[Secure-testing-commits] r46385 - data/CVE

Hugo Lefeuvre hle at moszumanska.debian.org
Mon Nov 21 18:08:48 UTC 2016


Author: hle
Date: 2016-11-21 18:08:48 +0000 (Mon, 21 Nov 2016)
New Revision: 46385

Modified:
   data/CVE/list
Log:
CVE triage for Xen in wheezy.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-11-21 16:17:56 UTC (rev 46384)
+++ data/CVE/list	2016-11-21 18:08:48 UTC (rev 46385)
@@ -34948,6 +34948,8 @@
 	- qemu-kvm <removed>
 	[wheezy] - qemu-kvm <no-dsa> (Minor issue; can be fixed along in a later DSA)
 	[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+	- xen 4.4.0-1
+	NOTE: Xen switched to qemu-system in 4.4.0-1
 	NOTE: http://www.openwall.com/lists/oss-security/2015/09/18/5
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04729.html
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04730.html
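Review bot: the added `- xen 4.4.0-1` entry has no `[wheezy] - xen` line, although the log message describes this commit as Xen triage for wheezy and the qemu-kvm entry directly above carries an explicit `[wheezy]` status. Add a `[wheezy] - xen <...>` line with the triage outcome and a short reason, as done in the later hunks, so the wheezy state is recorded rather than implied by the fixed version.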
@@ -35953,7 +35955,12 @@
 	- qemu-kvm <removed>
 	[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
 	[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+	- xen 4.4.0-1
+	NOTE: Xen switched to qemu-system in 4.4.0-1
 	NOTE: http://www.openwall.com/lists/oss-security/2015/09/10/1
+        NOTE: Fix commit: http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a
+        NOTE: exec_cmd introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=7cff87ff6ab117799e32e42c2e4dc4c0588e583a
+        NOTE: cmd_table introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=844505b12e722d9ba7060480e766351fc6313501
 CVE-2015-6927 (vzctl before 4.9.4 determines the virtual environment (VE) layout ...)
 	{DSA-3357-1}
 	- vzctl 4.9.4-1
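Review bot: the added notes tracing where `exec_cmd` and `cmd_table` were introduced read like the groundwork for a not-affected decision, but no `[wheezy] - xen` line is added to state the conclusion. Record the wheezy status explicitly, with the reason in parentheses. Also, the three added NOTE lines carrying the git.qemu.org links are indented with eight spaces, while the rest of the entry, including the two other added lines, uses a tab; use a tab to match the file.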
@@ -36095,6 +36102,8 @@
 	[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
 	- qemu-kvm <removed>
 	[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+	- xen 4.4.0-1
+	NOTE: Xen switched to qemu-system in 4.4.0-1
 	NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/4
 	NOTE: Upstream fix: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg01199.html
 CVE-2015-6816 [Ganglia-web auth bypass]
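Review bot: as added here, the `- xen 4.4.0-1` entry gives only the fixed version in unstable and no `[wheezy] - xen` status, which is the information the log message says this commit is triaging. Add the wheezy line with its tag and reason, or a note that the wheezy status is still undetermined.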
@@ -38683,6 +38692,9 @@
 	[squeeze] - qemu <not-affected> (Vulnerable code introduced later)
 	- qemu-kvm <removed>
 	[squeeze] - qemu-kvm <not-affected> (Vulnerable code introduced later)
+	- xen 4.4.0-1
+	[wheezy] - xen <not-affected> (Vulnerable code introduced later)
+	NOTE: Xen switched to qemu-system in 4.4.0-1
 	NOTE: http://www.openwall.com/lists/oss-security/2015/08/06/3
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=7882080388be5088e72c425b02223c02e6cb4295 (v2.4.0-rc3)
 	NOTE: Introduced in: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=98b19252cf1bd97c54bc4613f3537c5ec0aae263 (v0.13.0-rc0)
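Review bot: the reason on the added `[wheezy] - xen <not-affected>` line, "Vulnerable code introduced later", does not say which embedded qemu version it is being compared against. The existing note places the introduction at v0.13.0-rc0, so naming the qemu version embedded in wheezy's xen in the parenthetical, as the CCID entry further down does, would let a reader verify the claim from the entry alone.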
@@ -121312,6 +121324,10 @@
 	- qemu 0.15.1+dfsg-2
 	[lenny] - qemu <not-affected> (Vulnerable CCID code not present)
 	[squeeze] - qemu <not-affected> (Vulnerable CCID code not present)
+	- xen 4.4.0-1
+	[wheezy] - xen <not-affected> (Vulnerable code introduced after 0.14.50, embedded version is 0.10.2)
+	NOTE: Xen switched to qemu-system in 4.4.0-1
+        NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=edbb21363fbfe40e050f583df921484cbc31c79d
 CVE-2011-4110 (The user_update function in security/keys/user_defined.c in the Linux ...)
 	{DSA-2389-1}
 	- linux-2.6 3.1.4-1
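Review bot: the last added NOTE line (the one linking commit edbb2136...) is indented with eight spaces, while the other three added lines in this hunk and the surrounding entries use a tab; switch it to a tab. The "introduced after 0.14.50" statement also appears twice, once in the `[wheezy]` parenthetical and once in the NOTE; the NOTE could just say "Introduced in:" followed by the commit link, matching the wording used for other entries in the file.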
