pkgsrc-Bugs archive


Re: pkg/50082 (suse131 packages are outdated)



The following reply was made to PR pkg/50082; it has been noted by GNATS.

From: Rin Okuyama <okuyama%flex.phys.tohoku.ac.jp@localhost>
To: gnats-bugs%NetBSD.org@localhost, pkg-manager%netbsd.org@localhost, pkgsrc-bugs%netbsd.org@localhost,
 gnats-admin%netbsd.org@localhost, wiz%NetBSD.org@localhost
Cc: 
Subject: Re: pkg/50082 (suse131 packages are outdated)
Date: Wed, 29 Jul 2015 14:42:34 +0900

 Collecting myself, I examined whether vulnerabilities are resolved or
 not. There are 4 entries for suse_base in the pkg_vulnerabilities file.
 
 (1) denial-of-service (CVE-2014-4043)
    http://support.novell.com/security/cve/CVE-2014-4043.html
 
 This is still open. See the previous mail.
 
 (2) invalid-file-descriptor-reuse (CVE-2013-7423)
    http://www.openwall.com/lists/oss-security/2015/01/28/20
 
 This is resolved:
    http://lists.opensuse.org/opensuse-updates/2015-02/msg00089.html
 
 (3) buffer-overrun (CVE-2015-1472/1473)
    http://www.openwall.com/lists/oss-security/2015/02/04/1
 
 This is resolved:
    https://www.suse.com/security/cve/CVE-2015-1472.html
 
 (4) privilege-escalation (CVE-2012-6656/2013-4357/2014-5119/6040)
    http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html
 
 CVE-2012-6656 is for glibc < 2.16, and we are not affected:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6656
 
 CVE-2013-4357 seems withdrawn:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4357
 
 CVE-2014-5119/6040 are resolved:
    http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00009.html
    http://lists.opensuse.org/opensuse-updates/2014-09/msg00017.html
 
 So, we are free from (2), (3), and (4). I attached a patch below.
 I also removed deprecated statements.
 
 I will report (1) to the upstream later.
 
 --- pkg-vulnerabilities.orig	2015-07-24 16:29:52.000000000 +0000
 +++ pkg-vulnerabilities	2015-07-24 17:28:47.000000000 +0000
 @@ -8841,12 +8841,8 @@
  python34<3.4.0 			denial-of-service		http://seclists.org/oss-sec/2013/q4/558
  drupal>=6<6.35 			spoofing-attacks		https://www.drupal.org/SA-CORE-2015-001
  drupal>=7<7.35 			spoofing-attacks		https://www.drupal.org/SA-CORE-2015-001
 -suse{,32}_base>=10.0 		invalid-file-descriptor-reuse	http://www.openwall.com/lists/oss-security/2015/01/28/20
 -suse{,32}_base>=12.1 		invalid-file-descriptor-reuse	http://www.openwall.com/lists/oss-security/2015/01/28/20
 -suse{,32}_base>=13.1 		invalid-file-descriptor-reuse	http://www.openwall.com/lists/oss-security/2015/01/28/20
 -suse{,32}_base>=10.0 		buffer-overrun			http://www.openwall.com/lists/oss-security/2015/02/04/1
 -suse{,32}_base>=12.1 		buffer-overrun			http://www.openwall.com/lists/oss-security/2015/02/04/1
 -suse{,32}_base>=13.1 		buffer-overrun			http://www.openwall.com/lists/oss-security/2015/02/04/1
 +suse{,32}_base>=10.0<13.1nb9	invalid-file-descriptor-reuse	http://www.openwall.com/lists/oss-security/2015/01/28/20
 +suse{,32}_base>=10.0<13.1nb9	buffer-overrun			http://www.openwall.com/lists/oss-security/2015/02/04/1
  libzip<0.11.2nb1 		integer-overflow		http://www.openwall.com/lists/oss-security/2015/03/18/1
  py{26,27}-mercurial<3.2.4		command-injection		http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
  php>5.5<5.5.22 			use-after-free			https://bugs.php.net/bug.php?id=68901
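 Review bot: the collapsed pattern `suse{,32}_base>=10.0<13.1nb9` matches exactly what the three removed lines matched below 13.1nb9 (the `>=12.1` and `>=13.1` entries were already subsumed by `>=10.0`), but the new upper bound also declares any suse_base newer than 13.1nb9 fixed, including a hypothetical 13.2 that this PR says nothing about; if a suse_base release beyond 13.1 is ever packaged, both replacement lines need re-checking rather than inheriting the bound. Minor: the `+` lines pad the type column with a single tab where the surrounding entries use space-plus-tabs, so they no longer line up with their neighbours.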
 @@ -9102,7 +9098,7 @@
  ffmpeg2<2.7			denial-of-service		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3417
  sqlite3<3.8.9			stack-overflow			https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416
  p7zip-9.20.1			directory-traversal		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038
 -suse{,32}_base>=13.1 		privilege-escalation		http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html
 +suse{,32}_base>=13.1<13.1nb9	privilege-escalation		http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00020.html
  drupal>=6<6.36 			multiple-vulnerabilities	https://www.drupal.org/SA-CORE-2015-002
  drupal>=7<7.38 			multiple-vulnerabilities	https://www.drupal.org/SA-CORE-2015-002
  cacti<0.8.8d			sql-injection			http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665
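 Review bot: the `<13.1nb9` bound has to equal the PKGREVISION the suse131 update is actually committed with; if the update lands as any other nb revision, `pkg_admin audit` will either keep flagging the fixed package or stop flagging the still-vulnerable one, so this hunk and the suse131 Makefile bump should go in together. The bound itself is consistent with the mail: of the four CVEs behind this URL only CVE-2014-5119/6040 applied to 13.1, and those are the ones the referenced openSUSE update fixes.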
 
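To see what the patched entries above actually match, here is an added example (not pkgsrc's own code, and not part of the PR) that evaluates pkg_vulnerabilities package patterns such as `suse{,32}_base>=10.0<13.1nb9` against a package name and version. It assumes a simplified version of pkgsrc's dewey ordering: dotted numeric components followed by the optional `nbN` revision, which is all the entries in this patch need.

```python
import re
# Simplified pkgsrc "dewey" ordering (assumption: dotted numeric components
# plus the optional "nbN" pkgsrc revision; alpha/beta/rc tags are ignored).
def parse_version(v):
    main, _, nb = v.partition("nb")
    return tuple(int(p) for p in main.split(".") if p), int(nb or 0)

def cmp_version(a, b):
    (pa, na), (pb, nb) = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (width - len(pa)), pb + (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb) or (na > nb) - (na < nb)

OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, "<": lambda c: c < 0, "==": lambda c: c == 0}

def expand_braces(s):
    # "suse{,32}_base" -> ["suse_base", "suse32_base"]
    m = re.search(r"\{([^{}]*)\}", s)
    if not m:
        return [s]
    return [x for alt in m.group(1).split(",")
            for x in expand_braces(s[:m.start()] + alt + s[m.end():])]

def parse_pattern(pattern):
    # "name>=10.0<13.1nb9" -> name and [(op, version), ...];
    # "name-1.2" (no operators) is an exact-version pattern.
    m = re.match(r"^([^<>]+?)((?:[<>]=?[^<>]+)+)$", pattern)
    if m:
        return m.group(1), re.findall(r"([<>]=?)([^<>]+)", m.group(2))
    name, _, ver = pattern.rpartition("-")
    return name, [("==", ver)]

def matches(pattern, pkgname, version):
    name, cons = parse_pattern(pattern)
    return pkgname in expand_braces(name) and all(
        OPS[op](cmp_version(version, ver)) for op, ver in cons)

# Constructed sample: the three removed lines and their one-line replacement.
OLD = ["suse{,32}_base>=10.0", "suse{,32}_base>=12.1", "suse{,32}_base>=13.1"]
NEW = "suse{,32}_base>=10.0<13.1nb9"

def flagged(patterns, pkgname, version):
    # Patterns from a pkg_vulnerabilities file that flag this package version.
    return [p for p in patterns if matches(p, pkgname, version)]

if __name__ == "__main__":
    for ver in ("10.0", "12.1nb3", "13.1nb8", "13.1nb9"):
        print(ver, "old:", bool(flagged(OLD, "suse_base", ver)),
              "new:", bool(flagged([NEW], "suse_base", ver)))
```

Running it shows 13.1nb8 still flagged and 13.1nb9 clean under the new line, while the old lines flag every version, which is the behaviour change the patch makes.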