[Secure-testing-commits] r14019 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Wed Feb 3 18:39:31 UTC 2010


Author: jmm-guest
Date: 2010-02-03 18:39:30 +0000 (Wed, 03 Feb 2010)
New Revision: 14019

Modified:
   data/CVE/list
   data/embedded-code-copies
   data/spu-candidates.txt
Log:
- acl fixed
- xotcl fixed by using system copy of expat
- asterisk issue unstable/testing only
- acl/struts no-dsa


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-02-03 17:21:41 UTC (rev 14018)
+++ data/CVE/list	2010-02-03 18:39:30 UTC (rev 14019)
@@ -61,9 +61,8 @@
 CVE-2010-0441 [asterisk T.38 remote crash]
 	RESERVED
 	- asterisk <unfixed>
-	NOTE: probably doesn't affect pre-squeeze
-	NOTE: http://downloads.asterisk.org/pub/security/AST-2010-001.pdf
-	TODO: check
+	[lenny] - asterisk <not-affected> (Only affects 1.6.x)
+	[etch] - asterisk <not-affected> (Only affects 1.6.x)
 CVE-2010-0440
 	RESERVED
 CVE-2010-0439
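Review bot: the removed NOTE carrying the upstream advisory URL (http://downloads.asterisk.org/pub/security/AST-2010-001.pdf) was the only reference backing the new `<not-affected> (Only affects 1.6.x)` markings for lenny and etch; consider keeping that NOTE line so the version-range claim stays traceable from the tracker entry rather than only from commit history.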
@@ -1412,10 +1411,9 @@
 CVE-2009-4412 (Unrestricted file upload vulnerability in Serendipity before 1.5 ...)
 	- serendipity <unfixed> (low; bug #562634)
 CVE-2009-4411 (The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when ...)
-	- acl <unfixed> (low; bug #499076)
+	- acl 2.2.49-2 (low; bug #499076)
 	[etch] - acl <not-affected> (Vulnerable code not present)
 	[lenny] - acl <no-dsa> (Minor issue, symlink attack not always as root)
-	NOTE: bug was closed but the fix seems incomplete
 	NOTE: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076#51
 CVE-2009-4409 (The (1) CHAP and (2) MS-CHAP-V2 authentication capabilities in the PPP ...)
 	NOT-FOR-US: Internet Initiative Japan SEIL/B1 firmware
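Review bot: after dropping `NOTE: bug was closed but the fix seems incomplete`, the remaining `NOTE: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076#51` points at a specific bug message without saying what it establishes; a one-line NOTE recording that 2.2.49-2 carries the complete fix would keep the link self-explanatory for the next person triaging this entry.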
@@ -3602,7 +3600,7 @@
 	- vnc4 <unfixed> (low; bug #560949)
 	[etch] - vnc4 <no-dsa> (minor issue)
 	[lenny] - vnc4 <no-dsa> (minor issue)
-	- xotcl <unfixed> (low; bug #560950)
+	- xotcl 1.6.5-1.1 (low; bug #560950)
 	[lenny] - xotcl <no-dsa> (minor issue)
 CVE-2009-3719 (Cross-site scripting (XSS) vulnerability in comment.asp in Battle Blog ...)
 	NOT-FOR-US: Battle Blog
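Review bot: the commit log states that xotcl was fixed by using the system copy of expat, but the entry itself only records the fixed version 1.6.5-1.1; a NOTE line with that detail would explain in the tracker why the embedded copy no longer matters, and it also documents the reasoning behind the matching embedded-code-copies update in this commit.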
@@ -25695,6 +25693,7 @@
 	NOT-FOR-US:  RSA Authentication Agent
 CVE-2008-2025 (Cross-site scripting (XSS) vulnerability in Apache Struts before ...)
 	- libstruts1.2-java 1.2.9-3.1 (low; bug #528352)
+	[lenny] - libstruts1.2-java <no-dsa> (Minor issue)
 CVE-2008-2024 (Cross-site scripting (XSS) vulnerability in index.php in miniBB 2.2, ...)
 	NOT-FOR-US: miniBB
 CVE-2008-2023 (Multiple SQL injection vulnerabilities in PD9 Software MegaBBS 2.2 ...)
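Review bot: `(Minor issue)` on the new [lenny] no-dsa line gives no reason, whereas the acl entry in the same commit spells out why its impact is limited; a short rationale stating why this Struts XSS is considered minor for lenny would make later re-triage easier.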

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2010-02-03 17:21:41 UTC (rev 14018)
+++ data/embedded-code-copies	2010-02-03 18:39:30 UTC (rev 14019)
@@ -1157,7 +1157,7 @@
 	- apache2 2.2 (embed)
 	- texlive-bin <not-affected> (Embedded code not compiled in)
 	- vnc4 <unfixed> (embed)
-	- xotcl <unfixed> (embed)
+	- xotcl 1.6.5-1.1 (embed)
 
 xerces-c
 	- xerces-c2 <unfixed> (old-version)

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2010-02-03 17:21:41 UTC (rev 14018)
+++ data/spu-candidates.txt	2010-02-03 18:39:30 UTC (rev 14019)
@@ -11,6 +11,12 @@
 
 --
 
+acl (CVE-2009-4411)
+#499076
+notified maintainer
+
+--
+
 asterisk (CVE-2009-0041)
 #513413
 notified maintainer
@@ -188,6 +194,11 @@
 
 --
 
+libstruts1.2-java (CVE-2008-2025)
+#528352
+
+--
+
 maradns
 http://maradns.org/download/maradns-1.4.02-parse_segfault.patch
 notified maintainer
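Review bot: the new libstruts1.2-java block lacks the `notified maintainer` line that the acl and asterisk blocks carry; if the maintainer has not yet been contacted, a TODO line would record that, otherwise add the status line for consistency with the other candidates.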
