[Secure-testing-commits] r9331 - in data: . CVE
jmm-guest at alioth.debian.org
Tue Jul 15 09:54:18 UTC 2008
Author: jmm-guest
Date: 2008-07-15 09:54:17 +0000 (Tue, 15 Jul 2008)
New Revision: 9331
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
record several upstream fixes for the upcoming 2.6.26 upload
remove <unfixed> entries for [etch], since they're always implicitly unfixed
if the version number is lower than the entry for unstable
do not record 2.6.24 entries if the fixed version in unstable is lower than
2.6.24
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-07-15 08:59:57 UTC (rev 9330)
+++ data/CVE/list 2008-07-15 09:54:17 UTC (rev 9331)
@@ -652,9 +652,9 @@
NOTE: the fix sent to t-s and unstable does not seem possible in etch due to
NOTE: missing api features from the version of libc-client in etch.
CVE-2008-2826 (Integer overflow in the sctp_getsockopt_local_addrs_old function in ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 2.6.25-6
- linux-2.6.24 <unfixed>
- NOTE: 735ce972fbc8a65fb17788debd7bbe7b4383cc62
+ NOTE: 735ce972fbc8a65fb17788debd7bbe7b4383cc62, present in 2.6.25.9
CVE-2008-2825 (Cross-site scripting (XSS) vulnerability in the embedded Web Server in ...)
NOT-FOR-US: Xerox WorkCentre
CVE-2008-2824 (Unspecified vulnerability in the Extensible Interface Platform in Web ...)
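Review bot: the fixed version on the `+ - linux-2.6 2.6.25-6` line and the NOTE's `present in 2.6.25.9` name two different version streams (a Debian package revision and an upstream stable release), and nothing in the entry states that 2.6.25-6 actually carries commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62; extend the NOTE to say the fix was pulled into 2.6.25-6 so the entry can be checked against the package changelog. Keeping `- linux-2.6.24 <unfixed>` is consistent with the commit log's rule, since 2.6.25-6 is above 2.6.24.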
@@ -682,7 +682,7 @@
CVE-2008-2813 (Directory traversal vulnerability in index.php in WallCity-Server ...)
NOT-FOR-US: WallCity-Server
CVE-2008-2812 (The Linux kernel before 2.6.25.10 does not properly perform tty ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 2.6.26
- linux-2.6.24 <unfixed>
CVE-2008-2811 (The block reflow implementation in Mozilla Firefox before 2.0.0.15, ...)
{DSA-1607-1}
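Review bot: the `+ - linux-2.6 2.6.26` line records a version that the commit log describes as an upcoming upload, so until that upload lands the entry reads as fixed in unstable; it also lacks the upstream commit NOTE that the other kernel entries in this patch carry (compare the NOTE lines under CVE-2008-2826 and CVE-2008-2750). Add the commit id, and record the Debian package version once 2.6.26 is actually uploaded.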
@@ -862,8 +862,8 @@
CVE-2008-2751 (Multiple cross-site scripting (XSS) vulnerabilities in the Glassfish ...)
NOT-FOR-US: Sun Java System Application Server
CVE-2008-2750 (The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux ...)
- - linux-2.6 <unfixed>
- [etch] - linux-2.6 <not-affected>
+ - linux-2.6 2.6.26
+ [etch] - linux-2.6 <not-affected> (Vulnerable code was introduced in 2.6.23)
[etch] - linux-2.6.24 <unfixed>
NOTE: 6b6707a50c7598a83820077393f8823ab791abf8
CVE-2008-2749 (Unspecified vulnerability in cshttpd in Sun Java System Calendar ...)
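Review bot: the retained `[etch] - linux-2.6.24 <unfixed>` line carries an [etch] tag where the other entries in this patch list linux-2.6.24 without one (see CVE-2008-2826, CVE-2008-2812 and CVE-2008-2372); linux-2.6.24 is tracked as its own source package, so drop the tag here for consistency or add it to the others. The added rationale `(Vulnerable code was introduced in 2.6.23)` is an improvement over the bare `<not-affected>` it replaces.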
@@ -908,8 +908,6 @@
NOT-FOR-US: cisco
CVE-2008-2729 (arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on some ...)
- linux-2.6 2.6.19-1
- [etch] - linux-2.6 <unfixed>
- [etch] - linux-2.6.24 <not-affected> (Fixed before initial release, upstream in 2.6.19)
NOTE: 3022d734a54cbd2b65eea9a024564821101b4a9a
CVE-2008-2728
RESERVED
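Review bot: deleting `[etch] - linux-2.6.24 <not-affected> (Fixed before initial release, upstream in 2.6.19)` follows the commit log's rule (the unstable fix 2.6.19-1 is below 2.6.24), but it also removes the only place that records the upstream fix release; keep that fact by folding it into the remaining NOTE, e.g. `NOTE: 3022d734a54cbd2b65eea9a024564821101b4a9a, upstream in 2.6.19`. Dropping `[etch] - linux-2.6 <unfixed>` is fine, since the deleted line itself implied etch ships something older than 2.6.19-1, which the log says the tracker treats as implicitly unfixed.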
@@ -980,6 +978,7 @@
NOT-FOR-US: Flux CMS
CVE-2008-XXXX [insecure tempfile in wdiff]
- wdiff 0.5-18 (low; bug #425254)
+ [etch] - wdiff <no-dsa> (Minor issue)
CVE-2008-2719 (Off-by-one error in the ppscan function (preproc.c) in Netwide ...)
- nasm 2.03.01-1 (low; bug #486715)
[etch] - nasm <not-affected> (vulnerable code not present)
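Review bot: the new `[etch] - wdiff <no-dsa> (Minor issue)` line gives no hint that the issue is being routed through a stable point update, which this same commit records in data/spu-candidates.txt; say so in the parenthetical (for example `(Minor issue, fix via point update)`) so a reader of the CVE list alone knows etch is not being left unfixed. The `CVE-2008-XXXX` placeholder still needs a real identifier once one is assigned.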
@@ -1667,9 +1666,10 @@
CVE-2008-2373
RESERVED
CVE-2008-2372 (The Linux kernel 2.6.24 and 2.6.25 before 2.6.25.9 allows local users ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 2.6.26
[etch] - linux-2.6 <not-affected> (Introduced between 2.6.23 and 2.6.24)
- linux-2.6.24 <unfixed>
+ NOTE: IMO this is a lack of optimisation, not a security issue? - jmm
NOTE: 89f5b7da2a6bad2e84670422ab8192382a5aeb9f
CVE-2008-2371 (Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible ...)
{DSA-1602-1 DTSA-145-1}
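Review bot: the new NOTE `IMO this is a lack of optimisation, not a security issue? - jmm` questions whether this is a vulnerability at all, yet the same hunk records a fix version of 2.6.26 for unstable and leaves `- linux-2.6.24 <unfixed>`, which is the state of an accepted issue; either resolve the question and record the outcome in the NOTE, or mark the entry as disputed instead of carrying both a fix and an open doubt. As with CVE-2008-2812, `2.6.26` is recorded ahead of the upload described in the commit log.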
@@ -1685,9 +1685,7 @@
CVE-2008-2366 (Untrusted search path vulnerability in a certain Red Hat build script ...)
- openoffice.org <not-affected> (RedHat-specific packaging flaw)
CVE-2008-2365 (Race condition in the ptrace and utrace support in the Linux kernel ...)
- - linux-2.6 <not-affected>
- [etch] - linux-2.6 <not-affected> (fixed before 2.6.18)
- [etch] - linux-2.6.24 <not-affected>
+ - linux-2.6 2.6.17
NOTE: 5ecfbae093f0c37311e89b29bfc0c9d586eace87 f5b40e363ad6041a96e3da32281d8faa191597b9
NOTE: f358166a9405e4f1d8e50d8f415c26d95505b6de
CVE-2008-2364 (The ap_proxy_http_process_response function in mod_proxy_http.c in the ...)
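Review bot: the replacement `+ - linux-2.6 2.6.17` records a bare upstream version where the rest of this patch uses Debian package versions (`2.6.19-1`, `2.6.25-6`), and the deleted line said `fixed before 2.6.18` without naming 2.6.17; if 2.6.17 is the upstream release that first carried the three commits listed in the NOTE lines, state that in the NOTE and record the first Debian linux-2.6 version that shipped it, so the version comparison is made against a package version rather than an upstream release string.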
@@ -5795,6 +5793,7 @@
[etch] - php4 <not-affected> (Vulnerable code not yet present)
CVE-2008-0598 (Unspecified vulnerability in the 32-bit and 64-bit emulation in the ...)
- linux-2.6 <unfixed> (bug #490910)
+ - linux-2.6.24 <unfixed>
CVE-2008-0597 (Use-after-free vulnerability in CUPS before 1.1.22, and possibly other ...)
- cups 1.2
- cupsys 1.2
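Review bot: the added `- linux-2.6.24 <unfixed>` line omits the `(bug #490910)` reference that the linux-2.6 line above it carries; if the same Debian bug tracks both source packages, repeat it here so the 2.6.24 entry can be followed up, and add an upstream commit NOTE once the fix is identified, as the other kernel entries in this patch do.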
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2008-07-15 08:59:57 UTC (rev 9330)
+++ data/spu-candidates.txt 2008-07-15 09:54:17 UTC (rev 9331)
@@ -214,6 +214,11 @@
--
+wdiff [insecure tempfile in wdiff]
+bug #425254
+
+--
+
wyrd (CVE-2008-0806)
bug #466382
notified maintainer
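Review bot: the new wdiff block lists only the bug number, while the neighbouring wyrd entry also records `notified maintainer`; add the contact status (or that it is still pending) so the candidate list shows what remains to be done. Also name the CVE in the heading once `CVE-2008-XXXX` in data/CVE/list receives an identifier, as the wyrd entry does with `(CVE-2008-0806)`.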