[Secure-testing-commits] r13313 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Wed Nov 18 18:49:38 UTC 2009


Author: jmm-guest
Date: 2009-11-18 18:49:37 +0000 (Wed, 18 Nov 2009)
New Revision: 13313

Added:
   data/CVE-2009-3555
Modified:
   data/CVE/list
Log:
track pdf NULL derefs as non-issues
move tracking of TLS issue into a separate file


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-11-18 12:53:20 UTC (rev 13312)
+++ data/CVE/list	2009-11-18 18:49:37 UTC (rev 13313)
@@ -394,9 +394,8 @@
 CVE-2009-3778 (SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, ...)
 	NOT-FOR-US: module for Drupal
 CVE-2009-XXXX [NULL dereferences, similar to Adobe's CVE-2009-0658]
-	- ghostscript <unfixed>
-	- xpdf <unfixed>
-	TODO: check poppler and friends, file bugs
+	- ghostscript <unfixed> (unimportant)
+	- xpdf <unfixed> (unimportant)
 CVE-2009-XXXX [multiple vulnerabilities in acidbase; XSS + possible sql injection]
 	- acidbase <unfixed> (bug #552235)
 CVE-2009-XXXX [multiple vulnerabilities in jetty]
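Review bot: the `TODO: check poppler and friends, file bugs` line is dropped without recording an outcome, so it is unclear whether poppler was checked and found clean or the check was simply abandoned. Suggest keeping a NOTE line next to the `(unimportant)` ratings that states the rationale (NULL dereferences in a renderer are a crash, not code execution, unless shown otherwise) and the poppler result, filled in with whatever was actually found, so the next triager does not have to redo the work.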
@@ -1013,31 +1012,7 @@
 	RESERVED
 CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as ...)
 	{DSA-1934-1}
-	- openssl 0.9.8k-6 (bug #555829)
-	- openssl097 <removed>
-	- gnutls26 <unfixed>
-	- gnutls13 <removed>
-	- nss <unfixed>
-	- xyssl <unfixed>
-	- proftpd-dfsg 1.3.2b-2
-	- polarssl <unfixed>
-	- matrixssl <unfixed>
-	- pike7.6 <unfixed>
-	- classpath <unfixed>
-	- gcj-4.1 <unfixed>
-	- gcj-4.2 <unfixed>
-	- gcj-4.3 <unfixed>
-	- gcj-4.4 <unfixed>
-	- zorp <unfixed>
-	- openjdk-6 <unfixed>
-	- sun-java5 <removed>
-	[etch] - sun-java5 <no-dsa> (non-free not supported)
-	[lenny] - sun-java5 <no-dsa> (non-free not supported)
-	- sun-java6 <unfixed>
-	[lenny] - sun-java6 <no-dsa> (non-free not supported)
-	TODO: check
-	TODO: I haven't checked if all the java ssl implementations are actually used. 
-	NOTE: This may need fixes in TLS/SSL using packages, too.
+	NOTE: See separate CVE-2009-3555 file in SVN
 CVE-2009-3554
 	RESERVED
 CVE-2009-3553
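Review bot: the machine-readable package state for CVE-2009-3555 is removed from data/CVE/list (the fixed versions `openssl 0.9.8k-6` and `proftpd-dfsg 1.3.2b-2`, the `<removed>` entries and the `[etch]`/`[lenny] <no-dsa>` lines), leaving only `{DSA-1934-1}` and a pointer to a free-form file, so anything that consumes the list now sees the DSA as the only fix and no longer knows which packages are affected or unfixed. Suggest keeping the `- package version` lines here and moving only the TODO/NOTE analysis into the separate file; the `NOTE: See separate CVE-2009-3555 file in SVN` line can stay as the cross-reference.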

Added: data/CVE-2009-3555
===================================================================
--- data/CVE-2009-3555	                        (rev 0)
+++ data/CVE-2009-3555	2009-11-18 18:49:37 UTC (rev 13313)
@@ -0,0 +1,26 @@
+A generic position statement will be send by Florian.
+
+SSL implementations in the archive:
+
+- openssl -> Disabled SSL/TLS renegotiations in 0.9.8k-6 in unstable (bug #555829)
+- openssl097 (oldstable only)
+- gnutls26
+- gnutls13 (oldstable only)
+- nss
+- xyssl
+- polarssl
+- matrixssl
+- pike7.6
+- classpath
+- gcj-4.1
+- gcj-4.2
+- gcj-4.3
+- gcj-4.4
+- zorp
+- openjdk-6
+- sun-java5
+- sun-java6
+
+Applications, which have been modified:
+- proftpd-dfsg -> Disabled SSL/TLS renegotiations in 1.3.2b-2 in unstable
+- apache2 -> Disabled client-initiated SSL/TLS renegs in 2.2.14-2, only partial fix, also issued as DSA 1934 for stable
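Review bot: the apache2 line says `only partial fix` without stating what is still exposed after client-initiated renegotiation is disabled, which is the one thing a reader of this file needs in order to decide whether a further update is required; spell it out. Likewise, apart from openssl, the implementation list records no state per package (affected, unfixed, removed, not supported), so the `<unfixed>`/`<removed>`/`<no-dsa>` information that used to sit in data/CVE/list is lost rather than moved; carry it over next to each entry. Minor: `will be send` should be `will be sent`, and `Applications, which have been modified:` should drop the comma.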
