[Secure-testing-commits] r10053 - data/CVE

jmm-guest at alioth.debian.org jmm-guest at alioth.debian.org
Fri Oct 10 22:08:44 UTC 2008 

Author: jmm-guest
Date: 2008-10-10 22:08:43 +0000 (Fri, 10 Oct 2008)
New Revision: 10053

Modified:
   data/CVE/list
Log:
Lenny triage:
- mark libnet-dns-perl/CVE-2008-1447 as fixed for Lenny
- one webcalendar issue doesn't affect Lenny
- mark some browser non-issues as such
- one firefox issue fixed in the past already


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2008-10-10 21:14:12 UTC (rev 10052)
+++ data/CVE/list	2008-10-10 22:08:43 UTC (rev 10053)
@@ -7266,7 +7266,12 @@
 	- adns 1.4-2 (unimportant; bug #492698)
 	NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian
 	- udns <unfixed> (bug #493599)
-	- libnet-dns-perl <unfixed> (low; bug #492700)
+	- libnet-dns-perl 0.63-2 (low; bug #492700)
+	NOTE: Source port randomization from Lenny kernel should provide sufficient protection
+        NOTE: since this is just a Perl nodule for DNS queries and not a high-profile server app like
+        NOTE: Bind, it's unlikely that a home-grown fix will provide an implementation of higher
+        NOTE: cryptographical quality. Marking the version from Lenny as fixed, since Lenny includes
+        NOTE: a kernel which provides source port randomization
 	- ruby1.9 1.9.0.2-6 (low)
 	NOTE: Unbound, djbdns, pdnsd and PowerDNS are affected by the underlying protocol issue, but
 	NOTE: already use source port randomization.
@@ -9494,6 +9499,7 @@
 	- openldap2 <not-affected> (slapd not built)
 CVE-2007-6696 (Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar ...)
 	- webcalendar 1.1.6-7 (bug #466935)
+        [lenny] - webcalendar <not-affected> (See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466935#37)
 CVE-2007-6695 (Cross-site scripting (XSS) vulnerability in index.php in Drake CMS ...)
 	NOT-FOR-US: Drake CMS
 CVE-2008-0664 (The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, ...)
@@ -20246,9 +20252,9 @@
 CVE-2007-3146 (Zen Help Desk 2.1 stores sensitive information under the web root with ...)
 	NOT-FOR-US: Zen Help Desk
 CVE-2007-3145 (Visual truncation vulnerability in Galeon 2.0.1 allows remote ...)
-	- galeon <unfixed> (low; bug #429216)
-	[sarge] - galeon <no-dsa> (Minor issue)
-	[etch] - galeon <no-dsa> (Minor issue)
+	- galeon <unfixed> (unimportant; bug #429216)
+        NOTE: Hardly a problem, Galeon's rotting any way and doesn't offer up-to-date
+        NOTE: phishing protections anyway
 CVE-2007-3144 (Visual truncation vulnerability in Mozilla 1.7.12 allows remote ...)
 	- iceweasel <unfixed> (low)
 	[etch] - iceweasel <no-dsa> (Minor issue)
@@ -23529,8 +23535,10 @@
 CVE-2007-1763 (The ATI kernel driver (atikmdag.sys) in Microsoft Windows Vista allows ...)
 	NOT-FOR-US: Microsoft
 CVE-2007-1762 (Mozilla Firefox 2.0.0.1 through 2.0.0.3 does not canonicalize URLs ...)
-	- iceweasel <unfixed> (low; bug #445515)
-	[etch] - iceweasel <no-dsa> (Minor issue)
+	- iceweasel <unfixed> (unimportant; bug #445515)
+        NOTE: I don't believe this has relevant security impact, such a black list
+        NOTE: will register URLs found in the wild and the used adresses will be
+        NOTE: volatile anyway
 CVE-2007-1761
 	RESERVED
 CVE-2007-1760
@@ -23583,8 +23591,10 @@
 CVE-2007-1737 (Opera 9.10 does not check URLs embedded in (1) object or (2) iframe ...)
 	NOT-FOR-US: Opera
 CVE-2007-1736 (Mozilla Firefox 2.0.0.3 does not check URLs embedded in (1) object or ...)
-	- iceweasel <unfixed> (low)
-	[etch] - iceweasel <no-dsa> (Minor issue)
+	- iceweasel <unfixed> (unimportant)
+        NOTE: I don't believe this has relevant security impact, such a black list
+        NOTE: will register URLs found in the wild and the used adresses will be
+        NOTE: volatile anyway
 CVE-2007-1735 (Stack-based buffer overflow in Corel WordPerfect Office X3 ...)
 	NOT-FOR-US: Corel WordPerfect
 CVE-2007-1734 (The DCCP support in the do_dccp_getsockopt function in ...)
@@ -26265,8 +26275,8 @@
 	[etch] - stlport5 5.0.2-12
 	[sarge] - stlport5 <not-affected> (Vulnerable code not compiled in)
 CVE-2007-0802 (Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing ...)
-	- iceweasel <unfixed> (low)
-	[etch] - iceweasel <no-dsa> (Minor issue)
+	- iceweasel 2.0.0.16-1 (low)
+        NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=367538
 CVE-2007-0801 (The nsExternalAppHandler::SetUpTempFile function in Mozilla Firefox ...)
 	- iceweasel 2.0.0.2+dfsg-1 (low)
 	- firefox <removed> (low)

More information about the Secure-testing-commits mailing list