[Secure-testing-commits] r15999 - in data: . CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Fri Jan 28 17:46:22 UTC 2011 

Author: jmm
Date: 2011-01-28 17:46:21 +0000 (Fri, 28 Jan 2011)
New Revision: 15999

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
- egroupware/kses not-affected
- liboggz, mercurial, greylistd, dbus-glib no-dsa
- libxml2 issue is actually a php issue
- proftpd fixed
- pixelpost removed
- yet another weborf issue
- new nbd issue


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2011-01-28 10:04:21 UTC (rev 15998)
+++ data/CVE/list	2011-01-28 17:46:21 UTC (rev 15999)
@@ -1,3 +1,7 @@
+CVE-2011-XXXX [Reoccurance of CVE-2005-3534]
+	- nbd 1:2.9.16-8 (bug #611187)
+CVE-2011-XXXX [yet another weborf DoS]
+	- weborf 0.12.5-1
 CVE-2011-0649
 	RESERVED
 CVE-2011-0648
@@ -46,10 +50,6 @@
 CVE-2010-4704 (libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and ...)
 	- ffmpeg <unfixed> (bug #610550)
 	- ffmpeg-debian <removed>
-CVE-2011-XXXX [xmlTextWriterWriteAttribute heap disclosure]
-	- libxml2 <unfixed>
-	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=631551
-	NOTE: CVE id requested
 CVE-2010-XXXX
 	- redmine 1.0.5-1 (bug #608397)
 	NOTE: http://www.redmine.org/news/49
@@ -952,8 +952,12 @@
 CVE-2010-4658
 	RESERVED
 	- statusnet <itp> (bug #491723)
-CVE-2010-4657
+CVE-2010-4657 [xmlTextWriterWriteAttribute heap disclosure]
 	RESERVED
+	- php5 <unfixed>
+	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=631551
+	NOTE: This was initially reported to be a bug in libxml2, but it later showed that PHP
+	NOTE: is using the libxml2 API in an incorrect manner
 CVE-2010-4656 [iowarrior usb device heap overflow]
 	RESERVED
 	- linux-2.6 <unfixed>
@@ -976,7 +980,7 @@
 	TODO: check
 CVE-2010-4652 [buffer overflow when preparing SQL queries]
 	RESERVED
-	- proftpd-dfsg <unfixed>
+	- proftpd-dfsg 1.3.3a-6
 CVE-2010-4651 [patch directory traversal]
 	RESERVED
 	- patch <unfixed> (unimportant)
@@ -997,8 +1001,8 @@
 CVE-2010-4646 (Cross-site scripting (XSS) vulnerability in Hastymail2 before 1.01 ...)
 	NOT-FOR-US: Hastymail
 CVE-2010-4644 (Multiple memory leaks in rev_hunt.c in Apache Subversion before 1.6.15 ...)
-	- subversion 1.6.12dfsg-3 (bug #608989)
-	NOTE: http://www.openwall.com/lists/oss-security/2011/01/04/8
+	- subversion 1.6.12dfsg-3 (low; bug #608989)
+	[lenny] - subversion <no-dsa> (Minor issue)
 CVE-2010-4643
 	RESERVED
 	{DSA-2151-1}
@@ -1787,8 +1791,8 @@
 	[lenny] - wordpress <not-affected> (vulnerable code not present)
 	NOTE: http://core.trac.wordpress.org/changeset/16803
 CVE-2010-4539 (The walk function in repos.c in the mod_dav_svn module for the Apache ...)
-	- subversion 1.6.12dfsg-4 (bug #608989)
-	NOTE: http://www.openwall.com/lists/oss-security/2011/01/04/8
+	- subversion 1.6.12dfsg-4 (low; bug #608989)
+	[lenny] - subversion <no-dsa> (Minor issue)
 CVE-2010-4538 (Buffer overflow in the sect_enttec_dmx_da function in ...)
 	{DSA-2144-1}
 	- wireshark 1.2.11-6 (bug #608990)
@@ -1797,7 +1801,7 @@
 CVE-2010-4536 (Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used ...)
 	- wordpress 3.0.4+dfsg-1
 	- moodle <not-affected> (Moodle's version of KSES is not affected)
-	- egroupware <removed>
+	- egroupware <not-affected> (Only uses a minor subset of KSES)
 CVE-2010-4535 (The password reset functionality in django.contrib.auth in Django ...)
 	- python-django 1.2.4-1
 	[squeeze] - python-django 1.2.3-3
@@ -3640,6 +3644,7 @@
 CVE-2010-4237
 	RESERVED
 	- mercurial 1.6.4-1 (low; bug #598841)
