[Secure-testing-commits] r6986 - data/CVE

jmm-guest at alioth.debian.org jmm-guest at alioth.debian.org
Tue Oct 16 21:11:28 UTC 2007 

Author: jmm-guest
Date: 2007-10-16 21:11:28 +0000 (Tue, 16 Oct 2007)
New Revision: 6986

Modified:
   data/CVE/list
Log:
- track madwifi by source package name and record it as non-free
- mplayer and one of the vorbis issues unimportant
- no-dsa for minor ircd issues
- rewrite some issues postponed for stable updates, so that they
  don't show up in the mean time, this will be changed once the
  next stable update is released. The tracker cannot record two
  states, so we need this little hack


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-10-16 20:43:59 UTC (rev 6985)
+++ data/CVE/list	2007-10-16 21:11:28 UTC (rev 6986)
@@ -21,7 +21,8 @@
 CVE-2007-5449 (SQL injection vulnerability in searchresult.php in Softbiz Recipes ...)
 	NOT-FOR-US: Softbiz Recipes Portal Script
 CVE-2007-5448 (Madwifi 0.9.3.2 and earlier allows remote attackers to cause a denial ...)
-	- madwifi-source <unfixed> (medium; bug #446824)
+	- madwifi <unfixed> (medium; bug #446824)
+	[etch] - madwidi <no-dsa> (Non-free not supported)
 	NOTE: this results in a kernel panic
 CVE-2007-5447 (ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP ...)
 	NOT-FOR-US: ionCube
@@ -1391,8 +1392,8 @@
 	NOT-FOR-US: Media Player Classic
 CVE-2007-4938 (Heap-based buffer overflow in libmpdemux/aviheader.c in MPlayer 1.0rc1 ...)
 	{DTSA-65-1}
-	- mplayer 1.0~rc1-16.1 (bug #443478; low)
-	NOTE: just a NULL pointer dereference.
+	- mplayer 1.0~rc1-16.1 (bug #443478; unimportant)
+	NOTE: just a NULL pointer dereference, not treated as a security problem for this class of applications
 CVE-2007-4937 (CS Guestbook stores sensitive information under the web root with ...)
 	NOT-FOR-US: CS Guestbook
 CVE-2007-4936 (Unspecified vulnerability in Office Efficiencies SafeSquid 4.1.x has ...)
@@ -2595,13 +2596,16 @@
 CVE-2007-4412 (Multiple cross-site scripting (XSS) vulnerabilities in Headstart ...)
 	NOT-FOR-US: Deskpro
 CVE-2007-4411 (ircu 2.10.12.05 and earlier allows remote attackers to discover the ...)
-	- ircd-ircu 2.10.12.10.dfsg1-1 (bug #439314)
+	- ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314)
+	[etch] - ircd-ircu <no-dsa> (Minor issue)
 CVE-2007-4410 (ircu 2.10.12.05 and earlier does not properly synchronize a kick ...)
-	- ircd-ircu 2.10.12.10.dfsg1-1 (bug #439314)
+	- ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314)
+	[etch] - ircd-ircu <no-dsa> (Minor issue)
 CVE-2007-4409 (Race condition in ircu 2.10.12.01 through 2.10.12.05 allows remote ...)
 	- ircd-ircu <not-affected> (Version affected not yet in unstable, maintainer informed)
 CVE-2007-4408 (ircu 2.10.12.05 and earlier ignores timestamps in bounces, which ...)
-	- ircd-ircu 2.10.12.10.dfsg1-1 (bug #439314)
+	- ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314)
+	[etch] - ircd-ircu <no-dsa> (Minor issue)
 CVE-2007-4407 (ircu 2.10.12.03 and 2.10.12.04 does not associate a timestamp with ops ...)
 	- ircd-ircu <not-affected> (Version affected not yet in unstable, maintainer informed)
 CVE-2007-4406 (ircu 2.10.12.01 through 2.10.12.04 does not remove ops privilege after ...)
@@ -3358,7 +3362,9 @@
 CVE-2007-4066 (Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow ...)
