[Secure-testing-commits] r13472 - in data: . CVE
Michael Gilbert
gilbert-guest at alioth.debian.org
Mon Dec 7 02:24:47 UTC 2009
Author: gilbert-guest
Date: 2009-12-07 02:24:47 +0000 (Mon, 07 Dec 2009)
New Revision: 13472
Modified:
data/CVE/list
data/embedded-code-copies
Log:
info for jasper, ghostscript, and vlc issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-12-07 02:24:37 UTC (rev 13471)
+++ data/CVE/list 2009-12-07 02:24:47 UTC (rev 13472)
@@ -17001,7 +17001,8 @@
NOT-FOR-US: Flash plugin
CVE-2008-4558 (Array index error in VLC media player 0.9.2 allows remote attackers to ...)
- vlc <not-affected> (medium; bug #502314)
- TODO: only 0.9.0->0.9.2 are affected, check if newer upstream version is uploaded to unstable
+ NOTE: claimed fix since 0.9.3, and i have verified that 1.0.3 (currently in
+ NOTE: unstable) has the patch applied
CVE-2008-4545 (Cisco Unity 4.x before 4.2(1)ES161, 5.x before 5.0(1)ES53, and 7.x ...)
NOT-FOR-US: Cisco
CVE-2008-4544 (Unspecified vulnerability in an unspecified Microsoft API, as used by ...)
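Review bot: the vlc status line still reads `<not-affected>` while the new NOTE describes a fix that landed in 0.9.3 and was verified present in 1.0.3; if an affected 0.9.0-0.9.2 build was ever uploaded to Debian, the entry should record the fixed version rather than not-affected, and if it was not, the NOTE should say that explicitly so the not-affected status stays justified. Minor: capitalise "i" in "i have verified".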
@@ -19615,13 +19616,15 @@
RESERVED
CVE-2008-3522 (Buffer overflow in the jas_stream_printf function in ...)
- jasper 1.900.1-5.1 (medium; bug #501021)
- TODO: determine whether netpbm affected (see mandriva announcement http://seclists.org/fulldisclosure/2009/Jun/0270.html)
+ - ghostscript <unfixed> (medium; bug #559778)
+ - netpbm <not-affected> (dynamically links to ghostscript if available)
CVE-2008-3521 (Race condition in the jas_stream_tmpfile function in ...)
- jasper 1.900.1-5.1 (unimportant; bug #501021)
NOTE: file is opened with O_EXCL even if tmpnam is used in this case
CVE-2008-3520 (Multiple integer overflows in JasPer 1.900.1 might allow ...)
- jasper 1.900.1-5.1 (medium; bug #501021)
- TODO: determine whether netpbm affected (see mandriva announcement http://seclists.org/fulldisclosure/2009/Jun/0270.html)
+ - ghostscript <unfixed> (medium; bug #559778)
+ - netpbm <not-affected> (dynamically links to ghostscript if available)
CVE-2008-3519 (The default configuration of the JBossAs component in Red Hat JBoss ...)
- jbossas4 <not-affected> (configuration not yet included in Debian package)
CVE-2008-3518
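Review bot: the removed TODO lines carried the only reference to the Mandriva announcement (http://seclists.org/fulldisclosure/2009/Jun/0270.html) that prompted the ghostscript and netpbm assessment; consider keeping that URL as a NOTE: line under CVE-2008-3522 and CVE-2008-3520 so the basis for the `ghostscript <unfixed>` and `netpbm <not-affected>` lines remains traceable. The netpbm rationale "dynamically links to ghostscript if available" is stated in the status parenthesis, which is fine, but it should also be reflected in data/embedded-code-copies if netpbm was previously listed as embedding jasper.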
@@ -20484,11 +20487,9 @@
CVE-2008-3134 (Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4 ...)
{DSA-1903-1}
- graphicsmagick 1.2.4-1 (unimportant; bug #491439)
+ - imagemagick <unfixed> (unimportant; bug #559775)
NOTE: several DoS fixed in 1.2.4 according to upstream
NOTE: http://sourceforge.net/project/shownotes.php?release_id=610253
- TODO: check imagemagick
- NOTE: *magick don't really meet the robustness/quality criteria to treat such crashes as
- NOTE: security issues
CVE-2008-3133 (SQL injection vulnerability in admin/index.php in BareNuked CMS 1.1.0, ...)
NOT-FOR-US: BareNuked CMS
CVE-2008-3132 (SQL injection vulnerability in the beamospetition (com_beamospetition) ...)
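Review bot: dropping the two NOTE lines ("*magick don't really meet the robustness/quality criteria to treat such crashes as security issues") removes the stated rationale for the `unimportant` severity, which now applies to both the graphicsmagick and the newly added imagemagick line without explanation; keep that NOTE so the severity decision is documented alongside bug #559775.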
Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies 2009-12-07 02:24:37 UTC (rev 13471)
+++ data/embedded-code-copies 2009-12-07 02:24:47 UTC (rev 13472)
@@ -521,8 +521,8 @@
- krb5 <unfixed> (embed)
jasper
- - ghostscript <unfixed> (embed)
- - gs-gpl <unfixed> (embed)
+ - ghostscript 8.70~dfsg-2+b1 (embed)
+ - ghostscript <unfixed> (static)
libiris
- psi <unfixed> (embed)
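Review bot: the replacement `ghostscript 8.70~dfsg-2+b1 (embed)` uses a binNMU version (+b1), which is a binary-only rebuild and cannot change whether the source embeds a jasper copy; if the embedded copy was dropped at the source level the version should be 8.70~dfsg-2, and if the point is instead that the binNMU rebuilt against the system jasper, that belongs on the `(static)` line, which this hunk still marks `<unfixed>`. Also note the gs-gpl line is removed without a replacement; if gs-gpl is still in the archive it should keep an entry.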