[Secure-testing-commits] r2535 - in data: CVE DSA

Florian Weimer fw at costa.debian.org
Sun Oct 23 13:27:26 UTC 2005 

Author: fw
Date: 2005-10-23 13:27:20 +0000 (Sun, 23 Oct 2005)
New Revision: 2535

Modified:
   data/CVE/list
   data/DSA/list
Log:
Reprocess some of the January 2005 DSAs (remaining DSAs will follow)


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2005-10-23 12:44:36 UTC (rev 2534)
+++ data/CVE/list	2005-10-23 13:27:20 UTC (rev 2535)
@@ -11670,13 +11670,13 @@
 	- mailman 2.1.5-5
 CVE-2005-0079 (Buffer overflow in xtrlock 2.0 allows local users to cause a denial of ...)
 	{DSA-649-1}
-	TODO: check
+	- xtrlock 2.0-9
 CVE-2005-0078 (The KDE screen saver in KDE before 3.0.5 does not properly check the ...)
 	{DSA-660-1}
-	TODO: check
+	- kdebase 4:3.0.5
 CVE-2005-0077 (The DBI library (libdbi-perl) for Perl allows local users to overwrite ...)
 	{DSA-658-1}
-	TODO: check
+	- libdbi-perl 1.46-6
 CVE-2005-0076 (Multiple buffer overflows in the XView library 3.2 may allow local ...)
 	{DSA-672-1}
 	- xview 3.2p1.4-19
@@ -11690,13 +11690,13 @@
 	- sympa 4.1.2-2.1
 CVE-2005-0072 (zhcon before 0.2 does not drop privileges before reading a user ...)
 	{DSA-655-1}
-	TODO: check
+	- zhcon 1:0.2.3-8.1 (bug #292210)
 CVE-2005-0071 (vdr before 1.2.6 does not securely create files, which allows ...)
 	{DSA-656-1}
-	TODO: check
+	- vdr 1.2.6-6
 CVE-2005-0070 (Synaesthesia 2.1 and earlier, and possibly other versions, when ...)
 	{DSA-681-1}
-	TODO: check
+	NOTE: does not apply for sarge, program is not setuid anymore
 CVE-2005-0069 (The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local ...)
 	- vim 1:6.3-058+1
 CVE-2005-0068 (The original design of ICMP does not require authentication for ...)
@@ -11887,7 +11887,7 @@
 	TODO: check
 CVE-2005-0020 (Buffer overflow in playmidi before 2.4 allows local users to execute ...)
 	{DSA-641-1}
-	TODO: check
+	- playmidi 2.4debian-3
 CVE-2005-0019 (Unknown vulnerability in hztty 2.0 and earlier allows local users to ...)
 	{DSA-675-1}
 	- hztty 2.0-6.1
@@ -11899,10 +11899,10 @@
 	- f2c 20020621-3.4 (bug #292792)
 CVE-2005-0016 (Buffer overflow in the exported_display function in xatitv in gatos ...)
 	{DSA-640-1}
-	TODO: check
+	- gatos 0.0.5-15
 CVE-2005-0015 (diatheke.pl in Sword 1.5.7a allows remote attackers to execute ...)
 	{DSA-650-1}
-	TODO: check
+	- sword 1.5.7-7 (bug #291433)
 CVE-2005-0014 (Buffer overflow in ncplogin in ncpfs before 2.2.6 allows remote ...)
 	- ncpfs 2.2.6-1
 CVE-2005-0013 (nwclient.c in ncpfs before 2.2.6 does not drop root privileges before ...)
@@ -12288,13 +12288,13 @@
 	- xine-lib 1-rc8-1
 CVE-2004-1186 (Multiple buffer overflows in enscript 1.6.3 allow remote attackers or ...)
 	{DSA-654-1}
-	TODO: check
+	- enscript 1.6.4-6
 CVE-2004-1185 (Enscript 1.6.3 does not sanitize filenames, which allows remote ...)
 	{DSA-654-1}
-	TODO: check
+	- enscript 1.6.4-6
 CVE-2004-1184 (The EPSF pipe support in enscript 1.6.3 allows remote attackers or ...)
 	{DSA-654-1}
-	TODO: check
+	- enscript 1.6.4-6
 CVE-2004-1183 (Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier ...)
 	{DSA-626-1}
 	- libtiff-tools 3.6.1-5
@@ -12317,13 +12317,19 @@
 	- mailman 2.1.5-5
 CVE-2004-1176 (Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55 and ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1175 (fish.c in midnight commander allows remote attackers execute arbitrary ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1174 (direntry.c in Midnight Commander (mc) 4.5.55 and earlier allows ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1173 (Internet Explorer 6 allows remote attackers to bypass the popup ...)
 	NOT-FOR-US: MSIE
 CVE-2004-1172 (Stack-based buffer overflow in the Agent Browser in Veritas Backup ...)
@@ -12505,16 +12511,24 @@
 	NOT-FOR-US: RealPlayer
 CVE-2004-1093 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1092 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1091 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1090 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1089 (Unknown vulnerability in Apple Mac OS X 10.3.6 server, when using ...)
 	NOT-FOR-US: Apple MacOS
 CVE-2004-1088 (Postfix server for Apple Mac OS X 10.3.6, when using CRAM-MD5, allows ...)
@@ -12716,7 +12730,9 @@
 	- zip 2.30-8
 CVE-2004-1009 (Midnight commander (mc) 4.5.55 and earlier allows remote attackers to ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1008 (Integer signedness error in the ssh2_rdpkt function in PuTTY before ...)
 	- putty 0.56-1
 CVE-2004-1007 (The quoted-printable decoder in bogofilter 0.17.4 to 0.92.7 allows ...)
@@ -12726,10 +12742,14 @@
 	- dhcp 2.0pl5-19.1
 CVE-2004-1005 (Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1004 (Multiple format string vulnerabilities in Midnight Commander (mc) ...)
 	{DSA-639-1}
-	TODO: check
+	NOTE: unstable not vulnerable according to DSA
+	NOTE: DSA was wrong..
+	- mc 1:4.6.0-4.6.1-pre3-1
 CVE-2004-1003 (Trend ScanMail allows remote attackers to obtain potentially sensitive ...)
 	NOT-FOR-US: Trend ScanMail
 CVE-2004-1002 (Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote ...)
@@ -13786,7 +13806,7 @@
 	RESERVED
 CVE-2004-0555 (Buffer overflow in (1) queue.c and (2) queued.c in queue before 1.30.1 ...)
 	{DSA-643-1}
-	TODO: check
+	- queue 1.30.1-5
 CVE-2004-0554 (Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a ...)
 	NOTE: this was a big deal and is fixed in all current kernels
 CVE-2004-0553

