[Secure-testing-commits] r13618 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Mon Dec 21 18:55:22 UTC 2009
Author: jmm-guest
Date: 2009-12-21 18:55:22 +0000 (Mon, 21 Dec 2009)
New Revision: 13618
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
* mark several ltdl issues as no-dsa
* devil no-dsa
* jetty issues not in binary package
* record more openjdk fixes
* iceape in lenny only a stub package
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-12-21 18:29:24 UTC (rev 13617)
+++ data/CVE/list 2009-12-21 18:55:22 UTC (rev 13618)
@@ -996,6 +996,7 @@
RESERVED
CVE-2009-3994 (Stack-based buffer overflow in the GetUID function in ...)
- devil 1.7.8-6 (low; bug #560080)
+ [lenny] - devil <no-dsa> (Minor issue)
CVE-2009-3993
RESERVED
CVE-2009-3992
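Review bot: The added `[lenny] - devil <no-dsa> (Minor issue)` line gives only the generic reason for what the CVE line describes as a stack-based buffer overflow in GetUID. A NOTE stating why this is minor for lenny would let a later reader check the triage without opening bug #560080. There is also no `[etch]` line; if etch ships devil, it needs its own status.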
@@ -1558,9 +1559,9 @@
CVE-2009-XXXX [multiple vulnerabilities in acidbase; XSS + possible sql injection]
- acidbase 1.4.4-1 (bug #552235)
CVE-2009-XXXX [multiple vulnerabilities in jetty]
- - jetty <unfixed> (bug #553644)
- TODO: check
+ - jetty <unfixed> (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
+ NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-XXXX [cherokee 0.5.4 DoS]
- cherokee <not-affected> (not reproducible)
NOTE: <4089.110.37.64.157.1256562313.squirrel at mail.xc0re.net> in bugtraq
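Review bot: The new NOTE on the jetty entry says the affected apps are not shipped in the package but does not name them, and "see #553644" repeats the bug number already on the package line. Naming the apps in the NOTE would make the `unimportant` rating checkable from the list itself, now that `TODO: check` is gone.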
@@ -1658,11 +1659,14 @@
- camserv <unfixed> (low; bug #559800)
- collectd <unfixed> (low; bug #559801)
- cvsnt <unfixed> (low; bug #559803)
+ [etch] - cvsnt <no-dsa> (Minor issue)
+ [lenny] - cvsnt <no-dsa> (Minor issue)
- ggobi 2.1.9~20091212-1 (low; bug #559806)
[etch] - ggobi <no-dsa> (Minor issue)
[lenny] - ggobi <no-dsa> (Minor issue)
- glame <unfixed> (low; bug #559807)
- gnash <unfixed> (low; bug #559808)
+ [lenny] - gnash <no-dsa> (Minor issue)
- gnu-smalltalk <unfixed> (low; bug #559809)
- google-gadgets <unfixed> (low; bug #559810)
- graphicsmagick 1.3.5-6 (low; bug #559811)
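Review bot: gnash gets only a `[lenny]` no-dsa line, whereas cvsnt (added in this hunk) and ggobi (context) carry both `[etch]` and `[lenny]`. If etch ships an affected gnash, add `[etch] - gnash <no-dsa> (Minor issue)` so the etch status is not left open.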
@@ -1677,10 +1681,14 @@
- kdelibs <unfixed> (low; bug #559817)
- libannodex <removed> (low; bug #559818)
- libextractor <unfixed> (low; bug #559819)
+ [etch] - libextractor <no-dsa> (Minor issue)
+ [lenny] - libextractor <no-dsa> (Minor issue)
- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
- libtunepimp <unfixed> (low; bug #559821)
- mp4h <unfixed> (low; bug #559822)
- - naim <unfixed> (low; bug #559823)
+ - naim <removed> (low; bug #559823)
+ [lenny] - naim <no-dsa> (Minor issue)
+ [etch] - naim <no-dsa> (Minor issue)
- parser-mysql <unfixed> (low; bug #559824)
- pinball <unfixed> (low; bug #559825)
TODO: insufficient solution: only added depends libltdl-dev?
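Review bot: The naim line changes from `<unfixed>` to `<removed>`, which the log message does not mention; it lists only no-dsa markings for the ltdl issues. That deserves its own log entry, since it changes the unstable status rather than recording a stable triage decision.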
@@ -1708,7 +1716,11 @@
- pdsh <not-affected> (Only loads from /usr/lib/pdsh, which is controlled by root)
- sbnc <not-affected> (All released/unstable versions use the system copy of libtool)
- sdcc <unfixed> (low; bug #559840)
+ [lenny] - sdcc <no-dsa> (Minor issue)
+ [etch] - sdcc <no-dsa> (Minor issue)
- wml <unfixed> (low; bug #559841)
+ [lenny] - wml <no-dsa> (Minor issue)
+ [etch] - wml <no-dsa> (Minor issue)
- proftpd-dfsg <not-affected> (Only loads from /usr/lib/proftpd)
- babel 1.4.0.dfsg-5 (low; bug #559843)
TODO: insufficient solution: only added depends libltdl-dev?
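Review bot: The sdcc and wml additions list `[lenny]` before `[etch]`, as does naim in the previous hunk, while cvsnt, ggobi and libextractor list `[etch]` first. Use one order for the suite lines throughout this ltdl entry so the per-suite status is easy to scan.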
@@ -4065,6 +4077,7 @@
{DSA-1922-1}
- xulrunner 1.9.1.3-3 (low)
- iceape 2.0-1 (low)
+ [lenny] - iceape <not-affected> (Iceape from Lenny only provides NSS libs)
- webkit <not-affected> (proof-of-concept did not work)
CVE-2009-3006 (Maxthon Browser 2.5.3.80 UNICODE allows remote attackers to spoof the ...)
NOT-FOR-US: Maxthon Browser
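Review bot: The reason on the new `[lenny] - iceape <not-affected>` line says what the lenny package contains ("only provides NSS libs") but not that the vulnerable code lies outside those libs, which is what `<not-affected>` depends on. State that explicitly in the reason, and align it with the log wording ("only a stub package") so both describe the same fact.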
@@ -5196,27 +5209,27 @@
- sun-java6 6-15-1
[etch] - sun-java6 <no-dsa> (Non-free not supported)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
- - openjdk-6 <unfixed> (medium; bug #560908)
+ - openjdk-6 6b16-1 (medium; bug #560908)
CVE-2009-2719 (The Java Web Start implementation in Sun Java SE 6 before Update 15 ...)
- sun-java6 6-15-1
[etch] - sun-java6 <no-dsa> (Non-free not supported)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
- - openjdk-6 <unfixed> (medium; bug #560908)
+ - openjdk-6 6b16-1 (medium; bug #560908)
CVE-2009-2718 (The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 ...)
- sun-java6 6-15-1
[etch] - sun-java6 <no-dsa> (Non-free not supported)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
- - openjdk-6 <unfixed> (medium; bug #560908)
+ - openjdk-6 6b16-1 (medium; bug #560908)
CVE-2009-2717 (The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 ...)
- sun-java6 6-15-1
[etch] - sun-java6 <no-dsa> (Non-free not supported)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
- - openjdk-6 <unfixed> (medium; bug #560908)
+ - openjdk-6 6b16-1 (medium; bug #560908)
CVE-2009-2716 (The plugin functionality in Sun Java SE 6 before Update 15 does not ...)
- sun-java6 6-15-1
[etch] - sun-java6 <no-dsa> (Non-free not supported)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
- - openjdk-6 <unfixed> (medium; bug #560908)
+ - openjdk-6 6b16-1 (medium; bug #560908)
CVE-2008-6927 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
NOT-FOR-US: cPanel
CVE-2008-6926 (Directory traversal vulnerability in ...)
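Review bot: All five openjdk-6 lines move from `<unfixed>` to `6b16-1` against the same bug #560908, and none has a per-suite line, unlike the sun-java6 entries directly above them. If a stable release ships an openjdk-6 older than 6b16-1, it will now show as open for each of these CVEs; confirm that is intended or add the suite status.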
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-12-21 18:29:24 UTC (rev 13617)
+++ data/spu-candidates.txt 2009-12-21 18:55:22 UTC (rev 13618)
@@ -61,6 +61,11 @@
--
+devil (CVE-2009-3994)
+#560080
+
+--
+
dopewars (CVE-2009-3591)
#550913
notified maintainer
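Review bot: The new devil block has only the CVE and bug number, while the dopewars entry below it also records `notified maintainer`. Add the current state for devil (whether the maintainer has been contacted) so the candidate list shows which step is pending.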