[Secure-testing-commits] r8055 - in data: . CVE
jmm-guest at alioth.debian.org
Tue Jan 29 20:57:32 UTC 2008
Author: jmm-guest
Date: 2008-01-29 20:57:31 +0000 (Tue, 29 Jan 2008)
New Revision: 8055
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
one kernel issue doesn't affect etch
denyhosts fixed in stable update
php5 ini issue no-dsa due to regressions
one php issue unimportant
ruby1.9 no-dsa
streamripper no-dsa
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-01-29 18:22:08 UTC (rev 8054)
+++ data/CVE/list 2008-01-29 20:57:31 UTC (rev 8055)
@@ -1441,6 +1441,7 @@
NOT-FOR-US: Novell GroupWise
CVE-2007-6434 (Linux kernel 2.6.23 allows local users to create low pages in virtual ...)
- linux-2.6 2.6.23-2
+ [etch] - linux-2.6 <not-affected> (Only Linux 2.6.23 and above affected)
CVE-2007-6433 (The getRenderedEjbql method in the org.jboss.seam.framework.Query ...)
- jbosseam <itp> (bug #451956)
CVE-2007-6432
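Review bot: the new `[etch] - linux-2.6 <not-affected>` line justifies itself only by the upstream range ("Only Linux 2.6.23 and above affected") and nowhere records which kernel version etch actually ships, so the claim cannot be checked from the entry itself. Add a NOTE with the etch linux-2.6 version next to the not-affected marker, so a later reader does not have to re-derive why 2.6.23-2 in unstable is the first fixed version while etch needs nothing.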
@@ -3391,7 +3392,8 @@
CVE-2007-5716 (Unspecified vulnerability in the Internet Protocol (IP) functionality ...)
NOT-FOR-US: Sun Solaris 10
CVE-2007-5715 (DenyHosts 2.6 processes OpenSSH sshd "not listed in AllowUsers" log ...)
- - denyhosts 2.6-2
+ - denyhosts 2.6-2 (low)
+ [etch] - denyhosts <no-dsa> (Minor issue)
NOTE: bug was fixed with 06_permit_rootlogin_no.dpatch
CVE-2007-5714 (The Gentoo ebuild of MLDonkey before 2.9.0-r3 has a p2p user account ...)
- mldonkey <not-affected> (Gentoo-specific packaging flaw)
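Review bot: the `[etch] - denyhosts <no-dsa> (Minor issue)` line sits directly above a NOTE saying the bug was fixed with 06_permit_rootlogin_no.dpatch, and the same commit records an etch upload `denyhosts 2.6-1etch1` for CVE-2007-4323. If that dpatch went into 2.6-1etch1, this entry should record the fixed etch version rather than no-dsa; if it did not, say so in the NOTE, otherwise the two denyhosts entries contradict each other.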
@@ -6695,8 +6697,8 @@
NOTE: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.61&r2=1.445.2.14.2.62&pathrev=PHP_5_2
CVE-2007-4659 (The zend_alter_ini_entry function in PHP before 5.2.4 does not ...)
{DTSA-61-1}
- - php5 5.2.4-1
- NOTE: Previous DSA fix has been revoked for now
+ - php5 5.2.4-1 (low)
+ [etch] - php5 <no-dsa> (Backport prone to regressions, causes more problems that it does resolved, minor issue anyway)
CVE-2007-4658 (The money_format function in PHP 5 before 5.2.4, and PHP 4 before ...)
{DSA-1444-1 DTSA-61-1}
- php5 5.2.4-1 (low)
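Review bot: dropping the NOTE "Previous DSA fix has been revoked for now" loses the only record of why an issue that still carries `{DTSA-61-1}` ends up as no-dsa in etch; keep that history as a NOTE under the new `[etch] - php5 <no-dsa>` line. The justification text also needs a grammar fix: "causes more problems that it does resolved" should read "causes more problems than it resolves".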
@@ -6705,10 +6707,11 @@
NOTE: limited format string vulnerability, the will be put into strfmon and the format string chars are limited to i,n and %
CVE-2007-4657 (Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before ...)
{DSA-1444-1 DTSA-61-1}
- - php5 5.2.4-1
- - php4 <removed>
+ - php5 5.2.4-1 (unimportant)
+ - php4 <removed> (unimportant)
NOTE: fixed in php4/etch, php5/etch, php4/sarge svn
NOTE: http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.640&r2=1.641
+ NOTE: Only exploitable by malicious script
CVE-2007-4656 (backup-manager-upload in Backup Manager before 0.6.3 provides the FTP ...)
- backup-manager 0.7.6-3 (bug #439392)
CVE-2007-4655 (Multiple directory traversal vulnerabilities in CGI RESCUE Shopping ...)
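Review bot: the entry is downgraded to `unimportant` for both php5 and the removed php4 while still tagged `{DSA-1444-1 DTSA-61-1}` and noted as fixed in php4/etch and php5/etch svn; the added NOTE "Only exploitable by malicious script" states the trigger but not why that puts it out of scope. Spell out the reasoning (PHP script-level restrictions are not treated as a security boundary), in the same form as the open_basedir NOTE added for CVE-2007-4652 in this commit, so the severity change and the already-issued advisories do not read as a contradiction.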
@@ -6719,6 +6722,7 @@
NOT-FOR-US: Cisco Content Services Switch
CVE-2007-4652 (The session extension in PHP before 5.2.4 might allow local users to ...)
- php5 5.2.4-1 (unimportant)
+ NOTE: open_basedir() not supported
CVE-2007-4651 (Unspecified vulnerability in Adobe Connect Enterprise Server 6 allows ...)
NOT-FOR-US: Adobe Connect Enterprise Server
CVE-2007-4650 (Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow ...)
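Review bot: the added NOTE "open_basedir() not supported" refers to an ini directive, not a function, and on its own it does not say what "not supported" means for the `unimportant` rating on the line above. Suggest "NOTE: open_basedir is not supported as a security boundary" so the reason the local-user issue from the CVE description is rated unimportant is explicit.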
@@ -7481,6 +7485,7 @@
NOT-FOR-US: Family Connections
CVE-2007-4337 (Multiple buffer overflows in the httplib_parse_sc_header function in ...)
- streamripper 1.62.2-1 (low)
+ [etch] - streamripper <no-dsa> (Minor issue)
CVE-2007-4336 (Buffer overflow in the Live Picture Corporation ...)
NOT-FOR-US: Microsoft
CVE-2007-4335 (Format string vulnerability in the SMTP server component in Qbik ...)
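Review bot: "Minor issue" is a thin justification for `[etch] - streamripper <no-dsa>` given that the CVE description is multiple buffer overflows in httplib_parse_sc_header, i.e. in parsing a header received from the network. Record why it is considered minor (for example that the user must connect to a hostile stream server) in the parenthesis or a NOTE, especially since streamripper is simultaneously proposed in spu-candidates.txt for a stable point update.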
@@ -7511,6 +7516,7 @@
[sarge] - flashplugin-nonfree <no-dsa> (Non-free not supported)
CVE-2007-4323 (DenyHosts 2.6 does not properly parse sshd log files, which allows ...)
- denyhosts 2.6-2.1 (bug #438162; medium)
+ [etch] - denyhosts 2.6-1etch1
CVE-2007-4322 (BlockHosts before 2.0.4 does not properly parse (1) sshd and (2) ...)
NOT-FOR-US: BlockHosts
CVE-2007-4321 (fail2ban 0.8 and earlier does not properly parse sshd log files, which ...)
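Review bot: the new `[etch] - denyhosts 2.6-1etch1` line records a fixed etch version but, unlike the other fixed-in-stable entries in this file, adds no `{DSA-...}` tag, and the commit log explains this only as "fixed in stable update". Add a NOTE stating that 2.6-1etch1 went out via the stable point update without a DSA, so the missing advisory tag is understood as intentional rather than as an omission.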
@@ -8405,9 +8411,9 @@
CVE-2007-3920 (GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not ...)
{DTSA-75-1}
[etch] - gnome-screensaver <not-affected> (Affected Compiz not present in Etch version)
+ [etch] - xorg-server <not-affected> (Affected Compiz not present in Etch version)
- gnome-screensaver 2.20.0-1.1
- xorg-server 2:1.4.1~git20080118-1 (bug #449108; medium)
- [etch] - compiz <not-affected> (Affected Compiz not present in Etch version)
CVE-2007-3919 ((1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local ...)
{DSA-1395-1}
- xen-unstable <unfixed> (low)
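Review bot: the added `[etch] - xorg-server <not-affected>` line reuses the gnome-screensaver justification "Affected Compiz not present in Etch version" verbatim, which does not explain why the xorg-server source package itself is unaffected in etch. Give xorg-server its own reason (what the etch xorg-server lacks relative to 2:1.4.1~git20080118-1), and since the entry lists no unstable `- compiz` line, removing the stale `[etch] - compiz` line is consistent and needs no further change.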
@@ -21586,8 +21592,7 @@
{DSA-1235-1 DSA-1234-1}
- ruby1.8 1.8.5-3 (low; bug #398457)
- ruby1.9 1.9.0+20070606-1 (low)
- NOTE: ruby1.9 not to be released with etch
- NOTE: etch and testing affected
+ [etch] - ruby1.9 <no-dsa> (Minor issue)
CVE-2006-5466 (Heap-based buffer overflow in the showQueryPackage function in librpm ...)
- rpm 4.4.1-11 (low; bug #397076)
[sarge] - rpm <no-dsa> (You need to trust the RPMs you're installing)
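Review bot: the removed NOTE said "ruby1.9 not to be released with etch", yet the replacement line `[etch] - ruby1.9 <no-dsa> (Minor issue)` asserts that ruby1.9 is in etch and merely will not get an advisory; both cannot be true. If ruby1.9 is absent from etch, drop the etch line or mark it `<not-affected>` with that reason; if it is present, keep no-dsa but restore the "etch and testing affected" note so the status history is not lost.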
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2008-01-29 18:22:08 UTC (rev 8054)
+++ data/spu-candidates.txt 2008-01-29 20:57:31 UTC (rev 8055)
@@ -101,6 +101,10 @@
--
+streamripper (CVE-2007-4337)
+
+--
+
sylpheed (CVE-2007-2958)
#441854
http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153 fixes the bug
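Review bot: the new streamripper candidate carries only the CVE id, whereas the neighbouring sylpheed entry records the bug number and a link to the fixing patchset. Add the Debian bug reference and the upstream fix or commit for CVE-2007-4337 to the streamripper block before it is proposed for the point release, so the release team can verify what is being backported.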