Author: jmm-guest Date: 2005-12-18 12:21:13 +0000 (Sun, 18 Dec 2005) New Revision: 3085
Modified: data/CVE/list doc/narrative_introduction Log: more syntax conversions note in narrative-introduction that oldstable is now fully supported Modified: data/CVE/list =================================================================== --- data/CVE/list 2005-12-18 12:02:31 UTC (rev 3084) +++ data/CVE/list 2005-12-18 12:21:13 UTC (rev 3085) @@ -16124,10 +16124,14 @@ [sarge] - kernel-source-2.6.8 2.6.8-8 - kernel-source-2.4.27 2.4.27-7 CVE-2004-0813 (Unknown vulnerability in the SG_IO functionality in ide-cd allows ...) - NOTE: ide-cd SG_IO vulnerability - NOTE: fixed in recent 2.6 and 2.4 kernels + - linux-2.6 <not-affected> (Fixed before upload into archive) + - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive) + TODO: Check, when this was fixed in 2.4 + TOOD: Check, when this was fixed in 2.6 CVE-2004-0812 (Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD ...) - NOTE: only affects kernels before 2.4.23 on amd64 + - linux-2.6 <not-affected> + - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive) + TODO: Check, when this was fixed in 2.4 CVE-2004-0811 (Unknown vulnerability in Apache 2.0.51 prevents "the merging of the ...) - apache2 2.0.52 CVE-2004-0810 (Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to ...) @@ -16179,8 +16183,8 @@ {DSA-538} - rsync 2.6.2-3 CVE-2004-0791 (Multiple TCP/IP and ICMP implementations allow remote attackers to ...) - NOTE: All 2.4 and 2.6 kernels verify the TCP sequence numbering when errors occur - NOTE: Kernel will never abort due to an ICMP packet + - kernel-source-2.4.27 <not-affected> (Kernel verifies the TCP sequence nr. on errors, will never abort) + - linux-2.6 <not-affected> (Kernel verifies the TCP sequence nr. on errors, will never abort) CVE-2004-0790 (Multiple TCP/IP and ICMP implementations allow remote attackers to ...) - kernel-source-2.6.8 2.6.8-16 (bug #305664) - kernel-source-2.4.27 2.4.27-10 (bug #305664) @@ -16191,9 +16195,9 @@ - gtk+2.0 2.4.9-2 - gdk-pixbuf 0.22.0-7 CVE-2004-0787 (Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA ...) - NOT-FOR-US: seems OpenCA is + NOT-FOR-US: OpenCA CVE-2004-0786 (The IPv6 URI parsing routines in the apr-util library for Apache ...) - NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge + - apache <not-affected> (not vulnerable according to http://www.debian.org/security/nonvulns-sarge) - apache2 2.0.51 CVE-2004-0785 (Multiple buffer overflows in Gaim before 0.82 allow remote attackers ...) - gaim 1:0.82 @@ -16217,7 +16221,7 @@ CVE-2004-0778 (CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote ...) - cvs 1:1.12.9 CVE-2004-0777 (Format string vulnerability in the auth_debug function in Courier-IMAP ...) - NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge + [sarge] - courier <not-affected> (not vulnerable; #266723) - courier-imap 2.2.2 CVE-2004-0776 RESERVED @@ -16292,11 +16296,11 @@ CVE-2004-0748 (mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause ...) - apache2 2.0.51 CVE-2004-0747 (Buffer overflow in Apache 2.0.50 and earlier allows local users to ...) - NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge + [sarge] - apache2 <not-affected> - apache2 2.0.51 CVE-2004-0746 (Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for ...) - - kdelibs 4:3.2.3-3.sarge.1 - NOTE: in t-p-u; 4.3.3 in unstable also fixes it + [sarge] - kdelibs 4:3.2.3-3.sarge.1 + - kdelibs 4:3.3 CVE-2004-0745 (LHA 1.14 and earlier allows attackers to execute arbitrary commands ...) - lha 1.14i-10 (bug #279870) CVE-2004-0744 (The TCP/IP Networking component in Mac OS X before 10.3.5 allows ...) @@ -16346,13 +16350,14 @@ CVE-2004-0722 (Integer overflow in the SOAPParameter object constructor in (1) ...) - mozilla 2:1.6 CVE-2004-0721 (Konqueror 3.1.3, 3.2.2, and possibly other versions does not properly ...) - - konqueror 4:3.2.3-1.sarge.1 - - kdelibs 4:3.2.3-3.sarge.1 - NOTE: in t-p-u; also fixed in 4.3.3 in