[Secure-testing-commits] r50417 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Thu Apr 6 19:06:16 UTC 2017 

Author: jmm
Date: 2017-04-06 19:06:16 +0000 (Thu, 06 Apr 2017)
New Revision: 50417

Modified:
   data/CVE/list
Log:
ntp n/a
ghostscript n/a
mupdf n/a
yara no-dsa
radare2 no-dsa or n/a
foreman ITP


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-04-06 18:37:46 UTC (rev 50416)
+++ data/CVE/list	2017-04-06 19:06:16 UTC (rev 50417)
@@ -2968,6 +2968,7 @@
 CVE-2017-6448 (The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 ...)
 	[experimental] - radare2 1.3.0+dfsg-1
 	- radare2 <unfixed> (bug #859447)
+	[jessie] - radare2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/radare/radare2/commit/f41e941341e44aa86edd4483c4487ec09a074257 (1.3.0-git)
 	NOTE: https://github.com/radare/radare2/issues/6885
 CVE-2017-6447
@@ -3849,6 +3850,7 @@
 CVE-2017-6194 (The relocs function in libr/bin/p/bin_bflt.c in radare2 1.2.1 allows ...)
 	[experimental] - radare2 1.3.0+dfsg-1
 	- radare2 <unfixed> (bug #859448)
+	[jessie] - radare2 <not-affected> (Vulnerable code not present)
 	[wheezy] - radare2 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/radare/radare2/commit/72794dc3523bbd5bb370de3c5857cb736c387e18 (1.3.0-git)
 	NOTE: https://github.com/radare/radare2/issues/6829
@@ -4500,9 +4502,8 @@
 	- webkitgtk <unfixed> (unimportant)
 	NOTE: Not covered by security support
 CVE-2016-10221 (The count_entries function in pdf-layer.c in Artifex Software, Inc. ...)
-	- mupdf <undetermined>
+	- mupdf <not-affected> (Vulnerable code not yet present)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697400
-	TODO: check
 CVE-2016-10220 (The gs_makewordimagedevice function in base/gsdevmem.c in Artifex ...)
 	- ghostscript <unfixed> (bug #859694)
 	[jessie] - ghostscript <no-dsa> (Minor issue)
@@ -4520,7 +4521,8 @@
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697444
 CVE-2016-10217 (The pdf14_open function in base/gdevp14.c in Artifex Software, Inc. ...)
 	- ghostscript <unfixed> (bug #859662)
-	[wheezy] - ghostscript <not-affected> (Unreproducible in wheezy)
+	[jessie] - ghostscript <not-affected> (pdf14_cleanup_parent_color_profiles not yet present)
+	[wheezy] - ghostscript <not-affected> (pdf14_cleanup_parent_color_profiles not yet present)
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697456
 	NOTE: I can reproduce the issue in stretch/sid with valgrind (ghostscript 9.20~dfsg-3) but not in wheezy and not in jessie -- Raphael Hertzog
@@ -4589,8 +4591,10 @@
 	NOT-FOR-US: Hardware issue in some Intel CPUs
 CVE-2017-5924 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a ...)
 	- yara <unfixed>
+	[jessie] - yara <no-dsa> (Minor issue)
 CVE-2017-5923 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a ...)
 	- yara <unfixed>
+	[jessie] - yara <no-dsa> (Minor issue)
 CVE-2017-5922
 	RESERVED
 CVE-2017-5921
@@ -4599,8 +4603,10 @@
 	RESERVED
 CVE-2016-10211 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a ...)
 	- yara <unfixed>
+	[jessie] - yara <no-dsa> (Minor issue)
 CVE-2016-10210 (libyara/lexer.l in YARA 3.5.0 allows remote attackers to cause a denial ...)
 	- yara <unfixed>
+	[jessie] - yara <no-dsa> (Minor issue)
 CVE-2016-10209 (The archive_wstring_append_from_mbs function in archive_string.c in ...)
 	- libarchive <unfixed> (bug #859456)
 	[jessie] - libarchive <no-dsa> (Minor issue)
@@ -21364,7 +21370,13 @@
 CVE-2016-9042
 	RESERVED
 	- ntp 1:4.2.8p10+dfsg-1
+	[jessie] - ntp <not-affected> (Doesn't use the affected upstream patch)
+	NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0260/
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3361
+	NOTE: This vulnerability affects the upstream fix for CVE-2015-8138, but Debian
+	NOTE: jessie (and probably also wheezy) use a less invasive patch by Miroslav Lichvar
+	NOTE: of Red Hat, as available here:
+	NOTE: http://pkgs.fedoraproject.org/cgit/rpms/ntp.git/tree/ntp-4.2.6p5-cve-2015-8138.patch?h=f24
 CVE-2016-9041
 	REJECTED
 CVE-2016-9040

More information about the Secure-testing-commits mailing list