[Secure-testing-commits] r13366 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Tue Nov 24 18:42:56 UTC 2009


Author: jmm-guest
Date: 2009-11-24 18:42:55 +0000 (Tue, 24 Nov 2009)
New Revision: 13366

Modified:
   data/CVE-2009-3555
   data/CVE/list
Log:
- TLS updates
- mark dansguardian as non-issue
- adjust severity of kernel issue
- mark older amsn issue as to be checked instead of marking
  it as unfixed, likewise for an older wordpress issue
- correct affected source packages for ship issues, the vulnerability
  is not in xmltooling, it only needs to be adapted
- activeldap only in an example, mark as unimportant


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-11-24 09:14:23 UTC (rev 13365)
+++ data/CVE/list	2009-11-24 18:42:55 UTC (rev 13366)
@@ -300,7 +300,7 @@
 	- eglibc 2.10.1-7 (unimportant; bug #552518)
 	- glibc <removed> (unimportant)
 CVE-2009-XXXX [dansguardian: not blocking sites]
-	- dansguardian <unfixed> (low; bug #548108)
+	- dansguardian <unfixed> (unimportant; bug #548108)
 CVE-2009-3924 (Buffer overflow in pbsv.dll, as used in Soldier of Fortune II and ...)
 	NOT-FOR-US: Soldier of Fortune
 CVE-2009-3923 (The VirtualBox 2.0.8 and 2.0.10 web service in Sun Virtual Desktop ...)
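Review bot: the dansguardian entry drops from low to unimportant without a NOTE giving the reason, unlike the kernel and activeldap changes later in this commit; add a NOTE line under the package entry stating why "not blocking sites" is not treated as a security issue, so the rationale survives for the next person triaging bug #548108.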
@@ -378,8 +378,9 @@
 	- linux-2.6 2.6.27-1 (low)
 	- linux-2.6.24 <removed> (low)
 CVE-2009-3888 (The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before ...)
-	- linux-2.6 <unfixed> (low)
-	- linux-2.6.24 <unfixed> (low)
+	- linux-2.6 <unfixed> (unimportant)
+	- linux-2.6.24 <unfixed> (unimportant)
+	NOTE: All Debian kernels have MMU support enabled
 CVE-2009-3887
 	RESERVED
 CVE-2009-3886 (The Java Web Start implementation in Sun Java SE 6 before Update 17 ...)
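Review bot: the NOTE justifies the downgrade correctly, but it would be clearer if it spelled out the link to the code path, e.g. "NOTE: mm/nommu.c is only built for kernels without MMU support; all Debian kernels have MMU support enabled", so a reader does not have to know that do_mmap_pgoff in nommu.c is unreachable on the shipped configurations.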
@@ -1642,8 +1643,7 @@
 	[lenny] - merkaartor <not-affected> (vulnerable code not present)
 	NOTE: does not run as root so minor issue.
 CVE-2009-XXXX [amsn SSL verification vuln]
-	- amsn <unfixed>
-	TODO: file bug
+	TODO: check, file bug	- amsn <unfixed>
 	NOTE: http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html
 CVE-2009-XXXX [SA-CORE-2009-008]
 	- drupal6 6.14-1 (bug #547140)
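Review bot: the replacement line folds the package entry onto the TODO line ("TODO: check, file bug	- amsn <unfixed>"), so the tracker will no longer see a package/status entry for amsn, only free text. If the intent from the log is to stop asserting "unfixed" until checked, drop the package line entirely; if the entry should remain visible as unfixed, keep "- amsn <unfixed>" on its own line and put the TODO on a separate line as before.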
@@ -1867,7 +1867,7 @@
 CVE-2009-3300 (Multiple cross-site scripting (XSS) vulnerabilities in the Identity ...)
 	- shibboleth-sp2 2.3+dfsg-1 (medium; bug #555608)
 	- shibboleth-sp <removed> (medium)
-	- xmltooling 1.3.1-1
+	NOTE: xmltooling also needs to be updated, changed in sid in 1.3.1-1
 CVE-2009-3299 (Cross-site scripting (XSS) vulnerability in the resume blocktype in ...)
 	{DSA-1924-1}
 	- mahara 1.1.7-1 (low)
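Review bot: removing the "- xmltooling 1.3.1-1" entry loses tracking for a package the NOTE itself says still needs updating. The NOTE wording is also ambiguous ("also needs to be updated, changed in sid in 1.3.1-1" reads as both pending and done); if the sid upload already adapted xmltooling, say "adapted in 1.3.1-1 in sid, not itself vulnerable", and if stable still needs the adapted build, a [lenny] line for xmltooling should remain so it does not fall out of view.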
@@ -2270,8 +2270,8 @@
 	- rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package; bug #555258)
 	- scriptaculous 1.8.3-1 (low; bug #555259)
 	[lenny] - scriptaculous <no-dsa> (Minor issue)
-	- activeldap 1.0.9-1 (low; bug #555263)
-	[lenny] - activeldap <no-dsa> (minor issue)
+	- activeldap 1.0.9-1 (unimportant; bug #555263)
+	NOTE: Only shipped in an example
 	- mantis 1.1.8+dfsg-3 (low; bug #555264)
 	[lenny] - mantis <no-dsa> (minor issue)
 	- otrs2 2.3.4-6 (low; bug #555266)
@@ -38172,8 +38172,7 @@
 CVE-2007-2715 (Admin/users.php in Snaps! Gallery 1.4.4 allows remote attackers to ...)
 	NOT-FOR-US: Snaps! Gallery
 CVE-2007-2714 (Unspecified vulnerability in akismet.php in Matt Mullenweg Akismet ...)
-	- wordpress <unfixed>
-	TODO: check
+	TODO: check: - wordpress <unfixed>
 CVE-2007-2713 (ifdate 2.x sends a redirect to the web browser but does not exit when ...)
 	NOT-FOR-US: iFdate
 CVE-2007-2712 (Unspecified vulnerability in MH Software Connect Daily before 3.3.3 ...)
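Review bot: same problem as the amsn change above, the package entry is merged into the TODO line ("TODO: check: - wordpress <unfixed>"), which removes wordpress from the machine-readable status for CVE-2007-2714. Either keep "- wordpress <unfixed>" on its own line with the TODO beneath it, or remove the package line deliberately and say so in the log.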
@@ -61188,9 +61187,9 @@
 	{DSA-947-1}
 	- clamav 0.88-1
 CVE-2006-0138 (aMSN (aka Alvaro's Messenger) allows remote attackers to cause a ...)
-	- amsn <unfixed> (low; bug #557754)
-	[etch] - amsn <no-dsa> (minor issue)
-	[lenny] - amsn <no-dsa> (minor issue)
+        - amsn <unfixed> (low; bug #557754)
+        [etch] - amsn <no-dsa> (minor issue)
+        [lenny] - amsn <no-dsa> (minor issue)
 CVE-2006-0137 (SQL injection vulnerability in linkcategory.php in Phanatic Softwares ...)
 	NOT-FOR-US: Phanatic Softwares Chimera Web Portal System
 CVE-2006-0136 (Multiple cross-site scripting (XSS) vulnerabilities in the guestbook ...)
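Review bot: this hunk is a whitespace-only change that replaces the leading tab with eight spaces on the three amsn lines for CVE-2006-0138; the rest of data/CVE/list indents with tabs, and the log does not mention any change here, so this looks accidental. Revert to tab indentation to keep the file consistent and avoid a spurious diff.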

Modified: data/CVE-2009-3555
===================================================================
--- data/CVE-2009-3555	2009-11-24 09:14:23 UTC (rev 13365)
+++ data/CVE-2009-3555	2009-11-24 18:42:55 UTC (rev 13366)
@@ -9,7 +9,7 @@
 - nss
 - xyssl
 - polarssl
-- matrixssl
+- matrixssl -> Disabled SSL/TLS renegs in 1.8.8-1 in unstable
 - pike7.6
 - classpath
 - gcj-4.1
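Review bot: the matrixssl note uses the abbreviation "renegs" while the proftpd-dfsg line in the same file spells out "renegotiations"; pick one form so the file is easy to grep. It would also help to record whether 1.8.8-1 disables all renegotiation or only client-initiated renegotiation, as the apache2 line does, since that distinction determines whether the fix is complete.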
@@ -25,3 +25,4 @@
 Applications, which have been modified:
 - proftpd-dfsg -> Disabled SSL/TLS renegotiations in 1.3.2b-2 in unstable
 - apache2 -> Disabled client-initiated SSL/TLS renegs in 2.2.14-2, only partial fix, also issued as DSA 1934 for stable
+- tomcat-native -> 1.1.18-1
\ No newline at end of file
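Review bot: the tomcat-native entry gives only a version ("-> 1.1.18-1") without saying what changed, whereas the neighbouring entries state "Disabled SSL/TLS renegotiations in ..."; add the same description so the list stays self-explanatory. The hunk also leaves the file without a trailing newline; add one to keep future diffs clean.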
