[Secure-testing-commits] r32315 - in data: . CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Wed Feb 18 16:44:20 UTC 2015


Author: jmm
Date: 2015-02-18 16:44:20 +0000 (Wed, 18 Feb 2015)
New Revision: 32315

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
libav triage
one trafficserver issue was fixed earlier, so jessie is fixed
chicken no-dsa for jessie


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-02-18 14:43:11 UTC (rev 32314)
+++ data/CVE/list	2015-02-18 16:44:20 UTC (rev 32315)
@@ -2,7 +2,8 @@
 	- linux <unfixed>
 	- linux-2.6 <removed>
 	NOTE: http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html
-	TODO: check
+	NOTE: arm64 affected from v3.7 to v3.18
+	NOTE: powerpc affected from v2.6.30 to 3.2
 CVE-2015-XXXX [directory traversal; related to overlong utf-8 encoding for /]
 	- cabextract <unfixed>
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/18/3
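Review bot: the two added NOTE lines in the linux entry write their version ranges inconsistently: the arm64 line reads "v3.7 to v3.18", while the powerpc line ends its range with a bare "3.2". Use the same prefix on both ends, for example "NOTE: powerpc affected from v2.6.30 to v3.2". The change also drops "TODO: check" while the entry stays at "- linux <unfixed>" with no per-suite lines, so a further NOTE saying which architectures are still open would help the next person triaging it.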
@@ -132,7 +133,8 @@
 	- clamav <unfixed> (unimportant; bug #778406)
 	NOTE: Only exploitable through virusdb updates, which need to be trusted anywaya
 	- knews <not-affected> (Uses system regex code, see #778401)
-	- radare2 <unfixed> (bug #778402)
+	- radare2 <unfixed> (low; bug #778402)
+	[wheezy] - radare2 <no-dsa> (Minor issue)
 	- efl <not-affected> (Only used when building on Windows, see #778414)
 	- ptlib <unfixed> (unimportant; bug #778404)
 	NOTE: ptlib uses the regex code from glibc, local fallback code not used
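Review bot: the radare2 change in this hunk (severity set to "low" and a "[wheezy] - radare2 <no-dsa> (Minor issue)" line added) is not covered by the log message, which lists only libav, trafficserver and chicken. Mention it in the log so the triage decision can be found from the revision history. The neighbouring clamav NOTE ends in "anywaya"; that typo could be fixed in the same pass.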
@@ -1814,19 +1816,17 @@
 CVE-2014-9599 (Cross-site scripting (XSS) vulnerability in the filemanager in ...)
 	NOT-FOR-US: b2evolution
 CVE-2014-9598 (The picture_Release function in misc/picture.c in VideoLAN VLC media ...)
-	- ffmpeg <not-affected> (Not reproducible with any ffmpeg release series)
-	[squeeze] - ffmpeg <end-of-life>
-	- libav <unfixed>
-	TODO: check, this was originally reported for VLC; but upstream states that it is in libavcodec
 	NOTE: https://trac.videolan.org/vlc/ticket/13390
 	NOTE: http://seclists.org/fulldisclosure/2015/Jan/72
+	NOTE: This was originally reported for VLC; but upstream states that it is in libavcodec
+	NOTE: This seems to be Windows-specific issue, the reported error couldn't be reproduced
+	NOTE: with any ffmpeg release and libav/0.8. 
 CVE-2014-9597 (The picture_pool_Delete function in misc/picture_pool.c in VideoLAN ...)
-	- ffmpeg <not-affected> (Not reproducible with any ffmpeg release series)
-	[squeeze] - ffmpeg <end-of-life>
-	- libav <unfixed>
-	TODO: check, this was originally reported for VLC; but upstream states that it is in libavcodec
 	NOTE: https://trac.videolan.org/vlc/ticket/13389
 	NOTE: http://seclists.org/fulldisclosure/2015/Jan/72
+	NOTE: This was originally reported for VLC; but upstream states that it is in libavcodec
+	NOTE: This seems to be Windows-specific issue, the reported error couldn't be reproduced
+	NOTE: with any ffmpeg release and libav/0.8. 
 CVE-2014-9596 (Panasonic Arbitrator Back-End Server (BES) MK 2.0 VPU before 9.3.1 ...)
 	NOT-FOR-US: Panasonic Arbitrator Back-End Server
 CVE-2014-9595 (Buffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 ...)
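Review bot: after this hunk, CVE-2014-9598 and CVE-2014-9597 carry only NOTE lines. The "- ffmpeg" and "- libav" status lines are removed and nothing replaces them, so neither entry records a package state any more. If the conclusion in the new NOTEs is that the error is not reproducible, express it as explicit status lines (for example "- libav <not-affected> (...)" and keeping the existing ffmpeg not-affected line) rather than in free text. The last added NOTE line in each entry also ends with trailing whitespace after "libav/0.8.", and "seems to be Windows-specific issue" is missing an article.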
@@ -2368,6 +2368,7 @@
 CVE-2014-9651 [buffer overrun in CHICKEN Scheme's substring-index[-ci] procedures]
 	RESERVED
 	- chicken <unfixed> (bug #775346)
+	[jessie] - chicken <no-dsa> (Minor issue)
 	[wheezy] - chicken <no-dsa> (Minor issue)
 	[squeeze] - chicken <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2015/01/12/3
@@ -3676,9 +3677,10 @@
 	- gcab 0.4-2 (bug #774580)
 CVE-2015-XXXX [use after free in seg_write_packet()]
 	- ffmpeg <not-affected> (Vulnerable code not present in a ffmpeg version in the archive)
-	- libav <unfixed> (bug #775593)
+	- libav 6:11.2-1
 	NOTE: Patch in http://www.openwall.com/lists/oss-security/2015/01/04/10 seem to apply for libav
-	NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=169065fbfb3da1ab776379c333aebc54bb1f1bc4
+	NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=169065fbfb3da1ab776379c333aebc54bb1f1bc4
+	NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348
 	NOTE: CVE Request: https://marc.info/?l=oss-security&m=142034472712971&w=2
 CVE-2015-XXXX [Zoo directory traversal]
 	- zoo <unfixed> (low; bug #774453)
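Review bot: the new "- libav 6:11.2-1" line drops the "(bug #775593)" reference that the removed line carried. Keep the bug number alongside the fixed version, in the same form as the gcab line above it, "- libav 6:11.2-1 (bug #775593)", so the entry stays linked to the bug report. The unchanged NOTE "Patch in ... seem to apply for libav" is now redundant with the added libav commit link and could be dropped or reworded.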
@@ -9209,7 +9211,7 @@
 	- ffmpeg 7:2.5.1-1
 	[squeeze] - ffmpeg <end-of-life>
 	- libav <unfixed>
-	NOTE: Pending for 0.8.17
+	NOTE: Pending for 0.8.17 and 11.3
 	NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=490a3ebf36821b81f73e34ad3f554cb523dd2682
 	NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=490a3ebf36821b81f73e34ad3f554cb523dd2682
 CVE-2014-7932 (Use-after-free vulnerability in the Element::detach function in ...)
@@ -19531,8 +19533,9 @@
 	NOTE: Fixed in experimental with 3.2.12-1
 CVE-2014-3624 [Ensure remap requests are properly tunneled using CONNECT requests to avoid an open relay]
 	RESERVED
-	- trafficserver 5.1.1-1
+	- trafficserver 5.0.0-1
 	[wheezy] - trafficserver <not-affected> (Only affects 4.0.2 to 4.1.2)
+	NOTE: https://issues.apache.org/jira/browse/TS-2677
 CVE-2014-3623 (Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF ...)
 	NOT-FOR-US: Apache CXF
 CVE-2014-3622 [Posthandler Potential Illegal efree() vulnerability]
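Review bot: the fixed version for trafficserver moves from 5.1.1-1 back to 5.0.0-1, but the only supporting line added is a bare link to TS-2677. The entry does not say which upstream release contains the fix, and the wheezy line gives the affected range only as "4.0.2 to 4.1.2". Add a NOTE stating the upstream version in which TS-2677 was fixed, so the choice of 5.0.0-1 can be checked from the entry itself without following the link.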

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt	2015-02-18 14:43:11 UTC (rev 32314)
+++ data/dsa-needed.txt	2015-02-18 16:44:20 UTC (rev 32315)
@@ -16,7 +16,7 @@
 --
 cups
 --
-eglibc
+eglibc (aurel32)
   we should fix at least CVE-2013-7423/CVE-2015-1472, some of the other no-dsa bugs could be fixed along
 --
 freetype (jmm)



