[Git][security-tracker-team/security-tracker][master] openssh in jessie: ignore CVE-2016-8858, postpone the remaining issues

Santiago R.R. santiago at debian.org
Thu Aug 30 19:50:12 BST 2018 

Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2aaef820 by Santiago Ruano Rincón at 2018-08-30T18:49:15Z
openssh in jessie: ignore CVE-2016-8858, postpone the remaining issues

Signed-off-by: Santiago Ruano Rincón <santiagorr at riseup.net>

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -27338,10 +27338,11 @@ CVE-2016-10709 (pfSense before 2.3 allows remote authenticated users to execute
 CVE-2016-10708 (sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of ...)
 	{DLA-1257-1}
 	- openssh 1:7.4p1-1
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737
 	NOTE: http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html
 	NOTE: Flaw is not crashing the whole sshd daemon, rather the privsep process
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2018-5954 (phpFreeChat 1.7 and earlier allows remote attackers to cause a denial ...)
 	NOT-FOR-US: phpFreeChat
 CVE-2018-5953 (The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel ...)
@@ -48025,9 +48026,10 @@ CVE-2017-15907 (SQL injection vulnerability in phpCollab 2.5.1 and earlier allow
 CVE-2017-15906 (The process_open function in sftp-server.c in OpenSSH before 7.6 does ...)
 	- openssh 1:7.6p1-1 (low)
 	[stretch] - openssh 1:7.4p1-10+deb9u3
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2017-15905
 	RESERVED
 CVE-2017-15904
@@ -85219,17 +85221,19 @@ CVE-2016-10013 (Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to
 	NOTE: https://xenbits.xen.org/xsa/advisory-204.html
 CVE-2016-10012 (The shared memory manager (associated with pre-authentication ...)
 	- openssh 1:7.4p1-1 (low; bug #848717)
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4
 	NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166
 	NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2016-10011 (authfile.c in sshd in OpenSSH before 7.4 does not properly consider ...)
 	- openssh 1:7.4p1-1 (low; bug #848716)
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4
 	NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2016-10010 (sshd in OpenSSH before 7.4, when privilege separation is not used, ...)
 	- openssh 1:7.4p1-1 (unimportant; bug #848715)
 	NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4
@@ -85237,10 +85241,11 @@ CVE-2016-10010 (sshd in OpenSSH before 7.4, when privilege separation is not use
 	NOTE: Privilege separation is enabled in the Debian package
 CVE-2016-10009 (Untrusted search path vulnerability in ssh-agent.c in ssh-agent in ...)
 	- openssh 1:7.4p1-1 (low; bug #848714)
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4
 	NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2016-9998 (SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability ...)
 	{DLA-760-1}
 	- spip 3.1.4-2 (bug #848641)
@@ -97380,7 +97385,7 @@ CVE-2016-8859 (Multiple integer overflows in the TRE library and musl libc allow
 	NOTE: musl patch: http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7, not released yet
 CVE-2016-8858 (** DISPUTED ** The kex_input_kexinit function in kex.c in OpenSSH 6.x ...)
 	- openssh 1:7.3p1-2 (bug #841884)
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <ignored> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.127&content-type=text/x-cvsweb-markup
 	NOTE: Only thing the attacker could do here is self-dos own connection
@@ -104507,8 +104512,9 @@ CVE-2016-6517 (Directory traversal vulnerability in Liferay 5.1.0 allows remote
 CVE-2016-6515 (The auth_password function in auth-passwd.c in sshd in OpenSSH before ...)
 	{DLA-594-1}
 	- openssh 1:7.3p1-1 (bug #833823)
-	[jessie] - openssh <no-dsa> (Minor issue; can be included in future DSA or via point release)
+	[jessie] - openssh <postponed> (Minor issue; can be included in future DSA or via point release)
 	NOTE: Fixed by: https://anongit.mindrot.org/openssh.git/commit/?id=fcd135c9df440bcd2d5870405ad3311743d78d97
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2016-6514
 	RESERVED
 CVE-2016-6502
@@ -116187,12 +116193,13 @@ CVE-2016-3116 (CRLF injection vulnerability in Dropbear SSH before 2016.72 allow
 	NOTE: Fixed in 2016.72 upstream
 CVE-2016-3115 (Multiple CRLF injection vulnerabilities in session.c in sshd in ...)
 	- openssh 1:7.2p2-1
