[Secure-testing-commits] r25259 - in data: . CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Fri Jan 17 15:53:07 UTC 2014
Author: jmm
Date: 2014-01-17 15:53:07 +0000 (Fri, 17 Jan 2014)
New Revision: 25259
Modified:
data/CVE/list
data/dsa-needed.txt
Log:
pwgen unimportant
spice-gtk fixed / no-dsa
pywbem no-dsa
gambas3 fixed
iceweasel DoS unimportant
update DSA-needed
NFUs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-01-17 15:47:08 UTC (rev 25258)
+++ data/CVE/list 2014-01-17 15:53:07 UTC (rev 25259)
@@ -117,7 +117,7 @@
CVE-2013-7294 (The ikev2parent_inI1outR1 function in pluto/ikev2_parent.c in ...)
NOT-FOR-US: libreswan, strongSwan not affected (pluto never supported ikev2)
CVE-2013-7293 (The ASUS WL-330NUL router has a configuration process that relies on ...)
- TODO: check
+ NOT-FOR-US: ASUS router
CVE-2013-XXXX [DoS]
- poppler <not-affected> (Introduced in d768204e51e6bdbcac4d6b43537297616cbedbf3)
NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=58e04a08afee
@@ -488,7 +488,7 @@
CVE-2014-1237
RESERVED
CVE-2014-1232 (Cross-site scripting (XSS) vulnerability in the Foliopress WYSIWYG ...)
- TODO: check
+ NOT-FOR-US: Foliopress
CVE-2014-1231
RESERVED
CVE-2014-1230
@@ -1380,7 +1380,7 @@
CVE-2014-0666
RESERVED
CVE-2014-0665 (The RBAC implementation in Cisco Identity Services Engine (ISE) ...)
- TODO: check
+ NOT-FOR-US: Cisco Identity Services Engine
CVE-2014-0664 (The server in Cisco Unity Connection allows remote authenticated users ...)
NOT-FOR-US: Cisco Unity Connection
CVE-2014-0663 (Cross-site scripting (XSS) vulnerability in the web framework in Cisco ...)
@@ -2065,21 +2065,21 @@
CVE-2014-0446
RESERVED
CVE-2014-0445 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0444 (Unspecified vulnerability in the Oracle AutoVue Electro-Mechanical ...)
TODO: check
CVE-2014-0443 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0442
RESERVED
CVE-2014-0441 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0440 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0439 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0438 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0437 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
- mariadb-5.5 <unfixed>
- mysql-5.5 <unfixed>
@@ -2112,7 +2112,7 @@
CVE-2014-0426
RESERVED
CVE-2014-0425 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Services ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0424 (Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows ...)
- openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
@@ -2194,16 +2194,16 @@
CVE-2014-0397
RESERVED
CVE-2014-0396 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0395 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0394 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0393 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
- mysql-5.5 <unfixed>
- mysql-5.1 <unfixed>
CVE-2014-0392 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0391 (Unspecified vulnerability in the Oracle Identity Manager component in ...)
TODO: check
CVE-2014-0390 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...)
@@ -2211,7 +2211,7 @@
CVE-2014-0389 (Unspecified vulnerability in Oracle iLearning 6.0 allows remote ...)
TODO: check
CVE-2014-0388 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS Human ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0387 (Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, ...)
- openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
@@ -2229,9 +2229,9 @@
- openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
- openjdk-7 <not-affected> (JavaFX not part of OpenJDK)
CVE-2014-0381 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0380 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise
CVE-2014-0379 (Unspecified vulnerability in the Oracle Demantra Demand Management ...)
TODO: check
CVE-2014-0378 (Unspecified vulnerability in the Spatial component in Oracle Database ...)
@@ -4874,6 +4874,8 @@
CVE-2013-6444 [failure to check certificate hostname]
RESERVED
- pywbem <unfixed> (bug #732594)
+ [squeeze] - pywbem <no-dsa> (Minor issue)
+ [wheezy] - pywbem <no-dsa> (Minor issue)
NOTE: Fix: https://bugzilla.redhat.com/attachment.cgi?id=851357
CVE-2013-6443
RESERVED
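Review bot: the "Minor issue" justification on the new `[squeeze]`/`[wheezy] - pywbem <no-dsa>` lines is thin for a flaw described as "failure to check certificate hostname", which is the check that lets a client detect a man-in-the-middle on a TLS connection. The sibling entry CVE-2013-6418 carries an explicit severity (`- pywbem <unfixed> (low; bug #732594)`) while this one does not; for consistency give the unstable line the same severity tag and extend the NOTE with the reason the issue is considered minor (deployment context, upstream assessment), so the no-dsa decision can be re-checked later without re-triaging.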
@@ -4964,6 +4966,8 @@
CVE-2013-6418 [TOCTOU vulnerability in certificate validation]
RESERVED
- pywbem <unfixed> (low; bug #732594)
+ [squeeze] - pywbem <no-dsa> (Minor issue)
+ [wheezy] - pywbem <no-dsa> (Minor issue)
NOTE: fix: https://bugzilla.redhat.com/attachment.cgi?id=851357
CVE-2013-6417 (actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before ...)
- rails-4.0 4.0.2+dfsg-1 (bug #731290)
@@ -5807,7 +5811,7 @@
NOT-FOR-US: WordPress Landing Pages Plugin
CVE-2013-6167
RESERVED
- - iceweasel <unfixed> (low)
+ - iceweasel <unfixed> (unimportant)
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215
CVE-2013-6166
RESERVED
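Review bot: downgrading iceweasel CVE-2013-6167 from "low" to "unimportant" records the decision but not the reason; the commit log only says "iceweasel DoS unimportant". The pwgen entries later in this same commit add a NOTE line with the rationale, and the same convention would help here, e.g. a NOTE stating that the Mozilla bug referenced in the next line describes a client-side denial of service only, so that the downgrade is traceable to the bug report rather than to this commit message.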
@@ -9799,10 +9803,12 @@
NOTE: where it's not available that opens a far bigger can of worms
CVE-2013-4441 [Phonemes mode has heavy bias and is enabled by default]
RESERVED
- - pwgen <unfixed> (bug #726578)
+ - pwgen <unfixed> (unimportant; bug #726578)
+ NOTE: pwgen is documented to generate memorable passwords, so this is by design
CVE-2013-4440 [non-tty passwords are trivially weak by default]
RESERVED
- - pwgen <unfixed> (bug #726578)
+ - pwgen <unfixed> (unimportant; bug #726578)
+ NOTE: Documented shortcoming
CVE-2013-4439 (Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote ...)
- salt 0.17.1+dfsg-1 (bug #726480)
CVE-2013-4438 (Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute ...)
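Review bot: for CVE-2013-4440 the NOTE "Documented shortcoming" does not say where the behaviour is documented, unlike the CVE-2013-4441 NOTE, which at least names the documented purpose (memorable passwords). Because the weak non-tty default affects exactly the scripted, non-interactive invocations where nobody is looking at the output, the "unimportant" rating rests on that documentation; suggest pointing the NOTE at the pwgen man page section (or the upstream statement in bug #726578) so a later reader can verify the claim and so it is clear that users of pwgen in scripts need to pass the secure-mode options themselves.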
@@ -10211,7 +10217,8 @@
{DSA-2829-1}
- hplip 3.13.9-1 (bug #723716)
CVE-2013-4324 (spice-gtk 0.14, and possibly other versions, invokes the polkit ...)
- - spice-gtk <unfixed>
+ - spice-gtk 0.21-0nocelt1 (low)
+ [wheezy] - spice-gtk <no-dsa> (Minor issue)
CVE-2013-4323
RESERVED
CVE-2013-4322
@@ -17022,7 +17029,7 @@
- mantis <not-affected> (only affects MantisBT 1.2.12)
CVE-2013-1809 [Gambas creates hijackable directory in /tmp]
RESERVED
- - gambas3 <unfixed> (low; bug #702184)
+ - gambas3 3.5.1-1 (low; bug #702184)
- gambas2 <removed>
[wheezy] - gambas3 <no-dsa> (Minor issue)
[squeeze] - gambas2 <no-dsa> (Minor issue)
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2014-01-17 15:47:08 UTC (rev 25258)
+++ data/dsa-needed.txt 2014-01-17 15:53:07 UTC (rev 25259)
@@ -39,7 +39,7 @@
libplrpc-perl
--
libtar (luciano)
- CVE-2013-4420 still pending
+ CVE-2013-4420 still pending, proposed patch in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731860
--
libv8
--
@@ -54,7 +54,6 @@
moodle/oldstable
--
mysql-5.5/stable
- needs some more information on impact to decide whether DSA needed
--
openjpeg
patches are not yet avaialble
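Review bot: removing the "needs some more information on impact to decide whether DSA needed" line under `mysql-5.5/stable` drops the only recorded triage state for that entry while the package stays in dsa-needed, and the CVE list in this same commit still carries `mysql-5.5 <unfixed>` for CVE-2014-0437 and CVE-2014-0393. If the missing information has arrived, replace the line with the conclusion (DSA planned, or which CVEs drive it); if it has not, the line should stay. While here, the openjpeg entry's context line reads "avaialble"; it could be corrected to "available" in a follow-up.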