[Secure-testing-commits] r43583 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Thu Jul 28 21:01:28 UTC 2016
Author: jmm
Date: 2016-07-28 21:01:28 +0000 (Thu, 28 Jul 2016)
New Revision: 43583
Modified:
data/CVE/list
Log:
one linux issue no-dsa
more httpoxy triage
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-07-28 20:59:52 UTC (rev 43582)
+++ data/CVE/list 2016-07-28 21:01:28 UTC (rev 43583)
@@ -3314,14 +3314,18 @@
NOTE: https://github.com/klacke/yaws/commit/9d8fb070e782c95821c90d0ca7372fc6d7316c78#diff-54053c47eb173a90c26ed19bd9d106c1
CVE-2016-1000104
RESERVED
- - libapache2-mod-fcgid <unfixed>
+ NOTE: libapache2-mod-fcgid does not set HTTP_PROXY based on Proxy: header unless
+ NOTE: explicitly configured so and mitigations for Apache in CVE-2016-5387 prevent
+ NOTE: exploitation anyway
CVE-2016-5387 (The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 ...)
{DSA-3623-1 DLA-553-1}
- apache2 2.4.23-2
NOTE: https://www.apache.org/security/asf-httpoxy-response.txt
NOTE: https://httpoxy.org
CVE-2016-5386 (The net/http package in Go through 1.6 does not attempt to address RFC ...)
- - golang <unfixed>
+ - golang <unfixed> (unimportant)
+ NOTE: No part of Go does set HTTP_PROXY based on a Proxy: header, 1.6.3 and 1.7
+ NOTE: provide hardening to discard HTTP_PROXY
CVE-2016-5385 (PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 ...)
{DSA-3631-1}
- php7.0 7.0.9-1
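Review bot: the CVE-2016-1000104 change removes the `- libapache2-mod-fcgid <unfixed>` line outright, so the tracker keeps only free-text NOTEs and no package status for that CVE; the golang entry in the same hunk instead keeps its package line and adds a severity tag (`- golang <unfixed> (unimportant)`). Consider keeping a package line with the triage outcome for libapache2-mod-fcgid too, with the reason in parentheses, so the decision stays machine-readable and consistent with the neighbouring entry. Minor wording point in the added golang NOTE: "No part of Go does set HTTP_PROXY" reads better as "No part of Go sets HTTP_PROXY", and it would help to state whether the 1.6.3/1.7 hardening is expected to reach the Debian package, since the status line still says `<unfixed>`.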
@@ -22998,6 +23002,7 @@
NOTE: http://xenbits.xen.org/xsa/advisory-145.html
CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux kernel ...)
- linux <unfixed>
+ [jessie] - linux <no-dsa> (Minor issue, requires invasive changes)
- linux-2.6 <removed>
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=60533
CVE-2015-8011 [lldpd: buffer overflow when handling management address TLV]
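Review bot: the `[jessie] - linux <no-dsa> (Minor issue, requires invasive changes)` line gives a reason, which is good, but the entry remains `<unfixed>` for unstable with only the 2013 bugzilla reference as context. Consider adding a NOTE pointing at the upstream change or discussion behind "requires invasive changes", so the no-dsa decision can be revisited once a fix is available rather than being left open-ended.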