diff options
author | Moritz Muehlenhoff <jmm@debian.org> | 2014-06-04 16:51:15 +0000 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2014-06-04 16:51:15 +0000 |
commit | 22e286f7a676abf1790e7b97a7753ab8d395e3c6 (patch) | |
tree | da37a2ed6fd4835d4fc5d94f734db69974cc0479 /data | |
parent | 5df323c4d5ed9a8edf45416efa3ef810744baf74 (diff) |
mark libv8 as no-dsa, only obscure rev depds w/o security impact in stable
no-dsa: pulseaudio, boinc, quantum
mark one libav issue as undetermined
remove py26 from dsa-needed, that was for oldstable, in wheezy it's not the default interpreter
fixup another s3 entry
remove old no-dsa entries for a2ps DSA
four kernel no-dsa for squeeze kernel issues (mostly KVM)
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@27146 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data')
-rw-r--r-- | data/CVE/2001.list | 2 | ||||
-rw-r--r-- | data/CVE/2011.list | 7 | ||||
-rw-r--r-- | data/CVE/2013.list | 23 | ||||
-rw-r--r-- | data/CVE/2014.list | 15 | ||||
-rw-r--r-- | data/dsa-needed.txt | 4 |
5 files changed, 36 insertions, 15 deletions
diff --git a/data/CVE/2001.list b/data/CVE/2001.list index 19cd2bcfba..76d7dfe520 100644 --- a/data/CVE/2001.list +++ b/data/CVE/2001.list @@ -1,8 +1,6 @@ CVE-2001-1593 (The tempname_ensure function in lib/routines.h in a2ps 4.14 and ...) {DSA-2892-1} - a2ps 1:4.14-1.2 (low; bug #737385) - [wheezy] - a2ps <no-dsa> (Minor issue) - [squeeze] - a2ps <no-dsa> (Minor issue) CVE-2001-1592 RESERVED CVE-2001-1591 diff --git a/data/CVE/2011.list b/data/CVE/2011.list index aac6ac4133..96d205a0f6 100644 --- a/data/CVE/2011.list +++ b/data/CVE/2011.list @@ -3222,10 +3222,9 @@ CVE-2011-3936 (The dv_extract_audio function in libavcodec in FFmpeg 0.7.x befor - libav 4:0.8.1-1 - ffmpeg <removed> CVE-2011-3935 (The codec_get_buffer function in ffmpeg.c in FFmpeg before 0.10 allows ...) - - libav <unfixed> (bug #738572) - - ffmpeg <not-affected> (vuln. code not present) - NOTE: Seems needed for libav in cmdutils.c - NOTE: code introduced with 484e59a0a0329c4005ddacd05051925345f4362f, in 0.10 + - libav <undetermined> + - ffmpeg <not-affected> (vuln. code not present, introduced later) + NOTE: libav and ffmpeg code bases have diverged too much, unclear whether libav is affected CVE-2011-3934 (Double free vulnerability in the vp3_update_thread_context function in ...) - libav <unfixed> (unimportant) - ffmpeg <removed> (unimportant) diff --git a/data/CVE/2013.list b/data/CVE/2013.list index 54bdfa2f90..6f288a48e0 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -1,5 +1,7 @@ CVE-2013-7386 [boinc: format string vulnerability] - - boinc 7.1.10+dfsg-1 + - boinc 7.1.10+dfsg-1 (low) + [squeeze] - boinc <no-dsa> (Minor issue) + [wheezy] - boinc <no-dsa> (Minor issue) CVE-2013-7385 (LiveZilla 5.1.2.1 and earlier includes the MD5 hash of the operator ...) NOT-FOR-US: LiveZilla CVE-2013-7384 (UnrealIRCd 3.2.10 before 3.2.10.2 allows remote attackers to cause a ...) @@ -1401,9 +1403,9 @@ CVE-2013-6877 (Heap-based buffer overflow in RealNetworks RealPlayer before 17.0 NOT-FOR-US: RealPlayer CVE-2013-6876 RESERVED - - s3d <unfixed> + - s3d 0.2.2-9 (unimportant) NOTE: http://hmarco.org/bugs/s3dvt_0.2.2-root-shell.html - TODO: check + NOTE: Not running with elevated privileges in Debian packaging CVE-2013-6875 (SQL injection vulnerability in functions/prepend_adm.php in Nagios ...) NOT-FOR-US: Nagios XI CVE-2013-6874 (Stack-based buffer overflow in Vortex Light Alloy before 4.7.4 allows ...) @@ -1870,6 +1872,7 @@ CVE-2013-6668 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35. - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2013-6667 (Multiple unspecified vulnerabilities in Google Chrome before ...) @@ -1939,6 +1942,7 @@ CVE-2013-6650 (The StoreBuffer::ExemptPopularPages function in store-buffer.cc i - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2013-6649 (Use-after-free vulnerability in the RenderSVGImage::paint function in ...) @@ -1946,6 +1950,7 @@ CVE-2013-6649 (Use-after-free vulnerability in the RenderSVGImage::paint functio - chromium-browser 32.0.1700.123-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2013-6648 @@ -1977,6 +1982,7 @@ CVE-2013-6641 (Use-after-free vulnerability in the ...) CVE-2013-6640 (The DehoistArrayIndex function in hydrogen-dehoist.cc (aka ...) {DSA-2811-1} - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 3.14.5.8-5 - chromium-browser 31.0.1650.63-1 @@ -1984,6 +1990,7 @@ CVE-2013-6640 (The DehoistArrayIndex function in hydrogen-dehoist.cc (aka ...) CVE-2013-6639 (The DehoistArrayIndex function in hydrogen-dehoist.cc (aka ...) {DSA-2811-1} - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 3.14.5.8-5 - chromium-browser 31.0.1650.63-1 @@ -1991,6 +1998,7 @@ CVE-2013-6639 (The DehoistArrayIndex function in hydrogen-dehoist.cc (aka ...) CVE-2013-6638 (Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7, ...) {DSA-2811-1} - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> - chromium-browser 31.0.1650.63-1 @@ -2582,8 +2590,8 @@ CVE-2013-6434 (The remote-viewer in Red Hat Enterprise Virtualization Manager .. CVE-2013-6433 [rootwrap sudo config allows potential privilege escalation] RESERVED - quantum <removed> + [wheezy] - quantum <no-dsa> (Minor issue) - neutron <unfixed> - TODO: check CVE-2013-6432 (The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel ...) - linux 3.12.6-1 [wheezy] - linux <not-affected> (Vulnerable code introduced in 3.11) @@ -2839,6 +2847,7 @@ CVE-2013-6369 (Stack-based buffer overflow in the jbg_dec_in function in ...) - jbigkit 2.0-2.1 (bug #743960) CVE-2013-6368 (The KVM subsystem in the Linux kernel through 3.12.5 allows local ...) - linux 3.12.5-1 + [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport, KVM server not supported in squeeze-lts) - linux-2.6 <removed> [wheezy] - linux 3.2.54-1 CVE-2013-6367 (The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM ...) @@ -6895,6 +6904,7 @@ CVE-2013-4593 CVE-2013-4592 (Memory leak in the __kvm_set_memory_region function in ...) - linux 3.8-1 - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport, KVM server not supported in squeeze-lts) [wheezy] - linux 3.2.53-1 CVE-2013-4591 (Buffer overflow in the __nfs4_get_acl_uncached function in ...) - linux 3.8-1 @@ -11321,6 +11331,7 @@ CVE-2013-2919 (Google V8, as used in Google Chrome before 30.0.1599.66, allows r - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser <end-of-life> - libv8 <unfixed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2013-2918 (Use-after-free vulnerability in the ...) @@ -11474,6 +11485,7 @@ CVE-2013-2882 (Google V8, as used in Google Chrome before 28.0.1500.95, allows r - chromium-browser 28.0.1500.95-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2013-2881 (Google Chrome before 28.0.1500.95 does not properly handle frames, ...) @@ -11645,6 +11657,7 @@ CVE-2013-2838 (Google V8, as used in Google Chrome before 27.0.1453.93, allows r - chromium-browser 27.0.1453.93-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2013-2837 (Use-after-free vulnerability in the SVG implementation in Google ...) @@ -12088,6 +12101,7 @@ CVE-2013-2633 (Piwik before 1.11 accepts input from a POST request instead of a CVE-2013-2632 (Google V8 before 3.17.13, as used in Google Chrome before 27.0.1444.3, ...) - libv8 <removed> [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) - libv8-3.14 <unfixed> CVE-2013-2631 RESERVED @@ -14636,6 +14650,7 @@ CVE-2013-1798 (The ioapic_read_indirect function in virt/kvm/ioapic.c in the Lin CVE-2013-1797 (Use-after-free vulnerability in arch/x86/kvm/x86.c in the Linux kernel ...) - linux 3.2.41-2 - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport, KVM server not supported in squeeze-lts) NOTE: http://www.openwall.com/lists/oss-security/2013/03/20/9 CVE-2013-1796 (The kvm_set_msr_common function in arch/x86/kvm/x86.c in the Linux ...) {DSA-2669-1 DSA-2668-1} diff --git a/data/CVE/2014.list b/data/CVE/2014.list index c1d08a0c40..6f2fec3fc7 