[Secure-testing-commits] r17783 - in data: . CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Tue Dec 13 17:07:59 UTC 2011
Author: jmm
Date: 2011-12-13 17:07:59 +0000 (Tue, 13 Dec 2011)
New Revision: 17783
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
- rampart no-dsa
- fabric fixed in sid
- update spu-candidates file for several older no-dsa issues
- remove old dtc-xen entry, disputed by upstream
- netqmail and qmail packages don't include/apply the affected TLS patch
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2011-12-13 10:21:45 UTC (rev 17782)
+++ data/CVE/list 2011-12-13 17:07:59 UTC (rev 17783)
@@ -7076,7 +7076,8 @@
CVE-2011-2333
RESERVED
CVE-2011-2329 (The rampart_timestamp_token_validate function in ...)
- - rampart <unfixed> (bug #631221)
+ - rampart <unfixed> (low; bug #631221)
+ [squeeze] - rampart <no-dsa> (Minor issue)
CVE-2011-2327 (Unspecified vulnerability in the Oracle Communications Unified ...)
NOT-FOR-US: Oracle Sun Products Suite
CVE-2011-2326
@@ -7430,7 +7431,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=711170
NOTE: CVE request and discussion: http://www.openwall.com/lists/oss-security/2011/06/06/3
CVE-2011-2185 (Fabric before 1.1.0 allows local users to overwrite arbitrary files ...)
- - fabric <unfixed> (low; bug #629003)
+ - fabric 1.1.2-1 (low; bug #629003)
[squeeze] - fabric <no-dsa> (Minor issue)
CVE-2011-2475 (Format string vulnerability in ECTrace.dll in the iMailGateway service ...)
NOT-FOR-US: Sybase OneBridge Mobile Data Suite
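Review bot: the fixed version 1.1.2-1 does not match the affected range in the CVE text ("Fabric before 1.1.0"); if 1.1.2-1 is simply the first Debian upload of a fixed upstream release that is fine, but a NOTE line recording that (or pointing at the upstream fix) would make the jump from `<unfixed>` to 1.1.2-1 verifiable later, in the way the neighbouring entry does with its bugzilla and oss-security NOTE lines.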
@@ -9263,11 +9264,6 @@
- mahara 1.2.5-1
[lenny] - mahara 1.0.4-4+lenny10
NOTE: http://htmlpurifier.org/news/2011/0327-4.3.0-released
-CVE-2011-XXXX [dtc-xen Remote authenticated root exploit]
- - dtc-xen <unfixed> (bug #611680)
- [squeeze] - dtc-xen <no-dsa> (minor issue)
- [lenny] - dtc-xen <no-dsa> (minor issue)
- NOTE: maintainer claims you shouldn't grant access to the SOAP daemon to a user you do not trust.
CVE-2011-1517
RESERVED
CVE-2011-1516 (The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in ...)
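Review bot: deleting the dtc-xen entry outright loses the tracking history, including bug #611680 and the maintainer's rationale in the removed NOTE line; the log says the issue is disputed by upstream, so it would be better to keep the entry with the package lines changed to a not-affected style marking and a NOTE stating who disputes it and why, so the same report is not re-added as a fresh CVE-2011-XXXX placeholder later.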
@@ -9636,10 +9632,9 @@
CVE-2011-1432 (The STARTTLS implementation in SCO SCOoffice Server does not properly ...)
NOT-FOR-US: SCO SCOoffice Server
CVE-2011-1431 (The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the ...)
- - qmail <unfixed>
- - netqmail <unfixed>
- [lenny] - qmail <no-dsa> (non-free doesn't get security support)
- [squeeze] - qmail <no-dsa> (non-free doesn't get security support)
+ - qmail <unfixed> (unimportant)
+ NOTE: The TLS patch is shipped in the source package, but it's not applied
+ - netqmail <not-affected> (Doesn't include the TLS patch)
CVE-2011-1430 (The STARTTLS implementation in the server in Ipswitch IMail 11.03 and ...)
NOT-FOR-US: Ipswitch IMail
CVE-2011-1429 (Mutt does not verify that the smtps server hostname matches the domain ...)
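Review bot: the NOTE line now sits between the qmail and netqmail package lines, whereas elsewhere in this file NOTE lines follow all package lines of an entry (see the CVE-2011-2185 context above); either move it after the netqmail line or make it self-describing ("qmail ships the TLS patch in the source package but does not apply it"). It would also help to state why qmail stays `<unfixed> (unimportant)` while netqmail is `<not-affected>`, given that both rationales say the patch is not applied; if the difference is that qmail users may apply the shipped patch themselves, record that in the NOTE.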
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2011-12-13 10:21:45 UTC (rev 17782)
+++ data/spu-candidates.txt 2011-12-13 17:07:59 UTC (rev 17783)
@@ -20,6 +20,17 @@
--
+etherape (CVE-2011-3369)
+#645324
+
+--
+
+fabric (CVE-2011-2185)
+#629003
+
+
+--
+
fail2ban [fail2ban: Insecure creating/writing to tmpfile]
#544232
awaiting maintainer response
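Review bot: the new fabric entry is followed by two blank lines before the "--" separator while the etherape entry above it uses one; trim the extra blank line so the file keeps its one-entry-per-block layout. Both new entries also carry only a bug number, whereas the existing fail2ban entry below records a status ("awaiting maintainer response"); consider adding one for consistency.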
@@ -30,15 +41,16 @@
CVE-2011-1158 [sanitizer doesn't strip unsafe URI schemes]
CVE-2011-1157 [sanitization can be bypassed by malformed XML comments]
CVE-2011-1156 [invalid text in XML declaration causes sanitizer to crash]
-CVE-2011-XXXX [XSS vuln]
+CVE-2009-5065 [XSS vuln]
#617998
awaiting maintainer response
--
-feh (CVE-2011-0702)
+feh (CVE-2011-0702, CVE-2011-1031)
#612035
-awaiting maintainer response
+https://derf.homelinux.org/git/feh/commit/?id=23421a86cc826dd30f3dc4f62057fafb04b3ac40
+https://derf.homelinux.org/git/feh/commit/?id=29ab0855f044ef2fe9c295b72abefcb37f0861a5
--
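Review bot: the feh entry replaces its "awaiting maintainer response" status with two upstream commit URLs, so the entry no longer says whether the maintainer has been asked to prepare a stable update; keep or update the status line alongside the URLs. Since the entry now lists two CVEs and two commits, annotating which commit addresses which CVE would save the next reader a lookup.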
@@ -146,6 +158,11 @@
--
+rampart (CVE-2011-2329)
+#631221
+
+--
+
rdesktop (CVE-2011-1595)
#623552
https://bugzilla.redhat.com/attachment.cgi?id=492845&action=diff&context=patch&collapsed=&headers=1&format=raw