[Secure-testing-commits] r14834 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Wed Jun 9 16:50:54 UTC 2010


Author: jmm-guest
Date: 2010-06-09 16:50:43 +0000 (Wed, 09 Jun 2010)
New Revision: 14834

Modified:
   data/CVE/list
   data/embedded-code-copies
   data/mops.txt
Log:
- re-add bug number to kfreebsd entry
- xmail no-dsa
- pyfits code copy of zlib fixed
- more MOPS assignments
- NFUs
- new kernel issue
- new issues in emesene and beanstalkd


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-06-08 21:14:16 UTC (rev 14833)
+++ data/CVE/list	2010-06-09 16:50:43 UTC (rev 14834)
@@ -9,9 +9,11 @@
 CVE-2010-2192
 	RESERVED
 CVE-2010-2191 (The (1) parse_str, (2) preg_match, (3) unpack, and (4) pack functions; ...)
-	TODO: check
+	- php5 <unfixed> (unimportant)
+	NOTE: Only triggerable through malicious script
 CVE-2010-2190 (The (1) trim, (2) ltrim, (3) rtrim, and (4) substr_replace functions ...)
-	TODO: check
+	- php5 <unfixed> (unimportant)
+	NOTE: Only triggerable through malicious script
 CVE-2010-2189
 	RESERVED
 CVE-2010-2188
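Review bot: The NOTE wording on the two php5 entries ("Only triggerable through malicious script") differs from the phrase used for the same issues in data/mops.txt in this commit ("Only triggerable by malicious script"). Use one wording in both files so a single grep finds every entry triaged on this basis.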
@@ -73,11 +75,11 @@
 CVE-2010-2160
 	RESERVED
 CVE-2010-2159 (Dameng DM Database Server allows remote authenticated users to cause a ...)
-	TODO: check
+	NOT-FOR-US: Dameng DM Database
 CVE-2010-2158 (Multiple cross-site scripting (XSS) vulnerabilities in the Storm ...)
-	TODO: check
+	NOT-FOR-US: Storm module for Drupal
 CVE-2010-2157 (Unspecified vulnerability in CA ARCserve Backup r11.5 SP4, r12.0 SP2, ...)
-	TODO: check
+	NOT-FOR-US: CA ARCserve
 CVE-2010-2156 (ISC DHCP 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1 allows remote ...)
 	- isc-dhcp 4.1.1-P1-1
 	- dhcp3 <not-affected> (Only affects DHCP 4.x)
@@ -305,6 +307,8 @@
 	RESERVED
 CVE-2010-2066
 	RESERVED
+	- linux-2.6 <unfixed>
+	[lenny] - linux-2.6 <not-affected> (Vulnerable code introduced in 2.6.31)
 CVE-2010-2065
 	RESERVED
 CVE-2010-2064
@@ -325,7 +329,10 @@
 CVE-2010-2061
 	RESERVED
 CVE-2010-2060 (The put command functionality in beanstalkd 1.4.5 and earlier allows ...)
-	TODO: check
+	- beanstalkd <unfixed>
+	NOTE: Package description reads: "Beanstalkd is meant to be ran in a trusted network,
+	NOTE: "as it has no authorisation/authentication mechanisms". So this is likely a non-issue
+	TODO: File bug
 CVE-2010-2059
 	RESERVED
 CVE-2010-2058 (setup.py in Prewikka 0.9.14 installs prewikka.conf with world-readable ...)
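Review bot: The quotation in the two beanstalkd NOTE lines is unbalanced: a quote is opened on the first line and opened again at the start of the second, so it is unclear where the package description ends and the triage comment begins. The entry is also left as plain <unfixed> with "TODO: File bug" while the NOTE concludes "likely a non-issue"; either mark it (unimportant) to match that conclusion or drop the conclusion until the bug is filed.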
@@ -339,7 +346,8 @@
 CVE-2010-2054
 	RESERVED
 CVE-2010-2053 (emesenelib/ProfileManager.py in emesene before 1.6.2 allows local ...)
-	TODO: check
+	- emesene 1.6.2-1 (low)
+	[lenny] - emesene <not-affected> (Introduced in 1.6.1) 
 CVE-2010-2052
 	REJECTED
 CVE-2010-2051 (SQL injection vulnerability in article.php in Debliteck DBCart allows ...)
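Review bot: The added [lenny] emesene line ends in a trailing space after "(Introduced in 1.6.1)". Strip it so the list stays clean for line-based parsing and later diffs.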
@@ -403,9 +411,9 @@
 	- exim4 <unfixed> (low)
 	NOTE: Fixed in experimental, both seem no-dsa, but should be checked with maintainers
 CVE-2010-2022 (jail.c in jail in FreeBSD 8.0 and 8.1-PRERELEASE, when the &quot;-l -U ...)
-	- kfreebsd-6 <removed>
-	- kfreebsd-7 <not-affected>
-	- kfreebsd-8 <not-affected>
+	- kfreebsd-6 <not-affected> (jail binary not yet provided, see bug #584930)
+	- kfreebsd-7 <not-affected> (jail binary not yet provided, see bug #584930)
+	- kfreebsd-8 <not-affected> (jail binary not yet provided, see bug #584930)
 CVE-2010-2021
 	RESERVED
 CVE-2010-2020 (sys/nfsclient/nfs_vfsops.c in the NFS client in the kernel in FreeBSD ...)
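Review bot: The kfreebsd-6 line changes state from <removed> to <not-affected>, which is more than the logged "readd bugnumber to kfreebsd entry" and drops the record that the package was removed. Please confirm the state change is intended; if it is, mention it in the log, otherwise keep <removed> and put the bug #584930 reference in a NOTE line.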
@@ -542,9 +550,9 @@
 CVE-2010-1964
 	RESERVED
 CVE-2010-1963 (Cross-site scripting (XSS) vulnerability in HP ServiceCenter allows ...)
-	TODO: check
+	NOT-FOR-US: HP ServiceCenter
 CVE-2010-1962 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 ...)
-	TODO: check
+	NOT-FOR-US: HP StorageWorks 
 CVE-2010-1961
 	RESERVED
 CVE-2010-1960
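Review bot: The added "NOT-FOR-US: HP StorageWorks " line for CVE-2010-1962 has a trailing space. Remove it; naming the product as in the description ("HP StorageWorks Storage Mirroring") would also make the entry easier to match later.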
@@ -651,7 +659,7 @@
 CVE-2010-1905 (Multiple cross-site scripting (XSS) vulnerabilities in Consona Live ...)
 	NOT-FOR-US: Consona
 CVE-2010-1904 (SQL injection vulnerability in EMC RSA Key Manager Client 1.5.x allows ...)
-	TODO: check
+	NOT-FOR-US: EMC RSA key manager
 CVE-2010-1903
 	RESERVED
 CVE-2010-1902
@@ -1275,7 +1283,7 @@
 CVE-2010-1650 (IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 6.1.x ...)
 	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2010-1649 (Multiple cross-site scripting (XSS) vulnerabilities in the back end in ...)
-	TODO: check
+	NOT-FOR-US: Joomla
 CVE-2010-1648 (Cross-site request forgery (CSRF) vulnerability in the login interface ...)
 	- mediawiki <unfixed>
 	NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2010-May/000091.html
@@ -2364,7 +2372,8 @@
 	NOTE: http://seclists.org/fulldisclosure/2010/Apr/104
 	NOTE: setting K_TCPDF_CALLS_IN_HTML to false mitigates the problem
 CVE-2010-XXXX [xmail insecure temp files handling]
-	- xmail 1.27-1
+	- xmail 1.27-1 (low)
+	[lenny] - xmail <no-dsa> (Minor issue)
 	NOTE: http://www.xmailserver.org/ChangeLog.html#feb_25__2010_v_1_27
 CVE-2010-XXXX [dovecot wrong Mail dir permissions]
 	- dovecot 1:1.2.11-1 (low)

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2010-06-08 21:14:16 UTC (rev 14833)
+++ data/embedded-code-copies	2010-06-09 16:50:43 UTC (rev 14834)
@@ -108,6 +108,7 @@
 	- tra <unfixed>
 	- sash <unfixed>
 	- nsis <unfixed>
+	- pyfits 1:2.3.1-1
 	- mseide-msegui <unfixed>
 	NOTE: mseide
 	- mirrordir <unfixed>
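Review bot: pyfits appears here as a new line with a fixed version rather than as a change to an existing <unfixed> line, so the file carries no record of which versions embedded the copy or how 1:2.3.1-1 resolved it. A NOTE line under the entry stating what changed would let someone verify the fix without rebuilding the package.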

Modified: data/mops.txt
===================================================================
--- data/mops.txt	2010-06-08 21:14:16 UTC (rev 14833)
+++ data/mops.txt	2010-06-09 16:50:43 UTC (rev 14834)
@@ -46,15 +46,15 @@
 044: CVE-2010-2101; Only triggerable by malicious script
 045: CVE-2010-2101; Only triggerable by malicious script
 046: CVE-2010-2101; Only triggerable by malicious script
-047: No CVE yet; Only triggerable by malicious script
-048: No CVE yet; Only triggerable by malicious script
-049: No CVE yet; Only triggerable by malicious script
-050: No CVE yet; Only triggerable by malicious script
-051: No CVE yet; Only triggerable by malicious script
-052: No CVE yet; Only triggerable by malicious script
-053: No CVE yet; Only triggerable by malicious script
-054: No CVE yet; Only triggerable by malicious script
-055: No CVE yet; Only triggerable by malicious script
+047: CVE-2010-2190; Only triggerable by malicious script
+048: CVE-2010-2190; Only triggerable by malicious script
+049: CVE-2010-2191; Only triggerable by malicious script
+050: CVE-2010-2191; Only triggerable by malicious script
+051: CVE-2010-2191; Only triggerable by malicious script
+052: CVE-2010-2191; Only triggerable by malicious script
+053: CVE-2010-2191; Only triggerable by malicious script
+054: CVE-2010-2191; Only triggerable by malicious script
+055: CVE-2010-2191; Only triggerable by malicious script
 056: No CVE yet; Does not affect Lenny; should be fixed in unstable
 057: No CVE yet; Does not affect Lenny; should be fixed in unstable
 058: No CVE yet; Does not affect Lenny; should be fixed in unstable
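Review bot: The mapping of 047-048 to CVE-2010-2190 and 049-055 to CVE-2010-2191 is recorded only in this file; the matching data/CVE/list entries changed in this commit carry no MOPS reference. Add a NOTE with the MOPS numbers to each of those two CVE entries so the assignment can be checked from either side.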



