[Secure-testing-commits] r5802 - data/CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Sun May 6 20:53:25 UTC 2007
Author: jmm-guest
Date: 2007-05-06 20:53:19 +0000 (Sun, 06 May 2007)
New Revision: 5802
Modified:
data/CVE/list
Log:
schroot limited to unstable
new kernel issues
lftp is a non-issue
older ekg issues don't affect sarge
some not-affected states of mozilla
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2007-05-06 12:52:45 UTC (rev 5801)
+++ data/CVE/list 2007-05-06 20:53:19 UTC (rev 5802)
@@ -1,8 +1,11 @@
CVE-2007-XXXX [schroot may use outdated configuration information]
- schroot <unfixed> (low; bug #422354)
+ [etch] - schroot <not-affected> (Only exploitable in unstable)
CVE-2007-2488
- asterisk <unfixed> (low)
NOTE: ASA-2007-013
+CVE-2007-2480 [port bind info leak]
+ - linux-2.6 <unfixed> (medium)
CVE-2007-2479 (Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers ...)
NOT-FOR-US: Cerulean Trillian
CVE-2007-2478 (Multiple heap-based buffer overflows in the IRC component in Cerulean ...)
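Review bot: The new `[etch] - schroot <not-affected> (Only exploitable in unstable)` line records the conclusion but not what makes unstable different; a NOTE naming the schroot version or change that introduced the problem would let the etch assessment be re-checked later, and if schroot also ships in sarge a matching `[sarge]` line is needed so that suite is not left without a state. The added `CVE-2007-2480 [port bind info leak]` entry for linux-2.6 likewise carries no NOTE with the upstream fix reference, which the kernel team will need to track the `<unfixed>` state.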
@@ -276,7 +279,8 @@
CVE-2007-2349 (Cross-site scripting (XSS) vulnerability in Invision Power Board ...)
NOT-FOR-US: Invision Power Board
CVE-2007-2348 (mirror --script in lftp before 3.5.9 does not properly quote shell ...)
- - lftp <unfixed> (low)
+ - lftp <unfixed> (unimportant)
+ NOTE: Non-issue, also already documented as potentially risky
CVE-2007-2347 (PHP remote file inclusion vulnerability in main/forum/komentar.php in ...)
NOT-FOR-US: OneClick CMS
CVE-2007-2346 (Multiple PHP remote file inclusion vulnerabilities in PHP-Generics 1.0 ...)
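Review bot: The downgrade of lftp to `(unimportant)` rests on `NOTE: Non-issue, also already documented as potentially risky`, but the NOTE does not say where that documentation lives; adding the pointer (for example the section of the lftp manual that warns about `mirror --script`) makes the rating auditable, since the CVE text itself says the option "does not properly quote shell" arguments and a later reader would otherwise have to redo the assessment.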
@@ -1796,12 +1800,15 @@
CVE-2007-1665
RESERVED
- ekg 1:1.7~rc2-2
+ [sarge] - ekg <not-affected> (Vulnerable code not present)
CVE-2007-1664
RESERVED
- ekg 1:1.7~rc2-2
+ [sarge] - ekg <not-affected> (Vulnerable code not present)
CVE-2007-1663
RESERVED
- ekg 1:1.7~rc2-2
+ [sarge] - ekg <not-affected> (Vulnerable code not present)
CVE-2007-1662
RESERVED
CVE-2007-1661
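Review bot: CVE-2007-1665, CVE-2007-1664 and CVE-2007-1663 are still `RESERVED`, so the new `[sarge] - ekg <not-affected> (Vulnerable code not present)` lines cannot be cross-checked against a CVE description yet; a NOTE stating which upstream ekg version introduced the affected code (relative to the fixed `1:1.7~rc2-2`) would record the basis for the three identical not-affected claims.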
@@ -2549,7 +2556,7 @@
CVE-2007-1354
RESERVED
CVE-2007-1353 (The setsockopt function in the L2CAP and HCI Bluetooth support in the ...)
- TODO: check
+ - linux-2.6 <unfixed> (low)
CVE-2007-1352 (Integer overflow in the FontFileInitTable function in X.Org libXfont ...)
- libxfont 1:1.2.2-2 (medium)
CVE-2007-1351 (Integer overflow in the bdfReadCharacters function in bdfread.c in (1) ...)
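Review bot: Replacing `TODO: check` with `- linux-2.6 <unfixed> (low)` resolves the TODO but gives no reason for the severity; a short NOTE on why this setsockopt issue in the L2CAP and HCI Bluetooth code rates `low` for Debian, plus the upstream fix reference, would keep the entry consistent with the other kernel entries that carry a NOTE.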
@@ -4266,8 +4273,8 @@
- iceweasel 2.0.0.2+dfsg-1 (medium)
- iceape 1.0.8-1 (medium)
- xulrunner 1.8.0.10-1 (medium)
- [sarge] - mozilla-firefox <unfixed> (medium)
- [sarge] - mozilla <unfixed> (medium)
+ [sarge] - mozilla-firefox <not-affected> (Vulnerable code not present)
+ [sarge] - mozilla <not-affected> (Vulnerable code not present)
CVE-2007-0779 (GUI overlay vulnerability in Mozilla Firefox 1.5.x before 1.5.0.10 and ...)
NOTE: MFSA-2007-04
- iceweasel 2.0.0.2+dfsg-1 (low)
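Review bot: The two sarge mozilla lines move from `<unfixed> (medium)` to `<not-affected> (Vulnerable code not present)` with no NOTE in this hunk; the entry directly below shows the convention (`NOTE: MFSA-2007-04`), so a NOTE naming the corresponding MFSA and the code that sarge's mozilla 1.7 branch lacks would make the not-affected decision verifiable.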
@@ -4306,9 +4313,10 @@
- iceape 1.0.8-1 (high)
- icedove 1.5.0.10.dfsg1-1 (low)
- xulrunner 1.8.0.10-1 (high)
- [sarge] - mozilla-firefox <unfixed> (high)
+ [sarge] - mozilla-firefox <unfixed> (low)
[sarge] - mozilla-thunderbird <unfixed> (low)
- [sarge] - mozilla <unfixed> (high)
+ [sarge] - mozilla <unfixed> (low)
+ NOTE: Only one of the crashes can be triggered in Sarge, 326864
CVE-2007-0774 (Stack-based buffer overflow in the map_uri_to_worker function ...)
- tomcat5.5 <unfixed> (medium)
CVE-2007-0773
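Review bot: In `NOTE: Only one of the crashes can be triggered in Sarge, 326864` the bare number has no prefix, so it is unclear whether it refers to a Mozilla bugzilla entry or a Debian bug; elsewhere in this file Debian bugs are written as `bug #323185`, so the reference should use that form or say `mozilla bug 326864` explicitly.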
@@ -28855,9 +28863,6 @@
{DSA-813-1 DTSA-2-1 DTSA-4-1}
- ekg 1:1.5+20050718+1.6rc3-1 (low)
- centericq 4.20.0-9 (bug #323185; medium)
- [sarge] - ekg <not-affected>
- NOTE: I checked the ekg source from Sarge and all fixes from the centericq DSA 813
- NOTE: are already included.
CVE-2005-2447
REJECTED
CVE-2005-2446
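Review bot: This hunk deletes both `[sarge] - ekg <not-affected>` and the NOTE explaining that the centericq DSA-813 fixes are already in sarge's ekg source, which discards the recorded reasoning; if the intent is that the `{DSA-813-1 DTSA-2-1 DTSA-4-1}` line already covers sarge, a one-line NOTE saying so should replace the removed text, and the commit log ("older ekg issues don't affect sarge") does not describe this deletion.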
@@ -29061,8 +29066,6 @@
- gaim 1:1.4.0-5 (low)
- centericq 4.20.0-9 (bug #323185; low)
- ekg 1:1.5+20050712+1.6rc2-1 (low)
- [sarge] - ekg <no-dsa> (Minor issue)
- NOTE: ekg in Sarge is affected (Not in Woody, gaim and centericq had DSAs)
CVE-2005-2369 (Multiple integer signedness errors in libgadu, as used in ekg before ...)
{DSA-813-1 DTSA-2-1}
- centericq 4.20.0-9 (bug #323185; medium)
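Review bot: Removing `[sarge] - ekg <no-dsa> (Minor issue)` together with `NOTE: ekg in Sarge is affected (Not in Woody, gaim and centericq had DSAs)` leaves sarge with no stated status for this CVE, even though the deleted NOTE says sarge is affected; if the reassessment is that sarge is not affected, record it as `[sarge] - ekg <not-affected> (reason)` as the 2007 ekg entries in this commit do, otherwise the `<no-dsa>` line and its NOTE should stay.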