[Secure-testing-commits] r18063 - in data: . CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Fri Jan 6 17:12:04 UTC 2012
Author: jmm
Date: 2012-01-06 17:12:03 +0000 (Fri, 06 Jan 2012)
New Revision: 18063
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
- new icu issue
- older otrs2 issue also fixed in 2.4 branch and thus in squeeze
- historic torque issue fixed
- remove a bunch of older <underdetemined> entries for browsers issues in khtml and qtwebkit, not covered by sec support
- one roundcube issue rather not-affected than no-dsa
- remove roundcube dupe, already tracked as CVE-2011-2937
- roundcube no-dsa
- remove CVE-2011-1015 from spu candidates, not really backportable
- fix dupe in vsftpd namespace DoS
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2012-01-06 16:36:36 UTC (rev 18062)
+++ data/CVE/list 2012-01-06 17:12:03 UTC (rev 18063)
@@ -1880,6 +1880,7 @@
[squeeze] - icecast2 <no-dsa> (Minor issue)
CVE-2011-4611
RESERVED
+ - linux-2.6 3.0.0-1
CVE-2011-4610
RESERVED
CVE-2011-4609
@@ -1913,6 +1914,7 @@
RESERVED
CVE-2011-4599
RESERVED
+ - icu <unfixed> (bug #654883)
CVE-2011-4598 (channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 ...)
{DSA-2367-1}
- asterisk 1:1.8.8.0~dfsg-1 (bug #651552)
@@ -3458,7 +3460,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4079
CVE-2011-4078 (include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP ...)
- roundcube 0.6+dfsg-1 (bug #646675)
- [squeeze] - roundcube <no-dsa> (squeeze PHP version does not expose the issue)
+ [squeeze] - roundcube <not-affected> (squeeze PHP version does not expose the issue)
NOTE: http://trac.roundcube.net/ticket/1488086
NOTE: This is arguably a PHP issue, but will probably not be fixed upstream.
CVE-2011-4077
@@ -4808,8 +4810,6 @@
NOT-FOR-US: ManageEngine EventLog Analyzer
CVE-2010-4840 (Multiple buffer overflows in the Syslog server in ManageEngine ...)
NOT-FOR-US: ManageEngine EventLog Analyzer
-CVE-2011-XXXX [roundcube XSS in UI messages]
- - roundcube 0.5.4+dfsg-1 (bug #641996)
CVE-2011-XXXX [atftp DoS]
- atftp 0.7.dfsg-11
[lenny] - atftp <not-affected> (Introduced with ipv6 patch)
@@ -5742,13 +5742,6 @@
- gtk+2.0 <not-affected> (Win32-specific)
CVE-2009-5086 (Cross-site scripting (XSS) vulnerability in Appliance Configuration ...)
NOT-FOR-US: Juniper IDP
-CVE-2011-XXXX [vsftpd namespace DoS]
- - vsftpd 2.3.4-1 (bug #629373)
- [squeeze] - vsftpd 2.3.2-3+squeeze2
- [lenny] - vsftpd 2.0.7-1+lenny1
- NOTE: this is technically a kernel bug. however this has been workarounded specifically
- NOTE: for vsftpd by adding a kernel check before using this feature, see DSA-2304-1
- NOTE: for details
CVE-2011-3339 (Cross-site scripting (XSS) vulnerability in the Admin Control Center ...)
NOT-FOR-US: Sentinel HASP Run-time Environment
CVE-2011-3338
@@ -7521,8 +7514,7 @@
CVE-2011-2747 (Google Picasa before 3.6 Build 105.67 does not properly handle invalid ...)
NOT-FOR-US: Google Picasa
CVE-2011-2746 (Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in ...)
- - otrs2 3.0.10+dfsg1-1 (low)
- [squeeze] - otrs2 <no-dsa> (Minor issue)
+ - otrs2 2.4.7-1 (low)
[lenny] - otrs2 <no-dsa> (Minor issue)
CVE-2011-2745 (upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier ...)
