Author: jmm
Date: 2012-01-31 07:52:14 +0000 (Tue, 31 Jan 2012)
New Revision: 18339

Modified:
   data/CVE/list
   data/next-point-update.txt
Log:
squeeze 6.0.4, part 3


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2012-01-31 07:46:07 UTC (rev 18338)
+++ data/CVE/list       2012-01-31 07:52:14 UTC (rev 18339)
@@ -3218,10 +3218,13 @@
        [lenny] - linux-2.6 <not-affected> (Vulnerable code not present)
 CVE-2011-4603 (The silc_channel_message function in ops.c in the SILC protocol 
plugin ...)
        - pidgin 2.10.1-1 (low)
+       [squeeze] - pidgin 2.7.3-1+squeeze2
 CVE-2011-4602 (The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 
does not ...)
        - pidgin 2.10.1-1 (low)
+       [squeeze] - pidgin 2.7.3-1+squeeze2
 CVE-2011-4601 (family_feedbag.c in the oscar protocol plugin in libpurple in 
Pidgin ...)
        - pidgin 2.10.1-1 (low)
+       [squeeze] - pidgin 2.7.3-1+squeeze2
 CVE-2011-4600
        RESERVED
 CVE-2011-4599
@@ -4888,15 +4891,14 @@
 CVE-2011-4029
        RESERVED
        - xorg-server 2:1.11.1.901-2 (low)
-       [squeeze] - xorg-server <no-dsa> (Minor issue, will be fixed in a point 
update)
+       [squeeze] - xorg-server 2:1.7.7-14
        [lenny] - xorg-server <no-dsa> (Minor issue)
        NOTE: 
http://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4
        NOTE: this has a poc now: 
http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt 
-       TODO: max impact is info disclosure, which tends to be treated w low 
urgency, but this allows reading of any file, e.g. /etc/shadow, so should 
urgency be higher?
 CVE-2011-4028
        RESERVED
        - xorg-server 2:1.11.1.901-2 (low)
-       [squeeze] - xorg-server <no-dsa> (Minor issue, will be fixed in a point 
update)
+       [squeeze] - xorg-server 2:1.7.7-14
        [lenny] - xorg-server <no-dsa> (Minor issue)
        NOTE: 
http://cgit.freedesktop.org/xorg/xserver/commit/?id=6ba44b91e37622ef8c146d8f2ac92d708a18ed34
 CVE-2011-4027
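Review bot: in the CVE-2011-4029 entry the TODO asking whether urgency should be higher is deleted without the question being answered. The unstable line still reads (low), while the retained NOTE points to a PoC and the removed text says the issue allows reading any file, e.g. /etc/shadow. Either raise the urgency or keep a one-line NOTE recording why low was retained, so the decision is not lost along with the TODO.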
@@ -6311,7 +6313,7 @@
        - joomla <itp> (bug #571794)
 CVE-2011-3594 (The g_markup_escape_text function in the SILC protocol plug-in 
in ...)
        - pidgin 2.10.1-1 (unimportant)
-       NOTE: http://developer.pidgin.im/ticket/14636
+       [squeeze] - pidgin 2.7.3-1+squeeze2
        NOTE: relatively obscure client crash
 CVE-2011-3593
        RESERVED
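Review bot: for CVE-2011-3594 the [squeeze] line replaces the "NOTE: http://developer.pidgin.im/ticket/14636" line instead of being added beside it, so the upstream ticket reference is dropped. The other pidgin entries in this commit are pure additions. Unless the removal is intended, keep the NOTE and add the [squeeze] line above it.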
@@ -6934,7 +6936,7 @@
        [lenny] - php5 <not-affected> (Introduced in 5.3.7)
 CVE-2011-3378 (RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote 
...)
        - rpm 4.9.1.2-1 (low; bug #645325)
-       [squeeze] - rpm <no-dsa> (rpm isn't used a a package manager, very 
limited attack vector)
+       [squeeze] - rpm 4.8.1-6+squeeze1
        [lenny] - rpm <no-dsa> (rpm isn't used a a package manager, very 
limited attack vector)
 CVE-2011-3377
        RESERVED
@@ -7527,7 +7529,7 @@
 CVE-2010-4818 [X.org multiple input sanitization flaws]
        RESERVED
        - xorg-server 2:1.9.99.902-1
-       [squeeze] - xorg-server <no-dsa> (Minor issue, will be fixed in a point 
update)
+       [squeeze] - xorg-server 2:1.7.7-4
        [lenny] - xorg-server <no-dsa> (Minor issue)
        NOTE: As per https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4818 
three commits with theoretical sec impact:
        NOTE: 
http://cgit.freedesktop.org/xorg/xserver/commit/?id=6c69235a9dfc52e4b4e47630ff4bab1a820eb543
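Review bot: the squeeze version for CVE-2010-4818 is recorded here as 2:1.7.7-4, but the entry removed from data/next-point-update.txt in this same commit lists 2:1.7.7-14 for that CVE, matching the CVE-2011-4029 and CVE-2011-4028 lines. Please confirm which version carries the fix. If -4 is a typo for -14, uploads between the two would be reported as fixed when they are not.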
@@ -8316,7 +8318,7 @@
        RESERVED
        - xpdf 3.02-19 (low; bug #635849)
        [lenny] - xpdf <no-dsa> (zxpdf script is indeed affected, but it's not 
associated with pdf handling by default, so not a concern for remote abuse)
-       [squeeze] - xpdf <no-dsa> (zxpdf script is indeed affected, but it's 
not associated with pdf handling by default, so not a concern for remote abuse)
+       [squeeze] - xpdf 3.02-12+squeeze1
 CVE-2011-2901 Xen <= 3.3 DoS due to incorrect virtual address validation
        RESERVED
        - xen <not-affected> (Only affects Xen <= 3.3)
@@ -11230,6 +11232,7 @@
        NOT-FOR-US: Silverlight
 CVE-2011-1843 (Integer overflow in conf.c in Tinyproxy before 1.8.3 might 
allow ...)
        - tinyproxy 1.8.2-2 (unimportant; bug #627503)
+       [squeeze] - tinyproxy 1.8.2-1squeeze2
        NOTE: Only exploitable through config files, which are under admin 
control
 CVE-2011-1842 (dbus_backend/lsd.py in the D-Bus backend in language-selector 
before ...)
        NOT-FOR-US: Ubuntu-specific language-selector package
@@ -12038,7 +12041,7 @@
        NOTE: "...code path in question is no longer reachable..." not sure 
when this was fixed
 CVE-2011-1575 (The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 
1.0.30 ...)
        - pure-ftpd 1.0.30-1 (low)
-       [squeeze] - pure-ftpd <no-dsa> (Will be fixed in stable point update)
+       [squeeze] - pure-ftpd 1.0.28-3+squeeze1
        [lenny] - pure-ftpd <no-dsa> (Minor issue)
 CVE-2011-1574 (Stack-based buffer overflow in the ReadS3M method in 
load_s3m.cpp in ...)
        {DSA-2226-1}

Modified: data/next-point-update.txt
===================================================================
--- data/next-point-update.txt  2012-01-31 07:46:07 UTC (rev 18338)
+++ data/next-point-update.txt  2012-01-31 07:52:14 UTC (rev 18339)
@@ -1,25 +1,3 @@
-CVE-2011-4029
-       [squeeze] - xorg-server 2:1.7.7-14
-CVE-2011-4028
-       [squeeze] - xorg-server 2:1.7.7-14
-CVE-2010-4818
-       [squeeze] - xorg-server 2:1.7.7-14
-CVE-2011-3378
-       [squeeze] - rpm 4.8.1-6+squeeze1
-CVE-2011-2902
-       [squeeze] - xpdf 3.02-12+squeeze1
-CVE-2011-1843
-       [squeeze] - tinyproxy 1.8.2-1squeeze2
 CVE-2011-4617
        [squeeze] - python-virtualenv 1.4.9-3squeeze1
-CVE-2011-3594
-       [squeeze] - pidgin 2.7.3-1+squeeze2
-CVE-2011-4601
-       [squeeze] - pidgin 2.7.3-1+squeeze2
-CVE-2011-4602
-       [squeeze] - pidgin 2.7.3-1+squeeze2
-CVE-2011-4603
-       [squeeze] - pidgin 2.7.3-1+squeeze2
-CVE-2011-1575
-       [squeeze] - pure-ftpd 1.0.28-3+squeeze1
 


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
