[Secure-testing-commits] r7780 - data/CVE
jmm-guest at alioth.debian.org
Tue Jan 1 18:14:19 UTC 2008
Author: jmm-guest
Date: 2008-01-01 18:14:17 +0000 (Tue, 01 Jan 2008)
New Revision: 7780
Modified:
data/CVE/list
Log:
- rewrite non-free fixes pending for r3 as no-dsa again; otherwise
they show up in the list of unfixed issues. They can be fixed
at the time of the r3 release
- one rsync issue unimportant
- python, skktools, pulseaudio no-dsa
- fix flashplugin issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-01-01 17:34:15 UTC (rev 7779)
+++ data/CVE/list 2008-01-01 18:14:17 UTC (rev 7780)
@@ -219,7 +219,8 @@
CVE-2007-XXXX [unace unspecified security issue related to uninitialized variable]
- unace-nonfree 2.5-3
[sarge] - unace-nonfree <no-dsa> (non-free not supported)
- [etch] - unace-nonfree 2.5-1etch1
+ [etch] - unace-nonfree <no-dsa> (non-free not supported)
+ TODO: r3 release: [etch] - unace-nonfree 2.5-1etch1
CVE-2007-6507 (SpntSvc.exe daemon in Trend Micro ServerProtect 5.58 for Windows, ...)
NOT-FOR-US: Trend Micro ServerProtect
CVE-2007-6506 (The HPRulesEngine.ContentCollection.1 ActiveX Control in ...)
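Review bot: the "TODO: r3 release: [etch] - unace-nonfree 2.5-1etch1" line is now the only place the pending etch fix version is recorded, since the [etch] line that carried it has become <no-dsa>; nothing in the tracker will flag this at r3 time, so the TODO marker has to be searched for before the point release or these fixes silently stay marked unsupported. Minor: this entry spells the reason "non-free not supported" in lowercase while the madwifi and unrar-nonfree entries in the same commit use "Non-free not supported"; one spelling would keep grepping for the reason reliable.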
@@ -980,7 +981,8 @@
CVE-2007-6200 (Unspecified vulnerability in rsync before 3.0.0pre6, when running a ...)
- rsync 2.6.9-6 (low; bug #453652)
CVE-2007-6199 (rsync before 3.0.0pre6, when running a writable rsync daemon that is ...)
- - rsync 2.6.9-6 (low; bug #453652)
+ - rsync 2.6.9-6 (unimportant; bug #453652)
+ NOTE: Security feature enhancement, not really a security problem
CVE-2007-6198 (portal/server.pt in the Plumtree portal in BEA AquaLogic Interaction ...)
NOT-FOR-US: Plumtree
CVE-2007-6197 (The Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 ...)
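Review bot: CVE-2007-6200 directly above keeps "low" with the same fixed version 2.6.9-6 and the same bug #453652, while CVE-2007-6199 is dropped to "unimportant" with the NOTE "Security feature enhancement, not really a security problem". If the two issues really differ in kind, a one-line NOTE on CVE-2007-6200 saying why it remains low would stop the next reader from treating the mismatch as an oversight; if they do not differ, both should carry the same rating.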
@@ -3429,8 +3431,8 @@
NOT-FOR-US: Softbiz Recipes Portal Script
CVE-2007-5448 (Madwifi 0.9.3.2 and earlier allows remote attackers to cause a denial ...)
- madwifi 1:0.9.3.2-2 (medium; bug #446824)
- [etch] - madwifi 1:0.9.2+r1842.20061207-2etch2
- NOTE: this results in a kernel panic
+ [etch] - madwifi <no-dsa> (Non-free not supported)
+ TODO: r3 release: [etch] - madwifi 1:0.9.2+r1842.20061207-2etch2
CVE-2007-5447 (ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP ...)
NOT-FOR-US: ionCube
CVE-2007-5446 (Absolute path traversal vulnerability in a certain ActiveX control in ...)
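Review bot: the line "NOTE: this results in a kernel panic" is removed together with the etch version, but it describes the impact of the issue and stays true whether or not etch gets an update; the commit log only mentions rewriting pending fixes as no-dsa, so the removal looks accidental. Suggest keeping the NOTE after the TODO line. Also, the entry is rated "medium" and the CVE text says remote attackers can cause a denial of service, which makes 1:0.9.2+r1842.20061207-2etch2 a stronger candidate than the other deferred entries for actually shipping in r3 rather than being left as unsupported.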
@@ -4853,7 +4855,10 @@
NOTE: Duplicate of CVE-2007-3913
CVE-2007-4965 (Multiple integer overflows in the imageop module in Python 2.5.1 and ...)
- python2.5 <unfixed> (low; bug #443333)
+ [etch] - python2.5 <no-dsa> (Minor issue)
+ [sarge] - python2.5 <no-dsa> (Minor issue)
- python2.4 <unfixed> (low; bug #443335)
+ [etch] - python2.4 <no-dsa> (Minor issue)
CVE-2007-4964 (WinImage 8.10 and earlier allows remote attackers to cause a denial of ...)
NOT-FOR-US: WinImage
CVE-2007-4963 (Visual truncation vulnerability in WinImage 8.10 and earlier allows ...)
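Review bot: python2.5 receives both a [sarge] and an [etch] <no-dsa> line, but python2.4 receives only [etch]. If python2.4 is also in sarge it needs a matching "[sarge] - python2.4 <no-dsa> (Minor issue)" line, otherwise that suite keeps showing the issue as unfixed; if it is not in sarge, a NOTE saying so avoids the question coming up again. Leaving the unstable entries at <unfixed> (low; bug #443333 / #443335) is consistent with no-dsa for the stable suites.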
@@ -6378,9 +6383,9 @@
CVE-2007-4325 (PHP remote file inclusion vulnerability in index.php in Gaestebuch 1.5 ...)
NOT-FOR-US: Gaestebuch
CVE-2007-4324 (ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0, and other ...)
- - flashplugin-nonfree <not-affected> (This package just downloads the plugin from adobe.com which has an updated version)
- [etch] - flashplugin-nonfree <no-dsa> (non-free not supported)
- [sarge] - flashplugin-nonfree <no-dsa> (non-free not supported)
+ - flashplugin-nonfree 9.0.115.0.1
+ [etch] - flashplugin-nonfree 9.0.115.0.1~etch1
+ [sarge] - flashplugin-nonfree <no-dsa> (Non-free not supported)
CVE-2007-4323 (DenyHosts 2.6 does not properly parse sshd log files, which allows ...)
- denyhosts 2.6-2.1 (bug #438162; medium)
CVE-2007-4322 (BlockHosts before 2.0.4 does not properly parse (1) sshd and (2) ...)
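Review bot: the etch fixed version 9.0.115.0.1~etch1 goes in the opposite direction from the rest of this commit, which rewrites pending non-free etch fixes as <no-dsa> until r3. If 9.0.115.0.1~etch1 has not actually been accepted into etch yet, it should follow the same "TODO: r3 release" pattern as unace-nonfree, madwifi and unrar-nonfree; if it has, a NOTE saying where it shipped would make the entry self-explanatory, especially since the removed <not-affected> rationale ("just downloads the plugin from adobe.com") is gone without a replacement explanation. The sarge line keeps <no-dsa>, which matches the other non-free entries.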
@@ -7284,7 +7289,9 @@
{DSA-1386-1}
- wesnoth 1.2.7-1
CVE-2007-3916 (The main function in skkdic-expr.c in SKK Tools 1.2 allows local users ...)
- - skktools 1.2+0.20061004-3
+ - skktools 1.2+0.20061004-3 (low)
+ [sarge] - skktools <no-dsa> (Minor issue)
+ [etch] - skktools <no-dsa> (Minor issue)
CVE-2007-3915
RESERVED
CVE-2007-3914
@@ -12313,6 +12320,7 @@
CVE-2007-1804 (PulseAudio 0.9.5 allows remote attackers to cause a denial of service ...)
{DTSA-44-1}
- pulseaudio 0.9.6-1 (low)
+ [etch] - pulseaudio <no-dsa> (Minor issue)
CVE-2007-1803 (Unspecified vulnerability in MailDwarf 3.01 and earlier allows remote ...)
NOT-FOR-US: MailDwarf
CVE-2007-1802 (Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and earlier ...)
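Review bot: the entry already carries {DTSA-44-1}, i.e. an advisory was considered worthwhile for testing, yet the new [etch] line says "<no-dsa> (Minor issue)". Both can be right, but a short NOTE stating why etch is treated differently from testing would keep the two markers from reading as contradictory.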
@@ -15039,7 +15047,8 @@
[etch] - rar <no-dsa> (Non-free)
- unrar-nonfree 1:3.7.3-1 (high; bug #410580)
[sarge] - unrar-nonfree 1:3.5.2-0.2
- [etch] - unrar-nonfree 1:3.5.4-1.1
+ [etch] - unrar-nonfree <no-dsa> (Non-free not supported)
+ TODO: r3 release [etch] - unrar-nonfree 1:3.5.4-1.1
NOTE: amavid-new automatically uses "rar -p-" or "unrar -p-",
NOTE: which probably turns this into remote code execution
NOTE: clamav can also call unrar -p-, but AFAICS not in default configuration
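Review bot: this is the one deferral in the commit that deserves a second look. The entry is rated "high", and the NOTE lines state that amavisd-new automatically uses "rar -p-" or "unrar -p-", "which probably turns this into remote code execution"; replacing the etch fix 1:3.5.4-1.1 with "<no-dsa> (Non-free not supported)" hides a probable remote code execution path in a mail filter from the unfixed list until r3. Either keep the etch version visible or add a NOTE explaining why waiting for the point release is acceptable here. Unrelated: the context line "NOTE: amavid-new automatically uses ..." misspells the package name; it should read amavisd-new.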
@@ -20420,8 +20429,8 @@
- wireshark 0.99.4-1 (bug #396258; medium)
CVE-2006-5467 (The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a ...)
{DSA-1235-1 DSA-1234-1}
- - ruby1.8 1.8.5-3 (medium; bug #398457)
- - ruby1.9 1.9.0+20070606-1 (medium)
+ - ruby1.8 1.8.5-3 (low; bug #398457)
+ - ruby1.9 1.9.0+20070606-1 (low)
NOTE: ruby1.9 not to be released with etch
NOTE: etch and testing affected
CVE-2006-5466 (Heap-based buffer overflow in the showQueryPackage function in librpm ...)
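Review bot: both ruby1.8 and ruby1.9 are downgraded from "medium" to "low" with no NOTE giving the reason, and the commit log does not mention ruby at all. Since the entry carries {DSA-1235-1 DSA-1234-1}, an advisory has already been issued for this issue and the downgrade changes nothing operationally, but a one-line justification, as was added for the rsync entry in this same commit, would make the intent clear.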