Author: jmm
Date: 2011-07-04 16:58:01 +0000 (Mon, 04 Jul 2011)
New Revision: 16887

Modified:
   data/CVE/list
   data/DSA/list
   data/next-point-update.txt
   data/spu-candidates.txt
Log:
evince and php5 fixed
new chrome issue
new torque issue (FD, please file bug/create ticket)
php/sockets issue doesn't affect Lenny
dbus CVEfied, fix old entry
remove spu updates from candidate list, which have been released
add dokuwiki spu upload
CVE-2011-2605 was also fixed by recent iceweasel/iceape/xulrunner DSA
NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2011-07-04 07:28:33 UTC (rev 16886)
+++ data/CVE/list       2011-07-04 16:58:01 UTC (rev 16887)
@@ -3,79 +3,86 @@
        [squeeze] - stardict <no-dsa> (minor information disclosure)
        [lenny] - stardict <no-dsa> (minor information disclosure)
 CVE-2011-2641 (Opera 11.11 allows remote attackers to cause a denial of 
service ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2640 (Opera before 11.10 allows remote attackers to cause a denial of 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2639 (Opera before 11.10 does not properly handle hidden animated GIF 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2638 (Unspecified vulnerability in Opera before 11.10 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2637 (Unspecified vulnerability in Opera before 11.10 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2636 (Unspecified vulnerability in Opera before 11.10 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2635 (The Cascading Style Sheets (CSS) implementation in Opera before 
11.10 ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2634 (Opera before 11.10 allows remote attackers to hijack (1) 
searches and ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2633 (Unspecified vulnerability in Opera before 11.11 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2632 (Opera before 11.11 does not properly handle destruction of a 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2631 (The Cascading Style Sheets (CSS) implementation in Opera before 
11.11 ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2630 (Opera before 11.11 allows user-assisted remote attackers to 
cause a ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2629 (Unspecified vulnerability in Opera before 11.11 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2628 (Opera before 11.11 does not properly implement FRAMESET 
elements, ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2627 (Unspecified vulnerability in the DOM implementation in Opera 
before ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2626 (Opera before 11.50 allows remote attackers to cause a denial of 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2625 (Opera before 11.50 allows remote attackers to cause a denial of 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2624 (Opera before 11.50 allows user-assisted remote attackers to 
cause a ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2623 (Unspecified vulnerability in the SVG BiDi implementation in 
Opera ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2622 (Unspecified vulnerability in the Web Workers implementation in 
Opera ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2621 (Unspecified vulnerability in Opera before 11.50 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2620 (Unspecified vulnerability in Opera before 11.50 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2619 (Opera before 11.50 allows remote attackers to cause a denial of 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2618 (Opera before 11.50 allows remote attackers to cause a denial of 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2617 (Unspecified vulnerability in Opera before 11.50 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2616 (Unspecified vulnerability in Opera before 11.50 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2615 (Unspecified vulnerability in Opera before 11.50 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2614 (The SVG implementation in Opera before 11.50 allows remote 
attackers ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2613 (The Array.prototype.join method in Opera before 11.50 allows 
remote ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2612 (Unspecified vulnerability in Opera before 11.50 allows remote 
...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2611 (Unspecified vulnerability in the printing functionality in 
Opera ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2610 (Unspecified vulnerability in Opera before 11.50 has unknown 
impact and ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2609 (Opera before 11.50 does not properly restrict data: URIs, which 
makes ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2608 (ovbbccb.exe 6.20.50.0 and earlier in HP OpenView Performance 
Agent ...)
-       TODO: check
+       NOT-FOR-US: Opera
 CVE-2011-2607 (Cross-site scripting (XSS) vulnerability in IBM Rational Team 
Concert ...)
        NOT-FOR-US: IBM Rational Team Concert
 CVE-2011-2606 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM 
Rational ...)
        NOT-FOR-US: IBM Rational Team Concert
 CVE-2011-2605 (CRLF injection vulnerability in the ...)
-       TODO: check
+       {DSA-2269-1 DSA-2268-1}
+       - xulrunner <removed>
+       [lenny] - xulrunner 1.9.0.19-12
+       - iceweasel 3.5.19-3
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
+       - iceape 2.0.14-3
+       [lenny] - iceape <not-affected> (Only a stub package)
+       - icedove 3.1.11-1
 CVE-2011-2604 (The Intel G41 driver 6.14.10.5355 on Windows XP SP3 allows 
remote ...)
        NOT-FOR-US: Windows XP
 CVE-2011-2603 (The NVIDIA 9400M driver 6.2.6 on Mac OS X 10.6.7 allows remote 
...)
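Review bot: the `NOT-FOR-US: Opera` tag on CVE-2011-2608 does not match its description, which is for ovbbccb.exe in HP OpenView Performance Agent; it looks like the tag was carried over from the run of Opera entries above it. Suggest `NOT-FOR-US: HP OpenView Performance Agent` so the triage state names the right product.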
@@ -87,7 +94,8 @@
 CVE-2011-2600 (The GPU support functionality in Windows XP does not properly 
restrict ...)
        NOT-FOR-US: Windows XP
 CVE-2011-2599 (Google Chrome 11 does not block use of a cross-domain image as 
a WebGL ...)
-       TODO: check
+       - chromium-browser <unfixed>
+       - webkit <undetermined>
 CVE-2011-2598 (The WebGL implementation in Mozilla Firefox 4.x allows remote 
...)
        - xulrunner <not-affected> (Only affects Firefox 4.0, not yet in 
unstable)
        - iceweasel <not-affected> (Only affects Firefox 4.0, not yet in 
unstable)
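Review bot: the new `- chromium-browser <unfixed>` line for CVE-2011-2599 carries no severity or bug reference, unlike the other `<unfixed>` entries in this diff (for example `- php5-suhosin <unfixed> (bug #631283)`); a `(bug #NNNNNN)` suffix once a ticket exists, and a severity, would keep the entry trackable. The `- webkit <undetermined>` line is fine as a placeholder until the shared WebGL code is checked.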
@@ -307,7 +315,7 @@
 CVE-2011-2510 [dokuwiki XSS in RSS code]
        RESERVED
        - dokuwiki 0.0.20110525a-1 (low; bug #631818)
-       [squeeze] - dokuwiki <no-dsa> (Minor issue)
+       [squeeze] - dokuwiki <no-dsa> (Minor issue, will be fixed in point 
update)
        [lenny] - dokuwiki <no-dsa> (Minor issue)
 CVE-2011-2509
        RESERVED
@@ -378,7 +386,7 @@
        - libcrypt-eksblowfish-perl <not-affected> (discovered and corrected in 
initial release in 2007)
        - php5-suhosin <unfixed> (bug #631283)
        - postgresql <unfixed> (bug #631285)
-       - php5 <unfixed> (bug #631347)
+       - php5 5.3.6-13 (bug #631347)
        NOTE: http://openwall.com/lists/oss-security/2011/06/20/2
 CVE-2011-2482
        RESERVED
@@ -987,7 +995,9 @@
 CVE-2011-2201
        RESERVED
 CVE-2011-2200 (The _dbus_header_byteswap function in dbus-marshal-header.c in 
D-Bus ...)
-       TODO: check
+       - dbus 1.4.12-1 (low; bug #629938)
+       [squeeze] - dbus 1.2.24-4+squeeze1
+       [lenny] - dbus <no-dsa> (Minor issue)
 CVE-2011-2197 (The cross-site scripting (XSS) prevention feature in Ruby on 
Rails 2.x ...)
        TODO: check
 CVE-2011-2196
@@ -995,7 +1005,7 @@
 CVE-2011-2195
        RESERVED
 CVE-2011-2193 (Multiple buffer overflows in Terascale Open-Source Resource and 
Queue ...)
-       TODO: check
+       - torque <unfixed>
 CVE-2011-2192 [libcurl inappropriate GSSAPI delegation]
        RESERVED
        {DSA-2271-1}
@@ -1716,7 +1726,8 @@
 CVE-2011-1939
        RESERVED
 CVE-2011-1938 (Stack-based buffer overflow in the socket_connect function in 
...)
-       - php5 <unfixed> (low)
+       - php5 5.3.6-13 (low)
+       [lenny] - php5 <not-affected> (The Lenny version doesn't use memcpy)
 CVE-2011-1937 (Cross-site scripting (XSS) vulnerability in Webmin 1.540 and 
earlier ...)
        NOT-FOR-US: Webmin
 CVE-2011-1936
@@ -1815,7 +1826,7 @@
 CVE-2011-1909
        RESERVED
 CVE-2011-1908 (Integer overflow in the Type 1 font decoder in the FreeType 
engine in ...)
-       TODO: check
+       NOT-FOR-US: Foxit Reader
 CVE-2011-1906 (Trustwave WebDefend Enterprise before 5.0 7.01.903-1.4 stores 
specific ...)
        NOT-FOR-US: Trustwave WebDefend Enterprise
 CVE-2011-1905 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
...)
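Review bot: the description of CVE-2011-1908 names the FreeType engine, so `NOT-FOR-US: Foxit Reader` should only stand if the affected code is Foxit's bundled copy; worth confirming the freetype package itself is not affected before closing the TODO, and recording that as a NOTE line if it is not.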
@@ -2233,7 +2244,7 @@
        {DSA-2264-1 DSA-2240-1}
        - linux-2.6 <unfixed> (low)
 CVE-2011-1775 (The CSecurityTLS::processMsg function in 
common/rfb/CSecurityTLS.cxx ...)
-       TODO: check
+       NOT-FOR-US: TigerVNC
 CVE-2011-1774
        RESERVED
        - xmlsec1 1.2.14-1.1
@@ -2287,7 +2298,7 @@
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=700867
        NOTE: 
http://git.fedorahosted.org/git/?p=sssd.git;a=commitdiff;h=fffdae81651b460f3d2c119c56d5caa09b4de42a
 CVE-2011-1757 (DJabberd 0.84 and earlier does not properly detect recursion 
during ...)
-       TODO: check
+       NOTE: DJabberd
 CVE-2011-1756 (modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not 
properly ...)
        {DSA-2250-1}
        - citadel <unfixed> (medium)
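Review bot: `NOTE: DJabberd` replaces the TODO with a bare note and leaves no triage state for CVE-2011-1757; every other not-in-Debian entry in this diff uses `NOT-FOR-US: <product>` (for example `NOT-FOR-US: TigerVNC`). This should probably read `NOT-FOR-US: DJabberd`, or carry a package line if djabberd is packaged.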
@@ -6175,7 +6186,7 @@
        - dtc 0.32.10-1
 CVE-2011-0433 [linetoken() buffer overflow]
        RESERVED
-       - evince <unfixed> (bug #614668)
+       - evince 2.32.0-1 (bug #614668)
        - vftool <unfixed> (low; bug #614669)
        [squeeze] - vftool <no-dsa> (Minor issue)
        [lenny] - vftool <no-dsa> (Minor issue)
@@ -14208,9 +14219,6 @@
        NOT-FOR-US: Adobe Reader
 CVE-2010-2200
        RESERVED
-       - dbus 1.4.12-1 (low; bug #629938)
-       [squeeze] - dbus 1.2.24-4+squeeze1
-       [lenny] - dbus <no-dsa> (Minor issue)
 CVE-2010-2199 (lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the 
...)
        - rpm <unfixed> (bug #584257; unimportant)
        NOTE: Marking as unimportant since rpm isn't used as a package manager

Modified: data/DSA/list
===================================================================
--- data/DSA/list       2011-07-04 07:28:33 UTC (rev 16886)
+++ data/DSA/list       2011-07-04 16:58:01 UTC (rev 16887)
@@ -9,7 +9,7 @@
        {CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2365 
CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2376 }
        [squeeze] - iceape 2.0.11-6
 [01 Jul 2011] DSA-2268-1 iceweasel - several
-       {CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2365 
CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2376 }
+       {CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2365 
CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2376 CVE-2011-2605 }
        [squeeze] - iceweasel 3.5.16-8
        [lenny] - xulrunner 1.9.0.19-12
 [01 Jul 2011] DSA-2267-1 perl - restriction bypass
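Review bot: the CVE/list entry for CVE-2011-2605 references both `{DSA-2269-1 DSA-2268-1}`, but only the DSA-2268-1 (iceweasel) CVE list is extended here; the preceding entry in this hunk's context, whose `[squeeze] - iceape 2.0.11-6` line shows it is the iceape advisory, still lists the same CVE set without CVE-2011-2605. Either add CVE-2011-2605 to that entry as well or drop DSA-2269-1 from the CVE/list reference so the two files agree.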

Modified: data/next-point-update.txt
===================================================================
--- data/next-point-update.txt  2011-07-04 07:28:33 UTC (rev 16886)
+++ data/next-point-update.txt  2011-07-04 16:58:01 UTC (rev 16887)
@@ -1,3 +1,5 @@
 CVE-2011-1498
        [squeeze] - httpcomponents-client 4.0.1-1squeeze1
+CVE-2011-2510
+       [squeeze] - dokuwiki 0.0.20091225c-10+squeeze2
 

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt     2011-07-04 07:28:33 UTC (rev 16886)
+++ data/spu-candidates.txt     2011-07-04 16:58:01 UTC (rev 16887)
@@ -21,11 +21,6 @@
 
 --
 
-dokuwiki (XML-RPC vulns)
-maintainer is working on uploads
-
---
-
 fail2ban [fail2ban: Insecure creating/writing to tmpfile]
 #544232
 
@@ -68,13 +63,6 @@
 
 --
 
-openldap (CVE-2011-1024/CVE-2011-1025/CVE-2011-1081)
-#617606
-maintainer preparing upload
-thijs prepared upload
-
---
-
 tesseract (CVE-2011-1136)
 #612032
 awaiting maintainer response

