[Secure-testing-commits] r12636 - data/CVE
Michael Gilbert
gilbert-guest at alioth.debian.org
Wed Aug 19 00:35:58 UTC 2009
Author: gilbert-guest
Date: 2009-08-19 00:35:57 +0000 (Wed, 19 Aug 2009)
New Revision: 12636
Modified:
data/CVE/list
Log:
remove hacks for squeeze now that it has a 2.6.30 kernel
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-08-19 00:28:50 UTC (rev 12635)
+++ data/CVE/list 2009-08-19 00:35:57 UTC (rev 12636)
@@ -972,7 +972,6 @@
- linux-2.6 <unfixed> (low)
[etch] - linux-2.6 <not-affected> (vulnerable code not present)
[lenny] - linux-2.6 <not-affected> (vulnerable code not present)
- [squeeze] - linux-2.6 <not-affected> (vulnerable code not present)
- linux-2.6.24 <not-affected> (vulnerable code not present)
CVE-2009-2583 (Multiple session fixation vulnerabilities in IBM Tivoli Identity ...)
NOT-FOR-US: IBM Tivoli
@@ -2605,7 +2604,6 @@
- linux-2.6 2.6.30-1 (low)
[etch] - linux-2.6 <not-affected> (Affected code was introduced in 2.6.19)
[lenny] - linux-2.6 2.6.26-16
- [squeeze] - linux-2.6 2.6.26-16
- linux-2.6.24 <removed>
NOTE: fixed in lenny 5.0.2 release
CVE-2009-1959 (Off-by-one error in the event_wallops function in ...)
@@ -2715,7 +2713,6 @@
{DSA-1844-1}
- linux-2.6 2.6.29-1 (low; bug #532722)
[lenny] - linux-2.6 2.6.26-16
- [squeeze] - linux-2.6 2.6.26-16
- linux-2.6.24 <removed>
NOTE: updated in lenny 5.0.2 release
CVE-2009-1913 (SQL injection vulnerability in manager.php in LuxBum 0.5.5, when ...)
@@ -2770,7 +2767,6 @@
- linux-2.6 2.6.30-3 (high; bug #537409)
[etch] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29)
[lenny] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29)
- [squeeze] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29)
- linux-2.6.24 <not-affected> (vulnerable code introduced in 2.6.29)
NOTE: http://seclists.org/fulldisclosure/2009/Jul/0241.html
CVE-2009-1896 (The Java Web Start framework in IcedTea in OpenJDK before ...)
@@ -3150,7 +3146,6 @@
CVE-2009-1758 (The hypervisor_callback function in Xen, possibly before 3.4.0, as ...)
{DSA-1809-1}
- linux-2.6 2.6.28-1 (low; bug #536148)
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
NOTE: maximum impact is denial-of-service, so low-urgency
CVE-2009-1757 (Cross-site request forgery (CSRF) vulnerability in Transmission 1.5 ...)
@@ -3493,7 +3488,6 @@
CVE-2009-1633 (Multiple buffer overflows in the cifs subsystem in the Linux kernel ...)
{DSA-1865-1 DSA-1844-1 DSA-1809-1}
- linux-2.6 2.6.30-1
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
CVE-2009-1632 (Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote ...)
{DSA-1804-1}
@@ -3505,7 +3499,6 @@
CVE-2009-1630 (The nfs_permission function in fs/nfs/dir.c in the NFS client ...)
{DSA-1865-1 DSA-1844-1 DSA-1809-1}
- linux-2.6 2.6.30-1
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
CVE-2009-1629 (ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with ...)
- ajaxterm <unfixed> (medium; bug #528938)
@@ -3790,9 +3783,6 @@
- linux-2.6 2.6.29-5 (high)
[etch] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29)
[lenny] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29)
- [squeeze] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29)
- NOTE: vulnerability introduced in commit d84f4f99, which has only been included in the kernel since 2.6.29
- NOTE: i had checked 2.6.28, 2.6.26, 2.6.24, and 2.6.18 and have now rechecked. the vulnerable code is not present until 2.6.29
CVE-2009-1526 (JBMC Software DirectAdmin before 1.334 allows local users to create or ...)
NOT-FOR-US: Directadmin
CVE-2009-1525 (CMD_DB in JBMC Software DirectAdmin before 1.334 allows remote ...)
