Author: jmm
Date: 2014-12-02 22:28:53 +0000 (Tue, 02 Dec 2014)
New Revision: 30497
Modified:
data/CVE/list
Log:
rails fixed
openjdk, util-linux no-dsa
older mcollective issues fixed
mark offlineimap as fixed
mark xorg as fixed
NFUs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-12-02 21:56:40 UTC (rev 30496)
+++ data/CVE/list 2014-12-02 22:28:53 UTC (rev 30497)
@@ -495,6 +495,8 @@
CVE-2014-9114 [blkid command injection]
RESERVED
- util-linux <unfixed> (bug #771274)
+ [squeeze] - util-linux <no-dsa> (Minor issue)
+ [wheezy] - util-linux <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2014/11/26/13
NOTE:
https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc
CVE-2014-9112 [heap-based buffer overflow]
@@ -2797,7 +2799,6 @@
RESERVED
- glpi <unfixed> (unimportant)
NOTE: Only supported behind an authenticated HTTP zone
- TODO: check
NOTE: original bug: https://forge.indepnet.net/issues/5101
NOTE: followup: https://forge.indepnet.net/issues/5113
NOTE: appears to be a generic autoloading abuse; possibly with
@@ -4062,13 +4063,12 @@
- moodle <unfixed>
[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
NOTE:
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766
- TODO: check, possibly affects only 2.7.x
CVE-2014-7830 (Cross-site scripting (XSS) vulnerability in
mod/feedback/mapcourse.php ...)
- moodle <unfixed>
[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
NOTE:
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865
CVE-2014-7829 (Directory traversal vulnerability in ...)
- - rails <unfixed> (bug #770934)
+ - rails 2:4.1.8-1 (bug #770934)
[wheezy] - rails <not-affected> (src:rails in wheezy is just a
transition package)
[squeeze] - rails <not-affected> (Only affects >= 3)
- rails-3.2 <removed>
@@ -4114,7 +4114,7 @@
- ruby-sprockets 2.12.3-1
[wheezy] - ruby-sprockets <no-dsa> (Minor issue)
CVE-2014-7818 (Directory traversal vulnerability in ...)
- - rails <unfixed> (bug #770934)
+ - rails 2:4.1.8-1 (bug #770934)
[wheezy] - rails <not-affected> (src:rails in wheezy is just a
transition package)
[squeeze] - rails <not-affected> (Only affects >= 3)
- rails-3.2 <removed>
@@ -11883,13 +11883,13 @@
CVE-2014-4463 (Apple iOS before 8.1.1 allows physically proximate attackers to
bypass ...)
NOT-FOR-US: Apple
CVE-2014-4462 (WebKit, as used in Apple iOS before 8.1.1 and Apple TV before
7.0.2, ...)
- TODO: check
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome
sec team will know and fix
CVE-2014-4461 (The kernel in Apple iOS before 8.1.1 and Apple TV before 7.0.2
does ...)
NOT-FOR-US: Apple
CVE-2014-4460 (CFNetwork in Apple iOS before 8.1.1 and OS X before 10.10.1
does not ...)
NOT-FOR-US: Apple
CVE-2014-4459 (Use-after-free vulnerability in WebKit, as used in Apple OS X
before ...)
- TODO: check
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome
sec team will know and fix
CVE-2014-4458 (The "System Profiler About This Mac" component in
Apple OS X before ...)
NOT-FOR-US: Apple
CVE-2014-4457 (The Sandbox Profiles subsystem in Apple iOS before 8.1.1 does
not ...)
@@ -11903,7 +11903,7 @@
CVE-2014-4453 (Apple iOS before 8.1.1 and OS X before 10.10.1 include location
data ...)
NOT-FOR-US: Apple
CVE-2014-4452 (WebKit, as used in Apple iOS before 8.1.1 and Apple TV before
7.0.2, ...)
- TODO: check
+ NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome
sec team will know and fix
CVE-2014-4451 (Apple iOS before 8.1.1 does not properly enforce the
failed-passcode ...)
