[Secure-testing-commits] r9522 - in data: . CVE DSA

jmm-guest at alioth.debian.org jmm-guest at alioth.debian.org
Wed Aug 6 19:37:45 UTC 2008 

Author: jmm-guest
Date: 2008-08-06 19:37:44 +0000 (Wed, 06 Aug 2008)
New Revision: 9522

Modified:
   data/CVE/list
   data/DSA/list
   data/package-tags
   data/spu-candidates.txt
Log:
links2, exiv2 no-dsa
add php to packages with special security support
add one missing mozilla CVE ID, which was split off
one moin issue doesn't affect etch
two dnsmasq issues don't affect etch, dnsmasq CVEfied
one iceweasel issue Mac specific
add note on firebird in etch
one issues marked as php is only relevant to libgd


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2008-08-06 15:53:23 UTC (rev 9521)
+++ data/CVE/list	2008-08-06 19:37:44 UTC (rev 9522)
@@ -89,7 +89,8 @@
 CVE-2008-3382 (SQL injection vulnerability in mojoClassified.cgi in MojoClassifieds ...)
 	NOT-FOR-US: MojoClassifieds
 CVE-2008-3381 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
-	- moin 1.7.1-1
+	- moin 1.7.1-1 (low)
+	[etch] - moin <not-affected> (Vulnerable macro not present)
 CVE-2008-3380 (Cross-site scripting (XSS) vulnerability in ajaxp_backend.php in ...)
 	NOT-FOR-US: MyioSoft EasyBookMarker
 CVE-2008-3379 (Cross-site scripting (XSS) vulnerability in Snark VisualPic 0.3.1 ...)
@@ -134,6 +135,8 @@
 	NOT-FOR-US: IntelliTamper
 CVE-2008-3359 (SQL injection vulnerability in register.php in Steve Bourgeois and ...)
 	- owl-dms <unfixed> (bug #493372)
+	NOTE: Hardly maintained and very few users, long standing sec issues in Etch,
+	TODO: we should remove this from Lenny w/o maintainer reaction
 CVE-2008-3358
 	RESERVED
 CVE-2008-3357
@@ -152,6 +155,7 @@
 	NOT-FOR-US: Atom PhotoBlog
 CVE-2008-3350 (dnsmasq 2.43 allows remote attackers to cause a denial of service ...)
 	- dnsmasq 2.44-1 (low)
+	[etch] - dnsmasq <not-affected> (Issue was introduced in 2.43)
 CVE-2008-3349 (Multiple unspecified vulnerabilities in NetApp Data ONTAP, as used on ...)
 	NOT-FOR-US: NetApp Data ONTAP
 CVE-2008-3348 (Cross-site scripting (XSS) vulnerability in ...)
@@ -416,7 +420,7 @@
 	{DSA-1616-2}
 	- clamav 0.93.1.dfsg-1.1 (medium)
 CVE-2008-3214 (dnsmasq 2.25 allows remote attackers to cause a denial of service ...)
-	- dnsmasq 2.44-1 (low)
+	- dnsmasq 2.26-1 (medium)
 CVE-2008-3213 (SQL injection vulnerability in secciones/tablon/tablon.php in WebCMS ...)
 	NOT-FOR-US: WebCMS
 CVE-2008-3212 (Multiple SQL injection vulnerabilities in Scripteen Free Image Hosting ...)
@@ -448,7 +452,8 @@
 CVE-2008-3199 (Multiple unspecified vulnerabilities in ReSIProcate before 1.3.4 allow ...)
 	NOT-FOR-US: ReSIProcate
 CVE-2008-3198 (Mozilla Firefox 3.x before 3.0.1 allows remote attackers to inject ...)
-	TODO: check
+	- iceweasel 3.0.1-1 (low)
+	NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html
 CVE-2008-3195
 	RESERVED
 CVE-2008-3194 (Multiple directory traversal vulnerabilities in ...)
@@ -1056,11 +1061,10 @@
 	- libxslt 1.1.24-2 (bug #493162)
 	NOTE: http://www.ocert.org/advisories/ocert-2008-009.html
 CVE-2008-2934 (Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote attackers to ...)
-	TODO: check
+	- iceweasel <not-affected> (MacOS-specific)
 CVE-2008-2933 (Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' ...)
 	{DSA-1615-1 DSA-1614-1}
 	- iceweasel 3.0.1-1 (low)
-	NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html
 CVE-2008-2932
 	RESERVED
 CVE-2008-2931 (The do_change_type function in fs/namespace.c in the Linux kernel ...)
@@ -1272,10 +1276,6 @@
 CVE-2008-3141 (Unspecified vulnerability in the RMI dissector in Wireshark (formerly ...)
 	- wireshark 1.0.1-1 (low; bug #488834)
 	NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html
-CVE-2008-XXXX [dnsmasq crash on renewing non-existent lease]
-	- dnsmasq 2.26-1 (medium)
-	NOTE: CVE id requested by Ubuntu
-	NOTE: http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=217681
 CVE-2008-2952 (liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to ...)
 	{DTSA-151-1}
 	- openldap2.3 <removed> (low; bug #488710)
@@ -3493,6 +3493,7 @@
 	- vlc 0.8.6.e-2.1 (medium; bug #477805)
 CVE-2008-1880 (The default configuration of Firebird before 2.0.3.12981.0-r6 on ...)
 	- firebird2 <removed>
+	[etch] - firebird2 <no-dsa> (Firebird 1.5 no longer supported, see last DSA)
 	- firebird2.0 2.0.3.12981.ds1-14 (bug #481389)
 	NOTE: on debian after the installation firebird2.0-super is disabled, to enable it
 	NOTE: you need to call dpkg-reconfigure
@@ -15404,7 +15405,7 @@
 CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow remote ...)
 	{DSA-1613-1}
 	- libgd2 2.0.35.dfsg-1 (bug #443456; medium)
-	- php5 5.2.4-1 (medium)
+	NOTE: Debian's PHP packages are linked dynamically against libgd
 	NOTE: see http://www.php.net/releases/5_2_4.php
 CVE-2007-3995
 	RESERVED

