[Secure-testing-commits] r40398 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Tue Mar 15 20:38:10 UTC 2016
Author: jmm
Date: 2016-03-15 20:38:10 +0000 (Tue, 15 Mar 2016)
New Revision: 40398
Modified:
data/CVE/list
Log:
ntp, icinga, nova no-dsa
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-03-15 20:33:55 UTC (rev 40397)
+++ data/CVE/list 2016-03-15 20:38:10 UTC (rev 40398)
@@ -173,37 +173,32 @@
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/03/11/12
CVE-2016-3140 [crash on invalid USB device descriptors (digi_acceleport driver)]
RESERVED
- - linux <unfixed>
+ - linux <unfixed> (low)
NOTE: http://seclists.org/bugtraq/2016/Mar/61
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283378
NOTE: https://marc.info/?l=linux-usb&m=145796765030590&w=2
- TODO: check
CVE-2016-3139 [crash on invalid USB device descriptors (wacom driver)]
RESERVED
- - linux <unfixed>
+ - linux <unfixed> (low)
NOTE: http://seclists.org/bugtraq/2016/Mar/60
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283375
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283377
- TODO: check
CVE-2016-3138 [crash on invalid USB device descriptors (cdc_acm driver)]
RESERVED
- - linux <unfixed>
+ - linux <unfixed> (low)
NOTE: http://seclists.org/bugtraq/2016/Mar/54
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283366
NOTE: http://marc.info/?l=linux-usb&m=145803342320160&w=2
- TODO: check
CVE-2016-3137 [crash on invalid USB device descriptors (cypress_m8 driver)]
RESERVED
- - linux <unfixed>
+ - linux <unfixed> (low)
NOTE: http://seclists.org/bugtraq/2016/Mar/55
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283368
- TODO: check
CVE-2016-3136 [crash on invalid USB device descriptors (mct_u232 driver)]
RESERVED
- - linux <unfixed>
+ - linux <unfixed> (low)
NOTE: http://seclists.org/bugtraq/2016/Mar/57
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283370
- TODO: check
CVE-2016-3125 [TLSDHParamFile directive ignored]
RESERVED
- proftpd-dfsg <unfixed>
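Review bot: The commit log ("ntp, icinga, nova no-dsa") does not cover this hunk, which sets (low) on the linux lines for CVE-2016-3140 through CVE-2016-3136 and drops each "TODO: check". Suggest mentioning the linux triage in the log so the urgency change can be found from the history. Since the entries stay <unfixed>, a short NOTE giving the reason for (low) would also keep the rationale with the entries now that the TODO markers are gone.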
@@ -2193,10 +2188,11 @@
NOTE: https://github.com/wycats/handlebars.js/pull/1083
NOTE: https://nodesecurity.io/advisories/61
CVE-2015-XXXX [quoteless attributes in templates can lead to content injection]
- - mustache.js <unfixed>
+ - mustache.js <unfixed> (unimportant)
NOTE: fixed in 2.2.1
NOTE: https://github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5
NOTE: https://nodesecurity.io/advisories/62
+ NOTE: Security hardening, not a vulnerability
CVE-2015-XXXX [SQL injection due to unescaped object keys]
- node-mysql 2.0.0~alpha8-1 (unimportant)
NOTE: https://github.com/felixge/node-mysql/issues/342
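Review bot: The mustache.js entry now carries two statements that read against each other: the bracketed description still says the issue "can lead to content injection", while the added NOTE says "Security hardening, not a vulnerability". Suggest extending the NOTE with one clause on why the upstream change counts as hardening only, so the (unimportant) tag is justified in the entry itself. This change is also not mentioned in the commit log.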
@@ -7791,7 +7787,9 @@
NOTE: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
CVE-2016-0727 [NTP statsdir cleanup cronjob insecure]
RESERVED
- - ntp <unfixed>
+ - ntp <unfixed> (low)
+ [jessie] - ntp <no-dsa> (Minor issue)
+ [wheezy] - ntp <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050
NOTE: http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/
CVE-2016-0726
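Review bot: "Minor issue" on the two added no-dsa lines for CVE-2016-0727 is thin for an entry whose halfdog.net reference, in the context lines, is titled as an ntp-user-to-root privilege escalation. Suggest a more specific reason in the parentheses, or a NOTE stating the precondition that makes this low, so the decision can be reviewed later without re-reading the advisory.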
@@ -11495,6 +11493,8 @@
CVE-2015-8010 [XSS in the Icinga Classic-UI]
RESERVED
- icinga <unfixed> (bug #803432)
+ [jessie] - icinga <no-dsa> (Minor issue)
+ [wheezy] - icinga <no-dsa> (Minor issue)
[squeeze] - icinga <not-affected> (Vulnerable code not present)
NOTE: Introduced by: https://dev.icinga.org/issues/593 in 1.3.
NOTE: Upstream issue: https://dev.icinga.org/issues/10453
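Review bot: The unstable line "- icinga <unfixed> (bug #803432)" is left without an urgency, while the ntp and nova hunks in this same commit add (low) alongside their no-dsa lines. If the XSS in Classic-UI is considered minor for jessie and wheezy, suggest adding the matching urgency to the unstable line too, or giving a more specific reason than "Minor issue" on the two new lines.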
@@ -19414,8 +19414,9 @@
[wheezy] - glance <not-affected> (Affects Glance 2015.1 versions trough 2015.1.1)
CVE-2015-5162 [Malicious image causes OOM on the compute host]
RESERVED
- - nova <unfixed>
- TODO: check
+ - nova <unfixed> (low)
+ [jessie] - nova <no-dsa> (Minor issue)
+ [wheezy] - nova <no-dsa> (Minor issue)
CVE-2015-5161 (The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework ...)
{DSA-3340-1 DLA-302-1}
- zendframework 1.12.14+dfsg-1
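Review bot: With "TODO: check" removed, the CVE-2015-5162 entry has no NOTE lines at all, so nothing records what was checked or why an OOM on the compute host rates (low) and "Minor issue". Suggest adding a NOTE with the upstream reference or a one-line rationale next to the new no-dsa lines.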