[Secure-testing-commits] r2506 - data/DSA

Florian Weimer fw at costa.debian.org
Thu Oct 20 12:16:08 UTC 2005


Author: fw
Date: 2005-10-20 12:16:07 +0000 (Thu, 20 Oct 2005)
New Revision: 2506

Modified:
   data/DSA/list
Log:
Add woody and sarge status for some DSAs.


Modified: data/DSA/list
===================================================================
--- data/DSA/list	2005-10-20 12:14:18 UTC (rev 2505)
+++ data/DSA/list	2005-10-20 12:16:07 UTC (rev 2506)
@@ -12,861 +12,929 @@
 	NOTE: wrapper script in a vulnerable version.
 [13 Oct 2005] DSA-865-1 hylafax - insecure temporary files
 	{CVE-2005-3069}
-	- hylafax 1:4.2.2-1
+	[woody] - hylafax 1:4.1.1-3.2
+	[sarge] - hylafax 1:4.2.1-5sarge1
 	NOTE: not fixed in testing at time of DSA (missing arm)
 [13 Oct 2005] DSA-864-1 ruby1.8 - programming error
 	{CVE-2005-2337}
-	- ruby1.6 1.6.8-13
+	[sarge] - ruby1.8 1.8.2-7sarge2
 	NOTE: not fixed in testing at time of DSA (RC bugs)
 [12 Oct 2005] DSA-863-1 xine-lib - format string vulnerability
 	{CVE-2005-2967}
-	- xine-lib <unfixed> (bug #332919; medium)
+	[woody] - xine-lib 0.9.8-2woody4
+	[sarge] - xine-lib 1.0.1-1sarge1
 	NOTE: not fixed in testing at time of DSA (unfixed in sid)
 [11 Oct 2005] DSA-862-1 ruby1.6 - programming error
 	{CVE-2005-2337}
-	- ruby1.6 1.6.8-13
-	NOTE: fixed in testing at time of DSA
+	[sarge] - ruby1.6 1.6.8-12sarge1
+	NOTE: not fixed in testing at time of DSA (RC bugs)
 [11 Oct 2005] DSA-861-1 up-imap - buffer overflow
 	{CVE-2005-2933}
-	- uw-imap 7:2002edebian1-12
+	[sarge] - uw-imap 7:2002edebian1-11sarge1
 	NOTE: not fixed in testing at time of DSA (unfixed in sid)
 [11 Oct 2005] DSA-860-1 ruby - programming error
 	{CVE-2005-2337}
-	- ruby <removed>
+	[woody] - ruby 1.6.7-3woody5
 	NOTE: fixed in testing at time of DSA (woody-only DSA)
 [10 Oct 2005] DSA-859-1 xli - buffer overflows
 	{CVE-2005-3178}
-	- xli 1.17.0-20 (medium)
+	[woody] - xli 1.17.0-11woody2
+	[sarge] - xli 1.17.0-18sarge1
 	NOTE: not fixed in testing at time of DSA (unfixed in sid)
 [10 Oct 2005] DSA-858-1 xloadimage - buffer overflows
 	{CVE-2005-3178}
-	- xloadimage 4.1-15 (bug #332524; medium)
+	[woody] - xloadimage 4.1-10woody2 (bug #332524; medium)
+	[sarge] - xloadimage 4.1-14.3
 	NOTE: not fixed in testing at time of DSA (too young)
 [10 Oct 2005] DSA-857-1 graphviz - insecure temporary file
 	{CVE-2005-2965}
-	- graphviz 2.2.1-1sarge1 (low) 
+	[sarge] - graphviz 2.2.1-1sarge1 (low) 
 	NOTE: fixed in testing at time of DSA
 [10 Oct 2005] DSA-856-1 py2play - design error
 	{CVE-2005-2875}
-	- py2play 0.1.8-1 (bug #326976; medium)
+	[sarge] - py2play 0.1.7-1sarge1 (bug #326976; medium)
 	NOTE: fixed in testing at time of DSA
 [10 Oct 2005] DSA-855-1 weex - format string vulnerability
 	{CVE-2005-3150}
-	- weex 2.6.1-6sarge1 (bug #332424; medium)
+	[sarge] - weex 2.6.1-6sarge1 (bug #332424; medium)
+	[woody] - weex 2.6.1-4woody2 (bug #332424; medium)
 	NOTE: not fixed in testing at time of DSA (DSA fix propagated to sid)
 [09 Oct 2005] DSA-854-1 tcpdump - infinite loop
 	{CVE-2005-1267}
-	- tcpdump 3.9.0.cvs.20050614-1
+	[sarge] - tcpdump 3.8.3-5sarge1
+	[woody] - tcpdump <not-affected> (not affected according to DSA)
 	NOTE: fixed in testing at time of DSA
 [09 Oct 2005] DSA-853-1 ethereal - several
 	{CVE-2005-2360 CVE-2005-2361 CVE-2005-2363 CVE-2005-2364 CVE-2005-2365 CVE-2005-2366 CVE-2005-2367}
-	- ethereal 0.10.12-1
+	[woody] - ethereal 0.9.4-1woody13
+	[sarge] - ethereal 0.10.10-2sarge3
 	NOTE: not fixed in testing at time of DSA (not fixed in unstable)
 [08 Oct 2005] DSA-852-1 up-imapproxy - arbitrary code execution
 	{CVE-2005-2661}
-	- up-imapproxy 1.2.4-2
+	[sarge] - up-imapproxy 1.2.3-1sarge1
 	NOTE: not fixed in testing at time of DSA (not fixed in unstable)
 [08 Oct 2005] DSA-851-1 openvpn - denial of service
 	{CVE-2005-2531 CVE-2005-2532 CVE-2005-2533 CVE-2005-2534}
-	- openvpn 2.0.2-1
+	[sarge] - openvpn 2.0-1sarge1
 	NOTE: fixed in testing at time of DSA
 [08 Oct 2005] DSA-850-1 tcpdump - denial of service
 	{CVE-2005-1279}
-	- tcpdump 3.8.3-4
+	[woody] - tcpdump 3.6.2-2.9
 	NOTE: fixed in testing at time of DSA (woody-only DSA)
 [08 Oct 2005] DSA-849-1 shorewall - programming error
 	{CVE-2005-2317}
-	- shorewall 2.4.2-2
+	[woody] - shorewall <not-affected> (vulnerable code not yet present)
+	[sarge] - shorewall 2.2.3-2
 	NOTE: fixed in testing at time of DSA
 [08 Oct 2005] DSA-848-1 masqmail - several
 	{CVE-2005-2662 CVE-2005-2663}
-	- masqmail 0.2.20-1sarge1
+	[woody] - masqmail 0.1.16-2.2
+	[sarge] - masqmail 0.2.20-1sarge1
 	NOTE: not fixed in testing at time of DSA (not fixed in unstable)
 [08 Oct 2005] DSA-847-1 dia - missing input sanitising
 	{CVE-2005-2966}
-	- dia 0.94.0-15 (bug #330890; medium)
+	[sarge] - dia 0.94.0-7sarge1 (bug #330890; medium)
+	[woody] - dia <not-affected> (not affected according to DSA)
 	NOTE: not fixed in testing at time of DSA, missing sparc build, gcc-4.0
 [07 Oct 2005] DSA-846-1 cpio - several
 	{CVE-2005-1111 CVE-2005-1229}
-	- cpio 2.6-6
+	[woody] - cpio 2.4.2-39woody2
+	[sarge] - cpio 2.5-1.3
 	NOTE: fixed in testing at time of DSA
 [06 Oct 2005] DSA-845-1 mason - programming error
 	{CVE-2005-3118}
-	- mason 1.0.0-3
+	[woody] - mason 0.13.0.92-2woody1
+	[sarge] - mason 1.0.0-2.2
 	NOTE: fixed in testing at time of DSA
 [05 Oct 2005] DSA-844-1 mod-auth-shadow - programming error
 	{CVE-2005-2963}
-	- mod-auth-shadow 1.4-2 
+	[woody] - mod-auth-shadow 1.3-3.1woody.2
+	[sarge] - mod-auth-shadow 1.4-1sarge1
 	NOTE: not fixed in testing at time of DSA (missing m68k)
 [05 Oct 2005] DSA-843-1 arc - insecure temporary file
 	{CVE-2005-2945 CVE-2005-2992}
-	- arc 5.21m-1
+	[sarge] - arc 5.21l-1sarge1
 	NOTE: fixed in testing at time of DSA
 [04 Oct 2005] DSA-842-1 egroupware - missing input sanitising
 	{CVE-2005-2498}
-	- egroupware 1.0.0.009.dfsg-1
+	[sarge] - egroupware 1.0.0.007-2.dfsg-2sarge2
 	NOTE: fixed in testing at time of DSA
 [04 Oct 2005] DSA-841-1 mailutils - format string vulnerability
         {CVE-2005-2878}
-        - mailutils 1:0.6.90-2.1etch1
+	[woody] - mailutils <not-affected> (not affected according to DSA)
+        [sarge] - mailutils 1:0.6.1-4sarge1
 	NOTE: not fixed in testing at time of DSA (missing arm)
 [04 Jul 2005] DSA-840-1 drupal - missing input sanitising
 	{CVE-2005-2498}
-	- drupal 4.5.5-1
+	[sarge] - drupal 4.5.3-4
 	NOTE: fixed in testing at time of DSA
 [04 Oct 2005] DSA-839-1 apachetop - insecure temporary file
 	{CVE-2005-2660}
-	- apachetop 0.12.5-3
+	[sarge] - apachetop 0.12.5-1sarge1
 	NOTE: not fixed in testing at time of DSA (not built on m68k, waiting on gcc-4)
 [03 Oct 2005] DSA-838-1 mozilla-firefox - multiple vulnerabilities
 	{CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707}
-	- mozilla-firefox 1.0.7-1
+	[sarge] - mozilla-firefox 1.0.4-2sarge5
 	NOTE: not fixed in testing at time of DSA (not built on arm, silly RC bugs)
 [02 Oct 2005] DSA-837-1 mozilla-firefox - buffer overflow
 	{CVE-2005-2871}
-	- mozilla-firefox 1.0.6-5 (medium)
+	[sarge] - mozilla-firefox 1.0.4-2sarge4 (medium; bug #327452)
 	NOTE: not fixed in testing at time of DSA (not built on arm, silly RC bugs)
 [01 Oct 2005] DSA-836-1 cfengine2 - insecure temporary files
 	{CVE-2005-2960 CVE-2005-3137}
-	- cfengine2 <unfixed> 
+	[sarge] - cfengine2 2.1.14-1sarge1
 	NOTE: not fixed in testing at time of DSA (unfixed in sid)
 	NOTE: No bug exists for this issue
 [01 Oct 2005] DSA-835-1 cfengine - insecure temporary files
 	{CVE-2005-2960 CVE-2005-3137}
-	- cfengine <unfixed>
+	[woody] - cfengine 1.6.3-9woody1
+	[sarge] - cfengine 1.6.5-1sarge1
 	NOTE: not fixed in testing at time of DSA (unfixed in sid)
 	NOTE: No bug exists for this issue
 [01 Oct 2005] DSA-834-1 prozilla - buffer overflow
 	{CVE-2005-2961}
+	[woody] - prozilla 1:1.3.6-3woody3
 	NOTE: Prozilla has been removed before Sarge release
 [30 Sep 2005] DSA-832-1 gopher - buffer overflows
 	{CVE-2005-2772}
-	- gopher 3.0.11
+	[woody] - gopher 3.0.3woody4
 	NOTE: fixed in testing at time of DSA
 [30 Sep 2005] DSA-831-1 mysql-dfsg-4.1 - several
 	{CVE-2005-2558}
-	- mysql-dfsg-4.1 4.1.14-2 (medium) 
-	- mysql-dfsg-5.0 5.0.11beta-3 (medium)
+	[sarge] - mysql-dfsg-4.1 4.1.11a-4sarge2
 	NOTE: not fixed in testing at time of DSA (waiting on gmp, missing builds)
 [30 Sep 2005] DSA-830-1 ntlmaps - wrong permissions
 	{CVE-2005-2962}
-	- ntlmaps 0.9.9-4 
+	[sarge] - ntlmaps 0.9.9-2sarge1
 	NOTE: fixed in testing at time of DSA
 [30 Sep 2005] DSA-829-1 mysql - several
 	{CVE-2005-2558}
-	- mysql-dfsg-4.1 4.1.14-2 (medium) 
-	- mysql-dfsg-5.0 5.0.11beta-3 (medium)
+	[woody] - mysql 3.23.49-8.14
 	NOTE: fixed in testing at time of DSA
 [30 Sep 2005] DSA-828-1 squid - several
 	{CVE-2005-2917}
-	- squid 2.5.10-6 (medium)
+	[woody] - squid <not-affected> (not affected according to DSA)
+	[sarge] - squid 2.5.9-10sarge2
 	NOTE: fixed in testing at time of DSA
 [30 Sep 2005] DSA-809-2 squid - assertion error
 	{CVE-2005-2794}
-	- squid 2.5.10-5 (medium)
+	[woody] - squid 2.4.6-2woody10
+	[sarge] - squid 2.5.9-10sarge1
 	NOTE: fixed in testing at time of DSA
+	NOTE: This is partly an update for another DSA.
 [29 Sep 2005] DSA-827-1 backupninja - insecure temporary file creation
-	- backupninja 0.8-2 (medium)	
+	{CVE-2005-3111}
+	[sarge] - backupninja 0.5-3sarge1 (medium)	
 	NOTE: not fixed in testing at time of DSA (too young 1/2 days)
 [29 Sep 2005] DSA-826-1 helix-player - multiple
 	{CVE-2005-1766 CVE-2005-2710}
-	- helix-player 1.0.6-1 (high)
+	[sarge] - helix-player 1.0.4-1sarge1 (high)
 	NOTE: not fixed in testing at time of DSA
 [29 Sep 2005] DSA-825-1 loop-aes-utils - privilege escalation
 	{CVE-2005-2876}
-	- loop-aes-utils 2.12p-9 (medium)
+	[sarge] - loop-aes-utils 2.12p-4sarge1 (medium)
 	NOTE: fixed in testing at the time of the DSA
 [29 Sep 2005] DSA-823-1 util-linux - privilege escalation
 	{CVE-2005-2876}
-	- util-linux 2.12p-8 (high)
+	[woody] - util-linux 2.11n-7woody1 (high)
+	[sarge] - util-linux 2.12p-4sarge1 (high)
 	NOTE: not fixed in testing at time of DSA
 [29 Sep 2005] DSA-822-1 gtkdiskfree - insecure temporary file creation
 	{CVE-2005-2918}
-	- gtkdiskfree 1.9.3-4sarge1 (medium)
+	[sarge] - gtkdiskfree 1.9.3-4sarge1 (bug #328566; medium)
 	NOTE: not fixed even in unstable at time of DSA
 [29 Sep 2005] DSA-824-1 clamav - infinite loop, buffer overflow
 	{CVE-2005-2919 CVE-2005-2920}
-	- clamav 0.87-1 (high)
+	[sarge] - clamav 0.84-2.sarge.4 (high)
 	NOTE: not fixed in testing at time of DSA
 [28 Sep 2005] DSA-797-2 zsync - buffer overflow
 	{CVE-2005-1849 CVE-2005-2096}
-	- zsync 0.3.3-1.sarge.1.2 (low)
-	NOTE: An upload to fix a FTBS
+	NOTE: An upload to fix a build failure on i386
 [28 Sep 2005] DSA-821-1 python2.3 - integer overflow
 	{CVE-2005-2491}
-	- python2.3 2.3.5-8 (medium)
+	[sarge] - python2.3 2.3.5-3sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on gmp)
+	NOTE: python2.3 is not in woody
 [24 Sep 2005] DSA-820-1 courier - missing input sanitising
 	{CVE-2005-2820}
-	- courier 0.47-9 (medium)
+	[woody] - courier 0.37.3-2.7 (medium)
+	[sarge] - courier 0.47-4sarge3 (medium)
 	NOTE: fixed in testing at time of DSA
 [23 Sep 2005] DSA-819-1 python2.1 - integer overflow
 	{CVE-2005-2491}
-	- python2.1 2.1.3dfsg-3 (medium)
+	[woody] - python2.1 2.1.3-3.4 (medium)
+	[sarge] - python2.1 2.1.3dfsg-1sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on gmp)
 [22 Sep 2005] DSA-818-1 kdeedu - insecure temporary files
 	{CVE-2005-2101}
-	- kdeedu 4:3.4.2-1
+	[sarge] - kdeedu 4:3.3.2-3.sarge.1 (low)
 	NOTE: not fixed in testing at time of DSA
+	NOTE: woody is not affected according to the DSA
 [22 Sep 2005] DSA-817-1 python2.2 - integer overflow
 	{CVE-2005-2491}
-	- python2.2 2.2.3dfsg-4 (medium)
+	[woody] - python2.2 2.2.1-4.8 (bug #324531; medium) 
+	[sarge] - python2.2 2.2.3dfsg-2sarge1 (bug #324531; medium)
 	NOTE: not fixed in testing at time of DSA (waiting on gmp)
 [19 Sep 2005] DSA-816-1 xfree86 - integer overflow
+	{ VU#102441 }
 	{CVE-2005-2495}
-	- xserver-xorg 6.8.2.dfsg.1-7
+	[woody] - xfree86 4.1.0-16woody7
+	[sarge] - xfree86 4.3.0.dfsg.1-14sarge1
 	NOTE: not fixed in testing at time of DSA (waiting on gcc, which is waiting on gmp)
 [16 Sep 2005] DSA-815-1 kdebase - programming error
 	{CVE-2005-2494}
-	- kdebase 4:3.4.2-3 (medium)
+	[sarge] - kdebase 4:3.3.2-1sarge1 (bug #327039; medium)
+	[woody] - kdebase <not-affected> (according to the DSA)
 	NOTE: not fixed in testing at time of DSA (not even fixed in unstable)
 [15 Sep 2005] DSA-814-1 lm-sensors - insecure temporary file
 	{CVE-2005-2672}
-	- lm-sensors 1:2.9.1-6etch1
+	[sarge] - lm-sensors 1:2.9.1-1sarge2 (bug #324193)
+	[woody] - lm-sensors <not-affected> (according to DSA)
 	NOTE: not fixed in testing at time of DSA (waiting on rrdtool, which is waiting on perl)
 [15 Sep 2005] DSA-813-1 centericq - several
 	{CVE-2005-2369 CVE-2005-2370 CVE-2005-2448}
-	- centericq 4.20.0-9
+	[woody] - centericq <not-affected> (according to DSA)
+	[sarge] - centericq 4.20.0-1sarge2
 	NOTE: fixed in testing in time of DSA
 [15 Sep 2005] DSA-812-1 turqstat - buffer overflow
 	{CVE-2005-2658}
-	- turqstat 2.2.4-1 (medium)
+	[woody] - turqstat 2.2.1woody1 (medium)
+	[sarge] - turqstat 2.2.2sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on qt, borked on m68k)
 [14 Sep 2005] DSA-811-1 common-lisp-controller - design error
 	{CVE-2005-2657}
-	- common-lisp-controller 4.18 (bug #328633; medium)
+	[woody] - common-lisp-controller <not-affected> (according to the DSA)
+	[sarge] - common-lisp-controller 4.15sarge2 (bug #328633; medium)
 	NOTE: not fixed in testing at time of DSA (too young, sid fix not yet uploaded)
 [13 Sep 2005] DSA-810-1 mozilla - several
 	{CVE-2004-0718 CVE-2005-1937 CVE-2005-2260 CVE-2005-2261 CVE-2005-2263 CVE-2005-2265 CVE-2005-2266 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270}
-	- mozilla 2:1.7.8-1sarge2 (medium)
+	[sarge] - mozilla 2:1.7.8-1sarge2 (medium)
 	NOTE: not fixed in testing at time of DSA (buggy and TBS)
 [13 Sep 2005] DSA-809-1 squid - several
 	{CVE-2005-2794 CVE-2005-2796}
-	- squid 2.5.10-5 (medium)
+	[sarge] - squid 2.5.9-10sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (too young)
 [12 Sep 2005] DSA-808-1 tdiary - design error
 	{CVE-2005-2411}
-	- tdiary 2.0.2-1 (medium)
+	[sarge] - tdiary 2.0.1-1sarge1 (medium)
 	NOTE: fixed in testing at time of DSA
 [12 Sep 2005] DSA-807-1 libapache-mod-ssl - acl restriction bypass
 	{CVE-2005-2700}
-	- libapache-mod-ssl 2.8.24-1 (medium) 
+	[woody] - libapache-mod-ssl 2.8.9-2.5 (medium)
+	[sarge] - libapache-mod-ssl 2.8.22-1sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (too young)
 [09 Sep 2005] DSA-806-1 gcvs - insecure temporary files
 	{CVE-2005-2693}
-	- gcvs 1.0final-7 (low)
+	[woody] - gcvs 1.0a7-2woody1 (low)
+	[sarge] - gcvs 1.0final-5sarge1 (low)
 	NOTE: fixed in testing at time of DSA
 [08 Sep 2005] DSA-805-1 apache2 - several
 	{CVE-2005-1268 CVE-2005-2088 CVE-2005-2700 CVE-2005-2728}
-	- apache2 2.0.54-5 (medium)
+	[sarge] - apache2 2.0.54-5 (medium)
 	NOTE: not fixed in testing at time of DSA (too young)
 [08 Sep 2005] DSA-804-1 kdelibs - insecure permissions
 	{CVE-2005-1920}
-	- kdelibs 4:3.4.2-1 (medium)
+	[sarge] - kdelibs 4:3.3.2-6.2 (medium)
 	NOTE: not fixed in testing at time of DSA (kde transition)
 [07 Sep 2005] DSA-803-1 apache - programming error
 	{CVE-2005-2088}
-	- apache 1.3.33-8 (medium)
+	[woody] - apache 1.3.26-0woody7 (medium)
+	[sarge] - apache 1.3.33-6sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (too young)
 [07 Sep 2005] DSA-802-1 cvs - insecure temporary files
 	{CVE-2005-2693}
-	- cvs 1:1.11.5-4 (low)
+	[woody] - cvs 1.11.1p1debian-13 (low)
+	NOTE: not exposed in sarge according to the DSA
 	NOTE: fixed in testing at time of DSA
 [05 Sep 2005] DSA-801-1 ntp - programming error
 	{CVE-2005-2496}
-	- ntp 1:4.2.0a+stable-2sarge1 (medium)
+	[sarge] - ntp 1:4.2.0a+stable-2sarge1 (medium)
+	[woody] - ntp <not-affected> (not affected according to DSA)
 	NOTE: not fixed in testing at time of DSA (RC bugs)
 [02 Sep 2005] DSA-800-1 pcre3 - integer overflow
 	{CVE-2005-2491}
-	- pcre3 6.3-0.1etch1 (high)
+	[woody] - pcre3 3.4-1.1woody1
+	[sarge] - pcre3 4.5-1.2sarge1
 	NOTE: not fixed in testing at time of DSA (glibc transition)
 	NOTE: however, fixed in secure-testing archive
 [02 Sep 2005] DSA-799-1 webcalendar - input validation
 	{CVE-2005-2717}
-	- webcalendar 0.9.45-7 (bug #326223; high)
+	[sarge] - webcalendar 0.9.45-4sarge2 (bug #326223; high)
 	NOTE: not fixed in testing at time of DSA (coordinated disclosure)
 [02 Sep 2005] DSA-798-1 phpgroupware - several
 	{CVE-2005-2498 CVE-2005-2600 CVE-2005-2761}
-	- phpgroupware 0.9.16.008-1 (high)
+	[woody] - phpgroupware <not-affected> (according to the DSA)
+	[sarge] - phpgroupware 0.9.16.005-3.sarge2 (high)
 	NOTE: not fixed in testing at time of DSA (too young)
 [01 Sep 2005] DSA-797-1 zsync - buffer overflow
 	{CVE-2005-1849 CVE-2005-2096}
-	- zsync 0.4.0-2 (medium) 
+	[sarge] - zsync 0.3.3-1.sarge.1 (medium) 
 	NOTE: fixed in testing at time of DSA
 [01 Sep 2005] DSA-796-1 affix - unsafe use of popen
 	{CVE-2005-2716}
-	- affix 2.1.2-3 (medium) 
+	[sarge] - affix 2.1.1-3 (medium) 
 	NOTE: not fixed in testing at time of DSA (glibc transition, builds)
 [01 Sep 2005] DSA-795-2 proftpd - format string error
 	{CVE-2005-2390}
-	- proftpd 1.2.10-20 (medium)
+	[woody] - proftpd <not-affected> (not affected according to the DSA)
+	[sarge] - proftpd 1.2.10-15sarge1 (medium)
 	NOTE: fixed in testing at time of DSA
 	NOTE: Initial -1 release had a build problem
 [01 Sep 2005] DSA-794-1 polygen - programming error
 	{CVE-2005-2656}
-	- polygen 1.0.6-9 (low)
+	[sarge] - polygen 1.0.6-7sarge1 (low)
 	NOTE: not fixed in testing at time of DSA (too young)
 [21 Aug 2005] DSA-779-2 mozilla-firefox - several
 	NOTE: Essentially 1.0.6 with rolled-back version number, backported version had regressions
 	{CVE-2005-2260 CVE-2005-2261 CVE-2005-2262 CVE-2005-2263 CVE-2005-2264 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270}
-	- mozilla-firefox 1.0.4-2sarge3 (medium)
+	[sarge] - mozilla-firefox 1.0.4-2sarge3 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on dependencies)
 	NOTE: Fixed in DTSA, which will have the same regressions, should be checked/reverted
 [01 Sep 2005] DSA-793-1 courier - missing input sanitising
 	{CVE-2005-2724}
-	- courier 0.47-8 (medium)
+	[woody] - courier 0.37.3-2.6 (medium)
+	[sarge] - courier 0.47-4sarge2 (medium)
 	NOTE: not fixed in testing at time of DSA (glibc transition, too young)
 [31 Aug 2005] DSA-792-1 pstotext - missing input sanitising
 	{CVE-2005-2536}
-	- pstotext 1.9-2 (medium)
+	[woody] - pstotext 1.8g-5woody1 (medium)
+	[sarge] - pstotext 1.9-1sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (glibc transition, builds)
 [30 Aug 2005] DSA-791-1 maildrop - missing privilege release
 	{CVE-2005-2655}
-	- maildrop 1.5.3-1.1etch1 (medium)
+	[sarge] - maildrop 1.5.3-1.1sarge1
+	[woody] - maildrop <not-affected> (not affected according to the DSA)
 	NOTE: not fixed in testing at time of DSA (glibc transition)
 	NOTE: but fixed in secure-testing repo
 [30 Aug 2005] DSA-790-1 phpldapadmin - programming error
 	{CVE-2005-2654}
-	- phpldapadmin 0.9.6c-5 (medium)
+	[sarge] - phpldapadmin 0.9.5-3sarge2 (medium)
 	NOTE: fixed in testing at time of DSA
 [29 Aug 2005] DSA-789-1 php4 - several
 	{CVE-2005-1751 CVE-2005-1921 CVE-2005-2498}
-	- php4 4:4.3.10-16etch1 (high)
+	[woody] - php4 4:4.1.2-7.woody5 (high)
+	[sarge] - php4 4:4.3.10-16 (high)
 	NOTE: not fixed in testing at time of DSA (not uploaded yet)
 [29 Aug 2005] DSA-788-1 kismet - several
 	{CVE-2005-2626 CVE-2005-2627}
-	- kismet 2005.08.R1-1 (medium)
+	[woody] - kismet <not-affected> (not affected according to DSA)
+	[sarge] - kismet 2005.04.R1-1sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (glibc transition)
 	NOTE: but fixed in secure-testing repo
 [26 Aug 2005] DSA-787-1 backup-manager - insecure permissions and tempfile
 	{CVE-2005-1855 CVE-2005-1856}
-	- backup-manager 0.5.8-2 (medium)
+	[sarge] - backup-manager 0.5.7-1sarge1 (medium)
 	NOTE: fixed in testing at time of DSA
 [26 Aug 2005] DSA-786-1 simpleproxy - format string vulnerability
 	{CVE-2005-1857}
-	- simpleproxy 3.2-4 (medium)
+	[sarge] - simpleproxy 3.2-3sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (embargoed disclosure)
 [25 Aug 2005] DSA-785-1 libpam-ldap - authentication bypass
 	{CVE-2005-2641 CVE-2005-2069}
-	- libpam-ldap 178-1sarge1 (medium)
+	[woody] - libpam-ldap <not-affected> (not affected according to DSA)
+	[sarge] - libpam-ldap 178-1sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (embargoed disclosure)
 [25 Aug 2005] DSA-784-1 courier - programming error
 	{CVE-2005-2151}
-	- courier 0.47-6 (low)
+	[woody] - courier <not-affected> (no SPF support)
+	[sarge] - courier 0.47-4sarge1 (low)
 	NOTE: not fixed in testing at time of DSA (glibc transition)
 [24 Aug 2005] DSA-783-1 mysql-dfsg-4.1 - insecure temporary file
 	{CVE-2005-1636}
-	- mysql-dfsg-4.1 4.1.12 (medium; bug #319526)
-	NOTE: not fixed in testing at time of DSA (glibc transition)
-	- mysql-dfsg-5.0 5.0.11beta-3 (medium)
-	NOTE: not fixed in testing at time of DSA (glibc transition)
+	[sarge] - mysql-dfsg-4.1 4.1.11a-4sarge1 (low)
 [23 Aug 2005] DSA-782-1 bluez-utils - missing input sanitising
 	{CVE-2005-2547}
-	- bluez-utils 2.19-1 (high)
+	[sarge] - bluez-utils 2.15-1.1 (high)
 	NOTE: not fixed in testing at time of DSA (missing builds)
 [23 Aug 2005] DSA-781-1 mozilla-thunderbird - several
 	{CVE-2005-0989 CVE-2005-1159 CVE-2005-1160 CVE-2005-1532 CVE-2005-2261 CVE-2005-2265 CVE-2005-2266 CVE-2005-2269 CVE-2005-2270}
-	- mozilla-thunderbird 1.0.6-1 (medium)
+	[sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.6 (medium)
 	NOTE: not fixed in testing at time of DSA (missing builds)
 [22 Aug 2005] DSA-780-1 kdegraphics - wrong input sanitising
 	{CVE-2005-2097}
-	- kdegraphics 4:3.4.2-1 (bug #322458; low)
+	[woody] - kdegraphics <not-affected> (not affected according to DSA)
+	[sarge] - kdegraphics 4:3.3.2-2sarge1 (bug #322458; low)
 	NOTE: not fixed in testing at time of DSA (nor in unstable; C++ ABI transition)
 [21 Aug 2005] DSA-779-1 mozilla-firefox - several
 	{CVE-2005-2260 CVE-2005-2261 CVE-2005-2262 CVE-2005-2263 CVE-2005-2264 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270}
-	- mozilla-firefox 1.0.4-2sarge3 (medium)
+	[sarge] - mozilla-firefox 1.0.4-2sarge2 (medium)
 	NOTE: not fixed in testing at time of DSA (build and deps)
 [19 Aug 2005] DSA-778-1 mantis - missing input sanitising
 	{CVE-2005-2556 CVE-2005-2557}
-	- mantis 0.19.2-4 (medium)
+	[sarge] - mantis 0.19.2-4 (medium)
 	NOTE: not fixed in testing at time of DSA (nor unstable)
 [17 Aug 2005] DSA-777-1 mozilla - frame injection spoofing
 	{CVE-2004-0718 CVE-2005-1937}
-	- mozilla 2:1.7.10-1 (medium)
+	[sarge] - mozilla 2:1.7.8-1sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on builds)
 [16 Aug 2005] DSA-776-1 clamav - integer overflows, infinite loop
 	{CVE-2005-2450}
-	- clamav 0.86.2-1 (medium)
+	[sarge] - clamav 0.84-2.sarge.2 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on dependencies)
 [12 Aug 2005] DSA-775-1 mozilla-firefox - frame injection spoofing
 	{CVE-2004-0718 CVE-2005-1937}
-	- mozilla-firefox 1.0.4-2sarge3 (medium)
+	[sarge] - mozilla-firefox 1.0.4-2sarge1 (medium)
 	NOTE: IMO the information about the sid fix in the DSA is wrong, pinged security@
 	NOTE: fixed in testing at time of DSA
 [12 Aug 2005] DSA-774-1 fetchmail - buffer overflow
 	{CVE-2005-2335}
-	- fetchmail 6.2.5-16 (medium)
+	[woody] - fetchmail <not-affected> (not affected according to DSA)
+	[sarge] - fetchmail 6.2.5-12sarge1 (medium)
 	NOTE: fixed in testing at time of DSA
 [11 Aug 2005] DSA-773-1 New amd64 packages fix several bugs
 	NOTE: amd64 catch-up DSA, no new holes
 [03 Aug 2005] DSA-772-1 apt-cacher - missing input sanitising
 	{CVE-2005-1854}
-	- apt-cacher 0.9.10 (high)
+	[sarge] - apt-cacher 0.9.4sarge1 (high)
 	NOTE: not fixed in testing at time of DSA (not uploaded to unstable yet)
 [01 Aug 2005] DSA-771-1 pdns - several
-	{CVE-2005-2301 CVE-2005-2302} 
-	- pdns 2.9.18-1 (medium)
+	{CVE-2005-2301 CVE-2005-2302}
+	[sarge] - pdns 2.9.17-13sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (too young)
 [29 Jul 2005] DSA-770-1 gopher - insecure tmpfile handling
 	{CVE-2005-1853}
-	- gopher 3.0.10
+	[woody] - gopher 3.0.3woody3
+	[sarge] - gopher 3.0.7sarge1
 	NOTE: not fixed in testing at time of DSA (Debian server outage)
 [29 Jul 2005] DSA-769-1 gaim - memory alignment bug
 	{CVE-2005-2370}
-	- gaim 1:1.4.0-5 (high)
+	[sarge] - gaim 1:1.2.1-1.4 (low)
 	NOTE: not fixed in testing at time of DSA (?)
 [27 Jul 2005] DSA-768-1 phpbb2 - missing input validation
 	{CVE-2005-2161}
-	- phpbb2 2.0.13-6sarge1
+	[sarge] - phpbb2 2.0.13+1-6sarge1
 	NOTE: not fixed in testing at time of DSA (Debian server outage)
 [27 Jul 2005] DSA-767-1 ekg - integer overflows
 	{CVE-2005-1852}
-	- ekg 1:1.5+20050718+1.6rc3-1 (medium)
+	[sarge] - ekg 1:1.5+20050411-5 (medium)
 	NOTE: not fixed in testing at time of DSA (Debian server outage)
 [26 Jul 2005] DSA-766-1 webcalendar - authorisation failure
 	{CVE-2005-2320}
-	- webcalendar 0.9.45-7 (medium)
+	[sarge] - webcalendar 0.9.45-4sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (Debian server outage)
 [22 Jul 2005] DSA-765-1 heimdal - buffer overflow
 	{CVE-2005-0469}
-	- heimdal 0.6.3-10 (medium)
+	[woody] - heimdal 0.4e-7.woody.11 (medium)
 	NOTE: fixed in testing at time of DSA
 [21 Jul 2005] DSA-764-1 cacti - several
 	{CVE-2005-1524 CVE-2005-1525 CVE-2005-1526 CVE-2005-2148 CVE-2005-2149}
-	- cacti 0.8.6f-1 (high)
+	[woody] - cacti 0.6.7-2.5 (high)
+	[sarge] - cacti 0.8.6c-7sarge2 (high)
 	NOTE: fixed in testing at time of DSA
 	NOTE: DSA information is incorrect, sid fix is 6f, not 6e
 [20 Jul 2005] DSA-763-1 zlib - buffer overflow
 	{CVE-2005-1849}
-	- zlib 1:1.2.3-1 (medium)
+	[woody] - zlib <not-affected> (vulnerable code introduced later)
+	[sarge] - zlib 1:1.2.2-4.sarge.2 (medium)
 	NOTE: not fixed in testing at time of DSA (only 1/2 days old, not built on s390)
 [19 Jul 2005] DSA-762-1 affix - several
 	{CVE-2005-2250 CVE-2005-2277}
-	- affix 2.1.2-2 (medium)
+	[sarge] - affix 2.1.1-2 (medium)
 	NOTE: not fixed in testing at time of DSA (only 2/2 days old)
 [19 Jul 2005] DSA-761-2 heartbeat - insecure temporary files
 	{CVE-2005-2231}
-	- heartbeat 1.2.3-12 (medium)
+	[woody] - heartbeat 0.4.9.0l-7.3 (medium)
+	[sarge] - heartbeat 1.2.3-9sarge3 (medium)
 	NOTE: not fixed in testing at time of DSA (only 0/2 days old)
 [18 Jul 2005] DSA-760-1 ekg - several
 	{CVE-2005-1850 CVE-2005-1851 CVE-2005-1916}
-	- ekg 1:1.5+20050712+1.6rc2-1 (low)
+	[sarge] - ekg 1:1.5+20050411-4 (low)
 	NOTE: not fixed in testing at time of DSA (waiting on dependencies, not built on five archs)
 [18 Jul 2005] DSA-759-1 phppgadmin - missing input sanitising
 	{CVE-2005-2256}
-	- phppgadmin 3.5.4-1 (medium)
+	[woody] - phppgadmin <not-affected> (not affected according to the DSA)
+	[sarge] - phppgadmin 3.5.2-5 (medium)
 	NOTE: not fixed in testing at time of DSA (only 0/10 days old)
 [18 Jul 2005] DSA-758-1 heimdal - buffer overflow
 	{CVE-2005-2040}
-	- heimdal 0.6.3-11 (medium)
+	[woody] - heimdal 0.4e-7.woody.10 (medium)
+	[sarge] - heimdal 0.6.3-10sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on dependencies)
 [17 Jul 2005] DSA-757-1 krb5 - buffer overflow, double-free memory
 	{CVE-2005-1689 CVE-2005-1174 CVE-2005-1175}
-	- krb5 1.3.6-4 (medium)
+	[woody] - krb5 1.2.4-5woody10 (medium)
+	[sarge] - krb5 1.3.6-2sarge2 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on dependencies, not built on m68k)
 [14 Jul 2005] DSA-746-1 phpgroupware - remote command execution
 	{CVE-2005-1921}
-	- phpgroupware 0.9.16.006-1 (high)
+	[woody] - phpgroupware <unfixed> (high)
+	[sarge] - phpgroupware 0.9.16.005-3.sarge0 (high)
 	NOTE: fixed in testing at time of DSA
 [13 Jul 2005] DSA-756-1 squirrelmail - several
 	{CVE-2005-1769 CVE-2005-2095}
-	- squirrelmail 2:1.4.4-6 (medium)
+	[woody] - squirrelmail 1:1.2.6-4 (medium)
+	[sarge] - squirrelmail 2:1.4.4-6sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (only 0/2 days old)
 [13 Jul 2005] DSA-755-1 tiff - buffer overflow 
 	{CVE-2005-1544}
-	- tiff 3.7.2-3 (medium)
+	[woody] - tiff 3.5.5-7 (medium)
 	NOTE: fixed in testing at time of DSA
 [13 Jul 2005] DSA-754-1 centericq - insecure temporary file
 	{CVE-2005-1914}
-	- centericq 4.20.0-7 (low)
+	[woody] - centericq <not-affected> (not affected according to DSA)
+	[sarge] - centericq 4.20.0-1sarge1 (low)
 	NOTE: not fixed in testing at time of DSA (waiting on dependencies)
 [12 Jul 2005] DSA-753-1 gedit - format string
 	{CVE-2005-1686}
-	- gedit 2.10.3-1 (low)
+	[woody] - gedit <not-affected> (not affected according to DSA)
+	[sarge] - gedit 2.8.3-4sarge1 (low)
 	NOTE: not fixed in testing at time of DSA (waiting on dependencies)
 [11 Jul 2005] DSA-752-1 gzip - several
 	{CVE-2005-0988 CVE-2005-1228}
-	- gzip 1.3.5-10
+	[woody] - gzip 1.3.2-3woody5
 	NOTE: fixed in testing at time of DSA
-[11 Jul 2005] DSA-751-1 squid - IP spoofind
+[11 Jul 2005] DSA-751-1 squid - IP spoofing
 	{CVE-2005-1519}
-	- squid 2.5.9-9
+	[woody] - squid 2.4.6-2woody9
 	NOTE: fixed in testing at time of DSA
 [10 Jul 2005] DSA-748-1 ruby1.8 - bad default value
 	{CVE-2005-1992}
-	- ruby1.8 1.8.2-8 (medium)
+	[sarge] - ruby1.8 1.8.2-7sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA (waiting on dependencies)
 [11 Jul 2005] DSA-750-1 dhcpcd - out-of-bound memory access
 	{CVE-2005-1848}
-	- dhcpcd 1:1.3.22pl4-22
+	[sarge] - dhcpcd 1:1.3.22pl4-21sarge1
 	NOTE: fixed in testing at time of DSA
 [10 Jul 2005] DSA-749-1 ettercap - format string error
 	{CVE-2005-1796}
-	- ettercap 1:0.7.3-1 (medium)
+	[sarge] - ettercap 1:0.7.1-1sarge1 (medium)
 	NOTE: fixed in testing at time of DSA
 [10 Jul 2005] DSA-747-1 egroupware - input validation error
 	{CVE-2005-1921}
-	- egroupware 1.0.0.007-3.dfsg-1 (high)
+	[sarge] - egroupware 1.0.0.007-2.dfsg-2sarge1 (high)
 	NOTE: not fixed in testing at time of DSA (only 1/2 days old)
 [10 Jul 2005] DSA-745-1 drupal - arbitrary command execution
-	{CVE-2005-1921 CVE-2005-2106 CVE-2005-2116}
-	- drupal 4.5.4-1 (high)
+	{CVE-2005-1921 CVE-2005-2106}
+	[sarge] - drupal 4.5.3-3 (high)
 	NOTE: fixed in testing at time of DSA
 [08 Jul 2005] DSA-744-1 fuse - programming error
 	{CVE-2005-1858}
-	- fuse 2.3.0-1
+	[sarge] - fuse 2.2.1-4sarge2
 	NOTE: fixed in testing at time of DSA
 [08 Jul 2005] DSA-743-1 ht - buffer overflows, integer overflows
 	{CVE-2005-1545 CVE-2005-1546}
-	- ht 0.8.0-3
+	[woody] - ht 0.5.0-1woody4
+	[sarge] - ht 0.8.0-2sarge4
 	NOTE: fixed in testing at time of DSA
 [09 Jul 2005] DSA-742-1 cvs - buffer overflow
 	{CVE-2005-0753}
-	- cvs 1:1.12.9-13 (high)
+	[woody] - cvs 1.11.1p1debian-12
 	NOTE: fixed in testing at time of DSA
 [07 Jul 2005] DSA-741-1 bzip2 - infinite loop
 	{CVE-2005-1260}
-	- bzip2 1.0.2-7 (low)
+	[woody] - bzip2 1.0.2-1.woody5 (low)
 	NOTE: fixed in testing at time of DSA
 [06 Jul 2005] DSA-740-1 zlib - buffer overflow
 	{CVE-2005-2096}
-	- zlib 1:1.2.2-7 (medium)
+	[woody] - zlib <not-affected> (vulnerability was introduced later)
+	[sarge] - zlib 1:1.2.2-4.sarge.1 (medium)
 	NOTE: anything statically linking zlib needs rebuild
 	NOTE: not fixed in testing at time of DSA (embargoed disclosure)
 [06 Jul 2005] DSA-739-1 trac - missing input sanitising
 	{CVE-2005-2007}
-	- trac 0.8.4-1 (medium)
+	[sarge] - trac 0.8.1-3sarge2 (medium)
 	NOTE: fixed in testing at time of DSA
 [19 May 2005] DSA-725-2 ppxp - missing privilege release
 	{CVE-2005-0392}
-	- ppxp 0.2001080415-11
+	[sarge] - ppxp 0.2001080415-10sarge2
 	NOTE: fixed in testing at time of DSA
 [05 Jul 2005] DSA-738-1 razor - email header parsing error
 	{CVE-2005-2024}
-	- razor 2.720-1 (low)
+	[woody] - razor <not-affected> (not affected according to DSA)
+	[sarge] - razor 2.670-1sarge2 (low)
 	NOTE: not fixed in testing at time of DSA (not built on arm)
 [05 Jul 2005] DSA-737-1 clamav - various DOS vulnerabilities
 	{CVE-2005-1922 CVE-2005-1923 CVE-2005-2056 CVE-2005-2070}
-	- clamav 0.86.1-1 (medium)
+	[sarge] - clamav 0.84-2.sarge.1 (medium)
 	NOTE: not fixed in testing at time of DSA (uploaded with low urgency only, one fix missing for sid)
 [05 Jul 2005] DSA-734-1 gaim - denial of service
 	{CVE-2005-1269 CVE-2005-1934}
-	- gaim 1:1.3.1-1
+	[woody] - gaim <not-affected> (DSA: "does not seem to be affected")
+	[sarge] - gaim 1:1.2.1-1.3
 	NOTE: not fixed in testing at time of DSA (not built on sparc)
 [01 Jul 2005] DSA-736-2 spamassassin - mail header parsing error
 	{CVE-2005-1266}
-	- spamassassin 3.0.4-1 (medium)
+	[woody] - spamassassin <not-affected> (not vulnerable according to DSA)
+	[sarge] - spamassassin 3.0.3-2
 	NOTE: fixed in testing at time of DSA
+	NOTE: Some architectures were not ready, that's why another DSA was
+	NOTE: issued.
 [01 Jul 2005] DSA-736-1 spamassassin - mail header parsing error
 	{CVE-2005-1266}
-	- spamassassin 3.0.4-1 (medium)
+	[woody] - spamassassin <not-affected> (not vulnerable according to DSA)
+	[sarge] - spamassassin 3.0.3-2
 	NOTE: fixed in testing at time of DSA
 [08 Jul 2005] DSA-735-2 sudo - pathname validation race
 	{CVE-2005-1993}
-	- sudo 1.6.8p9-1 (medium)
+	[woody] - sudo 1.6.6-1.3woody1 (medium)
+	[sarge] - sudo 1.6.8p7-1.1sarge1 (medium)
 	NOTE: fixed in testing at time of DSA
+	NOTE: Some architectures were not ready, that's why another DSA was
+	NOTE: issued.
 [01 Jul 2005] DSA-735-1 sudo - pathname validation race
 	{CVE-2005-1993}
-	- sudo 1.6.8p9-1 (medium)
+	[woody] - sudo 1.6.6-1.3woody1 (medium)
+	[sarge] - sudo 1.6.8p7-1.1sarge1 (medium)
 	NOTE: not fixed in testing at time of DSA
 [30 Jun 2005] DSA-733-1 crip - insecure temporary files
 	{CVE-2005-0393}
-	- crip 3.5-1sarge2 (low)
+	[sarge] - crip 3.5-1sarge2 (low)
 	NOTE: not fixed in testing at time of DSA (reserved)
 [03 Jun 2005] DSA-732-1 mailutils - several
         {CVE-2005-1520 CVE-2005-1521 CVE-2005-1522 CVE-2005-1523}
-        - mailutils 1:0.6.1-4
+        [woody] - mailutils 20020409-1woody2
 	NOTE: fixed in testing at time of DSA
 [02 Jun 2005] DSA-731-1 krb4 - buffer overflows
-	{CVE-2005-0468 CVE-2005-0469} 
-	- krb4 1.2.2-11.2
+	{CVE-2005-0468 CVE-2005-0469}
+	[woody] - krb4 1.1-8-2.4
 	NOTE: fixed in testing at time of DSA
 [27 May 2005] DSA-730-1 bzip2 - race condition
 	{CVE-2005-0953}
-	- bzip2 1.0.2-6
+	[woody] - bzip2 1.0.2-1.woody2
 	NOTE: fixed in testing at time of DSA
 [26 May 2005] DSA-729-1 php4 - missing input sanitising
 	{CVE-2005-0525}
-	- php4 4:4.3.10-10
+	[woody] - php4 4:4.1.2-7.woody4
 	NOTE: fixed in testing at time of DSA
 [25 May 2005] DSA-728-1 qpopper - missing privilege release
 	{CVE-2005-1151 CVE-2005-1152}
-	- qpopper 4.0.5-4sarge1
+	[woody] - qpopper 4.0.4-2.woody.5
 	NOTE: fixed in testing at time of DSA by security team
 [20 May 2005] DSA-727-1 libconvert-uulib-perl - buffer overflow
 	{CVE-2005-1349}
-	- libconvert-uulib-perl 1.0.5.1-1
+	[woody] - libconvert-uulib-perl 0.201-2woody1
 	NOTE: fixed in testing at time of DSA
 [20 May 2005] DSA-726-1 oops - format string vulnerability
 	{CVE-2005-1121}
-	- oops <unfixed> (bug #307360; high)
+	[woody] - oops 1.5.19.cvs.20010818-0.1woody1
 	NOTE: not in testing at time of DSA
 [19 May 2005] DSA-725-1 ppxp - missing privilege release
 	{CVE-2005-0392}
-	- ppxp 0.2001080415-11
+	[woody] - ppxp 0.2001080415-6woody2
 	NOTE: not fixed in testing at time of DSA
 [18 May 2005] DSA-724-1 phpsysinfo - design flaw
 	{CVE-2005-0870}
-	- phpsysinfo 2.3-3
+	[woody] - phpsysinfo 2.0-3woody2
 	NOTE: fixed in testing at time of DSA
 [09 May 2005] DSA-723-1 xfree86 - buffer overflow
 	{CVE-2005-0605}
-	- xfree86 4.3.0.dfsg.1-13
+	[woody] - xfree86 4.1.0-16woody6
 	NOTE: not fixed in testing at time of DSA
 [09 May 2005] DSA-722-1 smail - buffer overflow
 	{CVE-2005-0892}
+	[woody] - smail 3.2.0.114-4woody1
 	NOTE: Package not in testing at time of DSA
 [06 May 2005] DSA-721-1 squid - design flaw
 	{CVE-2005-1345}
-	- squid 2.5.9-7
+	[woody] - squid 2.4.6-2woody8
 	NOTE: not fixed in testing at time of DSA
 [03 May 2005] DSA-720-1 smartlist - wrong input processing
 	{CVE-2005-0157}
-	- smartlist 3.15-18
+	[woody] - smartlist 3.15-5.woody.1
 	NOTE: fixed in testing at time of DSA
 [28 Apr 2005] DSA-719-1 prozilla - format string problems
 	{CVE-2005-0523}
-	- prozilla 1:1.3.7.4-1
+	[woody] - prozilla 1:1.3.6-3woody2
 	NOTE: fixed in testing at time of DSA
 [28 Apr 2005] DSA-718-1 ethereal - buffer overflow
 	{CVE-2005-0739}
-	- ethereal 0.10.10-1
+	[woody] - ethereal 0.9.4-1woody12
 	NOTE: fixed in testing at time of DSA
 [27 Apr 2005] DSA-717-1 lsh-utils - buffer overflow, typo
 	{CVE-2003-0826 CVE-2005-0814}
-	- lsh-utils 2.0.1-2
+	[woody] - lsh-utils 1.2.5-2woody3
 	NOTE: fixed in testing at time of DSA
 [27 Apr 2005] DSA-716-1 gaim - denial of service
 	{CVE-2005-0472}
-	- gaim 1:1.1.3-1
+	[woody] - gaim 1:0.58-2.5
 	NOTE: fixed in testing at time of DSA
 [27 Apr 2005] DSA-715-1 cvs - several
 	{CVE-2004-1342 CVE-2004-1343}
-	- cvs 1:1.12.9-12
+	[woody] - cvs 1.11.1p1debian-10
 	NOTE: not fixed in testing at time of DSA
 [26 Apr 2005] DSA-714-1 kdelibs - several
 	{CVE-2005-1046}
-	- kdelibs 4:3.3.2-5
+	[woody] - kdelibs 4:2.2.2-13.woody.14
 	NOTE: not fixed in testing at time of DSA
 [21 Apr 2005] DSA-701-2 samba - integer overflows
 	NOTE: only a bug in the backported fix to stable, testing is ok
 [21 Apr 2005] DSA-713-1 junkbuster - several
 	{CVE-2005-1108 CVE-2005-1109}
+	[woody] - junkbuster 2.0.2-0.2woody1
 	NOTE: package not in testing/unstable
 [19 Apr 2005] DSA-712-1 geneweb - insecure file operations
 	{CVE-2005-0391}
-	- geneweb 4.10-7
+	[woody] - geneweb 4.06-2woody1
 	NOTE: fixed in testing at time of DSA
 [19 Apr 2005] DSA-711-1 info2www - missing input sanitising
 	{CVE-2004-1341}
-	- info2www 1.2.2.9-23
+	[woody] - info2www 1.2.2.9-20woody1
 	NOTE: fixed in testing at time of DSA
 [18 Apr 2005] DSA-710-1 gtkhtml - null pointer dereference
 	{CVE-2003-0541}
-	- gtkhtml 1.0.4-6.2
+	[woody] - gtkhtml 1.0.2-1.woody1
 	NOTE: fixed in testing at time of DSA
 [15 Apr 2005] DSA-709-1 libexif - buffer overflow
 	{CVE-2005-0664}
-	- libexif 0.6.9-5
+	[woody] - libexif 0.5.0-1woody1 (bug #298464)
 [15 Apr 2005] DSA-708-1 php3 - missing input sanitising
 	{CVE-2005-0525}
-	- php3 3:3.0.18-31
+	[woody] - php3 3:3.0.18-23.1woody3 (bug #302701)
 [13 Apr 2005] DSA-707-1 mysql - several
-	{CVE-2004-0957 CVE-2005-0709 CVE-2005-0710 CVE-2005-0711} 
-	- mysql-dfsg 4.0.24-5
-	- mysql-dfsg-4.1 4.1.10a-6
+	{CVE-2004-0957 CVE-2005-0709 CVE-2005-0710 CVE-2005-0711}
+	[woody] - mysql 3.23.49-8.11
 	NOTE: not fixed in testing at time of DSA
 [13 Apr 2005] DSA-706-1 axel - buffer overflow
 	{CVE-2005-0390}
-	- axel 1.0b-1
+	[woody] - axel 1.0a-1woody1
 	NOTE: fixed in testing at time of DSA
 [04 Apr 2005] DSA-705-1 wu-ftpd - missing input sanitising
-	{CVE-2005-0256 CVE-2003-0854}
-	- wu-ftpd 2.6.2-19
+	{CVE-2005-0256}
+	{CVE-2003-0854}
+	[woody] - wu-ftpd 2.6.2-3woody5
+	NOTE: DSA mentions CVE-2003-0854 as fixed, but this update only 
+	NOTE: contains a workaround.
 [04 Apr 2005] DSA-704-1 remstats - tempfile, missing input sanitising
 	{CVE-2005-0387 CVE-2005-0388}
-	- remstats 1.0.13a-5
+	[woody] - remstats 1.00a4-8woody1
 	NOTE: not fixed in testing at time of DSA
 [01 Apr 2005] DSA-703-1 krb5 - buffer overflows
 	{CVE-2005-0468 CVE-2005-0469}
-	- krb5 1.3.6-1
+	[woody] - krb5 1.2.4-5woody8
 [01 Apr 2005] DSA-702-1 imagemagick - several
 	{CVE-2005-0397 CVE-2005-0759 CVE-2005-0760 CVE-2005-0762}
-	- imagemagick 6:6.0.6.2-2.2
+	[woody] - imagemagick 4:5.4.4.5-1woody6
 [31 Mar 2005] DSA-701-1 samba - integer overflows
 	{CVE-2004-1154}
-	- samba 3.0.10-1
+	[woody] - samba 2.2.3a-15
 [30 Mar 2005] DSA-700-1 mailreader - missing input sanitising
 	{CVE-2005-0386}
-	- mailreader 2.3.29-11
+	[woody] - mailreader 2.3.29-5woody2
 	NOTE: not fixed in testing at time of DSA
 [29 Mar 2005] DSA-699-1 netkit-telnet-ssl - buffer overflow
 	{CVE-2005-0469}
-	- netkit-telnet-ssl 0.17.24+0.1-7.1 (bug #302036)
+	[woody] - netkit-telnet-ssl 0.17.17+0.1-2woody4
 	NOTE: not fixed in testing at time of DSA
 [29 Mar 2005] DSA-698-1 mc - buffer overflow
 	{CVE-2005-0763}
-	NOTE: Not clear which unstable/testing version fixed this,
-	NOTE: but advisory says it's fixed.
+	[woody] - mc 4.5.55-1.2woody6
+	NOTE: Seems to be a "fix the fix", correcting a previous DSA.
 [29 Mar 2005] DSA-697-1 netkit-telnet - buffer overflow
 	{CVE-2005-0469}
-	- netkit-telnet 0.17-28
+	[woody] - netkit-telnet 0.17-18woody3
 	NOTE: not fixed in testing at time of DSA
 [22 Mar 2005] DSA-696-1 perl - design flaw
 	{CVE-2005-0448}
-	- perl 5.8.4-8
+	[woody] - perl 5.6.1-8.9
 	NOTE: fixed in testing at time of DSA
+	NOTE: (sid version in DSA is 5.8.4-8, but 5.8.4-7 is more correct)
 [21 Mar 2005] DSA-695-1 xli - buffer overflow, input sanitising, integer overflow
 	{CVE-2001-0775 CVE-2005-0638 CVE-2005-0639}
-	- xli 1.17.0-18
+	[woody] - xli 1.17.0-11woody1
 	NOTE: not fixed in testing at time of DSA
 [21 Mar 2005] DSA-694-1 xloadimage - missing input sanitising, integer overflow
 	{CVE-2005-0638 CVE-2005-0639}
-	- xloadimage 4.1-14.2
+	[woody] - xloadimage 4.1-10woody1
 	NOTE: not fixed in testing at time of DSA
 [14 Mar 2005] DSA-693-1 luxman - buffer overflow
 	{CVE-2005-0385}
 	NOTE: not fixed in testing at time of DSA
 	NOTE: not in unstable at time of DSA though DSA claimed it was
-	- luxman 0.41-20
+	[woody] - luxman 0.41-17.2
 [14 Mar 2005] DSA-662-2 squirrelmail - several
 	NOTE: only an update to a prior DSA, did not affct sid/sarge.
 [08 Mar 2005] DSA-692-1 kppp - design flaw
 	{CVE-2005-0205}
-	- kppp 4:3.1.6
+	[woody] - kdenetwork 4:2.2.2-14.7
 	NOTE: fixed in testing at time of DSA
 [07 Mar 2005] DSA-691-1 abuse - several 
 	{CVE-2005-0098 CVE-2005-0099}
+	[woody] - abuse 2.00+-3woody4
 	NOTE: not in unstable/testing
 [25 Feb 2005] DSA-690-1 bsmtpd - missing input sanitising
 	{CVE-2005-0107}
-	- bsmtpd 2.3pl8b-16
+	[woody] - bsmtpd 2.3pl8b-12woody1
 	NOTE: not fixed in testing at time of DSA
 [23 Feb 2005] DSA-689-1 libapache-mod-python - missing input sanitising
 	{CVE-2005-0088}
-	- libapache-mod-python 2:2.7.10-4
+	[woody] - libapache-mod-python 2:2.7.8-0.0woody5
 	NOTE: fixed in testing at time of DSA
-	- libapache2-mod-python 3.1.3-3
-	NOTE: fixed in testing at time of DSA
 [23 Feb 2005] DSA-688-1 squid - mising input sanitising
 	{CVE-2005-0446}
-	- squid 2.5.8-3
+	[woody] - squid 2.4.6-2woody7
 	NOTE: fixed in testing at time of DSA
 [21 Feb 2005] DSA-674-3 mailman - cross-site scripting, directory traversal
 	NOTE: only fixed bug in DSA
 [18 Feb 2005] DSA-687-1 bidwatcher - format string
 	{CVE-2005-0158}
-	- bidwatcher 1.3.17-1
+	[woody] - bidwatcher 1.3.3-1woody1
 	NOTE: not fixed in testing at time of DSA
 [17 Feb 2005] DSA-686-1 gftp - missing input sanitising
 	{CVE-2005-0372}
-	- gftp 2.0.18-1
+	[woody] - gftp 2.0.11-1woody1
 	NOTE: not fixed in testing at time of DSA
 [17 Feb 2005] DSA-685-1 emacs21 - format string
 	{CVE-2005-0100}
-	- emacs21 21.3+1-9
+	[woody] - emacs21 21.2-1woody3
 	NOTE: not fixed in testing at time of DSA
 [16 Feb 2005] DSA-684-1 typespeed - format string
 	{CVE-2005-0105}
-	- typespeed 0.4.4-8
+	[woody] - typespeed 0.4.4-8
 	NOTE: not fixed in testing at time of DSA
 [15 Feb 2005] DSA-683-1 postgresql - buffer overflows
 	{CVE-2005-0245 CVE-2005-0247}
-	- postgresql 7.4.7-2
+	[woody] - postgresql 7.2.1-2woody8
 	NOTE: fixed in testing at time of DSA
 [15 Feb 2005] DSA-682-1 awstats - missing input sanitising
 	{CVE-2005-0363}
-	- awstats 6.2-1.2
+	[woody] - awstats 4.0-0.woody.2
 	NOTE: not fixed in testing at time of DSA
 [14 Feb 2005] DSA-681-1 synaesthesia - privilege escalation
 	{CVE-2005-0070}
+	[woody] - synaesthesia 2.1-2.1woody3
 	NOTE: does not apply for sarge, program is not setuid anymore
 [14 Feb 2005] DSA-680-1 htdig - unsanitised input
 	{CVE-2005-0085}
-	- htdig 1:3.1.6-11
+	[woody] - htdig 3.1.6-3woody1
 	NOTE: fixed in testing at time of DSA
 [14 Feb 2005] DSA-679-1 toolchain-source - insecure temporary files
 	{CVE-2005-0159}
-	- toolchain-source 3.4-5
+	[woody] - toolchain-source 3.0.4-1woody1
 	NOTE: not fixed in testing at time of DSA
 [11 Feb 2005] DSA-678-1 netkit-rwho - missing input validation
 	{CVE-2004-1180}
-	- netkit-rwho 0.17-8
+	[woody] - netkit-rwho 0.17-4woody2
 	NOTE: not fixed in testing at time of DSA
 [11 Feb 2005] DSA-677-1 sympa - buffer overflow
 	{CVE-2005-0073}
-	- sympa 4.1.2-2.1
+	[woody] - sympa 3.3.3-3woody2
 	NOTE: not fixed in testing at time of DSA
 [11 Feb 2005] DSA-676-1 xpcd - buffer overflow
 	{CVE-2005-0074}
-	- xpcd 2.08-11.1 (bug #294793)
+	[woody] - xpcd 2.08-8woody3 (bug #294793)
 	NOTE: not fixed in testing at time of DSA
 [11 Feb 2005] DSA-674-2 mailman - cross-site scripting, directory traversal
 	NOTE: only fixed bug in DSA
 [10 Feb 2005] DSA-675-1 hztty - privilege escalation
 	{CVE-2005-0019}
-	- hztty 2.0-6.1
+	[woody] - hztty 2.0-5.2woody2
 	NOTE: not fixed in testing at time of DSA
 [10 Feb 2005] DSA-674-1 mailman - cross-site scripting, directory traversal
-	{CVE-2004-1177}
-	- mailman 2.1.5-5
-	NOTE: fixed in testing at time of DSA
-	{CVE-2005-0202}
-	- mailman 2.1.5-6
+	{CVE-2004-1177 CVE-2005-0202}
+	[woody] - mailman 2.0.11-1woody11
 	NOTE: not fixed in testing at time of DSA
 [10 Feb 2005] DSA-673-1 evolution - integer overflow
 	{CVE-2005-0102}
-	- evolution 2.0.3-1.2
+	[woody] - evolution 1.0.5-1woody2
 	NOTE: fixed in testing at time of DSA
 [09 Feb 2005] DSA-672-1 xview - buffer overflows
 	{CVE-2005-0076}
-	- xview 3.2p1.4-19
+	[woody] - xview 3.2p1.4-16woody2
 	NOTE: not fixed in testing at time of DSA
 [08 Feb 2005] DSA-671-1 xemacs21 - format string
 	{CVE-2005-0100}
 	NOTE: not fixed in testing at time of DSA
-	- xemacs21 21.4.16-2
+	[woody] - xemacs21 21.4.6-8woody2
 [08 Feb 2005] DSA-670-1 emacs20 - format string
 	{CVE-2005-0100}
+	[woody] - emacs20 20.7-13.3
 	NOTE: also affects emacs21 in unstable, fixed
 [04 Feb 2005] DSA-669-1 php3 - several
 	{CVE-2004-0594 CVE-2004-0595}
-	- php3 3:3.0.18-27
+	[woody] - php3 3:3.0.18-23.1woody2
 	NOTE: fixed in testing at time of DSA
 [04 Feb 2005] DSA-668-1 postgresql - privilege escalation
 	{CVE-2005-0227}
-	- postgresql 7.4.7-1
+	[woody] - postgresql 7.2.1-2woody7
 	NOTE: not fixed in testing at time of DSA
 [04 Feb 2005] DSA-667-1 squid - several
-	{CVE-2005-0173 CVE-2005-0175 CVE-2005-0194 CVE-2005-0211} 
-	- squid 2.5.7-7
+	{CVE-2005-0173 CVE-2005-0175 CVE-2005-0194 CVE-2005-0211}
+	[woody] - squid 2.4.6-2woody6
 	NOTE: not fixed in testing at time of DSA
 [04 Feb 2005] DSA-666-1 python2.2 - design flaw
 	{CVE-2005-0089}
-	- python2.2 2.2.3-14
-	- python2.3 2.3.4-20
-	- python2.4 2.4-5
+	[woody] - python2.2 2.2.1-4.7
 	NOTE: not fixed in testing at time of DSA
 [04 Feb 2005] DSA-665-1 ncpfs - missing privilege release
 	{CVE-2005-0013}
-	- ncpfs 2.2.6-1
+	[woody] - ncpfs 2.2.0.18-10woody2
 	NOTE: not fixed in testing at time of DSA
 [02 Feb 2005] DSA-664-1 cpio - broken file permissions
 	{CVE-1999-1572}
-	- cpio 2.5-1.2 (bug #293379)
+	[woody] - cpio 2.4.2-39woody1
 	NOTE: not fixed in testing at time of DSA
 [02 Feb 2005] DSA-663-1 prozilla - buffer overflows
 	{CVE-2004-1120}
-	- prozilla 1:1.3.7.3-1
+	[woody] - prozilla 1:1.3.6-3woody3
 	NOTE: fixed in testing at time of DSA
 [01 Feb 2005] DSA-662-1 squirrelmail - several
 	{CVE-2005-0104 CVE-2005-0152}
+	[woody] - squirrelmail 1:1.2.6-3
 	NOTE: CVE-2005-0152 only exists in 1.2.6 version
-	- squirrelmail 2:1.4.4
 	NOTE: fixed in testing at time of DSA
 [20 Apr 2005] DSA-661-2 f2c - insecure temporary files
 	{CVE-2005-0017 CVE-2005-0018}
-	- f2c 20020621-3.4 (bug #292792)
+	[woody] - f2c 20010821-3.2 (bug #292792)
 	NOTE: not fixed in testing at time of DSA
 [26 Jan 2005] DSA-660-1 kdebase - missing return value check
 	{CVE-2005-0078}
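Review bot: the DSA-745-1 (drupal) entry drops CVE-2005-2116 from its CVE list, which goes beyond the logged "Add woody and sarge status" and has no NOTE explaining it. If the removal is deliberate, because the sarge update does not address that CVE, record the reason in a NOTE line, as the DSA-705-1 entry does for CVE-2003-0854. Otherwise restore the id. Two other entries are worth a second look. In DSA-726-1 (oops) the line "- oops <unfixed> (bug #307360; high)" is replaced by the woody version, so the open bug reference and urgency for unstable disappear from this file; keep the unqualified line next to the [woody] one unless that status is tracked elsewhere. In DSA-684-1 (typespeed) the new [woody] line carries the same version string, 0.4.4-8, as the unqualified line it replaces and has no woody suffix, unlike the other woody entries in this hunk; please confirm it against the advisory.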
@@ -1544,7 +1612,7 @@
 	- xitalk 1.1.11-11
 [11 Mar 2004] DSA-461 calife - buffer overflow
 	{CVE-2004-0188}
-	- calife 2.8.6-1
+	[woody] - calife 2.8.4c-1woody1 (bug #235157)
 [10 Mar 2004] DSA-460 sysstat - insecure temporary file
 	{CVE-2004-0108}
 	- sysstat 5.0.2-1
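Review bot: only the DSA-461 (calife) entry is converted here, while the neighbouring xitalk and DSA-460 sysstat entries keep the unqualified "- package version" form, so this part of the file now mixes the two formats. Either convert the adjacent entries in the same commit or keep "- calife 2.8.6-1" alongside the new [woody] line, so that the version previously recorded without a release tag is not lost.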



