[Secure-testing-commits] r10040 - data/CVE
jmm-guest at alioth.debian.org
Wed Oct 8 15:41:38 UTC 2008
Author: jmm-guest
Date: 2008-10-08 15:41:36 +0000 (Wed, 08 Oct 2008)
New Revision: 10040
Modified:
data/CVE/list
Log:
one wireshark issue doesn't affect etch
cleanup some rejects
one mozilla is a hoax/dupe
one mozilla is a non-issue
one mozilla issue has been fixed some time ago
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-10-08 09:14:14 UTC (rev 10039)
+++ data/CVE/list 2008-10-08 15:41:36 UTC (rev 10040)
@@ -674,7 +674,6 @@
- debtorrent <unfixed> (bug #500180)
CVE-2008-4189
REJECTED
- NOT-FOR-US: Xerox
CVE-2008-4188 (Unspecified vulnerability in the TYPO3 Secure Directory (kw_secdir) ...)
NOT-FOR-US: kw_secdir extension for TYPO3
CVE-2008-4187 (Directory traversal vulnerability in index.php in ProActive CMS allows ...)
@@ -1337,6 +1336,7 @@
CVE-2008-3934 (Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 ...)
{DTSA-167-1}
- wireshark 1.0.3-1 (bug #497878)
+ [etch] - wireshark <not-affected> (Only >= 0.99.6)
CVE-2008-3933 (Wireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers ...)
{DTSA-167-1}
- wireshark 1.0.3-1 (low; bug #497878)
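Review bot: the justification in `[etch] - wireshark <not-affected> (Only >= 0.99.6)` only restates the version range from the CVE title, not the etch package version, so the claim cannot be checked from this line alone; consider adding the etch version to the parenthetical, e.g. `(Only >= 0.99.6; etch has <version>)` with the real version filled in. The neighbouring CVE-2008-3933 (`0.10.14 through 1.0.2`) gets no etch line in this hunk, so the tracker will derive etch's status there purely from the version comparison against 1.0.3-1; if etch's wireshark falls inside that range it needs its own etch annotation or a DSA.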
@@ -2559,7 +2559,6 @@
NOT-FOR-US: phpFreeChat
CVE-2008-3427
REJECTED
- NOT-FOR-US: Moebius for Mimsy XG
CVE-2008-3426 (Unspecified vulnerability in the Solaris Platform Information and ...)
NOT-FOR-US: Solaris
CVE-2008-3425 (Unspecified vulnerability in the Sun Java System Web Server 7.0 plugin ...)
@@ -4090,10 +4089,9 @@
CVE-2008-2828 (Stack-based buffer overflow in tmsnc allows remote attackers to cause ...)
- tmsnc 0.3.2-1.1 (low; bug #487222)
CVE-2008-2786 (Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack ...)
- - iceweasel <unfixed> (bug #488358)
- - iceape <unfixed> (bug #491162)
- - xulrunner <unfixed> (bug #491160)
- NOTE: Just hashes posted to full-disclosure, no specific information
+ NOT-FOR-US: Just hashes posted to full-disclosure, no specific information
+ NOTE: Unless more specific information pops up, this can be considered covered by
+ NOTE: CVE-2008-2785
CVE-2008-2785 (Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird ...)
{DSA-1621-1 DSA-1615-1 DSA-1614-1}
- iceweasel 3.0 (medium; bug #488358)
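Review bot: `NOT-FOR-US` is the wrong tag for CVE-2008-2786: the title names Firefox, which Debian ships as iceweasel, xulrunner and iceape, so this is not software outside the archive; the actual reason (only hashes posted, covered by CVE-2008-2785) is already carried by the two NOTE lines. Dropping the three package lines also drops the bug references #488358, #491162 and #491160 with no record of whether those reports were closed or retitled against CVE-2008-2785; #488358 is still reachable from the CVE-2008-2785 entry below, but the iceape and xulrunner bugs are not. Consider keeping a NOTE that points at those bugs so the cross-reference survives.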
@@ -4223,10 +4221,8 @@
NOTE: 3022d734a54cbd2b65eea9a024564821101b4a9a
CVE-2008-2728
REJECTED
- NOT-FOR-US: only Ruby 1.6 is affected
CVE-2008-2727
REJECTED
- NOT-FOR-US: only Ruby 1.6 is affected
CVE-2008-2726 (Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and ...)
{DSA-1618-1 DSA-1612-1}
- ruby1.9 1.9.0.2-1
@@ -10736,12 +10732,6 @@
NOTE: No longer occurs in KDE 4.0.3 according to upstream bug
CVE-2007-6590
REJECTED
- - iceape <unfixed> (low)
- [etch] - iceape <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
- - iceweasel <unfixed> (low)
- [etch] - iceweasel <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
- - xulrunner <unfixed> (low)
- [etch] - xulrunner <no-dsa> (Minor issue, new certificate manager in Firefox 3 et al will address this)
CVE-2007-6589 (The jar protocol handler in Mozilla Firefox before 2.0.0.10 and ...)
- iceape 1.1.7-1 (medium)
- iceweasel 2.0.0.10-1 (medium)
@@ -14747,7 +14737,6 @@
NOT-FOR-US: Typolight webCMS
CVE-2007-5317
REJECTED
- NOT-FOR-US: Directory Image Gallery
CVE-2007-5316 (SQL injection vulnerability in browsecats.php in Softbiz Jobs and ...)
NOT-FOR-US: Softbiz Jobs
CVE-2007-5315 (PHP remote file inclusion vulnerability in common.php in LiveAlbum ...)
@@ -16322,7 +16311,6 @@
NOT-FOR-US: Quantum Streaming
CVE-2007-4721
REJECTED
- NOT-FOR-US: Wireshark dupe, will be rejected
CVE-2007-4720 (Unspecified vulnerability in the Shared Trace Service in Hitachi ...)
NOT-FOR-US: Hitachi
CVE-2007-4719 (SQL injection vulnerability in read.php in 212cafeBoard 6.30 Beta ...)
@@ -16668,7 +16656,6 @@
NOT-FOR-US: Sophos
CVE-2007-4576
REJECTED
- NOTE: duplicate of CVE-2007-4575, will be rejected
CVE-2007-4575 (HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, ...)
{DSA-1419-1}
- openoffice.org 2.3.1~rc1-1 (medium; bug #454463)
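Review bot: the removed `NOTE: duplicate of CVE-2007-4575, will be rejected` is the only record in the file of which CVE this REJECTED id duplicates. Unlike the other REJECTED cleanups in this patch, the rationale here points at a tracked Debian issue (openoffice.org, DSA-1419-1), so a short `NOTE: duplicate of CVE-2007-4575` is worth keeping: anyone who meets the rejected id in an advisory or scanner output can then find the real entry.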
@@ -20328,6 +20315,7 @@
- iceape 1.0.9-1 (low)
- xulrunner 1.8.1.4-1 (low)
CVE-2007-3073 (Directory traversal vulnerability in Mozilla Firefox 2.0.0.4 and ...)
+ NOTE: Dupe
- iceweasel <unfixed> (low)
- iceape <unfixed> (low)
- xulrunner <unfixed> (low)
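Review bot: `NOTE: Dupe` does not say which CVE this duplicates, and the three `<unfixed>` lines below it are left in place, so the tracker will keep listing CVE-2007-3073 as an open low-severity issue in iceweasel, iceape and xulrunner. Either name the CVE it duplicates in the NOTE and resolve the package lines (as the CVE-2008-2786 hunk in this same patch does), or leave the entry unchanged until the duplicate is confirmed. This change is also not covered by the commit log, which lists only three mozilla items.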
@@ -25568,13 +25556,10 @@
CVE-2007-1005 (Heap-based buffer overflow in SW3eng.exe in the eID Engine service in ...)
NOT-FOR-US: eTrust Intrusion Detection
CVE-2007-1004 (Mozilla Firefox might allow remote attackers to conduct spoofing and ...)
- - iceweasel <unfixed> (low)
- [etch] - iceweasel <no-dsa> (Minor issue)
- - iceape <unfixed> (low)
- [etch] - iceape <no-dsa> (Minor issue)
- - xulrunner <unfixed> (low)
- [etch] - xulrunner <no-dsa> (Minor issue)
- NOTE: maintainer notes that this may affect browsers based on xulrunner
+ - iceweasel 2.0.0.4-1 (low)
+ - iceape 1.0.9-1 (low)
+ - xulrunner 1.8.0.4-1 (low)
+ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=370555
CVE-2007-1003 (Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList ...)
{DSA-1294-1}
- xorg-server 2:1.1.1-21 (medium)
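Review bot: the xulrunner fixed version `1.8.0.4-1` looks suspicious next to `1.8.1.4-1`, the xulrunner version recorded for the Mozilla entry just before CVE-2007-3073 in the previous hunk, while the iceape version `1.0.9-1` is the same in both places; please confirm this is not a typo for 1.8.1.4-1. Because the `[etch] - ... <no-dsa>` lines are dropped, etch's status is now derived only from comparing the etch packages against these three versions, so verify that etch's iceweasel, iceape and xulrunner are at or above them, otherwise etch will show as vulnerable. The removed `NOTE: maintainer notes that this may affect browsers based on xulrunner` is replaced by the bugzilla URL alone; a one-line summary of what bug 370555 says about the fix would make the entry readable without following the link.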
@@ -43107,15 +43092,13 @@
CVE-2006-0497 (Multiple SQL injection vulnerabilities in PHP GEN before 1.4 allow ...)
NOT-FOR-US: PHP GEN
CVE-2006-0496 (Cross-site scripting (XSS) vulnerability in Mozilla 1.7.12 and ...)
- - iceweasel <unfixed> (low; bug #349339)
- [etch] - iceweasel <no-dsa> (Minor design issue, affects only broken setups)
- - mozilla-firefox 1.5.dfsg+1.5.0.3-2 (low; bug #349339)
- [sarge] - mozilla-firefox <no-dsa> (Mozilla products from Sarge no longer supported)
- [sarge] - mozilla <no-dsa> (Mozilla products from Sarge no longer supported)
- - iceape <unfixed> (low)
- [etch] - iceape <no-dsa> (Minor design issue, affects only broken setups)
- - xulrunner <unfixed> (low)
- [etch] - xulrunner <no-dsa> (Minor design issue, affects only broken setups)
+ - iceweasel <unfixed> (unimportant; bug #349339)
+ - mozilla-firefox <unfixed> (unimportant; bug #349339)
+ - iceape <unfixed> (unimportant)
+ - xulrunner <unfixed> (unimportant)
+ NOTE: This is not a direct vulnerability, but rather the lack of protection
+ NOTE: for shooting into own's own foot, so we should treat it as a security
+ NOTE: enhancement bug and not as a vulnerability.
CVE-2006-0495 (Cross-site scripting (XSS) vulnerability in the Add Thread to ...)
NOT-FOR-US: MyBB (aka MyBulletinBoard)
CVE-2006-0494 (Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.02 ...)
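Review bot: the mozilla-firefox line goes from a recorded fix (`1.5.dfsg+1.5.0.3-2`) to `<unfixed>`, which discards earlier tracking information without explanation; if the intent is only to lower the severity to `unimportant`, keep the fixed version and change just the severity. Dropping the sarge and etch `<no-dsa>` lines is consistent with treating the issue as unimportant, since those annotations only matter for a real vulnerability. The new NOTE has a typo: `for shooting into own's own foot` should read `for shooting oneself in the foot` (or `one's own foot`).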