[Secure-testing-commits] r31191 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Thu Jan 8 06:30:03 UTC 2015
Author: jmm
Date: 2015-01-08 06:30:03 +0000 (Thu, 08 Jan 2015)
New Revision: 31191
Modified:
data/CVE/list
Log:
track kernel fix for AMD CPU erratum instead of unclear amd64-microcode
arc no-dsa
cabextract fixed by moving to system-copy of mspack
solr n/a
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-01-08 05:31:58 UTC (rev 31190)
+++ data/CVE/list 2015-01-08 06:30:03 UTC (rev 31191)
@@ -331,6 +331,7 @@
[squeeze] - zoo <no-dsa> (Minor issue)
CVE-2015-XXXX [buffer over-read]
- arc <unfixed> (low; bug #774439)
+ [jessie] - arc <no-dsa> (Minor issue)
[wheezy] - arc <no-dsa> (Minor issue)
[squeeze] - arc <no-dsa> (Minor issue)
CVE-2015-0557 [directory traversal via //multiple/leading/slash]
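Review bot: The added "[jessie] - arc <no-dsa> (Minor issue)" line gives no reason why the buffer over-read is minor, and the entry has no NOTE at all while unstable stays <unfixed> under bug #774439. A short NOTE stating the impact assessment (for example that the over-read only occurs when processing a crafted archive locally, if that is the reasoning) would let a later reviewer confirm the no-dsa decision for all three suites without reopening the bug.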
@@ -418,7 +419,7 @@
NOTE: Plain bug, security implications rather far-fetched
CVE-2014-9556 [DoS; infinite loop]
- libmspack 0.4-2 (bug #773041)
- - cabextract <unfixed> (bug #772891)
+ - cabextract 1.4-5 (bug #772891)
[wheezy] - cabextract <no-dsa> (Minor issue)
[squeeze] - cabextract <no-dsa> (Minor issue)
CVE-2012-6685 [ruby-nokogiri XXE]
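Review bot: The "- cabextract 1.4-5 (bug #772891)" line does not record that the fix comes from switching to the system copy of mspack, which is only stated in the commit log. Since the actual code fix is in "libmspack 0.4-2" two lines above, a NOTE such as "cabextract 1.4-5 uses system libmspack" would make the dependency on the libmspack version explicit, and would explain why the wheezy and squeeze lines (which still embed their own copy) remain tracked separately.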
@@ -15632,8 +15633,8 @@
NOTE: https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch
CVE-2014-3628 [Cross-site scripting (XSS) vulnerability via the fieldvaluecache object]
RESERVED
- - lucene-solr <unfixed>
- TODO: check, search for more details
+ - lucene-solr <not-affected> (Only affects later 4.x releases)
+ NOTE: https://issues.apache.org/jira/browse/SOLR-6738
CVE-2014-3627 (The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 ...)
NOT-FOR-US: Apache Hadoop
CVE-2014-3626
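Review bot: The reason on "- lucene-solr <not-affected> (Only affects later 4.x releases)" does not say which release introduced the vulnerable code, so the claim cannot be checked from the entry alone. Adding the first affected upstream version in the NOTE next to the SOLR-6738 link would make it clear when the status has to be revisited after a new upstream import.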
@@ -26630,10 +26631,11 @@
CVE-2012-6608 (Cross-site scripting (XSS) vulnerability in xmlservices/E_book.php in ...)
NOT-FOR-US: Elastix
CVE-2013-6885 (The microcode on AMD 16h 00h through 0Fh processors does not properly ...)
- - amd64-microcode <unfixed>
- [wheezy] - amd64-microcode <no-dsa> (Non-free not supported)
- NOTE: Workaround in Linux via https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?id=3b56496865f9f7d9bcb2f93b44c63f274f08e3b6 (v3.14-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2013/11/28/1
+ - linux 3.14.2-1
+ - linux-2.6 <removed>
+ NOTE: https://lkml.org/lkml/2014/1/14/198
+ NOTE: Might also be fixed in amd64-microcode, but details are not published (https://packages.qa.debian.org/a/amd64-microcode/news/20141218T224849Z.html)
+ NOTE: and since this is fixed on the kernel-side, only track the kernel packages
CVE-2013-6857
RESERVED
CVE-2013-6856
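Review bot: The removed NOTE lines held the only pointer to the exact upstream kernel commit (3b56496865f9f7d9bcb2f93b44c63f274f08e3b6, v3.14-rc1) and to the oss-security thread, and the replacement keeps just an lkml link. I would retain the commit NOTE alongside "- linux 3.14.2-1" so the fixed version can be traced to a commit. The old "[wheezy]" line is also dropped without a suite-specific line for linux, which leaves the wheezy status of the kernel workaround unstated.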