[Secure-testing-commits] r11213 - in data: . CVE DSA
jmm-guest at alioth.debian.org
Fri Feb 13 22:10:08 UTC 2009
Author: jmm-guest
Date: 2009-02-13 22:10:07 +0000 (Fri, 13 Feb 2009)
New Revision: 11213
Modified:
data/CVE/list
data/DSA/list
data/spu-candidates.txt
Log:
- add libarchive-tar-perl to spu candidates
- libsamplerate, python/imageop no-dsa
- add one missing CVE ID to python-dns DSA
- two mediawiki issues don't affect etch
- tar module not yet present in Etch's perl
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-02-13 21:51:36 UTC (rev 11212)
+++ data/CVE/list 2009-02-13 22:10:07 UTC (rev 11213)
@@ -2046,7 +2046,7 @@
CVE-2008-5687 (MediaWiki 1.11, and other versions before 1.13.3, does not properly ...)
{DTSA-186-1}
- mediawiki 1:1.13.3-1 (low)
- NOTE: the CVE id description is wrong, this is fixed in 1.13.3, notified mitre
+ [etch] - mediawiki <not-affected> (The backup feature was introduced in 1.11)
CVE-2008-5686 (IBM Tivoli Provisioning Manager (TPM) before 5.1.1.1 IF0006, when its ...)
NOT-FOR-US: IBM Tivoli Provisioning Manager
CVE-2008-5685 (Sun ScApp firmware 5.18.x, 5.19.x, and 5.20.0 through 5.20.10 on Sun ...)
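Review bot: the new `[etch] - mediawiki <not-affected> (...)` line is placed after the NOTE line, whereas the other entries in this file (for example the python2.5/python2.4 and blender entries further down) put release-specific lines directly under the unstable fixed-version line and keep NOTEs last; move it under `- mediawiki 1:1.13.3-1 (low)`. The reason text also says when the backup feature appeared (1.11) but not which version etch ships, and since the NOTE right above states that the CVE description's version range is wrong, naming the etch version in the reason would make the not-affected decision checkable without consulting the archive.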
@@ -3231,6 +3231,7 @@
CVE-2008-5249 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.13.0 through ...)
{DTSA-186-1}
- mediawiki 1:1.13.3-1 (bug #508868)
+ [etch] - mediawiki <not-affected> (Only 1.13.x is affected)
CVE-2008-5276 (Integer overflow in the ReadRealIndex function in real.c in the Real ...)
- vlc <not-affected> (vulnerable code not present)
NOTE: affected versions are >= 0.9.x (experimental)
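Review bot: the not-affected reason "Only 1.13.x is affected" restates the range from the CVE description ("MediaWiki 1.13.0 through ...") rather than saying what etch actually ships; record the etch mediawiki version in the reason so the decision stands on its own, given that the neighbouring CVE-2008-5687 entry already notes that a MediaWiki CVE description can be wrong.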
@@ -3789,7 +3790,10 @@
[etch] - linux-2.6 <not-affected> (Vulnerable code not present; different ioctls)
CVE-2008-5031 (Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, ...)
- python2.5 2.5.2-11.1
+ [etch] - python2.5 <no-dsa> (Minor issue)
- python2.4 2.4.6-1 (bug #507317)
+ [etch] - python2.4 <no-dsa> (Minor issue)
+ - python2.4 2.4.5-6 (low; bug #504620)
NOTE: definitely fixed in 2.5.2-11.1 for lenny/unstable (svn-updates.dpatch)
NOTE: maybe fixed earlier, doko is not able to tell the exact version atm
CVE-2008-5030 (Heap-based buffer overflow in the cddb_read_disc_data function in ...)
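Review bot: the added `- python2.4 2.4.5-6 (low; bug #504620)` line leaves CVE-2008-5031 with two fixed-version entries for python2.4, the existing `- python2.4 2.4.6-1 (bug #507317)` and this older 2.4.5-6, and the version and bug number are exactly those of the CVE-2008-4864 entry below, so this looks like a copy-and-paste slip; drop the line, or if 2.4.5-6 really fixed this CVE as well, replace the 2.4.6-1 line rather than adding a second one. Also, the severity "low" is added only to the new python2.4 line while the python2.5 line in the same entry carries none.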
@@ -3893,7 +3897,8 @@
- linux-2.6 2.6.26-11
- linux-2.6.24 2.6.24-6~etchnhalf.7
CVE-2008-5008 (Buffer overflow in src/src_sinc.c in Secret Rabbit Code (aka SRC or ...)
- - libsamplerate 0.1.4-1
+ - libsamplerate 0.1.4-1 (low)
+ [etch] - libsamplerate <no-dsa> (Minor issue)
CVE-2008-5006 (smtp.c in the c-client library in University of Washington IMAP ...)
{DSA-1685-1 DTSA-174-1 DTSA-174-2}
- uw-imap 7:2007d~dfsg-1
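Review bot: the libsamplerate entry gains a severity and an etch no-dsa tag but no NOTE pointing at the fix; the spu-candidates part of this commit records https://bugzilla.redhat.com/attachment.cgi?id=323069 as the patch reference, and a NOTE line here would keep that pointer next to the CVE entry instead of only in the candidate list.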
@@ -4151,8 +4156,10 @@
- valgrind 1:3.3.1-3 (unimportant; bug #507312)
NOTE: That's hardly an issue
CVE-2008-4864 (Multiple integer overflows in imageop.c in the imageop module in ...)
- - python2.5 2.5.2-12 (bug #504619)
- - python2.4 2.4.5-6 (bug #504620)
+ - python2.5 2.5.2-12 (low; bug #504619)
+ [etch] - python2.5 <no-dsa> (Minor issue)
+ - python2.4 2.4.5-6 (low; bug #504620)
+ [etch] - python2.4 <no-dsa> (Minor issue)
CVE-2008-4863 (Untrusted search path vulnerability in BPY_interface in Blender 2.46 ...)
- blender 2.46+dfsg-5 (bug #503632; low)
[etch] - blender 2.42a-8
@@ -21268,6 +21275,7 @@
NOT-FOR-US: DirectAdmin
CVE-2007-4829 (Directory traversal vulnerability in the Archive::Tar Perl module 1.36 ...)
- perl 5.10.0-19
+ [etch] - perl <not-affected> (Was merged into Perl as of 5.10)
- libarchive-tar-perl 1.38-1 (low; bug #449544)
[sarge] - libarchive-tar-perl <no-dsa> (Minor issue)
[etch] - libarchive-tar-perl <no-dsa> (Minor issue)
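Review bot: the reason "Was merged into Perl as of 5.10" states when Archive::Tar entered core perl, but the tracker reason field is read as why etch is not affected; phrase it the way the log entry does, for example "Archive::Tar not shipped in etch's perl (merged upstream in 5.10)", so the line does not need the commit message to be understood. The etch libarchive-tar-perl <no-dsa> line just below is consistent with adding the package to spu-candidates in the same commit, which is fine.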
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2009-02-13 21:51:36 UTC (rev 11212)
+++ data/DSA/list 2009-02-13 22:10:07 UTC (rev 11213)
@@ -324,7 +324,7 @@
{CVE-2007-2052 CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-1887}
[etch] - python2.5 2.5-5+etch1
[27 Jul 2008] DSA-1619-1 python-dns - DNS response spoofing
- {CVE-2008-1447 CVE-2008-4099}
+ {CVE-2008-1447 CVE-2008-4099 CVE-2008-4126}
[etch] - python-dns 2.3.0-5.2+etch1
[26 Jul 2008] DSA-1618-1 ruby1.9 - several vulnerabilities
{CVE-2008-2376 CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726}
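Review bot: adding CVE-2008-4126 to the DSA-1619-1 CVE set is only half of the cross-reference; the data/CVE/list part of this commit does not touch CVE-2008-4126, so check that its entry carries {DSA-1619-1} and the etch fixed version python-dns 2.3.0-5.2+etch1, otherwise the tracker will show the DSA covering the CVE while the CVE itself is not marked fixed in etch.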
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-02-13 21:51:36 UTC (rev 11212)
+++ data/spu-candidates.txt 2009-02-13 22:10:07 UTC (rev 11213)
@@ -272,12 +272,22 @@
--
+libarchive-tar-perl (CVE-2007-4829)
+#449544
+
+--
+
libpam-ssh (CVE-2007-0844)
#410236
notified maintainer
--
+libsamplerate (CVE-2008-5008)
+https://bugzilla.redhat.com/attachment.cgi?id=323069
+
+--
+
libpng (CVE-2008-1382)
#476669
notified maintainer
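Review bot: the two new entries add blank lines on both sides of the `--` divider (`+`, `+--`, `+`) while the existing entries around them (libpam-ssh, libpng) follow `--` directly with no blank lines; match the surrounding layout. The neighbouring entries also carry a "notified maintainer" status line; if the libarchive-tar-perl and libsamplerate maintainers have not been contacted yet, a line saying so keeps the file usable as a worklist. The libsamplerate entry cites only the Red Hat bugzilla attachment; the other entries also give a Debian bug number, which is worth adding if one exists.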
@@ -407,6 +417,14 @@
--
+python2.4 (CVE-2008-4864, CVE-2008-5031)
+#504620
+
+python2.5 (CVE-2008-4864, CVE-2008-5031)
+#504619
+
+--
+
python-django (CVE-2007-5712)
http://media.djangoproject.com/patches/2007-10-26-security-fix/
#448838
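Review bot: the python2.4 entry lists CVE-2008-5031 but cites only #504620, which in data/CVE/list is the bug for CVE-2008-4864; the CVE-2008-5031 python2.4 line carries bug #507317, so add it here. The same blank-line layout issue as in the earlier hunk of this file applies: the new block surrounds `--` with blank lines that the existing python-django entry does not use.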