Thanks for clearing that up. If it will be a while until you can fully document the <undetermined> flag in the narrative_introduction, could you at least clarify over email how it should be used? It seems like it's the same as "TODO: check" but where the package has been identified.
-Johnathan On Tue, Jul 26, 2011 at 8:22 PM, Michael Gilbert < [email protected]> wrote: > Author: gilbert-guest > Date: 2011-07-27 03:22:14 +0000 (Wed, 27 Jul 2011) > New Revision: 17007 > > Modified: > data/CVE/list > Log: > rfps=itps in security tracking sense; a kernel issue fixed earlier than > currently tracked > > Modified: data/CVE/list > =================================================================== > --- data/CVE/list 2011-07-27 00:49:58 UTC (rev 17006) > +++ data/CVE/list 2011-07-27 03:22:14 UTC (rev 17007) > @@ -798,7 +798,7 @@ > {DSA-2276-2 DSA-2276-1} > - asterisk 1:1.8.4.4~dfsg-1 (bug #632029) > CVE-2011-2534 (Buffer overflow in the clusterip_proc_write function in > ...) > - - linux-2.6 2.6.39-1 (low) > + - linux-2.6 2.6.32-34 (low) > CVE-2011-2533 (The configure script in D-Bus (aka DBus) 1.2.x before > 1.2.28 allows ...) > - dbus 1.3.2~git20100715.821f99c-1 (unimportant) > NOTE: Compile-time only > @@ -5934,8 +5934,7 @@ > CVE-2011-0746 (Cross-site request forgery (CSRF) vulnerability in ...) > NOT-FOR-US: ZyXEL O2 DSL Router > CVE-2011-0745 (SugarCRM before 6.1.3 does not properly handle reloads and > direct ...) > - NOT-FOR-US: SugarCRM > - NOTE: there is an RFP for SugarCRM #457876 > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2011-0744 > RESERVED > CVE-2011-0743 > @@ -20062,7 +20061,7 @@ > CVE-2010-0466 > RESERVED > CVE-2010-0465 (Cross-site scripting (XSS) vulnerability in the online > Documents ...) > - NOT-FOR-US: SugarCRM > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2010-0464 (Roundcube 0.3.1 and earlier does not request that the web > browser ...) > - roundcube 0.3.1-3 (bug #569660) > CVE-2010-0463 (Horde IMP 4.3.6 and earlier does not request that the web > browser ...) 
> @@ -20144,6 +20143,7 @@ > CVE-2010-0431 (QEMU-KVM, as used in the Hypervisor (aka rhev-hypervisor) > in Red Hat ...) > - qemu-kvm <not-affected> (QXL support not yet present in Debian > packages) > - kvm <not-affected> (QXL support not yet present in Debian > packages) > + TODO: recheck newer uploads > CVE-2010-0430 > RESERVED > CVE-2010-0429 (libspice, as used in QEMU-KVM in the Hypervisor (aka > rhev-hypervisor) ...) > @@ -26347,7 +26347,7 @@ > CVE-2009-2979 (Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, > and ...) > NOT-FOR-US: Adobe > CVE-2009-2978 (SQL injection vulnerability in SugarCRM 4.5.1o and earlier, > 5.0.0k and ...) > - NOT-FOR-US: SugarCRM > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2009-2977 (The Cisco Security Monitoring, Analysis and Response System > (CS-MARS) ...) > NOT-FOR-US: Cisco > CVE-2009-2976 (Cisco Aironet Lightweight Access Point (AP) devices send > the contents ...) > @@ -29193,7 +29193,7 @@ > CVE-2009-2147 (SQL injection vulnerability in fdown.php in phpWebThings > 1.5.2 and ...) > NOT-FOR-US: phpWebThings > CVE-2009-2146 (Unrestricted file upload vulnerability in the Compose Email > feature in ...) > - NOT-FOR-US: SugarCRM > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2009-2145 (Multiple cross-site scripting (XSS) vulnerabilities in > transLucid 1.75 ...) > NOT-FOR-US: transLucid > CVE-2009-2144 (SQL injection vulnerability in the FireStats plugin before > ...) 
> @@ -33376,11 +33376,11 @@ > CVE-2009-0895 (Integer overflow in Novell eDirectory 8.7.3.x before > 8.7.3.10 ftf2 and ...) > NOT-FOR-US: Novell eDirectory > CVE-2009-0894 (Heap-based buffer overflow in the decoder_create function > in the ...) > + - xvidcore <undetermined> > TODO: check > - NOTE: xvidcore ITP (bug #531040) accepted in unstable on > 2011-07-26. > CVE-2009-0893 (Multiple heap-based buffer overflows in > xvidcore/src/decoder.c in the ...) > + - xvidcore <undetermined> > TODO: check > - NOTE: xvidcore ITP (bug #531040) accepted in unstable on > 2011-07-26. > CVE-2009-0892 (The administrative console in IBM WebSphere Application > Server (WAS) ...) > NOT-FOR-US: IBM WebSphere > CVE-2009-0891 (The Web Services Security component in IBM WebSphere > Application ...) > @@ -46290,7 +46290,7 @@ > CVE-2008-2046 (Cross-site scripting (XSS) vulnerability in index.php in > Softpedia ...) > NOT-FOR-US: Softpedia > CVE-2008-2045 (Absolute path traversal vulnerability in SugarCRM Sugar > Community ...) > - NOT-FOR-US: SugarCRM > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2008-2044 (includes/library.php in netOffice Dwins 1.3 p2 compares the > ...) > NOT-FOR-US: netOffice Dwins > CVE-2008-2043 (Multiple cross-site request forgery (CSRF) vulnerabilities > in cPanel, ...) 
> @@ -49195,11 +49195,9 @@ > CVE-2008-0852 (freeSSHd 1.2 and earlier allows remote attackers to cause a > denial of ...) > NOT-FOR-US: freeSSHd > CVE-2008-0851 (Multiple cross-site scripting (XSS) vulnerabilities in > Dokeos 1.8.4 ...) > - NOT-FOR-US: Dokeos > - NOTE: there is an RFP for Dokeos #433352 > + - dokeos <itp> (bug #433352) > CVE-2008-0850 (Multiple SQL injection vulnerabilities in Dokeos 1.8.4 > allow remote ...) > - NOT-FOR-US: Dokeos > - NOTE: there is an RFP for Dokeos #433352 > + - dokeos <itp> (bug #433352) > CVE-2008-0849 (SQL injection vulnerability in index.php in the Downloads > ...) > NOT-FOR-US: com_downloads component for Mambo and Joomla! > CVE-2008-0848 (Cross-site scripting (XSS) vulnerability in lostsheep.php > in Crafty ...) > @@ -69362,7 +69360,7 @@ > CVE-2006-6713 (Buffer overflow in Hitachi Directory Server 2 P-2444-A124 > before ...) > NOT-FOR-US: Hitachi Directory Server > CVE-2006-6712 (Cross-site scripting (XSS) vulnerability in SugarCRM Open > Source ...) > - NOT-FOR-US: SugarCRM Open Source > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2006-6711 (PHP remote file inclusion vulnerability in > compteur/mapage.php in ...) > NOT-FOR-US: Newxooper > CVE-2006-6710 (Multiple PHP remote file inclusion vulnerabilities in > PgmReloaded ...) > @@ -73058,7 +73056,7 @@ > CVE-2006-5083 (PHP remote file inclusion vulnerability in ...) > NOT-FOR-US: Integrated MODs (IM) Portal > CVE-2006-5082 (Unspecified vulnerability in Sugar Suite Open Source > (SugarCRM) before ...) > - NOT-FOR-US: Sugar Suite Open Source (SugarCRM) > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2006-5081 (PHP remote file inclusion vulnerability in acc.php in > QuickBlogger ...) > NOT-FOR-US: QuickBlogger > CVE-2006-5080 (Cross-site scripting (XSS) vulnerability in the search > function in Six ...) 
> @@ -78872,7 +78870,7 @@ > CVE-2006-2557 (PHP remote file inclusion vulnerability in > extras/poll/poll.php in ...) > NOT-FOR-US: Newsportal > CVE-2006-2556 (Cross-site scripting (XSS) vulnerability in Florian Amrhein > NewsPortal ...) > - NOT-FOR-US: newsportal > + - newsportal <itp> (bug #149069) > NOTE: RFP #149069 closed after no activity since too long time > CVE-2006-2555 (The parse_command function in Genecys 0.2 and earlier > allows remote ...) > NOT-FOR-US: Genecys > @@ -79092,7 +79090,7 @@ > CVE-2006-2461 (BEA WebLogic Server before 8.1 Service Pack 4 does not > properly set ...) > NOT-FOR-US: BEA > CVE-2006-2460 (Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when > ...) > - NOT-FOR-US: SugarCRM > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2006-2459 (SQL injection vulnerability in messages.php in PHP-Fusion > 6.00.307 and ...) > NOT-FOR-US: PHP-Fusion > CVE-2006-2458 (Multiple heap-based buffer overflows in Libextractor 0.5.13 > and ...) > @@ -86360,9 +86358,9 @@ > CVE-2005-4088 (SQL injection vulnerability in index.php in phpForumPro 2.2 > allows ...) > NOT-FOR-US: phpForumPro > CVE-2005-4087 (PHP remote file include vulnerability in acceptDecline.php > in Sugar ...) > - NOT-FOR-US: SugarCRM > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2005-4086 (Directory traversal vulnerability in acceptDecline.php in > Sugar Suite ...) > - NOT-FOR-US: SugarCRM > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2005-4085 (Buffer overflow in BlueCoat (a) WinProxy before 6.1a and > (b) the web ...) > NOT-FOR-US: BlueCoat WinProxy > CVE-2005-4084 (xs_edit.php in the phpBB eXtreme Styles module 2.2.1 and > earlier ...) 
> @@ -100242,7 +100240,7 @@ > CVE-2005-0267 (index.php in FlatNuke 2.5.1 allows remote attackers to > create an ...) > NOT-FOR-US: FlatNuke > CVE-2005-0266 (Cross-site scripting (XSS) vulnerability in index.php in > SugarCRM 1.X ...) > - NOT-FOR-US: SugerCRM > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2005-0265 (Multiple SQL injection vulnerabilities in browse.php in OWL > 0.7 and ...) > NOT-FOR-US: OWL intranet > CVE-2005-0264 (Multiple cross-site scripting (XSS) vulnerabilities in > browse.php in ...) > @@ -101348,13 +101346,13 @@ > CVE-2004-1229 (Cross-site scripting vulnerability in the parser for > Gadu-Gadu allows ...) > NOT-FOR-US: Gadu-Gadu > CVE-2004-1228 (The install scripts in SugarCRM Sugar Sales 2.0.1c and > earlier are not ...) > - NOT-FOR-US: SugarCRM Sugar Sales > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2004-1227 (Directory traversal vulnerability in SugarCRM Sugar Sales > 2.0.1c and ...) > - NOT-FOR-US: SugarCRM Sugar Sales > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2004-1226 (SugarCRM Sugar Sales 2.0.1c and earlier allows remote > attackers to ...) > - NOT-FOR-US: SugarCRM Sugar Sales > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2004-1225 (SQL injection vulnerability in SugarCRM Sugar Sales before > 2.0.1a ...) > - NOT-FOR-US: SugarCRM Sugar Sales > + - sugarcrm-ce-5.0 <itp> (bug #457876) > CVE-2004-1224 (Off-by-one error in the mtr_curses_keyaction function for > mtr 0.55 ...) > - mtr 0.67-1 > CVE-2004-1223 (The Management Agent in F-Secure Policy Manager 5.11.2810 > allows ...) > > > _______________________________________________ > Secure-testing-commits mailing list > [email protected] > > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits >
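Review bot: in the @@ -798 hunk, the fixed version for CVE-2011-2534 is moved from linux-2.6 2.6.39-1 down to 2.6.32-34 without a NOTE recording where the earlier fix was confirmed; the log line "a kernel issue fixed earlier than currently tracked" is the only justification, and it lives in the commit message rather than in data/CVE/list. Add a NOTE under the entry citing the changelog entry or upstream commit that backports the clusterip_proc_write fix, since a fixed version set too low silently marks an open issue as resolved.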
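Review bot: in the @@ -5934 hunk, and likewise in every other sugarcrm-ce-5.0 and dokeos hunk of this commit, a bug the old NOTE described as an RFP (#457876, "there is an RFP for SugarCRM") is now recorded with the <itp> marker under a source package name that does not yet exist in the archive. The rationale ("rfps=itps in security tracking sense") appears only in the log, so a later editor will read <itp> as a genuine intent to package; write that convention into the tracker documentation, and record that sugarcrm-ce-5.0 is a provisional name that must be renamed if the package is uploaded under a different one.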
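Review bot: in the @@ -20144 hunk, the added "TODO: recheck newer uploads" under CVE-2010-0431 sits beneath two <not-affected> entries whose stated reason is that QXL support is not yet present in Debian packages; if that reason is suspected to no longer hold, the <not-affected> markers are potentially wrong, not merely due for a recheck. State which qemu-kvm or kvm upload is thought to have added QXL support so the TODO can be resolved, and replace the <not-affected> reason as soon as it is confirmed out of date.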
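Review bot: in the @@ -33376 hunk, replacing the NOTE lines for CVE-2009-0894 and CVE-2009-0893 with "- xvidcore <undetermined>" discards both the ITP bug number (#531040) and the date the package was accepted into unstable (2011-07-26), and neither fact is carried over into the new line. Keep the bug reference on the package line, e.g. "- xvidcore <undetermined> (bug #531040)", and since <undetermined> is not documented in the narrative_introduction (as the reply above points out), state its intended meaning in a NOTE; an undocumented marker next to "TODO: check" gives the next triager nothing to act on.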
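Review bot: in the @@ -78872 hunk, CVE-2006-2556 is changed to "- newsportal <itp> (bug #149069)" while the retained NOTE states that RFP #149069 was closed after no activity; an <itp> marker pointing at a closed request is self-contradictory, since it records an intent to package that no one currently holds. Either keep NOT-FOR-US together with the NOTE explaining the closed RFP, or update the NOTE if the bug has since been reopened.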
