Author: benh Date: 2017-10-06 01:09:20 +0000 (Fri, 06 Oct 2017) New Revision: 56437
Modified: data/CVE/list Log: Mark CVE-2017-14496 as not affecting wheezy and jessie Some of the added checks in the upstream fix for CVE-2017-14496 do seem to apply to these versions of dnsmasq (in different files and functions). However the author says that prior to version 2.76 the buffers used are always large enough to make the 'overrun' harmless. Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-10-05 21:10:17 UTC (rev 56436) +++ data/CVE/list 2017-10-06 01:09:20 UTC (rev 56437) @@ -1513,6 +1513,8 @@ CVE-2017-14496 (Integer underflow in the add_pseudoheader function in dnsmasq before ...) - dnsmasq 2.78-1 [stretch] - dnsmasq 2.76-5+deb9u1 + [jessie] - dnsmasq <not-affected> (Vulnerable code introduced later) + [wheezy] - dnsmasq <not-affected> (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7 CVE-2017-14495 (Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id ...)
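Review bot: the reason given on the two added [jessie] and [wheezy] lines, "(Vulnerable code introduced later)", records less than the log message does. The log says that some of the upstream checks do seem to apply to these versions and that the not-affected status rests on the author's statement that before 2.76 the buffers are always large enough to make the overrun harmless. Consider adding a NOTE: line under the CVE-2017-14496 entry that states this and points to where the author said it, so the rationale stays with the tracker data and not only in the commit log.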