NOT-FOR-US: Apple
CVE-2014-4450 (The QuickType feature in the Keyboards subsystem in Apple iOS
before ...)
@@ -14177,6 +14177,7 @@
[wheezy] - openjdk-6 <no-dsa> (Upstream doesn't plan to disable SSLv3,
stick with that)
- openjdk-7 <unfixed>
[wheezy] - openjdk-7 <no-dsa> (Upstream doesn't plan to disable SSLv3,
stick with that)
+ [jessie] - openjdk-7 <no-dsa> (Upstream doesn't plan to disable SSLv3,
stick with that)
- openjdk-8 <unfixed>
- polarssl 1.3.9-2
- surf <unfixed> (unimportant)
@@ -15100,7 +15101,7 @@
CVE-2014-3252
RESERVED
CVE-2014-3251 (The MCollective aes_security plugin, as used in Puppet
Enterprise ...)
- - mcollective <unfixed> (low; bug #758701)
+ - mcollective 2.6.0+dfsg-1 (low; bug #758701)
[wheezy] - mcollective <no-dsa> (Minor issue)
NOTE: Mcollective are not configured to use the plugin and are not
vulnerable by default.
NOTE: http://puppetlabs.com/security/cve/cve-2014-3251
@@ -15123,7 +15124,7 @@
- facter 2.0.1-1 (low)
[wheezy] - facter <no-dsa> (Minor issue)
[squeeze] - facter <no-dsa> (Minor issue)
- - mcollective <unfixed> (low)
+ - mcollective 2.5.2+dfsg-1 (low)
[wheezy] - mcollective <no-dsa> (Minor issue)
NOTE: http://puppetlabs.com/security/cve/cve-2014-3248
NOTE: problem in combination with ruby <= 1.9.1
@@ -26135,7 +26136,10 @@
- pixman 0.30.2-2
CVE-2013-6424 (Integer underflow in the xTrapezoidValid macro in
render/picture.h in ...)
{DSA-2822-1}
- - xorg-server <unfixed> (low; bug #742922)
+ - xorg-server 2:1.14.2.901-1 (low; bug #742922)
+ NOTE: Band-aid fix in Wheezy not applicable to upstream code, fixed
post-Wheezy
+ NOTE: in pixman:
http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c
+ NOTE: Mark the first post-wheezy xorg-server as a pseudo fixed version
CVE-2013-6423
RESERVED
CVE-2013-6422 (The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when
disabling ...)
@@ -65565,7 +65569,8 @@
- gnutls26 <unfixed> (unimportant)
- gnutls28 <unfixed> (unimportant)
NOTE: No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2
which is supported since 2.0.0
- - haskell-tls <unfixed>
+ - haskell-tls <unfixed> (unimportant)
+ NOTE: No mitigation for haskell-tls, it is recommended to use TLS 1.1,
which is supported since 0.2
- matrixssl <removed> (low)
[squeeze] - matrixssl <no-dsa> (Minor issue)
[wheezy] - matrixssl <no-dsa> (Minor issue)
@@ -75796,8 +75801,8 @@
NOTE: http://www.djangoproject.com/weblog/2010/dec/22/security/
CVE-2010-4533 [offlineimap uses SSLv2]
RESERVED
- - offlineimap <unfixed> (low; bug #606962)
- [wheezy] - offlineimap <no-dsa> (Long-standing, documented behaviour,
can be updated in spu if needed)
+ - offlineimap 6.3.4-1 (low; bug #606962)
+ NOTE: offlineimap uses the "ssl" standard lib in Python, marking the
version of offlineimap in wheezy as fixed
[squeeze] - offlineimap <no-dsa> (Long-standing, documented behaviour,
can be updated in spu if needed)
[lenny] - offlineimap <no-dsa> (Long-standing, documented behaviour,
can be updated in spu if needed)
CVE-2010-4532 [no SSL cert validation]
_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
