[Secure-testing-commits] r7239 - in data: CVE DSA

jmm-guest at alioth.debian.org jmm-guest at alioth.debian.org
Wed Nov 7 18:36:50 UTC 2007 

Author: jmm-guest
Date: 2007-11-07 18:36:49 +0000 (Wed, 07 Nov 2007)
New Revision: 7239

Modified:
   data/CVE/list
   data/DSA/list
Log:
one additional iceweasel issue fixed in latest DSA
duplicity CVEfied
mysql cleanups, suite-specific <not-affected> entries _need_ to be
  done with great care, otherwise issues fall through
rewrite cvstrac entry


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-11-07 14:40:23 UTC (rev 7238)
+++ data/CVE/list	2007-11-07 18:36:49 UTC (rev 7239)
@@ -1872,7 +1872,8 @@
 CVE-2007-5336
 	REJECTED
 CVE-2007-5335 (Mozilla Firefox 2.0 before 2.0.0.8 allows remote attackers to obtain ...)
-	- iceweasel 2.0.0.8-1
+	- iceweasel 2.0.0.8-1 (low)
+	NOTE: Firefox 2.0-specific issue, doesn't affect xulrunner, iceape or icedove
 	NOTE: not mentioned in debian changelog, but mozilla #390983 confirms it went into 2.0.0.8
 CVE-2007-5334 (Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 can hide the ...)
 	{DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1}
@@ -2316,7 +2317,7 @@
 CVE-2007-5202
 	RESERVED
 CVE-2007-5201 (The FTP backend for Duplicity sends the password as a command line ...)
-	- duplicity 0.4.3-2 (medium; bug #442840)
+	- duplicity 0.4.3-2 (bug #442840)
 CVE-2007-5200 (hugin in SUSE openSUSE 10.2 and 10.3 allows local users to overwrite ...)
 	{DTSA-74-1}
 	- hugin 0.6.1-1.1 (low; bug #447344)
@@ -3019,8 +3020,6 @@
 	- wordpress 2.2.3-1 (low)
 CVE-2007-4892 (Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, ...)
 	NOT-FOR-US: Plesk (Windows)
-CVE-2007-XXXX [duplicity exposes FTP password in command line args]
-	- duplicity 0.4.3-2 (bug #442840)
 CVE-2007-XXXX [libgd2: gdImageColorTransparent can write outside buffer]
 	- libgd2 2.0.35.dfsg-3
 CVE-2007-XXXX [moin cross site scripting]
@@ -5568,11 +5567,17 @@
 CVE-2007-3783 (SQL injection vulnerability in default.asp in enVivo!CMS allows remote ...)
 	NOT-FOR-US: enVivo!CMS
 CVE-2007-3782 (MySQL Community Server before 5.0.45 allows remote authenticated users ...)
-	- mysql-dfsg-5.0 5.0.45-1
+	- mysql-dfsg-5.0 5.0.42
+	[sarge] - mysql-dfsg <not-affected> (Vulnerable functionality was introduced in 5.0)
+	[sarge] - mysql-dfsg-4.1 <not-affected> (Vulnerable functionality was introduced in 5.0)
 CVE-2007-3781 (MySQL Community Server before 5.0.45 does not require privileges such ...)
 	- mysql-dfsg-5.0 5.0.45-1
+	[etch] - mysql-dfsg-5.0 <no-dsa> (Minor issue, too intrusive to backport)
+	[sarge] - mysql-dfsg <no-dsa> (Minor issue, too intrusive to backport)
+	[sarge] - mysql-dfsg-4.1 <no-dsa> (Minor issue, too intrusive to backport)
 CVE-2007-3780 (MySQL Community Server before 5.0.45 allows remote attackers to cause ...)
-	- mysql-dfsg-5.0 5.0.45-1
+	- mysql-dfsg-5.0 5.0.44
+	[sarge] - mysql-dfsg <not-affected> (Introduced with SSL support in 4.1)
 CVE-2007-3779 (PHP local file inclusion vulnerability in gpg_pop_init.php in the ...)
 	NOT-FOR-US: G/PGP (GPG) Plugin for Squirrelmail
 CVE-2007-3778 (The G/PGP (GPG) Plugin 2.0, and 2.1dev before 20060912, for ...)
@@ -8227,20 +8232,16 @@
 CVE-2007-2694 (Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic ...)
 	NOT-FOR-US: BEA WebLogic 
 CVE-2007-2693 (MySQL before 5.1.18 allows remote authenticated users without SELECT ...)
-	- mysql-dfsg-5.0 <not-affected> (bug #424778)
-	[sarge] - mysql-dfsg-4.1 <not-affected> (bug #424830)
