[Secure-testing-commits] r50575 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Tue Apr 11 16:05:20 UTC 2017
Author: jmm
Date: 2017-04-11 16:05:19 +0000 (Tue, 11 Apr 2017)
New Revision: 50575
Modified:
data/CVE/list
Log:
libnl unimportant
golang-go.crypto no-dsa
elfutils n/a
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-04-11 14:08:38 UTC (rev 50574)
+++ data/CVE/list 2017-04-11 16:05:19 UTC (rev 50575)
@@ -90,6 +90,7 @@
NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c/
CVE-2017-7609 (elf_compress.c in elfutils 0.168 does not validate the zlib compression ...)
- elfutils <unfixed> (bug #859994)
+ [jessie] - elfutils <not-affected> (Vulnerable code not present)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21301
NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c/
CVE-2017-7608 (The ebl_object_note_type_name function in eblobjnotetypename.c in ...)
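Review bot: the new `[jessie] - elfutils <not-affected> (Vulnerable code not present)` line gives no way to re-verify the claim; since the CVE text ties the bug to elf_compress.c in elfutils 0.168, the reason string should say which upstream release introduced that file, so the jessie assessment can be re-checked against the jessie package version without repeating the analysis.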
@@ -12725,6 +12726,7 @@
RESERVED
CVE-2017-3204 (The Go SSH library (x/crypto/ssh) by default does not verify host ...)
- golang-go.crypto <unfixed> (bug #859655)
+ [jessie] - golang-go.crypto <no-dsa> (In jessie no rdeps using SSH, that version doesn't even support host key validation)
NOTE: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
NOTE: https://github.com/golang/go/issues/19767
CVE-2017-3203
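Review bot: the `<no-dsa>` rationale on the `[jessie] - golang-go.crypto` line rests on a reverse-dependency check ("no rdeps using SSH"), which is a point-in-time observation and can go stale if a jessie package later gains an SSH user; the second half ("that version doesn't even support host key validation") is the more durable fact and should lead the reason string, e.g. `(jessie version has no host key validation at all; no rdeps using SSH)`. The `no-dsa` choice rather than `not-affected` is consistent with the package still lacking verification, so only the wording needs the change.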
@@ -18698,10 +18700,12 @@
NOT-FOR-US: Android
CVE-2017-0553 (An elevation of privilege vulnerability in libnl could enable a local ...)
{DLA-892-1 DLA-891-1}
- - libnl3 3.2.27-2 (bug #859948)
- - libnl <removed>
+ - libnl3 3.2.27-2 (unimportant; bug #859948)
+ - libnl <removed> (unimportant)
NOTE: Fixed by: http://git.infradead.org/users/tgr/libnl.git/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb
NOTE: Fix via Android: https://android.googlesource.com/platform/external/libnl/+/f83d9c1c67b6be69a96995e384f50b572b667df0
+ NOTE: Not a security issue by itself, the upstream patch protects against API misuse,
+ NOTE: this still requires missing input validation in the application using libnl
CVE-2017-0552 (A remote denial of service vulnerability in libavc in Mediaserver ...)
NOT-FOR-US: Android Mediaserver / libavc
CVE-2017-0551 (A remote denial of service vulnerability in libavc in Mediaserver ...)
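Review bot: the `(unimportant; bug #859948)` and `(unimportant)` tags on the libnl3 and libnl lines sit under an entry that still carries `{DLA-892-1 DLA-891-1}`, so readers will see advisories issued for an issue now rated unimportant; the added NOTE lines explain why it is not a security issue on its own, but should also state that the downgrade post-dates the DLAs so it is not read as retracting them. The NOTE text itself splits one sentence across two `NOTE:` lines with a trailing comma; joining it into a single line, or ending the first NOTE at a clause boundary ("...protects against API misuse." / "...the application using libnl must still validate its input."), keeps each NOTE readable on its own.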