[Secure-testing-commits] r19673 - in data: . CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Fri Jul 6 15:19:57 UTC 2012
Author: jmm
Date: 2012-07-06 15:19:56 +0000 (Fri, 06 Jul 2012)
New Revision: 19673
Modified:
data/CVE/list
data/next-point-update.txt
data/spu-candidates.txt
Log:
fixup old mozilla entry
bugzilla no-dsa
asterisk bugnum (CVE ID requested for one issue)
wireshark will be fixed in point update
xen fixed in sid
new vlc issue (CVE ID requested)
filed bug for ubuntu-sso-client
add data for old/resolved Mozilla issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2012-07-06 06:42:55 UTC (rev 19672)
+++ data/CVE/list 2012-07-06 15:19:56 UTC (rev 19673)
@@ -1,3 +1,5 @@
+CVE-2012-XXXX [VLC Ogg demuxer heap overflow]
+ - vlc 2.0.2-1
CVE-2012-XXXX [naxsi: file disclosure in nx_extract]
- nginx 1.2.1-2
[squeeze] - nginx <not-affected> (naxsi package was introduced in 1.1.18-1)
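Review bot: the added "CVE-2012-XXXX [VLC Ogg demuxer heap overflow]" entry at the top of this hunk records a fixed version (vlc 2.0.2-1) but has no NOTE with an upstream reference and no bug number, so nothing ties the placeholder to the issue once the requested CVE ID is assigned. Suggest adding a NOTE pointing at the upstream advisory or fixing commit, and a [squeeze] line recording the stable status, the way the naxsi entry directly below does for nginx.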
@@ -87,10 +89,10 @@
CVE-2012-3813
RESERVED
CVE-2012-XXXX [AST-2012-010: Possible resource leak on uncompleted re-invite transactions]
- - asterisk <unfixed>
+ - asterisk <unfixed> (bug #680470)
CVE-2012-3812 [AST-2012-011: Remote crash vulnerability in voice mail application]
RESERVED
- - asterisk <unfixed>
+ - asterisk <unfixed> (bug #680470)
CVE-2012-3811 (Unrestricted file upload vulnerability in ImageUpload.ashx in the ...)
NOT-FOR-US: Not in Debian
CVE-2012-3810
@@ -5262,6 +5264,7 @@
NOTE: Not suitable for code injection
CVE-2012-1595 (The pcap_process_pseudo_header function in wiretap/pcap-common.c in ...)
- wireshark 1.6.6-1 (bug #666058)
+ [squeeze] - wireshark <no-dsa> (Minor issue, will be fixed through spu)
CVE-2012-1594 (epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in ...)
- wireshark 1.6.6-1 (unimportant; bug #666058)
NOTE: Not suitable for code injection
@@ -8143,8 +8146,7 @@
- iceweasel <not-affected> (Only affects Firefox on Windows)
CVE-2012-0453 (Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in ...)
- bugzilla <removed>
- NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=725663
- NOTE: upstream bug only talks about 4.x but afaict the vulnerable code already exists in 3.x
+ [squeeze] - bugzilla <no-dsa> (Minor issue)
CVE-2012-0452 (Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, ...)
- icedove <not-affected> (Introduced in Thunderbird 10)
- iceweasel 10.0.1-1
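Review bot: for CVE-2012-0453 the two removed NOTE lines were this file's only record of the upstream bug (id=725663) and of the observation that the vulnerable code already exists in 3.x, which is the reasoning behind treating squeeze as affected. After this change the URL survives only in data/spu-candidates.txt and the 3.x observation is gone entirely. Suggest keeping both NOTE lines alongside the added "[squeeze] - bugzilla <no-dsa> (Minor issue)" line.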
@@ -10205,7 +10207,7 @@
- qemu-kvm 1.0+dfsg-5
- xen-qemu-dm-4.0 <removed>
[squeeze] - xen <not-affected> (vulnerable code not present)
- - xen <unfixed> (medium)
+ - xen 4.1.3~rc1+hg-20120614.a9c0a89c08f2-1 (medium)
CVE-2012-0028 (The robust futex implementation in the Linux kernel before 2.6.28 does ...)
- linux-2.6 2.6.32-1
CVE-2012-0027 (The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle ...)
@@ -11052,7 +11054,7 @@
CVE-2011-4409 (The Ubuntu One Client for Ubuntu 10.04 LTS, 11.04, 11.10, and 12.04 ...)
NOT-FOR-US: Ubuntu One
CVE-2011-4408 (The Single Sign On Client (ubuntu-sso-client) for Ubuntu 11.04 and ...)
- - ubuntu-sso-client <unfixed>
+ - ubuntu-sso-client <unfixed> (bug #680492)
CVE-2011-4407 [apt-add-repository does not perform ssl verification where it *needs* to]
RESERVED
- software-properties 0.76.7debian2+nmu2
@@ -13390,10 +13392,11 @@
CVE-2011-3672
RESERVED
CVE-2011-3671 (Use-after-free vulnerability in the nsHTMLSelectElement function in ...)
- TODO: check
- - icedove <unfixed>
- - iceweasel <unfixed>
- - iceape <unfixed>
+ - xulrunner <not-affected> (Only affects Firefox >= 4)
+ - iceweasel 9.0-1
+ [lenny] - iceweasel <not-affected> (Only affects Firefox >= 4)
+ [squeeze] - iceweasel <not-affected> (Only affects Firefox >= 4)
+ - iceape <not-affected> (Only affects Firefox >= 4)
CVE-2011-3670 (Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before ...)
{DSA-2406-1 DSA-2402-1 DSA-2400-1}
- icedove 7.0-1
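Review bot: in the CVE-2011-3671 entry the "- icedove <unfixed>" line is removed without a replacement, while xulrunner, iceweasel and iceape each get an explicit status. An entry with no icedove line no longer says whether icedove was checked. If icedove is not affected or is fixed, record that explicitly, in the style of the "- icedove <not-affected> (Introduced in Thunderbird 10)" line used for CVE-2012-0452; if it is still open, keep it as <unfixed>.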
Modified: data/next-point-update.txt
===================================================================
--- data/next-point-update.txt 2012-07-06 06:42:55 UTC (rev 19672)
+++ data/next-point-update.txt 2012-07-06 15:19:56 UTC (rev 19673)
@@ -6,5 +6,9 @@
[squeeze] - vte 1:0.24.3-4
CVE-2012-0946
[squeeze] - nvidia-graphics-drivers 195.36.31-6squeeze1
+CVE-2012-1595
+ [squeeze] - wireshark 1.2.11-6+squeeze7
+CVE-2012-1593
+ [squeeze] - wireshark 1.2.11-6+squeeze7
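Review bot: this hunk schedules both CVE-2012-1595 and CVE-2012-1593 for wireshark 1.2.11-6+squeeze7, but the data/CVE/list changes in this revision add a squeeze <no-dsa> line only for CVE-2012-1595. Please confirm that CVE-2012-1593 already carries a matching "[squeeze] - wireshark <no-dsa>" line in data/CVE/list, or add it in the same commit so the two files stay consistent.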
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2012-07-06 06:42:55 UTC (rev 19672)
+++ data/spu-candidates.txt 2012-07-06 15:19:56 UTC (rev 19673)
@@ -42,11 +42,12 @@
--
-bugzilla (CVE-2012-0440, CVE-2012-0448, CVE-2012-0465, CVE-2012-0466)
+bugzilla (CVE-2012-0440, CVE-2012-0448, CVE-2012-0453, CVE-2012-0465, CVE-2012-0466)
https://bugzilla.mozilla.org/show_bug.cgi?id=728639
https://bugzilla.mozilla.org/show_bug.cgi?id=745397
https://bugzilla.mozilla.org/show_bug.cgi?id=714472
https://bugzilla.mozilla.org/show_bug.cgi?id=718319
+https://bugzilla.mozilla.org/show_bug.cgi?id=725663
--
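Review bot: CVE-2012-0453 is inserted in the middle of the bugzilla CVE list, but its URL (id=725663) is appended at the end of the URL block, so the reference lines do not line up with the CVE IDs and there are now five IDs with no indication of which bug belongs to which. Suggest keeping the URLs in the same order as the IDs, or annotating each URL with its CVE ID.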