[Secure-testing-commits] r4711 - in data: CVE DSA
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Sun Sep 10 12:42:29 UTC 2006
Author: jmm-guest
Date: 2006-09-10 12:42:28 +0000 (Sun, 10 Sep 2006)
New Revision: 4711
Modified:
data/CVE/list
data/DSA/list
Log:
- new openssl and bind DSAs
- add missing CVE ID to old gpdf DSA
- remove two thunderbird entries for sarge that overlapped the DSA reference
- older thunderbird and firefox issues are non-issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2006-09-10 12:37:29 UTC (rev 4710)
+++ data/CVE/list 2006-09-10 12:42:28 UTC (rev 4711)
@@ -4091,7 +4091,6 @@
NOTE: MFSA-2006-31
- firefox 1.5.dfsg+1.5.0.4-1 (medium)
- thunderbird 1.5.0.4-1 (medium)
- [sarge] - mozilla-thunderbird <unfixed> (medium)
- mozilla 2:1.7.13-0.3 (medium)
- xulrunner 1.8.0.4-1 (medium)
CVE-2006-2786 (HTTP response smuggling vulnerability in Mozilla Firefox and ...)
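Review bot: with the `[sarge] - mozilla-thunderbird <unfixed> (medium)` line removed, this entry no longer states any sarge status for mozilla-thunderbird; if sarge is tracked through the DSA reference, as the log says, a NOTE naming that DSA next to `NOTE: MFSA-2006-31` would keep the sarge status visible from the CVE entry itself.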
@@ -4099,7 +4098,6 @@
NOTE: MFSA-2006-33
- firefox 1.5.dfsg+1.5.0.4-1 (medium)
- thunderbird 1.5.0.4-1 (medium)
- [sarge] - mozilla-thunderbird <unfixed> (medium)
- mozilla 2:1.7.13-0.3 (medium)
- xulrunner 1.8.0.4-1 (medium)
CVE-2006-2785 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before ...)
@@ -8162,8 +8160,9 @@
- namazu2 <not-affected> (Windows-specific issue)
CVE-2006-1166 (Monotone 0.25 and earlier, when a user creates a file in a directory ...)
- monotone 0.26pre1-0.1 (low)
- NOTE: Needs a case-insensitive file system (e.g. VFAT or Samba) on
- NOTE: the client.
+ [sarge] - monotone <no-dsa> (Only exploitable in very far-fetched situation)
+ NOTE: Needs a case-insensitive file system (e.g. VFAT or Samba) on the client
+ NOTE: and massive social engineering
CVE-2006-1128 (Directory traversal vulnerability in the session handling class ...)
- gallery2 2.0.3
CVE-2006-1127 (Cross-site scripting (XSS) vulnerability in Gallery 2 up to 2.0.2 ...)
@@ -14223,8 +14222,11 @@
CVE-2005-3403 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.1 ...)
NOT-FOR-US: ATutor
CVE-2005-3402 (The SMTP client in Mozilla Thunderbird 1.0.5 BETA, 1.0.7, and possibly ...)
- - thunderbird <unfixed> (bug #363714; low)
- [sarge] - mozilla-thunderbird <unfixed> (bug #363714; low)
+ - thunderbird <unfixed> (bug #363714; unimportant)
+ [sarge] - mozilla-thunderbird <unfixed> (bug #363714; unimportant)
+ NOTE: That's a non-issue; only a feature request for an improvement in a corner case.
+ NOTE: If someone wants to use security-sensitive communication a TLS-secured server
+ NOTE: should be used.
CVE-2005-3401 (Multiple interpretation error in TheHacker 5.8.4.128 allows remote ...)
NOT-FOR-US: TheHacker
CVE-2005-3400 (Multiple interpretation error in Fortinet 2.48.0.0 allows remote ...)
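Review bot: the downgrade to `unimportant` keeps `<unfixed>` and bug #363714 on both the unstable and sarge lines while the NOTE calls it a non-issue; state in the NOTE that the bug stays open as a feature request so `<unfixed>` is not read as a pending security fix. The last NOTE line also wants a comma after "communication" and could be folded into one line with the previous NOTE.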
@@ -17528,10 +17530,12 @@
CVE-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and ...)
- mediawiki 1.4.9 (bug #276057)
CVE-2005-2395 (Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the ...)
- - firefox <unfixed> (bug #320539; low)
- NOTE: as of version 1.4.99+1.5rc3.dfsg-2, mozilla-firefox is now an empty transitional package
- - mozilla-firefox 1.4.99+1.5rc3.dfsg-2 (bug #320539; low)
- - mozilla <unfixed> (bug #320538; low)
+ - firefox <unfixed> (bug #320539; unimportant)
+ - mozilla-firefox 1.4.99+1.5rc3.dfsg-2 (bug #320539; unimportant)
+ - mozilla <unfixed> (bug #320538; unimportant)
+ NOTE: Firefox and Mozilla follow RFC behaviour. This is more a lack of security
+ NOTE: feature (client-side preference for stronger methods) and not a vulnerabilit
+ NOTE: This also seems like a rare setup.
CVE-2005-2394 (show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the ...)
NOT-FOR-US: CuteNews
CVE-2005-2393 (Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows ...)
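Review bot: the second added NOTE line ends in the truncated word "vulnerabilit" with no terminating period; it should read "and not a vulnerability." Also, the removed NOTE that mozilla-firefox is an empty transitional package as of 1.4.99+1.5rc3.dfsg-2 is dropped without replacement even though the `- mozilla-firefox 1.4.99+1.5rc3.dfsg-2 (bug #320539; unimportant)` line is kept; keeping that NOTE explains why a transitional package carries a fixed version here.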
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2006-09-10 12:37:29 UTC (rev 4710)
+++ data/DSA/list 2006-09-10 12:42:28 UTC (rev 4711)
@@ -1,3 +1,9 @@
+[10 Sep 2006] DSA-1773-1 openssl - cryptographic weakness
+ {CVE-2006-4339}
+ [sarge] - openssl 0.9.7e-3sarge2
+[09 Sep 2006] DSA-1772-1 bind9 - programming error
+ {CVE-2006-4095 CVE-2006-4096}
+ [sarge] - bind9 9.2.4-1sarge1
[07 Sep 2006] DSA-1171 ethereal - several
{CVE-2006-4333 CVE-2005-3241 CVE-2005-3242 CVE-2005-3243 CVE-2005-3244 CVE-2005-3246 CVE-2005-3248}
[sarge] - ethereal 0.10.10-2sarge8
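Review bot: the new advisory numbers DSA-1773-1 and DSA-1772-1 do not follow the preceding entry DSA-1171 in the visible sequence and look like transposed digits; check whether the intended identifiers are DSA-1172-1 (bind9) and DSA-1173-1 (openssl) before this lands, since the DSA/list identifiers are what the CVE cross-references key on.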
@@ -646,7 +652,7 @@
[sarge] - pdftohtml 0.36-11sarge2
NOTE: sid is not affected, just a revamp of previous patches
[27 Feb 2006] DSA-982-1 gpdf - several
- {CVE-2005-2097 CVE-2005-3191 CVE-2005-3193 CVE-2006-0301}
+ {CVE-2005-2097 CVE-2005-3191 CVE-2005-3193 CVE-2006-0301 CVE-2006-1244}
[sarge] - gpdf 2.8.2-1.2sarge4
NOTE: sid is not affected, just a revamp of previous patches
[26 Feb 2006] DSA-981-1 bmv - integer overflow