NOT-FOR-US: Chyrp
@@ -8951,9 +8943,12 @@
- linux-2.6 2.6.35-1 (low)
[lenny] - linux-2.6 <no-dsa> (attacker needs elevated CAP_SYS_ADMIN privileges to abuse this)
[squeeze] - linux-2.6 <no-dsa> (attacker needs elevated CAP_SYS_ADMIN privileges to abuse this)
- - vsftpd 2.3.4-1
- [lenny] - vsftpd <not-affected> (vulnerable code not present)
+ - vsftpd 2.3.4-1 (bug #629373)
[squeeze] - vsftpd 2.3.2-3+squeeze2
+ [lenny] - vsftpd 2.0.7-1+lenny1
+ NOTE: this is technically a kernel bug. however this has been workarounded specifically
+ NOTE: for vsftpd by adding a kernel check before using this feature, see DSA-2304-1
+ NOTE: for details
CVE-2011-2187
RESERVED
CVE-2011-2186
@@ -10961,10 +10956,10 @@
- linux-2.6 2.6.38-4
CVE-2011-1492 (steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not ...)
- roundcube 0.5.1-1
- TODO: check impact with maintainer for stable with maintainer, seems harmless
+ [squeeze] - roundcube <no-dsa> (Minor issue)
CVE-2011-1491 (The login form in Roundcube Webmail before 0.5.1 does not properly ...)
- - roundcube 0.5.1-1
- TODO: check impact with maintainer for stable with maintainer, seems harmless
+ - roundcube 0.5.1-1 (low)
+ [squeeze] - roundcube <no-dsa> (Minor issue)
CVE-2011-1490
RESERVED
- rsyslog 5.7.6-1 (low)
@@ -12481,7 +12476,7 @@
- linux-2.6 2.6.38-1
CVE-2011-1015 (The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in ...)
- python2.6 <unfixed> (low; bug #614860)
- [squeeze] - python2.6 <no-dsa> (Minor issue)
+ [squeeze] - python2.6 <no-dsa> (Minor issue, fix modifies behaviour, too intrusive to backport)
- python2.5 <unfixed> (low)
[squeeze] - python2.5 <no-dsa> (Minor issue, fix modifies behaviour, too intrusive to backport)
[lenny] - python2.5 <no-dsa> (Minor issue, fix modifies behaviour, too intrusive to backport)
@@ -23592,8 +23587,7 @@
NOTE: CVE-2010-1729/1730/1731 are the same issue but with different effects
NOTE: not reproducible with chromium-browser 5.0.375.55~r47796-1
CVE-2010-1730 (Dolphin Browser 2.5.0 on the HTC Hero allows remote attackers to cause ...)
- - kdelibs <undetermined>
- - kde4libs <undetermined>
+ NOT-FOR-US: Dolphin browser, Konqueror not covered by security support
NOTE: CVE-2010-1729/1730/1731 are the same issue but with different effects
CVE-2010-1729 (WebKit.dll in WebKit, as used in Safari.exe 4.531.9.1 in Apple Safari, ...)
- webkit <unfixed> (unimportant)
@@ -26927,9 +26921,6 @@
- chromium-browser 5.0.375.29~r46008-1
- webkit 1.1.21-1 (low)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - qt4-x11 <undetermined> (low)
- - kdelibs <undetermined> (low)
- - kde4libs <undetermined> (low)
CVE-2010-0658 (Multiple integer overflows in Skia, as used in Google Chrome before ...)
- chromium-browser 5.0.375.29~r46008-1
- webkit <not-affected> (chrome-specific issue)
@@ -26941,9 +26932,6 @@
- chromium-browser 5.0.375.29~r46008-1
- webkit 1.1.21-1 (low)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - qt4-x11 <undetermined> (low)
- - kdelibs <undetermined> (low)
- - kde4libs <undetermined> (low)
CVE-2010-0655 (Use-after-free vulnerability in Google Chrome before 4.0.249.78 allows ...)