unstable + [sarge] - kdebase 4:3.2.3-1.sarge.1 + [sarge] - kdelibs 4:3.2.3-3.sarge.1 + - kdelibs 4:3.3.0-1 + - kdebase 4:3.3.0-1 CVE-2004-0720 (Safari 1.2.2 does not properly prevent a frame in one domain from ...) NOT-FOR-US: Safari CVE-2004-0719 (Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows XP, ...) - NOTE: not-fos-us (Microsoft) + NOT-FOR-US: Microsoft CVE-2004-0718 (The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) ...) {DSA-810-1 DSA-777-1 DSA-775-1 DTSA-7-1 DTSA-8-2 DTSA-14-1} NOTE: This has been fixed in mozilla-firefox 0.8 and mozilla 1.6, but recent @@ -16384,15 +16389,21 @@ CVE-2004-0707 (SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before ...) - bugzilla 2.16.7-0.1 CVE-2004-0706 (Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, ...) - NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian + [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + - bugzilla 2.18-1 CVE-2004-0705 (Multiple cross-site scripting (XSS) vulnerabilities in (1) ...) - bugzilla 2.16.7-0.1 CVE-2004-0704 (Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in ...) - bugzilla 2.16.7-0.1 CVE-2004-0703 (Unknown vulnerability in the administrative controls in Bugzilla ...) - NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian + [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + - bugzilla 2.18-1 CVE-2004-0702 (DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password ...) - NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian + [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + - bugzilla 2.18-1 CVE-2004-0701 (Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 and 8 ...) NOT-FOR-US: Solaris CVE-2004-0700 (Format string vulnerability in the mod_proxy hook functions function ...) @@ -16424,8 +16435,8 @@ - qt-x11-free 3:3.3.3-4 - qt-copy <removed> CVE-2004-0690 (The DCOPServer in KDE 3.2.3 and earlier allows local users to gain ...) - - kdelibs 4:3.2.3-3.sarge.1 - NOTE: in t-p-u, 4.3.3 in unstable is also fixed + [sarge] - kdelibs 4:3.2.3-3.sarge.1 + - kdelibs 4:3.3.0-1 CVE-2004-0689 (KDE before 3.3.0 does not properly handle when certain symbolic links ...) {DSA-539} - kdelibs 4:3.3.0-1 @@ -16433,7 +16444,6 @@ {DSA-561-1 DSA-560-1} NOTE: Matej Vela has checked that these are backported to lesstif1 as well - lesstif1-1 1:0.93.94-10 - NOTE: openmotif is non-free - openmotif 2.2.3-1.1 (bug #308819; low) - xfree86 4.3.0.dfsg.1-8 - xorg-x11 <not-affected> (Fixed before introduction into archive) @@ -16441,14 +16451,13 @@ {DSA-561-1 DSA-560-1} NOTE: Matej Vela has checked that these are backported to lesstif1 as well - lesstif1-1 1:0.93.94-10 - NOTE: openmotif is non-free - openmotif 2.2.3-1.1 (bug #308819; low) - xfree86 4.3.0.dfsg.1-8 - xorg-x11 <not-affected> (Fixed before introduction into archive) CVE-2004-0686 (Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the ...) - samba 3.0.5 (bug #260839; bug #260838) CVE-2004-0685 (Certain USB drivers in the Linux 2.4 kernel use the copy_to_user ...) - NOTE: Fixed in upstream 2.4.27 + - kernel-source-2.4.27 2.4.27-1 CVE-2004-0684 (WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, ...) NOT-FOR-US: WebSphere Edge Server CVE-2004-0683 (Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to ...) Modified: doc/narrative_introduction =================================================================== --- doc/narrative_introduction 2005-12-18 12:02:31 UTC (rev 3084) +++ doc/narrative_introduction 2005-12-18 12:21:13 UTC (rev 3085) @@ -320,7 +320,7 @@ thus be used to - Present the security history of a package - Provide overviews of vulnerable packages in stable, testing, sid and - soon oldstable (it still has some false positives, wrt packages in + oldstable (it still has some false positives, wrt packages in stable that are present in stable, but not vulnerable, but these will be ironed out soon) - Generate a list of packages that are subject to security problems, but _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits