Author: jmm-guest
Date: 2005-12-18 12:21:13 +0000 (Sun, 18 Dec 2005)
New Revision: 3085

Modified:
   data/CVE/list
   doc/narrative_introduction
Log:
more syntax conversions
note in narrative-introduction that oldstable is now fully supported


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2005-12-18 12:02:31 UTC (rev 3084)
+++ data/CVE/list       2005-12-18 12:21:13 UTC (rev 3085)
@@ -16124,10 +16124,14 @@
        [sarge] - kernel-source-2.6.8 2.6.8-8
        - kernel-source-2.4.27 2.4.27-7
 CVE-2004-0813 (Unknown vulnerability in the SG_IO functionality in ide-cd 
allows ...)
-       NOTE: ide-cd SG_IO vulnerability
-       NOTE: fixed in recent 2.6 and 2.4 kernels
+       - linux-2.6 <not-affected> (Fixed before upload into archive)
+       - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive)
+       TODO: Check, when this was fixed in 2.4
+       TOOD: Check, when this was fixed in 2.6
 CVE-2004-0812 (Unknown vulnerability in the Linux kernel before 2.4.23, on the 
AMD ...)
-       NOTE: only affects kernels before 2.4.23 on amd64
+       - linux-2.6 <not-affected>
+       - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive)
+       TODO: Check, when this was fixed in 2.4
 CVE-2004-0811 (Unknown vulnerability in Apache 2.0.51 prevents &quot;the 
merging of the ...)
        - apache2 2.0.52
 CVE-2004-0810 (Buffer overflow in Netopia Timbuktu 7.0.3 allows remote 
attackers to ...)
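Review bot: The second added line under CVE-2004-0813 is spelled "TOOD:" rather than "TODO:", so anything that searches the list for TODO markers will miss the open 2.6 check. Please correct it to "TODO: Check, when this was fixed in 2.6". The linux-2.6 entry for CVE-2004-0812 also carries no reason in parentheses while the 2.4.27 line beside it does; a short reason there would keep the two consistent.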
@@ -16179,8 +16183,8 @@
        {DSA-538}
        - rsync 2.6.2-3
 CVE-2004-0791 (Multiple TCP/IP and ICMP implementations allow remote attackers 
to ...)
-       NOTE: All 2.4 and 2.6 kernels verify the TCP sequence numbering when 
errors occur
-       NOTE: Kernel will never abort due to an ICMP packet
+       - kernel-source-2.4.27 <not-affected> (Kernel verifies the TCP sequence 
nr. on errors, will never abort)
+       - linux-2.6 <not-affected> (Kernel verifies the TCP sequence nr. on 
errors, will never abort)
 CVE-2004-0790 (Multiple TCP/IP and ICMP implementations allow remote attackers 
to ...)
        - kernel-source-2.6.8 2.6.8-16 (bug #305664)
        - kernel-source-2.4.27 2.4.27-10 (bug #305664)
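Review bot: The new CVE-2004-0791 entries cover kernel-source-2.4.27 and linux-2.6 only, while the removed NOTE said all 2.4 and 2.6 kernels and the CVE-2004-0790 entry directly below also tracks kernel-source-2.6.8. If kernel-source-2.6.8 is meant to be covered, it needs its own <not-affected> line with the same reason; otherwise that package is left without a status for this CVE.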
@@ -16191,9 +16195,9 @@
        - gtk+2.0 2.4.9-2
        - gdk-pixbuf 0.22.0-7
 CVE-2004-0787 (Cross-site scripting (XSS) vulnerability in the web frontend in 
OpenCA ...)
-       NOT-FOR-US: seems OpenCA is 
+       NOT-FOR-US: OpenCA
 CVE-2004-0786 (The IPv6 URI parsing routines in the apr-util library for 
Apache ...)
-       NOTE: not vulnerable according to 
http://www.debian.org/security/nonvulns-sarge
+       - apache <not-affected> (not vulnerable according to 
http://www.debian.org/security/nonvulns-sarge)
        - apache2 2.0.51
 CVE-2004-0785 (Multiple buffer overflows in Gaim before 0.82 allow remote 
attackers ...)
        - gaim 1:0.82
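Review bot: For CVE-2004-0786 the not-affected status is attached to an unscoped "apache" package, although the fix line that follows is for apache2 and the removed NOTE cited the sarge non-vulnerability page. The same NOTE is converted to "[sarge] - apache2 <not-affected>" for CVE-2004-0747 later in this patch. Please confirm which package and release are intended here and scope the line with "[sarge]" if it only describes sarge.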
@@ -16217,7 +16221,7 @@
 CVE-2004-0778 (CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows 
remote ...)
        - cvs 1:1.12.9
 CVE-2004-0777 (Format string vulnerability in the auth_debug function in 
Courier-IMAP ...)
-       NOTE: not vulnerable according to 
http://www.debian.org/security/nonvulns-sarge
+       [sarge] - courier <not-affected> (not vulnerable; #266723)
        - courier-imap 2.2.2
 CVE-2004-0776
        RESERVED
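Review bot: In the CVE-2004-0777 line the reference is written as "#266723", whereas other entries in this file use the form "(bug #305664)"; use "bug #266723" so the reference is handled like the others. The status is also recorded against "courier" while the fixed version underneath is for "courier-imap", so it is worth checking that both names are intended.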
@@ -16292,11 +16296,11 @@
 CVE-2004-0748 (mod_ssl in Apache 2.0.50 and earlier allows remote attackers to 
cause ...)
        - apache2 2.0.51
 CVE-2004-0747 (Buffer overflow in Apache 2.0.50 and earlier allows local users 
to ...)
-       NOTE: not vulnerable according to 
http://www.debian.org/security/nonvulns-sarge
+       [sarge] - apache2 <not-affected>
        - apache2 2.0.51
 CVE-2004-0746 (Konqueror in KDE 3.2.3 and earlier allows web sites to set 
cookies for ...)
-       - kdelibs 4:3.2.3-3.sarge.1
-       NOTE: in t-p-u; 4.3.3 in unstable also fixes it
+       [sarge] - kdelibs 4:3.2.3-3.sarge.1
+       - kdelibs 4:3.3
 CVE-2004-0745 (LHA 1.14 and earlier allows attackers to execute arbitrary 
commands ...)
        - lha 1.14i-10 (bug #279870)
 CVE-2004-0744 (The TCP/IP Networking component in Mac OS X before 10.3.5 
allows ...)
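Review bot: The unstable fix for CVE-2004-0746 is given as "kdelibs 4:3.3", with no Debian revision, while the other KDE entries converted in this patch use "4:3.3.0-1". Unless a different upload is meant, please use the full version "4:3.3.0-1" here as well so the fixed version is comparable across the KDE entries.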
@@ -16346,13 +16350,14 @@
 CVE-2004-0722 (Integer overflow in the SOAPParameter object constructor in (1) 
...)
        - mozilla 2:1.6
 CVE-2004-0721 (Konqueror 3.1.3, 3.2.2, and possibly other versions does not 
properly ...)
-       - konqueror 4:3.2.3-1.sarge.1
-       - kdelibs 4:3.2.3-3.sarge.1
-       NOTE: in t-p-u; also fixed in 4.3.3 in unstable
+       [sarge] - kdebase 4:3.2.3-1.sarge.1
+       [sarge] - kdelibs 4:3.2.3-3.sarge.1
+       - kdelibs 4:3.3.0-1
+       - kdebase 4:3.3.0-1
 CVE-2004-0720 (Safari 1.2.2 does not properly prevent a frame in one domain 
from ...)
        NOT-FOR-US: Safari
 CVE-2004-0719 (Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows 
XP, ...)
-       NOTE: not-fos-us (Microsoft)
+       NOT-FOR-US: Microsoft
 CVE-2004-0718 (The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) 
...)
        {DSA-810-1 DSA-777-1 DSA-775-1 DTSA-7-1 DTSA-8-2 DTSA-14-1}
        NOTE: This has been fixed in mozilla-firefox 0.8 and mozilla 1.6, but 
recent
@@ -16384,15 +16389,21 @@
 CVE-2004-0707 (SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x 
before ...)
        - bugzilla 2.16.7-0.1
 CVE-2004-0706 (Bugzilla 2.17.5 through 2.17.7 embeds the password in an image 
URL, ...)
-       NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in 
Debian
+       [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+       [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+       - bugzilla 2.18-1
 CVE-2004-0705 (Multiple cross-site scripting (XSS) vulnerabilities in (1) ...)
        - bugzilla 2.16.7-0.1
 CVE-2004-0704 (Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi 
in ...)
        - bugzilla 2.16.7-0.1
 CVE-2004-0703 (Unknown vulnerability in the administrative controls in 
Bugzilla ...)
-       NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in 
Debian
+       [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+       [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+       - bugzilla 2.18-1
 CVE-2004-0702 (DBI in Bugzilla 2.17.1 through 2.17.7 displays the database 
password ...)
-       NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in 
Debian
+       [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+       [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+       - bugzilla 2.18-1
 CVE-2004-0701 (Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 
and 8 ...)
        NOT-FOR-US: Solaris
 CVE-2004-0700 (Format string vulnerability in the mod_proxy hook functions 
function ...)
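Review bot: For CVE-2004-0706, CVE-2004-0703 and CVE-2004-0702 the unscoped line "- bugzilla 2.18-1" records 2.18-1 as the first fixed version, which marks every earlier version outside woody and sarge as vulnerable, including the 2.16.x versions that the reason text on the lines above says are not affected. If no 2.17.* version was ever uploaded, as the removed NOTE stated, an unscoped "<not-affected>" entry with that reason would describe the situation more accurately than a fixed version.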
@@ -16424,8 +16435,8 @@
        - qt-x11-free 3:3.3.3-4
        - qt-copy <removed>
 CVE-2004-0690 (The DCOPServer in KDE 3.2.3 and earlier allows local users to 
gain ...)
-       - kdelibs 4:3.2.3-3.sarge.1
-       NOTE: in t-p-u, 4.3.3 in unstable is also fixed
+       [sarge] - kdelibs 4:3.2.3-3.sarge.1
+       - kdelibs 4:3.3.0-1
 CVE-2004-0689 (KDE before 3.3.0 does not properly handle when certain symbolic 
links ...)
        {DSA-539}
        - kdelibs 4:3.3.0-1
@@ -16433,7 +16444,6 @@
        {DSA-561-1 DSA-560-1}
        NOTE: Matej Vela has checked that these are backported to lesstif1 as 
well
        - lesstif1-1 1:0.93.94-10
-       NOTE: openmotif is non-free
        - openmotif 2.2.3-1.1 (bug #308819; low)
        - xfree86 4.3.0.dfsg.1-8
        - xorg-x11 <not-affected> (Fixed before introduction into archive)
@@ -16441,14 +16451,13 @@
        {DSA-561-1 DSA-560-1}
        NOTE: Matej Vela has checked that these are backported to lesstif1 as 
well
        - lesstif1-1 1:0.93.94-10
-       NOTE: openmotif is non-free
        - openmotif 2.2.3-1.1 (bug #308819; low)
        - xfree86 4.3.0.dfsg.1-8
        - xorg-x11 <not-affected> (Fixed before introduction into archive)
 CVE-2004-0686 (Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, 
when the ...)
        - samba 3.0.5 (bug #260839; bug #260838)
 CVE-2004-0685 (Certain USB drivers in the Linux 2.4 kernel use the 
copy_to_user ...)
-       NOTE: Fixed in upstream 2.4.27
+       - kernel-source-2.4.27 2.4.27-1
 CVE-2004-0684 (WebSphere Edge Component Caching Proxy in WebSphere Edge Server 
5.02, ...)
        NOT-FOR-US: WebSphere Edge Server
 CVE-2004-0683 (Symantec Norton AntiVirus 2002 and 2003 allows remote attackers 
to ...)
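Review bot: CVE-2004-0685 now has only "- kernel-source-2.4.27 2.4.27-1" and no statement about 2.6, unlike the other kernel entries converted in this commit, which list both kernel-source-2.4.27 and linux-2.6. If 2.6 is not affected, please add an explicit "- linux-2.6 <not-affected>" line with a reason, as was done for CVE-2004-0812. Separately, the removed "NOTE: openmotif is non-free" lines drop information that is not recorded anywhere else in the two entries; if it is no longer relevant, the log message should say so.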

Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction  2005-12-18 12:02:31 UTC (rev 3084)
+++ doc/narrative_introduction  2005-12-18 12:21:13 UTC (rev 3085)
@@ -320,7 +320,7 @@
 thus be used to
 - Present the security history of a package
 - Provide overviews of vulnerable packages in stable, testing, sid and
-  soon oldstable (it still has some false positives, wrt packages in
+  oldstable (it still has some false positives, wrt packages in
   stable that are present in stable, but not vulnerable, but these
   will be ironed out soon)
 - Generate a list of packages that are subject to security problems, but
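Review bot: Only the word "soon" is dropped, but the parenthetical that stays still says there are false positives that "will be ironed out soon", which sits oddly next to a log message saying oldstable is now fully supported. The phrase "packages in stable that are present in stable, but not vulnerable" also repeats "stable" and is hard to parse. Please either remove the parenthetical or reword it to state which release the false positives concern.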


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