- chromium-browser 5.0.375.29~r46008-1
- webkit <not-affected> (chrome-specific issue)
@@ -26964,17 +26952,11 @@
- chromium-browser 5.0.375.29~r46008-1
- webkit 1.1.21-1 (low)
[lenny] - webkit <no-dsa> (Too intrusive to backport, disk of regression higher than impact at hand)
- - qt4-x11 <undetermined> (low)
- - kdelibs <undetermined> (low)
- - kde4libs <undetermined> (low)
NOTE: http://trac.webkit.org/changeset/52784
CVE-2010-0650 (WebKit, as used in Google Chrome before 4.0.249.78 and Apple Safari, ...)
- chromium-browser 5.0.375.29~r46008-1
- webkit 1.1.21-1 (unimportant)
NOTE: http://code.google.com/p/chromium/issues/detail?id=3275
- - qt4-x11 <undetermined> (unimportant)
- - kdelibs <undetermined> (unimportant)
- - kde4libs <undetermined> (unimportant)
NOTE: unimportant because this is just a popup blocker bypass
CVE-2010-0649 (Integer overflow in the CrossCallParamsEx::CreateFromBuffer function ...)
- chromium-browser 5.0.375.29~r46008-1
@@ -26985,9 +26967,6 @@
- chromium-browser 5.0.375.29~r46008-1
- webkit 1.1.21-1 (medium)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - qt4-x11 <undetermined> (medium)
- - kdelibs <undetermined> (medium)
- - kde4libs <undetermined> (medium)
CVE-2010-0646 (Multiple integer signedness errors in factory.cc in Google V8 before ...)
- chromium-browser 5.0.375.29~r46008-1
- libv8 2.1.6-1
@@ -27964,9 +27943,6 @@
- chromium-browser 5.0.375.29~r46008-1
- webkit 1.1.21-1 (low)
[lenny] - webkit <no-dsa> (Too intrusive to backport, disk of regression higher than impact at hand)
- - qt4-x11 <undetermined>
- - kdelibs <undetermined>
- - kde4libs <undetermined>
CVE-2010-0314 (Apple Safari allows remote attackers to discover a redirect's target ...)
- webkit 1.1.90-1
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
@@ -29407,9 +29383,6 @@
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - kde4libs <undetermined>
- - kdelibs <undetermined>
- - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/53812
NOTE: http://trac.webkit.org/changeset/53813
NOTE: http://trac.webkit.org/changeset/54242
@@ -29417,17 +29390,11 @@
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - kde4libs <undetermined>
- - kdelibs <undetermined>
- - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/50466
CVE-2010-0052 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 ...)
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - kde4libs <undetermined>
- - kdelibs <undetermined>
- - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/51877
CVE-2010-0051 (WebKit in Apple Safari before 4.0.5 does not properly validate the ...)
NOTE: http://trac.webkit.org/changeset/52784
@@ -29436,41 +29403,26 @@
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - kde4libs <undetermined>
- - kdelibs <undetermined>
- - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/52073
CVE-2010-0049 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 ...)
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - kde4libs <undetermined>
- - kdelibs <undetermined>
- - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/52527
CVE-2010-0048 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 ...)
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - kde4libs <undetermined>
- - kdelibs <undetermined>
- - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/51962
CVE-2010-0047 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 ...)
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - kde4libs <undetermined>
- - kdelibs <undetermined>
- - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/50698
CVE-2010-0046 (The Cascading Style Sheets (CSS) implementation in WebKit in Apple ...)
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- - kde4libs <undetermined>
- - kdelibs <undetermined>
- - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/51727
CVE-2010-0045 (Apple Safari before 4.0.5 on Windows does not properly validate ...)
NOT-FOR-US: Apple Safari
@@ -33906,10 +33858,6 @@
CVE-2009-2953 (Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote ...)