+	[lenny] - mercurial <no-dsa> (Minor issue)
 CVE-2010-3840 (The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL ...)
 	{DSA-2143-1}
 	- mysql-5.1 5.1.49-3 (bug #599937) 
@@ -4817,6 +4822,7 @@
 	- dpkg 1.15.1 (unimportant; bug #592115)
 CVE-2008-XXXX [greylistd bypass]
 	- greylistd 0.8.7+nmu2 (low; bug #464084)
+	[lenny] - greylistd <no-dsa> (Minor issue)
 CVE-2010-XXXX [numpy memory corruption]
 	- python-numpy 1:1.4.1-5 (bug #581058)
 	NOTE: http://projects.scipy.org/numpy/changeset/8364
@@ -7856,11 +7862,11 @@
 	NOTE: http://trac.webkit.org/changeset/58829
 CVE-2009-4900 [pixelpost XSS]
 	RESERVED
-	- pixelpost <unfixed> (bug #597224)
+	- pixelpost <removed> (bug #597224)
 	NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
 CVE-2009-4899 [pixelpost SQL injection]
 	RESERVED
-	- pixelpost <unfixed> (bug #597224)
+	- pixelpost <removed> (bug #597224)
 	NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
 CVE-2009-4898 (Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 ...)
 	NOT-FOR-US: TWiki
@@ -8056,8 +8062,7 @@
 	{DSA-2115-1}
 	- moodle 1.9.9-1 (bug #586280)
 	- wordpress 3.0.4+dfsg-1
-	- egroupware <removed>
-	TODO: check
+	- egroupware <not-affected> (Only forks a minor subset of KSES)
 CVE-2010-2229 (Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php ...)
 	{DSA-2115-1}
 	- moodle 1.9.9-1 (bug #586280)
@@ -9798,8 +9803,7 @@
 	{DSA-2115-1}
 	- moodle 1.9.8-1 (low; bug #585425)
 	- wordpress <not-affected> (Vulnerable code not present)
-	- egroupware <removed>
-	TODO: check
+	- egroupware <not-affected> (Vulneable code not present)
 CVE-2010-1618 (Cross-site scripting (XSS) vulnerability in the phpCAS client library ...)
 	{DSA-2115-1}
 	- libphp-cas <itp> (bug #495542)
@@ -11225,7 +11229,8 @@
 	{DSA-2053-1}
 	- linux-2.6 2.6.32-12
 CVE-2010-1172 (DBus-GLib 0.73 disregards the access flag of exported GObject ...)
-	- dbus-glib 0.88-1 (bug #592753)
+	- dbus-glib 0.88-1 (low; bug #592753)
+	[lenny] - dbus-glib <no-dsa> (Minor issue)
 CVE-2010-1171
 	RESERVED
 CVE-2010-1170 (The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before ...)
@@ -18247,7 +18252,8 @@
 	- xulrunner 1.9.1.4-1
 	[lenny] - xulrunner <not-affected> (Only affects Firefox 3.5)
 	[etch] - xulrunner <not-affected> (Only affects Firefox 3.5)
-	- liboggz 0.9.9-1 (medium)
+	- liboggz 0.9.9-1 (low)
+	[lenny] - liboggz <no-dsa> (Too intrusive to backport, needs to be updated to 0.9.9. Requires additional rebuild of rev dep)
 CVE-2009-3376 (Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey ...)
 	{DSA-1922-1}
 	- xulrunner 1.9.1.4-1

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2011-01-28 10:04:21 UTC (rev 15998)
+++ data/spu-candidates.txt	2011-01-28 17:46:21 UTC (rev 15999)
@@ -100,6 +100,11 @@
 
 --
 
+dbus-glib (CVE-2010-1172)
+#592753
+
+--
+
 devil (CVE-2009-3994)
 #560080
 notified maintainer
@@ -162,6 +167,11 @@
 
 --
 
+CVE-2008-XXXX [greylistd bypass]
+#464084
+
+--
+
 ika (CVE-2010-3361)
 #5982925B
 notified maintainer
@@ -295,6 +305,12 @@
 
 --
 
+liboggz (CVE-2009-3377)
+Fixed in 0.9.9-1
+Too intrusive to backport, needs to be updated to 0.9.9. Requires additional rebuild of rev dep.
+
+--
+
 libpam-ssh (CVE-2009-1273)
 #535877
 maintainer notified through initial bug report, said he would work on an update
@@ -373,6 +389,11 @@
 
 --
 
+mercurial (CVE-2010-4237)
+#598841
+
+--
+
 mimedecode
 potential dos/crash due to invalid input
 orphaned

More information about the Secure-testing-commits mailing list