Commits on Source (17)
......@@ -103789,8 +103789,7 @@ CVE-2018-9147 (Cross-site scripting (XSS) vulnerabilities in version 7.5.7 of Ge
CVE-2018-9146
REJECTED
CVE-2018-9145 (In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an issu ...)
[experimental] - exiv2 <unfixed> (bug #910909)
- exiv2 <not-affected> (Vulnerable code introduced later)
- exiv2 <not-affected> (Vulnerable code introduced later; only affected experimental; bug #910909)
NOTE: https://github.com/xiaoqx/pocs/tree/master/exiv2
NOTE: https://github.com/Exiv2/exiv2/pull/470
NOTE: Fixed with: https://github.com/Exiv2/exiv2/commit/c03f73268f65c73f9d3d7b670f13e48e92692750
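Review bot: on CVE-2018-9145, bug #910909 moves from the annotation of the [experimental] entry into the free-text reason of the not-affected line ("Vulnerable code introduced later; only affected experimental; bug #910909"). Worth confirming that the tracker still links the bug from that position. If it does not, a separate NOTE line carrying the bug reference would preserve it.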
......@@ -104210,8 +104209,7 @@ CVE-2018-8979 (Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifyin
CVE-2018-8978 (Open-AudIT Professional 2.1 has XSS via a crafted src attribute of an ...)
NOT-FOR-US: Open-AudIT Professional
CVE-2018-8977 (In Exiv2 0.26, the Exiv2::Internal::printCsLensFFFF function in canonm ...)
[experimental] - exiv2 <unfixed> (bug #894179)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental, bug #)
NOTE: https://github.com/Exiv2/exiv2/issues/247
CVE-2018-8976 (In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial ...)
- exiv2 0.27.2-6 (low; bug #903813)
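Review bot: the merged line for CVE-2018-8977 ends in "only affected experimental, bug #)" with no bug number, although the [experimental] entry it replaces carried bug #894179. Restore the number and use the semicolon separator the other merged entries use: "(Vulnerable code introduced after 0.25; only affected experimental; bug #894179)".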
......@@ -120676,26 +120674,22 @@ CVE-2017-17727 (DedeCMS through 5.6 allows arbitrary file upload and PHP code ex
CVE-2017-17726
RESERVED
CVE-2017-17725 (In Exiv2 0.26, there is an integer overflow leading to a heap-based bu ...)
[experimental] - exiv2 <unfixed>
- exiv2 <not-affected> (Introduced in 0.26)
- exiv2 <not-affected> (Introduced in 0.26; only affected experimental)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1525055
NOTE: https://github.com/Exiv2/exiv2/issues/188
NOTE: https://github.com/Exiv2/exiv2/pull/193
CVE-2017-17724 (In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Ip ...)
[experimental] - exiv2 <unfixed> (bug #891783)
- exiv2 <not-affected> (Introduced in 0.26)
- exiv2 <not-affected> (Introduced in 0.26; only affected experimental; bug #891783)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524107
NOTE: https://github.com/Exiv2/exiv2/issues/210
NOTE: https://github.com/Exiv2/exiv2/commit/962962a8e9885ccbca28f624492f1427152a0695
CVE-2017-17723 (In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Im ...)
[experimental] - exiv2 <unfixed>
- exiv2 <not-affected> (Introduced in 0.26)
- exiv2 <not-affected> (Introduced in 0.26; only affected experimental)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524104
NOTE: https://github.com/Exiv2/exiv2/issues/229
NOTE: https://github.com/Exiv2/exiv2/commit/36df4bc997d74ecc447e4541e2fc3fda10586103
CVE-2017-17722 (In Exiv2 0.26, there is a reachable assertion in the readHeader functi ...)
[experimental] - exiv2 <unfixed> (low; bug #891044)
- exiv2 <not-affected> (Vulnerable code introduced in 0.26)
- exiv2 <not-affected> (Vulnerable code introduced in 0.26; only affected experimental; bug #891044)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524116
NOTE: https://github.com/Exiv2/exiv2/issues/208
NOTE: https://github.com/Exiv2/exiv2/issues/228 (duplicate)
......@@ -131173,18 +131167,15 @@ CVE-2017-1000190 (SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulne
CVE-2017-1000163 (The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1. ...)
NOT-FOR-US: Phoenix Framework
CVE-2017-1000128 (Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser ...)
[experimental] - exiv2 <unfixed>
- exiv2 <not-affected> (Vulnerable code introduced in 0.26)
- exiv2 <not-affected> (Vulnerable code introduced in 0.26; only affected experimental)
NOTE: http://www.openwall.com/lists/oss-security/2017/06/30/1
NOTE: https://github.com/Exiv2/exiv2/issues/177
CVE-2017-1000127 (Exiv2 0.26 contains a heap buffer overflow in tiff parser ...)
[experimental] - exiv2 <unfixed> (low; bug #888863)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental; bug #888863)
NOTE: http://www.openwall.com/lists/oss-security/2017/06/30/1
NOTE: https://github.com/Exiv2/exiv2/issues/176
CVE-2017-1000126 (exiv2 0.26 contains a Stack out of bounds read in webp parser ...)
[experimental] - exiv2 <unfixed> (low; bug #888864)
- exiv2 <not-affected> (WebP support introduced in 0.26)
- exiv2 <not-affected> (WebP support introduced in 0.26; only affected experimental; bug #888864)
NOTE: http://www.openwall.com/lists/oss-security/2017/06/30/1
NOTE: https://github.com/Exiv2/exiv2/issues/175
CVE-2017-16879 (Stack-based buffer overflow in the _nc_write_entry function in tinfo/w ...)
......@@ -137681,20 +137672,14 @@ CVE-2017-14869 (In Android for MSM, Firefox OS for MSM, QRD Android, with all An
CVE-2017-14868 (Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows ...)
- restlet <itp> (bug #596472)
CVE-2017-14866 (There is a heap-based buffer overflow in the Exiv2::s2Data function of ...)
[experimental] - exiv2 <unfixed> (bug #880015)
- exiv2 <not-affected> (Versions prior to 0.26 don't parse ICC profiles yet)
- exiv2 <not-affected> (Versions prior to 0.26 don't parse ICC profiles yet; only affected experimental; bug #880015)
NOTE: https://github.com/Exiv2/exiv2/issues/140
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494781
NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): corrupted unsorted chunks" without valgrind).
CVE-2017-14865 (There is a heap-based buffer overflow in the Exiv2::us2Data function o ...)
[experimental] - exiv2 <unfixed> (bug #888865)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental; bug #888865)
NOTE: https://github.com/Exiv2/exiv2/issues/134
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494778
NOTE: Patch: https://github.com/Exiv2/exiv2/commit/d3c2b9938583440f87ce9115de5a7e8cd8f8db57
NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): corrupted unsorted chunks" without valgrind).
CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::getULon ...)
{DLA-1147-1}
- exiv2 0.27.2-6
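Review bot: for CVE-2017-14866 and CVE-2017-14865 the hunk header shrinks the range from 20 lines to 14, so the "Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1)" and "Reproducible in experimental(0.26-1) with valgrind ..." NOTE lines go away together with the [experimental] entries. Those notes are the only record in these entries of how the not-affected status was checked. Consider keeping at least the 0.25-3.1 result as a NOTE.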
......@@ -137706,12 +137691,9 @@ CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::g
NOTE: Patches here: https://github.com/Exiv2/exiv2/pull/110
NOTE: Depends on: https://github.com/Exiv2/exiv2/commit/65f45a350516bfde4941d7906f2d67462f48d1ca
CVE-2017-14863 (A NULL pointer dereference was discovered in Exiv2::Image::printIFDStr ...)
[experimental] - exiv2 <unfixed> (low; bug #888866)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental; bug #888866)
NOTE: https://github.com/Exiv2/exiv2/issues/132
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494443
NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): invalid next size (fast)" without valgrind).
CVE-2017-14862 (An Invalid memory address dereference was discovered in Exiv2::DataVal ...)
{DLA-1147-1}
- exiv2 0.27.2-6
......@@ -137723,20 +137705,14 @@ CVE-2017-14862 (An Invalid memory address dereference was discovered in Exiv2::D
NOTE: Patches here: https://github.com/Exiv2/exiv2/pull/110
NOTE: Depends on: https://github.com/Exiv2/exiv2/commit/65f45a350516bfde4941d7906f2d67462f48d1ca
CVE-2017-14861 (There is a stack consumption vulnerability in the Exiv2::Internal::str ...)
[experimental] - exiv2 <unfixed> (bug #880027)
- exiv2 <not-affected> (printIFDStructure introduced in 0.26)
- exiv2 <not-affected> (printIFDStructure introduced in 0.26; only affected experimental; bug #880027)
NOTE: https://github.com/Exiv2/exiv2/issues/139
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494787
NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
NOTE: Reproducible in experimental(0.26-1) with valgrind (and segfault without valgrind).
CVE-2017-14860 (There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMet ...)
[experimental] - exiv2 <unfixed> (low; bug #888867)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental; bug #888867)
NOTE: https://github.com/Exiv2/exiv2/issues/71
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494776
NOTE: Patch: https://github.com/Exiv2/exiv2/pull/108
NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
NOTE: Reproducible in experimental(0.26-1) with valgrind (and segfault without valgrind).
CVE-2017-14859 (An Invalid memory address dereference was discovered in Exiv2::StringV ...)
{DLA-1147-1}
- exiv2 0.27.2-6
......@@ -137752,13 +137728,10 @@ CVE-2017-14858 (There is a heap-based buffer overflow in the Exiv2::l2Data funct
NOTE: https://github.com/Exiv2/exiv2/issues/138
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494782
CVE-2017-14857 (In Exiv2 0.26, there is an invalid free in the Image class in image.cp ...)
[experimental] - exiv2 <unfixed> (low; bug #888869)
- exiv2 <not-affected> (Vulnerable code not present)
- exiv2 <not-affected> (Vulnerable code not present; only affected experimental; bug #888869)
NOTE: https://github.com/Exiv2/exiv2/issues/76
NOTE: https://github.com/Exiv2/exiv2/issues/124
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495043
NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
NOTE: Reproducible in experimental(0.26-1).
CVE-2017-14856
RESERVED
CVE-2017-14855 (Red Lion HMI panels allow remote attackers to cause a denial of servic ...)
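Review bot: in the CVE-2017-14857 entry the merged reason reads "Vulnerable code not present; only affected experimental", which does not say in which version the code is absent. The neighbouring entries name it ("introduced after 0.25", "introduced in 0.26"). Wording this one the same way would keep the line self-explanatory once the [experimental] entry and the reproducibility notes are gone.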
......@@ -143016,19 +142989,13 @@ CVE-2017-12957 (There is a heap-based buffer over-read in libexiv2 in Exiv2 0.26
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482423
NOTE: Experimental is affected, tracking as #876242
CVE-2017-12956 (There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() ...)
[experimental] - exiv2 <unfixed> (low; bug #888872)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental; bug #888872)
NOTE: https://github.com/Exiv2/exiv2/issues/59
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482296
NOTE: Not reproducible in wheezy/jessie/stretch/sid(0.25-3.1) => "The file contains data of an unknown image type"
NOTE: Reproducible in experimental (0.26-1).
CVE-2017-12955 (There is a heap-based buffer overflow in basicio.cpp of Exiv2 0.26. Th ...)
[experimental] - exiv2 <unfixed> (bug #888873)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25)
- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental; bug #888873)
NOTE: https://github.com/Exiv2/exiv2/issues/58
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482295
NOTE: Not reproducible in wheezy/jessie/stretch/sid(0.25-3.1) => "The memory contains data of an unknown image type"
NOTE: Reproducible in experimental (0.26-1).
CVE-2017-12954 (The gig::Region::GetSampleFromWavePool function in gig.cpp in libgig 4 ...)
- libgig 4.0.0-5 (low; bug #877652)
[stretch] - libgig <no-dsa> (Minor issue)
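Review bot: CVE-2017-12957 at the top of this hunk keeps "NOTE: Experimental is affected, tracking as #876242", while CVE-2017-12956 and CVE-2017-12955 now state the same kind of information inside the not-affected reason. Pick one convention for the exiv2 entries so that experimental exposure and its bug number are found in the same place for every CVE.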