pkgsrc-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: pkg/50082 (suse131 packages are outdated)
The following reply was made to PR pkg/50082; it has been noted by GNATS.
From: Rin Okuyama <okuyama%flex.phys.tohoku.ac.jp@localhost>
To: gnats-bugs%NetBSD.org@localhost, pkg-manager%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost,
gnats-admin%netbsd.org@localhost, wiz%NetBSD.org@localhost
Cc:
Subject: Re: pkg/50082 (suse131 packages are outdated)
Date: Wed, 29 Jul 2015 14:42:34 +0900
This is a multi-part message in MIME format.
--------------060606070001050201090007
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Collecting myself, I examined whether vulnerabilities are resolved or
not. There are 4 entries for suse_base in pkg_vulnerabilities file.
(1) denial-of-service (CVE-2014-4043)
http://support.novell.com/security/cve/CVE-2014-4043.html
This is still open. See the previous mail.
(2) invalid-file-descriptor-reuse (CVE-2013-7423)
http://www.openwall.com/lists/oss-security/2015/01/28/20
This is resolved:
http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html
(3) buffer-overrun (CVE-2015-1472/1473)
http://www.openwall.com/lists/oss-security/2015/02/04/1
This is resolved:
https://www.suse.com/security/cve/CVE-2015-1472.html
(4) privilege-escalation (CVE-2012-6656/2013-4357/2014-5119/6040)
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html
CVE-2012-6656 is for glibc < 2.16, and we are not affected:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6656
CVE-2013-4357 seems withdrawn:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4357
CVE-2014-5119/6040 are resolved:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00009.html
http://lists.opensuse.org/opensuse-updates/2014-09/msg00017.html
So, we are free from (2), (3), and (4). I attached a patch below.
I also removed deprecated statements.
I will report (1) to the upstream later.
--------------060606070001050201090007
Content-Type: text/plain; charset=UTF-8; x-mac-type="0"; x-mac-creator="0";
name="pkg-vulnerabilities.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="pkg-vulnerabilities.patch"
--- pkg-vulnerabilities.orig 2015-07-24 16:29:52.000000000 +0000
+++ pkg-vulnerabilities 2015-07-24 17:28:47.000000000 +0000
@@ -8841,12 +8841,8 @@
python34<3.4.0 denial-of-service http://seclists.org/oss-sec/2013/q4/558
drupal>=6<6.35 spoofing-attacks https://www.drupal.org/SA-CORE-2015-001
drupal>=7<7.35 spoofing-attacks https://www.drupal.org/SA-CORE-2015-001
-suse{,32}_base>=10.0 invalid-file-descriptor-reuse http://www.openwall.com/lists/oss-security/2015/01/28/20
-suse{,32}_base>=12.1 invalid-file-descriptor-reuse http://www.openwall.com/lists/oss-security/2015/01/28/20
-suse{,32}_base>=13.1 invalid-file-descriptor-reuse http://www.openwall.com/lists/oss-security/2015/01/28/20
-suse{,32}_base>=10.0 buffer-overrun http://www.openwall.com/lists/oss-security/2015/02/04/1
-suse{,32}_base>=12.1 buffer-overrun http://www.openwall.com/lists/oss-security/2015/02/04/1
-suse{,32}_base>=13.1 buffer-overrun http://www.openwall.com/lists/oss-security/2015/02/04/1
+suse{,32}_base>=10.0<13.1nb9 invalid-file-descriptor-reuse http://www.openwall.com/lists/oss-security/2015/01/28/20
+suse{,32}_base>=10.0<13.1nb9 buffer-overrun http://www.openwall.com/lists/oss-security/2015/02/04/1
libzip<0.11.2nb1 integer-overflow http://www.openwall.com/lists/oss-security/2015/03/18/1
py{26,27}-mercurial<3.2.4 command-injection http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
php>5.5<5.5.22 use-after-free https://bugs.php.net/bug.php?id=68901
@@ -9102,7 +9098,7 @@
ffmpeg2<2.7 denial-of-service https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3417
sqlite3<3.8.9 stack-overflow https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416
p7zip-9.20.1 directory-traversal https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038
-suse{,32}_base>=13.1 privilege-escalation http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html
+suse{,32}_base>=13.1<13.1nb9 privilege-escalation http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html
drupal>=6<6.36 multiple-vulnerabilities https://www.drupal.org/SA-CORE-2015-002
drupal>=7<7.38 multiple-vulnerabilities https://www.drupal.org/SA-CORE-2015-002
cacti<0.8.8d sql-injection http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665
--------------060606070001050201090007--
Home |
Main Index |
Thread Index |
Old Index