[Secure-testing-commits] r23910 - data/CVE

2013-10-08 Thread Moritz Muehlenhoff
Author: jmm
Date: 2013-10-08 06:34:57 + (Tue, 08 Oct 2013)
New Revision: 23910

Modified:
   data/CVE/list
Log:
record some libav fixes (currently only uploaded to exp, but will trickle into 
sid after libav transition is finished)


Modified: data/CVE/list
===
--- data/CVE/list   2013-10-08 04:30:55 UTC (rev 23909)
+++ data/CVE/list   2013-10-08 06:34:57 UTC (rev 23910)
@@ -13126,24 +13126,25 @@
 CVE-2013-0858 [libavcodec/atrac3.c]
RESERVED
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav 6:9.9-1 (bug #717009)
NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=13451f5520ce6b0afde861b2285dda659f8d4fb4
NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=50cf5a7fb78846fc39b3ecdaa896a10bcd74da2a
 CVE-2013-0857 [libavcodec/iff.c]
RESERVED
- ffmpeg not-affected (IFF PBM/ILBM bitmap decoder not present in 0.5 
ffmpeg)
-   - libav unfixed (bug #717009)
+   - libav 6:9.9-1 (bug #717009)
NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2fbb37b51bbea891392ad357baf8f3dff00bac05
NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=7d65e960c72f36b73ae7fe84f8e427d758e61da9
 CVE-2013-0856 [libavcodec/alac.c]
RESERVED
- ffmpeg removed
- libav unfixed (bug #717009)
-   NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594
+   NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594
+   NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=78aa2ed620178044a227fbbe48f749c0dc86023f
 CVE-2013-0855 [libavcodec/alac.c out of array accesses]
RESERVED
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav 6:9.9-1 (bug #717009)
NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3920d1387834e2bc334aff9f518f4beb24e470bd
NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=f7c5883126f9440547933eefcf000aa78af4821c
NOTE: Needed in ffmpeg 0.5
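Review bot: CVE-2013-0856 gains a "Fix in libav" NOTE but its status line stays `- libav unfixed (bug #717009)`, while CVE-2013-0858, CVE-2013-0857 and CVE-2013-0855 in the same hunk move to `6:9.9-1`. If the linked libav commit is not part of 9.9, a short NOTE saying so would stop this from reading as an oversight; if it is, the entry should get the same fixed version. The log message also says 6:9.9-1 is only in exp for now, which the entries themselves do not record.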
@@ -13176,8 +13177,8 @@
RESERVED
- ffmpeg removed
- libav 6:0.8.7-1 (bug #717009)
-   NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6c184880ee2e09fd68c0ae217173832cee5afc1
-   NOTE: This seems to be the corresponding libav commit: 
http://git.libav.org/?p=libav.git;a=commit;h=6e5cdf26281945ddea3aaf5eca4d127791f23ca8
+   NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6c184880ee2e09fd68c0ae217173832cee5afc1
+   NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=6e5cdf26281945ddea3aaf5eca4d127791f23ca8
 CVE-2013-0849 [libavcodec/roqvideodec.c]
RESERVED
- ffmpeg removed
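Review bot: the rewritten NOTE drops the hedge from "This seems to be the corresponding libav commit" and now states "Fix in libav" outright. The libav commit should be confirmed as the port of the ffmpeg change before the uncertainty disappears from the record. If that check was done, the log message should mention it.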


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r23911 - data/DSA

2013-10-08 Thread Aurelien Jarno
Author: aurel32
Date: 2013-10-08 06:45:39 + (Tue, 08 Oct 2013)
New Revision: 23911

Modified:
   data/DSA/list
Log:
DSA-2769-1 kfreebsd-9


Modified: data/DSA/list
===
--- data/DSA/list   2013-10-08 06:34:57 UTC (rev 23910)
+++ data/DSA/list   2013-10-08 06:45:39 UTC (rev 23911)
@@ -1,3 +1,6 @@
+[08 Oct 2013] DSA-2769-1 kfreebsd-9 - several
+   {CVE-2013-5691 CVE-2013-5710}
+   [wheezy] - 9.0-10+deb70.4
 [04 Oct 2013] DSA-2768-1 icedtea-web - heap-based buffer overflow
{CVE-2013-4349}
[wheezy] - icedtea-web 1.4-3~deb7u2
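Review bot: the added `[wheezy] - 9.0-10+deb70.4` line has no source package name between the dash and the version, unlike `[wheezy] - icedtea-web 1.4-3~deb7u2` in the entry below it. It should read `[wheezy] - kfreebsd-9 9.0-10+deb70.4`.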




[Secure-testing-commits] r23912 - data/CVE

2013-10-08 Thread Joey Hess
Author: joeyh
Date: 2013-10-08 09:14:29 + (Tue, 08 Oct 2013)
New Revision: 23912

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-08 06:45:39 UTC (rev 23911)
+++ data/CVE/list   2013-10-08 09:14:29 UTC (rev 23912)
@@ -587,6 +587,7 @@
[squeeze] - wireshark not-affected (Only affects 1.10.x)
NOTE: https://www.wireshark.org/security/wnpa-sec-2013-54.html
 CVE-2013-5710 (The nullfs implementation in sys/fs/nullfs/null_vnops.c in the 
kernel ...)
+   {DSA-2769-1}
- kfreebsd-9 9.2~svn255465-1 (bug #722337)
- kfreebsd-8 removed
 CVE-2013-5709 (The authentication implementation in the web server on Siemens 
...)
@@ -630,6 +631,7 @@
 CVE-2013-5692 (Directory traversal vulnerability in X2Engine X2CRM before 3.5 
allows ...)
NOT-FOR-US: X2CRM
 CVE-2013-5691 (The (1) IPv6 and (2) ATM ioctl request handlers in the kernel 
in ...)
+   {DSA-2769-1}
- kfreebsd-9 9.2~svn255465-1 (bug #722338)
- kfreebsd-8 removed
 CVE-2013-5690




[Secure-testing-commits] r23913 - data/CVE

2013-10-08 Thread Raphael Geissert
Author: atomo64-guest
Date: 2013-10-08 10:02:22 + (Tue, 08 Oct 2013)
New Revision: 23913

Modified:
   data/CVE/list
Log:
Http::Body issue CVEified


Modified: data/CVE/list
===
--- data/CVE/list   2013-10-08 09:14:29 UTC (rev 23912)
+++ data/CVE/list   2013-10-08 10:02:22 UTC (rev 23913)
@@ -1,6 +1,3 @@
-CVE-2013- [remote command-injection]
-   - libhttp-body-perl unfixed (bug #721634)
-   [squeeze] - libhttp-body-perl not-affected (Vulnerable code 
introduced in 1.08)
 CVE-2013-5987
RESERVED
 CVE-2013-5986
@@ -3466,8 +3463,10 @@
RESERVED
 CVE-2013-4408
RESERVED
-CVE-2013-4407
+CVE-2013-4407 [remote command-injection]
RESERVED
+   - libhttp-body-perl unfixed (bug #721634)
+   [squeeze] - libhttp-body-perl not-affected (Vulnerable code 
introduced in 1.08)
 CVE-2013-4406
RESERVED
NOT-FOR-US: Quick Tabs Drupal contributed module
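Review bot: the lines moved under CVE-2013-4407 still carry bug #721634 as their only pointer. A NOTE linking the upstream report or fix would help here, particularly because the squeeze `not-affected` line rests on the claim that the vulnerable code was introduced in 1.08.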




[Secure-testing-commits] r23914 - data/CVE

2013-10-08 Thread Henri Salo
Author: fgeek-guest
Date: 2013-10-08 14:12:39 + (Tue, 08 Oct 2013)
New Revision: 23914

Modified:
   data/CVE/list
Log:
Removed libav BTS references, which was not fixed in that bug item.

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-08 10:02:22 UTC (rev 23913)
+++ data/CVE/list   2013-10-08 14:12:39 UTC (rev 23914)
@@ -5465,19 +5465,19 @@
- libav not-affected (Smush codec not present in libav)
 CVE-2013-3674 (The cdg_decode_frame function in cdgraphics.c in libavcodec in 
FFmpeg ...)
- ffmpeg not-affected (CD Graphics Video Decoder not present in 0.5 
ffmpeg)
-   - libav unfixed (bug #717009)
+   - libav unfixed
 CVE-2013-3673 (The gif_decode_frame function in gifdec.c in libavcodec in 
FFmpeg ...)
- ffmpeg not-affected (Doesn't affect libav, specific to current 
ffmpeg)
- libav not-affected (Doesn't affect libav, specific to current 
ffmpeg)
 CVE-2013-3672 (The mm_decode_inter function in mmvideo.c in libavcodec in 
FFmpeg ...)
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav unfixed
 CVE-2013-3671 (The format_line function in log.c in libavutil in FFmpeg before 
1.2.1 ...)
- ffmpeg not-affected (Doesn't affect libav, specific to current 
ffmpeg)
- libav not-affected (Doesn't affect libav, specific to current 
ffmpeg)
 CVE-2013-3670 (The rle_unpack function in vmdav.c in libavcodec in FFmpeg git 
...)
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav unfixed
 CVE-2013-3669
RESERVED
 CVE-2013-3668
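Review bot: dropping `(bug #717009)` from CVE-2013-3674, CVE-2013-3672 and CVE-2013-3670 leaves each `- libav unfixed` line with no BTS reference at all. If #717009 does not cover these issues, a new bug should be filed and referenced so the open items stay visible to the libav maintainers. The same applies to the remaining hunks of this revision.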
@@ -13078,13 +13078,13 @@
 CVE-2013-0868 [libavcodec/huffyuvdec.c out of array writes]
RESERVED
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav unfixed
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f67a0d115254461649470452058fa3c28c0df294
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0dfc01c2bbf4b71bb56201bc4a393321e15d1b31
 CVE-2013-0867 [libavcodec/h264.c out of array accesses]
RESERVED
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav unfixed
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=11c99c78bafa77f679a1a3ba06ad00984b9a4cae
 CVE-2013-0866 [libavcodec/aacdec.c out of array accesses]
RESERVED
@@ -13118,7 +13118,7 @@
 CVE-2013-0860 [libavcodec/error_resilience.c state inconsistency and null 
pointer deref]
RESERVED
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav unfixed
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=23318a57358358e7a4dc551e830e4503f0638cfe
 CVE-2013-0859 [libavcodec/tiff.c out of array access: 
6d1c5ea04af3e345232aa70c944de961061dab2d]
RESERVED
@@ -13139,7 +13139,7 @@
 CVE-2013-0856 [libavcodec/alac.c]
RESERVED
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav unfixed
NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594
NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=78aa2ed620178044a227fbbe48f749c0dc86023f
 CVE-2013-0855 [libavcodec/alac.c out of array accesses]
@@ -13165,13 +13165,13 @@
 CVE-2013-0852 [libavcodec/pgssubdec.c out of array accesses]
RESERVED
- ffmpeg not-affected (PGS subtitle decoder not present)
-   - libav unfixed (bug #717009)
+   - libav unfixed
NOTE: That change seems needed in libav
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c0d68be555f5858703383040e04fcd6529777061
 CVE-2013-0851 [libavcodec/eamad.c out of array accesses]
RESERVED
- ffmpeg not-affected (Electronic Arts Madcow Video decoder not 
present in ffmpeg 0.5)
-   - libav unfixed (bug #717009)
+   - libav unfixed
NOTE: looks valid as if (buf_size  17) { ... error... } but at least 
buf[21] is used.
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=63ac64864c6e0e84355aa3caa5b92208997a9a8d
 CVE-2013-0850 [libavcodec/h264.c out of array accesses]
@@ -13190,7 +13190,7 @@
 CVE-2013-0848 [libavcodec/huffyuv.c out of array accesses]
RESERVED
- ffmpeg removed
-   - libav unfixed (bug #717009)
+   - libav unfixed
NOTE: No related changes in libav git so far
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6abb9a901fca27da14d4fffbb01948288b5da3ba
NOTE: Needed in ffmpeg 0.5
@@ -13209,7 +13209,7 @@
 CVE-2013-0845 [libavcodec/alsdec.c]
RESERVED
- ffmpeg not-affected (MPEG-4 ALS decoder not present in ffmpeg/0.5)
-   - libav unfixed (bug #717009)
+   - libav unfixed
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0ceca269b66ec12a23bf0907bd2c220513cdbf16
NOTE: No change in libav git
 CVE-2013-0844 [libavcodec/adpcm.c out of array access]



[Secure-testing-commits] r23915 - data/DSA

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 14:35:12 + (Tue, 08 Oct 2013)
New Revision: 23915

Modified:
   data/DSA/list
Log:
Add source package name for DSA-2769-1

Modified: data/DSA/list
===
--- data/DSA/list   2013-10-08 14:12:39 UTC (rev 23914)
+++ data/DSA/list   2013-10-08 14:35:12 UTC (rev 23915)
@@ -1,6 +1,6 @@
 [08 Oct 2013] DSA-2769-1 kfreebsd-9 - several
{CVE-2013-5691 CVE-2013-5710}
-   [wheezy] - 9.0-10+deb70.4
+   [wheezy] - kfreebsd-9 9.0-10+deb70.4
 [04 Oct 2013] DSA-2768-1 icedtea-web - heap-based buffer overflow
{CVE-2013-4349}
[wheezy] - icedtea-web 1.4-3~deb7u2




[Secure-testing-commits] r23916 - data

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 17:29:25 + (Tue, 08 Oct 2013)
New Revision: 23916

Modified:
   data/dsa-needed.txt
Log:
Add note about torque

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-08 14:35:12 UTC (rev 23915)
+++ data/dsa-needed.txt 2013-10-08 17:29:25 UTC (rev 23916)
@@ -96,6 +96,7 @@
 tomcat7/stable (jmm)
 --
 torque
+  testing packages for unstable and wheezy (not yet squeeze)
 --
 vlc
   it probably makes sense to update to the 2.0.x point releases




[Secure-testing-commits] r23917 - data/CVE

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 20:34:50 + (Tue, 08 Oct 2013)
New Revision: 23917

Modified:
   data/CVE/list
Log:
Add CVE-2013-4396/xorg

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-08 17:29:25 UTC (rev 23916)
+++ data/CVE/list   2013-10-08 20:34:50 UTC (rev 23917)
@@ -3494,8 +3494,9 @@
RESERVED
 CVE-2013-4397
RESERVED
-CVE-2013-4396
+CVE-2013-4396 [Use after free in Xserver handling of ImageText requests]
RESERVED
+   - xorg unfixed
 CVE-2013-4395
RESERVED
NOT-FOR-US: Simple Machines Forum
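Review bot: `- xorg unfixed` names the wrong source package for a bug the description places in the Xserver; the server code is shipped by xorg-server. The new entry also has no bug number and no NOTE pointing at the upstream advisory or fix.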




[Secure-testing-commits] r23918 - data/CVE

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 20:38:38 + (Tue, 08 Oct 2013)
New Revision: 23918

Modified:
   data/CVE/list
Log:
Correct source package name and add fixed version

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-08 20:34:50 UTC (rev 23917)
+++ data/CVE/list   2013-10-08 20:38:38 UTC (rev 23918)
@@ -3496,7 +3496,7 @@
RESERVED
 CVE-2013-4396 [Use after free in Xserver handling of ImageText requests]
RESERVED
-   - xorg unfixed
+   - xorg-server 2:1.14.3-4
 CVE-2013-4395
RESERVED
NOT-FOR-US: Simple Machines Forum




[Secure-testing-commits] r23919 - data

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 21:42:35 + (Tue, 08 Oct 2013)
New Revision: 23919

Modified:
   data/dsa-needed.txt
Log:
Take DSA for torque

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-08 20:38:38 UTC (rev 23918)
+++ data/dsa-needed.txt 2013-10-08 21:42:35 UTC (rev 23919)
@@ -95,8 +95,7 @@
 --
 tomcat7/stable (jmm)
 --
-torque
-  testing packages for unstable and wheezy (not yet squeeze)
+torque (carnil)
 --
 vlc
   it probably makes sense to update to the 2.0.x point releases
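Review bot: replacing the torque entry with `torque (carnil)` also deletes the status line `testing packages for unstable and wheezy (not yet squeeze)`. Keeping that line under the claimed entry would preserve the information that squeeze is still outstanding.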

