[Git][security-tracker-team/security-tracker][master] 3 commits: CVE/list: sort release entries after their package entry

Emilio Pozuelo Monfort pochu at debian.org
Thu Nov 5 12:57:38 GMT 2020



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
320c7a32 by Emilio Pozuelo Monfort at 2020-11-05T13:52:05+01:00
CVE/list: sort release entries after their package entry

- - - - -
d596daa6 by Emilio Pozuelo Monfort at 2020-11-05T13:52:06+01:00
CVE/list: sort release entries in reverse order

- - - - -
f354d196 by Emilio Pozuelo Monfort at 2020-11-05T13:52:06+01:00
bugs.py: add some checks for package notes

- - - - -


2 changed files:

- data/CVE/list
- lib/python/bugs.py


Changes:

=====================================
data/CVE/list
=====================================
@@ -41522,9 +41522,9 @@ CVE-2020-10731 (A flaw was found in the nova_libvirt container provided by the R
 CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw was found  ...)
 	- ldb 2:2.1.4-1
 	[buster] - ldb <no-dsa> (Minor issue)
+	[stretch] - ldb <not-affected> (Vulnerable code introduced later)
 	- samba 2:4.12.5+dfsg-1
 	[buster] - samba <postponed> (Minor issue, fix along in next DSA)
-	[stretch] - ldb <not-affected> (Vulnerable code introduced later)
 	NOTE: https://www.samba.org/samba/security/CVE-2020-10730.html
 	NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=9dd458956d7af1b4bbe505ba2ab72235e81c27d0 (for ldb)
 CVE-2020-10729 [two random password lookups in same task return same value]
@@ -50014,8 +50014,8 @@ CVE-2020-7248 (libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a t
 	NOT-FOR-US: libubox in OpenWrt
 CVE-2020-XXXX [opensmtpd DoS via opportunistic TLS downgrade]
 	- opensmtpd 6.6.2p1-1 (bug #950121)
-	[stretch] - opensmtpd 6.0.2p1-2+deb9u2
 	[buster] - opensmtpd 6.0.3p1-5+deb10u3
+	[stretch] - opensmtpd 6.0.2p1-2+deb9u2
 	NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/018_smtpd_tls.patch.sig
 CVE-2020-7247 (smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6 ...)
 	{DSA-4611-1}
@@ -156215,9 +156215,9 @@ CVE-2018-8037 (If an async request was completed by the application at the same
 	NOTE: https://svn.apache.org/r1833907 (8.5.x)
 CVE-2018-8036 (In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully c ...)
 	- libpdfbox-java 1:1.8.15-1 (low; bug #902776)
-	- libpdfbox2-java 2.0.11-1 (low)
 	[stretch] - libpdfbox-java <no-dsa> (Minor issue)
 	[jessie] - libpdfbox-java <no-dsa> (Minor issue)
+	- libpdfbox2-java 2.0.11-1 (low)
 	NOTE: https://www.openwall.com/lists/oss-security/2018/06/29/2
 CVE-2018-8035 (This vulnerability relates to the user's browser processing of DUCC we ...)
 	NOT-FOR-US: UIMA DUCC (subproject of Apache UIMA)
@@ -172671,9 +172671,9 @@ CVE-2018-2642 (Vulnerability in the Oracle Argus Safety component of Oracle Heal
 	NOT-FOR-US: Oracle
 CVE-2018-2641 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...)
 	{DSA-4166-1 DSA-4144-1 DLA-1339-1}
-	[experimental] - openjdk-7 7u171-2.6.13-1
 	- openjdk-9 9.0.4+12-1
 	- openjdk-8 8u162-b12-1
+	[experimental] - openjdk-7 7u171-2.6.13-1
 	- openjdk-7 <removed>
 	- openjdk-6 <removed>
 	[wheezy] - openjdk-6 <end-of-life>
@@ -234738,8 +234738,8 @@ CVE-2016-8332 (A buffer overflow in OpenJPEG 2.1.1 causes arbitrary code executi
 CVE-2016-8331 (An exploitable remote code execution vulnerability exists in the handl ...)
 	{DLA-693-1}
 	- tiff 4.0.6-3
-	- tiff3 <removed>
 	[jessie] - tiff 4.0.3-12.3+deb8u2
+	- tiff3 <removed>
 	[wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
 	NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0190/
 	NOTE: thumbnail(1) was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package
@@ -254244,9 +254244,9 @@ CVE-2016-XXXX [exec functions ignore length but look for NULL termination]
 	- php5 5.6.18+dfsg-1
 	[jessie] - php5 5.6.19+dfsg-0+deb8u1
 	[wheezy] - php5 5.4.45-0+deb7u7
+	[squeeze] - php5 5.3.3.1-7+squeeze29
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
-	[squeeze] - php5 5.3.3.1-7+squeeze29
 	NOTE: temporary workaround until CVE assigned to explitly tag for squeeze
 	NOTE: https://bugs.php.net/bug.php?id=71039
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305494
@@ -254266,9 +254266,9 @@ CVE-2016-XXXX [Integer overflow in iptcembed()]
 	- php5 5.6.18+dfsg-1
 	[jessie] - php5 5.6.19+dfsg-0+deb8u1
 	[wheezy] - php5 5.4.45-0+deb7u7
+	[squeeze] - php5 5.3.3.1-7+squeeze29
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
-	[squeeze] - php5 5.3.3.1-7+squeeze29
 	NOTE: temporary workaround until CVE assigned to explitly tag for squeeze
 	NOTE: https://bugs.php.net/bug.php?id=71459
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305518
@@ -254321,9 +254321,9 @@ CVE-2016-XXXX [NULL Pointer Dereference in phar_tar_setupmetadata()]
 	- php5 5.6.18+dfsg-1
 	[jessie] - php5 5.6.19+dfsg-0+deb8u1
 	[wheezy] - php5 5.4.45-0+deb7u7
+	[squeeze] - php5 5.3.3.1-7+squeeze29
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
-	[squeeze] - php5 5.3.3.1-7+squeeze29
 	NOTE: temporary workaround until CVE assigned to explitly tag for squeeze
 	NOTE: https://bugs.php.net/bug.php?id=71391
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305540
@@ -254355,9 +254355,9 @@ CVE-2016-XXXX [Crash on bad SOAP request]
 	- php5 5.6.18+dfsg-1
 	[jessie] - php5 5.6.19+dfsg-0+deb8u1
 	[wheezy] - php5 5.4.45-0+deb7u7
+	[squeeze] - php5 5.3.3.1-7+squeeze29
 	- php5.6 5.6.18+dfsg-1
 	- php7.0 7.0.3-1
-	[squeeze] - php5 5.3.3.1-7+squeeze29
 	NOTE: temporary workaround until CVE assigned to explitly tag for squeeze
 	NOTE: https://bugs.php.net/bug.php?id=70979
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1305551
@@ -255734,10 +255734,10 @@ CVE-2016-1980
 CVE-2016-1979 (Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndRet ...)
 	{DSA-3688-1 DSA-3576-1 DLA-480-1 DLA-472-1}
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	- icedove 38.8.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-36/
 	- nss 2:3.21-1
@@ -255772,10 +255772,10 @@ CVE-2016-1974 (The nsScannerString::AppendUnicodeTo function in Mozilla Firefox
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
 CVE-2016-1973 (Race condition in the GetStaticInstance function in the WebRTC impleme ...)
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-33/
 CVE-2016-1972 (Race condition in libvpx in Mozilla Firefox before 45.0 on Windows mig ...)
 	- iceweasel <not-affected> (Windows-specific)
@@ -255793,19 +255793,19 @@ CVE-2016-1969 (The setAttr function in Graphite 2 before 1.3.6, as used in Mozil
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-38/
 CVE-2016-1968 (Integer underflow in Brotli, as used in Mozilla Firefox before 45.0, a ...)
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-30/
 	- brotli 0.3.0+dfsg-3 (bug #817233)
 	NOTE: https://github.com/google/brotli/commit/37a320dd81db8d546cd24a45b4c61d87b45dcade
 CVE-2016-1967 (Mozilla Firefox before 45.0 does not properly restrict the availabilit ...)
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-29/
 CVE-2016-1966 (The nsNPObjWrapper::GetNewOrUsed function in dom/plugins/base/nsJSNPRu ...)
 	{DSA-3520-1 DSA-3510-1}
@@ -255829,10 +255829,10 @@ CVE-2016-1964 (Use-after-free vulnerability in the AtomicBaseIncDec function in
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
 CVE-2016-1963 (The FileReader class in Mozilla Firefox before 45.0 allows local users ...)
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-26/
 CVE-2016-1962 (Use-after-free vulnerability in the mozilla::DataChannelConnection::Cl ...)
 	{DSA-3520-1 DSA-3510-1}
@@ -255877,17 +255877,17 @@ CVE-2016-1957 (Memory leak in libstagefright in Mozilla Firefox before 45.0 and
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
 CVE-2016-1956 (Mozilla Firefox before 45.0 on Linux, when an Intel video driver is us ...)
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-19/
 CVE-2016-1955 (Mozilla Firefox before 45.0 allows remote attackers to bypass the Same ...)
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-18/
 CVE-2016-1954 (The nsCSPContext::SendReports function in dom/security/nsCSPContext.cp ...)
 	{DSA-3520-1 DSA-3510-1}
@@ -255898,10 +255898,10 @@ CVE-2016-1954 (The nsCSPContext::SendReports function in dom/security/nsCSPConte
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
 CVE-2016-1953 (Multiple unspecified vulnerabilities in the browser engine in Mozilla  ...)
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 44.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 44.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
 CVE-2016-1952 (Multiple unspecified vulnerabilities in the browser engine in Mozilla  ...)
 	{DSA-3510-1}
@@ -255929,11 +255929,11 @@ CVE-2016-1950 (Heap-based buffer overflow in Mozilla Network Security Services (
 	NOTE: NSS fixed in 3.21.1
 CVE-2016-1949 (Mozilla Firefox before 44.0.2 does not properly restrict the interacti ...)
 	- iceweasel <removed>
-	- firefox-esr 45.0esr-1
-	- firefox 45.0-1
 	[jessie] - iceweasel <not-affected> (Only affects Firefox 43.x)
 	[wheezy] - iceweasel <not-affected> (Only affects Firefox 43.x)
 	[squeeze] - iceweasel <not-affected> (Only affects Firefox 43.x)
+	- firefox-esr 45.0esr-1
+	- firefox 45.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/
 CVE-2016-1948 (Mozilla Firefox before 44.0 on Android does not ensure that HTTPS is u ...)
 	- iceweasel <not-affected> (Only affects Firefox for Android)
@@ -258399,8 +258399,8 @@ CVE-2014-9761 (Multiple stack-based buffer overflows in the GNU C Library (aka g
 	{DLA-411-1}
 	- glibc 2.23-1 (bug #813187)
 	[jessie] - glibc <no-dsa> (Minor issue)
-	[wheezy] - eglibc <no-dsa> (Minor issue)
 	- eglibc <removed>
+	[wheezy] - eglibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16962
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
@@ -263567,8 +263567,8 @@ CVE-2015-8104 (The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.
 	{DSA-3454-1 DSA-3426-1 DSA-3414-1 DLA-479-1}
 	- linux 4.2.6-2
 	- linux-2.6 <removed>
-	- xen 4.8.0~rc3-1 (bug #823620)
 	[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
+	- xen 4.8.0~rc3-1 (bug #823620)
 	[squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
 	NOTE: http://xenbits.xen.org/xsa/advisory-156.html
 	NOTE: Upstream patch: https://lkml.org/lkml/2015/11/10/218
@@ -264032,8 +264032,8 @@ CVE-2015-7995 (The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 d
 CVE-2015-8982 (Integer overflow in the strxfrm function in the GNU C Library (aka gli ...)
 	- glibc 2.21-1 (bug #803927)
 	[jessie] - glibc 2.19-18+deb8u2
-	[wheezy] - eglibc 2.13-38+deb7u9
 	- eglibc <removed>
+	[wheezy] - eglibc 2.13-38+deb7u9
 	[squeeze] - eglibc 2.11.3-4+deb6u8
 	NOTE: workaround entry for DLA-350-1 until/if CVE assigned
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16009
@@ -264444,7 +264444,6 @@ CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux kernel
 	[stretch] - linux <ignored> (Minor issue, requires invasive changes)
 	[jessie] - linux <ignored> (Minor issue, requires invasive changes)
 	[wheezy] - linux <no-dsa> (Minor issue, requires invasive changes)
-	[jessie] - linux-4.9 <ignored> (Minor issue, requires invasive changes)
 	- linux-2.6 <removed>
 	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=60533
 CVE-2015-8011 (Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c ...)
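Review bot: the removed line `[jessie] - linux-4.9 <ignored> (Minor issue, requires invasive changes)` in the CVE-2013-7445 entry is a deletion, not a reorder, so the jessie linux-4.9 status is lost in a push whose data commits are described as sorting. If it was dropped because the entry has no `- linux-4.9` package line for it to follow, add that package line and keep the release note, or state in the commit message why the status is no longer wanted.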
@@ -267108,8 +267107,8 @@ CVE-2014-9747 (The t42_parse_encoding function in type42/t42parse.c in FreeType
 CVE-2015-6855 (hw/ide/core.c in QEMU does not properly restrict the commands accepted ...)
 	{DSA-3362-1 DSA-3361-1}
 	- qemu 1:2.4+dfsg-2
-	- qemu-kvm <removed>
 	[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
+	- qemu-kvm <removed>
 	[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
 	NOTE: https://www.openwall.com/lists/oss-security/2015/09/10/1
 	NOTE: Fix commit: http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a
@@ -271295,8 +271294,8 @@ CVE-2015-5307 (The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.
 	{DSA-3454-1 DSA-3414-1 DSA-3396-1 DLA-479-1}
 	- linux 4.2.6-1
 	- linux-2.6 <removed>
-	- xen 4.8.0~rc3-1 (bug #823620)
 	[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
+	- xen 4.8.0~rc3-1 (bug #823620)
 	[squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
 	NOTE: http://xenbits.xen.org/xsa/advisory-156.html
 	- virtualbox 5.0.10-dfsg-1
@@ -273681,23 +273680,23 @@ CVE-2015-4490 (The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp
 CVE-2015-4489 (The nsTArray_Impl class in Mozilla Firefox before 40.0, Firefox ESR 38 ...)
 	{DSA-3410-1 DSA-3333-1}
 	- iceweasel 38.2.0esr-1
+	[squeeze] - iceweasel <end-of-life>
 	- icedove 38.3.0-1
 	[squeeze] - icedove <end-of-life>
-	[squeeze] - iceweasel <end-of-life>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
 CVE-2015-4488 (Use-after-free vulnerability in the StyleAnimationValue class in Mozil ...)
 	{DSA-3410-1 DSA-3333-1}
 	- iceweasel 38.2.0esr-1
+	[squeeze] - iceweasel <end-of-life>
 	- icedove 38.3.0-1
 	[squeeze] - icedove <end-of-life>
-	[squeeze] - iceweasel <end-of-life>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
 CVE-2015-4487 (The nsTSubstring::ReplacePrep function in Mozilla Firefox before 40.0, ...)
 	{DSA-3410-1 DSA-3333-1}
 	- iceweasel 38.2.0esr-1
+	[squeeze] - iceweasel <end-of-life>
 	- icedove 38.3.0-1
 	[squeeze] - icedove <end-of-life>
-	[squeeze] - iceweasel <end-of-life>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
 CVE-2015-4486 (The decrease_ref_count function in libvpx in Mozilla Firefox before 40 ...)
 	- libvpx 1.4.0-1
@@ -273760,9 +273759,9 @@ CVE-2015-4474 (Multiple unspecified vulnerabilities in the browser engine in Moz
 CVE-2015-4473 (Multiple unspecified vulnerabilities in the browser engine in Mozilla  ...)
 	{DSA-3410-1 DSA-3333-1}
 	- iceweasel 38.2.0esr-1
+	[squeeze] - iceweasel <end-of-life>
 	- icedove 38.3.0-1
 	[squeeze] - icedove <end-of-life>
-	[squeeze] - iceweasel <end-of-life>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
 CVE-2015-4466
 	RESERVED
@@ -277380,12 +277379,13 @@ CVE-2015-3209 (Heap-based buffer overflow in the PCNET controller in QEMU allows
 	{DSA-3286-1 DSA-3285-1 DSA-3284-1}
 	- qemu 1:2.3+dfsg-6 (bug #788460)
 	[wheezy] - qemu 1.1.2+dfsg-6a+deb7u8
+	[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
 	- qemu-kvm <removed>
+	[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
 	- xen 4.4.0-1
 	[squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
+        - xen-qemu-dm-4.0 <removed>
 	[squeeze] - xen-qemu-dm-4.0 <end-of-life> (Not supported in Squeeze LTS)
-	[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
-	[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
 	NOTE: Xen switched to qemu-system in 4.4.0-1
 	NOTE: http://xenbits.xen.org/xsa/advisory-135.html
 CVE-2015-3208 (XML external entity (XXE) vulnerability in the XPath selector componen ...)
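Review bot: the added `- xen-qemu-dm-4.0 <removed>` line is indented with eight spaces, while the other lines of this entry are indented with a tab; use a tab so the entry stays consistent for anything that matches on the leading whitespace. This line is also a new package-level note rather than a moved one, which the commit subjects do not mention.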
@@ -280696,10 +280696,10 @@ CVE-2015-2156 (Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x befor
 	- netty 1:4.0.31-1 (bug #796114)
 	[jessie] - netty <ignored> (Minor issue, invasive patch)
 	[wheezy] - netty <no-dsa> (Minor issue)
+	[squeeze] - netty <no-dsa> (Minor issue)
 	- netty-3.9 3.9.9.Final-1 (bug #793770)
 	[jessie] - netty-3.9 <ignored> (Minor issue, invasive patch)
 	- playframework <itp> (bug #646523)
-	[squeeze] - netty <no-dsa> (Minor issue)
 	NOTE: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
 	NOTE: https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
 	NOTE: http://web.archive.org/web/20150925094949/http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
@@ -283391,8 +283391,8 @@ CVE-2015-1370 (Incomplete blacklist vulnerability in marked 0.3.2 and earlier fo
 CVE-2013-7423 (The send_dg function in resolv/res_send.c in GNU C Library (aka glibc  ...)
 	{DLA-165-1}
 	- glibc 2.19-1 (bug #722075)
-	[wheezy] - eglibc 2.13-38+deb7u5
 	- eglibc <removed>
+	[wheezy] - eglibc 2.13-38+deb7u5
 	NOTE: Fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f9d2d03254a58d92635a311a42253eeed5a40a47
 	NOTE: Upstream report: https://sourceware.org/bugzilla/show_bug.cgi?id=15946
 	NOTE: https://www.openwall.com/lists/oss-security/2015/01/28/16
@@ -289545,11 +289545,11 @@ CVE-2014-8873 (A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8
 	{DSA-3316-1 DSA-3235-1}
 	- openjdk-8 8u45-b14-1 (high)
 	- openjdk-7 7u79-2.5.5-1 (high)
+	[wheezy] - openjdk-7 <not-affected> (MIME type setting is harmless on wheezy)
+	[squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on this squeeze)
 	- openjdk-6 <removed> (high)
-	[squeeze] - openjdk-6 <not-affected> (MIME type setting is harmless on squeeze)
 	[wheezy] - openjdk-6 <not-affected> (MIME type setting is harmless on wheezy)
-	[squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on this squeeze)
-	[wheezy] - openjdk-7 <not-affected> (MIME type setting is harmless on wheezy)
+	[squeeze] - openjdk-6 <not-affected> (MIME type setting is harmless on squeeze)
 	NOTE: Starting with mime-support 3.53, MimeType entries in desktop
 	NOTE: files end up in /etc/mailcap, which introduces the user-initiated
 	NOTE: code execution.
@@ -290108,6 +290108,7 @@ CVE-2014-8601 (PowerDNS Recursor before 3.6.2 does not limit delegation chaining
 CVE-2014-8600 (Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.1 ...)
 	- kde-runtime 4:4.14.2-2 (bug #769632)
 	[wheezy] - kde-runtime <no-dsa> (Minor issue)
+	- kdebase-runtime <removed>
 	[squeeze] - kdebase-runtime <no-dsa> (Minor issue)
 	- webkitkde 1.3.4-2 (unimportant)
 	NOTE: webkitpart: http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689
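Review bot: `- kdebase-runtime <removed>` is a new package-level note, not a reordered line, so this hunk records a status for kdebase-runtime that the file did not carry before. It looks like it was added so that `[squeeze] - kdebase-runtime` has a package note to follow; say so in the commit message so the data change is not hidden behind a sort.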
@@ -290996,8 +290997,8 @@ CVE-2013-7406 (SQL injection vulnerability in the MRBS module for Drupal allows
 CVE-2014-8350 (Smarty before 3.1.21 allows remote attackers to bypass the secure mode ...)
 	{DLA-452-1}
 	- smarty3 3.1.21-1 (bug #765920)
-	- smarty <not-affected> (Only affects 3.x series)
 	[squeeze] - smarty3 <end-of-life> (Unsupported in squeeze-lts)
+	- smarty <not-affected> (Only affects 3.x series)
 	NOTE: https://github.com/smarty-php/smarty/commit/279bdbd3521cd717cae6a3ba48f1c3c6823f439d.patch
 CVE-2014-8399 (The default configuration in systemd-shim 8 enables the Abandon debugg ...)
 	- systemd-shim 8-4
@@ -295381,9 +295382,9 @@ CVE-2014-6541 (Unspecified vulnerability in the Recovery component in Oracle Dat
 	NOT-FOR-US: Oracle
 CVE-2014-6540 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
 	- virtualbox-guest-additions <removed>
+	[squeeze] - virtualbox-guest-additions <no-dsa> (Non-free not supported)
 	- virtualbox-guest-additions-iso 4.3.14-1
 	[wheezy] - virtualbox-guest-additions-iso <no-dsa> (Non-free not supported)
-	[squeeze] - virtualbox-guest-additions <no-dsa> (Non-free not supported)
 	NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
 CVE-2014-6539 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
 	NOT-FOR-US: Oracle E-Business Suite
@@ -301850,10 +301851,10 @@ CVE-2014-3874
 	RESERVED
 CVE-2014-3873 (The ktrace utility in the FreeBSD kernel 8.4 before p11, 9.1 before p1 ...)
 	- kfreebsd-8 <removed>
-	- kfreebsd-9 <removed> (bug #750493)
+	[wheezy] - kfreebsd-8 <no-dsa> (Non standard kernel, will be fixed in a point update)
 	[squeeze] - kfreebsd-8 <end-of-life> (Unsupported in squeeze-lts)
+	- kfreebsd-9 <removed> (bug #750493)
 	[wheezy] - kfreebsd-9 <not-affected> (introduced by the merge of r237663)
-	[wheezy] - kfreebsd-8 <no-dsa> (Non standard kernel, will be fixed in a point update)
 CVE-2014-3872 (Multiple SQL injection vulnerabilities in the administration login pag ...)
 	NOT-FOR-US: D-Link firmware
 CVE-2014-3871 (Multiple SQL injection vulnerabilities in register.php in Geodesic Sol ...)
@@ -302275,9 +302276,9 @@ CVE-2014-3690 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel befor
 CVE-2014-3689 (The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local g ...)
 	{DSA-3067-1 DSA-3066-1}
 	- qemu 2.1+dfsg-6 (bug #765496)
+	[squeeze] - qemu <end-of-life>
 	- qemu-kvm <removed>
 	[squeeze] - qemu-kvm <end-of-life>
-	[squeeze] - qemu <end-of-life>
 	NOTE: Upstream's quick and easy stopgap for this issue: compile out the hardware acceleration functions which lack sanity checks.
 	NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc
 CVE-2014-3688 (The SCTP implementation in the Linux kernel before 3.17.4 allows remot ...)
@@ -302442,9 +302443,9 @@ CVE-2014-3641 (The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder
 CVE-2014-3640 (The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local ...)
 	{DSA-3045-1 DSA-3044-1}
 	- qemu 2.1+dfsg-5 (bug #762532)
+	[squeeze] - qemu <end-of-life>
 	- qemu-kvm <removed>
 	[squeeze] - qemu-kvm <end-of-life>
-	[squeeze] - qemu <end-of-life>
 	NOTE: http://lists.nongnu.org/archive/html/qemu-devel/2014-09/msg03543.html
 CVE-2014-3639 (The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not ...)
 	{DSA-3026-1 DLA-87-1}


=====================================
lib/python/bugs.py
=====================================
@@ -557,20 +557,23 @@ class FileBase(debian_support.PackageFile):
                 if handle_xref(self.re_xref_required, self.re_xref,
                                self.re_xref_entry, xref):
                     continue
-                
+
+                def addPackageNote(note):
+                    self.checkPackageNote(pkg_notes, note, lineno)
+                    pkg_notes.append(note)
+
                 if self.re_package_required.match(r):
                     match = self.re_package_version.match(r)
                     if match:
                         (release, p, v, d) = match.groups()
-                        pkg_notes.append(
-                            PackageNoteParsed(p, v, d, release=release))
+                        addPackageNote(PackageNoteParsed(p, v, d, release=release))
                         continue
 
                     match = self.re_package_no_version.match(r)
                     if match:
                         (release, p, v, d) = match.groups()
                         if v == 'not-affected':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, '0', 'unimportant',
                                               release=release))
                             if d:
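Review bot: `def addPackageNote(note):` sits in the body of the per-line loop (directly after the `continue` of the xref branch), so the closure is rebuilt for every line parsed. Define it once before the loop, or make it a method that takes `pkg_notes` and `lineno`, so the cost is not paid per line and the captured `lineno` is explicit rather than implicit.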
@@ -581,7 +584,7 @@ class FileBase(debian_support.PackageFile):
                                     r = r[:-1]
                                 comments.append(('NOTE', r))
                         elif v == 'end-of-life':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, None, 'end-of-life',
                                               release=release))
                             if d:
@@ -604,7 +607,7 @@ class FileBase(debian_support.PackageFile):
                                 reason = v
                             else:
                                 reason = None
-                            pkg_notes.append(PackageNoteNoDSA(
+                            addPackageNote(PackageNoteNoDSA(
                                 release=release,
                                 package=p,
                                 comment=d,
@@ -623,16 +626,16 @@ class FileBase(debian_support.PackageFile):
                                 self.raiseSyntaxError(
                                     "ITP note needs Debian bug reference",
                                     lineno)
-                            pkg_notes.append(x)
+                            addPackageNote(x)
                         elif v == 'unfixed':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, None, d, release=release))
                         elif v == 'removed':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, None, d, release=release))
                             self.removed_packages[p] = True
                         elif v == 'undetermined':
-                            pkg_notes.append(PackageNoteParsed
+                            addPackageNote(PackageNoteParsed
                                              (p, 'undetermined', d, release=release))
                         else:
                             self.raiseSyntaxError(
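Review bot: the continuation lines after each `addPackageNote(PackageNoteParsed` were aligned to the opening parenthesis of `pkg_notes.append(` and are left unchanged, so they now sit two columns too far right. Re-indent them, or join call and arguments as was done for the `re_package_version` case (`addPackageNote(PackageNoteParsed(p, v, d, release=release))`).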
@@ -741,6 +744,22 @@ class FileBase(debian_support.PackageFile):
         parsed, or adds some additional checking."""
         return bug
 
+    def checkPackageNote(self, notes, note, lineno):
+        if not notes:
+            return
+
+        prev_note = notes[-1]
+        if prev_note.package != note.package:
+            if prev_note.release and prev_note.release == debian_support.internRelease('experimental'):
+                #self.raiseSyntaxError("experimental release note must come before the package note")
+                pass
+            elif note.release and note.release != debian_support.internRelease('experimental'):
+                self.raiseSyntaxError("release note must follow its package note", lineno)
+        else:
+            if prev_note.release and note.release and prev_note.release < note.release:
+                self.raiseSyntaxError("release notes not ordered properly", lineno)
+
+
 class CVEFile(FileBase):
     """A CVE file, as used by the Debian testing security team."""
     
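Review bot: the early `if not notes: return` in `checkPackageNote` means a release-tagged note that is the first note of an entry is never checked, so an entry that opens with `[release] - pkg ...` and has no package note at all passes. Handle the empty case by applying the same `note.release` test before returning. The method also needs a docstring stating the expected order (the `prev_note.release < note.release` test and the error text do not say which direction is correct), and the commented-out `raiseSyntaxError` with `pass` should either be enabled, with its `lineno` argument, or removed.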
@@ -777,6 +796,14 @@ class CVEFile(FileBase):
         bug.mergeNotes()
         return bug
 
+    def checkPackageNote(self, notes, note, lineno):
+        # dont check old entries for now
+        if self.lineno >= 100000:
+            return
+
+        super().checkPackageNote(notes, note, lineno)
+
+
 class CVEExtendFile(CVEFile):
     # This is an extend file. The main CVEFile can have a 'CVE-2018-XXXX' (sic)
     # identifier, which will get converted to TEMP-* automatically. However to
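Review bot: `CVEFile.checkPackageNote` tests `self.lineno >= 100000` but passes the `lineno` argument on to `super()`, so the skip decision and the reported line can come from different values; use the `lineno` parameter for both. The threshold is also a bare number tied to the current layout of the file; give it a named constant with a comment on how it was chosen, since the set of entries it exempts changes as the file grows.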
@@ -795,6 +822,10 @@ class CVEExtendFile(CVEFile):
 
         return CVEFile.isUniqueName(self, name)
 
+    def checkPackageNote(self, notes, note, lineno):
+        pass
+
+
 class DSAFile(FileBase):
     """A DSA file.
 
@@ -840,6 +871,9 @@ class DSAFile(FileBase):
         bug.mergeNotes()
         return bug
 
+    def checkPackageNote(self, notes, note, lineno):
+        pass
+
 
 class DTSAFile(FileBase):
     """A DTSA file.
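Review bot: `DSAFile.checkPackageNote` is an empty override with no docstring or comment, and the same `pass` body is added to `CVEExtendFile` and `DTSAFile`, so the ordering check is silently disabled for every file type except the first 100000 lines of the CVE list. Add a one-line comment to each override saying why the check does not apply, or invert the default so `FileBase` does nothing and only `CVEFile` opts in.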
@@ -884,6 +918,10 @@ class DTSAFile(FileBase):
                     lineno=bug.source_line)
         return bug
 
+    def checkPackageNote(self, notes, note, lineno):
+        pass
+
+
 def test():
     assert internUrgency("high") > internUrgency("medium")
 



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f2673f0f2b006103ed62fe7fdd668d6f8fb264fd...f354d19660ce40506eac504b91b153a631b505c2