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -1,7 +1,9 @@ CVE-2014-3969 [XSA-98] - xen <not-affected> (Only ARM systems are affected from Xen 4.4 onwards) CVE-2014-3970 [pulseaudio: crash due to empty UDP packet] - - pulseaudio <unfixed> + - pulseaudio <unfixed> (low) + [squeeze] - pulseaudio <no-dsa> (Minor issue) + [wheezy] - pulseaudio <no-dsa> (Minor issue) NOTE: http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html CVE-2014-3966 [mediawiki Javascript inject by anonymous users on private wikis with $wgRawHtml enabled] - mediawiki <unfixed> (low; bug #750527) @@ -1712,6 +1714,7 @@ CVE-2014-3152 (Integer underflow in the LCodeGen::PrepareKeyedOperand function i - chromium-browser 35.0.1916.114-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2014-3151 @@ -4915,6 +4918,7 @@ CVE-2014-1912 (Buffer overflow in the socket.recvfrom_into function in ...) {DSA-2880-1} - python2.5 <removed> (low) - python2.6 <removed> (low) + [wheezy] - python2.6 <no-dsa> (Minor issue) - python2.7 2.7.6-6 (low) - python3.1 <removed> (low) - python3.2 <removed> (low) @@ -5210,6 +5214,7 @@ CVE-2014-1736 (Integer overflow in api.cc in Google V8, as used in Google Chrome - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2014-1735 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33, ...) @@ -5217,6 +5222,7 @@ CVE-2014-1735 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35. - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2014-1734 (Multiple unspecified vulnerabilities in Google Chrome before ...) @@ -5240,6 +5246,7 @@ CVE-2014-1730 (Google V8, as used in Google Chrome before 34.0.1847.131 on Windo - chromium-browser 34.0.1847.132-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2014-1729 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.22, ...) @@ -5247,6 +5254,7 @@ CVE-2014-1729 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35. - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2014-1728 (Multiple unspecified vulnerabilities in Google Chrome before ...) @@ -5302,6 +5310,7 @@ CVE-2014-1717 (Google V8, as used in Google Chrome before 34.0.1847.116, does no - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2014-1716 (Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype ...) @@ -5309,6 +5318,7 @@ CVE-2014-1716 (Cross-site scripting (XSS) vulnerability in the Runtime_SetProtot - chromium-browser 34.0.1847.116-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2014-1715 (Directory traversal vulnerability in Google Chrome before ...) @@ -5339,6 +5349,7 @@ CVE-2014-1705 (Google V8, as used in Google Chrome before 33.0.1750.152 on OS X {DSA-2883-1} - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser <end-of-life> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) - libv8 <removed> [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> @@ -5347,6 +5358,7 @@ CVE-2014-1704 (Multiple unspecified vulnerabilities in Google V8 before 3.23.17. - chromium-browser 33.0.1750.152-1 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> + [wheezy] - libv8 <no-dsa> (Minor issue, Chromium in Wheezy uses its own fixed copy) [squeeze] - libv8 <end-of-life> (Unsupported in squeeze-lts) - libv8-3.14 <unfixed> CVE-2014-1703 (Use-after-free vulnerability in the ...) @@ -8459,6 +8471,7 @@ CVE-2014-0182 [virtio: out-of-bounds buffer write on state load with invalid con CVE-2014-0181 (The Netlink implementation in the Linux kernel through 3.14.1 does not ...) - linux <unfixed> (bug #746738) - linux-2.6 <removed> + [squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport to 2.6.32) CVE-2014-0180 RESERVED CVE-2014-0179 [Unsafe parsing of XML documents allows arbitrary file read] diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index 62b78c89ea..eb6217b65c 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -31,8 +31,6 @@ libplrpc-perl -- libtasn1-3 -- -libv8 --- libxml2 -- libxml-security-java @@ -53,8 +51,6 @@ openswan (corsac) -- phpmyadmin (thijs) -- -python2.6 --- qemu-kvm (jmm) -- ruby-actionpack-2.3 |