[Secure-testing-commits] r15619 - in data: . CVE DSA
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Sat Nov 27 12:09:19 UTC 2010
Author: jmm-guest
Date: 2010-11-27 12:09:05 +0000 (Sat, 27 Nov 2010)
New Revision: 15619
Modified:
data/CVE/list
data/DSA/list
data/spu-candidates.txt
Log:
- new chrome/webkit issues
- new library path issues in banshee, gnome-shell, gnucash, tomboy
- vim issue Windows-specific
- one typo3 issue was fixed in previous DSA
- NFUs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-11-27 04:52:40 UTC (rev 15618)
+++ data/CVE/list 2010-11-27 12:09:05 UTC (rev 15619)
@@ -187,23 +187,31 @@
CVE-2010-4207 (Cross-site scripting (XSS) vulnerability in the Flash component ...)
- yui <unfixed> (bug #603513)
CVE-2010-4206 (Google Chrome before 7.0.517.44 accesses memory at an out-of-bounds ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-4205 (Google Chrome before 7.0.517.44 does not properly handle the data ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-4204 (Google Chrome before 7.0.517.44 accesses a frame object after this ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-4202 (Multiple integer overflows in Google Chrome before 7.0.517.44 on Linux ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-4201 (Use-after-free vulnerability in Google Chrome before 7.0.517.44 allows ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-4200
REJECTED
CVE-2010-4199 (Google Chrome before 7.0.517.44 does not properly perform a cast of an ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-4198 (Google Chrome before 7.0.517.44 does not properly handle large text ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-4197 (Use-after-free vulnerability in Google Chrome before 7.0.517.44 allows ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-4196
RESERVED
CVE-2010-4195
@@ -285,7 +293,8 @@
CVE-2010-4161
RESERVED
CVE-2010-4159 (Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 ...)
- TODO: check
+ - mono <unfixed> (bug filed)
+ [lenny] - mono <no-dsa> (Minor issue)
CVE-2010-4156 (The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through ...)
- php5 5.3.3-4 (bug #603751)
[lenny] - php5 <not-affected> (Only affects 5.3.x)
@@ -306,7 +315,8 @@
CVE-2009-5014 (The default quickstart configuration of TurboGears2 (aka tg2) before ...)
- turbogears2 2.0.3-1
CVE-2008-7265 (The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote ...)
- TODO: check
+ - proftpd-dfsg 1.3.2-1 (low)
+ [lenny] - proftpd-dfsg <no-dsa> (Minor issue)
CVE-2010-4203 (WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google ...)
- libvpx 0.9.1-2 (bug #602693)
CVE-2010-4160
@@ -498,7 +508,8 @@
CVE-2010-4069 (Stack-based buffer overflow in IBM Informix Dynamic Server (IDS) 7.x ...)
NOT-FOR-US: IBM Informix Dynamic Server
CVE-2010-4068 (Unspecified vulnerability in the Extension Manager in TYPO3 4.2.x ...)
- TODO: check
+ {DSA-2121-1}
+ - typo3-src 4.3.7-1
CVE-2010-4096 (share/ma/keys_for_user in Monkeysphere 0.31 and 0.32 allows local ...)
- monkeysphere 0.31-3 (bug #600304)
NOTE: micah requested this CVE from mitre, issue has been fixed in debian already
@@ -648,7 +659,8 @@
CVE-2010-4006 (Multiple SQL injection vulnerabilities in search.php in WSN Links ...)
NOT-FOR-US: WSN Links
CVE-2010-4005 (The (1) tomboy and (2) tomboy-panel scripts in GNOME Tomboy 1.5.2 and ...)
- TODO: check
+ - tomboy <unfixed> (bug filed)
+ [lenny] - tomboy <no-dsa> (Minor issue)
CVE-2010-4004
RESERVED
CVE-2010-4003
@@ -656,13 +668,16 @@
CVE-2010-4002
RESERVED
CVE-2010-4001 (** DISPUTED ** GMXRC.bash in Gromacs 4.5.1 and earlier places a ...)
- TODO: check
+ NOTE: Not a security issue
CVE-2010-4000 (gnome-shell in GNOME Shell 2.31.5 places a zero-length directory name ...)
- TODO: check
+ - gnome-shell <unfixed> (bug filed)
+ [lenny] - gnome-shell <no-dsa> (Minor issue)
CVE-2010-3999 (gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length ...)
