[Secure-testing-commits] r15243 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Tue Aug 31 16:20:22 UTC 2010 

Author: jmm-guest
Date: 2010-08-31 16:20:21 +0000 (Tue, 31 Aug 2010)
New Revision: 15243

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
- fix drupal c&p error
- no-dsa: libhx, libgdiplus, mapserver
- fix phpmyadmin entry, was still marked as unfixed for lenny


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-08-31 09:14:36 UTC (rev 15242)
+++ data/CVE/list	2010-08-31 16:20:21 UTC (rev 15243)
@@ -343,9 +343,8 @@
 	NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
 CVE-2010-3055 (The configuration setup script (aka scripts/setup.php) in phpMyAdmin ...)
 	{DSA-2097-1}
-	- phpmyadmin <not-affected> (Affects only 2.x branch)
-	[lenny] - phpmyadmin <unfixed>
-	NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
+	- phpmyadmin 4:3.0.0
+	NOTE: Affects only 2.x branch
 CVE-2010-3052
 	RESERVED
 CVE-2010-3051
@@ -570,6 +569,7 @@
 	[lenny] - php5 <not-affected> (phar extension introduced in 5.3)
 CVE-2010-2947 (Heap-based buffer overflow in the HX_split function in string.c in ...)
 	- libhx 3.5-2 (low; bug #594393)
+	[lenny] - libhx <no-dsa> (Minor issue, asked maintainer to fix through spu)
 CVE-2010-2946 [jfs issue]
 	RESERVED
 	- linux-2.6 2.6.32-21
@@ -958,12 +958,14 @@
 	RESERVED
 CVE-2010-2796 (Cross-site scripting (XSS) vulnerability in phpCAS before 1.1.2, when ...)
 	- libphp-cas <itp> (bug #495542)
-	- glpi <unfixed>
+	- glpi <unfixed> (unimportant)
+	NOTE: Only supported behind an authenticated HTTP zone
 	- moodle <unfixed>
 	TODO: check embedders
 CVE-2010-2795 (phpCAS before 1.1.2 allows remote authenticated users to hijack ...)
 	- libphp-cas <itp> (bug #495542)
-	- glpi <unfixed>
+	- glpi <unfixed> (unimportant)
+	NOTE: Only supported behind an authenticated HTTP zone
 	- moodle <unfixed>
 	TODO: check embedders
 CVE-2010-2794
@@ -1073,8 +1075,10 @@
 	NOT-FOR-US: SPirate
 CVE-2010-3484 [mapserver: buffer overflow in msTmpFile()]
 	- mapserver 5.6.4-1 (low)
+	[lenny] - mapserver <no-dsa> (Minor issue)
 CVE-2010-3485 [mapserver: insecure mapserv cgi command-line debug args]
 	- mapserver 5.6.4-1 (low)
+	[lenny] - mapserver <no-dsa> (Minor issue)
 CVE-2010-2770
 	RESERVED
 CVE-2010-2769
@@ -1098,13 +1102,13 @@
 CVE-2010-2760
 	RESERVED
 CVE-2010-2759 (Bugzilla 2.23.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through ...)
-	- bugzilla <unfixed> (medium)
+	- bugzilla <unfixed> (bug #595015; medium)
 CVE-2010-2758 (Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through ...)
-	- bugzilla <unfixed> (low)
+	- bugzilla <unfixed> (bug #595015; low)
 CVE-2010-2757 (The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through ...)
-	- bugzilla <unfixed> (low)
+	- bugzilla <unfixed> (bug #595015; low)
 CVE-2010-2756 (Search.pm in Bugzilla 2.19.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 ...)
-	- bugzilla <unfixed> (low)
+	- bugzilla <unfixed> (bug #595015; low)
 CVE-2010-2755 (layout/generic/nsObjectFrame.cpp in Mozilla Firefox 3.6.7 does not ...)
 	- xulrunner <not-affected> (Only exploitable in Firefox 3.6.x and above)
 CVE-2010-2754 (dom/base/nsJSEnvironment.cpp in Mozilla Firefox 3.5.x before 3.5.11 ...)
@@ -4070,8 +4074,8 @@
 CVE-2010-1618 (Cross-site scripting (XSS) vulnerability in the phpCAS client library ...)
 	- libphp-cas <itp> (bug #495542)
 	- moodle 1.9.8-1 (low; bug #574757)
-	- glpi <unfixed>
-	TODO: check glpi
+	- glpi <unfixed> (unimportant)
+	NOTE: Only supported behind an authenticated HTTP zone
 CVE-2010-1617 (user/view.php in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 ...)
 	- moodle 1.9.8-1 (unimportant; bug #585427)
 	NOTE: i have a hard time seeing the security impact, moodle is a course management
@@ -4279,6 +4283,7 @@
 	NOT-FOR-US: Novell iPrint Client
 CVE-2010-1526 (Multiple integer overflows in libgdiplus 2.6.7, as used in Mono, allow ...)
 	- libgdiplus 2.6.7-2 (low; bug #594155)
+	[lenny] - libgdiplus <no-dsa> (Minor issue)
 CVE-2010-1525 (Integer underflow in the SpreadSheet Lotus 123 reader (wkssr.dll) in ...)
 	NOT-FOR-US: SpreadSheet Lotus 123 reader
 CVE-2010-1524 (The SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 ...)
@@ -6537,16 +6542,16 @@
 	NOTE: Triggered through config files, not a security issue
 CVE-2010-2473 [Blocked user session regeneration]
 	RESERVED
-	- drupal6 6.16-1 (bug #572439)
+	- drupal6 6.18-1 (bug #592716)
 CVE-2010-2472 [Locale module cross site scripting]
 	RESERVED
-	- drupal6 6.16-1 (bug #572439)
+	- drupal6 6.18-1 (bug #592716)
 CVE-2010-2471 [Open redirection]
 	RESERVED
-	- drupal6 6.16-1 (bug #572439)
+	- drupal6 6.18-1 (bug #592716)
 CVE-2010-2250 [Installation cross site scripting]
 	RESERVED
-	- drupal6 6.16-1 (bug #572439)
+	- drupal6 6.18-1 (bug #592716)
 CVE-2010-XXXX [linux-ftpd: null ptr dereference]
 	- linux-ftpd <not-affected> (Performs proper length checks, see #572813)
 CVE-2010-0824 (Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and ...)

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2010-08-31 09:14:36 UTC (rev 15242)
+++ data/spu-candidates.txt	2010-08-31 16:20:21 UTC (rev 15243)
@@ -293,6 +293,11 @@
 
 --
 
+mapserver (CVE-2010-3484, CVE-2010-3485)
+fixed in 5.6.4-1
+
+--
+
 maradns
 http://maradns.org/download/maradns-1.4.02-parse_segfault.patch
 notified maintainer

More information about the Secure-testing-commits mailing list