[Secure-testing-commits] r49373 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Thu Mar 2 17:51:14 UTC 2017


Author: jmm
Date: 2017-03-02 17:51:14 +0000 (Thu, 02 Mar 2017)
New Revision: 49373

Modified:
   data/CVE/list
Log:
more qemu triage
NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-03-02 16:36:04 UTC (rev 49372)
+++ data/CVE/list	2017-03-02 17:51:14 UTC (rev 49373)
@@ -1148,6 +1148,7 @@
 CVE-2017-5987 [sd: infinite loop issue in multi block transfers]
 	RESERVED
 	- qemu 1:2.8+dfsg-3 (bug #855159)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	[wheezy] - qemu-kvm <not-affected> (Vulnerable code not present)
@@ -1202,6 +1203,7 @@
 	RESERVED
 	{DLA-845-1 DLA-842-1}
 	- qemu 1:2.8+dfsg-3 (bug #855611)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01101.html
 	NOTE: http://www.openwall.com/lists/oss-security/2017/02/13/11
@@ -8898,6 +8900,7 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/12
 CVE-2016-9916 (Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows ...)
 	- qemu 1:2.8+dfsg-1 (bug #847496)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <no-dsa> (Minor issue, virtfs-proxy-helper not present)
 	- qemu-kvm <removed>
 	[wheezy] - qemu-kvm <no-dsa> (Minor issue, virtfs-proxy-helper not present)
@@ -8927,9 +8930,9 @@
 	NOTE: see debian-lts ML: https://lists.debian.org/debian-lts/2016/12/msg00136.html
 CVE-2016-9913 (Memory leak in the v9fs_device_unrealize_common function in ...)
 	- qemu 1:2.8+dfsg-1 (bug #847496)
+	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
-	- qemu-kvm <removed>
-	[wheezy] - qemu-kvm <not-affected> (Vulnerable code not present)
+	- qemu-kvm <not-affected> (Vulnerable code not present)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg03278.html
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4774718e5c194026ba5ee7a28d9be49be3080e42 (v2.8.0-rc2)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/11
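Review bot: In the CVE-2016-9913 entry the qemu-kvm lines are collapsed into a single `- qemu-kvm <not-affected> (Vulnerable code not present)`, while every other qemu entry touched by this patch keeps `- qemu-kvm <removed>`, with a separate `[wheezy]` line where one exists (as in CVE-2016-9916 just above). If the collapse is intentional, add a short NOTE saying why; otherwise keep the `<removed>` form plus the `[wheezy]` line here so the entries stay consistent.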
@@ -8942,6 +8945,7 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/06/10
 CVE-2016-9907 (Quick Emulator (Qemu) built with the USB redirector usb-guest support ...)
 	- qemu 1:2.8+dfsg-1 (bug #847953)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	[wheezy] - qemu-kvm <not-affected> (Vulnerable code not present)
@@ -10510,6 +10514,7 @@
 	RESERVED
 	{DLA-845-1 DLA-842-1}
 	- qemu 1:2.8+dfsg-3 (bug #855791)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	- xen 4.4.0-1
 	NOTE: Xen switched to qemu-system in 4.4.0-1
@@ -15680,6 +15685,7 @@
 CVE-2016-9602 [9p: virtfs allows guest to access host filesystem]
 	RESERVED
 	- qemu 1:2.8+dfsg-3 (bug #853006)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1413929
 	NOTE: The original proposed patch does not fix the issue, cf.
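Review bot: The new `[jessie] - qemu <no-dsa> (Minor issue)` line for CVE-2016-9602 gives no reason, although the entry title reads "virtfs allows guest to access host filesystem" and the NOTE below it says the original proposed patch does not fix the issue. Please state in the parentheses why this is minor for jessie, the way the wheezy lines for CVE-2016-9916 do with "virtfs-proxy-helper not present".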
@@ -17728,12 +17734,14 @@
 CVE-2016-9105 (Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka ...)
 	{DLA-698-1 DLA-689-1}
 	- qemu 1:2.8+dfsg-1 (bug #842463)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02608.html
 	NOTE: http://www.openwall.com/lists/oss-security/2016/10/28/3
 	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=4c1586787ff43c9acd18a56c12d720e3e6be9f7c
 CVE-2016-9104 (Multiple integer overflows in the (1) v9fs_xattr_read and (2) ...)
 	{DLA-698-1 DLA-689-1}
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu 1:2.8+dfsg-1 (bug #842463)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02942.html
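Review bot: In the CVE-2016-9104 entry the `[jessie]` line is inserted above `- qemu 1:2.8+dfsg-1 (bug #842463)`, whereas for CVE-2016-9105 in the same hunk, and in the other entries of this patch, the release-specific line follows the unstable line. Move it below the `- qemu` line so the entry keeps the same ordering as the rest.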
@@ -17741,6 +17749,7 @@
 CVE-2016-9103 (The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick ...)
 	{DLA-698-1 DLA-689-1}
 	- qemu 1:2.8+dfsg-1 (bug #842463)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg01790.html
 	NOTE: http://www.openwall.com/lists/oss-security/2016/10/28/1
@@ -17748,6 +17757,7 @@
 CVE-2016-9102 (Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU ...)
 	{DLA-698-1 DLA-689-1}
 	- qemu 1:2.8+dfsg-1 (bug #842463)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg01861.html
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1389550
@@ -19638,6 +19648,7 @@
 CVE-2016-8576 (The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick ...)
 	{DLA-679-1 DLA-678-1}
 	- qemu 1:2.8+dfsg-1 (bug #840343)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg01265.html
 	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=05f43d44e4bc26611ce25fd7d726e483f73363ce
@@ -21842,6 +21853,7 @@
 CVE-2016-7908 (The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick ...)
 	{DLA-653-1 DLA-652-1}
 	- qemu 1:2.8+dfsg-1 (bug #839835)
+	[jessie] - qemu <no-dsa> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05557.html
 	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=070c4b92b8cd5390889716677a0b92444d6e087a
@@ -41755,9 +41767,9 @@
 CVE-2016-1860 (Intel Graphics Driver in Apple OS X before 10.11.5 allows attackers to ...)
 	NOT-FOR-US: Apple
 CVE-2016-1859 (The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari ...)
-	TODO: check
+	NOT-FOR-US: Webkit as used by Apple
 CVE-2016-1858 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and ...)
-	TODO: check
+	NOT-FOR-US: Webkit as used by Apple
 CVE-2016-1857 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and ...)
 	- webkitgtk 2.12.3-1 (unimportant)
 	NOTE: Not covered by security support
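Review bot: CVE-2016-1858 is marked `NOT-FOR-US: Webkit as used by Apple`, but CVE-2016-1857 directly below carries the same "WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1" summary and is tracked against webkitgtk. A NOTE on why the NOT-FOR-US entries do not apply to webkitgtk would make that distinction checkable; the same goes for CVE-2016-1859 here and for CVE-2016-1855 and CVE-2016-1854 in the next hunk. Also spell it "WebKit", as the descriptions do.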
@@ -41765,9 +41777,9 @@
 	- webkitgtk 2.12.3-1 (unimportant)
 	NOTE: Not covered by security support
 CVE-2016-1855 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and ...)
-	TODO: check
+	NOT-FOR-US: Webkit as used by Apple
 CVE-2016-1854 (WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and ...)
-	TODO: check
+	NOT-FOR-US: Webkit as used by Apple
 CVE-2016-1853 (Tcl in Apple OS X before 10.11.5 allows remote attackers to obtain ...)
 	NOT-FOR-US: Apple
 CVE-2016-1852 (Siri in Apple iOS before 9.3.2 does not block data detectors within ...)
@@ -42664,7 +42676,7 @@
 CVE-2016-1593 (Directory traversal vulnerability in the import users feature in Micro ...)
 	NOT-FOR-US: Micro Focus
 CVE-2016-1592 (XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote ...)
-	TODO: check
+	NOT-FOR-US: NetIQ Designer
 CVE-2016-1591
 	RESERVED
 CVE-2016-1590
@@ -42689,7 +42701,7 @@
 CVE-2016-1581 (LXD before 2.0.2 uses world-readable permissions for ...)
 	- lxd <itp> (bug #768073)
 CVE-2016-1580 (The setup_snappy_os_mounts function in the ubuntu-core-launcher ...)
-	TODO: check
+	NOT-FOR-US: ubuntu-core-launcher
 CVE-2016-1579
 	RESERVED
 CVE-2016-1578 (Use-after-free vulnerability in Oxide allows remote attackers to cause ...)
@@ -44080,23 +44092,23 @@
 	[squeeze] - prosody <not-affected> (Vulnerable code not present)
 	NOTE: https://prosody.im/security/advisory_20160108-1/
 CVE-2016-1230 (Cross-site scripting (XSS) vulnerability in NTT PC Communications ...)
-	TODO: check
+	NOT-FOR-US: NTT
 CVE-2016-1229 (Cross-site scripting (XSS) vulnerability in HumHub 0.20.0-beta.1 ...)
-	TODO: check
+	NOT-FOR-US: HumHub
 CVE-2016-1228 (Cross-site request forgery (CSRF) vulnerability on NTT EAST Hikari ...)
-	TODO: check
+	NOT-FOR-US: NTT
 CVE-2016-1227 (NTT EAST Hikari Denwa routers with firmware PR-400MI, RT-400MI, and ...)
-	TODO: check
+	NOT-FOR-US: NTT
 CVE-2016-1226 (Cross-site scripting (XSS) vulnerability in Trend Micro Internet ...)
-	TODO: check
+	NOT-FOR-US: Trend Micro
 CVE-2016-1225 (Trend Micro Internet Security 8 and 10 allows remote attackers to read ...)
-	TODO: check
+	NOT-FOR-US: Trend Micro
 CVE-2016-1224 (CRLF injection vulnerability in Trend Micro Worry-Free Business ...)
-	TODO: check
+	NOT-FOR-US: Trend Micro
 CVE-2016-1223 (Directory traversal vulnerability in Trend Micro Office Scan 11.0, ...)
-	TODO: check
+	NOT-FOR-US: Trend Micro
 CVE-2016-1222 (Cross-site scripting (XSS) vulnerability in Kobe Beauty ...)
-	TODO: check
+	NOT-FOR-US: Kobe Beauty
 CVE-2016-1221
 	RESERVED
 CVE-2016-1220
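Review bot: The reason `NOT-FOR-US: NTT` is used for CVE-2016-1230, CVE-2016-1228 and CVE-2016-1227, which by their descriptions cover an NTT PC Communications product and NTT EAST Hikari Denwa routers; name the product rather than only the vendor, as the earlier hunks do with "NetIQ Designer" and "ubuntu-core-launcher". `Kobe Beauty` for CVE-2016-1222 looks like the start of the truncated description rather than a full product name, so check it against the full CVE text.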



