[Secure-testing-commits] r30345 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Wed Nov 26 06:58:43 UTC 2014
Author: jmm
Date: 2014-11-26 06:58:43 +0000 (Wed, 26 Nov 2014)
New Revision: 30345
Modified:
data/CVE/list
Log:
ffmpeg/libav triage
drop tomcatjss, it relies on jss, so once nss is fixed, it is fixed as well
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-11-26 05:29:31 UTC (rev 30344)
+++ data/CVE/list 2014-11-26 06:58:43 UTC (rev 30345)
@@ -1708,39 +1708,49 @@
RESERVED
CVE-2014-8549 (libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the ...)
- ffmpeg 7:2.4.3-1
- - libav <undetermined>
+ [squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
+ - libav <unfixed>
+ [wheezy] - libav <not-affected> (Vulnerable code not present)
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=550f3e9df3410b3dd975e590042c0d83e20a8da3
CVE-2014-8548 (Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows ...)
- ffmpeg 7:2.4.3-1
- - libav <undetermined>
+ [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
+ - libav <unfixed>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c727401aa9d62335e89d118a5b4e202edf39d905
CVE-2014-8547 (libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute ...)
- ffmpeg 7:2.4.3-1
- - libav <undetermined>
+ [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
+ - libav <unfixed>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8f1457864be8fb9653643519dea1c6492f1dde57
CVE-2014-8546 (Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2 ...)
- ffmpeg <undetermined>
- - libav <undetermined>
+ - libav <unfixed>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e7e5114c506957f40aafd794e06de1a7e341e9d5
TODO: check, not sure if patch correct, is applied in 7:2.4.3-1
CVE-2014-8545 (libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the ...)
- ffmpeg 7:2.4.3-1
- - libav <undetermined>
+ [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
+ - libav <unfixed>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6
CVE-2014-8544 (libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate ...)
- ffmpeg 7:2.4.3-1
- - libav <undetermined>
+ [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
+ - libav <unfixed>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5
CVE-2014-8543 (libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all ...)
- ffmpeg 7:2.4.3-1
- - libav <undetermined>
+ [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
+ - libav <unfixed>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e
CVE-2014-8542 (libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID ...)
- ffmpeg 7:2.4.3-1
- - libav <undetermined>
+ [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
+ - libav <unfixed>
+ [wheezy] - libav <not-affected> (Vulnerable code not present)
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=105654e376a736d243aef4a1d121abebce912e6b
CVE-2014-8541 (libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension ...)
- ffmpeg 7:2.4.3-1
+ [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav <undetermined>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=5c378d6a6df8243f06c87962b873bd563e58cd39
CVE-2014-8539
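Review bot: In the CVE-2014-8541 entry at the end of this hunk, `- libav <undetermined>` is left unchanged while every other entry in the hunk moves libav to `<unfixed>`. If libav is still untriaged for this CVE, add a TODO line saying so, as the CVE-2014-8546 entry does for its open question; otherwise change it to `<unfixed>` to match the rest. CVE-2014-8546 also receives no `[squeeze] - ffmpeg` annotation, which is consistent only while `- ffmpeg <undetermined>` stands there, so that entry needs a second pass once its TODO is resolved.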
@@ -13672,7 +13682,6 @@
- surf <unfixed> (unimportant)
- tlslite <removed>
[wheezy] - tlslite <no-dsa> (Minor issue)
- - tomcatjss <unfixed>
- uzbl <unfixed> (unimportant)
- yaws <unfixed>
[wheezy] - yaws <no-dsa> (Minor issue)
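Review bot: The removed `- tomcatjss <unfixed>` line leaves no trace in the entry of why the package is no longer tracked; the rationale (tomcatjss relies on jss, so it is fixed once nss is fixed) exists only in the commit log. Consider recording it as a NOTE line in the entry so that a later triage pass does not re-add the package. The same removal recurs in the two hunks that follow.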
@@ -43061,7 +43070,6 @@
NOTE: matrixssl fixed this upstream in 3.4.1
- tlslite <removed>
[wheezy] - tlslite <no-dsa> (Minor issue)
- - tomcatjss <unfixed>
NOTE: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
CVE-2013-0168 (The MoveDisk command in Red Hat Enterprise Virtualization Manager ...)
NOTE: RHEV management tool
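Review bot: Dropping `- tomcatjss <unfixed>` here depends on the nss fix covering it, but none of the context lines in this hunk shows an nss (or jss) line for this CVE. Confirm that the entry tracks nss above the visible context; if it does not, the removal leaves the issue untracked for the library tomcatjss depends on.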
@@ -65032,7 +65040,6 @@
- polarssl <unfixed>
- tlslite <removed>
[wheezy] - tlslite <no-dsa> (Minor issue)
- - tomcatjss <unfixed>
CVE-2011-3388 (Opera before 11.51 allows remote attackers to cause an insecure site ...)
NOT-FOR-US: Opera
CVE-2011-3387 (The class file parser in IBM Java 1.4.2 SR13 FP9 allows remote ...)