[Secure-testing-commits] r51803 - in data: . CVE

Ola Lundqvist opal at moszumanska.debian.org
Sun May 21 21:10:54 UTC 2017 

Author: opal
Date: 2017-05-21 21:10:54 +0000 (Sun, 21 May 2017)
New Revision: 51803

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Triaging work.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-05-21 21:10:21 UTC (rev 51802)
+++ data/CVE/list	2017-05-21 21:10:54 UTC (rev 51803)
@@ -689,10 +689,12 @@
 	NOT-FOR-US: Allen Disk
 CVE-2017-8847 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in ...)
 	- lrzip <unfixed>
+	[wheezy] - lrzip <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckolivas/lrzip/issues/67
 	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bufreadget-libzpaq-h/
 CVE-2017-8846 (The read_stream function in stream.c in liblrzip.so in lrzip 0.631 ...)
 	- lrzip <unfixed>
+	[wheezy] - lrzip <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckolivas/lrzip/issues/71
 	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/
 CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in ...)
@@ -706,10 +708,12 @@
 	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/
 CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 ...)
 	- lrzip <unfixed>
+	[wheezy] - lrzip <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckolivas/lrzip/issues/69
 	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/
 CVE-2017-8842 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in ...)
 	- lrzip <unfixed>
+	[wheezy] - lrzip <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckolivas/lrzip/issues/66
 	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/
 CVE-2017-8841

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-05-21 21:10:21 UTC (rev 51802)
+++ data/dla-needed.txt	2017-05-21 21:10:54 UTC (rev 51803)
@@ -58,6 +58,8 @@
 --
 libytnef (Thorsten Alteholz)
 --
+lintian
+--
 linux
 --
 lzo2
@@ -67,6 +69,8 @@
 mcollective
   NOTE: See https://lists.debian.org/debian-lts/2017/03/msg00008.html
 --
+miniupnpc
+--
 mp3splt
   NOTE: 2017-02-28: No patch available. Reproducer doesn't work with Debian
   NOTE: packages (tested on Stretch, Jessie and Wheezy). It's claimed to
@@ -95,6 +99,8 @@
 potrace
   NOTE: This CVE is for an incomplete fix of CVE-2016-8698
 --
+puppet
+--
 putty
   NOTE: 2017-04-14: CVE-2017-6542 is only exploitable by a malicious server
   NOTE: with SSH agent forwarding enabled. In this case, the client is in
@@ -109,6 +115,8 @@
 rzip
   NOTE: 2017-05-09: No patch
 --
+smb4k
+--
 tiff
   NOTE: https://people.debian.org/~apo/tiff/tiff.debdiff
   NOTE: Waiting for more issues until the end of the month

More information about the Secure-testing-commits mailing list