@@ -4072,7 +4062,6 @@
CVE-2009-1439 (Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel ...)
{DSA-1800-1 DSA-1794-1 DSA-1787-1}
- linux-2.6 2.6.29-2 (bug #523365)
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
CVE-2009-1438 (Integer overflow in the CSoundFile::ReadMed function ...)
{DSA-1851-1 DSA-1850-1}
@@ -4202,9 +4191,6 @@
CVE-2009-1388 (The ptrace_start function in kernel/ptrace.c in the Linux kernel ...)
- linux-2.6 <not-affected> (problem in redhat-specific kernel patches)
- linux-2.6.24 <not-affected> (problem in redhat-specific kernel patches)
- NOTE: i can't find the ptrace_start() code in any of the debian kernels,
- NOTE: so my best guess is that this is a problem in a redhat-specific patch
- NOTE: see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1388
CVE-2009-1387 (The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in ...)
- openssl 0.9.8k-2 (low; bug #532037)
- openssl097 <not-affected> (DTLS support was introduced in 0.9.8)
@@ -4265,7 +4251,6 @@
- linux-2.6 2.6.29-1 (low; bug #529342)
[etch] - linux-2.6 <not-affected> (Introduced in 2.6.27)
[lenny] - linux-2.6 <not-affected> (Introduced in 2.6.27)
- [squeeze] - linux-2.6 <not-affected> (Introduced in 2.6.27)
- linux-2.6.24 <not-affected> (Introduced in 2.6.27)
CVE-2009-1411 (SQL injection vulnerability in events/inc/events.inc.php in the Events ...)
NOT-FOR-US: Seditio CMS
@@ -4407,12 +4392,10 @@
CVE-2009-1338 (The kill_something_info function in kernel/signal.c in the Linux ...)
{DSA-1800-1 DSA-1787-1}
- linux-2.6 2.6.29-1
- [squeeze] - linux-2.6 2.6.26-17
[etch] - linux-2.6 <not-affected> (Vulnerable code not present)
CVE-2009-1337 (The exit_notify function in kernel/exit.c in the Linux kernel before ...)
{DSA-1800-1 DSA-1794-1 DSA-1787-1}
- linux-2.6 2.6.29-5
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
CVE-2009-1336 (fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly ...)
{DSA-1794-1}
@@ -4433,9 +4416,6 @@
[etch] - linux-2.6 <no-dsa> (the solution, STRICT_DEVMEM=Y, could potentially lead to unanticipated compatibility problems in the stable releases)
[lenny] - linux-2.6 <no-dsa> (the solution, STRICT_DEVMEM=Y, could potentially lead to unanticipated compatiblity problems in the stable releases)
NOTE: This is about an additional hardening feature, not a security issue
- NOTE: - isn't hardening an aspect of security?
- NOTE: - if you can make it "harder" for an attacker to hide himself, shouldn't you do so?
- NOTE: - this problem has been fixed in unstable, so it should be tracked with a non-unimportant urgency
CVE-2009-XXXX [pptp-linux: unrestrictive pptpsetup permissions]
- pptp-linux 1.7.2-3 (low; bug #523476)
[lenny] - pptp-linux <no-dsa> (Minor issue)
@@ -4732,7 +4712,6 @@
CVE-2009-1265 (Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux ...)
{DSA-1800-1 DSA-1794-1 DSA-1787-1}
- linux-2.6 2.6.29-4
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
CVE-2009-1264 (Frontend User Registration (sr_feuser_register) extension 2.5.20 and ...)
NOT-FOR-US: Frontend User Registration (sr_feuser_register) extension
@@ -4849,7 +4828,6 @@
CVE-2009-1242 (The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX ...)
{DSA-1800-1 DSA-1787-1}
- linux-2.6 2.6.30-1
- [squeeze] - linux-2.6 2.6.26-17
[etch] - linux-2.6 <not-affected> (Doesn't include KVM yet)
- linux-2.6.24 <removed>
CVE-2008-6656 (Multiple SQL injection vulnerabilities in Open Auto Classifieds 1.4.3b ...)
@@ -5147,7 +5125,6 @@
CVE-2009-1192 (The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages ...)
{DSA-1800-1 DSA-1794-1 DSA-1787-1}
- linux-2.6 2.6.29-4
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
CVE-2009-1191 (mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server ...)
