[Secure-testing-commits] r11944 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Thu May 21 12:24:46 UTC 2009


Author: jmm-guest
Date: 2009-05-21 12:24:46 +0000 (Thu, 21 May 2009)
New Revision: 11944

Modified:
   data/CVE/list
   data/ospu-candidates.txt
   data/spu-candidates.txt
Log:
- minor ntp issue has been fixed in DSA alongside a more severe issue,
  remove from ospu/spu candidates list
- kernel fixed
- selinux issue was fixed for 2.6.29 through stable kernel update
- issue tracked as openjdk is actually an lcms issue
- CVE-2008-5519 is listed on the Tomcat web site, but it's actually within
  mod-jk only
- clone ffmpeg-debian issue for the ffmpeg version in etch
- clone gnutls issue for the gnutls version in etch
- remove duplicate etch entry for older apache issue


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-05-21 11:55:59 UTC (rev 11943)
+++ data/CVE/list	2009-05-21 12:24:46 UTC (rev 11944)
@@ -992,7 +992,7 @@
 	[etch] - linux-2.6 <not-affected> (Vulnerable code not present)
 CVE-2009-1337 (The exit_notify function in kernel/exit.c in the Linux kernel before ...)
 	{DSA-1800-1 DSA-1794-1 DSA-1787-1}
-	- linux-2.6 <unfixed>
+	- linux-2.6 2.6.29-5
 	- linux-2.6.24 <removed>
 CVE-2009-1336 (fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly ...)
 	{DSA-1794-1}
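Review bot: the fixed version 2.6.29-5 for CVE-2009-1337 replaces <unfixed> without a NOTE recording where the fix landed; the log message says "kernel fixed" only. Consider adding a NOTE line pointing at the changelog entry so the tracker entry can be verified against the package without reading this commit.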
@@ -1740,8 +1740,7 @@
 	- udev 0.141-1 (medium)
 CVE-2009-1184 (The selinux_ip_postroute_iptables_compat function in ...)
 	{DSA-1800-1}
-	- linux-2.6 2.6.30-1
-	NOTE: compat code was removed in 30-rc1, so marking 2.6.30 as fixed
+	- linux-2.6 2.6.29-5
 	[etch] - linux-2.6 <not-affected> (Issue was introduced after 2.6.24 release)
 	- linux-2.6.24 <not-affected> (Issue was introduced after 2.6.24 release)
 CVE-2009-1183 (The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and ...)
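Review bot: the removed NOTE ("compat code was removed in 30-rc1, so marking 2.6.30 as fixed") carried the reasoning behind the previous status, and nothing in the hunk replaces it; the fact that the fix reached 2.6.29-5 through a stable kernel update survives only in the commit log. Suggest keeping a NOTE such as "NOTE: fixed in 2.6.29-5 via stable kernel update" so the entry explains its own fixed version.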
@@ -3063,6 +3062,7 @@
 CVE-2009-0793 (cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK ...)
 	{DSA-1769-1}
 	- openjdk-6 <unfixed>
+	- lcms <unfixed> (low)
 CVE-2009-0792 (Multiple integer overflows in icc.c in the International Color ...)
 	{DTSA-198-1}
 	- argyll 1.0.3-3 (medium; bug #523472; bug #524802)
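Review bot: openjdk-6 <unfixed> stays in place while "- lcms <unfixed> (low)" is added, although the log message says the issue tracked as openjdk is actually an lcms issue. If openjdk-6 ships its own copy of cmsxform.c (the CVE text says "as used in OpenJDK"), keep the openjdk-6 line and add a NOTE saying it is an embedded copy; if it links the system liblcms, openjdk-6 should be <not-affected> or dropped so the entry does not show two independently unfixed packages for one bug.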
@@ -6877,10 +6877,7 @@
 CVE-2008-5520 (AhnLab V3 2008.12.4.1 and possibly 2008.9.13.0, when Internet Explorer ...)
 	NOT-FOR-US: AhnLab V3
 CVE-2008-5519 (The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat ...)
-	- tomcat5.5 <unfixed> (bug #523054)
-	- libapache-mod-jk <removed>
-	- libapache2-mod-jk <unfixed> (bug #523054)
-	TODO: check whether libapache-mod-jk and libapache2-mod-jk are vulnerable
+	- libapache-mod-jk <unfixed> (bug #523054)
 CVE-2008-5518 (Multiple directory traversal vulnerabilities in the web administration ...)
 	- geronimo <itp> (bug #481869)
 CVE-2008-5517 (The web interface in git (gitweb) 1.5.x before 1.5.6 allows remote ...)
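Review bot: this hunk removes "libapache2-mod-jk <unfixed> (bug #523054)" together with the tomcat5.5 line, but the log message only justifies dropping tomcat5.5 (the issue is within mod-jk only); libapache2-mod-jk is a mod-jk package and would still be affected. It also flips libapache-mod-jk from <removed> to <unfixed> without explanation. Suggest restoring the libapache2-mod-jk line and adding a NOTE on why libapache-mod-jk is considered present again, or keeping its <removed> status.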
@@ -9170,6 +9167,7 @@
 	NOTE: only the aac issue affected mplayer because it built against a copy of faad
 	NOTE: the ogm issue is a problem in ffmpeg
 	- ffmpeg-debian <unfixed> (unimportant; bug #509616)
+	- ffmpeg <removed> (unimportant)
 	NOTE: just a crasher, no security implications known so far
 	NOTE: http://sam.zoy.org/blog/2007-01-16-exposing-file-parsing-vulnerabilities
 CVE-2008-4609 (The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, ...)
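Review bot: the cloned "- ffmpeg <removed> (unimportant)" line does not say that it exists for the ffmpeg source package in etch, which is the reason given in the log message; the two NOTE lines below it were written for ffmpeg-debian. Consider adding a NOTE (or an [etch] line) recording that this entry covers the etch ffmpeg package, so the clone is not mistaken for a stray removed-package entry.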
@@ -14604,6 +14602,7 @@
 	- hf 0.8-8.1 (medium; bug #504182)
 CVE-2008-2377 (Use after free vulnerability in the ...)
 	- gnutls26 2.4.1-1 (medium)
+	- gnutls13 <not-affected> (Problem was introduced in 2.3.5)
 CVE-2008-2376 (Integer overflow in the rb_ary_fill function in array.c in Ruby before ...)
 	{DSA-1618-1 DSA-1612-1}
 	- ruby1.9 1.9.0.2-2
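Review bot: the gnutls13 <not-affected> line gives "Problem was introduced in 2.3.5" as its justification but no NOTE with the upstream reference that establishes it; since this decides that the etch gnutls gets no update, a NOTE with the upstream commit or changelog pointer would make the not-affected status checkable later.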
@@ -26630,7 +26629,6 @@
 	NOTE: Etch's default configuration not vulnerable due to AddDefaultCharset,
 	NOTE: but many users change this.
 	NOTE: The apache2 fix is actually a workaround. It will not be applied to apache 1.3.
-	[etch] - apache2 2.2.3-4+etch4
 CVE-2007-4464 (CRLF injection vulnerability in the Fileinfo 2.0.9 plugin for Total ...)
 	NOT-FOR-US: Total Commander
 CVE-2007-4463 (The Fileinfo 2.0.9 plugin for Total Commander allows user-assisted ...)
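Review bot: the removed "[etch] - apache2 2.2.3-4+etch4" is described in the log as a duplicate, but the surviving copy is outside the three lines of context, so the hunk alone cannot show that an [etch] apache2 line remains for this CVE. Either widen the context in the commit or add a NOTE beside the remaining entry; as committed, a reader of the diff sees an etch fixed-version being dropped from an entry whose NOTE says the apache2 fix is only a workaround.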

Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt	2009-05-21 11:55:59 UTC (rev 11943)
+++ data/ospu-candidates.txt	2009-05-21 12:24:46 UTC (rev 11944)
@@ -444,11 +444,6 @@
 
 --
 
-ntp (CVE-2009-0159)
-#525373
-
---
-
 nvi
 #496462
 notified maintainer
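Review bot: the ntp (CVE-2009-0159) candidate is removed with bug #525373 but without naming the DSA in which the log says it was fixed; a one-line mention of the DSA id in the commit message (or a NOTE on the CVE entry) would let the bug be closed with the right reference.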

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2009-05-21 11:55:59 UTC (rev 11943)
+++ data/spu-candidates.txt	2009-05-21 12:24:46 UTC (rev 11944)
@@ -52,11 +52,6 @@
 
 --
 
-ntp (CVE-2009-0159)
-#525373
-
---
-
 openldap
 #253838
 

