[Secure-testing-commits] r13302 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Tue Nov 17 18:08:04 UTC 2009
Author: jmm-guest
Date: 2009-11-17 18:08:03 +0000 (Tue, 17 Nov 2009)
New Revision: 13302
Modified:
data/CVE/list
data/ospu-candidates.txt
data/spu-candidates.txt
Log:
- track grub2 fix for unstable, not experimental
- asterisk, kernel, xmltooling, net-snmp fixed
- various no-dsa
- remove dubious VulnDisco "issues" from the tracker until details are published
- old kvm issue doesn't affect us, CVE description is wrong, confirmed by KVM upstream
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-11-17 16:19:07 UTC (rev 13301)
+++ data/CVE/list 2009-11-17 18:08:03 UTC (rev 13302)
@@ -72,7 +72,7 @@
CVE-2009-3906
RESERVED
CVE-2009-XXXX [grub2: password bypass]
- - grub2 1.97+experimental.20091110-1 (bug #555195)
+ - grub2 1.97+20091115-1 (bug #555195)
[lenny] - grub2 <not-affected> (Password authentication not yet present)
NOTE: fixed in upstream verion 1.97.1
CVE-2009-3905 (Multiple cross-site scripting (XSS) vulnerabilities in e-Courier CMS ...)
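Review bot: the context line "NOTE: fixed in upstream verion 1.97.1" in this hunk has a typo ("verion"); since the grub2 entry is being edited anyway, fix it in the same commit. The new fixed version 1.97+20091115-1 is consistent with the log's intent to track the unstable upload rather than the experimental one.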
@@ -377,7 +377,7 @@
CVE-2009-3768
RESERVED
CVE-2009-3767 (libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not ...)
- - openldap 2.4.17-2.1 (medium; bug #553432)
+ - openldap 2.4.17-2.1 (low; bug #553432)
- openldap2.3 <removed>
CVE-2009-3766 (mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when ...)
- mutt <not-affected> (uses GnuTLS and not OpenSSL)
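Review bot: the severity downgrade from medium to low on the openldap line for CVE-2009-3767 is not mentioned in the commit log and the entry carries no rationale; add a NOTE: line stating why the severity was lowered so later triage can see the reasoning instead of having to rediscover it.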
@@ -462,7 +462,7 @@
CVE-2009-3728 (Directory traversal vulnerability in the ICC_Profile.getInstance ...)
TODO: check
CVE-2009-3727 (Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, ...)
- - asterisk <unfixed>
+ - asterisk 1:1.6.2.0~rc6-1
[lenny] - asterisk <no-dsa> (Minor issue)
[etch] - asterisk <no-dsa> (Minor issue)
CVE-2009-3726 (The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client ...)
@@ -701,13 +701,15 @@
NOT-FOR-US: FrontRange HEAT
CVE-2009-3641 (Snort before 2.8.5.1, when the -v option is enabled, allows remote ...)
- snort <unfixed> (low; bug #553584)
- NOTE: -v is usually not used as it's slow and is only for debugging purposes
+ [lenny] - snort <no-dsa> (Minor issue; -v is usually not used as it's slow and is only for debugging purposes)
+ [etch] - snort <no-dsa> (Minor issue; -v is usually not used as it's slow and is only for debugging purposes)
CVE-2009-3640 (The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM ...)
- linux-2.6 2.6.31-1 (medium)
- [etch] - linux-2.6 <not-affected> (introduced in 2.6.25)
- NOTE: fixed in upstream 2.6.32-rc1
- - linux-2.6.24 <not-affected> (introduced in 2.6.25)
- - kvm <unfixed> (medium)
+ [lenny] - linux-2.6 <not-affected> (introduced post 2.6.27)
+ [etch] - linux-2.6 <not-affected> (introduced post 2.6.27)
+ - linux-2.6.24 <not-affected> (introduced post 2.6.27)
+ - kvm <unfixed>
+ [lenny] - kvm <not-affected> (Vulnerable code not present)
CVE-2009-3639 (The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before ...)
{DSA-1925-1}
- proftpd-dfsg 1.3.2a-2 (low)
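Review bot: the kvm part of this hunk does not match the commit log. The log says the old kvm issue does not affect us and that the CVE description is wrong per KVM upstream, yet the entry keeps "- linux-2.6 2.6.31-1 (medium)" and "- kvm <unfixed>", and the only upstream fix reference, "NOTE: fixed in upstream 2.6.32-rc1", is dropped. Record the upstream confirmation as a NOTE: line in the entry itself so the rationale survives outside the commit log, and either keep the 2.6.32-rc1 note or state why it no longer applies. The severity was also removed from the kvm line but left on the linux-2.6 line for the same CVE, which reads as inconsistent. For snort, the "-v is usually not used ..." rationale is now copied verbatim into both the lenny and etch no-dsa lines; a single NOTE: line would avoid the two copies drifting apart.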
@@ -722,6 +724,7 @@
CVE-2009-3637 [alien-arena server issue]
RESERVED
- alien-arena <unfixed> (bug #552038)
+ [lenny] - alien-arena <no-dsa> (Contrib not supported)
CVE-2009-3636 (Cross-site scripting (XSS) vulnerability in the Install Tool ...)
{DSA-1926-1}
- typo3-src 4.2.10-1 (medium; bug #552020)
@@ -813,7 +816,6 @@
{DSA-1929-1 DSA-1928-1 DSA-1927-1}
- linux-2.6 2.6.31-2 (low)
- linux-2.6.24 <removed> (low)
- NOTE: fixed in 2.6.32-rc5
CVE-2009-3611 (common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes ...)
- backintime 0.9.26-3 (bug #543785)
CVE-2009-3609 (Integer overflow in the ImageStream::ImageStream function in Stream.cc ...)
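Review bot: removing "NOTE: fixed in 2.6.32-rc5" deletes the only upstream fix reference in this entry, and the removal is not mentioned in the commit log; the hunk context does not even show which CVE the entry belongs to, so a reviewer cannot confirm the note became redundant. If it is considered covered by the three DSAs listed, say so in the log or keep the note.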
@@ -880,13 +882,13 @@
[etch] - aria2 <not-affected> (Vulnerable code not present)
[lenny] - aria2 <not-affected> (Vulnerable code not present)
CVE-2009-3571 (Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact ...)
- - openoffice.org <unfixed> (medium; bug #551068)
+ TODO: check once details are available: - openoffice.org <unfixed> (medium; bug #551068)
NOTE: details are unknown
CVE-2009-3570 (Unspecified vulnerability in OpenOffice.org (OOo) has unspecified ...)
- - openoffice.org <unfixed> (medium; bug #551068)
+ TODO: check once details are available:- openoffice.org <unfixed> (medium; bug #551068)
NOTE: details are unknown
CVE-2009-3569 (Stack-based buffer overflow in OpenOffice.org (OOo) allows remote ...)
- - openoffice.org <unfixed> (medium; bug #551068)
+ TODO: check once details are available:- openoffice.org <unfixed> (medium; bug #551068)
NOTE: details are unknown
CVE-2009-3568 (Comment RSS 5.x before 5.x-2.2 and 6.x before 6.x-2.2, a module for ...)
NOT-FOR-US: module for Drupal
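Review bot: prefixing the package line with "TODO: check once details are available:" changes what the three openoffice.org entries record: "- openoffice.org <unfixed> (medium; bug #551068)" is no longer a package-status line in the format the rest of the file uses, so the tracked state for CVE-2009-3571, CVE-2009-3570 and CVE-2009-3569 against openoffice.org is effectively dropped rather than deferred. If the intent is to keep tracking them while awaiting details, keep the package line and put the TODO on its own line. The formatting is also inconsistent within the hunk (a space after the colon for CVE-2009-3571, none for the other two), and each TODO now duplicates the "NOTE: details are unknown" line that follows it.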
@@ -1007,7 +1009,6 @@
{DSA-1929-1 DSA-1928-1 DSA-1927-1}
- linux-2.6 2.6.31-2 (high)
- linux-2.6.24 <removed> (high)
- NOTE: being exploited in the wild
CVE-2009-3546 (The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the ...)
- libgd2 2.0.36~rc1~dfsg-3.1 (medium; bug #552534)
- php5 <not-affected> (the php packages use the system libgd2)
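Review bot: removing "NOTE: being exploited in the wild" discards a prioritisation fact for a high-severity kernel issue, and the removal is not explained in the commit log. Exploitation status stays useful after DSA-1927-1, DSA-1928-1 and DSA-1929-1 ship, for instance to anyone deciding how urgently to roll them out; keep the note or state why it is no longer accurate.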
@@ -1607,6 +1608,7 @@
CVE-2009-3300 (Multiple cross-site scripting (XSS) vulnerabilities in the Identity ...)
- shibboleth-sp2 <unfixed> (medium; bug #555608)
- shibboleth-sp <removed> (medium)
+ - xmltooling 1.3.1-1
CVE-2009-3299 (Cross-site scripting (XSS) vulnerability in the resume blocktype in ...)
{DSA-1924-1}
- mahara 1.1.7-1 (low)
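Review bot: the added "- xmltooling 1.3.1-1" line has no severity and no bug number, while the two shibboleth entries for the same CVE are rated medium; add the severity for consistency and a bug reference if one exists. Also, shibboleth-sp2 stays <unfixed> although the log says the issue is fixed; if the xmltooling upload is the actual fix for the shibboleth-sp2 package, a NOTE: line saying so would explain why shibboleth-sp2 remains listed as unfixed.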
@@ -1987,6 +1989,7 @@
[lenny] - mediatomb <no-dsa> (minor issue)
- op-panel 0.30~dfsg-1 (low; bug #555234)
- ebug-http <unfixed> (low; bug #555235)
+ [lenny] - ebug-http <no-dsa> (Minor issue)
- poker-network <unfixed> (low; bug #555237)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <unfixed> (low; bug #555239)
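Review bot: the added "[lenny] - ebug-http <no-dsa> (Minor issue)" capitalises the rationale while the surrounding mediatomb and poker-network lines in this hunk use "(minor issue)"; pick one spelling. The neighbouring poker-network entry also has an [etch] line; if ebug-http is in etch as well, it needs the same treatment.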
@@ -11247,7 +11250,7 @@
{DSA-1691-1}
- moodle 1.8.2.dfsg-2
CVE-2008-6123 (The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp ...)
- - net-snmp <unfixed> (low; bug #516801)
+ - net-snmp 5.4.2.1~dfsg-1 (low; bug #516801)
[etch] - net-snmp <no-dsa> (Minor issue)
[lenny] - net-snmp <no-dsa> (Minor issue)
CVE-2008-6122 (The web management interface in Netgear WGR614v9 allows remote ...)
@@ -38694,6 +38697,7 @@
- mediatomb 0.11.0-3 (low; bug #555232)
- op-panel 0.30~dfsg-1 (low; bug #555234)
- ebug-http <unfixed> (low; bug #555235)
+ [lenny] - ebug-http <no-dsa> (Minor issue)
- poker-network <unfixed> (low; bug #555237)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt 2009-11-17 16:19:07 UTC (rev 13301)
+++ data/ospu-candidates.txt 2009-11-17 18:08:03 UTC (rev 13302)
@@ -709,6 +709,11 @@
--
+snort (CVE-2009-3641)
+#553584
+
+--
+
squid (CVE-2009-0801)
#521053
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-11-17 16:19:07 UTC (rev 13301)
+++ data/spu-candidates.txt 2009-11-17 18:08:03 UTC (rev 13302)
@@ -3,8 +3,14 @@
it. If someone wants to address these, please add a note about it
and get in contact with debian-release at lists.debian.org
+
--
+alien-arena (CVE-2009-3637)
+#552038
+
+--
+
asterisk (CVE-2009-0041)
#513413
notified maintainer
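Review bot: the separator layout in this hunk does not follow the convention the file's other entries use (entry, blank line, "--", blank line, next entry): the added blank line is placed before the existing "--", and "alien-arena (CVE-2009-3637)" follows that "--" with no blank line in between. Move the blank line to after the "--" so the new entry is spaced like the snort entry added further down in the same file.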
@@ -206,6 +212,11 @@
--
+snort (CVE-2009-3641)
+#553584
+
+--
+
squid (CVE-2009-0801)
#521053