[Secure-testing-commits] r15951 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Mon Jan 24 18:10:30 UTC 2011


Author: jmm
Date: 2011-01-24 18:10:25 +0000 (Mon, 24 Jan 2011)
New Revision: 15951

Modified:
   data/CVE/list
Log:
- "new" redmine issues
- new hplip issue (DSA pending)
- NFUs
- glibc regexp issues unimportant
- patch issue unimportant
- remove sudo entry, not a security issue



Modified: data/CVE/list
===================================================================
--- data/CVE/list	2011-01-24 13:16:33 UTC (rev 15950)
+++ data/CVE/list	2011-01-24 18:10:25 UTC (rev 15951)
@@ -1,3 +1,6 @@
+CVE-2010-XXXX
+	- redmine 1.0.5-1 (bug #608397)
+	NOTE: http://www.redmine.org/news/49
 CVE-2011-XXXX [shibboleth Single TransientID Mapped to Multiple Principals]
 	- shibboleth-sp2 <unfixed>
 	NOTE: http://shibboleth.internet2.edu/secadv/secadv_20110113.txt
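Review bot: the new `CVE-2010-XXXX` entry for redmine at the top of the hunk has no bracketed short description, unlike the other placeholder entries in this file (compare the neighbouring `CVE-2011-XXXX [shibboleth Single TransientID Mapped to Multiple Principals]`); without one, the entry cannot be told apart from other `CVE-2010-XXXX` placeholders once the real id is assigned. Suggest something like `CVE-2010-XXXX [redmine issues from redmine.org/news/49]` and, if the severity is known from the Debian bug #608397, adding it in the usual `(severity; bug #608397)` form.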
@@ -901,7 +904,8 @@
 	RESERVED
 CVE-2010-4651 [patch directory traversal]
 	RESERVED
-	- patch <unfixed>
+	- patch <unfixed> (unimportant)
+	NOTE: Applying a patch blindly opens more severe security issues than only directory traversal...
 CVE-2010-4650
 	RESERVED
 	- linux-2.6 2.6.32-30
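Review bot: the added NOTE for `CVE-2010-4651` trails off with "..." and so does not actually state the reasoning behind the `(unimportant)` downgrade on the line above it. Since this is the only record of why a directory-traversal report is being deprioritised, suggest completing the sentence with the threat-model argument, for example "NOTE: patch input is trusted by design; a malicious patch can already overwrite arbitrary files through ordinary hunks, so traversal adds nothing", so a later triager can re-evaluate it.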
@@ -2468,7 +2472,7 @@
 CVE-2010-4268 (SQL injection vulnerability in the Pulse Infotech Flip Wall ...)
 	NOT-FOR-US: Pulse Infotech
 CVE-2010-4267 (Stack-based buffer overflow in the hpmud_get_pml function in ...)
-	TODO: check
+	- hplip <unfixed> (bug #610960)
 CVE-2010-4266
 	RESERVED
 CVE-2010-4265 (The ...)
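Review bot: the commit log says a DSA is pending for this hplip issue, but the new `- hplip <unfixed> (bug #610960)` line carries no severity, whereas other tracked entries in this file use the `(medium; bug #...)` form. Suggest recording the severity here so the pending-DSA state is visible in the list itself and not only in the commit message.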
@@ -2985,11 +2989,17 @@
 CVE-2010-4053 (Stack-based buffer overflow in an unspecified logging function in ...)
 	NOT-FOR-US: IBM Informix Dynamic Server
 CVE-2010-4052 (Stack consumption vulnerability in the regcomp implementation in the ...)
-	- glibc <removed>
-	- eglibc <unfixed>
+	- glibc <removed> (unimportant)
+	- eglibc <unfixed> (unimportant)
+	NOTE: Deficiency in the regexp engine of glibc, while there implementations which
+	NOTE: process such expressions more efficiently, imposing a limit lies within
+	NOTE: the application accepting it from user input
 CVE-2010-4051 (The regcomp implementation in the GNU C Library (aka glibc or libc6) ...)
-	- glibc <removed>
-	- eglibc <unfixed>
+	- glibc <removed> (unimportant)
+	- eglibc <unfixed> (unimportant)
+	NOTE: Deficiency in the regexp engine of glibc, while there implementations which
+	NOTE: process such expressions more efficiently, imposing a limit lies within
+	NOTE: the application accepting it from user input
 CVE-2010-XXXX [XSS vulnerability discovered -plugin-globalsearch]
 	- fusionforge 5.0.2-3
 CVE-2010-XXXX [insecure usage of temporary files in flash-kernel]
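Review bot: the three-line NOTE added under both `CVE-2010-4052` and `CVE-2010-4051` is missing a verb ("while there implementations which" should read "while there are implementations which"), and the same text is duplicated verbatim for both entries. Suggest fixing the wording once and, in the second entry, referencing the first (e.g. "NOTE: see CVE-2010-4052") so a future correction does not have to be applied twice.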
@@ -3290,7 +3300,7 @@
 CVE-2010-3929
 	RESERVED
 CVE-2010-3928 (Ruby Version Manager (RVM) before 1.2.1 writes file contents to a ...)
-	TODO: check
+	NOT-FOR-US: Ruby Version Manager
 CVE-2010-3927
 	RESERVED
 CVE-2010-3926 (Multiple cross-site scripting (XSS) vulnerabilities in Shop.cgi in ...)
@@ -4692,8 +4702,6 @@
 CVE-2010-XXXX [numpy memory corruption]
 	- python-numpy 1:1.4.1-5 (bug #581058)
 	NOTE: http://projects.scipy.org/numpy/changeset/8364
-CVE-2010-XXXX [glob processing issue]
-	- sudo 1.7.0-1 (low; bug #565223; bug #580342)
 CVE-2010-XXXX [mediatomb directory traversal]
 	- mediatomb 0.12.0~svn2018-6.1 (medium; bug #580120)
 CVE-2010-3428 (SQL injection vulnerability in modules/notes/json.php in Intermesh ...)
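Review bot: removing the `sudo 1.7.0-1 (low; bug #565223; bug #580342)` entry outright also drops the two bug references, and nothing in the list records why the glob processing issue was judged not to be a security issue. In the same commit the `patch` entry is kept and downgraded with an explanatory NOTE; suggest handling this one the same way, or at least leaving a NOTE, so the assessment stays traceable if the question is raised again.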
@@ -15399,8 +15407,7 @@
 	{DSA-2080-1}
 	- ghostscript 8.70~dfsg-2.1 (medium; bug #562643)
 CVE-2009-4269 (The password hash generation algorithm in the BUILTIN authentication ...)
-	- sun-java6 <undetermined>
-	TODO: check
+	NOT-FOR-US: Apache Derby
 CVE-2009-4268
 	RESERVED
 CVE-2009-4267
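Review bot: the removed `- sun-java6 <undetermined>` line shows this CVE had previously been associated with sun-java6, and the replacement `NOT-FOR-US: Apache Derby` drops that association without a NOTE stating why the sun-java6 packages are considered unaffected. Suggest adding a one-line NOTE with the reason for the reassessment so the earlier `<undetermined>` state is not silently discarded.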



