[Secure-testing-commits] r14201 - in data: . CVE
Michael Gilbert
gilbert-guest at alioth.debian.org
Sat Mar 6 21:55:31 UTC 2010
Author: gilbert-guest
Date: 2010-03-06 21:55:31 +0000 (Sat, 06 Mar 2010)
New Revision: 14201
Modified:
data/CVE/list
data/embedded-code-copies
Log:
various updates
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-03-06 21:55:21 UTC (rev 14200)
+++ data/CVE/list 2010-03-06 21:55:31 UTC (rev 14201)
@@ -43,8 +43,10 @@
CVE-2010-0924 (cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 ...)
NOT-FOR-US: Apple Safari
CVE-2010-0923 (Race condition in workspace/krunner/lock/lockdlg.cc in the KRunner ...)
- - kdebase <not-affected> (only version 4.4.0 is affected, not present in Debian)
- NOTE: version 4.4.1 is ready, check if 4.4.0 is not uploaded in the meantime
+ - kdebase <not-affected> (vulnerability introduced in version 4.4.0)
+ - kdebase-workspace <not-affected> (vulnerability introduced in version 4.4.0)
+ NOTE: http://www.openwall.com/lists/oss-security/2010/02/12/2
+ TODO: recheck when >= 4.4.0 is uploaded; claimed fixed in 4.4.1
CVE-2010-0922 (Unspecified vulnerability in secldapclntd in IBM AIX 5.3 with SP ...)
NOT-FOR-US: IBM AIX
CVE-2010-0921 (Cross-site request forgery (CSRF) vulnerability in IBM Lotus iNotes ...)
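Review bot: Under CVE-2010-0923 both kdebase and kdebase-workspace are marked `<not-affected>` while the added TODO says the entry must be rechecked once a version >= 4.4.0 is uploaded, so the status stays correct only if someone rereads this TODO after that upload. Since the fix is claimed for 4.4.1, consider recording 4.4.1 as the fixed version once that is verified, so an upload of 4.4.0 is not silently treated as unaffected.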
@@ -243,9 +245,8 @@
RESERVED
CVE-2009-4664 (Firewall Builder 3.0.4, 3.0.5, and 3.0.6, when running on Linux, ...)
- fwbuilder 3.0.7-1 (bug #547390; medium)
- - libfwbuilder8 3.0.7-1 (bug #547390; medium)
[lenny] - fwbuilder <not-affected> (only versions 3.0.4, 3.0.5 and 3.0.6 are affected)
- [lenny] - libfwbuilder8 <not-affected> (only versions 3.0.4, 3.0.5 and 3.0.6 are affected)
+ - libfwbuilder 3.0.7-1 (bug #547390; medium)
NOTE: m68k package in debports in still affected at version 3.0.5
NOTE: see http://www.fwbuilder.org/docs/firewall_builder_release_notes.html#3.0.7
CVE-2009-4663 (Heap-based buffer overflow in the Quiksoft EasyMail Objects 6 ActiveX ...)
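Review bot: In CVE-2009-4664 the `[lenny] - libfwbuilder8 <not-affected>` line is removed but no `[lenny]` line for the renamed libfwbuilder replaces it, so the library loses its lenny status even though the same "only versions 3.0.4, 3.0.5 and 3.0.6 are affected" reasoning applies. Add the lenny line for libfwbuilder, and place `- libfwbuilder 3.0.7-1` directly after the `- fwbuilder 3.0.7-1` line rather than below the `[lenny]` entry.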
@@ -264,6 +265,8 @@
NOT-FOR-US: Xerver
CVE-2009-4656 (Stack-based buffer overflow in E-Soft DJ Studio Pro 4.2 including ...)
NOT-FOR-US: E-Soft DJ Studio Pro
+CVE-2010-XXXX [linux-ftpd: null ptr dereference]
+ - linux-ftpd <unfixed>
CVE-2010-XXXX [openssl power supply fluctuation fault-based key disclosure]
- openssl <unfixed> (low)
NOTE: http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
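Review bot: The new `CVE-2010-XXXX [linux-ftpd: null ptr dereference]` entry has no bug number, no severity and no NOTE with a reference, unlike the openssl entry right below it, which carries a severity and a source URL. Add the report or bug reference so the `<unfixed>` status can be checked later.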
@@ -322,9 +325,9 @@
CVE-2010-0799 (Directory traversal vulnerability in misc/tell_a_friend/tell.php in ...)
NOT-FOR-US: phpunity.newsmanager
CVE-2010-0798 (SQL injection vulnerability in the T3BLOG extension 0.6.2 and earlier ...)
- - typo3 <not-affected> (Vulnerable code not present)
+ NOT-FOR-US: T3BLOG extension for TYPO3
CVE-2010-0797 (Cross-site scripting (XSS) vulnerability in the T3BLOG extension 0.6.2 ...)
- - typo3 <not-affected> (Vulnerable code not present)
+ NOT-FOR-US: T3BLOG extension for TYPO3
CVE-2010-0796 (SQL injection vulnerability in the JE Quiz (com_jequizmanagement) ...)
NOT-FOR-US: Joomla!
CVE-2010-0795 (SQL injection vulnerability in the JE Event Calendars ...)
@@ -744,10 +747,6 @@
- gnome-screensaver <undetermined>
[lenny] - gnome-screensaver <not-affected> (Vulnerable code not present)
NOTE: http://www.openwall.com/lists/oss-security/2010/02/12/1
- - kdeartwork <undetermined>
- [lenny] - kdeartwork <not-affected> (Vulnerable code not present)
- NOTE: http://www.openwall.com/lists/oss-security/2010/02/12/2
- NOTE: http://www.kde.org/info/security/advisory-2010-02-17-1.txt
CVE-2010-0634 (Unspecified vulnerability in Fast Lexical Analyzer Generator (flex) ...)
- flex 2.5.35-1
CVE-2010-0629
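Review bot: Removing the kdeartwork lines here also drops `NOTE: http://www.kde.org/info/security/advisory-2010-02-17-1.txt`; only the openwall 2010/02/12/2 link reappears in this commit, under CVE-2010-0923. If the KDE advisory covers that issue, carry the NOTE over to that entry instead of losing it.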
@@ -1204,8 +1203,6 @@
CVE-2010-XXXX [nautilus: file preview html script execution]
- nautilus <not-affected> (proof-of-concept script is previewed as text, not executed)
NOTE: http://seclists.org/fulldisclosure/2010/Feb/112
-CVE-2010-XXXX [samba: remote zero-day vulnerability]
- - samba <unfixed> (low; bug #568493)
CVE-2010-XXXX [browser javascript document.write denial-of-service]
- xulrunner <unfixed> (unimportant; bug #568486)
- webkit <unfixed> (unimportant; bug #568485)
@@ -1772,8 +1769,10 @@
CVE-2010-0297 (Buffer overflow in the usb_host_handle_control function in the USB ...)
- qemu-kvm 0.11.1+dfsg-1
- kvm <removed>
-CVE-2010-0296
+CVE-2010-0296 [samba directory traversal]
RESERVED
+ - samba <unfixed> (low; bug #568493)
+ NOTE: supposedly fixed upstream in 3.5.0
CVE-2010-0295 (lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read ...)
{DSA-1987-1}
- lighttpd <unfixed> (medium)
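Review bot: `NOTE: supposedly fixed upstream in 3.5.0` under CVE-2010-0296 gives no source for the claim, and the entry stays `<unfixed>` with the CVE still RESERVED. Add a NOTE with the upstream commit or announcement the 3.5.0 claim rests on; that reference would also justify the bracketed description, which the removed entry gave as "remote zero-day vulnerability" and this one gives as "directory traversal".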
@@ -2154,7 +2153,7 @@
CVE-2010-0157 (Directory traversal vulnerability in the Bible Study (com_biblestudy) ...)
NOT-FOR-US: component for Joomla!
CVE-2010-0156 (Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local ...)
- TODO: check
+ - puppet 0.25.4-2
CVE-2010-0155
RESERVED
CVE-2010-0154
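Review bot: For CVE-2010-0156 the description names both 0.24.x before 0.24.9 and 0.25.x before 0.25.2 as affected, but the replacement for `TODO: check` records only `- puppet 0.25.4-2`. Add status lines for the stable releases, and confirm that 0.25.4-2 is the first fixed upload rather than just the current version, given that the description puts the fix in 0.25.2.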
@@ -3074,7 +3073,6 @@
CVE-2010-0012 (Directory traversal vulnerability in libtransmission/metainfo.c in ...)
{DSA-1967-1}
- transmission 1.77-1 (low)
- TODO: check affected versions
NOTE: http://trac.transmissionbt.com/changeset/9829/
NOTE: https://bugs.launchpad.net/ubuntu/+source/transmission/+bug/500625
CVE-2010-0011 (The eval_js function in uzbl-core.c in Uzbl before 2010.01.05 exposes ...)
@@ -3632,9 +3630,8 @@
RESERVED
CVE-2009-4124 (Heap-based buffer overflow in the rb_str_justify function in string.c ...)
- ruby1.9.1 1.9.1.376-1
- - ruby1.9 <unfixed>
+ - ruby1.9 <unfixed> (bug #572817)
- ruby1.8 <not-affected>
- TODO: check, 1.9.0.* might be affected as well
NOTE: http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/
CVE-2009-4123
RESERVED
@@ -3842,11 +3839,10 @@
- kdegraphics 4.0
- xpdf 3.01-1
- poppler 0.5.1-1
- TODO: check
+ - swftools <removed>
NOTE: was silently fixed by upstream xpdf, fix propagated to poppler in 4b4fc5c017b/2005-09-14
NOTE: but at least version 0.4.5 does *not* contain the ship.
NOTE: Was fixed somewhere between 0.4.5 and 0.5.1
- NOTE: swftools probably not affected
CVE-2009-4034 (PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before ...)
{DSA-1964-1}
- postgresql-7.4 <removed>
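Review bot: Replacing `TODO: check` and `NOTE: swftools probably not affected` with `- swftools <removed>` discards the only assessment of whether swftools was affected at all. If any release still ships swftools, keep a per-release line or a NOTE with the outcome of the check, because the unprefixed `<removed>` line does not say whether released versions were vulnerable.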
@@ -5771,7 +5767,7 @@
[lenny] - merkaartor <not-affected> (vulnerable code not present)
NOTE: does not run as root so minor issue.
CVE-2009-XXXX [amsn SSL verification vuln]
- TODO: check, file bug - amsn <unfixed>
+ - amsn <undetermined> (bug #527818)
NOTE: http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html
CVE-2009-XXXX [SA-CORE-2009-008]
- drupal6 6.14-1 (bug #547140)
@@ -6738,11 +6734,7 @@
[etch] - apache2 <no-dsa> (minor issue)
[lenny] - apache2 2.2.9-10+lenny5 (low; bug #545951)
NOTE: The attacker needs to have valid credentials for the FTP server, which
- NOTE: makes this irrelevant in most cases.
- TODO: check
- TODO: Disclosure has little information, verify that it is really fixed when
- TODO: more info is disclosed.
- NOTE: based on a VulnDisco commercial 0day
+ NOTE: makes this irrelevant in most cases. Based on a VulnDisco commercial 0day.
CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the ...)
{DSA-1934-1}
- apache2 2.2.13-2 (low; bug #545951)
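Review bot: The three removed TODO lines asked for the fix to be verified once more information is disclosed, and the merged NOTE does not say that this was done. If the fix in 2.2.9-10+lenny5 was confirmed, record that in a NOTE; otherwise keep the TODO.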
@@ -8548,9 +8540,9 @@
{DSA-1852-1}
- fetchmail 6.3.9~rc2-6
CVE-2009-2665 (The nsDocument::SetScriptGlobalObject function in ...)
- - xulrunner <not-affected>
- NOTE: Affected version only available in experimental, only Firefox 3.5
- TODO: check when 3.5 gets uploaded to unstable
+ - xulrunner 1.9.1.8-1
+ [lenny] - xulrunner <not-affected> (vulnerability introduced in firefox 3.5)
+ [etch] - xulrunner <not-affected> (vulnerability introduced in firefox 3.5)
CVE-2009-2664 (The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript ...)
{DSA-1873-1}
- xulrunner 1.9.0.13-1
@@ -8634,7 +8626,9 @@
CVE-2009-2650 (Heap-based buffer overflow in Sorcerer Software MultiMedia Jukebox 4.0 ...)
NOT-FOR-US: Sorcerer Software MultiMedia Jukebox
CVE-2009-2649 (The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev ...)
- TODO: Check, this might affect KFreeBSD
+ - freebsd-8 <undetermined> (bug #527811)
+ - freebsd-7 <undetermined> (bug #527811)
+ - freebsd-6 <removed> (bug #527811)
CVE-2009-2648 (FlashDen Guestbook allows remote attackers to obtain configuration ...)
NOT-FOR-US: FlashDen Guestbook
CVE-2009-2647 (Unspecified vulnerability in Kaspersky Anti-Virus 2010 and Kaspersky ...)
@@ -9205,9 +9199,9 @@
CVE-2008-6854 (Xigla Software Absolute FAQ Manager.NET 6.0 allows remote attackers to ...)
NOT-FOR-US: Xigla Software Absolute FAQ Manager.NET
CVE-2009-2477 (js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka ...)
- - xulrunner <not-affected> (high; bug #537104)
- NOTE: Affected version only available in experimental, only Firefox 3.5
- TODO: check when 3.5 gets uploaded to unstable
+ - xulrunner 1.9.1.2-1 (bug #537104)
+ [lenny] - xulrunner <not-affected> (vulnerable code introduced in firefox 3.5)
+ [etch] - xulrunner <not-affected> (vulnerable code introduced in firefox 3.5)
CVE-2009-2450 (The OAmon.sys kernel driver 3.1.0.0 and earlier in Tall Emu Online ...)
NOT-FOR-US: Tall Emu Online Armor Personal Firewall
CVE-2009-2449 (Directory traversal vulnerability in ...)
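Review bot: The new `- xulrunner 1.9.1.2-1 (bug #537104)` line under CVE-2009-2477 drops the `high` severity that the removed line carried. Keep it as `(high; bug #537104)` unless the rating was lowered on purpose; the `[lenny]` and `[etch]` reason here also reads "vulnerable code introduced" where the CVE-2009-2665 hunk uses "vulnerability introduced", so pick one wording.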
Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies 2010-03-06 21:55:21 UTC (rev 14200)
+++ data/embedded-code-copies 2010-03-06 21:55:31 UTC (rev 14201)
@@ -43,7 +43,7 @@
- ruby-gnome2 <unknown> (embed)
NOTE: copy only present in source but links to poppler
- pdfedit <unfixed> (embed; bug #510794)
- - swftools <unfixed> (embed; bug #551293)
+ - swftools <removed> (embed; bug #551293)
- poppler <unfixable> (fork)
ppmd
@@ -1754,9 +1754,12 @@
- symfony <unfixed> (embed)
hfsutils
- - cdrkit (unfixed); (embed; bug #570187)
+ - cdrkit <unfixed> (embed; bug #570187)
NOTE: embeds hfsutils code in genisoimage
cdrkit
- - grub2 (unfixed); (embed; bug #570156)
+ - grub2 <unfixed> (embed; bug #570156)
NOTE: genisoimage imported into grub-mkisofs
+
+kdebase-workspace
+ - kdebase <unfixed> (old-version)
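Review bot: The new kdebase-workspace section lists `- kdebase <unfixed> (old-version)` with no NOTE, while the neighbouring cdrkit and grub2 entries each explain the relationship in one. Add a NOTE saying which kdebase versions carried the kdebase-workspace code, especially since data/CVE/list in this same commit marks kdebase `<not-affected>` for CVE-2010-0923.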