[Secure-testing-commits] r13932 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Wed Jan 27 18:34:29 UTC 2010
Author: jmm-guest
Date: 2010-01-27 18:34:28 +0000 (Wed, 27 Jan 2010)
New Revision: 13932
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
Lenny status triage:
- multiple no-dsa
- acidbase CVEfied
- ocsinventory unimportant
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-01-27 18:30:52 UTC (rev 13931)
+++ data/CVE/list 2010-01-27 18:34:28 UTC (rev 13932)
@@ -6,8 +6,9 @@
- postgresql-8.4 <unfixed>
NOTE: CVE id requested on oss-sec
CVE-2010-XXXX [bozohttpd DoS on incomplete requests]
- - bozohttpd <unfixed> (bug #566325)
- TODO: check
+ - bozohttpd <unfixed> (low; bug #566325)
+ [lenny] - bozohttpd <no-dsa> (Minor issue)
+ [etch] - bozohttpd <no-dsa> (Minor issue)
CVE-2010-XXXX [maradns null pointer dereference]
- maradns <unfixed> (low)
[lenny] - maradns <no-dsa> (minor issue)
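Review bot: The "TODO: check" line is dropped without recording what was checked: the bozohttpd entry still has no NOTE pointing at an upstream report or saying why a hang on incomplete requests is rated low, whereas the postgresql entry just above at least records that a CVE id was requested on oss-sec. A one-line NOTE with the reference would let the next triager verify the "Minor issue" reason. Also, this hunk writes "(Minor issue)" while the maradns lenny line two lines down writes "(minor issue)"; pick one spelling.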
@@ -20,6 +21,7 @@
NOTE: http://osvdb.org/show/osvdb/61203
CVE-2010-XXXX [sqlite: info leak]
- sqlite3 <unfixed> (low; bug #566326)
+ [lenny] - sqlite3 <no-dsa> (Minor information leak)
CVE-2010-XXXX [backup-manager: make sure password is not written to world-readable files]
- backup-manager <undetermined> (low)
TODO: after next stable point release: [lenny] - backup-manager 0.7.7-2
@@ -130,7 +132,8 @@
CVE-2009-4614 (Multiple PHP remote file inclusion vulnerabilities in Moa Gallery ...)
NOT-FOR-US: Moa Gallery
CVE-2010-XXXX [zope standard_error_message XSS]
- - zope2.10 <unfixed>
+ - zope2.10 <removed> (low)
+ [lenny] - zope2.10 <no-dsa> (Minor issue)
- zope2.11 <removed>
- zope2.9 <removed>
NOTE: https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html
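Review bot: The zope2.10 state changes from <unfixed> to <removed> here, which ends tracking for unstable, but the commit log only mentions "multiple no-dsa"; if zope2.10 has in fact been removed from unstable, say so in the log or a NOTE, otherwise keep "- zope2.10 <unfixed> (low)" and only add the [lenny] line, since <removed> on the sid line would hide an unfixed package.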
@@ -502,10 +505,16 @@
NOT-FOR-US: Bftpd
CVE-2009-4592 (Unspecified vulnerability in base_local_rules.php in Basic Analysis ...)
- acidbase 1.4.4-1
+ [lenny] - acidbase <no-dsa> (Minor issue)
+ [etch] - acidbase <no-dsa> (Minor issue)
CVE-2009-4591 (SQL injection vulnerability in Basic Analysis and Security Engine ...)
- acidbase 1.4.4-1
+ [lenny] - acidbase <no-dsa> (Minor issue)
+ [etch] - acidbase <no-dsa> (Minor issue)
CVE-2009-4590 (Cross-site scripting (XSS) vulnerability in base_local_rules.php in ...)
- acidbase <unfixed>
+ [lenny] - acidbase <no-dsa> (Minor issue)
+ [etch] - acidbase <no-dsa> (Minor issue)
NOTE: 1.4.5 fixed more XSS issues in this file
TODO: report bug
CVE-2009-4588 (Heap-based buffer overflow in the WindsPlayerIE.View.1 ActiveX control ...)
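Review bot: CVE-2009-4590 is still <unfixed> with a "TODO: report bug" below it, yet lenny and etch are already marked <no-dsa>; the NOTE that 1.4.5 fixed more XSS issues in base_local_rules.php also suggests 1.4.4-1 does not fully cover this CVE. The no-dsa reason should say which version the point-release update is expected to carry, and the TODO should be resolved before the package goes onto the spu-candidates list.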
@@ -1173,6 +1182,8 @@
- trac 0.11.6-1
CVE-2009-4404 (Unspecified vulnerability in t-prot (TOFU Protection) before 2.8 ...)
- t-prot 2.8-1 (low)
+ [etch] - t-prot <no-dsa> (Minor issue)
+ [lenny] - t-prot <no-dsa> (Minor issue)
CVE-2009-4403 (Cross-site scripting (XSS) vulnerability in index.php in Rumba XML 1.8 ...)
NOT-FOR-US: Rumba XML
CVE-2009-4402 (The default configuration of SQL-Ledger 2.8.24 allows remote attackers ...)
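Review bot: The release lines are ordered [etch] before [lenny] here but [lenny] before [etch] in the bozohttpd and acidbase entries in the same commit; use one order throughout so the lenny status is always on the same line of each entry.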
@@ -1737,6 +1748,7 @@
TODO: next point update: [lenny] - xfs 1:1.0.8-2.2+lenny1
CVE-2009-XXXX [xserver-xorg: inherits user's mask]
- xorg-server 2:1.7.2-1 (low; bug #555308)
+ [lenny] - xorg-server <no-dsa> (Minor issue)
CVE-2009-4296 (SQL injection vulnerability in the Taxonomy Timer module 5.x-1.8 and ...)
NOT-FOR-US: Taxonomy Timer module for Drupal
CVE-2009-4295 (Sun Ray Server Software 4.0 and 4.1 does not generate a unique DSA ...)
@@ -3014,8 +3026,6 @@
- ghostscript <unfixed> (unimportant)
- gs-gpl <removed> (unimportant)
- xpdf <unfixed> (unimportant)
-CVE-2009-XXXX [multiple vulnerabilities in acidbase; XSS + possible sql injection]
- - acidbase 1.4.4-1 (bug #552235)
CVE-2009-XXXX [multiple vulnerabilities in jetty]
- jetty <unfixed> (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
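Review bot: Removing the CVE-2009-XXXX acidbase placeholder drops bug #552235 from the tracker; none of the three CVE-2009-4590/4591/4592 entries it was split into carries a bug reference, so move the number to them (at least to CVE-2009-4590, which remains <unfixed>), e.g. "- acidbase <unfixed> (bug #552235)".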
@@ -6471,13 +6481,11 @@
CVE-2008-6974 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...)
NOT-FOR-US: DD-WRT
CVE-2009-3040 (Multiple SQL injection vulnerabilities in Open Computer and Software ...)
- - ocsinventory-server 1.02.1-2 (low; bug #541995)
- [lenny] - ocsinventory-server <no-dsa> (Minor issue)
- NOTE: Authentication is needed
+ - ocsinventory-server 1.02.1-2 (unimportant; bug #541995)
+ NOTE: Authentication is needed, only supported in trusted environments, see debtags
CVE-2009-3042 (SQL injection vulnerability in machine.php in Open Computer and ...)
- - ocsinventory-server 1.02.1-2 (low; bug #541995)
- [lenny] - ocsinventory-server <no-dsa> (Minor issue)
- NOTE: Authentication is needed
+ - ocsinventory-server 1.02.1-2 (unimportant; bug #541995)
+ NOTE: Authentication is needed, only supported in trusted environments, see debtags
CVE-2009-2763
RESERVED
CVE-2009-XXXX [logrotate race condition could lead to file disclosure]
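Review bot: "see debtags" is not a reference a later triager can follow; name the tag and value the "unimportant" rating relies on in the NOTE, so the rating can be rechecked if the package's tags change. Dropping the two [lenny] <no-dsa> lines is consistent with the new rating, since they only restated the same "minor issue" conclusion, but the NOTE is now the sole justification and should be precise.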
@@ -10431,8 +10439,8 @@
CVE-2009-1444 (PHP remote file inclusion vulnerability in indexk.php in WebPortal CMS ...)
NOT-FOR-US: WebPortal CMS
CVE-2009-1443 (Multiple unspecified vulnerabilities in the Server component in OCS ...)
- - ocsinventory-server 1.02-1
- NOTE: unspecified vulnerabilities, unknow impact
+ - ocsinventory-server 1.02-1 (unimportant)
+ NOTE: Only supported in trusted environments, see debtags
CVE-2009-1442 (Multiple integer overflows in Skia, as used in Google Chrome 1.x ...)
NOT-FOR-US: skia
CVE-2009-1441 (Heap-based buffer overflow in the ParamTraits<SkBitmap>::Read function ...)
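Review bot: The removed NOTE "unspecified vulnerabilities, unknow impact" was still true and should be kept alongside the new one: the unimportant rating for CVE-2009-1443 rests on the deployment assumption (trusted environments only), not on knowledge of the flaws, and the NOTE should say both, e.g. "NOTE: unspecified vulnerabilities, unknown impact; only supported in trusted environments (see debtags)".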
@@ -16453,8 +16461,9 @@
CVE-2008-5661 (The IPv4 Forwarding feature in Sun Solaris 10 and OpenSolaris snv_47 ...)
NOT-FOR-US: Sun Solaris
CVE-2008-5659 (The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and ...)
- - classpath 2:0.98-1 (bug #512532; medium)
- - libgnucrypto-java <removed> (medium; bug #559789)
+ - classpath 2:0.98-1 (bug #512532; low)
+ - libgnucrypto-java <removed> (low; bug #559789)
+ [lenny] - libgnucrypto-java <no-dsa> (Minor issue)
CVE-2008-5657 (CRLF injection vulnerability in Quassel Core before 0.3.0.3 allows ...)
- quassel 0.2~rc1-1.1 (bug #506550)
CVE-2008-5656 (Cross-site scripting (XSS) vulnerability in the frontend plugin for ...)
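Review bot: classpath gets no [lenny] line while libgnucrypto-java does; if the lenny version of classpath is affected by CVE-2008-5659 it needs a <no-dsa> line (or a fixed version) as well, and if it is not, a <not-affected> line with the reason would record that. The field order also differs between the two entries, "(bug #512532; low)" versus "(low; bug #559789)"; the severity-first form is the one used elsewhere in this file.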
@@ -18786,6 +18795,7 @@
- kadu 0.6.0.2-3 (low; bug #504429)
- ekg 1:1.8~rc0-1 (low)
- centerim 4.22.9-1 (low; bug #559782)
+ [lenny] - centerim <no-dsa> (Minor issue)
- qutecom <not-affected> (does not use libgadu embed; bug #559784)
CVE-2008-4769 (Directory traversal vulnerability in the get_category_template ...)
{DSA-1871-2 DSA-1871-1}
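Review bot: Only centerim receives a [lenny] <no-dsa> line, while kadu and ekg, rated low on the lines just above for the same issue, get no lenny status in this hunk; confirm whether their lenny versions are covered elsewhere or need the same annotation.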
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2010-01-27 18:30:52 UTC (rev 13931)
+++ data/spu-candidates.txt 2010-01-27 18:34:28 UTC (rev 13932)
@@ -6,6 +6,10 @@
--
+acidbase (CVE-2009-4590, CVE-2009-4591, CVE-2009-4592)
+
+--
+
asterisk (CVE-2009-0041)
#513413
notified maintainer
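Review bot: Unlike the other entries added in this commit, acidbase lists no bug number under the package line; bug #552235, which this same commit drops from data/CVE/list together with the acidbase placeholder entry, is the one to record here in the "#NNNNNN" form the file uses (compare "#559782" under centerim).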
@@ -45,6 +49,11 @@
--
+centerim (CVE-2008-4776)
+#559782
+
+--
+
compiz-fusion-plugins-main (CVE-2008-6514)
notified maintainer
@@ -102,6 +111,11 @@
--
+libgnucrypto-java (CVE-2008-5659)
+#559789
+
+--
+
gnutls26 (CVE-2009-1417)
#531614
notified maintainer
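Review bot: The libgnucrypto-java entry is inserted before gnutls26, although the surrounding entries (asterisk, centerim, compiz-fusion-plugins-main, gnutls26, net-snmp, tau, ziproxy) are kept in alphabetical order; move it after gnutls26 so it is not overlooked when the list is scanned.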
@@ -267,6 +281,10 @@
--
+t-prot (CVE-2009-4404)
+
+--
+
net-snmp (CVE-2008-6123)
Noah will see to it.
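Review bot: Same ordering point as for libgnucrypto-java: t-prot lands before net-snmp, whereas alphabetical order would place it between sqlite and tau.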
@@ -350,6 +368,11 @@
--
+sqlite
+#566326
+
+--
+
tau (CVE-2008-5157)
#506348
notified maintainer
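Review bot: The package name should match the source package tracked in data/CVE/list, "sqlite3", not "sqlite", and since the issue is still a CVE-2010-XXXX placeholder the entry should say "(no CVE)" as the xserver-xorg and zope2.10 entries in this commit do, so the missing identifier is visible at a glance.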
@@ -412,7 +435,16 @@
--
+xserver-xorg (no CVE)
+#555308
+
+--
+
ziproxy (CVE-2009-0804)
#521051
notified maintainer
+--
+
+zope2.10 (no CVE)
+https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html
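Review bot: "xserver-xorg" is a binary package; data/CVE/list records the fix as "xorg-server 2:1.7.2-1", so use the source package name here as well. The zope2.10 entry is correctly appended after ziproxy, but it carries only the upstream announcement URL and no Debian bug number, unlike the other entries in the file; add the bug reference once one exists so the point-release update has something to track.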