[Secure-testing-commits] r9135 - in data: . CVE DSA

jmm-guest at alioth.debian.org jmm-guest at alioth.debian.org
Tue Jun 24 20:54:09 UTC 2008


Author: jmm-guest
Date: 2008-06-24 20:54:08 +0000 (Tue, 24 Jun 2008)
New Revision: 9135

Modified:
   data/CVE/list
   data/DSA/list
   data/embedded-code-copies
   data/spu-candidates.txt
Log:
updates on embedded code copies
bugzilla no-dsa
add missing CVE ID to libimager-perl DSA
fix two incorrect ruby entries
remove some NOTEs present in the respective CVE entries
new kernel issue, mark unfixed for now until it's been figured
  out when this was fixed upstream
resolve old gpg TODO
NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2008-06-24 18:59:46 UTC (rev 9134)
+++ data/CVE/list	2008-06-24 20:54:08 UTC (rev 9135)
@@ -128,14 +128,10 @@
 	RESERVED
 CVE-2008-2729
 	RESERVED
-CVE-2008-2728 [Integer overflow in rb_ary_replace()]
+CVE-2008-2728
 	RESERVED
-	- ruby1.9 1.9.0.2-1
-	- ruby1.8 1.8.7.22-1
-CVE-2008-2727 [integer overflow in rb_ary_replace()]
+CVE-2008-2727
 	RESERVED
-	- ruby1.9 1.9.0.2-1
-	- ruby1.8 1.8.7.22-1
 CVE-2008-2726 [integer overflow in rb_ary_splice()]
 	RESERVED
 	- ruby1.9 1.9.0.2-1
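Review bot: CVE-2008-2728 and CVE-2008-2727 are reduced to bare RESERVED entries with nothing recording why the rb_ary_replace() descriptions and the ruby1.8/ruby1.9 fixed versions were dropped, while the neighbouring CVE-2008-2726 keeps the same pair of versions. A one-line NOTE on each (for example that the earlier mapping to the ruby advisory was wrong) would stop the next triager from re-adding the same two lines from the same source.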
@@ -147,27 +143,27 @@
 CVE-2008-2718 (Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3 ...)
 	TODO: check
 CVE-2008-2716 (Unspecified vulnerability in Opera before 9.5 allows remote attackers ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2008-2715 (Unspecified vulnerability in Opera before 9.5 allows remote attackers ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2008-2714 (Opera before 9.26 allows remote attackers to misrepresent web page ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2008-2710 (Integer signedness error in the ip_set_srcfilter function in the IP ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2008-2709 (Buffer overflow in the BrSmRcvAndCheck function in the RCHMGR module ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2008-2708 (Unspecified vulnerability in the Sun (1) UltraSPARC T2 and (2) ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2008-2707 (Unspecified vulnerability in the e1000g driver in Sun Solaris 10 and ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2008-2706 (Unspecified vulnerability in the event port implementation in Sun ...)
 	TODO: check
 CVE-2008-2705 (Unspecified vulnerability in Sun Java System Access Manager (AM) 7.1, ...)
 	TODO: check
 CVE-2008-2704 (Novell GroupWise Messenger (GWIM) before 2.0.3 Hot Patch 1 allows ...)
-	TODO: check
+	NOT-FOR-US: Novell GroupWise
 CVE-2008-2703 (Multiple stack-based buffer overflows in Novell GroupWise Messenger ...)
-	TODO: check
+	NOT-FOR-US: Novell GroupWise
 CVE-2008-2702 (Directory traversal vulnerability in the FTP client in ALTools ESTsoft ...)
 	TODO: check
 CVE-2008-2701 (SQL injection vulnerability in the GameQ (com_gameq) component 4.0 and ...)
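Review bot: CVE-2008-2706 ("event port implementation in Sun ...") is left at TODO: check while the surrounding Sun entries CVE-2008-2710 through CVE-2008-2707 are all resolved to NOT-FOR-US: Solaris in this hunk. If it is also a Solaris-only issue it should be marked in the same pass; if it was deliberately left open, a short NOTE saying why would avoid it being mistaken for an omission.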
@@ -205,12 +201,10 @@
 CVE-2008-2719 (Off-by-one error in the ppscan function (preproc.c) in Netwide ...)
 	- nasm 2.03.01-1 (low; bug #486715)
 	[etch] - nasm <not-affected> (vulnerable code not present)
-	NOTE: http://www.openwall.com/lists/oss-security/2008/06/11/4
 CVE-2008-2712 (Vim 7.1.314, 6.4, and other versions allows user-assisted remote ...)
 	- vim 1:7.1.314-3 (medium; bug #486502)
 	NOTE: a bunch of these are probably low but because of the filetype.vim issue
 	NOTE: I set this to medium
-	NOTE: http://www.rdancer.org/vulnerablevim.html
 CVE-2008-2696 (Exiv2 0.16 allows user-assisted remote attackers to cause a denial of ...)
 	- exiv2 0.17-1 (low; bug #486328)
 	NOTE: http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499
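Review bot: dropping the rdancer.org reference from CVE-2008-2712 leaves the two remaining NOTE lines ("a bunch of these are probably low but because of the filetype.vim issue / I set this to medium") pointing at "the filetype.vim issue" with no URL to check the severity reasoning against. Keeping that one reference, or adding a short NOTE that the details are in the CVE entry's own references, would preserve the justification for the medium rating.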
@@ -1485,6 +1479,7 @@
 	- bugzilla <not-affected> (regression introduced in 3.1.3 referring to upstream)
 CVE-2008-2103 (Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later ...)
 	- bugzilla 3.0.4-1 (low; bug #480190)
+	[etch] - bugzilla <no-dsa> (Minor issue)
 CVE-2008-2102
 	RESERVED
 CVE-2008-2101
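Review bot: the new "[etch] - bugzilla <no-dsa> (Minor issue)" line says only "Minor issue", but the same CVE is queued in data/spu-candidates.txt in this commit, so the intent is a fix through a stable point update rather than no fix at all. Spelling that out in the parenthesised reason (for example "Minor issue, fix via point update") would make the etch status self-explanatory.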
@@ -1576,7 +1571,7 @@
 CVE-2008-2061
 	RESERVED
 CVE-2008-2060 (Unspecified vulnerability in Cisco Intrusion Prevention System (IPS) ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2008-2059 (Cisco Adaptive Security Appliance (ASA) and Cisco PIX security ...)
 	NOT-FOR-US: Cisco
 CVE-2008-2058 (Cisco Adaptive Security Appliance (ASA) and Cisco PIX security ...)
@@ -2810,7 +2805,8 @@
 	NOTE: I hence consider it a security enhancement/feature, not a vulnerability.
 CVE-2008-1530 (GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial ...)
 	- gnupg <not-affected> (Only 1.4.8 is affected)
-	TODO: Verify that the next maintainer upload uses 1.4.9 directly
+	NOTE: The next upload was 1.4.9-1, so no vulnerable version was ever in the
+	NOTE: archive
 	[etch] - gnupg <not-affected> (Only 1.4.8 is affected)
 	[sarge] - gnupg <not-affected> (Only 1.4.8 is affected)
 	- gnupg2 2.0.9-1 (bug #472928)
@@ -2851,7 +2847,7 @@
 	[sarge] - otrs <not-affected> (Vulnerable code not present)
 	NOTE: http://packages.qa.debian.org/o/otrs2/news/20080320T211729Z.html
 CVE-2008-1514 (ptrace in Linux kernel 2.6.9 on Fedora 7 and 8 allows local users to ...)
-	TODO: check
+	- linux-2.6 <unfixed>
 	NOTE: s390 specific issue, counterpart for x86 not reproducible with 2.6.24 here
 CVE-2008-1513 (SQL injection vulnerability in index.php in Danneo CMS 0.5.1 and ...)
 	NOT-FOR-US: Danneo CMS
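Review bot: the new "- linux-2.6 <unfixed>" line for CVE-2008-1514 carries no severity, no bug reference and no [etch] line, and the commit log's reason for the placeholder ("until it's been figured out when this was fixed upstream") is not recorded in the entry itself. Adding a NOTE along those lines would keep the open question visible next to the existing s390 note instead of leaving an apparently confirmed unfixed kernel issue.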
@@ -4269,7 +4265,7 @@
 CVE-2008-0926 (The SOAP interface to the eMBox module in Novell eDirectory 8.7.3.9 ...)
 	NOT-FOR-US: Novell eDirectory
 CVE-2008-0925 (Cross-site scripting (XSS) vulnerability in the iMonitor interface in ...)
-	TODO: check
+	NOT-FOR-US: Novell eDirectory
 CVE-2008-0924 (Stack-based buffer overflow in the DoLBURPRequest function in libnldap ...)
 	NOT-FOR-US: Novell eDirectory
 CVE-2008-0923 (Directory traversal vulnerability in the Shared Folders feature for ...)

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2008-06-24 18:59:46 UTC (rev 9134)
+++ data/DSA/list	2008-06-24 20:54:08 UTC (rev 9135)
@@ -360,7 +360,7 @@
 	[sarge] - pcre3 4.5+7.4-2
 	[etch] - pcre3 6.7+7.4-3
 [19 Feb 2008] DSA-1498-1 libimager-perl - buffer overflow
-	{CVE-2007-2459}
+	{CVE-2007-2459 CVE-2007-2413}
 	[etch] - libimager-perl 0.50-1etch1
 [16 Feb 2008] DSA-1497-1 clamav - several vulnerabilities
 	{CVE-2007-6595 CVE-2008-0318}
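Review bot: CVE-2007-2413 is added to DSA-1498-1 here, but this commit touches no CVE-2007-2413 entry in data/CVE/list. Check that the CVE entry already carries the matching "[etch] - libimager-perl 0.50-1etch1" line, otherwise the DSA list and the CVE list will disagree about the fixed version.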

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2008-06-24 18:59:46 UTC (rev 9134)
+++ data/embedded-code-copies	2008-06-24 20:54:08 UTC (rev 9135)
@@ -200,10 +200,10 @@
 	- kchmviewer <unknown> (embed)
 
 libavcodec/libavformat (source: ffmpeg)
-	- mplayer <unfixed> (embed; bug #395252)
+	- mplayer 1.0~rc2-14 (embed; bug #395252)
 	- xvidcap <unfixed> (embed)
 	- kino <unfixed> (static)
-	- vlc <unfixed> (static)
+	- vlc <not-affected> (Links dynamically since initial release)
 	- smilutils <unfixed> (static)
 	- motion <unfixed> (static)
 	- gst-ffmpeg <unfixed> (embed)
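Review bot: the vlc line replaces the "(static)" type marker with free text, "(Links dynamically since initial release)", while every other entry in the block keeps an (embed) or (static) marker before any further detail. If vlc links dynamically against the system libavcodec it is not an embedded copy at all, so either drop the line or keep the marker form, e.g. "(static; links dynamically since initial release)", so tooling that reads the type still parses it.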

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2008-06-24 18:59:46 UTC (rev 9134)
+++ data/spu-candidates.txt	2008-06-24 20:54:08 UTC (rev 9135)
@@ -33,6 +33,11 @@
 
 --
 
+bugzilla (CVE-2008-2103)
+#480190)
+
+--
+
 bzip2 (CVE-2008-1372)
 #471670
 Maintainer has been notified
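Review bot: the added bug reference line reads "#480190)" with a stray closing parenthesis; the bzip2 entry below shows the expected form, a bare "#471670" on its own line. Drop the ")" so the entry matches the rest of the file.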
