[Secure-testing-commits] r14211 - in data: . CVE packages

Michael Gilbert gilbert-guest at alioth.debian.org
Sun Mar 7 20:01:52 UTC 2010


Author: gilbert-guest
Date: 2010-03-07 20:01:52 +0000 (Sun, 07 Mar 2010)
New Revision: 14211

Modified:
   data/CVE/list
   data/embedded-code-copies
   data/packages/removed-packages
Log:
recent issues with embedded code elsewhere; bugs submitted for a couple other issues

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-03-07 18:59:14 UTC (rev 14210)
+++ data/CVE/list	2010-03-07 20:01:52 UTC (rev 14211)
@@ -273,6 +273,7 @@
 	- irssi-plugin-otr <unfixed> (unimportant; bug #569506)
 CVE-2010-XXXX [shibboleth-sp2: world-readable key]
 	- shibboleth-sp2 <unfixed> (low; bug #571631)
+	- shibboleth-sp <removed> (low)
 CVE-2010-XXXX [libesmtp doesn't handle null bytes in commonname]
 	- libesmtp <unfixed>
 	NOTE: http://www.openwall.com/lists/oss-security/2010/03/03/6
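Review bot: the new `shibboleth-sp <removed> (low)` line has no `[lenny]` sub-entry, unlike the `gaim <removed>` additions elsewhere in this commit, which pair the removed state with an explicit `[lenny] - gaim <not-affected> (...)` line; if shibboleth-sp shipped in lenny, the tracker still needs a statement of whether that version is affected by the world-readable key issue, and the line should carry the same `bug #571631` reference as shibboleth-sp2 if it is the same bug.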
@@ -1242,6 +1243,9 @@
 CVE-2010-XXXX [browser javascript document.write denial-of-service]
 	- xulrunner <unfixed> (unimportant; bug #568486)
 	- webkit <unfixed> (unimportant; bug #568485)
+	- qt4-x11 <unfixed> (unimportant)
+	- kdelibs <unfixed> (unimportant)
+	- kde4libs <unfixed> (unimportant)
 CVE-2010-XXXX [moinmoin unspecified issue]
 	- moin <unfixed> (bug #569975)
 	NOTE: http://moinmo.in/SecurityFixes
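Review bot: the three new `qt4-x11`, `kdelibs` and `kde4libs` entries give no reason why these packages are affected by a browser `document.write` denial of service that is otherwise recorded only against xulrunner and webkit; a NOTE naming the embedded component would make the verdict checkable, and none of the three appears in the `data/embedded-code-copies` changes in this commit, so future WebKit issues will not pick them up automatically.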
@@ -1346,6 +1350,9 @@
 	NOT-FOR-US: cronie and vixie-cron
 CVE-2010-0423 (gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a ...)
 	- pidgin 2.6.6-1 (low)
+	- gaim <removed> (low)
+        [lenny] - gaim <not-affected> (gaim is a transitional dummy package only)
+	- qutecom <undetermined> (low; bug #572946)
 CVE-2010-0422 (gnome-screensaver 2.28.x before 2.28.3 does not properly synchronize ...)
 	- gnome-screensaver 2.28.3-1
 	[lenny] - gnome-screensaver <not-affected> (Vulnerable code not present)
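Review bot: the added `[lenny] - gaim <not-affected> ...` line is indented with eight spaces, while every other sub-entry in this file, including the `[lenny] - gnome-screensaver` line two lines below, uses a tab; normalise to a tab so the line parses the same way as its neighbours.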
@@ -1353,6 +1360,9 @@
 	RESERVED
 CVE-2010-0420 (libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user ...)
 	- pidgin 2.6.6-1 (low)
+	- gaim <removed> (low)
+        [lenny] - gaim <not-affected> (gaim is a transitional dummy package only)
+	- qutecom <undetermined> (low; bug #572946)
 CVE-2010-0419
 	RESERVED
 CVE-2010-0418
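Review bot: same indentation problem as in the CVE-2010-0423 hunk: `[lenny] - gaim <not-affected> ...` is indented with spaces instead of a tab. Also, `qutecom <undetermined> (low; bug #572946)` is now attached to three separate pidgin CVEs; once bug #572946 is resolved, all three entries need updating together.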
@@ -1636,7 +1646,7 @@
 	- xulrunner 1.9.1-1
 	[etch] - xulrunner <not-affected> (theora introduced in 1.9.1)
 	[lenny] - xulrunner <not-affected> (theora introduced in 1.9.1)
-	- libtheora 1.1.1+dfsg.1-3 (medium)
+	- libtheora 1.1.1+dfsg.1-3 (medium; bug #572950)
 	[etch] - libtheora <not-affected> (vulnerable code not present)
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=498815
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=498824
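Review bot: `bug #572950` is attached to a libtheora line that already names a fixed version (`1.1.1+dfsg.1-3`), and the entry has an `[etch]` sub-entry but no `[lenny]` one, while the xulrunner lines above carry both; if the bug is about lenny's libtheora needing an update, add a `[lenny] - libtheora <unfixed>` line so the tracker reflects that rather than leaving the bug reference on the fixed unstable entry.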
@@ -1727,6 +1737,9 @@
 CVE-2010-0315 (WebKit before r53607, as used in Google Chrome before 4.0.249.89, ...)
 	- chromium-browser <itp> (bug #520324)
 	- webkit 1.1.21-1 (medium)
+	- qt4-x11 <undetermined> (medium)
+	- kdelibs <undetermined> (medium)
+	- kde4libs <undetermined> (medium)
 CVE-2010-0314 (Apple Safari allows remote attackers to discover a redirect's target ...)
 	NOT-FOR-US: Safari
 CVE-2010-0313 (The core_get_proxyauth_dn function in ns-slapd in Sun Java System ...)
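Review bot: `qt4-x11`, `kdelibs` and `kde4libs` are marked `<undetermined> (medium)` without a bug reference or a NOTE saying which embedded WebKit copy is meant, so nothing records what has to be checked to resolve the state; add the component as a NOTE, and if these packages embed webkit, list them under webkit in `data/embedded-code-copies` rather than adding them by hand to each WebKit CVE.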
@@ -1814,7 +1827,7 @@
 	- kvm <removed>
 CVE-2010-0296 [samba directory traversal]
 	RESERVED
-	- samba <unfixed> (low; bug #568493)
+	- samba <unfixed> (low; bug #568493; bug #572953)
 	NOTE: supposedly fixed upstream in 3.5.0
 CVE-2010-0295 (lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read ...)
 	{DSA-1987-1}
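Review bot: the samba entry now cites two bugs, `bug #568493; bug #572953`, but nothing says how they differ, and the only NOTE still reads "supposedly fixed upstream in 3.5.0"; a short NOTE stating what the second bug tracks (for example a stable update versus the unstable fix) would stop the next reader from having to open both reports.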
@@ -1908,6 +1921,9 @@
 	NOT-FOR-US: PHP Inventory
 CVE-2010-0277 (slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, ...)
 	- pidgin 2.6.6-1 (low; bug #566775)
+	- gaim <removed> (low)
+        [lenny] - gaim <not-affected> (gaim is a transitional dummy package only)
+	- qutecom <undetermined> (low; bug #572946)
 CVE-2010-0276 (IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.241 for ...)
 	NOT-FOR-US: IBM Lotus iNotes
 CVE-2010-0275 (Ultra-light Mode in IBM Lotus iNotes (aka Domino Web Access or DWA) ...)
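Review bot: the `[lenny] - gaim <not-affected> ...` line is again indented with spaces rather than the tab used throughout the file; the same `gaim`/`qutecom` block is now copied verbatim into three CVEs, so fix the indentation in all three places at once.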
@@ -3157,6 +3173,10 @@
 CVE-2010-0001 (Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 ...)
 	{DSA-1974-1}
 	- gzip 1.3.12-9 (medium; bug #566002)
+	- linux-2.6 <not-affected> (does not include unlzw.c in its gzip code copy)
+	- klibc <not-affected> (does not include unlzw.c in its gzip code copy)
+	- busybox <not-affected> (does not include unlzw.c in its gzip code copy)
+	- pristine-tar <not-affected> (does not include unlzw.c in its gzip code copy)
 CVE-2009-4324 (Use-after-free vulnerability in the Doc.media.newPlayer method in ...)
 	NOT-FOR-US: Adobe Reader and Acrobat 8.0
 CVE-2009-4323 (The installation for Zen Cart stores sensitive information and ...)
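Review bot: the four `<not-affected>` verdicts rest on the justification "does not include unlzw.c in its gzip code copy", which is sound given that the CVE description places the integer underflow in unlzw.c; however, the `data/embedded-code-copies` hunk in this commit records only klibc's copy as derived from the kernel code, so the busybox and pristine-tar verdicts should be confirmed against their own sources rather than inferred from `linux-2.6`.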
@@ -5821,7 +5841,7 @@
 CVE-2009-3390 (Multiple unspecified vulnerabilities in the (1) iscsiadm and (2) ...)
 	NOT-FOR-US: iscsiadm and iscsitadm programs in Sun Solaris 10
 CVE-2009-3389 (Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used ...)
-	- libtheora 1.1
+	- libtheora 1.1 (bug #527950)
 	[etch] - libtheora <not-affected> (vulnerable code not present)
 	- xulrunner 1.9.1.6-1
 	[etch] - xulrunner <end-of-life> (Mozilla packages from oldstable no longer covered by security support)
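Review bot: `bug #527950` looks like a digit transposition. The other bug references introduced in this commit are #572946, #572950 and #572953, and #572950 was just attached to libtheora in the CVE-2010-XXXX entry above; verify the number before this entry is committed, since a wrong bug reference silently points the tracker at an unrelated report.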

Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies	2010-03-07 18:59:14 UTC (rev 14210)
+++ data/embedded-code-copies	2010-03-07 20:01:52 UTC (rev 14211)
@@ -294,7 +294,7 @@
 faad2
 	- mplayer 1.0~rc2-20 (embed)
 	- avifile <unfixed> (embed; bug #538750)
-	- ffmpeg-debian <removed> (old-version)
+	- ffmpeg-debian <removed> (embed)
 
 libmad (MPEG decoding lib)
 	- xine-lib <unfixed> (embed)
@@ -427,8 +427,7 @@
 	- mahara <unfixed> (embed)
 
 gzip
-	- linux-kernel <unfixed> (embed)
-	NOTE: lib/inflate.c
+	- linux-2.6 <unfixed> (embed) [lib/inflate.c]
 	- klibc <unfixed> (embed)
 	NOTE: based on linux-kernel gzip code
 	- busybox <unfixed> (embed)
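Review bot: the rewritten line `- linux-2.6 <unfixed> (embed) [lib/inflate.c]` puts the file path in a trailing bracket, a form no other entry in the visible file uses; the klibc entry directly below keeps the path information in a `NOTE:` line, and the deleted line did too. Unless the parser accepts a trailing bracket, keep the `NOTE: lib/inflate.c` line. The klibc NOTE also still says "based on linux-kernel gzip code", which now refers to an entry name that no longer exists.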
@@ -1008,12 +1007,12 @@
 nusoap
 	- gforge 4.8.2-1 (embed)
 	- ampache <unfixed> (embed)
-	- poker-network <unfixed> (old-version)
-	- moodle <unfixed> (old-version)
+	- poker-network <unfixed> (embed)
+	- moodle <unfixed> (embed)
 	NOTE: code is not used when running under php5 and soap is enabled
-	- phpwiki <unfixed> (old-version)
-	- gallery2 <unfixed> (old-version)
-	- typo3-src <unfixed> (old-version)
+	- phpwiki <unfixed> (embed)
+	- gallery2 <unfixed> (embed)
+	- typo3-src <unfixed> (embed)
 
 libept
 	- adept <unfixed> (embed; bug #540649)
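Review bot: every `(old-version)` tag in this hunk becomes `(embed)`, which drops the information that these copies were older than the packaged nusoap; if `old-version` is being retired as a classification, that is worth stating in the log and applying consistently (the faad2 hunk does the same for ffmpeg-debian), and if it is not, the original tags carried useful triage data and should stay.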
@@ -1659,7 +1658,7 @@
 phpass (http://www.openwall.com/phpass/)
 	- gallery2 <unfixed> (embed)
 	- wordpress <unfixed> (embed)
-	- typo3-src <unfixed> (fork)
+	- typo3-src <unfixed> (modified-embed)
 	NOTE: file refers to drupal, maybe there's a copy somewhere there
 	NOTE: a copyright owner search didn't match anything
 	- libauthen-passphrase-perl <unfixable> (fork)
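Review bot: `(modified-embed)` is a tag not seen anywhere else in the visible file, while `(fork)` is still used for libauthen-passphrase-perl two lines below; if `modified-embed` is a new state, the file's documentation and any tooling that reads these tags must accept it, and the two NOTE lines about drupal and the copyright search still read as if the entry were unresolved.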

Modified: data/packages/removed-packages
===================================================================
--- data/packages/removed-packages	2010-03-07 18:59:14 UTC (rev 14210)
+++ data/packages/removed-packages	2010-03-07 20:01:52 UTC (rev 14211)
@@ -217,3 +217,4 @@
 ingimp
 drupal5
 swftools
+libwordpress-xmlrpc-perl
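Review bot: `libwordpress-xmlrpc-perl` is added to the removed-packages list, but nothing else in this commit touches that package; check whether `data/CVE/list` has entries for it that should now be marked `<removed>`, as was done for gaim and shibboleth-sp above.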
