[Secure-testing-commits] r33141 - in data: . CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Wed Mar 25 17:17:46 UTC 2015


Author: jmm
Date: 2015-03-25 17:17:46 +0000 (Wed, 25 Mar 2015)
New Revision: 33141

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
gd2 issue n/a for php since wheezy
mark one tiff issue as unimportant
wheezy no-dsa: nova, oss4
dsa-needed: shib2, inspircd, batik


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-03-25 17:15:24 UTC (rev 33140)
+++ data/CVE/list	2015-03-25 17:17:46 UTC (rev 33141)
@@ -37,9 +37,9 @@
 	NOTE: https://trac.torproject.org/projects/tor/ticket/15083
 CVE-2015-2687 [information leak when live-migration failed]
 	RESERVED
-	- nova <unfixed>
+	- nova <unfixed> (low)
+	[wheezy] - nova <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/nova/+bug/1419577
-	TODO: check
 CVE-2015-2673
 	RESERVED
 CVE-2015-2671
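Review bot: the `TODO: check` line is dropped and the wheezy entry set to `<no-dsa> (Minor issue)` without recording what the check concluded. Since the issue is an information leak when live migration fails, a one-line NOTE on why it rates low (what is leaked, and to whom) would let later triagers see the reasoning instead of reopening the question.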
@@ -954,12 +954,12 @@
 CVE-2014-9709 [gd: buffer read overflow in gd_gif_in.c]
 	RESERVED
 	- libgd2 2.1.0-5
-	- php5 5.6.5+dfsg-1 (low)
-	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in a future DSA)
+	- php5 5.4.0-1
 	NOTE: https://bugs.php.net/bug.php?id=68601
 	NOTE: Fix in libgd2: https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43
 	NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c
 	NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=5fc2fede9c7c963c950d8b96dcc0f7af88b4d695
+	NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd, the embedded copy was fixed upstream in 5.6.5
 CVE-2009-5146 [memory leak in hostname TLS extension]
 	RESERVED
 	- openssl 0.9.8k-1
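Review bot: the reason for changing the php5 fixed version from `5.6.5+dfsg-1 (low)` to `5.4.0-1` and dropping the wheezy no-dsa line lives only in the new NOTE, which reads as if 5.4.0-1 contained the upstream fix. Consider wording it as "php5 uses the system libgd2 since 5.4.0-1, so the embedded gd copy (fixed upstream in 5.6.5) is no longer built", so that readers do not take 5.4.0-1 for an upload that carries the gd_gif_in.c fix itself.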
@@ -4698,6 +4698,7 @@
 	NOTE: up to 2014.1.3 and 2014.2 versions up to 2014.2.1
 CVE-2012-XXXX [Insufficient validation of USB device descriptors]
 	- oss4 4.2-build2010-2 (bug #775662)
+	[wheezy] - oss4 <no-dsa> (Minor issue)
 CVE-2015-1350 [chown removes security.capability xattr on other users' files]
 	RESERVED
 	- linux <unfixed> (bug #770492)
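Review bot: this entry still carries the placeholder id `CVE-2012-XXXX`, and the new `[wheezy] - oss4 <no-dsa> (Minor issue)` line gives no reason why insufficient validation of USB device descriptors is minor for wheezy. A NOTE line with the rationale would help, and the entry should be revisited once a real identifier is assigned so the wheezy marker is not lost in the rename.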
@@ -11699,7 +11700,7 @@
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2501 (tiffdither)
 CVE-2014-8127 [out-of-bound reads]
 	RESERVED
-	- tiff <unfixed> (bug #776185)
+	- tiff <unfixed> (unimportant; bug #776185)
 	- tiff3 <not-affected> (The tiff3 source package doesn't build the TIFF tools)
 	NOTE: Advisory: http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2484 (thumbnail)
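Review bot: marking CVE-2014-8127 `unimportant` while leaving it `<unfixed>` follows tracker conventions, but tiff is still queued in data/dsa-needed.txt (`tiff (jmm)` in the hunk below), so it is worth stating whether the pending tiff DSA deliberately excludes this CVE or whether the fix tracked in `bug #776185` will ride along with it.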
@@ -11709,6 +11710,7 @@
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2497 (tiffmedian)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2500 (tiffset) [not fixed yet in CVS HEAD]
 	NOTE: 4.0.3-12.1 fixes all issues except 2500
+	NOTE: Crash in a frontend tool w/o potential for code injection, marked as unimportant
 CVE-2014-8126 [mailx invocation enables code execution as condor user]
 	RESERVED
 	{DSA-3149-1}
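Review bot: the new NOTE says "w/o potential for code injection", but the entry describes out-of-bound reads, so "code execution" (or "no memory corruption beyond an out-of-bounds read") matches the issue better, and "w/o" should be spelled out to match the other NOTE lines. The line above also records that 4.0.3-12.1 leaves bug 2500 (tiffset) unfixed; the NOTE should say whether the unimportant rating covers that remaining case as well.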

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt	2015-03-25 17:15:24 UTC (rev 33140)
+++ data/dsa-needed.txt	2015-03-25 17:17:46 UTC (rev 33141)
@@ -14,6 +14,8 @@
 --
 asterisk
 --
+batik
+--
 dulwich (carnil)
   NOTE: not yet released due to checking for the issue other than CVE-2015-0838
 --
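Review bot: `batik` is added with no assignee and no NOTE naming the CVE(s) the DSA is for, unlike the neighbouring `dulwich (carnil)` entry; the same applies to the `inspircd` and `shibboleth-sp2` additions further down. A NOTE line with the issue id (it is also absent from the commit log) would make the queue self-explanatory for whoever picks the package up.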
@@ -28,6 +30,8 @@
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
   should be fixed along
 --
+inspircd
+--
 jqueryui
 --
 libphp-snoopy
@@ -52,6 +56,8 @@
 --
 pound (thijs)
 --
+shibboleth-sp2
+--
 smarty3
 --
 tiff (jmm)
