[Secure-testing-commits] r14951 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Fri Jul 2 17:51:45 UTC 2010
Author: jmm-guest
Date: 2010-07-02 17:51:39 +0000 (Fri, 02 Jul 2010)
New Revision: 14951
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
- NFUs
- redmine not in Lenny
- rewrite old kdebase entry
- rewrite old rails entry
- fastjar fixed
- remove policykit TODO, has been removed
- webkit issue is in Ruby
- old OO exploit never appeared, mark as NFU. If there ever is
one, we'll learn about it anyway
- remove a few obsolete TODOs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-07-02 16:53:39 UTC (rev 14950)
+++ data/CVE/list 2010-07-02 17:51:39 UTC (rev 14951)
@@ -126,9 +126,9 @@
CVE-2010-2519
RESERVED
CVE-2010-2518 (Unspecified vulnerability in the P8 Content Engine (P8CE) 4.5.1 before ...)
- TODO: check
+ NOT-FOR-US: P8 Content Search Engine
CVE-2010-2517 (Multiple unspecified vulnerabilities in IBM Rational ClearQuest before ...)
- TODO: check
+ NOT-FOR-US: ClearQuest
CVE-2010-XXXX [murmur DoS via malformed client query]
- qt4-x11 <undetermined> (low; bug #587713)
- sqlite3 <undetermined>
@@ -904,7 +904,7 @@
CVE-2010-2205 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on ...)
NOT-FOR-US: Adobe Reader
CVE-2010-2204 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before ...)
- TODO: check
+ NOT-FOR-US: Adobe Reader
CVE-2010-2203 (Adobe Reader and Acrobat 9.x before 9.3.3 on UNIX allow attackers to ...)
NOT-FOR-US: Adobe Reader
CVE-2010-2202 (Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on ...)
@@ -2679,9 +2679,9 @@
CVE-2010-1522
RESERVED
CVE-2010-1521 (SQL injection vulnerability in include/classes/tzn_user.php in ...)
- TODO: check
+ NOT-FOR-US: TaskFreak! Original multi user
CVE-2010-1520 (Cross-site scripting (XSS) vulnerability in logout.php in TaskFreak! ...)
- TODO: check
+ NOT-FOR-US: TaskFreak! Original multi user
CVE-2010-1519
RESERVED
CVE-2010-1518
@@ -4246,10 +4246,8 @@
- iceape <not-affected> (Vulnerable code not present)
CVE-2010-XXXX [Escape href attribute in auto links]
- redmine 0.9.3-3
- TODO: Check severity, Lenny status
CVE-2010-XXXX [Fixes permission check in QueriesController]
- redmine 0.9.3-3
- TODO: Check severity, Lenny status
CVE-2010-1003 (Directory traversal vulnerability in ...)
NOT-FOR-US: eFront-learning
CVE-2010-1002
@@ -4609,10 +4607,9 @@
CVE-2010-0924 (cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 ...)
NOT-FOR-US: Apple Safari
CVE-2010-0923 (Race condition in workspace/krunner/lock/lockdlg.cc in the KRunner ...)
- - kdebase <not-affected> (vulnerability introduced in version 4.4.0)
- - kdebase-workspace <not-affected> (vulnerability introduced in version 4.4.0)
- NOTE: http://www.openwall.com/lists/oss-security/2010/02/12/2
- TODO: recheck when >= 4.4.0 is uploaded; claimed fixed in 4.4.1
+ - kdebase 4:4.4.2-1
+ [lenny] - kdebase <not-affected> (Only affected version 4.4.0)
+ - kdebase-workspace 4:4.4.2-1
CVE-2010-0922 (Unspecified vulnerability in secldapclntd in IBM AIX 5.3 with SP ...)
NOT-FOR-US: IBM AIX
CVE-2010-0921 (Cross-site request forgery (CSRF) vulnerability in IBM Lotus iNotes ...)
@@ -4828,9 +4825,8 @@
CVE-2010-0832
RESERVED
CVE-2010-0831 (Directory traversal vulnerability in the extract_jar function in ...)
- - fastjar <unfixed> (low)
+ - fastjar 2:0.98-3 (low)
[lenny] - fastjar <no-dsa> (Minor issue)
- TODO: File bug
CVE-2010-0830 (Integer signedness error in the elf_get_dynamic_info function in ...)
{DSA-2058-1}
- glibc <removed>
@@ -5086,7 +5082,6 @@
CVE-2010-0750 (pkexec.c in pkexec in libpolkit in PolicyKit 0.96 allows local users ...)
