[Secure-testing-commits] r14706 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Tue May 18 16:13:45 UTC 2010
Author: jmm-guest
Date: 2010-05-18 16:13:41 +0000 (Tue, 18 May 2010)
New Revision: 14706
Modified:
data/CVE/list
data/mops.txt
Log:
- jboss and samhain non-issues (both confirmed by maintainers)
- memcached, oftc-hybrid fixed
- kget issues don't affect Lenny, partially fixed in sid
- new pidgin issue, doesn't affect Lenny since MSN support has been dropped before
- MOPS updates, no CVE yet, nothing for Lenny's PHP (Raphael, please double-check)
- sudo globbing w/o security impact, removing
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-05-18 14:54:09 UTC (rev 14705)
+++ data/CVE/list 2010-05-18 16:13:41 UTC (rev 14706)
@@ -130,7 +130,7 @@
NOT-FOR-US: EFront ask_chat
CVE-2010-1917 (Stack consumption vulnerability in PHP 5.2 through 5.2.13 and 5.3 ...)
- php5 <unfixed> (low)
- [lenny] - php5 <no-dsa> (low)
+ [lenny] - php5 <no-dsa> (Minor issue)
CVE-2010-1916 (The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 ...)
TODO: check the embedded copies
CVE-2010-1915 (The preg_quote function in PHP 5.2 through 5.2.13 and 5.3 through ...)
@@ -726,8 +726,9 @@
CVE-2010-1625
RESERVED
CVE-2010-1624 (The msn_emoticon_msg function in slp.c in the MSN protocol plugin in ...)
- - pidgin <undetermined>
- TODO: check
+ - pidgin 2.7.0-1 (low)
+ [lenny] - pidgin 2.4.3-4lenny6
+ NOTE: MSN support was disabled in 2.4.3-4lenny6
CVE-2010-1623
RESERVED
CVE-2010-1622
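Review bot: the [lenny] line records 2.4.3-4lenny6 as a fixed version, but the NOTE and the commit log say Lenny is unaffected because MSN support was disabled in that upload, not because the msn_emoticon_msg flaw was patched; the kdenetwork entries in this same commit express that situation as `[lenny] - kdenetwork <not-affected> (Metalink plugin not yet present)`. Consider `[lenny] - pidgin <not-affected> (MSN support disabled in 2.4.3-4lenny6)` so the two conventions do not diverge, unless a version number is intended so that earlier lenny revisions still show as vulnerable.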
@@ -1025,9 +1026,10 @@
NOTE: http://seclists.org/fulldisclosure/2010/May/168
CVE-2010-1511 [kget insecure file get]
RESERVED
- - kdenetwork <undetermined>
+ - kdenetwork <unfixed> (low)
+ [lenny] - kdenetwork <not-affected> (Metalink plugin not yet present)
NOTE: http://seclists.org/fulldisclosure/2010/May/164
- TODO: check
+ TODO: File bug for unstable
CVE-2010-1510 (Heap-based buffer overflow in IrfanView before 4.27 allows remote ...)
NOT-FOR-US: IrfanView
CVE-2010-1509 (IrfanView before 4.27 does not properly handle an unspecified integer ...)
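Review bot: the `<unfixed>` line for kdenetwork carries no bug reference while the new TODO asks for one to be filed; once it is, record it in the same `(low; bug #NNNNNN)` form used elsewhere in the file (see the texlive-bin line) so the entry is not orphaned from the BTS. Since the log calls kget only partially fixed in sid and the sibling entry CVE-2010-1000 gets a fixed version in this commit, a NOTE here saying which part remains unfixed would also help the next triager.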
@@ -1083,7 +1085,8 @@
CVE-2010-1491 (Directory traversal vulnerability in the MMS Blog (com_mmsblog) ...)
NOT-FOR-US: com_mmsblog component for joomla!
CVE-2009-4810 (The Secure Remote Password (SRP) implementation in Samhain before ...)
- - samhain 2.5.4-1
+ - samhain 2.5.4-1 (unimportant)
+ NOTE: Support for client/server operation is not enabled in the Debian packages
CVE-2009-4809 (Directory traversal vulnerability in thumbnail.ghp in Easy File ...)
NOT-FOR-US: Easy File Sharing Web Server
CVE-2009-4808 (admin.php in Graugon PHP Article Publisher 1.0 allows remote attackers ...)
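Review bot: the NOTE explains why the severity is unimportant, but the commit log says the assessment was confirmed by the maintainer; recording that confirmation in the NOTE itself (who confirmed it, or the mail or bug reference) would keep the rationale traceable from the file alone rather than from the commit history.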
@@ -1330,11 +1333,9 @@
CVE-2010-1430
RESERVED
CVE-2010-1429 (Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) ...)
- - jbossas4 <unfixed> (bug #581226)
- [lenny] - jbossas4 <no-dsa> (Contrib not supported)
+ - jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2010-1428 (The Web Console (aka web-console) in JBossAs in Red Hat JBoss ...)
- - jbossas4 <unfixed> (bug #581226)
- [lenny] - jbossas4 <no-dsa> (Contrib not supported)
+ - jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2010-1427 (Cross-site scripting (XSS) vulnerability in the SearchHighlight plugin ...)
NOT-FOR-US: MODx Evolution
CVE-2010-1426 (SQL injection vulnerability in MODx Evolution before 1.0.3 allows ...)
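Review bot: the bug reference format changed from `bug #581226` to a bare `#581226` inside the reason text, whereas the rest of the file writes `bug #NNNNNN` (see the texlive-bin, makepasswd and ircd-ratbox lines); keep the `bug #` prefix for consistency, here and in the identical CVE-2010-0738 change further down. With the package now `<not-affected>`, the state of #581226 itself is also worth checking so the BTS does not keep an open bug claiming the package is vulnerable.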
@@ -2419,9 +2420,9 @@
RESERVED
CVE-2010-1000 [kget directory traversal]
RESERVED
- - kdenetwork <undetermined>
+ - kdenetwork 4:4.4.3-2
+ [lenny] - kdenetwork <not-affected> (Metalink plugin not yet present)
NOTE: http://seclists.org/fulldisclosure/2010/May/165
- TODO: check
CVE-2010-0999
RESERVED
CVE-2010-0998
@@ -3272,8 +3273,7 @@
- texlive-bin 2009-6 (low; bug #560668)
[lenny] - texlive-bin <no-dsa> (minor issue)
CVE-2010-0738 (The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise ...)
- - jbossas4 <unfixed> (bug #581226)
- [lenny] - jbossas4 <no-dsa> (Contrib not supported)
+ - jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2010-0737
RESERVED
CVE-2010-0736 (Cross-site scripting (XSS) vulnerability in the view_queryform ...)
@@ -4444,9 +4444,6 @@
- zope2.11 <removed>
- zope2.9 <removed>
NOTE: https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html
-CVE-2010-XXXX [sudo glob processing issue]
- - sudo 1.7.0-1 (low; bug #565223)
- [lenny] - sudo <no-dsa> (no known attack vector; attacker needs to be able to modify sudoers file)
CVE-2010-XXXX [makepasswd: insecure passwords generated with default settings]
- makepasswd 1.10-5 (low; bug #564559)
[lenny] - makepasswd <no-dsa> (Minor issue)
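Review bot: deleting the sudo entry outright discards the triage rationale ("no known attack vector; attacker needs to be able to modify sudoers file") and the bug #565223 reference, so nothing in the file will show that the glob issue was already assessed if it is reported again. The samhain change in this same commit shows the alternative: keep the entry with an `(unimportant)` severity and a NOTE stating why it has no security impact.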
@@ -6919,7 +6916,7 @@
{DSA-1980-1}
- ircd-ratbox 3.0.6.dfsg-1 (medium; bug #567191)
- ircd-hybrid 1:7.2.2.dfsg.2-6.1 (medium; bug #567192)
- - oftc-hybrid <unfixed> (medium; bug #567193)
+ - oftc-hybrid 1.6.3.dfsg-1.1 (medium; bug #567193)
CVE-2009-4015 (Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x ...)
{DSA-1979-1}
- lintian 2.3.2 (medium)
Modified: data/mops.txt
===================================================================
--- data/mops.txt 2010-05-18 14:54:09 UTC (rev 14705)
+++ data/mops.txt 2010-05-18 16:13:41 UTC (rev 14706)
@@ -21,3 +21,13 @@
019: CVE-2010-1916; Serendipity, doesn't affect Lenny (1.4 onwards), pinged Thijs
020: CVE-2010-1916; External app; xinha, Just an ITP: #479708, there are embedders
021: CVE-2010-1917; PHP fnmatch() Stack Exhaustion Vulnerability
+022: no CVE yet; Only triggerable by malicious script
+023: no CVE yet; Cacti, pinged Sean Finney
+024: no CVE yet; Doesn't affect Lenny
+025: no CVE yet; Doesn't affect Lenny
+026: no CVE yet; Doesn't affect Lenny
+027: no CVE yet; Doesn't affect Lenny
+028: no CVE yet; Doesn't affect Lenny
+029: External app not in Debian: CMSQLITE
+030: External app not in Debian: CMSQLITE
+031: External app not in Debian: e107
\ No newline at end of file
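Review bot: entries 022 through 028 give only "no CVE yet" plus a disposition and, unlike 019 to 021, name no affected software, so they cannot be matched to a CVE once one is assigned or cross-checked against data/CVE/list later; add the package or application name to each line. The `\ No newline at end of file` marker also shows the file now ends without a trailing newline, which the next append will have to repair.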