[Secure-testing-commits] r30542 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Thu Dec 4 15:21:14 UTC 2014
Author: jmm
Date: 2014-12-04 15:21:14 +0000 (Thu, 04 Dec 2014)
New Revision: 30542
Modified:
data/CVE/list
Log:
procmail bug not a security issue
nss no-dsa
mountall n/a
keystone fixed
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-12-04 15:04:58 UTC (rev 30541)
+++ data/CVE/list 2014-12-04 15:21:14 UTC (rev 30542)
@@ -9,10 +9,6 @@
- mediawiki <unfixed>
[squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=71478
-CVE-2014-XXXX [heap overflow in getlline()]
- - procmail 3.22-23 (bug #771958)
- [wheezy] - procmail <no-dsa> (Problem happens with specifically-crafted user-controlled ~/.procmailrc)
- [squeeze] - procmail <no-dsa> (Problem happens with specifically-crafted user-controlled ~/.procmailrc)
CVE-2015-0360
RESERVED
CVE-2015-0359
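Review bot: Deleting the whole CVE-2014-XXXX procmail block also drops the reference to bug #771958 and the stated reasoning (the problem needs a specifically-crafted user-controlled ~/.procmailrc), so after this change nothing in the list records why the report was judged not to be a security issue. Consider keeping a short record of that decision, so the same report is not re-added later without the context.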
@@ -14240,6 +14236,9 @@
- midori <unfixed> (unimportant)
- netsurf <unfixed> (unimportant)
- nss <unfixed>
+ [jessie] - nss <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
+ [squeeze] - nss <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
+ [wheezy] - nss <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
- openjdk-6 <unfixed>
[squeeze] - openjdk-6 <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
[wheezy] - openjdk-6 <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
@@ -20646,13 +20645,9 @@
CVE-2014-1422
RESERVED
CVE-2014-1421 (mountall 1.54, as used in Ubuntu 14.10, does not properly handle the ...)
- - mountall <unfixed>
- [wheezy] - mountall <not-affected> (Only affected when using more recent mount versions)
+ - mountall <not-affected> (partman-efi in jessies uses ecure umask, mount in older releases not affected)
NOTE: See https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183
NOTE: and http://www.ubuntu.com/usn/usn-2411-1
- NOTE: There is a note in ubuntu's tracker mentioning that this is an issue
- NOTE: only in combination with newer mount utilities.
- TODO: check which combination vulnerable
CVE-2014-1420
RESERVED
CVE-2014-1419 (Race condition in the power policy functions in policy-funcs in ...)
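Review bot: The reason text on the added mountall line has two typos: "jessies uses ecure umask" should read "jessie uses secure umask". The hunk also removes the "TODO: check which combination vulnerable" line and the notes about newer mount utilities. The new reason says mount in older releases is not affected but no longer says which mount versions are, so a brief NOTE naming the affected combination would keep the not-affected verdict checkable.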
@@ -37027,13 +37022,14 @@
CVE-2013-2255 [Inconsistent and non-validating HTTPS client]
RESERVED
- cinder <unfixed>
- - keystone <unfixed>
+ - keystone 2014.1-1
[wheezy] - keystone <no-dsa> (Minor issue)
- nova <unfixed>
[wheezy] - nova <no-dsa> (Minor issue)
- quantum <unfixed>
[wheezy] - quantum <no-dsa> (Minor issue)
- swift <not-affected> (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
+ NOTE: Fixes for keystone: https://review.openstack.org/#/c/76476/
CVE-2013-2254 (The deepGetOrCreateNode function in ...)
NOT-FOR-US: Apache Sling
CVE-2013-2253
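Review bot: Nothing in the entry ties the fixed version 2014.1-1 on the keystone line to the review linked in the new NOTE, so the version cannot be verified from the list alone. Stating in the NOTE that the change is contained in that release would close the gap. The NOTE also sits after the swift line while cinder, nova and quantum stay <unfixed>. Since it is keystone-specific, placing it directly under the keystone lines would make clear that it does not cover the other packages.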