Author: carnil Date: 2017-01-14 13:48:56 +0000 (Sat, 14 Jan 2017) New Revision: 48030
Modified: data/CVE/list Log: More fixes recorded from the jessie 8.7 release Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-01-14 13:20:01 UTC (rev 48029) +++ data/CVE/list 2017-01-14 13:48:56 UTC (rev 48030) @@ -5976,7 +5976,7 @@ CVE-2016-9839 (In MapServer before 7.0.3, OGR driver error messages are too verbose ...) {DLA-734-1} - mapserver 7.0.3-1 - [jessie] - mapserver <no-dsa> (Minor issue) + [jessie] - mapserver 6.4.1-5+deb8u1 NOTE: https://lists.osgeo.org/pipermail/mapserver-dev/2016-December/014979.html NOTE: https://github.com/mapserver/mapserver/pull/4928 NOTE: https://github.com/mapserver/mapserver/pull/5356 @@ -14421,7 +14421,7 @@ RESERVED {DLA-694-1} - libwmf 0.2.8.4-10.6 (bug #842090) - [jessie] - libwmf <no-dsa> (Minor issue) + [jessie] - libwmf 0.2.8.4-10.3+deb8u2 NOTE: http://www.openwall.com/lists/oss-security/2016/10/18/9 NOTE: https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00015-libwmf-memalloc-wmf_malloc 
@@ -14579,12 +14579,11 @@ NOT-FOR-US: NVIDIA GeForce Experience CVE-2016-8826 (All versions of NVIDIA GPU Display Driver contain a vulnerability in ...) - nvidia-graphics-drivers 375.26-1 (bug #848195) - [jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [jessie] - nvidia-graphics-drivers 340.101-1 [wheezy] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.101-1 (bug #848196) - nvidia-graphics-drivers-legacy-304xx 304.134-1 (bug #848197) - [jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported) - [wheezy] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported) + [jessie] - nvidia-graphics-drivers-legacy-304xx 304.134-0~deb8u1 NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4278 CVE-2016-8825 (All versions of NVIDIA Windows GPU Display Driver contain a ...) NOT-FOR-US: Nvidia Windows driver @@ -14986,9 +14985,9 @@ RESERVED {DLA-687-1} - tre 0.8.0-5 (bug #842169) - [jessie] - tre <no-dsa> (Minor issue) + [jessie] - tre 0.8.0-4+deb8u1 - musl 1.1.15-2 (bug #842171) - [jessie] - musl <no-dsa> (Minor issue) + [jessie] - musl 1.1.5-2+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2016/10/19/1 NOTE: other issues may still be present in tre after this: https://github.com/laurikari/tre/issues/37 NOTE: musl patch: http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7, not released yet 
@@ -15052,61 +15051,61 @@ RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8702 RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8701 RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8700 RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8699 RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8698 RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiplesix-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8697 [AddressSanitizer: FPE on unknown address 0x508d51 in bm_new ... 
bitmap.h] RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-divide-by-zero-in-bm_new-bitmap-h/ CVE-2016-8696 RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiple-three-null-pointer-dereference-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8695 RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiple-three-null-pointer-dereference-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8694 RESERVED {DLA-675-1} - potrace 1.13-1 - [jessie] - potrace <no-dsa> (Minor issue) + [jessie] - potrace 1.12-1+deb8u1 NOTE: https://blogs.gentoo.org/ago/2016/08/08/potrace-multiple-three-null-pointer-dereference-in-bm_readbody_bmp-bitmap_io-c/ CVE-2016-8693 [attempting double-free ... mem_close ... jas_stream.c] RESERVED @@ -15276,7 +15275,7 @@ CVE-2016-8649 [lxc-attach to malicious container allows access to host] RESERVED - lxc 1:2.0.6-1 (bug #845465) - [jessie] - lxc <no-dsa> (Minor issue) + [jessie] - lxc 1:1.0.6-6+deb8u5 [wheezy] - lxc <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c NOTE: Details: https://launchpad.net/bugs/1639345 
@@ -19297,12 +19296,11 @@ TODO: check CVE-2016-7389 (For the NVIDIA Quadro, NVS, GeForce, and Tesla products, NVIDIA GPU ...) - nvidia-graphics-drivers 367.57-1 (bug #846331) - [jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [jessie] - nvidia-graphics-drivers 340.101-1 [wheezy] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.98-1 (bug #846332) - nvidia-graphics-drivers-legacy-304xx 304.132-1 (bug #846333) - [jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported) - [wheezy] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported) + [jessie] - nvidia-graphics-drivers-legacy-304xx 304.134-0~deb8u1 NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4246 CVE-2016-7388 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) TODO: check @@ -19318,11 +19316,11 @@ TODO: check CVE-2016-7382 (For the NVIDIA Quadro, NVS, GeForce, and Tesla products, NVIDIA GPU ...) - nvidia-graphics-drivers 367.57-1 (bug #846331) - [jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [jessie] - nvidia-graphics-drivers 340.101-1 [wheezy] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.98-1 (bug #846332) - nvidia-graphics-drivers-legacy-304xx 304.132-1 (bug #846333) - [jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported) + [jessie] - nvidia-graphics-drivers-legacy-304xx 304.134-0~deb8u1 NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4246 CVE-2016-7381 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) TODO: check 
@@ -22249,7 +22247,7 @@ RESERVED {DLA-593-1} - nettle 3.3-1 (bug #832983) - [jessie] - nettle <no-dsa> (Minor issue; Can be fixed via point release) + [jessie] - nettle 2.7.1-5+deb8u2 NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html NOTE: https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3 NOTE: Original patch had some unintended side effects: https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003104.html @@ -80048,7 +80046,7 @@ RESERVED {DLA-713-1} - sniffit 0.3.7.beta-20 (bug #845122) - [jessie] - sniffit <no-dsa> (Can be fixed via point release, not installed setuid in Debian) + [jessie] - sniffit 0.3.7.beta-17+deb8u1 NOTE: http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html CVE-2014-5438 (Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT ...) NOT-FOR-US: Arris Touchstone _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
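Review bot: in the @@ -14579 hunk (CVE-2016-8826), the line `[wheezy] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)` is dropped without a replacement. The hunk header counts 12 old lines against 11 new with two `+` lines, so three lines are removed, and the only candidates are the two jessie `<no-dsa>` lines and that wheezy line. The corresponding `[wheezy] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)` line for the main package is kept, so the two packages end up tracked inconsistently for wheezy; either keep the wheezy legacy-304xx line as well or record in the log why wheezy is no longer tracked for it. The commit log ("More fixes recorded from the jessie 8.7 release") does not explain a wheezy change.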
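Review bot: in the @@ -19297 hunk (CVE-2016-7389), the header goes from 12 old lines to 11 new with two `+` lines, which means `[wheezy] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)` is removed alongside the two jessie `<no-dsa>` lines, while `[wheezy] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)` remains as context. By contrast the @@ -19318 hunk (CVE-2016-7382) has no wheezy legacy-304xx line at all and balances at 11 to 11, so the two entries for the same advisory end up with different wheezy coverage. If removing the wheezy legacy-304xx line is intended, say so in the log; otherwise restore it.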
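Review bot: in the @@ -14986 hunk, the trailing context line `NOTE: musl patch: http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7, not released yet` is left stale by this change. The entry already records `musl 1.1.15-2 (bug #842171)` as fixed in unstable and this hunk adds `[jessie] - musl 1.1.5-2+deb8u1`, so "not released yet" no longer describes the state of the fix and invites a reader to treat the jessie upload as carrying an unreleased patch. Suggest dropping the trailing qualifier, or replacing it with the upstream release that contains the commit if that is known.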