[Secure-testing-commits] r46336 - data/CVE
Hugo Lefeuvre
hle at moszumanska.debian.org
Sat Nov 19 08:21:13 UTC 2016
Author: hle
Date: 2016-11-19 08:21:13 +0000 (Sat, 19 Nov 2016)
New Revision: 46336
Modified:
data/CVE/list
Log:
CVE triage for Xen in wheezy.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-11-19 06:57:40 UTC (rev 46335)
+++ data/CVE/list 2016-11-19 08:21:13 UTC (rev 46336)
@@ -27695,9 +27695,13 @@
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
[wheezy] - qemu-kvm <no-dsa> (Minor issue)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced after 0.14.50, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb (v2.5.0-rc1)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283722
NOTE: http://www.openwall.com/lists/oss-security/2015/12/24/1
+ NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=23910d3f669d46073b403876e30a7314599633af
CVE-2016-1130 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...)
NOT-FOR-US: Adobe Reader and Acrobat
CVE-2016-1129 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...)
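Review bot: The same fact is recorded twice in this entry: the parenthetical on the added `[wheezy] - xen <not-affected>` line and the added NOTE at the end both say "Vulnerable code introduced after 0.14.50". Consider keeping the commit URL in the NOTE and limiting the parenthetical to the version comparison, so that a later correction only has to be made in one place.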
@@ -31541,6 +31545,8 @@
[jessie] - qemu-kvm <no-dsa> (Minor issue, can be fixed along in a later DSA)
[wheezy] - qemu-kvm <no-dsa> (Minor issue, can be fixed along in a later DSA)
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+ - xen 4.4.0-1
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
NOTE: http://www.openwall.com/lists/oss-security/2015/11/25/3
CVE-2015-8346 (app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before ...)
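Review bot: The added `- xen 4.4.0-1` line has no `[wheezy] - xen ...` line beneath it, although the log message says this is Xen triage for wheezy. With only a fixed version for unstable, any wheezy xen older than 4.4.0-1 is still tracked as open for this CVE. If that is the intended result, a NOTE saying the embedded qemu is affected would make it explicit; otherwise add the wheezy status as done for the other entries in this commit. The hunk at -34174 has the same gap.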
@@ -34174,6 +34180,8 @@
[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+ - xen 4.4.0-1
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06341.html
CVE-2015-7511 (Libgcrypt before 1.6.5 does not properly perform elliptic-point curve ...)
{DSA-3478-1 DSA-3474-1}
@@ -34240,6 +34248,7 @@
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06342.html
+ NOTE: Xen not affected in wheezy, CVE covered by XSA-162: https://marc.info/?l=oss-security&m=144888089404618&w=2
CVE-2015-7503 [Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey]
RESERVED
NOT-FOR-US: php-zend-crypt
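Review bot: The wheezy result is recorded only as free text in the added NOTE; this hunk adds no `- xen` or `[wheezy] - xen <not-affected>` line, unlike the other entries in this commit. If there is no xen entry above the visible context, add one so the status is machine-readable. The NOTE also says both "not affected" and "covered by XSA-162" without giving the reason wheezy is exempt, which reads as contradictory; state the reason as the other entries do.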
@@ -88641,6 +88650,9 @@
[wheezy] - qemu <not-affected> (Introduced in 1.4)
[squeeze] - qemu <not-affected> (Introduced in 1.4)
- qemu-kvm <not-affected> (Introduced in 1.4)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: see BTS bug #744213
CVE-2013-4543
REJECTED
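Review bot: `- xen 4.4.0-1` records 4.4.0-1 as the fixed version, but the stated justification is that Xen stopped embedding qemu there, and the wheezy line says the embedded copy (0.10.2) predates the vulnerable code from 1.4. If no xen upload ever embedded qemu 1.4 or later, `- xen <not-affected>` with that reason would describe the situation more accurately than a fixed version. Worth confirming which case applies; the same question holds for the following entries that use the 1.4 and 1.3.0 reasons.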
@@ -89294,6 +89306,9 @@
[wheezy] - qemu <not-affected> (Introduced in 1.4)
[squeeze] - qemu <not-affected> (Introduced in 1.4)
- qemu-kvm <not-affected> (Introduced in 1.4)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440
CVE-2013-4376 (The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server ...)
- x2goserver <itp> (bug #465821)
@@ -95701,6 +95716,9 @@
[wheezy] - qemu <not-affected> (vulnerability introduced in 1.3.0)
[squeeze] - qemu <not-affected> (vulnerability introduced in 1.3.0)
- qemu-kvm <not-affected> (vulnerability introduced in 1.3.0)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.3.0, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05013.html
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05254.html
NOTE: http://marc.info/?l=oss-security&m=136722323931507&w=2
@@ -95738,6 +95756,9 @@
CVE-2013-2007 (The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when ...)
- qemu <not-affected> (qemu guest agent introduced in 1.4, vulnerable versions were only in experimental)
- qemu-kvm <not-affected> (qemu guest agent introduced in 1.4)
+ - xen 4.4.0-1
+ [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, embedded version is 0.10.2)
+ NOTE: Xen switched to qemu-system in 4.4.0-1
CVE-2013-2006 (OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode ...)
- keystone 2013.1.1-2
[wheezy] - keystone <no-dsa> (Minor issue)
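Review bot: The added wheezy reason says "Vulnerable code introduced in 1.4", while the qemu and qemu-kvm lines just above it name the component ("qemu guest agent introduced in 1.4"). Reusing that wording on the xen line would make clear that the decision rests on the guest agent being absent from the embedded 0.10.2.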