[Secure-testing-commits] r52298 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Sun Jun 4 21:27:23 UTC 2017 

Author: jmm
Date: 2017-06-04 21:27:23 +0000 (Sun, 04 Jun 2017)
New Revision: 52298

Modified:
   data/CVE/list
Log:
further stretch triage


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-06-04 21:10:16 UTC (rev 52297)
+++ data/CVE/list	2017-06-04 21:27:23 UTC (rev 52298)
@@ -49,7 +49,8 @@
 	[jessie] - imagemagick <no-dsa> (Minor issue, wait until more severe issues arise)
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/458
 CVE-2017-9408 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...)
-	- poppler <unfixed> (bug #864009)
+	- poppler <unfixed> (low; bug #864009)
+	[stretch] - poppler <no-dsa> (Minor issue)
 	[jessie] - poppler <no-dsa> (Minor issue)
 	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100776
 	NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b21b041f7948680c03109f0c404400a9dbc4544c
@@ -58,7 +59,8 @@
 	[jessie] - imagemagick <no-dsa> (Minor issue, wait until more severe issues arise)
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/459
 CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...)
-	- poppler <unfixed> (bug #864010)
+	- poppler <unfixed> (low; bug #864010)
+	[stretch] - poppler <no-dsa> (Minor issue)
 	[jessie] - poppler <no-dsa> (Minor issue)
 	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100775
 	NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=278439531b13b0b047dbe3a75aa3f1b3407c8bd4
@@ -475,6 +477,8 @@
 CVE-2017-9310 [net: infinite loop in e1000e NIC emulation]
 	RESERVED
 	- qemu <unfixed> (bug #863840)
+	[stretch] - qemu <no-dsa> (Minor issue)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4154c7e03fa55b4cf52509a83d50d6c09d743b7
 CVE-2017-9303 (Laravel 5.4.x before 5.4.22 does not properly constrain the host ...)
@@ -904,19 +908,22 @@
 	[wheezy] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://git.kernel.org/linus/0d0e57697f162da4aa218b5feafe614fb666db07
 CVE-2017-9210 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of ...)
-	- qpdf <unfixed> (bug #863390)
+	- qpdf <unfixed> (low; bug #863390)
+	[stretch] - qpdf <no-dsa> (Minor issue)
 	[jessie] - qpdf <no-dsa> (Minor issue)
 	[wheezy] - qpdf <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10
 	NOTE: https://github.com/qpdf/qpdf/issues/101
 CVE-2017-9209 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of ...)
-	- qpdf <unfixed> (bug #863390)
+	- qpdf <unfixed> (low; bug #863390)
+	[stretch] - qpdf <no-dsa> (Minor issue)
 	[jessie] - qpdf <no-dsa> (Minor issue)
 	[wheezy] - qpdf <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10
 	NOTE: https://github.com/qpdf/qpdf/issues/100
 CVE-2017-9208 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of ...)
-	- qpdf <unfixed> (bug #863390)
+	- qpdf <unfixed> (low; bug #863390)
+	[stretch] - qpdf <no-dsa> (Minor issue)
 	[jessie] - qpdf <no-dsa> (Minor issue)
 	[wheezy] - qpdf <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10
@@ -2822,9 +2829,10 @@
 CVE-2017-8402 (PivotX 2.3.11 allows remote authenticated users to execute arbitrary ...)
 	NOT-FOR-US: PivotX
 CVE-2017-8401 (In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the ...)
-	- swftools <unfixed> (bug #861998)
+	- swftools <unfixed> (unimportant; bug #861998)
 	NOTE: https://github.com/matthiaskramm/swftools/issues/14
 	NOTE: https://github.com/matthiaskramm/swftools/commit/392fb1f3cd9a5b167787c551615c651c3f5326f2
+	NOTE: Crash in CLI tool not considered a security issue
 CVE-2017-8400 (In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the ...)
 	- swftools 0.9.2+git20130725-4.1 (bug #861693)
 	NOTE: https://github.com/matthiaskramm/swftools/issues/13
@@ -5455,7 +5463,8 @@
 	NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cad15943225adbcadea51602b38b04d71d1183d2
 	NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=935e77d527a018b652f247c7374c558871210db6
 CVE-2017-7483 (Rxvt 2.7.10 is vulnerable to a denial of service attack by passing the ...)
-	- rxvt <unfixed> (bug #861694)
+	- rxvt <unfixed> (low; bug #861694)
+	[stretch] - rxvt <no-dsa> (Minor issue)
 	[jessie] - rxvt <no-dsa> (Minor issue)
 	[wheezy] - rxvt <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/05/01/15
@@ -10140,6 +10149,7 @@
 	NOTE: https://github.com/VirusTotal/yara/issues/576
 CVE-2016-10209 (The archive_wstring_append_from_mbs function in archive_string.c in ...)
 	- libarchive <unfixed> (bug #859456)
+	[stretch] - libarchive <no-dsa> (Minor issue)
 	[jessie] - libarchive <no-dsa> (Minor issue)
 	[wheezy] - libarchive <no-dsa> (Minor issue, not reproducible in Debian)
 	NOTE: https://github.com/libarchive/libarchive/issues/842
@@ -12786,7 +12796,8 @@
 CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded ...)
 	NOT-FOR-US: D-Link
 CVE-2016-10127 (PySAML2 allows remote attackers to conduct XML external entity (XXE) ...)
-	- python-pysaml2 <unfixed> (bug #859135)
+	- python-pysaml2 <unfixed> (low; bug #859135)
+	[stretch] - python-pysaml2 <no-dsa> (Minor issue)
 	[jessie] - python-pysaml2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/rohe/pysaml2/issues/366
 	NOTE: A proper fix for this issue would be to fix the underlying issue in src:libxml2
@@ -44380,6 +44391,7 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/5
 CVE-2012-XXXX [Option -localhost seems to fail to restrict ipv6 access]
 	- x11vnc <unfixed> (bug #672435)
+	[stretch] - x11vnc <no-dsa> (Minor issue; workaround exits)
 	[jessie] - x11vnc <no-dsa> (Minor issue; workaround exits)
 	[wheezy] - x11vnc <no-dsa> (Minor issue; workaround exits)
 CVE-2016-3948 (Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds ...)
@@ -46604,11 +46616,10 @@
 	NOT-FOR-US: Cygwin
 CVE-2016-3066 [hijacks clipboard and sends contents to remote servers]
 	RESERVED
-	- spice-gtk <unfixed>
-	[jessie] - spice-gtk <no-dsa> (Minor issue)
-	[wheezy] - spice-gtk <no-dsa> (Minor issue)
+	- spice-gtk <unfixed> (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1320263
-	NOTE: No easy fix/tricky to address
+	NOTE: Hardly a security issue per se, but a design limitation/risky feature
+	NOTE: It's up to applications using spice-gtk to use it as appropriate
 CVE-2016-3065 (The (1) brin_page_type and (2) brin_metapage_info functions in the ...)
 	- postgresql-9.5 9.5.2-1
 	- postgresql-9.4 <not-affected> (Only affects 9.5.x)

More information about the Secure-testing-commits mailing list