[Secure-testing-commits] r12626 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Mon Aug 17 18:46:29 UTC 2009
Author: jmm-guest
Date: 2009-08-17 18:46:29 +0000 (Mon, 17 Aug 2009)
New Revision: 12626
Modified:
data/CVE/list
data/ospu-candidates.txt
data/spu-candidates.txt
Log:
- openvpn, xemacs, libpam-ssh no-dsa
- new gri issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-08-17 18:38:10 UTC (rev 12625)
+++ data/CVE/list 2009-08-17 18:46:29 UTC (rev 12626)
@@ -228,6 +228,8 @@
[etch] - libxerces2-java <no-dsa> (minor issue)
[lenny] - libxerces2-java <no-dsa> (minor issue)
TODO: request cve it
+CVE-2009-XXXX [gri: insecure temp file generation]
+ - gri 2.12.18-1 (low)
CVE-2009-XXXX [linux-2.6: parisc eisa underflow]
- linux-2.6 2.6.30-6 (low)
- linux-2.6.24 <removed>
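Review bot: The added gri entry (`CVE-2009-XXXX [gri: insecure temp file generation]`) has no bug number, NOTE or TODO, so nothing records where the issue was reported or whether a CVE id has been requested. Add the bug reference, or a TODO line of the kind used elsewhere in this file, so the CVE-2009-XXXX placeholder can be resolved later.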
@@ -263,8 +265,7 @@
NOTE: CVE id requested
NOTE: http://www.spip-contrib.net/SPIP-Security-Alert-new-version
CVE-2009-XXXX [rubygems: integrity violation]
- - libgems-ruby <not-affected> (medium; bug #540610)
- NOTE: debian's version installs gems packages to /var/lib/gems,
+ - libgems-ruby <not-affected> (Debian's version installs gems packages to /var/lib/gems, bug #540610)
NOTE: so no opportunity to overwrite system files
NOTE: CVE id already requested
CVE-2009-XXXX [bugzilla: unauthorized bug modification]
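Review bot: Folding the first NOTE into the parenthetical on the libgems-ruby line leaves `NOTE: so no opportunity to overwrite system files` as a fragment with no sentence before it. Either move that wording into the parenthetical too or restore the first NOTE line. The edit also drops the `medium` severity, and the log message does not mention the rubygems entry.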
@@ -388,6 +389,8 @@
TODO: file bug
CVE-2009-2688 (Multiple integer overflows in glyphs-eimage.c in XEmacs 21.4.22, when ...)
- xemacs21 <unfixed> (low; bug #540470)
+ [etch] - xemacs21 <no-dsa> (Minor issue, obscure attack vector)
+ [lenny] - xemacs21 <no-dsa> (Minor issue, obscure attack vector)
CVE-2009-2686
RESERVED
CVE-2009-2685
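Review bot: The two added xemacs21 lines list [etch] before [lenny], while the openvpn and libpam-ssh additions in this same commit list [lenny] first; pick one order for the per-release lines. "Obscure attack vector" also does not say which vector is meant, so a short NOTE would help whoever revisits the `<unfixed>` entry.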
@@ -1487,6 +1490,8 @@
NOTE: fixed in etch in DSA-1816-1
CVE-2009-XXXX [openvpn: possible symlink attack via client-connect script]
- openvpn <unfixed> (low; bug #534908)
+ [lenny] - openvpn <no-dsa> (Minor issue)
+ [etch] - openvpn <no-dsa> (Minor issue)
CVE-2009-XXXX [xscreensaver: symlink attack enables local information disclosure]
- xscreensaver <not-affected> (does not run setuid in debian)
NOTE: http://bugs.debian.org/535870
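Review bot: openvpn is tagged `<no-dsa>` for lenny and etch here, but unlike xemacs21 and libpam-ssh this revision adds no openvpn block to data/ospu-candidates.txt or data/spu-candidates.txt. If a point-release fix for bug #534908 is intended, check that an entry already exists there or add one; if not, say so in the parenthetical instead of the bare "Minor issue".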
@@ -4492,6 +4497,8 @@
NOT-FOR-US: Dojo
CVE-2009-1273 (pam_ssh 1.92 and possibly other versions, as used when PAM is compiled ...)
- libpam-ssh 1.92-7 (low; bug #535877)
+ [lenny] - libpam-ssh <no-dsa> (Minor issue)
+ [etch] - libpam-ssh <no-dsa> (Minor issue)
TODO: add after r3 [lenny] - libpam-ssh 1.91.0-9.3+lenny1
CVE-2009-1272 (The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x ...)
{DTSA-188-1}
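Review bot: The added `[lenny] - libpam-ssh <no-dsa> (Minor issue)` line sits directly above the existing `TODO: add after r3 [lenny] - libpam-ssh 1.91.0-9.3+lenny1`, so carrying out the TODO as written would leave two [lenny] lines for the package. Reword the TODO to say the fixed-version line replaces the no-dsa line.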
Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt 2009-08-17 18:38:10 UTC (rev 12625)
+++ data/ospu-candidates.txt 2009-08-17 18:46:29 UTC (rev 12626)
@@ -333,6 +333,12 @@
--
+libpam-ssh (CVE-2009-1273)
+#535877
+maintainer notified through initial bug report
+
+--
+
libpng (CVE-2008-1382)
#476669
notified maintainer
@@ -757,6 +763,10 @@
bug #480877
notified maintainer
+xemacs21 (CVE-2009-2688)
+#540470
+Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994
+
--
xen-3 (CVE-2008-4993)
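Review bot: The xemacs21 block in this hunk is added without a `--` separator: the header `-757,6 +763,10` shows four added lines, while the spu-candidates.txt hunk for the same package adds six, including `--`. As shown, the new entry follows straight on from the preceding `bug #480877` / `notified maintainer` entry; add a `--` line before `xemacs21 (CVE-2009-2688)`.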
@@ -782,6 +792,11 @@
--
+xscreensaver (no CVE)
+#539699
+
+--
+
zabbix (CVE-2008-1353)
bug #471678
notified maintainer
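Review bot: The added xscreensaver block consists only of `xscreensaver (no CVE)` and `#539699`, with no line saying what the issue is or whether the maintainer was notified, unlike the libpam-ssh block added earlier in this file. No data/CVE/list change in this commit refers to #539699, and the log message does not mention xscreensaver; add a status line and list the addition in the log.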
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-08-17 18:38:10 UTC (rev 12625)
+++ data/spu-candidates.txt 2009-08-17 18:46:29 UTC (rev 12626)
@@ -87,6 +87,12 @@
--
+libpam-ssh (CVE-2009-1273)
+#535877
+maintainer notified through initial bug report
+
+--
+
libpng (CVE-2009-2042)
#533676
notified maintainer
@@ -202,6 +208,12 @@
--
+xemacs21 (CVE-2009-2688)
+#540470
+Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994
+
+--
+
xen-3 (CVE-2008-4993)
#496367
notified maintainer
@@ -214,5 +226,10 @@
--
+xscreensaver (no CVE)
+#539699
+
+--
+
ziproxy (CVE-2009-0804)
#521051