[Secure-testing-commits] r58339 - in data: . CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Thu Dec 7 20:59:36 UTC 2017
Author: jmm
Date: 2017-12-07 20:59:36 +0000 (Thu, 07 Dec 2017)
New Revision: 58339
Modified:
data/CVE/list
data/dsa-needed.txt
Log:
various no-dsa
add two openssl and sqlite to dsa-needed
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-12-07 19:29:48 UTC (rev 58338)
+++ data/CVE/list 2017-12-07 20:59:36 UTC (rev 58339)
@@ -1,8 +1,12 @@
CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead ...)
- - libsndfile <unfixed>
+ - libsndfile <unfixed> (low)
+ [stretch] - libsndfile <no-dsa> (Minor issue)
+ [jessie] - libsndfile <no-dsa> (Minor issue)
NOTE: https://github.com/erikd/libsndfile/issues/344
CVE-2017-17456 (The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead ...)
- - libsndfile <unfixed>
+ - libsndfile <unfixed> (low)
+ [stretch] - libsndfile <no-dsa> (Minor issue)
+ [jessie] - libsndfile <no-dsa> (Minor issue)
NOTE: https://github.com/erikd/libsndfile/issues/344
CVE-2017-17455
RESERVED
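Review bot: both libsndfile entries are marked <no-dsa> for stretch and jessie with only "Minor issue" as justification, and the NOTE lines just link upstream issue 344 for the two sibling functions (d2ulaw_array and d2alaw_array). Consider adding one NOTE line stating why the issue is considered minor, as the swftools entries in this same commit do ("Crash in CLI tool, ..."), so the rating can be re-checked once an upstream fix is recorded.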
@@ -3605,7 +3609,9 @@
CVE-2017-16934 (The web server on DBL DBLTek devices allows remote attackers to execute ...)
NOT-FOR-US: DBL DBLTek devices
CVE-2017-16933 (etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.0 has a chown ...)
- - icinga2 <unfixed> (bug #883247)
+ - icinga2 <unfixed> (low; bug #883247)
+ [stretch] - icinga2 <no-dsa> (Minor issue)
+ [jessie] - icinga2 <no-dsa> (Minor issue)
NOTE: https://github.com/Icinga/icinga2/issues/5793
CVE-2016-10700 (auth_login.php in Cacti before 1.0.0 allows remote authenticated users ...)
- cacti 0.8.8h+ds1-5 (bug #833420)
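Review bot: CVE-2017-16933 is downgraded to (low) and marked <no-dsa> for stretch and jessie, but the description points at a chown in an init-system helper (etc/initsystem/prepare-dirs), which is the usual pattern for a local privilege escalation, and the hunk records no reason why it is considered minor. Suggest a NOTE with the rationale next to the upstream issue link, so the rating is reviewable later.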
@@ -3936,8 +3942,9 @@
NOTE: https://github.com/upx/upx/issues/146
NOTE: crash in CLI tool, no security impact
CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c does not ...)
- - swftools <unfixed>
+ - swftools <unfixed> (unimportant)
NOTE: https://github.com/matthiaskramm/swftools/issues/52
+ NOTE: Crash in CLI tool, no security impact
CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
NOT-FOR-US: Amazon Key
CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis ...)
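Review bot: CVE-2017-16868 is rated (unimportant) as a CLI crash, yet later in this commit CVE-2017-16793, which its description places in the same function (wav_convert2mono in lib/wav.c), is kept at <unfixed> with <no-dsa> (Minor issue) for stretch and jessie instead. If the difference is intentional, record the distinguishing reason in the NOTE; otherwise align the two ratings.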
@@ -4020,23 +4027,31 @@
CVE-2017-1000188 (nodejs ejs version older than 2.5.5 is vulnerable to a ...)
NOT-FOR-US: nodejs ejs
CVE-2017-1000187 (In SWFTools, an address access exception was found in pdf2swf. ...)
- - swftools <unfixed>
+ - swftools <unfixed> (unimportant)
NOTE: https://github.com/matthiaskramm/swftools/issues/36
+ NOTE: Crash in CLI tool, no security implications
CVE-2017-1000186 (In SWFTools, a stack overflow was found in pdf2swf. ...)
- - swftools <unfixed>
+ - swftools <unfixed> (unimportant)
NOTE: https://github.com/matthiaskramm/swftools/issues/34
+ NOTE: Crash in CLI tool, no security implications
CVE-2017-1000185 (In SWFTools, a memcpy buffer overflow was found in gif2swf. ...)
- swftools <unfixed>
+ [stretch] - swftools <no-dsa> (Minor issue)
+ [jessie] - swftools <no-dsa> (Minor issue)
NOTE: https://github.com/matthiaskramm/swftools/issues/33
CVE-2017-1000182 (In SWFTools, a memory leak was found in wav2swf. ...)
- - swftools <unfixed>
+ - swftools <unfixed> (unimportant)
NOTE: https://github.com/matthiaskramm/swftools/issues/30
+ NOTE: Crash in CLI tool, no security implications
CVE-2017-1000176 (In SWFTools, a memcpy buffer overflow was found in swfc. ...)
- swftools <unfixed>
+ [stretch] - swftools <no-dsa> (Minor issue)
+ [jessie] - swftools <no-dsa> (Minor issue)
NOTE: https://github.com/matthiaskramm/swftools/issues/23
CVE-2017-1000174 (In SWFTools, an address access exception was found in swfdump ...)
- - swftools <unfixed>
+ - swftools <unfixed> (unimportant)
NOTE: https://github.com/matthiaskramm/swftools/issues/21
+ NOTE: Crash in CLI tool, no security implications
CVE-2017-1000173 (Creolabs Gravity Version: 1.0 Heap Overflow Potential Code Execution. ...)
NOT-FOR-US: Creolabs Gravity
CVE-2017-1000172 (Creolabs Gravity Version: 1.0 Use-After-Free Possible code execution. ...)
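Review bot: the NOTE added under CVE-2017-1000182 says "Crash in CLI tool", but that entry's description is a memory leak in wav2swf, not a crash; the justification should match the issue (e.g. "Memory leak in CLI tool, no security implications"). Separately, CVE-2017-1000185 and CVE-2017-1000176 gain <no-dsa> lines for stretch and jessie while their unstable line keeps no severity tag, unlike the libsndfile and icinga2 entries earlier in this commit which get (low); consider tagging them the same way.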
@@ -4449,17 +4464,23 @@
NOT-FOR-US: CMS Made Simple
CVE-2017-16797 (In SWFTools 0.9.2, the png_load function in lib/png.c does not properly ...)
- swftools <unfixed>
+ [stretch] - swftools <no-dsa> (Minor issue)
+ [jessie] - swftools <no-dsa> (Minor issue)
NOTE: https://github.com/matthiaskramm/swftools/issues/51
CVE-2017-16796 (In SWFTools 0.9.2, the png_load function in lib/png.c does not check ...)
- - swftools <unfixed>
+ - swftools <unfixed> (unimportant)
NOTE: https://github.com/matthiaskramm/swftools/issues/51
+ NOTE: Crash in CLI tool, no security implications
CVE-2017-16795
RESERVED
CVE-2017-16794 (The png_load function in lib/png.c in SWFTools 0.9.2 does not properly ...)
- - swftools <unfixed>
+ - swftools <unfixed> (unimportant)
NOTE: https://github.com/matthiaskramm/swftools/issues/50
+ NOTE: Crash in CLI tool, no security implications
CVE-2017-16793 (The wav_convert2mono function in lib/wav.c in SWFTools 0.9.2 does not ...)
- swftools <unfixed>
+ [stretch] - swftools <no-dsa> (Minor issue)
+ [jessie] - swftools <no-dsa> (Minor issue)
NOTE: https://github.com/matthiaskramm/swftools/issues/47
CVE-2017-16792 (Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in ...)
NOT-FOR-US: geminabox
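Review bot: the three png_load issues in lib/png.c are treated differently here: CVE-2017-16797 becomes <no-dsa> (Minor issue) for stretch/jessie with no severity on its unstable line, while CVE-2017-16796 (same upstream issue 51) and CVE-2017-16794 are (unimportant) with a crash NOTE. If 16797 is rated higher for a reason, a NOTE saying so would help, and its unstable line (and that of CVE-2017-16793 below it) should carry a (low) tag like the other no-dsa entries in this commit.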
@@ -4630,9 +4651,9 @@
CVE-2017-16712
RESERVED
CVE-2017-16711 (The swf_DefineLosslessBitsTagToImage function in lib/modules/swfbits.c ...)
- - swftools <unfixed> (bug #881390)
- [wheezy] - swftools <no-dsa> (Minor issue)
+ - swftools <unfixed> (unimportant; bug #881390)
NOTE: https://github.com/matthiaskramm/swftools/issues/46
+ NOTE: Crash in CLI tool, no security implications
CVE-2017-16710
RESERVED
CVE-2017-16709
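Review bot: dropping the "[wheezy] - swftools <no-dsa> (Minor issue)" line when the entry becomes (unimportant) is consistent, since the per-release line is redundant once the issue is rated unimportant; the new NOTE, however, says "no security implications" while the NOTE added for CVE-2017-16868 earlier in this commit and the existing upx note say "no security impact". Pick one phrasing so the notes can be searched consistently.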
@@ -5569,6 +5590,8 @@
NOTE: https://blogs.securiteam.com/index.php/archives/3494
CVE-2017-1001001 (PluXml version 5.6 is vulnerable to stored cross-site scripting ...)
- pluxml <unfixed> (bug #881796)
+ [jessie] - pluxml <no-dsa> (Minor issue)
+ [stretch] - pluxml <no-dsa> (Minor issue)
NOTE: https://github.com/pluxml/PluXml/issues/253
CVE-2017-1000244 (Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF ...)
NOT-FOR-US: Jenkins plugin
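Review bot: the pluxml entry lists [jessie] before [stretch], whereas every other entry touched in this commit lists stretch first; reorder for consistency. The unstable line is also left without a severity tag, while comparable no-dsa entries earlier in the commit get (low).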
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2017-12-07 19:29:48 UTC (rev 58338)
+++ data/dsa-needed.txt 2017-12-07 20:59:36 UTC (rev 58339)
@@ -31,6 +31,8 @@
linux
Wait until more issues have piled up
--
+openssl1.0/stable
+--
otrs2
--
php-horde-image
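Review bot: the commit log says "add two openssl", but this file only gains openssl1.0/stable. If a second entry (an openssl line for another suite) was intended, it is missing from the diff; if "two" refers to two CVEs, a note line naming them, like the status line the neighbouring linux entry carries, would make the entry actionable.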
@@ -51,6 +53,8 @@
--
simplesamlphp
--
+sqlite3/oldstable
+--
tiff
wait until more issues are around
--
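Review bot: sqlite3/oldstable is added without a note line, while the linux and tiff entries in this file carry a one-line status ("wait until more issues ..."). A short line listing the CVEs the update should cover, and whether stable needs one too (only oldstable is listed here), would help whoever picks this up.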