[Secure-testing-commits] r39383 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Sun Jan 31 18:06:15 UTC 2016


Author: jmm
Date: 2016-01-31 18:06:15 +0000 (Sun, 31 Jan 2016)
New Revision: 39383

Modified:
   data/CVE/list
Log:
add some upstream fixes to ntp
at least one rails issue EOL in wheezy


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-01-31 14:34:04 UTC (rev 39382)
+++ data/CVE/list	2016-01-31 18:06:15 UTC (rev 39383)
@@ -46,6 +46,7 @@
 	[jessie] - libbsd <no-dsa> (Minor issue)
 	[wheezy] - libbsd <not-affected> (Vulnerable code not present)
 	[squeeze] - libbsd <not-affected> (Vulnerable code not present)
+	NOTE: Not used anywhere in Debian according to codesearch.debian.net
 	NOTE: https://blog.fuzzing-project.org/36-Heap-buffer-overflow-in-fgetwln-function-of-libbsd.html
 	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=93881
 	NOTE: Fixed by: http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 (0.8.2)
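Review bot: the added NOTE at the top of this entry's note block does not say what is unused. The blog link directly below it names the fgetwln function, so state the subject in the note itself, for example "NOTE: fgetwln() not used anywhere in Debian according to codesearch.debian.net", so the line still reads correctly if the notes are reordered or the links stop resolving.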
@@ -1062,6 +1063,8 @@
 CVE-2016-1908 [Eliminate the fallback from untrusted X11-forwarding to trusted forwarding for cases when the X server disables the SECURITY extension]
 	RESERVED
 	- openssh <unfixed>
+	[jessie] - openssh <no-dsa> (Minor issue)
+	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
 	NOTE: which needs to be applied after: https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f
 	NOTE: Background information on X11 SECURITY extension and SSH: https://thejh.net/written-stuff/openssh-6.8-xsecurity
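Review bot: the two added <no-dsa> lines give only "(Minor issue)" as the reason, which does not tell a later reader why the fallback from untrusted to trusted X11 forwarding was judged minor for jessie and wheezy. A short rationale in the parentheses, or a NOTE recording the reasoning, would make the triage decision auditable. The existing notes say the upstream fix must be applied after a second commit, so it would also help to record whether that prerequisite influenced the decision.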
@@ -3994,6 +3997,7 @@
 	[squeeze] - rails <end-of-life> (Not supported in Squeeze LTS)
 	- ruby-activerecord-3.2 <removed>
 	- ruby-activerecord-2.3 <removed>
+	[wheezy] - ruby-activerecord-2.3 <end-of-life>
 	- ruby-activesupport-3.2 <removed>
 	- ruby-activesupport-2.3 <removed>
 	- ruby-activemodel-3.2 <removed>
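Review bot: the added "[wheezy] - ruby-activerecord-2.3 <end-of-life>" line has no parenthesised reason, while the squeeze line at the top of this hunk carries "(Not supported in Squeeze LTS)". Add an equivalent reason for wheezy. The neighbouring ruby-activesupport-2.3 line gets no wheezy marker here; if it is in the same state for this entry, mark it in the same change so the entry stays consistent.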
@@ -7516,25 +7520,26 @@
 	- ntp <unfixed>
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2942
-	TODO: check
+	NOTE: https://github.com/ntp-project/ntp/commit/fe46889f7baa75fc8e6c0fcde87706d396ce1461
 CVE-2015-7978 [Stack exhaustion in recursive traversal of restriction list]
 	RESERVED
 	- ntp <unfixed>
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2940
-	TODO: check
+	NOTE: https://github.com/ntp-project/ntp/commit/8a0c765f3c47633fa262356b0818788d1cf249b1
 CVE-2015-7977 [reslist NULL pointer dereference]
 	RESERVED
 	- ntp <unfixed>
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2939
-	TODO: check
+	NOTE: https://github.com/ntp-project/ntp/commit/8a0c765f3c47633fa262356b0818788d1cf249b1
 CVE-2015-7976 [ntpq saveconfig command allows dangerous characters in filenames]
 	RESERVED
 	- ntp <unfixed>
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug2938
-	TODO: check
+	NOTE: https://github.com/ntp-project/ntp/commit/3680c2e4d5f88905ce062c7b43305d610a2c9796
+        NOTE: https://github.com/ntp-project/ntp/commit/7fe04606062ed674db3b9553d32dedad29504d61
 CVE-2015-7975 [nextvar() missing length check]
 	RESERVED
 	- ntp <unfixed>
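Review bot: the second added NOTE under CVE-2015-7976 is indented with eight spaces where every other line in this hunk uses a tab; switch it to a tab so tooling that parses the list treats it as part of the entry. CVE-2015-7978 and CVE-2015-7977 are both given commit 8a0c765f3c47633fa262356b0818788d1cf249b1, which is fine if one commit fixes both but is worth confirming as intentional rather than a paste slip. The new links are bare URLs, whereas the libbsd entry earlier in this diff uses "Fixed by:"; a similar prefix would make clear that these are the fixing commits and not further references.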



