Author: jmm
Date: 2017-11-24 17:37:26 +0000 (Fri, 24 Nov 2017)
New Revision: 57998

Modified:
   data/CVE/list
Log:
scala non-issue
convert otrs issue to NOTE, apparently bogus
fix pnp4nagios entry, all suites are n/a
libraw, lame, libcatalyst-plugin-static-simple-perl, lynx, ohcount no-dsa


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-11-24 15:40:28 UTC (rev 57997)
+++ data/CVE/list       2017-11-24 17:37:26 UTC (rev 57998)
@@ -44,6 +44,8 @@
        NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA
 CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially 
crafted ...)
        - ohcount <unfixed> (bug #882372)
+       [stretch] - ohcount <no-dsa> (Minor issue)
+       [jessie] - ohcount <no-dsa> (Minor issue)
 CVE-2017-16925
        RESERVED
 CVE-2017-16924
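Review bot: the two added stretch/jessie lines record only "(Minor issue)" for a report described as command injection; a few words on why it rates minor (who controls the input ohcount parses, whether it is reachable without local access) would let a later triager re-evaluate the no-dsa decision without re-reading the upstream report.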
@@ -249,7 +251,9 @@
 CVE-2017-1000211 (Lynx before 2.8.9dev.16 is vulnerable to a use after free in 
the HTML ...)
        {DLA-1175-1}
        - lynx 2.8.9dev16-1
+       [stretch] - lynx <no-dsa> (Minor issue)
        - lynx-cur <removed>
+       [jessie] - lynx-cur <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9
 CVE-2017-1000206 (samtools htslib library version 1.4.0 and earlier is 
vulnerable to ...)
        - htslib 1.4.1-1
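Review bot: the {DLA-1175-1} reference on this entry now sits next to the added "[jessie] - lynx-cur <no-dsa> (Minor issue)" line; please confirm the DLA covers a suite other than jessie, otherwise the entry both records a fix via DLA and declines one for the same source package. Placement is otherwise consistent: each suite line follows the source package it qualifies.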
@@ -648,8 +652,7 @@
 CVE-2017-16835
        RESERVED
 CVE-2017-16834 (PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned 
by an ...)
-       - pnp4nagios <removed>
-       [wheezy] - pnp4nagios <not-affected> (/etc/pnp4nagios and its content 
is installed as root by the Debian package)
+       - pnp4nagios <not-affected> (/etc/pnp4nagios and its content is 
installed as root by the Debian package)
        NOTE: https://github.com/lingej/pnp4nagios/issues/140
 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro 
before ...)
        NOT-FOR-US: Gemirro
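Review bot: dropping the "- pnp4nagios <removed>" line means the entry no longer records that the package left unstable; that is harmless for a <not-affected> entry whose rationale (the Debian package installs /etc/pnp4nagios as root) applies to every suite, as the log says, but it would be worth keeping the removal visible in the log message so the history is not lost.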
@@ -2148,6 +2151,8 @@
        NOTE: 
https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8
 CVE-2017-16248 (The Catalyst-Plugin-Static-Simple module before 0.34 for Perl 
allows ...)
        - libcatalyst-plugin-static-simple-perl 0.34-1 (bug #880458)
+       [stretch] - libcatalyst-plugin-static-simple-perl <no-dsa> (Minor issue)
+       [jessie] - libcatalyst-plugin-static-simple-perl <no-dsa> (Minor issue)
        NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=120558
 CVE-2017-16241
        RESERVED
@@ -4795,12 +4800,12 @@
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02557.html
        NOTE: Fixed by: 
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=eb38e1bc3740725ca29a535351de94107ec58d51
 CVE-2017-15288 (The compilation daemon in Scala before 2.10.7, 2.11.x before 
2.11.12, ...)
-       - scala <unfixed>
+       - scala <unfixed> (unimportant)
        NOTE: http://scala-lang.org/news/security-update-nov17.html
        NOTE: For 2.11.x: https://github.com/scala/scala/pull/6108
        NOTE: For 2.12.x: https://github.com/scala/scala/pull/6120
        NOTE: For 2.10.x: https://github.com/scala/scala/pull/6128
-       TODO: check
+       NOTE: Neutralised by kernel hardening
 CVE-2017-15287 (There is XSS in the BouquetEditor WebPlugin for Dream 
Multimedia ...)
        NOT-FOR-US: BouquetEditor WebPlugin
 CVE-2017-15286 (SQLite 3.20.1 has a NULL pointer dereference in 
tableColumnList in ...)
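Review bot: "Neutralised by kernel hardening" on the last added line is too vague to support the new (unimportant) rating; name the specific kernel protection and whether it is enabled by default in the suites the tracker covers, so the severity can be revisited if that protection is absent or disabled on a given system. Replacing the "TODO: check" line with this NOTE otherwise closes the open item as the log describes.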
@@ -5622,6 +5627,8 @@
        NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5
 CVE-2017-15019 (LAME 3.99.5 has a NULL Pointer Dereference in the 
hip_decode_init ...)
        - lame <unfixed>
+       [stretch] - lame <ignored> (Minor issue)
+       [jessie] - lame <ignored> (Minor issue)
        NOTE: https://sourceforge.net/p/lame/bugs/477/
 CVE-2017-15018 (LAME 3.99.5 has a heap-based buffer over-read when handling a 
malformed ...)
        - lame 3.99.5+repack1-8
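Review bot: the two added lines use <ignored> while the commit log lists lame among the no-dsa packages and every other entry in this commit with the same "(Minor issue)" rationale uses <no-dsa>; pick one, since <ignored> tells readers the issue will deliberately not be fixed in that suite rather than merely not warrant a DSA.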
@@ -9386,6 +9393,8 @@
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484192
 CVE-2017-13735 (There is a floating point exception in the kodak_radc_load_raw 
function ...)
        - libraw 0.18.5-1 (low; bug #874729)
+       [stretch] - libraw <no-dsa> (Minor issue)
+       [jessie] - libraw <no-dsa> (Minor issue)
        [wheezy] - libraw <no-dsa> (Minor issue)
        NOTE: https://github.com/LibRaw/LibRaw/issues/96
        NOTE: Isolated patch: 
https://github.com/LibRaw/LibRaw/files/1276421/radc_divbyzero.txt
@@ -22463,11 +22472,7 @@
        [wheezy] - vlc <end-of-life> (Not supported in wheezy LTS)
        NOTE: 
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3
 CVE-2017-9299 (Open Ticket Request System (OTRS) 3.3.9 has XSS in ...)
-       - otrs2 <unfixed> (unimportant)
-       NOTE: The issue is most likely fixed in the 3.x series already before 
3.3.17.
-       NOTE: The exact issue, fixing commits and upstream version was not yet 
tracked
-       NOTE: down.
-       NOTE: Furthermore the original report is quite vague/unclear and 
upstream can
+       NOTE: This report for OTRS is quite vague/unclear and upstream can
        NOTE: not track the issue down to a specific fixed release claims 
though that
        NOTE: it should not be reproducible with versions later than 3.3.17.
 CVE-2017-9298 (Cross-site scripting vulnerability in Hitachi Device Manager 
before ...)
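Review bot: removing the "- otrs2 <unfixed> (unimportant)" line leaves CVE-2017-9299 with NOTE lines only, so the tracker no longer records any package status for it; if the report is considered bogus, state that explicitly in the NOTE rather than leaving it implied. The new NOTE line also runs straight into the retained context, so the combined text reads "upstream can not track the issue down to a specific fixed release claims though that it should not be reproducible ...", which needs a rewrite along the lines of "upstream cannot track the issue down to a specific fixed release, but claims it should not be reproducible with versions later than 3.3.17".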


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits