Author: hle
Date: 2016-11-19 08:21:13 +0000 (Sat, 19 Nov 2016)
New Revision: 46336

Modified:
   data/CVE/list
Log:
CVE triage for Xen in wheezy.

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2016-11-19 06:57:40 UTC (rev 46335)
+++ data/CVE/list       2016-11-19 08:21:13 UTC (rev 46336)
@@ -27695,9 +27695,13 @@
        - qemu-kvm <removed>
        [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
        [wheezy] - qemu-kvm <no-dsa> (Minor issue)
+       - xen 4.4.0-1
+       [wheezy] - xen <not-affected> (Vulnerable code introduced after 
0.14.50, embedded version is 0.10.2)
+       NOTE: Xen switched to qemu-system in 4.4.0-1
        NOTE: Upstream commit: 
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb
 (v2.5.0-rc1)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283722
        NOTE: http://www.openwall.com/lists/oss-security/2015/12/24/1
+        NOTE: Vulnerable code introduced after 0.14.50: 
http://git.qemu.org/?p=qemu.git;a=commit;h=23910d3f669d46073b403876e30a7314599633af
 CVE-2016-1130 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat 
Reader DC ...)
        NOT-FOR-US: Adobe Reader and Acrobat
 CVE-2016-1129 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat 
Reader DC ...)
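Review bot: The last added line of this hunk (`NOTE: Vulnerable code introduced after 0.14.50: ...`) is indented one column further than the other added lines and the NOTE lines around it, which suggests spaces where the rest of the entry uses a tab; please match the existing indentation. It also repeats the reason already given in the `[wheezy] - xen <not-affected>` parenthetical, so the version claim could live in one place, with the commit URL kept in the NOTE.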
@@ -31541,6 +31545,8 @@
        [jessie] - qemu-kvm <no-dsa> (Minor issue, can be fixed along in a 
later DSA)
        [wheezy] - qemu-kvm <no-dsa> (Minor issue, can be fixed along in a 
later DSA)
        [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+       - xen 4.4.0-1
+       NOTE: Xen switched to qemu-system in 4.4.0-1
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
        NOTE: http://www.openwall.com/lists/oss-security/2015/11/25/3
 CVE-2015-8346 (app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x 
before ...)
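Review bot: No `[wheezy] - xen` line is added for this entry, although the log message describes the revision as Xen triage for wheezy and the qemu-kvm lines just above carry explicit per-release states. With only `- xen 4.4.0-1`, what was decided for xen in wheezy is left implicit; add an explicit `[wheezy] - xen ...` line with the state and a short reason.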
@@ -34174,6 +34180,8 @@
        [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
        - qemu-kvm <removed>
        [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
+       - xen 4.4.0-1
+       NOTE: Xen switched to qemu-system in 4.4.0-1
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06341.html
 CVE-2015-7511 (Libgcrypt before 1.6.5 does not properly perform elliptic-point 
curve ...)
        {DSA-3478-1 DSA-3474-1}
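Review bot: Unlike the hunks in this revision that add `[wheezy] - xen <not-affected> (...)`, this one adds only `- xen 4.4.0-1` and the NOTE about the switch to qemu-system, so the entry does not say whether xen in wheezy was found affected. Please record the wheezy state on its own line.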
@@ -34240,6 +34248,7 @@
        - qemu-kvm <removed>
        [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06342.html
+        NOTE: Xen not affected in wheezy, CVE covered by XSA-162: 
https://marc.info/?l=oss-security&m=144888089404618&w=2
 CVE-2015-7503 [Potential Information Disclosure in 
Zend\Crypt\PublicKey\Rsa\PublicKey]
        RESERVED
        NOT-FOR-US: php-zend-crypt
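Review bot: The wheezy conclusion for xen is recorded here only as a free-text NOTE, with no `- xen` or `[wheezy] - xen` package line, so anything that reads the package lines will not see it. The wording is also ambiguous: "not affected in wheezy" and "covered by XSA-162" read as two different states, so say which one applies and why. The added NOTE is indented one column further than the context NOTE above it.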
@@ -88641,6 +88650,9 @@
        [wheezy] - qemu <not-affected> (Introduced in 1.4)
        [squeeze] - qemu <not-affected> (Introduced in 1.4)
        - qemu-kvm <not-affected> (Introduced in 1.4)
+       - xen 4.4.0-1
+       [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, 
embedded version is 0.10.2)
+       NOTE: Xen switched to qemu-system in 4.4.0-1
        NOTE: see BTS bug #744213
 CVE-2013-4543
        REJECTED
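Review bot: In the `[wheezy] - xen <not-affected>` reason, "introduced in 1.4" and "embedded version is 0.10.2" are version numbers of the embedded component, but the line sits under xen and does not name it. Spell it out, e.g. "embedded qemu is 0.10.2", so the comparison is not read against xen versions such as the 4.4.0-1 on the line above.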
@@ -89294,6 +89306,9 @@
        [wheezy] - qemu <not-affected> (Introduced in 1.4)
        [squeeze] - qemu <not-affected> (Introduced in 1.4)
        - qemu-kvm <not-affected> (Introduced in 1.4)
+       - xen 4.4.0-1
+       [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, 
embedded version is 0.10.2)
+       NOTE: Xen switched to qemu-system in 4.4.0-1
        NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440
 CVE-2013-4376 (The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go 
Server ...)
        - x2goserver <itp> (bug #465821)
@@ -95701,6 +95716,9 @@
        [wheezy] - qemu <not-affected> (vulnerability introduced in 1.3.0)
        [squeeze] - qemu <not-affected> (vulnerability introduced in 1.3.0)
        - qemu-kvm <not-affected> (vulnerability introduced in 1.3.0)
+       - xen 4.4.0-1
+       [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.3.0, 
embedded version is 0.10.2)
+       NOTE: Xen switched to qemu-system in 4.4.0-1
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05013.html
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05254.html
        NOTE: http://marc.info/?l=oss-security&m=136722323931507&w=2
@@ -95738,6 +95756,9 @@
 CVE-2013-2007 (The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, 
when ...)
        - qemu <not-affected> (qemu guest agent introduced in 1.4, vulnerable 
versions were only in experimental)
        - qemu-kvm <not-affected> (qemu guest agent introduced in 1.4)
+       - xen 4.4.0-1
+       [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, 
embedded version is 0.10.2)
+       NOTE: Xen switched to qemu-system in 4.4.0-1
 CVE-2013-2006 (OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode 
...)
        - keystone 2013.1.1-2
        [wheezy] - keystone <no-dsa> (Minor issue)
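Review bot: `- xen 4.4.0-1` records a fixed version, which implies that earlier xen uploads were affected, while the qemu and qemu-kvm lines of this entry are `<not-affected>` because the guest agent was only introduced in 1.4. If no xen upload before 4.4.0-1 embedded a qemu that includes the guest agent, `- xen <not-affected>` with that reason would describe the situation more accurately; otherwise a NOTE naming the affected xen versions would help.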

