[Secure-testing-commits] r973 - sarge-checks/CAN

Moritz Muehlenhoff jmm-guest@costa.debian.org
Tue, 03 May 2005 22:13:25 +0000


Author: jmm-guest
Date: 2005-05-03 22:13:18 +0000 (Tue, 03 May 2005)
New Revision: 973

Modified:
   sarge-checks/CAN/list
Log:
bugnums for kernel DoS issues.
I don't think the Postgres salt issue is a real problem, if anyone
disagrees please file a bug.


Modified: sarge-checks/CAN/list
===================================================================
--- sarge-checks/CAN/list	2005-05-03 21:44:38 UTC (rev 972)
+++ sarge-checks/CAN/list	2005-05-03 22:13:18 UTC (rev 973)
@@ -58,9 +58,9 @@
 CAN-2005-1370 (Unknown vulnerability in Radia Management Agent (RMA) in HP OpenView ...)
 	NOTE: not-for-us (HO OpenView)
 CAN-2005-1369 (The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before ...)
-	- kernel-source-2.6.8 (unfixed; bug filed)
+	- kernel-source-2.6.8 (unfixed; bug #307552)
 CAN-2005-1368 (The key_user_lookup function in security/keys/key.c in Linux kernel ...)
-	- kernel-source-2.6.8 (unfixed; bug filed)
+	- kernel-source-2.6.8 (unfixed; bug #307553)
 CAN-2005-1367
 	NOTE: reserved
 CAN-2005-1366
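
Review bot: The context line under CAN-2005-1370 reads "NOTE: not-for-us (HO OpenView)" while the description directly above it names HP OpenView; since this commit is editing the neighbouring entries anyway, correct "HO" to "HP" in the same pass. The two replaced lines for CAN-2005-1369 and CAN-2005-1368 keep the existing "(unfixed; bug #N)" form with distinct numbers, so nothing further is needed there.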
@@ -401,7 +401,9 @@
 CAN-2005-1205
 	NOTE: reserved
 CAN-2002-1657 (PostgreSQL uses the username for a salt when generating passwords, ...)
-	TODO: check
+	NOTE: This is not a real world problem; it's only applicable in rare circurstances
+	NOTE: like someone analysing stolen user database information and even then the gain
+	NOTE: is slim. In that case SHA256 hashes would be more appropriate anyway.
 CAN-2005-XXXX [libpam-ssh: Inproper caching of pwd data with potential security implications]
 	- libpam-ssh 1.91.0-9
 CAN-2005-1204 (Desktop Rover 3.0, and possibly earlier versions, allows remote ...)
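
Review bot: The three NOTE lines added under CAN-2002-1657 replace "TODO: check" with a free-text rationale but no package line, so the entry no longer shows as open yet records no status for any PostgreSQL package, unlike the "- package (status)" lines used for the kernel-source-2.6.8 and libpam-ssh entries in this diff. Consider adding an explicit package line next to the notes so the decision is visible to anyone scanning the list rather than only to someone reading the prose. The closing remark about SHA256 addresses the hash function, not the username-derived salt that the CAN description is about, so the rationale would be clearer if it said which of the two the "slim gain" assessment rests on. Also, "circurstances" in the first added line should be "circumstances".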