[Secure-testing-commits] r2551 - in data: CVE DSA
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Mon Oct 24 12:35:13 UTC 2005
Author: jmm-guest
Date: 2005-10-24 12:35:07 +0000 (Mon, 24 Oct 2005)
New Revision: 2551
Modified:
data/CVE/list
data/DSA/list
Log:
adapt the rest of November's DSAs to the new format
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2005-10-24 11:05:29 UTC (rev 2550)
+++ data/CVE/list 2005-10-24 12:35:07 UTC (rev 2551)
@@ -12848,6 +12848,8 @@
- libgd 1.8.4-36.1
CVE-2004-0989 (Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and ...)
{DSA-582-1}
+ - libxml 1:1.8.17-9
+ - libxml2 2.6.11-5
CVE-2004-0988 (Integer overflow on Apple QuickTime before 6.5.2, when running on ...)
NOT-FOR-US: Apple
CVE-2004-0987 (Buffer overflow in the process_menu function in yardradius 1.0.20 ...)
@@ -12864,9 +12866,11 @@
{DSA-586-1}
- ruby1.8 1.8.1+1.8.2pre2-4
- ruby1.6 1.6.8-12
+ - ruby <removed>
CVE-2004-0982 (Buffer overflow in the getauthfromURL function in httpget.c in mpg123 ...)
{DSA-578-1}
- mpg123 0.59r-18
+ NOTE: Original fix in -17 was incomplete
CVE-2004-0981 (Buffer overflow in the EXIF parsing routine in ImageMagick before ...)
{DSA-593-1}
- imagemagick 6:6.0.6.2-1.5 (bug #278401)
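Review bot: the added `NOTE: Original fix in -17 was incomplete` under CVE-2004-0982 gives no source; since the fixed version kept here (mpg123 0.59r-18) differs from the 0.59r-17 line being dropped from data/DSA/list in this same commit, cite the changelog entry or bug number that shows -17 was incomplete so the discrepancy stays traceable. The new `ruby <removed>` line would also benefit from a short note on when the unversioned ruby source package was dropped, so a reader does not mistake it for a missing fix.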
@@ -12895,13 +12899,15 @@
CVE-2004-0972 (The lvmcreate_initrd script in the lvm package in Trustix Secure Linux ...)
{DSA-583-1}
NOTE: lvmcreate_initrd not in debian
+ NOTE: It's fixed in the changelog, so above note is possibly wrong
+ - lvm10 1:1.0.8-8
CVE-2004-0971 (The krb5-send-pr script in the kerberos5 (krb5) package in Trustix ...)
NOTE: not shipped in deb
- krb5 <unfixed> (bug #278271; low)
- arla 0.36.2-11
CVE-2004-0970 (The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package, as ...)
{DSA-588-1}
- NOTE: sarge is not vulnerable as our version uses set -C
+ - gzip <not-affected> (recent versions not vulnerable as our version uses set -C)
CVE-2004-0969 (The groffer script in the Groff package 1.18 and later versions, as ...)
- groff 1.18.1.1-2
CVE-2004-0968 (The catchsegv script in glibc 2.3.2 and earlier allows local users to ...)
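Review bot: the two NOTEs under CVE-2004-0972 now contradict each other (`lvmcreate_initrd not in debian` versus `It's fixed in the changelog, so above note is possibly wrong`); rather than stacking a correction on top of the old note, verify whether lvm10 ships the script and keep only the accurate statement, since the new `- lvm10 1:1.0.8-8` line already asserts the package was affected and fixed. The gzip change from a NOTE to `<not-affected>` reads well; if the version that introduced `set -C` is known, naming it in the parenthetical would make "recent versions" precise.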
@@ -12917,9 +12923,9 @@
NOT-FOR-US: HP-UX
CVE-2004-0964 (Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for ...)
{DSA-587-1}
- NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge
- NOTE: DSA says zinf not vulnerable in sarge
- - zinf 2.2.5
+ - zinf <not-affected> (According to DSA-587 not affected, as module was rewritten)
+ - freeamp <removed>
+ NOTE: Changelog claims a possibly related fix in 2.2.5?
CVE-2004-0963 (Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and ...)
NOT-FOR-US: windows
CVE-2004-0962 (Apple Remote Desktop Client 1.2.4 executes a GUI application as root ...)
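Review bot: the rewrite of CVE-2004-0964 drops the http://www.debian.org/security/nonvulns-sarge reference that the removed NOTE cited; keep that URL in the `<not-affected>` parenthetical alongside DSA-587 so the reasoning remains traceable. The trailing `NOTE: Changelog claims a possibly related fix in 2.2.5?` leaves an open question directly under an entry marked not-affected; either resolve it against the 2.2.5 changelog entry or mark it as a TODO so it is not read as a conclusion.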
@@ -13112,6 +13118,7 @@
NOTE: only affects source package, not used in binary
- cupsys <unfixed> (bug #324460; unimportant)
- tetex-bin 2.0.2-23
+ - xpdf 3.00-9
CVE-2004-0887 (SUSE Linux Enterprise Server 9 on the S/390 platform does not properly ...)
NOTE: waldi provided this info
- linux-kernel-image-2.6.8-s390 2.6.8-3
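Review bot: the CVE identifier that the new `+ - xpdf 3.00-9` line belongs to lies outside this hunk's context (only the `NOTE: only affects source package, not used in binary` and the cupsys/tetex-bin lines are visible above it), so double-check that it lands under CVE-2004-0888, the CVE whose DSA-581-1 entry in data/DSA/list loses the same `xpdf 3.00-9` line in this commit.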
@@ -13664,6 +13671,7 @@
NOT-FOR-US: JRun
CVE-2004-0645 (Buffer overflow in the wvHandleDateTimePicture function in wv library ...)
{DSA-579-1 DSA-550-1}
+ - abiword <not-affected> (According to DSA-759 sid is not affected)
CVE-2004-0644 (The asn1buf_skiptail function in the ASN.1 decoder library for MIT ...)
{DSA-543-1}
CVE-2004-0643 (Double-free vulnerability in the krb5_rd_cred function for MIT ...)
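Review bot: the new `abiword <not-affected>` annotation cites DSA-759, but the entry's own DSA references are DSA-579-1 and DSA-550-1, and the NOTE being removed from data/DSA/list in this commit sits under DSA-579-1; `DSA-759` looks like a transposition of `DSA-579`. That removed NOTE also stated `sarge is same`, which the new wording (`sid is not affected`) silently drops; suggest `(According to DSA-579 neither sid nor sarge is affected)`.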
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2005-10-24 11:05:29 UTC (rev 2550)
+++ data/DSA/list 2005-10-24 12:35:07 UTC (rev 2551)
@@ -1202,41 +1202,42 @@
[woody] - gnats 3.999.beta1+cvs20020303-2
[09 Nov 2004] DSA-589-1 libgd - integer overflows
{CVE-2004-0990}
- - libgd 1.8.4-36.1
+ [woody] - libgd 1.8.4-17.woody3
[08 Nov 2004] DSA-588-1 gzip - insecure temporary files
{CVE-2004-0970}
- NOTE: dsa says sid not affected
+ [woody] - gzip 1.3.2-3woody3
[08 Nov 2004] DSA-587-1 freeamp - buffer overflow
{CVE-2004-0964}
- NOTE: DSA says zinf not vulnerable in sarge
+ [woody] - freeamp 2.1.1.0-4woody2
+ NOTE: Was later renamed to zinf
[08 Nov 2004] DSA-586-1 ruby - infinite loop
{CVE-2004-0983}
- - ruby1.6 1.6.8-12
- - ruby1.8 1.8.1+1.8.2pre2-4
+ [woody] - ruby 1.6.7-3woody4
[05 Nov 2004] DSA-585-1 shadow - programming error
{CVE-2004-1001}
- - shadow 1:4.0.3-30.3
+ [woody] - shadow 20000902-12woody1
[04 Nov 2004] DSA-584-1 dhcp - format string vulnerability
{CVE-2004-1006}
- - dhcp 2.0pl5-19.1
+ [woody] - dhcp 2.0pl5-11woody1
[03 Nov 2004] DSA-583-1 lvm10 - insecure temporary directory
{CVE-2004-0972}
+ [woody] - lvm10 1.0.4-5woody2
[02 Nov 2004] DSA-582-1 libxml - buffer overflow
{CVE-2004-0989}
- - libxml 1:1.8.17-9
- - libxml2 2.6.11-5
+ [woody] - libxml 1.8.17-2woody2
+ [woody] - libxml2 2.4.19-4woody2
[01 Nov 2004] DSA-581-1 xpdf - integer overflows
{CVE-2004-0888}
- - xpdf 3.00-9
+ [woody] - xpdf 1.00-3.2
[01 Nov 2004] DSA-580-1 iptables - missing initialisation
{CVE-2004-0986}
- - iptables 1.2.11-4
+ [woody] - iptables 1.2.6a-5.0woody2
[01 Nov 2004] DSA-579-1 abiword - buffer overflow
{CVE-2004-0645}
- NOTE: according to DSA, sid's abiword is not affected. sarge is same
+ [woody] - abiword 1.0.2+cvs.2002.06.05-1woody2
[01 Nov 2004] DSA-578-1 mpg123 - buffer overflow
{CVE-2004-0982}
- - mpg123 0.59r-17
+ [woody] - mpg123 0.59r-13woody4
[29 Oct 2004] DSA-577-1 postgresql - symlink vulnerability
{CVE-2004-0977}
- postgresql 7.4.6-1
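Review bot: the conversion stops at DSA-578-1; the `[29 Oct 2004] DSA-577-1 postgresql` entry at the end of the hunk keeps the old unqualified `- postgresql 7.4.6-1` line with no `[woody]` counterpart, which matches the commit message's scope (November's DSAs) but leaves the file in two formats, so the October entries should be queued for a follow-up. Also, unlike every other `[woody]` line in this hunk, `xpdf 1.00-3.2` carries no woodyN suffix; confirm that this is the exact version named in DSA-581 rather than a truncated string.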