[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2016-5405 as no-dsa for Jessie

Thorsten Alteholz alteholz at debian.org
Tue Jul 10 14:17:49 BST 2018


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e079c03d by Thorsten Alteholz at 2018-07-10T15:14:17+02:00
mark CVE-2016-5405 as no-dsa for Jessie

- - - - -
ef7c97a1 by Thorsten Alteholz at 2018-07-10T15:14:17+02:00
add fix for CVE-2017-15134

- - - - -
7a6de499 by Thorsten Alteholz at 2018-07-10T15:14:18+02:00
mark CVE-2017-15135 as no-dsa for Jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -43679,8 +43679,10 @@ CVE-2017-15136 (When registering and activating a new system with Red Hat Satell
 	NOT-FOR-US: Red Hat Satellite 6
 CVE-2017-15135 (It was found that 389-ds-base since 1.3.6.1 up to and including ...)
 	- 389-ds-base 1.3.7.9-1 (bug #888451)
+	[jessie] - 389-ds-base <no-dsa> (vulnerable code (patch for CVE-2016-5405) not yet applied)
 CVE-2017-15134 (A stack buffer overflow flaw was found in the way 389-ds-base 1.3.6.x ...)
 	- 389-ds-base 1.3.7.9-1 (bug #888452)
+	NOTE: Fixed by: https://pagure.io/389-ds-base/c/6aa2acdc3cad9
 CVE-2017-15133 (A denial of service flaw was found in miekg-dns before 1.0.4. A remote ...)
 	- golang-github-miekg-dns 0.0~git20170501.0.f282f80-3 (bug #888777)
 	[stretch] - golang-github-miekg-dns <no-dsa> (Minor issue)
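Review bot: The new [jessie] line under CVE-2017-15135 is tagged <no-dsa>, but its reason says the vulnerable code (introduced by the patch for CVE-2016-5405) is not present in jessie, which describes a package that is not affected rather than one that is affected but does not warrant a DSA. Consider "[jessie] - 389-ds-base <not-affected> (Vulnerable code introduced by the fix for CVE-2016-5405, not applied in jessie)" so that tooling and readers relying on the state do not count jessie as vulnerable. If <no-dsa> is kept on purpose because the CVE-2016-5405 patch may still be backported, say so in the reason, since "not yet applied" leaves the intent open. Smaller point on the CVE-2017-15134 NOTE: the upstream link uses an abbreviated commit id; the full hash would be more robust if the short form ever becomes ambiguous.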
@@ -101783,6 +101785,10 @@ CVE-2016-5406 (The domain controller in Red Hat JBoss Enterprise Application Pla
 	NOT-FOR-US: JBoss EAP
 CVE-2016-5405 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...)
 	- 389-ds-base 1.3.5.15-1 (bug #842121)
+	[jessie] - 389-ds-base <no-dsa> (minor issue)
+	NOTE: This affects systems storing passwords in plain text.
+	NOTE: Systems using unsalted hashes might be unsafe as well if using weak
+	NOTE: hash algorithms, however the attack would be very time-consuming.
 CVE-2016-5404 (The cert_revoke command in FreeIPA does not check for the "revoke ...)
 	- freeipa 4.3.2-5 (bug #835131)
 	NOTE: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cf74584d0f772f3f5eccc1d30c001e4212a104fd (master)
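Review bot: The CVE-2016-5405 entry for jessie lacks a cross-reference to CVE-2017-15135, even though the other hunk of this same change records that the CVE-2016-5405 patch is what introduces the CVE-2017-15135 code path. Anyone who later backports the fix to jessie will read only this entry, so a line such as "NOTE: When backporting, also apply the fix for CVE-2017-15135 (regression introduced by this patch)" would keep the dependency visible where it is needed. Two style points on the added lines: the reason "(minor issue)" is lower case while the existing stretch entry for CVE-2017-15133 in this file uses "(Minor issue)", and the NOTE text about plain-text passwords and unsalted hashes gives the rationale without a source, so a reference to the upstream bug or advisory it is drawn from would let the triage be re-checked later.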



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/993e0d39de4bd937769887934839ed7f7c8fcedd...7a6de499683a3d41f1f09588bff3a21a370b945c



More information about the debian-security-tracker-commits mailing list