[Secure-testing-commits] r53200 - in data: CVE DSA

Salvatore Bonaccorso carnil at moszumanska.debian.org
Thu Jul 6 03:23:17 UTC 2017


Author: carnil
Date: 2017-07-06 03:23:16 +0000 (Thu, 06 Jul 2017)
New Revision: 53200

Modified:
   data/CVE/list
   data/DSA/list
Log:
Slightly adjust listing for CVEs in DSA-3903-1

Reasoning: some of the CVEs were fixed already before the stretch release
and not in DSA-3903-1. To have the fixed version information correct as
well via the files, list the 4 CVEs only addressed in jessie separately.
The webfrontend will show them anyway correctly as fixed (although it would list
additionally the DSA listed version). Work around this issue, which is
present when both releases are supported and different sets of CVEs
are fixed.

For reviewers: I agree one could live as well with the previous commit
and it would be enough to show on webfront the issues as fixed in stretch,
but I preferred to add the workaround to get the version information
correct if one would look in detail.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-07-05 21:27:30 UTC (rev 53199)
+++ data/CVE/list	2017-07-06 03:23:16 UTC (rev 53200)
@@ -3569,6 +3569,7 @@
 CVE-2017-9404 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the function ...)
 	{DSA-3903-1 DLA-984-1 DLA-983-1}
 	- tiff 4.0.8-1
+	[jessie] - tiff 4.0.3-12.3+deb8u4
 	- tiff3 <removed>
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2688
 	NOTE: Fixed by: https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b
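
Review bot: The context line `{DSA-3903-1 DLA-984-1 DLA-983-1}` under CVE-2017-9404 still names DSA-3903-1, while the data/DSA/list hunk of this same revision removes CVE-2017-9404 from that DSA's CVE set, so the two files disagree about the cross-reference. Unless the brace line is regenerated from data/DSA/list, drop DSA-3903-1 from it here; the same applies to the CVE-2017-9403, CVE-2017-9147 and CVE-2016-10095 entries.
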
@@ -3585,6 +3586,7 @@
 CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the function ...)
 	{DSA-3903-1 DLA-984-1 DLA-983-1}
 	- tiff 4.0.8-1
+	[jessie] - tiff 4.0.3-12.3+deb8u4
 	- tiff3 <removed>
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2689
 	NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fb3dc46a2fcf6197ff3b93fc76f0c37fddc0333b
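
Review bot: The added `[jessie] - tiff 4.0.3-12.3+deb8u4` line under CVE-2017-9403 has nothing in the file that marks it as a deliberate workaround, so the reason is only recoverable from the commit log. Consider a NOTE line next to it saying the jessie fix shipped in the same version as the DSA-3903-1 jessie upload, so a later cleanup does not fold the entry back into the DSA.
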
@@ -4496,6 +4498,7 @@
 CVE-2017-9147 (LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in ...)
 	{DSA-3903-1 DLA-984-1 DLA-983-1}
 	- tiff 4.0.8-2 (bug #863185)
+	[jessie] - tiff 4.0.3-12.3+deb8u4
 	- tiff3 <removed>
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2693
 CVE-2017-9146 (The TNEFFillMapi function in lib/ytnef.c in libytnef in ytnef through ...)
@@ -17635,6 +17638,7 @@
 CVE-2016-10095 (Stack-based buffer overflow in the _TIFFVGetField function in ...)
 	{DSA-3903-1 DLA-984-1 DLA-983-1}
 	- tiff 4.0.8-2 (bug #850316)
+	[jessie] - tiff 4.0.3-12.3+deb8u4
 	- tiff3 <removed>
 	NOTE: This is a duplicate of CVE-2015-7554, both were reported against tiffsplit
 	NOTE: While the _TIFFVGetField function is a generic function, CVE IDs seem to be
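
Review bot: The NOTE in this entry calls CVE-2016-10095 a duplicate of CVE-2015-7554, but only CVE-2016-10095 gets the new `[jessie] - tiff 4.0.3-12.3+deb8u4` line and the CVE-2015-7554 entry is not part of this diff. Check that entry and align its jessie version if needed, so the two duplicates do not report different states for jessie.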

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2017-07-05 21:27:30 UTC (rev 53199)
+++ data/DSA/list	2017-07-06 03:23:16 UTC (rev 53200)
@@ -1,5 +1,5 @@
 [05 Jul 2017] DSA-3903-1 tiff - security update
-	{CVE-2016-10095 CVE-2017-9147 CVE-2017-9403 CVE-2017-9404 CVE-2017-9936 CVE-2017-10688}
+	{CVE-2017-9936 CVE-2017-10688}
 	[jessie] - tiff 4.0.3-12.3+deb8u4
 	[stretch] - tiff 4.0.8-2+deb9u1
 [05 Jul 2017] DSA-3902-1 jabberd2 - security update
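
Review bot: After the `-`/`+` pair the DSA-3903-1 entry lists only CVE-2017-9936 and CVE-2017-10688, yet its `[jessie] - tiff 4.0.3-12.3+deb8u4` line is the same version that data/CVE/list now records as the jessie fix for the four removed CVEs. A reader going from the DSA entry alone gets an incomplete CVE set for jessie; consider a NOTE under the entry naming CVE-2016-10095, CVE-2017-9147, CVE-2017-9403 and CVE-2017-9404 as fixed in the jessie upload only.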



