[Secure-testing-commits] r15154 - data/CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Mon Aug 16 15:16:54 UTC 2010 

Author: jmm-guest
Date: 2010-08-16 15:16:45 +0000 (Mon, 16 Aug 2010)
New Revision: 15154

Modified:
   data/CVE/list
Log:
- new issues in webkitkde and rekonq, both fixed
- record mapserver fixes in sid
- tiff fixed
- mark some xulrunner issues only in experimental as not-affected
- jboss issues don't affect Debian
- NFUs
- remove historic TODOs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-08-15 03:59:29 UTC (rev 15153)
+++ data/CVE/list	2010-08-16 15:16:45 UTC (rev 15154)
@@ -105,9 +105,9 @@
 CVE-2010-2927 (The slapi_printmessage function in IBM Tivoli Directory Server (ITDS) ...)
 	NOT-FOR-US: Tivoli
 CVE-2009-4976 (Cross-site scripting (XSS) vulnerability in webkitpart.cpp in ...)
-	TODO: check
+	- webkitkde 0.4svn1059630-1
 CVE-2009-4975 (Cross-site scripting (XSS) vulnerability in webview.cpp in ...)
-	TODO: check
+	- rekonq 0.5.0-1
 CVE-2010-XXXX [Insufficient stripping of CR/LF allows arbitrary IRC command execution]
 	- libpoe-component-irc-perl 6.32+dfsg-1
 	[lenny] - libpoe-component-irc-perl <no-dsa> (#581194)
@@ -892,7 +892,7 @@
 CVE-2010-2634
 	RESERVED
 CVE-2010-2633 (Unspecified vulnerability in EMC Disk Library (EDL) before 3.2.7, ...)
-	TODO: check
+	NOT-FOR-US: EMC
 CVE-2010-2632
 	RESERVED
 CVE-2010-2631 (LibTIFF 3.9.0 ignores tags in certain situations during the first ...)
@@ -1097,10 +1097,10 @@
 	RESERVED
 CVE-2010-2540 (mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 ...)
 	{DSA-2079-1}
-	TODO: check
+	- mapserver 5.6.4-1
 CVE-2010-2539 (Buffer overflow in the msTmpFile function in maputil.c in mapserv in ...)
 	{DSA-2079-1}
-	TODO: check
+	- mapserver 5.6.4-1
 CVE-2010-2538 [btrfs issue]
 	RESERVED
 	- linux-2.6 <unfixed>
@@ -1901,7 +1901,7 @@
 CVE-2010-2234
 	RESERVED
 CVE-2010-2233 (tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used ...)
-	- tiff <unfixed>
+	- tiff 3.9.1-1
 	[lenny] - tiff <not-affected> (Only affects 3.9.x)
 CVE-2010-2232
 	RESERVED
@@ -2771,7 +2771,7 @@
 CVE-2010-1914 (The Zend Engine in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows ...)
 	- php5 <unfixed> (unimportant)
 CVE-2010-1871 (JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application ...)
-	TODO: check
+	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
 CVE-2010-1870
 	RESERVED
 CVE-2010-1869 (Stack-based buffer overflow in the parser function in GhostScript 8.70 ...)
@@ -3002,7 +3002,7 @@
 CVE-2010-1795
 	RESERVED
 CVE-2010-1794 (The webdav_mount function in webdav_vfsops.c in the WebDAV kernel ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2010-1793 (Multiple use-after-free vulnerabilities in WebKit in Apple Safari ...)
 	- webkit <undetermined>
 	- chromium-browser <undetermined>
@@ -3767,9 +3767,9 @@
 CVE-2010-1519
 	RESERVED
 CVE-2010-1518 (Array index error in the SetDLInfo method in the GIGABYTE Dldrv2 ...)
-	TODO: check
+	NOT-FOR-US: GIGABYTE Dldrv2 ActiveX control
 CVE-2010-1517 (The GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote attackers ...)
-	TODO: check
+	NOT-FOR-US: GIGABYTE Dldrv2 ActiveX control
 CVE-2010-1516
 	RESERVED
 CVE-2010-1515 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...)
@@ -4799,7 +4799,7 @@
 	- icedove 3.0.6-1
 	[lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-1210 (intl/uconv/util/nsUnicodeDecodeHelper.cpp in Mozilla Firefox before ...)
-	TODO: check
+	- xulrunner <not-affected> (Only affects 1.9.2 and above)
 CVE-2010-1209 (Use-after-free vulnerability in the NodeIterator implementation in ...)
 	- xulrunner 1.9.1.11-1
 	[lenny] - xulrunner <not-affected> (Only affects 1.9.1 and above)
@@ -4811,7 +4811,7 @@
 	- iceape 2.0.6-1
 	[lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-1207 (Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 do not ...)
-	TODO: check
+	- xulrunner <not-affected> (Only affects 1.9.2 and above)
 CVE-2010-1206 (The startDocumentLoad function in browser/base/content/browser.js in ...)
 	- iceweasel 3.5.11-1
 	[lenny] - iceweasel <not-affected> (Vulnerable code not present)
@@ -16302,7 +16302,6 @@
 	- libpng 1.2.37-1 (low; bug #533676)
 	[etch] - libpng <no-dsa> (Minor issue, only exploitable in rare setups)
