[Secure-testing-commits] r12244 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Wed Jul 1 18:24:25 UTC 2009
Author: jmm-guest
Date: 2009-07-01 18:24:25 +0000 (Wed, 01 Jul 2009)
New Revision: 12244
Modified:
data/CVE/list
data/ospu-candidates.txt
data/spu-candidates.txt
Log:
- new phpmyadmin issue
- libpng and browser randomness issues no-dsa
- ocsinventory documented as not to be used
with a public web server (TODO: document in
debtag)
- moin non-issue
- samba fixed
- add epoch to compface entry
- new icedove issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-07-01 17:52:25 UTC (rev 12243)
+++ data/CVE/list 2009-07-01 18:24:25 UTC (rev 12244)
@@ -27,6 +27,8 @@
NOT-FOR-US: Zen Cart
CVE-2009-2253
RESERVED
+CVE-2009-XXXX [PMASA-2009-5: XSS via a crafted SQL bookmark]
+ - phpmyadmin 4:3.2.0.1-1
CVE-2009-2252
RESERVED
CVE-2009-2251
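Review bot: the new phpmyadmin line carries no severity or bug reference, unlike the surrounding fixed entries such as `- libcompface 1:1.5.2-5 (medium; bug #534973)`; add a severity and, since PMASA-2009-5 is only named in the bracketed title, a `NOTE:` line with the advisory reference so the fix can be traced later.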
@@ -91,7 +93,7 @@
[etch] - nagios2 <unfixed>
NOTE: http://secunia.com/advisories/35543
CVE-2009-2286 [compface buffer overflow]
- - libcompface 1.5.2-5 (medium; bug #534973)
+ - libcompface 1:1.5.2-5 (medium; bug #534973)
CVE-2009-XXXX [apache2 mod_deflate DoS]
- apache2 <unfixed> (medium; bug #534712)
CVE-2009-2233 (The admin interface in AWScripts.com Gallery Search Engine 1.5 allows ...)
@@ -236,7 +238,8 @@
CVE-2009-2167 (Multiple SQL injection vulnerabilities in cpanel/login.php in EgyPlus ...)
NOT-FOR-US: EgyPlus 7ammel (aka 7ml)
CVE-2009-2166 (Absolute path traversal vulnerability in cvs.php in OCS Inventory NG ...)
- - ocsinventory-server 1.02.1-1 (medium; bug #531735)
+ - ocsinventory-server 1.02.1-1 (unimportant; bug #531735)
+ NOTE: README.Debian states Important: access to the reports server should be restricted
CVE-2009-2165 (SerendipityNZ (aka SimpleBoxes) Serene Bach 2.20R and earlier, and ...)
NOT-FOR-US: SerendipityNZ (aka SimpleBoxes) Serene Bach
CVE-2009-2164 (Multiple SQL injection vulnerabilities in Kjtechforce mailman beta1, ...)
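Review bot: the downgrade to `unimportant` for an absolute path traversal rests solely on README.Debian advice, not on a code-level mitigation, so the added NOTE should say explicitly that the issue remains exploitable by anyone who can reach the reports server; otherwise a later triager may read `unimportant` as not-affected, and the commit message's open TODO about documenting this in a debtag is not reflected anywhere in the entry.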
@@ -364,7 +367,8 @@
- git-core 1:1.6.3.3-1 (medium; bug #532935)
NOTE: http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9
CVE-2009-XXXX [moin: heirarchical ACL vulnerability]
- - moin 1.8.4-1 (low; bug #533673)
+ - moin 1.8.4-1 (unimportant; bug #533673)
+ NOTE: Not a specific vulnerability, rather a security-related behaviour change, see bug
[etch] - moin <not-affected> (vulnerable code not present in 1.5.3-1.2etch2)
CVE-2009-XXXX [pcsc-lite: creates world-writable directory]
- pcsc-lite 1.5.4-1 (low; bug #533670)
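Review bot: the added NOTE ends with "see bug" without naming it; the bug number (#533673) only appears on the package line above, so write "see #533673" so the note stays meaningful if the package line is later edited. The context line's "heirarchical" is also a typo in the existing title, untouched by this hunk.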
@@ -524,6 +528,8 @@
NOTE: Browser crashes not treated as security issues
CVE-2009-2042 (libpng before 1.2.37 does not properly parse 1-bit interlaced images ...)
- libpng 1.2.37-1 (low; bug #533676)
+ [etch] - libpng <no-dsa> (Minor issue, only exploitable in rare setups)
+ [lenny] - libpng <no-dsa> (Minor issue, only exploitable in rare setups)
CVE-2009-2041 (Cross-site scripting (XSS) vulnerability in A51 D.O.O. activeCollab ...)
NOT-FOR-US: activeCollab
CVE-2009-2040 (admin/options.php in Grestul 1.2 does not properly restrict access, ...)
@@ -702,12 +708,21 @@
NOT-FOR-US: MHF Media Pro
CVE-2009-XXXX [predictable random number generator used in web browsers]
- webkit <unfixed> (low; bug #532514)
+ [lenny] - webkit <no-dsa> (Minor issue)
- xulrunner <unfixed> (low; bug #532516)
+ [lenny] - xulrunner <no-dsa> (Minor issue)
+ [etch] - xulrunner <no-dsa> (Minor issue)
+ - xulrunner <unfixed> (low; bug #532516)
- kdebase <unfixed> (low; bug #532519)
+ [lenny] - kdebase <no-dsa> (Minor issue)
+ [etch] - kdebase <no-dsa> (Minor issue)
- w3m <unfixed> (low; bug #532521)
+ [lenny] - w3m <no-dsa> (Minor issue)
+ [etch] - w3m <no-dsa> (Minor issue)
- chromium-browser <itp> (low; bug #520324)
NOTE: lynx and dillo not affected, don't support Javascript and multipart/form-data
- NOTE: tracking fringe browsers (w3m), but need to check whether they are really affected or not
+ NOTE: These issues can be fixed in more recent upstream versions, but the risk
+ NOTE: of regression doesn't outweigh the issue at hand
CVE-2009-1961 (The inode double locking code in fs/ocfs2/file.c in the Linux kernel ...)
- linux-2.6 <unfixed> (low)
[etch] - linux-2.6 <not-affected> (Affected code was introduced in 2.6.19)
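Review bot: the added line `+ - xulrunner <unfixed> (low; bug #532516)` duplicates the unchanged `- xulrunner <unfixed> (low; bug #532516)` two lines above it, so xulrunner would be listed twice in this entry; drop the added copy and keep the `[lenny]`/`[etch]` no-dsa lines directly under the existing one, matching the layout used for webkit, kdebase and w3m in the same hunk.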
@@ -892,6 +907,7 @@
{DSA-1823-1}
- samba 2:3.3.6-1
[etch] - samba <not-affected> (Vulnerable code not present)
+ NOTE: Only the 3.2.x branch was affected, so marking 3.3 as affected
CVE-2009-1885
RESERVED
CVE-2009-1884
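Review bot: the added NOTE contradicts the entry: it says "Only the 3.2.x branch was affected, so marking 3.3 as affected", while the line above records `samba 2:3.3.6-1` as the fixed version. Presumably the intent was "so marking 3.3 as not affected" (or "as fixed in 2:3.3.6-1"); reword the note so it agrees with the package line.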
@@ -906,7 +922,8 @@
CVE-2009-1880 (Cross-site scripting (XSS) vulnerability in MT312 REP-BBS allows ...)
NOT-FOR-US: MT312
CVE-2009-XXXX [OCS Inventory NG SQL Injection Vulnerability]
- - ocsinventory-server 1.02.1-1 (low; bug #531735)
+ - ocsinventory-server 1.02.1-1 (unimportant; bug #531735)
+ NOTE: README.Debian states Important: access to the reports server should be restricted
NOTE: can be exploited only if magic_quotes is off
CVE-2009-3870
REJECTED
@@ -1013,15 +1030,12 @@
- xulrunner 1.9.0.11-1
[squeeze] - xulrunner 1.9.0.11-0lenny1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
- - icedove <unfixed>
- TODO: check whether icedove itself is affected or whether the problem is solely within xulrunner
+ - icedove 2.0.0.22-1
CVE-2009-1840 (Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check ...)
{DSA-1820-1}
- xulrunner 1.9.0.11-1
[squeeze] - xulrunner 1.9.0.11-0lenny1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
- - icedove <unfixed>
- TODO: check whether icedove itself is affected or whether the problem is solely within xulrunner
CVE-2009-1839 (Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with ...)
{DSA-1820-1}
- xulrunner 1.9.0.11-1
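Review bot: for CVE-2009-1840 the two icedove lines are removed outright, whereas the neighbouring entry gets `+ - icedove 2.0.0.22-1`. Deleting the line leaves no record of why icedove is out of scope; add `- icedove <not-affected> (...)` with a one-line reason, or a `NOTE:` line, so the decision answered by the removed TODO survives in the data.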
@@ -1032,8 +1046,7 @@
- xulrunner 1.9.0.11-1
[squeeze] - xulrunner 1.9.0.11-0lenny1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
- - icedove <unfixed>
- TODO: check whether icedove itself is affected or whether the problem is solely within xulrunner
+ - icedove 2.0.0.22-1
CVE-2009-1837 (Race condition in the NPObjWrapper_NewResolve function in ...)
{DSA-1820-1}
- xulrunner 1.9.0.11-1
@@ -1044,36 +1057,28 @@
- xulrunner 1.9.0.11-1
[squeeze] - xulrunner 1.9.0.11-0lenny1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
- - icedove <unfixed>
- TODO: check whether icedove itself is affected or whether the problem is solely within xulrunner
+ - icedove 2.0.0.22-1
CVE-2009-1835 (Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate ...)
{DSA-1820-1}
- xulrunner 1.9.0.11-1
[squeeze] - xulrunner 1.9.0.11-0lenny1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
- - icedove <unfixed>
- TODO: check whether icedove itself is affected or whether the problem is solely within xulrunner
CVE-2009-1834 (Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in ...)
{DSA-1820-1}
- xulrunner 1.9.0.11-1
[squeeze] - xulrunner 1.9.0.11-0lenny1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
- - icedove <unfixed>
- TODO: check whether icedove itself is affected or whether the problem is solely within xulrunner
CVE-2009-1833 (The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird ...)
{DSA-1820-1}
- xulrunner 1.9.0.11-1
[squeeze] - xulrunner 1.9.0.11-0lenny1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
- - icedove <unfixed>
- TODO: check whether icedove itself is affected or whether the problem is solely within xulrunner
CVE-2009-1832 (Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and ...)
{DSA-1820-1}
- xulrunner 1.9.0.11-1
[squeeze] - xulrunner 1.9.0.11-0lenny1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
- - icedove <unfixed>
- TODO: check whether icedove itself is affected or whether the problem is solely within xulrunner
+ - icedove 2.0.0.22-1
CVE-2009-1828 (Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of ...)
- xulrunner <unfixed> (unimportant)
NOTE: Browser crashes not treated as security issues
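Review bot: within this hunk the icedove handling is inconsistent: CVE-2009-1836, CVE-2009-1832 and the entry at the top get `+ - icedove 2.0.0.22-1`, while CVE-2009-1835, CVE-2009-1834 and CVE-2009-1833 have their `- icedove <unfixed>` and TODO lines deleted with no replacement. Record the conclusion for the latter three as `- icedove <not-affected> (...)` with a short reason rather than silently dropping them, since the removed TODO was precisely the question of whether icedove is affected.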
@@ -2547,6 +2552,7 @@
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-1307 (The view-source: URI implementation in Mozilla Firefox before 3.0.9, ...)
{DSA-1797-1}
+ - icedove 2.0.0.22-1
- xulrunner 1.9.0.9-1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-1306 (The jar: URI implementation in Mozilla Firefox before 3.0.9, ...)
@@ -2565,10 +2571,12 @@
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-1303 (The browser engine in Mozilla Firefox before 3.0.9, Thunderbird before ...)
{DSA-1797-1}
+ - icedove 2.0.0.22-1
- xulrunner 1.9.0.9-1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-1302 (The browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird ...)
{DSA-1797-1}
+ - icedove 2.0.0.22-1
- xulrunner 1.9.0.9-1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-1301 (Integer signedness error in the store_id3_text function in the ID3v2 ...)
@@ -4628,6 +4636,7 @@
- iceweasel 3.0.7-1 (low)
CVE-2009-0776 (nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before ...)
{DSA-1751-1}
+ - icedove 2.0.0.22-1
- iceweasel 3.0
NOTE: Iceweasel in Lenny links against Xulrunner
- xulrunner 1.9.0.7-1
@@ -4638,20 +4647,24 @@
[etch] - xulrunner <not-affected> (Vulnerable code not present)
CVE-2009-0774 (The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird ...)
{DSA-1751-1}
+ - icedove 2.0.0.22-1
- iceweasel 3.0
NOTE: Iceweasel in Lenny links against Xulrunner
- xulrunner 1.9.0.7-1
CVE-2009-0773 (The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird ...)
{DSA-1751-1}
+ - icedove 2.0.0.22-1
- xulrunner 1.9.0.7-1
[etch] - xulrunner <not-affected> (Vulnerable code not present)
CVE-2009-0772 (The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird ...)
{DSA-1751-1}
+ - icedove 2.0.0.22-1
- iceweasel 3.0
NOTE: Iceweasel in Lenny links against Xulrunner
- xulrunner 1.9.0.7-1
CVE-2009-0771 (The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before ...)
{DSA-1751-1}
+ - icedove 2.0.0.22-1
- xulrunner 1.9.0.7-1
[etch] - xulrunner <not-affected> (Vulnerable code not present)
- kompozer 1:0.8~alpha2+dfsg+svn129-1
@@ -5170,6 +5183,7 @@
- openssl 0.9.8-1 (bug #517791)
CVE-2009-0652 (The Internationalized Domain Names (IDN) blacklist in Mozilla Firefox ...)
{DSA-1797-1}
+ - icedove 2.0.0.22-1
- xulrunner 1.9.0.9-1
[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-0651 (Unspecified vulnerability in the Veritas network daemon (aka vnetd) in ...)
@@ -6523,14 +6537,14 @@
- xulrunner 1.9.0.5-1
- iceape 1.1.14-1.1
NOTE: Iceape in Lenny only provides XPCOM libs
- - icedove <unfixed>
+ - icedove 2.0.0.22-1
CVE-2009-0352 (Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before ...)
- iceweasel 3.0
NOTE: Iceweasel in Lenny links against Xulrunner
- xulrunner 1.9.0.5-1
- iceape 1.1.14-1.1
NOTE: Iceape in Lenny only provides XPCOM libs
- - icedove <unfixed>
+ - icedove 2.0.0.22-1
- kompozer 1:0.8~alpha2+dfsg+svn129-1
CVE-2009-0343 (Niels Provos Systrace 1.6f and earlier on the x86_64 Linux platform ...)
NOT-FOR-US: Systrace
@@ -8172,6 +8186,7 @@
NOTE: http://www.tdiary.org/20071215.html
CVE-2009-0040 (The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before ...)
{DSA-1750-1}
+ - icedove 2.0.0.22-1
- libpng 1.2.35-1 (bug #516256)
CVE-2009-0039 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...)
- geronimo <itp> (bug #481869)
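Review bot: CVE-2009-0040 is a libpng issue, and this hunk adds `+ - icedove 2.0.0.22-1` without stating the link; a `NOTE:` line recording that icedove ships its own copy of libpng would explain why a browser package appears under a library CVE and save the next reader from re-deriving it.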
Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt 2009-07-01 17:52:25 UTC (rev 12243)
+++ data/ospu-candidates.txt 2009-07-01 18:24:25 UTC (rev 12244)
@@ -317,6 +317,11 @@
--
+libpng (CVE-2009-2042)
+#533676
+
+--
+
libsamplerate (CVE-2008-5008)
https://bugzilla.redhat.com/attachment.cgi?id=323069
notified maintainer
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-07-01 17:52:25 UTC (rev 12243)
+++ data/spu-candidates.txt 2009-07-01 18:24:25 UTC (rev 12244)
@@ -76,6 +76,11 @@
--
+libpng (CVE-2009-2042)
+#533676
+
+--
+
libvorbis (CVE-2008-2009)
notified maintainer and release team