[Secure-testing-commits] r39101 - in data: . CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sat Jan 23 14:18:04 UTC 2016
Author: carnil
Date: 2016-01-23 14:18:04 +0000 (Sat, 23 Jan 2016)
New Revision: 39101
Modified:
data/CVE/list
data/next-point-update.txt
Log:
First round of merges for Jessie 8.3
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-01-23 13:20:54 UTC (rev 39100)
+++ data/CVE/list 2016-01-23 14:18:04 UTC (rev 39101)
@@ -318,9 +318,10 @@
TODO: check
CVE-2016-1903 (The gdImageRotateInterpolated function in ...)
- php5 5.6.17+dfsg-1
+ [jessie] - php5 5.6.14+dfsg-0+deb8u1
+ [squeeze] - php5 <not-affected> (Vulnerable code not present, check in gdImageRotate() already available)
- php5.6 5.6.17+dfsg-1
- php7.0 7.0.2-1
- [squeeze] - php5 <not-affected> (Vulnerable code not present, check in gdImageRotate() already available)
NOTE: https://bugs.php.net/bug.php?id=70976
TODO: check
CVE-2016-1901 (Integer overflow in the authenticate_post function in CGit before 0.12 ...)
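Review bot: The added [jessie] line for CVE-2016-1903 records php5 5.6.14+dfsg-0+deb8u1 as the fixed version, while the unstable entries in the same record are at 5.6.17+dfsg-1. Add a NOTE stating that the fix was backported into the 5.6.14-based upload, or correct the version if it was not, so the entry can be checked against https://bugs.php.net/bug.php?id=70976. Moving the [squeeze] line up under the php5 entry it qualifies is a welcome cleanup.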
@@ -6076,7 +6077,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/11/24/6
CVE-2015-8381 (The compile_regex function in pcre_compile.c in PCRE before 8.38 and ...)
- pcre3 2:8.38-1 (bug #796762; bug #795539)
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <not-affected> (Vulnerable code introduced later)
[squeeze] - pcre3 <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.exim.org/show_bug.cgi?id=1672
@@ -6088,7 +6089,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1250943
CVE-2015-8380 (The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a ...)
- pcre3 2:8.38-1 (bug #806467)
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <not-affected> (Vulnerable code not present)
NOTE: For wheezy: same code looks present around patched lines, though the
NOTE: reproducer does not lead to a crash, and just gives
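Review bot: The [wheezy] line in the CVE-2015-8380 entry says "Vulnerable code not present", but the NOTE directly below it says the same code looks present around the patched lines and only that the reproducer does not crash. Since the entry is being updated for the jessie fix anyway, reword the wheezy reason to match the NOTE or re-check the status.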
@@ -13095,7 +13096,7 @@
TODO: check
CVE-2015-8395 (PCRE before 8.38 mishandles certain references, which allows remote ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <not-affected> (Vulnerable code introduced later)
[squeeze] - pcre3 <not-affected> (Vulnerable code introduced later)
NOTE: Fixed in 8.38
@@ -13104,21 +13105,21 @@
NOTE: Same fix as used for CVE-2015-8381
CVE-2015-8394 (PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <no-dsa> (Minor issue)
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: Fixed in 8.38
NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1589
CVE-2015-8393 (pcregrep in PCRE before 8.38 mishandles the -q option for binary ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <no-dsa> (Minor issue)
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: Fixed in 8.38
NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1586
CVE-2015-8392 (PCRE before 8.38 mishandles certain instances of the (?| substring, ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <not-affected> (Vulnerable code introduced later)
[squeeze] - pcre3 <not-affected> (Vulnerable code introduced later)
NOTE: Fixed in 8.38
@@ -13126,7 +13127,7 @@
NOTE: related issue to CVE-2015-8384 and CVE-2015-8395
CVE-2015-8391 (The pcre_compile function in pcre_compile.c in PCRE before 8.38 ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <no-dsa> (Minor issue)
[squeeze] - pcre3 <not-affected> (Vulnerable code introduced later)
NOTE: Fixed in 8.38
@@ -13134,14 +13135,14 @@
NOTE: First bad commit: http://vcs.pcre.org/pcre?view=revision&revision=640
CVE-2015-8390 (PCRE before 8.38 mishandles the [: and \\ substrings in character ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <no-dsa> (Minor issue)
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: Fixed in 8.38
NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1578
CVE-2015-8389 (PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue, --enable-jit not set during build anyway)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <not-affected> (Vulnerable code not present)
[squeeze] - pcre3 <not-affected> (Vulnerable code not present)
NOTE: Fixed in 8.38
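Review bot: The removed [jessie] line for CVE-2015-8389 carried the rationale "--enable-jit not set during build anyway", and the version line that replaces it drops that information. Keep it as a NOTE on the entry so the record still shows the jessie package was not built with JIT.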
@@ -13159,14 +13160,14 @@
NOTE: Different issue than CVE-2015-5073 but same fixing commit
CVE-2015-8387 (PCRE before 8.38 mishandles (?123) subroutine calls and related ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <no-dsa> (Minor issue)
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: Fixed in 8.38
NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1563
CVE-2015-8386 (PCRE before 8.38 mishandles the interaction of lookbehind assertions ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <not-affected> (Vulnerable code introduced later)
[squeeze] - pcre3 <not-affected> (Vulnerable code introduced later)
NOTE: Fixed in 8.38
@@ -13175,7 +13176,7 @@
NOTE: but the patched code is as well already present in wheezy at least.
CVE-2015-8385 (PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <no-dsa> (Minor issue)
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: Fixed in 8.38
@@ -13192,7 +13193,7 @@
NOTE: Same fixing commit as CVE-2015-3210 but different issues
CVE-2015-8383 (PCRE before 8.38 mishandles certain repeated conditional groups, which ...)
- pcre3 2:8.38-1
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <not-affected> (vulnerable coded introduce in 8.34)
[squeeze] - pcre3 <not-affected> (vulnerable code introduced in 8.34)
NOTE: Fixed in 8.38
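Review bot: The [wheezy] reason just below the changed line in the CVE-2015-8383 entry reads "vulnerable coded introduce in 8.34". Fix it in the same commit so it matches the [squeeze] line, "vulnerable code introduced in 8.34".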
@@ -13201,7 +13202,7 @@
NOTE: Introduced by/first bad commit: http://vcs.pcre.org/pcre?view=revision&revision=1365
CVE-2015-8382 (The match function in pcre_exec.c in PCRE before 8.37 mishandles the ...)
- pcre3 2:8.35-7.2 (bug #794589)
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <no-dsa> (Minor issue)
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510
@@ -20396,7 +20397,7 @@
NOTE: http://git.savannah.gnu.org/cgit/libunwind.git/commit/?id=396b6c7ab737e2bff244d640601c436a26260ca1
CVE-2015-3238 (The _unix_run_helper_binary function in the pam_unix module in ...)
- pam 1.1.8-3.2 (bug #789986)
- [jessie] - pam <no-dsa> (Minor issue e.g. in combination with enabled SELinux)
+ [jessie] - pam 1.1.8-3.1+deb8u1
[wheezy] - pam <no-dsa> (Minor issue e.g. in combination with enabled SELinux)
[squeeze] - pam <no-dsa> (Minor issue e.g. in combination with enabled SELinux)
NOTE: https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=e89d4c97385ff8180e6e81e84c5aa745daf28a79
@@ -23233,7 +23234,7 @@
NOTE: https://jira.mongodb.org/browse/SERVER-17252
NOTE: Since 1:2.0.0-1 mongodb uses the system pcre3
- pcre3 2:8.35-7.2 (low)
- [jessie] - pcre3 <no-dsa> (Minor issue)
+ [jessie] - pcre3 2:8.35-3.3+deb8u2
[wheezy] - pcre3 <no-dsa> (Minor issue)
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: https://bugs.exim.org/show_bug.cgi?id=1515
Modified: data/next-point-update.txt
===================================================================
--- data/next-point-update.txt 2016-01-23 13:20:54 UTC (rev 39100)
+++ data/next-point-update.txt 2016-01-23 14:18:04 UTC (rev 39101)
@@ -107,37 +107,3 @@
[jessie] - owncloud 7.0.4+dfsg-4~deb8u4
CVE-2016-1501
[jessie] - owncloud 7.0.4+dfsg-4~deb8u4
-CVE-2015-2328
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8382
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8383
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8385
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8386
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8387
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8380
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8389
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8390
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8391
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8392
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8393
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8394
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8381
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-8395
- [jessie] - pcre3 2:8.35-3.3+deb8u2
-CVE-2015-3238
- [jessie] - pam 1.1.8-3.1+deb8u1
-CVE-2016-1903 [Memory Read via gdImageRotateInterpolated Array Index Out of Bounds]
- [jessie] - php5 5.6.14+dfsg-0+deb8u1
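Review bot: Each of the 17 entries removed from data/next-point-update.txt should have a matching [jessie] version line added in data/CVE/list. 16 of them can be matched by CVE id in the visible hunks, but CVE-2015-2328 has no visible header there. The only unlabelled addition is the pcre3 line in the hunk at -23233, so confirm that hunk belongs to CVE-2015-2328 before the entry is dropped here.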