[Secure-testing-commits] r30560 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Fri Dec 5 18:01:40 UTC 2014


Author: jmm
Date: 2014-12-05 18:01:39 +0000 (Fri, 05 Dec 2014)
New Revision: 30560

Modified:
   data/CVE/list
Log:
record jenkins documentation/fix
speech-dispatcher fixed
two kernel issues n/a for squeeze
mark kvm issues as no-dsa for squeeze
hivex no-dsa


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-12-05 15:53:03 UTC (rev 30559)
+++ data/CVE/list	2014-12-05 18:01:39 UTC (rev 30560)
@@ -548,7 +548,9 @@
 	NOTE: https://www.mantisbt.org/bugs/view.php?id=17841
 	NOTE: http://github.com/mantisbt/mantisbt/commit/b0021673
 CVE-2014-9273 [does not properly handle small-sized hive files]
-	- hivex 1.3.11-1
+	- hivex 1.3.11-1 (low)
+	[wheezy] - hivex <no-dsa> (Minor issue)
+	[squeeze] - hivex <no-dsa> (Minor issue)
 	NOTE: https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb
 	NOTE: https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705
 CVE-2014-9087 (Integer underflow in the ksba_oid_to_str function in Libksba before ...)
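Review bot: The "(low)" urgency added to the unscoped hivex line is not mentioned in the log, which only says "hivex no-dsa". The "(Minor issue)" reason on the new [wheezy] and [squeeze] lines also does not say why mishandling of small hive files is minor. A more specific reason on those two lines would let readers judge the no-dsa decision without opening the two upstream commits.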
@@ -4073,6 +4075,7 @@
 CVE-2014-7842 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 ...)
 	- linux <unfixed>
 	- linux-2.6 <removed>
+	[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a2b9e6c1a35a (v3.18-rc1)
 CVE-2014-7841 (The sctp_process_param function in net/sctp/sm_make_chunk.c in the ...)
 	- linux <unfixed>
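Review bot: The new [squeeze] line uses <no-dsa> for a support-scope decision ("KVM not supported in Squeeze LTS"), while the hivex entry in the same commit uses <no-dsa> to mean "Minor issue". Only the parenthetical distinguishes the two cases, so the reason string needs to stay byte-identical across all the KVM entries touched here so that they can be found and revisited together.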
@@ -13779,6 +13782,7 @@
 	{DSA-3060-1}
 	- linux 3.16.7-1
 	- linux-2.6 <removed>
+	[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
 	NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a (v3.18-rc1)
 CVE-2014-3689 (The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local ...)
 	{DSA-3067-1 DSA-3066-1}
@@ -13863,6 +13867,9 @@
 CVE-2014-3665
 	RESERVED
 	- jenkins <unfixed> (bug #767541)
+	[jessie] - jenkins 1.565.3-3
+	NOTE: For jessie, the backport is too intrusive and since it's a cornercase, it's only documented, 
+	NOTE: marking that version as fixed, for unstable we'll record the actual new version with the code fix
 	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30
 CVE-2014-3664 (Directory traversal vulnerability in CloudBees Jenkins before 1.583 ...)
 	- jenkins 1.565.3-1 (bug #763899)
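Review bot: The added "[jessie] - jenkins 1.565.3-3" line records a version as fixed although the NOTE below it says the issue is only documented there, not fixed in code. The explanation is split mid-sentence across two NOTE lines, and the first ends in trailing whitespace. Consider making each NOTE self-contained and stating on the first one that 1.565.3-3 is a documentation-only change, so a reader who sees only the version line does not assume a code fix.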
@@ -13920,6 +13927,7 @@
 	{DSA-3060-1}
 	- linux 3.16.7-1
 	- linux-2.6 <removed>
+	[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
 	NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=234f3ce485d54017f15cf5e0699cff4100121601
 	NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=d1442d85cc30ea75f7d399474ca738e0bc96f715
 CVE-2014-3646 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through ...)
@@ -13931,6 +13939,7 @@
 	{DSA-3060-1}
 	- linux 3.12.6-1
 	- linux-2.6 <removed>
+	[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
 	NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bfd0a56b90005f8c8a004baf407ad90045c2b11e (v3.12-rc1)
 CVE-2014-3644
 	RESERVED
@@ -14066,11 +14075,13 @@
 	{DSA-3060-1}
 	- linux 3.16.7-1
 	- linux-2.6 <removed>
+	[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
 	NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=2febc839133280d5a5e8e1179c94ea674489dae2
 CVE-2014-3610 (The WRMSR processing functionality in the KVM subsystem in the Linux ...)
 	{DSA-3060-1}
 	- linux 3.16.7-1
 	- linux-2.6 <removed>
+	[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
 	NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=854e8bb1aa06c578c2c9145fa6bfe3680ef63b23
 	NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=8b3c3104c3f4f706e99365c3e0d2aa61b95f969f
 	NOTE: Enabling CONFIG_PARAVIRT when building the kernel mitigates this issue.
@@ -15444,7 +15455,7 @@
 CVE-2014-3183 (Heap-based buffer overflow in the logi_dj_ll_raw_request function in ...)
 	- linux 3.16.2-2
 	[wheezy] - linux 3.2.63-1
-	- linux-2.6 <removed>
+	- linux-2.6 <not-affected> (Vulnerable code not present)
 	NOTE: https://code.google.com/p/google-security-research/issues/detail?id=90
 	NOTE: Upstream fix: https://git.kernel.org/linus/51217e69697fba92a06e07e16f55c9a52d8e8945 (v3.17-rc2)
 CVE-2014-3182 (Array index error in the logi_dj_raw_event function in ...)
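Review bot: The log says "two kernel issues n/a for squeeze", but in the hunks shown this is the only line changed to <not-affected>, and it is the unscoped "- linux-2.6" line rather than a "[squeeze]" one. If the intent is squeeze-specific, a "[squeeze] - linux-2.6 <not-affected> (Vulnerable code not present)" line alongside the existing <removed> line would match the log. Otherwise the log should say the change applies to linux-2.6 as a whole.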
@@ -19487,7 +19498,7 @@
 	{DSA-2905-1}
 	- chromium-browser 34.0.1847.116-1
 	[squeeze] - chromium-browser <end-of-life>
-	- speech-dispatcher <unfixed> (low; bug #745808)
+	- speech-dispatcher 0.8-7 (low; bug #745808)
 	[squeeze] - speech-dispatcher <no-dsa> (Minor issue)
 	[wheezy] - speech-dispatcher <no-dsa> (Minor issue)
 	NOTE: no specific information available (possibly already be fixed in 0.8), the fix in chromium was to disable speechd by default
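Review bot: speech-dispatcher is now recorded as fixed in 0.8-7, but the NOTE left in place still reads "no specific information available (possibly already be fixed in 0.8)". Either update the NOTE to say what confirmed the fix in 0.8-7 (for example, the resolution of bug #745808) or keep a remark that the fixed version is an inference, so the entry does not contradict itself.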



