Author: pochu Date: 2017-04-21 17:32:11 +0000 (Fri, 21 Apr 2017) New Revision: 50891
Modified: data/CVE/list data/dla-needed.txt Log: CVE-2016-6711 / CVE-2017-0393: mark as no-dsa for wheezy These won't cause a device hang or reboot on non-Android, so they aren't high for us. Also the wheezy version is too old and the codebase has changed, making it difficult to backport the fix for CVE-2016-6711. Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-04-21 17:29:21 UTC (rev 50890) +++ data/CVE/list 2017-04-21 17:32:11 UTC (rev 50891) @@ -20330,6 +20330,7 @@ NOT-FOR-US: Android Telephony CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver could ...) - libvpx 1.6.1-1 + [wheezy] - libvpx <no-dsa> (Minor issue) NOTE: probably fixed earlier, but this was the version checked NOTE: The wheezy source is confirmed (by code inspection) to be vulnerable. NOTE: https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc @@ -30269,6 +30270,7 @@ NOTE: probably fixed earlier, but this was the version checked CVE-2016-6711 (A remote denial of service vulnerability in libvpx in Mediaserver in ...) - libvpx 1.6.1-1 + [wheezy] - libvpx <no-dsa> (Minor issue) NOTE: probably fixed earlier, but this was the version checked NOTE: Wheezy is confirmed (by code inspection) to have vulnerable source. NOTE: https://android.googlesource.com/platform/external/libvpx/+/063be1485e0099bc81ace3a08b0ec9186dcad693 Modified: data/dla-needed.txt =================================================================== --- data/dla-needed.txt 2017-04-21 17:29:21 UTC (rev 50890) +++ data/dla-needed.txt 2017-04-21 17:32:11 UTC (rev 50891) @@ -54,9 +54,6 @@ -- libsndfile -- -libvpx (Emilio Pozuelo) - NOTE: The CVEs needs further triaging. --- linux -- mcollective _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
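Review bot: In the data/CVE/list hunk for CVE-2017-0393 (`@@ -20330,6 +20330,7 @@`), the added `[wheezy] - libvpx <no-dsa> (Minor issue)` line does not record why the issue is minor. The reason (no device hang or reboot on non-Android) appears only in the commit log, while the entry itself still carries the NOTE that the wheezy source is confirmed vulnerable. Consider adding a NOTE line under the entry stating the limited impact outside Android, so the triage decision is readable from the list alone.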
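Review bot: In the data/CVE/list hunk for CVE-2016-6711 (`@@ -30269,6 +30270,7 @@`), the reason `(Minor issue)` omits the second justification the log gives for this CVE specifically: the wheezy version is too old and the codebase has changed, making the fix difficult to backport. Suggest recording that in the entry, for example as a NOTE, so anyone revisiting it can see that a backport was considered and judged impractical rather than overlooked.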
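Review bot: In the data/dla-needed.txt hunk, the removed entry's note said `The CVEs needs further triaging` without naming them, and this commit triages only CVE-2016-6711 and CVE-2017-0393. Before dropping libvpx from the list, confirm that no other libvpx CVE is still open for wheezy. If those two were the full set, saying so in the log would make the removal self-explanatory.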