[Secure-testing-commits] r48763 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Tue Feb 7 21:52:57 UTC 2017 

Author: jmm
Date: 2017-02-07 21:52:57 +0000 (Tue, 07 Feb 2017)
New Revision: 48763

Modified:
   data/CVE/list
Log:
cgiemail scheduled for removal
jasper triage
kgb-bot no-dsa


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-02-07 21:10:16 UTC (rev 48762)
+++ data/CVE/list	2017-02-07 21:52:57 UTC (rev 48763)
@@ -1059,13 +1059,15 @@
 	NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/114
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/25/10
 CVE-2017-XXXX [jasper: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c)]
-	- jasper <unfixed>
+	- jasper <unfixed> (unimportant)
 	NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/112
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/25/8
+	NOTE: Not suitable for code injection, hardly denial of service
 CVE-2017-XXXX [jasper: invalid memory read in jas_matrix_bindsub (jas_seq.c)]
-	- jasper <unfixed>
+	- jasper <unfixed> (unimportant)
 	NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/113
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/01/25/9
+	NOTE: Not suitable for code injection, hardly denial of service
 CVE-2017-5618 [screen privilege escalation]
 	RESERVED
 	- screen 4.5.0-3 (bug #852484)
@@ -1278,18 +1280,22 @@
 CVE-2017-5616 [Reflected XSS vulnerability]
 	RESERVED
 	- cgiemail <removed> (bug #852031)
+	[jessie] - cgiemail <no-dsa> (Will be removed in next point update)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
 CVE-2017-5615 [SEC-215 HTTP header injection]
 	RESERVED
 	- cgiemail <removed> (bug #852031)
+	[jessie] - cgiemail <no-dsa> (Will be removed in next point update)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
 CVE-2017-5614 [SEC-214 Open redirect]
 	RESERVED
 	- cgiemail <removed> (bug #852031)
+	[jessie] - cgiemail <no-dsa> (Will be removed in next point update)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
 CVE-2017-5613 [SEC-212 Format string injection]
 	RESERVED
 	- cgiemail <removed> (bug #852031)
+	[jessie] - cgiemail <no-dsa> (Will be removed in next point update)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
 CVE-2016-10155 [watchdog: memory leakage in virtual hardware watchdog wdt_i6300esb; CVE for the memory consumption issue, not an information disclosure issue]
 	RESERVED
@@ -1840,9 +1846,10 @@
 	NOTE: Not suitable for code injection, hardly denial of service
 CVE-2017-5504
 	RESERVED
-	- jasper <removed>
+	- jasper <removed> (unimportant)
 	NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jpc_undo_roi-jpc_dec-c
 	NOTE: https://github.com/mdadams/jasper/issues/89
+	NOTE: Not suitable for code injection, hardly denial of service
 CVE-2017-5503
 	RESERVED
 	- jasper <removed>
@@ -14717,6 +14724,7 @@
 CVE-2016-9557 [signed integer overflow in jas_image.c]
 	RESERVED
 	- jasper <removed>
+	[jessie] - jasper <no-dsa> (Minor issue)
 	[wheezy] - jasper <no-dsa> (the fix is too invasive)
 	NOTE: https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c
 	NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
@@ -15694,13 +15702,13 @@
 CVE-2016-9262 [use after free in jas_realloc (jas_malloc.c)]
 	RESERVED
 	- jasper <removed>
+	[jessie] - jasper <not-affected> (Vulnerable code introduced later)
 	[wheezy] - jasper <not-affected> (Vulnerable code introduced later)
 	NOTE: Fixed by: https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735
 	NOTE: The use-afer-free seems to be introduced in a version later tha 1.900.1 but the
 	NOTE: CVE is assigned for everything fixed in the above commit, a such seems till
-	NOTE: present in the 1.900.1 based versions.
+	NOTE: present in the 1.900.1 based versions. Still ok to mark as not-affected
 	NOTE: https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c
-	TODO: double-check again
 CVE-2016-9258
 	RESERVED
 CVE-2016-9257
@@ -67434,7 +67442,8 @@
 	NOT-FOR-US: typo3 extension
 CVE-2015-1554 [can be crashed by some network traffic]
 	RESERVED
-	- kgb-bot <unfixed> (bug #776424)
+	- kgb-bot <unfixed> (low; bug #776424)
+	[jessie] - kgb-bot <no-dsa> (Minor issue)
 CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js ...)
 	NOT-FOR-US: sequelize
 CVE-2015-1354

More information about the Secure-testing-commits mailing list