- TODO: check
+ - gnucash <unfixed> (low; bug #603329)
+ [lenny] - gnucash <no-dsa> (Minor issue)
CVE-2010-3998 (The (1) banshee-1 and (2) muinshee scripts in Banshee 1.8.0 and ...)
- TODO: check
+ - banshee <unfixed> (bug filed)
+ [lenny] - banshee <no-dsa> (Minor issue)
CVE-2010-3997
RESERVED
CVE-2010-3996 (festival_server in Centre for Speech Technology Research (CSTR) ...)
@@ -856,7 +871,7 @@
CVE-2010-3915 (Unspecified vulnerability in JustSystems Ichitaro and Ichitaro ...)
NOT-FOR-US: JustSystems Ichitaro and Ichitaro Government
CVE-2010-3914 (Untrusted search path vulnerability in VIM Development Group GVim ...)
- TODO: check
+ - vim <not-affected> (Windows-specific)
CVE-2010-3913 (CRLF injection vulnerability in TransWARE Active! mail 6 build ...)
NOT-FOR-US: TransWARE Active! mail
CVE-2010-3912
@@ -954,7 +969,6 @@
RESERVED
CVE-2010-3871 (Cross-site scripting (XSS) vulnerability in ...)
- mahara <not-affected> (Vulnerable feature introduced in 1.3)
- TODO: File was introduced after 1.2.6, so check that next sid version is at least 1.3.3 or higher
CVE-2010-3870 (The utf8_decode function in PHP before 5.3.4 does not properly handle ...)
- php5 5.3.3-4 (bug #603751)
CVE-2010-3869 (Red Hat Certificate System (RHCS) 7.3 and 8 and Dogtag Certificate ...)
@@ -1006,7 +1020,7 @@
CVE-2010-3852 (The default configuration of Luci 0.22.4 and earlier in Red Hat Conga ...)
NOT-FOR-US: Red Hat Conga
CVE-2010-3851 (libguestfs before 1.5.23, as used in virt-v2v, virt-inspector 1.5.3 ...)
- TODO: check
+ NOT-FOR-US: libguestfs
CVE-2010-3850
RESERVED
- linux-2.6 2.6.32-28
@@ -3071,7 +3085,7 @@
- mailman 1:2.1.13-4.1 (bug #599833)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id={631881,631859}
CVE-2010-3088 (The notify function in pidgin-knotify.c in the pidgin-knotify plugin ...)
- TODO: check
+ NOT-FOR-US: Knotify plugin for Pidgin
CVE-2010-3087 (LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote ...)
- tiff 3.9.4-5 (bug #600188)
[lenny] - tiff <not-affected> (Vulnerable code not present)
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2010-11-27 04:52:40 UTC (rev 15618)
+++ data/DSA/list 2010-11-27 12:09:05 UTC (rev 15619)
@@ -14,7 +14,7 @@
{CVE-2010-3847 CVE-2010-3856}
[lenny] - glibc 2.7-18lenny6
[19 Oct 2010] DSA-2121-1 typo3-src - several vulnerabilities
- {CVE-2010-3714 CVE-2010-3715 CVE-2010-3716 CVE-2010-3717}
+ {CVE-2010-3714 CVE-2010-3715 CVE-2010-3716 CVE-2010-3717 CVE-2010-4068}
[lenny] - typo3-src 4.2.5-1+lenny6
[12 Oct 2010] DSA-2120-1 postgresql-8.3 - privilege escalation
{CVE-2010-3433}
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2010-11-27 04:52:40 UTC (rev 15618)
+++ data/spu-candidates.txt 2010-11-27 12:09:05 UTC (rev 15619)
@@ -143,6 +143,10 @@
--
+gnome-shell (CVE-2010-4000)
+
+--
+
ika (CVE-2010-3361)
#5982925B
notified maintainer
@@ -161,6 +165,11 @@
--
+gnucash (CVE-2010-3999)
+#603329
+
+--
+
gnutls26 (CVE-2009-1417)
#531614
notified maintainer
@@ -378,6 +387,10 @@
--
+proftpd-dfsg (CVE-2008-7265)
+
+--
+
roaraudio (CVE-2010-3362)
#598295
More information about the Secure-testing-commits
mailing list