[Secure-testing-commits] r50891 - in data: . CVE

Emilio Pozuelo Monfort pochu at moszumanska.debian.org
Fri Apr 21 17:32:11 UTC 2017


Author: pochu
Date: 2017-04-21 17:32:11 +0000 (Fri, 21 Apr 2017)
New Revision: 50891

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
CVE-2016-6711 / CVE-2017-0393: mark as no-dsa for wheezy

These won't cause a device hang or reboot on non-Android, so they aren't
high for us. Also the wheezy version is too old and the codebase has
changed, making it difficult to backport the fix for CVE-2016-6711.



Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-04-21 17:29:21 UTC (rev 50890)
+++ data/CVE/list	2017-04-21 17:32:11 UTC (rev 50891)
@@ -20330,6 +20330,7 @@
 	NOT-FOR-US: Android Telephony
 CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver could ...)
 	- libvpx 1.6.1-1
+	[wheezy] - libvpx <no-dsa> (Minor issue)
 	NOTE: probably fixed earlier, but this was the version checked
 	NOTE: The wheezy source is confirmed (by code inspection) to be vulnerable.
 	NOTE: https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc
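Review bot: The added `[wheezy] - libvpx <no-dsa> (Minor issue)` line for CVE-2017-0393 gives only a generic reason, while the actual rationale (no device hang or reboot on non-Android) lives only in the commit log. The NOTE two lines below it states that the wheezy source is confirmed vulnerable, so a reader of the tracker entry sees a vulnerable package marked minor with no explanation. Consider a more specific parenthetical, or an extra NOTE line recording that the impact is Android-specific.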
@@ -30269,6 +30270,7 @@
 	NOTE: probably fixed earlier, but this was the version checked
 CVE-2016-6711 (A remote denial of service vulnerability in libvpx in Mediaserver in ...)
 	- libvpx 1.6.1-1
+	[wheezy] - libvpx <no-dsa> (Minor issue)
 	NOTE: probably fixed earlier, but this was the version checked
 	NOTE: Wheezy is confirmed (by code inspection) to have vulnerable source.
 	NOTE: https://android.googlesource.com/platform/external/libvpx/+/063be1485e0099bc81ace3a08b0ec9186dcad693
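Review bot: For CVE-2016-6711 the added `<no-dsa> (Minor issue)` reason sits directly under a description that reads "remote denial of service" and above a NOTE confirming wheezy has vulnerable source, and it leaves out the second reason from the commit log: the wheezy codebase has changed and the fix is difficult to backport. Recording that in the parenthetical or in a NOTE line would save anyone revisiting this entry from repeating the backport assessment.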

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-04-21 17:29:21 UTC (rev 50890)
+++ data/dla-needed.txt	2017-04-21 17:32:11 UTC (rev 50891)
@@ -54,9 +54,6 @@
 --
 libsndfile
 --
-libvpx (Emilio Pozuelo)
-  NOTE: The CVEs needs further triaging.
---
 linux
 --
 mcollective
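Review bot: The removed `NOTE: The CVEs needs further triaging.` never named which CVEs were pending, so this hunk on its own does not show that CVE-2016-6711 and CVE-2017-0393 were the only open libvpx items for wheezy. It is worth confirming that before dropping the entry. The removal does take the trailing `--` separator with it, so the libsndfile and linux entries stay correctly delimited.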



