[Secure-testing-commits] r32136 - in data: . CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Tue Feb 10 19:14:14 UTC 2015
Author: jmm
Date: 2015-02-10 19:14:14 +0000 (Tue, 10 Feb 2015)
New Revision: 32136
Modified:
data/CVE/list
data/dsa-needed.txt
Log:
add sudo to dsa-needed
no-dsa: rope, byzanz, mantis, shadow, libhtp, suricata
update/clarify vlc/liblivemedia
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-02-10 18:42:23 UTC (rev 32135)
+++ data/CVE/list 2015-02-10 19:14:14 UTC (rev 32136)
@@ -7,6 +7,7 @@
TODO: check
CVE-2015-XXXX [XSS]
- mantis <removed>
+ [wheezy] - mantis <no-dsa> (Minor issue)
[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
NOTE: Upstream patch: https://github.com/mantisbt/mantisbt/commit/6defeed5 (1.2.x)
NOTE: https://www.mantisbt.org/bugs/view.php?id=19301
@@ -17,9 +18,13 @@
- lame 3.99.5+repack1-6 (bug #775959; bug #777160; bug #777161)
CVE-2015-XXXX [denial of service under memory stress]
- libhtp <unfixed> (bug #777522)
+ [squeeze] - libhtp <no-dsa> (Minor issue)
+ [wheezy] - libhtp <no-dsa> (Minor issue)
NOTE: https://github.com/inliniac/libhtp/commit/c7c03843cd6b1cbf44eb435d160ba53aec948828
CVE-2015-XXXX [evasion issues]
- suricata <unfixed> (bug #777523)
+ [wheezy] - suricata <no-dsa> (Minor issue)
+ [squeeze] - suricata <no-dsa> (Minor issue)
NOTE: https://redmine.openinfosecfoundation.org/issues/1364
CVE-2014-XXXX [preserves TZ by default]
- sudo <unfixed> (bug #772707)
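Review bot: the two new release lines are ordered differently within the same hunk: the libhtp entry lists `[squeeze]` before `[wheezy]`, while the suricata entry directly below lists `[wheezy]` before `[squeeze]`; pick one order (the rest of this commit mostly goes squeeze then wheezy) so the file stays easy to diff by eye. For the suricata entry, "(Minor issue)" as the no-dsa justification for an issue summarised as "[evasion issues]" could use a short NOTE with the reasoning, since rule evasion goes to the core function of an IDS and a reader of the tracker will otherwise wonder why it does not warrant a DSA; the linked redmine issue 1364 is the obvious place to point at if the rationale lives there.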
@@ -65,13 +70,14 @@
TODO: check
CVE-2012-XXXX [Out-of heap-based buffer write in GIF encoder]
- byzanz <unfixed>
+ [squeeze] - byzanz <no-dsa> (Minor issue)
+ [wheezy] - byzanz <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=852481
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/11
- TODO: check
CVE-2012-6687 [Stack smashing while using a lot of connections]
- libfcgi 2.4.0-8.3 (bug #681591)
[wheezy] - libfcgi <no-dsa> (Minor issue)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/4
+ NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/4
CVE-2012-XXXX [Stack-based buffer overflow when scanning directory structure for absolute path entries]
- fuseiso <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=863091
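Review bot: the byzanz entry keeps `- byzanz <unfixed>` in sid with no Debian bug reference, unlike the libhtp, suricata and rope entries touched in this same commit, which carry a `(bug #NNNNNN)`; consider filing and recording one so the sid side of the entry has a tracking anchor now that the `TODO: check` line is gone. Dropping that TODO is right, since both squeeze and wheezy are now triaged. Unrelated to this change but visible in the context: the description "[Out-of heap-based buffer write in GIF encoder]" reads garbled and probably wants to be "[Out-of-bounds heap-based buffer write in GIF encoder]" in a follow-up. The libfcgi change (dropping the "CVE Request:" prefix now that CVE-2012-6687 is assigned) is consistent with the chicken hunk below.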
@@ -1921,7 +1927,7 @@
- chicken <unfixed> (bug #775346)
[wheezy] - chicken <no-dsa> (Minor issue)
[squeeze] - chicken <no-dsa> (Minor issue)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/12/3
+ NOTE: http://www.openwall.com/lists/oss-security/2015/01/12/3
NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt
CVE-2015-XXXX [Crashes due to fuzzed input]
- sqlite3 <undetermined>
@@ -19438,8 +19444,9 @@
CVE-2014-3539 [pickle.load of remotely supplied data with no authentication required]
RESERVED
- rope <unfixed> (bug #777525)
+ [squeeze] - rope <no-dsa> (Minor issue)
+ [wheezy] - rope <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1116485
- TODO: check
CVE-2014-3538 (file before 5.19 does not properly restrict the amount of data read ...)
{DSA-3021-1 DSA-3008-1 DLA-67-1 DLA-50-1}
- file 1:5.19-1
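Review bot: the new `<no-dsa> (Minor issue)` lines for rope sit under an entry summarised as "pickle.load of remotely supplied data with no authentication required"; unpickling attacker-supplied data is in general arbitrary code execution, so the "Minor issue" tag on its own will read as contradictory to anyone consulting the tracker. Add a NOTE stating why it is considered minor here (exposure, default configuration, or whatever the reasoning is), or point at the part of the referenced Red Hat bug 1116485 that makes the case, so the classification is reproducible when the entry is revisited. Removing `TODO: check` is fine once that reasoning is recorded.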
@@ -28841,12 +28848,14 @@
{DSA-3156-1}
- liblivemedia 2014.01.13-1
[squeeze] - liblivemedia <not-affected> (vuln. code introduced in 2011.08.13)
- - vlc 2.1.2-2+b1
+ - vlc 2.1.4-1
+ [wheezy] - vlc 2.0.3-5+deb7u2
[squeeze] - vlc <not-affected> (not built against vuln. liblivemedia)
- mplayer <removed> (low)
[squeeze] - mplayer <no-dsa> (Minor issue)
- mplayer2 <not-affected> (b-d's on liblivemedia but doesn't actually build the support for it)
- NOTE: vlc fixed by the binnmu - recording it even if it's not a source pkg version
+ NOTE: vlc fixed by binNMU 2.1.2-2+b1, but since binNMUs are not visible to the security tracker, the subsequent sid upload is tracked
+ NOTE: for wheezy the version present at release of DSA 3156 is used (2.0.3-5+deb7u2), although strictly speaking it's 2.0.3-5+deb7u2+b1
CVE-2013-6932 (Buffer overflow in IrfanView before 4.37, when a multibyte-character ...)
NOT-FOR-US: IrfanView
CVE-2013-6931 (SQL injection vulnerability in the API in Cybozu Garoon 3.7.x before ...)
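Review bot: the second new NOTE line refers to "DSA 3156" while the entry itself records the advisory as `{DSA-3156-1}` two lines above; use the `DSA-3156-1` form in the NOTE as well so the advisory id is greppable consistently across the file. The replacement of `2.1.2-2+b1` by `2.1.4-1` together with the NOTE explaining that the binNMU is not visible to the tracker is a clear improvement over the old one-line remark, and recording the wheezy version as `2.0.3-5+deb7u2` with the `+b1` caveat spelled out in the NOTE keeps the data accurate without confusing the version matching.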
@@ -37128,7 +37137,8 @@
CVE-2013-4235 [TOCTOU race conditions by copying and removing directory trees]
RESERVED
- shadow <unfixed>
- TODO: check
+ [wheezy] - shadow <no-dsa> (Minor issue)
+ [squeeze] - shadow <no-dsa> (Minor issue)
CVE-2013-4234 (Multiple heap-based buffer overflows in the (1) abc_MIDI_drum and (2) ...)
{DSA-2751-1}
- libmodplug 1:0.8.8.4-4 (bug #719462)
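Review bot: the shadow entry keeps `- shadow <unfixed>` without a `(bug #NNNNNN)` reference while the `TODO: check` line is removed, so after this change nothing in the entry points at where the sid fix is being tracked; adding a bug reference, as the libmodplug entry directly below and the libhtp/suricata/rope entries elsewhere in this commit do, would close that gap. Also, the release lines here are added as `[wheezy]` then `[squeeze]`, the reverse of the order used for rope and byzanz in this same commit; one order throughout would be tidier.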
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2015-02-10 18:42:23 UTC (rev 32135)
+++ data/dsa-needed.txt 2015-02-10 19:14:14 UTC (rev 32136)
@@ -44,9 +44,6 @@
RH has moved to 3.16 even in EL5, Ubuntu uses 3.17 across the LTSes, maybe we should follow that approach
Debdiff applied against current version for interim update: https://people.debian.org/~carnil/tmp/nss/
--
-ntp (carnil)
- NOTE: for follow-up update for incomplete patch for CVE-2014-9297
---
openswan (corsac)
NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466
(#744717)
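Review bot: this hunk removes the whole `ntp (carnil)` block together with its NOTE about the follow-up update for the incomplete CVE-2014-9297 patch, but the commit log above only says "add sudo to dsa-needed" and never mentions ntp; state the reason for the removal in the log (for example that the follow-up update has been released), otherwise the history gives no hint whether the follow-up was done or the entry was dropped by accident.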
@@ -63,6 +60,8 @@
--
smarty3
--
+sudo
+--
tiff
NOTE: At time of last check: three issues not fixed, see #776185 for details
--
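Review bot: the new `sudo` entry has neither an assignee nor a NOTE, unlike the neighbouring `openswan (corsac)` entry and the `ntp (carnil)` entry removed above; the data/CVE/list hunk in this same commit already carries the matching issue as `CVE-2014-XXXX [preserves TZ by default]` with `(bug #772707)`, so a one-line NOTE referencing that bug would tell the person picking up the DSA what needs fixing without having to search the list.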