[Secure-testing-commits] r25182 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Mon Jan 13 18:12:16 UTC 2014
Author: jmm
Date: 2014-01-13 18:12:16 +0000 (Mon, 13 Jan 2014)
New Revision: 25182
Modified:
data/CVE/list
Log:
"new" libav issues
fix flite entry
dash/bash hardening
fix glibc entries; spu fixed versions are only added once the point update has been released
dovecot, pam, kwallet, ntp, libraw, libkcdraw: no-dsa
polarssl was fixed earlier, so fixed in oldstable/stable
mark one of the pwgen issues as unimportant
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-01-13 17:22:38 UTC (rev 25181)
+++ data/CVE/list 2014-01-13 18:12:16 UTC (rev 25182)
@@ -1,6 +1,7 @@
CVE-2013-XXXX [drop privileges when effective uid != uid]
- - dash <unfixed> (low; bug #734869)
- - bash <unfixed> (low; bug #734866)
+ - dash <unfixed> (unimportant; bug #734869)
+ - bash <unfixed> (unimportant; bug #734866)
+ NOTE: Hardening, not a vulnerability
CVE-2014-1408
NOT-FOR-US: Conceptronic C54APM access point
CVE-2014-1407
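Review bot: the entry stays keyed on the placeholder CVE-2013-XXXX while the new NOTE says this is hardening rather than a vulnerability; if no CVE is going to be requested, say so in the NOTE (e.g. "no CVE requested, hardening only") so the placeholder is not left waiting for an identifier that will never arrive. The downgrade from low to unimportant on both the dash and bash lines is consistent with that NOTE, and both bug references (#734869, #734866) survive.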
@@ -13,7 +14,7 @@
- jinja2 2.7.2-1 (bug #734747)
NOTE: 2.7.2 does not create safely temporary files, new CVE-2014-0012 was assigned for this issue
CVE-2014-1401
- TODO: check
+ NOT-FOR-US: CamScanner
CVE-2014-1400
NOT-FOR-US: Drupal 7 Entity module
CVE-2014-1399
@@ -937,10 +938,12 @@
NOT-FOR-US: Ops View
CVE-2013-7253
RESERVED
-CVE-2013-7252 [crypto misuse]
+CVE-2013-7252 [kwallet crypto misuse]
RESERVED
- kde-runtime <unfixed>
+ [wheezy] - kde-runtime <no-dsa> (4.12 introduces a GnuPG backend, no backport planned)
- kdebase-runtime <removed>
+ [squeeze] - kdebase-runtime <no-dsa> (4.12 introduces a GnuPG backend, no backport planned)
NOTE: http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/
CVE-2013-7233 (Cross-site request forgery (CSRF) vulnerability in the retrospam ...)
- wordpress <unfixed> (unimportant)
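Review bot: the unstable line for kde-runtime still reads <unfixed> while the [wheezy]/[squeeze] rationale "no backport planned" rests on 4.12 introducing a GnuPG backend; the entry should state whether that backend is treated as the fix (so the sid line can be closed with the 4.12 upload) or whether the old crypto stays the default for existing wallets, in which case the NOTE pointing at the gaganpreet.in analysis should be extended with what exactly gets fixed. Renaming the title to "kwallet crypto misuse" is a good change, since "crypto misuse" alone said nothing about the component.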
@@ -2070,9 +2073,11 @@
RESERVED
CVE-2014-0326
RESERVED
-CVE-2013-7041 [password hashes aren't compared case-sensitively]
+CVE-2013-7041 [pam_userdb: password hashes aren't compared case-sensitively]
RESERVED
- - pam <unfixed> (bug #731368)
+ - pam <unfixed> (low; bug #731368)
+ [squeeze] - pam <no-dsa> (Minor issue)
+ [wheezy] - pam <no-dsa> (Minor issue)
CVE-2013-7040
RESERVED
- python2.5 <removed> (low)
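Review bot: "Minor issue" on the new [squeeze]/[wheezy] lines gives no reason, and the only other context in the entry is the one-line title; since the title now names pam_userdb, a few words on why a case-insensitive comparison of the stored hash is low impact, and that only pam_userdb users are affected, would let a later reader judge the no-dsa without reopening bug #731368. The "low" severity added on the sid line matches that reading.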
@@ -2962,8 +2967,8 @@
CVE-2014-0027
RESERVED
- flite 1.4-release-8 (low; bug #734746)
- [stable] - flite <no-dsa> (Minor issue)
- [oldstable] - flite <no-dsa> (Minor issue)
+ [wheezy] - flite <no-dsa> (Minor issue)
+ [squeeze] - flite <no-dsa> (Minor issue)
CVE-2014-0026
RESERVED
CVE-2014-0025
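Review bot: codenames rather than suite aliases are the right keys here; [stable] and [oldstable] change meaning at every release, so with [wheezy] and [squeeze] the two no-dsa lines stay attached to the releases they were actually assessed against. The sid line (1.4-release-8, bug #734746) is unchanged, so nothing else in the entry needs follow-up.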
@@ -4869,6 +4874,8 @@
NOTE: http://trac.roundcube.net/ticket/1489382
CVE-2013-6171 (checkpassword-reply in Dovecot before 2.2.7 performs setuid operations ...)
- dovecot <unfixed> (low; bug #729063)
+ [wheezy] - dovecot <no-dsa> (Minor issue)
+ [squeeze] - dovecot <no-dsa> (Minor issue)
CVE-2013-6170 (Juniper Junos 10.0 before 10.0S28, 10.4 before 10.4R7, 11.1 before ...)
NOT-FOR-US: Juniper Junos
CVE-2013-6169 (The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) ...)
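Review bot: the sid line stays <unfixed> although the description says the bug is fixed in Dovecot 2.2.7; once 2.2.7 or later is uploaded the fixed version should replace <unfixed>, otherwise the entry looks open in unstable while both stable releases are already marked no-dsa. A word in the rationale on why it is minor (the description limits it to setuid operations in checkpassword-reply, i.e. only checkpassword-based authentication setups) would be better than a bare "Minor issue".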
@@ -7147,7 +7154,9 @@
RESERVED
NOT-FOR-US: easyXDM
CVE-2013-5211 (The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 ...)
- - ntp <unfixed> (bug #733940)
+ - ntp <unfixed> (low; bug #733940)
+ [wheezy] - ntp <no-dsa> (No backportable code fix exists, default configuration is safe, tiny subsection of affected users can run a backport)
+ [squeeze] - ntp <no-dsa> (No backportable code fix exists, default configuration is safe, tiny subsection of affected users can run a backport)
NOTE: http://bugs.ntp.org/show_bug.cgi?id=1532
NOTE: mitigated if noquery used. Only a problem for (public) ntp servers allowing
NOTE: querying ntpd status, so allowing monlist
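Review bot: the rationale claims "default configuration is safe" while the NOTE below only says the issue is mitigated if noquery is used; the rationale should state explicitly that the ntp.conf shipped in wheezy and squeeze restricts queries (noquery) by default, otherwise the two statements do not support each other. "tiny subsection of affected users" reads as "tiny subset". The bugs.ntp.org reference and the "low" severity now on the sid line are consistent with a no-dsa.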
@@ -9004,7 +9013,7 @@
- lightdm <not-affected> (Only in combination with guest profile, apparmor and 1.8.x branch)
CVE-2013-4458 (Stack-based buffer overflow in the getaddrinfo function in ...)
- eglibc <unfixed> (low; bug #727181)
- [wheezy] - eglibc 2.13-38+deb7u1
+ [wheezy] - eglibc <no-dsa> (Will be fixed in next point update)
[squeeze] - eglibc <no-dsa> (Minor issue)
NOTE: https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16072
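Review bot: replacing the wheezy fixed version 2.13-38+deb7u1 with <no-dsa> drops the version string from the entry; per the commit message the version goes back in once the point update is released, so keeping it inside the rationale, e.g. "<no-dsa> (Will be fixed in next point update, 2.13-38+deb7u1)", avoids looking it up again when the entry is flipped. The [squeeze] line keeps "Minor issue", which differs from the squeeze lines added for the other two eglibc CVEs in this commit; if squeeze gets no fix for this one, a NOTE saying so would explain the difference.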
@@ -9053,7 +9062,9 @@
REJECTED
CVE-2013-4442 [Silent fallback to insecure entropy]
RESERVED
- - pwgen <unfixed> (bug #726578)
+ - pwgen <unfixed> (unimportant; bug #726578)
+ NOTE: /dev/random is universally available, if an attacker can create an environment
+ NOTE: where it's not available that opens a far bigger can of worms
CVE-2013-4441 [Phonemes mode has heavy bias and is enabled by default]
RESERVED
- pwgen <unfixed> (bug #726578)
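Review bot: the new NOTE justifies "unimportant" only for the case where an attacker removes /dev/random; the title describes a silent fallback, so the NOTE should also say whether the fallback triggers when the device node is merely absent (a minimal chroot, for instance) rather than removed by an attacker, since that is the case where the rating matters. The sibling entry CVE-2013-4441 two lines below still has no severity on its pwgen line while this one now carries "unimportant"; the two should be rated together.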
@@ -9445,7 +9456,8 @@
NOT-FOR-US: OpenPNE
CVE-2013-4332 (Multiple integer overflows in malloc/malloc.c in the GNU C Library ...)
- eglibc 2.17-93 (bug #722536)
- [wheezy] - eglibc 2.13-38+deb7u1
+ [wheezy] - eglibc <no-dsa> (Will be fixed in next point update)
+ [squeeze] - eglibc <no-dsa> (Will be fixed in next point update)
CVE-2013-4331 [incorrect .Xauthority permissions]
RESERVED
- lightdm 1.6.2-1 (bug #721744)
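Review bot: the [squeeze] line is new here and carries "Will be fixed in next point update", so squeeze was previously listed with no per-release status at all; as with the wheezy line, recording the pending version in the rationale (the removed wheezy one was 2.13-38+deb7u1) would make the later flip mechanical. The sid line 2.17-93 and bug #722536 are unchanged.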
@@ -9767,7 +9779,8 @@
NOTE: https://bugs.mageia.org/show_bug.cgi?id=10989
CVE-2013-4237 (sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) ...)
- eglibc 2.17-94 (bug #719558)
- [wheezy] - eglibc 2.13-38+deb7u1
+ [wheezy] - eglibc <no-dsa> (Will be fixed in next point update)
+ [squeeze] - eglibc <no-dsa> (Will be fixed in next point update)
NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=14699
NOTE: http://sourceware.org/ml/libc-alpha/2013-05/msg00445.html
CVE-2013-4236 (VDSM in Red Hat Enterprise Virtualization 3 and 3.2 allows privileged ...)
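Review bot: same pattern as the two eglibc entries above; the removed wheezy version 2.13-38+deb7u1 could be kept inside the no-dsa rationale until the point update ships. Both sourceware references survive, so the entry stays traceable to the upstream fix.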
@@ -17608,14 +17621,18 @@
RESERVED
CVE-2013-1439 (The "faster LJPEG decoder" in libraw 0.13.x, 0.14.x, and 0.15.x before ...)
- libraw 0.15.4-1 (bug #721338)
+ [wheezy] - libraw <no-dsa> (Minor issue)
- libkdcraw 4:4.10.5-2 (bug #721340)
+ [wheezy] - libkdcraw <no-dsa> (Minor issue)
- darktable 1.2.2-2 (bug #721339)
[wheezy] - darktable 1.0.4-1+deb7u2
CVE-2013-1438 [dcraw: multiple DoS]
RESERVED
{DSA-2748-1}
- libraw 0.15.4-1 (bug #721231)
+ [wheezy] - libraw <no-dsa> (Minor issue)
- libkdcraw 4:4.10.5-2 (bug #721239)
+ [wheezy] - libkdcraw <no-dsa> (Minor issue)
- darktable 1.2.2-2 (bug #721233)
[wheezy] - darktable 1.0.4-1+deb7u2
- dcraw <unfixed> (unimportant; bug #721232)
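Review bot: the no-dsa "Minor issue" on libraw and libkdcraw for wheezy sits next to a darktable line fixed in 1.0.4-1+deb7u2 and, for CVE-2013-1438, a {DSA-2748-1} reference; the rationale should explain why the same decoder bug warranted a DSA for darktable's embedded copy but not for the libraw/libkdcraw packages (for example which consumers of those libraries are exposed to untrusted input), otherwise the entry reads as contradictory. With the dcraw line for CVE-2013-1438 already rated "unimportant", one bug now carries three different ratings within a single entry.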
@@ -41703,9 +41720,13 @@
- libav 4:0.8.1-1
- ffmpeg <removed>
CVE-2011-3935 (The codec_get_buffer function in ffmpeg.c in FFmpeg before 0.10 allows ...)
- TODO: check
+ - libav <unfixed>
+ - ffmpeg <removed>
CVE-2011-3934 (Double free vulnerability in the vp3_update_thread_context function in ...)
- TODO: check
+ - libav <unfixed>
+ - ffmpeg <removed>
+ NOTE: Fixed in libav trunk http://git.libav.org/?p=libav.git;a=commit;h=759001c534287a96dc96d1e274665feb7059145d
+ NOTE: Fixes for 0.8.x and 0.9.x still needed
CVE-2011-3933
RESERVED
CVE-2011-3932
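Review bot: the trunk commit and the "Fixes for 0.8.x and 0.9.x still needed" NOTE are attached only to CVE-2011-3934, so CVE-2011-3935 is now marked affected in libav with no pointer at all; either add the corresponding upstream commit for codec_get_buffer or note that it is still unknown. The "still needed" wording says the release branches are affected, so once the backport status is known the entries need [wheezy]/[squeeze] lines rather than only the bare "libav <unfixed>".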
@@ -69649,7 +69670,7 @@
- tomcat-native 1.1.18-1
[lenny] - tomcat-native <no-dsa> (Minor issue)
- gnutls26 <not-affected> (safely handles renegotiation; however support for RFC 5746 would be useful)
- - polarssl 1.3.1-1 (bug #704946)
+ - polarssl 1.2.0-1 (bug #704946)
- classpath <removed>
- zorp 3.9.2-1
[squeeze] - zorp <no-dsa> (Minor issue)
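Review bot: lowering the polarssl fixed version from 1.3.1-1 to 1.2.0-1 changes which releases the tracker derives as fixed (the commit message says oldstable and stable), but nothing in the entry shows where the renegotiation fix landed in polarssl; a NOTE with the upstream changelog entry or commit that introduced it in 1.2.0 would make the lower version auditable. Keeping bug #704946 on the line is right.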