[Secure-testing-commits] r52298 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Sun Jun 4 21:27:23 UTC 2017
Author: jmm
Date: 2017-06-04 21:27:23 +0000 (Sun, 04 Jun 2017)
New Revision: 52298
Modified:
data/CVE/list
Log:
further stretch triage
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-06-04 21:10:16 UTC (rev 52297)
+++ data/CVE/list 2017-06-04 21:27:23 UTC (rev 52298)
@@ -49,7 +49,8 @@
[jessie] - imagemagick <no-dsa> (Minor issue, wait until more severe issues arise)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/458
CVE-2017-9408 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...)
- - poppler <unfixed> (bug #864009)
+ - poppler <unfixed> (low; bug #864009)
+ [stretch] - poppler <no-dsa> (Minor issue)
[jessie] - poppler <no-dsa> (Minor issue)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100776
NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b21b041f7948680c03109f0c404400a9dbc4544c
@@ -58,7 +59,8 @@
[jessie] - imagemagick <no-dsa> (Minor issue, wait until more severe issues arise)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/459
CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the ...)
- - poppler <unfixed> (bug #864010)
+ - poppler <unfixed> (low; bug #864010)
+ [stretch] - poppler <no-dsa> (Minor issue)
[jessie] - poppler <no-dsa> (Minor issue)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100775
NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=278439531b13b0b047dbe3a75aa3f1b3407c8bd4
@@ -475,6 +477,8 @@
CVE-2017-9310 [net: infinite loop in e1000e NIC emulation]
RESERVED
- qemu <unfixed> (bug #863840)
+ [stretch] - qemu <no-dsa> (Minor issue)
+ [jessie] - qemu <no-dsa> (Minor issue)
- qemu-kvm <removed>
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4154c7e03fa55b4cf52509a83d50d6c09d743b7
CVE-2017-9303 (Laravel 5.4.x before 5.4.22 does not properly constrain the host ...)
@@ -904,19 +908,22 @@
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/0d0e57697f162da4aa218b5feafe614fb666db07
CVE-2017-9210 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of ...)
- - qpdf <unfixed> (bug #863390)
+ - qpdf <unfixed> (low; bug #863390)
+ [stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
[wheezy] - qpdf <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10
NOTE: https://github.com/qpdf/qpdf/issues/101
CVE-2017-9209 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of ...)
- - qpdf <unfixed> (bug #863390)
+ - qpdf <unfixed> (low; bug #863390)
+ [stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
[wheezy] - qpdf <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10
NOTE: https://github.com/qpdf/qpdf/issues/100
CVE-2017-9208 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of ...)
- - qpdf <unfixed> (bug #863390)
+ - qpdf <unfixed> (low; bug #863390)
+ [stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
[wheezy] - qpdf <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/23/10
@@ -2822,9 +2829,10 @@
CVE-2017-8402 (PivotX 2.3.11 allows remote authenticated users to execute arbitrary ...)
NOT-FOR-US: PivotX
CVE-2017-8401 (In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the ...)
- - swftools <unfixed> (bug #861998)
+ - swftools <unfixed> (unimportant; bug #861998)
NOTE: https://github.com/matthiaskramm/swftools/issues/14
NOTE: https://github.com/matthiaskramm/swftools/commit/392fb1f3cd9a5b167787c551615c651c3f5326f2
+ NOTE: Crash in CLI tool not considered a security issue
CVE-2017-8400 (In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the ...)
- swftools 0.9.2+git20130725-4.1 (bug #861693)
NOTE: https://github.com/matthiaskramm/swftools/issues/13
@@ -5455,7 +5463,8 @@
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cad15943225adbcadea51602b38b04d71d1183d2
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=935e77d527a018b652f247c7374c558871210db6
CVE-2017-7483 (Rxvt 2.7.10 is vulnerable to a denial of service attack by passing the ...)
- - rxvt <unfixed> (bug #861694)
+ - rxvt <unfixed> (low; bug #861694)
+ [stretch] - rxvt <no-dsa> (Minor issue)
[jessie] - rxvt <no-dsa> (Minor issue)
[wheezy] - rxvt <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/01/15
@@ -10140,6 +10149,7 @@
NOTE: https://github.com/VirusTotal/yara/issues/576
CVE-2016-10209 (The archive_wstring_append_from_mbs function in archive_string.c in ...)
- libarchive <unfixed> (bug #859456)
+ [stretch] - libarchive <no-dsa> (Minor issue)
[jessie] - libarchive <no-dsa> (Minor issue)
[wheezy] - libarchive <no-dsa> (Minor issue, not reproducible in Debian)
NOTE: https://github.com/libarchive/libarchive/issues/842
@@ -12786,7 +12796,8 @@
CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded ...)
NOT-FOR-US: D-Link
CVE-2016-10127 (PySAML2 allows remote attackers to conduct XML external entity (XXE) ...)
- - python-pysaml2 <unfixed> (bug #859135)
+ - python-pysaml2 <unfixed> (low; bug #859135)
+ [stretch] - python-pysaml2 <no-dsa> (Minor issue)
[jessie] - python-pysaml2 <no-dsa> (Minor issue)
NOTE: https://github.com/rohe/pysaml2/issues/366
NOTE: A proper fix for this issue would be to fix the underlying issue in src:libxml2
@@ -44380,6 +44391,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/5
CVE-2012-XXXX [Option -localhost seems to fail to restrict ipv6 access]
- x11vnc <unfixed> (bug #672435)
+ [stretch] - x11vnc <no-dsa> (Minor issue; workaround exits)
[jessie] - x11vnc <no-dsa> (Minor issue; workaround exits)
[wheezy] - x11vnc <no-dsa> (Minor issue; workaround exits)
CVE-2016-3948 (Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds ...)
@@ -46604,11 +46616,10 @@
NOT-FOR-US: Cygwin
CVE-2016-3066 [hijacks clipboard and sends contents to remote servers]
RESERVED
- - spice-gtk <unfixed>
- [jessie] - spice-gtk <no-dsa> (Minor issue)
- [wheezy] - spice-gtk <no-dsa> (Minor issue)
+ - spice-gtk <unfixed> (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1320263
- NOTE: No easy fix/tricky to address
+ NOTE: Hardly a security issue per se, but a design limitation/risky feature
+ NOTE: It's up to applications using spice-gtk to use it as appropriate
CVE-2016-3065 (The (1) brin_page_type and (2) brin_metapage_info functions in the ...)
- postgresql-9.5 9.5.2-1
- postgresql-9.4 <not-affected> (Only affects 9.5.x)
More information about the Secure-testing-commits
mailing list