[Secure-testing-commits] r29663 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Sun Oct 26 12:51:10 UTC 2014
Author: jmm
Date: 2014-10-26 12:51:10 +0000 (Sun, 26 Oct 2014)
New Revision: 29663
Modified:
data/CVE/list
Log:
fix source package name for konqueror in oldstable
mark unsupported browsers as unimportant; they can still be fixed up
for jessie to disable ssl3 as their maintainers see fit
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-10-26 12:31:44 UTC (rev 29662)
+++ data/CVE/list 2014-10-26 12:51:10 UTC (rev 29663)
@@ -11377,20 +11377,20 @@
CVE-2014-3566 (The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other ...)
- aolserver4-nsopenssl <unfixed>
- apache2 2.4.10-6
- - arora <unfixed>
+ - arora <unfixed> (unimportant)
- bouncycastle <unfixed>
- chromium-browser <unfixed>
- - conkeror <unfixed>
+ - conkeror <unfixed> (unimportant)
- cyassl <unfixed>
- dwb <unfixed>
- openssl 1.0.1j-1
- galeon <unfixed>
- gnutls26 <unfixed>
- gnutls28 <unfixed>
- - kazehakase <unfixed>
- [squeeze] - kdebase <unfixed>
- - kde-baseapps <unfixed>
- - epiphany-browser <unfixed>
+ - kazehakase <unfixed> (unimportant)
+ - kdebase <removed> (unimportant)
+ - kde-baseapps <unfixed> (unimportant)
+ - epiphany-browser <unfixed> (unimportant)
- fossil <unfixed>
- gatling <unfixed>
- haskell-tls <unfixed>
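Review bot: the kdebase line in this hunk changes more than the package name the log mentions. `[squeeze] - kdebase <unfixed>` becomes `- kdebase <removed> (unimportant)`, so the explicit squeeze tag is gone and the state moves from unfixed to removed. If squeeze is still considered affected, say so in the log or keep a release-tagged line so the oldstable status stays readable from the entry itself. Separately, dwb and galeon stay as plain `<unfixed>` while the other browser entries around them gain `(unimportant)`; please confirm that is deliberate.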
@@ -11400,9 +11400,9 @@
[squeeze] - iceweasel <end-of-life>
- lighttpd <unfixed>
- matrixssl <unfixed>
- - midori <unfixed>
+ - midori <unfixed> (unimportant)
- mini-httpd <unfixed>
- - netsurf <unfixed>
+ - netsurf <unfixed> (unimportant)
- nginx <unfixed>
- nss <unfixed>
- ocsigenserver <unfixed>
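Review bot: netsurf is tagged `(unimportant)` here alongside midori, but the only rationale this commit records in the entry is the NOTE about browsers based on webkit or khtml. If netsurf is downgraded for a different reason, the NOTE or the log should name it; otherwise the tag has no visible justification in the entry.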
@@ -11410,17 +11410,18 @@
- openjdk-7 <unfixed>
- openjdk-8 <unfixed>
- polarssl <unfixed>
- - surf <unfixed>
+ - surf <unfixed> (unimportant)
- tlslite <unfixed>
- tntnet <unfixed>
- tomcatjss <unfixed>
- - uzbl <unfixed>
+ - uzbl <unfixed> (unimportant)
- webfs <unfixed>
- yaws <unfixed>
NOTE: https://www.openssl.org/~bodo/ssl-poodle.pdf
NOTE: http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html
NOTE: This is only about the SSLv3 CBC padding, not about any downgrade attack or support for the fallback SCSV
NOTE: Fix is to disable SSLv3 in library or application configurations
+ NOTE: Browsers based on webkit (with the exception of Chromium) or khtml are not covered by security support
CVE-2014-3565 (snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is ...)
- net-snmp 5.7.2.1~dfsg-7 (bug #760132)
[wheezy] - net-snmp <no-dsa> (Minor issue)
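Review bot: the NOTE added at the end of the CVE-2014-3566 entry says webkit and khtml browsers are not covered by security support, but it does not say that this is why those entries carry `(unimportant)`, nor that the packages can still disable SSLv3 for jessie as the log states. Since the preceding NOTE gives disabling SSLv3 as the fix, a short addition such as "hence marked unimportant; maintainers may still disable SSLv3" would keep a reader from taking unimportant to mean unaffected.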