Author: jmm
Date: 2014-01-10 16:41:11 +0000 (Fri, 10 Jan 2014)
New Revision: 25148
Modified:
data/CVE/list
Log:
"new" ffmpeg/libav issues
NFUs
clean up some older TODOs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-01-10 15:24:58 UTC (rev 25147)
+++ data/CVE/list 2014-01-10 16:41:11 UTC (rev 25148)
@@ -6761,7 +6761,7 @@
CVE-2013-5386
RESERVED
CVE-2013-5385 (The OSPF implementation in IBM i 6.1 and 7.1, and in z/OS on
zSeries ...)
- TODO: check
+ NOT-FOR-US: IBM
CVE-2013-5384
RESERVED
CVE-2013-5383 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before
7.1.1.12, ...)
@@ -9180,7 +9180,6 @@
- systemd <unfixed> (low; bug #725357)
[wheezy] - systemd <not-affected> (/etc/tmpfiles.d not supported in
Wheezy)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859060
- TODO: no useful information available yet, recheck later
CVE-2013-4391 (Integer overflow in the valid_user_field function in ...)
{DSA-2777-1}
- systemd 204-5 (bug #725357)
@@ -9907,7 +9906,6 @@
CVE-2013-4179 (The security group extension in OpenStack Compute (Nova)
Grizzly ...)
- nova 2013.1.3-1
NOTE: CVE for incomplete fix applied for CVE-2013-1664
- TODO: check if fix applied in #700949 was already complete
CVE-2013-4178
RESERVED
NOT-FOR-US: GA Login Drupal contributed module
@@ -11080,7 +11078,7 @@
CVE-2013-3710 (SUSE Lifecycle Management Server (SLMS) before 1.3.7 does not
generate ...)
NOT-FOR-US: SUSE Lifecycle Management Server
CVE-2013-3709 (WebYaST 1.3 uses weak permissions for ...)
- TODO: check
+ NOT-FOR-US: WebYast
CVE-2013-3708 (The id1.GetPrinterURLList function in Novell iPrint Client
before 5.93 ...)
NOT-FOR-US: Novell iPrint Client
CVE-2013-3707 (The HTTPSTK service in the novell-nrm package before ...)
@@ -11175,7 +11173,7 @@
CVE-2013-3668
RESERVED
CVE-2013-3667 (The software update mechanism as used in Bare Bones Software
Yojimbo ...)
- TODO: check
+ NOT-FOR-US: Various proprietary software updaters
CVE-2013-3666 (The LG Hidden Menu component for Android on the LG Optimus G
E973 ...)
NOT-FOR-US: LG Hidden Menu
CVE-2013-3665 (Unspecified vulnerability in Autodesk AutoCAD through 2014,
AutoCAD LT ...)
@@ -14681,7 +14679,6 @@
- nova <unfixed>
- quantum <unfixed>
- swift <not-affected> (See
https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
- TODO: check if complete and possibly report to BTS, sec announcement
from upstream in preparation
CVE-2013-2254 (The deepGetOrCreateNode function in ...)
NOT-FOR-US: Apache Sling
CVE-2013-2253
@@ -19067,7 +19064,6 @@
- chromium-browser 24.0.1312.68-1
[squeeze] - chromium-browser <end-of-life>
- libv8 <not-affected> (bug #702261; vulnerablility was fixed by
reverting to old implementation as found in version 3.8.9.20)
- TODO: re-check uploads newer than 3.8.9.20
CVE-2013-0835 (Unspecified vulnerability in the Geolocation implementation in
Google ...)
- chromium-browser 24.0.1312.68-1
[squeeze] - chromium-browser <end-of-life>
@@ -38112,13 +38108,13 @@
{DSA-2289-1}
- typo3-src 4.5.4+dfsg1-1 (bug #635937)
CVE-2012-0264 (op5 Monitor and op5 Appliance before 5.5.0 do not properly
manage ...)
- TODO: check
+ NOT-FOR-US: op5
CVE-2012-0263 (monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1
allows ...)
- TODO: check
+ NOT-FOR-US: op5
CVE-2012-0262 (op5config/welcome in system-op5config before 2.0.3 in op5
Monitor and ...)
- TODO: check
+ NOT-FOR-US: op5
CVE-2012-0261 (license.php in system-portal before 1.6.2 in op5 Monitor and
op5 ...)
- TODO: check
+ NOT-FOR-US: op5
CVE-2012-0260 (The JPEGWarningHandler function in coders/jpeg.c in ImageMagick
before ...)
{DSA-2462-1}
- imagemagick 8:6.7.4.0-4 (bug #667635)
@@ -41614,9 +41610,11 @@
- libav 4:0.8.1-1
- ffmpeg <removed>
CVE-2011-3950 (The dirac_decode_data_unit function in libavcodec/diracdec.c in
FFmpeg ...)
- TODO: check
+ - libav <not-affected> (Specific to newer ffmpeg after split)
+ - ffmpeg <not-affected> (Specific to newer ffmpeg after split)
CVE-2011-3949 (The dirac_unpack_idwt_params function in libavcodec/diracdec.c
in ...)
- TODO: check
+ - libav <not-affected> (Specific to newer ffmpeg after split)
+ - ffmpeg <not-affected> (Specific to newer ffmpeg after split)
CVE-2011-3948
RESERVED
CVE-2011-3947 (Buffer overflow in mjpegbdec.c in libavcodec in FFmpeg 0.7.x
before ...)
@@ -41624,12 +41622,16 @@
- libav 4:0.8.1-1
- ffmpeg <removed>
CVE-2011-3946 (The ff_h264_decode_sei function in libavcodec/h264_sei.c in
FFmpeg ...)
- TODO: check
+ - libav <unfixed> (unimportant)
+ - ffmpeg <removed> (unimportant)
+ NOTE: Not suitable for code injection, not treated as security issue
CVE-2011-3945 (The decode_frame function in the KVG1 decoder (kgv1dec.c) in
...)
- libav 4:0.8.1-1
- ffmpeg <not-affected> (Vulnerable code not present)
CVE-2011-3944 (The smacker_decode_header_tree function in libavcodec/smacker.c
in ...)
- TODO: check
+ - libav <unfixed>
+ - ffmpeg <removed>
+ NOTE: Fix in libav:
http://git.libav.org/?p=libav.git;a=commitdiff;h=0679cec6e8802643bbe6d5f68ca1110a7d3171da
CVE-2011-3943
RESERVED
CVE-2011-3942
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
