[Secure-testing-commits] r3085 - data/CVE doc

Moritz Muehlenhoff jmm-guest at costa.debian.org
Sun Dec 18 12:21:18 UTC 2005


Author: jmm-guest
Date: 2005-12-18 12:21:13 +0000 (Sun, 18 Dec 2005)
New Revision: 3085

Modified:
   data/CVE/list
   doc/narrative_introduction
Log:
more syntax conversions
note in narrative-introduction that oldstable is now fully supported


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2005-12-18 12:02:31 UTC (rev 3084)
+++ data/CVE/list	2005-12-18 12:21:13 UTC (rev 3085)
@@ -16124,10 +16124,14 @@
 	[sarge] - kernel-source-2.6.8 2.6.8-8
 	- kernel-source-2.4.27 2.4.27-7
 CVE-2004-0813 (Unknown vulnerability in the SG_IO functionality in ide-cd allows ...)
-	NOTE: ide-cd SG_IO vulnerability
-	NOTE: fixed in recent 2.6 and 2.4 kernels
+	- linux-2.6 <not-affected> (Fixed before upload into archive)
+	- kernel-source-2.4.27 <not-affected> (Fixed before upload into archive)
+	TODO: Check, when this was fixed in 2.4
+	TOOD: Check, when this was fixed in 2.6
 CVE-2004-0812 (Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD ...)
-	NOTE: only affects kernels before 2.4.23 on amd64
+	- linux-2.6 <not-affected>
+	- kernel-source-2.4.27 <not-affected> (Fixed before upload into archive)
+	TODO: Check, when this was fixed in 2.4
 CVE-2004-0811 (Unknown vulnerability in Apache 2.0.51 prevents &quot;the merging of the ...)
 	- apache2 2.0.52
 CVE-2004-0810 (Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to ...)
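Review bot: The second TODO added under CVE-2004-0813 is spelled "TOOD:", so a search or parser looking for TODO markers will miss it; it should read "TODO: Check, when this was fixed in 2.6". Separately, both kernel lines for CVE-2004-0813 are already marked <not-affected> with "Fixed before upload into archive" while the TODOs say the fixing versions have not been checked yet, so the comment should say the status is provisional until they are resolved. For CVE-2004-0812 the description itself gives "before 2.4.23", which may already answer the 2.4 TODO.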
@@ -16179,8 +16183,8 @@
 	{DSA-538}
 	- rsync 2.6.2-3
 CVE-2004-0791 (Multiple TCP/IP and ICMP implementations allow remote attackers to ...)
-	NOTE: All 2.4 and 2.6 kernels verify the TCP sequence numbering when errors occur
-	NOTE: Kernel will never abort due to an ICMP packet
+	- kernel-source-2.4.27 <not-affected> (Kernel verifies the TCP sequence nr. on errors, will never abort)
+	- linux-2.6 <not-affected> (Kernel verifies the TCP sequence nr. on errors, will never abort)
 CVE-2004-0790 (Multiple TCP/IP and ICMP implementations allow remote attackers to ...)
 	- kernel-source-2.6.8 2.6.8-16 (bug #305664)
 	- kernel-source-2.4.27 2.4.27-10 (bug #305664)
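Review bot: The two new lines for CVE-2004-0791 cover kernel-source-2.4.27 and linux-2.6 only, while the removed NOTE applied to "All 2.4 and 2.6 kernels" and the neighbouring CVE-2004-0790 entry tracks kernel-source-2.6.8 as a separate package. Consider adding a matching "- kernel-source-2.6.8 <not-affected> (...)" line so that package is not left without a status for this CVE. The abbreviation "nr." in the comment would read better spelled out as "number".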
@@ -16191,9 +16195,9 @@
 	- gtk+2.0 2.4.9-2
 	- gdk-pixbuf 0.22.0-7
 CVE-2004-0787 (Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA ...)
-	NOT-FOR-US: seems OpenCA is 
+	NOT-FOR-US: OpenCA
 CVE-2004-0786 (The IPv6 URI parsing routines in the apr-util library for Apache ...)
-	NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge
+	- apache <not-affected>	(not vulnerable according to http://www.debian.org/security/nonvulns-sarge)
 	- apache2 2.0.51
 CVE-2004-0785 (Multiple buffer overflows in Gaim before 0.82 allow remote attackers ...)
 	- gaim 1:0.82
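Review bot: The new line for CVE-2004-0786 separates "<not-affected>" from its parenthesised comment with a tab, where every other converted line in this commit uses a single space; replace the tab with a space so the entry matches the rest of the list. It would also help to say in the comment why apache is not affected, since the CVE description names apr-util and the fixed package listed below is apache2.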
@@ -16217,7 +16221,7 @@
 CVE-2004-0778 (CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote ...)
 	- cvs 1:1.12.9
 CVE-2004-0777 (Format string vulnerability in the auth_debug function in Courier-IMAP ...)
-	NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge
+	[sarge] - courier <not-affected> (not vulnerable; #266723)
 	- courier-imap 2.2.2
 CVE-2004-0776
 	RESERVED
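Review bot: In CVE-2004-0777 the new line names the package "courier" while the fixed-version line directly below it names "courier-imap"; if both refer to the same source package, use one name in both lines. The bug reference is written as "#266723", whereas other entries in this file use the form "bug #305664"; "(not vulnerable; bug #266723)" would match.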
@@ -16292,11 +16296,11 @@
 CVE-2004-0748 (mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause ...)
 	- apache2 2.0.51
 CVE-2004-0747 (Buffer overflow in Apache 2.0.50 and earlier allows local users to ...)
-	NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge
+	[sarge] - apache2 <not-affected>
 	- apache2 2.0.51
 CVE-2004-0746 (Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for ...)
-	- kdelibs 4:3.2.3-3.sarge.1
-	NOTE: in t-p-u; 4.3.3 in unstable also fixes it
+	[sarge] - kdelibs 4:3.2.3-3.sarge.1
+	- kdelibs 4:3.3
 CVE-2004-0745 (LHA 1.14 and earlier allows attackers to execute arbitrary commands ...)
 	- lha 1.14i-10 (bug #279870)
 CVE-2004-0744 (The TCP/IP Networking component in Mac OS X before 10.3.5 allows ...)
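Review bot: The unstable version added for CVE-2004-0746 is "- kdelibs 4:3.3", while the other kdelibs entries touched by this commit (CVE-2004-0721, CVE-2004-0690) use the full version "4:3.3.0-1"; use the same complete version here. In CVE-2004-0747 the conversion to "[sarge] - apache2 <not-affected>" drops the nonvulns-sarge reference that the removed NOTE carried; keeping it in a parenthesised comment, as was done for CVE-2004-0786, preserves the rationale.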
@@ -16346,13 +16350,14 @@
 CVE-2004-0722 (Integer overflow in the SOAPParameter object constructor in (1) ...)
 	- mozilla 2:1.6
 CVE-2004-0721 (Konqueror 3.1.3, 3.2.2, and possibly other versions does not properly ...)
-	- konqueror 4:3.2.3-1.sarge.1
-	- kdelibs 4:3.2.3-3.sarge.1
-	NOTE: in t-p-u; also fixed in 4.3.3 in unstable
+	[sarge] - kdebase 4:3.2.3-1.sarge.1
+	[sarge] - kdelibs 4:3.2.3-3.sarge.1
+	- kdelibs 4:3.3.0-1
+	- kdebase 4:3.3.0-1
 CVE-2004-0720 (Safari 1.2.2 does not properly prevent a frame in one domain from ...)
 	NOT-FOR-US: Safari
 CVE-2004-0719 (Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows XP, ...)
-	NOTE: not-fos-us (Microsoft)
+	NOT-FOR-US: Microsoft
 CVE-2004-0718 (The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) ...)
 	{DSA-810-1 DSA-777-1 DSA-775-1 DTSA-7-1 DTSA-8-2 DTSA-14-1}
 	NOTE: This has been fixed in mozilla-firefox 0.8 and mozilla 1.6, but recent
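Review bot: In CVE-2004-0721 the package name changes from "konqueror" to "kdebase", which is more than the syntax conversion the log message describes; mention the rename in the log so the history of the entry stays traceable. The [sarge] lines list kdebase before kdelibs and the unstable lines list kdelibs before kdebase; use one order for both pairs.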
@@ -16384,15 +16389,21 @@
 CVE-2004-0707 (SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before ...)
 	- bugzilla 2.16.7-0.1
 CVE-2004-0706 (Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, ...)
-	NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian
+	[woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+	[sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+	- bugzilla 2.18-1
 CVE-2004-0705 (Multiple cross-site scripting (XSS) vulnerabilities in (1) ...)
 	- bugzilla 2.16.7-0.1
 CVE-2004-0704 (Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in ...)
 	- bugzilla 2.16.7-0.1
 CVE-2004-0703 (Unknown vulnerability in the administrative controls in Bugzilla ...)
-	NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian
+	[woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+	[sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+	- bugzilla 2.18-1
 CVE-2004-0702 (DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password ...)
-	NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian
+	[woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+	[sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable)
+	- bugzilla 2.18-1
 CVE-2004-0701 (Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 and 8 ...)
 	NOT-FOR-US: Solaris
 CVE-2004-0700 (Format string vulnerability in the mod_proxy hook functions function ...)
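Review bot: The three "- bugzilla 2.18-1" lines (CVE-2004-0706, CVE-2004-0703, CVE-2004-0702) record a fixed version for unstable, but the removed NOTE said 2.17 was "not yet in Debian". If no 2.17.* version was ever uploaded, the unstable entry should be "- bugzilla <not-affected> (...)" with a comment like the "Fixed before upload into archive" wording used for the kernel entries, rather than a fixed version that implies an earlier vulnerable upload.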
@@ -16424,8 +16435,8 @@
 	- qt-x11-free 3:3.3.3-4
 	- qt-copy <removed>
 CVE-2004-0690 (The DCOPServer in KDE 3.2.3 and earlier allows local users to gain ...)
-	- kdelibs 4:3.2.3-3.sarge.1
-	NOTE: in t-p-u, 4.3.3 in unstable is also fixed
+	[sarge] - kdelibs 4:3.2.3-3.sarge.1
+	- kdelibs 4:3.3.0-1
 CVE-2004-0689 (KDE before 3.3.0 does not properly handle when certain symbolic links ...)
 	{DSA-539}
 	- kdelibs 4:3.3.0-1
@@ -16433,7 +16444,6 @@
 	{DSA-561-1 DSA-560-1}
 	NOTE: Matej Vela has checked that these are backported to lesstif1 as well
 	- lesstif1-1 1:0.93.94-10
-	NOTE: openmotif is non-free
 	- openmotif 2.2.3-1.1 (bug #308819; low)
 	- xfree86 4.3.0.dfsg.1-8
 	- xorg-x11 <not-affected> (Fixed before introduction into archive)
@@ -16441,14 +16451,13 @@
 	{DSA-561-1 DSA-560-1}
 	NOTE: Matej Vela has checked that these are backported to lesstif1 as well
 	- lesstif1-1 1:0.93.94-10
-	NOTE: openmotif is non-free
 	- openmotif 2.2.3-1.1 (bug #308819; low)
 	- xfree86 4.3.0.dfsg.1-8
 	- xorg-x11 <not-affected> (Fixed before introduction into archive)
 CVE-2004-0686 (Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the ...)
 	- samba 3.0.5 (bug #260839; bug #260838)
 CVE-2004-0685 (Certain USB drivers in the Linux 2.4 kernel use the copy_to_user ...)
-	NOTE: Fixed in upstream 2.4.27
+	- kernel-source-2.4.27 2.4.27-1
 CVE-2004-0684 (WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, ...)
 	NOT-FOR-US: WebSphere Edge Server
 CVE-2004-0683 (Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to ...)
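Review bot: CVE-2004-0685 now has only "- kernel-source-2.4.27 2.4.27-1" and says nothing about linux-2.6, whereas the kernel entries converted earlier in this commit give an explicit status for both 2.4 and 2.6. Add a linux-2.6 line with its status, or a TODO to check it, so the entry does not read as if 2.6 was never reviewed. The removal of "NOTE: openmotif is non-free" in this hunk and the previous one is not covered by the log message either.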

Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction	2005-12-18 12:02:31 UTC (rev 3084)
+++ doc/narrative_introduction	2005-12-18 12:21:13 UTC (rev 3085)
@@ -320,7 +320,7 @@
 thus be used to
 - Present the security history of a package
 - Provide overviews of vulnerable packages in stable, testing, sid and
-  soon oldstable (it still has some false positives, wrt packages in
+  oldstable (it still has some false positives, wrt packages in
   stable that are present in stable, but not vulnerable, but these
   will be ironed out soon)
 - Generate a list of packages that are subject to security problems, but
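Review bot: With "soon" removed, the parenthetical "(it still has some false positives, ...)" now attaches to oldstable without saying whether the false positives concern oldstable or the overview as a whole, and the unchanged continuation "packages in stable that are present in stable, but not vulnerable" repeats "in stable". Since this bullet is being touched anyway, reword the parenthetical to say which suite the false positives affect.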



