[Secure-testing-commits] r14966 - data/CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Tue Jul 6 20:31:17 UTC 2010


Author: jmm-guest
Date: 2010-07-06 20:31:16 +0000 (Tue, 06 Jul 2010)
New Revision: 14966

Modified:
   data/CVE/list
Log:
- bugnums
- new tiff issue doesn't affect Lenny, still unfixed in 3.9.4 according
  to Red Hat bugzilla
- bogofilter fixed
- older typo3 issue a non-issue, pinged MITRE for rejection


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-07-06 16:03:38 UTC (rev 14965)
+++ data/CVE/list	2010-07-06 20:31:16 UTC (rev 14966)
@@ -1,5 +1,5 @@
 CVE-2010-XXXX [bogofilter]
-	- bogofilter <unfixed> (low; bug #588090)
+	- bogofilter 1.2.1-3 (low; bug #588090)
 CVE-2010-XXXX [l2tp oops]
 	- linux-2.6 <unfixed>
 	[lenny] - linux-2.6 <not-affected> (vulnerability introduced in 2.6.29)
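Review bot: The bogofilter entry in the first hunk records the unstable fix (1.2.1-3) but carries no `[lenny]` line, so the stable status for this issue stays undetermined; the l2tp entry directly below shows the expected shape (`[lenny] - linux-2.6 <not-affected> (...)`). Add a `[lenny]` line (not-affected, no-dsa or a fix version) so the bug #588090 reference is complete, and note that the entry still sits under a `CVE-2010-XXXX` placeholder that will need reconciling once an id is assigned.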
@@ -934,7 +934,8 @@
 CVE-2010-2234
 	RESERVED
 CVE-2010-2233 (tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used ...)
-	- tiff 3.9.4-1 (low)
+	- tiff <unfixed>
+	[lenny] - tiff <not-affected> (Only affects 3.9.x)
 CVE-2010-2232
 	RESERVED
 CVE-2010-2231 (Cross-site request forgery (CSRF) vulnerability in ...)
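Review bot: The reason for reverting tiff from `3.9.4-1 (low)` to `<unfixed>` exists only in the commit log (still unfixed in 3.9.4 per Red Hat bugzilla) and not in the data file, so a later reader of the list cannot tell why 3.9.4-1 was dropped. Add a `NOTE:` line under CVE-2010-2233 pointing at the Red Hat bugzilla reference; the new `[lenny] - tiff <not-affected> (Only affects 3.9.x)` line is consistent with the description ("LibTIFF 3.9.0 and 3.9.2"), but the "low" severity marker was also lost in the change and should probably be kept on the `<unfixed>` line.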
@@ -1455,10 +1456,10 @@
 	NOT-FOR-US: Cisco
 CVE-2010-2024 (transports/appendfile.c in Exim before 4.72, when MBX locking is ...)
 	- exim4 4.72-1 (low)
-	NOTE: Fixed in experimental, both seem no-dsa, but should be checked with maintainers
+	NOTE: seems no-dsa, but should be checked with maintainers
 CVE-2010-2023 (transports/appendfile.c in Exim before 4.72, when a world-writable ...)
 	- exim4 4.72-1 (low)
-	NOTE: Fixed in experimental, both seem no-dsa, but should be checked with maintainers
+	NOTE: seems no-dsa, but should be checked with maintainers
 CVE-2010-2022 (jail.c in jail in FreeBSD 8.0 and 8.1-PRERELEASE, when the &quot;-l -U ...)
 	- kfreebsd-6 <not-affected> (jail binary not yet provided, see bug #584930)
 	- kfreebsd-7 <not-affected> (jail binary not yet provided, see bug #584930)
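Review bot: Both exim4 entries (CVE-2010-2024 and CVE-2010-2023) now end with "should be checked with maintainers", an open action with no tracking reference, unlike the other entries in this commit that cite a bug number. Either record the bug filed against exim4 in the NOTE, or replace the free-text reminder with the `<no-dsa>` marker once the maintainer check is done; as written the two identical NOTE lines will silently go stale.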
@@ -1875,9 +1876,8 @@
 CVE-2009-4856 (Cross-site scripting (XSS) vulnerability in subitems.php in PHP Easy ...)
 	NOT-FOR-US: PHP Easy Shopping Cart
 CVE-2009-4855 (SQL injection vulnerability in index.php in TYPO3 4.0 allows remote ...)
-	- typo3-src 4.2.5-1+lenny3
-	NOTE: I have no idea when this was fixed, 4.2.5-1+lenny3 is the version currently in lenny
-	NOTE: which is not affected by this bug
+	NOT-FOR-US: Bogus issue claimed for typo3
+	NOTE: See http://secure.t3sec.info/blog/post/2009/08/06/typo3-cms-40-showuid-exploit-not-a-vulnerability/4.2.5-1+lenny3
 CVE-2009-4854 (addons/import.php in TalkBack 2.3.14 allows remote attackers to ...)
 	NOT-FOR-US: TalkBack
 CVE-2009-4853 (Multiple cross-site scripting (XSS) vulnerabilities in JumpBox before ...)
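Review bot: The new NOTE URL for CVE-2009-4855 ends in `.../not-a-vulnerability/4.2.5-1+lenny3`, which looks like the version string from the removed line was left attached to the link; the blog path should stop at `.../typo3-cms-40-showuid-exploit-not-a-vulnerability/`. Also, since the log says MITRE was pinged for rejection, consider adding a NOTE recording that request so the `NOT-FOR-US` marker can be switched to REJECTED when the id is withdrawn.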
@@ -2249,7 +2249,7 @@
 CVE-2009-4840 (Heap-based buffer overflow in the IAManager ActiveX control in ...)
 	NOT-FOR-US: Roxio CinePlayer
 CVE-2009-4839 (Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis ...)
-	- acidbase 1.4.5-1 (bug filed)
+	- acidbase 1.4.5-1 (bug #587819)
 	[lenny] - acidbase <no-dsa> (Minor issue)
 CVE-2009-4838 (SQL injection vulnerability in base_ag_common.php in Basic Analysis ...)
 	- acidbase 1.4.4-1 (low)
@@ -5178,10 +5178,10 @@
 	[lenny] - policykit <not-affected> (pkexec introduced in 0.92)
 CVE-2010-0749
 	RESERVED
-	- transmission 1.92-1 (unimportant; bug filed)
+	- transmission 1.92-1 (unimportant; bug #574507)
 CVE-2010-0748 [transmission magnet links parser buffer overflow]
 	RESERVED
-	- transmission 1.92-1 (medium; bug filed)
+	- transmission 1.92-1 (medium; bug #574507)
 	[lenny] - transmission <not-affected> (Support for Magnet links not yet available)
 CVE-2010-0746 [DeviceKit privilege escalation via pluggable storage device labels]
 	RESERVED
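Review bot: CVE-2010-0749 and CVE-2010-0748 now both point at the same bug #574507 while carrying different severities (unimportant vs medium); if that single bug report covers both transmission issues, a short NOTE saying so would prevent a reader from assuming one of the references is a copy-paste error. The remaining `RESERVED` lines above the package entries are unchanged and still need the descriptions filled in when MITRE publishes them.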