[Secure-testing-commits] r32437 - in data: CVE DSA
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Mon Feb 23 15:27:03 UTC 2015
Author: jmm
Date: 2015-02-23 15:27:03 +0000 (Mon, 23 Feb 2015)
New Revision: 32437
Modified:
data/CVE/list
data/DSA/list
Log:
one libbluray issue unimportant
puppet-module-puppetlabs-stdlib fixed in jessie
one tiff issue unimportant
hack vlc version number; we cannot record binNMUs, but it should be marked as resolved in wheezy
radare2 no-dsa for jessie
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-02-23 15:20:00 UTC (rev 32436)
+++ data/CVE/list 2015-02-23 15:27:03 UTC (rev 32437)
@@ -1067,6 +1067,7 @@
NOTE: Only exploitable through virusdb updates, which need to be trusted anywaya
- knews <not-affected> (Uses system regex code, see #778401)
- radare2 <unfixed> (low; bug #778402)
+ [jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
- ptlib <unfixed> (unimportant; bug #778404)
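Review bot: the unchanged context line "NOTE: Only exploitable through virusdb updates, which need to be trusted anywaya" carries a typo ("anyway") that could be fixed in the same commit while this region is being touched; the added "[jessie] - radare2 <no-dsa> (Minor issue)" line itself mirrors the existing "[wheezy]" entry and the "radare2 no-dsa for jessie" log line, so the hunk is consistent.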
@@ -1419,14 +1420,16 @@
[experimental] - noise <unfixed> (bug #759868)
CVE-2013-XXXX [Directory traversal when expanding certain JAR files]
- libbluray <unfixed>
+ [jessie] - libbluray <no-dsa> (Minor issue)
+ [wheezy] - libbluray <no-dsa> (Minor issue)
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/9
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434
- TODO: check
CVE-2013-XXXX [TOCTOU race when expanding JAR files]
- - libbluray <unfixed>
+ - libbluray <unfixed> (unimportant)
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/9
- NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434
- TODO: check
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959433
+ NOTE: libbluray is only in wheezy and later and the issue is neutered by the kernel hardening for /tmp
+ NOTE: Affected code removed in 0.7.0-1 in experimental
CVE-2013-XXXX [possible heap overflow]
- potrace <unfixed> (bug #778646)
[wheezy] - potrace <no-dsa> (Minor issue)
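Review bot: the TOCTOU entry's bugzilla reference changes from 959434 to 959433, so the two libbluray entries no longer point at the same Red Hat bug; that looks like the correction of a copy-paste error, but it is worth confirming against the oss-security request (2015/02/06/9) that 959433 is the TOCTOU report and 959434 the directory-traversal one, since the first entry keeps 959434 unchanged. The justification for the unimportant rating, "neutered by the kernel hardening for /tmp", does not name the hardening in question; naming it would let the rating be re-checked later, since it is a property of the kernel configuration rather than of libbluray. The directory-traversal entry loses its "TODO: check" and gains [jessie]/[wheezy] no-dsa lines while its "- libbluray <unfixed>" line still carries no severity, unlike the tiff and radare2 entries in this commit; consider adding one in parentheses so the two entries are annotated consistently.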
@@ -2889,7 +2892,9 @@
NOTE: See https://bugs.debian.org/763321
CVE-2015-1029 (The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x ...)
- puppet-module-puppetlabs-stdlib <unfixed> (bug #775535)
+ [jessie] - puppet-module-puppetlabs-stdlib <not-affected> (The jessie version of facter is recent enough)
NOTE: http://puppetlabs.com/security/cve/cve-2015-1029
+ NOTE: http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/2015-January/009318.html
CVE-2015-1028 (Multiple cross-site scripting (XSS) vulnerabilities in D-Link ...)
NOT-FOR-US: D-Link router
CVE-2015-1027
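Review bot: the log line says the puppetlabs-stdlib issue is "fixed in jessie", but the added entry marks jessie as <not-affected> with the reasoning that jessie's facter is recent enough, while the "- puppet-module-puppetlabs-stdlib <unfixed> (bug #775535)" line for unstable is left untouched. If the not-affected status follows from the facter version, the same reasoning would normally apply to unstable, so either the unstable entry should be updated as well or the jessie note should say why jessie differs; also, <not-affected> and "fixed" are different states in this file, so the log message should match the one chosen.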
@@ -9635,10 +9640,11 @@
NOTE: https://www.redhat.com/archives/libvir-list/2014-December/msg00600.html
CVE-2014-8130 [divide by zero]
RESERVED
- - tiff <unfixed> (bug #776185)
+ - tiff <unfixed> (unimportant; bug #776185)
- tiff3 <not-affected> (The tiff3 source package doesn't build the TIFF tools)
NOTE: Advisory: http://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2483
+ NOTE: Crash in a frontend tool w/o potential for code injection, marked as unimportant
CVE-2014-8129 [out-of-bound read and write]
RESERVED
- tiff 4.0.3-12.1 (bug #776185)
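Review bot: the new rationale "Crash in a frontend tool w/o potential for code injection" does not name the tool; stating which tool crashes would let the unimportant rating be verified from the entry alone, in the same way the adjacent tiff3 line explains its <not-affected> status by which binaries the source package builds, and would tie the note to the conostix advisory linked two lines above it.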
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2015-02-23 15:20:00 UTC (rev 32436)
+++ data/DSA/list 2015-02-23 15:27:03 UTC (rev 32437)
@@ -46,7 +46,7 @@
[07 Feb 2015] DSA-3156-1 liblivemedia - security update
{CVE-2013-6933}
[wheezy] - liblivemedia 2012.05.17-1+wheezy1
- [wheezy] - vlc 2.0.3-5+deb7u2+b1
+ [wheezy] - vlc 2.0.3-5+deb7u2
[wheezy] - mplayer 2:1.0~rc4.dfsg1+svn34540-1+deb7u1
[07 Feb 2015] DSA-3154-2 ntp - incomplete fix
{CVE-2014-9297}
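Review bot: dropping "+b1" from the vlc version records a source version lower than the binNMU actually shipped with DSA-3156-1; the log explains this is deliberate because binNMUs cannot be recorded, but that reasoning lives only in the commit message, so a later editor comparing this line with the published advisory may re-add the "+b1" and reopen the issue for wheezy. Consider capturing the reason in the tracker itself (for example a NOTE on CVE-2013-6933 in data/CVE/list) rather than only in the log.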