[Secure-testing-commits] r15999 - in data: . CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Fri Jan 28 17:46:22 UTC 2011
Author: jmm
Date: 2011-01-28 17:46:21 +0000 (Fri, 28 Jan 2011)
New Revision: 15999
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
- egroupware/kses not-affected
- liboggz, mercurial, greylistd, dbus-glib no-dsa
- libxml2 issue is actually a php issue
- proftpd fixed
- pixelpost removed
- yet another weborf issue
- new nbd issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2011-01-28 10:04:21 UTC (rev 15998)
+++ data/CVE/list 2011-01-28 17:46:21 UTC (rev 15999)
@@ -1,3 +1,7 @@
+CVE-2011-XXXX [Reoccurance of CVE-2005-3534]
+ - nbd 1:2.9.16-8 (bug #611187)
+CVE-2011-XXXX [yet another weborf DoS]
+ - weborf 0.12.5-1
CVE-2011-0649
RESERVED
CVE-2011-0648
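Review bot: "Reoccurance" in the new nbd placeholder title should read "Recurrence", and neither new CVE-2011-XXXX entry carries a NOTE line recording the source of the report or that a CVE id has been requested, which the libxml2 placeholder removed in the next hunk did have (`NOTE: CVE id requested`). Suggest adding a NOTE with the upstream reference for the nbd regression and for the weborf DoS so the placeholders can be matched to real ids later.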
@@ -46,10 +50,6 @@
CVE-2010-4704 (libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and ...)
- ffmpeg <unfixed> (bug #610550)
- ffmpeg-debian <removed>
-CVE-2011-XXXX [xmlTextWriterWriteAttribute heap disclosure]
- - libxml2 <unfixed>
- NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=631551
- NOTE: CVE id requested
CVE-2010-XXXX
- redmine 1.0.5-1 (bug #608397)
NOTE: http://www.redmine.org/news/49
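Review bot: dropping the libxml2 placeholder leaves no record under any CVE that libxml2 itself was examined and found not to be the faulty component. Since the issue is re-filed under CVE-2010-4657 against php5, consider adding a `- libxml2 <not-affected> (PHP misuses the libxml2 API)` line there, in the `<not-affected> (reason)` form used elsewhere in this file, so a future triager searching for libxml2 does not reopen the question.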
@@ -952,8 +952,12 @@
CVE-2010-4658
RESERVED
- statusnet <itp> (bug #491723)
-CVE-2010-4657
+CVE-2010-4657 [xmlTextWriterWriteAttribute heap disclosure]
RESERVED
+ - php5 <unfixed>
+ NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=631551
+ NOTE: This was initially reported to be a bug in libxml2, but it later showed that PHP
+ NOTE: is using the libxml2 API in an incorrect manner
CVE-2010-4656 [iowarrior usb device heap overflow]
RESERVED
- linux-2.6 <unfixed>
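Review bot: the new php5 line has no Debian bug reference, unlike neighbouring package lines such as `- statusnet <itp> (bug #491723)`, so the `<unfixed>` state is not tied to anything trackable; suggest filing a bug against php5 and citing it as `(bug #NNNNNN)`. Minor wording in the NOTE: "it later showed that PHP is using" reads better as "it later turned out that PHP uses".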
@@ -976,7 +980,7 @@
TODO: check
CVE-2010-4652 [buffer overflow when preparing SQL queries]
RESERVED
- - proftpd-dfsg <unfixed>
+ - proftpd-dfsg 1.3.3a-6
CVE-2010-4651 [patch directory traversal]
RESERVED
- patch <unfixed> (unimportant)
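Review bot: the proftpd-dfsg line moves to a fixed version without any NOTE or bug reference, so nothing in the entry lets a reader verify that 1.3.3a-6 actually contains the fix for the SQL-query buffer overflow; suggest citing the changelog entry or upstream commit, as other fixed entries in this file do with `(bug #...)` or a NOTE URL.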
@@ -997,8 +1001,8 @@
CVE-2010-4646 (Cross-site scripting (XSS) vulnerability in Hastymail2 before 1.01 ...)
NOT-FOR-US: Hastymail
CVE-2010-4644 (Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 ...)
- - subversion 1.6.12dfsg-3 (bug #608989)
- NOTE: http://www.openwall.com/lists/oss-security/2011/01/04/8
+ - subversion 1.6.12dfsg-3 (low; bug #608989)
+ [lenny] - subversion <no-dsa> (Minor issue)
CVE-2010-4643
RESERVED
{DSA-2151-1}
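Review bot: the `NOTE: http://www.openwall.com/lists/oss-security/2011/01/04/8` line is removed while the severity and the lenny no-dsa line are added; that reference is the only provenance for the triage decision and should be kept alongside the new `[lenny]` line rather than replaced by it.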
@@ -1787,8 +1791,8 @@
[lenny] - wordpress <not-affected> (vulnerable code not present)
NOTE: http://core.trac.wordpress.org/changeset/16803
CVE-2010-4539 (The walk function in repos.c in the mod_dav_svn module for the Apache ...)
- - subversion 1.6.12dfsg-4 (bug #608989)
- NOTE: http://www.openwall.com/lists/oss-security/2011/01/04/8
+ - subversion 1.6.12dfsg-4 (low; bug #608989)
+ [lenny] - subversion <no-dsa> (Minor issue)
CVE-2010-4538 (Buffer overflow in the sect_enttec_dmx_da function in ...)
{DSA-2144-1}
- wireshark 1.2.11-6 (bug #608990)
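Review bot: the same oss-security reference URL is dropped here as in the CVE-2010-4644 hunk; keep the NOTE line. Separately, this entry and CVE-2010-4644 both cite bug #608989 but list different fixed versions (1.6.12dfsg-4 here, 1.6.12dfsg-3 above); worth confirming both against the subversion changelog so the tracker does not understate which upload is required.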
@@ -1797,7 +1801,7 @@
CVE-2010-4536 (Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used ...)
- wordpress 3.0.4+dfsg-1
- moodle <not-affected> (Moodle's version of KSES is not affected)
- - egroupware <removed>
+ - egroupware <not-affected> (Only uses a minor subset of KSES)
CVE-2010-4535 (The password reset functionality in django.contrib.auth in Django ...)
- python-django 1.2.4-1
[squeeze] - python-django 1.2.3-3
@@ -3640,6 +3644,7 @@
CVE-2010-4237
RESERVED
- mercurial 1.6.4-1 (low; bug #598841)
+ [lenny] - mercurial <no-dsa> (Minor issue)
CVE-2010-3840 (The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL ...)
{DSA-2143-1}
- mysql-5.1 5.1.49-3 (bug #599937)
@@ -4817,6 +4822,7 @@
- dpkg 1.15.1 (unimportant; bug #592115)
CVE-2008-XXXX [greylistd bypass]
- greylistd 0.8.7+nmu2 (low; bug #464084)
+ [lenny] - greylistd <no-dsa> (Minor issue)
CVE-2010-XXXX [numpy memory corruption]
- python-numpy 1:1.4.1-5 (bug #581058)
NOTE: http://projects.scipy.org/numpy/changeset/8364
@@ -7856,11 +7862,11 @@
NOTE: http://trac.webkit.org/changeset/58829
CVE-2009-4900 [pixelpost XSS]
RESERVED
- - pixelpost <unfixed> (bug #597224)
+ - pixelpost <removed> (bug #597224)
NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-4899 [pixelpost SQL injection]
RESERVED
- - pixelpost <unfixed> (bug #597224)
+ - pixelpost <removed> (bug #597224)
NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-4898 (Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 ...)
NOT-FOR-US: TWiki
@@ -8056,8 +8062,7 @@
{DSA-2115-1}
- moodle 1.9.9-1 (bug #586280)
- wordpress 3.0.4+dfsg-1
- - egroupware <removed>
- TODO: check
+ - egroupware <not-affected> (Only forks a minor subset of KSES)
CVE-2010-2229 (Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php ...)
{DSA-2115-1}
- moodle 1.9.9-1 (bug #586280)
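Review bot: the egroupware justification here ("Only forks a minor subset of KSES") differs from the one used for CVE-2010-4536 ("Only uses a minor subset of KSES") for what appears to be the same assessment; pick one wording so the KSES-related egroupware entries read consistently, and consider a NOTE naming which KSES functions the eGroupware fork carries, since "minor subset" alone does not say whether the vulnerable code paths are among them.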
@@ -9798,8 +9803,7 @@
{DSA-2115-1}
- moodle 1.9.8-1 (low; bug #585425)
- wordpress <not-affected> (Vulnerable code not present)
- - egroupware <removed>
- TODO: check
+ - egroupware <not-affected> (Vulneable code not present)
CVE-2010-1618 (Cross-site scripting (XSS) vulnerability in the phpCAS client library ...)
{DSA-2115-1}
- libphp-cas <itp> (bug #495542)
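Review bot: typo in the new line: "Vulneable" should be "Vulnerable", matching the wordpress line directly above it. The `TODO: check` is also removed without a NOTE saying what was checked; a short NOTE pointing at the eGroupware KSES copy would make the not-affected claim verifiable later.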
@@ -11225,7 +11229,8 @@
{DSA-2053-1}
- linux-2.6 2.6.32-12
CVE-2010-1172 (DBus-GLib 0.73 disregards the access flag of exported GObject ...)
- - dbus-glib 0.88-1 (bug #592753)
+ - dbus-glib 0.88-1 (low; bug #592753)
+ [lenny] - dbus-glib <no-dsa> (Minor issue)
CVE-2010-1171
RESERVED
CVE-2010-1170 (The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before ...)
@@ -18247,7 +18252,8 @@
- xulrunner 1.9.1.4-1
[lenny] - xulrunner <not-affected> (Only affects Firefox 3.5)
[etch] - xulrunner <not-affected> (Only affects Firefox 3.5)
- - liboggz 0.9.9-1 (medium)
+ - liboggz 0.9.9-1 (low)
+ [lenny] - liboggz <no-dsa> (Too intrusive to backport, needs to be updated to 0.9.9. Requires additional rebuild of rev dep)
CVE-2009-3376 (Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey ...)
{DSA-1922-1}
- xulrunner 1.9.1.4-1
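Review bot: the liboggz severity drops from medium to low in the same change that marks lenny no-dsa, but the stated reason ("Too intrusive to backport ... Requires additional rebuild of rev dep") explains why a DSA is hard to produce, not why the impact is lower. Severity and fixability are separate decisions; either keep medium with the no-dsa rationale, or add a NOTE explaining the reduced impact so the downgrade does not read as driven by backport cost.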
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2011-01-28 10:04:21 UTC (rev 15998)
+++ data/spu-candidates.txt 2011-01-28 17:46:21 UTC (rev 15999)
@@ -100,6 +100,11 @@
--
+dbus-glib (CVE-2010-1172)
+#592753
+
+--
+
devil (CVE-2009-3994)
#560080
notified maintainer
@@ -162,6 +167,11 @@
--
+CVE-2008-XXXX [greylistd bypass]
+#464084
+
+--
+
ika (CVE-2010-3361)
#5982925B
notified maintainer
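Review bot: this spu-candidates entry is headed `CVE-2008-XXXX [greylistd bypass]` whereas the surrounding entries use the `package (CVE-id)` form (`devil (CVE-2009-3994)`, `ika (CVE-2010-3361)`); suggest `greylistd (CVE-2008-XXXX, greylistd bypass)` so anyone scanning the file by package name finds it.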
@@ -295,6 +305,12 @@
--
+liboggz (CVE-2009-3377)
+Fixed in 0.9.9-1
+Too intrusive to backport, needs to be updated to 0.9.9. Requires additional rebuild of rev dep.
+
+--
+
libpam-ssh (CVE-2009-1273)
#535877
maintainer notified through initial bug report, said he would work on an update
@@ -373,6 +389,11 @@
--
+mercurial (CVE-2010-4237)
+#598841
+
+--
+
mimedecode
potential dos/crash due to invalid input
orphaned