Re: pkg/50082 (suse131 packages are outdated)

[Rin Okuyama <okuyama%flex.phys.tohoku.ac.jp@localhost>]

Collecting myself, I examined whether vulnerabilities are resolved or
not. There are 4 entries for suse_base in pkg_vulnerabilities file.

(1) denial-of-service (CVE-2014-4043)
  http://support.novell.com/security/cve/CVE-2014-4043.html

This is still open. See the previous mail.

(2) invalid-file-descriptor-reuse (CVE-2013-7423)
  http://www.openwall.com/lists/oss-security/2015/01/28/20

This is resolved:
  http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html

(3) buffer-overrun (CVE-2015-1472/1473)
  http://www.openwall.com/lists/oss-security/2015/02/04/1

This is resolved:
  https://www.suse.com/security/cve/CVE-2015-1472.html

(4) privilege-escalation (CVE-2012-6656/2013-4357/2014-5119/6040)

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html

CVE-2012-6656 is for glibc < 2.16, and we are not affected:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6656

CVE-2013-4357 seems withdrawn:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4357

CVE-2014-5119/6040 are resolved:

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00009.html
  http://lists.opensuse.org/opensuse-updates/2014-09/msg00017.html

So, we are free from (2), (3), and (4). I attached a patch below.
I also removed deprecated statements.

I will report (1) to the upstream later.

--- pkg-vulnerabilities.orig	2015-07-24 16:29:52.000000000 +0000
+++ pkg-vulnerabilities	2015-07-24 17:28:47.000000000 +0000
@@ -8841,12 +8841,8 @@
 python34<3.4.0 			denial-of-service		http://seclists.org/oss-sec/2013/q4/558
 drupal>=6<6.35 			spoofing-attacks		https://www.drupal.org/SA-CORE-2015-001
 drupal>=7<7.35 			spoofing-attacks		https://www.drupal.org/SA-CORE-2015-001
-suse{,32}_base>=10.0 		invalid-file-descriptor-reuse	http://www.openwall.com/lists/oss-security/2015/01/28/20
-suse{,32}_base>=12.1 		invalid-file-descriptor-reuse	http://www.openwall.com/lists/oss-security/2015/01/28/20
-suse{,32}_base>=13.1 		invalid-file-descriptor-reuse	http://www.openwall.com/lists/oss-security/2015/01/28/20
-suse{,32}_base>=10.0 		buffer-overrun			http://www.openwall.com/lists/oss-security/2015/02/04/1
-suse{,32}_base>=12.1 		buffer-overrun			http://www.openwall.com/lists/oss-security/2015/02/04/1
-suse{,32}_base>=13.1 		buffer-overrun			http://www.openwall.com/lists/oss-security/2015/02/04/1
+suse{,32}_base>=10.0<13.1nb9	invalid-file-descriptor-reuse	http://www.openwall.com/lists/oss-security/2015/01/28/20
+suse{,32}_base>=10.0<13.1nb9	buffer-overrun			http://www.openwall.com/lists/oss-security/2015/02/04/1
 libzip<0.11.2nb1 		integer-overflow		http://www.openwall.com/lists/oss-security/2015/03/18/1
 py{26,27}-mercurial<3.2.4		command-injection		http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
 php>5.5<5.5.22 			use-after-free			https://bugs.php.net/bug.php?id=68901
@@ -9102,7 +9098,7 @@
 ffmpeg2<2.7			denial-of-service		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3417
 sqlite3<3.8.9			stack-overflow			https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416
 p7zip-9.20.1			directory-traversal		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038
-suse{,32}_base>=13.1 		privilege-escalation		http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html
+suse{,32}_base>=13.1<13.1nb9	privilege-escalation		http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html
 drupal>=6<6.36 			multiple-vulnerabilities	https://www.drupal.org/SA-CORE-2015-002
 drupal>=7<7.38 			multiple-vulnerabilities	https://www.drupal.org/SA-CORE-2015-002
 cacti<0.8.8d			sql-injection			http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665