[Secure-testing-commits] r46201 - data/CVE
Hugo Lefeuvre
hle at moszumanska.debian.org
Mon Nov 14 21:40:56 UTC 2016
Author: hle
Date: 2016-11-14 21:40:56 +0000 (Mon, 14 Nov 2016)
New Revision: 46201
Modified:
data/CVE/list
Log:
CVE triage for Xen in wheezy.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-11-14 21:18:28 UTC (rev 46200)
+++ data/CVE/list 2016-11-14 21:40:56 UTC (rev 46201)
@@ -22030,6 +22030,8 @@
- qemu-kvm <removed>
[wheezy] - qemu-kvm <no-dsa> (Minor issue)
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+ - xen 4.4.0-1
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=80eecda8e5d09c442c24307f340840a5b70ea3b9 (v2.6.0-rc0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1302299
CVE-2016-2391 (The ohci_bus_start function in the USB OHCI emulation support ...)
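Review bot: the added lines in this hunk give xen a fixed version (`- xen 4.4.0-1`) but no `[wheezy] - xen` line, so the entry still has no explicit wheezy state for xen even though the log message describes the commit as wheezy triage. The context just above already records `[wheezy] - qemu-kvm <no-dsa> (Minor issue)`; if the same assessment holds for the qemu copy embedded in wheezy's xen, a matching `[wheezy] - xen` line would record it, and if the entry is deliberately left open, a NOTE saying so would help the next person triaging. The next hunk (@@ -22040) has the same gap.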
@@ -22040,6 +22042,8 @@
- qemu-kvm <removed>
[wheezy] - qemu-kvm <no-dsa> (Minor issue)
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+ - xen 4.4.0-1
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=fa1298c2d623522eda7b4f1f721fcb935abb7360 (v2.6.0-rc0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1304794
NOTE: http://www.openwall.com/lists/oss-security/2016/02/16/2
@@ -24133,6 +24137,8 @@
[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+ - xen 4.4.0-1
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03454.html
NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=7c23b8920329180f48b8a147b629d8837709d201 (v0.10.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1298570
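Review bot: no `[wheezy] - xen` line follows the added `- xen 4.4.0-1` here, yet the context NOTE dates the issue to v0.10.0 and the other hunks in this commit give the embedded version as 0.10.2. Read together, those two facts suggest the copy embedded in wheezy's xen may contain the affected code, so this entry deserves an explicit wheezy line, or a NOTE stating why none is set, rather than an implicit state.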
@@ -27580,10 +27586,14 @@
[squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced after 1.0.50, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg02812.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283934
NOTE: http://www.openwall.com/lists/oss-security/2016/01/16/1
NOTE: Possibly introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=4917cf44326a1bda2fd7f27303aff7a25ad86518 (v1.6.0-rc0)
+ NOTE: kvmapic introduced after 1.0.50 (http://git.qemu.org/?p=qemu.git;a=commit;h=e5ad936b0fd7dfd7fd7908be6f9f1ca88f63b96b)
CVE-2016-0930 (Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.19 and 1.7.x before ...)
TODO: check
CVE-2016-0929 (The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry ...)
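Review bot: the reason on the added `[wheezy] - xen <not-affected>` line and the new trailing NOTE both date the code to "after 1.0.50", which is not written in the tag form the neighbouring NOTEs use and sits next to the existing "Possibly introduced in ... (v1.6.0-rc0)" NOTE without saying how the two relate. Suggest giving the first tag that contains the commit linked in the new NOTE, in the same "(vX.Y.Z-rcN)" style, and stating whether the kvmapic commit is a prerequisite for the v1.6.0-rc0 change or replaces that guess.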
@@ -39769,6 +39779,9 @@
[wheezy] - qemu <not-affected> (Vulnerable code introduced in 2.1.0)
[squeeze] - qemu <not-affected> (Vulnerable code introduced in 2.1.0)
- qemu-kvm <not-affected> (Vulnerable code introduced in 2.1.0)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 2.1.0, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: Fix: https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg02495.html
NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=bea60dd7679364493a0d7f5b (v2.1.0-rc0)
CVE-2015-5224 [login-utils: file name collision due to incorrect mkstemp use]
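Review bot: in the added `[wheezy] - xen <not-affected>` line the reason gives two version numbers without naming the package they belong to; on a xen line, "introduced in 2.1.0, embedded version is 0.10.2" can be read as Xen versions. Wording such as "Vulnerable code introduced in qemu 2.1.0, embedded qemu is 0.10.2" removes the ambiguity, and the same applies to the identically phrased reasons in the later hunks.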
@@ -40057,6 +40070,9 @@
[wheezy] - qemu <not-affected> (Vulnerable code not present)
[squeeze] - qemu <not-affected> (Vulnerable code not present)
- qemu-kvm <not-affected> (Vulnerable code not present)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code not present)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2015-07/msg04558.html
NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=1894df02811f6b79ea3ffbf1084599d96f316173 (v2.2.0-rc0)
CVE-2015-5157 (arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the ...)
@@ -50052,6 +50068,9 @@
[wheezy] - qemu <not-affected> (Websocket protocol support introduced in v1.4.0-rc0)
[squeeze] - qemu <not-affected> (Websocket protocol support introduced in v1.4.0-rc0)
- qemu-kvm <not-affected> (Websocket protocol support introduced in v1.4.0-rc0)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4.0-rc0, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html
NOTE: Original patches have problem: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04995.html
NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=a2bebfd6e09d
@@ -66474,6 +66493,9 @@
- qemu-kvm <removed>
[squeeze] - qemu-kvm <not-affected> (Introduced in 1.7)
[wheezy] - qemu-kvm <not-affected> (Introduced in 1.7)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.7, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2014-08/msg03338.html
NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=db4728e6fec0364b866d3106125974eedc00e091
CVE-2014-5382 (Multiple cross-site scripting (XSS) vulnerabilities in the web ...)
@@ -66875,6 +66897,9 @@
[wheezy] - qemu <not-affected> (Vulnerable code introduced in v1.6.0)
[squeeze] - qemu <not-affected> (Vulnerable code introduced in v1.6.0)
- qemu-kvm <not-affected> (Vulnerable code not present)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.6.0, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: patch http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56
CVE-2014-5269 (Plack::App::File in Plack before 1.0031 removes trailing slash ...)
{DLA-61-1}
@@ -81378,6 +81403,9 @@
[squeeze] - qemu <not-affected> (vhdx support introduced in 1.5)
[wheezy] - qemu <not-affected> (vhdx support introduced in 1.5)
- qemu-kvm <not-affected> (vhdx support introduced in 1.5)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.5, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
CVE-2014-0147
RESERVED
{DSA-3045-1 DSA-3044-1}