[Secure-testing-commits] r14185 - in data: . CVE DSA

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Thu Mar 4 16:58:17 UTC 2010


Author: jmm-guest
Date: 2010-03-04 16:58:17 +0000 (Thu, 04 Mar 2010)
New Revision: 14185

Modified:
   data/CVE/list
   data/DSA/list
   data/spu-candidates.txt
Log:
- libpng no-dsa
- new moin issues fixed
- fix version for sudo NMU
- annotate the split for CVE-2009-3297 (splitting this several weeks after
  multiple issues have been released really sucks)
- asterisk design issue discussed with maintainers, no update planned
- fix typo in wordpress source package name
- flex fixed even before Lenny


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-03-04 09:14:35 UTC (rev 14184)
+++ data/CVE/list	2010-03-04 16:58:17 UTC (rev 14185)
@@ -71,13 +71,14 @@
 CVE-2010-0789 (fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local ...)
 	{DSA-1989-1}
 	- fuse 2.8.1-1.2 (bug #567633)
+	NOTE: Initial DSA released as CVE-2009-3297
 CVE-2010-0788 (ncpfs 2.2.6 allows local users to cause a denial of service, obtain ...)
-	- ncpfs <undetermined>
-	TODO: check
+	- ncpfs <unfixed>
 CVE-2010-0787 (client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, ...)
 	{DSA-2004-1}
 	- samba 2:3.4.5~dfsg-2 (bug #567554)
 	NOTE: https://bugzilla.samba.org/show_bug.cgi?id=6853
+	NOTE: Initial DSA released as CVE-2009-3297
 CVE-2010-0786
 	RESERVED
 CVE-2010-0785
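Review bot: the ncpfs entry for CVE-2010-0788 drops "TODO: check" and goes straight to "<unfixed>" without a bug number or a follow-up marker, while the ngircd entry in this same commit gets "TODO: File bug" for the same transition; add a matching "TODO: File bug" (or the bug number once filed) so the unfixed state is tracked. The new "NOTE: Initial DSA released as CVE-2009-3297" lines on the fuse and samba entries are useful, but since both CVEs now carry the same note, a few words on which component each split id covers would save the reader a trip to the DSA texts.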
@@ -204,8 +205,8 @@
 	- moin <undetermined>
 	TODO: check
 CVE-2009-4652 (The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in ...)
-	- ngircd <undetermined>
-	TODO: check
+	- ngircd <unfixed>
+	TODO: File bug
 CVE-2003-1590 (Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 6.0 SP3 ...)
 	NOT-FOR-US: Sun ONE Web Server
 CVE-2003-1589 (Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 4.1 ...)
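Review bot: the moin entry shown as context at the top of this hunk still reads "<undetermined>" with "TODO: check", while this commit marks three other moin CVEs fixed in 1.9.1-1 and 1.9.2-1; worth checking whether that remaining entry belongs to the same upstream release set so it does not stay undetermined by accident. The ngircd change to "<unfixed>" plus "TODO: File bug" is the right shape for an acknowledged but unfiled issue.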
@@ -297,14 +298,15 @@
 CVE-2010-0686
 	RESERVED
 CVE-2010-0685 (The design of the dialplan functionality in Asterisk Open Source ...)
-	- asterisk <undetermined>
-	TODO: check
+	- asterisk <unfixed>
+	[lenny] - asterisk <no-dsa> (Unfixable design issue, best practice docs need to be followed)
+	[squeeze] - asterisk <no-dsa> (Unfixable design issue, best practice docs need to be followed)
 CVE-2010-0684
 	RESERVED
 CVE-2010-0683 (Unspecified vulnerability in TIBRepoServer5.jar in TIBCO Administrator ...)
 	NOT-FOR-US: TIBCO Administrator
 CVE-2010-0682 (WordPress 2.9 before 2.9.2 allows remote authenticated users to read ...)
-	- wodpress <undetermined>
+	- wordpress <undetermined>
 	TODO: check
 CVE-2010-XXXX [http://downloads.digium.com/pub/security/AST-2010-003.pdf]
 	- asterisk <unfixed>
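Review bot: for CVE-2010-0685 the lenny and squeeze "<no-dsa>" lines give "Unfixable design issue, best practice docs need to be followed" as rationale, but the entry carries no NOTE recording the maintainer discussion the commit log mentions or a pointer to the best-practice documentation; a "NOTE:" line with that reference would let the decision be audited later without re-doing the discussion. The "wodpress" to "wordpress" spelling fix is correct; the entry otherwise stays "<undetermined>" with its "TODO: check", which is fine.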
@@ -336,14 +338,11 @@
 CVE-2010-0670 (Unspecified vulnerability in the IP-Tech JQuarks (com_jquarks) ...)
 	NOT-FOR-US: IP-Tech JQuarks (com_jquarks) Component
 CVE-2010-0669 (MoinMoin before 1.8.7 and 1.9.x before 1.9.2 does not properly ...)
-	- moin <undetermined>
-	TODO: check
+	- moin 1.9.2-1
 CVE-2010-0668 (Unspecified vulnerability in MoinMoin 1.5.x through 1.7.x, 1.8.x ...)
-	- moin <undetermined>
-	TODO: check
+	- moin 1.9.2-1
 CVE-2010-0667 (MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of ...)
-	- moin <undetermined>
-	TODO: check
+	- moin 1.9.1-1
 CVE-2010-0666 (Unspecified vulnerability in eMBox in Novell eDirectory 8.8 SP5 Patch ...)
 	NOT-FOR-US: Novell eDirectory
 CVE-2010-0665 (JAG (Just Another Guestbook) 1.14 stores sensitive information under ...)
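Review bot: the three moin entries now record fixed versions (1.9.2-1, 1.9.2-1, 1.9.1-1), which match the "before 1.9.2" and "1.9 before 1.9.1" ranges in the CVE texts, but none of them gets a "[lenny]" line, unlike the squid and libpng entries elsewhere in this commit. CVE-2010-0668 explicitly lists 1.5.x through 1.8.x as affected, so if lenny ships a moin in that range a "[lenny]" annotation (fixed version or "<no-dsa>" with a reason) is needed to make the stable status explicit.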
@@ -446,8 +445,10 @@
 CVE-2010-0640 (Cross-site scripting (XSS) vulnerability in CA eHealth Performance ...)
 	NOT-FOR-US: CA eHealth Performance Manager
 CVE-2010-0639 (The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0 ...)
-	- squid <undetermined>
-	TODO: check
+	- squid <unfixed>
+	[lenny] - squid <no-dsa> (Minor issue, only affects non-default setup)
+	- squid3 <unfixed>
+	[lenny] - squid3 <no-dsa> (Minor issue, only affects non-default setup)
 CVE-2010-0638 (Cross-site request forgery (CSRF) vulnerability in WebCalendar 1.2.0 ...)
 	- webcalendar <undetermined>
 	TODO: check
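Review bot: squid and squid3 both move to "<unfixed>" with a lenny "<no-dsa> (Minor issue, only affects non-default setup)", yet neither gets a bug number or a "TODO: File bug" as the ngircd entry does; unfixed-in-unstable without a tracking bug tends to be forgotten. A "NOTE:" line naming the non-default setting that triggers the htcp.c issue would also make the no-dsa rationale verifiable rather than just asserted.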
@@ -479,8 +480,7 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2010/02/12/2
 	NOTE: http://www.kde.org/info/security/advisory-2010-02-17-1.txt
 CVE-2010-0634 (Unspecified vulnerability in Fast Lexical Analyzer Generator (flex) ...)
-	- flex <undetermined>
-	TODO: check
+	- flex 2.5.35-1
 CVE-2010-0629
 	RESERVED
 CVE-2010-0628
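Review bot: the flex entry is resolved to the fixed version 2.5.35-1 with no "NOTE:" line, and the CVE text is only "Unspecified vulnerability"; since the commit log's "fixed even before Lenny" determination cannot be re-derived from the entry itself, a reference to the upstream changelog or bug that identifies the fix would make this auditable.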
@@ -1025,7 +1025,7 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2010/02/23/4
 CVE-2010-0426 (sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a ...)
 	{DSA-2006-1}
-	- sudo 1.7.2p1-1.1 (bug #570737)
+	- sudo 1.7.2p1-1.2 (bug #570737)
 	NOTE: http://www.openwall.com/lists/oss-security/2010/02/23/4
 CVE-2010-0425 [apache mod_isapi DoS]
 	RESERVED
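Review bot: the sudo fixed version moves from 1.7.2p1-1.1 to 1.7.2p1-1.2 while the DSA-2006-1 reference and bug #570737 stay the same; a short "NOTE:" explaining why the -1.1 NMU did not count as the fix (or that -1.2 is the upload that actually contains it) would stop a future reader from reverting this to the lower version.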
@@ -1764,7 +1764,8 @@
 	RESERVED
 CVE-2010-0205 [libpng memory consumption dos]
 	RESERVED
-	- libpng 1.2.43-1 (bug #572308)
+	- libpng 1.2.43-1 (low; bug #572308)
+	[lenny] - libpng <no-dsa> (Minor issue)
 	NOTE: http://www.kb.cert.org/vuls/id/576029
 CVE-2010-0204
 	RESERVED
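Review bot: the lenny "<no-dsa> (Minor issue)" rationale for libpng is thinner than the squid one in this same commit, and the CVE text in brackets ("memory consumption dos") already names the impact; spelling out why a memory-consumption denial of service is minor here helps. Since this commit also adds CVE-2010-0205 to spu-candidates.txt, the "[lenny]" line could say the fix is intended for a stable point release so the no-dsa and the SPU candidacy read consistently.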

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2010-03-04 09:14:35 UTC (rev 14184)
+++ data/DSA/list	2010-03-04 16:58:17 UTC (rev 14185)
@@ -10,6 +10,7 @@
 [28 Feb 2010] DSA-2004-1 samba - several vulnerabilities
 	{CVE-2010-0787 CVE-2010-0547}
 	[lenny] - samba 2:3.2.5-4lenny9
+	NOTE: Initial DSA released as CVE-2009-3297
 [22 Feb 2010] DSA-2003-1 linux-2.6 - several vulnerabilities
 	{CVE-2009-3080 CVE-2009-3726 CVE-2009-4005 CVE-2009-4020 CVE-2009-4021 CVE-2009-4536 CVE-2010-0007 CVE-2010-0410 CVE-2010-0415 CVE-2010-0622}
 	[etch] - linux-2.6 2.6.18.dfsg.1-26etch2
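Review bot: DSA-2004-1 covers two CVEs (CVE-2010-0787 and CVE-2010-0547), but the added "NOTE: Initial DSA released as CVE-2009-3297" does not say which of them the renamed id maps to; the CVE/list side of this commit attaches the note to CVE-2010-0787, so the DSA note should name that id explicitly.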
@@ -66,6 +67,7 @@
 	{CVE-2010-0789}
 	[etch] - fuse 2.5.3-4.4+etch1 
 	[lenny] - fuse 2.7.4-1.1+lenny1
+	NOTE: Used to be CVE-2009-3297
 [02 Feb 2010] DSA-1988-1 qt4-x11 - several vulnerabilities
 	{CVE-2009-0945 CVE-2009-1687 CVE-2009-1690 CVE-2009-1698 CVE-2009-1699 CVE-2009-1711 CVE-2009-1712 CVE-2009-1713 CVE-2009-1725 CVE-2009-2700}
 	[lenny] - qt4-x11 4.4.3-1+lenny1
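Review bot: this hunk phrases the same fact as "NOTE: Used to be CVE-2009-3297" while the DSA-2004-1 hunk above and both CVE/list entries use "Initial DSA released as CVE-2009-3297"; pick one wording for the split so a grep for the old id turns up all four places with a consistent explanation.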

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2010-03-04 09:14:35 UTC (rev 14184)
+++ data/spu-candidates.txt	2010-03-04 16:58:17 UTC (rev 14185)
@@ -183,6 +183,9 @@
 #533676
 notified maintainer
 
+CVE-2010-0205
+#572308
+
 --
 
 libsndfile
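Review bot: the neighbouring spu-candidates.txt entry shown as context carries a status line ("notified maintainer") after its bug number, but the added CVE-2010-0205 / #572308 block has none; a status line (for example whether the maintainer has been contacted about the lenny update) would keep the file's entries uniform.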
