Author: pochu
Date: 2017-04-21 17:32:11 +0000 (Fri, 21 Apr 2017)
New Revision: 50891

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
CVE-2016-6711 / CVE-2017-0393: mark as no-dsa for wheezy

These won't cause a device hang or reboot on non-Android, so they aren't
high for us. Also the wheezy version is too old and the codebase has
changed, making it difficult to backport the fix for CVE-2016-6711.



Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-04-21 17:29:21 UTC (rev 50890)
+++ data/CVE/list       2017-04-21 17:32:11 UTC (rev 50891)
@@ -20330,6 +20330,7 @@
        NOT-FOR-US: Android Telephony
 CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver 
could ...)
        - libvpx 1.6.1-1
+       [wheezy] - libvpx <no-dsa> (Minor issue)
        NOTE: probably fixed earlier, but this was the version checked
        NOTE: The wheezy source is confirmed (by code inspection) to be 
vulnerable.
        NOTE: 
https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc
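Review bot: the added `[wheezy] - libvpx <no-dsa> (Minor issue)` line for CVE-2017-0393 gives a weaker justification than the commit log, and it sits two lines above a NOTE saying the wheezy source is confirmed vulnerable. Anyone reading only data/CVE/list sees "vulnerable" next to "Minor issue" with nothing to connect them. Consider putting the log's reasoning (no device hang or reboot on non-Android) into the no-dsa reason or a NOTE under this entry so the severity decision can be audited from the tracker file alone.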
@@ -30269,6 +30270,7 @@
        NOTE: probably fixed earlier, but this was the version checked
 CVE-2016-6711 (A remote denial of service vulnerability in libvpx in 
Mediaserver in ...)
        - libvpx 1.6.1-1
+       [wheezy] - libvpx <no-dsa> (Minor issue)
        NOTE: probably fixed earlier, but this was the version checked
        NOTE: Wheezy is confirmed (by code inspection) to have vulnerable 
source.
        NOTE: 
https://android.googlesource.com/platform/external/libvpx/+/063be1485e0099bc81ace3a08b0ec9186dcad693
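Review bot: the `<no-dsa> (Minor issue)` annotation added for CVE-2016-6711 omits the second reason given in the commit log, that the wheezy version is too old and the fix is difficult to backport. That reason applies to this entry specifically and is useful to anyone who revisits the decision later. A NOTE recording that the upstream fix linked below does not apply cleanly to the wheezy codebase would make this distinction from CVE-2017-0393 visible in the list.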

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-04-21 17:29:21 UTC (rev 50890)
+++ data/dla-needed.txt 2017-04-21 17:32:11 UTC (rev 50891)
@@ -54,9 +54,6 @@
 --
 libsndfile
 --
-libvpx (Emilio Pozuelo)
-  NOTE: The CVEs needs further triaging.
---
 linux
 --
 mcollective
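Review bot: the removed NOTE in the libvpx entry said the CVEs needed further triaging, but this commit only shows triage results for CVE-2016-6711 and CVE-2017-0393. Before dropping libvpx from data/dla-needed.txt, confirm that those two were the only open libvpx issues for wheezy, and mention that in the log message. The separator handling is fine: removing the entry together with its trailing `--` leaves libsndfile and linux correctly delimited.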


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
