[Secure-testing-commits] r37523 - data/CVE

Raphaël Hertzog hertzog at moszumanska.debian.org
Tue Nov 3 13:58:21 UTC 2015


Author: hertzog
Date: 2015-11-03 13:58:21 +0000 (Tue, 03 Nov 2015)
New Revision: 37523

Modified:
   data/CVE/list
Log:
Reclassify CVE-2015-8035 as XZ support is enabled in the Debian package

wheezy/jessie are affected.

Thanks to Sander Bos who reported the mistake.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-11-03 10:48:25 UTC (rev 37522)
+++ data/CVE/list	2015-11-03 13:58:21 UTC (rev 37523)
@@ -3,10 +3,12 @@
 CVE-2015-8032
 	RESERVED
 CVE-2015-8035 [DoS if xz enabled]
-	- libxml2 <unfixed> (unimportant)
-	NOTE: Debian binary package not built with --with-lzma
+	- libxml2 <unfixed> (bug #803942)
+	[squeeze] - libxml2 <not-affected> (Not compiled with LZMA/XZ support)
+	NOTE: Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
+	NOTE: You can use "xmllint --version" to verify if libxml2 is compiled with "Lzma" support.
+	NOTE: sid's 2.9.2+zdfsg1-4 claims to have "Lzma" support but it's broken in fact... so it barfs on the problematic file (parser error : Start tag expected, '<' not found) even though it does not have the fix yet. The next usptream release will fix this issue and will restore XZ support.
 	NOTE: http://www.openwall.com/lists/oss-security/2015/11/02/2
-	TODO: check affected versions, possibly fixed source wise in 2.9.2 already
 CVE-2015-XXXX [Multiple CSRF Vulnerabilities]
 	- php-horde 5.2.8+debian0-1 (bug #803641)
 	NOTE: https://www.htbridge.com/advisory/HTB23272
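Review bot: The third added NOTE recommends "xmllint --version" to verify Lzma support, but the very next NOTE says sid's 2.9.2+zdfsg1-4 reports "Lzma" support while XZ handling is in fact broken, so the version banner alone is not a reliable affectedness check; consider rewording it as a first-pass check and stating that only a build that actually parses an .xz input is exposed. Also, "usptream" in the fourth added NOTE should read "upstream".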