[Secure-testing-commits] r32762 - data/CVE
Ben Hutchings
benh at moszumanska.debian.org
Tue Mar 10 21:07:09 UTC 2015
Author: benh
Date: 2015-03-10 21:07:09 +0000 (Tue, 10 Mar 2015)
New Revision: 32762
Modified:
data/CVE/list
Log:
Mark several linux/linux-2.6 issues as <unfixed> or <not-affected>
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-03-10 20:37:43 UTC (rev 32761)
+++ data/CVE/list 2015-03-10 21:07:09 UTC (rev 32762)
@@ -880,12 +880,14 @@
RESERVED
- linux <unfixed>
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <no-dsa> (Minor issue)
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=db27ebb111e9f69efece08e4cb6a34ff980f8896 (v3.19)
NOTE: (earliest) introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3e5048495c8569bfdd552750e0315973c61e7c93 (v2.6.30-rc1)
CVE-2015-2041 [incorrect data type in llc2_timeout_table]
RESERVED
- linux <unfixed>
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <no-dsa> (Minor issue)
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 (v3.19-rc7)
NOTE: (earliest) introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=590232a7150674b2036291eaefce085f3f9659c8 (v2.6.14-rc3)
CVE-2015-2035 (SQL injection vulnerability in the administrative backend in Piwigo ...)
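Review bot: the two added `[squeeze] - linux-2.6 <no-dsa> (Minor issue)` lines agree with the NOTE lines beneath them, which record the introducing commits at v2.6.30-rc1 and v2.6.14-rc3, so the linux-2.6 package falls inside the affected range and an affected-but-minor state rather than `<not-affected>` is the consistent choice. One gap: the CVE header for the first entry sits above the hunk, so a reader of this diff cannot see which issue the first `<no-dsa>` belongs to; naming both CVEs in the commit message would help.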
@@ -1478,7 +1480,7 @@
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/14
CVE-2015-XXXX [Linux ASLR mmap weakness: Reducing entropy by half]
- linux <unfixed>
- - linux-2.6 <removed>
+ - linux-2.6 <not-affected>
NOTE: http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html
NOTE: arm64 affected from v3.7 to v3.18
NOTE: powerpc affected from v2.6.30 to 3.2
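Review bot: `- linux-2.6 <not-affected>` conflicts with the NOTE two lines below it, which states that powerpc is affected from v2.6.30 to 3.2, a range that covers the 2.6 series the linux-2.6 package tracks; either the NOTE should be narrowed or the state needs a recorded reason in parentheses, in the form the CVE-2015-0275 hunk of this commit uses (`<not-affected> (Introduced in v3.15)`). This line also lacks the `[squeeze]` release prefix used for the other linux-2.6 changes in the commit, so it changes the package-wide state rather than the squeeze one.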
@@ -1504,6 +1506,7 @@
{DSA-3170-1}
- linux 3.16.7-ckt4-1
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <unfixed>
NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=942080643bce061c3dd9d5718d3b745dcb39a8bc (v3.19-rc1)
CVE-2013-XXXX [session hijack through insecurely set session token cookies]
- novnc 1:0.4+dfsg+1+20131010+gitf68af8af3d-4 (bug #778618)
@@ -2043,6 +2046,7 @@
- linux 3.6.4-1
[wheezy] - linux 3.2.30-1
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=848949
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/13
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=20e1db19db5d6b9e4e83021595eab0dc8f107bef (v3.6-rc5)
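Review bot: `[squeeze] - linux-2.6 <unfixed>` is added without any NOTE establishing that the 2.6 kernel contains the bug; the entry only records the v3.6-rc5 fix commit, a Red Hat bug and the CVE request. An `(earliest) introduced in` NOTE, as the first hunk of this commit provides, or a TODO to verify it, would stop the squeeze-lts team from chasing an issue that may not exist in their kernel.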
@@ -3058,12 +3062,12 @@
- fex 20150120-1 (low; bug #773751)
[squeeze] - fex <no-dsa> (Minor issue as it does not affect default setups)
CVE-2015-XXXX [information leak in event device handling]
- - linux <unfixed>
- - linux-2.6 <removed>
+ - linux 3.16.7-ckt7-1
+ [wheezy] - linux <not-affected>
+ - linux-2.6 <not-affected>
NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7c4f56070fde2367766fa1fb04852599b5e1ad35 (v3.18-rc1)
- NOTE: (Possibly) introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=483180281f0ac60d1138710eb21f4b9961901294
+ NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=483180281f0ac60d1138710eb21f4b9961901294 (v3.11-rc1)
NOTE: CVE Request: http://article.gmane.org/gmane.comp.security.oss.general/15457
- TODO: check in which version the issue was introduced exactly
CVE-2015-1346 (Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, ...)
- chromium-browser 40.0.2214.91-1
[wheezy] - chromium-browser <end-of-life>
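Review bot: the two added `<not-affected>` lines carry no parenthetical reason even though the rewritten NOTE below pins the introducing commit to v3.11-rc1; recording `(Introduced in v3.11-rc1)` on the status lines, as CVE-2015-0275 does further down in this commit, keeps the justification with the state if the NOTE is later edited. Removing the TODO line is justified by that same NOTE change.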
@@ -3485,6 +3489,7 @@
RESERVED
- linux <unfixed> (bug #770492)
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <unfixed>
CVE-2014-XXXX [TYPO3-CORE-SA-2014-002: Multiple Vulnerabilities in TYPO3 CMS]
- typo3-src 4.5.40+dfsg1-1 (bug #766502)
[squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
@@ -5372,7 +5377,7 @@
CVE-2014-9529 (Race condition in the key_gc_unused_keys function in ...)
{DSA-3128-1}
- linux 3.16.7-ckt4-1
- - linux-2.6 <removed>
+ - linux-2.6 <not-affected>
NOTE: http://marc.info/?l=linux-kernel&m=141986398232547&w=2
NOTE: http://marc.info/?l=linux-kernel&m=142047362307894&w=2
CVE-2014-9513 [insecure use of temporary files]
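Review bot: CVE-2014-9529 moves from `<removed>` to `<not-affected>` with no reason recorded; the entry's only references are two marc.info threads, and neither NOTE states when the race in key_gc_unused_keys was introduced. Put the introducing commit or version in parentheses, as the `<not-affected> (Introduced in v3.15)` lines elsewhere in this commit do, so the claim can be checked later.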
@@ -6044,7 +6049,9 @@
{DSA-3128-1}
- linux 3.16.7-ckt4-1
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <unfixed>
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e (v3.19-rc1)
+ NOTE: No plan to fix in squeeze as it is too risky to backport
CVE-2014-9420 (The rock_continue function in fs/isofs/rock.c in the Linux kernel ...)
{DLA-155-1}
- linux 3.16.7-ckt4-1
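Review bot: `[squeeze] - linux-2.6 <unfixed>` paired with `NOTE: No plan to fix in squeeze as it is too risky to backport` sends mixed signals: `<unfixed>` keeps the issue open for squeeze while the free-text NOTE says it will stay that way. The first hunk of this commit uses `<no-dsa> (reason)` for the won't-fix case; the same form here, with the backport-risk reason in the parentheses, records the decision in the status field rather than in a NOTE.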
@@ -7044,7 +7051,9 @@
CVE-2010-5313 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 ...)
- linux 2.6.38-1
- linux-2.6 2.6.38-1
+ [squeeze] - linux-2.6 <unfixed>
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fc3a9157d314 (v2.6.38-rc1)
+ NOTE: KVM not supported in Squeeze LTS
CVE-2014-9156 (The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not ...)
NOT-FOR-US: Drupal module FileField
CVE-2014-9129 (Cross-site request forgery (CSRF) vulnerability in the CreativeMinds ...)
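Review bot: the new `NOTE: KVM not supported in Squeeze LTS` reads as the reason CVE-2010-5313 will not be fixed in squeeze, yet the state added two lines above it is `<unfixed>`, which leaves the issue listed as open; if the issue does not apply to the supported squeeze configuration, say so in the status line's parentheses instead. Minor: the upstream NOTE uses the abbreviated id `fc3a9157d314` while every other NOTE in this commit uses the full commit id.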
@@ -7398,7 +7407,8 @@
CVE-2015-0275 [ext4: fallocate zero range page size > block size BUG()]
RESERVED
- linux <unfixed>
- - linux-2.6 <removed>
+ [wheezy] - linux <not-affected> (Introduced in v3.15)
+ - linux-2.6 <not-affected> (Introduced in v3.15)
NOTE: Proposed upstream patch: http://www.spinics.net/lists/linux-ext4/msg47193.html
CVE-2015-0274 [xfs: replacing remote attributes memory corruption]
RESERVED
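Review bot: the NOTE points only at a proposed patch on the linux-ext4 list, so `linux <unfixed>` is right, but nothing in the entry flags that the fix is not yet merged; a TODO to replace the link with the upstream commit id once it lands would keep the entry from going stale. The `(Introduced in v3.15)` reasons on the two `<not-affected>` lines are the form the other not-affected changes in this commit should follow.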
@@ -7514,9 +7524,11 @@
{DSA-3170-1}
- linux 3.16.7-ckt4-2
- linux-2.6 <removed>
+ [squeeze] - linux-2.6 <unfixed>
NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8c60435261deaefeb53ce3222d04d7d5bea81296
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f3747379accba8e95d70cec0eae0582c8c182050
NOTE: http://permalink.gmane.org/gmane.linux.kernel.commits.head/502245
+ NOTE: KVM not supported in Squeeze LTS
CVE-2015-0238
RESERVED
NOT-FOR-US: selinux-policy as shipped with Red Hat OpenShift 2
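Review bot: the `Introduced by:` and `Fixed by:` NOTEs give commit ids without the release tag that other NOTEs in this commit carry (for example `(v3.19-rc1)`), so the entry does not show whether the introducing commit predates the squeeze 2.6 kernel; adding the tags would either justify `[squeeze] - linux-2.6 <unfixed>` or show the line should be `<not-affected>`. The added `KVM not supported in Squeeze LTS` NOTE has the same tension with `<unfixed>` as the CVE-2010-5313 hunk above.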