[Secure-testing-commits] r12810 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Mon Sep 14 16:54:43 UTC 2009
Author: jmm-guest
Date: 2009-09-14 16:54:43 +0000 (Mon, 14 Sep 2009)
New Revision: 12810
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
- rails fixed
- rhythmbox, libdkim unimportant
- wireshark, movable type no-dsa
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-09-14 16:09:29 UTC (rev 12809)
+++ data/CVE/list 2009-09-14 16:54:43 UTC (rev 12810)
@@ -283,7 +283,7 @@
CVE-2009-3087 (Unspecified vulnerability in nserver.exe in the server in IBM Lotus ...)
NOT-FOR-US: IBM Lotus Domino
CVE-2009-3086 (A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x ...)
- - rails <unfixed> (low; bug #545063)
+ - rails 2.2.3-1 (low; bug #545063)
CVE-2009-3085 (The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not ...)
- pidgin 2.6.2-1 (low)
CVE-2009-3084 (The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c ...)
@@ -291,7 +291,8 @@
CVE-2009-3083 (The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the ...)
- pidgin 2.6.2-1 (low)
CVE-2008-7185 (GNOME Rhythmbox 0.11.5 allows remote attackers to cause a denial of ...)
- - rhythmbox <unfixed> (low)
+ - rhythmbox <unfixed> (unimportant)
+ NOTE: No practical security impact
CVE-2008-7184 (Cross-site scripting (XSS) vulnerability in Diigo Toolbar and Diigolet ...)
NOT-FOR-US: Diigo Toolbar and Diigolet
CVE-2008-7183 (PHP remote file inclusion vulnerability in eva/index.php in EVA CMS ...)
@@ -575,7 +576,7 @@
NOTE: This is a web site issue (open redirector), not a browser problem.
- iceweasel <unfixed> (unimportant)
CVE-2009-3009 (Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before ...)
- - rails <unfixed> (low; bug #545063)
+ - rails 2.2.3-1 (low; bug #545063)
CVE-2009-3008 (K-Meleon 1.5.3 allows context-dependent attackers to spoof the address ...)
NOT-FOR-US: K-Meleon
CVE-2009-3007 (Mozilla Firefox 3.5.1 and SeaMonkey 1.1.17, and Flock 2.5.1, allow ...)
@@ -2292,6 +2293,8 @@
[lenny] - wireshark <not-affected> (Only affects 1.0.6 to 1.2.0)
CVE-2009-2562 (Unspecified vulnerability in the AFS dissector in Wireshark 0.9.2 ...)
- wireshark 1.2.1-1 (low; bug #538237)
+ [lenny] - wireshark <no-dsa> (Minor issue, targeted for lenny point update)
+ [etch] - wireshark <no-dsa> (Minor issue)
CVE-2009-2561 (Unspecified vulnerability in the sFlow dissector in Wireshark 1.2.0 ...)
- wireshark 1.2.1-1 (bug #538237)
[etch] - wireshark <not-affected> (Only affects 1.2.0)
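Review bot: the new [lenny] line for CVE-2009-2562 says "targeted for lenny point update", but the data/spu-candidates.txt hunk in this commit only adds movabletype-opensource; if a lenny point update is intended for wireshark, add a matching spu-candidates entry (bug #538237) so the intent is tracked in both files. The same wording is used for CVE-2009-1829 later in this commit, so one wireshark candidate entry would cover both.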
@@ -2444,6 +2447,7 @@
NOT-FOR-US: Microsoft Visual Studio .NET
CVE-2009-2492 (Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart ...)
- movabletype-opensource 4.2.6.1-1 (low; bug #537935)
+ [lenny] - movabletype-opensource <no-dsa> (Minor information disclosure)
CVE-2009-XXXX [mediawiki: XSS via specialblock]
- mediawiki 1:1.15.0-1.1 (low; bug #537634)
[etch] - mediawiki <not-affected> (vulnerably code introduced in 1.14.0)
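Review bot: the [lenny] no-dsa reason for CVE-2009-2492 reads "Minor information disclosure", but the CVE title describes a cross-site scripting issue in mt-wizard.cgi; align the wording with the actual issue class (or say why it is treated as disclosure) so the no-dsa justification is not misread. The unchanged mediawiki context line also carries a typo ("vulnerably code"), which could be fixed in a follow-up commit.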
@@ -2978,7 +2982,9 @@
- xscreensaver <not-affected> (does not run setuid in debian)
NOTE: http://bugs.debian.org/535870
CVE-2009-XXXX [libdkim: signature parsing is not thread-safe]
- - libdkim <unfixed> (low; bug #532740)
+ - libdkim <unfixed> (unimportant; bug #532740)
+ NOTE: This is mostly a missing feature, it's unlikely that any threaded application
+ NOTE: is using libdkim in the current state, so the practical impact is none
CVE-2009-XXXX [libsndfile: potential dos via crafted input]
- libsndfile <unfixed> (low; bug #530831)
[etch] - libsndfile <no-dsa> (minor issue)
@@ -4321,6 +4327,8 @@
NOT-FOR-US: myColex
CVE-2009-1829 (Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 ...)
- wireshark 1.0.8-1 (low; bug #533347)
+ [lenny] - wireshark <no-dsa> (Minor issue, targeted for lenny point update)
+ [etch] - wireshark <no-dsa> (Minor issue)
CVE-2009-1808 (Microsoft Windows XP SP3 allows local users to cause a denial of ...)
NOT-FOR-US: Microsoft
CVE-2009-1807 (Unspecified vulnerability in Config.dll in Baofeng products 3.09.04.17 ...)
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-09-14 16:09:29 UTC (rev 12809)
+++ data/spu-candidates.txt 2009-09-14 16:54:43 UTC (rev 12810)
@@ -136,6 +136,11 @@
--
+movabletype-opensource (CVE-2009-2492)
+#537935
+
+--
+
mpg123 (CVE-2009-1301)
notified maintainer
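Review bot: the new movabletype-opensource entry has no status line, whereas the neighbouring mpg123 entry records "notified maintainer"; add the current status (whether the maintainer has been contacted, or that an upload is pending) under the "#537935" line so the candidate list stays consistent.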