 	NOTE: svn revisionsions fixing this: https://bugzilla.redhat.com/show_bug.cgi?id=249780
 CVE-2007-4065 (lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 ...)
-	NOTE: svn revisionsions fixing this: https://bugzilla.redhat.com/show_bug.cgi?id=249780
+	- libvorbis <unfixed> (unimportant)
+	NOTE: Just an infinite loop in an enduser multimedia libarary, not treated as a vulnerability
+	NOTE: svn revisionions fixing this: https://bugzilla.redhat.com/show_bug.cgi?id=249780
 CVE-2007-4064 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x ...)
 	- drupal 4.7.7-1 (low)
 	- drupal5 5.2-1 (low)
@@ -3846,7 +3852,8 @@
 	- linux-2.6 2.6.22-4
 CVE-2007-3847 (The date handling code in modules/proxy/proxy_util.c (mod_proxy) in ...)
 	- apache2 2.2.6-1 (bug #441845; low)
-	[etch] - apache2 2.2.3-4+etch3 (bug #441845; low)
+	[etch] - apache2 <no-dsa> (Scheduled for next point release)
+	NOTE:	[etch] - apache2 2.2.3-4+etch3 (bug #441845; low)
 CVE-2007-3846 (Directory traversal vulnerability in Subversion before 1.4.5, as used ...)
 	NOT-FOR-US: TortoiseSVN on Windows
 CVE-2007-3845 (Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and 2.x ...)
@@ -5182,10 +5189,9 @@
 	NOT-FOR-US: Cerulean Studios Trillian
 CVE-2007-3304 (Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, ...)
 	- apache <removed> (low)
-	[etch] - apache <unfixed> (low)
-	[sarge] - apache <unfixed> (low)
 	- apache2 2.2.4-2 (low)
-	[etch] - apache2 2.2.3-4+etch2
+	[etch] - apache2 <no-dsa> (Scheduled for next point release)
+	NOTE: [etch] - apache2 2.2.3-4+etch2
 	[sarge] - apache2 2.0.54-5sarge2 (low)
 CVE-2007-3303 (Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows ...)
 	- apache2 <unfixed> (unimportant)
@@ -7198,7 +7204,8 @@
 CVE-2007-2452 (Heap-based buffer overflow in the visit_old_format function in ...)
 	- findutils 4.2.31-1 (low; bug #426862)
 	[sarge] - findutils <no-dsa> (Not vulnerable in default configuration, minor issue)
-	[etch] - findutils 4.2.28-1etch1 (low)
+	[etch] - findutils <no-dsa> (Scheduled for next point release)
+	NOTE:	[etch] - findutils 4.2.28-1etch1 (low)
 CVE-2007-2451 (Unspecified vulnerability in drivers/crypto/geode-aes.c in GEODE-AES ...)
 	- linux-2.6 2.6.21-3
 	[etch] - linux-2.6 <not-affected> (Vulnerable code not present, introduced in 2.6.20)
@@ -8561,7 +8568,8 @@
 	- apache2 2.2.4-1 (low)
 	- apache <unfixed> (low)
 	[sarge] - apache2 2.0.54-5sarge2
-	[etch] - apache2 2.2.3-4+etch2
+	NOTE:	[etch] - apache2 2.2.3-4+etch2
+	[etch] - apache2 <no-dsa> (Scheduled for next point release)
 	NOTE: see http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/cache/cache_util.c?view=markup&pathrev=551944
 	NOTE: see http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/cache/cache_util.c?r1=463503&r2=551944&pathrev=551944
 	NOTE: vulnerable code in src/modules/proxy/proxy_cache.c starting in line 1132
@@ -16179,7 +16187,8 @@
 CVE-2006-5752 (Cross-site scripting (XSS) vulnerability in mod_status.c in the ...)
 	- apache2 2.2.4-2 (low)
 	[sarge] - apache2 2.0.54-5sarge2
-	[etch] - apache2 2.2.3-4+etch2
+	NOTE: [etch] - apache2 2.2.3-4+etch2
+	[etch] - apache2 <no-dsa> (Scheduled for next point release)
 	- apache <removed> (low)
 CVE-2006-5751 (Integer overflow in the get_fdb_entries function in ...)
 	{DSA-1233}

More information about the Secure-testing-commits mailing list