[Secure-testing-commits] r6238 - data/CVE
Author: white Date: 2007-08-05 09:38:37 + (Sun, 05 Aug 2007) New Revision: 6238 Modified: data/CVE/list Log: * inkspace CVEs are fixed in testing and unstable Modified: data/CVE/list === --- data/CVE/list 2007-08-04 17:20:25 UTC (rev 6237) +++ data/CVE/list 2007-08-05 09:38:37 UTC (rev 6238) @@ -6123,10 +6123,10 @@ CVE-2007-1465 (Stack-based buffer overflow in dproxy.c for dproxy 0.1 through 0.5 ...) NOT-FOR-US: dproxy CVE-2007-1464 (Format string vulnerability in the whiteboard Jabber protocol in ...) - - inkscape unfixed (medium) + - inkscape 0.45.1-1 (medium) TODO: File bug CVE-2007-1463 (Format string vulnerability in Inkscape before 0.45.1 allows ...) - - inkscape unfixed (low) + - inkscape 0.45.1-1 (low) TODO: File bug CVE-2007-1462 (The luci server component in conga preserves the password between page ...) NOT-FOR-US: conga ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
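Review bot: The "TODO: File bug" lines under CVE-2007-1464 and CVE-2007-1463 stay in place even though both inkscape entries change from "unfixed" to "0.45.1-1". With a fixed version recorded the TODO looks stale; drop it in this commit, or replace it with the bug number if a report is still wanted for tracking.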
[Secure-testing-commits] r6239 - data/CVE
Author: white Date: 2007-08-05 12:19:41 + (Sun, 05 Aug 2007) New Revision: 6239 Modified: data/CVE/list Log: * Add cupsys with debian bug to CVE-2007-3387 Modified: data/CVE/list === --- data/CVE/list 2007-08-05 09:38:37 UTC (rev 6238) +++ data/CVE/list 2007-08-05 12:19:41 UTC (rev 6239) @@ -1619,6 +1619,7 @@ - koffice unfixed - pdftohtml removed - tetex-bin 3.0-12 + - cupsys unfixed (bug #436099) NOTE: links to poppler since 3.0-12, thus marking as fixed - pdfkit.framework 0.8-4 NOTE: links to poppler since 0.8-4, thus marking as fixed
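Review bot: The new "- cupsys unfixed (bug #436099)" line is inserted between "- tetex-bin 3.0-12" and its "NOTE: links to poppler since 3.0-12, thus marking as fixed", so the NOTE now reads as if it belonged to cupsys, which is marked unfixed. Move the cupsys line below that NOTE so the note stays attached to tetex-bin.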
[Secure-testing-commits] r6240 - data/DSA
Author: jmm-guest Date: 2007-08-05 19:07:41 + (Sun, 05 Aug 2007) New Revision: 6240 Modified: data/DSA/list Log: - add the last DSAs (everyone is encouraged to add these, it's a straight-forward format) - add a CVE for one issue fixed in the icefoo DSAs, which later got an additional CVE assigned Modified: data/DSA/list === --- data/DSA/list 2007-08-05 12:19:41 UTC (rev 6239) +++ data/DSA/list 2007-08-05 19:07:41 UTC (rev 6240) @@ -1,3 +1,26 @@ +[04 Aug 2007] DSA-1348-1 poppler + {CVE-2007-3387} + [etch] - poppler 0.4.5-5.1etch1 +[04 Aug 2007] DSA-1347-1 xpdf + {CVE-2007-3387} + [etch] - xpdf 3.01-9etch1 + [sarge] - xpdf 3.00-13.7 +[04 Aug 2007] DSA-1346-1 iceape + {CVE-2007-3844 CVE-2007-3845 CVE-2007-4041} + [etch] - iceape 1.0.10~pre070720-0etch3 +[04 Aug 2007] DSA-1345-1 xulrunner + {CVE-2007-3844 CVE-2007-3845 CVE-2007-4041} + [etch] - xulrunner 1.8.0.13~pre070720-0etch3 +[03 Aug 2007] DSA-1344-1 iceweasel + {CVE-2007-3844 CVE-2007-3845 CVE-2007-4041} + [etch] - iceweasel 2.0.0.6-0etch1 +[02 Aug 2007] DSA-1343-1 file + {CVE-2007-2799} + [sarge] - file 4.12-1sarge2 + [etch] - file 4.17-5etch2 +[30 Jul 2007] DSA-1342-1 xfs + {CVE-2007-3103} + [etch] - xfs 1.0.1-6 [25 Jul 2007] DSA-1341-2 bind9 - DNS cache poisoning vulnerability {CVE-2007-2926} [etch] - bind9 1:9.3.4-2etch1
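Review bot: None of the seven added entries carries the short description that the existing entry below them has ("DSA-1341-2 bind9 - DNS cache poisoning vulnerability"); adding one per DSA would keep the list readable without looking up each advisory. The release order also differs between entries: DSA-1347-1 lists [etch] before [sarge], while DSA-1343-1 lists [sarge] before [etch]; pick one order.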
[Secure-testing-commits] r6241 - data/CVE
Author: jmm-guest Date: 2007-08-05 19:09:59 + (Sun, 05 Aug 2007) New Revision: 6241 Modified: data/CVE/list Log: smbd regression in SuSE another icefoo issue fixed reported kernel issue isn't sufficiently attacker controllable to warrant calling it a security problem Modified: data/CVE/list === --- data/CVE/list 2007-08-05 19:07:41 UTC (rev 6240) +++ data/CVE/list 2007-08-05 19:09:59 UTC (rev 6241) @@ -155,13 +155,13 @@ CVE-2007-4045 (The CUPS service on SUSE Linux before 20070720 allows remote attackers ...) TODO: check CVE-2007-4044 (Incomplete blacklist vulnerability in the MS-RPC functionality in smbd ...) - TODO: check + NOTE: I've contacted SuSE: It's a functional regression in SuSE, not a security problem CVE-2007-4043 (file.cgi in Secure Computing SecurityReporter (aka Network Security ...) NOT-FOR-US: Secure Computing SecurityReporter CVE-2007-4042 (Multiple argument injection vulnerabilities in Netscape Navigator 9 ...) - TODO: check + NOT-FOR-US: Netscape Navigator CVE-2007-4041 (Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 ...) - TODO: check + - iceweasel 2.0.0.6-1 CVE-2007-4040 (Argument injection vulnerability involving Microsoft Outlook and ...) NOT-FOR-US: Micrsoft Outlook CVE-2007-4039 (Argument injection vulnerability involving Mozilla, when certain URIs ...) @@ -2307,7 +2307,8 @@ CVE-2007-3108 RESERVED CVE-2007-3107 (The signal handling in the Linux kernel 2.6.2 and later, when run on ...) - - linux-2.6 unfixed + - linux-2.6 unfixed (unimportant) + NOTE: Not reproducibly reliably by an attacker, mostly a bug CVE-2007-3106 (libvorbis 1.1.2, and possibly other versions before 1.2.0, allows ...) TODO: check CVE-2007-3105 (Stack-based buffer overflow in the random number generator (RNG) ...)
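Review bot: In the first hunk, CVE-2007-4044 ends up with only a free-text NOTE ("I've contacted SuSE: ...") and no package line, so the entry records no status for the Debian package that ships smbd. Add a package line marking it as not affected, and say in the NOTE who made the contact so the first-person statement can be followed up later.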
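Review bot: In the second hunk, the added NOTE under CVE-2007-3107 ("Not reproducibly reliably by an attacker, mostly a bug") is hard to parse, and it is the only recorded justification for downgrading linux-2.6 to "unimportant". Reword it, for example "Not reliably reproducible by an attacker", and add a pointer to the analysis behind that assessment.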
[Secure-testing-commits] r6242 - data/CVE
Author: jmm-guest Date: 2007-08-05 19:13:30 + (Sun, 05 Aug 2007) New Revision: 6242 Modified: data/CVE/list Log: more xpdf status updates Modified: data/CVE/list === --- data/CVE/list 2007-08-05 19:09:59 UTC (rev 6241) +++ data/CVE/list 2007-08-05 19:13:30 UTC (rev 6242) @@ -1619,11 +1619,13 @@ - koffice unfixed - pdftohtml removed - tetex-bin 3.0-12 - - cupsys unfixed (bug #436099) - NOTE: links to poppler since 3.0-12, thus marking as fixed + NOTE: pdftex links to poppler since 3.0-12, thus marking as fixed + - cupsys unfixed (unimportant; bug #436099) + NOTE: cups uses xpdf-utils - pdfkit.framework 0.8-4 NOTE: links to poppler since 0.8-4, thus marking as fixed - TODO: check libextractor/sarge (uses internal pdf decoder since 0.5.12-1) + - libextractor 0.5.12-1 + NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as fixed TODO: check ipe (only small parts, but with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp) CVE-2007-3386 RESERVED
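Review bot: The cupsys line is downgraded to "unimportant", but the new "NOTE: cups uses xpdf-utils" does not say why that makes the issue unimportant for cupsys; spell out the reasoning in the NOTE. Also, the removed TODO asked to check libextractor in sarge, while the replacement only records 0.5.12-1 as fixed; note the sarge result if it was checked.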
[Secure-testing-commits] r6243 - data/CVE
Author: joeyh Date: 2007-08-05 21:14:09 + (Sun, 05 Aug 2007) New Revision: 6243 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2007-08-05 19:13:30 UTC (rev 6242) +++ data/CVE/list 2007-08-05 21:14:09 UTC (rev 6243) @@ -161,6 +161,7 @@ CVE-2007-4042 (Multiple argument injection vulnerabilities in Netscape Navigator 9 ...) NOT-FOR-US: Netscape Navigator CVE-2007-4041 (Multiple argument injection vulnerabilities in Mozilla Firefox 2.0.0.5 ...) + {DSA-1346-1 DSA-1345-1 DSA-1344-1} - iceweasel 2.0.0.6-1 CVE-2007-4040 (Argument injection vulnerability involving Microsoft Outlook and ...) NOT-FOR-US: Micrsoft Outlook @@ -566,12 +567,14 @@ RESERVED CVE-2007-3845 [firefox external URI handler escaping vulnerability] RESERVED + {DSA-1346-1 DSA-1345-1 DSA-1344-1} - iceweasel 2.0.0.6-1 (medium) - xulrunner 1.8.1.6-1 (medium) - iceape 1.1.3-2 (medium) - icedove unfixed (medium) CVE-2007-3844 [firefox about:blank regression] RESERVED + {DSA-1346-1 DSA-1345-1 DSA-1344-1} - iceweasel 2.0.0.6-1 (medium) - xulrunner 1.8.1.6-1 (medium) - iceape 1.1.3-2 (medium) @@ -1612,6 +1615,7 @@ - qt4-x11 4.3.0-5 NOTE: there is some dissagreement whether qt4 is affected CVE-2007-3387 (Integer overflow in the StreamPredictor::StreamPredictor function in ...) + {DSA-1348-1 DSA-1347-1} - poppler unfixed (bug #435460) - gpdf removed - xpdf unfixed (bug #435462) @@ -2318,6 +2322,7 @@ CVE-2007-3104 (The sysfs_readdir function in the Linux kernel in Red Hat Enterprise ...) - linux-2.6 unfixed CVE-2007-3103 (The init.d script for the X.Org X11 xfs font server on Red Hat ...) + {DSA-1342-1} - xfs 1:1.0.4-2 CVE-2007-3102 RESERVED 
@@ -3020,6 +3025,7 @@ CVE-2007-2800 (index.php in eTicket 1.5.5.1 and earlier allows remote attackers to ...) NOT-FOR-US: eTicket CVE-2007-2799 (Integer overflow in the quot;filequot; program 4.20, when running on 32-bit ...) + {DSA-1343-1} - file 4.21-1 (medium) CVE-2007-2798 (Stack-based buffer overflow in the rename_principal_2_svc function in ...) {DSA-1323-1}
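Review bot: In the first hunk, CVE-2007-4041 is now tied to DSA-1346-1, DSA-1345-1 and DSA-1344-1, yet the entry tracks only iceweasel, whereas CVE-2007-3845 and CVE-2007-3844, which receive the same three DSAs in the next hunk, also list xulrunner and iceape. Since this is an automatic update, the fix belongs in the CVE entry itself: add the missing package lines or note why they do not apply.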