[Secure-testing-commits] r13371 - in data: CVE DSA

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Tue Nov 24 22:35:47 UTC 2009


Author: jmm-guest
Date: 2009-11-24 22:35:47 +0000 (Tue, 24 Nov 2009)
New Revision: 13371

Modified:
   data/CVE/list
   data/DSA/list
Log:
- libexif issue only affects unstable
- lucene uses prototype.js only for examples, track as unimportant
- remove some no-dsa entries, need to be double-checked
- php-net-ping issue CVEfied
- php-mail issue CVEfied, amended DSA entry


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-11-24 22:14:59 UTC (rev 13370)
+++ data/CVE/list	2009-11-24 22:35:47 UTC (rev 13371)
@@ -43,12 +43,6 @@
 	TODO: check
 	NOTE: http://docs.cacti.net/#cross-site_scripting_fixes
 	NOTE: http://www.cacti.net/download_patches.php
-CVE-2009-XXXX [Net_Ping PEAR module argument injection]
-	- php-net-ping <unfixed>
-	TODO: check
-	NOTE: http://pear.php.net/advisory20091114-01.txt
-	NOTE: the fix by upstream should be double checked,
-	NOTE: escapeshellcmd might not be the most appropriate function either
 CVE-2009-4046 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x ...)
 	NOT-FOR-US: FrontAccounting
 CVE-2009-4045 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) before ...)
@@ -93,10 +87,19 @@
 	RESERVED
 CVE-2009-4025
 	RESERVED
-CVE-2009-4024
+CVE-2009-4024 [Net_Ping PEAR module argument injection]
 	RESERVED
-CVE-2009-4023
+	- php-net-ping <unfixed>
+	TODO: check
+	NOTE: http://pear.php.net/advisory20091114-01.txt
+	NOTE: the fix by upstream should be double checked,
+	NOTE: escapeshellcmd might not be the most appropriate function either
+CVE-2009-4023 [command injection in the Mail pear module]
 	RESERVED
+	{DSA-1938-1}
+	- php-mail 1.1.14-2 (medium; bug #557121)
+	[lenny] - php-mail  1.1.14-1+lenny1
+	[etch] - php-mail 1.1.6-2+etch1
 CVE-2009-4022
 	RESERVED
 CVE-2009-4020
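Review bot: the re-added lenny line `[lenny] - php-mail  1.1.14-1+lenny1` carries a double space between package name and version (copied over from the removed placeholder entry), while the DSA list hunk in this same commit writes `[lenny] - php-mail 1.1.14-1+lenny1`; normalise to a single space so the two entries match. Note also that the Net_Ping block moved under CVE-2009-4024 still carries `TODO: check` and the remark that escapeshellcmd may not be the right function, so assigning the id does not close that check.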
@@ -244,10 +247,6 @@
 	- linux-2.6 <unfixed> (medium)
 	- linux-2.6.24 <removed> (medium)
 	NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=690e744869f3262855b83b4fb59199cf142765b0
-CVE-2009-XXXX [command injection in the Mail pear module]
-	- php-mail 1.1.14-2 (medium; bug #557121)
-	[lenny] - php-mail  1.1.14-1+lenny1
-	[etch] - php-mail 1.1.6-2+etch1
 CVE-2009-4021 [fuse_put_request() invalid pointer dereference]
 	RESERVED
 	- linux-2.6 <unfixed> (low)
@@ -406,9 +405,8 @@
 	{DSA-1920-1}
 CVE-2009-3895 (Heap-based buffer overflow in the exif_entry_fix function (aka the tag ...)
 	- libexif 0.6.19-1 (medium; bug #557137)
-	NOTE: it is said that only 0.6.18 is affected
-	NOTE: http://article.gmane.org/gmane.comp.graphics.libexif.devel/806
-	TODO: check
+	[lenny] - libexif <not-affected> (Only 0.6.18 is affected)
+	[etch] - libexif <not-affected> (Only 0.6.18 is affected)
 CVE-2009-3894
 	RESERVED
 CVE-2009-3893
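Review bot: this hunk drops the only evidence for the not-affected verdict together with the TODO: the removed `NOTE: http://article.gmane.org/gmane.comp.graphics.libexif.devel/806` was the source for "only 0.6.18 is affected", and without it the new `<not-affected>` markings for lenny and etch cannot be re-verified from the entry itself. Keep that NOTE line alongside the added [lenny]/[etch] lines.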
@@ -1284,7 +1282,6 @@
 	RESERVED
 CVE-2009-3553 (Use-after-free vulnerability in the abstract file-descriptor handling ...)
 	- cups <unfixed> (low; bug #557740)
-	[lenny] - cups <no-dsa> (minor issue)
 	- cupsys <not-affected> (vulnerable code introduced in 1.3.x)
 	NOTE: http://www.cups.org/newsgroups.php/s1+gcups.bugs?s1+gcups.bugs+v4+T+Q3200
 CVE-2009-3552
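Review bot: removing `[lenny] - cups <no-dsa> (minor issue)` leaves lenny with no explicit status, and the entry's own cupsys line says the vulnerable code was introduced in 1.3.x, so whether lenny's cups is affected turns on its version. Since the log flags these no-dsa removals as "need to be double-checked", add a `TODO:` line here so the open question is visible in the tracker rather than only in the commit message.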
@@ -2272,9 +2269,9 @@
 	- libjson-ruby 1.1.4-1 (low; bug #555223)
 	[lenny] - libjson-ruby <no-dsa> (minor issue)
 	TODO: next point release [lenny] - libjson-ruby 1.1.2-1+lenny1
-	- lucene2 2.9.1+ds1-2 (low; bug #555225)
+	- lucene2 2.9.1+ds1-2 (unimportant; bug #555225)
 	[etch] - lucene2 <not-affected> (prototype.js not present)
-	[lenny] - lucene2 <no-dsa> (minor issue)
+        NOTE: prototype.js copy unused per #555225
 	- glpi 0.72.3-1 (low; bug #555228)
 	[etch] - glpi <no-dsa> (minor issue)
 	[lenny] - glpi <no-dsa> (minor issue)
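Review bot: the new `NOTE: prototype.js copy unused per #555225` line is indented with spaces while every other line in this file uses a tab; use a tab so the line is formatted like its neighbours and is not at risk of being parsed differently. Lowering lucene2 to unimportant and dropping the lenny no-dsa line is consistent with the log's reasoning that prototype.js is used only by the examples.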
@@ -38971,11 +38968,8 @@
 	NOT-FOR-US: Apple mDNSResponder
 CVE-2007-2385 (The Yahoo! UI framework exchanges data using JavaScript Object ...)
 	- yui <unfixed> (low; bug #557745)
-	[lenny] - yui <no-dsa> (minor issue)
 	- bcfg2 <not-affected> (present in source but not included in any binary files)
 	- serendipity <unfixed> (low; bug #557746)
-	[etch] - serendipity <no-dsa> (minor issue)
-	[lenny] - serendipity <no-dsa> (minor issue)
 	- moodle <not-affected> (uses system libjs-yui)
 	- jifty <unfixed> (low; bug #557748)
 	- webgui <not-affected> (uses system libjs-yui)
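Review bot: serendipity loses both its etch and lenny `<no-dsa>` lines and yui its lenny line with nothing replacing them, so the stable and oldstable status of both packages is now only implied by the unstable `<unfixed> (low)` lines. As these are among the no-dsa removals the log marks for double-checking, a `TODO:` line per package would record that the decision is still pending.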

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2009-11-24 22:14:59 UTC (rev 13370)
+++ data/DSA/list	2009-11-24 22:35:47 UTC (rev 13371)
@@ -1,4 +1,5 @@
 [23 Nov 2009] DSA-1938-1 php-mail - insufficient input sanitising
+	{CVE-2009-4023}
 	[etch] - php-mail 1.1.6-2+etch1
 	[lenny] - php-mail 1.1.14-1+lenny1
 [21 Nov 2009] DSA-1937-1 gforge - cross-site scripting
