- rails <unfixed> (bug #770934)
+	- rails 2:4.1.8-1 (bug #770934)
 	[wheezy] - rails <not-affected> (src:rails in wheezy is just a transition package)
 	[squeeze] - rails <not-affected> (Only affects >= 3)
 	- rails-3.2 <removed>
@@ -4114,7 +4114,7 @@
 	- ruby-sprockets 2.12.3-1
 	[wheezy] - ruby-sprockets <no-dsa> (Minor issue)
 CVE-2014-7818 (Directory traversal vulnerability in ...)
-	- rails <unfixed> (bug #770934)
+	- rails 2:4.1.8-1 (bug #770934)
 	[wheezy] - rails <not-affected> (src:rails in wheezy is just a transition package)
 	[squeeze] - rails <not-affected> (Only affects >= 3)
 	- rails-3.2 <removed>
@@ -11883,13 +11883,13 @@
 CVE-2014-4463 (Apple iOS before 8.1.1 allows physically proximate attackers to bypass ...)
 	NOT-FOR-US: Apple
 CVE-2014-4462 (WebKit, as used in Apple iOS before 8.1.1 and Apple TV before 7.0.2, ...)
-	TODO: check
+	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
 CVE-2014-4461 (The kernel in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does ...)
 	NOT-FOR-US: Apple
 CVE-2014-4460 (CFNetwork in Apple iOS before 8.1.1 and OS X before 10.10.1 does not ...)
 	NOT-FOR-US: Apple
 CVE-2014-4459 (Use-after-free vulnerability in WebKit, as used in Apple OS X before ...)
-	TODO: check
+	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
 CVE-2014-4458 (The "System Profiler About This Mac" component in Apple OS X before ...)
 	NOT-FOR-US: Apple
 CVE-2014-4457 (The Sandbox Profiles subsystem in Apple iOS before 8.1.1 does not ...)
@@ -11903,7 +11903,7 @@
 CVE-2014-4453 (Apple iOS before 8.1.1 and OS X before 10.10.1 include location data ...)
 	NOT-FOR-US: Apple
 CVE-2014-4452 (WebKit, as used in Apple iOS before 8.1.1 and Apple TV before 7.0.2, ...)
-	TODO: check
+	NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix
 CVE-2014-4451 (Apple iOS before 8.1.1 does not properly enforce the failed-passcode ...)
 	NOT-FOR-US: Apple
 CVE-2014-4450 (The QuickType feature in the Keyboards subsystem in Apple iOS before ...)
@@ -14177,6 +14177,7 @@
 	[wheezy] - openjdk-6 <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
 	- openjdk-7 <unfixed>
 	[wheezy] - openjdk-7 <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
+	[jessie] - openjdk-7 <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
 	- openjdk-8 <unfixed>
 	- polarssl 1.3.9-2
 	- surf <unfixed> (unimportant)
@@ -15100,7 +15101,7 @@
 CVE-2014-3252
 	RESERVED
 CVE-2014-3251 (The MCollective aes_security plugin, as used in Puppet Enterprise ...)
-	- mcollective <unfixed> (low; bug #758701)
+	- mcollective 2.6.0+dfsg-1 (low; bug #758701)
 	[wheezy] - mcollective <no-dsa> (Minor issue)
 	NOTE: Mcollective are not configured to use the plugin and are not vulnerable by default.
 	NOTE: http://puppetlabs.com/security/cve/cve-2014-3251
@@ -15123,7 +15124,7 @@
 	- facter 2.0.1-1 (low)
 	[wheezy] - facter <no-dsa> (Minor issue)
 	[squeeze] - facter <no-dsa> (Minor issue)
-	- mcollective <unfixed> (low)
+	- mcollective 2.5.2+dfsg-1 (low)
 	[wheezy] - mcollective <no-dsa> (Minor issue)
 	NOTE: http://puppetlabs.com/security/cve/cve-2014-3248
 	NOTE: problem in combination with ruby <= 1.9.1
@@ -26135,7 +26136,10 @@
 	- pixman 0.30.2-2
 CVE-2013-6424 (Integer underflow in the xTrapezoidValid macro in render/picture.h in ...)
 	{DSA-2822-1}
-	- xorg-server <unfixed> (low; bug #742922)
+	- xorg-server 2:1.14.2.901-1 (low; bug #742922)
+	NOTE: Band-aid fix in Wheezy not applicable to upstream code, fixed post-Wheezy
+	NOTE: in pixman: http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c
+	NOTE: Mark the first post-wheezy xorg-server as a pseudo fixed version
 CVE-2013-6423
 	RESERVED
 CVE-2013-6422 (The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling ...)
@@ -65565,7 +65569,8 @@
 	- gnutls26 <unfixed> (unimportant)
 	- gnutls28 <unfixed> (unimportant)
 	NOTE: No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0
-	- haskell-tls <unfixed>
+	- haskell-tls <unfixed> (unimportant)
+	NOTE: No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2
 	- matrixssl <removed> (low)
 	[squeeze] - matrixssl <no-dsa> (Minor issue)
 	[wheezy] - matrixssl <no-dsa> (Minor issue)
@@ -75796,8 +75801,8 @@
 	NOTE: http://www.djangoproject.com/weblog/2010/dec/22/security/
 CVE-2010-4533 [offlineimap uses SSLv2]
 	RESERVED
-	- offlineimap <unfixed> (low; bug #606962)
-	[wheezy] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
+	- offlineimap 6.3.4-1 (low; bug #606962)
+	NOTE: offlineimap uses the "ssl" standard lib in Python, marking the version of offlineimap in wheezy as fixed
 	[squeeze] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
 	[lenny] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
 CVE-2010-4532 [no SSL cert validation]

More information about the Secure-testing-commits mailing list