- xulrunner <unfixed> (unimportant; bug #557753)
- webkit <unfixed> (unimportant; bug #557752)
- - qt4-x11 <undetermined> (unimportant; bug #561760)
- [etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4)
- - kdelibs <undetermined> (unimportant; bug #561765)
- - kde4libs <undetermined> (unimportant; bug #561762)
NOTE: browser denial-of-services are considered unimportant
CVE-2009-2952 (Unspecified vulnerability in the pollwakeup function in Sun Solaris ...)
NOT-FOR-US: Sun Solaris
@@ -34378,7 +34326,6 @@
[lenny] - qt4-x11 <not-affected> (HTML video support introduced in version 4.5)
[etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4)
- kdelibs <not-affected> (No support for HTML5 video tags)
- - kde4libs <undetermined> (bug #561762)
CVE-2009-2840 (Spotlight in Apple Mac OS X 10.5.8 does not properly handle temporary ...)
NOT-FOR-US: Apple Mac OS X
CVE-2009-2839 (Screen Sharing in Apple Mac OS X 10.5.8 allows remote VNC servers to ...)
@@ -37841,7 +37788,6 @@
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <no-dsa> (Unmaintained, only affects fringe apps)
- kdelibs <not-affected>
- - kde4libs <undetermined>
- qt4-x11 4:4.6.2-4
[lenny] - qt4-x11 <no-dsa> (qtwebkit not supported security-wise)
NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
@@ -38470,9 +38416,6 @@
CVE-2009-1514 (Google Chrome 1.0.154.53 allows remote attackers to cause a denial of ...)
- chromium-browser 5.0.375.38~r46659-1 (low)
- webkit <unfixed> (unimportant; bug #578982)
- - qt4-x11 <undetermined> (unimportant)
- - kdebase <undetermined> (unimportant)
- - kde4libs <undetermined> (unimportant)
NOTE: proof of concept maximum impact against webkit is dos-only
CVE-2008-6791 (PumpKIN TFTP Server 2.7.2.0 allows remote attackers to cause a denial ...)
NOT-FOR-US: PumpKIN TFTP Server
@@ -43472,7 +43415,7 @@
- python2.5 <unfixed> (low)
[etch] - python2.5 <no-dsa> (Minor issue)
[lenny] - python2.5 <no-dsa> (Minor issue)
- [squeeze] - python2.5 <no-dsa> (Minor issue)
+ [squeeze] - python2.5 <no-dsa> (Minor issue, patch only introduces a new, more secure API)
- python2.4 <unfixed> (low)
[etch] - python2.4 <no-dsa> (Minor issue)
[lenny] - python2.4 <no-dsa> (Minor issue)
@@ -79196,7 +79139,7 @@
CVE-2006-5678 (** DISPUTED ** ...)
NOT-FOR-US: Les Visiteurs
CVE-2006-5677 (resmom/start_exec.c in pbs_mom in TORQUE Resource Manager 2.0.0p8 and ...)
- - torque <undetermined>
+ - torque 2.1.6-1
CVE-2006-5676 (SQL injection vulnerability in consult/classement.php in Uni-Vert ...)
NOT-FOR-US: PhpLeague
CVE-2006-5675 (Multiple unspecified vulnerabilities in Pentaho Business Intelligence ...)
@@ -85771,7 +85714,6 @@
[lenny] - qt4-x11 <no-dsa> (Minor impact, no apps in Lenny which use qtwebkit )
NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected
- kdelibs <not-affected> (bug #561765)
- - kde4libs <undetermined> (bug #561762)
CVE-2006-2782 (Firefox 1.5.0.2 does not fix all test cases associated with ...)
{DSA-1134-1 DSA-1120 DSA-1118}
NOTE: MFSA-2006-41
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2012-01-06 16:36:36 UTC (rev 18062)
+++ data/spu-candidates.txt 2012-01-06 17:12:03 UTC (rev 18063)
@@ -187,16 +187,6 @@
--
-python2.6 (CVE-2011-1015)
-http://bugs.python.org/issue2254
-
---
-
-python2.5 (CVE-2011-1015)
-http://bugs.python.org/issue2254
-
---
-
rampart (CVE-2011-2329)
#631221
More information about the Secure-testing-commits
mailing list