[Secure-testing-commits] r45183 - in data: . CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Mon Oct 10 17:34:39 UTC 2016
Author: jmm
Date: 2016-10-10 17:34:38 +0000 (Mon, 10 Oct 2016)
New Revision: 45183
Modified:
data/CVE/list
data/dsa-needed.txt
Log:
add and take icedove
glance no-dsa
radare2 fixed
fix CVE assignment for libbluray issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-10-10 16:55:24 UTC (rev 45182)
+++ data/CVE/list 2016-10-10 17:34:38 UTC (rev 45183)
@@ -29733,11 +29733,15 @@
RESERVED
CVE-2015-7810
RESERVED
+ - libbluray 1:0.9.1-1 (low)
+ [jessie] - libbluray <no-dsa> (Minor issue, too intrusive to backport)
+ [wheezy] - libbluray <no-dsa> (Minor issue)
NOTE: CVE was assigned specific to the Fedora packages, cf.
NOTE: http://www.openwall.com/lists/oss-security/2015/10/12/7
- NOTE: question if Debian needs a separate CVE is in
+ NOTE: Salvatored asked if Debian needs a separate CVE:
NOTE: http://www.openwall.com/lists/oss-security/2015/10/13/6
- NOTE: (unreplied so far)
+ NOTE: No reply, so we'll just use the same ID
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434
CVE-2015-7808 (The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 ...)
NOT-FOR-US: vBulletin
CVE-2015-7807
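Review bot: The added `+ NOTE: Salvatored asked if Debian needs a separate CVE:` line misspells the name; it should read "Salvatore asked". Also, since this entry now carries the libbluray directory-traversal issue previously tracked under a CVE-2013-XXXX placeholder, it would help future readers to add a NOTE here pointing to the original CVE request (http://www.openwall.com/lists/oss-security/2015/02/06/9) so that link is not lost when the placeholder entry is dropped.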
@@ -37230,7 +37234,8 @@
CVE-2015-5162 [Malicious image causes OOM on the compute host]
RESERVED
- cinder <unfixed>
- - glance <unfixed>
+ - glance <unfixed> (low)
+ [jessie] - glance <no-dsa> (Minor issue)
- nova <unfixed> (low)
[jessie] - nova <no-dsa> (Minor issue)
[wheezy] - nova <no-dsa> (Minor issue)
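Review bot: The glance entry gains `[jessie] - glance <no-dsa> (Minor issue)` but no matching `[wheezy]` line, while the nova entry directly below carries both `[jessie]` and `[wheezy]` no-dsa markers with the same rationale. If glance ships in wheezy, a `[wheezy] - glance <no-dsa> (Minor issue)` line is missing; if it does not, a short NOTE saying so would make the asymmetry deliberate rather than an oversight.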
@@ -47830,7 +47835,7 @@
[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
NOTE: Only exploitable through virusdb updates, which need to be trusted anywaya
- knews <not-affected> (Uses system regex code, see #778401)
- - radare2 <unfixed> (low; bug #778402)
+ - radare2 0.10.5+dfsg-1 (low; bug #778402)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
- efl <not-affected> (Only used when building on Windows, see #778414)
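Review bot: The change to `+ - radare2 0.10.5+dfsg-1 (low; bug #778402)` records the fix in unstable while the `[jessie]` and `[wheezy]` `<no-dsa>` lines stay, which is consistent with the "Minor issue" rationale. As a small style point, the unchanged context line two lines above has a typo ("anywaya" for "anyway") that could be corrected in passing since this region is being touched.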
@@ -48216,18 +48221,12 @@
NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=2f1a2dd329b91afe561cd06b872d09630d4edb6a
CVE-2014-XXXX [RPATH set to untrusted directory]
[experimental] - noise <unfixed> (bug #759868)
-CVE-2013-XXXX [Directory traversal when expanding certain JAR files]
- - libbluray <unfixed>
- [jessie] - libbluray <no-dsa> (Minor issue)
- [wheezy] - libbluray <no-dsa> (Minor issue)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/9
- NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434
CVE-2013-XXXX [TOCTOU race when expanding JAR files]
- - libbluray <unfixed> (unimportant)
+ - libbluray 0.7.0-1 (unimportant)
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/06/9
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959433
NOTE: libbluray is only in wheezy and later and the issue is neutered by the kernel hardening for /tmp
- NOTE: Affected code removed in 0.7.0-1 in experimental
+ NOTE: Affected code removed in 0.7.0-1
CVE-2013-7437 (Multiple integer overflows in potrace 1.11 allow remote attackers to ...)
- potrace 1.12-1 (bug #778646)
[wheezy] - potrace <no-dsa> (Minor issue)
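Review bot: Dropping the whole `CVE-2013-XXXX [Directory traversal when expanding certain JAR files]` block loses the `NOTE: CVE Request:` reference and the `[jessie]`/`[wheezy]` `<no-dsa>` history for that issue; the commit log says "fix CVE assignment", but nothing in this hunk says where the entry went. Consider leaving a one-line NOTE under the TOCTOU entry (or in the CVE-2015-7810 entry) stating that the directory-traversal issue is now tracked as CVE-2015-7810, so the two bugzilla references (959433 and 959434) remain linked. The TOCTOU change itself, `+ - libbluray 0.7.0-1 (unimportant)` with the NOTE reworded to "Affected code removed in 0.7.0-1", is consistent.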
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2016-10-10 16:55:24 UTC (rev 45182)
+++ data/dsa-needed.txt 2016-10-10 17:34:38 UTC (rev 45183)
@@ -18,6 +18,8 @@
--
graphicsmagick (luciano)
--
+icedove
+--
icu
NOTE: In trying to address CVE-2016-7415 for wheezy/lts, I (Roberto C. Sanchez)
have been unable to reproduce the crash as described in the PHP bug report
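Review bot: The commit log says "add and take icedove", but the added line is a bare `+icedove` with no assignee, whereas the neighbouring `graphicsmagick (luciano)` entry shows the convention of recording who has claimed a package. If the intent is to take the update, the line should read `icedove (jmm)` so other team members can see it is already being worked on.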