Author: hle
Date: 2016-11-19 08:21:13 +0000 (Sat, 19 Nov 2016)
New Revision: 46336
Modified: data/CVE/list Log: CVE triage for Xen in wheezy. Modified: data/CVE/list =================================================================== --- data/CVE/list 2016-11-19 06:57:40 UTC (rev 46335) +++ data/CVE/list 2016-11-19 08:21:13 UTC (rev 46336) @@ -27695,9 +27695,13 @@ - qemu-kvm <removed> [squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts) [wheezy] - qemu-kvm <no-dsa> (Minor issue) + - xen 4.4.0-1 + [wheezy] - xen <not-affected> (Vulnerable code introduced after 0.14.50, embedded version is 0.10.2) + NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb (v2.5.0-rc1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283722 NOTE: http://www.openwall.com/lists/oss-security/2015/12/24/1 + NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=23910d3f669d46073b403876e30a7314599633af CVE-2016-1130 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe Reader and Acrobat CVE-2016-1129 (Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC ...) @@ -31541,6 +31545,8 @@ [jessie] - qemu-kvm <no-dsa> (Minor issue, can be fixed along in a later DSA) [wheezy] - qemu-kvm <no-dsa> (Minor issue, can be fixed along in a later DSA) [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS) + - xen 4.4.0-1 + NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html NOTE: http://www.openwall.com/lists/oss-security/2015/11/25/3 CVE-2015-8346 (app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before ...) 
@@ -34174,6 +34180,8 @@ [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS) - qemu-kvm <removed> [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS) + - xen 4.4.0-1 + NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06341.html CVE-2015-7511 (Libgcrypt before 1.6.5 does not properly perform elliptic-point curve ...) {DSA-3478-1 DSA-3474-1} @@ -34240,6 +34248,7 @@ - qemu-kvm <removed> [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06342.html + NOTE: Xen not affected in wheezy, CVE covered by XSA-162: https://marc.info/?l=oss-security&m=144888089404618&w=2 CVE-2015-7503 [Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey] RESERVED NOT-FOR-US: php-zend-crypt @@ -88641,6 +88650,9 @@ [wheezy] - qemu <not-affected> (Introduced in 1.4) [squeeze] - qemu <not-affected> (Introduced in 1.4) - qemu-kvm <not-affected> (Introduced in 1.4) + - xen 4.4.0-1 + [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, embedded version is 0.10.2) + NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: see BTS bug #744213 CVE-2013-4543 REJECTED @@ -89294,6 +89306,9 @@ [wheezy] - qemu <not-affected> (Introduced in 1.4) [squeeze] - qemu <not-affected> (Introduced in 1.4) - qemu-kvm <not-affected> (Introduced in 1.4) + - xen 4.4.0-1 + [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, embedded version is 0.10.2) + NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440 CVE-2013-4376 (The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server ...) - x2goserver <itp> (bug #465821) 
@@ -95701,6 +95716,9 @@ [wheezy] - qemu <not-affected> (vulnerability introduced in 1.3.0) [squeeze] - qemu <not-affected> (vulnerability introduced in 1.3.0) - qemu-kvm <not-affected> (vulnerability introduced in 1.3.0) + - xen 4.4.0-1 + [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.3.0, embedded version is 0.10.2) + NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05013.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05254.html NOTE: http://marc.info/?l=oss-security&m=136722323931507&w=2 @@ -95738,6 +95756,9 @@ CVE-2013-2007 (The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when ...) - qemu <not-affected> (qemu guest agent introduced in 1.4, vulnerable versions were only in experimental) - qemu-kvm <not-affected> (qemu guest agent introduced in 1.4) + - xen 4.4.0-1 + [wheezy] - xen <not-affected> (Vulnerable code introduced in 1.4, embedded version is 0.10.2) + NOTE: Xen switched to qemu-system in 4.4.0-1 CVE-2013-2006 (OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode ...) - keystone 2013.1.1-2 [wheezy] - keystone <no-dsa> (Minor issue) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
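Review bot: In the hunks at @@ -31541 and @@ -34174, the added "- xen 4.4.0-1" entry has no "[wheezy] - xen" line, although the log describes this commit as wheezy triage and the other xen entries added here carry one. With only the fixed version recorded, xen in wheezy has no explicit status or reason for these two CVEs. If the embedded qemu is affected there, record that with a status and a reason, in the form of the "[wheezy] - qemu-kvm <no-dsa> (...)" context line in the @@ -31541 hunk; if it is not, add a "[wheezy] - xen <not-affected> (...)" line giving the embedded version, as the other hunks do.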
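Review bot: In the hunk at @@ -34240, the wheezy status for Xen is recorded only as free text in a NOTE, with no "- xen" package line, so nothing in the entry ties the xen package to this CVE in the structured form used by the rest of the commit. Suggest adding the package entry with a "[wheezy] - xen <not-affected> (reason)" line and putting the reason there: the note says the CVE is covered by XSA-162 but does not say why wheezy is unaffected.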