[Secure-testing-commits] r53229 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Thu Jul 6 18:04:23 UTC 2017
Author: jmm
Date: 2017-07-06 18:04:22 +0000 (Thu, 06 Jul 2017)
New Revision: 53229
Modified:
data/CVE/list
Log:
two openvswitch issues unimportant
dolibarr, faad2, ntopng, libjgroups-java no-dsa
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-07-06 18:03:01 UTC (rev 53228)
+++ data/CVE/list 2017-07-06 18:04:22 UTC (rev 53229)
@@ -1233,6 +1233,8 @@
NOTE: http://phpunit.vulnbusters.com/
CVE-2017-9840 (Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload ...)
- dolibarr <unfixed>
+ [stretch] - dolibarr <no-dsa> (Minor issue)
+ [jessie] - dolibarr <no-dsa> (Minor issue)
CVE-2017-9839
RESERVED
CVE-2017-9838
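Review bot: the `- dolibarr <unfixed>` line under CVE-2017-9840 has neither an urgency nor a bug reference, so the new stretch and jessie no-dsa lines are the only triage recorded for this entry. Suggest adding an urgency and a tracking bug to the package line, in the form other entries in this file use, e.g. `(low; bug #...)`, so the deferred fix stays visible for unstable.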
@@ -4250,15 +4252,17 @@
[wheezy] - openvswitch <not-affected> (Vulnerable code not present)
NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332965.html
CVE-2017-9264 (In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS) ...)
- - openvswitch <unfixed> (bug #863661)
+ - openvswitch <unfixed> (unimportant; bug #863661)
[jessie] - openvswitch <not-affected> (Vulnerable code not present; connection tracking support introduced in 2.6.0)
[wheezy] - openvswitch <not-affected> (Vulnerable code not present; connection tracking support introduced in 2.6.0)
NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329323.html
+ NOTE: Userspace data path not enabled in Debian packaging
CVE-2017-9263 (In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status ...)
- - openvswitch <unfixed> (bug #863655)
+ - openvswitch <unfixed> (unimportant; bug #863655)
[jessie] - openvswitch <not-affected> (No controllers implemented, cf. #863655)
[wheezy] - openvswitch <not-affected> (No controllers implemented, cf. #863655)
NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332966.html
+ NOTE: Controllers shipped in Debian not vulnerable, see #863655
CVE-2017-9262 (In ImageMagick 7.0.5-6 Q16, the ReadJNGImage function in coders/png.c ...)
{DLA-1000-1}
- imagemagick 8:6.9.7.4+dfsg-10 (low; bug #863834)
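Review bot: the NOTE added under CVE-2017-9264 ("Userspace data path not enabled in Debian packaging") states the reason for the unimportant tag but gives nothing to check it against, unlike the NOTE added under CVE-2017-9263, which points to #863655. Suggest referencing bug #863661 or wherever the packaging establishes this, because the tag depends on a build configuration and stops being correct if that configuration changes.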
@@ -4278,15 +4282,25 @@
CVE-2017-9258
RESERVED
CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9256 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9255 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9254 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9253 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2016-10377 (In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switch ...)
- openvswitch 2.6.1+git20161123-1
[jessie] - openvswitch <not-affected> (Vulnerable code using tot_len introduced later)
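Review bot: the five faad2 entries from CVE-2017-9257 to CVE-2017-9253 all receive `(low)` and a bare `(Minor issue)` with no NOTE or bug reference that lets a reader verify the rating. Suggest adding a NOTE with the upstream report or a Debian bug number to at least one of them and referring to it from the others, as the openvswitch entries in this same commit do.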
@@ -4406,17 +4420,29 @@
NOTE: https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b
NOTE: https://github.com/kkos/oniguruma/issues/57
CVE-2017-9223 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9222 (The mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9221 (The mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9220 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9219 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9218 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
+ [jessie] - faad2 <no-dsa> (Minor issue)
CVE-2017-9217 (systemd-resolved through 233 allows remote attackers to cause a denial ...)
[experimental] - systemd 233-8
- systemd 232-24 (bug #863277)
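Review bot: CVE-2017-9223, CVE-2017-9220, CVE-2017-9219 and CVE-2017-9218 name the same functions (mp4ff_read_stts, mp4ff_read_stco, mp4ff_read_stsc, mp4ff_read_stsd) as CVE-2017-9254, CVE-2017-9256, CVE-2017-9255 and CVE-2017-9253 in the previous hunk, and both sets get identical triage. Suggest a NOTE on each pair saying whether they are distinct defects in the same function or duplicates, so that a later fix can be matched to the right CVE ids.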
@@ -9602,9 +9628,13 @@
RESERVED
CVE-2017-7459 (ntopng before 3.0 allows HTTP Response Splitting. ...)
- ntopng <unfixed> (bug #866719)
+ [stretch] - ntopng <no-dsa> (Minor issue)
+ [jessie] - ntopng <no-dsa> (Minor issue)
NOTE: https://github.com/ntop/ntopng/commit/9469e58f07e043da712e6d6c41244852a11bcaeb
CVE-2017-7458 (The NetworkInterface::getHost function in NetworkInterface.cpp in ...)
- ntopng <unfixed> (bug #866721)
+ [stretch] - ntopng <no-dsa> (Minor issue)
+ [jessie] - ntopng <no-dsa> (Minor issue)
NOTE: https://github.com/ntop/ntopng/commit/01f47e04fd7c8d54399c9e465f823f0017069f8f
CVE-2017-7457 (XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 ...)
NOT-FOR-US: Moxa
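Review bot: the ntopng package lines for CVE-2017-7459 and CVE-2017-7458 carry bug numbers but no urgency, while the faad2 and libjgroups-java entries in this commit pair their no-dsa lines with `(low)`. Suggest setting the urgency on the package line as well, e.g. `(low; bug #866719)`, so that the no-dsa decision and the package-level rating agree.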
@@ -9706,6 +9736,8 @@
RESERVED
CVE-2017-7416 (ntopng before 3.0 allows XSS because GET and POST parameters are ...)
- ntopng <unfixed> (bug #866722)
+ [stretch] - ntopng <no-dsa> (Minor issue)
+ [jessie] - ntopng <no-dsa> (Minor issue)
CVE-2017-7415 (Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypass ...)
NOT-FOR-US: Atlassian Confluence
CVE-2016-10318 (A missing authorization check in the fscrypt_process_policy function in ...)
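Review bot: CVE-2017-7416 is an XSS through GET and POST parameters and is marked no-dsa with only `(Minor issue)`, and unlike the two other ntopng entries in this commit it has no NOTE pointing to an upstream fix. Suggest adding the upstream commit as a NOTE and a short reason for the minor rating, since the package line still reads `<unfixed>`.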
@@ -54042,6 +54074,7 @@
NOT-FOR-US: OpenShift
CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the ENCRYPT ...)
- libjgroups-java <unfixed> (low)
+ [stretch] - libjgroups-java <no-dsa> (Minor issue)
[jessie] - libjgroups-java <no-dsa> (Minor issue)
[wheezy] - libjgroups-java <no-dsa> (Minor issue, only used as build dependency)
CVE-2016-2140 (The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) ...)
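Review bot: the new `[stretch]` line for CVE-2016-2141 uses a bare `(Minor issue)`, while the existing wheezy line gives a concrete reason ("only used as build dependency"). If the same reason applies to stretch, state it on the new line; if libjgroups-java is used at runtime there, the minor rating for a flaw in the ENCRYPT protocol headers needs its own justification.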