[Secure-testing-commits] r14797 - data/CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Fri Jun 4 17:30:44 UTC 2010 

Author: jmm-guest
Date: 2010-06-04 17:30:30 +0000 (Fri, 04 Jun 2010)
New Revision: 14797

Modified:
   data/CVE/list
Log:
"Unfixed in sid" cleanup:

- aircrack-ng, shibboleth-sp2 fixed
- asterisk design issue fixed by documenting best practices
- remove duped asterisk entry, already tracked as CVE-2010-2214
- marking fcron as unimportant, limited by system groups
- mark two older Mozilla issues as unimportant; the impact is
  negligable
- kdegraphics from KDE 4.4 uses Okular which links dynamically
  against poppler
- linux-ftpd not-affected


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-06-04 15:13:34 UTC (rev 14796)
+++ data/CVE/list	2010-06-04 17:30:30 UTC (rev 14797)
@@ -2205,7 +2205,7 @@
 	NOTE: http://git.kernel.org/linus/b525c06cdbd8a3963f0173ccd23f9147d4c384b5
 CVE-2010-1159 [aircrack-ng EAPOL buffer overflow]
 	RESERVED
-	- aircrack-ng <unfixed> (low; bug #577758)
+	- aircrack-ng 1:1.1-1 (low; bug #577758)
 	[lenny] - aircrack-ng <no-dsa> (low)
 	[etch] - aircrack-ng <no-dsa> (low)
 	NOTE: http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py
@@ -3517,7 +3517,7 @@
 CVE-2010-XXXX [irssi emote leak]
 	- irssi-plugin-otr <unfixed> (unimportant; bug #569506)
 CVE-2010-XXXX [shibboleth-sp2: world-readable key]
-	- shibboleth-sp2 <unfixed> (low; bug #571631)
+	- shibboleth-sp2 2.3.1+dfsg-2 (low; bug #571631)
 	[lenny] - shibboleth-sp2 <no-dsa> (Minor issue)
 	- shibboleth-sp <not-affected> (Vulnerable code not present)
 CVE-2010-1192 (libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' ...)
@@ -3539,8 +3539,7 @@
 	[lenny] - drupal6 6.6-3lenny5
 	NOTE: http://drupal.org/node/731710
 CVE-2010-XXXX [linux-ftpd: null ptr dereference]
-	- linux-ftpd <unfixed> (low; bug #572813)
-	[lenny] - linux-ftpd <no-dsa> (Minor issue)
+	- linux-ftpd <not-affected> (Performs proper length checks, see #572813)
 CVE-2010-0824
 	RESERVED
 CVE-2010-0823
@@ -3607,9 +3606,9 @@
 	{DSA-2049-1}
 	- barnowl 1.5.1-1 (bug #574418)
 CVE-2010-0792 (fcrontab in fcron before 3.0.5 allows local users to read arbitrary ...)
-	- fcron <unfixed> (low; bug #572587)
-	[lenny] - fcron <no-dsa> (Minor issue)
-	NOTE: http://seclists.org/fulldisclosure/2010/Mar/97
+	- fcron <unfixed> (unimportant; bug #572587)
+	NOTE: On Debian runs suid/sgid fcron and the issue is limited to the exposure
+	NOTE: of the content of crontabs
 CVE-2010-0791 (The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs ...)
 	- ncpfs 2.2.6-7 (bug #572937)
 	[lenny] - ncpfs <no-dsa> (Minor issue)
@@ -3876,7 +3875,8 @@
 CVE-2010-0686 (WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server 2.0, ...)
 	NOT-FOR-US: VMware Server
 CVE-2010-0685 (The design of the dialplan functionality in Asterisk Open Source ...)
-	- asterisk <unfixed>
+	- asterisk 1:1.6.2.6-1
+	NOTE: Design limitation documented in that version
 	[lenny] - asterisk <no-dsa> (Unfixable design issue, best practice docs need to be followed)
 	[squeeze] - asterisk <no-dsa> (Unfixable design issue, best practice docs need to be followed)
 CVE-2010-0684 (Cross-site scripting (XSS) vulnerability in createDestination.action ...)
@@ -3886,9 +3886,6 @@
 CVE-2010-0682 (WordPress 2.9 before 2.9.2 allows remote authenticated users to read ...)
 	- wordpress 2.9.2-1 (low)
 	[lenny] - wordpress <not-affected> (Only affects Wordpress >= 2.9)
-CVE-2010-XXXX [http://downloads.digium.com/pub/security/AST-2010-003.pdf]
-	- asterisk <unfixed>
-	[lenny] - asterisk <not-affected> (Only affects Asterisk 1.6)
 CVE-2010-XXXX [multiple typo issues]
 	- typo3-src 4.3.2-1 (bug #571151)
 	[lenny] - typo3-src 4.2.5-1+lenny3
@@ -4732,14 +4729,12 @@
 	[lenny] - iceape <not-affected> (dns prefetching implemented in xulrunner 1.9.1)
 	NOTE: mozilla's dns prefetching leads to disclosure of the user's network location
 CVE-2009-4629 (Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other ...)
-	- icedove 3.0.2-1 (low)
+	- icedove 3.0.2-1 (unimportant)
 	[etch] - icedove <not-affected> (dns prefetching implemented in xulrunner 1.9.1)
 	[lenny] - icedove <not-affected> (dns prefetching implemented in xulrunner 1.9.1)
-	- iceape <unfixed> (low)
+	- iceape <unfixed> (unimportant)
 	[etch] - iceape <not-affected> (dns prefetching implemented in xulrunner 1.9.1)
 	[lenny] - iceape <not-affected> (dns prefetching implemented in xulrunner 1.9.1)
-	NOTE: mozilla's dns prefetching leads to disclosure of the user's network location
-	TODO: this may be unimportant since mozilla has chosen to ignore the issue
 CVE-2005-4885 (Unspecified vulnerability on certain Sun StorEdge 6130 (SE6130) ...)
 	NOT-FOR-US: Sun StorEdge 6130
 CVE-2004-2766 (Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging Server ...)
@@ -20743,9 +20738,8 @@
 CVE-2008-5914 (An unspecified function in the JavaScript implementation in Apple ...)
 	NOT-FOR-US: Apple
 CVE-2008-5913 (An unspecified function in the JavaScript implementation in Mozilla ...)
-	- xulrunner <unfixed> (low; bug #559792)
-	[lenny] - xulrunner <no-dsa> (Minor issue)
-	- iceape <unfixed>
+	- xulrunner <unfixed> (unimportant; bug #559792)
+	- iceape <unfixed> (unimportant)
 	[lenny] - iceape <not-affected> (Just a stub package)
 	NOTE: fixed upstream https://bugzilla.mozilla.org/show_bug.cgi?id=cve-2008-5913
 	TODO: check next set of MFSA's
@@ -20786,7 +20780,7 @@
 	{DSA-1793-1 DSA-1790-1}
 	- xpdf 3.02-1.4+lenny1 (low; bug #524809)
 	[squeeze] - xpdf 3.02-1.4+lenny1
-	- kdegraphics <unfixed> (low; bug #528369)
+	- kdegraphics 4:4.0 (low; bug #528369)
 CVE-2009-0164 (The web interface for CUPS before 1.3.10 does not validate the HTTP ...)
 	- cups 1.3.10-1 (low)
 	[lenny] - cups <no-dsa> (Minor issue, needs several prerequirements for attack)

More information about the Secure-testing-commits mailing list