[Secure-testing-commits] r28957 - in data: . CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Mon Sep 22 15:50:45 UTC 2014
Author: hertzog
Date: 2014-09-22 15:50:45 +0000 (Mon, 22 Sep 2014)
New Revision: 28957
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Update CVE-2014-4945 & CVE-2014-4946, add a bunch of packages to dla-needed.txt
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-09-22 13:54:14 UTC (rev 28956)
+++ data/CVE/list 2014-09-22 15:50:45 UTC (rev 28957)
@@ -3834,13 +3834,19 @@
CVE-2014-4947 (Buffer overflow in the HVM graphics console support in Citrix ...)
NOT-FOR-US: Citrix XenServer
CVE-2014-4946 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet ...)
- - php-horde-imp <unfixed>
+ - php-horde-imp 6.2.0-1
- horde3 <removed>
- TODO: check
+ [squeeze] - horde3 <not-affected>
+ NOTE: Upstream patches:
+ NOTE: https://github.com/horde/horde/commit/578ff073724d9c179663098d8ff0076e8b361cfb
+ NOTE: https://github.com/horde/horde/commit/2f1f4b10dec90fb67797ea80be0e029ead90f168
+ NOTE: The bugs are in javascript files that do not exist in the version in Squeeze.
CVE-2014-4945 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet ...)
- - php-horde-imp <unfixed>
+ - php-horde-imp 6.2.0-1
- horde3 <removed>
- TODO: check
+ [squeeze] - horde3 <not-affected>
+ NOTE: Upstream patch: https://github.com/horde/horde/commit/71633e649afc0704b72098a6e2530377dd67eb0c
+ NOTE: The bug is in PHP template file that does not exist in the version in Squeeze.
CVE-2014-4944 (Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in ...)
NOT-FOR-US: WordPress plugin
CVE-2014-4943 (The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel ...)
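Review bot: On the two added "[squeeze] - horde3 <not-affected>" lines, the reason is carried only by the NOTE lines that follow, so it is lost wherever the status line is shown on its own. Consider putting a short reason on the entry itself, for example "<not-affected> (Vulnerable code not present)". The two entries also format the upstream references differently: CVE-2014-4946 uses an "Upstream patches:" line followed by one URL per NOTE, while CVE-2014-4945 puts the URL on the same line as "Upstream patch:"; one form for both would be easier to scan. In the last added NOTE, "The bug is in PHP template file" should read "in a PHP template file".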
@@ -45161,6 +45167,7 @@
- mysql-5.5 5.5.28+dfsg-1 (bug #690778)
CVE-2012-3155 (Unspecified vulnerability in the CORBA ORB component in Sun GlassFish ...)
- glassfish <unfixed> (bug #692035)
+ NOTE: Oracle doesn't provide any useful public information to fix the package without importing a new upstream version.
CVE-2012-3154 (Unspecified vulnerability in the Oracle Agile PLM Framework component ...)
NOT-FOR-US: Oracle Supply Chain Products Suite
CVE-2012-3153 (Unspecified vulnerability in the Oracle Reports Developer component in ...)
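Review bot: The added NOTE under glassfish explains why the entry stays <unfixed> but not which upstream version would have to be imported, so a later reader cannot tell when this entry can be closed. If the fixed upstream version is known, name it in the NOTE; if it is not, say so explicitly. Since the entry already references bug #692035, the same explanation would also be worth recording there.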
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2014-09-22 13:54:14 UTC (rev 28956)
+++ data/dla-needed.txt 2014-09-22 15:50:45 UTC (rev 28957)
@@ -19,8 +19,16 @@
--
curl (Thorsten Alteholz)
--
+dbus
+--
+drupal6
+--
+eglibc
+--
evince
--
+fckeditor
+--
fex (non-free)
--
graphicsmagick
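Review bot: The added dbus, drupal6, eglibc and fckeditor entries give no indication of which open issue put each package on the list, and the log message only says "add a bunch of packages". A short line under each entry naming the CVE(s) that need an update would save whoever claims the package from redoing the triage. These additions are also unrelated to the CVE-2014-4945/CVE-2014-4946 triage in data/CVE/list and would be easier to review or revert as a separate commit.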