[Secure-testing-commits] r51370 - in data: . CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sat May 6 12:42:55 UTC 2017
Author: carnil
Date: 2017-05-06 12:42:55 +0000 (Sat, 06 May 2017)
New Revision: 51370
Modified:
data/CVE/list
data/next-point-update.txt
Log:
Add more fixes included in 8.8
The remaining ones tracked in next-point-update.txt unfortunately did not make it
to the point release; keep them for the next round (and
possibly drop them next time if no progress)
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-05-06 12:35:04 UTC (rev 51369)
+++ data/CVE/list 2017-05-06 12:42:55 UTC (rev 51370)
@@ -16779,14 +16779,14 @@
CVE-2016-9844 (Buffer overflow in the zi_short function in zipinfo.c in Info-Zip ...)
{DLA-741-1}
- unzip 6.0-21 (bug #847486)
- [jessie] - unzip <no-dsa> (Minor issue)
+ [jessie] - unzip 6.0-16+deb8u3
NOTE: https://launchpad.net/bugs/1643750
NOTE: http://www.openwall.com/lists/oss-security/2016/12/05/13
NOTE: Proposed patch in http://www.openwall.com/lists/oss-security/2016/12/05/19
CVE-2014-9913 (Buffer overflow in the list_files function in list.c in Info-Zip UnZip ...)
{DLA-741-1}
- unzip 6.0-21 (bug #847485)
- [jessie] - unzip <no-dsa> (Minor issue)
+ [jessie] - unzip 6.0-16+deb8u3
NOTE: Upstream bug: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
NOTE: Same reproducer as in https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750
NOTE: can be used to verify a fix (which trigger the issue in unzip -l but crash
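Review bot: both unzip entries replace the jessie <no-dsa> (Minor issue) marker with the same fixed version 6.0-16+deb8u3, which matches the CVE-2014-9913 and CVE-2016-9844 lines dropped from data/next-point-update.txt in this commit, so the two files stay in sync. One documentation nit in the retained CVE-2014-9913 context: the NOTE "can be used to verify a fix (which trigger the issue in unzip -l but crash" ends mid-sentence inside the hunk and should read "which triggers"; worth tidying the next time this entry is touched.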
@@ -24536,7 +24536,7 @@
NOTE: https://ticketbleed.com/
CVE-2016-9243 (HKDF in cryptography before 1.5.2 returns an empty byte-string if used ...)
- python-cryptography 1.5.3-1
- [jessie] - python-cryptography <no-dsa> (Minor issue)
+ [jessie] - python-cryptography 0.6.1-1+deb8u1
NOTE: Upstream bug: https://github.com/pyca/cryptography/issues/3211
NOTE: Upstream commit: https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874
NOTE: http://www.openwall.com/lists/oss-security/2016/11/08/6
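Review bot: the jessie fix 0.6.1-1+deb8u1 is several major releases behind the 1.5.2 named in the description, and the entry records only the unstable version 1.5.3-1, the upstream issue and commit b924696b2e8731f39696584d12cceeb3aeb2d874; a NOTE naming the jessie-pu bug or stating that this commit was backported to the 0.6.1 HKDF code would let a later reader confirm what the +deb8u1 upload actually contains.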
@@ -26007,7 +26007,7 @@
NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c
CVE-2016-XXXX [sendmail: Privilege escalation from group smmsp to root]
- sendmail 8.15.2-7 (bug #841257)
- [jessie] - sendmail <no-dsa> (Minor issue)
+ [jessie] - sendmail 8.14.4-8+deb8u2
[wheezy] - sendmail <no-dsa> (Minor issue)
NOTE: no unprivileged user should be in smmsp group and there is no known vulnerability to gain smmsp group membership
CVE-2016-8885 (The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before ...)
@@ -26588,13 +26588,13 @@
CVE-2016-8606 (The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to ...)
{DLA-666-1}
- guile-2.0 2.0.13+1-1 (low; bug #840555)
- [jessie] - guile-2.0 <no-dsa> (Minor issue)
+ [jessie] - guile-2.0 2.0.11+1-9+deb8u1
- guile-1.8 <not-affected> (repl server introduced in 2.0)
NOTE: Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
CVE-2016-8605 (The mkdir procedure of GNU Guile temporarily changed the process' ...)
{DLA-666-1}
- guile-2.0 2.0.13+1-1 (low; bug #840556)
- [jessie] - guile-2.0 <no-dsa> (Minor issue)
+ [jessie] - guile-2.0 2.0.11+1-9+deb8u1
- guile-1.8 <removed> (low; bug #841494)
[jessie] - guile-1.8 <no-dsa> (Minor issue)
[wheezy] - guile-1.8 <no-dsa> (Minor issue)
@@ -33244,7 +33244,7 @@
NOT-FOR-US: Citrix
CVE-2016-XXXX [bruteforcable challenge responses in unprotected logfile]
- mongodb 1:2.6.12-1 (bug #833087)
- [jessie] - mongodb <no-dsa> (Minor issue, can be fixed via point release)
+ [jessie] - mongodb 1:2.4.10-5+deb8u1
[wheezy] - mongodb 1:2.0.6-1.1+deb7u1
NOTE: Fixed in experimental 1:2.6.11-1, first version in unstable 1:2.6.12-1
NOTE: https://jira.mongodb.org/browse/SERVER-9476
@@ -33261,7 +33261,7 @@
CVE-2016-6494 (The client in MongoDB uses world-readable permissions on .dbshell ...)
{DLA-588-1}
- mongodb 1:2.6.12-3 (bug #832908)
- [jessie] - mongodb <no-dsa> (Minor issue, can be fixed via point release)
+ [jessie] - mongodb 1:2.4.10-5+deb8u1
NOTE: http://www.openwall.com/lists/oss-security/2016/07/29/4
CVE-2016-6491 (Buffer overflow in the Get8BIMProperty function in ...)
{DSA-3652-1 DLA-731-1}
Modified: data/next-point-update.txt
===================================================================
--- data/next-point-update.txt 2017-05-06 12:35:04 UTC (rev 51369)
+++ data/next-point-update.txt 2017-05-06 12:42:55 UTC (rev 51370)
@@ -32,24 +32,6 @@
[jessie] - libxrender 1:0.9.8-1+deb8u1
CVE-2016-7953
[jessie] - libxvmc 2:1.0.8-2+deb8u1
-CVE-2016-8605
- [jessie] - guile-2.0 2.0.11+1-9+deb8u1
-CVE-2016-8606
- [jessie] - guile-2.0 2.0.11+1-9+deb8u1
-CVE-2016-9243
- [jessie] - python-cryptography 0.6.1-1+deb8u1
CVE-2017-XXXX [w3m]
[jessie] - w3m 0.5.3-19+deb8u2
NOTE: For #850432
-CVE-2016-6494
- [jessie] - mongodb 1:2.4.10-5+deb8u1
-CVE-2016-XXXX [mongodb]
- [jessie] - mongodb 1:2.4.10-5+deb8u1
- NOTE: For #833087
-CVE-2016-XXXX [sendmail: Privilege escalation from group smmsp to root]
- [jessie] - sendmail 8.14.4-8+deb8u2
- NOTE: For #841257
-CVE-2014-9913
- [jessie] - unzip 6.0-16+deb8u3
-CVE-2016-9844
- [jessie] - unzip 6.0-16+deb8u3
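Review bot: the 18 removed lines correspond exactly to the eight [jessie] fixed versions added to data/CVE/list in this commit (unzip 6.0-16+deb8u3 twice, guile-2.0 2.0.11+1-9+deb8u1 twice, python-cryptography 0.6.1-1+deb8u1, mongodb 1:2.4.10-5+deb8u1 twice, sendmail 8.14.4-8+deb8u2), so nothing is dropped here without being recorded there. For the three entries that survive (libxrender, libxvmc, w3m), the log says they missed the point release and may be dropped next round if there is no progress, but the file carries no marker of that; a NOTE recording the point release they missed would make the later "no progress" decision auditable.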