[Secure-testing-commits] r42205 - in data: . CVE
Ben Hutchings
benh at moszumanska.debian.org
Wed Jun 1 00:57:08 UTC 2016
Author: benh
Date: 2016-06-01 00:57:08 +0000 (Wed, 01 Jun 2016)
New Revision: 42205
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Triage new issues for wheezy; add links to bug reports and fixes where available
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-06-01 00:06:26 UTC (rev 42204)
+++ data/CVE/list 2016-06-01 00:57:08 UTC (rev 42205)
@@ -39,7 +39,9 @@
CVE-2016-5126 [block: iscsi: buffer overflow in iscsi_aio_ioctl]
RESERVED
- qemu <unfixed>
+ [wheezy] - qemu <not-affected> (Vulnerable code not present)
- qemu-kvm <removed>
+ [wheezy] - qemu-kvm <not-affected> (Vulnerable code not present)
NOTE: https://lists.gnu.org/archive/html/qemu-block/2016-05/msg00779.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1340924
NOTE: http://www.openwall.com/lists/oss-security/2016/05/30/6
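Review bot: The two new [wheezy] lines for CVE-2016-5126 justify <not-affected> with "Vulnerable code not present" but do not say which change or version introduced iscsi_aio_ioctl's vulnerable path, so the claim cannot be rechecked from the entry. The nginx entry in this same commit records "Introduced in 1.3.9"; a similar NOTE here, naming the introducing upstream commit or version for qemu and qemu-kvm, would make the triage decision auditable.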
@@ -1910,6 +1912,7 @@
CVE-2016-4450
RESERVED
- nginx 1.10.1-1 (bug #825960)
+ [wheezy] - nginx <not-affected> (Introduced in 1.3.9)
CVE-2016-4449
RESERVED
- libxml2 <unfixed>
@@ -8486,6 +8489,8 @@
CVE-2016-2175
RESERVED
- libpdfbox-java <unfixed>
+ NOTE: Fixed on upstream 1.8 branch in https://svn.apache.org/viewvc?view=revision&revision=1739564
+ NOTE: Fixed on upstream 2.0 branch in https://svn.apache.org/viewvc?view=revision&revision=1739565
CVE-2016-2174
RESERVED
CVE-2016-2173
@@ -10296,11 +10301,13 @@
- libxslt <unfixed>
- chromium-browser 51.0.2704.63-1
[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
+ NOTE: Chromium bug report: https://code.google.com/p/chromium/issues/detail?id=583171
CVE-2016-1683
RESERVED
- libxslt <unfixed>
- chromium-browser 51.0.2704.63-1
[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
+ NOTE: Chromium bug report: https://code.google.com/p/chromium/issues/detail?id=583156
CVE-2016-1682
RESERVED
- chromium-browser 51.0.2704.63-1
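Review bot: In both entries touched here (the one ending above CVE-2016-1683, and CVE-2016-1683 itself) the package left open is "- libxslt <unfixed>", yet the added NOTE points only at the Chromium bug report. Whoever picks up libxslt, which this commit also adds to dla-needed.txt, gets no pointer to a libxslt-side patch. If an upstream libxslt commit is known, add it as a second NOTE in the "Fixed ... in <url>" form used for libpdfbox-java and dhcpcd5; if not, a NOTE saying the fix is only referenced from the Chromium report would save the next person the search.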
@@ -46047,12 +46054,12 @@
RESERVED
CVE-2014-7913 (The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as ...)
- dhcpcd5 <unfixed>
- NOTE: android's dhcpd is a fork of dhcpcd5, and code very similar to the vulnerable section exists in dhcpcd5, but i didn't have time to check whether it too is vulnerable to the problem
- TODO: check
+ NOTE: Fixed for Android in https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0%5E!/
+ NOTE: Fixed on upstream trunk in http://roy.marples.name/projects/dhcpcd/ci/528541c4c619520e?sbs=0
CVE-2014-7912 (The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in ...)
- dhcpcd5 <unfixed>
- NOTE: android's dhcpd is a fork of dhcpcd5, and code very similar to the vulnerable section exists in dhcpcd5, but i didn't have time to check whether it too is vulnerable to the problem
- TODO: check
+ NOTE: Fixed for Android in https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0%5E!/
+ NOTE: Fixed on upstream trunk in http://roy.marples.name/projects/dhcpcd/ci/d71cfd8aa203bffe?sbs=0
CVE-2014-7911 (luni/src/main/java/java/io/ObjectInputStream.java in the ...)
NOT-FOR-US: Android
CVE-2014-7910 (Multiple unspecified vulnerabilities in Google Chrome before ...)
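Review bot: Under CVE-2014-7912 the description reads "dhcpcd before 6.2.0", but the entry still says "- dhcpcd5 <unfixed>" after the upstream fix link is added; either record the fixed version or add a NOTE explaining why sid is still considered affected. Two smaller points on the same hunk: the removed NOTE and "TODO: check" said nobody had verified that dhcpcd5 shares the Android bug, and the replacement lines give fix links without stating that this was confirmed, so a one-line NOTE with the conclusion would close that out. Also, CVE-2014-7913 (print_option in dhcp-common.c) and CVE-2014-7912 (get_option in dhcp.c) cite the identical Android commit 73c09dd8067250734511d955d8f792b41c7213f0 while the upstream links differ; please confirm that one Android commit covers both functions and is not a copy-paste.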
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2016-06-01 00:06:26 UTC (rev 42204)
+++ data/dla-needed.txt 2016-06-01 00:57:08 UTC (rev 42205)
@@ -18,6 +18,8 @@
cakephp
NOTE: CVE-2015-8379 No official solution is currently available, 20160425
--
+dhcpcd5
+--
extplorer
NOTE: 20160529, no fix yet
--
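Review bot: The new "dhcpcd5" entry (and likewise "libpdfbox-java" and "libxslt" in the following hunks) is added to dla-needed.txt with no NOTE, while neighbouring entries carry context such as "NOTE: 20160529, no fix yet". Consider adding a dated NOTE naming the CVE ids that triggered the entry (CVE-2014-7912 and CVE-2014-7913 for dhcpcd5, CVE-2016-2175 for libpdfbox-java) so the person claiming the package does not have to search data/CVE/list to find out why it is listed.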
@@ -34,6 +36,8 @@
--
libjackson-json-java
--
+libpdfbox-java
+--
libspring-java
The JSON/JaF doesn't appear to be present in wheezy but the
content-disposition stuff might be.
@@ -43,6 +47,8 @@
NOTE: carnil is looking in partially triaging the libxml2 issues as well for wheezy
NOTE: and publish preliminary work on https://people.debian.org/~carnil/tmp/libxml2/wheezy
--
+libxslt
+--
libxstream-java (jmm)
Emmanuel Bourg proposed debdiff for both wheezy- and jessie-security
waiting an additional to solicit regression feedback from change in sid