- policykit <not-affected> (pkexec introduced in 0.92)
[lenny] - policykit <not-affected> (pkexec introduced in 0.92)
- TODO: check when >= 0.92 gets uploaded
CVE-2010-0749
RESERVED
- transmission 1.92-1 (unimportant; bug filed)
@@ -5168,8 +5163,8 @@
{DSA-2014-1}
- moin 1.9.0~rc2-1
CVE-2009-4652 (The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in ...)
- - ngircd <not-affected> (SSL/TLS support not yet present)
- TODO: Recheck when 0.15 gets uploaded
+ - ngircd 15-0.1
+ [lenny] - ngircd <not-affected> (SSL/TLS support not yet present)
CVE-2003-1590 (Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 6.0 SP3 ...)
NOT-FOR-US: Sun ONE Web Server
CVE-2003-1589 (Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 4.1 ...)
@@ -5756,8 +5751,13 @@
CVE-2010-0542 (The _WriteProlog function in texttops.c in texttops in the Text Filter ...)
- cups 1.4.4-1
CVE-2010-0541 (Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in ...)
- - libwebapp-ruby <undetermined>
- TODO: check
+ - ruby1.8 <unfixed>
+ [lenny] - ruby1.8 <no-dsa> (Minor issue)
+ - ruby1.9 <unfixed>
+ [lenny] - ruby1.9 <no-dsa> (Minor issue)
+ - ruby1.9.1 <unfixed>
+ NOTE: File bugs: https://bugzilla.redhat.com/show_bug.cgi?id=587731#c3
+ TODO: File bugs, no-dsa for Lenny
CVE-2010-0540 (Cross-site request forgery (CSRF) vulnerability in the web interface ...)
- cups 1.4.4-1
CVE-2010-0539 (Integer signedness error in the window drawing implementation in Apple ...)
@@ -8072,7 +8072,6 @@
- gnome-screensaver 2.28.0-2 (low; bug #560895)
[etch] - gnome-screensaver <not-affected> (vulnerable code introduced in 2.28)
[lenny] - gnome-screensaver <not-affected> (vulnerable code introduced in 2.28)
- TODO: request CVE id
NOTE: the code in etch's version is more different but it seems to be affected
NOTE: http://git.gnome.org/browse/gnome-screensaver/commit/?id=284c9924969a49dbf2d5fae1d680d3310c4df4a3
CVE-2009-XXXX [gif2png multiple buffer overflows parsing CLI arguments]
@@ -10102,14 +10101,11 @@
- aria2 1.2.0-1 (low; bug #551070)
[etch] - aria2 <not-affected> (Vulnerable code not present)
CVE-2009-3571 (Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact ...)
- TODO: check once details are available: - openoffice.org <unfixed> (medium; bug #551068)
- NOTE: details are unknown
+ NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form
CVE-2009-3570 (Unspecified vulnerability in OpenOffice.org (OOo) has unspecified ...)
- TODO: check once details are available:- openoffice.org <unfixed> (medium; bug #551068)
- NOTE: details are unknown
+ NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form
CVE-2009-3569 (Stack-based buffer overflow in OpenOffice.org (OOo) allows remote ...)
- TODO: check once details are available:- openoffice.org <unfixed> (medium; bug #551068)
- NOTE: details are unknown
+ NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form
CVE-2009-3568 (Comment RSS 5.x before 5.x-2.2 and 6.x before 6.x-2.2, a module for ...)
NOT-FOR-US: module for Drupal
CVE-2009-3692 (Unspecified vulnerability in the VBoxNetAdpCtl configuration tool in ...)
@@ -10653,10 +10649,8 @@
[lenny] - xulrunner <not-affected> (Video playback capabilities were added in 3.5)
CVE-2009-3387 (Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group ...)
- bugzilla <not-affected> (Only Bugzilla >= 3.3 is affected)
- TODO: Check when a current Bugzilla is uploaded
CVE-2009-3386 (Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 ...)
- bugzilla <not-affected> (Only 3.3 onwards are affected)
- TODO: recheck, once a more recent (3.3.x or 3.4.x) version has been uploaded
CVE-2009-3385 (The mail component in Mozilla SeaMonkey before 1.1.19 does not ...)
{DSA-1922-1}
- xulrunner 1.9.0.15-1
@@ -11242,7 +11236,6 @@
NOT-FOR-US: RunCMS
CVE-2009-3166 (token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL ...)
- bugzilla <not-affected> (only 3.4.x is affected)
- TODO: check when 3.4.x will be uploaded in unstable
CVE-2009-3165 (SQL injection vulnerability in the Bug.create WebService function in ...)
