[Secure-testing-commits] r19173 - in data: . CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Tue May 8 17:42:30 UTC 2012


Author: jmm
Date: 2012-05-08 17:42:29 +0000 (Tue, 08 May 2012)
New Revision: 19173

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
triage output of external check script:
 new ruby-mail issue (fixed, not in stable)
 new kernel issue
 new munin issue (doesn't affect stable)
 jboss not affected
 NFUs
vlc fixed in sid
x11-apps fixed in sid, no-dsa
NFUs
filed bug for eglibc ORIGIN issue
icedtea-web fixed
remove CVEfied asterisk temp issue dupes


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2012-05-08 10:39:24 UTC (rev 19172)
+++ data/CVE/list	2012-05-08 17:42:29 UTC (rev 19173)
@@ -16,11 +16,11 @@
 CVE-2012-2452
 	RESERVED
 CVE-2012-2450 (VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2012-2449 (VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2012-2448 (VMware ESXi 3.5 through 5.0 and ESX 3.5 through 4.1 allow remote ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2012-2447
 	RESERVED
 CVE-2012-2446
@@ -388,6 +388,7 @@
 	RESERVED
 CVE-2012-2319
 	RESERVED
+	- linux-2.6 <unfixed> (low)
 CVE-2012-2318 [Improper validation of incoming plaintext messages in MSN protocol plug-in]
 	RESERVED
 	- pidgin 2.10.4-1
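Review bot: the added `- linux-2.6 <unfixed> (low)` line for CVE-2012-2319 carries a severity rating but no NOTE with a reference (upstream commit, oss-security post or bug) and no bracketed summary, unlike CVE-2012-2318 directly below it which has `[Improper validation of incoming plaintext messages in MSN protocol plug-in]`; since the CVE is still RESERVED, add a `[short description]` and a `NOTE: <url>` so the (low) rating can be re-checked once the description is published.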
@@ -411,6 +412,7 @@
 	- linux-2.6 <unfixed>
 CVE-2012-2312
 	RESERVED
+	- jbossas4 <not-affected> (Only affects JBoss 7)
 CVE-2012-2311 [PHP-CGI query string parameter vulnerability]
 	RESERVED
 	- php5 <unfixed> (bug #671880)
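Review bot: the `jbossas4 <not-affected> (Only affects JBoss 7)` rationale for CVE-2012-2312 is not backed by any NOTE line, and the CVE is still RESERVED so there is no description to check it against; add a NOTE pointing at the upstream advisory or bug that establishes the affected versions, otherwise the next triage pass cannot verify the claim without redoing the research.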
@@ -643,7 +645,7 @@
 	TODO: check
 	NOTE: http://www.pidgin.im/news/security/?id=62
 CVE-2012-2213 (** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the ...)
-	TODO: check
+	NOT-FOR-US: Disputed Squid access bypass, probably user error and minor impact anyway
 CVE-2012-2212 (** DISPUTED ** McAfee Web Gateway 7.0 allows remote attackers to ...)
 	NOT-FOR-US: McAfee Web Gateway
 CVE-2012-2211
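Review bot: NOT-FOR-US is the wrong state for CVE-2012-2213: Squid is packaged in Debian, and the rationale given ("probably user error and minor impact anyway") is a judgement about the issue, not about packaging. Record it as a package line instead, e.g. `- squid3 <not-affected> (Disputed)` or `<unimportant>`, with a NOTE linking to the dispute, so the entry shows up in per-package queries and the speculative "probably" is replaced by a reference.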
@@ -788,6 +790,8 @@
 	RESERVED
 CVE-2012-2147
 	RESERVED
+	- munin <unfixed> (bug #670811)
+	[squeeze] - munin <not-affected> (Vulnerable code not present)
 CVE-2012-2146
 	RESERVED
 	- elixir <unfixed> (low; bug #670919)
@@ -806,8 +810,10 @@
 	NOTE:  Red Hat patch: https://bugzilla.redhat.com/attachment.cgi?id=580443&action=diff
 CVE-2012-2140
 	RESERVED
+	- ruby-mail 2.4.4-1
 CVE-2012-2139
 	RESERVED
+	- ruby-mail 2.4.4-1
 CVE-2012-2138
 	RESERVED
 CVE-2012-2137
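Review bot: CVE-2012-2139 and CVE-2012-2140 receive identical `- ruby-mail 2.4.4-1` lines while both are still RESERVED with no bracketed summary, so the two entries cannot be told apart and nothing records what was fixed; add a `[description]` for each and a NOTE with the upstream fix or advisory URL. The commit log says the package is not in stable, which is why no [squeeze] line is needed, but that reasoning lives only in the log and not in the entries.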
@@ -821,6 +827,7 @@
 	- python3.3 <unfixed>
 CVE-2012-2134
 	RESERVED
+	NOT-FOR-US: Dynamic LDAP backend plugin for BIND
 CVE-2012-2133
 	RESERVED
 	- linux-2.6 <unfixed>
@@ -1331,7 +1338,7 @@
 CVE-2012-XXXX [mahara SAML impersonation issue]
 	- mahara 1.4.2-1
 CVE-2012-1936 (** DISPUTED ** The wp_create_nonce function in ...)
-	TODO: check
+	NOT-FOR-US: Disputed Wordpress issue
 CVE-2012-1935
 	RESERVED
 CVE-2012-1934
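Review bot: NOT-FOR-US does not fit CVE-2012-1936 either: WordPress is packaged in Debian, so "Disputed Wordpress issue" belongs on a `- wordpress <not-affected>` or `<unimportant>` line with a NOTE on why the dispute is accepted, not in the not-packaged state. The same point applies to the Squid entry under CVE-2012-2213 in this commit.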
@@ -1643,11 +1650,9 @@
 CVE-2012-1777 (SQL injection vulnerability in my.activation.php3 in F5 FirePass 6.0.0 ...)
 	NOT-FOR-US: F5 Firepass
 CVE-2012-1776 (Multiple heap-based buffer overflows in VideoLAN VLC media player ...)
-	- vlc <unfixed>
-	TODO: check
+	- vlc 2.0.1-1 (low)
 CVE-2012-1775 (Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 ...)
-	- vlc <unfixed>
-	TODO: check
+	- vlc 2.0.1-1 (low)
 CVE-2011-5083 (Unrestricted file upload vulnerability in inc/swf/swfupload.swf in ...)
 	- dotclear <unfixed> (low; bug #670227)
 	NOTE: Post-authentication; vulnerability is actually in admin/media.php.
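Review bot: replacing `- vlc <unfixed>` with `- vlc 2.0.1-1 (low)` for CVE-2012-1775 and CVE-2012-1776 leaves no [squeeze] line, so squeeze is now implicitly tracked as vulnerable with no triage decision attached, although the commit log only records "vlc fixed in sid". Add a `[squeeze] - vlc <no-dsa> (Minor issue)` or `<not-affected>` line with its reason, as this same commit does for x11-apps under CVE-2011-2504, or keep a TODO so the stable state is not silently dropped.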
@@ -1816,19 +1821,19 @@
 CVE-2012-1711
 	RESERVED
 CVE-2012-1710 (Unspecified vulnerability in the Oracle WebCenter Forms Recognition ...)
-	TODO: check
+	NOT-FOR-US: Oracle Fusion
 CVE-2012-1709 (Unspecified vulnerability in the Oracle WebCenter Forms Recognition ...)
-	TODO: check
+	NOT-FOR-US: Oracle Fusion
 CVE-2012-1708 (Unspecified vulnerability in the Application Express component in ...)
-	TODO: check
+	NOT-FOR-US: Oracle Database
 CVE-2012-1707 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...)
-	TODO: check
+	NOT-FOR-US: Oracle Financial Services Software
 CVE-2012-1706 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...)
-	TODO: check
+	NOT-FOR-US: Oracle Financial Services Software
 CVE-2012-1705
 	RESERVED
 CVE-2012-1704 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...)
-	TODO: check
+	NOT-FOR-US: Oracle Financial Services Software
 CVE-2012-1703 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
 	- mysql-5.1 5.1.62-1 (bug #670636)
 	- mysql-5.5 5.5.23-1
@@ -1841,21 +1846,21 @@
 CVE-2012-1699
 	RESERVED
 CVE-2012-1698 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2012-1697 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
 	- mysql-5.5 5.5.23-1
 CVE-2012-1696 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
 	- mysql-5.5 5.5.23-1
 CVE-2012-1695 (Unspecified vulnerability in the Oracle JRockit component in Oracle ...)
-	TODO: check
+	NOT-FOR-US: Oracle Fusion
 CVE-2012-1694 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2012-1693 (Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers ...)
-	TODO: check
+	NOT-FOR-US: Oracle SPARC Enterprise M Series Servers
 CVE-2012-1692 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2012-1691 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2012-1690 (Unspecified vulnerability in the MySQL Server component in Oracle ...)
 	- mysql-5.1 5.1.62-1 (bug #670636)
 	- mysql-5.5 5.5.23-1
@@ -1871,13 +1876,13 @@
 CVE-2012-1685
 	RESERVED
 CVE-2012-1684 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2012-1683 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2012-1682
 	RESERVED
 CVE-2012-1681 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 ...)
-	TODO: check
+	NOT-FOR-US: Solaris
 CVE-2012-1680
 	RESERVED
 CVE-2012-1679 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...)
@@ -1908,12 +1913,6 @@
 	RESERVED
 CVE-2012-1666
 	RESERVED
-CVE-2012-XXXX [http://downloads.asterisk.org/pub/security/AST-2012-003.html]
-	- asterisk <unfixed>
-	[squeeze] - asterisk <not-affected> (Vulnerable code not present)
-CVE-2012-XXXX [http://downloads.asterisk.org/pub/security/AST-2012-002.html]
-	- asterisk <unfixed>
-	[squeeze] - asterisk <not-affected> (Vulnerable code not present)
 CVE-2012-1665
 	RESERVED
 CVE-2012-1664
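Review bot: the two `CVE-2012-XXXX` asterisk placeholders for AST-2012-002 and AST-2012-003 are deleted here, but nothing in this diff shows the CVE-numbered entries that replace them, so the `[squeeze] - asterisk <not-affected> (Vulnerable code not present)` annotation disappears from view; before merging, confirm that the real CVE ids in data/CVE/list carry both the asterisk line and the squeeze not-affected line with its reason, since the log entry "remove CVEfied asterisk temp issue dupes" is the only evidence of the move.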
@@ -2304,9 +2303,9 @@
 CVE-2012-1518 (VMware Workstation 8.x before 8.0.2, VMware Player 4.x before 4.0.2, ...)
 	NOT-FOR-US: VMware
 CVE-2012-1517 (The VMX process in VMware ESXi 4.1 and ESX 4.1 does not properly ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2012-1516 (The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2012-1515 (VMware ESXi 3.5, 4.0, and 4.1 and ESX 3.5, 4.0, and 4.1 do not ...)
 	NOT-FOR-US: VMware ESXi
 CVE-2012-1514 (Cross-site request forgery (CSRF) vulnerability in VMware vShield ...)
@@ -4148,7 +4147,6 @@
 CVE-2012-0780
 	RESERVED
 CVE-2012-0779 (Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on ...)
-	TODO: check
 	NOT-FOR-US: Adobe Flash Player
 CVE-2012-0778
 	RESERVED
@@ -13805,9 +13803,8 @@
 CVE-2011-2514
 	RESERVED
 	- openjdk-6 6b21~pre1-1
-	- icedtea-web <unfixed>
+	- icedtea-web 1.1-1
 	NOTE: Browser plugin was removed in openjdk-6 6b21~pre1-1.
-	TODO: check
 CVE-2011-2513
 	RESERVED
 	- openjdk-6 6b21~pre1-1
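Review bot: `- icedtea-web 1.1-1` closes the open TODO for CVE-2011-2514, but the remaining NOTE only explains the openjdk-6 side ("Browser plugin was removed in openjdk-6 6b21~pre1-1") and nothing records where 1.1-1 fixed the issue; add a NOTE with the icedtea-web changelog entry or upstream commit so the version can be checked, and state whether squeeze ships icedtea-web at all, since no [squeeze] line is present.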
@@ -13848,8 +13845,8 @@
 	[lenny] - phpmyadmin <not-affected> (Vulnerable code not present)
 CVE-2011-2504
 	RESERVED
-	- x11-apps <unfixed> (low)
-	TODO: check
+	- x11-apps 7.7~1 (low)
+	[squeeze] - x11-apps <no-dsa> (Minor issue)
 CVE-2011-2503
 	RESERVED
 	{DSA-2348-1}
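Review bot: the x11-apps entry for CVE-2011-2504 gains a fixed version and a `[squeeze] - x11-apps <no-dsa> (Minor issue)` line, but the upstream x11perf commit that this same revision adds to data/spu-candidates.txt is not recorded here as a NOTE; put that cgit URL on a `NOTE:` line under the CVE so the fix is traceable from the CVE entry itself and not only from the spu candidates list.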
@@ -16194,9 +16191,8 @@
 	[lenny] - glibc <no-dsa> (Minor issue)
 	NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=8126d90480fa
 CVE-2011-1658 (ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier ...)
-	- eglibc <unfixed>
-	- glibc <removed>
-	TODO: check
+	- eglibc <unfixed> (low; bug #672119)
+	[squeeze] - eglibc <no-dsa> (Minor issue)
 CVE-2011-1657 (The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions ...)
 	- php5 <unfixed> (unimportant)
 	NOTE: safe mode not supported
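Review bot: the `- glibc <removed>` line for CVE-2011-1658 is dropped together with the TODO, and neither the hunk nor the commit log ("filed bug for eglibc ORIGIN issue") says why; `<removed>` entries are kept so the removed source package's status stays on record for the suites that shipped it, so either restore the line or record why it is no longer wanted. The eglibc change itself (bug #672119 plus `[squeeze] - eglibc <no-dsa> (Minor issue)`) matches the spu-candidates addition in this commit.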

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt	2012-05-08 10:39:24 UTC (rev 19172)
+++ data/spu-candidates.txt	2012-05-08 17:42:29 UTC (rev 19173)
@@ -91,7 +91,10 @@
 
 CVE-2011-4609
 
+CVE-2011-1658
+#672119
 
+
 --
 
 fabric (CVE-2011-2185)
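Review bot: the new spu-candidates entry `CVE-2011-1658` / `#672119` names no package, so a reader has to open the bug to learn it concerns eglibc; the adjacent `CVE-2011-4609` line is also bare, but entries further down use the `package (CVE-id)` form (`fabric (CVE-2011-2185)`, and `x11-apps (CVE-2011-2504)` added in this same commit), so `eglibc (CVE-2011-1658)` would be clearer. The extra empty line added before the `--` separator also leaves two blank lines where the surrounding entries have one.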
@@ -431,6 +434,11 @@
 
 --
 
+x11-apps (CVE-2011-2504)
+http://cgit.freedesktop.org/xorg/app/x11perf/commit/?id=fefc834c419085b2db3b2d7d57bdbfe240d1b75c
+
+--
+
 nss (CVE-2011-XXXX)
 https://bugzilla.mozilla.org/show_bug.cgi?id=641052
 



