Author: jmm-guest
Date: 2010-06-09 16:50:43 +0000 (Wed, 09 Jun 2010)
New Revision: 14834

Modified:
   data/CVE/list
   data/embedded-code-copies
   data/mops.txt
Log:
- readd bugnumber to kfreebsd entry
- xmail no-dsa
- pyfits code copy of zlib fixed
- more MOPS assignments
- NFUs
- new kernel issue
- new issues in emesene and beanstalkd


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2010-06-08 21:14:16 UTC (rev 14833)
+++ data/CVE/list       2010-06-09 16:50:43 UTC (rev 14834)
@@ -9,9 +9,11 @@
 CVE-2010-2192
        RESERVED
 CVE-2010-2191 (The (1) parse_str, (2) preg_match, (3) unpack, and (4) pack 
functions; ...)
-       TODO: check
+       - php5 <unfixed> (unimportant)
+       NOTE: Only triggerable through malicious script
 CVE-2010-2190 (The (1) trim, (2) ltrim, (3) rtrim, and (4) substr_replace 
functions ...)
-       TODO: check
+       - php5 <unfixed> (unimportant)
+       NOTE: Only triggerable through malicious script
 CVE-2010-2189
        RESERVED
 CVE-2010-2188
@@ -73,11 +75,11 @@
 CVE-2010-2160
        RESERVED
 CVE-2010-2159 (Dameng DM Database Server allows remote authenticated users to 
cause a ...)
-       TODO: check
+       NOT-FOR-US: Dameng DM Database
 CVE-2010-2158 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Storm ...)
-       TODO: check
+       NOT-FOR-US: Storm module for Drupal
 CVE-2010-2157 (Unspecified vulnerability in CA ARCserve Backup r11.5 SP4, 
r12.0 SP2, ...)
-       TODO: check
+       NOT-FOR-US: CA ARCserve
 CVE-2010-2156 (ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows 
remote ...)
        - isc-dhcp 4.1.1-P1-1
        - dhcp3 <not-affected> (Only affects DHCP 4.x)
@@ -305,6 +307,8 @@
        RESERVED
 CVE-2010-2066
        RESERVED
+       - linux-2.6 <unfixed>
+       [lenny] - linux-2.6 <not-affected> (Vulnerable code introduced in 
2.6.31)
 CVE-2010-2065
        RESERVED
 CVE-2010-2064
@@ -325,7 +329,10 @@
 CVE-2010-2061
        RESERVED
 CVE-2010-2060 (The put command functionality in beanstalkd 1.4.5 and earlier 
allows ...)
-       TODO: check
+       - beanstalkd <unfixed>
+       NOTE: Package description reads: "Beanstalkd is meant to be ran in a 
trusted network,
+       NOTE: "as it has no authorisation/authentication mechanisms". So this 
is likely a non-issue
+       TODO: File bug
 CVE-2010-2059
        RESERVED
 CVE-2010-2058 (setup.py in Prewikka 0.9.14 installs prewikka.conf with 
world-readable ...)
@@ -339,7 +346,8 @@
 CVE-2010-2054
        RESERVED
 CVE-2010-2053 (emesenelib/ProfileManager.py in emesene before 1.6.2 allows 
local ...)
-       TODO: check
+       - emesene 1.6.2-1 (low)
+       [lenny] - emesene <not-affected> (Introduced in 1.6.1) 
 CVE-2010-2052
        REJECTED
 CVE-2010-2051 (SQL injection vulnerability in article.php in Debliteck DBCart 
allows ...)
@@ -403,9 +411,9 @@
        - exim4 <unfixed> (low)
        NOTE: Fixed in experimental, both seem no-dsa, but should be checked 
with maintainers
 CVE-2010-2022 (jail.c in jail in FreeBSD 8.0 and 8.1-PRERELEASE, when the 
&quot;-l -U ...)
-       - kfreebsd-6 <removed>
-       - kfreebsd-7 <not-affected>
-       - kfreebsd-8 <not-affected>
+       - kfreebsd-6 <not-affected> (jail binary not yet provided, see bug 
#584930)
+       - kfreebsd-7 <not-affected> (jail binary not yet provided, see bug 
#584930)
+       - kfreebsd-8 <not-affected> (jail binary not yet provided, see bug 
#584930)
 CVE-2010-2021
        RESERVED
 CVE-2010-2020 (sys/nfsclient/nfs_vfsops.c in the NFS client in the kernel in 
FreeBSD ...)
@@ -542,9 +550,9 @@
 CVE-2010-1964
        RESERVED
 CVE-2010-1963 (Cross-site scripting (XSS) vulnerability in HP ServiceCenter 
allows ...)
-       TODO: check
+       NOT-FOR-US: HP ServiceCenter
 CVE-2010-1962 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 
5 ...)
-       TODO: check
+       NOT-FOR-US: HP StorageWorks 
 CVE-2010-1961
        RESERVED
 CVE-2010-1960
@@ -651,7 +659,7 @@
 CVE-2010-1905 (Multiple cross-site scripting (XSS) vulnerabilities in Consona 
Live ...)
        NOT-FOR-US: Consona
 CVE-2010-1904 (SQL injection vulnerability in EMC RSA Key Manager Client 1.5.x 
allows ...)
-       TODO: check
+       NOT-FOR-US: EMC RSA key manager
 CVE-2010-1903
        RESERVED
 CVE-2010-1902
@@ -1275,7 +1283,7 @@
 CVE-2010-1650 (IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 
6.1.x ...)
        NOT-FOR-US: IBM WebSphere Application Server
 CVE-2010-1649 (Multiple cross-site scripting (XSS) vulnerabilities in the back 
end in ...)
-       TODO: check
+       NOT-FOR-US: Joomla
 CVE-2010-1648 (Cross-site request forgery (CSRF) vulnerability in the login 
interface ...)
        - mediawiki <unfixed>
        NOTE: 
http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
@@ -2364,7 +2372,8 @@
        NOTE: http://seclists.org/fulldisclosure/2010/Apr/104
        NOTE: setting K_TCPDF_CALLS_IN_HTML to false mitigates the problem
 CVE-2010-XXXX [xmail insecure temp files handling]
-       - xmail 1.27-1
+       - xmail 1.27-1 (low)
+       [lenny] - xmail <no-dsa> (Minor issue)
        NOTE: http://www.xmailserver.org/ChangeLog.html#feb_25__2010_v_1_27
 CVE-2010-XXXX [dovecot wrong Mail dir permissions]
        - dovecot 1:1.2.11-1 (low)

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies   2010-06-08 21:14:16 UTC (rev 14833)
+++ data/embedded-code-copies   2010-06-09 16:50:43 UTC (rev 14834)
@@ -108,6 +108,7 @@
        - tra <unfixed>
        - sash <unfixed>
        - nsis <unfixed>
+       - pyfits 1:2.3.1-1
        - mseide-msegui <unfixed>
        NOTE: mseide
        - mirrordir <unfixed>

Modified: data/mops.txt
===================================================================
--- data/mops.txt       2010-06-08 21:14:16 UTC (rev 14833)
+++ data/mops.txt       2010-06-09 16:50:43 UTC (rev 14834)
@@ -46,15 +46,15 @@
 044: CVE-2010-2101; Only triggerable by malicious script
 045: CVE-2010-2101; Only triggerable by malicious script
 046: CVE-2010-2101; Only triggerable by malicious script
-047: No CVE yet; Only triggerable by malicious script
-048: No CVE yet; Only triggerable by malicious script
-049: No CVE yet; Only triggerable by malicious script
-050: No CVE yet; Only triggerable by malicious script
-051: No CVE yet; Only triggerable by malicious script
-052: No CVE yet; Only triggerable by malicious script
-053: No CVE yet; Only triggerable by malicious script
-054: No CVE yet; Only triggerable by malicious script
-055: No CVE yet; Only triggerable by malicious script
+047: CVE-2010-2190; Only triggerable by malicious script
+048: CVE-2010-2190; Only triggerable by malicious script
+049: CVE-2010-2191; Only triggerable by malicious script
+050: CVE-2010-2191; Only triggerable by malicious script
+051: CVE-2010-2191; Only triggerable by malicious script
+052: CVE-2010-2191; Only triggerable by malicious script
+053: CVE-2010-2191; Only triggerable by malicious script
+054: CVE-2010-2191; Only triggerable by malicious script
+055: CVE-2010-2191; Only triggerable by malicious script
 056: No CVE yet; Does not affect Lenny; should be fixed in unstable
 057: No CVE yet; Does not affect Lenny; should be fixed in unstable
 058: No CVE yet; Does not affect Lenny; should be fixed in unstable


_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits

Reply via email to