[Secure-testing-commits] r30362 - in data: . CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Wed Nov 26 18:42:44 UTC 2014


Author: jmm
Date: 2014-11-26 18:42:44 +0000 (Wed, 26 Nov 2014)
New Revision: 30362

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
dpkg issue neutralised by toolchain hardening
no-dsa for ntop and sprockets
add smarty3 to dsa-needed
older psql issue fixed
erlang has its own ssl, which yaws uses
remove older bogus phpbb issue
no security impact for gdb/bfd



Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-11-26 17:26:53 UTC (rev 30361)
+++ data/CVE/list	2014-11-26 18:42:44 UTC (rev 30362)
@@ -1652,8 +1652,9 @@
 	NOTE: http://git.php.net/?p=php-src.git;a=commit;h=c818d0d01341907fee82bdb81cab07b7d93bb9db
 CVE-2014-8625 [format string vulnerability]
 	RESERVED
-	- dpkg <unfixed> (bug #768485)
+	- dpkg <unfixed> (unimportant; bug #768485)
 	[squeeze] - dpkg <not-affected> (Regression introduced in 1.16.2)
+	NOTE: Rendered non-exploitable by toolchain hardening
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135
 	NOTE: Regression introduced with https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id=0b8652b226a7601dfd71471797d15168a7337242 (1.16.2)
 CVE-2014-8598 (The XML Import/Export plugin in MantisBT 1.2.x does not restrict ...)
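Review bot: the NOTE added under CVE-2014-8625 ("Rendered non-exploitable by toolchain hardening") does not say which hardening feature stops the format string bug or which dpkg builds carry it, yet the entry is downgraded to unimportant while still <unfixed>. Suggest naming the mechanism in the NOTE and confirming that it holds for every release tracked here other than squeeze (already <not-affected>), so the downgrade can be re-checked later.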
@@ -1894,7 +1895,7 @@
 CVE-2014-8501 [out-of-bounds write when parsing specially crafted PE executable]
 	RESERVED
 	- binutils 2.24.90.20141104-1
-	- gdb <unfixed>
+	- gdb <unfixed> (unimportant)
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e1e19887abd24aeb15066b141cdff5541e0ec8e
 CVE-2014-8500
 	RESERVED
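Review bot: the gdb line under CVE-2014-8501 becomes "- gdb <unfixed> (unimportant)" with no NOTE giving the reason, so the rationale exists only in the commit log ("no security impact for gdb/bfd"). Suggest adding a NOTE under the entry stating why the out-of-bounds write when parsing a crafted PE executable has no security impact in gdb.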
@@ -3646,6 +3647,7 @@
 	RESERVED
 CVE-2014-7819 (Multiple directory traversal vulnerabilities in server.rb in Sprockets ...)
 	- ruby-sprockets 2.12.3-1
+	[wheezy] - ruby-sprockets <no-dsa> (Minor issue)
 CVE-2014-7818 (Directory traversal vulnerability in ...)
 	- rails <unfixed> (bug #770934)
 	[wheezy] - rails <not-affected> (src:rails in wheezy is just a transition package)
@@ -12111,6 +12113,7 @@
 	NOT-FOR-US: SHOUTcast DNAS
 CVE-2014-4165 (Cross-site scripting (XSS) vulnerability in ntop allows remote ...)
 	- ntop <unfixed> (bug #751946)
+	[jessie] - ntop <no-dsa> (Minor issue)
 	[wheezy] - ntop <no-dsa> (Minor issue)
 CVE-2014-4164 (Cross-site scripting (XSS) vulnerability in AlgoSec FireFlow 6.3-b230 ...)
 	NOT-FOR-US: AlogoSec FireFlow
@@ -13705,9 +13708,7 @@
 	- tlslite <removed>
 	[wheezy] - tlslite <no-dsa> (Minor issue)
 	- uzbl <unfixed> (unimportant)
-	- yaws <unfixed>
-	[wheezy] - yaws <no-dsa> (Minor issue)
-	[squeeze] - yaws <no-dsa> (Minor issue)
+	- erlang <unfixed>
 	NOTE: https://www.openssl.org/~bodo/ssl-poodle.pdf
 	NOTE: http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html
 	NOTE: This is only about the SSLv3 CBC padding, not about any downgrade attack or support for the fallback SCSV
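Review bot: replacing the three yaws lines with a single "- erlang <unfixed>" drops the per-release triage. yaws had <no-dsa> for wheezy and squeeze, while erlang gets no [wheezy] or [squeeze] line and no urgency. Suggest adding the release-specific status for erlang, plus a NOTE recording that yaws uses erlang's own ssl, since that reason currently appears only in the commit log.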
@@ -18224,11 +18225,6 @@
 	NOTE: squeeze: DecodePSDPixels not present but there was a rewrite from DecodeImage?
 	NOTE: http://secunia.com/advisories/56844/
 	NOTE: http://trac.imagemagick.org/changeset/14801
-CVE-2014-XXXX [phpbb3: denial of service vulnerability]
-	- phpbb3 <unfixed> (low)
-	[wheezy] - phpbb3 <no-dsa> (Minor issue)
-	[squeeze] - phpbb3 <no-dsa> (Minor issue)
-	NOTE: http://seclists.org/bugtraq/2014/Feb/33
 CVE-2014-1950 (Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen ...)
 	{DSA-3006-1}
 	- xen 4.4.0-1
@@ -24094,7 +24090,7 @@
 	{DSA-2865-1 DSA-2864-1}
 	- postgresql-9.1 9.1.12-1 (low)
 	- postgresql-8.4 <removed>
-	[wheezy] - postgresql-8.4 <no-dsa> (Minor issue)
+	[wheezy] - postgresql-8.4 8.4.20-0wheezy1
 	- postgresql-9.3 9.3.3-1
 	- postgresql-plsh 1.20140221-1
 	[wheezy] - postgresql-plsh <no-dsa> (Minor issue)
@@ -65052,13 +65048,16 @@
 	- cyassl <unfixed>
 	- gnutls26 <unfixed> (unimportant)
 	- gnutls28 <unfixed> (unimportant)
-	NOTE: No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported 2.0.0
+	NOTE: No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0
 	- haskell-tls <unfixed>
 	- matrixssl <removed> (low)
 	[squeeze] - matrixssl <no-dsa> (Minor issue)
 	[wheezy] - matrixssl <no-dsa> (Minor issue)
 	NOTE: matrixssl fix this upstream in 3.2.2
-	- bouncycastle <unfixed>
+	- bouncycastle 1.49+dfsg-1
+	[squeeze] - bouncycastle <no-dsa> (Minor issue)
+	[wheezy] - bouncycastle <no-dsa> (Minor issue)
+	NOTE: No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9
 	- nss 3.13.1.with.ckbi.1.88-1
 	- polarssl <unfixed>
 	- tlslite <removed>
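Review bot: in the new bouncycastle lines the version is written two ways: the fixed version is "1.49+dfsg-1" but the NOTE says TLS 1.1 is "supported since 1.4.9". Suggest using one spelling so it is clear whether both refer to the same upstream release. The NOTE also opens with "No mitigation for bouncycastle" directly under a line that marks the package fixed; a word on what 1.49+dfsg-1 fixes versus what remains unmitigated would remove the ambiguity.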

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt	2014-11-26 17:26:53 UTC (rev 30361)
+++ data/dsa-needed.txt	2014-11-26 18:42:44 UTC (rev 30362)
@@ -41,6 +41,8 @@
 ruby1.9.1
   (no-dsa issues CVE-2013-2065 and CVE-2014-4975 could be fixed along)
 --
+smarty3
+--
 wordpress
 --
 zendframework



