[Secure-testing-commits] r11590 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Wed Apr 8 15:51:18 UTC 2009


Author: jmm-guest
Date: 2009-04-08 15:51:18 +0000 (Wed, 08 Apr 2009)
New Revision: 11590

Modified:
   data/CVE/list
   data/embedded-code-copies
   data/ospu-candidates.txt
Log:
- monotone no longer uses embedded libs
- remove horde ospu entry now that it's fixed in a DSA
- new wireshark issues (unfixed in sid)
- two new openafs issues (fixed in sid)
- two new kernel issues
- postgresql no-dsa (postgres point releases are regularly synced into Debian stable updates)
- update on ecryptfs kernel issue
- NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-04-08 14:30:52 UTC (rev 11589)
+++ data/CVE/list	2009-04-08 15:51:18 UTC (rev 11590)
@@ -1,3 +1,10 @@
+CVE-2009-XXXX [Wireshark: The LDAP dissector could crash on Windows]
+	- wireshark <not-affected> (Only affects Wireshark on Windows)
+CVE-2009-XXXX [Wireshark: Wireshark could crash while loading a Tektronix .rf5 file]
+	- wireshark <unfixed>
+	[etch] - wireshark <not-affected> (Vulnerable code not present; introduced in 0.99.6)
+CVE-2009-XXXX [Wireshark: The Check Point High-Availability Protocol (CPHAP) dissector could crash.]
+	- wireshark <unfixed>
 CVE-2009-XXXX
 	- clamav <unfixed> (medium; bug #523016)
 CVE-2009-1254
@@ -8,10 +15,12 @@
 	{DSA-1764-1}
 CVE-2009-1252
 	RESERVED
-CVE-2009-1251
+CVE-2009-1251 [openafs]
 	RESERVED
-CVE-2009-1250
+	- openafs 1.4.10+dfsg1-1
+CVE-2009-1250 [openafs]
 	RESERVED
+	- openafs 1.4.10+dfsg1-1
 CVE-2009-1249 (Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x ...)
 	NOT-FOR-US: Feed element mapper for Drupal
 CVE-2009-1248 (Multiple PHP remote file inclusion vulnerabilities in Acute Control ...)
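Review bot: CVE-2009-1251 and CVE-2009-1250 gain `- openafs 1.4.10+dfsg1-1` but no `[etch]` or `[lenny]` line, so both stable suites are implicitly treated as affected and awaiting a fix, while the commit log only says "fixed in sid". Either add `[etch] - openafs <no-dsa> (...)` / `[lenny] - openafs <no-dsa> (...)` with a reason, or note that a DSA is pending, so the stable status is not left to be inferred. The `RESERVED` marker is fine to keep until MITRE publishes the descriptions.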
@@ -25,9 +34,11 @@
 CVE-2009-1244
 	RESERVED
 CVE-2009-1243 (net/ipv4/udp.c in the Linux kernel before 2.6.29.1 performs an ...)
-	TODO: check
+	- linux-2.6 <not-affected> (Issue was introduced after 2.6.27 release)
+	- linux-2.6.24 <not-affected> (Issue was introduced after 2.6.27 release)
 CVE-2009-1242 (The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX ...)
-	TODO: check
+	- linux-2.6 <unfixed>
+	- linux-2.6.24 <unfixed>
 CVE-2008-6656 (Multiple SQL injection vulnerabilities in Open Auto Classifieds 1.4.3b ...)
 	TODO: check
 CVE-2008-6655 (Multiple cross-site scripting (XSS) vulnerabilities in GEDCOM_TO_MYSQL ...)
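Review bot: the `<not-affected>` rationale for CVE-2009-1243, "Issue was introduced after 2.6.27 release", does not cover the `linux-2.6` line for sid: the CVE text says kernels before 2.6.29.1 are affected, and the ecryptfs hunk later in this same commit records sid's `linux-2.6` as 2.6.29-1, which would fall in the affected range. The rationale fits lenny's and etch's older kernels and `linux-2.6.24`; for `linux-2.6` either record the fixed version (if 2.6.29-1 already carries the patch) or mark it `<unfixed>`, and move the "introduced after 2.6.27" reason onto `[etch]`/`[lenny]` lines.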
@@ -280,7 +291,7 @@
 	NOT-FOR-US: Blue Coat ProxySG
 CVE-2009-1210 (Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in ...)
 	- wireshark <unfixed>
-	TODO: File bug, investigate, if necessary open RT ticket
+	[etch] - wireshark <not-affected> (Vulnerable code not present, introduced in 0.99.6)
 CVE-2009-1209 (Stack-based buffer overflow in W3C Amaya Web Browser 11.1 allows ...)
 	- amaya <removed>
 CVE-2009-1208 (SQL injection vulnerability in auth2db 0.2.5, and possibly other ...)
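Review bot: the `TODO: File bug, investigate, if necessary open RT ticket` line is dropped but none of its actions is reflected in the entry: `- wireshark <unfixed>` still has no bug number and there is no `[lenny]` line, so lenny is left implicitly affected with no note on whether a DSA is planned. Keep the `<not-affected>` etch line, but add `(bug #NNNNNN)` to the sid entry and a `[lenny]` status line before removing the TODO.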
@@ -460,9 +471,9 @@
 	[etch] - phpmyadmin <not-affected> (Vulnerable code not present)
 	[lenny] - phpmyadmin <not-affected> (Vulnerable code not present)
 CVE-2009-1147 (Unspecified vulnerability in vmci.sys in the Virtual Machine ...)
-	TODO: check
+	NOT-FOR-US: VmWare
 CVE-2009-1146 (Unspecified vulnerability in an ioctl in hcmon.sys in VMware ...)
-	TODO: check
+	NOT-FOR-US: VmWare
 CVE-2009-1145
 	RESERVED
 CVE-2009-1144
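Review bot: `NOT-FOR-US: VmWare` misspells the vendor name; the CVE-2009-0518 entry later in this commit uses `NOT-FOR-US: VMware`. Use the same spelling here and in the three CVE-2009-0908/0909/0910 entries below, since inconsistent vendor strings make grepping the list for all VMware entries unreliable.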
@@ -1136,9 +1147,11 @@
 	NOT-FOR-US: Solaris
 CVE-2009-0922 (PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows ...)
 	- postgresql-8.3 8.3.7-1 (bug #517405)
+	[lenny] - postgresql-8.3 <no-dsa> (Minor issue)
 	- postgresql-8.1 <removed>
 	- postgresql-7.4 <removed>
-	NOTE: fixed in ubuntu: http://www.ubuntu.com/usn/USN-753-1
+	[etch] - postgresql-8.1 <no-dsa> (Minor issue)
+	[etch] - postgresql-7.4 <no-dsa> (Minor issue)
 CVE-2008-6481 (SQL injection vulnerability in the Versioning component ...)
 	NOT-FOR-US: Versioning component (com_versioning) in Joomla! and Mambo 
 CVE-2009-0921 (Multiple heap-based buffer overflows in OvCgi/Toolbar.exe in HP ...)
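Review bot: the `<no-dsa>` reason recorded for CVE-2009-0922 is `(Minor issue)`, but the commit log gives a different and more useful rationale: PostgreSQL point releases are regularly synced into Debian stable updates. Put that reason in the entry itself, e.g. `[lenny] - postgresql-8.3 <no-dsa> (Fixed via stable point release update)`, so a reader of the list does not have to find this commit to learn why no DSA is planned. Also consider keeping the dropped `NOTE: fixed in ubuntu: http://www.ubuntu.com/usn/USN-753-1` line; it is a cheap pointer to a reviewed backport for the etch 8.1/7.4 packages.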
@@ -1180,11 +1193,11 @@
 CVE-2008-6473 (_blogadata/include/init_pass2.php in Blogator-script 0.95 allows ...)
 	NOT-FOR-US: Blogator-script
 CVE-2009-0910 (Heap-based buffer overflow in the VNnc Codec in VMware Workstation ...)
-	TODO: check
+	NOT-FOR-US: VmWare
 CVE-2009-0909 (Heap-based buffer overflow in the VNnc Codec in VMware Workstation ...)
-	TODO: check
+	NOT-FOR-US: VmWare
 CVE-2009-0908 (Unspecified vulnerability in the ACE shared folders implementation in ...)
-	TODO: check
+	NOT-FOR-US: VmWare
 CVE-2009-0907
 	RESERVED
 CVE-2009-0906
@@ -1598,9 +1611,9 @@
 CVE-2009-0788
 	RESERVED
 CVE-2009-0787 (The ecryptfs_write_metadata_to_contents function in the eCryptfs ...)
-	- linux-2.6 <unfixed>
+	- linux-2.6 2.6.29-1
 	[etch] - linux-2.6 <not-affected> (ecryptfs was merged in 2.6.19)
-	- linux-2.6.24 <removed>
+	- linux-2.6.24 <not-affected> (Only affects 2.6.28)
 CVE-2009-0786
 	RESERVED
 CVE-2009-0785
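Review bot: the two rationales for CVE-2009-0787 contradict each other: `[etch] - linux-2.6 <not-affected> (ecryptfs was merged in 2.6.19)` suggests the bug exists since ecryptfs was merged, while `- linux-2.6.24 <not-affected> (Only affects 2.6.28)` says only 2.6.28 is affected. If the latter is right, the etch reason should also be "Only affects 2.6.28", and a `[lenny] - linux-2.6 <not-affected> (Only affects 2.6.28)` line is missing; without it lenny's kernel is implicitly marked affected because its version is below the fixed 2.6.29-1.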
@@ -2693,7 +2706,7 @@
 CVE-2009-0557
 	RESERVED
 CVE-2009-0556 (Unspecified vulnerability in Microsoft Office PowerPoint 2000 SP3, ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Office
 CVE-2009-0555
 	RESERVED
 CVE-2009-0554
@@ -2855,7 +2868,7 @@
 CVE-2009-0519 (Unspecified vulnerability in Adobe Flash Player 9.x before 9.0.159.0 ...)
 	NOT-FOR-US: Adobe Flash Player
 CVE-2009-0518 (VI Client in VMware VirtualCenter before 2.5 Update 4, VMware ESXi 3.5 ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2009-0517 (Eval injection vulnerability in index.php in phpSlash 0.8.1.1 and ...)
 	NOT-FOR-US: phpSlash
 CVE-2009-0516 (SQL injection vulnerability in the classified page (classified.php) in ...)

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2009-04-08 14:30:52 UTC (rev 11589)
+++ data/embedded-code-copies	2009-04-08 15:51:18 UTC (rev 11590)
@@ -35,7 +35,6 @@
 	[etch] - pdftohtml <unfixed>
 	NOTE: has been replaced by poppler-utils
 	- kdegraphics 4:4.2.2-1 (embed; bug #436164)
-	NOTE: the kpdf replacement in KDE 4 is using poppler
 	- texlive-base 3.0-12 (embed)
 	- texlive-bin 2007-1 (embed)
 	NOTE: links to poppler
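Review bot: removing `NOTE: the kpdf replacement in KDE 4 is using poppler` is not mentioned in the commit log, and it leaves the `kdegraphics 4:4.2.2-1 (embed; bug #436164)` line without the explanation of why 4.2.2-1 is the fixed version. If the note is wrong, say so in the log; if it is still true, keep it, as it is the only record of how the embedded copy was resolved.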
@@ -162,7 +161,7 @@
 	- libgoffice-1 <unfixed> (embed)
 	- vfu 4.06-4.1 (embed; bug #450754)
 	- tf5 5.0beta7-1 (embed)
-	- monotone <unfixed> (embed)
+	- monotone 0.43-1 (embed)
 	NOTE: this only affects versions >= 0.37
 	- glib2.0 2.15.2-1 (embed)
 	- apache2 2.0.53-4 (embed)
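Review bot: with monotone now recorded as fixed in 0.43-1, the following `NOTE: this only affects versions >= 0.37` is stale: it was written to bound the affected range from below while the entry was `<unfixed>`. Update it to state the full range of the embedded copy, e.g. "only affects versions >= 0.37 and < 0.43", so the note still matches the entry.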
@@ -185,7 +184,7 @@
 
 sqlite (not affected by security vulnerabilities so far)
 	- amarok <unfixed> (embed)
-	- monotone <unfixed> (embed)
+	- monotone 0.43-1 (embed)
 	- iceweasel <unfixed> (embed)
 
 util-linux/mount
@@ -427,20 +426,20 @@
 	NOTE: ksirk/kde4
 	
 libidn
-	- monotone <unfixed> (embed)
+	- monotone 0.43-1 (embed)
 	- psi <unfixed> (embed)
 	NOTE: psi embeds libiris which embeds libidn
 	- kdegames <unfixed> (embed)
 	NOTE: kdegames/kde4 embeds libiris which embeds libidn
 
 liblua
-	- monotone <unfixed> (embed)
+	- monotone 0.43-1 (embed)
 
 libbotan
-	- montone <unfixed> (embed)
+	- montone 0.43-1 (embed)
 
 NetXX
-	- monotone <unfixed> (embed)
+	- monotone 0.43-1 (embed)
 
 libgc
 	- mono <unfixed> (embed)
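Review bot: the libbotan entry spells the package `montone` on both the old and the new line (`- montone 0.43-1 (embed)`); the tracker matches these lines against source package names, so this entry will never be associated with the monotone package. Since the line is being touched anyway, correct it to `- monotone 0.43-1 (embed)` to match the other five monotone entries in this hunk.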

Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt	2009-04-08 14:30:52 UTC (rev 11589)
+++ data/ospu-candidates.txt	2009-04-08 15:51:18 UTC (rev 11590)
@@ -248,12 +248,6 @@
 
 --
 
-horde3 (CVE-2008-3330)
-#495332
-notified maintainer
-
---
-
 hplip (CVE-2008-2940/CVE-2008-2941)
 #499842
 notified maintainer
