[Secure-testing-commits] r26316 - in data: . CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Fri Mar 28 15:32:32 UTC 2014
Author: jmm
Date: 2014-03-28 15:32:31 +0000 (Fri, 28 Mar 2014)
New Revision: 26316
Modified:
data/CVE/list
data/dsa-needed.txt
Log:
further openstack cleanups, mostly not-affected or some no-dsa
no-dsa: openssl, numpy, mplayer, pam, phpbb, jansson, yui
libvirt not-affected
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-03-28 14:20:14 UTC (rev 26315)
+++ data/CVE/list 2014-03-28 15:32:31 UTC (rev 26316)
@@ -146,7 +146,9 @@
RESERVED
CVE-2014-2583 [path traversal issue]
RESERVED
- - pam <unfixed>
+ - pam <unfixed> (low)
+ [wheezy] - pam <no-dsa> (Minor issue)
+ [squeeze] - pam <no-dsa> (Minor issue)
CVE-2014-2582
RESERVED
CVE-2014-2579
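Review bot: the pam entry is downgraded to low and closed as no-dsa for both suites, but the entry carries no NOTE line, so the "Minor issue" justification for a path traversal cannot be checked later; add a NOTE with the upstream bug or commit reference, as the openssl hunk in this same commit does (it also names the attack vector: "Minor issue, local attack").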
@@ -773,6 +775,8 @@
CVE-2013-7336 [libvirt: unprivileged user can crash libvirtd during spice migration]
RESERVED
- libvirt 1.1.4-1
+ [wheezy] - libvirt <not-affected> (Vulnerable code not present)
+ [squeeze] - libvirt <not-affected> (Vulnerable code not present)
NOTE: http://www.redhat.com/archives/libvir-list/2013-September/msg01208.html
CVE-2013-7335 (Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x ...)
NOT-FOR-US: DotNetNuke
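Review bot: the two libvirt not-affected lines say only "Vulnerable code not present"; the justification would be more verifiable if it named the version that introduced the spice migration code, in the style of the existing CVE-2013-6436 entry ("vulnerable code not present, introduced in 1.1"), since the sid fix is 1.1.4-1 and the NOTE only points at a list thread.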
@@ -1459,7 +1463,6 @@
- owncloud 6.0.2+dfsg-1
- phpdocx <undetermined>
NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-006/
- TODO: verify if complete
CVE-2014-2055 [XML External Entity Injection vulnerability]
RESERVED
- owncloud 6.0.2+dfsg-1
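Review bot: the "TODO: verify if complete" line on the owncloud entry is removed without recording the outcome, and the commit log does not mention owncloud at all; either add a NOTE stating that 6.0.2+dfsg-1 was confirmed to contain the complete fix, or leave the TODO in place.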
@@ -1759,8 +1762,9 @@
NOTE: http://secunia.com/advisories/56844/
NOTE: http://trac.imagemagick.org/changeset/14801
CVE-2014-XXXX [phpbb3: denial of service vulnerability]
- - phpbb3 <unfixed>
- TODO: check
+ - phpbb3 <unfixed> (low)
+ [wheezy] - phpbb3 <no-dsa> (Minor issue)
+ [squeeze] - phpbb3 <no-dsa> (Minor issue)
NOTE: http://seclists.org/bugtraq/2014/Feb/33
CVE-2014-1950 (Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen ...)
- xen <unfixed>
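Review bot: the phpbb3 entry still carries the CVE-2014-XXXX placeholder while "TODO: check" is dropped and the issue is closed as no-dsa on only a bugtraq post; consider keeping a TODO to revisit the severity once a real id is assigned, so the placeholder entry is not forgotten.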
@@ -1771,6 +1775,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2014/02/12/7
CVE-2014-1948 (OpenStack Image Registry and Delivery Service (Glance) 2013.2 through ...)
- glance 2013.2.2-1 (bug #738924)
+ [wheezy] - glance <not-affected> (Only affects Havana)
NOTE: https://launchpad.net/bugs/1275062
CVE-2014-1947 [Buffer overflow vulnerability]
RESERVED
@@ -1999,11 +2004,15 @@
NOT-FOR-US: Jetro COCKPIT Secure Browsing
CVE-2014-1859 [insecure temporary file use]
RESERVED
- - python-numpy 1:1.8.1~rc1-1 (bug #737778)
+ - python-numpy 1:1.8.1~rc1-1 (low; bug #737778)
+ [squeeze] - python-numpy <no-dsa> (Minor issue)
+ [wheezy] - python-numpy <no-dsa> (Minor issue)
NOTE: issue fixed by https://github.com/numpy/numpy/commit/0bb46c1448b0d3f5453d5182a17ea7ac5854ee15
CVE-2014-1858 [insecure temporary file use in __init__.py]
RESERVED
- - python-numpy 1:1.8.1~rc1-1 (bug #737778)
+ - python-numpy 1:1.8.1~rc1-1 (low; bug #737778)
+ [squeeze] - python-numpy <no-dsa> (Minor issue)
+ [wheezy] - python-numpy <no-dsa> (Minor issue)
CVE-2014-1857
RESERVED
CVE-2014-1856
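Review bot: CVE-2014-1858 gets the same low and no-dsa treatment as CVE-2014-1859 but has no NOTE with the fixing commit, while CVE-2014-1859 does; since both reference bug #737778, add the corresponding upstream commit reference to CVE-2014-1858 as well so the "Minor issue" rating is backed by the same evidence.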
@@ -5528,7 +5537,8 @@
CVE-2013-7131
RESERVED
CVE-2013-7130 (The i_create_images_and_backing (aka create_images_and_backing) method ...)
- - nova 2013.2.2 (bug #736465)
+ - nova 2013.2.2 (low; bug #736465)
+ [wheezy] - nova <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/nova/+bug/1251590
CVE-2013-7129 (Cross-site scripting (XSS) vulnerability in ThemeBeans Blooog theme ...)
NOT-FOR-US: WordPress theme
@@ -6192,7 +6202,9 @@
[squeeze] - liblivemedia <not-affected> (vuln. code introduced in 2011.08.13)
- vlc 2.1.2-2+b1
[squeeze] - vlc <not-affected> (not built against vuln. liblivemedia)
- - mplayer <unfixed>
+ - mplayer <unfixed> (low)
+ [wheezy] - mplayer <no-dsa> (Minor issue)
+ [squeeze] - mplayer <no-dsa> (Minor issue)
- mplayer2 <not-affected> (b-d's on liblivemedia but doesn't actually build the support for it)
NOTE: vlc fixed by the binnmu - recording it even if it's not a source pkg version
TODO: request binnmus
@@ -6633,6 +6645,7 @@
CVE-2014-0134 [Nova host data leak to vm instance in rescue mode]
RESERVED
- nova <unfixed>
+ [wheezy] - nova <not-affected> (Introduced in Grizzly)
NOTE: https://launchpad.net/bugs/1221190
CVE-2014-0133 [nginx: SPDY heap buffer overflow]
RESERVED
@@ -6722,7 +6735,8 @@
NOTE: http://www.sudo.ws/sudo/alerts/env_add.html
CVE-2014-0105 [Potential context confusion in Keystone middleware]
RESERVED
- - python-keystoneclient <unfixed>
+ - python-keystoneclient <unfixed> (low)
+ [wheezy] - python-keystoneclient <no-dsa> (Minor issue)
CVE-2014-0104
RESERVED
CVE-2014-0103
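Review bot: python-keystoneclient is marked low and no-dsa for wheezy with no NOTE line at all; the other OpenStack entries in this commit cite a launchpad bug, so add the bug reference here too, since "Potential context confusion" in auth middleware is not self-evidently minor.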
@@ -6823,7 +6837,8 @@
- linux <unfixed>
- linux-2.6 <not-affected> (Vulnerable code not present)
CVE-2014-0076 (The Montgomery ladder implementation in OpenSSL through 1.0.0l does ...)
- - openssl <unfixed>
+ - openssl <unfixed> (low)
+ [wheezy] - openssl <no-dsa> (Minor issue, local attack)
NOTE: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f9b6c0ba4c02497782f801e3c45688f3efaac55c
CVE-2014-0075
RESERVED
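Review bot: only a wheezy line is added for openssl CVE-2014-0076, whereas the pam and numpy hunks in this commit record both squeeze and wheezy; the description ("through 1.0.0l") does not exclude oldstable, so a squeeze line (no-dsa or not-affected, with the same justification) should be recorded.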
@@ -7076,7 +7091,8 @@
CVE-2014-0007
RESERVED
CVE-2014-0006 (The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 ...)
- - swift 1.11.0-2 (bug #735582)
+ - swift 1.11.0-2 (low; bug #735582)
+ [wheezy] - swift <no-dsa> (Minor issue)
CVE-2014-0005
RESERVED
CVE-2014-0004 (Stack-based buffer overflow in udisks before 1.0.5 and 2.x before ...)
@@ -7363,6 +7379,7 @@
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
CVE-2013-6858 (Multiple cross-site scripting (XSS) vulnerabilities in OpenStack ...)
- horizon 2013.2-2 (bug #730752)
+ [wheezy] - horizon <not-affected> (Vulnerable code not present)
NOTE: https://github.com/openstack/horizon/commit/6179f70290783e55b10bbd4b3b7ee74db3f8ef70
CVE-2013-6807
RESERVED
@@ -7423,7 +7440,9 @@
CVE-2013-6781
RESERVED
CVE-2013-6780 (Cross-site scripting (XSS) vulnerability in uploader.swf in the ...)
- - yui <unfixed> (bug #730104)
+ - yui <unfixed> (low; bug #730104)
+ [squeeze] - yui <no-dsa> (Not backportable, doesn't build from source in oldstable/stable)
+ [wheezy] - yui <no-dsa> (Not backportable, doesn't build from source in oldstable/stable)
- yui3 <not-affected>
- moodle 2.5.3-1
CVE-2013-6779
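Review bot: the yui no-dsa justification is "doesn't build from source in oldstable/stable"; a package that cannot be rebuilt in stable is a problem in its own right, so the NOTE should carry the bug number for that build failure, and the text is the same generic string on both lines where each could just say which suite it applies to.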
@@ -8152,6 +8171,7 @@
NOT-FOR-US: Pirhana
CVE-2013-6491 (The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo ...)
- nova <unfixed>
+ [wheezy] - nova <no-dsa> (Minor issue)
CVE-2013-6490 (The SIMPLE protocol functionality in Pidgin before 2.10.8 allows ...)
{DSA-2859-2 DSA-2859-1}
- pidgin 2.10.8-1
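Review bot: nova CVE-2013-6491 is closed as no-dsa for wheezy while sid is still "<unfixed>" with no bug number, unlike the other nova entries in this commit (e.g. CVE-2013-7130 with bug #736465); record the Debian bug for the unstable fix so the no-dsa decision does not leave the issue untracked.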
@@ -8355,6 +8375,7 @@
- apache2 <unfixed>
CVE-2013-6437 (The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and ...)
- nova 2013.2.2
+ [wheezy] - nova <not-affected> (Vulnerable code not present)
CVE-2013-6436 (The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt ...)
- libvirt 1.2.0-1
[squeeze] - libvirt <not-affected> (vulnerable code not present, introduced in 1.1)
@@ -8498,6 +8519,7 @@
NOTE: https://bugzilla.novell.com/show_bug.cgi?id=852368
CVE-2013-6401 (Jansson, possibly 2.4 and earlier, does not restricting the ability to ...)
- jansson 2.6-1 (bug #738647)
+ [wheezy] - jansson <no-dsa> (Minor issue)
CVE-2013-6400 (Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been ...)
- xen <unfixed>
[wheezy] - xen <not-affected> (4.2.x and later are vulnerable)
@@ -13253,6 +13275,7 @@
NOTE: https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785
CVE-2013-4477 (The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, ...)
- keystone 2013.2-2 (bug #728233)
+ [wheezy] - keystone <not-affected> (Vulnerable code not present)
NOTE: https://bugs.launchpad.net/keystone/+bug/1242855
CVE-2013-4476 (Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is ...)
- samba 2:4.0.11+dfsg-1 (low)
@@ -13280,13 +13303,15 @@
CVE-2013-4471 [password reset vulnerability]
RESERVED
- horizon 2013.2-1
+ [wheezy] - horizon <not-affected> (v3 API introduced in Grizzly)
NOTE: https://bugs.launchpad.net/horizon/+bug/1237989
CVE-2013-4470 (The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is ...)
- linux 3.11.7-1
- linux-2.6 <removed>
[wheezy] - linux 3.2.53-1
CVE-2013-4469 (OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when ...)
- - nova 2013.2-3 (bug #728605)
+ - nova 2013.2-3 (low; bug #728605)
+ [wheezy] - nova <no-dsa> (Minor issue)
NOTE: CVE for incomplete fix of CVE-2013-2096
CVE-2013-4468
RESERVED
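Review bot: the NOTE on CVE-2013-4469 says it is the CVE for the incomplete fix of CVE-2013-2096, so the new wheezy no-dsa line should be consistent with how CVE-2013-2096 was handled for wheezy; if the original issue received a stable update, closing the follow-up as "Minor issue" needs a NOTE explaining why.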
@@ -13303,7 +13328,8 @@
CVE-2013-4464
RESERVED
CVE-2013-4463 (OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly ...)
- - nova 2013.2-3 (bug #728605)
+ - nova 2013.2-3 (low; bug #728605)
+ [wheezy] - nova <no-dsa> (Minor issue)
CVE-2013-4462
RESERVED
NOT-FOR-US: WordPress plugin
@@ -13668,7 +13694,7 @@
CVE-2013-4355 (Xen 4.3.x and earlier does not properly handle certain errors, which ...)
- xen <unfixed>
CVE-2013-4354 (The API before 2.1 in OpenStack Image Registry and Delivery Service ...)
- - glance <unfixed>
+ - glance <unfixed> (unimportant)
NOTE: https://bugs.launchpad.net/glance/+bug/1226078
NOTE: according to upstream bug there will probably not be a patch for this issue
CVE-2013-4353 (The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before ...)
@@ -14243,7 +14269,8 @@
CVE-2013-4186
RESERVED
CVE-2013-4185 (Algorithmic complexity vulnerability in OpenStack Compute (Nova) ...)
- - nova 2013.1.2-3 (bug #718907)
+ - nova 2013.1.2-3 (low; bug #718907)
+ [wheezy] - nova <no-dsa> (Minor issue)
CVE-2013-4184 [symlink attacks]
RESERVED
- libdata-uuid-perl <unfixed> (low; bug #718949)
@@ -14257,6 +14284,7 @@
- foreman <itp> (bug #663101)
CVE-2013-4179 (The security group extension in OpenStack Compute (Nova) Grizzly ...)
- nova 2013.1.3-1
+ [wheezy] - nova <not-affected> (Vulnerable code not present)
NOTE: CVE for incomplete fix applied for CVE-2013-1664
CVE-2013-4178
RESERVED
@@ -19036,7 +19064,9 @@
- keystone <unfixed>
[wheezy] - keystone <no-dsa> (Minor issue)
- nova <unfixed>
+ [wheezy] - nova <no-dsa> (Minor issue)
- quantum <unfixed>
+ [wheezy] - quantum <no-dsa> (Minor issue)
- swift <not-affected> (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
CVE-2013-2254 (The deepGetOrCreateNode function in ...)
NOT-FOR-US: Apache Sling
@@ -19358,6 +19388,7 @@
NOT-FOR-US: Services Drupal contributed modules
CVE-2013-2157 (OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when ...)
- keystone 2013.1.2-1 (bug #712160)
+ [wheezy] - keystone <not-affected> (Vulnerable code not present)
CVE-2013-2156 (Heap-based buffer overflow in the Exclusive Canonicalization ...)
{DSA-2710-1}
- xml-security-c 1.6.1-6
@@ -25268,6 +25299,7 @@
NOTE: http://pidgin.im/news/security/?id=65
CVE-2013-0270 (OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier ...)
- keystone 2013.1.1-2
+ [wheezy] - keystone <no-dsa> (Too intrusive to backport)
NOTE: https://bugs.launchpad.net/keystone/+bug/1099025
NOTE: See notes on ubuntu security tracker, change too intrusive to be backported
CVE-2013-0269 (The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 ...)
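Review bot: the new keystone no-dsa line is justified as "Too intrusive to backport", and the existing NOTE refers to "notes on ubuntu security tracker" without a URL; add the link so the reasoning behind not backporting can be found without searching.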
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2014-03-28 14:20:14 UTC (rev 26315)
+++ data/dsa-needed.txt 2014-03-28 15:32:31 UTC (rev 26316)
@@ -74,6 +74,8 @@
--
ruby-activesupport-3.2
--
+tiff
+--
tomcat7/stable (jmm)
--
vlc
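Review bot: tiff is added to dsa-needed.txt but the commit log only describes the openstack cleanups and no-dsa markings; mention the tiff addition in the log, or note which CVE it is for, so the dsa-needed change is discoverable from the history.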