[Secure-testing-commits] r13534 - in data: . CVE

Michael Gilbert gilbert-guest at alioth.debian.org
Sun Dec 13 00:42:50 UTC 2009


Author: gilbert-guest
Date: 2009-12-13 00:42:49 +0000 (Sun, 13 Dec 2009)
New Revision: 13534

Modified:
   data/CVE/list
   data/embedded-code-copies
Log:
recent non-numbered issues, libtool, and various other updates

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-12-13 00:30:18 UTC (rev 13533)
+++ data/CVE/list	2009-12-13 00:42:49 UTC (rev 13534)
@@ -2,6 +2,23 @@
 	- gif2png 2.5.2-1 (low; bug #550978)
 	[etch] - gif2png <no-dsa> (minor issue)
 	[lenny] - gif2png <no-dsa> (minor issue)
+CVE-2009-XXXX [browser-based css info disclosure]
+	- xulrunner <unfixed> (low; bug #560108)
+	- webkit <unfixed> (low; bug #560870)
+	- kazehakase <unfixed> (low; bug #560871)
+	- epiphany-browser <unfixed> (low; bug #560872)
+	- galeon <unfixed> (low; bug #560873)
+	- dillo <unfixed> (low; bug #560874)
+CVE-2009-XXXX [xpat2: save game permissions issue]
+	- xpat2 <unfixed> (unimportant; bug #560087)
+CVE-2009-XXXX [network-manager-gnome: wpa2 authentication issue]
+	- network-manager-gnome <unfixed> (low; bug #560067)
+CVE-2009-XXXX [unsafe xfs]
+	- xfs <unfixed> (low; bug #521107)
+	[etch] - xfs <no-dsa> (minor issue)
+	[lenny] - xfs <no-dsa> (minor issue)
+CVE-2009-XXXX [xserver-xorg: inherits user's mask]
+	- xserver-xorg 2:1.7.2-1 (low; bug #555308)
 CVE-2009-4296
 	NOT-FOR-US: Taxonomy Timer module for Drupal
 CVE-2009-4295
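Review bot: of the five new CVE-2009-XXXX entries only xfs carries [etch]/[lenny] lines, so stable and oldstable status for the others is derived from the unstable state; this matters most for xserver-xorg, which now has a fixed version 2:1.7.2-1 and will therefore show etch and lenny as vulnerable unless `[etch] - xserver-xorg <no-dsa> (minor issue)` and the matching `[lenny]` line are added, as done for gif2png and xfs in this same hunk. The browser-based CSS entry also lacks a NOTE saying whether kazehakase, epiphany-browser and galeon are affected in their own right or only through the xulrunner/webkit engine they embed; the bookmark entry near line 43016 of this file records that distinction with `NOTE: only epiphany-gecko backend affected`, and the same treatment here would let the engine fix be propagated instead of tracking six packages independently.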
@@ -1340,7 +1357,7 @@
 CVE-2009-3736 (ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, ...)
 	- libtool 2.2.6b-1 (low; bug #559797)
 	- arts <unfixed> (low; bug #559798)
-	- bochs <unfixed> (low; bug #559799)
+	- bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799)
 	- camserv <unfixed> (low; bug #559800)
 	- collectd <unfixed> (low; bug #559801)
 	- courier-authlib <unfixed> (low; bug #559802)
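Review bot: the <not-affected> justification for bochs, "additional hardening in this package prevents this type of attack", does not name the hardening, so a later reviewer cannot re-verify it; the companion change to data/embedded-code-copies in this commit still records bochs as embedding libtool <unfixed> (with a new bug #560884), so the embedded copy is evidently still present. State the concrete measure in the parenthetical or a NOTE line, e.g. `NOTE: <measure> makes the ltdl search path issue non-exploitable in bochs`, rather than the generic "additional hardening".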
@@ -1350,21 +1367,22 @@
 	- gnash <unfixed> (low; bug #559808)
 	- gnu-smalltalk <unfixed> (low; bug #559809)
 	- google-gadgets <unfixed> (low; bug #559810)
-	- graphicsmagick <unfixed> (low; bug #559811)
+	- graphicsmagick 1.3.5-6 (low; bug #559811)
 	- graphviz <unfixed> (low; bug #559812)
 	- guile-1.6 <unfixed> (low; bug #559813)
 	- hamlib <unfixed> (low; bug #559814)
 	- hercules <unfixed> (low; bug #559815)
-	- jags <unfixed> (low; bug #559816)
+	- jags 1.0.4-1 (low; bug #559816)
 	- kdelibs <unfixed> (low; bug #559817)
 	- libannodex <removed> (low; bug #559818)
 	- libextractor <unfixed> (low; bug #559819)
-	- libmcrypt <unfixed> (low; bug #559820)
+	- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
 	- libtunepimp <unfixed> (low; bug #559821)
 	- mp4h <unfixed> (low; bug #559822)
 	- naim <unfixed> (low; bug #559823)
 	- parser-mysql <unfixed> (low; bug #559824)
 	- pinball <unfixed> (low; bug #559825)
+	TODO: insufficient solution: only added depends libltdl-dev?
 	- redland <unfixed> (low; bug #559826)
 	[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
 	[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
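Review bot: the new TODO line "insufficient solution: only added depends libltdl-dev?" attaches to the preceding pinball entry, which is still <unfixed>, so there is no recorded pinball upload for the TODO to refer to. If a pinball version that only added the libltdl-dev dependency exists, record it on the pinball line (or in a NOTE) so the doubt has a referent; if the remark is actually about redland, move it below the redland lines.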
@@ -1386,6 +1404,7 @@
 	- wml <unfixed> (low; bug #559841)
 	- proftpd-dfsg <unfixed> (low; bug #559842)
 	- babel 1.4.0.dfsg-5 (low; bug #559843)
+	TODO: insufficient solution: only added depends libltdl-dev?
 	[lenny] - babel <no-dsa> (Minor issue)
 	- libprelude <unfixed> (low; bug #559844)
 	- heartbeat <unfixed> (low; bug #559845)
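Review bot: babel keeps the fixed version 1.4.0.dfsg-5 while the TODO directly beneath it questions whether that upload is a sufficient fix; a fixed version closes the issue for unstable in the tracker, so either revert babel to <unfixed> until the fix is verified, or resolve the TODO into a NOTE stating why adding the libltdl-dev dependency is enough. The TODO also splits the entry between its main line and the `[lenny] - babel <no-dsa>` line; placing it after the [lenny] line keeps the suite lines together as elsewhere in this file.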
@@ -43016,6 +43035,8 @@
 	NOTE: only epiphany-gecko backend affected
 	- galeon <unfixed> (unimportant; bug #556270)
 	- kazehakase 0.5.8-2 (unimportant; bug #556271)
+	TODO: next point release: [etch] - kazehakase 0.4.2-1etch2
+	TODO: next point release: [lenny] - kazehakase 0.5.4-2lenny1
 	- conkeror <not-affected> (doesn't support bookmarks)
 	- webkit <not-affected> (doesn't support javascript embedded in bookmarks)
 CVE-2007-1083 (Buffer overflow in the Configuration Checker (ConfigChk) ActiveX ...)
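Review bot: the two TODO lines record the pending point-release versions 0.4.2-1etch2 and 0.5.4-2lenny1, but until they become real `[etch] - kazehakase 0.4.2-1etch2` / `[lenny] - kazehakase 0.5.4-2lenny1` lines both suites are derived from the unstable fix 0.5.8-2 and show as vulnerable. That is tolerable for an unimportant-severity issue, but an interim `<no-dsa>` line for each suite carrying the same point-release remark would make the intent visible in the tracker output rather than only in this source file.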

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2009-12-13 00:30:18 UTC (rev 13533)
+++ data/embedded-code-copies	2009-12-13 00:42:49 UTC (rev 13534)
@@ -657,7 +657,7 @@
 	NOTE: the kvm package will be removed from sid and squeeze soon (after
 	NOTE: which it will only be in experimental). superceded by qemu-kvm.
 	- qemu-kvm <unfixed> (embed; bug #560853)
-	- xen-3 <unfixed> (embed; bug #560856)
+	- xen-3 3.4.2-2 (embed; bug #560856)
 	- xen-unstable <unfixed> (embed; bug #560856)
 
 vgabios
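Review bot: xen-3 3.4.2-2 and xen-unstable <unfixed> both reference bug #560856; once the xen-3 upload closes that bug, the xen-unstable entry will point at a closed report with nothing tracking its embedded copy. Either reference a separate bug for xen-unstable or add a NOTE that #560856 deliberately covers both source packages.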
@@ -828,7 +828,7 @@
 	NOTE: maintainer says there are extra incompatible changes required
 	- pixelpost 1.7.1-6 (embed)
 	- webhelpers <unfixed> (embed)
-	- qwik <unfixed> (embed; bug #555241)
+	- qwik <removed> (embed; bug #555241)
 	- smokeping <unfixed> (embed)
 	- turba2 <unfixed> (embed)
 	- typo3-src 4.2.3-1 (embed)
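Review bot: qwik moves to <removed> but still references bug #555241; if the package left the archive the bug should be closed with the removal, and if it is being kept open in case of reintroduction a NOTE saying so would explain why a removed package still carries an open bug reference.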
@@ -1439,7 +1439,7 @@
 	- bcfg2 <not-affected> (present in source but not included in any binary files)
 	- serendipity <unfixed> (embed; bug #557746)
 	- moodle 1.8.2.dfsg-5 (embed)
-	- jifty <unfixed> (embed; bug #557748)
+	- jifty 0.91117-1 (embed; bug #557748)
 	- webgui 7.7.26-1 (embed)
 	- loggerhead 1.17-1 (embed)
 
@@ -1531,7 +1531,7 @@
 	- apr <unfixed> (static; bug #489625)
 	NOTE: ships copy of libtool in libapr1-dev; was 'embed' before 1.3.2-3
 	- arts <unfixed> (embed)
-	- bochs <unfixed> (embed)
+	- bochs <unfixed> (embed; bug #560884)
 	- camserv <unfixed> (embed)
 	- collectd <unfixed> (embed)
 	- courier-authlib <unfixed> (embed)
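Review bot: bochs gains bug #560884 here as an <unfixed> embedded libtool copy, while the CVE-2009-3736 entry in data/CVE/list in this same commit marks bochs <not-affected>; the two are only compatible if the embedded copy is still shipped but not exploitable. Add a NOTE line cross-referencing that rationale, in the style of the apr entry above (`NOTE: ships copy of libtool in libapr1-dev; ...`), so the two files do not read as contradicting each other.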
@@ -1544,16 +1544,16 @@
 	- gnash <unfixed> (embed)
 	- gnu-smalltalk <unfixed> (embed)
 	- google-gadgets <unfixed> (embed)
-	- graphicsmagick <unfixed> (embed)
+	- graphicsmagick 1.3.5-6 (embed)
 	- graphviz <unfixed> (embed)
 	- guile-1.6 <unfixed> (embed)
 	- hamlib <unfixed> (embed)
 	- hercules <unfixed> (embed)
-	- jags <unfixed> (embed)
+	- jags <unfixed> (embed; bug #560864)
 	- kdelibs <unfixed> (embed)
 	- libannodex <removed> (embed)
 	- libextractor <unfixed> (embed)
-	- libmcrypt <unfixed> (embed)
+	- libmcrypt <not-affected> (libtool source present but not included in any of the binary packages)
 	- libtunepimp <unfixed> (embed)
 	- mp4h <unfixed> (embed)
 	- naim <unfixed> (embed)
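Review bot: jags is given bug #560864 and stays <unfixed> here, but data/CVE/list in this commit records jags 1.0.4-1 as fixing CVE-2009-3736. If 1.0.4-1 switched to the system libltdl, the embedded copy should be marked fixed in 1.0.4-1 here, exactly as graphicsmagick 1.3.5-6 is recorded in both files in this commit; if 1.0.4-1 only patched the embedded copy, a NOTE saying so belongs on this entry so the remaining <unfixed> state is understood. The libmcrypt <not-affected> change, by contrast, is stated consistently in both files.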
@@ -1569,9 +1569,9 @@
 	- imagemagick <unfixed> (embed)
 	- hypre 2.4.0b-5 (embed)
 	- lam <unfixed> (embed)
-	- openmpi <unfixed> (embed)
+	- openmpi <unfixable> (embed; bug #559386)
 	- parser <unfixed> (embed)
-	- pdsh <unfixed> (embed)
+	- pdsh <unfixed> (embed; bug #560892)
 	- sbnc 1.2-8 (embed)
 	- sdcc <unfixed> (embed)
 	- wml <unfixed> (embed)
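Review bot: openmpi is set to <unfixable> with no justification; every other terminal state in this file carries a reason (libmcrypt's "libtool source present but not included in any of the binary packages", bcfg2's "present in source but not included in any binary files"), and <unfixable> is the one state nobody will revisit automatically. Put the reason (what in bug #559386 prevents replacing the embedded libtool) in the parenthetical or a NOTE line so the decision can be re-evaluated when openmpi is updated.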
