[Secure-testing-commits] r45183 - in data: . CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Mon Oct 10 17:34:39 UTC 2016


Author: jmm
Date: 2016-10-10 17:34:38 +0000 (Mon, 10 Oct 2016)
New Revision: 45183

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
add and take icedove
glance no-dsa
radare2 fixed
fix CVE assignment for libbluray issue


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-10-10 16:55:24 UTC (rev 45182)
+++ data/CVE/list	2016-10-10 17:34:38 UTC (rev 45183)
@@ -29733,11 +29733,15 @@
 	RESERVED
 CVE-2015-7810
 	RESERVED
+	- libbluray 1:0.9.1-1 (low)
+	[jessie] - libbluray <no-dsa> (Minor issue, too intrusive to backport)
+	[wheezy] - libbluray <no-dsa> (Minor issue)
 	NOTE: CVE was assigned specific to the Fedora packages, cf.
 	NOTE: http://www.openwall.com/lists/oss-security/2015/10/12/7
-	NOTE: question if Debian needs a separate CVE is in
+	NOTE: Salvatored asked if Debian needs a separate CVE:
 	NOTE: http://www.openwall.com/lists/oss-security/2015/10/13/6
-	NOTE: (unreplied so far)
+	NOTE: No reply, so we'll just use the same ID
+	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434
 CVE-2015-7808 (The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 ...)
 	NOT-FOR-US: vBulletin
 CVE-2015-7807
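Review bot: the line `+	NOTE: Salvatored asked if Debian needs a separate CVE:` misspells the name; it should read `Salvatore asked if Debian needs a separate CVE:`. Separately, the libbluray block that this hunk effectively replaces (the `CVE-2013-XXXX [Directory traversal ...]` entry deleted at the `@@ -48216` hunk below) recorded the package as `<unfixed>`, whereas the new line `+	- libbluray 1:0.9.1-1 (low)` records it as fixed; add a NOTE pointing at the upstream commit or the changelog entry that establishes the fix so the jump from unfixed to fixed is traceable from the entry itself.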
@@ -37230,7 +37234,8 @@
 CVE-2015-5162 [Malicious image causes OOM on the compute host]
 	RESERVED
 	- cinder <unfixed>
-	- glance <unfixed>
+	- glance <unfixed> (low)
+	[jessie] - glance <no-dsa> (Minor issue)
 	- nova <unfixed> (low)
 	[jessie] - nova <no-dsa> (Minor issue)
 	[wheezy] - nova <no-dsa> (Minor issue)
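Review bot: the new `+	[jessie] - glance <no-dsa> (Minor issue)` line has no `[wheezy]` counterpart, while the nova entry directly below carries both `[jessie]` and `[wheezy]` no-dsa lines for the same issue; either add a matching wheezy line for glance or note in the entry why wheezy needs none. The `- cinder <unfixed>` line above still carries no severity or suite tags; if the same low/no-dsa triage applies to cinder, mark it consistently.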
@@ -47830,7 +47835,7 @@
 	[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
 	NOTE: Only exploitable through virusdb updates, which need to be trusted anywaya
 	- knews <not-affected> (Uses system regex code, see #778401)
-	- radare2 <unfixed> (low; bug #778402)
+	- radare2 0.10.5+dfsg-1 (low; bug #778402)
 	[jessie] - radare2 <no-dsa> (Minor issue)
 	[wheezy] - radare2 <no-dsa> (Minor issue)
 	- efl <not-affected> (Only used when building on Windows, see #778414)
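Review bot: the radare2 line moves from `<unfixed>` to `0.10.5+dfsg-1` but keeps the `bug #778402` pointer; confirm that #778402 is closed by that upload, or add a NOTE with the changelog reference, so the bug pointer on a fixed line does not read as a still-open bug. Pre-existing typo in the unchanged context line: `trusted anywaya` should be `trusted anyway`.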
@@ -48216,18 +48221,12 @@
 	NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
 CVE-2014-XXXX [RPATH set to untrusted directory]
 	[experimental] - noise <unfixed> (bug #759868)
-CVE-2013-XXXX [Directory traversal when expanding certain JAR files]
-	- libbluray <unfixed>
-	[jessie] - libbluray <no-dsa> (Minor issue)
-	[wheezy] - libbluray <no-dsa> (Minor issue)
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/9
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434
 CVE-2013-XXXX [TOCTOU race when expanding JAR files]
-	- libbluray <unfixed> (unimportant)
+	- libbluray 0.7.0-1 (unimportant)
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/9
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959433
 	NOTE: libbluray is only in wheezy and later and the issue is neutered by the kernel hardening for /tmp
-	NOTE: Affected code removed in 0.7.0-1 in experimental
+	NOTE: Affected code removed in 0.7.0-1
 CVE-2013-7437 (Multiple integer overflows in potrace 1.11 allow remote attackers to ...)
 	- potrace 1.12-1 (bug #778646)
 	[wheezy] - potrace <no-dsa> (Minor issue)
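Review bot: deleting the `CVE-2013-XXXX [Directory traversal when expanding certain JAR files]` block drops its `NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/9` line, and that reference is not carried over to the CVE-2015-7810 entry where the issue now lives (only the bugzilla 959434 link was moved); add the oss-security request link there so the original CVE request stays traceable. Dropping `in experimental` from the TOCTOU note is consistent with the same hunk now recording the fix as `0.7.0-1`.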

Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt	2016-10-10 16:55:24 UTC (rev 45182)
+++ data/dsa-needed.txt	2016-10-10 17:34:38 UTC (rev 45183)
@@ -18,6 +18,8 @@
 --
 graphicsmagick (luciano)
 --
+icedove
+--
 icu
   NOTE: In trying to address CVE-2016-7415 for wheezy/lts, I (Roberto C. Sanchez)
   have been unable to reproduce the crash as described in the PHP bug report
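Review bot: the new `+icedove` line records no claimant, but the commit log says `add and take icedove`, and the neighbouring entry shows the file's convention for a claimed item: `graphicsmagick (luciano)`. Write the entry as `icedove (jmm)` (jmm being the author of this commit) so the claim is recorded in dsa-needed.txt rather than only in the log message.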
