[Secure-testing-commits] r15825 - in data: . CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Mon Jan 10 17:31:38 UTC 2011
Author: jmm
Date: 2011-01-10 17:31:36 +0000 (Mon, 10 Jan 2011)
New Revision: 15825
Modified:
data/CVE/list
data/embedded-code-copies
Log:
- new pimd issue
- mark two minor games priv esc as unimportant
- debian's mono not affected by moonlight issue
- libgd/wmf only used to write images
- libgd/plt-scheme no-dsa
- dhcp issue doesn't affect any Debian release
- filed bugs for xen and evince issues
- ftpcopy no-dsa
- split calibre into two IDs, both fixed in sid
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2011-01-09 22:11:59 UTC (rev 15824)
+++ data/CVE/list 2011-01-10 17:31:36 UTC (rev 15825)
@@ -7,11 +7,11 @@
[lenny] - php5 <unfixed> (high)
NOTE: lenny9 doesn't appear to be affected, for a reason still unknown
CVE-2011-XXXX [Crash with long HOME environment variable]
- - toppler <unfixed> (bug #608979)
- TODO: check
+ - toppler <unfixed> (unimportant; bug #608979)
+ NOTE: Negligable privilege escalation
CVE-2011-XXXX [Crash with long HOME environment variable]
- - lbreakout2 <unfixed> (bug #608980)
- TODO: check
+ - lbreakout2 <unfixed> (unimportant; bug #608980)
+ NOTE: Negligable privilege escalation
CVE-2011-XXXX [Crash with long GGI_DISPLAY environment variable]
- zhcon <unfixed> (bug #608981)
TODO: check
@@ -20,6 +20,8 @@
[lenny] - syslog-ng <not-affected> (Freebsd-specific, which is not supported in Lenny)
CVE-2010-XXXX [XSS in ftpls]
- ftpcopy <unfixed> (bug #607494)
+ [squeeze] - ftpcopy <no-dsa> (Minor issue)
+ [lenny] - ftpcopy <no-dsa> (Minor issue)
CVE-2011-0285
RESERVED
CVE-2011-0284
@@ -749,9 +751,12 @@
NOT-FOR-US: Opera
CVE-2010-4579 (Opera before 11.00 does not properly constrain dialogs to appear on ...)
NOT-FOR-US: Opera
-CVE-2010-XXXX [calibre XSS and file disclosure]
- - calibre <unfixed> (bug #608822)
+CVE-2010-XXXX [calibre XSS]
+ - calibre 0.7.38+dfsg-1 (bug #608822)
NOTE: http://www.waraxe.us/advisory-77.html
+CVE-2010-XXXX [calibre file disclosure]
+ - calibre 0.7.38+dfsg-1 (bug #608822)
+ NOTE: http://www.waraxe.us/advisory-77.html
CVE-2010-XXXX [webkit info leak]
- webkit <unfixed> (low)
- chromium-browser <undetermined> (low)
@@ -1019,6 +1024,7 @@
RESERVED
CVE-2011-0007
RESERVED
+ - pimd 2.1.6-1 (bug #609304)
CVE-2011-0006
RESERVED
- linux-2.6 2.6.32-30
@@ -1484,8 +1490,8 @@
CVE-2010-4313 (Unrestricted file upload vulnerability in fileman_file_upload.php in ...)
NOT-FOR-US: Orbis CMS
CVE-2010-4312 (The default configuration of Apache Tomcat 6.x does not include the ...)
- - tomcat6 <unfixed> (bug #608286)
- NOTE: CVE Description seems incomplete as there's also an XSS issue.
+ - tomcat6 <unfixed> (unimportant; bug #608286)
+ NOTE: S
CVE-2010-4311 (Free Simple Software 1.0 stores passwords in cleartext, which allows ...)
NOT-FOR-US: Free Simple Software
CVE-2010-4310
@@ -1649,9 +1655,9 @@
- linux-2.6 <unfixed>
CVE-2010-4255 [linux: Xen direct pv guest access crash]
RESERVED
- - xen <unfixed>
+ - xen <unfixed> (bug #609531)
CVE-2010-4254 (Mono, when Moonlight before 2.3.0.1 or 2.99.x before 2.99.0.10 is ...)
- - moon <unfixed> (bug #608288)
+ - moon <not-affected> (Debian's version of Moonlight is not affected, see #608288)
CVE-2010-4253
RESERVED
CVE-2010-4252 (OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly ...)
@@ -3286,11 +3292,9 @@
CVE-2010-3617
RESERVED
CVE-2010-3616 (ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover ...)
