[Secure-testing-commits] r14529 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Mon Apr 19 22:34:53 UTC 2010 

Author: jmm-guest
Date: 2010-04-19 22:34:53 +0000 (Mon, 19 Apr 2010)
New Revision: 14529

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
- rewrite clamav with EOL tag
- couchdb fixed
- two fixes in Sun Java 6
- couchdb no-dsa
- begin qt4-x11 triage


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-04-19 21:14:22 UTC (rev 14528)
+++ data/CVE/list	2010-04-19 22:34:53 UTC (rev 14529)
@@ -1584,8 +1584,14 @@
 	TODO: check
 CVE-2010-0887
 	RESERVED
+	- openjdk-6 <undetermined>
+	- sun-java6 6.20-1
+	[lenny] - sun-java6 <no-dsa> (Non-free not supported)
 CVE-2010-0886
 	RESERVED
+	- openjdk-6 <undetermined>
+	- sun-java6 6.20-1
+	[lenny] - sun-java6 <no-dsa> (Non-free not supported)
 CVE-2010-0885 (Unspecified vulnerability in the Sun Java System Communications ...)
 	TODO: check
 CVE-2010-0884 (Unspecified vulnerability in the Sun Cluster component in Oracle Sun ...)
@@ -4016,8 +4022,7 @@
 	RESERVED
 CVE-2010-0098 (ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z ...)
 	- clamav 0.96+dfsg-1
-	[lenny] - clamav <no-dsa> (no longer supported)
-	TODO: check
+	[lenny] - clamav <end-of-life> (No longer supported in Lenny)
 CVE-2010-0097 (ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before ...)
 	- bind9 1:9.7.0.dfsg-1
 CVE-2010-0096
@@ -4801,8 +4806,8 @@
 	NOTE: not by a client. No sane person uses apache 1.3 as forward proxy and in reverse
 	NOTE: proxy situations, the backend server is usually trusted, anyway.
 CVE-2010-0009 (Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain ...)
-	- couchdb <unfixed> (bug #576304)
-	NOTE: I don't really see the security implications?
+	- couchdb 0.11.0-1 (bug #576304)
+	[lenny] - couchdb <no-dsa> (Minor information leak)
 CVE-2010-0008 (The sctp_rcv_ootb function in the SCTP implementation in the Linux ...)
 	- linux-2.6 2.6.23-1
 CVE-2010-0007 (net/bridge/netfilter/ebtables.c in the ebtables module in the ...)
@@ -12862,7 +12867,7 @@
 	NOTE: patch http://trac.webkit.org/changeset/44799/
 	NOTE: PoC https://cevans-app.appspot.com/static/webkitentityoffbyone.html
 CVE-2009-1724 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
-	- qt4-x11 <unfixed> (low; bug #538403)
+	- qt4-x11 <undetermined> (bug #538403)
 	[etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4)
 	- webkit 1.1.13-1 (low; bug #538402)
 	- kdelibs <unfixed> (unimportant)
@@ -13020,14 +13025,15 @@
 	- webkit 1.1.12-1 (medium; bug #535793)
 	- kdelibs <not-affected>
 	- kde4libs <not-affected>
-	- qt4-x11 <undetermined>
+	- qt4-x11 <unfixed>
 	NOTE: http://trac.webkit.org/changeset/35928
 CVE-2009-1692 (WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1, ...)
 	{DSA-1950-1}
 	- webkit 1.1.12-1 (low; bug #535793)
 	- kdelibs <unfixed> (unimportant)
 	- kde4libs <unfixed> (unimportant)
-	- qt4-x11 <undetermined> (unimportant)
+	- qt4-x11 4:4.6.2-4 (unimportant)
+	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
 	NOTE: upstream (undisclosed) bug report is https://bugs.webkit.org/show_bug.cgi?id=23319
 	NOTE: http://trac.webkit.org/changeset/41741
 CVE-2009-1691 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2010-04-19 21:14:22 UTC (rev 14528)
+++ data/spu-candidates.txt	2010-04-19 22:34:53 UTC (rev 14529)
@@ -66,6 +66,11 @@
 
 --
 
+couchdb (CVE-2010-0009)
+#576304
+
+--
+
 cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked
 #528434
 notified maintainer

More information about the Secure-testing-commits mailing list