Commit a0680139 authored by Moritz Muehlenhoff's avatar Moritz Muehlenhoff

dpkg issue neutralised by toolchain hardening

no-dsa for ntop and sprockets
add smarty3 to dsa-needed
older psql issue fixed
erlang has its own ssl, which yaws uses
remove older bogus phpbb issue
no security impact for gdb/bfd



git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@30362 e39458fd-73e7-0310-bf30-c45bca0a0e42
parent 3dea9351
......@@ -1652,8 +1652,9 @@ CVE-2014-8626 [xmlrpc date_from_ISO8601() buffer overflow]
NOTE: http://git.php.net/?p=php-src.git;a=commit;h=c818d0d01341907fee82bdb81cab07b7d93bb9db
CVE-2014-8625 [format string vulnerability]
RESERVED
- dpkg <unfixed> (bug #768485)
- dpkg <unfixed> (unimportant; bug #768485)
[squeeze] - dpkg <not-affected> (Regression introduced in 1.16.2)
NOTE: Rendered non-exploitable by toolchain hardening
NOTE: https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135
NOTE: Regression introduced with https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?id=0b8652b226a7601dfd71471797d15168a7337242 (1.16.2)
CVE-2014-8598 (The XML Import/Export plugin in MantisBT 1.2.x does not restrict ...)
......@@ -1894,7 +1895,7 @@ CVE-2014-8502 [heap overflow in objdump]
CVE-2014-8501 [out-of-bounds write when parsing specially crafted PE executable]
RESERVED
- binutils 2.24.90.20141104-1
- gdb <unfixed>
- gdb <unfixed> (unimportant)
NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e1e19887abd24aeb15066b141cdff5541e0ec8e
CVE-2014-8500
RESERVED
......@@ -3646,6 +3647,7 @@ CVE-2014-7820
RESERVED
CVE-2014-7819 (Multiple directory traversal vulnerabilities in server.rb in Sprockets ...)
- ruby-sprockets 2.12.3-1
[wheezy] - ruby-sprockets <no-dsa> (Minor issue)
CVE-2014-7818 (Directory traversal vulnerability in ...)
- rails <unfixed> (bug #770934)
[wheezy] - rails <not-affected> (src:rails in wheezy is just a transition package)
......@@ -12111,6 +12113,7 @@ CVE-2014-4166 (Cross-site scripting (XSS) vulnerability in the song history in .
NOT-FOR-US: SHOUTcast DNAS
CVE-2014-4165 (Cross-site scripting (XSS) vulnerability in ntop allows remote ...)
- ntop <unfixed> (bug #751946)
[jessie] - ntop <no-dsa> (Minor issue)
[wheezy] - ntop <no-dsa> (Minor issue)
CVE-2014-4164 (Cross-site scripting (XSS) vulnerability in AlgoSec FireFlow 6.3-b230 ...)
NOT-FOR-US: AlogoSec FireFlow
......@@ -13705,9 +13708,7 @@ CVE-2014-3566 (The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
- tlslite <removed>
[wheezy] - tlslite <no-dsa> (Minor issue)
- uzbl <unfixed> (unimportant)
- yaws <unfixed>
[wheezy] - yaws <no-dsa> (Minor issue)
[squeeze] - yaws <no-dsa> (Minor issue)
- erlang <unfixed>
NOTE: https://www.openssl.org/~bodo/ssl-poodle.pdf
NOTE: http://googleonlinesecurity.blogspot.fr/2014/10/this-poodle-bites-exploiting-ssl-30.html
NOTE: This is only about the SSLv3 CBC padding, not about any downgrade attack or support for the fallback SCSV
......@@ -18224,11 +18225,6 @@ CVE-2014-1958 [PSD Images Processing RLE Decoding Buffer Overflow Vulnerability]
NOTE: squeeze: DecodePSDPixels not present but there was a rewrite from DecodeImage?
NOTE: http://secunia.com/advisories/56844/
NOTE: http://trac.imagemagick.org/changeset/14801
CVE-2014-XXXX [phpbb3: denial of service vulnerability]
- phpbb3 <unfixed> (low)
[wheezy] - phpbb3 <no-dsa> (Minor issue)
[squeeze] - phpbb3 <no-dsa> (Minor issue)
NOTE: http://seclists.org/bugtraq/2014/Feb/33
CVE-2014-1950 (Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen ...)
{DSA-3006-1}
- xen 4.4.0-1
......@@ -24094,7 +24090,7 @@ CVE-2014-0061 (The validator functions for the procedural languages (PLs) in ...
{DSA-2865-1 DSA-2864-1}
- postgresql-9.1 9.1.12-1 (low)
- postgresql-8.4 <removed>
[wheezy] - postgresql-8.4 <no-dsa> (Minor issue)
[wheezy] - postgresql-8.4 8.4.20-0wheezy1
- postgresql-9.3 9.3.3-1
- postgresql-plsh 1.20140221-1
[wheezy] - postgresql-plsh <no-dsa> (Minor issue)
......@@ -65052,13 +65048,16 @@ CVE-2011-3389 (The SSL protocol, as used in certain configurations in Microsoft
- cyassl <unfixed>
- gnutls26 <unfixed> (unimportant)
- gnutls28 <unfixed> (unimportant)
NOTE: No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported 2.0.0
NOTE: No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0
- haskell-tls <unfixed>
- matrixssl <removed> (low)
[squeeze] - matrixssl <no-dsa> (Minor issue)
[wheezy] - matrixssl <no-dsa> (Minor issue)
NOTE: matrixssl fix this upstream in 3.2.2
- bouncycastle <unfixed>
- bouncycastle 1.49+dfsg-1
[squeeze] - bouncycastle <no-dsa> (Minor issue)
[wheezy] - bouncycastle <no-dsa> (Minor issue)
NOTE: No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9
- nss 3.13.1.with.ckbi.1.88-1
- polarssl <unfixed>
- tlslite <removed>
......@@ -41,6 +41,8 @@ openswan (corsac)
ruby1.9.1
(no-dsa issues CVE-2013-2065 and CVE-2014-4975 could be fixed along)
--
smarty3
--
wordpress
--
zendframework
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment