[Secure-testing-commits] r27146 - in data: . CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Wed Jun 4 16:51:15 UTC 2014
Author: jmm
Date: 2014-06-04 16:51:15 +0000 (Wed, 04 Jun 2014)
New Revision: 27146
Modified:
data/CVE/list
data/dsa-needed.txt
Log:
mark libv8 as no-dsa, only obscure rev depds w/o security impact in stable
no-dsa: pulseaudio, boinc, quantum
mark one libav issue as undetermined
remove py26 from dsa-needed, that was for oldstable, in wheezy it's not the default interpreter
fixup another s3 entry
remove old no-dsa entries for a2ps DSA
four kernel no-dsa for squeeze kernel issues (mostly KVM)
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-06-04 15:54:06 UTC (rev 27145)
+++ data/CVE/list 2014-06-04 16:51:15 UTC (rev 27146)
@@ -1,7 +1,9 @@
CVE-2014-3969 [XSA-98]
- xen <not-affected> (Only ARM systems are affected from Xen 4.4 onwards)
CVE-2014-3970 [pulseaudio: crash due to empty UDP packet]
- - pulseaudio <unfixed>
+ - pulseaudio <unfixed> (low)
+ [squeeze] - pulseaudio <no-dsa> (Minor issue)
+ [wheezy] - pulseaudio <no-dsa> (Minor issue)
NOTE: http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html
CVE-2014-3966 [mediawiki Javascript inject by anonymous users on private wikis with $wgRawHtml enabled]
- mediawiki <unfixed> (low; bug #750527)
@@ -331,7 +333,9 @@
CVE-2014-3787 (SAP NetWeaver 7.20 and earlier allows remote attackers to read ...)
NOT-FOR-US: SAP NetWeaver
CVE-2013-7386 [boinc: format string vulnerability]
- - boinc 7.1.10+dfsg-1
+ - boinc 7.1.10+dfsg-1 (low)
+ [squeeze] - boinc <no-dsa> (Minor issue)
+ [wheezy] - boinc <no-dsa> (Minor issue)
CVE-2013-7385 (LiveZilla 5.1.2.1 and earlier includes the MD5 hash of the operator ...)
NOT-FOR-US: LiveZilla
CVE-2013-7384 (UnrealIRCd 3.2.10 before 3.2.10.2 allows remote attackers to cause a ...)
@@ -1740,6 +1744,7 @@
- chromium-browser 35.0.1916.114-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2014-3151
@@ -5157,6 +5162,7 @@
{DSA-2880-1}
- python2.5 <removed> (low)
- python2.6 <removed> (low)
+ [wheezy] - python2.6 <no-dsa> (Minor issue)
- python2.7 2.7.6-6 (low)
- python3.1 <removed> (low)
- python3.2 <removed> (low)
@@ -5199,8 +5205,6 @@
CVE-2001-1593 (The tempname_ensure function in lib/routines.h in a2ps 4.14 and ...)
{DSA-2892-1}
- a2ps 1:4.14-1.2 (low; bug #737385)
- [wheezy] - a2ps <no-dsa> (Minor issue)
- [squeeze] - a2ps <no-dsa> (Minor issue)
CVE-2014-1845 [hardening to the defaults]
RESERVED
- e17 0.17.3-3 (bug #737705)
@@ -5487,6 +5491,7 @@
- chromium-browser 34.0.1847.132-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2014-1735 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33, ...)
@@ -5494,6 +5499,7 @@
- chromium-browser 34.0.1847.132-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2014-1734 (Multiple unspecified vulnerabilities in Google Chrome before ...)
@@ -5517,6 +5523,7 @@
- chromium-browser 34.0.1847.132-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2014-1729 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.22, ...)
@@ -5524,6 +5531,7 @@
- chromium-browser 34.0.1847.116-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2014-1728 (Multiple unspecified vulnerabilities in Google Chrome before ...)
@@ -5579,6 +5587,7 @@
- chromium-browser 34.0.1847.116-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2014-1716 (Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype ...)
@@ -5586,6 +5595,7 @@
- chromium-browser 34.0.1847.116-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2014-1715 (Directory traversal vulnerability in Google Chrome before ...)
@@ -5616,6 +5626,7 @@
{DSA-2883-1}
- chromium-browser 33.0.1750.152-1
[squeeze] - chromium-browser <end-of-life>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
- libv8 <removed>
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
@@ -5624,6 +5635,7 @@
- chromium-browser 33.0.1750.152-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2014-1703 (Use-after-free vulnerability in the ...)
@@ -9907,6 +9919,7 @@
CVE-2014-0181 (The Netlink implementation in the Linux kernel through 3.14.1 does not ...)
- linux <unfixed> (bug #746738)
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport to 2.6.32)
CVE-2014-0180
RESERVED
CVE-2014-0179 [Unsafe parsing of XML documents allows arbitrary file read]
@@ -10656,9 +10669,9 @@
NOT-FOR-US: RealPlayer
CVE-2013-6876
RESERVED
- - s3d <unfixed>
+ - s3d 0.2.2-9 (unimportant)
NOTE: http://hmarco.org/bugs/s3dvt_0.2.2-root-shell.html
- TODO: check
+ NOTE: Not running with elevated privileges in Debian packaging
CVE-2013-6875 (SQL injection vulnerability in functions/prepend_adm.php in Nagios ...)
