Author: benh
Date: 2017-10-06 01:09:20 +0000 (Fri, 06 Oct 2017)
New Revision: 56437
Modified:
data/CVE/list
Log:
Mark CVE-2017-14496 as not affecting wheezy and jessie
Some of the added checks in the upstream fix for CVE-2017-14496 do
seem to apply to these versions of dnsmasq (in different files and
functions). However the author says that prior to version 2.76 the
buffers used are always large enough to make the 'overrun' harmless.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-10-05 21:10:17 UTC (rev 56436)
+++ data/CVE/list 2017-10-06 01:09:20 UTC (rev 56437)
@@ -1513,6 +1513,8 @@
CVE-2017-14496 (Integer underflow in the add_pseudoheader function in dnsmasq
before ...)
- dnsmasq 2.78-1
[stretch] - dnsmasq 2.76-5+deb9u1
+ [jessie] - dnsmasq <not-affected> (Vulnerable code introduced later)
+ [wheezy] - dnsmasq <not-affected> (Vulnerable code introduced later)
NOTE:
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
NOTE:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7
CVE-2017-14495 (Memory leak in dnsmasq before 2.78, when the --add-mac,
--add-cpe-id ...)
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
