[Secure-testing-commits] r18415 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Fri Feb 10 16:42:01 UTC 2012


Author: jmm
Date: 2012-02-10 16:42:01 +0000 (Fri, 10 Feb 2012)
New Revision: 18415

Modified:
   data/CVE/list
Log:
new imagemagick issues
new surf issue (will request removal)
new glpi issue (unimportant)
NFUs
cve-2012-1033 is a generic DNS misdesign
kcheckpass issue harmless


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2012-02-10 07:02:47 UTC (rev 18414)
+++ data/CVE/list	2012-02-10 16:42:01 UTC (rev 18415)
@@ -1,3 +1,5 @@
+CVE-2012-XXXX [surf info leak]
+	- surf <unfixed> (bug #659296)
 CVE-2012-1038
 	RESERVED
 CVE-2012-1037
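Review bot: The new CVE-2012-XXXX [surf info leak] entry at the top of the file records only "surf <unfixed> (bug #659296)", while the log message says removal of surf will be requested; that plan is not visible in the tracker data itself. Consider adding a NOTE line under the entry stating that removal is planned, so anyone reading data/CVE/list without the commit log knows why no fix is being pursued.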
@@ -2,12 +4,14 @@
 	RESERVED
+	- glpi <unfixed> (unimportant)
+	NOTE: Only supported behind an authenticated HTTP zone
 CVE-2012-1036
 	RESERVED
 CVE-2012-1035 (AdaCore Ada Web Services (AWS) before 2.10.2 computes hash values for ...)
-	TODO: check
+	NOT-FOR-US: AdaCore Ada Web Services
 CVE-2011-5078 (The web administration interface in the server in Sybase M-Business ...)
-	TODO: check
+	NOT-FOR-US: Sybase
 CVE-2012-1034 (Multiple cross-site scripting (XSS) vulnerabilities in the admin ...)
 	NOT-FOR-US: EPiServer CMS
 CVE-2012-1033 (The resolver in ISC BIND 9 through 9.8.1-P1 does not properly ...)
-	TODO: check
+	NOTE: DNS protocol flaw
 CVE-2012-1032
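Review bot: CVE-2012-1033 ends up with only "NOTE: DNS protocol flaw" in place of "TODO: check", so the entry has neither a package line nor a NOT-FOR-US marker even though its description names ISC BIND 9. Suggest adding an explicit package line with a status for the affected resolver package, and keeping the NOTE as the justification, so the entry does not read as untriaged. The glpi NOTE added earlier in this hunk ("Only supported behind an authenticated HTTP zone") would also benefit from a reference for that statement.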
@@ -229,19 +233,19 @@
 CVE-2012-0929 (Multiple buffer overflows in Schneider Electric Modicon Quantum PLC ...)
 	NOT-FOR-US: Schneider Electric Modicon Quantum PLC
 CVE-2012-0928 (The ATRAC codec in RealNetworks RealPlayer 11.x and 14.x through ...)
-	TODO: check
+	NOT-FOR-US: RealPlayer
 CVE-2012-0927 (Unspecified vulnerability in RealNetworks RealPlayer 11.x, 14.x, and ...)
-	TODO: check
+	NOT-FOR-US: RealPlayer
 CVE-2012-0926 (The RV10 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before ...)
-	TODO: check
+	NOT-FOR-US: RealPlayer
 CVE-2012-0925 (Unspecified vulnerability in the RV40 codec in RealNetworks RealPlayer ...)
-	TODO: check
+	NOT-FOR-US: RealPlayer
 CVE-2012-0924 (RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and ...)
-	TODO: check
+	NOT-FOR-US: RealPlayer
 CVE-2012-0923 (The RV20 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before ...)
-	TODO: check
+	NOT-FOR-US: RealPlayer
 CVE-2012-0922 (rvrender.dll in RealNetworks RealPlayer 11.x, 14.x, and 15.x before ...)
-	TODO: check
+	NOT-FOR-US: RealPlayer
 CVE-2011-5075 (translate.php in Support Incident Tracker (aka SiT!) 3.45 through 3.65 ...)
 	NOT-FOR-US: Support Incident Tracker
 CVE-2011-5074 (Multiple cross-site request forgery (CSRF) vulnerabilities in Support ...)
@@ -1451,7 +1455,7 @@
 CVE-2012-0397
 	RESERVED
 CVE-2012-0396 (EMC Documentum xPlore 1.0, 1.1 before P07, and 1.2 does not properly ...)
-	TODO: check
+	NOT-FOR-US: EMC
 CVE-2012-0395 (Buffer overflow in the server in EMC NetWorker 7.5.x and 7.6.x before ...)
 	NOT-FOR-US: EMC
 CVE-2012-0394 (** DISPUTED ** The DebuggingInterceptor component in Apache Struts ...)
@@ -1469,8 +1473,9 @@
 CVE-2011-5055 (MaraDNS 1.3.07.12 and 1.4.08 computes hash values for DNS data without ...)
 	- maradns <unfixed>
 CVE-2011-5054 (kcheckpass passes a user-supplied argument to the pam_start function, ...)
-	- kdebase-workspace <undetermined>
-	NOTE: the kcheckpass utility is not present in sid
+	- kdebase-workspace <unfixed> (unimportant)
+	NOTE: the kcheckpass utility is not present in sid (still present in src package, will check with KDE maints)
+	NOTE: Not exploitable without OpenPAM
 CVE-2011-5053 (The Wi-Fi Protected Setup (WPS) protocol, when the "external ...)
 	NOT-FOR-US: This vulnerability affects a protocol, not a product. More information can be found at http://www.kb.cert.org/vuls/id/723755. All products listed there are not part of Debian.
 CVE-2011-XXXX [glib hashtable dos issues: ocert-2011-003]
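Review bot: The rewritten NOTE under CVE-2011-5054 embeds an open action item ("will check with KDE maints") in free text, where it is likely to go stale once the status is already marked "<unfixed> (unimportant)". Suggest moving the follow-up to a TODO line, or updating the NOTE once the KDE maintainers have answered. The second NOTE, "Not exploitable without OpenPAM", gives the condition but not why it holds for Debian's kdebase-workspace; one more clause stating that would make the "unimportant" rating self-explanatory.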
@@ -2209,8 +2214,10 @@
 	RESERVED
 CVE-2012-0248
 	RESERVED
+	- imagemagick <unfixed> (low; bug #659339)
 CVE-2012-0247
 	RESERVED
+	- imagemagick <unfixed> (bug #659339)
 CVE-2012-0246
 	RESERVED
 CVE-2012-0245
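Review bot: The two imagemagick lines reference the same bug #659339 but differ in urgency: CVE-2012-0248 is marked "low" while CVE-2012-0247 carries no urgency at all. If the difference is intentional, a NOTE under each entry saying what the issue is would make that clear, since both CVEs are still RESERVED and have no description in the list; if not, the urgency should be set consistently.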



