[Secure-testing-commits] r20213 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Sat Sep 22 11:51:38 UTC 2012


Author: jmm
Date: 2012-09-22 11:51:38 +0000 (Sat, 22 Sep 2012)
New Revision: 20213

Modified:
   data/CVE/list
Log:
record old disputed gitweb issue
no-dsa: libxslt, libcap2, util-linux
new jenkins issues
older php zip issue also affects libzip
mysql fixed
imp fixed
chromium unfixed for TLS compression issue


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2012-09-22 11:11:37 UTC (rev 20212)
+++ data/CVE/list	2012-09-22 11:51:38 UTC (rev 20213)
@@ -179,7 +179,9 @@
 	TODO: check chromium
 CVE-2012-4929 (The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google ...)
 	- iceweasel <not-affected> (Firefox ESV not use TLS/SSL compression)
-	TODO: check openssl and chromium
+	- chromium-browser <unfixed>
+	NOTE: Chromium fix: https://chromiumcodereview.appspot.com/10825183/
+	TODO: check openssl
 CVE-2012-4928 (Cross-site scripting (XSS) vulnerability in ow_updates/index.php in ...)
 	NOT-FOR-US: Oxwall 1.1.1
 CVE-2012-4927 (SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before ...)
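Review bot: the new `- chromium-browser <unfixed>` line under CVE-2012-4929 has no bug reference, while the jenkins entries later in this commit all cite one (bug #688298). Add the bug number once one is filed so the open status can be followed up. The NOTE links the Chromium code review but does not say which Chromium version carries the fix; recording that would make it easier to close the entry later.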
@@ -1617,29 +1619,24 @@
 	NOTE: CVE-request http://www.openwall.com/lists/oss-security/2012/09/20/7
 CVE-2012-4441 [jenkins XSS in CI game plugin]
 	RESERVED
-	TODO: check
+	- jenkins <unfixed> (bug #688298)
 	NOTE: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-	NOTE: http://www.openwall.com/lists/oss-security/2012/09/21/1
 CVE-2012-4440 [jenkins XSS in Violations plugin]
 	RESERVED
-	TODO: check
+	- jenkins <unfixed> (bug #688298)
 	NOTE: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-	NOTE: http://www.openwall.com/lists/oss-security/2012/09/21/1
 CVE-2012-4439 [jenkins XSS]
 	RESERVED
-	TODO: check
+	- jenkins <unfixed> (bug #688298)
 	NOTE: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-	NOTE: http://www.openwall.com/lists/oss-security/2012/09/21/1
 CVE-2012-4438 [jenkins remote code execution]
 	RESERVED
-	TODO: check
+	- jenkins <unfixed> (bug #688298)
 	NOTE: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-	NOTE: http://www.openwall.com/lists/oss-security/2012/09/21/1
 CVE-2012-4437 [Smarty / php-Smarty: XSS in Smarty exception messages]
 	RESERVED
 	- smarty3 <unfixed> (bug #688153)
 	- smarty <not-affected> (Vulnerable code not present)
-	TODO: check
 	NOTE: http://www.openwall.com/lists/oss-security/2012/09/19/1
 	NOTE: http://secunia.com/advisories/50589/
 	NOTE: http://code.google.com/p/smarty-php/source/browse/trunk/distribution/change_log.txt
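Review bot: CVE-2012-4441 and CVE-2012-4440 are titled as flaws in the CI game and Violations plugins, yet both are recorded as `- jenkins <unfixed> (bug #688298)`, the same as the core XSS and remote code execution entries. If those plugins are not shipped in the jenkins source package, these two entries need a different status. The hunk also drops the oss-security NOTE from all four jenkins entries and the TODO from CVE-2012-4437, neither of which is mentioned in the log.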
@@ -1647,19 +1644,16 @@
 CVE-2012-4436 [local buffer overflow in --last processing with a maliciously constructed ~/.fwknop.run file]
 	RESERVED
 	- fwknop <unfixed> (bug #688151)
-	TODO: check
 	NOTE: http://seclists.org/oss-sec/2012/q3/509
 	NOTE: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=a60f05ad44e824f6230b22f8976399340cb535dc
 CVE-2012-4435 [fwknop 2.0.3: server did not properly validate allow IP addresses ... ]
 	RESERVED
 	- fwknop <unfixed> (bug #688151)
-	TODO: check
 	NOTE: http://seclists.org/oss-sec/2012/q3/509
 	NOTE: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=f4c16bc47fc24a96b63105556b62d61c1ba7d799
 CVE-2012-4434 [fwknop 2.0.3: multiple DoS / code execution flaw]
 	RESERVED
 	- fwknop <unfixed> (bug #688151)
-	TODO: check
 	NOTE: http://seclists.org/oss-sec/2012/q3/509
 	NOTE: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=d46ba1c027a11e45821ba897a4928819bccc8f22
 CVE-2012-4433
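Review bot: the `TODO: check` lines removed from CVE-2012-4436, CVE-2012-4435 and CVE-2012-4434 are not covered by the log message, which lists gitweb, the no-dsa packages, jenkins, libzip, mysql, imp and chromium only. A one-line mention of the fwknop triage in the log would keep the change traceable.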
@@ -5450,7 +5444,8 @@
 	- chromium-browser 20.0.1132.43~r143823-1
 	[squeeze] - chromium-browser <not-affected>
 CVE-2012-2825 (The XSL implementation in Google Chrome before 20.0.1132.43 allows ...)
-	- libxslt 1.1.26-13 (bug #679283)
+	- libxslt 1.1.26-13 (low; bug #679283)
+	[squeeze] - libxslt <no-dsa> (Minor issue)
 CVE-2012-2824 (Use-after-free vulnerability in Google Chrome before 20.0.1132.43 ...)
 	- chromium-browser 20.0.1132.43~r143823-1
 	[squeeze] - chromium-browser <not-affected>
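Review bot: the rationale `(Minor issue)` on the new `[squeeze] - libxslt <no-dsa>` line does not say what makes CVE-2012-2825 minor, and the visible description only speaks of the XSL implementation in Chrome. State the concrete reason in the parentheses, as the maradns entry does with `(Minor DNS protocol flaw)`, so the no-dsa decision can be re-checked later.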
@@ -8569,7 +8564,6 @@
 CVE-2012-1571 (file before 5.11 and libmagic allow remote attackers to cause a denial ...)
 	{DSA-2422-1}
 	- file 5.11-1 (low; bug #664263)
-	[squeeze] - file 5.04-5+squeeze1
 CVE-2012-1570 (The resolver in MaraDNS before 1.3.0.7.15 and 1.4.x before 1.4.12 ...)
 	- maradns 1.4.12-1 (bug #665012)
 	[squeeze] - maradns <no-dsa> (Minor DNS protocol flaw)
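Review bot: the removal of `[squeeze] - file 5.04-5+squeeze1` under CVE-2012-1571 is not mentioned in the log and leaves the entry without an explicit squeeze fixed version. If that version is meant to come from the `{DSA-2422-1}` tag, say so in the log message; otherwise keep the line.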
@@ -15171,6 +15165,7 @@
 CVE-2011-4099
 	RESERVED
 	- libcap2 1:2.22-1 (low)
+	[squeeze] - libcap2 <no-dsa> (Minor issue)
 CVE-2011-4098
 	RESERVED
 CVE-2011-4097 (Integer overflow in the oom_badness function in mm/oom_kill.c in the ...)
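Review bot: CVE-2011-4099 is still RESERVED with no description and no NOTE, so the new `[squeeze] - libcap2 <no-dsa> (Minor issue)` line gives no indication of what the issue is. Add a NOTE with a reference to the bug or upstream report so the no-dsa decision can be checked against something.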
@@ -20925,6 +20920,7 @@
 	[squeeze] - xscreensaver <not-affected> (introduced in 5.13)
 CVE-2011-2186
 	RESERVED
+	NOTE: Disputed gitweb non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=713298
 CVE-2011-2181 (Multiple SQL injection vulnerabilities in A Really Simple Chat (ARSC) ...)
 	NOT-FOR-US: A Really Simple Chat
 CVE-2011-2180 (Cross-site scripting (XSS) vulnerability in dereferer.php in A Really ...)
@@ -22424,11 +22420,13 @@
 	NOTE: cifs-utils was split off from the samba source package with 2:3.4.7~dfsg-2, so marking it as fixed
 	NOTE: http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=f6eae44a3d05b6515a59651e6bed8b6dde689aec
 CVE-2011-1677 (mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ ...)
-	- util-linux 2.20.1-1
+	- util-linux 2.20.1-1 (low)
+	[squeeze] - util-linux <no-dsa> (Minor issue)
 CVE-2011-1676 (mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp ...)
 	NOTE: This was found to be a non-issue, see http://thread.gmane.org/gmane.comp.security.oss.general/4374/focus=4983
 CVE-2011-1675 (mount in util-linux 2.19 and earlier attempts to append to the ...)
-	- util-linux 2.20.1-1
+	- util-linux 2.20.1-1 (low)
+	[squeeze] - util-linux <no-dsa> (Minor issue)
 CVE-2011-1674 (The NetGear ProSafe WNAP210 with firmware 2.0.12 allows remote ...)
 	NOT-FOR-US: NetGear ProSafe WNAP210
 CVE-2011-1673 (BackupConfig.php on the NetGear ProSafe WNAP210 allows remote ...)
@@ -22750,8 +22748,7 @@
 CVE-2011-1555 (SQL injection vulnerability in saa.php in Andy's PHP Knowledgebase ...)
 	NOT-FOR-US: Aphpkb
 CVE-2010-4778 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
-	- imp4 <removed>
-	TODO: check
+	- imp4 4.3.10+debian0-1
 CVE-2011-1554 (Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before ...)
 	{DSA-2388-1}
 	- t1lib 5.1.2-3.5
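Review bot: under CVE-2010-4778, `- imp4 <removed>` is replaced by a fixed version, `4.3.10+debian0-1`, with no NOTE that backs it up. Add a NOTE pointing at the upstream changelog or the commit that fixes the XSS so the version can be checked.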
@@ -26178,6 +26175,8 @@
 	{DSA-2266-1}
 	- php5 5.3.6-1
 	NOTE: http://svn.php.net/viewvc?view=revision&revision=307867
+	- libzip 0.10-1
+	NOTE: http://hg.nih.at/libzip/?fd=13654bfdc88c;file=lib/zip_name_locate.c
 CVE-2011-0420 (The grapheme_extract function in the Internationalization extension ...)
 	{DSA-2266-1}
 	- php5 <unfixed> (unimportant)
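Review bot: the new `- libzip 0.10-1` line has no `[squeeze]` status, and the `{DSA-2266-1}` tag on this entry appears to cover php5 only, so the stable state of libzip is left open. Add a squeeze line for libzip. The libzip package line is also placed after the php5 NOTE; keeping the package lines together ahead of the NOTEs would read more clearly.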
@@ -27836,8 +27835,7 @@
 CVE-2009-5027
 	RESERVED
 CVE-2009-5026 (The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x ...)
-	- mysql-5.1 <removed>
-	TODO: check
+	- mysql-5.1 5.1.53-1
 CVE-2009-5025 [PyForum XSS+CSRF]
 	RESERVED
 	NOT-FOR-US: PyForum
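Review bot: the description of CVE-2009-5026 names both MySQL 5.0.x before 5.0.93 and 5.1.x, but only `mysql-5.1` is tracked, and the new fixed version `5.1.53-1` comes with no NOTE that supports it. Add a reference for the fixed version and record the status of the 5.0 branch if it applies to a tracked package.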



