[Secure-testing-commits] r50417 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Thu Apr 6 19:06:16 UTC 2017
Author: jmm
Date: 2017-04-06 19:06:16 +0000 (Thu, 06 Apr 2017)
New Revision: 50417
Modified:
data/CVE/list
Log:
ntp n/a
ghostscript n/a
mupdf n/a
yara no-dsa
radare2 no-dsa or n/a
foreman ITP
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-04-06 18:37:46 UTC (rev 50416)
+++ data/CVE/list 2017-04-06 19:06:16 UTC (rev 50417)
@@ -2968,6 +2968,7 @@
CVE-2017-6448 (The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 ...)
[experimental] - radare2 1.3.0+dfsg-1
- radare2 <unfixed> (bug #859447)
+ [jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/f41e941341e44aa86edd4483c4487ec09a074257 (1.3.0-git)
NOTE: https://github.com/radare/radare2/issues/6885
CVE-2017-6447
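Review bot: The new `[jessie] - radare2 <no-dsa> (Minor issue)` line for CVE-2017-6448 has no `[wheezy]` counterpart, while the CVE-2017-6194 entry in the next hunk records a wheezy status. The log message also says "no-dsa or n/a" for radare2, so if wheezy was checked for this one, add its line here too; if it was not, the entry leaves wheezy implicitly at the `<unfixed>` state.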
@@ -3849,6 +3850,7 @@
CVE-2017-6194 (The relocs function in libr/bin/p/bin_bflt.c in radare2 1.2.1 allows ...)
[experimental] - radare2 1.3.0+dfsg-1
- radare2 <unfixed> (bug #859448)
+ [jessie] - radare2 <not-affected> (Vulnerable code not present)
[wheezy] - radare2 <not-affected> (Vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/72794dc3523bbd5bb370de3c5857cb736c387e18 (1.3.0-git)
NOTE: https://github.com/radare/radare2/issues/6829
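Review bot: The reason on the added jessie line, "(Vulnerable code not present)", does not say what was checked. The CVE summary names the relocs function in libr/bin/p/bin_bflt.c, so stating whether that file or that function is absent in the jessie version would make the triage verifiable, in the same way the ghostscript entry later in this commit names the missing function.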
@@ -4500,9 +4502,8 @@
- webkitgtk <unfixed> (unimportant)
NOTE: Not covered by security support
CVE-2016-10221 (The count_entries function in pdf-layer.c in Artifex Software, Inc. ...)
- - mupdf <undetermined>
+ - mupdf <not-affected> (Vulnerable code not yet present)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697400
- TODO: check
CVE-2016-10220 (The gs_makewordimagedevice function in base/gsdevmem.c in Artifex ...)
- ghostscript <unfixed> (bug #859694)
[jessie] - ghostscript <no-dsa> (Minor issue)
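Review bot: The mupdf line for CVE-2016-10221 moves from `<undetermined>` to an unversioned `<not-affected>` with the reason "Vulnerable code not yet present", and the `TODO: check` is dropped in the same change. "Not yet present" implies a later upstream version does contain the code, so the entry will need revisiting on the next upload. A NOTE recording the upstream version or commit that introduces count_entries in pdf-layer.c would keep that follow-up from being lost now that the TODO is gone.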
@@ -4520,7 +4521,8 @@
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697444
CVE-2016-10217 (The pdf14_open function in base/gdevp14.c in Artifex Software, Inc. ...)
- ghostscript <unfixed> (bug #859662)
- [wheezy] - ghostscript <not-affected> (Unreproducible in wheezy)
+ [jessie] - ghostscript <not-affected> (pdf14_cleanup_parent_color_profiles not yet present)
+ [wheezy] - ghostscript <not-affected> (pdf14_cleanup_parent_color_profiles not yet present)
NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697456
NOTE: I can reproduce the issue in stretch/sid with valgrind (ghostscript 9.20~dfsg-3) but not in wheezy and not in jessie -- Raphael Hertzog
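Review bot: The new jessie and wheezy reasons for CVE-2016-10217 cite pdf14_cleanup_parent_color_profiles, but the CVE summary on the entry names pdf14_open in base/gdevp14.c, and no NOTE explains how the two relate. One NOTE line stating that the flaw or its fix lives in pdf14_cleanup_parent_color_profiles would connect the rationale to the referenced commit. The remaining NOTE from Raphael Hertzog about not reproducing in wheezy and jessie is consistent with the new status and can stay.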
@@ -4589,8 +4591,10 @@
NOT-FOR-US: Hardware issue in some Intel CPUs
CVE-2017-5924 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a ...)
- yara <unfixed>
+ [jessie] - yara <no-dsa> (Minor issue)
CVE-2017-5923 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a ...)
- yara <unfixed>
+ [jessie] - yara <no-dsa> (Minor issue)
CVE-2017-5922
RESERVED
CVE-2017-5921
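Review bot: The yara entries marked `<no-dsa> (Minor issue)` here, and the two in the following hunk, carry no bug number on the `- yara <unfixed>` line and no NOTE pointing at an upstream issue or commit. With nothing to reference, the "Minor issue" call cannot be checked from the tracker, and there is no bug through which the unstable fix will be followed. Consider adding the upstream references as NOTE lines and filing a bug for the `<unfixed>` state.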
@@ -4599,8 +4603,10 @@
RESERVED
CVE-2016-10211 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a ...)
- yara <unfixed>
+ [jessie] - yara <no-dsa> (Minor issue)
CVE-2016-10210 (libyara/lexer.l in YARA 3.5.0 allows remote attackers to cause a denial ...)
- yara <unfixed>
+ [jessie] - yara <no-dsa> (Minor issue)
CVE-2016-10209 (The archive_wstring_append_from_mbs function in archive_string.c in ...)
- libarchive <unfixed> (bug #859456)
[jessie] - libarchive <no-dsa> (Minor issue)
@@ -21364,7 +21370,13 @@
CVE-2016-9042
RESERVED
- ntp 1:4.2.8p10+dfsg-1
+ [jessie] - ntp <not-affected> (Doesn't use the affected upstream patch)
+ NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0260/
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3361
+ NOTE: This vulnerability affects the upstream fix for CVE-2015-8138, but Debian
+ NOTE: jessie (and probably also wheezy) use a less invasive patch by Miroslav Lichvar
+ NOTE: of Red Hat, as available here:
+ NOTE: http://pkgs.fedoraproject.org/cgit/rpms/ntp.git/tree/ntp-4.2.6p5-cve-2015-8138.patch?h=f24
CVE-2016-9041
REJECTED
CVE-2016-9040
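Review bot: The added NOTE for CVE-2016-9042 says "jessie (and probably also wheezy)" use the Miroslav Lichvar patch, but only a `[jessie]` `<not-affected>` line is added, so wheezy is left at an unverified guess. Either confirm which CVE-2015-8138 patch wheezy carries and add the matching `[wheezy]` line, or drop the parenthetical so the note states only what was checked. The patch URL is also pinned to a branch view (`?h=f24`), which may not stay stable; a commit-specific link would be more durable if one is available.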