[Secure-testing-commits] r58602 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Fri Dec 15 10:04:45 UTC 2017
Author: carnil
Date: 2017-12-15 10:04:45 +0000 (Fri, 15 Dec 2017)
New Revision: 58602
Modified:
data/CVE/list
Log:
Update passenger CVEs, the CVE-2017-1000384 will likely be rejected instead and CVE-2017-16355 kept.
This is due to http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf requiring
"PREFER THE MOST COMMONLY REFERENCED IDENTIFIER. This is roughly gauged by
searching for all affected identifiers on a search engine and
comparing results."
The CVE-2017-16355 will be prefered. What for the official MITRE update
later the day.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-12-15 09:33:44 UTC (rev 58601)
+++ data/CVE/list 2017-12-15 10:04:45 UTC (rev 58602)
@@ -8492,9 +8492,9 @@
[wheezy] - ruby-passenger <not-affected> (Vulnerable code introduced later)
NOTE: https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
NOTE: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
+ NOTE: http://www.openwall.com/lists/oss-security/2017/11/21/2 and following.
NOTE: Problem mitigated in versions prior to 5.0.10 where root privileges were required to
NOTE: get the status information.
- TODO: check, possibly a duplicate of CVE-2017-1000384, clarification with MITRE pending
CVE-2017-16354
RESERVED
CVE-2017-16353 (GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure ...)
@@ -8747,6 +8747,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/11/21/2 and following.
NOTE: Problem mitigated in versions prior to 5.0.10 where root privileges were required to
NOTE: get the status information.
+ NOTE: Will be rejected likely by MITRE
CVE-2017-1000383 (GNU Emacs version 25.3.1 (and other versions most likely) ignores ...)
NOTE: This CVE assignment is nonsense, GNU emacs reuses the umask of the original
NOTE: file when creating a backup file. That's hardly incorrect behaviour
More information about the Secure-testing-commits
mailing list