[Secure-testing-commits] r32726 - data/CVE

Raphaël Hertzog hertzog at moszumanska.debian.org
Tue Mar 10 09:08:14 UTC 2015


Author: hertzog
Date: 2015-03-10 09:08:13 +0000 (Tue, 10 Mar 2015)
New Revision: 32726

Modified:
   data/CVE/list
Log:
Mark CVE-2015-1427 as not affecting facter/squeeze

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-03-10 05:00:48 UTC (rev 32725)
+++ data/CVE/list	2015-03-10 09:08:13 UTC (rev 32726)
@@ -2143,9 +2143,10 @@
 	NOTE: Problem in the Groovy scripting engine.
 CVE-2015-1426 (Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains ...)
 	- facter <unfixed> (bug #778265)
+	[squeeze] - facter <not-affected> (Uses version 2008-02-01 of the EC2 API which does not expose security credentials)
 	[wheezy] - facter <no-dsa> (Minor issue)
-	NOTE: for squeeze (unverified) might be not-affected as upstream claims 1.6.0 - 2.4.0 affected
 	NOTE: http://puppetlabs.com/security/cve/cve-2015-1426
+	NOTE: The assessment for Squeeze being unaffected is based on the fact that the code accesses http://169.254.169.254/2008-02-01/meta-data/ and that http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html mentions the iam/security-credentials/role key as being introduced in version 2012-01-12.
 CVE-2015-1493 [MDL-48980 Security: Always clean the result  from min_get_slash_argument]
 	RESERVED
 	- moodle 2.7.5+dfsg-1
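
Review bot: The log message names CVE-2015-1427, but the added `[squeeze]` line and the new NOTE sit under the CVE-2015-1426 entry (the facter one). The "Problem in the Groovy scripting engine" NOTE at the top of the hunk belongs to the entry before it. The data change itself is attached to the facter entry that the text describes, so the log message is what needs correcting, so that a history search for CVE-2015-1426 finds this revision. A smaller point on the new NOTE: it cites the "latest" AWS documentation URL, whose content can change over time, so consider recording the date the page was consulted alongside the 2012-01-12 version claim, since the not-affected status rests on that claim together with the pinned `2008-02-01` path.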



