[Secure-testing-commits] r40542 - in data: . CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Wed Mar 23 22:37:08 UTC 2016


Author: jmm
Date: 2016-03-23 22:37:07 +0000 (Wed, 23 Mar 2016)
New Revision: 40542

Modified:
   data/CVE/list
   data/next-point-update.txt
Log:
record php spu update
remove three PHP issues which are plain bugs and not security-relevant


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-03-23 22:13:08 UTC (rev 40541)
+++ data/CVE/list	2016-03-23 22:37:07 UTC (rev 40542)
@@ -1729,6 +1729,8 @@
 CVE-2016-3142 [Out-of-Bound Read in phar_parse_zipfile()]
 	RESERVED
 	- php5 5.6.19+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	NOTE: https://bugs.php.net/bug.php?id=71498
 	NOTE: Fixed in 5.5.33, 5.6.19
 	NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/5
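
Review bot: The new [wheezy] line under CVE-2016-3142 says the issue "can be fixed in next update round", but nothing in this commit records where that wheezy fix is tracked, while the matching [jessie] line is backed by the new CVE-2016-3142 entry in data/next-point-update.txt. If a wheezy update is planned, note where it is queued; the same applies to the identical pair of lines added under CVE-2016-3141 in the next hunk.
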
@@ -1737,6 +1739,8 @@
 CVE-2016-3141 [Use-After-Free / Double-Free in WDDX Deserialize]
 	RESERVED
 	- php5 5.6.19+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	NOTE: https://bugs.php.net/bug.php?id=71587
 	NOTE: Fixed in 5.5.33, 5.6.19
 	NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/5
@@ -3395,6 +3399,8 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2016/02/14/1
 CVE-2016-XXXX [exec functions ignore length but look for NULL termination]
 	- php5 5.6.18+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
 	[squeeze] - php5 5.3.3.1-7+squeeze29
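
Review bot: Style point on placement in the "exec functions ignore length" entry: the new [wheezy] and [jessie] lines sit directly under "- php5 5.6.18+dfsg-1", but the existing "[squeeze] - php5 5.3.3.1-7+squeeze29" line stays below the php5.6 and php7.0 lines, so the release annotations for php5 end up split across the entry. Moving the [squeeze] line up next to the other two would keep all php5 release tags together; the same split appears in the later entries that carry a [squeeze] line.
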
@@ -3403,27 +3409,10 @@
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305494
 	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=c527549e899bf211aac7d8ab5ceb1bdfedf07f14
 	NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3
-CVE-2016-XXXX [No check to duplicate zend_extension]
-	- php5 5.6.18+dfsg-1
-	- php5.6 5.6.18+dfsg-1
-	- php7.0 7.0.3-1
-	[squeeze] - php5 5.3.3.1-7+squeeze29
-	NOTE: temporary workaround until CVE assigned to explitly tag for squeeze
-	NOTE: https://bugs.php.net/bug.php?id=71089
-	NOTE: Fixed in 5.6.18, 7.0.3
-CVE-2016-XXXX [round() segfault on 64-bit builds]
-	- php5 5.6.18+dfsg-1
-	- php5.6 5.6.18+dfsg-1
-	- php7.0 7.0.3-1
-	[squeeze] - php5 5.3.3.1-7+squeeze29
-	NOTE: temporary workaround until CVE assigned to explitly tag for squeeze
-	NOTE: https://bugs.php.net/bug.php?id=71201
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305504
-	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=0d822f6df946764f3f0348b82efae2e1eaa83aa0
-	NOTE: Fixed in 5.6.18, 7.0.3
-	NOTE: can be possibly considered a plain bug not a security issue
 CVE-2016-XXXX [Output of stream_get_meta_data can be falsified by its input]
 	- php5 5.6.18+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
 	NOTE: https://bugs.php.net/bug.php?id=71323
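
Review bot: The two deleted entries (duplicate zend_extension, round() segfault) each carried a "[squeeze] - php5 5.3.3.1-7+squeeze29" line plus the note "temporary workaround until CVE assigned to explitly tag for squeeze", and removing the entries outright also drops that record of what was shipped for squeeze. Only the round() entry had a note hinting it might be a plain bug; for the zend_extension entry the reasoning exists only in the commit log. This hunk also mixes those removals with the unrelated no-dsa tagging of the stream_get_meta_data entry, which would be easier to review and revert as a separate commit.
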
@@ -3432,6 +3421,8 @@
 	NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3
 CVE-2016-XXXX [Integer overflow in iptcembed()]
 	- php5 5.6.18+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
 	[squeeze] - php5 5.3.3.1-7+squeeze29
@@ -3442,6 +3433,8 @@
 	NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3
 CVE-2016-XXXX [Heap corruption in tar/zip/phar parser]
 	- php5 5.6.18+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
 	[squeeze] - php5 5.3.3.1-7+squeeze29
@@ -3452,6 +3445,8 @@
 	NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3
 CVE-2016-XXXX [NULL Pointer Dereference in phar_tar_setupmetadata()]
 	- php5 5.6.18+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
 	[squeeze] - php5 5.3.3.1-7+squeeze29
@@ -3463,6 +3458,8 @@
 CVE-2016-2554 [Stack overflow when decompressing tar archives]
 	RESERVED
 	- php5 5.6.18+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
 	NOTE: https://bugs.php.net/bug.php?id=71488
@@ -3472,6 +3469,8 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/5
 CVE-2016-XXXX [Type confusion vulnerability in WDDX packet deserialization]
 	- php5 5.6.18+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
 	NOTE: https://bugs.php.net/bug.php?id=71335
@@ -3480,6 +3479,8 @@
 	NOTE: Fixed in 5.6.18, 5.5.32, 7.0.3
 CVE-2016-XXXX [Crash on bad SOAP request]
 	- php5 5.6.18+dfsg-1
+	[wheezy] - php5 <no-dsa> (Minor issue, can be fixed in next update round)
+	[jessie] - php5 <no-dsa> (Minor issue, will be fixed in point update)
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
 	[squeeze] - php5 5.3.3.1-7+squeeze29
@@ -3488,13 +3489,6 @@
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305551
 	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=4308c868f94df1f2b99e80038ba5ea1076d919a7
 	NOTE: Fixed in 5.6.18, 7.0.3
-CVE-2016-XXXX [Segmentation fault in clean spl_autoload functions while autoloading]
-	- php5 5.6.18+dfsg-1
-	- php5.6 5.6.18+dfsg-1
-	- php7.0 7.0.3-1
-	NOTE: https://bugs.php.net/bug.php?id=71204
-	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=620ccc9b1a0a593786a364af15d45fd797a6cf1f
-	NOTE: Fixed in 5.6.18, 7.0.3
 CVE-2016-2330 (libavcodec/gif.c in FFmpeg before 2.8.6 does not properly calculate a ...)
 	- ffmpeg 2.8.6-1
 	- libav <undetermined>
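
Review bot: The removed spl_autoload entry had no note marking it as non-security, and the commit log only says "three PHP issues" without naming them. Listing the three bug references (bugs.php.net ids 71089, 71201 and 71204, as they appear in the deleted lines) in the log would make the removals searchable later if one of them is reassessed.
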

Modified: data/next-point-update.txt
===================================================================
--- data/next-point-update.txt	2016-03-23 22:13:08 UTC (rev 40541)
+++ data/next-point-update.txt	2016-03-23 22:37:07 UTC (rev 40542)
@@ -53,3 +53,24 @@
 	[jessie] - dolibarr 3.5.5+dfsg1-1+deb8u1
 CVE-2016-1494
 	[jessie] - python-rsa 3.1.4-1+deb8u1
+CVE-2016-2554
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-3141
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-3142
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-XXXX [Heap corruption in tar/zip/phar parser]
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-XXXX [Output of stream_get_meta_data can be falsified by its input]
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-XXXX [Crash on bad SOAP request]
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-XXXX [exec functions ignore length but look for NULL termination]
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-XXXX [Integer overflow in iptcembed()]
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-XXXX [NULL Pointer Dereference in phar_tar_setupmetadata()]
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+CVE-2016-XXXX [Type confusion vulnerability in WDDX packet deserialization]
+	[jessie] - php5 5.6.19+dfsg-0+deb8u1
+
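
Review bot: The last added line of this hunk is an empty "+" line, which leaves a trailing blank line at the end of data/next-point-update.txt; drop it. Separately, seven of the ten new entries are keyed only by "CVE-2016-XXXX [description]", so they match data/CVE/list by description text alone; when identifiers are assigned, both files need to be updated together or the point-update entries will no longer correspond to anything in the list.
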



