[Secure-testing-commits] r18008 - in data: . CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Tue Jan 3 19:05:56 UTC 2012


Author: jmm
Date: 2012-01-03 19:05:56 +0000 (Tue, 03 Jan 2012)
New Revision: 18008

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
jenkins-winstone fixed
nagios and ejabberd no-dsa
remove john entry, this only added support for the new style of hashes, not a sec issue
drop gmime entry, regular bug
remove old kdebase entry, konqueror not supported security-wise
Firefox not affected by BEAST attack


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2012-01-03 19:04:25 UTC (rev 18007)
+++ data/CVE/list	2012-01-03 19:05:56 UTC (rev 18008)
@@ -2234,7 +2234,7 @@
 	- namazu2 2.0.21-1 (low)
 	[squeeze] - namazu2 <no-dsa> (Minor issue)
 CVE-2011-4344 (Cross-site scripting (XSS) vulnerability in Jenkins Core in CloudBees ...)
-	- jenkins-winstone <unfixed> (bug #649900)
+	- jenkins-winstone 0.9.10-jenkins-29+dfsg-1  (bug #649900)
 CVE-2011-4343
 	RESERVED
 CVE-2011-4342
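Review bot: the new jenkins-winstone line has two spaces between the version `0.9.10-jenkins-29+dfsg-1` and `(bug #649900)`; every other fixed-version entry in the list uses a single space, so please collapse it to keep the line format uniform for the tracker's parser and for diffs.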
@@ -2303,7 +2303,8 @@
 	NOT-FOR-US: Joomla
 CVE-2011-4320 [ejabberd DoS in pubsub module]
 	RESERVED
-	- ejabberd 2.1.9-1
+	- ejabberd 2.1.9-1 (low)
+	[squeeze] - ejabberd <no-dsa> (Only triggerable with malformed config file)
 	NOTE: https://support.process-one.net/browse/EJAB-1498
 CVE-2011-4319 (Cross-site scripting (XSS) vulnerability in the i18n translations ...)
 	- rails <not-affected> (Only affects RoR 3.0 and above)
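Review bot: the `<no-dsa>` rationale "Only triggerable with malformed config file" sits under an entry titled "ejabberd DoS in pubsub module"; if the trigger really is an admin-supplied configuration file rather than a remote pubsub client, it would help to say so in the NOTE line alongside the EJAB-1498 link, since that is what justifies both the `(low)` severity and skipping a DSA for squeeze.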
@@ -5214,7 +5215,8 @@
 	[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
 	- openjdk-6 6b23~pre11-1
 	- openjdk-7 7~b147-2.0-1
-	- iceweasel <unfixed>
+	- iceweasel <not-affected> 
+	NOTE: http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
 	- chromium-browser <unfixed>
 	- webkit <unfixed>
 	NOTE: strictly speaking this is no lighttpd issue, but lighttpd adds a workaround
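Review bot: the added `- iceweasel <not-affected> ` line carries trailing whitespace, and unlike the other `<not-affected>` entries in this file (e.g. `- rails <not-affected> (Only affects RoR 3.0 and above)`) it gives no inline reason; consider `- iceweasel <not-affected> (See Mozilla blog post)` or similar so the rationale survives even if the NOTE URL goes stale.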
@@ -7879,7 +7881,6 @@
 	- postgresql-9.0 9.0.5-1 (bug #631285)
 	- postgresql-9.1 9.1~rc1-1
 	- php5 5.3.6-13 (bug #631347)
-	- john 1.7.8-1
 	NOTE: http://openwall.com/lists/oss-security/2011/06/20/2
 CVE-2011-2482
 	RESERVED
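Review bot: removing `- john 1.7.8-1` is justified in the commit log ("only added support for the new style of hashes, not a sec issue"), but that reasoning is not recorded in the list itself; a `NOTE:` line under this CVE stating that john's change was hash-format support only would stop someone re-adding the entry from the changelog later.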
@@ -8602,7 +8603,9 @@
 	NOT-FOR-US: CRE Loaded
 CVE-2011-2477 (Multiple cross-site scripting (XSS) vulnerabilities in config.c in ...)
 	- icinga 1.4.1-1
+	[squeeze] - icinga <no-dsa> (Minor issue)
 	- nagios3 <unfixed>
+	[squeeze] - nagios3 <no-dsa> (Minor issue)
 CVE-2011-2476 (Cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery ...)
 	NOT-FOR-US: Coppermine Photo Gallery
 CVE-2011-2208 [Alpha-specific issue]
@@ -11134,8 +11137,6 @@
 	NOT-FOR-US: WebSphere
 CVE-2011-1306 (Unspecified vulnerability in the Scratchpad application in Google ...)
 	NOT-FOR-US: Google ChromeOS
-CVE-2011-XXXX [gmime segfault]
-	- gmime2.4 2.4.23-1 (bug #616366)
 CVE-2011-1305 (Race condition in Google Chrome before 11.0.696.57 on Linux and Mac OS ...)
 	- chromium-browser 11.0.696.65~r84435-1
 	[squeeze] - chromium-browser <no-dsa> (minor issue)
@@ -11389,7 +11390,7 @@
 	- webkit <unfixed>
 	NOTE: http://trac.webkit.org/changeset/79476
 CVE-2011-1202 (The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 ...)
-	- libxslt 1.1.26-7 (bug #617413)
+	- libxslt 1.1.26-7 (low; bug #617413)
 	- xulrunner <removed>
 	[lenny] - xulrunner <no-dsa> (minor issue)
 	- iceweasel 3.5.19-1
@@ -14899,8 +14900,9 @@
 	- icedove 3.1.11-1
 	[lenny] - icedove <end-of-life>
 CVE-2011-0082 (The X.509 certificate validation functionality in Mozilla Firefox ...)
-	- xulrunner <removed>
-	- iceweasel <unfixed> (low; bug #627552)
+	- xulrunner <removed> (unimportant)
+	- iceweasel <unfixed> (unimportant; bug #627552)
+	NOTE: Negligable impact
 CVE-2011-0081 (Unspecified vulnerability in the browser engine in Mozilla Firefox ...)
 	{DSA-2235-1 DSA-2228-1 DSA-2227-1}
 	- xulrunner <not-affected> (Only affects Firefox 4.0/3.6, not yet in unstable)
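Review bot: the new `NOTE: Negligable impact` line has a spelling error; it should read `NOTE: Negligible impact`. A one-word reason for the downgrade to `(unimportant)` is also on the thin side compared with the other NOTE lines in this file; referencing what makes the impact negligible would be more useful to the next reader.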
@@ -36693,10 +36695,7 @@
 	- webkit 1.2 (low; bug #532514)
 	NOTE: The implementations for UNIX seems fine, might be fixed earlier
 	[lenny] - webkit <no-dsa> (Minor issue)
-	- kdebase <unfixed> (low; bug #532519)
-	[squeeze] - kdebase <no-dsa> (Minor issue)
-	[lenny] - kdebase <no-dsa> (Minor issue)
-	[etch] - kdebase <no-dsa> (Minor issue)
+	- kdebase <unfixed> (unimportant; bug #532519)
 	- w3m <unfixed> (unimportant; bug #532521)
 	NOTE: w3m doesn't have Javascript support and the boundary issue is harmles
 	- chromium-browser <undetermined> (bug #520324)
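Review bot: collapsing the three per-release `[squeeze]`/`[lenny]`/`[etch] - kdebase <no-dsa>` lines into a single `(unimportant; bug #532519)` entry is consistent with the commit log, but the reason (konqueror is not supported security-wise) is not visible in the file; the neighbouring w3m entry records its rationale in a `NOTE:` line, and the kdebase entry would benefit from the same.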

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2012-01-03 19:04:25 UTC (rev 18007)
+++ data/spu-candidates.txt	2012-01-03 19:05:56 UTC (rev 18008)
@@ -85,6 +85,12 @@
 
 --
 
+icinga (CVE-2011-1523, CVE-2011-2477)
+http://tracker.nagios.org/view.php?id=207
+https://dev.icinga.org/issues/1605
+
+--
+
 kdeutils (CVE-2011-2725)
 #635541
 maintainers notified in bug log
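Review bot: the new icinga entry lists two upstream tracker URLs but, unlike the adjacent kdeutils (`#635541`) and nagios3 (`#629127`) entries, no Debian bug number; if a bug exists for the icinga side of CVE-2011-1523/CVE-2011-2477 it should be referenced here so the stable-update candidate can be tracked in the BTS.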
@@ -101,9 +107,10 @@
 
 --
 
-nagios3 (CVE-2011-1523)
+nagios3 (CVE-2011-1523, CVE-2011-2477)
 #629127
 http://tracker.nagios.org/view.php?id=207
+https://dev.icinga.org/issues/1605
 
 --
 