[Secure-testing-commits] r17509 - in data: . CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Thu Oct 27 16:08:11 UTC 2011


Author: jmm
Date: 2011-10-27 16:08:11 +0000 (Thu, 27 Oct 2011)
New Revision: 17509

Modified:
   data/CVE/list
   data/ospu-candidates.txt
   data/spu-candidates.txt
Log:
- ark CVEfied and no-dsa 
- perl/encode issues CVEfied and no-dsa
- track correct postgres versions for CVE-2011-2483
- new libxmlrpc3-java issue (oldstable only, no-dsa)
- two php issues don't affect stable/oldstable
- new kernel issue
- acpid no-dsa
- pure-ftpd fixed (needs a ticket)
- spip unimportant
- NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2011-10-27 09:14:18 UTC (rev 17508)
+++ data/CVE/list	2011-10-27 16:08:11 UTC (rev 17509)
@@ -1,7 +1,7 @@
 CVE-2011-XXXX [spip path disclosure]
-	- spip <unfixed> (low; bug #646758)
-	[squeeze] - spip <no-dsa> (Minor issue)
+	- spip <unfixed> (unimportant; bug #646758)
 	NOTE: http://archives.rezo.net/archives/spip-ann.mbox/5XCQ4RYDCYRXQSQQK42DT7IO2GVT7ZSI/
+	NOTE: Path disclosure not an issue for Debian
 CVE-2011-4196
 	RESERVED
 CVE-2011-4195
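Review bot: the new NOTE on the spip entry ("Path disclosure not an issue for Debian") states the conclusion but not the reason, and that reason is what justifies both dropping the severity from low to unimportant and removing the [squeeze] no-dsa line; spell it out (e.g. that the paths revealed are the standard packaging locations and carry no information an attacker lacks) so the next triager does not reopen it.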
@@ -259,6 +259,7 @@
 	RESERVED
 CVE-2011-4077
 	RESERVED
+	- linux-2.6 <unfixed>
 CVE-2011-4076
 	RESERVED
 CVE-2011-4075 [phpldapadmin arbitrary execution]
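Review bot: the `- linux-2.6 <unfixed>` line added under CVE-2011-4077 carries no bracketed description, no severity and no NOTE, so once the RESERVED placeholder is all the tracker has, nothing says what the kernel issue is; follow the convention used elsewhere in this commit (e.g. `CVE-2011-2725 [ark directory traversal]`) and add a short summary after the CVE id plus a NOTE with the upstream reference.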
@@ -1589,6 +1590,8 @@
 	NOTE: http://seclists.org/oss-sec/2011/q4/30 
 CVE-2011-3600
 	RESERVED
+	- libxmlrpc3-java 3.1.3-1 (low)
+	[lenny] - libxmlrpc3-java <no-dsa> (Minor issue)
 CVE-2011-3599 (The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when ...)
 	- libcrypt-dsa-perl 1.17-3 (unimportant; bug #644189)
 	NOTE: All supported Debian kernels have /dev/random, so severity unimportant
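Review bot: CVE-2011-3600 is still RESERVED and the new libxmlrpc3-java lines give neither a description nor a reference, so the page does not say what the issue is or why it rates low; add a bracketed summary after the CVE id and a NOTE pointing at the upstream report. The log calls this oldstable-only, which the entry only expresses implicitly by having no [squeeze] line: that is fine if squeeze already ships 3.1.3-1 or later, otherwise a [squeeze] line is missing.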
@@ -2464,9 +2467,13 @@
 CVE-2011-3269
 	RESERVED
 CVE-2011-3268 (Buffer overflow in the crypt function in PHP before 5.3.7 allows ...)
-	- php5 <undetermined>
+	- php5 5.3.8-1
+	[squeeze] - php5 <not-affected> (Only affected 5.3.7)
+	[lenny] - php5 <not-affected> (Only affected 5.3.7)
 CVE-2011-3267 (PHP before 5.3.7 does not properly implement the error_log function, ...)
-	- php5 <undetermined>
+	- php5 5.3.7-1
+	[squeeze] - php5 <not-affected> (Vulnerable code not present)
+	[lenny] - php5 <not-affected> (Vulnerable code not present)
 CVE-2011-3266 (The proto_tree_add_item function in Wireshark 1.6.0 through 1.6.1 and ...)
 	- wireshark 1.6.2-1 (unimportant)
 	NOTE: no code injection, not treated as a security issue, see README.Debian.security
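Review bot: the CVE-2011-3268 entry is internally inconsistent: the description says "PHP before 5.3.7", the not-affected rationale for squeeze and lenny says "Only affected 5.3.7", and the fix version recorded is 5.3.8-1. If the overflow was introduced by the 5.3.7 crypt change and fixed in 5.3.8, say so in a NOTE with the upstream reference so the two `<not-affected>` markings can be checked against the description; the CVE-2011-3267 lines are consistent as written.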
@@ -2857,8 +2864,6 @@
 	NOT-FOR-US: Tivoli
 CVE-2008-7299 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2 uses ...)
 	NOT-FOR-US: Tivoli
-CVE-2011-XXXX [Fix decode_xs n-byte heap-overflow security bug in Unicode.xs]
-	- perl 5.12.4-4
 CVE-2011-3134 (Unspecified vulnerability in TIBCO Spotfire Server 3.0.x before 3.0.2, ...)
 	NOT-FOR-US: TIBCO Spotfire Server
 CVE-2011-3133 (Session fixation vulnerability in TIBCO Spotfire Server 3.0.x before ...)
@@ -3131,8 +3136,6 @@
 	TODO: check
 CVE-2008-7292 (Bugzilla 2.20.x before 2.20.5, 2.22.x before 2.22.3, and 3.0.x before ...)
 	- bugzilla 3.0.4-1
-CVE-2011-XXXX [libencode-perl unspecified issue]
-	- libencode-perl 2.44-1
 CVE-2011-3007 (The myCIOScn ActiveX control (myCIOScn.dll) in McAfee SaaS Endpoint ...)
 	NOT-FOR-US: McAfee SaaS
 CVE-2011-3006 (The MyAsUtil ActiveX control in MyAsUtil5.2.0.603.dll in McAfee SaaS ...)
@@ -3416,8 +3419,12 @@
 	- stunnel4 3:4.42-1 (bug #638758)
 	[squeeze] - stunnel4 <not-affected> (Only 4.4x affected)
 	[lenny] - stunnel4 <not-affected> (Only 4.4x affected)
-CVE-2011-2939
+CVE-2011-2939 [Fix decode_xs n-byte heap-overflow security bug in Unicode.xs]
 	RESERVED
+	- perl 5.12.4-4 (low)
+	[squeeze] - perl <no-dsa> (Minor issue)
+	[lenny] - perl <no-dsa> (Minor issue)
+	- libencode-perl 2.44-1 (low)
 CVE-2011-2938 (Multiple cross-site scripting (XSS) vulnerabilities in filter_api.php ...)
 	- mantis 1.2.6-1 (bug #638321)
 	[squeeze] - mantis <not-affected> (Only affects Mantis 1.1)
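Review bot: under CVE-2011-2939 the perl line gets [squeeze] and [lenny] `<no-dsa>` annotations but the `libencode-perl 2.44-1 (low)` line gets none; if squeeze or lenny ship libencode-perl below 2.44-1 the tracker will list them as open with no decision recorded, so add matching no-dsa (or not-affected) lines for libencode-perl.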
@@ -3566,8 +3573,6 @@
 	NOT-FOR-US: IBM Lotus Symphony
 CVE-2011-2884 (Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before ...)
 	NOT-FOR-US: IBM Lotus Symphony
-CVE-2011-XXXX [ark directory traversal]
-	- kdeutils <unfixed> (bug #635541)
 CVE-2011-2883 (The NSEPA.NsepaCtrl.1 ActiveX control in nsepa.ocx in Citrix Access ...)
 	NOT-FOR-US: Citrix Access Gateway
 CVE-2011-2882 (Stack-based buffer overflow in the NSEPA.NsepaCtrl.1 ActiveX control ...)
@@ -4080,8 +4085,11 @@
 CVE-2011-2726 [SA-CORE-2011-003]
 	RESERVED
 	- drupal7 7.6-1
-CVE-2011-2725
+CVE-2011-2725 [ark directory traversal]
 	RESERVED
+	- kdeutils <unfixed> (low; bug #635541)
+	[squeeze] - kdeutils <no-dsa> (Minor issue)
+	[lenny] - kdeutils <no-dsa> (Minor issue)
 CVE-2011-2724 (The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs ...)
 	- samba 2:3.4.7~dfsg-2 (low)
 	- cifs-utils 2:5.1-1 (low)
@@ -4757,7 +4765,9 @@
 CVE-2011-2483 (crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain ...)
 	- libcrypt-eksblowfish-perl <not-affected> (discovered and corrected in initial release in 2007)
 	- php-suhosin <unfixed> (bug #631283)
-	- postgresql <unfixed> (bug #631285)
+	- postgresql-8.4 8.4.9-1 (bug #631285)
+	- postgresql-9.0 9.0.5-1 (bug #631285)
+	- postgresql-9.1 9.1~rc1-1
 	- php5 5.3.6-13 (bug #631347)
 	- john 1.7.8-1
 	NOTE: http://openwall.com/lists/oss-security/2011/06/20/2
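Review bot: the `postgresql-9.1 9.1~rc1-1` line has no bug reference while the 8.4 and 9.0 lines both cite #631285; if the fix simply predates 9.1's entry into the archive, a short NOTE saying so would explain the asymmetry, otherwise add the bug number.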
@@ -5208,18 +5218,18 @@
 CVE-2011-2307 (Unspecified vulnerability in Oracle SysFW 8.1.0.a in various Oracle ...)
 	NOT-FOR-US: Oracle SysFW
 CVE-2011-2306 (Unspecified vulnerability in Oracle Linux 4 and 5 allows remote ...)
-	TODO: check
+	NOT-FOR-US: Oracle Linux-specific feature
 CVE-2011-2305 (Unspecified vulnerability in Oracle VM VirtualBox 3.0, 3.1, 3.2, and ...)
 	- virtualbox-ose <not-affected> (Only affects 4.x)
 	- virtualbox 4.0.10-dfsg-1
 CVE-2011-2304 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...)
 	NOT-FOR-US: Oracle Solaris
 CVE-2011-2303 (Unspecified vulnerability in the Oracle Application Object Library ...)
-	TODO: check
+	NOT-FOR-US: Oracle E-Business Suite
 CVE-2011-2302 (Unspecified vulnerability in the Oracle Application Object Library ...)
-	TODO: check
+	NOT-FOR-US: Oracle E-Business Suite
 CVE-2011-2301 (Unspecified vulnerability in the Oracle Text component in Oracle ...)
-	TODO: check
+	NOT-FOR-US: Oracle Database
 CVE-2011-2300 (Unspecified vulnerability in Oracle VM VirtualBox 4.0 allows local ...)
 	- virtualbox-guest-additions <removed> (bug #635276)
 	[squeeze] - virtualbox-guest-additions <no-dsa> (Non-free not supported)
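Review bot: "NOT-FOR-US: Oracle Linux-specific feature" for CVE-2011-2306 asserts that the affected component is not something Debian ships, but the description ("Unspecified vulnerability in Oracle Linux 4 and 5 allows remote ...") names no component, so nothing on the page shows the code is Oracle-only; add a NOTE with the reference that identified the feature so the dismissal is checkable, as the other Oracle entries in this hunk at least name the product.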
@@ -5238,7 +5248,7 @@
 CVE-2011-2293 (Unspecified vulnerability in Oracle Solaris 11 Express allows local ...)
 	NOT-FOR-US: Oracle Solaris
 CVE-2011-2292 (Unspecified vulnerability in Oracle Solaris 9 and 11 Express allows ...)
-	TODO: check
+	NOT-FOR-US: Oracle Solaris
 CVE-2011-2291 (Unspecified vulnerability in Oracle Solaris 10 allows local users to ...)
 	NOT-FOR-US: Oracle Solaris
 CVE-2011-2290 (Unspecified vulnerability in Oracle Solaris 10, and 11 Express allows ...)
@@ -5250,7 +5260,7 @@
 CVE-2011-2287 (Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express ...)
 	NOT-FOR-US: Oracle Solaris
 CVE-2011-2286 (Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows ...)
-	TODO: check
+	NOT-FOR-US: Oracle Solaris
 CVE-2011-2285 (Unspecified vulnerability in Oracle Solaris 10 allows local users to ...)
 	NOT-FOR-US: Oracle Solaris
 CVE-2011-2284 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...)
@@ -5312,7 +5322,7 @@
 CVE-2011-2256
 	RESERVED
 CVE-2011-2255 (Unspecified vulnerability in the Oracle WebLogic Portal component in ...)
-	TODO: check
+	NOT-FOR-US: Oracle Fusion
 CVE-2011-2254
 	RESERVED
 CVE-2011-2253 (Unspecified vulnerability in the Core RDBMS component in Oracle ...)
@@ -5348,7 +5358,7 @@
 CVE-2011-2238 (Unspecified vulnerability in the Database Vault component in Oracle ...)
 	NOT-FOR-US: Oracle Database Server
 CVE-2011-2237 (Unspecified vulnerability in the Oracle Web Services Manager component ...)
-	TODO: check
+	NOT-FOR-US: Oracle Fusion
 CVE-2011-2236
 	RESERVED
 CVE-2011-2235
@@ -8484,6 +8494,8 @@
 	- linux-2.6 2.6.38-4 (low)
 CVE-2011-1159 (acpid.c in acpid before 2.0.9 does not properly handle a situation in ...)
 	- acpid 1:2.0.9-1
+	[lenny] - acpid <no-dsa> (Minor issue)
+	[squeeze] - acpid <no-dsa> (Minor issue)
 CVE-2011-1158 (Cross-site scripting (XSS) vulnerability in feedparser.py in Universal ...)
 	- feedparser 5.0.1-1 (low; bug #617998)
 	[squeeze] - feedparser <no-dsa> (Minor issue)
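Review bot: the two new acpid lines list [lenny] before [squeeze], the reverse of the order used everywhere else in this file (the feedparser entry directly below, and the perl and kdeutils entries added in this same commit); swap them for consistency.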
@@ -10705,8 +10717,7 @@
 	{DSA-2237-2}
 	- apr 1.4.4-1 (low)
 CVE-2011-0418 (The glob implementation in Pure-FTPd before 1.0.32, and in libc in ...)
-	- pure-ftpd <unfixed>
-	TODO: File bug
+	- pure-ftpd 1.0.32-1
 CVE-2011-0417
 	RESERVED
 CVE-2011-0416
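Review bot: the `TODO: File bug` line for CVE-2011-0418 is dropped together with the `<unfixed>` marker, yet the log says pure-ftpd still "needs a ticket" and the new `pure-ftpd 1.0.32-1` line records no bug number; keep the TODO (or add the bug number once filed) and add [squeeze]/[lenny] lines if those releases ship a version below 1.0.32, since the entry currently says nothing about them.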

Modified: data/ospu-candidates.txt
===================================================================
--- data/ospu-candidates.txt	2011-10-27 09:14:18 UTC (rev 17508)
+++ data/ospu-candidates.txt	2011-10-27 16:08:11 UTC (rev 17509)
@@ -23,6 +23,11 @@
 
 --
 
+acpid (CVE-2011-1159)
+https://bugzilla.redhat.com/show_bug.cgi?id=688698
+
+--
+
 acl (CVE-2009-4411)
 #499076
 notified maintainer
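Review bot: the new acpid candidate cites only the Red Hat bugzilla and records no Debian bug or maintainer status, unlike the neighbouring acl entry (#499076, "notified maintainer"); file a Debian bug for the oldstable update or note that the maintainer has been contacted, otherwise there is nothing to track the candidate against.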
@@ -310,6 +315,11 @@
 
 --
 
+kdeutils (CVE-2011-2725)
+#635541
+
+--
+
 kfreebsd-6
 [freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
 http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2011-10-27 09:14:18 UTC (rev 17508)
+++ data/spu-candidates.txt	2011-10-27 16:08:11 UTC (rev 17509)
@@ -9,6 +9,11 @@
 
 --
 
+acpid (CVE-2011-1159)
+https://bugzilla.redhat.com/show_bug.cgi?id=688698
+
+--
+
 ax25-tools (CVE-2011-2910)
 #638918
 waiting unstable
@@ -48,6 +53,11 @@
 
 --
 
+kdeutils (CVE-2011-2725)
+#635541
+
+--
+
 mutt (CVE-2011-1429)
 #619216
 
@@ -70,7 +80,7 @@
 
 --
 
-perl (CVE-2011-3597)
+perl (CVE-2011-3597, CVE-2011-2939)
 
 --
 