NOT-FOR-US: Nagios XI
CVE-2013-6874 (Stack-based buffer overflow in Vortex Light Alloy before 4.7.4 allows ...)
@@ -11137,6 +11150,7 @@
- chromium-browser 33.0.1750.152-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2013-6667 (Multiple unspecified vulnerabilities in Google Chrome before ...)
@@ -11206,6 +11220,7 @@
- chromium-browser 32.0.1700.123-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2013-6649 (Use-after-free vulnerability in the RenderSVGImage::paint function in ...)
@@ -11213,6 +11228,7 @@
- chromium-browser 32.0.1700.123-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2013-6648
@@ -11244,6 +11260,7 @@
CVE-2013-6640 (The DehoistArrayIndex function in hydrogen-dehoist.cc (aka ...)
{DSA-2811-1}
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 3.14.5.8-5
- chromium-browser 31.0.1650.63-1
@@ -11251,6 +11268,7 @@
CVE-2013-6639 (The DehoistArrayIndex function in hydrogen-dehoist.cc (aka ...)
{DSA-2811-1}
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 3.14.5.8-5
- chromium-browser 31.0.1650.63-1
@@ -11258,6 +11276,7 @@
CVE-2013-6638 (Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7, ...)
{DSA-2811-1}
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
- chromium-browser 31.0.1650.63-1
@@ -11851,8 +11870,8 @@
CVE-2013-6433 [rootwrap sudo config allows potential privilege escalation]
RESERVED
- quantum <removed>
+ [wheezy] - quantum <no-dsa> (Minor issue)
- neutron <unfixed>
- TODO: check
CVE-2013-6432 (The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel ...)
- linux 3.12.6-1
[wheezy] - linux <not-affected> (Vulnerable code introduced in 3.11)
@@ -12108,6 +12127,7 @@
- jbigkit 2.0-2.1 (bug #743960)
CVE-2013-6368 (The KVM subsystem in the Linux kernel through 3.12.5 allows local ...)
- linux 3.12.5-1
+ [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport, KVM server not supported in squeeze-lts)
- linux-2.6 <removed>
[wheezy] - linux 3.2.54-1
CVE-2013-6367 (The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM ...)
@@ -16298,6 +16318,7 @@
CVE-2013-4592 (Memory leak in the __kvm_set_memory_region function in ...)
- linux 3.8-1
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport, KVM server not supported in squeeze-lts)
[wheezy] - linux 3.2.53-1
CVE-2013-4591 (Buffer overflow in the __nfs4_get_acl_uncached function in ...)
- linux 3.8-1
@@ -20752,6 +20773,7 @@
- chromium-browser 30.0.1599.101-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <unfixed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2013-2918 (Use-after-free vulnerability in the ...)
@@ -20905,6 +20927,7 @@
- chromium-browser 28.0.1500.95-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2013-2881 (Google Chrome before 28.0.1500.95 does not properly handle frames, ...)
@@ -21076,6 +21099,7 @@
- chromium-browser 27.0.1453.93-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <removed>
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
- libv8-3.14 <unfixed>
CVE-2013-2837 (Use-after-free vulnerability in the SVG implementation in Google ...)
@@ -21524,6 +21548,7 @@
CVE-2013-2632 (Google V8 before 3.17.13, as used in Google Chrome before 27.0.1444.3, ...)
- libv8 <removed>
[squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts)
+ [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy)
- libv8-3.14 <unfixed>
CVE-2013-2631
RESERVED
@@ -24139,6 +24164,7 @@
CVE-2013-1797 (Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel ...)
- linux 3.2.41-2
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport, KVM server not supported in squeeze-lts)
NOTE: http://www.openwall.com/lists/oss-security/2013/03/20/9
CVE-2013-1796 (The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux ...)
{DSA-2669-1 DSA-2668-1}
@@ -49481,10 +49507,9 @@
- libav 4:0.8.1-1
- ffmpeg <removed>
CVE-2011-3935 (The codec_get_buffer function in ffmpeg.c in FFmpeg before 0.10 allows ...)
- - libav <unfixed> (bug #738572)
- - ffmpeg <not-affected> (vuln. code not present)
- NOTE: Seems needed for libav in cmdutils.c
- NOTE: code introduced with 484e59a0a0329c4005ddacd05051925345f4362f, in 0.10
+ - libav <undetermined>
+ - ffmpeg <not-affected> (vuln. code not present, introduced later)
+ NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected
CVE-2011-3934 (Double free vulnerability in the vp3_update_thread_context function in ...)
- libav <unfixed> (unimportant)
- ffmpeg <removed> (unimportant)
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2014-06-04 15:54:06 UTC (rev 27145)
+++ data/dsa-needed.txt 2014-06-04 16:51:15 UTC (rev 27146)
@@ -31,8 +31,6 @@
--
libtasn1-3
--
-libv8
---
libxml2
--
libxml-security-java
@@ -53,8 +51,6 @@
--
phpmyadmin (thijs)
--
-python2.6
---
qemu-kvm (jmm)
--
ruby-actionpack-2.3
More information about the Secure-testing-commits
mailing list