[Secure-testing-commits] r23910 - data/CVE
Author: jmm Date: 2013-10-08 06:34:57 + (Tue, 08 Oct 2013) New Revision: 23910 Modified: data/CVE/list Log: record some libav fixes (currently only uploaded to exp, but will trickle into sid after libav transition is finished) Modified: data/CVE/list === --- data/CVE/list 2013-10-08 04:30:55 UTC (rev 23909) +++ data/CVE/list 2013-10-08 06:34:57 UTC (rev 23910) @@ -13126,24 +13126,25 @@ CVE-2013-0858 [libavcodec/atrac3.c] RESERVED - ffmpeg removed - - libav unfixed (bug #717009) + - libav 6:9.9-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=13451f5520ce6b0afde861b2285dda659f8d4fb4 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=50cf5a7fb78846fc39b3ecdaa896a10bcd74da2a CVE-2013-0857 [libavcodec/iff.c] RESERVED - ffmpeg not-affected (IFF PBM/ILBM bitmap decoder not present in 0.5 ffmpeg) - - libav unfixed (bug #717009) + - libav 6:9.9-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2fbb37b51bbea891392ad357baf8f3dff00bac05 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=7d65e960c72f36b73ae7fe84f8e427d758e61da9 CVE-2013-0856 [libavcodec/alac.c] RESERVED - ffmpeg removed - libav unfixed (bug #717009) - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594 + NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594 + NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=78aa2ed620178044a227fbbe48f749c0dc86023f CVE-2013-0855 [libavcodec/alac.c out of array accesses] RESERVED - ffmpeg removed - - libav unfixed (bug #717009) + - libav 6:9.9-1 (bug #717009) NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3920d1387834e2bc334aff9f518f4beb24e470bd NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=f7c5883126f9440547933eefcf000aa78af4821c NOTE: Needed in ffmpeg 0.5 
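Review bot: CVE-2013-0856 is left at `- libav unfixed (bug #717009)` even though this hunk adds its libav fix commit (`NOTE: Fix in libav: ...78aa2ed620178044a227fbbe48f749c0dc86023f`) while the three neighbouring entries (CVE-2013-0858, CVE-2013-0857, CVE-2013-0855) are bumped to `- libav 6:9.9-1 (bug #717009)`; if that commit is in 6:9.9-1 as well the status should move with them, and if it is not, a NOTE saying so would stop the next editor from "correcting" it. Separately, the log says 6:9.9-1 is only in experimental for now; the status lines record it as the plain fixed version with nothing marking that, so a NOTE on the first of these entries ("fixed in experimental, reaches sid after the libav transition") would keep the unstable status honest until the upload lands.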
@@ -13176,8 +13177,8 @@ RESERVED - ffmpeg removed - libav 6:0.8.7-1 (bug #717009) - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6c184880ee2e09fd68c0ae217173832cee5afc1 - NOTE: This seems to be the corresponding libav commit: http://git.libav.org/?p=libav.git;a=commit;h=6e5cdf26281945ddea3aaf5eca4d127791f23ca8 + NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6c184880ee2e09fd68c0ae217173832cee5afc1 + NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=6e5cdf26281945ddea3aaf5eca4d127791f23ca8 CVE-2013-0849 [libavcodec/roqvideodec.c] RESERVED - ffmpeg removed ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
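Review bot: rewording `NOTE: This seems to be the corresponding libav commit:` to `NOTE: Fix in libav:` drops the hedge that the previous editor put there on purpose; that is only right if 6e5cdf26281945ddea3aaf5eca4d127791f23ca8 was actually compared against the ffmpeg change d6c184880ee2e09fd68c0ae217173832cee5afc1, and since the entry already carries `- libav 6:0.8.7-1 (bug #717009)` the commit named should be the one that shipped in that version.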
[Secure-testing-commits] r23911 - data/DSA
Author: aurel32 Date: 2013-10-08 06:45:39 + (Tue, 08 Oct 2013) New Revision: 23911 Modified: data/DSA/list Log: DSA-2769-1 kfreebsd-9 Modified: data/DSA/list === --- data/DSA/list 2013-10-08 06:34:57 UTC (rev 23910) +++ data/DSA/list 2013-10-08 06:45:39 UTC (rev 23911) @@ -1,3 +1,6 @@ +[08 Oct 2013] DSA-2769-1 kfreebsd-9 - several + {CVE-2013-5691 CVE-2013-5710} + [wheezy] - 9.0-10+deb70.4 [04 Oct 2013] DSA-2768-1 icedtea-web - heap-based buffer overflow {CVE-2013-4349} [wheezy] - icedtea-web 1.4-3~deb7u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
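Review bot: the new `[wheezy] - 9.0-10+deb70.4` line is missing the source package name in front of the version; the entry directly below it uses the form `[wheezy] - icedtea-web 1.4-3~deb7u2`, so this one should read `[wheezy] - kfreebsd-9 9.0-10+deb70.4` (the DSA header names the package, but the per-release line has to carry it too, which is what r23915 fixes later on this page).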
[Secure-testing-commits] r23912 - data/CVE
Author: joeyh Date: 2013-10-08 09:14:29 + (Tue, 08 Oct 2013) New Revision: 23912 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2013-10-08 06:45:39 UTC (rev 23911) +++ data/CVE/list 2013-10-08 09:14:29 UTC (rev 23912) @@ -587,6 +587,7 @@ [squeeze] - wireshark not-affected (Only affects 1.10.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2013-54.html CVE-2013-5710 (The nullfs implementation in sys/fs/nullfs/null_vnops.c in the kernel ...) + {DSA-2769-1} - kfreebsd-9 9.2~svn255465-1 (bug #722337) - kfreebsd-8 removed CVE-2013-5709 (The authentication implementation in the web server on Siemens ...) @@ -630,6 +631,7 @@ CVE-2013-5692 (Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows ...) NOT-FOR-US: X2CRM CVE-2013-5691 (The (1) IPv6 and (2) ATM ioctl request handlers in the kernel in ...) + {DSA-2769-1} - kfreebsd-9 9.2~svn255465-1 (bug #722338) - kfreebsd-8 removed CVE-2013-5690 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23913 - data/CVE
Author: atomo64-guest Date: 2013-10-08 10:02:22 + (Tue, 08 Oct 2013) New Revision: 23913 Modified: data/CVE/list Log: Http::Body issue CVEified Modified: data/CVE/list === --- data/CVE/list 2013-10-08 09:14:29 UTC (rev 23912) +++ data/CVE/list 2013-10-08 10:02:22 UTC (rev 23913) @@ -1,6 +1,3 @@ -CVE-2013- [remote command-injection] - - libhttp-body-perl unfixed (bug #721634) - [squeeze] - libhttp-body-perl not-affected (Vulnerable code introduced in 1.08) CVE-2013-5987 RESERVED CVE-2013-5986 @@ -3466,8 +3463,10 @@ RESERVED CVE-2013-4408 RESERVED -CVE-2013-4407 +CVE-2013-4407 [remote command-injection] RESERVED + - libhttp-body-perl unfixed (bug #721634) + [squeeze] - libhttp-body-perl not-affected (Vulnerable code introduced in 1.08) CVE-2013-4406 RESERVED NOT-FOR-US: Quick Tabs Drupal contributed module ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
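Review bot: moving the placeholder `CVE-2013-` block to CVE-2013-4407 keeps the bug reference and the squeeze not-affected reasoning intact, but the description `[remote command-injection]` still does not say which module is affected; the log names HTTP::Body, so `[HTTP::Body remote command-injection]` (or the affected method) would make the RESERVED entry findable before the official CVE text is published. Once an upstream fix exists, a `NOTE:` line pointing at it belongs here too, since the status is still `unfixed`.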
[Secure-testing-commits] r23914 - data/CVE
Author: fgeek-guest Date: 2013-10-08 14:12:39 + (Tue, 08 Oct 2013) New Revision: 23914 Modified: data/CVE/list Log: Removed libav BTS references, which were not fixed in that bug item. Modified: data/CVE/list === --- data/CVE/list 2013-10-08 10:02:22 UTC (rev 23913) +++ data/CVE/list 2013-10-08 14:12:39 UTC (rev 23914) @@ -5465,19 +5465,19 @@ - libav not-affected (Smush codec not present in libav) CVE-2013-3674 (The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg ...) - ffmpeg not-affected (CD Graphics Video Decoder not present in 0.5 ffmpeg) - - libav unfixed (bug #717009) + - libav unfixed CVE-2013-3673 (The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg ...) - ffmpeg not-affected (Doesn't affect libav, specific to current ffmpeg) - libav not-affected (Doesn't affect libav, specific to current ffmpeg) CVE-2013-3672 (The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg ...) - ffmpeg removed - - libav unfixed (bug #717009) + - libav unfixed CVE-2013-3671 (The format_line function in log.c in libavutil in FFmpeg before 1.2.1 ...) - ffmpeg not-affected (Doesn't affect libav, specific to current ffmpeg) - libav not-affected (Doesn't affect libav, specific to current ffmpeg) CVE-2013-3670 (The rle_unpack function in vmdav.c in libavcodec in FFmpeg git ...) - ffmpeg removed - - libav unfixed (bug #717009) + - libav unfixed CVE-2013-3669 RESERVED CVE-2013-3668 
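Review bot: dropping `(bug #717009)` from the three `libav unfixed` lines matches the log, but the unchanged context around them deserves a look while the region is being edited: CVE-2013-3673 and CVE-2013-3671 both carry `- ffmpeg not-affected (Doesn't affect libav, specific to current ffmpeg)`, which is the libav justification pasted onto the ffmpeg line and says nothing about why Debian's ffmpeg 0.5 package is not affected. It should give the real reason, in the style of the CVE-2013-3674 line ("not present in 0.5 ffmpeg") or the version that introduced the code.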
@@ -13078,13 +13078,13 @@ CVE-2013-0868 [libavcodec/huffyuvdec.c out of array writes] RESERVED - ffmpeg removed - - libav unfixed (bug #717009) + - libav unfixed NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f67a0d115254461649470452058fa3c28c0df294 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0dfc01c2bbf4b71bb56201bc4a393321e15d1b31 CVE-2013-0867 [libavcodec/h264.c out of array accesses] RESERVED - ffmpeg removed - - libav unfixed (bug #717009) + - libav unfixed NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=11c99c78bafa77f679a1a3ba06ad00984b9a4cae CVE-2013-0866 [libavcodec/aacdec.c out of array accesses] RESERVED @@ -13118,7 +13118,7 @@ CVE-2013-0860 [libavcodec/error_resilience.c state inconsistency and null pointer deref] RESERVED - ffmpeg removed - - libav unfixed (bug #717009) + - libav unfixed NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=23318a57358358e7a4dc551e830e4503f0638cfe CVE-2013-0859 [libavcodec/tiff.c out of array access: 6d1c5ea04af3e345232aa70c944de961061dab2d] RESERVED @@ -13139,7 +13139,7 @@ CVE-2013-0856 [libavcodec/alac.c] RESERVED - ffmpeg removed - - libav unfixed (bug #717009) + - libav unfixed NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=78aa2ed620178044a227fbbe48f749c0dc86023f CVE-2013-0855 [libavcodec/alac.c out of array accesses] 
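Review bot: after this change CVE-2013-0868, CVE-2013-0867 and CVE-2013-0860 are `- libav unfixed` with nothing but ffmpeg commit URLs under them, so there is no longer any pointer to where the libav side is being tracked; a `NOTE: No related change in libav git` (as the CVE-2013-0848 entry does) or a fresh bug number would record that it was checked. CVE-2013-0856 is the odd one out: the hunk removes the bug reference but keeps `unfixed`, while the entry already has `NOTE: Fix in libav: ...78aa2ed620178044a227fbbe48f749c0dc86023f` from r23910 earlier today and its siblings were bumped to `libav 6:9.9-1` there; either the version or a note explaining why 6:9.9-1 does not include that commit belongs on this line.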
@@ -13165,13 +13165,13 @@ CVE-2013-0852 [libavcodec/pgssubdec.c out of array accesses] RESERVED - ffmpeg not-affected (PGS subtitle decoder not present) - - libav unfixed (bug #717009) + - libav unfixed NOTE: That change seems needed in libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c0d68be555f5858703383040e04fcd6529777061 CVE-2013-0851 [libavcodec/eamad.c out of array accesses] RESERVED - ffmpeg not-affected (Electronic Arts Madcow Video decoder not present in ffmpeg 0.5) - - libav unfixed (bug #717009) + - libav unfixed NOTE: looks valid as if (buf_size 17) { ... error... } but at least buf[21] is used. NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=63ac64864c6e0e84355aa3caa5b92208997a9a8d CVE-2013-0850 [libavcodec/h264.c out of array accesses] @@ -13190,7 +13190,7 @@ CVE-2013-0848 [libavcodec/huffyuv.c out of array accesses] RESERVED - ffmpeg removed - - libav unfixed (bug #717009) + - libav unfixed NOTE: No related changes in libav git so far NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6abb9a901fca27da14d4fffbb01948288b5da3ba NOTE: Needed in ffmpeg 0.5 @@ -13209,7 +13209,7 @@ CVE-2013-0845 [libavcodec/alsdec.c] RESERVED - ffmpeg not-affected (MPEG-4 ALS decoder not present in ffmpeg/0.5) - - libav unfixed (bug #717009) + - libav unfixed NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0ceca269b66ec12a23bf0907bd2c220513cdbf16 NOTE: No change in libav git CVE-2013-0844 [libavcodec/adpcm.c out of array access]
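Review bot: in the CVE-2013-0851 context line `NOTE: looks valid as if (buf_size 17) { ... error... } but at least buf[21] is used.` the comparison has lost its operator (most likely a `<` swallowed as markup somewhere between the tracker and this archive); the hunk does not touch that line, but a follow-up edit restoring the operator would keep the reasoning readable for whoever picks up the libav fix. The other three entries in these hunks say the libav fix is unknown (`NOTE: No related changes in libav git so far`, `NOTE: No change in libav git`), so removing `(bug #717009)` leaves them with no tracking reference at all; if those issues are not covered by that bug, they need their own, and the status line should point at it.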
[Secure-testing-commits] r23915 - data/DSA
Author: carnil Date: 2013-10-08 14:35:12 + (Tue, 08 Oct 2013) New Revision: 23915 Modified: data/DSA/list Log: Add source package name for DSA-2769-1 Modified: data/DSA/list === --- data/DSA/list 2013-10-08 14:12:39 UTC (rev 23914) +++ data/DSA/list 2013-10-08 14:35:12 UTC (rev 23915) @@ -1,6 +1,6 @@ [08 Oct 2013] DSA-2769-1 kfreebsd-9 - several {CVE-2013-5691 CVE-2013-5710} - [wheezy] - 9.0-10+deb70.4 + [wheezy] - kfreebsd-9 9.0-10+deb70.4 [04 Oct 2013] DSA-2768-1 icedtea-web - heap-based buffer overflow {CVE-2013-4349} [wheezy] - icedtea-web 1.4-3~deb7u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23916 - data
Author: carnil Date: 2013-10-08 17:29:25 + (Tue, 08 Oct 2013) New Revision: 23916 Modified: data/dsa-needed.txt Log: Add note about torque Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-08 14:35:12 UTC (rev 23915) +++ data/dsa-needed.txt 2013-10-08 17:29:25 UTC (rev 23916) @@ -96,6 +96,7 @@ tomcat7/stable (jmm) -- torque + testing packages for unstable and wheezy (not yet squeeze) -- vlc it probably makes sense to update to the 2.0.x point releases ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23917 - data/CVE
Author: carnil Date: 2013-10-08 20:34:50 + (Tue, 08 Oct 2013) New Revision: 23917 Modified: data/CVE/list Log: Add CVE-2013-4396/xorg Modified: data/CVE/list === --- data/CVE/list 2013-10-08 17:29:25 UTC (rev 23916) +++ data/CVE/list 2013-10-08 20:34:50 UTC (rev 23917) @@ -3494,8 +3494,9 @@ RESERVED CVE-2013-4397 RESERVED -CVE-2013-4396 +CVE-2013-4396 [Use after free in Xserver handling of ImageText requests] RESERVED + - xorg unfixed CVE-2013-4395 RESERVED NOT-FOR-US: Simple Machines Forum ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
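Review bot: `- xorg unfixed` names the wrong source package; xorg is the metapackage source, and the X server that handles ImageText requests is built from xorg-server, so the status line should say `- xorg-server unfixed` (r23918 below corrects exactly this). The entry also has no `NOTE:` with the upstream reference for the use-after-free, which is the first thing anyone triaging stable will want.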
[Secure-testing-commits] r23918 - data/CVE
Author: carnil Date: 2013-10-08 20:38:38 + (Tue, 08 Oct 2013) New Revision: 23918 Modified: data/CVE/list Log: Correct source package name and add fixed version Modified: data/CVE/list === --- data/CVE/list 2013-10-08 20:34:50 UTC (rev 23917) +++ data/CVE/list 2013-10-08 20:38:38 UTC (rev 23918) @@ -3496,7 +3496,7 @@ RESERVED CVE-2013-4396 [Use after free in Xserver handling of ImageText requests] RESERVED - - xorg unfixed + - xorg-server 2:1.14.3-4 CVE-2013-4395 RESERVED NOT-FOR-US: Simple Machines Forum ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
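Review bot: `- xorg-server 2:1.14.3-4` records the unstable fix, but the entry still has no `[wheezy]` or `[squeeze]` line, so the status of the X server in stable and oldstable is unrecorded for a use-after-free in request handling; either a per-release status (`<no-dsa>`, `<unfixed>` or `not-affected` with the reason) or a `NOTE:` naming the upstream commit so that can be determined should go in with the version bump rather than waiting for a DSA entry.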
[Secure-testing-commits] r23919 - data
Author: carnil Date: 2013-10-08 21:42:35 + (Tue, 08 Oct 2013) New Revision: 23919 Modified: data/dsa-needed.txt Log: Take DSA for torque Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-08 20:38:38 UTC (rev 23918) +++ data/dsa-needed.txt 2013-10-08 21:42:35 UTC (rev 23919) @@ -95,8 +95,7 @@ -- tomcat7/stable (jmm) -- -torque - testing packages for unstable and wheezy (not yet squeeze) +torque (carnil) -- vlc it probably makes sense to update to the 2.0.x point releases ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
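Review bot: claiming the item as `torque (carnil)` also deletes the status line `testing packages for unstable and wheezy (not yet squeeze)` that r23916 added a few hours earlier; the file's layout keeps notes underneath the package name (the `vlc` entry does this), so the squeeze caveat can stay below `torque (carnil)` instead of being lost with the claim.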