[Secure-testing-commits] r58602 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Fri Dec 15 10:04:45 UTC 2017


Author: carnil
Date: 2017-12-15 10:04:45 +0000 (Fri, 15 Dec 2017)
New Revision: 58602

Modified:
   data/CVE/list
Log:
Update passenger CVEs, the CVE-2017-1000384 will likely be rejected instead and CVE-2017-16355 kept.

This is due to http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf requiring
"PREFER THE MOST COMMONLY REFERENCED IDENTIFIER. This is roughly gauged by
searching for all affected identifiers on a search engine and
comparing results."

The CVE-2017-16355 will be prefered. What for the official MITRE update
later the day.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-12-15 09:33:44 UTC (rev 58601)
+++ data/CVE/list	2017-12-15 10:04:45 UTC (rev 58602)
@@ -8492,9 +8492,9 @@
 	[wheezy] - ruby-passenger <not-affected> (Vulnerable code introduced later)
 	NOTE: https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
 	NOTE: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
+	NOTE: http://www.openwall.com/lists/oss-security/2017/11/21/2 and following.
 	NOTE: Problem mitigated in versions prior to 5.0.10 where root privileges were required to
 	NOTE: get the status information.
-	TODO: check, possibly a duplicate of CVE-2017-1000384, clarification with MITRE pending
 CVE-2017-16354
 	RESERVED
 CVE-2017-16353 (GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure ...)
@@ -8747,6 +8747,7 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2017/11/21/2 and following.
 	NOTE: Problem mitigated in versions prior to 5.0.10 where root privileges were required to
 	NOTE: get the status information.
+	NOTE: Will be rejected likely by MITRE
 CVE-2017-1000383 (GNU Emacs version 25.3.1 (and other versions most likely) ignores ...)
 	NOTE: This CVE assignment is nonsense, GNU emacs reuses the umask of the original
 	NOTE: file when creating a backup file. That's hardly incorrect behaviour




More information about the Secure-testing-commits mailing list