Author: jmm-guest
Date: 2010-06-04 17:30:30 +0000 (Fri, 04 Jun 2010)
New Revision: 14797

Modified:
   data/CVE/list
Log:
"Unfixed in sid" cleanup:

- aircrack-ng, shibboleth-sp2 fixed
- asterisk design issue fixed by documenting best practices
- remove duped asterisk entry, already tracked as CVE-2010-2214
- marking fcron as unimportant, limited by system groups
- mark two older Mozilla issues as unimportant; the impact is
  negligible
- kdegraphics from KDE 4.4 uses Okular which links dynamically
  against poppler
- linux-ftpd not-affected


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2010-06-04 15:13:34 UTC (rev 14796)
+++ data/CVE/list       2010-06-04 17:30:30 UTC (rev 14797)
@@ -2205,7 +2205,7 @@
        NOTE: 
http://git.kernel.org/linus/b525c06cdbd8a3963f0173ccd23f9147d4c384b5
 CVE-2010-1159 [aircrack-ng EAPOL buffer overflow]
        RESERVED
-       - aircrack-ng <unfixed> (low; bug #577758)
+       - aircrack-ng 1:1.1-1 (low; bug #577758)
        [lenny] - aircrack-ng <no-dsa> (low)
        [etch] - aircrack-ng <no-dsa> (low)
        NOTE: http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py
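Review bot: the new sid line records 1:1.1-1 as the fixed version, but nothing in the entry points at the upstream fix, while the existing NOTE links only a public exploit script; add a NOTE with the upstream commit or changelog entry so the `(low)` rating and the lenny/etch `<no-dsa>` lines can be re-checked against what was actually fixed.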
@@ -3517,7 +3517,7 @@
 CVE-2010-XXXX [irssi emote leak]
        - irssi-plugin-otr <unfixed> (unimportant; bug #569506)
 CVE-2010-XXXX [shibboleth-sp2: world-readable key]
-       - shibboleth-sp2 <unfixed> (low; bug #571631)
+       - shibboleth-sp2 2.3.1+dfsg-2 (low; bug #571631)
        [lenny] - shibboleth-sp2 <no-dsa> (Minor issue)
        - shibboleth-sp <not-affected> (Vulnerable code not present)
 CVE-2010-1192 (libESMTP, probably 1.0.4 and earlier, does not properly handle 
a '\0' ...)
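Review bot: the lenny line keeps `<no-dsa> (Minor issue)` for a world-readable key, but neither the new fixed version nor the rest of the entry says why exposure of key material is minor on lenny (what the key protects, who can read it); a short NOTE with that rationale would make the no-dsa decision traceable.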
@@ -3539,8 +3539,7 @@
        [lenny] - drupal6 6.6-3lenny5
        NOTE: http://drupal.org/node/731710
 CVE-2010-XXXX [linux-ftpd: null ptr dereference]
-       - linux-ftpd <unfixed> (low; bug #572813)
-       [lenny] - linux-ftpd <no-dsa> (Minor issue)
+       - linux-ftpd <not-affected> (Performs proper length checks, see #572813)
 CVE-2010-0824
        RESERVED
 CVE-2010-0823
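Review bot: the new `<not-affected>` line writes the bug reference as `see #572813`, where the rest of this file uses `bug #572813` (compare `(low; bug #577758)` in the aircrack-ng hunk); keep the `bug #` form for consistency. Dropping the `[lenny]` line is fine, since an unversioned `<not-affected>` covers every release.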
@@ -3607,9 +3606,9 @@
        {DSA-2049-1}
        - barnowl 1.5.1-1 (bug #574418)
 CVE-2010-0792 (fcrontab in fcron before 3.0.5 allows local users to read 
arbitrary ...)
-       - fcron <unfixed> (low; bug #572587)
-       [lenny] - fcron <no-dsa> (Minor issue)
-       NOTE: http://seclists.org/fulldisclosure/2010/Mar/97
+       - fcron <unfixed> (unimportant; bug #572587)
+       NOTE: On Debian runs suid/sgid fcron and the issue is limited to the 
exposure
+       NOTE: of the content of crontabs
 CVE-2010-0791 (The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in 
ncpfs ...)
        - ncpfs 2.2.6-7 (bug #572937)
        [lenny] - ncpfs <no-dsa> (Minor issue)
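Review bot: the removed `NOTE: http://seclists.org/fulldisclosure/2010/Mar/97` was the entry's only external reference; keep it alongside the new rationale rather than replacing it. The new NOTE also reads awkwardly (`On Debian runs suid/sgid fcron`); `On Debian fcron runs suid/sgid and the issue is limited to exposure of crontab contents` says the same thing and fits on one NOTE line.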
@@ -3876,7 +3875,8 @@
 CVE-2010-0686 (WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server 
2.0, ...)
        NOT-FOR-US: VMware Server
 CVE-2010-0685 (The design of the dialplan functionality in Asterisk Open 
Source ...)
-       - asterisk <unfixed>
+       - asterisk 1:1.6.2.6-1
+       NOTE: Design limitation documented in that version
        [lenny] - asterisk <no-dsa> (Unfixable design issue, best practice docs 
need to be followed)
        [squeeze] - asterisk <no-dsa> (Unfixable design issue, best practice 
docs need to be followed)
 CVE-2010-0684 (Cross-site scripting (XSS) vulnerability in 
createDestination.action ...)
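Review bot: `1:1.6.2.6-1` is recorded as the fixed version for what the lenny and squeeze lines in the same hunk call an `Unfixable design issue`; the NOTE should say where the best-practice documentation lives in that version (file or upstream advisory) so the next person can confirm that a documentation-only change is what the sid entry is claiming.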
@@ -3886,9 +3886,6 @@
 CVE-2010-0682 (WordPress 2.9 before 2.9.2 allows remote authenticated users to 
read ...)
        - wordpress 2.9.2-1 (low)
        [lenny] - wordpress <not-affected> (Only affects Wordpress >= 2.9)
-CVE-2010-XXXX [http://downloads.digium.com/pub/security/AST-2010-003.pdf]
-       - asterisk <unfixed>
-       [lenny] - asterisk <not-affected> (Only affects Asterisk 1.6)
 CVE-2010-XXXX [multiple typo issues]
        - typo3-src 4.3.2-1 (bug #571151)
        [lenny] - typo3-src 4.2.5-1+lenny3
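Review bot: the deleted entry carried two facts, the AST-2010-003 advisory URL and `[lenny] - asterisk <not-affected> (Only affects Asterisk 1.6)`; the log says this issue is tracked as CVE-2010-2214, so check that that entry records both the URL and the lenny not-affected status, otherwise the deletion loses information.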
@@ -4732,14 +4729,12 @@
        [lenny] - iceape <not-affected> (dns prefetching implemented in 
xulrunner 1.9.1)
        NOTE: mozilla's dns prefetching leads to disclosure of the user's 
network location
 CVE-2009-4629 (Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and 
other ...)
-       - icedove 3.0.2-1 (low)
+       - icedove 3.0.2-1 (unimportant)
        [etch] - icedove <not-affected> (dns prefetching implemented in 
xulrunner 1.9.1)
        [lenny] - icedove <not-affected> (dns prefetching implemented in 
xulrunner 1.9.1)
-       - iceape <unfixed> (low)
+       - iceape <unfixed> (unimportant)
        [etch] - iceape <not-affected> (dns prefetching implemented in 
xulrunner 1.9.1)
        [lenny] - iceape <not-affected> (dns prefetching implemented in 
xulrunner 1.9.1)
-       NOTE: mozilla's dns prefetching leads to disclosure of the user's 
network location
-       TODO: this may be unimportant since mozilla has chosen to ignore the 
issue
 CVE-2005-4885 (Unspecified vulnerability on certain Sun StorEdge 6130 (SE6130) 
...)
        NOT-FOR-US: Sun StorEdge 6130
 CVE-2004-2766 (Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging 
Server ...)
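Review bot: the severity for icedove and iceape changes from `low` to `unimportant` and the `TODO` that asked exactly this question is dropped, but no NOTE remains on CVE-2009-4629 itself recording why (the log says upstream chose to ignore the issue and the impact is negligible); the rationale survives only on the entry above, so add a one-line NOTE here. Removing the second `NOTE: mozilla's dns prefetching ...` line is fine, since it duplicated the one above.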
@@ -20743,9 +20738,8 @@
 CVE-2008-5914 (An unspecified function in the JavaScript implementation in 
Apple ...)
        NOT-FOR-US: Apple
 CVE-2008-5913 (An unspecified function in the JavaScript implementation in 
Mozilla ...)
-       - xulrunner <unfixed> (low; bug #559792)
-       [lenny] - xulrunner <no-dsa> (Minor issue)
-       - iceape <unfixed>
+       - xulrunner <unfixed> (unimportant; bug #559792)
+       - iceape <unfixed> (unimportant)
        [lenny] - iceape <not-affected> (Just a stub package)
        NOTE: fixed upstream 
https://bugzilla.mozilla.org/show_bug.cgi?id=cve-2008-5913
        TODO: check next set of MFSA's
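Review bot: `NOTE: fixed upstream` and `TODO: check next set of MFSA's` remain under an entry now rated `unimportant` with both packages still `<unfixed>`; either the TODO is resolved by this downgrade and should go, or the entry should say which MFSA fix is being awaited. Dropping the `[lenny] - xulrunner <no-dsa>` line is consistent with the unimportant rating.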
@@ -20786,7 +20780,7 @@
        {DSA-1793-1 DSA-1790-1}
        - xpdf 3.02-1.4+lenny1 (low; bug #524809)
        [squeeze] - xpdf 3.02-1.4+lenny1
-       - kdegraphics <unfixed> (low; bug #528369)
+       - kdegraphics 4:4.0 (low; bug #528369)
 CVE-2009-0164 (The web interface for CUPS before 1.3.10 does not validate the 
HTTP ...)
        - cups 1.3.10-1 (low)
        [lenny] - cups <no-dsa> (Minor issue, needs several prerequirements for 
attack)
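Review bot: the log says the change is because kdegraphics from KDE 4.4 links Okular dynamically against poppler, but the recorded fixed version is `4:4.0`; confirm which package version first linked dynamically and add a NOTE giving that reason, since the entry otherwise reads as an ordinary code fix at 4:4.0.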


_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