- apache2 2.2.11-4 (low)
@@ -5174,7 +5151,6 @@
CVE-2009-1184 (The selinux_ip_postroute_iptables_compat function in ...)
{DSA-1809-1 DSA-1800-1}
- linux-2.6 2.6.29-5
- [squeeze] - linux-2.6 2.6.26-17
[etch] - linux-2.6 <not-affected> (Issue was introduced after 2.6.24 release)
- linux-2.6.24 <not-affected> (Issue was introduced after 2.6.24 release)
CVE-2009-1183 (The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and ...)
@@ -5646,7 +5622,6 @@
CVE-2009-1072 (nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD ...)
{DSA-1800-1}
- linux-2.6 2.6.29-1
- [squeeze] - linux-2.6 2.6.26-17
[etch] - linux-2.6 <not-affected> (Issue was introduced after 2.6.24 release)
- linux-2.6.24 <not-affected> (Issue was introduced after 2.6.24 release)
CVE-2009-0934 (Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4 ...)
@@ -5715,7 +5690,6 @@
CVE-2009-1046 (The console selection feature in the Linux kernel 2.6.28 before ...)
{DSA-1800-1 DSA-1787-1}
- linux-2.6 2.6.29-1
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
[etch] - linux-2.6 <not-affected> (Introduced in 2.6.23-rc1)
CVE-2009-1045 (requests/status.xml in VLC 0.9.8a allows remote attackers to cause a ...)
@@ -6015,7 +5989,6 @@
- linux-2.6 2.6.30-1 (low)
[etch] - linux-2.6 <not-affected> (Vulnerability was introduced in 2.6.27-rc9)
[lenny] - linux-2.6 <not-affected> (Vulnerability was introduced in 2.6.27-rc9)
- [squeeze] - linux-2.6 <not-affected> (Vulnerability was introduced in 2.6.27-rc9)
- linux-2.6.24 <not-affected> (Vulnerability was introduced in 2.6.27-rc9)
CVE-2009-0933 (Cross-site scripting (XSS) vulnerability in the administrative ...)
NOT-FOR-US: Dotclear
@@ -6375,7 +6348,6 @@
CVE-2009-0835 (The __secure_computing function in kernel/seccomp.c in the seccomp ...)
{DSA-1800-1}
- linux-2.6 2.6.30-1 (low)
- [squeeze] - linux-2.6 2.6.26-17
[etch] - linux-2.6 <not-affected> (Not enabled in 2.6.18)
- linux-2.6.24 <removed>
[etch] - linux-2.6.24 <no-dsa> (unimportant)
@@ -6383,7 +6355,6 @@
CVE-2009-0834 (The audit_syscall_entry function in the Linux kernel 2.6.28.7 and ...)
{DSA-1800-1 DSA-1794-1 DSA-1787-1}
- linux-2.6 2.6.29-1 (low)
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
CVE-2009-0833 (Heap-based buffer overflow in gen_msn.dll in the gen_msn plugin 0.31 ...)
NOT-FOR-US: Winamp
@@ -6555,7 +6526,6 @@
- linux-2.6 2.6.29-1 (medium; bug #529326)
[etch] - linux-2.6 <not-affected> (ecryptfs was merged in 2.6.19)
[lenny] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.28)
- [squeeze] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.28)
- linux-2.6.24 <not-affected> (vulnerabile code introduced in 2.6.28)
CVE-2009-0786
REJECTED
@@ -6785,28 +6755,24 @@
- linux-2.6 2.6.29-1 (low)
[etch] - linux-2.6 <not-affected> (ext4 not yet present)
- linux-2.6.24 <unfixed> (low)
- [squeeze] - linux-2.6 2.6.26-13lenny2
NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this
CVE-2009-0747 (The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 ...)
{DSA-1749-1}
- linux-2.6 2.6.28-2 (low)
[etch] - linux-2.6 <not-affected> (ext4 not yet present)
- linux-2.6.24 <unfixed> (low)
- [squeeze] - linux-2.6 2.6.26-13lenny2
NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this
CVE-2009-0746 (The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel ...)
{DSA-1749-1}
- linux-2.6 2.6.28-1 (low)
[etch] - linux-2.6 <not-affected> (ext4 not yet present)
- linux-2.6.24 <unfixed> (low)
- [squeeze] - linux-2.6 2.6.26-13lenny2
NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this
CVE-2009-0745 (The ext4_group_add function in fs/ext4/resize.c in the Linux kernel ...)