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2005-10-23 12:44:36 UTC (rev 2534)
+++ data/DSA/list	2005-10-23 13:27:20 UTC (rev 2535)
@@ -946,94 +946,95 @@
 	NOTE: not fixed in testing at time of DSA
 [26 Jan 2005] DSA-660-1 kdebase - missing return value check
 	{CVE-2005-0078}
-	- kdebase 4:3.0.5
+	[woody] - kdebase 4:2.2.2-14.9
 	NOTE: fixed in testing at time of DSA
 [26 Jan 2005] DSA-659-1 libpam-radius-auth - information leak, integer underflow
 	{CVE-2004-1340 CVE-2005-0108}
-	- libpam-radius-auth 1.3.16-3
+	[woody] - libpam-radius-auth 1.3.14-1.3
 	NOTE: 1/2 fixed in testing at time of DSA
 [25 Jan 2005] DSA-658-1 libdbi-perl - insecure temporary file
 	{CVE-2005-0077}
-	- libdbi-perl 1.46-6
+	[woody] - libdbi-perl 1.21-2woody2
 	NOTE: not fixed in testing at time of DSA
 [25 Jan 2005] DSA-657-1 xine-lib - buffer overflow
 	{CVE-2004-1379}
-	- xine-lib 1-rc6a-1
+	[woody] - xine-lib 0.9.8-2woody2
 	NOTE: fixed in testing at time of DSA
 [25 Jan 2005] DSA-656-1 vdr - insecure file access
 	{CVE-2005-0071}
-	- vdr 1.2.6-6
+	[woody] - vdr 1.0.0-1woody2
 	NOTE: not fixed in testing at time of DSA
 [25 Jan 2005] DSA-655-1 zhcon - missing privilege release
 	{CVE-2005-0072}
-	- zhcon 1:0.2.3-8.1 (bug #292210)
+	[woody] - zhcon 1:0.2-4woody3
 	NOTE: not fixed in testing at time of DSA
 [21 Jan 2005] DSA-654-1 enscript - several
 	{CVE-2004-1184 CVE-2004-1185 CVE-2004-1186}
-	- enscript 1.6.4-6
+	[woody] - enscript 1.6.3-1.3
 	NOTE: not fixed in testing at time of DSA
 [21 Jan 2005] DSA-653-1 ethereal - buffer overflow
 	{CVE-2005-0084}
-	- ethereal 0.10.9-1
+	[woody] - ethereal 0.9.4-1woody11
 	NOTE: not fixed in testing at time of DSA
 [21 Jan 2005] DSA-652-1 unarj
 	{CVE-2004-0947 CVE-2004-1027}
-	NOTE: not-for-us (unarj)
+	[woody] - unarj 2.43-3woody1
+	NOTE: package was in non-free, different code base
 [20 Jan 2005] DSA-651-1 squid - buffer overflow, integer overflow
 	{CVE-2005-0094 CVE-2005-0095}
-	- squid 2.5.7-4
+	[woody] - squid 2.4.6-2woody5
 	NOTE: not fixed in testing at time of DSA
 [20 Jan 2005] DSA-650-1 sword - missing input sanitising
 	{CVE-2005-0015}
-	- sword 1.5.7-7
+	[woody] - sword 1.5.3-3woody2
 	NOTE: not fixed in testing at time of DSA
