[Secure-testing-commits] r30414 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Fri Nov 28 19:35:08 UTC 2014


Author: jmm
Date: 2014-11-28 19:35:08 +0000 (Fri, 28 Nov 2014)
New Revision: 30414

Modified:
   data/CVE/list
Log:
remove nginx, only uses openssl, so relies on it
no-dsa: commons-beanutils, libhibernate-validator-java
remove konversation non-issue
elfutils n/a
mark darktable as unimportant
fix source package name: jquery -> jqueryui
record older net-snmp spu fix


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-11-28 19:17:17 UTC (rev 30413)
+++ data/CVE/list	2014-11-28 19:35:08 UTC (rev 30414)
@@ -1590,10 +1590,9 @@
 	RESERVED
 CVE-2010-5312 [Title XSS Vulnerability]
 	RESERVED
-	- jquery <unfixed>
+	- jqueryui 1.10.1+dfsg-1
 	NOTE: http://bugs.jqueryui.com/ticket/6016
 	NOTE: https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3
-	TODO: check
 CVE-2010-5311
 	RESERVED
 CVE-2014-8738 [Out-of-bounds memory write while processing a crafted "ar" archive]
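Review bot: the jqueryui entry now records a fixed version (1.10.1+dfsg-1) but nothing about the older suites; with the TODO line dropped, a reader cannot tell whether the wheezy and squeeze jqueryui packages are affected or already handled. Suggest adding matching `[wheezy] - jqueryui ...` / `[squeeze] - jqueryui ...` lines (with `<not-affected>`, `<no-dsa>` or a version, plus the reason) so the rename does not silently close the question for those suites.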
@@ -1606,9 +1605,6 @@
 	- binutils 2.24.90.20141124-1
 	NOTE: Upstream tracker: https://sourceware.org/bugzilla/show_bug.cgi?id=17552
 	NOTE: Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42
-CVE-2014-XXXX [Buffer overflow while trying to send a file as base64 with /query]
-	- konversation <unfixed> (bug #768656)
-	TODO: check
 CVE-2014-8732 (Cross-site scripting (XSS) vulnerability in phpMemcachedAdmin 1.2.2 ...)
 	NOT-FOR-US: phpMemcachedAdmin
 CVE-2014-8731 [remote code execution flaw]
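Review bot: deleting the konversation entry outright also drops the reference to bug #768656, and the reason given in the log ("non-issue") is not recorded anywhere in the list itself. If the bug report stays open, consider keeping the entry with `<not-affected>` or `(unimportant)` and a NOTE stating why the base64 /query report is not a security issue, so the next person who sees the bug does not re-add the line.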
@@ -3651,7 +3647,8 @@
 	NOTE: Support for SOFT_DISABLE to syscall events was added in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d562aff93bfb530b0992141500a402d17081189d (v3.13-rc1)
 CVE-2014-7825 (kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does ...)
 	- linux <unfixed>
-	- linux-2.6 <removed>
+	- linux-2.6 <removed> (unimportant)
+	NOTE: CONFIG_FTRACE_SYSCALL not enabled in squeeze
 	NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=086ba77a6db00ed858ff07451bedee197df868c9 (v3.18-rc3)
 CVE-2014-7824 (D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and ...)
 	- dbus 1.8.10-1
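Review bot: the justification for `(unimportant)` lives in a separate NOTE that mentions squeeze, while the marker itself sits on the linux-2.6 line with no suite qualifier; suggest folding the reason into the parenthesis, e.g. `- linux-2.6 <removed> (unimportant; CONFIG_FTRACE_SYSCALL not enabled in squeeze)`, so the rationale travels with the marker. The `- linux <unfixed>` line above still has no [wheezy] status, so this change leaves the wheezy kernel's position on CVE-2014-7825 unrecorded.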
@@ -4951,10 +4948,9 @@
 	RESERVED
 CVE-2012-6662 [Tooltip: XSS vulnerability in default content]
 	RESERVED
-	- jquery <unfixed>
+	- jqueryui 1.10.1+dfsg-1
 	NOTE: http://bugs.jqueryui.com/ticket/8861
 	NOTE: https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde
-	TODO: check
 CVE-2012-6661 (Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta ...)
 	- zope2.12 2.12.26-1
 	- zope2.13 <not-affected> (Fixed before initial upload in upstream version 2.13.19)
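Review bot: same gap as the CVE-2010-5312 entry: the jquery -> jqueryui rename records the unstable fix (1.10.1+dfsg-1) and removes the TODO, but no [wheezy] or [squeeze] line says whether the suite packages are affected by the tooltip XSS. Suggest adding the suite lines with a status and reason rather than leaving the older suites implicit.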
@@ -13738,10 +13734,12 @@
 	[wheezy] - matrixssl <no-dsa> (Minor issue)
 	- midori <unfixed> (unimportant)
 	- netsurf <unfixed> (unimportant)
-	- nginx <unfixed> (bug #767456)
 	- nss <unfixed>
 	- openjdk-6 <unfixed>
+	[squeeze] - openjdk-6 <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
+	[wheezy] - openjdk-6 <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
 	- openjdk-7 <unfixed>
+	[wheezy] - openjdk-7 <no-dsa> (Upstream doesn't plan to disable SSLv3, stick with that)
 	- openjdk-8 <unfixed>
 	- polarssl 1.3.9-2
 	- surf <unfixed> (unimportant)
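Review bot: removing the nginx line also removes the reference to bug #767456, and the reasoning from the log ("only uses openssl, so relies on it") is not visible in the list; a short NOTE (e.g. `NOTE: nginx has no TLS implementation of its own, covered via openssl`) would keep the bug reference and stop the line from being re-added. For the openjdk `<no-dsa>` lines, the reason "Upstream doesn't plan to disable SSLv3, stick with that" describes upstream's position rather than the impact; consider stating the actual risk assessment, and note that openjdk-8 gets no suite line at all.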
@@ -13756,7 +13754,7 @@
 	NOTE: Browsers based on webkit (with the exception of Chromium) or khtml are not covered by security support
 CVE-2014-3565 (snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is ...)
 	- net-snmp 5.7.2.1~dfsg-7 (bug #760132)
-	[wheezy] - net-snmp <no-dsa> (Minor issue)
+	[wheezy] - net-snmp 5.4.3~dfsg-2.8+deb7u1
 	[squeeze] - net-snmp <no-dsa> (Minor issue)
 CVE-2014-3564 (Multiple heap-based buffer overflows in the status_handler function in ...)
 	{DSA-3005-1 DLA-39-1}
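Review bot: the wheezy net-snmp line now carries a fixed version (5.4.3~dfsg-2.8+deb7u1) but, unlike the neighbouring CVE-2014-3564 entry with its `{DSA-3005-1 DLA-39-1}` header, there is no advisory id. Since the log says this was a stable point update ("spu") fix, a NOTE such as `NOTE: wheezy fixed via stable point update, no DSA` would make clear that the missing DSA is expected rather than an oversight.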
@@ -13778,6 +13776,7 @@
 	NOT-FOR-US: ovirt-engine-backend
 CVE-2014-3558 (ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in ...)
 	- libhibernate-validator-java <unfixed> (low; bug #762690)
+	[wheezy] - libhibernate-validator-java <no-dsa> (Only used as a build dependency for libhibernate3-java)
 	NOTE: RedHat upgraded to new upstream versions in their security
 	NOTE: updates. No patches are available for the 4.0.x branch we
 	NOTE: have in Debian. Known fixed versions are 4.2.1, 4.3.2, and 5.1.2.
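Review bot: a `<no-dsa>` line is added for wheezy only; if libhibernate-validator-java also ships in squeeze, the same "only a build dependency for libhibernate3-java" reasoning applies and a matching [squeeze] line is missing, otherwise a note saying it is not in squeeze would close the question. The build-dependency argument is also worth a short NOTE confirming that no binary package is installed on end-user systems, since that is what makes the issue not worth a DSA.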
@@ -23699,8 +23698,8 @@
 	NOT-FOR-US: WordPress plugin Jetpack
 CVE-2014-0172 (Integer overflow in the check_section function in dwarf_begin_elf.c in ...)
 	- elfutils 0.158-1 (low; bug #744017)
-	[squeeze] - elfutils <no-dsa> (Minor issue)
-	[wheezy] - elfutils <no-dsa> (Minor issue)
+	[squeeze] - elfutils <not-affected> (Affected code introduced in 0.153)
+	[wheezy] - elfutils <no-dsa> (Affected code introduced in 0.153)
 CVE-2014-0171
 	RESERVED
 CVE-2014-0170 (Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data ...)
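Review bot: the wheezy reason "Affected code introduced in 0.153" explains why squeeze is `<not-affected>`, but it does not justify `<no-dsa>` for wheezy, whose elfutils is evidently affected (otherwise it would be `<not-affected>` too). Suggest keeping a reason that actually supports no DSA, e.g. `[wheezy] - elfutils <no-dsa> (Minor issue; affected code introduced in 0.153)`, so the two suite lines are not read as contradicting each other.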
@@ -23916,7 +23915,9 @@
 	{DSA-2940-1 DLA-57-1}
 	- libstruts1.2-java 1.2.9-9 (bug #745897)
 	NOTE: http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E
-	- commons-beanutils 1.9.2-1
+	- commons-beanutils 1.9.2-1 (low)
+	[wheezy] - commons-beanutils <no-dsa> (Too intrusive to backport; might break existing apps)
+	[squeeze] - commons-beanutils <no-dsa> (Too intrusive to backport; might break existing apps)
 	NOTE: https://issues.apache.org/jira/browse/BEANUTILS-463
 CVE-2014-0113 (CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard ...)
 	- libstruts1.2-java <not-affected> (Affects Struts 2.0.0 - Struts 2.3.16)
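Review bot: this entry now has a `{DSA-2940-1 DLA-57-1}` header together with `<no-dsa>` for commons-beanutils in both wheezy and squeeze, which a reader may take to mean the advisories covered commons-beanutils as well. Suggest a NOTE clarifying that DSA-2940-1 / DLA-57-1 addressed libstruts1.2-java only, and whether the commons-beanutils change (BEANUTILS-463) is expected in a later point update or left unfixed in the stable suites.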
@@ -36905,9 +36906,8 @@
 	[wheezy] - libraw <no-dsa> (Not suitable for code injection, minor issue)
 	[squeeze] - libraw <not-affected> (Vulnerable code not present)
 	- libkdcraw 4:4.8.4-2 (low; bug #711317)
-	- darktable 1.2.1-2 (low; bug #711316)
-	[wheezy] - darktable <no-dsa> (minor issue)
-	[wheezy] - libkdcraw <no-dsa> (minor issue)
+	- darktable 1.2.1-2 (unimportant; bug #711316)
+	NOTE: Not suitable for code injection, no security impact for an enduser application like Darktable
 	- kdegraphics <removed>
 	[squeeze] - kdegraphics <not-affected> (embedded version of kdcraw+libraw too old)
 	NOTE: http://www.openwall.com/lists/oss-security/2013/05/28/3
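Review bot: the hunk also removes `[wheezy] - libkdcraw <no-dsa> (minor issue)`, which the log does not mention, while `- libkdcraw 4:4.8.4-2 (low; bug #711317)` remains; that leaves libkdcraw's wheezy status unrecorded. If the removal is intentional, add a replacement [wheezy] line or a NOTE; if not, restore the line. Minor: "enduser" in the new NOTE should read "end-user".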