{DSA-1787-1 DSA-1749-1}
- linux-2.6 2.6.29-1 (low)
[etch] - linux-2.6 <not-affected> (ext4 not yet present)
- linux-2.6.24 <unfixed> (low)
- [squeeze] - linux-2.6 2.6.26-13lenny2
NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this
CVE-2009-0744 (Apple Safari 4 Beta build 528.16 allows remote attackers to cause a ...)
NOT-FOR-US: Apple Safari
@@ -7077,7 +7043,6 @@
{DSA-1794-1 DSA-1787-1 DSA-1749-1}
- linux-2.6 2.6.29-1 (low)
- linux-2.6.24 <unfixed> (low)
- [squeeze] - linux-2.6 2.6.26-13lenny1
NOTE: Original fix was incomplete/risky, see:
NOTE: <http://marc.info/?l=linux-kernel&m=123540732700371&w=2>
NOTE: Reproducer in <https://bugzilla.redhat.com/show_bug.cgi?id=486305>
@@ -7086,7 +7051,6 @@
{DSA-1794-1 DSA-1787-1 DSA-1749-1}
- linux-2.6 2.6.29-1 (low)
- linux-2.6.24 <removed> (low)
- [squeeze] - linux-2.6 2.6.26-13lenny2
CVE-2009-0674 (images/captcha.php in Raven Web Services RavenNuke 2.30, when ...)
NOT-FOR-US: RavenNuke
CVE-2009-0673 (Eval injection vulnerability in the Custom Fields feature in the Your ...)
@@ -8761,7 +8725,6 @@
{DSA-1787-1 DSA-1749-1}
- linux-2.6 2.6.29-1
[etch] - linux-2.6 <not-affected> (ecryptfs was merged in 2.6.19)
- [squeeze] - linux-2.6 2.6.26-13lenny1
- linux-2.6.24 <removed>
CVE-2009-0265 (Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not ...)
- bind9 <not-affected> (vulnerable code not present, introduced in 9.6.x)
@@ -9508,7 +9471,6 @@
{DSA-1794-1 DSA-1787-1 DSA-1749-1}
- linux-2.6 2.6.29-1
- linux-2.6.24 <removed>
- [squeeze] - linux-2.6 2.6.26-13lenny1
CVE-2009-0064 (Multiple unspecified vulnerabilities in the Control Center in Symantec ...)
NOT-FOR-US: Symantec Brightmail Gateway Appliance
CVE-2009-0063 (Cross-site scripting (XSS) vulnerability in the Control Center in ...)
@@ -10196,18 +10158,15 @@
{DSA-1794-1 DSA-1787-1 DSA-1749-1}
- linux-2.6 2.6.29-1 (low)
- linux-2.6.24 <removed>
- [squeeze] - linux-2.6 2.6.26-13lenny1
CVE-2009-0030 (A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID ...)
- squirrelmail <not-affected> (RedHat-specific regression)
CVE-2009-0029 (The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, ...)
{DSA-1794-1 DSA-1787-1 DSA-1749-1}
- linux-2.6 2.6.29-1 (medium; bug #536147)
- linux-2.6.24 <removed>
- [squeeze] - linux-2.6 2.6.26-13lenny1
CVE-2009-0028 (The clone system call in the Linux kernel 2.6.28 and earlier allows ...)
{DSA-1800-1 DSA-1794-1 DSA-1787-1}
- linux-2.6 2.6.29-1
- [squeeze] - linux-2.6 2.6.26-17
- linux-2.6.24 <removed>
CVE-2009-0027 (The request handler in JBossWS in JBoss Enterprise Application ...)
- jbossas4 <unfixed>
@@ -11751,7 +11710,7 @@
[etch] - websvn <not-affected> (vulnerable code not present)
CVE-2008-5033 (The chip_command function in drivers/media/video/tvaudio.c in the ...)
- linux-2.6 2.6.26-11
- [etch] - linux-2.6.24 <not-affected> (Vulnerable code not present; different ioctls3B)
+ - linux-2.6.24 <not-affected> (Vulnerable code not present; different ioctls3B)
[etch] - linux-2.6 <not-affected> (Vulnerable code not present; different ioctls)
CVE-2008-5031 (Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, ...)
- python2.5 2.5.2-11.1
More information about the Secure-testing-commits
mailing list