[Secure-testing-commits] r14935 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Wed Jun 30 17:25:29 UTC 2010


Author: jmm-guest
Date: 2010-06-30 17:25:28 +0000 (Wed, 30 Jun 2010)
New Revision: 14935

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
- three new bugzilla issues, two not-affected, one no-dsa
- new minor xulrunner issue, one xulrunner issue not-affected
- Fix openjdk srcpkg name
- remove a few old undetermined entries for webkit copies for now,
  we won't be able to realistically triage/support them if
  this isn't even done upstream


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-06-30 17:01:54 UTC (rev 14934)
+++ data/CVE/list	2010-06-30 17:25:28 UTC (rev 14935)
@@ -98,7 +98,7 @@
 CVE-2010-2471
 	RESERVED
 CVE-2010-2470 (Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7 through ...)
-	- bugzilla <undetermined>
+	- bugzilla <not-affected> (Only affects 3.5 to 3.7)
 CVE-2010-XXXX [syscp open_basedir bypassing]
 	- syscp <unfixed> (bug #587481)
 	NOTE: CVE id requested on oss-sec
@@ -411,7 +411,7 @@
 CVE-2010-2322 (Absolute path traversal vulnerability in the extract_jar function in ...)
 	- fastjar 2:0.98-3 (low)
 	[lenny] - fastjar <no-dsa> (Minor issue)
-	- openjdk <undetermined>
+	- openjdk-6 <undetermined>
 CVE-2010-2321 (Buffer overflow in Adobe InDesign CS3 10.0 allows user-assisted remote ...)
 	NOT-FOR-US: Adobe InDesign
 CVE-2009-4902 (Buffer overflow in the MSGFunctionDemarshall function in ...)
@@ -634,9 +634,8 @@
 CVE-2010-2249 [memory leak in libpng]
 	RESERVED
 	- libpng <unfixed> (low)
-	- freeimage <undetermined>
-	- tuxonice-userui <unfixed>
-	TODO: check
+	- freeimage <undetermined> (unimportant)
+	- tuxonice-userui <unfixed> (unimportant)
 	TODO: binNMU tuxonice-userui once libpng is fixed
 CVE-2010-2248 [os/2 smb issue]
 	RESERVED
@@ -1445,7 +1444,7 @@
 CVE-2010-1930 (Off-by-one error in Novell iManager 2.7, 2.7.3, and 2.7.3 FTF2 allows ...)
 	NOT-FOR-US: Novell iManager
 CVE-2010-1929 (Multiple stack-based buffer overflows in the ...)
-	TODO: check
+	NOT-FOR-US: Novell iImanager
 CVE-2010-1919 (Unspecified vulnerability in EMC Avamar 4.1.x and 5.0 before SP1 ...)
 	NOT-FOR-US: EMC
 CVE-2010-1913 (The default configuration of pluginlicense.ini for the ...)
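Review bot: typo in the new line for CVE-2010-1929: `NOT-FOR-US: Novell iImanager` should read `NOT-FOR-US: Novell iManager`, matching the spelling used for CVE-2010-1930 directly above it.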
@@ -3468,9 +3467,6 @@
 	NOT-FOR-US: Novell NetWare
 CVE-2010-1237 (Google Chrome 4.1 BETA before 4.1.249.1036 allows remote attackers to ...)
 	- webkit 1.1.90-1
-	- kdelibs <undetermined>
-	- kde4libs <undetermined>
-	- qt4-x11 <undetermined>
 	- chromium-browser 5.0.375.29~r46008-1
 	NOTE: http://trac.webkit.org/changeset/55511
 	NOTE: evidence of memory corruption http://code.google.com/p/chromium/issues/detail?id=37061
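Review bot: the kdelibs/kde4libs/qt4-x11 lines for CVE-2010-1237 are removed without any trace of why, so a later reader of the list will not know these embedded webkit copies were considered and deliberately dropped rather than overlooked. The rationale in the commit message (not realistically triageable while upstream does not do it) would be worth preserving as a NOTE line here, or in one place for all the webkit-copy entries touched in this revision.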
@@ -3491,9 +3487,6 @@
 	TODO: recheck as newer webkits get uploaded
 CVE-2010-1232 (Google Chrome before 4.1.249.1036 allows remote attackers to cause a ...)
 	- webkit 1.1.90-1
-	- kdelibs <undetermined>
-	- kde4libs <undetermined>
-	- qt4-x11 <undetermined>
 	- chromium-browser 5.0.375.29~r46008-1
 	NOTE: http://code.google.com/p/chromium/issues/detail?id=34978
 CVE-2010-1231 (Google Chrome before 4.1.249.1036 processes HTTP headers before ...)
@@ -3554,16 +3547,17 @@
 CVE-2010-1207
 	RESERVED
 CVE-2010-1206 (The startDocumentLoad function in browser/base/content/browser.js in ...)
-	TODO: check
+	- xulrunner <unfixed> (low)
+	NOTE: Scheduled for next round of Firefox updates (20th July)
 CVE-2010-1205 [memory write out of bounds]
 	RESERVED
 	- libpng <unfixed>
-	- freeimage <undetermined>
-	- tuxonice-userui <unfixed>
-	TODO: check
+	- freeimage <undetermined> 
+	- tuxonice-userui <unfixed> 
 	TODO: binNMU tuxonice-userui once libpng is fixed
 CVE-2010-1204 (Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 ...)
-	- bugzilla <undetermined>
+	- bugzilla <unfixed> (low; bug filed)
+	[lenny] - bugzilla <no-dsa> (Minor issue)
 CVE-2010-1203 (The JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4 allow ...)
 	- xulrunner <not-affected> (Only affects Firefox 3.6, i.e xulrunner 1.9.2)
 CVE-2010-1202 (Multiple unspecified vulnerabilities in the JavaScript engine in ...)
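Review bot: the new `- freeimage <undetermined> ` and `- tuxonice-userui <unfixed> ` lines for CVE-2010-1205 carry trailing whitespace, and unlike the matching CVE-2010-2249 hunk they drop `TODO: check` without recording a severity or resolving freeimage, so the two libpng entries are now inconsistent with each other. For CVE-2010-1204, `- bugzilla <unfixed> (low; bug filed)` gives no bug number, while entries elsewhere in the file use the `(bug #NNNNNN)` form (e.g. `- syscp <unfixed> (bug #587481)`); adding the number would let the tracker link the report.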
@@ -3626,15 +3620,9 @@
 	NOT-FOR-US: IBM WebSphere Application Server 
 CVE-2010-1181 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...)
 	- webkit <unfixed> (unimportant; bug #578982)
-	- qt4-x11 <undetermined> (unimportant)
-	- kdebase <undetermined> (unimportant)
-	- kde4libs <undetermined> (unimportant)
 	NOTE: proof of concept maximum impact against webkit is dos-only
 CVE-2010-1180 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...)
 	- webkit <unfixed> (unimportant; bug #578982)
-	- qt4-x11 <undetermined> (unimportant)
-	- kdebase <undetermined> (unimportant)
-	- kde4libs <undetermined> (unimportant)
 	NOTE: proof of concept maximum impact against webkit is dos-only
 CVE-2010-1179 (Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers ...)
 	- webkit <not-affected>
@@ -3773,9 +3761,6 @@
 	NOT-FOR-US: TikiWiki
 CVE-2010-1131 (JavaScriptCore.dll, as used in Apple Safari 4.0.5 on Windows XP SP3, ...)
 	- webkit <undetermined> (unimportant)
-	- kdelibs <undetermined> (unimportant)
-	- kde4libs <undetermined> (unimportant)
-	- qt4-x11 <undetermined> (unimportant)
 	NOTE: browser crashes are not considered security-relevant
 CVE-2010-1130 (session.c in the session extension in PHP before 5.2.13, and 5.3.1, ...)
 	- php5 5.3.2-1 (unimportant)
@@ -3836,12 +3821,8 @@
 	[lenny] - rbot <not-affected> ("reaction" plugin not present in 0.9.10)
 	[etch] - rbot <not-affected> ("reaction" plugin not present in 0.9.10)
 CVE-2010-1122 (Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.8 ...)
-	- xulrunner <undetermined>
-	- iceape <undetermined>
-	[lenny] - iceape <not-affected> (stub package)
-	NOTE: no details available, and bug report linked from CVE page is for CVE-2010-1028
-	NOTE: text says that the problem is similar to that, but affecting firefox 3.5
-	TODO: check 
+	- xulrunner <not-affected> (Only affects the Firefox 3.6 branch)
+	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=552216
 CVE-2010-1121 (Mozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes ...)
 	- xulrunner <not-affected> (vulnerable code introduced in firefox 3.6)
 	- iceape <not-affected> (vulnerable code introduced in firefox 3.6)
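Review bot: the `- iceape <undetermined>` and `[lenny] - iceape <not-affected> (stub package)` lines for CVE-2010-1122 are removed rather than resolved, so iceape no longer appears in the entry at all. Since the new rationale is that only the Firefox 3.6 branch is affected, the entry directly below for CVE-2010-1121 shows the expected shape: keep an explicit `- iceape <not-affected> (Only affects the Firefox 3.6 branch)` line so the decision is recorded instead of implied by absence.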
@@ -6669,7 +6650,7 @@
 	- iceape 2.0.4-1
 	[lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-0180 (Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when ...)
-	- bugzilla <undetermined>
+	- bugzilla <not-affected> (Only affects 3.5 to 3.7)
 CVE-2010-0179 (Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and SeaMonkey ...)
 	{DSA-2027-1}
 	- xulrunner 1.9.1.9-1

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2010-06-30 17:01:54 UTC (rev 14934)
+++ data/spu-candidates.txt	2010-06-30 17:25:28 UTC (rev 14935)
@@ -48,6 +48,9 @@
 bugzilla (CVE-2009-0481 to CVE-2009-0485)
 notified maintainer
 
+CVE-2010-1204
+notified maintainer through initial bugreport
+
 --
 
 buildbot (CVE-2009-2959, CVE-2009-2967)
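Review bot: the added spu-candidates entry `CVE-2010-1204` omits the source package name, while every neighbouring entry uses the `package (CVE list)` form (e.g. `bugzilla (CVE-2009-0481 to CVE-2009-0485)`, `buildbot (CVE-2009-2959, CVE-2009-2967)`). Writing it as `bugzilla (CVE-2010-1204)` keeps the file greppable by package.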

