[Secure-testing-commits] r7239 - in data: CVE DSA
jmm-guest at alioth.debian.org
Wed Nov 7 18:36:50 UTC 2007
Author: jmm-guest
Date: 2007-11-07 18:36:49 +0000 (Wed, 07 Nov 2007)
New Revision: 7239
Modified:
data/CVE/list
data/DSA/list
Log:
one additional iceweasel issue fixed in latest DSA
duplicity CVEfied
mysql cleanups, suite-specific <not-affected> entries _need_ to be
done with great care, otherwise issues fall through
rewrite cvstrac entry
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2007-11-07 14:40:23 UTC (rev 7238)
+++ data/CVE/list 2007-11-07 18:36:49 UTC (rev 7239)
@@ -1872,7 +1872,8 @@
CVE-2007-5336
REJECTED
CVE-2007-5335 (Mozilla Firefox 2.0 before 2.0.0.8 allows remote attackers to obtain ...)
- - iceweasel 2.0.0.8-1
+ - iceweasel 2.0.0.8-1 (low)
+ NOTE: Firefox 2.0-specific issue, doesn't affect xulrunner, iceape or icedove
NOTE: not mentioned in debian changelog, but mozilla #390983 confirms it went into 2.0.0.8
CVE-2007-5334 (Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 can hide the ...)
{DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1}
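Review bot: the scope decision in the new `NOTE: Firefox 2.0-specific issue, doesn't affect xulrunner, iceape or icedove` lives only in free text, while the rest of this commit records such decisions as per-package `<not-affected>` entries with a reason (see the mysql hunks below); consider adding `- xulrunner <not-affected> (Firefox 2.0-specific)` and the same for iceape and icedove so the status is machine-readable and does not depend on someone reading the note.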
@@ -2316,7 +2317,7 @@
CVE-2007-5202
RESERVED
CVE-2007-5201 (The FTP backend for Duplicity sends the password as a command line ...)
- - duplicity 0.4.3-2 (medium; bug #442840)
+ - duplicity 0.4.3-2 (bug #442840)
CVE-2007-5200 (hugin in SUSE openSUSE 10.2 and 10.3 allows local users to overwrite ...)
{DTSA-74-1}
- hugin 0.6.1-1.1 (low; bug #447344)
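Review bot: the replacement line drops the severity: `- duplicity 0.4.3-2 (medium; bug #442840)` becomes `- duplicity 0.4.3-2 (bug #442840)`, which matches the CVE-2007-XXXX placeholder being removed further down rather than the existing CVE-2007-5201 entry; unless the downgrade from medium is intended, keep `(medium; bug #442840)` when merging the two.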
@@ -3019,8 +3020,6 @@
- wordpress 2.2.3-1 (low)
CVE-2007-4892 (Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, ...)
NOT-FOR-US: Plesk (Windows)
-CVE-2007-XXXX [duplicity exposes FTP password in command line args]
- - duplicity 0.4.3-2 (bug #442840)
CVE-2007-XXXX [libgd2: gdImageColorTransparent can write outside buffer]
- libgd2 2.0.35.dfsg-3
CVE-2007-XXXX [moin cross site scripting]
@@ -5568,11 +5567,17 @@
CVE-2007-3783 (SQL injection vulnerability in default.asp in enVivo!CMS allows remote ...)
NOT-FOR-US: enVivo!CMS
CVE-2007-3782 (MySQL Community Server before 5.0.45 allows remote authenticated users ...)
- - mysql-dfsg-5.0 5.0.45-1
+ - mysql-dfsg-5.0 5.0.42
+ [sarge] - mysql-dfsg <not-affected> (Vulnerable functionality was introduced in 5.0)
+ [sarge] - mysql-dfsg-4.1 <not-affected> (Vulnerable functionality was introduced in 5.0)
CVE-2007-3781 (MySQL Community Server before 5.0.45 does not require privileges such ...)
- mysql-dfsg-5.0 5.0.45-1
+ [etch] - mysql-dfsg-5.0 <no-dsa> (Minor issue, too intrusive to backport)
+ [sarge] - mysql-dfsg <no-dsa> (Minor issue, too intrusive to backport)
+ [sarge] - mysql-dfsg-4.1 <no-dsa> (Minor issue, too intrusive to backport)
CVE-2007-3780 (MySQL Community Server before 5.0.45 allows remote attackers to cause ...)
- - mysql-dfsg-5.0 5.0.45-1
+ - mysql-dfsg-5.0 5.0.44
+ [sarge] - mysql-dfsg <not-affected> (Introduced with SSL support in 4.1)
CVE-2007-3779 (PHP local file inclusion vulnerability in gpg_pop_init.php in the ...)
NOT-FOR-US: G/PGP (GPG) Plugin for Squirrelmail
CVE-2007-3778 (The G/PGP (GPG) Plugin 2.0, and 2.1dev before 20060912, for ...)
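Review bot: the fixed version for CVE-2007-3782 is lowered from `5.0.45-1` to `5.0.42` although the description in the same hunk reads "MySQL Community Server before 5.0.45"; an entry that contradicts the CVE text needs a `NOTE:` with the upstream reference that justifies the earlier version, as this file does elsewhere with `NOTE: http://bugs.mysql.com/bug.php?id=...`. The same applies to `5.0.44` for CVE-2007-3780. Both new versions also lack the Debian revision that the neighbouring `5.0.45-1` and `5.0.41a-1` entries carry; if the intent is "any upload of upstream 5.0.42 or later", say so in the note, otherwise use the actual package version.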
@@ -8227,20 +8232,16 @@
CVE-2007-2694 (Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic ...)
NOT-FOR-US: BEA WebLogic
CVE-2007-2693 (MySQL before 5.1.18 allows remote authenticated users without SELECT ...)
- - mysql-dfsg-5.0 <not-affected> (bug #424778)
- [sarge] - mysql-dfsg-4.1 <not-affected> (bug #424830)
- [sarge] - mysql-dfsg <not-affected>
+ - mysql-dfsg-5.0 <not-affected> (Only MySQL 5.1 affected)
+ [sarge] - mysql-dfsg-4.1 <not-affected> (Only MySQL 5.1 affected)
+ [sarge] - mysql-dfsg <not-affected> (Only MySQL 5.1 affected)
CVE-2007-2692 (The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x ...)
- - mysql-dfsg-5.0 5.0.45-1 (bug #424778)
- [sarge] - mysql-dfsg-4.1 <unfixed> (bug #424830)
- [sarge] - mysql-dfsg <not-affected>
- NOTE: the CVE says it's fixed in 5.0.40, but 5.0.41 is vulnerable
+ - mysql-dfsg-5.0 5.0.42 (bug #424778)
+ [sarge] - mysql-dfsg-4.1 <not-affected> (Vulnerable functionality not implemented)
+ [sarge] - mysql-dfsg <not-affected> (Vulnerable functionality not implemented)
NOTE: http://bugs.mysql.com/bug.php?id=28499
- NOTE: seanius told me that this bug is fixed in unstable
CVE-2007-2691 (MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does ...)
- - mysql-dfsg-5.0 5.0.41a-1 (bug #424778)
- [sarge] - mysql-dfsg-4.1 <unfixed> (bug #424830)
- [sarge] - mysql-dfsg <not-affected>
+ - mysql-dfsg-5.0 5.0.41a-1 (bug #424778; bug #424830)
CVE-2007-2690 (Multiple IBM ISS Proventia Series products, including the A, G, and M ...)
NOT-FOR-US: ISS
CVE-2007-2689 (Check Point Web Intelligence does not properly handle certain ...)
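Review bot: for CVE-2007-2691 the hunk deletes `[sarge] - mysql-dfsg-4.1 <unfixed> (bug #424830)` and `[sarge] - mysql-dfsg <not-affected>` without replacing them and only moves `bug #424830` onto the mysql-dfsg-5.0 line, so sarge's state for a CVE whose description reads "MySQL before 4.1.23" is no longer recorded at all; this is exactly the fall-through the commit message warns about. If 4.1 in sarge is fixed or not affected, record it as such with a reason, as the CVE-2007-2692 block in this hunk does; if it is still open, keep the `<unfixed>` line. Also, the deleted `NOTE: the CVE says it's fixed in 5.0.40, but 5.0.41 is vulnerable` is the only explanation for setting CVE-2007-2692's fixed version to `5.0.42` rather than the 5.0.40 the description states; keep it next to the bugs.mysql.com reference.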
@@ -8476,8 +8477,9 @@
CVE-2007-2584 (Buffer overflow in the IsOldAppInstalled function in the ...)
NOT-FOR-US: Subscription Manager ActiveX control
CVE-2007-2583 (The in_decimal::set function in item_cmpfunc.cc in MySQL before ...)
- - mysql-dfsg-5.0 5.0.41-1 (low)
- NOTE: http://bugs.mysql.com/bug.php?id=27513
+ - mysql-dfsg-5.0 5.0.41-1 (low; bug #426353)
+ [sarge] - mysql-dfsg <not-affected> (Vulnerable functionality not implemented)
+ [sarge] - mysql-dfsg <not-affected> (Not affected, test case doesn't crash the daemon)
CVE-2007-2582 (Multiple buffer overflows in the DB2 JDBC Applet Server (DB2JDS) ...)
NOT-FOR-US: IBM DB2
CVE-2007-2581 (Multiple cross-site scripting (XSS) vulnerabilities in Microsoft ...)
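Review bot: the two added sarge lines name the same source package with contradictory reasons: `[sarge] - mysql-dfsg <not-affected> (Vulnerable functionality not implemented)` and `[sarge] - mysql-dfsg <not-affected> (Not affected, test case doesn't crash the daemon)`; since the other mysql hunks in this commit track sarge's `mysql-dfsg` and `mysql-dfsg-4.1` separately, one of them is presumably meant to be `mysql-dfsg-4.1`, and each reason should then say which assessment applies to which package. The hunk also drops `NOTE: http://bugs.mysql.com/bug.php?id=27513`, the only upstream reference for the entry; keep it, since the added `bug #426353` follows this file's Debian bug convention and does not replace it.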
@@ -14258,9 +14260,8 @@
NOT-FOR-US: ActiveX control in InterActual Player
CVE-2007-0347 (The is_eow function in format.c in CVSTrac before 2.0.1 does not ...)
- cvstrac 2.0.1-1
- [etch] - cvstrac <not-affected>
- [sarge] - cvstrac <not-affected>
- NOTE: 1.1.5 is not vulnerable (is_repository_file is not in 1.1.5 source)
+ [etch] - cvstrac <not-affected> (Vulnerable code not present)
+ [sarge] - cvstrac <not-affected> (Vulnerable code not present)
NOTE: the vulnerable code can't be found on other places in 1.1.5 and also similar things
NOTE: are done like using %q instead of %s for user supplied data
CVE-2007-0346 (SQL injection vulnerability in index.php in SmE FileMailer 1.21 allows ...)
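Review bot: removing `NOTE: 1.1.5 is not vulnerable (is_repository_file is not in 1.1.5 source)` leaves the surviving `NOTE: the vulnerable code can't be found on other places in 1.1.5 ...` without its antecedent: "other places" no longer refers to anything, and the function name that makes the assessment checkable is gone. Either keep the function name in the `<not-affected>` reason, e.g. `(Vulnerable code not present, is_repository_file absent from 1.1.5)`, or reword the remaining NOTE so it stands on its own.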
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2007-11-07 14:40:23 UTC (rev 7238)
+++ data/DSA/list 2007-11-07 18:36:49 UTC (rev 7239)
@@ -21,7 +21,7 @@
[etch] - dhcp 2.0pl5-19.5etch2
NOTE: DSA-1388-1 was incomplete
[27 Oct 2007] DSA-1396-1 iceweasel
- {CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-5334 CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340}
+ {CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-5334 CVE-2007-5335 CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340}
[etch] - iceweasel 2.0.0.6+2.0.0.8-0etch1
[25 Oct 2007] DSA-1395-1 xen-3.0 - insecure temporary files
{CVE-2007-3919}
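Review bot: adding CVE-2007-5335 to DSA-1396-1 here is not mirrored on the CVE/list side of this commit: the CVE-2007-5335 entry there gets a fixed version and a NOTE but no `{DSA-1396-1}` cross-reference line, while the neighbouring CVE-2007-5334 carries `{DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1}`. If that line is maintained by hand, add it so both files agree on which DSA covered the issue.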