[Secure-testing-commits] r13618 - in data: . CVE

Mon Dec 21 18:55:22 UTC 2009

Author: jmm-guest
Date: 2009-12-21 18:55:22 +0000 (Mon, 21 Dec 2009)
New Revision: 13618

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
* mark several ltdl issues as no-dsa
* devil no-dsa
* jetty issues not in binary package
* record more openjdk fixes
* iceape in lenny only a stub package


Modified: data/CVE/list
===================================================================

--- data/CVE/list	2009-12-21 18:29:24 UTC (rev 13617)
+++ data/CVE/list	2009-12-21 18:55:22 UTC (rev 13618)
@@ -996,6 +996,7 @@
 	RESERVED
 CVE-2009-3994 (Stack-based buffer overflow in the GetUID function in ...)
 	- devil 1.7.8-6 (low; bug #560080)
+	[lenny] - devil <no-dsa> (Minor issue)
 CVE-2009-3993
 	RESERVED
 CVE-2009-3992
@@ -1558,9 +1559,9 @@
 CVE-2009-XXXX [multiple vulnerabilities in acidbase; XSS + possible sql injection]
 	- acidbase 1.4.4-1 (bug #552235)
 CVE-2009-XXXX [multiple vulnerabilities in jetty]
-	- jetty <unfixed> (bug #553644)
-	TODO: check
+	- jetty <unfixed> (unimportant; bug #553644)
 	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
+	NOTE: The affected apps are not shipped in the package, see #553644
 CVE-2009-XXXX [cherokee 0.5.4 DoS]
 	- cherokee <not-affected> (not reproducible)
 	NOTE: <4089.110.37.64.157.1256562313.squirrel at mail.xc0re.net> in bugtraq
@@ -1658,11 +1659,14 @@
 	- camserv <unfixed> (low; bug #559800)
 	- collectd <unfixed> (low; bug #559801)
 	- cvsnt <unfixed> (low; bug #559803)
+	[etch] - cvsnt <no-dsa> (Minor issue)
+	[lenny] - cvsnt <no-dsa> (Minor issue)
 	- ggobi 2.1.9~20091212-1 (low; bug #559806)
 	[etch] - ggobi <no-dsa> (Minor issue)
 	[lenny] - ggobi <no-dsa> (Minor issue)
 	- glame <unfixed> (low; bug #559807)
 	- gnash <unfixed> (low; bug #559808)
+	[lenny] - gnash <no-dsa> (Minor issue)
 	- gnu-smalltalk <unfixed> (low; bug #559809)
 	- google-gadgets <unfixed> (low; bug #559810)
 	- graphicsmagick 1.3.5-6 (low; bug #559811)
@@ -1677,10 +1681,14 @@
 	- kdelibs <unfixed> (low; bug #559817)
 	- libannodex <removed> (low; bug #559818)
 	- libextractor <unfixed> (low; bug #559819)
+	[etch] - libextractor <no-dsa> (Minor issue)
+	[lenny] - libextractor <no-dsa> (Minor issue)
 	- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
 	- libtunepimp <unfixed> (low; bug #559821)
 	- mp4h <unfixed> (low; bug #559822)
-	- naim <unfixed> (low; bug #559823)
+	- naim <removed> (low; bug #559823)
+	[lenny] - naim <no-dsa> (Minor issue)
+	[etch] - naim <no-dsa> (Minor issue)
 	- parser-mysql <unfixed> (low; bug #559824)
 	- pinball <unfixed> (low; bug #559825)
 	TODO: insufficient solution: only added depends libltdl-dev?
@@ -1708,7 +1716,11 @@
 	- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
 	- sbnc <not-affected> (All released/unstable versions use the system copy of libtool)
 	- sdcc <unfixed> (low; bug #559840)
+	[lenny] - sdcc <no-dsa> (Minor issue)
+	[etch] - sdcc <no-dsa> (Minor issue)
 	- wml <unfixed> (low; bug #559841)
+	[lenny] - wml <no-dsa> (Minor issue)
+	[etch] - wml <no-dsa> (Minor issue)
 	- proftpd-dfsg <not-affected> (Only loads from /usr/lib/proftpd)
 	- babel 1.4.0.dfsg-5 (low; bug #559843)
 	TODO: insufficient solution: only added depends libltdl-dev?
@@ -4065,6 +4077,7 @@
 	{DSA-1922-1}
 	- xulrunner 1.9.1.3-3 (low)
 	- iceape 2.0-1 (low)
+	[lenny] - iceape <not-affected> (Iceape from Lenny only provides NSS libs)
 	- webkit <not-affected> (proof-of-concept did not work)
 CVE-2009-3006 (Maxthon Browser 2.5.3.80 UNICODE allows remote attackers to spoof the ...)
 	NOT-FOR-US: Maxthon Browser
@@ -5196,27 +5209,27 @@
 	- sun-java6 6-15-1
 	[etch] - sun-java6 <no-dsa> (Non-free not supported)
 	[lenny] - sun-java6 <no-dsa> (Non-free not supported)
-	- openjdk-6 <unfixed> (medium; bug #560908)
+	- openjdk-6 6b16-1 (medium; bug #560908)
 CVE-2009-2719 (The Java Web Start implementation in Sun Java SE 6 before Update 15 ...)
 	- sun-java6 6-15-1
 	[etch] - sun-java6 <no-dsa> (Non-free not supported)
 	[lenny] - sun-java6 <no-dsa> (Non-free not supported)
-	- openjdk-6 <unfixed> (medium; bug #560908)
+	- openjdk-6 6b16-1 (medium; bug #560908)
 CVE-2009-2718 (The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 ...)
 	- sun-java6 6-15-1
 	[etch] - sun-java6 <no-dsa> (Non-free not supported)
 	[lenny] - sun-java6 <no-dsa> (Non-free not supported)
-	- openjdk-6 <unfixed> (medium; bug #560908)
+	- openjdk-6 6b16-1 (medium; bug #560908)
 CVE-2009-2717 (The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 ...)
 	- sun-java6 6-15-1
 	[etch] - sun-java6 <no-dsa> (Non-free not supported)
 	[lenny] - sun-java6 <no-dsa> (Non-free not supported)
-	- openjdk-6 <unfixed> (medium; bug #560908)
+	- openjdk-6 6b16-1 (medium; bug #560908)
 CVE-2009-2716 (The plugin functionality in Sun Java SE 6 before Update 15 does not ...)
 	- sun-java6 6-15-1
 	[etch] - sun-java6 <no-dsa> (Non-free not supported)
 	[lenny] - sun-java6 <no-dsa> (Non-free not supported)
-	- openjdk-6 <unfixed> (medium; bug #560908)
+	- openjdk-6 6b16-1 (medium; bug #560908)
 CVE-2008-6927 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
 	NOT-FOR-US: cPanel
 CVE-2008-6926 (Directory traversal vulnerability in ...)

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2009-12-21 18:29:24 UTC (rev 13617)
+++ data/spu-candidates.txt	2009-12-21 18:55:22 UTC (rev 13618)
@@ -61,6 +61,11 @@
 
 --
 
+devil (CVE-2009-3994)
+#560080
+
+--
+
 dopewars (CVE-2009-3591)
 #550913
 notified maintainer


