[Secure-testing-commits] r9995 - in data: . CVE

jmm-guest at alioth.debian.org jmm-guest at alioth.debian.org
Sat Oct 4 21:04:01 UTC 2008


Author: jmm-guest
Date: 2008-10-04 21:03:59 +0000 (Sat, 04 Oct 2008)
New Revision: 9995

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
more no-dsa
sql-ledger not fully supported in Etch/Lenny


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2008-10-04 20:51:05 UTC (rev 9994)
+++ data/CVE/list	2008-10-04 21:03:59 UTC (rev 9995)
@@ -295,6 +295,7 @@
 CVE-2008-4297 (Mercurial before 1.0.2 does not enforce the allowpull permission ...)
 	- mercurial 1.0.1-5.1 (low; bug #500781)
 	NOTE: the package doesnt install this script by default but ships it with the examples
+        [etch] - mercurial <no-dsa> (Only shipped in examples)
 CVE-2008-4296 (The Cisco Linksys WRT350N with firmware 1.0.3.7 has &quot;admin&quot; as its ...)
 	NOT-FOR-US: Cisco Linksys WRT350N
 CVE-2008-4295 (Microsoft Windows Mobile 6.0 on HTC Wiza 200 and HTC MDA 8125 devices ...)
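Review bot: the added "[etch] - mercurial <no-dsa>" line is indented with eight spaces, while the surrounding entry lines ("- mercurial 1.0.1-5.1 ..." and the NOTE) are indented with a tab. Use a tab so the entry matches its neighbours and any tooling that keys on leading whitespace treats it as part of the CVE-2008-4297 record. The other added "[etch]" and "NOTE:" lines in this file have the same problem.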
@@ -773,9 +774,12 @@
 CVE-2008-4079 (Cross-site scripting (XSS) vulnerability in Movable Type (MT) 4.x ...)
 	- movabletype-opensource 4.2~rc5-1 (low; bug #499252)
 CVE-2008-4078 (SQL injection vulnerability in the AR/AP transaction report in (1) ...)
-	- sql-ledger <unfixed>
+	- sql-ledger <unfixed> (unimportant)
+        NOTE: Only supported behind an authenticated HTTP zone
+        TODO: File bug
 CVE-2008-4077 (The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) ...)
-	- sql-ledger <unfixed>
+	- sql-ledger <unfixed> (unimportant)
+        NOTE: Only supported behind an authenticated HTTP zone
 CVE-2008-4076 (Cross-site scripting (XSS) vulnerability in (1) Tor World Tor Board ...)
 	NOT-FOR-US: Tor World Software
 CVE-2008-4075 (Directory traversal vulnerability in index.php in D-iscussion Board ...)
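Review bot: "TODO: File bug" is added under CVE-2008-4078 only, but the sql-ledger line under CVE-2008-4077 is likewise "<unfixed>" with no bug reference. Either add the TODO there as well or say that one bug is meant to cover both. The NOTE justifies "(unimportant)" by deployment behind an authenticated HTTP zone, while the log message gives the reason as sql-ledger not being fully supported in Etch/Lenny. Put the support statement in the NOTE too, so the rating is explained in the file itself.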
@@ -1557,6 +1561,7 @@
 	[etch] - lmbench <no-dsa> (Non-free not supported)
 CVE-2008-XXXX [newsgate: insecure temp files]
 	- newsgate <removed> (low; bug #496437)
+        [etch] - newsgate <no-dsa> (Non-free not supported)
 CVE-2008-XXXX [myspell: insecure temp files]
 	- myspell 1:3.0+pre3.1-21 (low; bug #496392)
 	[etch] - myspell <no-dsa> (Minor issue)
@@ -1568,7 +1573,8 @@
 	- samba 2:3.2.3-1 (bug #496073; medium)
 	[etch] - samba <not-affected> (Only affects Samba 3.2.x)
 CVE-2008-XXXX [insecure temp file in nvi]
-	- nvi 1.81.6-4 (low)
+	- nvi 1.81.6-4 (low; bug #496462)
+        [etch] - nvi <no-dsa> (Minor issue, only exploitable in postinst)
 CVE-2008-XXXX [rkhunter: insecure temp file]
 	- rkhunter 1.3.2-6 (low; bug #496375)
 	[etch] - rkhunter <no-dsa> (Minor issue, only in debug mode)
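Review bot: the nvi line changes from "(low)" to "(low; bug #496462)" in the same commit that adds the no-dsa entry, but the log message only says "more no-dsa". Mention the added bug reference in the log so the change can be found later. The reason "only exploitable in postinst" would also be clearer if it said which step creates the temp file, since the one-line title above it gives no detail.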

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2008-10-04 20:51:05 UTC (rev 9994)
+++ data/spu-candidates.txt	2008-10-04 21:03:59 UTC (rev 9995)
@@ -244,6 +244,11 @@
 
 --
 
+mercurial (CVE-2008-4297)
+#500781
+
+--
+
 mgetty
 #496403
 notified maintainer
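Review bot: the new mercurial entry carries only the bug number, whereas the neighbouring mgetty entry (and paramiko further down) also has a "notified maintainer" status line. If the maintainer has not been contacted yet, record that explicitly, or add the status line once the notification is sent, so the list shows which candidates still need action.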
@@ -284,6 +289,11 @@
 
 --
 
+nvi
+#496462
+
+--
+
 paramiko (CVE-2008-0299)
 #460706
 notified maintainer



