[Secure-testing-commits] r33460 - in data: . CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Thu Apr 9 17:18:05 UTC 2015
Author: jmm
Date: 2015-04-09 17:18:05 +0000 (Thu, 09 Apr 2015)
New Revision: 33460
Modified:
data/CVE/list
data/dsa-needed.txt
Log:
no-dsa: n-m, kfreebsd9
dsa-needed: nbd
one php issue was fixed in the 5.4.39 release, so fixed in wheezy
remove no-dsa entries for now resolved kfreebsd10 issues
mark one kernel issue as undetermined
qemu/qemu-kvm n/a in wheezy/squeeze
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-04-09 15:44:28 UTC (rev 33459)
+++ data/CVE/list 2015-04-09 17:18:05 UTC (rev 33460)
@@ -399,10 +399,15 @@
CVE-2015-2924 [IPv6 Hop limit lowering via RA messages]
RESERVED
- network-manager <unfixed>
+ [squeeze] - network-manager <no-dsa> (Minor issue)
+ [wheezy] - network-manager <no-dsa> (Minor issue)
+ [jessie] - network-manager <no-dsa> (Minor issue)
CVE-2015-2923 [IPv6 Hop limit lowering via RA messages]
RESERVED
- kfreebsd-10 10.1~svn274115-4 (bug #782107)
+ [jessie] - kfreebsd-10 <no-dsa> (kfreebsd not a release arch)
- kfreebsd-9 <removed>
+ [wheezy] - kfreebsd-9 <no-dsa> (Minor issue)
- kfreebsd-8 <removed>
[wheezy] - kfreebsd-8 <no-dsa> (kfreebsd-8 only a test kernel, will be fixed in a point update)
[squeeze] - kfreebsd-8 <not-affected> (kfreebsd-i386/amd64 not supported in Squeeze LTS)
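Review bot: The CVE-2015-2923 block gains `[jessie] - kfreebsd-10 <no-dsa> (kfreebsd not a release arch)`, but the log only says "no-dsa: n-m, kfreebsd9" and does not mention kfreebsd-10. Please mention it in the log. The new `[wheezy] - kfreebsd-9 <no-dsa> (Minor issue)` line is also less specific than the kfreebsd-8 wheezy line below it, which says the fix will come in a point update; if the same is planned for kfreebsd-9, say so in the reason.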
@@ -665,9 +670,10 @@
CVE-2015-2756 (QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict ...)
- xen 4.2.0~rc2-1 (bug #781620)
- qemu <unfixed>
- - qemu-kvm <removed>
+ [wheezy] - qemu <not-affected> (Vulnerable code not present)
+ [squeeze] - qemu <not-affected> (Vulnerable code not present)
+ - qemu-kvm <not-affected> (Vulnerable code not present)
NOTE: http://xenbits.xen.org/xsa/advisory-126.html
- TODO: check qemu versions
CVE-2015-2755 (Multiple cross-site request forgery (CSRF) vulnerabilities in the AB ...)
NOT-FOR-US: AB Google Map Travel (AB-MAP) plugin for WordPress
CVE-2015-2752 (The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, ...)
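Review bot: In the CVE-2015-2756 entry, `TODO: check qemu versions` is dropped while `- qemu <unfixed>` stays without a bug reference, unlike the xen line, which carries bug #781620. Add the bug number for the unfixed qemu package if one exists. The new `- qemu-kvm <not-affected>` line has no suite tag, although the log describes the finding as applying to wheezy/squeeze; please confirm the untagged form is intended.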
@@ -1550,6 +1556,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/03/30/4
CVE-2015-XXXX [SoapClient's __call() type confusion through unserialize()]
- php5 5.6.7+dfsg-1
+ [wheezy] - php5 5.4.39-0+deb7u1
NOTE: https://bugs.php.net/bug.php?id=69085
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/20/14
CVE-2015-2779
@@ -7499,10 +7506,9 @@
NOT-FOR-US: Smoothwall
CVE-2010-5321 [v4l: videobuf: hotfix a bug on multiple calls to mmap()]
RESERVED
- - linux <unfixed>
- - linux-2.6 <removed>
+ - linux <undetermined>
+ - linux-2.6 <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=620629#c0
- TODO: check
CVE-2010-5320 (Multiple cross-site request forgery (CSRF) vulnerabilities in MemHT ...)
NOT-FOR-US: MemHT Portal
CVE-2010-5319 (Multiple cross-site request forgery (CSRF) vulnerabilities in Kandidat ...)
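Review bot: The CVE-2010-5321 entry loses `TODO: check` and moves both packages to `<undetermined>`, but nothing records what was checked or what is still unknown. linux-2.6 also goes from `<removed>` to `<undetermined>`, which drops the information that the package is gone. A NOTE line explaining the status would help whoever triages this next.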
@@ -11114,7 +11120,6 @@
REJECTED
CVE-2014-8613 (The sctp module in FreeBSD 10.1 before p5, 10.0 before p17, 9.3 before ...)
- kfreebsd-10 10.1~svn274115-2 (bug #776416)
- [jessie] - kfreebsd-10 <no-dsa> (kfreebsd not a release arch)
- kfreebsd-9 <removed>
[wheezy] - kfreebsd-9 9.0-10+deb70.8
NOTE: kfreebsd-9/9.0-10+deb70.8 disabled SCTP protocol
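Review bot: Removing `[jessie] - kfreebsd-10 <no-dsa> (kfreebsd not a release arch)` from CVE-2014-8613 leaves jessie covered only by the untagged `- kfreebsd-10 10.1~svn274115-2 (bug #776416)` line, while the first hunk of this same commit adds an identical jessie no-dsa line for CVE-2015-2923. The hunk does not show which kfreebsd-10 version jessie carries, so please confirm it is at least 10.1~svn274115-2. The same applies to the CVE-2014-8612 hunk that follows.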
@@ -11125,7 +11130,6 @@
CVE-2014-8612 (Multiple array index errors in the Stream Control Transmission ...)
[experimental] - kfreebsd-11 <unfixed>
- kfreebsd-10 10.1~svn274115-2 (bug #776415)
- [jessie] - kfreebsd-10 <no-dsa> (kfreebsd not a release arch)
- kfreebsd-9 <removed>
[wheezy] - kfreebsd-9 9.0-10+deb70.8
NOTE: kfreebsd-9/9.0-10+deb70.8 disabled SCTP protocol
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2015-04-09 15:44:28 UTC (rev 33459)
+++ data/dsa-needed.txt 2015-04-09 17:18:05 UTC (rev 33460)
@@ -38,6 +38,8 @@
--
mediawiki
--
+nbd
+--
nss
Red Hat has moved to 3.16 even in EL5, Ubuntu uses 3.17 across the LTSes, maybe we should follow that approach
--
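Review bot: The new `nbd` entry in dsa-needed.txt has no note saying which issue needs the DSA, and none of the data/CVE/list hunks in this commit touch an nbd entry. A one-line comment under `nbd`, like the one under `nss`, would make the reason clear.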