[Secure-testing-commits] r32998 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Fri Mar 20 09:18:48 UTC 2015
Author: jmm
Date: 2015-03-20 09:18:12 +0000 (Fri, 20 Mar 2015)
New Revision: 32998
Modified:
data/CVE/list
Log:
wss4j n/a
pound, xen, redmine, ecryptfs no-dsa
node-express unimportant
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-03-20 05:54:52 UTC (rev 32997)
+++ data/CVE/list 2015-03-20 09:18:12 UTC (rev 32998)
@@ -272,6 +272,7 @@
TODO: check
CVE-2015-XXXX [Doesn't Validate TLS]
- python-restkit <unfixed>
+ [jessie] - python-restkit <no-dsa> (Minor issue)
[wheezy] - python-restkit <no-dsa> (Minor issue)
[squeeze] - python-restkit <no-dsa> (Minor issue)
NOTE: https://github.com/benoitc/restkit/issues/140
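Review bot: the "(Minor issue)" justification on the new jessie no-dsa line is thin for an entry titled "Doesn't Validate TLS": a client library that skips certificate validation is only minor if its callers do not rely on it for authentication, and nothing in the entry says so, while the CVE id is still a CVE-2015-XXXX placeholder and unstable stays `<unfixed>`. Extend the NOTE with what restkit issue #140 establishes about how validation is (not) done, e.g. `NOTE: no certificate verification in the default HTTP client, see issue #140`, so the no-dsa decision for all three releases can be re-checked once an id is assigned.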
@@ -642,10 +643,10 @@
[squeeze] - tcpdump <not-affected> (Vulnerable code not present)
NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
CVE-2015-2152 (Xen 4.5.x and earlier enables certain default backends when emulating ...)
- - xen <unfixed>
+ - xen <unfixed> (low)
+ [wheezy] - xen <no-dsa> (Can be fixed along with a future DSA)
[squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
NOTE: http://xenbits.xen.org/xsa/advisory-119.html
- TODO: check: vulnerable code seems present
CVE-2015-2151 (The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore ...)
{DSA-3181-1}
- xen 4.4.1-8 (bug #780227)
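Review bot: the removed `TODO: check: vulnerable code seems present` line was the finding that justifies tagging wheezy `<no-dsa>` instead of `<not-affected>`, but that finding is now recorded nowhere in the entry. Fold it into a NOTE next to the XSA-119 link, e.g. `NOTE: vulnerable code is present in the wheezy package, fix along with the next xen DSA`, so the next triager does not redo the check; the `(low)` severity on the unstable line and the "Can be fixed along with a future DSA" reason are consistent with each other and with the squeeze end-of-life line.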
@@ -828,6 +829,7 @@
NOT-FOR-US: Panopoly Magic module for Drupal
CVE-2014-9687 (eCryptfs 104 and earlier uses a default salt to encrypt the mount ...)
- ecryptfs-utils <unfixed> (bug #780385)
+ [wheezy] - ecryptfs-utils <no-dsa> (Minor issue)
NOTE: http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/839
CVE-2014-9686
RESERVED
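Review bot: only wheezy gets a status for the ecryptfs-utils default-salt issue, while unstable stays `<unfixed>` (bug #780385); squeeze is still tracked in this file (the xen entry above carries a `[squeeze]` line referring to Squeeze LTS), so if squeeze also ships ecryptfs-utils add a matching `[squeeze] - ecryptfs-utils <no-dsa> (Minor issue)` or an end-of-life line, otherwise the LTS team has to re-triage the same upstream revision 839 link.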
@@ -957,7 +959,8 @@
NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/22/15
CVE-2015-XXXX [Potential XSS vulnerability when rendering some flash messages]
- - redmine 3.0~20140825-5
+ - redmine 3.0~20140825-5 (low)
+ [wheezy] - redmine <no-dsa> (Minor issue)
NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_2_6
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
NOTE: https://www.redmine.org/issues/19117 (private)
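Review bot: the wheezy `(Minor issue)` justification and the `(low)` severity rest on an upstream issue that the entry itself marks private (https://www.redmine.org/issues/19117) and on a placeholder CVE-2015-XXXX id, so nobody outside the tracker can verify the call; add a NOTE pointing at the public reference (the Changelog_2_6 entry or the fixing commit) that identifies which flash messages are affected. A `[squeeze]` line is also missing here, although squeeze is still tracked elsewhere in this file.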
@@ -8066,9 +8069,13 @@
NOTE: https://github.com/apache/httpd/commit/643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef
CVE-2015-0227 (Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote ...)
- wss4j 1.6.15-2 (bug #777741)
+ [wheezy] - wss4j <not-affected> (Vulnerable code not present)
+ [squeeze] - wss4j <not-affected> (Vulnerable code not present)
CVE-2015-0226
RESERVED
- wss4j 1.6.15-2 (bug #777741)
+ [wheezy] - wss4j <not-affected> (Vulnerable code not present)
+ [squeeze] - wss4j <not-affected> (Vulnerable code not present)
CVE-2015-0225
RESERVED
CVE-2015-0224 [qpidd can be crashed by unauthenticated user]
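Review bot: `<not-affected> (Vulnerable code not present)` for wheezy and squeeze contradicts, on its face, the CVE-2015-0227 description ("Apache WSS4J before 1.6.17 and 2.x before 2.0.2"), which covers every older 1.6.x release, and the identical tags on CVE-2015-0226 are attached to an entry that is still RESERVED with no description at all. Add a NOTE with the upstream reference (the advisory, or the commit that introduced the affected code) showing why the packages in wheezy and squeeze do not contain it; without that the two not-affected tags read as an unverified copy from one CVE to the other, and the second one has nothing to be verified against.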
@@ -14989,7 +14996,8 @@
NOTE: https://nodesecurity.io/advisories/send-directory-traversal
CVE-2014-6393 [cross-site scripting via content-type header]
RESERVED
- - node-express <unfixed>
+ - node-express <unfixed> (unimportant)
+ NOTE: libv8 is not covered by security support
CVE-2014-6392 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the ...)
NOT-FOR-US: Facebook app and Facebook Messenger app for iOS
CVE-2014-6391
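Review bot: the new NOTE says libv8 is not covered by security support, but the entry is for node-express and nothing in the note connects the two, so the `(unimportant)` tag is justified only by reader inference. Name the path from node-express to libv8 explicitly, e.g. `NOTE: node-express runs on nodejs, which depends on libv8; libv8 is not covered by security support`, so the reason survives for anyone who later revisits this XSS-via-Content-Type entry.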
@@ -55536,7 +55544,6 @@
[squeeze] - openssl 0.9.8o-4squeeze16
NOTE: openssl redhat announcement https://rhn.redhat.com/errata/RHSA-2013-0587.html
- pound 2.6-3 (bug #727197)
- [wheezy] - pound <unfixed>
CVE-2012-4928 (Cross-site scripting (XSS) vulnerability in ow_updates/index.php in ...)
NOT-FOR-US: Oxwall 1.1.1
CVE-2012-4927 (SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before ...)
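Review bot: deleting `[wheezy] - pound <unfixed>` leaves no recorded wheezy decision for this issue, although the commit log lists pound as no-dsa; if the intent is that wheezy's pound is affected but will not get a DSA, the line should be replaced, e.g. `[wheezy] - pound <no-dsa> (Minor issue)`, not dropped, otherwise the wheezy status now silently falls back to the version comparison against the unstable fix `pound 2.6-3 (bug #727197)` with nothing in the entry saying that was deliberate.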
@@ -99941,6 +99948,7 @@
[lenny] - zorp <no-dsa> (Minor issue)
- lighttpd 1.4.30-1
- pound <unfixed> (bug #765649)
+ [jessie] - pound <no-dsa> (Minor issue)
NOTE: the anti_beast.patch in pound 2.6-2 has some provision for this issue too but it seems to be broken, cf #765649
NOTE: for any of the currently unfixed implementations, you can solve the problem by disabling renegotiation
NOTE: the following implement RFC 5746:
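Review bot: the `(Minor issue)` reason on the new jessie no-dsa line should point at the mitigation the entry already documents two lines below it (disable renegotiation), since the unstable line is still `- pound <unfixed> (bug #765649)` and the NOTE says the anti_beast.patch in 2.6-2 is broken; as written, jessie will release with a pound that does not implement RFC 5746, and the entry should say so. The commit log lists pound as no-dsa without naming a release, so if wheezy's pound is likewise unfixed record the same decision for wheezy here as well.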