author | Ben Hutchings <benh@debian.org> | 2015-09-25 00:57:49 +0000 |
---|---|---|
committer | Ben Hutchings <benh@debian.org> | 2015-09-25 00:57:49 +0000 |
commit | 45cec759561417d184cd2c8d4d2d9227ad52c83d (patch) | |
tree | f693836db9222a33bf0b5b46008112041aa48d10 /data | |
parent | 4b80429f5a83e2ac2a48807d79e6cf7f74ea53a5 (diff) |
Triage linux/linux-2.6 issues
Various issues are in code we don't ship, or were fixed without a DSA.
Several unimportant, unfixed issues in linux-2.6 still apply to linux.
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@36825 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data')
-rw-r--r-- | data/CVE/2004.list | 1 | ||||
-rw-r--r-- | data/CVE/2005.list | 1 | ||||
-rw-r--r-- | data/CVE/2006.list | 8 | ||||
-rw-r--r-- | data/CVE/2007.list | 1 | ||||
-rw-r--r-- | data/CVE/2008.list | 1 | ||||
-rw-r--r-- | data/CVE/2009.list | 5 | ||||
-rw-r--r-- | data/CVE/2010.list | 1 | ||||
-rw-r--r-- | data/CVE/2011.list | 2 | ||||
-rw-r--r-- | data/CVE/2013.list | 1 | ||||
-rw-r--r-- | data/CVE/2014.list | 1 | ||||
-rw-r--r-- | data/CVE/2015.list | 1 |
11 files changed, 17 insertions, 6 deletions
diff --git a/data/CVE/2004.list b/data/CVE/2004.list index 86a033c0e8..f4769b27a2 100644 --- a/data/CVE/2004.list +++ b/data/CVE/2004.list @@ -5660,6 +5660,7 @@ CVE-2004-0231 (Multiple vulnerabilities in Midnight Commander (mc) before 4.6.0, {DSA-497} - mc 1:4.6.0-4.6.1-pre1-2 CVE-2004-0230 (TCP, when using a large Window Size, makes it easier for remote ...) + - linux <unfixed> (unimportant) - linux-2.6 <unfixed> (unimportant) - linux-2.6.24 <removed> (unimportant) NOTE: the attack works with a certain non-negligible probability, but even diff --git a/data/CVE/2005.list b/data/CVE/2005.list index cebbdd9536..d7191c435c 100644 --- a/data/CVE/2005.list +++ b/data/CVE/2005.list @@ -2723,6 +2723,7 @@ CVE-2005-3662 (Off-by-one buffer overflow in pnmtopng before 2.39, when using th CVE-2005-3661 (Dell TrueMobile 2300 Wireless Broadband Router running firmware ...) NOT-FOR-US: Dell hardware issue CVE-2005-3660 (Linux kernel 2.4 and 2.6 allows attackers to cause a denial of service ...) + - linux <unfixed> (unimportant) - linux-2.6 <unfixed> (unimportant) NOTE: Design limitation, for rare corner cases, where this poses a problem advanced NOTE: resource management systems can be deployed diff --git a/data/CVE/2006.list b/data/CVE/2006.list index 8f12221b88..1a310d9e64 100644 --- a/data/CVE/2006.list +++ b/data/CVE/2006.list 
@@ -2519,8 +2519,10 @@ CVE-2006-XXXX [smb4k security issue] CVE-2006-6129 (Integer overflow in the fatfile_getarch2 in Apple Mac OS X allows ...) NOT-FOR-US: Apple Mac OS X CVE-2006-6128 (The ReiserFS functionality in Linux kernel 2.6.18, and possibly other ...) - - linux-2.6 <unfixed> (unimportant) - NOTE: Mounting filesystem partitions should be limited to root + - linux <not-affected> (Kernel rejects the malformed filesystem) + - linux-2.6 <removed> + [squeeze] - linux-2.6 <not-affected> (Kernel rejects the malformed filesystem) + NOTE: It's not obvious when or how this was fixed CVE-2006-6127 (Apple Mac OS X kernel allows local users to cause a denial of service ...) NOT-FOR-US: Apple Mac OS X CVE-2006-6126 (Apple Mac OS X allows local users to cause a denial of service (memory ...) @@ -3463,7 +3465,7 @@ CVE-2006-5703 (Cross-site scripting (XSS) vulnerability in tiki-featured_link.ph CVE-2006-5702 (Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information ...) - tikiwiki 1.9.6+dfsg-1 (medium) CVE-2006-5701 (Double free vulnerability in squashfs module in the Linux kernel ...) - - linux-2.6 <unfixed> (unimportant) + - linux-2.6 <not-affected> (Vulnerable code not present) - squashfs 1:3.1r2-6.1 NOTE: Mounting filesystem partitions should be limited to root CVE-2006-5700 diff --git a/data/CVE/2007.list b/data/CVE/2007.list index 434658f5d1..7c1053e0a8 100644 --- a/data/CVE/2007.list +++ b/data/CVE/2007.list @@ -7257,6 +7257,7 @@ CVE-2007-3721 (The ULE process scheduler in the FreeBSD kernel gives preference CVE-2007-3720 (The process scheduler in the Linux kernel 2.4 performs scheduling ...) - linux-2.6 <not-affected> (There's a separate ID for 2.6, see CVE-2007-3719) CVE-2007-3719 (The process scheduler in the Linux kernel 2.6.16 gives preference to ...) + - linux <unfixed> (unimportant) - linux-2.6 <unfixed> (unimportant) NOTE: This is the existing default behaviour of the scheduler, can be tuned NOTE: to suit individual needs 
diff --git a/data/CVE/2008.list b/data/CVE/2008.list index 3ec9f57eac..a1c54c1c4b 100644 --- a/data/CVE/2008.list +++ b/data/CVE/2008.list @@ -6144,6 +6144,7 @@ CVE-2008-4610 (MPlayer allows remote attackers to cause a denial of service ...) NOTE: just a crasher, no security implications known so far NOTE: http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities CVE-2008-4609 (The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, ...) + - linux <unfixed> (unimportant) - linux-2.6 <unfixed> (unimportant) - linux-2.6.24 <removed> (unimportant) NOTE: this is a design flaw in TCP itself; maximum impact is a denial-of-service diff --git a/data/CVE/2009.list b/data/CVE/2009.list index 019dd35ba9..0f523156a9 100644 --- a/data/CVE/2009.list +++ b/data/CVE/2009.list @@ -3062,9 +3062,8 @@ CVE-2009-3889 (The dbg_lvl file for the megaraid_sas driver in the Linux kernel [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 <removed> (low) CVE-2009-3888 (The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before ...) - - linux-2.6 <unfixed> (unimportant) - - linux-2.6.24 <unfixed> (unimportant) - NOTE: All Debian kernels have MMU support enabled + - linux-2.6 <not-affected> (Vulnerable code not built) + - linux-2.6.24 <not-affected> (Vulnerable code not built) CVE-2009-3887 [ytnef path traversal] RESERVED - ytnef <removed> (bug #567631) diff --git a/data/CVE/2010.list b/data/CVE/2010.list index b9590d97eb..db19a4fb8d 100644 --- a/data/CVE/2010.list +++ b/data/CVE/2010.list @@ -1737,6 +1737,7 @@ CVE-2010-4565 (The bcm_connect function in net/can/bcm.c (aka the Broadcast Mana CVE-2010-4564 RESERVED CVE-2010-4563 (The Linux kernel, when using IPv6, allows remote attackers to ...) + - linux <unfixed> (unimportant) - linux-2.6 <unfixed> (unimportant) NOTE: http://seclists.org/fulldisclosure/2011/Apr/254 CVE-2010-4562 (Microsoft Windows 2008, 7, Vista, 2003, 2000, and XP, when using IPv6, ...) 
diff --git a/data/CVE/2011.list b/data/CVE/2011.list index eb699d064c..528deb3ee5 100644 --- a/data/CVE/2011.list +++ b/data/CVE/2011.list @@ -962,12 +962,14 @@ CVE-2011-4918 (Multiple cross-site scripting (XSS) vulnerabilities in Elxis CMS NOT-FOR-US: Elxis CMS, Aphrodite CVE-2011-4917 RESERVED + - linux <unfixed> (unimportant) - linux-2.6 <unfixed> (unimportant) NOTE: Minor info leak, unlikely to be fixed upstream CVE-2011-4916 RESERVED CVE-2011-4915 RESERVED + - linux <unfixed> (unimportant) - linux-2.6 <unfixed> (unimportant) NOTE: Minor info leak, unlikely to be fixed upstream CVE-2011-4914 (The ROSE protocol implementation in the Linux kernel before 2.6.39 ...) diff --git a/data/CVE/2013.list b/data/CVE/2013.list index ae1a2a43db..e7400d7968 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -1145,6 +1145,7 @@ CVE-2013-7028 RESERVED CVE-2013-7027 (The ieee80211_radiotap_iterator_init function in ...) - linux 3.11.7-1 (unimportant) + [wheezy] - linux 3.2.53-1 - linux-2.6 <removed> (unimportant) NOTE: Non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=1040010#c1 CVE-2013-7026 (Multiple race conditions in ipc/shm.c in the Linux kernel before ...) diff --git a/data/CVE/2014.list b/data/CVE/2014.list index a35151f282..9459210c8d 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -13242,6 +13242,7 @@ CVE-2014-4608 (** DISPUTED ** Multiple integer overflows in the lzo1x_decompress - linux 3.14.9-1 (unimportant) [wheezy] - linux 3.2.63-1 - linux-2.6 <removed> (unimportant) + [squeeze] - linux-2.6 2.6.32-48squeeze9 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206a81c18401c0cde6e579164f752c4b147324ce NOTE: Not exploitable with the block sizes used in kernel images CVE-2014-4607 diff --git a/data/CVE/2015.list b/data/CVE/2015.list index dfc4fead34..a690a0b407 100644 --- a/data/CVE/2015.list +++ b/data/CVE/2015.list 
@@ -2468,6 +2468,7 @@ CVE-2015-6252 [linux kernel:fd leak in vhost ioctl VHOST_SET_LOG_FD] {DSA-3364-1} - linux <unfixed> - linux-2.6 <removed> + [squeeze] - linux-2.6 <not-affected> (Vulnerable code not present) NOTE: https://lkml.org/lkml/2015/8/10/375 NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5 (v4.2-rc5) CVE-2015-6239 |
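Review bot: In data/CVE/2006.list, CVE-2006-6128 is now marked `<not-affected> (Kernel rejects the malformed filesystem)` while the new NOTE says "It's not obvious when or how this was fixed", so the entry gives no way to re-check the claim. Add a NOTE recording which kernel versions were tested against the malformed filesystem, so that the `linux` and `[squeeze]` statuses can be verified later.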
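Review bot: In data/CVE/2006.list, the CVE-2006-5701 entry keeps "NOTE: Mounting filesystem partitions should be limited to root" after linux-2.6 changes to `<not-affected> (Vulnerable code not present)`. That note reads as the justification for the old unimportant rating, and the CVE-2006-6128 hunk in the same file drops the identical note. Either remove it here too or confirm it is still meant for the `- squashfs 1:3.1r2-6.1` line. Unlike CVE-2006-6128, no `- linux` line is added to this entry, so the status of the current kernel package stays unrecorded.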
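Review bot: In data/CVE/2009.list, the CVE-2009-3888 hunk deletes "NOTE: All Debian kernels have MMU support enabled", which is the only line explaining why the code in mm/nommu.c is not built. Keep that NOTE alongside the new `<not-affected> (Vulnerable code not built)` lines, or fold the MMU reason into the parenthesised text.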
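Review bot: The hunks that add `- linux <unfixed> (unimportant)` (CVE-2004-0230, CVE-2005-3660, CVE-2007-3719, CVE-2008-4609, CVE-2010-4563, CVE-2011-4917, CVE-2011-4915) leave the neighbouring `- linux-2.6 <unfixed> (unimportant)` line untouched, whereas the CVE-2006-6128 hunk switches linux-2.6 to `<removed>` with a `[squeeze]` line, and the 2013, 2014 and 2015 entries already show `- linux-2.6 <removed>`. Use one convention for linux-2.6 across the entries touched here, or say in the commit message why these stay `<unfixed>`.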