SVN is up again, but the commit bot fails with Warning: post-commit hook failed (exit code 1) with output: /usr/share/subversion/hook-scripts/commit-email.pl: error in closing `/usr/sbin/sendmail -f'jmm' secure-testing-comm...@lists.alioth.debian.org' for writing: svn: No repository found in 'svn://anonscm.debian.org/secure-testing'
To keep people in the loop here's my fake commit mail until this is fixed in Alioth. Cheers, Moritz

mark three java issues as oracle-specific
new issues in staden-io-lib and binutils-h8300-hms (no-dsa)
new samba issue (fixed)
dnsmasq fixed
icu no-dsa
one older mysql issue unimportant
openoffice unimportant, remove from dsa-needed
bug filed for openldap
add note on kdeplasma-addons
new xen issue (not in stable/oldstable)
new chromium (fixed), jpeg, jpeg-turbo issues
libxslt regression N/A
xen N/A, ocaml version not used
new mediawiki issues
new kernel issues
new nss issues
condor n/a
new perdition issue

Index: dsa-needed.txt =================================================================== --- dsa-needed.txt (Revision 24348) +++ dsa-needed.txt (Arbeitskopie) @@ -57,8 +57,6 @@ -- openjdk7/stable -- -openoffice.org/oldstable --- openswan -- phpmyadmin (thijs) Index: CVE/list =================================================================== --- CVE/list (Revision 24348) +++ CVE/list (Arbeitskopie) 
@@ -1,7 +1,67 @@ CVE-2013-6766 - NOT-FOR-US: OpenVAS Administrator + NOT-FOR-US: OpenVAS Administrator (only uploaded to experimental 2.5 years ago) CVE-2013-6765 - NOT-FOR-US: OpenVAS Manager + NOT-FOR-US: OpenVAS Manager (only uploaded to experimental 2.5 years ago) +CVE-2013-XXXX [binutils-h8300-hms buffer overflow] + - binutils-h8300-hms <unfixed> (low; bug #729274) + [squeeze] - binutils-h8300-hms <no-dsa> (Minor issue) + [wheezy] - binutils-h8300-hms <no-dsa> (Minor issue) +CVE-2013-XXXX [staden-io-lib buffer overflow] + - staden-io-lib <unfixed> (low; bug #729276) + [squeeze] - staden-io-lib <no-dsa> (Minor issue) + [wheezy] - staden-io-lib <no-dsa> (Minor issue) +CVE-2013-6632 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> +CVE-2013-6631 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> +CVE-2013-6630 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> + - libjpeg-turbo <unfixed> (low; bug #729873) + - libjpeg6b <unfixed> (low; bug #729867) + [squeeze] - libjpeg6b <no-dsa> (Minor issue) + [wheezy] - libjpeg6b <no-dsa> (Minor issue) + - libjpeg8 <unfixed> (low; bug #729867) + [squeeze] - libjpeg8 <no-dsa> (Minor issue) + [wheezy] - libjpeg8 <no-dsa> (Minor issue) + NOTE: http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html +CVE-2013-6629 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> + - libjpeg-turbo <unfixed> (low; bug #729873) + - libjpeg6b <unfixed> (low; bug #729867) + [squeeze] - libjpeg6b <no-dsa> (Minor issue) + [wheezy] - libjpeg6b <no-dsa> (Minor issue) + - libjpeg8 <unfixed> (low; bug #729867) + [squeeze] - libjpeg8 <no-dsa> (Minor issue) + [wheezy] - libjpeg8 <no-dsa> (Minor issue) + NOTE: http://packetstormsecurity.com/files/123989/IJG-jpeg6b-libjpeg-turbo-Uninitialized-Memory.html +CVE-2013-6628 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> 
+CVE-2013-6627 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> +CVE-2013-6626 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> +CVE-2013-6625 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> +CVE-2013-6624 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> +CVE-2013-6623 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> +CVE-2013-6622 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> +CVE-2013-6621 + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> CVE-2013-6616 RESERVED CVE-2013-6615 @@ -689,6 +749,8 @@ TODO: check, seems not to affect 2.1.0-2 CVE-2013-6282 RESERVED + - linux <unfixed> + - linux-2.6 <unfixed> CVE-2013-6281 (Cross-site scripting (XSS) vulnerability in codebase/spreadsheet.php ...) TODO: check CVE-2013-6280 (Cross-site scripting (XSS) vulnerability in Social Sharing Toolkit ...) @@ -1144,7 +1206,7 @@ CVE-2013-6064 RESERVED CVE-2009-5136 (The policy definition evaluator in Condor before 7.4.2 does not ...) - TODO: check + - condor <not-affected> (Fixed before initial upload) CVE-2007-6755 (The NIST SP 800-90A default statement of the Dual Elliptic Curve ...) TODO: check CVE-2013-6243 (SQL injection vulnerability in the Landing Pages plugin 1.2.3, before ...) 
@@ -1623,9 +1685,9 @@ - openjdk-6 <not-affected> (JavaFX not part of OpenJDK) - openjdk-7 <not-affected> (JavaFX not part of OpenJDK) CVE-2013-5843 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - - openjdk-6 <undetermined> - - openjdk-7 <undetermined> - NOTE: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check + - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea) + - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea) + NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-5842 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 <unfixed> - openjdk-7 <unfixed> @@ -1650,9 +1712,9 @@ CVE-2013-5833 RESERVED CVE-2013-5832 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - - openjdk-6 <undetermined> - - openjdk-7 <undetermined> - NOTE: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check + - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea) + - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea) + NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-5831 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) 
@@ -1740,9 +1802,9 @@ - openjdk-6 <unfixed> - openjdk-7 <unfixed> CVE-2013-5801 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE ...) - - openjdk-6 <undetermined> - - openjdk-7 <undetermined> - NOTE: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check + - openjdk-6 <not-affected> (Specific to Oracle Java, not present in IcedTea) + - openjdk-7 <not-affected> (Specific to Oracle Java, not present in IcedTea) + NOTE: Due to the vague disclosure policy by Oracle the exact nature is unknown but since no patch landed in icedtea, we consider it not-affected CVE-2013-5800 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and Java ...) - openjdk-6 <not-affected> (Only affects Java 7) - openjdk-7 <unfixed> @@ -2256,8 +2318,10 @@ RESERVED CVE-2013-5606 RESERVED + - nss 2:3.15.3-1 CVE-2013-5605 RESERVED + - nss 2:3.15.3-1 CVE-2013-5604 (The txXPathNodeUtils::getBaseURI function in the XSLT processor in ...) {DSA-2788-1} - iceweasel 24.1.0esr-1 @@ -2918,8 +2982,10 @@ RESERVED CVE-2013-5330 RESERVED + NOT-FOR-US: Adobe Flash CVE-2013-5329 RESERVED + NOT-FOR-US: Adobe Flash CVE-2013-5328 RESERVED CVE-2013-5327 (MDBMS.dll in Adobe RoboHelp 10 allows attackers to execute arbitrary ...) @@ -4559,14 +4625,21 @@ RESERVED CVE-2013-4592 RESERVED + - linux 3.8-1 + - linux-2.6 <removed> CVE-2013-4591 RESERVED + - linux 3.8-1 + [wheezy] - linux <not-affected> (Introduced in 3.6) + - linux-2.6 <not-affected> (Introduced in 3.6) CVE-2013-4590 RESERVED CVE-2013-4589 RESERVED CVE-2013-4588 RESERVED + - linux 2.6.33-1 + - linux-2.6 <removed> CVE-2013-4587 RESERVED CVE-2013-4586 @@ -4575,6 +4648,9 @@ RESERVED CVE-2013-4584 RESERVED + - perdition <unfixed> (low; bug #729028) + [wheezy] - perdition <no-dsa> (Minor issue) + [squeeze] - perdition <no-dsa> (Minor issue) CVE-2013-4583 RESERVED CVE-2013-4582 
@@ -4585,6 +4661,8 @@ RESERVED CVE-2013-4579 RESERVED + - linux <unfixed> + - linux-2.6 <removed> CVE-2013-4578 RESERVED CVE-2013-4577 @@ -4597,18 +4675,23 @@ RESERVED CVE-2013-4573 RESERVED + NOT-FOR-US: mediawiki extension ZeroRatedMobileAccess CVE-2013-4572 RESERVED + - mediawiki <unfixed> CVE-2013-4571 RESERVED CVE-2013-4570 RESERVED CVE-2013-4569 RESERVED + NOT-FOR-US: mediawiki extension CleanChanges CVE-2013-4568 RESERVED + - mediawiki <unfixed> CVE-2013-4567 RESERVED + - mediawiki <unfixed> CVE-2013-4566 RESERVED CVE-2013-4565 @@ -4643,9 +4726,12 @@ CVE-2013-4551 [Host crash due to guest VMX instruction execution] RESERVED - xen <unfixed> + [wheezy] - xen <not-affected> (Only affects 4.2.x and later) + [squeeze] - xen <not-affected> (Only affects 4.2.x and later) +CVE-2013-4550 [denial of service via resource leak] + - xen <unfixed> [wheezy] - xen <not-affected> (affects only Xen 4.2.x and later) [squeeze] - xen <not-affected> (affects only Xen 4.2.x and later) -CVE-2013-4550 [denial of service via resource leak] RESERVED - bip 0.8.9-1 NOTE: Upstream commit: https://projects.duckcorp.org/projects/bip/repository/revisions/df45c4c2d6f892e3e1dec23ce0ed2575b53a7d8c @@ -4713,9 +4799,7 @@ RESERVED CVE-2013-4520 RESERVED - - libxslt <undetermined> - NOTE: additional fix for CVE-2012-2825 libxslt crash - TODO: check if additional commit was also applied + - libxslt <not-affected> (The versions in wheezy and squeeze contain the full patch) CVE-2013-4519 [XSS vulnerabilities] RESERVED - reviewboard <itp> (bug #653113) @@ -4815,6 +4899,7 @@ RESERVED CVE-2013-4495 RESERVED + - torque 2.4.16+dfsg-1.3 CVE-2013-4494 (Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock ...) - xen <unfixed> CVE-2013-4493 
@@ -4836,6 +4921,7 @@ CVE-2013-4487 RESERVED - gnutls28 <not-affected> (libdane is not built; original patch for CVE-2013-4466 not applied) + - gnutls26 <not-affected> (only 3.1.x and 3.2.x) NOTE: off-by one issue in original fix for CVE-2013-4466 CVE-2013-4486 RESERVED @@ -4868,24 +4954,27 @@ NOTE: https://bugs.launchpad.net/keystone/+bug/1242855 CVE-2013-4476 RESERVED + - samba 2:4.0.11+dfsg-1 (low) + [wheezy] - samba <not-affected> (Doesn't provide AD functionality) + [squeeze] - samba <not-affected> (Doesn't provide AD functionality) + - samba4 <removed> (low) CVE-2013-4475 [no ACL checks for alternate data streams in Samba] RESERVED - - samba <unfixed> (low) + - samba 2:4.0.11+dfsg-1 (low) [wheezy] - samba <no-dsa> (Minor issue) [squeeze] - samba <no-dsa> (Minor issue) - samba4 <removed> (low) [wheezy] - samba4 <no-dsa> (Minor issue) CVE-2013-4474 [User controlled format string] RESERVED - - poppler <unfixed> (low; bug #729064) + - poppler 0.18.4-9 (low; bug #729064) [squeeze] - poppler <not-affected> (pdfseparate not yet present) - [wheezy] - poppler <no-dsa> (cli tool) - NOTE: check + [wheezy] - poppler <no-dsa> (Minor issue, cli tool) CVE-2013-4473 [Stack based buffer overflow] RESERVED - - poppler <unfixed> (low; bug #729064) + - poppler 0.18.4-9 (low; bug #729064) [squeeze] - poppler <not-affected> (pdfseparate not yet present) - [wheezy] - poppler <no-dsa> (cli tool) + [wheezy] - poppler <no-dsa> (Minor issue, cli tool) CVE-2013-4472 [Race condition on temporary file] RESERVED - poppler <unfixed> (unimportant) @@ -4967,7 +5056,7 @@ NOTE: http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/ CVE-2013-4449 [slapd segfaults on certain queries with rwm overlay enabled] RESERVED - - openldap <unfixed> (low) + - openldap <unfixed> (low; bug #729367) [wheezy] - openldap <no-dsa> (Minor issue) [squeeze] - openldap <no-dsa> (Minor issue) NOTE: http://www.openldap.org/its/index.cgi/Incoming?id=7723 
@@ -5073,8 +5162,7 @@ CVE-2013-4417 RESERVED CVE-2013-4416 (The Ocaml xenstored implementation (oxenstored) in Xen 4.1.x, 4.2.x, ...) - - xen <unfixed> - TODO: check if oxenstored is used + - xen <not-affected> (ocaml version of the xenstore daemon not used in Debian) CVE-2013-4415 RESERVED CVE-2013-4414 @@ -8772,6 +8860,8 @@ RESERVED CVE-2013-2931 RESERVED + - chromium-browser 31.0.1650.57-1 + [squeeze] - chromium-browser <end-of-life> CVE-2013-2930 RESERVED CVE-2013-2929 @@ -10859,9 +10949,10 @@ NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=701974 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=954054 CVE-2013-2189 (Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to ...) - - libreoffice 1:3.4.3-1 - - openoffice.org 1:3.3.0-1 (low) + - libreoffice 1:3.4.3-1 (unimportant) + - openoffice.org 1:3.3.0-1 (unimportant) NOTE: Since 3.3.0 openoffice.org is a transitional source package + NOTE: Plain crasher, not treated as security issue CVE-2013-2188 (A certain Red Hat patch to the do_filp_open function in fs/namei.c in ...) - linux-2.6 <not-affected> (RHEL-specific issue) - linux <not-affected> (RHEL-specific issue) @@ -11101,6 +11192,7 @@ - kdeplasma-addons <unfixed> (low; bug #710497) [wheezy] - kdeplasma-addons <no-dsa> (Minor issue) [squeeze] - kdeplasma-addons <no-dsa> (Minor issue) + NOTE: Original fix https://projects.kde.org/projects/kde/kdeplasma-addons/repository/revisions/36a1fe49cb70f717c4a6e9eeee2c9186503a8dce not sufficient CVE-2013-2119 RESERVED - ruby-passenger 3.0.13debian-1.1 (low; bug #710351) @@ -12391,6 +12483,7 @@ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=924802 CVE-2013-1741 RESERVED + - nss 2:3.15.3-1 CVE-2013-1740 RESERVED CVE-2013-1739 (Mozilla Network Security Services (NSS) before 3.15.2 does not ensure ...) 
@@ -14699,6 +14792,7 @@ - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser <end-of-life> - icu 4.8.1.1-12 (low; bug #702346) + [squeeze] - icu <no-dsa> (Minor issue for standalone ICU outside of browser context) CVE-2013-0899 (Integer overflow in the padding implementation in the ...) - chromium-browser 25.0.1364.97-1 [squeeze] - chromium-browser <end-of-life> @@ -17102,7 +17196,7 @@ RESERVED NOT-FOR-US: FreeIPA CVE-2013-0198 (Dnsmasq before 2.66test2, when used with certain libvirt ...) - - dnsmasq <unfixed> (low) + - dnsmasq 2.66-1 (low) [wheezy] - dnsmasq <no-dsa> (Minor issue) [squeeze] - dnsmasq <no-dsa> (Minor issue) NOTE: CVE request http://www.openwall.com/lists/oss-security/2013/01/18/2 @@ -19419,12 +19513,11 @@ [squeeze] - thttpd <no-dsa> (Minor issue) CVE-2012-5639 RESERVED - - libreoffice <unfixed> (low) - [wheezy] - libreoffice <no-dsa> (Minor issue) - - openoffice.org 1:3.3.0-1 (low) - [squeeze] - openoffice.org <no-dsa> (Minor issue) + - libreoffice <unfixed> (unimportant) + - openoffice.org 1:3.3.0-1 (unimportant) NOTE: Since 3.3.0 openoffice.org is a transitional source package NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=58295 + NOTE: Additional hardening/UI improvement, not a direct vulnerability CVE-2012-5638 (The setup_logging function in log.h in SANLock uses world-writable ...) - sanlock 2.2-2 (bug #696424) CVE-2012-5637 @@ -19455,9 +19548,8 @@ RESERVED NOT-FOR-US: gofer component of PULP project CVE-2012-5627 (Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and ...) - - mysql-5.1 <unfixed> (low) - - mysql-5.5 <unfixed> (low) - [wheezy] - mysql-5.5 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.5.x) + - mysql-5.1 <unfixed> (unimportant) + - mysql-5.5 <unfixed> (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=883719 CVE-2012-5626 RESERVED 
@@ -20086,6 +20178,7 @@ NOT-FOR-US: Mediawiki extension CentralAuth CVE-2012-5394 RESERVED + NOT-FOR-US: mediawiki extension CentralAuth CVE-2012-5393 RESERVED CVE-2012-5392 @@ -22521,6 +22614,7 @@ CVE-2012-4542 (block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly ...) - linux <unfixed> - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport) CVE-2012-4541 (Cross-site scripting (XSS) vulnerability in Piwik before 1.9 allows ...) - piwik <itp> (bug #506933) CVE-2012-4540 (Off-by-one error in the invoke function in ...) -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20131120123220.ga26...@inutil.org
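Review bot: in the @@ -1,7 +1,67 @@ hunk the two placeholder ids `CVE-2013-XXXX [binutils-h8300-hms buffer overflow]` and `CVE-2013-XXXX [staden-io-lib buffer overflow]` will need to be replaced once ids are assigned; a TODO line or the id request URL in a NOTE would make that easier to track. In the same hunk, under CVE-2013-6630 and CVE-2013-6629, `- libjpeg-turbo <unfixed> (low; bug #729873)` carries no `[squeeze]`/`[wheezy]` lines while the sibling libjpeg6b and libjpeg8 entries both have `<no-dsa> (Minor issue)`; either libjpeg-turbo is not in those suites or it needs the same annotations, otherwise the tracker reports it as an open stable issue.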
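Review bot: in the @@ -689,6 +749,8 @@ hunk CVE-2013-6282 gets `- linux-2.6 <unfixed>`, while every other kernel entry touched by this patch (CVE-2013-4592, CVE-2013-4588, CVE-2013-4579, CVE-2012-4542) records the dropped source package as `- linux-2.6 <removed>`. Use `<removed>` here as well, add a `[squeeze]` annotation if squeeze's kernel is affected, and give the id a bracketed short description since the CVE is still RESERVED, as the patch does for CVE-2013-4551 and CVE-2013-4474.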
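Review bot: for CVE-2013-5843, CVE-2013-5832 and CVE-2013-5801 (the hunks at -1623, -1650 and -1740) the move from `<undetermined>` to `<not-affected>` rests entirely on no patch having landed in IcedTea, which the replaced NOTE already said was only "likely". The new NOTE should record which IcedTea release was checked so the entries can be revisited if a later IcedTea update picks up one of these fixes; "vague disclosure policy by Oracle" reads better as "Oracle's vague disclosure policy".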
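Review bot: in the @@ -4559,14 +4625,21 @@ hunk CVE-2013-4588 records `- linux 2.6.33-1` as the fixed version and `- linux-2.6 <removed>` with no `[squeeze]` line. A fix that first appears in 2.6.33 leaves squeeze's 2.6.32 kernel affected, so either a `[squeeze] - linux-2.6 <no-dsa>`/`<not-affected>` annotation or a dsa-needed entry is missing; CVE-2013-4591 in the same hunk shows the intended pattern with its `(Introduced in 3.6)` annotations.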
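Review bot: the @@ -4643,9 +4726,12 @@ hunk merges two entries. The existing `CVE-2013-4550 [denial of service via resource leak]` header is removed and an identical header plus `- xen <unfixed>` is re-added above the old Xen `[wheezy]`/`[squeeze]` lines, so after the patch CVE-2013-4550 lists xen <unfixed>, the two Xen not-affected annotations, then `RESERVED`, `- bip 0.8.9-1` and the bip upstream-commit NOTE under a single header: the bip issue loses its own entry and RESERVED ends up mid-entry. The commit message calls this a new Xen issue, so it should get its own CVE id and description line with `- xen <unfixed>` and the two stable annotations, and the `CVE-2013-4550 [...]` header should stay immediately before `RESERVED - bip 0.8.9-1`.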
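Review bot: in the @@ -4868,24 +4954,27 @@ hunk CVE-2013-4476 marks samba in wheezy and squeeze `<not-affected> (Doesn't provide AD functionality)` but leaves `- samba4 <removed> (low)` without a `[wheezy]` line, whereas CVE-2013-4475 directly below carries `[wheezy] - samba4 <no-dsa> (Minor issue)`, showing samba4 is in wheezy. The "no AD functionality" rationale does not cover samba4, so it needs an explicit wheezy annotation (no-dsa or a dsa-needed entry) or the tracker lists it as an open stable issue.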
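Review bot: in the @@ -19455,9 +19548,8 @@ hunk CVE-2012-5627 is downgraded from low/no-dsa to unimportant without a NOTE giving the reason, and the dropped `[wheezy]` line carried the only rationale ("currently not fixed in MySQL, can be included once fixed in 5.5.x"). The other downgrades in this patch (CVE-2013-2189, CVE-2012-5639) add a NOTE explaining the unimportant rating; add one here too and keep the pointer that upstream had no fix yet.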