| author | security tracker role <sectracker@debian.org> | 2016-05-02 21:10:11 +0000 |
|---|---|---|
| committer | security tracker role <sectracker@debian.org> | 2016-05-02 21:10:11 +0000 |
| commit | f14dd7f229b4545766ebf3186b1d93e458e359ee (patch) | |
| tree | a391601895609c1612082ca0c6be366f1d13f92e | |
| parent | 158a8e3377e972f426b8e069310cd39cdcf55621 (diff) | |
automatic update
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@41361 e39458fd-73e7-0310-bf30-c45bca0a0e42
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | data/CVE/2003.list | 3 |
| -rw-r--r-- | data/CVE/2008.list | 3 |
| -rw-r--r-- | data/CVE/2011.list | 3 |
| -rw-r--r-- | data/CVE/2012.list | 6 |
| -rw-r--r-- | data/CVE/2014.list | 5 |
| -rw-r--r-- | data/CVE/2015.list | 49 |
| -rw-r--r-- | data/CVE/2016.list | 265 |

7 files changed, 208 insertions, 126 deletions
diff --git a/data/CVE/2003.list b/data/CVE/2003.list index d63de5326c..8f530ed5e5 100644 --- a/data/CVE/2003.list +++ b/data/CVE/2003.list @@ -1,7 +1,6 @@ CVE-2003-1603 (GE Healthcare Discovery VH has a default password of (1) interfile for ...) NOT-FOR-US: GE Healthcare Discovery VH -CVE-2003-1604 [oops in ipt_REDIRECT] - RESERVED +CVE-2003-1604 (The redirect_target function in net/ipv4/netfilter/ipt_REDIRECT.c in ...) - linux <not-affected> (Fixed before rename to src:linux) - linux-2.6 <not-affected> (Fixed before initial upload of linux-2.6 in Debian) NOTE: https://marc.info/?l=netfilter-devel&m=106668497403047&w=2 diff --git a/data/CVE/2008.list b/data/CVE/2008.list index ed9b7721bb..2f53fd1564 100644 --- a/data/CVE/2008.list +++ b/data/CVE/2008.list @@ -1,5 +1,4 @@ -CVE-2008-7316 - RESERVED +CVE-2008-7316 (mm/filemap.c in the Linux kernel before 2.6.25 allows local users to ...) - linux <not-affected> (Issue fixed before the src:linux-2.6 rename) - linux-2.6 2.6.25-1 NOTE: https://git.kernel.org/linus/124d3b7041f9a0ca7c43a6293e1cae4576c32fd5 (v2.6.25-rc1) diff --git a/data/CVE/2011.list b/data/CVE/2011.list index ab5b8d711c..f57b65f1b7 100644 --- a/data/CVE/2011.list +++ b/data/CVE/2011.list @@ -16,8 +16,7 @@ CVE-2011-5323 (GE Healthcare Centricity PACS-IW 3.7.3.7, 3.7.3.8, and possibly o NOT-FOR-US: GE Healthcare Centricity PACS-IW CVE-2011-5322 (GE Healthcare Centricity Analytics Server 1.1 has a default password ...) NOT-FOR-US: GE Healthcare Centricity Analytics Server -CVE-2011-5321 [tty: kobject reference leakage in tty_open] - RESERVED +CVE-2011-5321 (The tty_open function in drivers/tty/tty_io.c in the Linux kernel ...) {DLA-246-1} - linux 3.2.20-1 - linux-2.6 3.2.1-1 diff --git a/data/CVE/2012.list b/data/CVE/2012.list index 68e3f620aa..47c484cb75 100644 --- a/data/CVE/2012.list +++ b/data/CVE/2012.list 
@@ -1,7 +1,6 @@ CVE-2012-XXXX [Option -localhost seems to fail to restrict ipv6 access] - x11vnc <unfixed> (bug #672435) -CVE-2012-6701 [vfs: make AIO use the proper rw_verify_area() area helpers] - RESERVED +CVE-2012-6701 (Integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows ...) - linux <not-affected> (Fixed in v3.2.19; which was before src:linux rename) - linux-2.6 3.2.19-1 NOTE: https://git.kernel.org/linus/a70b52ec1aaeaf60f4739edb1b422827cb6f3893 (v3.5-rc1) @@ -47,8 +46,7 @@ CVE-2012-6690 RESERVED CVE-2012-6688 RESERVED -CVE-2012-6689 [incorrect validation of netlink message origin allows attackers to spoof netlink messages] - RESERVED +CVE-2012-6689 (The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux ...) {DLA-246-1} - linux 3.6.4-1 [wheezy] - linux 3.2.30-1 diff --git a/data/CVE/2014.list b/data/CVE/2014.list index 7ddf7d9393..c039be38c5 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -241,8 +241,7 @@ CVE-2014-9721 (libzmq before 4.0.6 and 4.1.x before 4.1.1 allows remote attacker NOTE: https://github.com/zeromq/libzmq/issues/1273 NOTE: https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/8 -CVE-2014-9717 [USERNS allows circumventing MNT_LOCKED] - RESERVED +CVE-2014-9717 (fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH ...) - linux 4.0.2-1 (low) [jessie] - linux <no-dsa> (Too intrusive to backport) [wheezy] - linux <not-affected> (user namespaces known broken before 3.5, see kernel-sec info) @@ -3978,7 +3977,7 @@ CVE-2014-8488 (Cross-site scripting (XSS) vulnerability in the administrator pan CVE-2014-8487 (Kony Management (aka Enterprise Mobile Management or EMM) 1.2 and ...) NOT-FOR-US: Kony Management CVE-2014-8486 - RESERVED + REJECTED CVE-2014-8482 RESERVED CVE-2014-8479 (The FTP server on Siemens SCALANCE X-300 switches with firmware before ...) 
diff --git a/data/CVE/2015.list b/data/CVE/2015.list index 76b4f89ec3..7eeae253ff 100644 --- a/data/CVE/2015.list +++ b/data/CVE/2015.list @@ -1,4 +1,5 @@ CVE-2015-8869 [buffer overflow and information leak] + RESERVED - ocaml <unfixed> NOTE: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/1 @@ -143,8 +144,7 @@ CVE-2015-8865 [Buffer over-write in finfo_open with malformed magic file] NOTE: http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e NOTE: PHP fixed in 7.0.5, 5.6.20, 5.5.34 NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7 -CVE-2015-8839 [ext4 data corruption due to punch hole races] - RESERVED +CVE-2015-8839 (Multiple race conditions in the ext4 filesystem implementation in the ...) - linux 4.5.1-1 NOTE: https://git.kernel.org/linus/ea3d7209ca01da209cda6f0dea8be9cc4b7a933b (v4.5-rc1) NOTE: https://git.kernel.org/linus/17048e8a083fec7ad841d88ef0812707fbc7e39f (v4.5-rc1) @@ -289,8 +289,7 @@ CVE-2015-XXXX [SQL injection due to unescaped object keys] NOTE: https://github.com/felixge/node-mysql/issues/342 NOTE: https://nodesecurity.io/advisories/66 NOTE: nodejs not covered by security support -CVE-2015-8830 [aio write triggers integer overflow in some network protocols] - RESERVED +CVE-2015-8830 (Integer overflow in the aio_setup_single_vector function in fs/aio.c ...) - linux 4.1.3-1 [jessie] - linux 3.16.7-ckt20-1+deb8u4 [wheezy] - linux <not-affected> (Vulnerable code not present) 
@@ -609,8 +608,7 @@ CVE-2015-8748 (Radicale before 1.1 allows remote authenticated users to bypass . CVE-2015-8747 (The multifilesystem storage backend in Radicale before 1.1 allows ...) {DSA-3462-1 DLA-403-1} - radicale 1.1.1-1 (bug #809920) -CVE-2015-8746 [when NFSv4 migration is executed, kernel oops occurs at NFS client] - RESERVED +CVE-2015-8746 (fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2 ...) - linux 4.3.1-1 [jessie] - linux 3.16.7-ckt20-1 [wheezy] - linux <not-affected> (Vulnerable code not present) @@ -2162,8 +2160,7 @@ CVE-2015-8327 (Incomplete blacklist vulnerability in util.c in foomatic-rip in . - cups-filters 1.2.0-1 [wheezy] - cups-filters <not-affected> (Vulnerable code not present; introduced in 1.0.42) - foomatic-filters 4.0.17-7 (bug #806886) -CVE-2015-8325 [ignore PAM environment vars when UseLogin=yes] - RESERVED +CVE-2015-8325 (The do_setup_env function in session.c in sshd in OpenSSH through ...) {DSA-3550-1} - openssh 1:7.2p2-3 NOTE: Upstream fix: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755 @@ -2281,8 +2278,7 @@ CVE-2015-8302 RESERVED CVE-2015-8301 RESERVED -CVE-2015-8324 [Null pointer dereference when mounting ext4 filesystem] - RESERVED +CVE-2015-8324 (The ext4 implementation in the Linux kernel before 2.6.34 does not ...) {DLA-360-1} - linux 2.6.37-1 - linux-2.6 <removed> 
@@ -3190,8 +3186,7 @@ CVE-2015-XXXX [buffer overflow with handling pop3_deleted_flag setting] [squeeze] - dovecot <not-affected> (Bug with pop3_deleted_flag introduced in 2.2.10) NOTE: http://hg.dovecot.org/dovecot-2.2/rev/05e0700daea3 TODO: The link in the previous line is broken. Please, consider replacing it. Error: 404 -CVE-2015-8019 [Buffer overflow when copying data from skbuff to userspace] - RESERVED +CVE-2015-8019 (The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c ...) - linux <not-affected> (Vulnerable code not present) - linux-2.6 <not-affected> (Vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/11 @@ -3743,7 +3738,7 @@ CVE-2015-7828 (SAP HANA Database 1.00 SPS10 and earlier do not require ...) NOT-FOR-US: SAP HANA CVE-2015-7827 [PKCS #1 v1.5 decoding was not constant time] RESERVED - {DLA-449-1} + {DSA-3565-1 DLA-449-1} - botan1.10 <unfixed> (bug #817932) NOTE: Fixed in 1.11.22. Affected all previous versions NOTE: http://botan.randombit.net/security.html @@ -9195,13 +9190,13 @@ CVE-2015-5728 RESERVED CVE-2015-5727 [Excess memory allocation in BER decoder] RESERVED - {DLA-449-1} + {DSA-3565-1 DLA-449-1} - botan1.10 1.10.10-1 NOTE: Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11 NOTE: http://botan.randombit.net/security.html CVE-2015-5726 [Crash in BER decoder] RESERVED - {DLA-449-1} + {DSA-3565-1 DLA-449-1} - botan1.10 1.10.10-1 NOTE: Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11 NOTE: http://botan.randombit.net/security.html 
@@ -13840,8 +13835,7 @@ CVE-2015-6593 CVE-2015-4179 RESERVED NOT-FOR-US: WordPress plugin codestyling-localization -CVE-2015-4176 - RESERVED +CVE-2015-4176 (fs/namespace.c in the Linux kernel before 4.0.2 does not properly ...) - linux <not-affected> (Introducing commit was applied to 4.0.2 but e0c9c0afd2fc958ffa34b697972721d81df8a56f as well backported into 4.0.2) - linux-2.6 <not-affected> (Introduced and fixed in 4.1-rc1 upstream) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1) @@ -13968,8 +13962,7 @@ CVE-2015-4128 RESERVED CVE-2015-4127 (Cross-site scripting (XSS) vulnerability in the church_admin plugin ...) NOT-FOR-US: church_admin plugin for WordPress -CVE-2015-4178 [ns: user namespaces panic -- lack of internal consistency of a data structure] - RESERVED +CVE-2015-4178 (The fs_pin implementation in the Linux kernel before 4.0.5 does not ...) - linux <not-affected> (Commit was applied to 4.0.2 as well but fixed in Debian by two subsequent commits) NOTE: Debian both applies "mnt: Fail collect_mounts when applied to unmounted mounts" NOTE: and "fs_pin: Allow for the possibility that m_list or s_list go unused." in 
@@ -13978,8 +13971,7 @@ CVE-2015-4178 [ns: user namespaces panic -- lack of internal consistency of a da NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=820f9f147dcce2602eefd9b575bbbd9ea14f0953 (v4.1-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/05/29/5 -CVE-2015-4177 [ns: user namespaces panic -- lack of state identification] - RESERVED +CVE-2015-4177 (The collect_mounts function in fs/namespace.c in the Linux kernel ...) - linux <not-affected> (Commit was applied to 4.0.2 as well but fixed in Debian by two subsequent commits) NOTE: Debian both applies "mnt: Fail collect_mounts when applied to unmounted mounts" NOTE: and "fs_pin: Allow for the possibility that m_list or s_list go unused." in @@ -14169,8 +14161,7 @@ CVE-2015-4082 [encrypted backups attack] NOTE: https://github.com/jborg/attic/issues/271 NOTE: https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072 NOTE: http://www.openwall.com/lists/oss-security/2015/05/25/3 -CVE-2015-4170 [vulnerability in the kernel tty subsystem] - RESERVED +CVE-2015-4170 (Race condition in the ldsem_cmpxchg function in ...) - linux 3.13.4-1 [wheezy] - linux <not-affected> (commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 not backported) - linux-2.6 <not-affected> (commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 not backported) 
@@ -19127,8 +19118,7 @@ CVE-2015-2350 (Cross-site request forgery (CSRF) vulnerability in MikroTik Route NOT-FOR-US: MikroTik RouterOS CVE-2015-2349 (Cross-site scripting (XSS) vulnerability in defaultnewsletter.php in ...) NOT-FOR-US: SuperWebMailer -CVE-2015-2686 [sys_sendto/sys_recvfrom does not validate the user provided ubuf pointer] - RESERVED +CVE-2015-2686 (net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate ...) - linux <not-affected> (Introduced in 3.19, never uploaded to unstable) - linux-2.6 <not-affected> (Introduced in 3.19, never uploaded to unstable) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4de930efc23b92ddf88ce91c405ee645fe6e27ea @@ -19319,8 +19309,7 @@ CVE-2015-2684 (Shibboleth Service Provider (SP) before 2.5.4 allows remote ...) {DSA-3207-1 DLA-259-1} - shibboleth-sp2 2.5.3+dfsg-2 NOTE: http://shibboleth.net/community/advisories/secadv_20150319.txt -CVE-2015-2672 [unprivileged denial-of-service due to mis-protected xsave/xrstor instructions] - RESERVED +CVE-2015-2672 (The xsave/xrstor implementation in arch/x86/include/asm/xsave.h in the ...) - linux <not-affected> - linux-2.6 <not-affected> NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f31a9f7c71691569359fa7fb8b0acaa44bce0324 (v3.17-rc1) 
@@ -21600,8 +21589,7 @@ CVE-2015-1484 (Unquoted Windows search path vulnerability in the agent in Symant NOT-FOR-US: Symantec Workspace Streaming CVE-2015-1483 (Symantec NetBackup OpsCenter 7.6.0.2 through 7.6.1 on Linux and UNIX ...) NOT-FOR-US: Symantec NetBackup OpsCenter -CVE-2015-1573 [nft flush ruleset crashes kernel] - RESERVED +CVE-2015-1573 (The nft_flush_table function in net/netfilter/nf_tables_api.c in the ...) - linux <not-affected> (Vulnerable code introduced in v3.18-rc1, never in the archive outside of experimental) NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac (v3.19-rc5) NOTE: Introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9ac12ef099707f405d7478009564302d7ed8393 (v3.18-rc1) @@ -23086,8 +23074,7 @@ CVE-2015-1195 (The V2 API in OpenStack Image Registry and Delivery Service (Glan - glance 2014.1.3-11 (bug #775926) [wheezy] - glance <not-affected> (Vulnerable code not present) NOTE: up to 2014.1.3 and 2014.2 versions up to 2014.2.1 -CVE-2015-1350 [chown removes security.capability xattr on other users' files] - RESERVED +CVE-2015-1350 (The VFS subsystem in the Linux kernel 3.x provides an incomplete set ...) - linux <unfixed> (bug #770492) - linux-2.6 <removed> CVE-2015-1164 (Open redirect vulnerability in the serve-static plugin before 1.7.2 ...) diff --git a/data/CVE/2016.list b/data/CVE/2016.list index d118097734..cb41a1c6ac 100644 --- a/data/CVE/2016.list +++ b/data/CVE/2016.list 
@@ -1,3 +1,121 @@ +CVE-2016-4413 + RESERVED +CVE-2016-4412 + RESERVED +CVE-2016-4411 + RESERVED +CVE-2016-4410 + RESERVED +CVE-2016-4409 + RESERVED +CVE-2016-4408 + RESERVED +CVE-2016-4407 + RESERVED +CVE-2016-4406 + RESERVED +CVE-2016-4405 + RESERVED +CVE-2016-4404 + RESERVED +CVE-2016-4403 + RESERVED +CVE-2016-4402 + RESERVED +CVE-2016-4401 + RESERVED +CVE-2016-4400 + RESERVED +CVE-2016-4399 + RESERVED +CVE-2016-4398 + RESERVED +CVE-2016-4397 + RESERVED +CVE-2016-4396 + RESERVED +CVE-2016-4395 + RESERVED +CVE-2016-4394 + RESERVED +CVE-2016-4393 + RESERVED +CVE-2016-4392 + RESERVED +CVE-2016-4391 + RESERVED +CVE-2016-4390 + RESERVED +CVE-2016-4389 + RESERVED +CVE-2016-4388 + RESERVED +CVE-2016-4387 + RESERVED +CVE-2016-4386 + RESERVED +CVE-2016-4385 + RESERVED +CVE-2016-4384 + RESERVED +CVE-2016-4383 + RESERVED +CVE-2016-4382 + RESERVED +CVE-2016-4381 + RESERVED +CVE-2016-4380 + RESERVED +CVE-2016-4379 + RESERVED +CVE-2016-4378 + RESERVED +CVE-2016-4377 + RESERVED +CVE-2016-4376 + RESERVED +CVE-2016-4375 + RESERVED +CVE-2016-4374 + RESERVED +CVE-2016-4373 + RESERVED +CVE-2016-4372 + RESERVED +CVE-2016-4371 + RESERVED +CVE-2016-4370 + RESERVED +CVE-2016-4369 + RESERVED +CVE-2016-4368 + RESERVED +CVE-2016-4367 + RESERVED +CVE-2016-4366 + RESERVED +CVE-2016-4365 + RESERVED +CVE-2016-4364 + RESERVED +CVE-2016-4363 + RESERVED +CVE-2016-4362 + RESERVED +CVE-2016-4361 + RESERVED +CVE-2016-4360 + RESERVED +CVE-2016-4359 + RESERVED +CVE-2016-4358 + RESERVED +CVE-2016-4357 + RESERVED +CVE-2016-4351 + RESERVED +CVE-2016-4350 + RESERVED CVE-2016-XXXX [A remote attacker could change Atheme's behavior by registering/dropping certain accounts/nicks] - atheme-services <unfixed> NOTE: https://github.com/atheme/atheme/issues/397 
@@ -12,11 +130,13 @@ CVE-2016-4425 [stack exhaustion parsing a JSON file] NOTE: https://github.com/akheron/jansson/issues/282 NOTE: http://www.openwall.com/lists/oss-security/2016/05/01/5 CVE-2016-4422 [local root privilege escalation] + RESERVED - libpam-sshauth 0.4.1-2 NOTE: Introduced in: https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/revision/93/src/pam_sshauth.c NOTE: Fixed in: https://bazaar.launchpad.net/~ltsp-upstream/ltsp/libpam-sshauth/revision/114 NOTE: http://www.openwall.com/lists/oss-security/2016/05/01/2 CVE-2016-4414 [denial of service] + RESERVED - quassel 1:0.12.4-2 [wheezy] - quassel <not-affected> (Vulnerable code introduced with 0.10.0) NOTE: https://github.com/quassel/quassel/blob/f64ac93/src/core/coreauthhandler.cpp#L100 @@ -26,6 +146,7 @@ CVE-2016-4414 [denial of service] CVE-2016-4349 (Untrusted search path vulnerability in Cisco WebEx Productivity Tools ...) NOT-FOR-US: Cisco CVE-2016-4352 [Mplayer/Mencoder integer overflow parsing gif files] + RESERVED - mplayer <unfixed> NOTE: https://trac.mplayerhq.hu/ticket/2295 NOTE: Fixed in Revision r37857 upstream @@ -1014,8 +1135,7 @@ CVE-2016-3953 RESERVED CVE-2016-3952 RESERVED -CVE-2016-3951 [usbnet: memory corruption triggered by invalid USB descriptor] - RESERVED +CVE-2016-3951 (Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux ...) - linux 4.5.1-1 NOTE: https://git.kernel.org/linus/4d06dd537f95683aba3651098ae288b7cbff8274 (v4.5) NOTE: https://git.kernel.org/linus/1666984c8625b3db19a9abc298931d35ab7bc64b (v4.5) @@ -1602,8 +1722,7 @@ CVE-2016-3684 RESERVED CVE-2016-3683 RESERVED -CVE-2016-3689 [crash on invalid USB device descriptors (ims-pcu driver)] - RESERVED +CVE-2016-3689 (The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in ...) - linux 4.5.1-1 NOTE: Upstream fix: https://git.kernel.org/linus/a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff (v4.6-rc1) NOTE: https://bugzilla.novell.com/show_bug.cgi?id=971628 
@@ -3031,8 +3150,7 @@ CVE-2016-XXXX [A missing null termination of a string causes an out of bounds me NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4193 NOTE: https://github.com/proftpd/proftpd/commit/d9f9d469ce1da09c7935f509797d488fa2d08697 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/03/11/12 -CVE-2016-3140 [crash on invalid USB device descriptors (digi_acceleport driver)] - RESERVED +CVE-2016-3140 (The digi_port_init function in drivers/usb/serial/digi_acceleport.c in ...) - linux 4.5.1-1 (low) [jessie] - linux <no-dsa> (Minor issue) [wheezy] - linux <no-dsa> (Minor issue) @@ -3044,23 +3162,20 @@ CVE-2016-3139 (The wacom_probe function in drivers/input/tablet/wacom_sys.c in t NOTE: http://seclists.org/bugtraq/2016/Mar/60 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283375 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283377 -CVE-2016-3138 [crash on invalid USB device descriptors (cdc_acm driver)] - RESERVED +CVE-2016-3138 (The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux ...) - linux 4.5.1-1 (low) [jessie] - linux <no-dsa> (Minor issue) [wheezy] - linux <no-dsa> (Minor issue) NOTE: http://seclists.org/bugtraq/2016/Mar/54 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283366 NOTE: http://marc.info/?l=linux-usb&m=145803342320160&w=2 -CVE-2016-3137 [crash on invalid USB device descriptors (cypress_m8 driver)] - RESERVED +CVE-2016-3137 (drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 ...) - linux 4.5.1-1 (low) [jessie] - linux <no-dsa> (Minor issue) [wheezy] - linux <no-dsa> (Minor issue) NOTE: http://seclists.org/bugtraq/2016/Mar/55 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283368 -CVE-2016-3136 [crash on invalid USB device descriptors (mct_u232 driver)] - RESERVED +CVE-2016-3136 (The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in ...) - linux 4.5.1-1 (low) [jessie] - linux <no-dsa> (Minor issue) [wheezy] - linux <no-dsa> (Minor issue) 
@@ -3559,7 +3674,7 @@ CVE-2016-2850 NOTE: Introduced in 1.11.0, fixed in 1.11.29 CVE-2016-2849 [ECDSA side channel attack] RESERVED - {DLA-449-1} + {DSA-3565-1 DLA-449-1} - botan1.10 <unfixed> (bug #822698) NOTE: http://botan.randombit.net/security.html NOTE: Introduced in 1.7.15, fixed in 1.11.29 @@ -3645,14 +3760,12 @@ CVE-2016-2857 (The net_checksum_calculate function in net/checksum.c in QEMU all NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-03/msg00671.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1296567 NOTE: http://www.openwall.com/lists/oss-security/2016/03/03/9 -CVE-2016-2854 [AUFS Xattr Setgid Privilege Escalation] - RESERVED +CVE-2016-2854 (The aufs module for the Linux kernel 3.x and 4.x does not properly ...) - linux <unfixed> NOTE: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/ NOTE: https://sourceforge.net/p/aufs/mailman/message/34864744/ TODO: doublecheck with Ben, aufs is available as udebs, but not as a standard kernel module (possibly only in use for live images) -CVE-2016-2853 [AUFS Over Fuse: Loss of Nosuid] - RESERVED +CVE-2016-2853 (The aufs module for the Linux kernel 3.x and 4.x does not properly ...) - linux <unfixed> NOTE: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/ NOTE: https://sourceforge.net/p/aufs/mailman/message/34864744/ @@ -3695,8 +3808,7 @@ CVE-2016-2822 RESERVED CVE-2016-2821 RESERVED -CVE-2016-2820 - RESERVED +CVE-2016-2820 (The Firefox Health Reports (aka FHR or about:healthreport) feature in ...) - iceweasel <not-affected> (Only Firefox 46) - firefox-esr <not-affected> (Only Firefox 46) - firefox 46.0-1 
@@ -3705,86 +3817,73 @@ CVE-2016-2819 RESERVED CVE-2016-2818 RESERVED -CVE-2016-2817 - RESERVED +CVE-2016-2817 (The WebExtension sandbox feature in ...) - iceweasel <not-affected> (Only Firefox 46) - firefox-esr <not-affected> (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-46/ -CVE-2016-2816 - RESERVED +CVE-2016-2816 (Mozilla Firefox before 46.0 allows remote attackers to bypass the ...) - iceweasel <not-affected> (Only Firefox 46) - firefox-esr <not-affected> (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/ CVE-2016-2815 RESERVED -CVE-2016-2814 - RESERVED +CVE-2016-2814 (Heap-based buffer overflow in the ...) {DSA-3559-1} - iceweasel <removed> - firefox-esr 45.1.0esr-1 - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-44/ -CVE-2016-2813 - RESERVED +CVE-2016-2813 (Mozilla Firefox before 46.0 on Android does not properly restrict ...) - iceweasel <not-affected> (Only Firefox on Android) - firefox-esr <not-affected> (Only Firefox on Android) - firefox <not-affected> (Only Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-43/ -CVE-2016-2812 - RESERVED +CVE-2016-2812 (Race condition in the get implementation in the ServiceWorkerManager ...) - iceweasel <not-affected> (Only Firefox 46) - firefox-esr <not-affected> (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-42/ -CVE-2016-2811 - RESERVED +CVE-2016-2811 (Use-after-free vulnerability in the ServiceWorkerInfo class in the ...) - iceweasel <not-affected> (Only Firefox 46) - firefox-esr <not-affected> (Only Firefox 46) - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-42/ -CVE-2016-2810 - RESERVED +CVE-2016-2810 (Mozilla Firefox before 46.0 on Android before 5.0 allows attackers to ...) 
- iceweasel <not-affected> (Only Firefox on Android) - firefox-esr <not-affected> (Only Firefox on Android) - firefox <not-affected> (Only Firefox on Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-41/ -CVE-2016-2809 - RESERVED +CVE-2016-2809 (The Mozilla Maintenance Service updater in Mozilla Firefox before 46.0 ...) - iceweasel <not-affected> (Only Firefox on Windows) - firefox-esr <not-affected> (Only Firefox on Windows) - firefox <not-affected> (Only Firefox on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-40/ -CVE-2016-2808 - RESERVED +CVE-2016-2808 (The watch implementation in the JavaScript engine in Mozilla Firefox ...) {DSA-3559-1} - iceweasel <removed> - firefox-esr 45.1.0esr-1 - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-47/ -CVE-2016-2807 [Memory safety bugs fixed in Firefox ESR 45.1, Firefox ESR 38.8 and Firefox 46] - RESERVED +CVE-2016-2807 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-3559-1} - iceweasel <removed> - firefox-esr 45.1.0esr-1 - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/ -CVE-2016-2806 [Memory safety bugs fixed in Firefox ESR 45.1 and Firefox 46] - RESERVED +CVE-2016-2806 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel <not-affected> (Only Firefox 45.x) - firefox-esr 45.1.0esr-1 - firefox 46.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/ -CVE-2016-2805 [Memory safety bug fixed in Firefox ESR 38.8] - RESERVED +CVE-2016-2805 (Unspecified vulnerability in the browser engine in Mozilla Firefox ESR ...) 
{DSA-3559-1} - iceweasel <removed> - firefox-esr <not-affected> (Only affects Firefox ESR 38.x) - firefox <not-affected> (Only affects Firefox ESR 38.x) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/ -CVE-2016-2804 [Memory safety bugs fixed in Firefox 46] - RESERVED +CVE-2016-2804 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel <not-affected> (Only Firefox 46) - firefox-esr <not-affected> (Only Firefox 46) - firefox 46.0-1 
@@ -4620,46 +4719,46 @@ CVE-2016-2535 RESERVED CVE-2016-2534 RESERVED -CVE-2016-4421 [another ASN.1 BER dissector crash] +CVE-2016-4421 (epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-18.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 -CVE-2016-4420 [NFS dissector crash] +CVE-2016-4420 (The NFS dissector in Wireshark 2.x before 2.0.2 allows remote ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark <not-affected> (Vulnerable code not present) [wheezy] - wireshark <not-affected> (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-17.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 -CVE-2016-4419 [SPICE dissector large loop] +CVE-2016-4419 (epan/dissectors/packet-spice.c in the SPICE dissector in Wireshark 2.x ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark <not-affected> (Vulnerable code not present) [wheezy] - wireshark <not-affected> (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-16.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 -CVE-2016-4418 [ASN.1 BER dissector crash] +CVE-2016-4418 (epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark ...) {DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-15.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 -CVE-2016-4417 [GSM A-bis OML dissector crash] +CVE-2016-4417 (Off-by-one error in epan/dissectors/packet-gsm_abis_oml.c in the GSM ...) 
{DSA-3516-1} - wireshark 2.0.2+ga16e22e-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2016-14.html NOTE: Affected versions: 2.0.0 to 2.0.1, 1.12.0 to 1.12.9 NOTE: Fixed versions: 2.0.2, 1.12.10 -CVE-2016-4416 [IEEE 802.11 dissector crash] +CVE-2016-4416 (epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark <not-affected> (Vulnerable code not present) [wheezy] - wireshark <not-affected> (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2016-13.html NOTE: Affected versions: 2.0.0 to 2.0.1 NOTE: Fixed versions: 2.0.2 -CVE-2016-4415 [Ixia IxVeriWave file parser crash] +CVE-2016-4415 (wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 2.x ...) - wireshark 2.0.2+ga16e22e-1 [jessie] - wireshark <not-affected> (Vulnerable code not present) [wheezy] - wireshark <not-affected> (Vulnerable code not present) @@ -5698,13 +5797,13 @@ CVE-2016-2196 [Overwrite in P-521 reduction] NOTE: http://botan.randombit.net/security.html CVE-2016-2195 [Heap overflow on invalid ECC point] RESERVED - {DLA-449-1} + {DSA-3565-1 DLA-449-1} - botan1.10 1.10.12-1 NOTE: Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11 NOTE: http://botan.randombit.net/security.html CVE-2016-2194 [Infinite loop in modulur square root algorithm] RESERVED - {DLA-449-1} + {DSA-3565-1 DLA-449-1} - botan1.10 1.10.12-1 NOTE: Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11 NOTE: http://botan.randombit.net/security.html @@ -5727,8 +5826,7 @@ CVE-2016-2190 [MSA-16-0011: Add no referrer to links with _blank target attribut - moodle 2.7.13+dfsg-1 CVE-2016-2189 RESERVED -CVE-2016-2188 [Kernel panic on invalid USB device descriptor (iowarrior driver)] - RESERVED +CVE-2016-2188 (The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the ...) - linux <unfixed> [jessie] - linux <no-dsa> (Minor issue) [wheezy] - linux <no-dsa> (Minor issue) 
@@ -5736,13 +5834,11 @@ CVE-2016-2188 [Kernel panic on invalid USB device descriptor (iowarrior driver)] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283390 NOTE: http://seclists.org/bugtraq/2016/Mar/87 NOTE: http://marc.info/?l=linux-usb&m=145796659429788&w=2 -CVE-2016-2187 [Kernel panic on invalid USB device descriptor (gtco driver)] - RESERVED +CVE-2016-2187 (The gtco_probe function in drivers/input/tablet/gtco.c in the Linux ...) - linux 4.5.2-1 NOTE: Upstream commit: https://git.kernel.org/linus/162f98dea487206d9ab79fc12ed64700667a894d (v4.6-rc5) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317017 -CVE-2016-2186 [Kernel panic on invalid USB device descriptor (powermate driver)] - RESERVED +CVE-2016-2186 (The powermate_probe function in drivers/input/misc/powermate.c in the ...) - linux 4.5.1-1 (low) [jessie] - linux <no-dsa> (Minor issue) [wheezy] - linux <no-dsa> (Minor issue) @@ -5750,8 +5846,7 @@ CVE-2016-2186 [Kernel panic on invalid USB device descriptor (powermate driver)] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283384 NOTE: http://seclists.org/bugtraq/2016/Mar/85 NOTE: http://marc.info/?l=linux-usb&m=145796479528669&w=2 -CVE-2016-2185 [Kernel panic on invalid USB device descriptor (ati_remote2 driver)] - RESERVED +CVE-2016-2185 (The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in ...) - linux 4.5.1-1 (low) [jessie] - linux <no-dsa> (Minor issue) [wheezy] - linux <no-dsa> (Minor issue) 
@@ -5940,8 +6035,7 @@ CVE-2016-2118 (The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and - samba 2:4.3.7+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2016-2118.html NOTE: http://badlock.org/ -CVE-2016-2117 [memory disclosure to ethernet due to unchecked scatter/gather IO] - RESERVED +CVE-2016-2117 (The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in ...) - linux 4.5.2-1 [wheezy] - linux <not-affected> (Issue introduced with v3.10-rc1) NOTE: Introduced in https://git.kernel.org/linus/ec5f061564238892005257c83565a0b58ec79295 (v3.10-rc1) @@ -6176,8 +6270,7 @@ CVE-2016-2073 (The htmlParseNameComplex function in HTMLparser.c in libxml2 allo - libxml2 <unfixed> (bug #812807) NOTE: http://www.openwall.com/lists/oss-security/2016/01/25/6 NOTE: http://www.openwall.com/lists/oss-security/2016/01/26/8 has details -CVE-2016-2070 [division by zero in TCP code] - RESERVED +CVE-2016-2070 (The tcp_cwnd_reduction function in net/ipv4/tcp_input.c in the Linux ...) - linux 4.3.5-1 [jessie] - linux <not-affected> (Vulnerable code introduced later) [wheezy] - linux <not-affected> (Vulnerable code introduced later) @@ -6295,8 +6388,7 @@ CVE-2016-2069 (Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4. NOTE: http://www.openwall.com/lists/oss-security/2016/01/25/1 NOTE: https://git.kernel.org/linus/71b3c126e61177eb693423f2e18a1914205b165e (v4.5-rc1) NOTE: https://git.kernel.org/linus/4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b (v4.5-rc1) -CVE-2016-2053 [Denial of service with specially crafted key file] - RESERVED +CVE-2016-2053 (The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux ...) - linux 4.3.1-1 [jessie] - linux <no-dsa> (Vulnerable code not built in Debian configuration) [wheezy] - linux <not-affected> (Vulnerable code not present) 
@@ -7367,32 +7459,39 @@ CVE-2016-1667 RESERVED CVE-2016-1666 RESERVED + {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy) CVE-2016-1665 RESERVED + {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy) - libv8 <unfixed> (unimportant) NOTE: libv8 not covered by security support CVE-2016-1664 RESERVED + {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy) CVE-2016-1663 RESERVED + {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy) CVE-2016-1662 RESERVED + {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy) CVE-2016-1661 RESERVED + {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy) CVE-2016-1660 RESERVED + {DSA-3564-1} - chromium-browser 50.0.2661.94-1 [wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy) CVE-2016-1659 (Multiple unspecified vulnerabilities in Google Chrome before ...) 
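Review bot: the seven Chromium entries CVE-2016-1660 through CVE-2016-1666 each gain `{DSA-3564-1}` and the fixed version `chromium-browser 50.0.2661.94-1`, yet keep a bare `RESERVED` line with no bracketed summary. Since the advisory has already shipped, the short descriptions from the DSA could be added in brackets on the CVE line (the form `CVE-2016-4353 [denial of service due to ...]` used later in this same diff) so that triage does not wait on MITRE publishing the text. Also, only CVE-2016-1665 lists `- libv8 <unfixed> (unimportant)`; worth confirming that none of the other six in this batch is a V8 issue as well, or noting why 1665 alone gets the libv8 line.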
@@ -7697,16 +7796,14 @@ CVE-2016-1577 (Double free vulnerability in the jas_iccattrval_destroy function {DSA-3508-1} - jasper <unfixed> (bug #816625) NOTE: http://www.openwall.com/lists/oss-security/2016/03/03/12 -CVE-2016-1576 - RESERVED +CVE-2016-1576 (The overlayfs implementation in the Linux kernel through 4.5.2 does ...) - linux <unfixed> [jessie] - linux <not-affected> (Vulnerable code not present) [wheezy] - linux <not-affected> (Vulnerable code not present) - linux-2.6 <not-affected> (Vulnerable code not present) NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150 NOTE: http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/ -CVE-2016-1575 - RESERVED +CVE-2016-1575 (The overlayfs implementation in the Linux kernel through 4.5.2 does ...) - linux <unfixed> [jessie] - linux <not-affected> (Vulnerable code not present) [wheezy] - linux <not-affected> (Vulnerable code not present) @@ -8296,8 +8393,8 @@ CVE-2016-1345 (Cisco FireSIGHT System Software 5.4.0 through 6.0.1 and ASA with NOT-FOR-US: Cisco Firepower CVE-2016-1344 (The IKEv2 implementation in Cisco IOS 15.0 through 15.6 and IOS XE 3.3 ...) NOT-FOR-US: Cisco IOS -CVE-2016-1343 - RESERVED +CVE-2016-1343 (The XML parser in Cisco Information Server (CIS) 6.2 allows remote ...) + TODO: check CVE-2016-1342 (The device login page in Cisco FirePOWER Management Center 5.3 through ...) NOT-FOR-US: Cisco CVE-2016-1341 (Cisco NX-OS 7.0(1)N1(1), 7.0(1)N1(3), and 7.0(4)N1(1) on Nexus 2000 ...) 
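Review bot: CVE-2016-1343 is left as `TODO: check` even though the new description names "Cisco Information Server (CIS) 6.2", and every neighbouring Cisco entry in the same hunk (CVE-2016-1344 Cisco IOS, CVE-2016-1342 FirePOWER Management Center, CVE-2016-1341 NX-OS) is already `NOT-FOR-US: Cisco`; unless CIS is actually packaged, this should become `NOT-FOR-US: Cisco Information Server` rather than remain a TODO. Separately, the overlayfs entries CVE-2016-1576 and CVE-2016-1575 are `- linux <unfixed>` with neither a severity tag nor a bug reference, although the linked write-up (`.../OverlayfsOverFusePrivilegeEscalation/`) is presented as a privilege escalation; a severity and a `(bug #...)` reference, as the jasper entry CVE-2016-1577 above them has, would make the unstable status actionable.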
@@ -8619,12 +8716,12 @@ CVE-2016-1203 RESERVED CVE-2016-1202 (Untrusted search path vulnerability in Atom Electron before 0.33.5 ...) TODO: check -CVE-2016-1201 - RESERVED -CVE-2016-1200 - RESERVED -CVE-2016-1199 - RESERVED +CVE-2016-1201 (Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE ...) + TODO: check +CVE-2016-1200 (The management screen in LOCKON EC-CUBE 3.0.7 through 3.0.9 allows ...) + TODO: check +CVE-2016-1199 (The login page in the management screen in LOCKON EC-CUBE 3.0.0 ...) + TODO: check CVE-2016-1198 RESERVED CVE-2016-1197 @@ -8799,8 +8896,8 @@ CVE-2016-1113 RESERVED CVE-2016-1112 RESERVED -CVE-2016-1111 - RESERVED +CVE-2016-1111 (Double free vulnerability in Adobe Reader and Acrobat before 11.0.14, ...) + TODO: check CVE-2016-1110 RESERVED CVE-2016-1109 @@ -11445,6 +11542,7 @@ CVE-2016-0002 (The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5. CVE-2016-0001 RESERVED CVE-2016-4353 [denial of service due to stack overflow in src/ber-decoder.c] + RESERVED - libksba 1.3.3-1 (low) [squeeze] - libksba <no-dsa> (Minor issue) [wheezy] - libksba <no-dsa> (Minor issue) @@ -11453,6 +11551,7 @@ CVE-2016-4353 [denial of service due to stack overflow in src/ber-decoder.c] NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a CVE-2016-4355 + RESERVED - libksba 1.3.3-1 (low) [squeeze] - libksba <no-dsa> (Minor issue) [wheezy] - libksba <no-dsa> (Minor issue) @@ -11461,6 +11560,7 @@ CVE-2016-4355 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 CVE-2016-4354 + RESERVED - libksba 1.3.3-1 (low) [squeeze] - libksba <no-dsa> (Minor issue) [wheezy] - libksba <no-dsa> (Minor issue) 
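Review bot: CVE-2016-1111 ("Double free vulnerability in Adobe Reader and Acrobat before 11.0.14") is marked `TODO: check`, but Adobe Reader and Acrobat are proprietary and not Debian packages, so the expected resolution is `NOT-FOR-US: Adobe`, consistent with the other non-Debian vendor entries in this file; the same question applies to the three LOCKON EC-CUBE entries CVE-2016-1199, CVE-2016-1200 and CVE-2016-1201 unless EC-CUBE is packaged. In the libksba hunks, CVE-2016-4355 and CVE-2016-4354 both cite the same upstream commit aea7b6032865740478ca4b706850a5217f1c3887 while only CVE-2016-4353 carries a bracketed summary; please confirm that a single commit really fixes both IDs and add a one-line summary to 4354 and 4355, since the added `RESERVED` lines otherwise leave those two indistinguishable.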
@@ -11469,6 +11569,7 @@ CVE-2016-4354 NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/5 NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887 CVE-2016-4356 + RESERVED - libksba 1.3.3-1 (low) [squeeze] - libksba <no-dsa> (Minor issue) [wheezy] - libksba <no-dsa> (Minor issue) |
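Review bot: CVE-2016-4356 receives a `RESERVED` line but, unlike CVE-2016-4353 (`[denial of service due to stack overflow in src/ber-decoder.c]`), no bracketed summary. With four libksba IDs all fixed in the same `1.3.3-1` upload and all carrying `(low)` plus `<no-dsa> (Minor issue)` for squeeze and wheezy, a short summary on each CVE line is the only thing that lets a reader tell the four apart until MITRE publishes the descriptions.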