[Secure-testing-commits] r13557 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Tue Dec 15 18:53:59 UTC 2009
Author: jmm-guest
Date: 2009-12-15 18:53:59 +0000 (Tue, 15 Dec 2009)
New Revision: 13557
Modified:
data/CVE/list
data/embedded-code-copies
data/ospu-candidates.txt
data/spu-candidates.txt
Log:
* updates on libtool issues
* xfig fixed
* zoph fixed
* liboggplay fixed
* update fixed version for firefox-sage
* wxwidgets code copies of expat fixed
* ayttm/expat fixed
* start readjusting some of the expat issue, calling most of
them security issues is stretching things too far
* fix acpid entry
* xen fixed
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-12-15 14:38:18 UTC (rev 13556)
+++ data/CVE/list 2009-12-15 18:53:59 UTC (rev 13557)
@@ -229,9 +229,7 @@
CVE-2009-4236 (The process function in ...)
NOT-FOR-US: EC-CUBE
CVE-2009-4235 (acpid 1.0.4 sets an unrestrictive umask, which might allow local users ...)
- [etch] - acpid <unfixed> (low; bug #560771)
- [lenny] - acpid <not-affected> (only logs to syslog)
- - acpid <not-affected> (only logs to syslog)
+ - acpid 1.0.6 (low; bug #560771)
NOTE: all versions set umask(0), might be worth double-checking what it opens
CVE-2009-4234 (Cross-site scripting (XSS) vulnerability in ...)
NOT-FOR-US: Micronet Network Access Controller
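Review bot: Dropping the per-release lines means etch and lenny now inherit the unfixed state from the unified "acpid 1.0.6" line, which contradicts the removed "[lenny] - acpid <not-affected> (only logs to syslog)" unless that assessment was wrong. The NOTE still reads "might be worth double-checking what it opens", so if the umask(0) issue was confirmed to affect the lenny version, record that in the NOTE; if it was not confirmed, keep the not-affected line rather than silently flipping lenny to vulnerable.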
@@ -251,11 +249,13 @@
NOT-FOR-US: PestPatrol
CVE-2009-4228 (Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and ...)
- xfig <unfixed>
- TODO: check
+ [lenny] - xfig <no-dsa> (Minor issue)
+ [etch] - xfig <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=543905
CVE-2009-4227 (Stack-based buffer overflow in the read_1_3_textobject function in ...)
- - xfig 1:3.2.5.b-1 (bug #559274)
- TODO: check
+ - xfig 1:3.2.5.b-1 (low; bug #559274)
+ [lenny] - xfig <no-dsa> (Minor issue)
+ [etch] - xfig <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=543905
CVE-2009-XXXX [polipo crash/DoS via overly-large content-length header]
- polipo <unfixed> (medium; bug #560779)
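Review bot: The CVE-2009-4228 entry keeps "xfig <unfixed>" with no severity and no bug reference, while its sibling CVE-2009-4227 now reads "(low; bug #559274)". The candidates files in this same commit list both CVEs against #559274, so the 4228 line should carry the same "(low; bug #559274)" annotation (or a separate bug if 4228 is tracked elsewhere); otherwise the unfixed entry has nothing linking it to the pending fix.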
@@ -520,7 +520,7 @@
CVE-2009-4103 (Buffer overflow in Robo-FTP 3.6.17, and possibly other versions, ...)
NOT-FOR-US: Robo-FTP
CVE-2009-4102 (Sage 1.4.3 and earlier extension for Firefox performs certain ...)
- - firefox-sage 1.4.3-3 (medium; bug #559267)
+ - firefox-sage 1.4.3-4 (medium; bug #559267)
CVE-2009-4101 (infoRSS 1.1.4.2 and earlier extension for Firefox performs certain ...)
NOT-FOR-US: infoRSS extension for Firefox
CVE-2009-4100 (Yoono extension before 6.1.1 for Firefox performs certain operations ...)
@@ -1461,6 +1461,8 @@
- gnu-smalltalk <unfixed> (low; bug #559809)
- google-gadgets <unfixed> (low; bug #559810)
- graphicsmagick 1.3.5-6 (low; bug #559811)
+ [lenny] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
+ [etch] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
- graphviz <unfixed> (low; bug #559812)
- guile-1.6 <unfixed> (low; bug #559813)
- hamlib <unfixed> (low; bug #559814)
@@ -1500,7 +1502,10 @@
TODO: insufficient solution: only added depends libltdl-dev?
[lenny] - babel <no-dsa> (Minor issue)
- libprelude <unfixed> (low; bug #559844)
- - heartbeat <unfixed> (low; bug #559845)
+ - heartbeat 2.1.4-7 (unimportant; bug #559845)
+ NOTE: the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
+ NOTE: From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
+ NOTE: might've been fixed earlier
CVE-2009-3735
RESERVED
CVE-2009-3734
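Review bot: The heartbeat entry now records 2.1.4-7 as the fixed version, but the NOTE two lines down admits it "might've been fixed earlier". A fixed-version field is read as the first fixed upload, so either confirm it from the changelog or word the NOTE as an upper bound ("fixed no later than 2.1.4-7"). The NOTE is also split mid-sentence across two lines ("...from Squeeze," / "might've been fixed earlier") and "use the current version from Squeeze" reads as an instruction rather than a fact; one NOTE line such as "NOTE: Squeeze onwards uses the system libltdl; fix may predate 2.1.4-7" would be clearer.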
@@ -1569,10 +1574,10 @@
- python-4suite <unfixed> (low; bug #560914)
- wxwindows2.4 <removed> (low; bug #560915)
[etch] - wxwindows2.4 <no-dsa> (minor issue)
- - wxwidgets2.6 <unfixed> (low; bug #560916)
+ - wxwidgets2.6 2.6.3.2.2-4 (low; bug #560916)
[etch] - wxwidgets2.6 <no-dsa> (minor issue)
[lenny] - wxwidgets2.6 <no-dsa> (minor issue)
- - wxwidgets2.8 <unfixed> (low; bug #560917)
+ - wxwidgets2.8 2.8.10.1-2 (low; bug #560917)
[lenny] - wxwidgets2.8 <no-dsa> (minor issue)
- celementtree <unfixed> (low; bug #560918)
[etch] - celementtree <no-dsa> (minor issue)
@@ -1580,9 +1585,7 @@
- audacity <unfixed> (low; bug #560919)
[etch] - audacity <no-dsa> (minor issue)
[lenny] - audacity <no-dsa> (minor issue)
- - matanza <unfixed> (low; bug #560920)
- [etch] - matanza <no-dsa> (minor issue)
- [lenny] - matanza <no-dsa> (minor issue)
+ - matanza <unfixed> (unimportant; bug #560920)
- tdom <unfixed> (low; bug #560921)
[etch] - tdom <no-dsa> (minor issue)
[lenny] - tdom <no-dsa> (minor issue)
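Review bot: matanza goes from "low" with etch/lenny no-dsa lines to "unimportant" with no NOTE giving the reason; the only rationale is in the commit message ("calling most of them security issues is stretching things too far"), which is not visible in the tracker. Add a NOTE line with the actual reasoning (for example whether the embedded expat copy ever sees untrusted input), as was done for heartbeat in the hunk above.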
@@ -1591,38 +1594,22 @@
- ayttm 0.6.1-2 (low; bug #560924)
[etch] - ayttm <no-dsa> (minor issue)
[lenny] - ayttm <no-dsa> (minor issue)
- - cableswig <unfixed> (low; bug #560925)
- [etch] - cableswig <no-dsa> (minor issue)
- [lenny] - cableswig <no-dsa> (minor issue)
- - cadaver <unfixed> (low; bug #560926)
- [etch] - cadaver <no-dsa> (minor issue)
- [lenny] - cadaver <no-dsa> (minor issue)
- - cmake 2.6.0-6 (low; bug #560927)
- [etch] - cmake <no-dsa> (minor issue)
+ - cableswig <unfixed> (unimportant; bug #560925)
+ - cadaver <unfixed> (unimportant; bug #560926)
+ - cmake 2.6.0-6 (unimportant; bug #560927)
- coin3 <unfixed> (low; bug #560928)
- gdcm 2.0.14-2 (low; bug #560929)
- - ghostscript <unfixed> (low; bug #560930)
- [lenny] - ghostscript <no-dsa> (minor issue)
- - grmonitor <unfixed> (low; bug #560931)
- [etch] - grmonitor <no-dsa> (minor issue)
- [lenny] - grmonitor <no-dsa> (minor issue)
- - iceape <unfixed> (low; bug #560932)
- [etch] - iceape <no-dsa> (minor issue)
- [lenny] - iceape <no-dsa> (minor issue)
+ - ghostscript <unfixed> (unimportant; bug #560930)
+ - grmonitor <unfixed> (unimportant; bug #560931)
+ - iceape <unfixed> (unimportant; bug #560932)
- insighttoolkit <unfixed> (low; bug #560933)
[lenny] - insighttoolkit <no-dsa> (minor issue)
- - libparagui1.1 <unfixed> (low; bug #560934)
- [lenny] - libparagui1.1 <no-dsa> (minor issue)
- - paraview <unfixed> (low; bug #560935)
- [lenny] - paraview <no-dsa> (minor issue)
+ - libparagui1.1 <unfixed> (unimportant; bug #560934)
+ - paraview <unfixed> (unimportant; bug #560935)
- poco <unfixed> (low; bug #560936)
[lenny] - poco <no-dsa> (minor issue)
- - simgear <unfixed> (low; bug #560937)
- [etch] - simgear <no-dsa> (minor issue)
- [lenny] - simgear <no-dsa> (minor issue)
- - sitecopy <unfixed> (low; bug #560938)
- [etch] - sitecopy <no-dsa> (minor issue)
- [lenny] - sitecopy <no-dsa> (minor issue)
+ - simgear <unfixed> (unimportant; bug #560937)
+ - sitecopy <unfixed> (unimportant; bug #560938)
- smart <unfixed> (low; bug #560953)
[etch] - smart <no-dsa> (minor issue)
[lenny] - smart <no-dsa> (minor issue)
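Review bot: The reassessment criterion is not consistent within the hunk: cmake (2.6.0-6) is downgraded to unimportant while gdcm (2.0.14-2), which also has a fixed version, stays low, and coin3, insighttoolkit, poco and smart keep their low/no-dsa lines. If the distinction is that the packages left at "low" parse untrusted XML with the embedded expat, one NOTE stating that criterion would let the next person apply it to the rest of the list instead of guessing.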
@@ -1641,18 +1628,12 @@
- xmlrpc-c <unfixed> (low; bug #560942)
[etch] - xmlrpc-c <no-dsa> (minor issue)
[lenny] - xmlrpc-c <no-dsa> (minor issue)
- - iceweasel <unfixed> (low; bug #560943)
- [etch] - iceweasel <no-dsa> (minor issue)
- [lenny] - iceweasel <no-dsa> (minor issue)
- - kompozer 1:0.8~b1-2 (low; bug #560944)
- - vxl <unfixed> (low; bug #560945)
- - xulrunner <unfixed> (low; bug #560946)
- [etch] - xulrunner <no-dsa> (minor issue)
- [lenny] - xulrunner <no-dsa> (minor issue)
+ - iceweasel <unfixed> (unimportant; bug #560943)
+ - kompozer 1:0.8~b1-2 (unimportant; bug #560944)
+ - vxl 1.13.0-2 (low; bug #560945)
+ - xulrunner <unfixed> (unimportant; bug #560946)
- apache2 <not-affected> (links to system expat)
- - texlive-bin <unfixed> (low; bug #560948)
- [etch] - texlive-bin <no-dsa> (minor issue)
- [lenny] - texlive-bin <no-dsa> (minor issue)
+ - texlive-bin <unfixed> (unimportant; bug #560948)
- vnc4 <unfixed> (low; bug #560951)
[etch] - vnc4 <no-dsa> (minor issue)
[lenny] - vnc4 <no-dsa> (minor issue)
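Review bot: texlive-bin is marked unimportant here, but data/embedded-code-copies in this same commit flags it as "[included twice]"; the entry (or a NOTE) should say that both embedded copies were examined. vxl gains the fixed version 1.13.0-2 but keeps "low" while the neighbouring iceweasel/kompozer/xulrunner lines are reassessed to unimportant; if that is deliberate a short NOTE would save it being "fixed" later.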
@@ -2099,10 +2080,10 @@
- python-4suite <unfixed> (low; bug #560914)
- wxwindows2.4 <removed> (low; bug #560915)
[etch] - wxwindows2.4 <no-dsa> (minor issue)
- - wxwidgets2.6 <unfixed> (low; bug #560916)
+ - wxwidgets2.6 2.6.3.2.2-4 (low; bug #560916)
[etch] - wxwidgets2.6 <no-dsa> (minor issue)
[lenny] - wxwidgets2.6 <no-dsa> (minor issue)
- - wxwidgets2.8 <unfixed> (low; bug #560917)
+ - wxwidgets2.8 2.8.10.1-2 (low; bug #560917)
[lenny] - wxwidgets2.8 <no-dsa> (minor issue)
- celementtree <unfixed> (low; bug #560918)
[etch] - celementtree <no-dsa> (minor issue)
@@ -2175,7 +2156,7 @@
[etch] - iceweasel <no-dsa> (minor issue)
[lenny] - iceweasel <no-dsa> (minor issue)
- kompozer 1:0.8~b1-2 (low; bug #560944)
- - vxl <unfixed> (low; bug #560945)
+ - vxl 1.13.0-2 (low; bug #560945)
- xulrunner <unfixed> (low; bug #560946)
[etch] - xulrunner <no-dsa> (minor issue)
[lenny] - xulrunner <no-dsa> (minor issue)
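Review bot: This second expat entry still lists iceweasel and xulrunner as "low" with [etch]/[lenny] no-dsa lines, whereas the hunk at line 1628 above changed the same packages to "unimportant" and dropped the no-dsa lines. Unless the two CVEs differ in how they affect the embedded copy, apply the same reassessment here (including kompozer), or add a NOTE explaining why the same package is rated differently under the two CVEs.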
@@ -2654,7 +2635,7 @@
- xulrunner 1.9.1.4-1
[etch] - xulrunner <not-affected> (ogg support added in firefox 3.5)
[lenny] - xulrunner <not-affected> (ogg support added in firefox 3.5)
- - liboggplay <unfixed> (medium; bug #552743)
+ - liboggplay 0.2.1~git20091120-1 (medium; bug #552743)
CVE-2009-3377 (Multiple unspecified vulnerabilities in liboggz before ...)
- xulrunner 1.9.1.4-1
[lenny] - xulrunner <not-affected> (Only affects Firefox 3.5)
@@ -6610,7 +6591,7 @@
- zoph 0.8.0.1-1 (bug #535188)
NOTE: the details are unknown
CVE-2009-2343 (Cross-site scripting (XSS) vulnerability in people.php in Zoph before ...)
- - zoph <unfixed> (low; bug #535188)
+ - zoph 0.7.5-1 (low; bug #535188)
NOTE: http://sourceforge.net/tracker/?func=detail&aid=2815898&group_id=69353&atid=524249
NOTE: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=694128
CVE-2008-6836 (Cross-site request forgery (CSRF) vulnerability in OpenID 5.x before ...)
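Review bot: CVE-2009-2343 is now marked fixed in zoph 0.7.5-1, but the entry immediately above cites the same bug #535188 with fixed version 0.8.0.1-1. One bug resolved by two uploads is possible, but 0.7.5-1 is the older of the two, so double-check against the linked sourceforge release notes that the people.php XSS fix really landed in 0.7.5-1 and not in 0.8.0.1-1.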
@@ -17896,7 +17877,7 @@
- sabre 0.2.4b-25 (low; bug #433996)
[etch] - sabre <no-dsa> (Game not qualified as multi-user system, thus minor issue)
CVE-2008-4405 (xend in Xen 3.0.3 does not properly limit the contents of the ...)
- - xen-3 <unfixed> (bug #503811)
+ - xen-3 3.4.0-1 (bug #503811)
- xen-unstable <unfixed>
NOTE: a proposed patch leads to new problems, see CVE-2008-5716
CVE-2008-4404 (The IPv6 Neighbor Discovery Protocol (NDP) implementation on IBM ...)
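Review bot: The NOTE warns that the proposed patch for CVE-2008-4405 introduced CVE-2008-5716; now that xen-3 is marked fixed in 3.4.0-1, the entry should state whether that upload carries the corrected fix, and the CVE-2008-5716 entry needs the matching xen-3 status. xen-unstable stays <unfixed> with no bug reference; add one or mark it accordingly.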
Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies 2009-12-15 14:38:18 UTC (rev 13556)
+++ data/embedded-code-copies 2009-12-15 18:53:59 UTC (rev 13557)
@@ -1085,8 +1085,8 @@
- python2.4 <unfixable> (embed; bug #553403)
- python-4suite <unfixed> (embed; bug #516935)
- wxwindows2.4 <removed> (embed)
- - wxwidgets2.6 <unfixed> (embed)
- - wxwidgets2.8 <unfixed> (embed)
+ - wxwidgets2.6 2.6.3.2.2-4 (embed)
+ - wxwidgets2.8 2.8.10.1-2 (embed)
- celementtree <unfixed> (embed)
- audacity 1.3.2-1 (embed)
- matanza <unfixed> (embed)
@@ -1117,7 +1117,7 @@
- xmlrpc-c <unfixed> (embed)
- iceweasel <unfixed> (embed)
- kompozer <unfixed> (embed)
- - vxl <unfixed> (embed)
+ - vxl 1.13.0-2 (embed)
- xulrunner <unfixed> (embed)
- apache2 2.2 (embed)
- texlive-bin <unfixed> (embed) [included twice]
@@ -1578,7 +1578,9 @@
- proftpd-dfsg <unfixed> (embed)
- babel 1.4.0.dfsg-5 (embed)
- libprelude <unfixed> (embed)
- - heartbeat <unknown> (embed)
+ - heartbeat 2.1.4-7 (embed)
+ NOTE: From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
+ NOTE: might've been fixed earlier
- gcc-* <unknown> (embed)
ocamlgsl
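Review bot: The two NOTE lines duplicate the text from data/CVE/list and again split one sentence across lines ("...from Squeeze," / "might've been fixed earlier"). In embedded-code-copies a single NOTE stating that Squeeze uses the system libltdl is enough, and since <unknown> is being replaced by 2.1.4-7 without confirmation, flag that version as an upper bound rather than the first fixed upload.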
Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt 2009-12-15 14:38:18 UTC (rev 13556)
+++ data/ospu-candidates.txt 2009-12-15 18:53:59 UTC (rev 13557)
@@ -914,6 +914,11 @@
25_mkstemp added in 1:3.2.5.a-1
notified maintainer
+
+CVE-2009-4228/CVE-2009-4227
+#559274)
+https://bugzilla.redhat.com/show_bug.cgi?id=543905
+
--
xmcd (CVE-2008-4994)
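Review bot: The added candidate entry is malformed: "#559274)" has a closing parenthesis with no opening one and no package name, so it does not follow the format of the surrounding entries (compare "xmcd (CVE-2008-4994)"). Suggest "xfig (CVE-2009-4228/CVE-2009-4227, bug #559274)" on one line followed by the bugzilla URL.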
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-12-15 14:38:18 UTC (rev 13556)
+++ data/spu-candidates.txt 2009-12-15 18:53:59 UTC (rev 13557)
@@ -376,6 +376,10 @@
25_mkstemp added in 1:3.2.5.a-1
notified maintainer
+CVE-2009-4228/CVE-2009-4227
+#559274)
+https://bugzilla.redhat.com/show_bug.cgi?id=543905
+
--
xmp (CVE-2007-6731, CVE-2007-6732)
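Review bot: Same malformed entry as in ospu-candidates.txt ("#559274)" with no package name), and here the blank separator line before the entry is missing, so it runs straight on from the previous item's "notified maintainer". Add the blank line and use the same "xfig (CVE-2009-4228/CVE-2009-4227, bug #559274)" form in both files.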