[Secure-testing-commits] r32726 - data/CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Tue Mar 10 09:08:14 UTC 2015
Author: hertzog
Date: 2015-03-10 09:08:13 +0000 (Tue, 10 Mar 2015)
New Revision: 32726
Modified:
data/CVE/list
Log:
Mark CVE-2015-1427 as not affecting facter/squeeze
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-03-10 05:00:48 UTC (rev 32725)
+++ data/CVE/list 2015-03-10 09:08:13 UTC (rev 32726)
@@ -2143,9 +2143,10 @@
NOTE: Problem in the Groovy scripting engine.
CVE-2015-1426 (Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains ...)
- facter <unfixed> (bug #778265)
+ [squeeze] - facter <not-affected> (Uses version 2008-02-01 of the EC2 API which does not expose security credentials)
[wheezy] - facter <no-dsa> (Minor issue)
- NOTE: for squeeze (unverified) might be not-affected as upstream claims 1.6.0 - 2.4.0 affected
NOTE: http://puppetlabs.com/security/cve/cve-2015-1426
+ NOTE: The assessment for Squeeze being unaffected is based on the fact that the code accesses http://169.254.169.254/2008-02-01/meta-data/ and that http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html mentions the iam/security-credentials/role key as being introduced in version 2012-01-12.
CVE-2015-1493 [MDL-48980 Security: Always clean the result from min_get_slash_argument]
RESERVED
- moodle 2.7.5+dfsg-1
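Review bot: The log message names CVE-2015-1427, but every changed line in this hunk sits under the CVE-2015-1426 (facter) entry, so the log and the change disagree on the CVE id; the log should reference CVE-2015-1426. On the added NOTE: the not-affected rationale depends on the code using the 2008-02-01 metadata path, and the removed NOTE recorded that upstream claims 1.6.0 - 2.4.0 as affected, so it would help to state which facter version in squeeze was inspected, so the assessment can be re-checked if that package is ever updated.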