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2008-08-06 15:53:23 UTC (rev 9521)
+++ data/DSA/list	2008-08-06 19:37:44 UTC (rev 9522)
@@ -38,7 +38,7 @@
 	{CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811 CVE-2008-2933}
 	[etch] - xulrunner 1.8.0.15~pre080614d-0etch1
 [23 Jul 2008] DSA-1614-1 iceweasel - several vulnerabilities
-	{CVE-2008-2785 CVE-2008-2933}
+	{CVE-2008-2785 CVE-2008-2933 CVE-2008-3198}
 	[etch] - iceweasel 2.0.0.16-0etch1
 [22 Jul 2008] DSA-1613-1 libgd2 - multiple vulnerabilities
 	{CVE-2007-2445 CVE-2007-3476 CVE-2007-3477 CVE-2007-3996}

Modified: data/package-tags
===================================================================
--- data/package-tags	2008-08-06 15:53:23 UTC (rev 9521)
+++ data/package-tags	2008-08-06 19:37:44 UTC (rev 9522)
@@ -8,5 +8,8 @@
 [etch] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone)
 [lenny] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone)
 
+[etch] php5 <limited-support> (See README.Debian.security for the PHP security policy)
+[etch] php4 <limited-support> (See README.Debian.security for the PHP security policy)
+[lenny] php5 <limited-support> (See README.Debian.security for the PHP security policy)
 [etch] adns <limited-support> (Stub resolver that should only be used with trusted recursors)
 [lenny] adns <limited-support> (Stub resolver that should only be used with trusted recursors)

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2008-08-06 15:53:23 UTC (rev 9521)
+++ data/spu-candidates.txt	2008-08-06 19:37:44 UTC (rev 9522)
@@ -67,6 +67,12 @@
 
 --
 
+exiv2 (CVE-2008-2696)
+bug #486328)
+http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499
+
+--
+
 flac123 (CVE-2007-3507)
 notified maintainer
 
@@ -105,6 +111,11 @@
 
 --
 
+links2 (CVE-2008-3329)
+bug #492744)
+
+--
+
 linux-ftpd-ssl (CVE-2007-6263)
 #454733
 notified maintainer

More information about the Secure-testing-commits mailing list