[Secure-testing-commits] r33360 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Fri Apr 3 15:22:52 UTC 2015


Author: carnil
Date: 2015-04-03 15:22:52 +0000 (Fri, 03 Apr 2015)
New Revision: 33360

Modified:
   data/CVE/list
Log:
Mark CVE-2014-8119/netcf as not-affected

Issues only in the drv_{redhat,suse}.c code. In principle vulnerable
code is present, but on Debian systems the redhat and suse drivers are
not built.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-04-03 12:43:32 UTC (rev 33359)
+++ data/CVE/list	2015-04-03 15:22:52 UTC (rev 33360)
@@ -12173,17 +12173,15 @@
 	NOT-FOR-US: Thermostat Hotspot instrumentation
 CVE-2014-8119 [augeas path expression injection via interface name]
 	RESERVED
-	- netcf <unfixed>
-	[jessie] - netcf <no-dsa> (too intrusive to backport)
-	[wheezy] - netcf <no-dsa> (too intrusive to backport)
+	- netcf <not-affected> (suse and redhat driver are not built on Debian)
 	NOTE: Issue is in the way the netcf's find_ifcfg_path() function processed
 	NOTE: certain XPath expressions according to Red Hat bugzilla.
 	NOTE: The fix consists in augeas getting a new API aug_escape_name which
 	NOTE: netcf needs to use.
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1172176#c3
 	NOTE: https://www.redhat.com/archives/augeas-devel/2014-December/msg00000.html
-	NOTE: The affected code is only in drv_redhat.c and drv_suse.c, maybe
-	NOTE: Debian isn't affected after all, need further investigation
+	NOTE: The affected code is only in drv_redhat.c and drv_suse.c and the Debian
+	NOTE: build not affected.
 CVE-2014-8118 (Integer overflow in RPM 4.12 and earlier allows remote attackers to ...)
 	{DSA-3129-1 DLA-140-1}
 	- rpm 4.11.3-1.1 (bug #773101)
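
Review bot: The replacement NOTE at the end of the CVE-2014-8119 entry ("NOTE: build not affected.") is missing its verb and drops the one caveat that justifies the status. The commit log says the vulnerable code is in principle present and that only the redhat and suse drivers, which Debian does not build, contain it, but the list entry no longer states that the source still ships drv_redhat.c and drv_suse.c. Suggest wording the NOTE as "The affected code is only in drv_redhat.c and drv_suse.c, which are present in the source but not built on Debian", so that anyone revisiting the entry knows the not-affected status depends on the build configuration and must be rechecked if those drivers are ever enabled. The removed "need further investigation" line is also replaced without recording how the build was checked; a short NOTE on what was verified would close that out.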



