[Secure-testing-commits] r13640 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Thu Dec 24 10:44:32 UTC 2009
Author: jmm-guest
Date: 2009-12-24 10:44:32 +0000 (Thu, 24 Dec 2009)
New Revision: 13640
Modified:
data/CVE/list
data/embedded-code-copies
data/ospu-candidates.txt
data/spu-candidates.txt
Log:
* imagemagick uses system copy of ltdl
* several no-dsa for ltdl issue
* new libhaml-ruby issue already fixed
* another expat no-dsa
* qt4 triage
* python expat issues should be fixed through DSAs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-12-23 21:40:42 UTC (rev 13639)
+++ data/CVE/list 2009-12-24 10:44:32 UTC (rev 13640)
@@ -222,6 +222,8 @@
- wireshark 1.2.5-1
[lenny] - wireshark <not-affected> (Only affects Wireshark 1.2.x)
[etch] - wireshark <not-affected> (Only affects Wireshark 1.2.x)
+CVE-2009-XXXX [libhaml-ruby XSS issue]
+ - libhaml-ruby 2.2.8-1
CVE-2009-XXXX [Wireshark: SMB and SMB2 dissectors could crash]
- wireshark 1.2.5-1 (low)
[lenny] - wireshark <no-dsa> (Minor issue)
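Review bot: the new libhaml-ruby entry carries no severity, bug reference or [lenny]/[etch] line, unlike the neighbouring wireshark entry (`- wireshark 1.2.5-1 (low)` followed by a `<no-dsa>` line for lenny). The log calls this "already fixed" in 2.2.8-1, but the stable status is still undecided here; add a `<not-affected>`, `<no-dsa>` or `<unfixed>` line for the suites that ship the package, and remember the CVE-2009-XXXX placeholder has to be replaced once an id is assigned.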
@@ -1862,9 +1864,15 @@
CVE-2009-3736 (ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, ...)
- libtool 2.2.6b-1 (low; bug #559797)
- arts <unfixed> (low; bug #559798)
+ [lenny] - arts <no-dsa> (Minor issue)
+ [etch] - arts <no-dsa> (Minor issue)
- bochs <not-affected> (additional hardening in this package prevents this type of attack; bug #559799)
- camserv <unfixed> (low; bug #559800)
+ [lenny] - camserv <no-dsa> (Minor issue)
+ [etch] - camserv <no-dsa> (Minor issue)
- collectd <unfixed> (low; bug #559801)
+ [lenny] - collectd <no-dsa> (Minor issue)
+ [etch] - collectd <no-dsa> (Minor issue)
- cvsnt <unfixed> (low; bug #559803)
[etch] - cvsnt <no-dsa> (Minor issue)
[lenny] - cvsnt <no-dsa> (Minor issue)
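Review bot: ordering of the suite lines is inconsistent within this hunk; the added arts, camserv and collectd lines put [lenny] before [etch], while the existing cvsnt lines directly below put [etch] first. Pick one order so later diffs against these entries stay small.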
@@ -1872,9 +1880,13 @@
[etch] - ggobi <no-dsa> (Minor issue)
[lenny] - ggobi <no-dsa> (Minor issue)
- glame <unfixed> (low; bug #559807)
+ [lenny] - glame <no-dsa> (Minor issue)
+ [etch] - glame <no-dsa> (Minor issue)
- gnash <unfixed> (low; bug #559808)
[lenny] - gnash <no-dsa> (Minor issue)
- gnu-smalltalk <unfixed> (low; bug #559809)
+ [lenny] - gnu-smalltalk <no-dsa> (Minor issue)
+ [etch] - gnu-smalltalk <no-dsa> (Minor issue)
- google-gadgets <unfixed> (low; bug #559810)
- graphicsmagick 1.3.5-6 (low; bug #559811)
[lenny] - graphicsmagick <no-dsa> (Minor issue, can be fixed along with later updates)
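Review bot: google-gadgets (`<unfixed> (low; bug #559810)`) is the only entry in this hunk left without any [lenny]/[etch] annotation after the no-dsa sweep, and gnash gets a [lenny] line but no [etch] line. If the packages are simply absent from those suites that is fine, but a `<not-affected>` or `<no-dsa>` line (or a TODO) would make the decision visible instead of leaving the default "affected, DSA pending" state.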
@@ -1883,38 +1895,57 @@
[etch] - guile-1.6 <no-dsa> (Minor issue)
[lenny] - guile-1.6 <no-dsa> (Minor issue)
- hamlib <unfixed> (low; bug #559814)
+ [lenny] - hamlib <no-dsa> (Minor issue)
+ [etch] - hamlib <no-dsa> (Minor issue)
- hercules <unfixed> (low; bug #559815)
+ [lenny] - hercules <no-dsa> (Minor issue)
+ [etch] - hercules <no-dsa> (Minor issue)
- jags 1.0.4-1 (low; bug #559816)
- kdelibs <unfixed> (low; bug #559817)
+ [etch] - kdelibs <no-dsa> (Minor issue)
+ [lenny] - kdelibs <no-dsa> (Minor issue)
- libannodex <removed> (low; bug #559818)
+ [lenny] - libannodex <removed> (low; bug #559818)
+ [etch] - libannodex <removed> (low; bug #559818)
- libextractor <unfixed> (low; bug #559819)
[etch] - libextractor <no-dsa> (Minor issue)
[lenny] - libextractor <no-dsa> (Minor issue)
- libmcrypt <not-affected> (not included in any of the binary packages; bug #559820)
- libtunepimp <unfixed> (low; bug #559821)
- mp4h <unfixed> (low; bug #559822)
+ [etch] - mp4h <no-dsa> (Minor issue)
+ [lenny] - mp4h <no-dsa> (Minor issue)
- naim <removed> (low; bug #559823)
[lenny] - naim <no-dsa> (Minor issue)
[etch] - naim <no-dsa> (Minor issue)
- parser-mysql <unfixed> (low; bug #559824)
- pinball <unfixed> (low; bug #559825)
+ [lenny] - pinball <no-dsa> (Minor issue)
+ [etch] - pinball <no-dsa> (Minor issue)
TODO: insufficient solution: only added depends libltdl-dev?
- redland 1.0.10-1 (low; bug #559826)
[etch] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
[lenny] - redland <not-affected> (Versions prior to 1.0.9 don't use libtool/libltdl)
- siproxd <unfixed> (low; bug #559827)
+ [lenny] - siproxd <no-dsa> (Minor issue)
+ [etch] - siproxd <no-dsa> (Minor issue)
- ski <unfixed> (low; bug #559828)
- synfig <unfixed> (low; bug #559829)
+ [lenny] - synfig <no-dsa> (Minor issue)
- xmlsec1 1.2.14-1 (unimportant; bug #559831)
NOTE: Embedded code copy isn't used
- clamav 0.95+dfsg-1 (low; bug #559832)
[lenny] - clamav <no-dsa> (Minor issue)
[etch] - clamav <no-dsa> (Minor issue)
- - imagemagick <unfixed> (low; bug #559833)
+ - imagemagick 6:6.2.3.1-1 (low; bug #559833)
+ [lenny] - imagemagick <no-dsa> (Minor issue)
+ [etch] - imagemagick <no-dsa> (Minor issue)
- hypre 2.4.0b-5 (low; bug #559834)
[etch] - hypre <no-dsa> (Minor issue)
[lenny] - hypre <no-dsa> (Minor issue)
- lam <unfixed> (low; bug #559835)
+ [lenny] - lam <no-dsa> (Minor issue)
+ [etch] - lam <no-dsa> (Minor issue)
- openmpi 1.3.3-4 (low; bug #559836)
[lenny] - openmpi <no-dsa> (Minor issue)
[etch] - openmpi <no-dsa> (Minor issue)
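Review bot: the two added libannodex suite lines repeat the main entry's `<removed> (low; bug #559818)` instead of stating a suite decision. `<removed>` describes unstable; if lenny and etch still ship libannodex the lines should read `<no-dsa> (Minor issue)` like the naim entry a few lines below, which is `<removed>` in unstable but `<no-dsa>` in both stable suites. Also, synfig gets only a [lenny] line and libtunepimp, mp4h's neighbours parser-mysql and ski get none at all.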
@@ -2000,12 +2031,10 @@
[etch] - python-xml <no-dsa> (minor issue)
[lenny] - python-xml <no-dsa> (minor issue)
- python2.5 <unfixed> (low; bug #560912)
- [etch] - python2.5 <no-dsa> (minor issue)
- [lenny] - python2.5 <no-dsa> (minor issue)
- python2.4 <unfixed> (low; bug #560913)
- [etch] - python2.4 <no-dsa> (minor issue)
- [lenny] - python2.4 <no-dsa> (minor issue)
- python-4suite <unfixed> (low; bug #560914)
+ [etch] - python-4suite <no-dsa> (Minor issue)
+ [lenny] - python-4suite <no-dsa> (Minor issue)
- wxwindows2.4 <removed> (low; bug #560915)
[etch] - wxwindows2.4 <no-dsa> (minor issue)
- wxwidgets2.6 2.6.3.2.2-4 (low; bug #560916)
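Review bot: dropping the `<no-dsa>` lines for python2.5 and python2.4 leaves both entries with no [etch]/[lenny] annotation, which the tracker reads as "stable affected" until a `{DSA-...}` reference is added. That matches the log ("should be fixed through DSAs"), but a TODO line noting that the DSA is pending would make the intent explicit for whoever next triages this entry.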
@@ -2500,12 +2529,10 @@
[etch] - python-xml <no-dsa> (minor issue)
[lenny] - python-xml <no-dsa> (minor issue)
- python2.5 <unfixed> (low; bug #560912)
- [etch] - python2.5 <no-dsa> (minor issue)
- [lenny] - python2.5 <no-dsa> (minor issue)
- python2.4 <unfixed> (low; bug #560913)
- [etch] - python2.4 <no-dsa> (minor issue)
- [lenny] - python2.4 <no-dsa> (minor issue)
- python-4suite <unfixed> (low; bug #560914)
+ [etch] - python-4suite <no-dsa> (Minor issue)
+ [lenny] - python-4suite <no-dsa> (Minor issue)
- wxwindows2.4 <removed> (low; bug #560915)
[etch] - wxwindows2.4 <no-dsa> (minor issue)
- wxwidgets2.6 2.6.3.2.2-4 (low; bug #560916)
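Review bot: the new python-4suite lines use "(Minor issue)" while every other annotation in this hunk (python-xml, wxwindows2.4) spells it "(minor issue)"; match the local spelling so grep-based checks on the rationale text keep working.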
@@ -8287,6 +8314,8 @@
{DSA-1950-1}
- webkit 1.1.13-1 (medium; bug #538346)
- qt4-x11 4:4.5.2-2 (medium; bug #538347)
+ [lenny] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
+ [etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
- kdelibs <not-affected> (medium; bug #538350)
- kde4libs <not-affected> (medium; bug #538349)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=513813#c18
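Review bot: the `<not-affected>` rationale "QTWebkit was introduced in 4.4" rests on the lenny and etch qt4-x11 versions predating 4.4, but the note does not say which version those suites ship. Stating the shipped version in the parenthesis lets a reader verify the claim without consulting the archive, and the component is spelled QtWebKit upstream.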
@@ -8324,15 +8353,24 @@
NOTE: http://trac.webkit.org/changeset/36359
CVE-2009-1713 (The XSLT functionality in WebKit in Apple Safari before 4.0 does not ...)
- webkit 1.0.1-4 (medium; bug #535793)
+ - qt4-x11 4:4.5.2-2
+ [lenny] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
+ [etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
NOTE: http://trac.webkit.org/changeset/34533
CVE-2009-1712 (WebKit in Apple Safari before 4.0 does not prevent remote loading of ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
+ - qt4-x11 4:4.5.2-2
+ [lenny] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
+ [etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
NOTE: http://trac.webkit.org/changeset/41568
CVE-2009-1711 (WebKit in Apple Safari before 4.0 does not properly initialize memory ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
NOTE: http://trac.webkit.org/changeset/36918
+ - qt4-x11 4:4.5.2-1
+ [lenny] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
+ [etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
CVE-2009-1710 (WebKit in Apple Safari before 4.0 allows remote attackers to spoof the ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
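Review bot: the added qt4-x11 lines carry no severity or bug reference, whereas the webkit lines in the same entries do (`(medium; bug #535793)`); either copy the severity or file and reference a qt4-x11 bug so the entry is traceable. Placement is also inconsistent: for CVE-2009-1713 and CVE-2009-1712 the qt4-x11 block sits before the NOTE line, for CVE-2009-1711 it sits after it.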
@@ -8365,10 +8403,16 @@
- webkit 1.1.12-1 (low; bug #535793)
CVE-2009-1699 (The XSL stylesheet implementation in WebKit in Apple Safari before ...)
- webkit 1.0.1-4 (medium; bug #535793)
+ - qt4-x11 4:4.5.2-2
+ [lenny] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
+ [etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
CVE-2009-1698 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
{DSA-1950-1 DSA-1868-1 DSA-1867-1}
- webkit 1.1.5-1 (medium; bug #534946)
NOTE: http://trac.webkit.org/changeset/42081
+ - qt4-x11 4:4.5.2-1
+ [lenny] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
+ [etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
CVE-2009-1697 (CRLF injection vulnerability in WebKit in Apple Safari before 4.0, ...)
{DSA-1950-1}
- webkit 1.1.15.2-1 (medium; bug #535793)
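Review bot: within this hunk qt4-x11 is marked fixed in 4:4.5.2-2 for CVE-2009-1699 but in 4:4.5.2-1 for CVE-2009-1698, and the earlier hunks show the same split. If both uploads are genuinely involved that is fine, but the changelog entry for each should be checked; a single wrong version here makes the tracker report 4:4.5.2-1 as fixed for an issue it may not address.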
@@ -8402,6 +8446,8 @@
- kde4libs 4:4.3.0-1 (medium; bug #534949)
NOTE: http://websvn.kde.org/?view=rev&revision=983316
- qt4-x11 4:4.5.2-1 (medium; bug #534947)
+ [lenny] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
+ [etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
CVE-2009-1689 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
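Review bot: the string "QTWebkit was introduced in 4.4" is copied verbatim into every qt4-x11 suite line in this commit; since it appears so many times, fix the spelling (QtWebKit) once with a search-and-replace before this becomes the template for future entries.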
@@ -8415,6 +8461,8 @@
- kde4libs 4:4.3.0-1
NOTE: http://trac.webkit.org/changeset/41854
- qt4-x11 4:4.5.2-1 (medium; bug #534946)
+ [lenny] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
+ [etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
CVE-2009-1686 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies 2009-12-23 21:40:42 UTC (rev 13639)
+++ data/embedded-code-copies 2009-12-24 10:44:32 UTC (rev 13640)
@@ -1568,7 +1568,7 @@
- unixodbc 2.2.4-5 (embed)
- xmlsec1 <not-affected> (Doesn't enable dynamic loading of crypto modules)
- clamav 0.95+dfsg-1 (embed)
- - imagemagick <unfixed> (embed)
+ - imagemagick 6:6.2.3.1-1 (embed)
- hypre 2.4.0b-5 (embed)
- lam <unfixed> (embed)
- openmpi <unfixable> (embed; bug #559386)
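Review bot: openmpi is recorded here as `<unfixable> (embed; bug #559386)`, while data/CVE/list in this same commit lists openmpi as fixed in 1.3.3-4 with bug #559836. One of the two files is stale, and the two bug numbers differ only by a digit transposition, so it is worth checking which number is the real one before updating.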
Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt 2009-12-23 21:40:42 UTC (rev 13639)
+++ data/ospu-candidates.txt 2009-12-24 10:44:32 UTC (rev 13640)
@@ -621,6 +621,11 @@
--
+python-4suite (CVE-2009-3650, CVE-2009-3720)
+#560914
+
+--
+
python2.4 (CVE-2008-4864, CVE-2008-5031)
#504620
notified maintainer
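Review bot: the new python-4suite block lists the CVEs and bug #560914 but, unlike the python2.4 block directly below it, has no status line ("notified maintainer"). Add the status once the maintainer has been contacted so the candidates file stays usable as a work queue.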
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-12-23 21:40:42 UTC (rev 13639)
+++ data/spu-candidates.txt 2009-12-24 10:44:32 UTC (rev 13640)
@@ -317,6 +317,11 @@
--
+python-4suite (CVE-2009-3650, CVE-2009-3720)
+#560914
+
+--
+
python-docutils
#560755
notified maintainer