author Moritz Muehlenhoff <jmm@debian.org> 2020-05-28 19:02:51 +0200
committer Moritz Muehlenhoff <jmm@debian.org> 2020-05-28 19:02:51 +0200
commit ec043d7c5e9615c93836f6ab6ea5234b53e2ff66
tree 9bd48eb2d16b1aa69ad32f2c8af287459d9eae62 /data/CVE
parent db3201bcb1f7aa0b3e74651b02482b240c6da8cf
new ntp issue
NFUs add and take ffmpeg
Diffstat (limited to 'data/CVE')
-rw-r--r-- data/CVE/2013.list 2
-rw-r--r-- data/CVE/2014.list 2
-rw-r--r-- data/CVE/2015.list 2
-rw-r--r-- data/CVE/2018.list 8
4 files changed, 10 insertions, 4 deletions
diff --git a/data/CVE/2013.list b/data/CVE/2013.list
index 927f853020..44ea8b402e 100644
--- a/data/CVE/2013.list
+++ b/data/CVE/2013.list
@@ -14801,7 +14801,7 @@ CVE-2013-1868 (Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and
CVE-2013-1867 (Gemalto Tokend 2013 has an Arbitrary File Creation/Overwrite Vulnerabi ...)
NOT-FOR-US: Gemalto Tokend
CVE-2013-1866 (OpenSC OpenSC.tokend has an Arbitrary File Creation/Overwrite Vulnerab ...)
- TODO: check
+ NOT-FOR-US: OpenSC.tokend (different from src:opensc)
CVE-2013-1865 (OpenStack Keystone Folsom (2012.2) does not properly perform revocatio ...)
- keystone <not-affected> (only affects folsom)
NOTE: fixed in experimental with keystone/2012.2.3-2
diff --git a/data/CVE/2014.list b/data/CVE/2014.list
index fb33ed7771..0e49d906c4 100644
--- a/data/CVE/2014.list
+++ b/data/CVE/2014.list
@@ -23698,7 +23698,7 @@ CVE-2014-1424 (apparmor_parser in the apparmor package before 2.8.95~2430-0ubunt
NOTE: affected one that we ever had in Debian (2.8.96~2652) did not
NOTE: include the faulty patch.
CVE-2014-1423 (signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch ...)
- TODO: check
+ NOT-FOR-US: signond from Ubuntu Touch
CVE-2014-1422
RESERVED
CVE-2014-1421 (mountall 1.54, as used in Ubuntu 14.10, does not properly handle the u ...)
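Review bot: The NOT-FOR-US reason on CVE-2014-1423, "signond from Ubuntu Touch", does not say whether the flaw sits in Ubuntu-specific changes or in upstream signond code; the only version the description gives is an Ubuntu package version (8.57+15.04.20141127.1-0ubuntu1). The 2013.list change in this same commit spells out the distinction with "(different from src:opensc)", and a similar qualifier here would let a later triager confirm that no package in the archive carrying signond code was overlooked.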
diff --git a/data/CVE/2015.list b/data/CVE/2015.list
index 74a64d335d..50db83ee19 100644
--- a/data/CVE/2015.list
+++ b/data/CVE/2015.list
@@ -4978,7 +4978,7 @@ CVE-2015-7948
CVE-2015-7947
REJECTED
CVE-2015-7946 (Information Exposure vulnerability in Unity8 as used on the Ubuntu pho ...)
- TODO: check
+ NOT-FOR-US: Unity8 (predates Lomiri)
CVE-2015-7945 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti befo ...)
{DSA-3431-1}
- ganeti 2.15.2-1 (bug #809538)
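Review bot: The parenthetical "(predates Lomiri)" on CVE-2015-7946 gives an ordering but not a conclusion: it does not state whether the Unity8 information exposure was fixed before the code became Lomiri or simply was never evaluated against it. If the intent is that the issue was resolved in Unity8 and cannot be present in Lomiri, saying so in a NOTE line would keep this entry from being reopened if Lomiri is ever tracked here.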
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index 5118ef55dc..75edfe207d 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -32449,7 +32449,13 @@ CVE-2018-8958
CVE-2018-8957 (CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related ...)
NOT-FOR-US: CoverCMS
CVE-2018-8956 (ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote att ...)
- TODO: check
+ - ntp <unfixed> (low)
+ [buster] - ntp <no-dsa> (Minor issue)
+ [stretch] - ntp <no-dsa> (Minor issue)
+ NOTE: MISC:https://arxiv.org/abs/2005.01783
+ NOTE: MISC:https://nikhiltripathi.in/NTP_attack.pdf
+ NOTE: MISC:https://tools.ietf.org/html/rfc5905
+ TODO: check ntpsec
CVE-2018-8955 (The installer for BitDefender GravityZone relies on an encoded string ...)
NOT-FOR-US: BitDefender GravityZone
CVE-2018-8954 (CA Workload Control Center before r11.4 SP6 allows remote attackers to ...)
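Review bot: The new "TODO: check ntpsec" line leaves CVE-2018-8956 only partly triaged: ntp is recorded as "<unfixed> (low)" while ntpsec has no package line at all, so its status stays invisible until someone revisits the TODO. Consider adding an explicit ntpsec line once checked and removing the TODO in that change. The two "<no-dsa> (Minor issue)" lines for buster and stretch also carry no reasoning, and none of the three MISC references is an upstream bug or fix (two are papers, one is RFC 5905), so a short NOTE explaining why the issue is considered minor, or a pointer to an upstream report if one exists, would make the low severity reviewable.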
