[Secure-testing-commits] r11210 - in data: . CVE

jmm-guest at alioth.debian.org jmm-guest at alioth.debian.org
Fri Feb 13 21:30:33 UTC 2009


Author: jmm-guest
Date: 2009-02-13 21:30:33 +0000 (Fri, 13 Feb 2009)
New Revision: 11210

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
- no-dsa: mailscanner, tsqllib, mikmod, sdlmixer
- remove CVEfied trac temp entry
- one tomcat issue is actually a JVM issue
- libnet-dns-perl isn't fixed DNS randomisation-wise


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-02-13 21:14:13 UTC (rev 11209)
+++ data/CVE/list	2009-02-13 21:30:33 UTC (rev 11210)
@@ -1233,6 +1233,7 @@
 	NOT-FOR-US: Fedora specific issue
 CVE-2009-0179 (libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other ...)
 	- libmikmod <unfixed> (low; bug #476339)
+	[etch] - libmikmod <no-dsa> (Minor issue)
 CVE-2009-0178 (Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 ...)
 	NOT-FOR-US: IBM Hardware Management Console
 CVE-2009-0177 (vmwarebase.dll, as used in the vmware-authd service (aka ...)
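Review bot: the new `[etch] - libmikmod <no-dsa> (Minor issue)` line uses a capitalised justification, while the same marker elsewhere in this file is written lower-case (`[etch] - postfix <no-dsa> (minor issue)` in the -8822 hunk); pick one spelling so the no-dsa entries stay greppable.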
@@ -1262,7 +1263,9 @@
 	NOT-FOR-US: RealNetworks Helix
 CVE-2007-6720 (libmikmod 3.1.9 through 3.2.0, as used by MikMod, SDL-mixer, and ...)
 	- libmikmod <unfixed> (low; bug #461519)
+	[etch] - libmikmod <no-dsa> (Minor issue)
 	- sdl-mixer1.2 1.2.8-1 (low; bug #422021)
+	[etch] - sdl-mixer1.2 <no-dsa> (Minor issue)
 CVE-2009-0173 (Unspecified vulnerability in the server in IBM DB2 9.1 before FP6a and ...)
 	NOT-FOR-US: IBM DB2
 CVE-2009-0172 (Unspecified vulnerability in IBM DB2 9.1 before FP6a and 9.5 before ...)
@@ -1375,7 +1378,8 @@
 CVE-2009-0125 (** DISPUTED ** ...)
 	- libnasl <unfixed> (unimportant; bug #511517)
 CVE-2009-0124 (The tqsl_verifyDataBlock function in openssl_cert.cpp in American ...)
-	- tqsllib 2.0-8 (bug #511509)
+	- tqsllib 2.0-8 (low; bug #511509)
+	[etch] - tqsllib <no-dsa> (Minor issue)
 CVE-2009-0123 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows ...)
 	NOT-FOR-US: Apple Safari
 CVE-2009-0122 (hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 and ...)
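Review bot: the log message lists this package as "tsqllib", but the entry being marked here is `tqsllib`; fix the commit message spelling so the no-dsa decision can be found by package name later. The severity change `(bug #511509)` to `(low; bug #511509)` is consistent with marking etch no-dsa.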
@@ -2122,9 +2126,9 @@
 CVE-2008-5648 (SQL injection vulnerability in admin/login.php in DeltaScripts PHP ...)
 	NOT-FOR-US: DeltaScripts PHP Shop
 CVE-2008-5647 (Unspecified vulnerability in the HTML sanitizer filter in Trac before ...)
-	- trac 0.11.1-2.1 (low; bug #509342)
+	- trac 0.11.1-2.1 (low; bug #509342; bug #505197)
 CVE-2008-5646 (Unspecified vulnerability in Trac before 0.11.2 allows attackers to ...)
-	- trac 0.11.1-2.1 (low; bug #509342)
+	- trac 0.11.1-2.1 (low; bug #509342; bug #505197)
 CVE-2008-5645 (Directory traversal vulnerability in the media server in Orb Networks ...)
 	NOT-FOR-US: Orb Networks Orb
 CVE-2008-5644 (Cross-site scripting (XSS) vulnerability in the file backend module in ...)
@@ -3438,9 +3442,11 @@
 	NOTE: http://securityreason.com/achievement_securityalert/57
 CVE-2008-5312 (mailscanner 4.55.10 and other versions before 4.74.16-1 might allow ...)
 	- mailscanner 4.74.16-1 (bug #506353)
+	[etch] - mailscanner <no-dsa> (Minor issue)
 	NOTE: there is no difference apart from the versions to CVE-2008-5313
 CVE-2008-5313 (mailscanner 4.68.8 and other versions before 4.74.16-1 might allow ...)
 	- mailscanner 4.74.16-1 (bug #506353)
+	[etch] - mailscanner <no-dsa> (Minor issue)
 	NOTE: there is no difference apart from the versions to CVE-2008-5312
 CVE-2008-5175 (Directory traversal vulnerability in the FTP client in AceFTP Freeware ...)
 	NOT-FOR-US: AceFTP
@@ -3889,8 +3895,6 @@
 	{DSA-1687-1 DSA-1681-1}
 	- linux-2.6 2.6.26-11
 	- linux-2.6.24 2.6.24-6~etchnhalf.7
-CVE-2008-XXXX [Trac Multiple Vulnerabilities]
-	- trac 0.11.1-2.1 (bug #505197)
 CVE-2008-5008 (Buffer overflow in src/src_sinc.c in Secret Rabbit Code (aka SRC or ...)
 	- libsamplerate 0.1.4-1
 CVE-2008-5006 (smtp.c in the c-client library in University of Washington IMAP ...)
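Review bot: dropping the `CVE-2008-XXXX [Trac Multiple Vulnerabilities]` placeholder removes its `bug #505197` reference from this spot; the -2122 hunk carries that bug onto `CVE-2008-5647` and `CVE-2008-5646`, so nothing is lost, but when a temp entry is CVEfied it is worth checking that every field (here the bug number and the fixed version `trac 0.11.1-2.1`) made it across, which it did.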
@@ -7860,8 +7864,6 @@
 	NOT-FOR-US: IntelliTamper
 CVE-2008-3359 (SQL injection vulnerability in register.php in Steve Bourgeois and ...)
 	- owl-dms 0.95-1.1 (bug #493372)
-	NOTE: Hardly maintained and very few users, long standing sec issues in Etch,
-	NOTE: Emailed release team to ask for removal from lenny
 CVE-2008-3358 (Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP ...)
 	NOT-FOR-US: SAP NetWeaver portal
 CVE-2008-3357 (Untrusted search path vulnerability in ingvalidpw in Ingres 2.6, ...)
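Review bot: this deletion is not covered by the log message and removes the only recorded rationale ("Hardly maintained and very few users ... asked for removal from lenny") behind the owl-dms entry, which itself is left unchanged at `owl-dms 0.95-1.1 (bug #493372)`. If the removal request was resolved, replace the two NOTE lines with a one-line NOTE stating the outcome rather than deleting the history silently.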
@@ -8822,7 +8824,9 @@
 	[etch] - apache2 2.2.3-4+etch6
 	- apache <not-affected> (vulnerable code not present)
 CVE-2008-2938 (Directory traversal vulnerability in Apache Tomcat 4.1.0 through ...)
-	- tomcat5.5 5.5.26-5 (low; bug #496309)
+	NOTE: This is an issue in the respective JVMs, Tomcat only includes a workaround
+	NOTE: Check status of free JVMs
+	- tomcat5.5 5.5.26-5 (unimportant; bug #496309)
 CVE-2008-2937 (Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a ...)
 	- postfix 2.5.4-1 (low)
 	[etch] - postfix <no-dsa> (minor issue)
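Review bot: `NOTE: Check status of free JVMs` is an open action item, yet the same hunk already downgrades `tomcat5.5` to `unimportant`; since the text says the real issue lives in the JVMs, the affected free JVM packages should get their own entries under CVE-2008-2938 instead of a TODO inside the Tomcat entry. Also, the two NOTE lines are placed above the package line here, whereas the surrounding entries (postfix, adns in the -12327 hunk) put NOTEs after the package lines; keep the usual order.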
@@ -12327,7 +12331,7 @@
 	- adns 1.4-2 (unimportant; bug #492698)
 	NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian
 	- udns <unfixed> (bug #493599)
-	- libnet-dns-perl 0.63-2 (low; bug #492700)
+	- libnet-dns-perl <unfixed> (low; bug #492700)
 	NOTE: Source port randomization from Lenny kernel should provide sufficient protection
 	NOTE: since this is just a Perl nodule for DNS queries and not a high-profile server app like
 	NOTE: Bind, it's unlikely that a home-grown fix will provide an implementation of higher
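Review bot: moving `libnet-dns-perl` back to `<unfixed>` while keeping `low` is coherent with the following NOTE about lenny kernel source port randomization, but the NOTE should say explicitly that 0.63-2 did not add port randomisation, otherwise a reader seeing the old fixed version in the history will assume a regression. Unrelated typo in the context line: "Perl nodule" should read "Perl module".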
@@ -12336,7 +12340,8 @@
 	- ruby1.9 1.9.0.2-6 (low)
 	NOTE: Unbound, djbdns, pdnsd and PowerDNS are affected by the underlying protocol issue, but
 	NOTE: already use source port randomization.
-	NOTE: Marking non-caching stub resolvers as low since these really should be fixed, but are much less vulnerable than a caching server.
+	NOTE: Marking non-caching stub resolvers as low since these really should be fixed,
+	NOTE: but are much less vulnerable than a caching server.
 CVE-2008-1446 (Integer overflow in the Internet Printing Protocol (IPP) ISAPI ...)
 	NOT-FOR-US: Microsoft
 CVE-2008-1445 (Active Directory on Microsoft Windows 2000 Server SP4, XP Professional ...)
@@ -19935,7 +19940,7 @@
 	- iceape 1.1.5
 	NOTE: MFSA2007-33
 CVE-2007-5333 (Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 ...)
-	- tomcat5.5 5.5.26-1 (medium; bug #465645)
+	- tomcat5.5 5.5.26-1 (low; bug #465645)
 	- tomcat5 <removed>
 CVE-2007-5332 (Multiple unspecified vulnerabilities in (1) mediasvr and (2) caloggerd ...)
 	NOT-FOR-US: ARCServe BackUp
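Review bot: the downgrade of `tomcat5.5 5.5.26-1` from `medium` to `low` is not mentioned in the log message and carries no NOTE; add a short NOTE with the reason so the severity change can be audited alongside the `(bug #465645)` reference.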

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2009-02-13 21:14:13 UTC (rev 11209)
+++ data/spu-candidates.txt	2009-02-13 21:30:33 UTC (rev 11210)
@@ -316,6 +316,11 @@
 
 --
 
+mailscanner (CVE-2008-5312, CVE-2008-5313)
+#506353
+
+--
+
 mecab (CVE-2007-3231)
 #429174
 notified maintainer
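Review bot: the new `mailscanner (CVE-2008-5312, CVE-2008-5313)` block lacks a status line, while the neighbouring `mecab` entry records `notified maintainer`; add whatever the current state is (maintainer notified, or not yet contacted) so the candidate list stays actionable.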
@@ -545,6 +550,11 @@
 
 --
 
+tqsllib 2.0-8 (CVE-2009-0124)
+#511509
+
+--
+
 trickle
 #513456
 notified maintainer
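Review bot: `tqsllib 2.0-8 (CVE-2009-0124)` includes a version number where the `mailscanner` entry added in the same commit does not; keep the candidate headers in one format, and add a status line as the `trickle` entry below does.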
