[Secure-testing-commits] r13490 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Tue Dec 8 17:09:51 UTC 2009


Author: jmm-guest
Date: 2009-12-08 17:09:50 +0000 (Tue, 08 Dec 2009)
New Revision: 13490

Modified:
   data/CVE/list
   data/embedded-code-copies
   data/ospu-candidates.txt
   data/spu-candidates.txt
Log:
- updates on libtool code copies:
  * sbnc, dico and unixodbc use the system copy
  * hypre and babel fixed, but no-dsa for Lenny/Etch
- update poppler issue for code copies
- fix kfreebsd bug num
- new devil issue
- fix tracking for dstat


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-12-08 14:52:57 UTC (rev 13489)
+++ data/CVE/list	2009-12-08 17:09:50 UTC (rev 13490)
@@ -262,9 +262,10 @@
 CVE-2009-4082 (PHP remote file inclusion vulnerability in ...)
 	NOT-FOR-US: Outreach Project Tool
 CVE-2009-4081 (Untrusted search path vulnerability in dstat before r3199 allows local ...)
-	- dstat 0.7.0-1 (low; bug #559667)
-	[lenny] - dstat <no-dsa> (Minor issue)
-	[etch] - dstat <no-dsa> (Minor issue)
+	- dstat <not-affected> (Fixed/tracked as CVE-2009-3894)
+	NOTE: This second ID is about the same issue, but for an older version, see
+	NOTE: http://bugs.gentoo.org/show_bug.cgi?id=293497
+	NOTE: For Debian we'll just use CVE-2009-3894 and mark this one as not-affected
 CVE-2009-4080 (Multiple unspecified vulnerabilities in ldap_cachemgr (aka the LDAP ...)
 	NOT-FOR-US: ldap_cachemgr in Sun Solaris
 CVE-2009-4079 (Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and ...)
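Review bot: the removed dstat lines carried the bug reference (#559667) and the lenny/etch `<no-dsa>` states, and the replacement only says "Fixed/tracked as CVE-2009-3894"; please confirm the CVE-2009-3894 entry already records bug #559667 and the lenny/etch status, otherwise that tracking information is lost with this change. A NOTE line pointing at the bug from CVE-2009-3894 would make the cross-reference discoverable from both directions.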
@@ -489,8 +490,11 @@
 	RESERVED
 CVE-2009-3995
 	RESERVED
-CVE-2009-3994
+CVE-2009-3994 [devil buffer overflow]
 	RESERVED
+	- devil <unfixed> 
+	TODO: File bug
+	NOTE: http://secunia.com/secunia_research/2009-51/
 CVE-2009-3993
 	RESERVED
 CVE-2009-3992
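Review bot: the new `- devil <unfixed> ` line has trailing whitespace, and the entry carries neither a severity nor a bug number, unlike the other package lines in this file; the `TODO: File bug` line covers the bug, but a severity (the Secunia advisory is linked) would normally be set at the same time so the entry does not get skipped by severity-based triage.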
@@ -1127,7 +1131,6 @@
 	- collectd <unfixed> (medium; bug #559801)
 	- courier-authlib <unfixed> (medium; bug #559802)
 	- cvsnt <unfixed> (medium; bug #559803)
-	- dico <unfixed> (medium; bug #559804)
 	- ggobi <unfixed> (medium; bug #559806)
 	- glame <unfixed> (medium; bug #559807)
 	- gnash <unfixed> (medium; bug #559808)
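Review bot: dico is dropped from the CVE-2009-3736 entry entirely rather than being marked `<not-affected>` with a reason, which is how sbnc is handled later in this same change (`- sbnc <not-affected> (All released/unstable versions use the system copy of libtool)`) and how dico itself is handled in data/embedded-code-copies; keeping a `- dico <not-affected> (Uses the system copy of ltdl)` line preserves the record that the package was checked. The removed line also referenced bug #559804, which will need closing or a reply if it was filed on the assumption that dico embeds ltdl.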
@@ -1152,20 +1155,22 @@
 	- siproxd <unfixed> (medium; bug #559827)
 	- ski <unfixed> (medium; bug #559828)
 	- synfig <unfixed> (medium; bug #559829)
-	- unixodbc <unfixed> (medium; bug #559830)
 	- xmlsec1 <unfixed> (medium; bug #559831)
 	- clamav <unfixed> (medium; bug #559832)
 	- imagemagick <unfixed> (medium; bug #559833)
-	- hypre <unfixed> (medium; bug #559834)
+	- hypre 2.4.0b-5 (low; bug #559834)
+	[etch] - hypre <no-dsa> (Minor issue)
+	[lenny] - hypre <no-dsa> (Minor issue)
 	- lam <unfixed> (medium; bug #559835)
 	- openmpi <unfixed> (medium; bug #559836)
 	- parser <unfixed> (medium; bug #559837)
 	- pdsh <unfixed> (medium; bug #559838)
-	- sbnc <unfixed> (medium; bug #559839)
+	- sbnc <not-affected> (All released/unstable versions use the system copy of libtool)
 	- sdcc <unfixed> (medium; bug #559840)
 	- wml <unfixed> (medium; bug #559841)
 	- proftpd-dfsg <unfixed> (medium; bug #559842)
-	- babel <unfixed> (medium; bug #559843)
+	- babel 1.4.0.dfsg-5 (low; bug #559843)
+	[lenny] - babel <no-dsa> (Minor issue)
 	- libprelude <unfixed> (medium; bug #559844)
 	- heartbeat <unfixed> (medium; bug #559845)
 CVE-2009-3735
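Review bot: unixodbc is removed from the list here (its bug #559830 goes with it) while sbnc in the same hunk is kept as `<not-affected>` with an explanation; the two packages are described identically in the log ("use the system copy"), so they should be recorded the same way, and a `<not-affected>` line with the reason is the more informative of the two. Also note that hypre gets both `[etch]` and `[lenny]` `<no-dsa>` lines but babel only `[lenny]`; if babel is not in etch that is fine, but it is worth double-checking since the two fixes are otherwise handled in parallel.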
@@ -9341,6 +9346,9 @@
 CVE-2009-1188 (Integer overflow in the JBIG2 decoding feature in the ...)
 	- poppler 0.10.6-1 (medium; bug #524806)
 	[etch] - poppler <not-affected> (SplashBitmap code not present)
+	- xpdf <unfixed>
+	- kdegraphics 4:4.0
+	- swftools <unfixed>
 CVE-2009-1187 (Integer overflow in the JBIG2 decoding feature in Poppler before ...)
 	- poppler 0.10.6-1 (medium; bug #524806)
 CVE-2009-1186 (Buffer overflow in the util_path_encode function in ...)
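Review bot: the three new lines for xpdf, kdegraphics and swftools have no severity and no bug references, whereas the poppler line in the same entry reads `(medium; bug #524806)`; for the two `<unfixed>` packages a bug number (or a TODO to file one) is needed for the issue to be followed up, and the same severity would normally apply since it is the same JBIG2 integer overflow in copied code. The neighbouring CVE-2009-1187 is also a JBIG2 integer overflow in the same code and is left with only the poppler line; please confirm whether the code copies are affected by that ID as well.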
@@ -14046,7 +14054,7 @@
 CVE-2008-5737 (SQL injection vulnerability in index.php in Nodstrum MySQL Calendar ...)
 	NOT-FOR-US: Nodstrum MySQL Calendar
 CVE-2008-5736 (Multiple unspecified vulnerabilities in FreeBSD 6 before 6.4-STABLE, ...)
-	- kfreebsd-6 <unfixed>
+	- kfreebsd-6 <removed>
 	[lenny] - kfreebsd-6 <no-dsa> (KFreebsd not supported)
 	- kfreebsd-7 7.1-1
 	[lenny] - kfreebsd-7 <no-dsa> (KFreebsd not supported)
@@ -15649,7 +15657,7 @@
 CVE-2008-5163 (Multiple SQL injection vulnerabilities in The Rat CMS Pre-Alpha 2 ...)
 	NOT-FOR-US: The Rat CMS
 CVE-2008-5162 (The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does ...)
-	- kfreebsd-6 <unfixed>
+	- kfreebsd-6 <removed>
 	[lenny] - kfreebsd-6 <no-dsa> (KFreebsd not supported)
 	- kfreebsd-7 7.1-1
 	[lenny] - kfreebsd-7 7.0-7lenny1
@@ -25321,9 +25329,9 @@
 CVE-2008-1147 (A certain pseudo-random number generator (PRNG) algorithm that uses ...)
 	- kfreebsd-5 <removed>
 	[etch] - kfreebsd-5 <no-dsa> (KFreebsd not supported)
-	- kfreebsd-6 <unfixed>
+	- kfreebsd-6 <removed>
 	[lenny] - kfreebsd-6 <no-dsa> (KFreebsd not supported)
-	- kfreebsd-7 <unfixed> (bug #483152)
+	- kfreebsd-7 <unfixed> (bug #559107)
 	[lenny] - kfreebsd-7 <no-dsa> (KFreebsd not supported)
 CVE-2008-1146 (A certain pseudo-random number generator (PRNG) algorithm that uses ...)
 	NOT-FOR-US: OpenBSD
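Review bot: the kfreebsd-7 bug reference changes from #483152 to #559107 without a NOTE explaining the swap; if #483152 was closed, merged or reassigned, a one-line NOTE would save the next person from re-checking both bugs. The kfreebsd-6 `<unfixed>` to `<removed>` change is applied consistently across this and the two preceding hunks.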

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2009-12-08 14:52:57 UTC (rev 13489)
+++ data/embedded-code-copies	2009-12-08 17:09:50 UTC (rev 13490)
@@ -1531,7 +1531,7 @@
 	- collectd <unfixed> (embed)
 	- courier-authlib <unfixed> (embed)
 	- cvsnt <unfixed> (embed)
-	- dico <unfixed> (embed)
+	- dico <not-affected> (Uses the system copy of ltdl)
 	- freeradius 0.1+20010527-1 (embed)
         NOTE: Earliest reference I could find from the changelog is from 27 May 2001
 	- ggobi <unfixed> (embed)
@@ -1558,20 +1558,20 @@
 	- siproxd <unfixed> (embed)
 	- ski <unfixed> (embed)
 	- synfig <unfixed> (embed)
-	- unixodbc <unfixed> (embed)
+	- unixodbc 2.2.4-5 (embed)
 	- xmlsec1 <unfixed> (embed)
 	- clamav <unfixed> (embed)
 	- imagemagick <unfixed> (embed)
-	- hypre <unfixed> (embed)
+	- hypre 2.4.0b-5 (embed)
 	- lam <unfixed> (embed)
 	- openmpi <unfixed> (embed)
 	- parser <unfixed> (embed)
 	- pdsh <unfixed> (embed)
-	- sbnc <unfixed> (embed)
+	- sbnc 1.2-8 (embed)
 	- sdcc <unfixed> (embed)
 	- wml <unfixed> (embed)
 	- proftpd-dfsg <unfixed> (embed)
-	- babel <unfixed> (embed)
+	- babel 1.4.0.dfsg-5 (embed)
 	- libprelude <unfixed> (embed)
 	- heartbeat <unknown> (embed)
 	- gcc-* <unknown> (embed)
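Review bot: sbnc is recorded here as fixed in `1.2-8 (embed)`, but the matching data/CVE/list change in this same commit says "All released/unstable versions use the system copy of libtool", which is the not-affected case rather than a fixed-in version; the dico line in the previous hunk uses `<not-affected> (Uses the system copy of ltdl)` for exactly this situation, and sbnc (and unixodbc, given the log message) should be marked the same way so the two files do not disagree about whether a code copy ever shipped.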

Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt	2009-12-08 14:52:57 UTC (rev 13489)
+++ data/ospu-candidates.txt	2009-12-08 17:09:50 UTC (rev 13490)
@@ -334,6 +334,11 @@
 
 --
 
+hypre (CVE-2009-3736)
+#559834
+
+--
+
 ipsec-tools (CVE-2008-3651)
 http://sourceforge.net/mailarchive/forum.php?thread_name=48a0c7a0.qPeWZAE0PY8bDDq%2B%25olel%40ans.pl&forum_name=ipsec-tools-devel
 notified maintainer
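Review bot: the new hypre entry lists the CVE and the bug number but no status line, while the surrounding entries record one (e.g. `notified maintainer`); if the maintainer has not been contacted yet, stating that explicitly avoids the entry being read as already in progress.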

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2009-12-08 14:52:57 UTC (rev 13489)
+++ data/spu-candidates.txt	2009-12-08 17:09:50 UTC (rev 13490)
@@ -27,6 +27,11 @@
 
 --
 
+babel (CVE-2009-3736)
+#559843
+
+--
+
 backuppc (CVE-2009-3369)
 #542218
 notified maintainer
@@ -114,6 +119,11 @@
 
 --
 
+hypre (CVE-2009-3736)
+#559834
+
+--
+
 kde4libs (CVE-2009-2702)
 #546218
 notified maintainer
