[Secure-testing-commits] r57998 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Fri Nov 24 17:37:26 UTC 2017


Author: jmm
Date: 2017-11-24 17:37:26 +0000 (Fri, 24 Nov 2017)
New Revision: 57998

Modified:
   data/CVE/list
Log:
scala non-issue
convert otrs issue to NOTE, apparently bogus
fix pnp4nagios entry, all suites are n/a
libraw, lame, libcatalyst-plugin-static-simple-perl, lynx, ohcount no-dsa


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-11-24 15:40:28 UTC (rev 57997)
+++ data/CVE/list	2017-11-24 17:37:26 UTC (rev 57998)
@@ -44,6 +44,8 @@
 	NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA
 CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially crafted ...)
 	- ohcount <unfixed> (bug #882372)
+	[stretch] - ohcount <no-dsa> (Minor issue)
+	[jessie] - ohcount <no-dsa> (Minor issue)
 CVE-2017-16925
 	RESERVED
 CVE-2017-16924
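Review bot: The no-dsa rationale on the two new ohcount lines is only "Minor issue", yet the CVE text on the line above describes a command injection; a NOTE line recording why it is considered minor for stretch and jessie (the same way other entries in this file carry a NOTE with the reasoning) would let later triage verify the decision instead of re-deriving it.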
@@ -249,7 +251,9 @@
 CVE-2017-1000211 (Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML ...)
 	{DLA-1175-1}
 	- lynx 2.8.9dev16-1
+	[stretch] - lynx <no-dsa> (Minor issue)
 	- lynx-cur <removed>
+	[jessie] - lynx-cur <no-dsa> (Minor issue)
 	NOTE: https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9
 CVE-2017-1000206 (samtools htslib library version 1.4.0 and earlier is vulnerable to ...)
 	- htslib 1.4.1-1
@@ -648,8 +652,7 @@
 CVE-2017-16835
 	RESERVED
 CVE-2017-16834 (PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an ...)
-	- pnp4nagios <removed>
-	[wheezy] - pnp4nagios <not-affected> (/etc/pnp4nagios and its content is installed as root by the Debian package)
+	- pnp4nagios <not-affected> (/etc/pnp4nagios and its content is installed as root by the Debian package)
 	NOTE: https://github.com/lingej/pnp4nagios/issues/140
 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro before ...)
 	NOT-FOR-US: Gemirro
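Review bot: The not-affected justification on the new unsuffixed pnp4nagios line only covers /etc/pnp4nagios and its content, while the CVE description two lines above also names /usr/bin/npcd; if the Debian package installs that binary root-owned as well, the note should say so, otherwise the all-suites not-affected marking is only half justified. The hunk also drops the previous "- pnp4nagios <removed>" line, so if the package is still gone from unstable that status is no longer recorded in the entry.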
@@ -2148,6 +2151,8 @@
 	NOTE: https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8
 CVE-2017-16248 (The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows ...)
 	- libcatalyst-plugin-static-simple-perl 0.34-1 (bug #880458)
+	[stretch] - libcatalyst-plugin-static-simple-perl <no-dsa> (Minor issue)
+	[jessie] - libcatalyst-plugin-static-simple-perl <no-dsa> (Minor issue)
 	NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=120558
 CVE-2017-16241
 	RESERVED
@@ -4795,12 +4800,12 @@
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02557.html
 	NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=eb38e1bc3740725ca29a535351de94107ec58d51
 CVE-2017-15288 (The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, ...)
-	- scala <unfixed>
+	- scala <unfixed> (unimportant)
 	NOTE: http://scala-lang.org/news/security-update-nov17.html
 	NOTE: For 2.11.x: https://github.com/scala/scala/pull/6108
 	NOTE: For 2.12.x: https://github.com/scala/scala/pull/6120
 	NOTE: For 2.10.x: https://github.com/scala/scala/pull/6128
-	TODO: check
+	NOTE: Neutralised by kernel hardening
 CVE-2017-15287 (There is XSS in the BouquetEditor WebPlugin for Dream Multimedia ...)
 	NOT-FOR-US: BouquetEditor WebPlugin
 CVE-2017-15286 (SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in ...)
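Review bot: The "NOTE: Neutralised by kernel hardening" line that replaces the TODO should name the specific hardening feature (the sysctl or kernel option) relied on and state whether it is enabled by default on the kernels Debian ships, because the new "(unimportant)" severity on the scala line rests entirely on that assumption and a reader cannot check it from the entry. The three upstream pull-request NOTEs remain useful should a backport ever be reconsidered.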
@@ -5622,6 +5627,8 @@
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5
 CVE-2017-15019 (LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init ...)
 	- lame <unfixed>
+	[stretch] - lame <ignored> (Minor issue)
+	[jessie] - lame <ignored> (Minor issue)
 	NOTE: https://sourceforge.net/p/lame/bugs/477/
 CVE-2017-15018 (LAME 3.99.5 has a heap-based buffer over-read when handling a malformed ...)
 	- lame 3.99.5+repack1-8
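Review bot: The new stretch and jessie lines mark lame as <ignored>, but the commit log lists lame among the no-dsa packages and every other package touched in this commit (ohcount, lynx, libcatalyst-plugin-static-simple-perl, libraw) uses <no-dsa> with the same "(Minor issue)" rationale; <ignored> is a distinct tracker state, so either change these two lines to <no-dsa> or make the log message say ignored.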
@@ -9386,6 +9393,8 @@
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484192
 CVE-2017-13735 (There is a floating point exception in the kodak_radc_load_raw function ...)
 	- libraw 0.18.5-1 (low; bug #874729)
+	[stretch] - libraw <no-dsa> (Minor issue)
+	[jessie] - libraw <no-dsa> (Minor issue)
 	[wheezy] - libraw <no-dsa> (Minor issue)
 	NOTE: https://github.com/LibRaw/LibRaw/issues/96
 	NOTE: Isolated patch: https://github.com/LibRaw/LibRaw/files/1276421/radc_divbyzero.txt
@@ -22463,11 +22472,7 @@
 	[wheezy] - vlc <end-of-life> (Not supported in wheezy LTS)
 	NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3
 CVE-2017-9299 (Open Ticket Request System (OTRS) 3.3.9 has XSS in ...)
-	- otrs2 <unfixed> (unimportant)
-	NOTE: The issue is most likely fixed in the 3.x series already before 3.3.17.
-	NOTE: The exact issue, fixing commits and upstream version was not yet tracked
-	NOTE: down.
-	NOTE: Furthermore the original report is quite vague/unclear and upstream can
+	NOTE: This report for OTRS is quite vague/unclear and upstream can
 	NOTE: not track the issue down to a specific fixed release claims though that
 	NOTE: it should not be reproducible with versions later than 3.3.17.
 CVE-2017-9298 (Cross-site scripting vulnerability in Hitachi Device Manager before ...)
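Review bot: Removing the "- otrs2 <unfixed> (unimportant)" line leaves CVE-2017-9299 with NOTE lines only and no package status, so the entry no longer says whether otrs2 is considered affected, not affected or simply unverifiable; the log calls the report "apparently bogus", and that conclusion belongs in the NOTE. The surviving text also reads awkwardly across the retained lines ("upstream can / not track the issue down to a specific fixed release claims though that ..."); reflowing the three NOTE lines into one sentence would help.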