[Secure-testing-commits] r14343 - in data: . CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Sun Mar 28 21:03:29 UTC 2010


Author: jmm-guest
Date: 2010-03-28 21:03:28 +0000 (Sun, 28 Mar 2010)
New Revision: 14343

Modified:
   data/CVE-2009-3555
   data/CVE/list
Log:
- fix opensaml spu tracking
- move openssl entry to separate file
- make two xulrunner issues undetermined, there's too much noise
  wrt Mozilla reports, such issues should be sent to
  security at mozilla.org for feedback and track those confirmed by
  Mozilla security folks


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-03-28 11:17:55 UTC (rev 14342)
+++ data/CVE/list	2010-03-28 21:03:28 UTC (rev 14343)
@@ -1077,7 +1077,7 @@
 	{DSA-2023-1}
 	- curl 7.20.0-1 (low)
 	NOTE: http://www.openwall.com/lists/oss-security/2010/03/16/11
-	NOTE: depends on the application that uses libcurl
+        NOTE: depends on the application that uses libcurl
 CVE-2010-0733 (Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL ...)
 	- postgresql-7.4 <undetermined>
 	- postgresql-8.1 <undetermined>
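Review bot: the only change in this hunk is whitespace: the NOTE line on the CVE-2010-0842 curl entry goes from a leading tab to eight spaces, while every neighbouring line in the list (the DSA reference, the package line, the other NOTE) is tab-indented. Unless the tracker's parser treats spaces and tabs identically, this is a regression rather than a fix; either revert to the tab or state in the log why the indentation was changed.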
@@ -1316,7 +1316,7 @@
 CVE-2010-0655 (Use-after-free vulnerability in Google Chrome before 4.0.249.78 allows ...)
 	- chromium-browser <itp> (bug #520334)
 CVE-2010-0654 (Mozilla Firefox permits cross-origin loading of CSS stylesheets even ...)
-	- xulrunner <unfixed> (bug #570743)
+	- xulrunner <undetermined> (bug #570743)
 CVE-2010-0653 (Opera permits cross-origin loading of CSS stylesheets even when the ...)
 	NOT-FOR-US: Opera
 CVE-2010-0652 (Microsoft Internet Explorer permits cross-origin loading of CSS ...)
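Review bot: the xulrunner line for CVE-2010-0654 is downgraded from <unfixed> to <undetermined> but the rationale lives only in the commit log ("too much noise wrt Mozilla reports"). Add a NOTE line under the entry recording that the issue is unconfirmed by Mozilla security, so the next person reading the list knows why an entry with an open Debian bug (#570743) is marked undetermined rather than unfixed.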
@@ -1339,7 +1339,7 @@
 CVE-2010-0649 (Integer overflow in the CrossCallParamsEx::CreateFromBuffer function ...)
 	- chromium-browser <itp> (bug #520334)
 CVE-2010-0648 (Mozilla Firefox, possibly before 3.6, allows remote attackers to ...)
-	- xulrunner <unfixed> (bug #570743)
+	- xulrunner <undetermined> (bug #570743)
 CVE-2010-0647 (WebKit before r53525, as used in Google Chrome before 4.0.249.89, ...)
 	- chromium-browser <itp> (bug #520334)
 	- webkit 1.1.21-1 (medium)
@@ -6058,7 +6058,6 @@
 CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as ...)
 	{DSA-1934-1}
 	- apache2 2.2.14-2
-	- openssl 0.9.8k-6
 	NOTE: See separate CVE-2009-3555 file in SVN
 CVE-2009-3554 (Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss ...)
 	- jbossas4 4.2.2.GA-1 (bug #562000)
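Review bot: dropping "- openssl 0.9.8k-6" from the CVE-2009-3555 entry removes the only machine-readable record that openssl is affected by this issue, while apache2 2.2.14-2 stays in the list under the same CVE. The NOTE already points to the separate SVN file, so the intent is clear, but a free-form file is not consulted by tooling that reads data/CVE/list; consider keeping the openssl line here (with a NOTE that 0.9.8k-6 is a workaround, not a complete fix) so the package is still tracked.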
@@ -6272,7 +6271,8 @@
 	- opensaml2 2.2.1-1
 	- shibboleth-sp <removed>
 	- shibboleth-sp2 2.2.1+dfsg-1
-	[lenny] - opensaml 2.0-2+lenny1
+	[lenny] - opensaml 1.1.1-2+lenny1
+	[lenny] - opensaml2 2.0-2+lenny1
 CVE-2009-3473 (IBM DB2 9.1 before FP8 does not require the SETSESSIONUSER privilege ...)
 	NOT-FOR-US: IBM DB2
 CVE-2009-3472 (IBM DB2 8 before FP18, 9.1 before FP8, and 9.5 before FP4 allows ...)
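Review bot: the lenny line is split into "opensaml 1.1.1-2+lenny1" and "opensaml2 2.0-2+lenny1", which matches the commit log, but the visible context for the unstable side starts at "- opensaml2 2.2.1-1" and shows no corresponding "opensaml" (1.x) entry. Confirm that a source-package line for opensaml exists above this hunk; without one the new [lenny] opensaml annotation refers to a package the entry does not otherwise list.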

Modified: data/CVE-2009-3555
===================================================================
--- data/CVE-2009-3555	2010-03-28 11:17:55 UTC (rev 14342)
+++ data/CVE-2009-3555	2010-03-28 21:03:28 UTC (rev 14343)
@@ -21,13 +21,15 @@
 - sun-java5
 - sun-java6
 
-Applications, which have been modified:
+Applications, which have been modified with workarounds
 - proftpd-dfsg -> Disabled SSL/TLS renegotiations in 1.3.2b-2 in unstable
 - apache2 -> Disabled client-initiated SSL/TLS renegs in 2.2.14-2, only partial fix, also issued as DSA 1934 for stable
 - tomcat-native -> 1.1.18-1
 - nginx: disabled renegotiation in 0.7.64-1
   patch at http://sysoev.ru/nginx/patch.cve-2009-3555.txt
+- openssl 0.9.8k-6
 
+
 Candidates for modification:
 - libapache-mod-ssl (oldstable only) bug #556942, no patch yet
 
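Review bot: two small inconsistencies in the data/CVE-2009-3555 hunk. The reworded heading "Applications, which have been modified with workarounds" drops the trailing colon that the old heading and the following "Candidates for modification:" heading carry, and the new "- openssl 0.9.8k-6" line is the only entry in that section without a description of what the workaround does (the other entries spell out "Disabled SSL/TLS renegotiations" or similar). Restore the colon and add a short "->" description so the list stays uniform; the extra blank line added before "Candidates for modification:" also looks unintended.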