[Secure-testing-commits] r15387 - in data: . CVE DSA
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Wed Sep 29 17:27:00 UTC 2010
Author: jmm-guest
Date: 2010-09-29 17:26:54 +0000 (Wed, 29 Sep 2010)
New Revision: 15387
Modified:
data/CVE/list
data/DSA/list
data/spu-candidates.txt
Log:
- multiple CVE IDs assigned for typo3 DSA
- ardour and bristol fixed and no-dsa for Lenny
- new Chromium/Webkit issue
- NFUs
Further cleanups of issues w/o a CVE ID:
- remove /dev/mem entry, this is a hardening feature not a vulnerability
- remove gmanedit and warzone entries, not a vulnerability as config
files are under local control
- remove duplicated piwigo entry
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-09-29 06:41:11 UTC (rev 15386)
+++ data/CVE/list 2010-09-29 17:26:54 UTC (rev 15387)
@@ -1,3 +1,35 @@
+CVE-2010-3659 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3660 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3661 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3662 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3663 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3664 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3665 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3666 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3667 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3668 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3669 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3670 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3671 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3672 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3673 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3674 [Multiple security issues]
+ - typo3-src 4.3.5-1 (bug #590719)
CVE-2010-XXXX [wireshark: BER dissector]
- wireshark <unfixed> (low)
[lenny] - wireshark <no-dsa> (Only leads to a crash)
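Review bot: the sixteen new typo3-src entries (CVE-2010-3659 through CVE-2010-3674) carry no `{DSA-2098-1}` cross-reference line, even though the data/DSA/list change in this same commit attaches exactly these IDs to DSA-2098-1 and other entries in this file do carry such lines (for example `{DSA-2016-1}` and `{DSA-1660-1}`). Suggest adding `{DSA-2098-1}` under each of the new entries so the tracker records lenny as covered by the advisory; the bracketed `[Multiple security issues]` placeholder can be replaced once MITRE publishes the individual descriptions.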
@@ -501,8 +533,10 @@
NOTE: see 4C88DB97.1060602 at redhat.com for details
CVE-2010-3400 (The js_InitRandom function in the JavaScript implementation in Mozilla ...)
TODO: check
+ NOTE: These will likely be rejected, Mozilla people will clarify with MITRE
CVE-2010-3399 (The js_InitRandom function in the JavaScript implementation in Mozilla ...)
TODO: check
+ NOTE: These will likely be rejected, Mozilla people will clarify with MITRE
CVE-2010-3398 (Unspecified vulnerability in the webcontainer implementation in IBM ...)
NOT-FOR-US: IBM Lotus Sametime Connect
CVE-2010-3397 (Untrusted search path vulnerability in PGP Desktop 9.9.0 Build 397, ...)
@@ -635,13 +669,15 @@
RESERVED
CVE-2010-3351
RESERVED
- - bristol <unfixed> (bug #598285)
+ - bristol 0.60.5-2 (bug #598285)
+ [lenny] - bristol <no-dsa> (Minor issue)
CVE-2010-3350
RESERVED
- bareftp <unfixed> (bug #598284)
CVE-2010-3349
RESERVED
- - ardour <unfixed> (bug #598282)
+ - ardour 1:2.8.11-2 (low; bug #598282)
+ [lenny] - ardour <no-dsa> (Minor issue)
CVE-2010-3348
RESERVED
CVE-2010-3347
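Review bot: the bristol entry (CVE-2010-3351) receives the same `[lenny] - bristol <no-dsa> (Minor issue)` treatment as ardour, but unlike ardour's `1:2.8.11-2 (low; bug #598282)` it carries no severity tag; suggest `- bristol 0.60.5-2 (low; bug #598285)` so that the two entries justified as "Minor issue" are tagged consistently.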
@@ -797,10 +833,6 @@
TODO: check
CVE-2010-3279 (The default configuration of the CCAgent option before 9.0.8.4 in the ...)
TODO: check
-CVE-2010-XXXX [piwigo multiple vulnerabilities]
- - piwigo <unfixed>
- TODO: check, secunia only reported the XSS one
- NOTE: http://www.exploit-db.com/exploits/14973/
CVE-2010-3294 (Cross-site scripting (XSS) vulnerability in apc.php in the Alternative ...)
- php-apc <unfixed> (unimportant)
NOTE: vulnerable script is, mainly, for debugging purposes
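Review bot: the removed piwigo entry held an open `TODO: check, secunia only reported the XSS one` plus a reference NOTE, and the duplicate that is kept is not visible in this diff; please confirm the surviving entry still carries that TODO and the reference, otherwise the open question of which issues beyond the XSS are covered disappears with the deletion.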
@@ -1620,7 +1652,6 @@
- libmikmod 3.1.11-6.3
CVE-2010-2970 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x ...)
- moin 1.9.3-1 (low)
- TODO: check
CVE-2010-2969 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 ...)
- moin <undetermined>
TODO: check
@@ -1810,9 +1841,6 @@
- chromium-browser 5.0.375.125~r53311-1
CVE-2010-2896 (IBM FileNet Content Manager (CM) 4.0.0, 4.0.1, 4.5.0, and 4.5.1 before ...)
NOT-FOR-US: IBM FileNet Content Manager
-CVE-2010-XXXX [Multiple security issues]
- - typo3-src 4.3.5-1 (bug #590719)
- [lenny] - typo3-src 4.2.5-1+lenny4
CVE-2010-XXXX [flaw that allows unsigned code to access any file on the machine (accessible to the user) and write to it.]
- openjdk-6 6b18-1.8.1-1
CVE-2010-XXXX [flaw in NetX that allows arbitrary unsigned apps to set any java property]
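Review bot: deleting the old combined `CVE-2010-XXXX [Multiple security issues]` entry also drops its `[lenny] - typo3-src 4.2.5-1+lenny4` line, and none of the sixteen replacement entries added at the top of the file records a lenny version. Unless the lenny status is intended to come solely from DSA-2098-1 in data/DSA/list, that fixed-version line should be carried over to the new entries.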
@@ -1970,23 +1998,23 @@
CVE-2010-2837 (The SIPStationInit implementation in Cisco Unified Communications ...)
NOT-FOR-US: Cisco
CVE-2010-2836 (Memory leak in the SSL VPN feature in Cisco IOS 12.4, 15.0, and 15.1, ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2835 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE 2.5.x ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2834 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE 2.5.x ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2833 (Unspecified vulnerability in the NAT for H.225.0 implementation in ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2832 (Unspecified vulnerability in the NAT for H.323 implementation in Cisco ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2831 (Unspecified vulnerability in the NAT for SIP implementation in Cisco ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2830 (The IGMPv3 implementation in Cisco IOS 12.2, 12.3, 12.4, and 15.0 and ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2829 (Unspecified vulnerability in the H.323 implementation in Cisco IOS ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2828 (Unspecified vulnerability in the H.323 implementation in Cisco IOS ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2010-2827 (Cisco IOS 15.1(2)T allows remote attackers to cause a denial of ...)
NOT-FOR-US: Cisco
CVE-2010-2826 (SQL injection vulnerability in Cisco Wireless Control System (WCS) ...)
@@ -4641,11 +4669,14 @@
CVE-2010-1826
RESERVED
CVE-2010-1825 (Use-after-free vulnerability in WebKit, as used in Google Chrome ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-1824 (Use-after-free vulnerability in WebKit, as used in Google Chrome ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-1823 (Use-after-free vulnerability in WebKit before r65958, as used in ...)
- TODO: check
+ - webkit <undetermined>
+ - chromium-browser <undetermined>
CVE-2010-1822
RESERVED
CVE-2010-1821
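Review bot: the description of CVE-2010-1823 already names the upstream fix point (`WebKit before r65958`), so the webkit `<undetermined>` for that entry could be narrowed by checking whether the packaged webkit source includes r65958; marking all three IDs `<undetermined>` for both webkit and chromium-browser gives a later triager no hint which of them is closest to resolution.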
@@ -7769,11 +7800,6 @@
CVE-2010-XXXX [argyll unsafe udev rules]
- argyll <not-affected> (issue with redhat-specific changes to the package)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=560050
-CVE-2010-XXXX [warzone2100 stack overflow]
- - warzone2100 <undetermined> (unimportant)
- NOTE: https://bugs.launchpad.net/ubuntu/+source/warzone2100/+bug/520432
- NOTE: supposedly fixed in version 2.3
- NOTE: Triggered through config files, not a security issue
CVE-2010-2473 [Blocked user session regeneration]
RESERVED
{DSA-2016-1}
@@ -20290,11 +20316,6 @@
NOT-FOR-US: Sun Java System Directory Server
CVE-2009-1331 (Integer overflow in Microsoft Windows Media Player (WMP) ...)
NOT-FOR-US: Windows Media Player
-CVE-2009-XXXX [linux-2.6: /dev/mem rootkit vulnerability]
- - linux-2.6 2.6.29-1 (unimportant; bug #524373)
- [etch] - linux-2.6 <no-dsa> (the solution, STRICT_DEVMEM=Y, could potentially lead to unanticipated compatibility problems in the stable releases)
- [lenny] - linux-2.6 <no-dsa> (the solution, STRICT_DEVMEM=Y, could potentially lead to unanticipated compatiblity problems in the stable releases)
- NOTE: This is about an additional hardening feature, not a security issue
CVE-2009-XXXX [pptp-linux: unrestrictive pptpsetup permissions]
- pptp-linux 1.7.2-3 (low; bug #523476)
[lenny] - pptp-linux <no-dsa> (Minor issue)
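Review bot: elsewhere in this file non-issues are kept with an `(unimportant)` tag rather than deleted (the php-apc entry, for instance), and the removed /dev/mem entry also carried the `bug #524373` reference and the STRICT_DEVMEM rationale; consider keeping a one-line `unimportant` entry so that anyone re-reporting the /dev/mem question finds the earlier conclusion instead of nothing.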
@@ -30423,9 +30444,6 @@
CVE-2008-3914 (Multiple unspecified vulnerabilities in ClamAV before 0.94 have ...)
{DSA-1660-1}
- clamav 0.94.dfsg-1
-CVE-2008-XXXX [buffer overflow via crafted configuration file (COMMAND)]
- - gmanedit 0.4.1-1.1 (unimportant; bug #497835)
- NOTE: you can execute commands via this with a valid configuration string anyway
CVE-2008-3934 (Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 ...)
{DTSA-167-1}
- wireshark 1.0.3-1 (bug #497878)
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2010-09-29 06:41:11 UTC (rev 15386)
+++ data/DSA/list 2010-09-29 17:26:54 UTC (rev 15387)
@@ -50,6 +50,7 @@
{CVE-2010-2935 CVE-2010-2936}
[lenny] - openoffice.org 1:2.4.1+dfsg-1+lenny8
[29 Aug 2010] DSA-2098-1 typo3-src - several vulnerabilities
+ {CVE-2010-3659 CVE-2010-3660 CVE-2010-3661 CVE-2010-3662 CVE-2010-3663 CVE-2010-3664 CVE-2010-3665 CVE-2010-3666 CVE-2010-3667 CVE-2010-3668 CVE-2010-3669 CVE-2010-3670 CVE-2010-3671 CVE-2010-3672 CVE-2010-3673 CVE-2010-3674}
[lenny] - typo3-src 4.2.5-1+lenny4
[29 Aug 2010] DSA-2097-1 phpmyadmin - several vulnerabilities
{CVE-2010-3055 CVE-2010-3056}
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2010-09-29 06:41:11 UTC (rev 15386)
+++ data/spu-candidates.txt 2010-09-29 17:26:54 UTC (rev 15387)
@@ -26,6 +26,11 @@
--
+ardour (CVE-2010-3349)
+#598282
+
+--
+
asterisk (CVE-2009-0041)
#513413
notified maintainer
@@ -48,6 +53,11 @@
--
+bristol (CVE-2010-3351)
+#598285
+
+--
+
bugzilla (CVE-2009-0481 to CVE-2009-0485)
notified maintainer