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: http://www.openssh.com/txt/x11fwd.adv
 	NOTE: Portable OpenSSH 7.2p2 contains a fix for this vulnerability.
 	NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/8
 	NOTE: Upstream fix: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281&r2=1.282&sortby=date&f=h
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2016-3134 (The netfilter subsystem in the Linux kernel through 4.5.2 does not ...)
 	{DSA-3607-1 DLA-516-1}
 	- linux 4.5.1-1
@@ -120530,7 +120537,7 @@ CVE-2016-1716 (AppleGraphicsPowerManagement in Apple OS X before 10.11.3 allows
 	NOT-FOR-US: Apple
 CVE-2016-1908 (The client in OpenSSH before 7.2 mishandles failed cookie generation ...)
 	- openssh 1:7.2p1-1
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	[squeeze] - openssh <no-dsa> (Minor issue)
 	NOTE: Upstream commit: https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
@@ -120541,6 +120548,7 @@ CVE-2016-1908 (The client in OpenSSH before 7.2 mishandles failed cookie generat
 	NOTE: vulnerability is partly due to /etc/X11/Xsession.d/35x11-common_xhost-local introduced in x11-common in 1:7.6+9 (wheezy and up)
 	NOTE: https://lists.debian.org/debian-lts/2016/01/msg00029.html
 	NOTE: Upstream announce: http://www.openssh.com/txt/release-7.2
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2016-1907 (The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 ...)
 	- openssh 1:7.1p2-1
 	[jessie] - openssh <not-affected> (Vulnerable code not present; Introduced in OpenSSH 6.8)
@@ -133183,18 +133191,20 @@ CVE-2015-6565 (sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for T
 	NOTE: http://www.openwall.com/lists/oss-security/2015/08/12/1
 CVE-2015-6563 (The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD ...)
 	- openssh 1:6.9p1-1 (bug #795711)
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	[squeeze] - openssh <no-dsa> (Minor issue)
 	NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
 	NOTE: http://www.openwall.com/lists/oss-security/2015/08/11/9
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2015-6564 (Use-after-free vulnerability in the mm_answer_pam_free_ctx function in ...)
 	- openssh 1:6.9p1-1 (bug #795711)
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	[squeeze] - openssh <no-dsa> (Minor issue)
 	NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
 	NOTE: http://www.openwall.com/lists/oss-security/2015/08/11/9
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2015-6737 (Cross-site scripting (XSS) vulnerability in the Widgets extension for ...)
 	NOT-FOR-US: Widgets extension for MediaWiki
 	NOTE: https://phabricator.wikimedia.org/T88964
@@ -134302,13 +134312,14 @@ CVE-2015-5601
 CVE-2015-5600 (The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH ...)
 	{DLA-288-1}
 	- openssh 1:6.9p1-1 (bug #793616)
-	[jessie] - openssh <no-dsa> (Minor issue; not in default configurations)
+	[jessie] - openssh <postponed> (Minor issue; not in default configurations)
 	[wheezy] - openssh <no-dsa> (Minor issue; not in default configurations)
 	NOTE: http://seclists.org/fulldisclosure/2015/Jul/92
 	NOTE: Affects configurations that have KbdInteractiveAuthentication set
 	NOTE: to yes. Default for KbdInteractiveAuthentication is to use whatever
 	NOTE: value ChallengeResponseAuthentication is set to, which is 'no' in
 	NOTE: default configurations in Debian.
+	NOTE: patched in https://salsa.debian.org/santiago/openssh/tree/jessie
 CVE-2015-5599 (Multiple SQL injection vulnerabilities in upload.php in the Powerplay ...)
 	NOT-FOR-US: Powerplay Gallery plugin for WordPress
 CVE-2015-5598
@@ -136015,7 +136026,7 @@ CVE-2015-5146 (ntpd in ntp before 4.2.8p3 with remote configuration enabled allo
 CVE-2015-5352 (The x11_open_helper function in channels.c in ssh in OpenSSH before ...)
 	{DLA-288-1}
 	- openssh 1:6.9p1-1 (bug #790798)
-	[jessie] - openssh <no-dsa> (Minor issue)
+	[jessie] - openssh <postponed> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2015/07/01/7
 	NOTE: https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2aaef820680058a7618b9d6a868ec7a74a5324e6

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2aaef820680058a7618b9d6a868ec7a74a5324e6
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180830/3b5ca69a/attachment.html>

More information about the debian-security-tracker-commits mailing list