[Secure-testing-commits] r13592 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Fri Dec 18 17:31:26 UTC 2009


Author: jmm-guest
Date: 2009-12-18 17:31:26 +0000 (Fri, 18 Dec 2009)
New Revision: 13592

Modified:
   data/CVE/list
   data/embedded-code-copies
Log:
* libaws code copy fixed
* puppet fixed
* more ltdl updates
* mark css/history issue as unimportant
* mark further expat issues w/o security impact as unimportant
* xfs fixed
* fix srcpkg name of kpdf, fixed in 4.0 by switch to Okular


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-12-18 07:41:39 UTC (rev 13591)
+++ data/CVE/list	2009-12-18 17:31:26 UTC (rev 13592)
@@ -256,21 +256,23 @@
 	[etch] - gif2png <no-dsa> (minor issue)
 	[lenny] - gif2png <no-dsa> (minor issue)
 CVE-2009-XXXX [browser-based css info disclosure]
-	- xulrunner <unfixed> (low; bug #560108)
-	- webkit <unfixed> (low; bug #560870)
-	- kazehakase <unfixed> (low; bug #560871)
-	- epiphany-browser <unfixed> (low; bug #560872)
-	- galeon <unfixed> (low; bug #560873)
-	- dillo <unfixed> (low; bug #560874)
+	- xulrunner <unfixed> (unimportant; bug #560108)
+	- webkit <unfixed> (unimportant; bug #560870)
+	- kazehakase <unfixed> (unimportant; bug #560871)
+	- epiphany-browser <unfixed> (unimportant; bug #560872)
+	- galeon <unfixed> (unimportant; bug #560873)
+	- dillo <unfixed> (unimportant; bug #560874)
+	NOTE: Minor design issue
 CVE-2009-XXXX [xpat2: save game permissions issue]
 	- xpat2 <unfixed> (unimportant; bug #560087)
 CVE-2009-4144 [network-manager-gnome: wpa2 authentication issue]
 	RESERVED
 	- network-manager-applet <unfixed> (low; bug #560067)
 CVE-2009-XXXX [unsafe xfs]
-	- xfs <unfixed> (low; bug #521107)
+	- xfs 1:1.0.8-6 (low; bug #521107)
 	[etch] - xfs <no-dsa> (minor issue)
 	[lenny] - xfs <no-dsa> (minor issue)
+	TODO: next point update: [lenny] - xfs 1:1.0.8-2.2+lenny1
 CVE-2009-XXXX [xserver-xorg: inherits user's mask]
 	- xserver-xorg-core 2:1.7.2-1 (low; bug #555308)
 CVE-2009-4296 (SQL injection vulnerability in the Taxonomy Timer module 5.x-1.8 and ...)
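Review bot: The `TODO: next point update: [lenny] - xfs 1:1.0.8-2.2+lenny1` line sits directly under a `[lenny] - xfs <no-dsa> (minor issue)` entry that will have to be replaced once the point update ships, and the `[etch] - xfs <no-dsa>` line above it is not covered by the TODO at all; record whether etch stays no-dsa or is also queued for a point update so the two lines do not drift apart. The `NOTE: Minor design issue` justifying the six-package downgrade from low to unimportant is also very terse; a sentence on why this is considered a design property of the browsers rather than a fixable bug would help whoever re-triages these bugs later.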
@@ -855,7 +857,7 @@
 	RESERVED
 CVE-2009-4035 [FoFiType1::parse() integer underflow in xpdf/fofi/FoFiType1.cc]
 	RESERVED
-	- kdegraphics <unfixed>
+	- kdegraphics 4.0
 	- xpdf 3.01-1
 	- poppler 0.5.1-1
 	TODO: check
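Review bot: `kdegraphics 4.0` is not a full Debian package version; the sibling entries in this block (`xpdf 3.01-1`, `poppler 0.5.1-1`) carry the complete upstream-revision string, and the tracker tooling compares versions, so the first 4.0.x kdegraphics revision that dropped kpdf should be used here. The rationale from the log (kpdf gone because kdegraphics switched to Okular) is not recorded next to the entry either; a `NOTE:` line would preserve it, and `TODO: check` still stands, so it is not clear whether the new version has actually been verified.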
@@ -1675,7 +1677,7 @@
 	- parser-mysql <unfixed> (low; bug #559824)
 	- pinball <unfixed> (low; bug #559825)
 	TODO: insufficient solution: only added depends libltdl-dev?
-	- redland <unfixed> (low; bug #559826)
+	- redland 1.0.10-1 (low; bug #559826)
 	[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
 	[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
 	- siproxd <unfixed> (low; bug #559827)
@@ -1692,8 +1694,10 @@
 	[lenny] - hypre <no-dsa> (Minor issue)
 	- lam <unfixed> (low; bug #559835)
 	- openmpi 1.3.3-4 (low; bug #559836)
+	[lenny] - openmpi <no-dsa> (Minor issue)
+	[etch] - openmpi <no-dsa> (Minor issue)
 	- parser <unfixed> (low; bug #559837)
-	- pdsh <unfixed> (low; bug #559838)
+	- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
 	- sbnc <not-affected> (All released/unstable versions use the system copy of libtool)
 	- sdcc <unfixed> (low; bug #559840)
 	- wml <unfixed> (low; bug #559841)
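Review bot: Switching `pdsh` to `<not-affected>` drops the `bug #559838` reference entirely, whereas the `heartbeat` entry below keeps `bug #559845` in its parenthetical even though it is rated unimportant; keep the bug number (e.g. `- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root; bug #559838)`) so the open BTS report can be closed or reconciled against this decision. Minor style point: the new `openmpi` lines list `[lenny]` before `[etch]`, while every other entry in the file orders `[etch]` first.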
@@ -1701,7 +1705,8 @@
 	- babel 1.4.0.dfsg-5 (low; bug #559843)
 	TODO: insufficient solution: only added depends libltdl-dev?
 	[lenny] - babel <no-dsa> (Minor issue)
-	- libprelude <unfixed> (low; bug #559844)
+	- libprelude 0.9.14-2 (low; bug #559844)
+	[etch] - libprelude <no-dsa> (Minor issue)
 	- heartbeat 2.1.4-7 (unimportant; bug #559845)
 	NOTE: the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
 	NOTE: From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
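Review bot: Only `[etch] - libprelude <no-dsa> (Minor issue)` is added alongside the `libprelude 0.9.14-2` fix; there is no `[lenny]` line, so the lenny status is undefined, unlike `babel` two lines above which gets an explicit lenny no-dsa. Either add the matching `[lenny] - libprelude <no-dsa> (Minor issue)` or record that the lenny version is already at or above 0.9.14-2.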
@@ -1793,7 +1798,7 @@
 	- cableswig <unfixed> (unimportant; bug #560925)
 	- cadaver <unfixed> (unimportant; bug #560926)
 	- cmake 2.6.0-6 (unimportant; bug #560927)
-	- coin3 <unfixed> (low; bug #560928)
+	- coin3 <unfixed> (unimportant; bug #560928)
 	- gdcm 2.0.14-2 (low; bug #560929)
 	- ghostscript <unfixed> (unimportant; bug #560930)
 	- grmonitor <unfixed> (unimportant; bug #560931)
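Review bot: The `coin3` downgrade from low to unimportant carries no justification, while the neighbouring `gdcm 2.0.14-2` entry stays at low; a short `NOTE:` line (as done for `heartbeat` elsewhere in this change, which explains that the dlopened path is root-controlled) would make the distinction reproducible for the next person triaging the libltdl batch.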
@@ -2250,7 +2255,7 @@
 CVE-2009-3565 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
 	NOT-FOR-US: McAfee IntruShield Network Security Manager
 CVE-2009-3564 (puppetmasterd in puppet 0.24.6 does not reset supplementary groups ...)
-	- puppet <unfixed> (low; bug #551073)
+	- puppet 0.25.1-3 (low; bug #551073)
 	[etch] - puppet <no-dsa> (minor issue)
 	[lenny] - puppet <no-dsa> (minor issue)
 CVE-2009-3563 (ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote ...)
@@ -2306,10 +2311,8 @@
 	[etch] - iceape <no-dsa> (minor issue)
 	[lenny] - iceape <no-dsa> (minor issue)
 	- insighttoolkit 3.16.0-1 (unimportant; bug #560933)
-	- libparagui1.1 <unfixed> (low; bug #560934)
-	[lenny] - libparagui1.1 <no-dsa> (minor issue)
-	- paraview <unfixed> (low; bug #560935)
-	[lenny] - paraview <no-dsa> (minor issue)
+	- libparagui1.1 <unfixed> (unimportant; bug #560934)
+	- paraview <unfixed> (unimportant; bug #560935)
 	- poco <unfixed> (low; bug #560936)
 	[lenny] - poco <no-dsa> (minor issue)
 	- simgear <unfixed> (low; bug #560937)
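Review bot: Removing the `[lenny] ... <no-dsa> (minor issue)` lines for `libparagui1.1` and `paraview` is consistent with the downgrade to unimportant, since the no-dsa marker only matters for issues that would otherwise warrant an update; but as with coin3, nothing on the entry says why these two are unimportant while `poco` and `simgear` directly below keep low plus a lenny no-dsa, so a `NOTE:` line distinguishing the cases would help.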
@@ -3368,7 +3371,7 @@
 	[etch] - asterisk <no-dsa> (Minor issue)
 	[lenny] - asterisk <no-dsa> (Minor issue)
 	- auth2db 0.2.5-2+dfsg-1 (low; bug #555217)
-	- libaws <unfixed> (low; bug #555221)
+	- libaws 2.7-1 (low; bug #555221)
 	[etch] - libaws <no-dsa> (minor issue)
 	[lenny] - libaws <no-dsa> (minor issue)
 	- libjson-ruby 1.1.4-1 (low; bug #555223)
@@ -40133,7 +40136,7 @@
 	- asterisk 1:1.6.2.0~rc3-1 (low; bug #555220)
 	[etch] - asterisk <no-dsa> (minor issue)
 	[lenny] - asterisk <no-dsa> (minor issue)
-	- libaws <unfixed> (low; bug #555221)
+	- libaws 2.7-1 (low; bug #555221)
 	[etch] - libaws <no-dsa> (minor issue)
 	[lenny] - libaws <no-dsa> (minor issue)
 	- libjson-ruby <not-affected> (has prototype.js >= 1.5.1)

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2009-12-18 07:41:39 UTC (rev 13591)
+++ data/embedded-code-copies	2009-12-18 17:31:26 UTC (rev 13592)
@@ -716,6 +716,7 @@
 	- mediatomb <unfixed> (embed; bug #555233)
 	- mt-daapd 0.9~r1696.dfsg-6lenny2 (embed)
 	- ebug-http <unfixed> (embed; bug #555236)
+	- libaws 2.7-1 (embed; bug #555222)
 	- phpgedview <removed> (embed)
 	- poker-network <unfixed> (embed; bug #555238)
 	- rails 2.1.0-6 (embed)
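Review bot: The new `libaws 2.7-1 (embed; bug #555222)` line cites bug #555222, while both libaws entries in data/CVE/list updated in this same revision reference `bug #555221`; verify which number is correct (or whether these are deliberately two separate reports, one for the CVE and one for the embedded copy) so the two files point at the same BTS record.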
@@ -1579,7 +1580,7 @@
 	- wml <unfixed> (embed)
 	- proftpd-dfsg <unfixed> (embed)
 	- babel 1.4.0.dfsg-5 (embed)
-	- libprelude <unfixed> (embed)
+	- libprelude 0.9.14-2 (embed)
 	- heartbeat 2.1.4-7 (embed)
 	NOTE: From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
 	NOTE: might've been fixed earlier
