[Secure-testing-commits] r15536 - in data: . CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Thu Oct 28 21:31:42 UTC 2010
Author: jmm-guest
Date: 2010-10-28 21:31:39 +0000 (Thu, 28 Oct 2010)
New Revision: 15536
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
- ember fixed
- two more dovecot issues (fixed in Squeeze, N/A in Lenny)
- new mozilla issue and various mozilla updates
- postgresql9 issue (sid only)
- new python issue (already fixed in 3.1, 2.6 and 2.5 still needed)
- eglibc issue unimportant
- NFUs
- mantis fixed
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-10-28 02:38:42 UTC (rev 15535)
+++ data/CVE/list 2010-10-28 21:31:39 UTC (rev 15536)
@@ -740,11 +740,13 @@
CVE-2010-3782
RESERVED
CVE-2010-3781 (The PL/php add-on 1.4 and earlier for PostgreSQL does not properly ...)
- TODO: check
+ - postgresql-9.0 9.0.1-1
CVE-2010-3780 (Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause ...)
- dovecot 1:1.2.15-1 (bug #599521)
+ [lenny] - dovecot <not-affected> (Only affects 1.2.x)
CVE-2010-3779 (Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the ...)
- dovecot 1:1.2.15-1 (bug #599521)
+ [lenny] - dovecot <not-affected> (Only affects 1.2.x)
CVE-2010-3778
RESERVED
CVE-2010-3777
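Review bot: the new postgresql-9.0 line for CVE-2010-3781 carries no explanation, while the CVE text describes the PL/php add-on rather than PostgreSQL itself. Add a NOTE: line (the form used elsewhere in this file) saying why postgresql-9.0 is the affected source package and what in 9.0.1-1 fixes it, so the mapping from add-on to package can be re-checked later; the commit log's "sid only" remark belongs in that NOTE as well.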
@@ -773,10 +775,17 @@
RESERVED
CVE-2010-3765
RESERVED
+ - xulrunner <removed>
+ - iceweasel 3.5.15-1
+ [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg)
+ - iceape 2.0.10-1
+ [lenny] - iceape <not-affected> (Only a stub package)
+ [lenny] - xulrunner <not-affected> (bug in optimization added later)
CVE-2010-3764
RESERVED
CVE-2010-3763 (Cross-site scripting (XSS) vulnerability in core/summary_api.php in ...)
- - mantis <unfixed> (bug filed)
+ - mantis 1.1.8+dfsg-9 (bug #601618)
+ [lenny] - mantis <no-dsa> (Minor issue)
CVE-2010-3762 (ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does not ...)
- bind9 <unfixed> (bug #599515)
NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html
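Review bot: in the CVE-2010-3765 block the "[lenny] - xulrunner <not-affected> (bug in optimization added later)" line is placed after the iceape lines instead of directly under "- xulrunner <removed>", unlike the iceweasel and iceape pairs, which each keep the [lenny] annotation next to the package line. Move it up so the xulrunner status reads as one unit.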
@@ -905,9 +914,11 @@
CVE-2010-3708
RESERVED
CVE-2010-3707 (plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and ...)
- TODO: check
+ - dovecot 1.2.15-1
+ [lenny] - dovecot <not-affected> (Only affects 1.2.x)
CVE-2010-3706 (plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and ...)
- TODO: check
+ - dovecot 1.2.15-1
+ [lenny] - dovecot <not-affected> (Only affects 1.2.x)
CVE-2010-3705 [sctp out-of-bounds issue]
RESERVED
- linux-2.6 2.6.32-25
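Review bot: the dovecot fix version is written as "dovecot 1.2.15-1" for CVE-2010-3707 and CVE-2010-3706, but the first hunk records the same fix for CVE-2010-3780 and CVE-2010-3779 as "dovecot 1:1.2.15-1". One of the two is wrong about the epoch; use the same version string in all four entries so version comparisons against the archive behave consistently.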
@@ -984,8 +995,6 @@
TODO: check, apparently bogus dupes, contact MITRE for rejection
CVE-2010-XXXX [libcloud doesn't verify SSL certificate]
- libcloud <unfixed> (bug #598463)
- TODO: check
- NOTE: other similar python code should be reviewed
CVE-2010-3688 (Directory traversal vulnerability in ADMIN/login.php in NetArtMEDIA ...)
NOT-FOR-US: NetArtMEDIA WebSiteAdmin
CVE-2010-3684 (The FTP authentication module in Synology Disk Station 2.x logs ...)
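Review bot: the libcloud entry stays "<unfixed>", yet this hunk drops the "NOTE: other similar python code should be reviewed" reminder together with the TODO. Unless that review has been tracked somewhere else, keep the NOTE (or replace it with a NOTE stating where the review of other Python SSL certificate handling is recorded) so the follow-up is not lost.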
@@ -1035,7 +1044,7 @@
CVE-2010-3654
RESERVED
CVE-2010-3653 (The Director module (dirapi.dll) in Adobe Shockwave player 11.5.8.612, ...)
- TODO: check
+ NOT-FOR-US: Adobe Shockwave
CVE-2010-3652
RESERVED
CVE-2010-3651
@@ -1221,7 +1230,10 @@
- python-pyftpdlib 0.5.2-1 (low)
NOTE: http://code.google.com/p/pyftpdlib/issues/detail?id=104
CVE-2010-3493 (Multiple race conditions in smtpd.py in the smtpd module in Python ...)
- TODO: check
+ - python3.1 3.1.2+20100829-1
+ - python2.6 <unfixed> (low; bug #601690)
+ - python2.5 <unfixed>
+ [lenny] - python2.5 <no-dsa> (Minor issue)
CVE-2010-3492 (The asyncore module in Python before 3.2 does not properly handle ...)
- python2.7 <unfixed> (unimportant)
- python3.1 <unfixed> (unimportant)
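Review bot: the CVE-2010-3493 entry lists python3.1, python2.6 and python2.5 but not python2.7, although the neighbouring CVE-2010-3492 entry tracks python2.7 too and the description covers the smtpd module in Python generally. Either add a python2.7 line (fixed version, <unfixed> or <not-affected> with a reason) or a NOTE saying why it is omitted. The python2.5 line also lacks the "(low; ...)" severity that the python2.6 line carries; the two should match.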
@@ -1229,7 +1241,7 @@
NOTE: Unfixable design limitation, which needs to be coped with in applications
NOTE: This CVE is about proper documentation
CVE-2010-3491 (The (1) ActiveMatrix Runtime and (2) ActiveMatrix Administrator ...)
- TODO: check
+ NOT-FOR-US: TIBCO ActiveMatrix Service Grid
CVE-2010-3490 (Directory traversal vulnerability in page.recordings.php in the System ...)
NOT-FOR-US: System Recordings component in the configuration interface in FreePBX
CVE-2010-3489 (Cross-site scripting (XSS) vulnerability in ...)
@@ -1732,10 +1744,8 @@
CVE-2010-3401
RESERVED
CVE-2010-3400 (The js_InitRandom function in the JavaScript implementation in Mozilla ...)
- TODO: check
NOTE: These will likely be rejected, Mozilla people will clarify with MITRE
CVE-2010-3399 (The js_InitRandom function in the JavaScript implementation in Mozilla ...)
- TODO: check
NOTE: These will likely be rejected, Mozilla people will clarify with MITRE
CVE-2010-3398 (Unspecified vulnerability in the webcontainer implementation in IBM ...)
NOT-FOR-US: IBM Lotus Sametime Connect
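Review bot: removing "TODO: check" from CVE-2010-3400 and CVE-2010-3399 leaves both entries with no package status and only the NOTE that rejection is expected. Nothing now flags them for follow-up, so keep a TODO (for example "TODO: mark as rejected once MITRE confirms") until the rejection actually happens.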
@@ -1843,7 +1853,7 @@
CVE-2010-3356
RESERVED
CVE-2010-3355 (Ember 0.5.7 places a zero-length directory name in the ...)
- - ember <unfixed> (bug #598288)
+ - ember 0.5.7-1.1 (low; bug #598288)
CVE-2010-3354 (dropboxd in Dropbox 0.7.110 places a zero-length directory name in the ...)
- dropbox 0.8.107-1 (low; bug #598287)
[lenny] - dropbox <no-dsa> (Non-free not supported)
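Review bot: the updated ember entry has no [lenny] line, whereas the adjacent dropbox entry for the same class of issue records "[lenny] - dropbox <no-dsa> (...)". If ember is shipped in lenny, add a [lenny] status (a no-dsa annotation with a reason, given the "low" severity); if it is not, nothing is needed, but the asymmetry is worth confirming.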
@@ -1959,8 +1969,7 @@
- pixelpost <unfixed>
CVE-2010-3304 (The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to ...)
- dovecot 1.2.13-1
- TODO: check whether this is true: [lenny] - dovecot <not-affected> (only affects 1.2.x)
- NOTE: http://www.dovecot.org/list/dovecot-news/2010-July/000163.html
+ [lenny] - dovecot <not-affected> (only affects 1.2.x)
CVE-2010-3303 (Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before ...)
- mantis 1.1.8+dfsg-8 (bug #599710)
[lenny] - mantis <no-dsa> (Minor issue)
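Review bot: this hunk deletes "NOTE: http://www.dovecot.org/list/dovecot-news/2010-July/000163.html" along with the TODO for CVE-2010-3304, so the reference that supports the new "[lenny] - dovecot <not-affected> (only affects 1.2.x)" verdict disappears. Keep the NOTE line; the file uses NOTE: URLs elsewhere precisely so such decisions can be re-verified.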
@@ -2169,7 +2178,7 @@
CVE-2010-3228 (The JIT compiler in Microsoft .NET Framework 4.0 on 64-bit platforms ...)
NOT-FOR-US: Microsoft .NET Framework
CVE-2010-3227 (Stack-based buffer overflow in the UpdateFrameTitleForDocument method ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows
CVE-2010-3226
RESERVED
CVE-2010-3225 (Use-after-free vulnerability in the Media Player Network Sharing ...)
@@ -2244,7 +2253,8 @@
CVE-2010-3193 (Unspecified vulnerability in the DB2STST program in IBM DB2 9.1 before ...)
NOT-FOR-US: IBM DB2
CVE-2010-3192 (Certain run-time memory protection mechanisms in the GNU C Library ...)
- TODO: check
+ - eglibc <unfixed> (unimportant)
+ NOTE: Minor information leak
CVE-2010-3191 (Untrusted search path vulnerability in Adobe Captivate 5.0.0.596, and ...)
NOT-FOR-US: Adobe Captivate
CVE-2010-3190 (Untrusted search path vulnerability in ATL MFC Trace Tool ...)
@@ -2308,7 +2318,7 @@
- iceape 2.0.9-1
[lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-3175 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
- TODO: check
+ - iceweasel <not-affected> (Only affects Firefox 3.6, which is only in experimental)
CVE-2010-3174 (Unspecified vulnerability in the browser engine in Mozilla Firefox ...)
- xulrunner <removed>
- icedove 3.0.9-1
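Review bot: CVE-2010-3175 is resolved with only an iceweasel line, "(Only affects Firefox 3.6, which is only in experimental)", while the other Mozilla browser-engine entries in this file (CVE-2010-3174 just below, CVE-2010-3170 and CVE-2010-3765 in this commit) also record xulrunner and iceape. If the 3.6-only reasoning covers those packages too, add matching <not-affected> lines for them so their status is explicit rather than implied.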
@@ -2321,9 +2331,13 @@
CVE-2010-3172
RESERVED
CVE-2010-3171 (The Math.random function in the JavaScript implementation in Mozilla ...)
- TODO: check
+ NOTE: Will likely be rejected by MITRE
CVE-2010-3170 (Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird ...)
- TODO: check
+ - xulrunner <removed>
+ - iceweasel 3.5.14-1
+ [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner from the xulrunner source pkg)
+ - iceape 2.0.9-1
+ [lenny] - iceape <not-affected> (Only a stub package)
CVE-2010-3169 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
{DSA-2106-1}
- xulrunner <removed>
@@ -3074,9 +3088,9 @@
CVE-2010-2887 (Multiple unspecified vulnerabilities in Adobe Reader and Acrobat 9.x ...)
NOT-FOR-US: Adobe Reader and Acrobat
CVE-2010-2886 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe RoboHelp ...)
- TODO: check
+ NOT-FOR-US: Adobe RoboHelp
CVE-2010-2885 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 7 and 8, ...)
- TODO: check
+ NOT-FOR-US: Adobe RoboHelp
CVE-2010-2884 (Adobe Flash Player 10.1.82.76 and earlier on Windows, Mac OS X, Linux, ...)
NOT-FOR-US: Adobe Flash Player
CVE-2010-2883 (Stack-based buffer overflow in CoolType.dll in Adobe Reader and ...)
@@ -3929,9 +3943,9 @@
CVE-2010-2586
RESERVED
CVE-2010-2585 (Multiple buffer overflows in the RealPage Module Upload ActiveX ...)
- TODO: check
+ NOT-FOR-US: RealPage Module ActiveX Controls
CVE-2010-2584 (The Upload method in the RealPage Module Upload ActiveX control in ...)
- TODO: check
+ NOT-FOR-US: RealPage Module ActiveX Controls
CVE-2010-2583
RESERVED
CVE-2010-2582
@@ -4051,7 +4065,7 @@
CVE-2010-2536 (Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and ...)
- rekonq 0.5.0-2 (bug #593300)
CVE-2010-2535 (Multiple cross-site scripting (XSS) vulnerabilities in the Back End in ...)
- TODO: check
+ NOT-FOR-US: Joomla
CVE-2010-2534 (The NetworkSyncCommandQueue function in network/network_command.cpp in ...)
- openttd 1.0.3-1
[lenny] - openttd <not-affected> (Introduced in 1.0.1)
@@ -5882,7 +5896,8 @@
- chromium-browser 6.0.472.59~r59126-1
NOTE: http://trac.webkit.org/changeset/65692
CVE-2010-1822 (WebKit, as used in Google Chrome before 6.0.472.62, does not properly ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser 6.0.472.62~r59676-1
CVE-2010-1821
RESERVED
CVE-2010-1820 (Apple Filing Protocol (AFP) Server in Apple Mac OS X 10.6.x through ...)
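Review bot: "- webkit <undetermined>" for CVE-2010-1822 is added without a NOTE, whereas the preceding chromium entry points at the upstream change ("NOTE: http://trac.webkit.org/changeset/65692"). Add the corresponding upstream reference for this CVE so whoever resolves the undetermined webkit status has the commit to check against the packaged version.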
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2010-10-28 02:38:42 UTC (rev 15535)
+++ data/spu-candidates.txt 2010-10-28 21:31:39 UTC (rev 15536)
@@ -493,7 +493,7 @@
--
-python2.5 (CVE-2010-2089, CVE-2010-1634, CVE-2010-1450, CVE-2010-1449, CVE-2009-4134)
+python2.5 (CVE-2010-2089, CVE-2010-1634, CVE-2010-1450, CVE-2010-1449, CVE-2009-4134, CVE-2010-3493)
--