-	[sarge] - mysql-dfsg <not-affected>
+	- mysql-dfsg-5.0 <not-affected> (Only MySQL 5.1 affected)
+	[sarge] - mysql-dfsg-4.1 <not-affected> (Only MySQL 5.1 affected)
+	[sarge] - mysql-dfsg <not-affected> (Only MySQL 5.1 affected)
 CVE-2007-2692 (The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x ...)
-	- mysql-dfsg-5.0 5.0.45-1 (bug #424778)
-	[sarge] - mysql-dfsg-4.1 <unfixed> (bug #424830)
-	[sarge] - mysql-dfsg <not-affected>
-	NOTE: the CVE says it's fixed in 5.0.40, but 5.0.41 is vulnerable
+	- mysql-dfsg-5.0 5.0.42 (bug #424778)
+	[sarge] - mysql-dfsg-4.1 <not-affected> (Vulnerable functionality not implemented)
+	[sarge] - mysql-dfsg <not-affected> (Vulnerable functionality not implemented)
 	NOTE: http://bugs.mysql.com/bug.php?id=28499
-	NOTE: seanius told me that this bug is fixed in unstable
 CVE-2007-2691 (MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does ...)
-	- mysql-dfsg-5.0 5.0.41a-1 (bug #424778)
-	[sarge] - mysql-dfsg-4.1 <unfixed> (bug #424830)
-	[sarge] - mysql-dfsg <not-affected>
+	- mysql-dfsg-5.0 5.0.41a-1 (bug #424778; bug #424830)
 CVE-2007-2690 (Multiple IBM ISS Proventia Series products, including the A, G, and M ...)
 	NOT-FOR-US: ISS
 CVE-2007-2689 (Check Point Web Intelligence does not properly handle certain ...)
@@ -8476,8 +8477,9 @@
 CVE-2007-2584 (Buffer overflow in the IsOldAppInstalled function in the ...)
 	NOT-FOR-US: Subscription Manager ActiveX control
 CVE-2007-2583 (The in_decimal::set function in item_cmpfunc.cc in MySQL before ...)
-	- mysql-dfsg-5.0 5.0.41-1 (low)
-	NOTE: http://bugs.mysql.com/bug.php?id=27513
+	- mysql-dfsg-5.0 5.0.41-1 (low; bug #426353)
+	[sarge] - mysql-dfsg <not-affected> (Vulnerable functionality not implemented)
+	[sarge] - mysql-dfsg <not-affected> (Not affected, test case doesn't crash the daemon)
 CVE-2007-2582 (Multiple buffer overflows in the DB2 JDBC Applet Server (DB2JDS) ...)
 	NOT-FOR-US: IBM DB2
 CVE-2007-2581 (Multiple cross-site scripting (XSS) vulnerabilities in Microsoft ...)
@@ -14258,9 +14260,8 @@
 	NOT-FOR-US: ActiveX control in InterActual Player
 CVE-2007-0347 (The is_eow function in format.c in CVSTrac before 2.0.1 does not ...)
 	- cvstrac 2.0.1-1
-	[etch] - cvstrac <not-affected>
-	[sarge] - cvstrac <not-affected>
-	NOTE: 1.1.5 is not vulnerable (is_repository_file is not in 1.1.5 source)
+	[etch] - cvstrac <not-affected> (Vulnerable code not present)
+	[sarge] - cvstrac <not-affected> (Vulnerable code not present)
 	NOTE: the vulnerable code can't be found on other places in 1.1.5 and also similar things
 	NOTE: are done like using %q instead of %s for user supplied data
 CVE-2007-0346 (SQL injection vulnerability in index.php in SmE FileMailer 1.21 allows ...)

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2007-11-07 14:40:23 UTC (rev 7238)
+++ data/DSA/list	2007-11-07 18:36:49 UTC (rev 7239)
@@ -21,7 +21,7 @@
 	[etch] - dhcp 2.0pl5-19.5etch2
 	NOTE: DSA-1388-1 was incomplete
 [27 Oct 2007] DSA-1396-1 iceweasel
-        {CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-5334 CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340}
+        {CVE-2007-1095 CVE-2007-2292 CVE-2007-3511 CVE-2007-5334 CVE-2007-5335  CVE-2007-5337 CVE-2007-5338 CVE-2007-5339 CVE-2007-5340}
         [etch] - iceweasel 2.0.0.6+2.0.0.8-0etch1
 [25 Oct 2007] DSA-1395-1 xen-3.0 - insecure temporary files
 	{CVE-2007-3919}

More information about the Secure-testing-commits mailing list