{DSA-1913-1}
- bugzilla 3.2.5.0-1 (low; bug #547132)
@@ -11505,7 +11498,6 @@
NOT-FOR-US: ArticleFriend Script
CVE-2009-3125 (SQL injection vulnerability in the Bug.search WebService function in ...)
- bugzilla <not-affected> (Only 3.3.x and 3.4.x are affected)
- TODO: check when 3.3.x or 3.4.x will be uploaded in unstable
CVE-2009-3124 (Directory traversal vulnerability in get_message.cgi in QuarkMail ...)
NOT-FOR-US: QuarkMail
CVE-2009-3123 (Directory traversal vulnerability in gallery/gallery.php in Wap-Motor ...)
@@ -12476,12 +12468,9 @@
CVE-2009-2902 (Directory traversal vulnerability in Apache Tomcat 5.5.0 through ...)
- tomcat6 6.0.24-1 (low)
- tomcat5 <removed>
- NOTE: tomcat 5.0 (in etch) is unsupported by upstream and may also be affected
CVE-2009-2901 (The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and ...)
- tomcat6 6.0.24-1 (low)
- - tomcat5 <removed>
- TODO: check
- NOTE: tomcat 5.0 (in etch) is unsupported by upstream and may also be affected
+ - tomcat5 <not-affected> (Windows-only)
CVE-2009-2900
RESERVED
CVE-2009-2899
@@ -13174,7 +13163,6 @@
- libxerces2-java <unfixed> (low; bug #540862)
[etch] - libxerces2-java <no-dsa> (minor issue)
[lenny] - libxerces2-java <no-dsa> (minor issue)
- TODO: request cve id
CVE-2009-XXXX [gri: insecure temp file generation]
- gri 2.12.18-1 (low)
[etch] - gri <no-dsa> (Minor issue)
@@ -13218,7 +13206,6 @@
[etch] - bugzilla <no-dsa> (minor issue)
[lenny] - bugzilla <no-dsa> (minor issue)
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=495257
- TODO: request CVE id
CVE-2009-XXXX [groff: insecure usage of gs]
- groff 1.20.1-5 (low; bug #538338)
[etch] - groff <not-affected> (pdfroff not yet present)
@@ -13234,7 +13221,6 @@
NOTE: Standard behaviour of crypt, enhancement bug for stronger method
CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution video devices]
- xscreensaver 5.05-3+nmu1 (low; bug #539699)
- TODO: request CVE id
[etch] - xscreensaver <not-affected> (vulnerable code not present)
[lenny] - xscreensaver 5.05-3+lenny1
CVE-2009-2626 (The zend_restore_ini_entry_cb function in zend_ini.c in PHP 5.3.0, ...)
@@ -13316,8 +13302,6 @@
CVE-2009-2693 (Directory traversal vulnerability in Apache Tomcat 5.5.0 through ...)
- tomcat6 6.0.24-1 (low)
- tomcat5 <removed>
- TODO: check
- NOTE: tomcat 5.0 (in etch) is unsupported by upstream and may also be affected
CVE-2009-2692 (The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, ...)
{DSA-1864-1 DSA-1865-1 DSA-1862-1}
- linux-2.6 2.6.30-6 (high; bug #541403)
@@ -14169,10 +14153,8 @@
CVE-2009-2423 (SQL injection vulnerability in category.php in Ebay Clone 2009 allows ...)
NOT-FOR-US: Ebay Clone 2009
CVE-2009-2422 (The example code for the digest authentication functionality ...)
- - rails <not-affected> (high; bug #535896)
- TODO: check after 2.3.x upload
- NOTE: vulnerable code not present, introduced in 2.3.x
- NOTE: to be fixed in upstream version 2.3.3
+ - rails 2.3.5-1 (bug #535896)
+ [lenny] - rails <not-affected> (vulnerable code not present, introduced in 2.3.x)
CVE-2009-2446 (Multiple format string vulnerabilities in the dispatch_command ...)
{DSA-1877-1}
- mysql-dfsg-5.0 <removed> (low; bug #536726)
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2010-07-02 16:53:39 UTC (rev 14950)
+++ data/spu-candidates.txt 2010-07-02 17:51:39 UTC (rev 14951)
@@ -332,6 +332,14 @@
--
+ruby1.8 (CVE-2010-0541)
+
+--
+
+ruby1.9 (CVE-2010-0541)
+
+--
+
squid (CVE-2009-0801)
#521053
notified maintainer
More information about the Secure-testing-commits
mailing list