[Secure-testing-commits] r32183 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Thu Feb 12 15:45:57 UTC 2015
Author: jmm
Date: 2015-02-12 15:45:57 +0000 (Thu, 12 Feb 2015)
New Revision: 32183
Modified:
data/CVE/list
Log:
jessie triage:
tpu fixes for libgit2,
no-dsa: kfreebsd, shadow, socat
n/a: nova, neutron
record fix for python-oslo.utils and nova
separate CVE ID for regex chromium/icu issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-02-12 15:17:07 UTC (rev 32182)
+++ data/CVE/list 2015-02-12 15:45:57 UTC (rev 32183)
@@ -890,6 +890,7 @@
CVE-2015-1379 [DoS with fork]
RESERVED
- socat <unfixed> (bug #776234)
+ [jessie] - socat <no-dsa> (Minor issue)
[wheezy] - socat <no-dsa> (Minor issue)
[squeeze] - socat <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/6
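Review bot: the new `[jessie] - socat <no-dsa> (Minor issue)` line leaves the jessie status decoupled from unstable, where socat is still `<unfixed>` (bug #776234); since jessie is frozen, a no-dsa here means the fix only reaches jessie via a later point release, so it would help to say in the reason whether the fork DoS is reachable in the default configuration (the oss-security reference in the NOTE is the place to cite) rather than the bare "Minor issue".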
@@ -1540,7 +1541,7 @@
- chromium-browser 40.0.2214.91-1
[wheezy] - chromium-browser <end-of-life>
[squeeze] - chromium-browser <end-of-life>
- - icu <unfixed> (bug #776719)
+ NOTE: See CVE-2014-9654 for the bug in src:icu
CVE-2015-1203 [stack allocation with an attacker-controlled size -- modules/access/ftp.c]
RESERVED
NOTE: VLC issue disputed by upstream, see bug #775866
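Review bot: the removed line `- icu <unfixed> (bug #776719)` was the only place in this entry carrying the BTS reference; the replacement `NOTE: See CVE-2014-9654 for the bug in src:icu` should be matched by bug #776719 appearing on the CVE-2014-9654 entry, otherwise the bug-to-CVE cross-reference is lost from data/CVE/list.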
@@ -4237,6 +4238,7 @@
[wheezy] - git <no-dsa> (Minor issue)
[squeeze] - git <no-dsa> (Minor issue)
- libgit2 0.21.3-1 (bug #774048)
+ [jessie] - libgit2 0.21.1-3
- jgit <unfixed> (bug #774050)
[wheezy] - jgit <no-dsa> (Minor issue)
- mercurial 3.1.2-2 (bug #773640)
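Review bot: jgit is still `<unfixed>` (bug #774050) with only a `[wheezy] - jgit <no-dsa>` line, so after this "jessie triage" it remains without any jessie decision while libgit2 gets `[jessie] - libgit2 0.21.1-3`; either add a `[jessie]` line for jgit (no-dsa, or a tpu target) or note why it is left open. The libgit2 tpu version 0.21.1-3 is lower than the sid fix 0.21.3-1, which is expected for tpu, but the entry should only carry it once the upload has actually been accepted into jessie.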
@@ -6985,6 +6987,7 @@
REJECTED
CVE-2014-8613 (The sctp module in FreeBSD 10.1 before p5, 10.0 before p17, 9.3 before ...)
- kfreebsd-10 10.1~svn274115-2 (bug #776416)
+ [jessie] - kfreebsd-10 <no-dsa> (kfreebsd not a release arch)
- kfreebsd-9 <removed>
[wheezy] - kfreebsd-9 9.0-10+deb70.8
NOTE: kfreebsd-9/9.0-10+deb70.8 disabled SCTP protocol
@@ -6994,6 +6997,7 @@
CVE-2014-8612 (Multiple array index errors in the Stream Control Transmission ...)
[experimental] - kfreebsd-11 <unfixed>
- kfreebsd-10 10.1~svn274115-2 (bug #776415)
+ [jessie] - kfreebsd-10 <no-dsa> (kfreebsd not a release arch)
- kfreebsd-9 <removed>
[wheezy] - kfreebsd-9 9.0-10+deb70.8
NOTE: kfreebsd-9/9.0-10+deb70.8 disabled SCTP protocol
@@ -8675,8 +8679,7 @@
CVE-2014-8765 (Multiple cross-site scripting (XSS) vulnerabilities in the Project ...)
NOT-FOR-US: Drupal module Project Issue File Review
CVE-2014-8750 (Race condition in the VMware driver in OpenStack Compute (Nova) before ...)
- - nova <unfixed>
- [wheezy] - nova <not-affected> (Vulnerable code not present)
+ - nova <not-affected> (ESX driver not enabled in libvirt)
NOTE: https://launchpad.net/bugs/1357372
CVE-2014-XXXX [rsync collision attack]
- rsync <unfixed> (low)
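Review bot: the new reason `(ESX driver not enabled in libvirt)` does not match the CVE text on the line above, which describes a race in the VMware driver of Nova itself, not in libvirt's ESX driver; if the point is that Debian's nova package does not ship or enable the VMware driver, say that, and add a reference. Replacing the per-release `[wheezy] - nova <not-affected> (Vulnerable code not present)` with a single global not-affected also drops the distinct reason for wheezy, so the one reason given now has to hold for every suite.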
@@ -10766,10 +10769,9 @@
NOTE: Therefore, the product must limit the aggregate memory consumption of
NOTE: all active requests, and the lack of this limit is a vulnerability.
CVE-2014-7231 (The strutils.mask_password function in the OpenStack Oslo utility ...)
- - python-oslo.utils <unfixed>
+ - python-oslo.utils 0.2.0-1
NOTE: https://launchpad.net/bugs/1345233
NOTE: https://review.openstack.org/gitweb?p=openstack%2Foslo.utils.git;a=commitdiff;h=e0425691d90bce0bbe847a9ff49468ce0fab5486
- NOTE: fixed in 0.2.0.
CVE-2014-7230 (The processutils.execute function in OpenStack oslo-incubator, Cinder, ...)
- cinder 2014.1.3-4 (low; bug #765704)
- nova 2014.1.3-5 (low; bug #765714)
@@ -19311,8 +19313,8 @@
NOTE: Introduced in http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=eca96694a7f992be633d48d5ca03cedc9bbc3c9a (v0.9.8)
NOTE: Upstream advisory: http://security.libvirt.org/2014/0004.html
CVE-2014-3632 (The default configuration in a sudoers file in the Red Hat ...)
- - neutron <unfixed>
- NOTE: Regression of fix for CVE-2013-6433, possibly Red Hat specific in RedHat Enterprise Open Stack Platform 5.0
+ - neutron <not-affected> (Red Hat-specific)
+ NOTE: Regression of fix for CVE-2013-6433, Red Hat specific in RedHat Enterprise Open Stack Platform 5.0
CVE-2014-3631 (The assoc_array_gc function in the associative-array implementation in ...)
- linux 3.16.3-1
[wheezy] - linux <not-affected> (Vulnerable code introduced later)
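Review bot: the NOTE is strengthened from "possibly Red Hat specific" to "Red Hat specific" and the entry is moved to `<not-affected> (Red Hat-specific)`, but no reference is added to back the stronger claim; the CVE description only says the sudoers file is in "the Red Hat ..." product, so link the Red Hat bug or the upstream discussion that confirms the file is not shipped by the Debian neutron package, and fix the spacing in "RedHat Enterprise Open Stack Platform" while touching the line.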
@@ -31349,7 +31351,7 @@
CVE-2013-6492 (The Piranha Configuration Tool in Piranha 0.8.6 does not properly ...)
NOT-FOR-US: Pirhana
CVE-2013-6491 (The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo ...)
- - nova <unfixed>
+ - nova 2013.2.3-1
[wheezy] - nova <no-dsa> (Minor issue)
CVE-2013-6490 (The SIMPLE protocol functionality in Pidgin before 2.10.8 allows ...)
{DSA-2859-2 DSA-2859-1}
@@ -37411,6 +37413,7 @@
CVE-2013-4235 [TOCTOU race conditions by copying and removing directory trees]
RESERVED
- shadow <unfixed>
+ [jessie] - shadow <no-dsa> (Minor issue)
[wheezy] - shadow <no-dsa> (Minor issue)
[squeeze] - shadow <no-dsa> (Minor issue)
CVE-2013-4234 (Multiple heap-based buffer overflows in the (1) abc_MIDI_drum and (2) ...)
@@ -43191,6 +43194,7 @@
CVE-2013-2027 [creates executables class files with wrong permissions]
RESERVED
- jython <unfixed> (low; bug #777079)
+ [jessie] - jython <no-dsa> (Minor issue)
[wheezy] - jython <no-dsa> (Minor issue)
[squeeze] - jython <no-dsa> (Minor issue)
CVE-2013-2026
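Review bot: this `[jessie] - jython <no-dsa> (Minor issue)` line is not mentioned in the commit log, which lists only kfreebsd, shadow and socat under no-dsa; since jython is still `<unfixed>` in sid (low; bug #777079), the omission makes the jessie decision easy to miss when the log is used to audit triage changes.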
@@ -48559,8 +48563,8 @@
- jenkins 1.480.3+dfsg-1 (bug #700761)
CVE-2013-0326 [_base images permissions world readable]
RESERVED
- - nova <unfixed> (low)
- [wheezy] - nova <no-dsa> (Minor issue)
+ - nova <unfixed> (unimportant)
+ NOTE: Unfixed upstream, typical installation not multi-user anyway
CVE-2013-0325 (Multiple cross-site scripting (XSS) vulnerabilities in the Varnish ...)
NOT-FOR-US: Drupal addon
CVE-2013-0324 (Cross-site scripting (XSS) vulnerability in the Rendered links ...)
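Review bot: downgrading from `(low)` to `(unimportant)` and dropping `[wheezy] - nova <no-dsa> (Minor issue)` removes this CVE from release tracking entirely, and the NOTE "Unfixed upstream, typical installation not multi-user anyway" carries no reference; world-readable `_base` images on a compute host expose guest disk contents to any local account, so add the upstream bug or discussion that justifies treating it as unimportant, otherwise the rating cannot be re-checked later.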