[Secure-testing-commits] r32136 - in data: . CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Tue Feb 10 19:14:14 UTC 2015


Author: jmm
Date: 2015-02-10 19:14:14 +0000 (Tue, 10 Feb 2015)
New Revision: 32136

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
add sudo to dsa-needed
no-dsa: rope, byzanz, mantis, shadow, libhtp, suricata
update/clarify vlc/liblivemedia


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-02-10 18:42:23 UTC (rev 32135)
+++ data/CVE/list	2015-02-10 19:14:14 UTC (rev 32136)
@@ -7,6 +7,7 @@
 	TODO: check
 CVE-2015-XXXX [XSS]
 	- mantis <removed>
+	[wheezy] - mantis <no-dsa> (Minor issue)
 	[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
 	NOTE: Upstream patch: https://github.com/mantisbt/mantisbt/commit/6defeed5 (1.2.x)
 	NOTE: https://www.mantisbt.org/bugs/view.php?id=19301
@@ -17,9 +18,13 @@
 	- lame 3.99.5+repack1-6 (bug #775959; bug #777160; bug #777161)
 CVE-2015-XXXX [denial of service under memory stress]
 	- libhtp <unfixed> (bug #777522)
+	[squeeze] - libhtp <no-dsa> (Minor issue)
+	[wheezy] - libhtp <no-dsa> (Minor issue)
 	NOTE: https://github.com/inliniac/libhtp/commit/c7c03843cd6b1cbf44eb435d160ba53aec948828
 CVE-2015-XXXX [evasion issues]
 	- suricata <unfixed> (bug #777523)
+	[wheezy] - suricata <no-dsa> (Minor issue)
+	[squeeze] - suricata <no-dsa> (Minor issue)
 	NOTE: https://redmine.openinfosecfoundation.org/issues/1364
 CVE-2014-XXXX [preserves TZ by default]
 	- sudo <unfixed> (bug #772707)
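Review bot: the suite lines are ordered inconsistently within this hunk: the libhtp entry lists `[squeeze]` before `[wheezy]`, while the suricata entry just below (and the existing libfcgi and chicken entries elsewhere in the file) lists `[wheezy]` first. Pick one order, preferably wheezy then squeeze as the older entries do, so the file stays uniform and easy to grep.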
@@ -65,13 +70,14 @@
 	TODO: check
 CVE-2012-XXXX [Out-of heap-based buffer write in GIF encoder]
 	- byzanz <unfixed>
+	[squeeze] - byzanz <no-dsa> (Minor issue)
+	[wheezy] - byzanz <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=852481
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/11
-	TODO: check
 CVE-2012-6687 [Stack smashing while using a lot of connections]
 	- libfcgi 2.4.0-8.3 (bug #681591)
 	[wheezy] - libfcgi <no-dsa> (Minor issue)
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/4
+	NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/4
 CVE-2012-XXXX [Stack-based buffer overflow when scanning directory structure for absolute path entries]
 	- fuseiso <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=863091
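Review bot: the byzanz entry drops its `TODO: check` while still carrying a `CVE-2012-XXXX` placeholder and an open `NOTE: CVE Request:`; the libfcgi change in the same hunk shows the pattern once an id is assigned (the `CVE Request:` prefix goes away and the id is filled in), so a reminder that the byzanz id is still pending would be worth keeping. As a style point, the byzanz description `Out-of heap-based buffer write` reads as truncated; `Out-of-bounds heap-based buffer write` is presumably intended.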
@@ -1921,7 +1927,7 @@
 	- chicken <unfixed> (bug #775346)
 	[wheezy] - chicken <no-dsa> (Minor issue)
 	[squeeze] - chicken <no-dsa> (Minor issue)
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/12/3
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/12/3
 	NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt
 CVE-2015-XXXX [Crashes due to fuzzed input]
 	- sqlite3 <undetermined>
@@ -19438,8 +19444,9 @@
 CVE-2014-3539 [pickle.load of remotely supplied data with no authentication required]
 	RESERVED
 	- rope <unfixed> (bug #777525)
+	[squeeze] - rope <no-dsa> (Minor issue)
+	[wheezy] - rope <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1116485
-	TODO: check
 CVE-2014-3538 (file before 5.19 does not properly restrict the amount of data read ...)
 	{DSA-3021-1 DSA-3008-1 DLA-67-1 DLA-50-1}
 	- file 1:5.19-1
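Review bot: the `(Minor issue)` justification for rope carries no rationale, and the entry title (`pickle.load of remotely supplied data with no authentication required`) describes deserialisation of untrusted input, which is normally treated as code execution rather than minor. Add a NOTE stating which conditions limit exposure and therefore why no DSA is warranted, so a later reader of the list does not have to re-derive the decision from the bugzilla link alone.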
@@ -28841,12 +28848,14 @@
 	{DSA-3156-1}
 	- liblivemedia 2014.01.13-1
 	[squeeze] - liblivemedia <not-affected> (vuln. code introduced in 2011.08.13)
-	- vlc 2.1.2-2+b1
+	- vlc 2.1.4-1
+	[wheezy] - vlc 2.0.3-5+deb7u2
 	[squeeze] - vlc <not-affected> (not built against vuln. liblivemedia)
 	- mplayer <removed> (low)
 	[squeeze] - mplayer <no-dsa> (Minor issue)
 	- mplayer2 <not-affected> (b-d's on liblivemedia but doesn't actually build the support for it)
-	NOTE: vlc fixed by the binnmu - recording it even if it's not a source pkg version
+	NOTE: vlc fixed by binNMU 2.1.2-2+b1, but since binNMUs are not visible to the security tracker, the subsequent sid upload is tracked
+	NOTE: for wheezy the version present at release of DSA 3156 is used (2.0.3-5+deb7u2), although strictly speaking it's 2.0.3-5+deb7u2+b1
 CVE-2013-6932 (Buffer overflow in IrfanView before 4.37, when a multibyte-character ...)
 	NOT-FOR-US: IrfanView
 CVE-2013-6931 (SQL injection vulnerability in the API in Cybozu Garoon 3.7.x before ...)
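Review bot: recording `2.0.3-5+deb7u2` for wheezy while the NOTE says the actual fixed build is `2.0.3-5+deb7u2+b1` means the tracker will also treat the un-rebuilt binaries at that version as fixed, since the lower version sorts below the binNMU; for sid the trade-off goes the other way, as anything between the binNMU `2.1.2-2+b1` and `2.1.4-1` is reported vulnerable. Both NOTEs already document this, which is the right call given that binNMUs are invisible to the tracker; for consistency with the `{DSA-3156-1}` line above, write the advisory in the wheezy NOTE by its full id (`DSA-3156-1`) rather than `DSA 3156`.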
@@ -37128,7 +37137,8 @@
 CVE-2013-4235 [TOCTOU race conditions by copying and removing directory trees]
 	RESERVED
 	- shadow <unfixed>
-	TODO: check
+	[wheezy] - shadow <no-dsa> (Minor issue)
+	[squeeze] - shadow <no-dsa> (Minor issue)
 CVE-2013-4234 (Multiple heap-based buffer overflows in the (1) abc_MIDI_drum and (2) ...)
 	{DSA-2751-1}
 	- libmodplug 1:0.8.8.4-4 (bug #719462)
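Review bot: the shadow entry loses its `TODO: check` and gains two `<no-dsa>` lines but has no NOTE at all, unlike the other entries touched in this commit, which each carry a bug number or an upstream reference. Add a NOTE with the upstream report or patch for the TOCTOU race so the `(Minor issue)` assessment can be re-verified later.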

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt	2015-02-10 18:42:23 UTC (rev 32135)
+++ data/dsa-needed.txt	2015-02-10 19:14:14 UTC (rev 32136)
@@ -44,9 +44,6 @@
  RH has moved to 3.16 even in EL5, Ubuntu uses 3.17 across the LTSes, maybe we should follow that approach
  Debdiff applied against current version for interim update: https://people.debian.org/~carnil/tmp/nss/
 --
-ntp (carnil)
-  NOTE: for follow-up update for incomplete patch for CVE-2014-9297
---
 openswan (corsac)
   NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466
   (#744717)
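Review bot: the removal of the ntp entry (the follow-up update for the incomplete CVE-2014-9297 patch) is not mentioned in the commit log, which only records `add sudo to dsa-needed`. State in the log why the entry is being dropped, for example whether the follow-up DSA has been released, so the history of dsa-needed.txt explains itself.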
@@ -63,6 +60,8 @@
 --
 smarty3
 --
+sudo
+--
 tiff
   NOTE: At time of last check: three issues not fixed, see #776185 for details
 --
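Review bot: the new `sudo` entry has no NOTE, whereas neighbouring entries (tiff, openswan, nss) each say what the pending update is for. Add a NOTE pointing at the issue tracked in data/CVE/list in this same commit (`preserves TZ by default`, bug #772707) so whoever picks up the DSA knows what needs fixing without cross-referencing the CVE list.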
