[Secure-testing-commits] r50226 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Fri Mar 31 14:50:12 UTC 2017 

Author: jmm
Date: 2017-03-31 14:50:12 +0000 (Fri, 31 Mar 2017)
New Revision: 50226

Modified:
   data/CVE/list
Log:
initial ntp triage
libgit no-dsa/not-affected


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-03-31 11:14:25 UTC (rev 50225)
+++ data/CVE/list	2017-03-31 14:50:12 UTC (rev 50226)
@@ -2440,23 +2440,25 @@
 	- ntp 1:4.2.8p10+dfsg-1
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3387
 CVE-2017-6462 (Buffer overflow in the legacy Datum Programmable Time Server (DPTS) ...)
-	- ntp 1:4.2.8p10+dfsg-1
-	[wheezy] - ntp <no-dsa> (Minor issue)
+	- ntp 1:4.2.8p10+dfsg-1 (unimportant)
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3388
+	NOTE: Obscure legacy feature, no real impact
 CVE-2017-6461
 	REJECTED
 CVE-2017-6460 (Stack-based buffer overflow in the reslist function in ntpq in NTP ...)
 	- ntp 1:4.2.8p10+dfsg-1
+	[jessie] - ntp <not-affected> (Vulnerable code not present)
+	[wheezy] - ntp <not-affected> (Vulnerable code not present)
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3377
+	NOTE: https://cure53.de/pentest-report_ntp.pdf
 CVE-2017-6459 (The Windows installer for NTP before 4.2.8p10 and 4.3.x before 4.3.94 ...)
 	- ntp <not-affected> (NTP on Windows)
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3382
 CVE-2017-6458 (Multiple buffer overflows in the ctl_put* functions in NTP before ...)
-	- ntp 1:4.2.8p10+dfsg-1
-	[wheezy] - ntp <no-dsa> (Minor issue)
+	- ntp 1:4.2.8p10+dfsg-1 (unimportant)
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3379
-	NOTE: The vulnerability can only be triggered by adding very long
-	NOTE: variable names (200 bytes or more) in ntpd.conf file.
+	NOTE: https://cure53.de/pentest-report_ntp.pdf
+	NOTE: This is not a vulnerability per se, but a weakness in an internal helper function
 CVE-2017-6457
 	REJECTED
 CVE-2017-6456
@@ -6505,14 +6507,17 @@
 	NOTE: https://github.com/libgit2/libgit2/commit/ca531956619f021913ac01669b3818a705b7b676 (v0.24.6)
 CVE-2016-10130 (The http_connect function in transports/http.c in libgit2 before ...)
 	- libgit2 <unfixed> (bug #851406)
+	[jessie] - libgit2 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22 (v0.25.1)
 	NOTE: https://github.com/libgit2/libgit2/commit/b5c6a1b407b7f8b952bded2789593b68b1876211 (v0.24.6)
 CVE-2016-10129 (The Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x ...)
 	- libgit2 <unfixed> (bug #851406)
+	[jessie] - libgit2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a (v0.25.1)
 	NOTE: https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037 (v0.24.6)
 CVE-2016-10128 (Buffer overflow in the git_pkt_parse_line function in ...)
 	- libgit2 <unfixed> (bug #851406)
+	[jessie] - libgit2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834 (v0.25.1)
 	NOTE: https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2 (v0.24.6)
 CVE-2016-10126 (Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x before ...)

More information about the Secure-testing-commits mailing list