[Secure-testing-commits] r51803 - in data: . CVE
Ola Lundqvist
opal at moszumanska.debian.org
Sun May 21 21:10:54 UTC 2017
Author: opal
Date: 2017-05-21 21:10:54 +0000 (Sun, 21 May 2017)
New Revision: 51803
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Triaging work.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-05-21 21:10:21 UTC (rev 51802)
+++ data/CVE/list 2017-05-21 21:10:54 UTC (rev 51803)
@@ -689,10 +689,12 @@
NOT-FOR-US: Allen Disk
CVE-2017-8847 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in ...)
- lrzip <unfixed>
+ [wheezy] - lrzip <no-dsa> (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/67
NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bufreadget-libzpaq-h/
CVE-2017-8846 (The read_stream function in stream.c in liblrzip.so in lrzip 0.631 ...)
- lrzip <unfixed>
+ [wheezy] - lrzip <no-dsa> (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/71
NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/
CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in ...)
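Review bot: CVE-2017-8846 receives the same `[wheezy] - lrzip <no-dsa> (Minor issue)` line as the NULL pointer dereference in CVE-2017-8847, but its NOTE URL describes a use-after-free in read_stream, which is a memory-corruption class rather than a plain crash. Suggest adding a NOTE under CVE-2017-8846 recording why it is considered minor for wheezy, so the no-dsa decision can be re-checked later without re-reading the upstream issue.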
@@ -706,10 +708,12 @@
NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/
CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 ...)
- lrzip <unfixed>
+ [wheezy] - lrzip <no-dsa> (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/69
NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/
CVE-2017-8842 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in ...)
- lrzip <unfixed>
+ [wheezy] - lrzip <no-dsa> (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/66
NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/
CVE-2017-8841
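Review bot: the entry whose NOTE is the first context line of this hunk (heap-based buffer overflow write in read_1g) gets no wheezy line in the visible diff, while the two entries tagged here (CVE-2017-8843, CVE-2017-8842) are a NULL pointer dereference and a divide-by-zero per their NOTE URLs. If the read_1g entry is not already tagged above the visible context, it stays open for wheezy, and the dla-needed.txt context in this same commit runs from linux straight to lzo2 with no lrzip entry; either tag it as well or add lrzip to dla-needed.txt.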
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-05-21 21:10:21 UTC (rev 51802)
+++ data/dla-needed.txt 2017-05-21 21:10:54 UTC (rev 51803)
@@ -58,6 +58,8 @@
--
libytnef (Thorsten Alteholz)
--
+lintian
+--
linux
--
lzo2
@@ -67,6 +69,8 @@
mcollective
NOTE: See https://lists.debian.org/debian-lts/2017/03/msg00008.html
--
+miniupnpc
+--
mp3splt
NOTE: 2017-02-28: No patch available. Reproducer doesn't work with Debian
NOTE: packages (tested on Stretch, Jessie and Wheezy). It's claimed to
@@ -95,6 +99,8 @@
potrace
NOTE: This CVE is for an incomplete fix of CVE-2016-8698
--
+puppet
+--
putty
NOTE: 2017-04-14: CVE-2017-6542 is only exploitable by a malicious server
NOTE: with SSH agent forwarding enabled. In this case, the client is in
@@ -109,6 +115,8 @@
rzip
NOTE: 2017-05-09: No patch
--
+smb4k
+--
tiff
NOTE: https://people.debian.org/~apo/tiff/tiff.debdiff
NOTE: Waiting for more issues until the end of the month
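Review bot: `smb4k` is added as a bare name, as are lintian, miniupnpc and puppet in the preceding hunks, and the commit log says only "Triaging work.", so the reason for each addition is recorded nowhere in this revision. Suggest a NOTE line with the triggering CVE under each new entry, in the style of the potrace and putty entries, or listing the added packages and their CVEs in the log.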