Author: jmm Date: 2014-12-05 18:01:39 +0000 (Fri, 05 Dec 2014) New Revision: 30560
Modified: data/CVE/list Log: record jenkins documentation/fix speech-dispatcher fixed two kernel issues n/a for squeeze mark kvm issues as no-dsa for squeeze hivex no-dsa Modified: data/CVE/list =================================================================== --- data/CVE/list 2014-12-05 15:53:03 UTC (rev 30559) +++ data/CVE/list 2014-12-05 18:01:39 UTC (rev 30560) @@ -548,7 +548,9 @@ NOTE: https://www.mantisbt.org/bugs/view.php?id=17841 NOTE: http://github.com/mantisbt/mantisbt/commit/b0021673 CVE-2014-9273 [does not properly handle small-sized hive files] - - hivex 1.3.11-1 + - hivex 1.3.11-1 (low) + [wheezy] - hivex <no-dsa> (Minor issue) + [squeeze] - hivex <no-dsa> (Minor issue) NOTE: https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb NOTE: https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705 CVE-2014-9087 (Integer underflow in the ksba_oid_to_str function in Libksba before ...) @@ -4073,6 +4075,7 @@ CVE-2014-7842 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 3.17.4 ...) - linux <unfixed> - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a2b9e6c1a35a (v3.18-rc1) CVE-2014-7841 (The sctp_process_param function in net/sctp/sm_make_chunk.c in the ...) - linux <unfixed> @@ -13779,6 +13782,7 @@ {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a (v3.18-rc1) CVE-2014-3689 (The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local ...) {DSA-3067-1 DSA-3066-1} @@ -13863,6 +13867,9 @@ CVE-2014-3665 RESERVED - jenkins <unfixed> (bug #767541) + [jessie] - jenkins 1.565.3-3 + NOTE: For jessie, the backport is too intrusive and since it's a cornercase, it's only documented, + NOTE: marking that version as fixed, for unstable we'll record the actual new version with the code fix NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30 CVE-2014-3664 (Directory traversal vulnerability in CloudBees Jenkins before 1.583 ...) - jenkins 1.565.3-1 (bug #763899) @@ -13920,6 +13927,7 @@ {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=234f3ce485d54017f15cf5e0699cff4100121601 NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=d1442d85cc30ea75f7d399474ca738e0bc96f715 CVE-2014-3646 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through ...) @@ -13931,6 +13939,7 @@ {DSA-3060-1} - linux 3.12.6-1 - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS) NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bfd0a56b90005f8c8a004baf407ad90045c2b11e (v3.12-rc1) CVE-2014-3644 RESERVED @@ -14066,11 +14075,13 @@ {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=2febc839133280d5a5e8e1179c94ea674489dae2 CVE-2014-3610 (The WRMSR processing functionality in the KVM subsystem in the Linux ...) {DSA-3060-1} - linux 3.16.7-1 - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 NOTE: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=8b3c3104c3f4f706e99365c3e0d2aa61b95f969f NOTE: Enabling CONFIG_PARAVIRT when building the kernel mitigates this issue. @@ -15444,7 +15455,7 @@ CVE-2014-3183 (Heap-based buffer overflow in the logi_dj_ll_raw_request function in ...) - linux 3.16.2-2 [wheezy] - linux 3.2.63-1 - - linux-2.6 <removed> + - linux-2.6 <not-affected> (Vulnerable code not present) NOTE: https://code.google.com/p/google-security-research/issues/detail?id=90 NOTE: Upstream fix: https://git.kernel.org/linus/51217e69697fba92a06e07e16f55c9a52d8e8945 (v3.17-rc2) CVE-2014-3182 (Array index error in the logi_dj_raw_event function in ...) @@ -19487,7 +19498,7 @@ {DSA-2905-1} - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser <end-of-life> - - speech-dispatcher <unfixed> (low; bug #745808) + - speech-dispatcher 0.8-7 (low; bug #745808) [squeeze] - speech-dispatcher <no-dsa> (Minor issue) [wheezy] - speech-dispatcher <no-dsa> (Minor issue) NOTE: no specific information available (possibly already be fixed in 0.8), the fix in chromium was to disable speechd by default _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits