Author: jmm-guest
Date: 2010-08-16 15:16:45 +0000 (Mon, 16 Aug 2010)
New Revision: 15154

Modified:
   data/CVE/list
Log:
- new issues in webkitkde and rekonq, both fixed
- record mapserver fixes in sid
- tiff fixed
- mark some xulrunner issues only in experimental as not-affected
- jboss issues don't affect Debian
- NFUs
- remove historic TODOs


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2010-08-15 03:59:29 UTC (rev 15153)
+++ data/CVE/list       2010-08-16 15:16:45 UTC (rev 15154)
@@ -105,9 +105,9 @@
 CVE-2010-2927 (The slapi_printmessage function in IBM Tivoli Directory Server 
(ITDS) ...)
        NOT-FOR-US: Tivoli
 CVE-2009-4976 (Cross-site scripting (XSS) vulnerability in webkitpart.cpp in 
...)
-       TODO: check
+       - webkitkde 0.4svn1059630-1
 CVE-2009-4975 (Cross-site scripting (XSS) vulnerability in webview.cpp in ...)
-       TODO: check
+       - rekonq 0.5.0-1
 CVE-2010-XXXX [Insufficient stripping of CR/LF allows arbitrary IRC command 
execution]
        - libpoe-component-irc-perl 6.32+dfsg-1
        [lenny] - libpoe-component-irc-perl <no-dsa> (#581194)
@@ -892,7 +892,7 @@
 CVE-2010-2634
        RESERVED
 CVE-2010-2633 (Unspecified vulnerability in EMC Disk Library (EDL) before 
3.2.7, ...)
-       TODO: check
+       NOT-FOR-US: EMC
 CVE-2010-2632
        RESERVED
 CVE-2010-2631 (LibTIFF 3.9.0 ignores tags in certain situations during the 
first ...)
@@ -1097,10 +1097,10 @@
        RESERVED
 CVE-2010-2540 (mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 
5.6.4 ...)
        {DSA-2079-1}
-       TODO: check
+       - mapserver 5.6.4-1
 CVE-2010-2539 (Buffer overflow in the msTmpFile function in maputil.c in 
mapserv in ...)
        {DSA-2079-1}
-       TODO: check
+       - mapserver 5.6.4-1
 CVE-2010-2538 [btrfs issue]
        RESERVED
        - linux-2.6 <unfixed>
@@ -1901,7 +1901,7 @@
 CVE-2010-2234
        RESERVED
 CVE-2010-2233 (tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, 
as used ...)
-       - tiff <unfixed>
+       - tiff 3.9.1-1
        [lenny] - tiff <not-affected> (Only affects 3.9.x)
 CVE-2010-2232
        RESERVED
@@ -2771,7 +2771,7 @@
 CVE-2010-1914 (The Zend Engine in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 
allows ...)
        - php5 <unfixed> (unimportant)
 CVE-2010-1871 (JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise 
Application ...)
-       TODO: check
+       - jbossas4 <not-affected> (Only builds a few libraries, not the full 
application server, #581226)
 CVE-2010-1870
        RESERVED
 CVE-2010-1869 (Stack-based buffer overflow in the parser function in 
GhostScript 8.70 ...)
@@ -3002,7 +3002,7 @@
 CVE-2010-1795
        RESERVED
 CVE-2010-1794 (The webdav_mount function in webdav_vfsops.c in the WebDAV 
kernel ...)
-       TODO: check
+       NOT-FOR-US: Apple
 CVE-2010-1793 (Multiple use-after-free vulnerabilities in WebKit in Apple 
Safari ...)
        - webkit <undetermined>
        - chromium-browser <undetermined>
@@ -3767,9 +3767,9 @@
 CVE-2010-1519
        RESERVED
 CVE-2010-1518 (Array index error in the SetDLInfo method in the GIGABYTE 
Dldrv2 ...)
-       TODO: check
+       NOT-FOR-US: GIGABYTE Dldrv2 ActiveX control
 CVE-2010-1517 (The GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote 
attackers ...)
-       TODO: check
+       NOT-FOR-US: GIGABYTE Dldrv2 ActiveX control
 CVE-2010-1516
        RESERVED
 CVE-2010-1515 (Multiple cross-site scripting (XSS) vulnerabilities in 
index.php in ...)
@@ -4799,7 +4799,7 @@
        - icedove 3.0.6-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-1210 (intl/uconv/util/nsUnicodeDecodeHelper.cpp in Mozilla Firefox 
before ...)
-       TODO: check
+       - xulrunner <not-affected> (Only affects 1.9.2 and above)
 CVE-2010-1209 (Use-after-free vulnerability in the NodeIterator implementation 
in ...)
        - xulrunner 1.9.1.11-1
        [lenny] - xulrunner <not-affected> (Only affects 1.9.1 and above)
@@ -4811,7 +4811,7 @@
        - iceape 2.0.6-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-1207 (Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 do 
not ...)
-       TODO: check
+       - xulrunner <not-affected> (Only affects 1.9.2 and above)
 CVE-2010-1206 (The startDocumentLoad function in 
browser/base/content/browser.js in ...)
        - iceweasel 3.5.11-1
        [lenny] - iceweasel <not-affected> (Vulnerable code not present)
@@ -16302,7 +16302,6 @@
        - libpng 1.2.37-1 (low; bug #533676)
        [etch] - libpng <no-dsa> (Minor issue, only exploitable in rare setups)
        - xulrunner <not-affected> (xulrunner dynamically linked against 
libpng; embeded code copy not used)
-       TODO: check tuxonice-userui
 CVE-2009-2041 (Cross-site scripting (XSS) vulnerability in A51 D.O.O. 
activeCollab ...)
        NOT-FOR-US: activeCollab
 CVE-2009-2040 (admin/options.php in Grestul 1.2 does not properly restrict 
access, ...)
@@ -21417,7 +21416,6 @@
 CVE-2008-6218 (Memory leak in the png_handle_tEXt function in pngrutil.c in 
libpng ...)
        {DSA-1750-1}
        - libpng 1.2.33-1
-       TODO: check tuxonice-userui
 CVE-2008-6217 (Cross-site scripting (XSS) vulnerability in index.php in 
Extrakt ...)
        NOT-FOR-US: Extrakt Framework
 CVE-2008-6216 (SQL injection vulnerability in cadena_ofertas_ext.php in 
Venalsur ...)
@@ -23213,7 +23211,6 @@
        {DSA-1790-1}
        - xpdf 3.02-1.4+lenny1 (medium; bug #524809)
        [squeeze] - xpdf 3.02-1.4+lenny1
-       TODO: check poppler cups kdegraphics swftools
 CVE-2009-0194 (The domain-locking implementation in the ...)
        NOT-FOR-US: Garmin Communicator Plug-In
 CVE-2009-0193 (Heap-based buffer overflow in Adobe Acrobat Reader 9 before 
9.1, 8 ...)
@@ -23442,7 +23439,6 @@
 CVE-2008-5907 (The png_check_keyword function in pngwutil.c in libpng before 
1.0.42, ...)
        {DSA-1750-1}
        - libpng 1.2.35-1 (bug #512665)
-       TODO: check tuxonice-userui
        NOTE: Only an issues when using libpng to create out-of-spec images
 CVE-2008-5906 (Eval injection vulnerability in the web interface plugin in 
KTorrent ...)
        - ktorrent2.2 2.2.8.dfsg.1-1 (bug #504178)
@@ -23654,7 +23650,7 @@
 CVE-2009-0067
        RESERVED
 CVE-2009-0066 (Multiple unspecified vulnerabilities in Intel system software 
for ...)
-       TODO: will be presented at Black Hat
+       NOT-FOR-US: Intel system software for TXT
 CVE-2009-0065 (Buffer overflow in net/sctp/sm_statefuns.c in the Stream 
Control ...)
        {DSA-1794-1 DSA-1787-1 DSA-1749-1}
        - linux-2.6 2.6.29-1
@@ -24335,7 +24331,6 @@
        - icedove 2.0.0.22-1 (bug #535124)
        [squeeze] - icedove 2.0.0.22-0lenny1
        - libpng 1.2.35-1 (bug #516256)
-       TODO: check tuxonice-userui
 CVE-2009-0039 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
the web ...)
        - geronimo <itp> (bug #481869)
 CVE-2009-0038 (Multiple cross-site scripting (XSS) vulnerabilities in the web 
...)
@@ -42081,7 +42076,6 @@
 CVE-2007-5377 (The (1) tramp-make-temp-file and (2) tramp-make-tramp-temp-file 
...)
        - tramp <not-affected> (the version we ship still uses make-temp-file)
        - emacs22 <not-affected> (the version we ship still uses make-temp-file)
-       TODO: check if upstream release > 22.1 gets uploaded
 CVE-2007-5376
        RESERVED
 CVE-2007-5375 (Interpretation conflict in the Sun Java Virtual Machine (JVM) 
allows ...)
@@ -49472,7 +49466,6 @@
        NOTE: only be considered vunerabile if they process confidential data.
        NOTE: The frameworks should be fixed in any case.
 CVE-2007-2384 (The Script.aculo.us framework exchanges data using JavaScript 
Object ...)
-       TODO: check glpi knowledgeroot mt-daapd op-panel python-webhelpers qwik 
rails wordpress
        NOTE: see 
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
        NOTE: This allows to steal data from affected websites. Therefore web 
applications should
        NOTE: only be considered vunerabile if they process confidential data.
@@ -49542,7 +49535,6 @@
        NOTE: only be considered vunerabile if they process confidential data.
        NOTE: The frameworks should be fixed in any case.
 CVE-2007-2381 (The MochiKit framework exchanges data using JavaScript Object 
Notation ...)
-       TODO: check python-paste
        NOTE: see 
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
        NOTE: This allows to steal data from affected websites. Therefore web 
applications should
        NOTE: only be considered vunerabile if they process confidential data.
@@ -90161,7 +90153,6 @@
 CVE-2004-0433 (Multiple buffer overflows in the Real-Time Streaming Protocol 
(RTSP) ...)
        - mplayer 1.0~pre6a-1
        - xine-lib 1-rc4
-       TODO: check vlc (a problem in the xine-lib rtsp code copy.  this was 
likely fixed a long time ago, but i can't find a link to the relevant code 
anymore to compare to)
 CVE-2004-0432 (ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR 
based ACL ...)
        - proftpd 1.2.9-4
 CVE-2004-0431 (Integer overflow in Apple QuickTime (QuickTime.qts) before 
6.5.1 ...)


_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits

Reply via email to