Author: jmm-guest Date: 2009-09-16 20:51:08 +0000 (Wed, 16 Sep 2009) New Revision: 12830
Modified: data/CVE/list data/ospu-candidates.txt data/spu-candidates.txt Log: cleanups from issue review, new issues, no-dsas, not-affected, etc. pp Modified: data/CVE/list =================================================================== --- data/CVE/list 2009-09-16 19:56:27 UTC (rev 12829) +++ data/CVE/list 2009-09-16 20:51:08 UTC (rev 12830) @@ -346,10 +346,13 @@ [lenny] - rails <no-dsa> (Minor issue) CVE-2009-3085 (The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not ...) - pidgin 2.6.2-1 (low) + [lenny] - pidgin <no-dsa> (Minor issue) CVE-2009-3084 (The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c ...) - pidgin 2.6.2-1 (low) + [lenny] - pidgin <no-dsa> (Minor issue) CVE-2009-3083 (The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the ...) - pidgin 2.6.2-1 (low) + [lenny] - pidgin <no-dsa> (Minor issue) CVE-2008-7185 (GNOME Rhythmbox 0.11.5 allows remote attackers to cause a denial of ...) - rhythmbox <unfixed> (unimportant) NOTE: No practical security impact @@ -509,7 +512,9 @@ - silc-server 1.1.2-1 (low) NOTE: silc-client/silc-server use libsilc from silc-toolkit since 1.1-2 CVE-2009-3050 (Buffer overflow in the set_page_size function in util.cxx in HTMLDOC ...) - - htmldoc <unfixed> (medium; bug #537637) + - htmldoc <unfixed> (low; bug #537637) + [etch] - htmldoc <no-dsa> (Minor issue) + [lenny] - htmldoc <no-dsa> (Minor issue) CVE-2009-3049 (Opera before 10.00 does not properly display all characters in ...) NOT-FOR-US: Opera CVE-2009-3048 (Opera before 10.00 on Linux, Solaris, and FreeBSD does not properly ...) 
@@ -1530,9 +1535,11 @@ NOT-FOR-US: DD-WRT CVE-2009-3040 (Multiple SQL injection vulnerabilities in Open Computer and Software ...) - ocsinventory-server 1.02.1-2 (low; bug #541995) + [lenny] - ocsinventory-server <no-dsa> (Minor issue) NOTE: Authentication is needed CVE-2009-3042 (SQL injection vulnerability in machine.php in Open Computer and ...) - ocsinventory-server 1.02.1-2 (low; bug #541995) + [lenny] - ocsinventory-server <no-dsa> (Minor issue) NOTE: Authentication is needed CVE-2009-2763 RESERVED @@ -1902,7 +1909,7 @@ CVE-2009-2702 (KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a ...) - kdelibs <unfixed> (low; bug #546212) - kde4libs <unfixed> (low; bug #546218) - NOTE: kde4libs no-dsa candidate, probably affected code is no longer used + [lenny] - kde4libs <no-dsa> (Minor issue) CVE-2009-2701 (Unspecified vulnerability in the Zope Enterprise Objects (ZEO) ...) TODO: check CVE-2009-2700 (src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not ...) @@ -2112,12 +2119,7 @@ - poppler <unfixed> (low; bug #534680) CVE-2009-2408 (Mozilla Network Security Services (NSS) before 3.12.3, Firefox before ...) {DSA-1874-1} - - openssl <unfixed> (medium; bug #539449) - - openssl097 <removed> - nss 3.12.3-1 (medium; bug #539934) - NOTE: asked maintainer to check whether openssl affected - NOTE: fixed in iceweasel 3.0.13 and 3.5.2, which have yet to be uploaded - TODO: check whether other web browsers are affected and file bugs CVE-2009-2651 (main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote ...) - asterisk 1:1.6.2.0~dfsg~rc1-1 (low; bug #539473) [etch] - asterisk <not-affected> (Vulnerable code not present) 
@@ -2552,9 +2554,12 @@ [lenny] - sun-java6 <no-dsa> (Non-free not supported) - openjdk-6 <unfixed> (medium; bug #542210) CVE-2009-2474 (neon before 0.28.6, when OpenSSL is used, does not properly handle a ...) - - neon27 0.28.6-1 (medium; bug #542926) - - neon26 <unfixed> (medium; bug #542926) - - neon <removed> (medium; bug #542926) + - neon27 0.28.6-1 (low; bug #542926) + [lenny] - neon27 <no-dsa> (Minor issue) + - neon26 <unfixed> (low; bug #542926) + [lenny] - neon26 <no-dsa> (Minor issue) + - neon <removed> (low; bug #542926) + [etch] - neon <no-dsa> (Minor issue) - gnome-vfs2 <unfixed> NOTE: affected neon code copy present in gnome-vfs2 [./imported/*] - litmus <removed> @@ -2782,7 +2787,7 @@ CVE-2009-2417 (lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is ...) {DSA-1869-1} - curl 7.19.5-1.1 (medium; bug #541991) - - wget <unfixed> + TODO: - wget <unfixed> TODO: check whether wget affected [src/openssl.c]; not an embed, but similar functionality CVE-2009-2416 (Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, ...) {DSA-1861-1 DSA-1859-1} @@ -2943,7 +2948,7 @@ {DSA-1835-1} - tiff 3.8.2-13 CVE-2009-2346 (The IAX2 protocol implementation in Asterisk Open Source 1.2.x before ...) - - asterisk 1:1.6.2.0~dfsg~beta3-1 (low) + - asterisk 1:1.6.2.0~dfsg~beta3-1 (bug #539473) CVE-2009-2345 (Multiple SQL injection vulnerabilities in ClanSphere before 2009.0.1 ...) NOT-FOR-US: ClanSphere CVE-2009-2344 (The web-based management interfaces in Sourcefire Defense Center (DC) ...) @@ -3432,6 +3437,7 @@ - request-tracker3.4 <removed> (low; bug #534498) [etch] - request-tracker3.4 <not-affected> (flaw introduced in 3.6.2) - request-tracker3.6 3.6.8-1 (low; bug #534497) + [lenny] - request-tracker3.6 <no-dsa> (Targeted for stable point update) [etch] - request-tracker3.6 <not-affected> (flaw introduced in 3.6.2) - request-tracker3.8 3.8.4-1 CVE-2009-2184 (Absolute path traversal vulnerability in forcedownload.php in Gravy ...) 
@@ -3458,6 +3464,8 @@ [lenny] - xcftools 1.0.4-1+lenny1 CVE-2009-2174 (GUPnP 0.12.7 allows remote attackers to cause a denial of service ...) - gupnp 0.12.6-3.1 (low; bug #534594) + [etch] - gupnp <no-dsa> (Minor issue) + [lenny] - gupnp <no-dsa> (Minor issue) CVE-2009-2173 (The LAN game feature in Carom3D 5.06 allows remote authenticated users ...) NOT-FOR-US: Carom3D CVE-2009-2172 (Cross-site scripting (XSS) vulnerability in forum/radioandtv.php in ...) @@ -3571,6 +3579,7 @@ - mahara 1.1.5-1 (low) CVE-2009-2171 (Mahara 1.1 before 1.1.5 does not apply permission checks when saving a ...) - mahara 1.1.5-1 (low) + [lenny] - mahara <no-dsa> (Minor issue) CVE-2009-2120 (Multiple SQL injection vulnerabilities in TekBase All-in-One 3.1 allow ...) NOT-FOR-US: TekBase CVE-2009-2119 (Cross-site scripting (XSS) vulnerability in the login interface ...) @@ -4159,6 +4168,7 @@ [lenny] - apache2 2.2.9-10+lenny4 CVE-2009-1889 (The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets ...) - pidgin 2.5.8-1 (low; bug #535790) + [lenny] - pidgin <no-dsa> (Minor issue) NOTE: http://developer.pidgin.im/ticket/9483 NOTE: http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7 CVE-2009-1888 (The acl_group_override function in smbd/posix_acls.c in smbd in Samba ...) @@ -4176,6 +4186,8 @@ NOTE: Only the 3.2.x branch was affected, so marking 3.3 as affected CVE-2009-1885 (Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in ...) - xerces-c 3.0.1-2 (low; bug #540297) + [etch] - xerces-c <no-dsa> (Minor issue) + [lenny] - xerces-c <no-dsa> (Minor issue) - xerces-c2 2.8.0+deb1-2 (low; bug #541986) - xerces27 <removed> CVE-2009-1884 (Off-by-one error in the bzinflate function in Bzip2.xs in the ...) 
@@ -5923,7 +5935,9 @@ RESERVED CVE-2009-1297 RESERVED - - open-iscsi <unfixed> (low) + - open-iscsi <unfixed> (low; bug filed) + [lenny] - open-iscsi <no-dsa> (Minor issue) + [etch] - open-iscsi <not-affected> (Vulnerable script not yet present) CVE-2009-1296 (The eCryptfs support utilities (ecryptfs-utils) 73-0ubuntu6.1 on ...) - ecryptfs-utils 75-2 (unimportant; bug #532372) NOTE: this is a non-issue as the debian installer doesn't support per user @@ -7885,6 +7899,7 @@ - libapache2-mod-perl2 <unfixed> - apache <removed> [etch] - apache <no-dsa> (minor issue) + TODO: File bug CVE-2009-0795 REJECTED CVE-2009-0794 (Integer overflow in the PulseAudioTargetDataL class in ...) @@ -9816,6 +9831,8 @@ - barnowl 1.0.5-1 [lenny] - barnowl 1.0.1-4 - owl 2.2.2-1 (bug #515118) + [lenny] - owl <no-dsa> (Minor issue) + [etch] - owl <no-dsa> (Minor issue) CVE-2009-0362 (filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular ...) - fail2ban 0.8.3-2sid1 (low; bug #514163) CVE-2009-0361 (Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in ...) Modified: data/ospu-candidates.txt =================================================================== --- data/ospu-candidates.txt 2009-09-16 19:56:27 UTC (rev 12829) +++ data/ospu-candidates.txt 2009-09-16 20:51:08 UTC (rev 12830) @@ -289,12 +289,22 @@ -- +gupnp (CVE-2009-2174) +#534594 + +-- + hplip (CVE-2008-2940/CVE-2008-2941) #499842 notified maintainer -- +htmldoc (CVE-2009-3050) +#537637 + +-- + ipsec-tools (CVE-2008-3651) http://sourceforge.net/mailarchive/forum.php?thread_name=48a0c7a0.qPeWZAE0PY8bDDq%2B%25olel%40ans.pl&forum_name=ipsec-tools-devel notified maintainer @@ -481,6 +491,11 @@ -- +neon (CVE-2009-2474) +#542926 + +-- + net-snmp (CVE-2008-6123) Noah will see to it. @@ -513,6 +528,11 @@ -- +owl (CVE-2009-0363) +#515118 + +-- + p3nfs (CVE-2008-5154) bug #506270 notified maintainer 
@@ -795,6 +815,11 @@ -- +xerces-c (CVE-2009-1885) +#540297 + +-- + xfce4 (CVE-2007-6351 CVE-2007-6352) notified maintainer Modified: data/spu-candidates.txt =================================================================== --- data/spu-candidates.txt 2009-09-16 19:56:27 UTC (rev 12829) +++ data/spu-candidates.txt 2009-09-16 20:51:08 UTC (rev 12830) @@ -68,6 +68,21 @@ -- +gupnp (CVE-2009-2174) +#534594 + +-- + +htmldoc (CVE-2009-3050) +#537637 + +-- + +kde4libs (CVE-2009-2702) +#546218 + +-- + kfreebsd-6 [freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl] http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc @@ -146,6 +161,16 @@ -- +neon27 (CVE-2009-2474) +#542926 + +-- + +neon26 (CVE-2009-2474) +#542926 + +-- + ntop (CVE-2009-2732) #543312 @@ -166,18 +191,40 @@ -- +ocsinventory-server (CVE-2009-3040, CVE-2009-3042, CVE-2009-1443) +#541995 + +-- + +open-iscsi (CVE-2009-1297) +notified maintainer in initial bug report + +-- + openldap #253838 notified maintainer -- +owl (CVE-2009-0363) +#515118 + +-- + pam (CVE-2009-0579) #514437 asked maintainer in mail -- +pidgin (CVE-2009-1889, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085) +#535790 +http://developer.pidgin.im/ticket/9483 +http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7 + +-- + pptp-linux (no CVE) #523476 Ola will prepare a fix in a point update @@ -237,6 +284,11 @@ -- +xerces-c (CVE-2009-1885) +#540297 + +-- + xfig 25_mkstemp added in 1:3.2.5.a-1 notified maintainer _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
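Review bot: the asterisk entry under CVE-2009-2346 (hunk @@ -2943,7 +2948,7 @@) loses its severity: `- asterisk 1:1.6.2.0~dfsg~beta3-1 (low)` becomes `- asterisk 1:1.6.2.0~dfsg~beta3-1 (bug #539473)`. The convention used elsewhere in this file, for example the CVE-2009-2651 asterisk line `(low; bug #539473)`, keeps severity and bug reference together; either write `(low; bug #539473)` here or, if the severity is meant to be dropped, say so in a NOTE.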
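Review bot: under CVE-2009-2417 (hunk @@ -2782,7 +2787,7 @@) the wget line now reads `TODO: - wget <unfixed>` directly above the pre-existing `TODO: check whether wget affected [src/openssl.c]; not an embed, but similar functionality`, so the same open question is recorded twice in two different shapes. Either keep `- wget <unfixed>` as a provisional package entry until the check is done, or drop it and let the existing TODO carry the question; a TODO-prefixed package line is not a form the rest of the file uses.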
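Review bot: under CVE-2009-2408 (hunk @@ -2112,12 +2119,7 @@) the entries `- openssl <unfixed> (medium; bug #539449)` and `- openssl097 <removed>` are deleted together with `NOTE: asked maintainer to check whether openssl affected`, which leaves no record of how that question was resolved. If the maintainer confirmed openssl is not affected, the file's own form for that is a `<not-affected>` entry with a reason in parentheses, as used for asterisk in the very next CVE entry; otherwise the bug #539449 reference should survive so the question stays tracked.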
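Review bot: replacing `NOTE: kde4libs no-dsa candidate, probably affected code is no longer used` with `[lenny] - kde4libs <no-dsa> (Minor issue)` under CVE-2009-2702 (hunk @@ -1902,7 +1909,7 @@) drops the stated reason for the no-dsa decision. Put that reasoning in the parenthesised reason text or keep the NOTE beneath the new line, so a later reviewer can see why lenny's kde4libs is not getting a DSA; the parallel addition of kde4libs (CVE-2009-2702) #546218 to data/spu-candidates.txt is consistent with the new marker.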
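Review bot: `- open-iscsi <unfixed> (low; bug filed)` under CVE-2009-1297 (hunk @@ -5923,7 +5935,9 @@) carries no bug number, unlike every other bug reference in the file (`bug #NNNNNN`), and the matching new data/spu-candidates.txt entry says only `notified maintainer in initial bug report`. Record the BTS number in both places once it is assigned; without it the entry cannot be cross-referenced with the bug report.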
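Review bot: `[lenny] - request-tracker3.6 <no-dsa> (Targeted for stable point update)` in hunk @@ -3432,6 +3437,7 @@ marks the package for a stable point update, but this commit's changes to data/spu-candidates.txt add no request-tracker3.6 entry, while the other new lenny no-dsa decisions in the same commit (gupnp, htmldoc, kde4libs, neon26/neon27, ocsinventory-server, open-iscsi, owl, pidgin, xerces-c) each gained one. Add request-tracker3.6 with bug #534497 there as well, if it is not already listed.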