[Secure-testing-commits] r14406 - data/CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Mon Apr 5 14:22:19 UTC 2010
Author: jmm-guest
Date: 2010-04-05 14:22:12 +0000 (Mon, 05 Apr 2010)
New Revision: 14406
Modified:
data/CVE/list
Log:
- new zabbix issue, needs to be checked
- transmission fixed in sid, lenny not affected
- new devkit-disks issue, not present in lenny
- squid3 fixed, lenny no-dsa
- xulrunner fixed, lenny fixed in DSA already
- varnish fixed, not treated as a security issue
by upstream
- alien-arena fixed, lenny no-dsa (contrib)
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-04-05 10:27:02 UTC (rev 14405)
+++ data/CVE/list 2010-04-05 14:22:12 UTC (rev 14406)
@@ -565,7 +565,8 @@
CVE-2009-4736 (Cross-site scripting (XSS) vulnerability in search.php in CommonSense ...)
NOT-FOR-US: CommonSense CMS
CVE-2010-XXXX [alien-arena: server dos]
- - alien-arena <unfixed> (low; bug #575621)
+ - alien-arena 7.33-5 (low; bug #575621)
+ [lenny] - alien-arena <no-dsa> (Contrib not supported)
CVE-2010-XXXX [phpCAS XSS in final_uri; PHPCAS-52]
- glpi <unfixed> (bug #574760)
- moodle <unfixed> (bug #574757)
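Review bot: the added `[lenny] - alien-arena <no-dsa> (Contrib not supported)` line gives only the archive section as its reason and says nothing about how the server DoS affects the lenny version. Consider extending the reason, for example by repeating the severity already recorded on the unstable line (low), so the no-dsa decision can be read without opening bug #575621.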
@@ -1382,21 +1383,27 @@
NOT-FOR-US: Joomla!
CVE-2010-0752 (The week_post_page function in the Weekly Archive by Node Type module ...)
NOT-FOR-US: Weekly Archive by Node Type (Drupal module)
-CVE-2010-1144
+CVE-2010-1144 [zabbix SQL injection]
RESERVED
+ - zabbix <unfixed>
+ TODO: File bug
CVE-2010-0750 [policykit information disclosure]
RESERVED
- policykit <not-affected> (pkexec introduced in 0.92)
[lenny] - policykit <not-affected> (pkexec introduced in 0.92)
CVE-2010-0749
RESERVED
- - transmission <unfixed> (unimportant; bug filed)
+ - transmission 1.92-1 (unimportant; bug filed)
CVE-2010-0748
RESERVED
- - transmission <unfixed> (medium; bug filed)
+ - transmission 1.92-1 (medium; bug filed)
[lenny] - transmission <not-affected> (Support for Magnet links not yet available)
-CVE-2010-0746
+CVE-2010-0746 [DeviceKit privilege escalation via pluggable storage device labels]
RESERVED
+ - devicekit-disks 1.0.0~git20100212.aae17d9-1
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=523178
+ NOTE: http://cgit.freedesktop.org/DeviceKit/DeviceKit-disks/commit/?id=62f883c7d38e75d0669c162529062a1e81d00da2
+ NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=23235
CVE-2010-0745 [dovecot DoS]
RESERVED
- dovecot 1:1.2.11-1 (low)
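Review bot: both transmission lines (CVE-2010-0749 and CVE-2010-0748) now record 1.92-1 as the fixed version but keep the placeholder `bug filed` instead of a bug number; since these lines are being edited anyway, put the actual number in so the fix can be traced. On CVE-2010-0746 the log says the issue is not present in lenny, yet the entry records that nowhere: if the package exists in lenny it needs a `[lenny] - devicekit-disks <not-affected>` line with the reason, and otherwise a NOTE saying so would keep the entry self-explanatory. A NOTE confirming that the git snapshot version contains the referenced upstream commit would also help.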
@@ -1715,7 +1722,7 @@
CVE-2010-0639 (The htcpHandleTstRequest function in htcp.c in Squid 2.x before ...)
- squid 2.7.STABLE8-1 (bug #572553)
[lenny] - squid <no-dsa> (Minor issue, only affects non-default setup)
- - squid3 <unfixed> (bug #572554)
+ - squid3 3.1.0.17-1 (bug #572554)
[lenny] - squid3 <no-dsa> (Minor issue, only affects non-default setup)
CVE-2010-0638 (Cross-site request forgery (CSRF) vulnerability in WebCalendar 1.2.0 ...)
- webcalendar <undetermined> (bug #572557)
@@ -3084,7 +3091,7 @@
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-0181 [Image src redirect to mailto: URL opens email editor]
RESERVED
- - xulrunner <unfixed> (unimportant)
+ - xulrunner 1.9.1.9-1 (unimportant)
- iceape 2.0.4-1
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-0180
@@ -3092,41 +3099,42 @@
CVE-2010-0179
RESERVED
{DSA-2027-1}
+ - xulrunner 1.9.1.9-1
- iceape 2.0.4-1
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-0178 [Chrome privilege escalation via forced URL drag and drop]
RESERVED
{DSA-2027-1}
- - xulrunner <unfixed>
+ - xulrunner 1.9.1.9-1
- iceape 2.0.4-1
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-0177 [Dangling pointer vulnerability in nsPluginArray]
RESERVED
{DSA-2027-1}
- - xulrunner <unfixed>
+ - xulrunner 1.9.1.9-1
- iceape 2.0.4-1
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-0176 [Dangling pointer vulnerability in nsTreeContentView]
RESERVED
{DSA-2027-1}
- - xulrunner <unfixed>
+ - xulrunner 1.9.1.9-1
- iceape 2.0.4-1
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-0175 [Remote code execution with use-after-free in nsTreeSelection]
RESERVED
{DSA-2027-1}
- - xulrunner <unfixed>
+ - xulrunner 1.9.1.9-1
- iceape 2.0.4-1
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-0174 [crashes in the browser engine]
RESERVED
{DSA-2027-1}
- - xulrunner <unfixed>
+ - xulrunner 1.9.1.9-1
- iceape 2.0.4-1
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-0173 [crashes in the browser engine]
RESERVED
- - xulrunner <unfixed>
+ - xulrunner 1.9.1.9-1
- iceape 2.0.4-1
[lenny] - iceape <not-affected> (Only a stub package)
[lenny] - xulrunner <not-affected> (Only affects Firefox >= 3.5)
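Review bot: CVE-2010-0179 gains a new `- xulrunner 1.9.1.9-1` line but is the only entry in this hunk without a bracketed description, so the reader cannot tell what was fixed; add a short one in the style of its neighbours. In CVE-2010-0173 the `[lenny] - xulrunner <not-affected> (Only affects Firefox >= 3.5)` line sits below the iceape lines rather than directly under the xulrunner line being changed; moving it up would keep each package's lines together, as in the other entries.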
@@ -8517,8 +8525,10 @@
- planet-venus 0~bzr116-1 (low; bug #546179)
[lenny] - planet-venus 0~bzr95-2+lenny1
[etch] - planet-venus <no-dsa> (Minor issue)
-CVE-2009-2936
+CVE-2009-2936 [varnish]
RESERVED
+ - varnish 2.1.0-2 (unimportant)
+ NOTE: Only a security issue if used against best practices
CVE-2009-2935 (Google V8, as used in Google Chrome before 2.0.172.43, allows remote ...)
- chromium-browser <itp> (bug #520324)
CVE-2009-2934 (Multiple stack-based buffer overflows in xaudio.dll in Programmed ...)
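Review bot: the new description on `CVE-2009-2936 [varnish]` is only the package name and does not say what the issue is, and the NOTE "Only a security issue if used against best practices" does not name the practice in question. Suggest a short description of the flaw in the brackets and a NOTE that states which configuration is affected, or that links upstream's statement, since the log gives upstream's position as the reason for `unimportant`.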