 [20 Jan 2005] DSA-649-1 xtrlock - buffer overflow
 	{CVE-2005-0079}
-	- xtrlock 2.0-9
+	[woody] - xtrlock 2.0-6woody2
 	NOTE: fixed in testing at time of DSA
 [19 Jan 2005] DSA-648-1 xpdf - buffer overflow
 	{CVE-2005-0064}
-	- xpdf 3.00-12
+	[woody] - xpdf 1.00-3.4
 	NOTE: not fixed in testing at time of DSA
 [19 Jan 2005] DSA-647-1 mysql - insecure temporary files
 	{CVE-2005-0004}
-	- mysql-dfsg 4.0.23-3
-	- mysql-dfsg-4.1 4.1.8a-6
+	[woody] - mysql 3.23.49-8.9
 	NOTE: not fixed in testing at time of DSA
 [19 Jan 2005] DSA-646-1 imagemagick - buffer overflow
 	{CVE-2005-0005}
-	- imagemagick 6:6.0.6.2-2
+	[woody] - imagemagick 4:5.4.4.5-1woody5
 	NOTE: not fixed in testing at time of DSA
 [19 Jan 2005] DSA-645-1 cupsys - buffer overflow
 	{CVE-2005-0064}
 	NOTE: cupsys not affected in sarge, though other programs are vulnerable
 	NOTE: see CVE/list
+	[woody] - cupsys 1.1.14-5woody12
 	NOTE: not fixed in testing at time of DSA
 [18 Jan 2005] DSA-644-1 chbg - buffer overflow
 	{CVE-2004-1264}
-	- chbg 1.5-4
+	[woody] - chbg 1.5-1woody1
 	NOTE: fixed in testing at time of DSA
 [18 Jan 2005] DSA-643-1 queue - buffer overflows
 	{CVE-2004-0555}
-	- queue 1.30.1-5
+	[woody] - queue 1.30.1-4woody2
 	NOTE: not fixed in testing at time of DSA
 [17 Jan 2005] DSA-642-1 gallery - several
 	{CVE-2004-1106}
-	- gallery 1.4.4-pl4-1
+	[woody] - gallery 1.2.5-8woody3
 	NOTE: fixed in testing at time of DSA
 [17 Jan 2005] DSA-641-1 playmidi - buffer overflow
 	{CVE-2005-0020}
-	- playmidi 2.4debian-3
+	[woody] - playmidi 2.4-4woody1
 	NOTE: not fixed in testing at time of DSA
 [17 Jan 2005] DSA-640-1 gatos - buffer overflow
 	{CVE-2005-0016}
-	- gatos 0.0.5-15
+	[woody] - gatos 0.0.5-6woody3
 	NOTE: not fixed in testing at time of DSA
 [14 Jan 2005] DSA-639-1 mc - several
 	{CVE-2004-1004 CVE-2004-1005 CVE-2004-1009 CVE-2004-1090 CVE-2004-1091 CVE-2004-1092 CVE-2004-1093 CVE-2004-1174 CVE-2004-1175 CVE-2004-1176}
 	NOTE: unstable not vulnerable according to DSA
 	NOTE: DSA was wrong..
-	- mc 1:4.6.0-4.6.1-pre3-1
+	[woody] - mc 4.5.55-1.2woody5
 	NOTE: not fixed in testing at time of DSA
 [13 Jan 2005] DSA-638-1 gopher - several
 	{CVE-2004-0560 CVE-2004-0561}

More information about the Secure-testing-commits mailing list