[Secure-testing-commits] r41120 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sun Apr 24 14:53:32 UTC 2016 

Author: carnil
Date: 2016-04-24 14:53:32 +0000 (Sun, 24 Apr 2016)
New Revision: 41120

Modified:
   data/CVE/list
Log:
Another batch of CVEs from external check

Note for reviewers: please in particular double-check CVE-2015-7501.
According to the oss-ecurity post there was mentioned that the issue
would not get a CVE. Red Hat apparently though associates that CVE for
the unserialization issue on commons-collections.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-04-24 14:28:57 UTC (rev 41119)
+++ data/CVE/list	2016-04-24 14:53:32 UTC (rev 41120)
@@ -5759,10 +5759,16 @@
 	NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
 	NOTE: https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
 CVE-2015-8797 (Cross-site scripting (XSS) vulnerability in ...)
+	- lucene-solr <undetermined>
+	NOTE: https://issues.apache.org/jira/browse/SOLR-7949
 	TODO: check
 CVE-2015-8796 (Cross-site scripting (XSS) vulnerability in ...)
+	- lucene-solr <undetermined>
+	NOTE: https://issues.apache.org/jira/browse/SOLR-7920
 	TODO: check
 CVE-2015-8795 (Multiple cross-site scripting (XSS) vulnerabilities in the Admin UI in ...)
+	- lucene-solr <undetermined>
+	NOTE: https://issues.apache.org/jira/browse/SOLR-7346
 	TODO: check
 CVE-2015-8794 (Absolute path traversal vulnerability in ...)
 	- roundcube 1.1.2+dfsg.1-1
@@ -13065,6 +13071,7 @@
 	TODO: check
 CVE-2015-8315
 	RESERVED
+	NOT-FOR-US: ms for Node.js
 CVE-2015-8314
 	RESERVED
 CVE-2015-8313 [fail to check the first byte of the padding in CBC modes]
@@ -13733,7 +13740,7 @@
 CVE-2015-8103 (The Jenkins CLI subsystem in CloudBees Jenkins before 1.638 and LTS ...)
 	- jenkins <removed> (bug #804522)
 	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
-CVE-2015-XXXX [java unserialisation issues]
+CVE-2015-7501 [java unserialisation issues]
 	- libcommons-collections3-java 3.2.2-1 (unimportant)
 	[jessie] - libcommons-collections3-java 3.2.1-7+deb8u1
 	[wheezy] - libcommons-collections3-java 3.2.1-5+deb7u1
@@ -13755,6 +13762,7 @@
 	NOTE: https://github.com/apache/commons-collections/commit/3eee44cf63b1ebb0da6925e98b3dcc6ef1e4d610
 	NOTE: https://github.com/apache/commons-collections/commit/78d47d4d098ab814a7a00a0b1c81646b27f050cf
 	NOTE: https://github.com/apache/commons-collections/commit/b2b8f4adc557e4ef1ee2fe5e0ab46866c06ec55b
+	TODO: double-check this CVE assignment, since it has been said earlier on oss-security that it would not get a CVE
 CVE-2015-8079
 	RESERVED
 CVE-2015-8080 (Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x ...)
@@ -15458,6 +15466,7 @@
 	RESERVED
 CVE-2015-7561
 	RESERVED
+	NOT-FOR-US: OpenShift
 CVE-2015-7560 (The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, ...)
 	{DSA-3514-1}
 	- samba 2:4.3.6+dfsg-1
@@ -15562,6 +15571,8 @@
 	NOTE: https://quickgit.kde.org/?p=kdelibs.git&a=blobdiff&h=8c0f6401271c495c68e340e06b09239eb755ce5e&hp=45b72f0d5c3421b571e9515497352a0a9942a075&hb=cc5515ed7ce8884c9b18169158ba29ab2f7a3db7&f=kinit%2Flnusertemp.c
 CVE-2015-7542
 	RESERVED
+	- libgwenhywfar <undetermined>
+	TODO: check, possibly Red Hat specific
 CVE-2015-7541 (The initialize method in the Histogram class in ...)
 	NOT-FOR-US: colorscore gem for Ruby
 CVE-2015-7540 (The LDAP server in the AD domain controller in Samba 4.x before 4.1.22 ...)
@@ -15571,13 +15582,13 @@
 	[squeeze] - samba <not-affected> (Only affects 4.0.0 to 4.1.21)
 	NOTE: https://www.samba.org/samba/security/CVE-2015-7540.html
 CVE-2015-7539 (The Plugins Manager in CloudBees Jenkins before 1.640 and LTS before ...)
-	TODO: check
+	- jenkins <removed>
 CVE-2015-7538 (CloudBees Jenkins before 1.640 and LTS before 1.625.2 allow remote ...)
-	TODO: check
+	- jenkins <removed>
 CVE-2015-7537 (Cross-site request forgery (CSRF) vulnerability in CloudBees Jenkins ...)
-	TODO: check
+	- jenkins <removed>
 CVE-2015-7536 (Cross-site scripting (XSS) vulnerability in CloudBees Jenkins before ...)
-	TODO: check
+	- jenkins <removed>
 CVE-2015-7535
 	RESERVED
 CVE-2015-7534
@@ -15657,8 +15668,12 @@
 	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=de7db12fa04016e12dffb2b678632f45eba15ec4 (libgcrypt-1.6.5)
 	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=28eb424e4427b320ec1c9c4ce56af25d495230bd (libgcrypt-1.6.5)
 	NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a (master)
-CVE-2015-7510
+CVE-2015-7510 [Stack overflow in nss-mymachines]
 	RESERVED
+	- systemd <undetermined>
+	NOTE: https://github.com/keszybz/systemd/commit/cb31827d62066a04b02111df3052949fda4b6888
+	NOTE: https://github.com/systemd/systemd/issues/2002
+	TODO: check
 CVE-2015-7509 (fs/ext4/namei.c in the Linux kernel before 3.7 allows physically ...)
 	- linux 3.8-1~experimental.1
 	[wheezy] - linux 3.2.68-1
@@ -15712,9 +15727,7 @@
 	NOT-FOR-US: php-zend-crypt
 	NOTE: http://framework.zend.com/security/advisory/ZF2015-10
 CVE-2015-7502 (Red Hat CloudForms 3.2 Management Engine (CFME) 5.4.4 and CloudForms ...)
-	TODO: check
-CVE-2015-7501
-	RESERVED
+	NOT-FOR-US: Red Hat CloudForms
 CVE-2015-7500 (The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows ...)
 	{DSA-3430-1 DLA-373-1}
 	- libxml2 2.9.3+dfsg1-1

More information about the Secure-testing-commits mailing list