[Secure-testing-commits] r34237 - data/CVE

Raphaël Hertzog hertzog at moszumanska.debian.org
Wed May 13 13:42:06 UTC 2015


Author: hertzog
Date: 2015-05-13 13:42:06 +0000 (Wed, 13 May 2015)
New Revision: 34237

Modified:
   data/CVE/list
Log:
Mark haproxy's issues as not affecting squeeze (which has version 1.4.x)

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-05-13 13:16:25 UTC (rev 34236)
+++ data/CVE/list	2015-05-13 13:42:06 UTC (rev 34237)
@@ -863,12 +863,15 @@
 CVE-2015-XXXX [BUG/MAJOR: http: don't read past buffer's end in http_replace_value]
 	- haproxy 1.5.12-1
 	[jessie] - haproxy <no-dsa> (Minor issue)
+	[squeeze] - haproxy <not-affected> (Vulnerable code not present)
 	NOTE: Upstream fix: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=8e05ac2044c6523c867ceaaae1f10486370eec89
 	NOTE: Introduced by: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=c9c2daf283011e9b9ab0af57629af47862e14e0e
 CVE-2015-XXXX [BUG/MAJOR: http: prevent risk of reading past end with balance url_param]
 	- haproxy 1.5.12-1
 	[jessie] - haproxy <no-dsa> (Minor issue)
+	[squeeze] - haproxy <not-affected> (Similar check was already present)
 	NOTE: Upstream fix: http://git.haproxy.org/?p=haproxy-1.5.git;a=commit;h=522aab39753e8ed13786bc57b03ef7ae4ffe6c87
+	NOTE: For squeeze, the above commit message implies that the fix does not need to be backported to version 1.4 and indeed, the code already contains a (different) check that limits the value of "len".
 CVE-2015-XXXX [Insecure permission on directory when using spacewalk inventory]
 	- ansible <unfixed> (unimportant)
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/02/3
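Review bot: In the second haproxy entry (balance url_param), the added NOTE justifying the squeeze `<not-affected>` status says the 1.4 code "already contains a (different) check that limits the value of "len"", but it does not say where that check lives or which 1.4.x version was inspected, so the triage cannot be re-verified from the tracker entry alone. Consider naming the source file and function that hold the existing check and the squeeze package version examined. The first entry already supports its "Vulnerable code not present" status this way, through its "Introduced by" commit link. Since the NOTE leans on what the upstream commit message "implies", quoting the relevant sentence from that message would also make the reasoning explicit.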



