[Secure-testing-commits] r12191 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Wed Jun 24 18:47:23 UTC 2009
Author: jmm-guest
Date: 2009-06-24 18:47:22 +0000 (Wed, 24 Jun 2009)
New Revision: 12191
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
- xfs fixed
- convirt fixed
- jasper fixed
- some cleanups of CVE requests
- I've begun triaging the xine-lib issues for etch
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-06-24 17:27:44 UTC (rev 12190)
+++ data/CVE/list 2009-06-24 18:47:22 UTC (rev 12191)
@@ -1623,10 +1623,9 @@
CVE-2008-6788 (SQL injection vulnerability in MindDezign Photo Gallery 2.2, when ...)
NOT-FOR-US: MindDezign Photo Gallery
CVE-2009-1573 (xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly ...)
- - xorg-server <unfixed> (low; bug #526678)
+ - xorg-server 2:1.6.1.901-3 (low; bug #526678)
[etch] - xorg-server <no-dsa> (minor issue)
[lenny] - xorg-server <no-dsa> (minor issue)
- NOTE: CVE id requested
CVE-2009-1515 (Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c ...)
- file 5.02-1
[lenny] - file <not-affected> (Vulnerable code not present)
@@ -5063,7 +5062,6 @@
NOTE: possible without impacting authorized users. otherwise, why spend so much effort
NOTE: to make sure xscreensaver, gdm, and login are rock solid?
NOTE: - i would like to track as low, rather than unimportant
- NOTE: should a CVE be requested for this problem?
CVE-2009-0753 (Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7 ...)
{DSA-1739-1}
- mldonkey 3.0.0-1 (bug #516829; medium)
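Review bot: dropping the open question "should a CVE be requested for this problem?" without recording the outcome loses the triage state for this entry; the surrounding NOTE lines argue for tracking it as low, so a one-line note saying whether an id was requested or the request was declined would keep that decision traceable.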
@@ -6170,9 +6168,6 @@
CVE-2009-0490 (Stack-based buffer overflow in the String_parse::get_nonspace_quoted ...)
{DTSA-192-1}
- audacity 1.3.6-1 (bug #514138)
- NOTE: http://www.milw0rm.com/exploits/7634
- NOTE: https://bugs.gentoo.org/show_bug.cgi?id=253493
- NOTE: CVE id requested
[lenny] - audacity 1.3.5-2+lenny1
CVE-2009-0368 (OpenSC before 0.11.7 allows physically proximate attackers to bypass ...)
{DSA-1734-1}
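Review bot: removing "NOTE: CVE id requested" is consistent with the entry already carrying CVE-2009-0490, but the Gentoo bug reference (https://bugs.gentoo.org/show_bug.cgi?id=253493) is a useful cross-reference to the fix discussion and could stay.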
@@ -8927,8 +8922,7 @@
- geda-gnetlist 1:1.4.0-3 (bug #506625; unimportant)
NOTE: sch2eaglepos.sh only used as example script
CVE-2008-5248 (xine-lib before 1.1.15 allows remote attackers to cause a denial of ...)
- - xine-lib 1.1.14-3 (unimportant)
- NOTE: just a crasher
+ - xine-lib 1.1.14-3
CVE-2008-5247 (The real_parse_audio_specific_data function in demux_real.c in ...)
- xine-lib <unfixed> (unimportant; bug #508715)
NOTE: a devide by 0 because of a crafted media file is hardly a security issue,
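Review bot: the replacement line "- xine-lib 1.1.14-3" drops the "(unimportant)" severity without stating a new one, so the CVE-2008-5248 entry is now untagged; since the log says etch triage for xine-lib has begun, state the intended severity explicitly or add an [etch] line so the change in assessment is recorded rather than implied.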
@@ -8938,6 +8932,7 @@
- xine-lib 1.1.14-3 (low; bug #507184; bug #498243)
CVE-2008-5245 (xine-lib before 1.1.15 performs V4L video frame preallocation before ...)
- xine-lib 1.1.14-3 (low)
+ [etch] - xine-lib <not-affected> (The version from Etch doesn't yet perform pre-allocation)
CVE-2008-5244 (Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact ...)
- xine-lib 1.1.14-3 (unimportant)
- faad2 2.6.1-1 (unimportant)
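Review bot: the added "[etch] - xine-lib <not-affected>" line follows the file's format, but its rationale would be easier to re-verify later if it named the etch source version that lacks the preallocation code, the way the file's other <not-affected> entries tie the reason to a concrete version or code state.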
@@ -12539,7 +12534,7 @@
- apertium 3.0.7+1-1.1 (low; bug #496395)
[etch] - apertium <no-dsa> (Minor issue)
CVE-2008-4946 (convirt 0.8.2 allows local users to overwrite arbitrary files via a ...)
- - convirt <unfixed> (medium; bug #496419)
+ - convirt 0.9.6-1 (medium; bug #496419)
CVE-2008-4942 (audiolink in audiolink 0.05 allows local users to overwrite arbitrary ...)
- audiolink 0.05-1.1 (low; bug #496433)
[etch] - audiolink <no-dsa> (Minor issue)
@@ -32117,7 +32112,7 @@
CVE-2007-2722 (Unspecified vulnerability in NewzCrawler 1.8 allows remote attackers ...)
NOT-FOR-US: NewzCrawler
CVE-2007-2721 (The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer ...)
- - jasper <unfixed> (medium; bug #413033; bug #528543)
+ - jasper 1.900.1-6 (medium; bug #413033; bug #528543)
NOTE: Jasper was initially fixed in 1.900.1-3, but the fix got dropped later, see #528543
- ghostscript 8.61.dfsg.1~svn8187-1.1 (medium; bug #447188)
NOTE: see http://ghostscript.com/pipermail/gs-cvs/2007-October/007877.html
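Review bot: the NOTE records that the jasper fix from 1.900.1-3 was dropped again, but not in which upload it was dropped, so the vulnerable range between 1.900.1-3 and the new fixed version 1.900.1-6 cannot be read off the entry; naming the regressing version (or pointing to where #528543 identifies it) would bound the affected versions.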
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-06-24 17:27:44 UTC (rev 12190)
+++ data/spu-candidates.txt 2009-06-24 18:47:22 UTC (rev 12191)
@@ -52,7 +52,7 @@
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
-[freebsd Local information disclosure via direct pipe writes]
+[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
--
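Review bot: the adjacent "[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]" entry is left without a CVE reference while the pipe entry gains one; if that advisory has an id assigned, adding it here keeps the two candidates consistent.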
@@ -61,7 +61,7 @@
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
-[freebsd Local information disclosure via direct pipe writes]
+[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
--
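Review bot: this hunk is identical to the one at line 52 of spu-candidates.txt, so the same freebsd block appears twice in the file and both copies had to be patched in lockstep; deduplicating the block would avoid one copy going stale.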