[Secure-testing-commits] r17862 - in data: . CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Fri Dec 23 20:23:18 UTC 2011
Author: jmm
Date: 2011-12-23 20:23:17 +0000 (Fri, 23 Dec 2011)
New Revision: 17862
Modified:
data/CVE/list
data/next-point-update.txt
data/spu-candidates.txt
Log:
unixodbc fixed
zorp, unixodbc no-dsa
record CVE-less typo3 DSA (requested CVE ID)
new kernel issue (didn't affect any release)
record fixes for eglibc spu upload
record clamav fix
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2011-12-23 15:31:51 UTC (rev 17861)
+++ data/CVE/list 2011-12-23 20:23:17 UTC (rev 17862)
@@ -1082,6 +1082,9 @@
RESERVED
CVE-2011-4594
RESERVED
+ - linux-2.6 3.1-1
+ [squeeze] - linux-2.6 <not-affected> (Introduced and fixed during 3.1 dev cycle)
+ [lenny] - linux-2.6 <not-affected> (Introduced and fixed during 3.1 dev cycle)
CVE-2011-4593
RESERVED
- moodle <not-affected> (Only affects 2.x)
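Review bot: the new linux-2.6 lines under CVE-2011-4594 give no reference for the "Introduced and fixed during 3.1 dev cycle" claim, and the CVE is still RESERVED, so the entry carries no description to check it against. Add a NOTE line with the upstream commit or bug report the two <not-affected> markings rest on, so the squeeze/lenny assessment can be re-verified once the CVE text is published.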
@@ -3951,6 +3954,7 @@
[lenny] - pam <no-dsa> (Minor issue)
CVE-2011-3627 (The bytecode engine in ClamAV before 0.97.3 allows remote attackers to ...)
- clamav 0.97.3+dfsg-1 (low)
+ [squeeze] - clamav 0.97.3+dfsg-1~squeeze1
CVE-2011-3626
RESERVED
CVE-2011-3625 [mplayer SAMI subtitle parsing buffer overflow]
@@ -5898,6 +5902,9 @@
NOT-FOR-US: 7-Technologies Interactive Graphical SCADA System (IGSS)
CVE-2011-XXXX [TYPO3-SA-2011-001]
- typo3-src 4.5.4+dfsg1-1 (bug #635937)
+ [squeeze] - typo3-src 4.3.9+dfsg1-1+squeeze1
+ [lenny] - typo3-src 4.2.5-1+lenny8
+ NOTE: This was DSA 2289
CVE-2011-2958 (Multiple cross-site scripting (XSS) vulnerabilities in Ecava ...)
NOT-FOR-US: Ecava IntegraXor
CVE-2011-2957 (Unspecified vulnerability in Rockwell Automation FactoryTalk ...)
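Review bot: the typo3-src entry keeps the placeholder CVE-2011-XXXX [TYPO3-SA-2011-001] while now recording squeeze/lenny fixes and "NOTE: This was DSA 2289" against it; since the commit log says a CVE ID has been requested, add a TODO line (for example "TODO: rename once the requested CVE ID is assigned") so the placeholder is found and replaced when the ID arrives rather than lingering as a CVE-less DSA record.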
@@ -11076,7 +11083,9 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=683650
CVE-2011-1145 [buffer overflow in unixODBC's SQLDriverConnect()]
RESERVED
- - unixodbc <unfixed> (low; bug #617655)
+ - unixodbc 2.2.14p2-3 (low; bug #617655)
+ [squeeze] - unixodbc <no-dsa> (Only exploitable through a malicious server)
+ [lenny] - unixodbc <no-dsa> (Only exploitable through a malicious server)
NOTE: http://seclists.org/oss-sec/2011/q1/446
CVE-2011-1144 (The installer in PEAR 1.9.2 and earlier allows local users to ...)
- php5 <not-affected> (incomplete fix never used in Debian packages)
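Review bot: the [squeeze] and [lenny] <no-dsa> lines for CVE-2011-1145 explain why no advisory is issued but not what happens to stable users instead; this same commit queues "unixodbc (CVE-2011-1145) #617655" in spu-candidates.txt, so extend the rationale to say so, e.g. "<no-dsa> (Only exploitable through a malicious server; fix via point update)". That keeps the CVE entry self-explanatory for anyone reading data/CVE/list without the candidates file.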
@@ -11110,9 +11119,10 @@
CVE-2011-1126 (VMware vmrun, as used in VIX API 1.x before 1.10.3 and VMware ...)
NOT-FOR-US: VMware Workstation
CVE-2010-4756 (The glob implementation in the GNU C Library (aka glibc or libc6) ...)
- - glibc <removed>
- - eglibc <unfixed>
- TODO: check
+ - glibc <removed> (unimportant)
+ - eglibc <unfixed> (unimportant)
+ NOTE: That's standard POSIX behaviour implemented by (e)glibc. Applications using
+ NOTE: glob need to impose limits for themselves
CVE-2010-4755 (The (1) remote_glob function in sftp-glob.c and the (2) process_put ...)
NOTE: That's essentially shooting yourself in your own foot:
NOTE: http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-March/029433.html
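Review bot: the new NOTE lines for CVE-2010-4756 replace "TODO: check" with an "unimportant" rating but cite nothing; the CVE-2010-4755 entry directly below already links the openssh-unix-dev thread on the related sftp glob issue, so reference that thread (or whatever upstream statement the "standard POSIX behaviour" conclusion came from) from the eglibc note as well, so the downgrade can be verified later without re-deriving it.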
@@ -30999,6 +31009,8 @@
- gcj-4.3 <undetermined>
- gcj-4.4 <undetermined>
- zorp 3.9.2-1
+ [squeeze] - zorp <no-dsa> (Minor issue)
+ [lenny] - zorp <no-dsa> (Minor issue)
NOTE: for any of the currently unfixed implementations, you can solve the problem by disabling renegotiation
NOTE: the following implement RFC 5746:
NOTE: - openssl 0.9.8m-1
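Review bot: the [squeeze] and [lenny] <no-dsa> (Minor issue) lines for zorp sit next to a NOTE that says unfixed implementations can mitigate the renegotiation issue by disabling renegotiation, yet the rationale does not say whether that applies to zorp or whether a stable fix is planned; since this commit also adds "zorp (CVE-2009-3555)" to spu-candidates.txt, say so in the rationale, e.g. "(Minor issue; fix via point update)".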
Modified: data/next-point-update.txt
===================================================================
--- data/next-point-update.txt 2011-12-23 15:31:51 UTC (rev 17861)
+++ data/next-point-update.txt 2011-12-23 20:23:17 UTC (rev 17862)
@@ -31,6 +31,12 @@
[squeeze] - gnutls26 2.8.6-1+squeeze1
CVE-2011-3378
[squeeze] - rpm 4.8.1-6+squeeze1
+CVE-2011-1095
+ [squeeze] - eglibc 2.11.3-2
+CVE-2011-1071
+ [squeeze] - eglibc 2.11.3-2
+CVE-2011-1659
+ [squeeze] - eglibc 2.11.3-2
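Review bot: the three new eglibc entries record the squeeze fix as 2.11.3-2 with no +squeezeN suffix, unlike the neighbouring entries (gnutls26 2.8.6-1+squeeze1, rpm 4.8.1-6+squeeze1); that is fine if the proposed-updates upload really is a new upstream point release under that version, but the commit log only says "record fixes for eglibc spu upload", so please double-check the version string against the actual upload before the next point-update tracking pass.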
@@ -41,4 +47,3 @@
-
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2011-12-23 15:31:51 UTC (rev 17861)
+++ data/spu-candidates.txt 2011-12-23 20:23:17 UTC (rev 17862)
@@ -64,6 +64,11 @@
--
+gif2png (CVE-2010-4694, CVE-2010-4695)
+#610479
+
+--
+
gnash (CVE-2011-4328)
#649384
@@ -243,7 +248,18 @@
system-config-printer (CVE-2011-2899)
#639243
+--
+tsclient (CVE-2011-0900, CVE-2011-0901)
+#613204
+
+--
+
+unixodbc (CVE-2011-1145)
+#617655
+
+--
+
nss (CVE-2011-XXXX)
https://bugzilla.mozilla.org/show_bug.cgi?id=641052
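Review bot: the "--" separator added directly after "#639243" (system-config-printer) breaks the file's layout; elsewhere in this file, including the separators added in the same hunk, each "--" sits between blank lines. Insert a blank line before that separator so the system-config-printer and tsclient entries stay visually distinct.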
@@ -256,3 +272,7 @@
xpdf (CVE-2011-2902)
#635849
+
+--
+
+zorp (CVE-2009-3555)
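Review bot: the new "zorp (CVE-2009-3555)" entry has no bug line, whereas every other entry in this file carries a Debian bug number (#610479, #613204, #617655, #635849) or a URL (nss); add the bug for the zorp renegotiation fix, or a note that none has been filed yet, so the point-update request can be tracked like the others.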