[Secure-testing-commits] r13900 - in data: . CVE

Michael Gilbert gilbert-guest at alioth.debian.org
Sun Jan 24 23:48:49 UTC 2010


Author: gilbert-guest
Date: 2010-01-24 23:48:49 +0000 (Sun, 24 Jan 2010)
New Revision: 13900

Modified:
   data/CVE/list
   data/embedded-code-copies
Log:
various new issues; many libltdl, prototype, and expat issues fixed

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-01-24 23:31:05 UTC (rev 13899)
+++ data/CVE/list	2010-01-24 23:48:49 UTC (rev 13900)
@@ -8,6 +8,19 @@
 	[lenny] - gtk+2.0 <not-affected> (issue only exposed by gnome-screensaver 2.28)
 	[etch] - gtk+2.0 <not-affected> (issue only exposed by gnome-screensaver 2.28)
 	NOTE: http://osvdb.org/show/osvdb/61203
+CVE-2010-XXXX [sqlite: info leak]
+	- sqlite3 <unfixed> (low; bug #566326)
+CVE-2010-XXXX [backup-manager: make sure password is not written to world-readable files]
+	- backup-manager <undetermined> (low)
+	TODO: after next stable point release: [lenny] - backup-manager 0.7.7-2
+	NOTE: http://lists.debian.org/debian-release/2010/01/msg00181.html
+CVE-2010-XXXX [sudosh3: many security weaknesses]
+	- sudosh3 <unfixed> (high; bug #566142)
+	NOTE: package is likely to be removed
+CVE-2010-XXXX [phpbb: many issues]
+	- phpbb <undetermined>
+	NOTE: http://www.openwall.com/lists/oss-security/2010/01/16/2
+	TODO: check
 CVE-2010-0379 (Multiple unspecified vuilnerabilities in the Macromedia Flash ActiveX ...)
 	TODO: check
 CVE-2010-0378 (Use-after-free vulnerability in Adobe Flash Player 6.0.79, as ...)
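Review bot: the backup-manager and phpbb entries in this hunk carry `<undetermined>` status with a TODO but no bug reference, while the sqlite3 and sudosh3 entries cite their BTS bugs (#566326, #566142); consider filing and recording bugs for the two undetermined items so each TODO has a tracking handle, and the four `CVE-2010-XXXX` placeholders need replacing once identifiers are assigned. The sudosh3 line rates the issue high while its NOTE says the package is likely to be removed; if removal is the resolution, the entry should record that once it happens rather than staying `<unfixed>`.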
@@ -193,6 +206,7 @@
 CVE-2010-0319 (Cross-site scripting (XSS) vulnerability in index.php in Docmint 1.0 ...)
 	NOT-FOR-US: Docmint
 CVE-2010-0318 (The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, ...)
+	- kfreebsd-6 <not-affected> (vulnerable code introduced in freebsd 7)
 	- kfreebsd-7 7.2-10 (bug #566684)
 	- kfreebsd-8 8.0-2
 CVE-2010-0317 (Novell Netware 6.5 SP8 allows remote attackers to cause a denial of ...)
@@ -268,8 +282,10 @@
 	RESERVED
 CVE-2010-0291
 	RESERVED
-CVE-2010-0290
+CVE-2010-0290 [bind: CVE-2009-4022 fix incomplete]
 	RESERVED
+	- bind <unfixed>
+	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=554851#c7
 CVE-2010-0289 [dokuwiki CSRF]
 	RESERVED
 	{DSA-1976-1}
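Review bot: `- bind <unfixed>` for CVE-2010-0290 has no severity and no bug reference, unlike the other `<unfixed>` lines added in this commit (e.g. `- sqlite3 <unfixed> (low; bug #566326)`); add a severity and a BTS bug. Since the entry is still marked RESERVED, the bracketed summary ("CVE-2009-4022 fix incomplete") and the Red Hat bugzilla link are the only description, so the NOTE should stay. Also confirm that `bind` is the intended Debian source package name for this entry.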
@@ -3109,7 +3125,7 @@
 	- hamlib <unfixed> (low; bug #559814)
 	[lenny] - hamlib <no-dsa> (Minor issue)
 	[etch] - hamlib <no-dsa> (Minor issue)
-	- hercules <unfixed> (low; bug #559815)
+	- hercules 3.06-1.2 (low; bug #559815)
 	[lenny] - hercules <no-dsa> (Minor issue)
 	[etch] - hercules <no-dsa> (Minor issue)
 	- jags 1.0.4-1 (low; bug #559816)
@@ -3140,7 +3156,7 @@
 	[lenny] - siproxd <no-dsa> (Minor issue)
 	[etch] - siproxd <no-dsa> (Minor issue)
 	- ski <unfixed> (low; bug #559828)
-	- synfig <unfixed> (low; bug #559829)
+	- synfig 0.62.00-1 (low; bug #559829)
 	[lenny] - synfig <no-dsa> (Minor issue)
 	- xmlsec1 1.2.14-1 (unimportant; bug #559831)
 	NOTE: Embedded code copy isn't used
@@ -3267,7 +3283,7 @@
 	- grmonitor <removed> (unimportant; bug #560931)
 	- iceape <unfixed> (unimportant; bug #560932)
 	- insighttoolkit 3.16.0-1 (unimportant; bug #560933)
-	- paraview <unfixed> (unimportant; bug #560935)
+	- paraview 3.6.2-1 (unimportant; bug #560935)
 	- poco <unfixed> (unimportant; bug #560936)
 	- simgear <unfixed> (unimportant; bug #560937)
 	- smart <unfixed> (low; bug #560953)
@@ -3750,7 +3766,7 @@
 	- grmonitor <removed> (unimportant; bug #560931)
 	- iceape <unfixed> (unimportant; bug #560932)
 	- insighttoolkit 3.16.0-1 (unimportant; bug #560933)
-	- paraview <unfixed> (unimportant; bug #560935)
+	- paraview 3.6.2-1 (unimportant; bug #560935)
 	- poco <unfixed> (unimportant; bug #560936)
 	- simgear <unfixed> (unimportant; bug #560937)
 	- smart <unfixed> (low; bug #560953)
@@ -4854,7 +4870,7 @@
 	- otrs2 2.3.4-6 (low; bug #555266)
 	[etch] - otrs2 <not-affected> (prototype.js not present)
 	[lenny] - otrs2 <not-affected> (prototype.js not present)
-	- webcalendar <unfixed> (low; bug #555268)
+	- webcalendar 1.2~b1-2 (low; bug #555268)
 	[lenny] - webcalendar <not-affected> (prototype.js not present)
 	- libhtml-prototype-perl 1.48-3 (low; bug #558977)
 	[etch] - libhtml-prototype-perl <no-dsa> (minor issue)
@@ -5400,7 +5416,7 @@
 CVE-2008-7149 (Unspecified vulnerability in AgileWiki before 0.10.1 has unknown ...)
 	NOT-FOR-US: AgileWiki
 CVE-2008-7148 (Unspecified vulnerability in Synfig Animation Studio before 0.61.08 ...)
-	NOT-FOR-US: Synfig Animation Studio
+	- synfig 0.61.08-1
 CVE-2008-7147 (Multiple cross-site scripting (XSS) vulnerabilities in IntraLearn ...)
 	NOT-FOR-US: IntraLearn Software IntraLearn
 CVE-2008-7146 (IntraLearn Software IntraLearn 2.1, and possibly other versions before ...)
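Review bot: flipping CVE-2008-7148 from NOT-FOR-US to `- synfig 0.61.08-1` is consistent with the CVE text ("before 0.61.08"), but the new entry has no severity annotation and no suite status; if etch or lenny shipped a synfig older than 0.61.08 they need `[etch]`/`[lenny]` lines, and a short NOTE giving the basis for the fixed version would help future readers.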
@@ -30087,9 +30103,7 @@
 CVE-2007-6673 (Cross-site scripting (XSS) vulnerability in Makale Scripti allows ...)
 	NOT-FOR-US: Makale Scripti
 CVE-2007-6672 (Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass ...)
-	- jetty <not-affected> (medium; bug #462793; bug #559765)
-	NOTE: only applies to version >= 6
-	TODO: maintainer checking on status; follow up
+	- jetty 6.1.18-1 (medium; bug #462793; bug #559765)
 CVE-2007-6671 (SQL injection vulnerability in login_form.asp in Instant Softwares ...)
 	NOT-FOR-US: Instant Softwares Dating Site
 CVE-2007-6670 (SQL injection vulnerability in search.php in PHCDownload 1.1.0 allows ...)
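Review bot: this replaces `jetty <not-affected>` together with its NOTE and TODO by a fixed version `6.1.18-1`, so the package is now treated as affected, but the outcome of the TODO ("maintainer checking on status; follow up") is not recorded anywhere; keep a NOTE stating why the earlier not-affected assessment was reversed (the removed note said the issue only applies to version >= 6), and check whether the jetty versions in etch and lenny need `[etch]`/`[lenny]` annotations now that the entry is no longer not-affected.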
@@ -41715,7 +41729,7 @@
 	- activeldap <not-affected> (fixed since initial inclusion)
 	- mantis <not-affected> (fixed since initial inclusion)
 	- otrs2 <not-affected> (fixed since initial inclusion)
-	- webcalendar <unfixed> (low; bug #555268)
+	- webcalendar 1.2~b1-2 (low; bug #555268)
 	[lenny] - webcalendar <not-affected> (prototype.js not present)
 	- plone3 <removed> (low; bug #555274)
 	- wesnoth <not-affected> (fixed since initial inclusion)

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2010-01-24 23:31:05 UTC (rev 13899)
+++ data/embedded-code-copies	2010-01-24 23:48:49 UTC (rev 13900)
@@ -757,7 +757,7 @@
 	- libv8 <not-affected> (contains a google-specific implementation of prototype.js)
 	- mantis 1.1.2+dfsg-1 (embed; bug #555265)
 	- otrs2 2.3.4-6 (embed; bug #555267)
-	- webcalendar <unfixed> (embed; bug #555269)
+	- webcalendar 1.2~b1-2 (embed; bug #555269)
 	- redmine 0.9.0~svn2907-1 (embed; bug #555270)
 	- jifty 0.90519-1 (embed; bug #555271)
 	- jquery 1.4-1 (embed; bug #555272)
@@ -883,11 +883,6 @@
 	- kdepimlibs 4.2.0-1 (fork)
 	- claws-mail-extra-plugins <unfixed> (fork)
 
-libltdl3
-	- kdelibs <unfixed> (embed)
-	NOTE: it's been said it sets RT_GLOBAL (or something like that) at runtime and version in experimental of libltdl can optionally set it
-	- synfig <unfixed> (embed)
-
 harfbuzz
 	- qt4-x11 <unfixed> (embed)
 	- pango1.0 <unfixed> (embed)
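Review bot: deleting the whole `libltdl3` section drops the only record of the RT_GLOBAL observation about kdelibs; kdelibs still appears as `- kdelibs <unfixed> (embed)` in the libltdl hunk further down (`@@ -1594,7 +1589,7 @@`), so if this is a consolidation of a duplicate section, move that NOTE to the surviving kdelibs entry rather than losing it. synfig is listed as `<unfixed>` here but as `0.62.00-1` in the surviving section, so the removal is the right direction provided the surviving section is the authoritative one.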
@@ -1141,7 +1136,7 @@
 	- insighttoolkit 3.16.0-1 (embed)
         NOTE: insighttoolkit might've been fixed earlier
 	- libparagui1.1 1.0.2-1 (embed)
-	- paraview <unfixed> (embed)
+	- paraview 3.6.2-1 (embed)
 	- poco <unfixed> (embed)
 	- simgear <unfixed> (embed)
 	- sitecopy 1:0.16.0-1
@@ -1594,7 +1589,7 @@
         NOTE: The etch version of graphviz was the earliest version checked, might be fixed earlier
 	- guile-1.6 1.6.8-7 (embed)
 	- hamlib <unfixed> (embed)
-	- hercules <unfixed> (embed)
+	- hercules 3.06-1.2 (embed)
 	- jags 1.0.4-3 (embed; bug #560864)
 	- kdelibs <unfixed> (embed)
 	- libannodex <removed> (embed)
@@ -1608,7 +1603,7 @@
 	- redland <unfixed> (embed)
 	- siproxd <unfixed> (embed)
 	- ski <unfixed> (embed)
-	- synfig <unfixed> (embed)
+	- synfig 0.62.00-1 (embed)
 	- unixodbc 2.2.4-5 (embed)
 	- xmlsec1 <not-affected> (Doesn't enable dynamic loading of crypto modules)
 	- clamav 0.95+dfsg-1 (embed)