- - iscp-dhcp <unfixed>
- - dhcp3 <removed>
- - dhcp <removed>
- TODO: check
- NOTE: probably doesn't affect squeeze: https://lists.isc.org/pipermail/dhcp-users/2010-December/012368.html
+ - isc-dhcp <not-affected> (Only affects 4.2.x)
+ - dhcp3 <not-affected> (Only affects 4.2.x)
+ - dhcp <not-affected> (Only affects 4.2.x)
CVE-2010-3615 (named in ISC BIND 9.7.2-P2 does not check all intended locations for ...)
- bind9 1:9.7.2.dfsg.P3-1 (bug #605876)
NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P3/RELEASE-NOTES-BIND-9.7.2-P3.html
@@ -6043,16 +6047,16 @@
NOT-FOR-US: IBM WebSphere Service Registry and Repository
CVE-2010-2643
RESERVED
- - evince <unfixed>
+ - evince <unfixed> (bug #609534)
CVE-2010-2642
RESERVED
- - evince <unfixed>
+ - evince <unfixed> (bug #609534)
CVE-2010-2641
RESERVED
- - evince <unfixed>
+ - evince <unfixed> (bug #609534)
CVE-2010-2640
RESERVED
- - evince <unfixed>
+ - evince <unfixed> (bug #609534)
CVE-2010-2639 (IBM WebSphere Commerce Enterprise 7.0 before 7.0.0.2 allows remote ...)
NOT-FOR-US: IBM WebSphere Commerce Enterprise 7.0
CVE-2010-2638 (Unspecified vulnerability in IBM WebSphere MQ 7.0 before 7.0.1.5 ...)
@@ -16795,8 +16799,10 @@
- linux-2.6.24 <removed> (high)
CVE-2009-3546 (The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before ...)
{DSA-1936-1}
- - libwmf <unfixed>
- - plt-scheme <unfixed>
+ - libwmf <unfixed> (unimportant)
+ - plt-scheme <unfixed> (low; bug #601525)
+ [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
+ [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
- graphviz <unfixed>
- libgd2 2.0.36~rc1~dfsg-3.1 (medium; bug #552534)
- php5 <not-affected> (the php packages use the system libgd2)
@@ -48802,8 +48808,10 @@
CVE-2007-4892 (Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, ...)
NOT-FOR-US: Plesk (Windows)
CVE-2007-XXXX [libgd2: gdImageColorTransparent can write outside buffer]
- - libwmf <unfixed>
- - plt-scheme <unfixed>
+ - libwmf <unfixed> (unimportant)
+ - plt-scheme <unfixed> (low; bug #601525)
+ [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
+ [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
- graphviz <unfixed>
- libgd2 2.0.35.dfsg-3
[etch] - libgd2 2.0.33-5.2etch1
@@ -50952,8 +50960,10 @@
CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow remote ...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (bug #443456; medium)
- - libwmf <unfixed>
- - plt-scheme <unfixed>
+ - libwmf <unfixed> (unimportant)
+ - plt-scheme <unfixed> (low; bug #601525)
+ [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
+ [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
- graphviz <unfixed>
NOTE: Debian's PHP packages are linked dynamically against libgd
NOTE: see http://www.php.net/releases/5_2_4.php
@@ -52220,16 +52230,20 @@
CVE-2007-3477 (The (a) imagearc and (b) imagefilledarc functions in GD Graphics ...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (low)
- - libwmf <unfixed>
- - plt-scheme <unfixed>
+ - libwmf <unfixed> (unimportant)
+ - plt-scheme <unfixed> (low; bug #601525)
+ [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
+ [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
- graphviz <unfixed>
NOTE: CPU consumption DoS
TODO: check
CVE-2007-3476 (Array index error in gd_gif_in.c in the GD Graphics Library (libgd) ...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (low)
- - libwmf <unfixed>
- - plt-scheme <unfixed>
+ - libwmf <unfixed> (unimportant)
+ - plt-scheme <unfixed> (low; bug #601525)
+ [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
+ [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
- graphviz <unfixed>
NOTE: can write a 0 to a 4k window in heap, very unlikely to be controllable.
TODO: check
Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies 2011-01-09 22:11:59 UTC (rev 15824)
+++ data/embedded-code-copies 2011-01-10 17:31:36 UTC (rev 15825)
@@ -581,7 +581,7 @@
NOTE: lib/gd seems to be 2.0.33
- wml 2.0.11ds2-1 (embed)
- libwmf <unfixed> (embed)
- NOTE: derived from gd 1.6.3
+ NOTE: derived from gd 1.6.3, but only used to write images
- plt-scheme <unfixed> (embed; bug #601525)
- texlive-bin 2009-1 (embed)
More information about the Secure-testing-commits
mailing list