[Secure-testing-commits] r30594 - in data: CVE DSA
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Mon Dec 8 17:43:52 UTC 2014
Author: jmm
Date: 2014-12-08 17:43:52 +0000 (Mon, 08 Dec 2014)
New Revision: 30594
Modified:
data/CVE/list
data/DSA/list
Log:
jenkins, cinder, nova no-dsa for jessie
add missing CVE ID to icedove DSA
ganglia unimportant
xen n/a
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-12-08 17:40:39 UTC (rev 30593)
+++ data/CVE/list 2014-12-08 17:43:52 UTC (rev 30594)
@@ -568,13 +568,13 @@
CVE-2014-9066 [XSA-111]
RESERVED
- xen <unfixed>
- [squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
- TODO: check
+ [wheezy] - xen <not-affected> (Only affects 4.2 and later)
+ [squeeze] - xen <not-affected> (Only affects 4.2 and later)
CVE-2014-9065 [XSA-114]
RESERVED
- xen <unfixed>
- [squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
- TODO: check
+ [wheezy] - xen <not-affected> (Only affects 4.2 and later)
+ [squeeze] - xen <not-affected> (Only affects 4.2 and later)
CVE-2014-9064
RESERVED
CVE-2014-9063
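Review bot: The added [wheezy] and [squeeze] <not-affected> lines under CVE-2014-9066 and CVE-2014-9065 rest on "Only affects 4.2 and later", but neither entry has a NOTE saying where that version range comes from. Since the "TODO: check" lines are dropped and squeeze moves from <end-of-life> to the stronger claim <not-affected>, add a NOTE under each entry pointing at the XSA-111 / XSA-114 advisory text that states the affected versions, so the triage can be re-verified later.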
@@ -14111,9 +14111,8 @@
CVE-2014-3665
RESERVED
- jenkins <unfixed> (bug #767541)
- [jessie] - jenkins 1.565.3-3
+ [jessie] - jenkins <no-dsa> (Backport not feasible, insecure feature is documented as such)
NOTE: For jessie, the backport is too intrusive and since it's a cornercase, it's only documented,
- NOTE: marking that version as fixed, for unstable we'll record the actual new version with the code fix
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30
CVE-2014-3664 (Directory traversal vulnerability in CloudBees Jenkins before 1.583 ...)
- jenkins 1.565.3-1 (bug #763899)
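Review bot: In the CVE-2014-3665 entry, the NOTE that is kept ("... since it's a cornercase, it's only documented,") now ends on a comma, because the continuation line "NOTE: marking that version as fixed, ..." is removed. Finish the sentence on the kept line (end it with a period), and consider saying in it where the insecure feature is documented, since the new <no-dsa> reason "insecure feature is documented as such" relies on that.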
@@ -26610,9 +26609,9 @@
- python-swiftclient 1:2.0.2-1 (bug #730626)
NOTE: https://bugs.launchpad.net/python-swiftclient/+bug/1199783
CVE-2013-6395 (Cross-site scripting (XSS) vulnerability in header.php in Ganglia Web ...)
- - ganglia-web <unfixed> (bug #730507)
+ - ganglia-web <unfixed> (unimportant; bug #730507)
[squeeze] - ganglia <not-affected> (Vulnerable code not present)
- [wheezy] - ganglia <no-dsa> (Minor issue)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
- ganglia 3.6.0-1
NOTE: ganglia-web and ganglia are now two separate source packages
NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed
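Review bot: Removing "[wheezy] - ganglia <no-dsa> (Minor issue)" leaves src:ganglia in wheezy without any per-release triage for CVE-2013-6395, because the "unimportant" tag is added only to the ganglia-web line while "- ganglia 3.6.0-1" is unchanged. If the README.Debian.security argument is meant to cover the web front built from src:ganglia before 3.6.0-1 as well, either keep a [wheezy] line for ganglia or mark the ganglia entry itself accordingly; as written, versions below 3.6.0-1 read as plainly vulnerable. The new NOTE would also sit better next to the other NOTE lines at the end of the entry than between the [squeeze] line and "- ganglia 3.6.0-1".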
@@ -37290,10 +37289,12 @@
CVE-2013-2255 [Inconsistent and non-validating HTTPS client]
RESERVED
- cinder <unfixed>
+ [jessie] - cinder <no-dsa> (Minor issue)
- keystone 2014.1-1
[wheezy] - keystone <no-dsa> (Minor issue)
- nova <unfixed>
[wheezy] - nova <no-dsa> (Minor issue)
+ [jessie] - nova <no-dsa> (Minor issue)
- quantum <unfixed>
[wheezy] - quantum <no-dsa> (Minor issue)
- swift <not-affected> (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
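Review bot: Under nova, the new "[jessie] - nova <no-dsa> (Minor issue)" is placed after the [wheezy] line, while the xen entries in this same commit list the newer release first ([wheezy] before [squeeze]); put [jessie] above [wheezy] to keep one ordering. Separately, "Minor issue" is a thin reason for an entry titled "Inconsistent and non-validating HTTPS client"; a short NOTE saying why this is acceptable for jessie in cinder and nova would make the no-dsa decision reviewable.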
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2014-12-08 17:40:39 UTC (rev 30593)
+++ data/DSA/list 2014-12-08 17:43:52 UTC (rev 30594)
@@ -1,5 +1,5 @@
[07 Dec 2014] DSA-3092-1 icedove - security update
- {CVE-2014-1587 CVE-2014-1590 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594}
+ {CVE-2014-1587 CVE-2014-1590 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594 CVE-2014-3566}
[wheezy] - icedove 31.3.0-1~deb7u1
[07 Dec 2014] DSA-3091-1 getmail4 - security update
{CVE-2014-7273 CVE-2014-7274 CVE-2014-7275}
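Review bot: The DSA-3092-1 line gains CVE-2014-3566, but none of the data/CVE/list hunks in this revision touch a CVE-2014-3566 entry. Check that this CVE already lists icedove in data/CVE/list, with a fixed version consistent with "[wheezy] - icedove 31.3.0-1~deb7u1", so the two files do not disagree after this change.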