 	- xulrunner <not-affected> (xulrunner dynamically linked against libpng; embeded code copy not used)
-	TODO: check tuxonice-userui
 CVE-2009-2041 (Cross-site scripting (XSS) vulnerability in A51 D.O.O. activeCollab ...)
 	NOT-FOR-US: activeCollab
 CVE-2009-2040 (admin/options.php in Grestul 1.2 does not properly restrict access, ...)
@@ -21417,7 +21416,6 @@
 CVE-2008-6218 (Memory leak in the png_handle_tEXt function in pngrutil.c in libpng ...)
 	{DSA-1750-1}
 	- libpng 1.2.33-1
-	TODO: check tuxonice-userui
 CVE-2008-6217 (Cross-site scripting (XSS) vulnerability in index.php in Extrakt ...)
 	NOT-FOR-US: Extrakt Framework
 CVE-2008-6216 (SQL injection vulnerability in cadena_ofertas_ext.php in Venalsur ...)
@@ -23213,7 +23211,6 @@
 	{DSA-1790-1}
 	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
 	[squeeze] - xpdf 3.02-1.4+lenny1
-	TODO: check poppler cups kdegraphics swftools
 CVE-2009-0194 (The domain-locking implementation in the ...)
 	NOT-FOR-US: Garmin Communicator Plug-In
 CVE-2009-0193 (Heap-based buffer overflow in Adobe Acrobat Reader 9 before 9.1, 8 ...)
@@ -23442,7 +23439,6 @@
 CVE-2008-5907 (The png_check_keyword function in pngwutil.c in libpng before 1.0.42, ...)
 	{DSA-1750-1}
 	- libpng 1.2.35-1 (bug #512665)
-	TODO: check tuxonice-userui
 	NOTE: Only an issues when using libpng to create out-of-spec images
 CVE-2008-5906 (Eval injection vulnerability in the web interface plugin in KTorrent ...)
 	- ktorrent2.2 2.2.8.dfsg.1-1 (bug #504178)
@@ -23654,7 +23650,7 @@
 CVE-2009-0067
 	RESERVED
 CVE-2009-0066 (Multiple unspecified vulnerabilities in Intel system software for ...)
-	TODO: will be presented at Black Hat
+	NOT-FOR-US: Intel system software for TXT
 CVE-2009-0065 (Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control ...)
 	{DSA-1794-1 DSA-1787-1 DSA-1749-1}
 	- linux-2.6 2.6.29-1
@@ -24335,7 +24331,6 @@
 	- icedove 2.0.0.22-1 (bug #535124)
 	[squeeze] - icedove 2.0.0.22-0lenny1
 	- libpng 1.2.35-1 (bug #516256)
-	TODO: check tuxonice-userui
 CVE-2009-0039 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...)
 	- geronimo <itp> (bug #481869)
 CVE-2009-0038 (Multiple cross-site scripting (XSS) vulnerabilities in the web ...)
@@ -42081,7 +42076,6 @@
 CVE-2007-5377 (The (1) tramp-make-temp-file and (2) tramp-make-tramp-temp-file ...)
 	- tramp <not-affected> (the version we ship still uses make-temp-file)
 	- emacs22 <not-affected> (the version we ship still uses make-temp-file)
-	TODO: check if upstream release > 22.1 gets uploaded
 CVE-2007-5376
 	RESERVED
 CVE-2007-5375 (Interpretation conflict in the Sun Java Virtual Machine (JVM) allows ...)
@@ -49472,7 +49466,6 @@
 	NOTE: only be considered vunerabile if they process confidential data.
 	NOTE: The frameworks should be fixed in any case.
 CVE-2007-2384 (The Script.aculo.us framework exchanges data using JavaScript Object ...)
-	TODO: check glpi knowledgeroot mt-daapd op-panel python-webhelpers qwik rails wordpress
 	NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
 	NOTE: This allows to steal data from affected websites. Therefore web applications should
 	NOTE: only be considered vunerabile if they process confidential data.
@@ -49542,7 +49535,6 @@
 	NOTE: only be considered vunerabile if they process confidential data.
 	NOTE: The frameworks should be fixed in any case.
 CVE-2007-2381 (The MochiKit framework exchanges data using JavaScript Object Notation ...)
-	TODO: check python-paste
 	NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
 	NOTE: This allows to steal data from affected websites. Therefore web applications should
 	NOTE: only be considered vunerabile if they process confidential data.
@@ -90161,7 +90153,6 @@
 CVE-2004-0433 (Multiple buffer overflows in the Real-Time Streaming Protocol (RTSP) ...)
 	- mplayer 1.0~pre6a-1
 	- xine-lib 1-rc4
-	TODO: check vlc (a problem in the xine-lib rtsp code copy.  this was likely fixed a long time ago, but i can't find a link to the relevant code anymore to compare to)
 CVE-2004-0432 (ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL ...)
 	- proftpd 1.2.9-4
 CVE-2004-0431 (Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 ...)

More information about the Secure-testing-commits mailing list