[Secure-testing-commits] r10053 - data/CVE
jmm-guest at alioth.debian.org
Fri Oct 10 22:08:44 UTC 2008
Author: jmm-guest
Date: 2008-10-10 22:08:43 +0000 (Fri, 10 Oct 2008)
New Revision: 10053
Modified:
data/CVE/list
Log:
Lenny triage:
- mark libnet-dns-perl/CVE-2008-1447 as fixed for Lenny
- one webcalendar issue doesn't affect Lenny
- mark some browser non-issues as such
- one firefox issue fixed in the past already
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-10-10 21:14:12 UTC (rev 10052)
+++ data/CVE/list 2008-10-10 22:08:43 UTC (rev 10053)
@@ -7266,7 +7266,12 @@
- adns 1.4-2 (unimportant; bug #492698)
NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian
- udns <unfixed> (bug #493599)
- - libnet-dns-perl <unfixed> (low; bug #492700)
+ - libnet-dns-perl 0.63-2 (low; bug #492700)
+ NOTE: Source port randomization from Lenny kernel should provide sufficient protection
+ NOTE: since this is just a Perl nodule for DNS queries and not a high-profile server app like
+ NOTE: Bind, it's unlikely that a home-grown fix will provide an implementation of higher
+ NOTE: cryptographical quality. Marking the version from Lenny as fixed, since Lenny includes
+ NOTE: a kernel which provides source port randomization
- ruby1.9 1.9.0.2-6 (low)
NOTE: Unbound, djbdns, pdnsd and PowerDNS are affected by the underlying protocol issue, but
NOTE: already use source port randomization.
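Review bot: the new `libnet-dns-perl 0.63-2` line records a fixed version while the NOTE lines say the protection comes from the Lenny kernel's source port randomization, not from a change in the package, so a reader scanning the version column will assume 0.63-2 contains a code fix it does not; consider stating in the first NOTE line that the package itself is unchanged and the entry relies on the kernel mitigation. Also "Perl nodule" should read "Perl module".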
@@ -9494,6 +9499,7 @@
- openldap2 <not-affected> (slapd not built)
CVE-2007-6696 (Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar ...)
- webcalendar 1.1.6-7 (bug #466935)
+ [lenny] - webcalendar <not-affected> (See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466935#37)
CVE-2007-6695 (Cross-site scripting (XSS) vulnerability in index.php in Drake CMS ...)
NOT-FOR-US: Drake CMS
CVE-2008-0664 (The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, ...)
@@ -20246,9 +20252,9 @@
CVE-2007-3146 (Zen Help Desk 2.1 stores sensitive information under the web root with ...)
NOT-FOR-US: Zen Help Desk
CVE-2007-3145 (Visual truncation vulnerability in Galeon 2.0.1 allows remote ...)
- - galeon <unfixed> (low; bug #429216)
- [sarge] - galeon <no-dsa> (Minor issue)
- [etch] - galeon <no-dsa> (Minor issue)
+ - galeon <unfixed> (unimportant; bug #429216)
+ NOTE: Hardly a problem, Galeon's rotting any way and doesn't offer up-to-date
+ NOTE: phishing protections anyway
CVE-2007-3144 (Visual truncation vulnerability in Mozilla 1.7.12 allows remote ...)
- iceweasel <unfixed> (low)
[etch] - iceweasel <no-dsa> (Minor issue)
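Review bot: the two added NOTE lines say "any way" and "anyway" in consecutive clauses; "any way" should be "anyway", and one of the two should go. Dropping the `[sarge]` and `[etch]` `<no-dsa>` lines is consistent with the severity change to unimportant, since an unimportant `<unfixed>` entry already implies no DSA for any release.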
@@ -23529,8 +23535,10 @@
CVE-2007-1763 (The ATI kernel driver (atikmdag.sys) in Microsoft Windows Vista allows ...)
NOT-FOR-US: Microsoft
CVE-2007-1762 (Mozilla Firefox 2.0.0.1 through 2.0.0.3 does not canonicalize URLs ...)
- - iceweasel <unfixed> (low; bug #445515)
- [etch] - iceweasel <no-dsa> (Minor issue)
+ - iceweasel <unfixed> (unimportant; bug #445515)
+ NOTE: I don't believe this has relevant security impact, such a black list
+ NOTE: will register URLs found in the wild and the used adresses will be
+ NOTE: volatile anyway
CVE-2007-1761
RESERVED
CVE-2007-1760
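Review bot: "adresses" in the second NOTE line should be "addresses". The reasoning is sound for a downgrade to unimportant, but the NOTE would be clearer if it named what is being judged (the phishing block list, which is what the CVE concerns) rather than "such a black list".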
@@ -23583,8 +23591,10 @@
CVE-2007-1737 (Opera 9.10 does not check URLs embedded in (1) object or (2) iframe ...)
NOT-FOR-US: Opera
CVE-2007-1736 (Mozilla Firefox 2.0.0.3 does not check URLs embedded in (1) object or ...)
- - iceweasel <unfixed> (low)
- [etch] - iceweasel <no-dsa> (Minor issue)
+ - iceweasel <unfixed> (unimportant)
+ NOTE: I don't believe this has relevant security impact, such a black list
+ NOTE: will register URLs found in the wild and the used adresses will be
+ NOTE: volatile anyway
CVE-2007-1735 (Stack-based buffer overflow in Corel WordPerfect Office X3 ...)
NOT-FOR-US: Corel WordPerfect
CVE-2007-1734 (The DCCP support in the do_dccp_getsockopt function in ...)
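Review bot: this NOTE is the same text pasted from the CVE-2007-1762 entry, including the "adresses" typo; fix the spelling here too, and since the two CVEs share one rationale, a one-line cross-reference ("same reasoning as CVE-2007-1762") would keep the two entries from drifting apart on later edits.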
@@ -26265,8 +26275,8 @@
[etch] - stlport5 5.0.2-12
[sarge] - stlport5 <not-affected> (Vulnerable code not compiled in)
CVE-2007-0802 (Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing ...)
- - iceweasel <unfixed> (low)
- [etch] - iceweasel <no-dsa> (Minor issue)
+ - iceweasel 2.0.0.16-1 (low)
+ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=367538
CVE-2007-0801 (The nsExternalAppHandler::SetUpTempFile function in Mozilla Firefox ...)
- iceweasel 2.0.0.2+dfsg-1 (low)
- firefox <removed> (low)
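Review bot: the new fixed version 2.0.0.16-1 is justified only by a bare bugzilla URL; add a few words to the NOTE saying which upstream release closed the bug so the entry stays meaningful if the link goes stale. The commit log's "one firefox issue fixed in the past already" refers to this hunk, and that wording should also appear here.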