[Secure-testing-commits] r13440 - in data: . CVE DSA

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Thu Dec 3 18:34:23 UTC 2009


Author: jmm-guest
Date: 2009-12-03 18:34:22 +0000 (Thu, 03 Dec 2009)
New Revision: 13440

Modified:
   data/CVE/list
   data/DSA/list
   data/embedded-code-copies
Log:
- evolution unimportant
- two BSD issues NFU
- only one CVE ID is used for the dtoa issue
- mark two browser RNG issues as unimportant
- xen fixed
- libhtml-prototype-perl fixed, also fixes
  code copies


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-12-03 12:51:46 UTC (rev 13439)
+++ data/CVE/list	2009-12-03 18:34:22 UTC (rev 13440)
@@ -2529,7 +2529,7 @@
 	[lenny] - otrs2 <not-affected> (prototype.js not present)
 	- webcalendar <unfixed> (low; bug #555268)
 	[lenny] - webcalendar <not-affected> (prototype.js not present)
-	- libhtml-prototype-perl <unfixed> (low; bug #558977)
+	- libhtml-prototype-perl 1.48-3 (low; bug #558977)
 	[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
 	[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
 	- plone3 <unfixed> (low; bug #555274)
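Review bot: the fixed version 1.48-3 for libhtml-prototype-perl is recorded here while the [etch] and [lenny] <no-dsa> (minor issue) lines are kept unchanged, which is the right shape for an unstable-only fix; the same entry is updated again further down in data/CVE/list, so both copies need to stay in step (the bug reference #558977 and the "low" severity do match here).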
@@ -6538,13 +6538,11 @@
 	- kdebase <unfixed> (low; bug #532519)
 	[lenny] - kdebase <no-dsa> (Minor issue)
 	[etch] - kdebase <no-dsa> (Minor issue)
-	- w3m <unfixed> (low; bug #532521)
-	[lenny] - w3m <no-dsa> (Minor issue)
-	[etch] - w3m <no-dsa> (Minor issue)
+	- w3m <unfixed> (unimportant; bug #532521)
+	NOTE: w3m doesn't have Javascript support and the boundary issue is harmles
 	- chromium-browser <itp> (low; bug #520324)
-	- lynx 2.8.7rel.1-1 (low; bug #532520)
-	[lenny] - lynx <no-dsa> (Minor issue)
-	[etch] - lynx <no-dsa> (Minor issue)
+	- lynx 2.8.7rel.1-1 (unimportant; bug #532520)
+	NOTE: lynx doesn't have Javascript and form-data support
 	- dillo <unfixed> (low; bug #532522)
 	[lenny] - dillo <no-dsa> (Minor issue)
 	[etch] - dillo <no-dsa> (Minor issue)
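Review bot: the added NOTE for w3m has a typo, "harmles" should read "harmless", and the rationale given ("doesn't have Javascript support") raises the question whether dillo, which stays at "low" with its [lenny]/[etch] <no-dsa> lines in the context just below, should be treated the same way; if dillo differs (e.g. it does process the data in question), a one-line NOTE saying so would save the next person the same check.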
@@ -7454,9 +7452,8 @@
 	{DSA-1804-1}
 	- ipsec-tools 1:0.7.1-1.5 (medium; bug #528933)
 CVE-2009-1631 (The Mailer component in Evolution 2.26.1 and earlier uses ...)
-	- evolution <unfixed> (low; bug #526409)
-	[lenny] - evolution <no-dsa> (Minor issue, only for local users/mail and open homedirs)
-	[etch] - evolution <no-dsa> (Minor issue, only for local users/mail and open homedirs)
+	- evolution <unfixed> (unimportant; bug #526409)
+	NOTE: Mostly a security enhancement, only for local users/mail and open homedirs
 CVE-2009-1630 (The nfs_permission function in fs/nfs/dir.c in the NFS client ...)
 	{DSA-1865-1 DSA-1844-1 DSA-1809-1}
 	- linux-2.6 2.6.30-1 
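Review bot: the "only for local users/mail and open homedirs" rationale from the removed [lenny]/[etch] lines is preserved in the new NOTE, so nothing is lost by the downgrade; the entry keeps <unfixed> and bug #526409, which is consistent with "unimportant" still being tracked for unstable.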
@@ -7658,9 +7655,7 @@
 CVE-2009-1564
 	RESERVED
 CVE-2009-1563 (Array index error in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x ...)
-	{DSA-1931-1}
-	- nspr 4.8-2
-	[etch] - nspr <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
+	NOTE: Tracked as CVE-2009-0689
 CVE-2009-1562
 	RESERVED
 CVE-2009-1561 (Cross-site request forgery (CSRF) vulnerability in administration.cgi ...)
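Review bot: CVE-2009-1563 now carries only "NOTE: Tracked as CVE-2009-0689" while the DSA-1931-1 and nspr lines move to CVE-2009-0689; since the CVE-2009-0689 entry already states that CVE-2009-1563 "will be marked REJECTED by MITRE", consider repeating that in this NOTE so a reader landing on CVE-2009-1563 sees both the redirect and the reason, e.g. "NOTE: Tracked as CVE-2009-0689 (CVE-2009-1563 to be REJECTED by MITRE)".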
@@ -11016,8 +11011,13 @@
 CVE-2009-0690 (The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for Foxit ...)
 	NOT-FOR-US: Foxit JPEG2000/JBIG2 Decoder add-on
 CVE-2009-0689 (The gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc in ...)
+	{DSA-1931-1}
+	- nspr 4.8-2
+	[etch] - nspr <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
 	- kdelibs <unfixed> (medium; bug #559265)
 	- kde4libs <unfixed> (medium; bug #559266)
+	TODO: check and merge with 2009-1563?
+	TODO: Someone posted a long list of dtoa embedded to debian-devel some time ago
 	NOTE: CVE-2009-1563 will be marked REJECTED by MITRE.
 	NOTE: http://securityreason.com/achievement_securityalert/74
 CVE-2009-0688 (Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 ...)
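Review bot: the added "TODO: check and merge with 2009-1563?" is already carried out by this very commit (the DSA-1931-1 and nspr lines were moved from CVE-2009-1563 into this entry and CVE-2009-1563 now points here), so the TODO is stale on arrival and should be dropped; the second TODO about the debian-devel list of embedded dtoa copies has no URL or date, so it would be more actionable with a pointer to the archived mail once found, and the kdelibs/kde4libs entries remaining <unfixed> at "medium" show why that list matters for this CVE.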
@@ -23003,7 +23003,7 @@
 	{DTSA-133-1}
 	- qemu 0.9.1-5
 	- kvm 66+dfsg-1.1 (bug #481204)
-	- xen-3 <unfixed> (bug #490409)
+	- xen-3 3.4.0-1 (bug #490409)
 	- xen-unstable <unfixed> (bug #490411)
 	- xen-3.0 <removed>
 CVE-2008-2003 (BadBlue 2.72 Personal Edition stores multiple programs in the web ...)
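Review bot: xen-3 is marked fixed in 3.4.0-1 while xen-unstable stays <unfixed> with bug #490411 in the unchanged context; if the fix also landed in xen-unstable, that line should be updated in the same commit, otherwise a short NOTE that xen-unstable is still pending would keep the "xen fixed" log line from being read as covering both packages.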
@@ -25082,12 +25082,7 @@
 	NOTE: you must be able to create pages in the same cookie domain, which seems
 	NOTE: rare and unwise. low priority.
 CVE-2008-1148 (A certain pseudo-random number generator (PRNG) algorithm that uses ...)
-	- kfreebsd-5 <removed>
-	[etch] - kfreebsd-5 <no-dsa> (KFreebsd not supported)
-	- kfreebsd-6 <unfixed>
-	[lenny] - kfreebsd-6 <no-dsa> (KFreebsd not supported)
-	- kfreebsd-7 <unfixed> (bug #483152)
-	[lenny] - kfreebsd-7 <no-dsa> (KFreebsd not supported)
+	NOT-FOR-US: OpenBSD / NetBSD
 CVE-2008-1147 (A certain pseudo-random number generator (PRNG) algorithm that uses ...)
 	- kfreebsd-5 <removed>
 	[etch] - kfreebsd-5 <no-dsa> (KFreebsd not supported)
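Review bot: the removed kfreebsd-7 line for CVE-2008-1148 referenced bug #483152, the same bug that the unchanged CVE-2008-1147 kfreebsd entries still cite; it is worth confirming that #483152 does not also list CVE-2008-1148, since otherwise the bug and the tracker would disagree on which CVEs affect kfreebsd-7 after this change.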
@@ -25096,12 +25091,7 @@
 	- kfreebsd-7 <unfixed> (bug #483152)
 	[lenny] - kfreebsd-7 <no-dsa> (KFreebsd not supported)
 CVE-2008-1146 (A certain pseudo-random number generator (PRNG) algorithm that uses ...)
-	- kfreebsd-5 <removed>
-	[etch] - kfreebsd-5 <no-dsa> (KFreebsd not supported)
-	- kfreebsd-6 <unfixed> (bug #483152)
-	[lenny] - kfreebsd-6 <no-dsa> (KFreebsd not supported)
-	- kfreebsd-7 <unfixed> (bug #483152)
-	[lenny] - kfreebsd-7 <no-dsa> (KFreebsd not supported)
+	NOT-FOR-US: OpenBSD
 CVE-2008-1144 (The Marvell driver for the Netgear WN802T Wi-Fi access point with ...)
 	NOT-FOR-US: Marvell driver for the Netgear WN802T Wi-Fi access point
 CVE-2008-1143
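Review bot: the two NOT-FOR-US rationales added in this commit differ, "OpenBSD / NetBSD" for CVE-2008-1148 versus "OpenBSD" for CVE-2008-1146; if the difference is deliberate (different affected upstreams per MITRE description) it is fine, otherwise harmonize the wording so the two entries do not look like one was edited in a hurry. CVE-2008-1147 keeps its kfreebsd entries in between, which matches the "two BSD issues NFU" log line.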
@@ -39253,7 +39243,7 @@
 	[lenny] - webcalendar <not-affected> (prototype.js not present)
 	- plone3 <unfixed> (low; bug #555274)
 	- wesnoth <not-affected> (fixed since initial inclusion)
-	- libhtml-prototype-perl <unfixed> (low; bug #558977)
+	- libhtml-prototype-perl 1.48-3 (low; bug #558977)
 	[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
 	[lenny] - libhtml-prototype-perl <no-dsa> (minor issue)
 	NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
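Review bot: this is the second CVE/list block for the prototype.js issue that records libhtml-prototype-perl 1.48-3, and both blocks now agree on version, severity and bug #558977; the embedded-code-copies change in the same commit uses the same version, so the three places stay consistent.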

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2009-12-03 12:51:46 UTC (rev 13439)
+++ data/DSA/list	2009-12-03 18:34:22 UTC (rev 13440)
@@ -54,7 +54,7 @@
 	{CVE-2009-3615}
 	[lenny] - pidgin 2.4.3-4lenny5
 [08 Nov 2009] DSA-1931-1 nspr - several vulnerabilities
-	{CVE-2009-1563 CVE-2009-2463}
+	{CVE-2009-2463 CVE-2009-0689}
 	[lenny] - nspr 4.7.1-5
 [07 Nov 2009] DSA-1930-1 drupal6 - several vulnerabilities
 	{CVE-2009-2372 CVE-2009-2373 CVE-2009-2374}
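Review bot: the replacement CVE set for DSA-1931-1 is written as {CVE-2009-2463 CVE-2009-0689}, whereas the neighbouring DSA-1930-1 entry lists its CVEs in ascending order; for consistency and easier grepping this should be {CVE-2009-0689 CVE-2009-2463}. The swap of CVE-2009-1563 for CVE-2009-0689 itself matches the CVE/list changes in this commit.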

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2009-12-03 12:51:46 UTC (rev 13439)
+++ data/embedded-code-copies	2009-12-03 18:34:22 UTC (rev 13440)
@@ -692,7 +692,7 @@
 	- passenger 2.2.5debian1-1 (embed; bug #555273)
 	- plone3 <unfixed> (embed; bug #555275)
 	- wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555277)
-	- libhtml-prototype-perl <unfixed> (embed; bug #538920)
+	- libhtml-prototype-perl 1.48-3 (embed; bug #538920)
 	- xulrunner <unfixed> (embed)
 	NOTE: included in iceweasel/xulrunner unit tests directory, so may not be security-relevant
 
@@ -785,6 +785,7 @@
 	- request-tracker3.8 <unfixed> (embed)
 	- rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package)
 	- wordpress 2.5.0-2 (embed)
+	- libhtml-prototype-perl 1.48-3 (embed)
 
 libmarkdown-php
 	- moodle <unfixed> (embed; bug #507185)
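Review bot: the newly added "libhtml-prototype-perl 1.48-3 (embed)" line carries no bug reference, unlike the entry for the same package updated in the previous hunk ("embed; bug #538920"); add the bug number here as well if it covers this copy, or note why it does not, so the two entries for the same package can be cross-checked.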
