[Secure-testing-commits] r17509 - in data: . CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Thu Oct 27 16:08:11 UTC 2011
Author: jmm
Date: 2011-10-27 16:08:11 +0000 (Thu, 27 Oct 2011)
New Revision: 17509
Modified:
data/CVE/list
data/ospu-candidates.txt
data/spu-candidates.txt
Log:
- ark CVEfied and no-dsa
- perl/encode issues CVEfied and no-dsa
- track correct postgres versions for CVE-2011-2483
- new libxmlrpc3-java issue (oldstable only, no-dsa)
- two php issues don't affect stable/oldstable
- new kernel issue
- acpid no-dsa
- pure-ftpd fixed (needs a ticket)
- spip unimportant
- NFUs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2011-10-27 09:14:18 UTC (rev 17508)
+++ data/CVE/list 2011-10-27 16:08:11 UTC (rev 17509)
@@ -1,7 +1,7 @@
CVE-2011-XXXX [spip path disclosure]
- - spip <unfixed> (low; bug #646758)
- [squeeze] - spip <no-dsa> (Minor issue)
+ - spip <unfixed> (unimportant; bug #646758)
NOTE: http://archives.rezo.net/archives/spip-ann.mbox/5XCQ4RYDCYRXQSQQK42DT7IO2GVT7ZSI/
+ NOTE: Path disclosure not an issue for Debian
CVE-2011-4196
RESERVED
CVE-2011-4195
@@ -259,6 +259,7 @@
RESERVED
CVE-2011-4077
RESERVED
+ - linux-2.6 <unfixed>
CVE-2011-4076
RESERVED
CVE-2011-4075 [phpldapadmin arbitrary execution]
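Review bot: The new `- linux-2.6 <unfixed>` line under CVE-2011-4077 carries no bracketed summary, no severity and no NOTE reference, unlike the other entries this patch touches (compare `CVE-2011-2939 [Fix decode_xs ...]` and `CVE-2011-2725 [ark directory traversal]`). Since the CVE is still RESERVED, the only information a reader has is the commit log's "new kernel issue"; add a `[short description]` after the CVE id and a `NOTE:` with the upstream reference so the entry is actionable.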
@@ -1589,6 +1590,8 @@
NOTE: http://seclists.org/oss-sec/2011/q4/30
CVE-2011-3600
RESERVED
+ - libxmlrpc3-java 3.1.3-1 (low)
+ [lenny] - libxmlrpc3-java <no-dsa> (Minor issue)
CVE-2011-3599 (The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when ...)
- libcrypt-dsa-perl 1.17-3 (unimportant; bug #644189)
NOTE: All supported Debian kernels have /dev/random, so severity unimportant
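Review bot: CVE-2011-3600 is RESERVED and the two added lines give a fixed version and a lenny no-dsa annotation but no description or reference, so the "oldstable only" claim from the commit log is not verifiable from the entry itself. Add a `[...]` summary and a `NOTE:` link, and state why squeeze needs no annotation (presumably squeeze already ships 3.1.3-1 or later), as is done for CVE-2011-3268 below with `(Only affected 5.3.7)`.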
@@ -2464,9 +2467,13 @@
CVE-2011-3269
RESERVED
CVE-2011-3268 (Buffer overflow in the crypt function in PHP before 5.3.7 allows ...)
- - php5 <undetermined>
+ - php5 5.3.8-1
+ [squeeze] - php5 <not-affected> (Only affected 5.3.7)
+ [lenny] - php5 <not-affected> (Only affected 5.3.7)
CVE-2011-3267 (PHP before 5.3.7 does not properly implement the error_log function, ...)
- - php5 <undetermined>
+ - php5 5.3.7-1
+ [squeeze] - php5 <not-affected> (Vulnerable code not present)
+ [lenny] - php5 <not-affected> (Vulnerable code not present)
CVE-2011-3266 (The proto_tree_add_item function in Wireshark 1.6.0 through 1.6.1 and ...)
- wireshark 1.6.2-1 (unimportant)
NOTE: no code injection, not treated as a security issue, see README.Debian.security
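Review bot: For CVE-2011-3268 the annotation `(Only affected 5.3.7)` with fixed version 5.3.8-1 contradicts the quoted CVE text "Buffer overflow in the crypt function in PHP before 5.3.7"; if the CVE description is known to be wrong (the bug being introduced and fixed within 5.3.7/5.3.8), record that in a `NOTE:` so the next person does not revert the not-affected marking. Similarly, `(Vulnerable code not present)` on CVE-2011-3267 would benefit from naming the upstream commit that introduced the error_log code.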
@@ -2857,8 +2864,6 @@
NOT-FOR-US: Tivoli
CVE-2008-7299 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2 uses ...)
NOT-FOR-US: Tivoli
-CVE-2011-XXXX [Fix decode_xs n-byte heap-overflow security bug in Unicode.xs]
- - perl 5.12.4-4
CVE-2011-3134 (Unspecified vulnerability in TIBCO Spotfire Server 3.0.x before 3.0.2, ...)
NOT-FOR-US: TIBCO Spotfire Server
CVE-2011-3133 (Session fixation vulnerability in TIBCO Spotfire Server 3.0.x before ...)
@@ -3131,8 +3136,6 @@
TODO: check
CVE-2008-7292 (Bugzilla 2.20.x before 2.20.5, 2.22.x before 2.22.3, and 3.0.x before ...)
- bugzilla 3.0.4-1
-CVE-2011-XXXX [libencode-perl unspecified issue]
- - libencode-perl 2.44-1
CVE-2011-3007 (The myCIOScn ActiveX control (myCIOScn.dll) in McAfee SaaS Endpoint ...)
NOT-FOR-US: McAfee SaaS
CVE-2011-3006 (The MyAsUtil ActiveX control in MyAsUtil5.2.0.603.dll in McAfee SaaS ...)
@@ -3416,8 +3419,12 @@
- stunnel4 3:4.42-1 (bug #638758)
[squeeze] - stunnel4 <not-affected> (Only 4.4x affected)
[lenny] - stunnel4 <not-affected> (Only 4.4x affected)
-CVE-2011-2939
+CVE-2011-2939 [Fix decode_xs n-byte heap-overflow security bug in Unicode.xs]
RESERVED
+ - perl 5.12.4-4 (low)
+ [squeeze] - perl <no-dsa> (Minor issue)
+ [lenny] - perl <no-dsa> (Minor issue)
+ - libencode-perl 2.44-1 (low)
CVE-2011-2938 (Multiple cross-site scripting (XSS) vulnerabilities in filter_api.php ...)
- mantis 1.2.6-1 (bug #638321)
[squeeze] - mantis <not-affected> (Only affects Mantis 1.1)
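Review bot: Under CVE-2011-2939 the `perl` source gets `[squeeze]`/`[lenny]` no-dsa lines but the `libencode-perl 2.44-1 (low)` line that follows has none, and the spu-candidates change later in this patch lists only perl for this CVE. If libencode-perl is shipped in either suite it needs the same per-suite annotation (no-dsa or not-affected); if it is not, a short NOTE saying so would avoid the question. Also, the bracketed summary is the upstream commit title; a descriptive form such as `[Encode: heap overflow in decode_xs (Unicode.xs)]` reads better in the list.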
@@ -3566,8 +3573,6 @@
NOT-FOR-US: IBM Lotus Symphony
CVE-2011-2884 (Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before ...)
NOT-FOR-US: IBM Lotus Symphony
-CVE-2011-XXXX [ark directory traversal]
- - kdeutils <unfixed> (bug #635541)
CVE-2011-2883 (The NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access ...)
NOT-FOR-US: Citrix Access Gateway
CVE-2011-2882 (Stack-based buffer overflow in the NSEPA.NsepaCtrl.1 ActiveX control ...)
@@ -4080,8 +4085,11 @@
CVE-2011-2726 [SA-CORE-2011-003]
RESERVED
- drupal7 7.6-1
-CVE-2011-2725
+CVE-2011-2725 [ark directory traversal]
RESERVED
+ - kdeutils <unfixed> (low; bug #635541)
+ [squeeze] - kdeutils <no-dsa> (Minor issue)
+ [lenny] - kdeutils <no-dsa> (Minor issue)
CVE-2011-2724 (The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs ...)
- samba 2:3.4.7~dfsg-2 (low)
- cifs-utils 2:5.1-1 (low)
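Review bot: CVE-2011-2725 stays `kdeutils <unfixed>` in unstable while this same commit adds `kdeutils (CVE-2011-2725)` to both spu- and ospu-candidates; a stable update cannot normally proceed before the fix is in unstable. Add a `NOTE:` with the upstream fix reference (the bug #635541 link alone does not identify the patch) so the candidate entries and the unstable upload can be tracked together.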
@@ -4757,7 +4765,9 @@
CVE-2011-2483 (crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain ...)
- libcrypt-eksblowfish-perl <not-affected> (discovered and corrected in initial release in 2007)
- php-suhosin <unfixed> (bug #631283)
- - postgresql <unfixed> (bug #631285)
+ - postgresql-8.4 8.4.9-1 (bug #631285)
+ - postgresql-9.0 9.0.5-1 (bug #631285)
+ - postgresql-9.1 9.1~rc1-1
- php5 5.3.6-13 (bug #631347)
- john 1.7.8-1
NOTE: http://openwall.com/lists/oss-security/2011/06/20/2
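Review bot: The split of `postgresql` into per-major-version sources is correct, but the new `postgresql-9.1 9.1~rc1-1` line lacks the `(bug #631285)` reference the 8.4 and 9.0 lines carry. Either add the bug reference or note that the bug was filed only against the other source packages, so the three lines are consistent. Since the commit log says the aim is to track the correct versions, a `[squeeze]` line for postgresql-8.4 (the version squeeze ships) would also tell readers whether a point update is pending.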
@@ -5208,18 +5218,18 @@
CVE-2011-2307 (Unspecified vulnerability in Oracle SysFW 8.1.0.a in various Oracle ...)
NOT-FOR-US: Oracle SysFW
CVE-2011-2306 (Unspecified vulnerability in Oracle Linux 4 and 5 allows remote ...)
- TODO: check
+ NOT-FOR-US: Oracle Linux-specific feature
CVE-2011-2305 (Unspecified vulnerability in Oracle VM VirtualBox 3.0, 3.1, 3.2, and ...)
- virtualbox-ose <not-affected> (Only affects 4.x)
- virtualbox 4.0.10-dfsg-1
CVE-2011-2304 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...)
NOT-FOR-US: Oracle Solaris
CVE-2011-2303 (Unspecified vulnerability in the Oracle Application Object Library ...)
- TODO: check
+ NOT-FOR-US: Oracle E-Business Suite
CVE-2011-2302 (Unspecified vulnerability in the Oracle Application Object Library ...)
- TODO: check
+ NOT-FOR-US: Oracle E-Business Suite
CVE-2011-2301 (Unspecified vulnerability in the Oracle Text component in Oracle ...)
- TODO: check
+ NOT-FOR-US: Oracle Database
CVE-2011-2300 (Unspecified vulnerability in Oracle VM VirtualBox 4.0 allows local ...)
- virtualbox-guest-additions <removed> (bug #635276)
[squeeze] - virtualbox-guest-additions <no-dsa> (Non-free not supported)
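Review bot: `NOT-FOR-US: Oracle Linux-specific feature` for CVE-2011-2306 is thinner than the other NOT-FOR-US markings in this hunk, which name a product Debian does not ship. Oracle Linux shares most of its packages with other RPM-based distributions and the CVE text says only "Unspecified vulnerability in Oracle Linux 4 and 5", so name the affected component (or cite the advisory) to show it is not something Debian packages; otherwise the `TODO: check` was arguably the safer state.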
@@ -5238,7 +5248,7 @@
CVE-2011-2293 (Unspecified vulnerability in Oracle Solaris 11 Express allows local ...)
NOT-FOR-US: Oracle Solaris
CVE-2011-2292 (Unspecified vulnerability in Oracle Solaris 9 and 11 Express allows ...)
- TODO: check
+ NOT-FOR-US: Oracle Solaris
CVE-2011-2291 (Unspecified vulnerability in Oracle Solaris 10 allows local users to ...)
NOT-FOR-US: Oracle Solaris
CVE-2011-2290 (Unspecified vulnerability in Oracle Solaris 10, and 11 Express allows ...)
@@ -5250,7 +5260,7 @@
CVE-2011-2287 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express ...)
NOT-FOR-US: Oracle Solaris
CVE-2011-2286 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows ...)
- TODO: check
+ NOT-FOR-US: Oracle Solaris
CVE-2011-2285 (Unspecified vulnerability in Oracle Solaris 10 allows local users to ...)
NOT-FOR-US: Oracle Solaris
CVE-2011-2284 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...)
@@ -5312,7 +5322,7 @@
CVE-2011-2256
RESERVED
CVE-2011-2255 (Unspecified vulnerability in the Oracle WebLogic Portal component in ...)
- TODO: check
+ NOT-FOR-US: Oracle Fusion
CVE-2011-2254
RESERVED
CVE-2011-2253 (Unspecified vulnerability in the Core RDBMS component in Oracle ...)
@@ -5348,7 +5358,7 @@
CVE-2011-2238 (Unspecified vulnerability in the Database Vault component in Oracle ...)
NOT-FOR-US: Oracle Database Server
CVE-2011-2237 (Unspecified vulnerability in the Oracle Web Services Manager component ...)
- TODO: check
+ NOT-FOR-US: Oracle Fusion
CVE-2011-2236
RESERVED
CVE-2011-2235
@@ -8484,6 +8494,8 @@
- linux-2.6 2.6.38-4 (low)
CVE-2011-1159 (acpid.c in acpid before 2.0.9 does not properly handle a situation in ...)
- acpid 1:2.0.9-1
+ [lenny] - acpid <no-dsa> (Minor issue)
+ [squeeze] - acpid <no-dsa> (Minor issue)
CVE-2011-1158 (Cross-site scripting (XSS) vulnerability in feedparser.py in Universal ...)
- feedparser 5.0.1-1 (low; bug #617998)
[squeeze] - feedparser <no-dsa> (Minor issue)
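Review bot: Style point on the acpid entry: the two added lines list `[lenny]` before `[squeeze]`, whereas every other entry in this patch puts `[squeeze]` first (CVE-2011-3268, CVE-2011-2939, CVE-2011-2725). Keep the suite order consistent so diffs of the file stay easy to scan. Content-wise, marking both suites no-dsa is consistent with adding acpid to both spu- and ospu-candidates in this commit.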
@@ -10705,8 +10717,7 @@
{DSA-2237-2}
- apr 1.4.4-1 (low)
CVE-2011-0418 (The glob implementation in Pure-FTPd before 1.0.32, and in libc in ...)
- - pure-ftpd <unfixed>
- TODO: File bug
+ - pure-ftpd 1.0.32-1
CVE-2011-0417
RESERVED
CVE-2011-0416
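Review bot: The `TODO: File bug` line is removed without a bug reference being added to the new `- pure-ftpd 1.0.32-1` line, although the commit log itself says the fix "needs a ticket"; either keep the TODO until the bug exists or add `(bug #...)` once filed. Separately, the quoted CVE text covers "the glob implementation in Pure-FTPd before 1.0.32, and in libc in ...", so a second line (or a NOTE) stating whether the libc side affects Debian's glibc would complete the entry.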
Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt 2011-10-27 09:14:18 UTC (rev 17508)
+++ data/ospu-candidates.txt 2011-10-27 16:08:11 UTC (rev 17509)
@@ -23,6 +23,11 @@
--
+acpid (CVE-2011-1159)
+https://bugzilla.redhat.com/show_bug.cgi?id=688698
+
+--
+
acl (CVE-2009-4411)
#499076
notified maintainer
@@ -310,6 +315,11 @@
--
+kdeutils (CVE-2011-2725)
+#635541
+
+--
+
kfreebsd-6
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2011-10-27 09:14:18 UTC (rev 17508)
+++ data/spu-candidates.txt 2011-10-27 16:08:11 UTC (rev 17509)
@@ -9,6 +9,11 @@
--
+acpid (CVE-2011-1159)
+https://bugzilla.redhat.com/show_bug.cgi?id=688698
+
+--
+
ax25-tools (CVE-2011-2910)
#638918
waiting unstable
@@ -48,6 +53,11 @@
--
+kdeutils (CVE-2011-2725)
+#635541
+
+--
+
mutt (CVE-2011-1429)
#619216
@@ -70,7 +80,7 @@
--
-perl (CVE-2011-3597)
+perl (CVE-2011-3597, CVE-2011-2939)
--