[Secure-testing-commits] r26787 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Fri May 2 16:25:19 UTC 2014
Author: jmm
Date: 2014-05-02 16:25:19 +0000 (Fri, 02 May 2014)
New Revision: 26787
Modified:
data/CVE/list
Log:
no-dsa: fish, mahara, eglibc/oldstable
kronolith2 not-affected
old otrs issue unimportant
add no-dsa for pidgin issues not fixed in recent DSA
one squeeze kernel issue N/A
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-05-02 12:53:54 UTC (rev 26786)
+++ data/CVE/list 2014-05-02 16:25:19 UTC (rev 26787)
@@ -480,10 +480,14 @@
CVE-2014-2906 [unsafe temporary file creationg leading to privilege escalation]
RESERVED
- fish <unfixed> (low; bug #746259)
+ [squeeze] - fish <no-dsa> (Minor issue)
+ [wheezy] - fish <no-dsa> (Minor issue)
NOTE: https://github.com/fish-shell/fish-shell/issues/1437
CVE-2014-2905 [permission bypass leading to privilege escalation]
RESERVED
- fish <unfixed> (low; bug #746259)
+ [squeeze] - fish <no-dsa> (Minor issue)
+ [wheezy] - fish <no-dsa> (Minor issue)
NOTE: https://github.com/fish-shell/fish-shell/issues/1436
CVE-2014-2895
RESERVED
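Review bot: both fish entries get a bare "Minor issue" rationale although the bracketed descriptions in the context lines say "privilege escalation" (unsafe temporary file creation for CVE-2014-2906, permission bypass for CVE-2014-2905); state what limits the impact so the no-dsa decision can be re-checked later, as the linux-2.6 and mysql-5.1 entries in this same commit do. The description of CVE-2014-2906 also reads "creationg"; fix to "creation" while touching the entry, and note that unstable stays "<unfixed>" with only bug #746259 attached, so the no-dsa lines do not close the issue.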
@@ -1100,6 +1104,7 @@
- linux 3.13.7-1 (low)
[wheezy] - linux 3.2.57-1
- linux-2.6 <removed> (low)
+ [squeeze] - linux-2.6 <not-affected> (Introduced in 2.6.33)
NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1d147bfa64293b2723c4fec50922168658e613ba
CVE-2014-2686
RESERVED
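Review bot: the "<not-affected> (Introduced in 2.6.33)" marker for squeeze's linux-2.6 is backed only by the fixing commit in the NOTE line (1d147bfa...); add a reference to the commit or upstream release that introduced the bug so the claim is verifiable, because not-affected silently drops the entry from oldstable tracking and a wrong introduction version would not be caught.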
@@ -4407,7 +4412,7 @@
NOT-FOR-US: GetSimple CMS
CVE-2012-6620 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) tasks ...)
- php-horde-kronolith 4.0.2-1
- - kronolith2 <removed>
+ - kronolith2 <not-affected> (Vulnerable code not present)
NOTE: https://github.com/horde/horde/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
NOTE: fixed upstream in 3.0.17
CVE-2011-5271 [configure creates temp files insecurely]
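Review bot: replacing "<removed>" with "<not-affected> (Vulnerable code not present)" for kronolith2 loses the fact that the package is gone from the archive and gives no pointer to the evidence; name the file or function from the referenced horde commit (1228a68...) that kronolith2 lacks, otherwise the claim cannot be re-verified against a removed source. The same change is made in the later kronolith2 hunk (@@ -10171, horde commit b79114d...) and needs the same pointer.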
@@ -8494,6 +8499,7 @@
CVE-2014-0020 (The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not ...)
{DSA-2859-1}
- pidgin 2.10.8-1
+ [squeeze] - pidgin <no-dsa> (Not suitable for code injection)
CVE-2014-0019 (Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and ...)
- socat 1.7.2.3-1 (low; bug #736993)
[squeeze] - socat <no-dsa> (Minor issue)
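Review bot: "(Not suitable for code injection)" says what the issue is not rather than what remains, and the identical wording is reused for CVE-2013-6483, CVE-2013-6479, CVE-2013-6477 and CVE-2013-0273 below; rewording each to the residual impact (for instance "DoS only" where that is the case) makes the no-dsa decision self-explanatory. Since {DSA-2859-1} is already recorded on these entries and the log says the DSA did not cover these issues in oldstable, a NOTE stating which suites DSA-2859-1 covered would stop the DSA marker from being read as a squeeze fix; the end-of-life line in the @@ -26828 hunk lists IRC, Jabber/XMPP, Sametime and SIMPLE as still supported in oldstable, which is exactly why these IRC/XMPP/Sametime issues need an explicit decision.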
@@ -9647,6 +9653,7 @@
CVE-2013-6483 (The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not ...)
{DSA-2859-1}
- pidgin 2.10.8-1
+ [squeeze] - pidgin <no-dsa> (Not suitable for code injection)
CVE-2013-6482 (Pidgin before 2.10.8 allows remote MSN servers to cause a denial of ...)
{DSA-2859-1}
- pidgin 2.10.8-1
@@ -9661,6 +9668,7 @@
CVE-2013-6479 (util.c in libpurple in Pidgin before 2.10.8 does not properly allocate ...)
{DSA-2859-1}
- pidgin 2.10.8-1
+ [squeeze] - pidgin <no-dsa> (Not suitable for code injection)
CVE-2013-6478 (gtkimhtml.c in Pidgin before 2.10.8 does not properly interact with ...)
{DSA-2859-1}
- pidgin 2.10.8-1
@@ -9668,6 +9676,7 @@
CVE-2013-6477 (Multiple integer signedness errors in libpurple in Pidgin before ...)
{DSA-2859-1}
- pidgin 2.10.8-1
+ [squeeze] - pidgin <no-dsa> (Not suitable for code injection)
CVE-2013-6476 (The OPVPWrapper::loadDriver function in oprs/OPVPWrapper.cxx in the ...)
{DSA-2876-1 DSA-2875-1}
- cups-filters 1.0.47-1 (bug #741318)
@@ -10171,7 +10180,7 @@
RESERVED
- php-horde 5.1.5+debian0-1 (bug #730110)
- php-horde-kronolith 4.1.4-1 (bug #730980)
- - kronolith2 <removed>
+ - kronolith2 <not-affected> (Vulnerable code not present)
- horde3 <removed>
NOTE: https://github.com/horde/horde/commit/b79114d08ee8c8e43e74a179741749529f6d885c
CVE-2013-6364 [XSS and CSRF search.php]
@@ -14046,7 +14055,7 @@
CVE-2013-4701 (Auth/Yadis/XML.php in PHP OpenID Library 2.2.2 and earlier allows ...)
- php-openid 2.2.2-1.2 (low; bug #721221)
[wheezy] - php-openid <no-dsa> (Minor issue)
- TODO: check, potentially also simplesamlphp, typo3-src and wordpress-openid (including a Auth/Yadis/XML.php in source)
+ [squeeze] - php-openid <no-dsa> (Minor issue)
CVE-2013-4700 (The Yahoo! Japan Shopping application 1.4 and earlier for Android does ...)
NOT-FOR-US: Yahoo shopping app
CVE-2013-4699 (The Yahoo! Japan Yafuoku! application 4.3.0 and earlier for iOS and ...)
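Review bot: the removed TODO line ("check, potentially also simplesamlphp, typo3-src and wordpress-openid (including a Auth/Yadis/XML.php in source)") is dropped without recording the outcome; if those embedded copies were checked, replace the TODO with a NOTE stating the result (or separate entries for any affected package), and if they were not, keep the TODO alongside the new [squeeze] no-dsa line so the open question is not lost.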
@@ -23520,7 +23529,9 @@
- lighttpd 1.4.31-4
CVE-2013-1426 [mahara: stored XSS in tinyMCE editor]
RESERVED
- - mahara <removed>
+ - mahara <removed> (low)
+ [wheezy] - mahara <no-dsa> (Minor issue)
+ [squeeze] - mahara <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/mahara/+bug/1153423
CVE-2013-1425 [ldap-git-backup: Incorrect directory permissions exposes password hashes]
RESERVED
@@ -26828,6 +26839,7 @@
[squeeze] - pidgin <end-of-life> (Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE)
CVE-2013-0273 (sametime.c in the Sametime protocol plugin in libpurple in Pidgin ...)
- pidgin 2.10.6-3
+ [squeeze] - pidgin <no-dsa> (Not suitable for code injection)
NOTE: http://pidgin.im/news/security/?id=67
CVE-2013-0272 (Buffer overflow in http.c in the MXit protocol plugin in libpurple in ...)
- pidgin 2.10.6-3
@@ -29472,7 +29484,8 @@
CVE-2012-5614 (Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB ...)
- mariadb-5.5 <not-affected> (Fixed before initial upload to archive)
- mysql-5.5 <not-affected> (The affected versions were only in experimental)
- - mysql-5.1 <removed>
+ - mysql-5.1 <removed> (low)
+ [squeeze] - mysql-5.1 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.1.x)
NOTE: https://mariadb.atlassian.net/browse/MDEV-3910
NOTE: http://seclists.org/fulldisclosure/2012/Dec/7
NOTE: http://www.openwall.com/lists/oss-security/2013/02/28/10
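Review bot: the no-dsa rationale "can be included once fixed in 5.1.x" is a conditional decision, but a <no-dsa> tag is not revisited automatically; add a TODO line (for example "TODO: revisit once MySQL 5.1.x ships a fix") next to the MDEV-3910 link so the entry is actually re-evaluated when the upstream status changes.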
@@ -35267,6 +35280,7 @@
NOTE: https://bugzilla.novell.com/show_bug.cgi?id=776572
CVE-2012-3480 (Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, ...)
- eglibc 2.13-36 (bug #684889)
+ [squeeze] - eglibc <no-dsa> (Minor issue)
- glibc <removed>
CVE-2012-3479 (lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically ...)
{DSA-2603-1}
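Review bot: "Minor issue" for CVE-2012-3480 (multiple integer overflows in strtod, strtof and strtold per the description) gives no reason why an oldstable fix is not warranted; state what limits exploitability, and the same applies to the identical lines added for CVE-2012-3405 and CVE-2012-3404 (vfprintf) in the next two hunks.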
@@ -35507,6 +35521,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/17
CVE-2012-3405 (The vfprintf function in stdio-common/vfprintf.c in libc in GNU C ...)
- eglibc 2.13-35 (low; bug #681473)
+ [squeeze] - eglibc <no-dsa> (Minor issue)
NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=13446
NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a4647e727a2a52e1259474c13f4b13288938bed4
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=833704
@@ -35515,6 +35530,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2012/07/11/17
CVE-2012-3404 (The vfprintf function in stdio-common/vfprintf.c in libc in GNU C ...)
- eglibc 2.13-35 (low; bug #681473)
+ [squeeze] - eglibc <no-dsa> (Minor issue)
NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=12445
NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=84a4211850e3d23a9d3a4f3b294752a3b30bc0ff
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=833703
@@ -54799,7 +54815,7 @@
[squeeze] - chromium-browser <end-of-life>
- webkit <not-affected> (chromium specific)
CVE-2011-1433 (The (1) AgentInterface and (2) CustomerInterface components in Open ...)
- - otrs2 3.0.8+dfsg1-1
+ - otrs2 3.0.8+dfsg1-1 (unimportant)
NOTE: Negligable security impact
CVE-2010-4768 (Open Ticket Request System (OTRS) before 2.3.5 does not properly ...)
- otrs2 2.4.5-1 (low)
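Review bot: the NOTE in the unchanged context line spells "Negligable"; correct it to "Negligible" while adding "(unimportant)", and expand the note to say why the impact is negligible (the description mentions the AgentInterface and CustomerInterface components) so the downgrade of a fixed entry is justified in the file itself rather than only in the commit log ("old otrs issue unimportant").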