[Secure-testing-commits] r45971 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Fri Nov 4 14:11:13 UTC 2016 

Author: jmm
Date: 2016-11-04 14:11:13 +0000 (Fri, 04 Nov 2016)
New Revision: 45971

Modified:
   data/CVE/list
Log:
two jasper no-dsa
new libv8 issue


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-11-04 09:27:25 UTC (rev 45970)
+++ data/CVE/list	2016-11-04 14:11:13 UTC (rev 45971)
@@ -1089,7 +1089,8 @@
 	NOTE: and include the fix to not make jasper vulnerable to the incomplete fix.
 CVE-2016-8886 [memory allocation failure in jas_malloc (jas_malloc.c)]
 	RESERVED
-	- jasper <unfixed>
+	- jasper <unfixed> (low)
+	[jessie] - jasper <no-dsa> (Minor issue)
 	NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c
 CVE-2016-XXXX [sendmail: Privilege escalation from group smmsp to root]
 	- sendmail <unfixed> (bug #841257)
@@ -1254,9 +1255,10 @@
 	- jasper <unfixed> (bug #841110)
 	NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-double-free-in-mem_close-jas_stream-c/
 	NOTE: https://github.com/mdadams/jasper/issues/32
+	NOTE: https://github.com/mdadams/jasper/commit/33cc2cfa51a8d0fc3116d16cc1d8fc581b3f9e8d
 CVE-2016-8692 [FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c]
 	RESERVED
-	- jasper <unfixed> (bug #841111)
+	- jasper <unfixed> (low; bug #841111)
 	NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/
 	NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 (version-1.900.4)
 CVE-2016-8691 [FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c]
@@ -1266,7 +1268,8 @@
 	NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 (version-1.900.4)
 CVE-2016-8690 [SEGV on unknown address ... bmp_getdata ... bmp_dec.c]
 	RESERVED
-	- jasper <unfixed> (bug #841112)
+	- jasper <unfixed> (low; bug #841112)
+	[jessie] - jasper <no-dsa> (Minor issue)
 	NOTE: CVE ID for the first and fifth items of http://www.openwall.com/lists/oss-security/2016/08/23/6 post
 	NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/
 	NOTE: The original fix is incomplete resulting in two follow ups CVE-2016-8884 and
@@ -12900,6 +12903,8 @@
 	RESERVED
 	- chromium-browser <unfixed>
 	[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
+	- libv8 <unfixed> (unimportant)
+	NOTE: libv8 not covered by security support
 CVE-2016-5197
 	RESERVED
 CVE-2016-5196

More information about the Secure-testing-commits mailing list