[Secure-testing-commits] r22373 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Mon May 27 16:33:07 UTC 2013 

Author: jmm
Date: 2013-05-27 16:33:07 +0000 (Mon, 27 May 2013)
New Revision: 22373

Modified:
   data/CVE/list
Log:
fixup python/ssl CVE ID assignment mess, no-dsa
gallery not-affected
sort out mysql IDs: one already fixed, the other three no-dsa until fixed in Oracle MySQL CPUs
wordpress, pyrad, mediawiki, openjdk no-dsa
one java issue unimportant
jquery-jplayer fixed
NFU


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2013-05-27 08:24:35 UTC (rev 22372)
+++ data/CVE/list	2013-05-27 16:33:07 UTC (rev 22373)
@@ -3513,7 +3513,11 @@
 	[squeeze] - linkchecker <no-dsa> (Minor issue)
 	[wheezy] - linkchecker <no-dsa> (Minor issue)
 	- python3.2 <unfixed> (low; bug #708530)
+	[wheezy] - python3.2 <no-dsa> (Minor issue)
 	- python3.3 <unfixed> (low; bug #708530)
+	- python2.6 <not-affected> (Introduced in Python 3.2)
+	- python2.5 <not-affected> (Introduced in Python 3.2)
+	- python3.1 <not-affected> (Introduced in Python 3.2)
 	- bzr 2.6.0~bzr6574-1 (low; bug #709068)
 	[squeeze] - bzr <no-dsa> (Minor issue)
 	[wheezy] - bzr <no-dsa> (Minor issue)
@@ -3528,13 +3532,7 @@
 CVE-2013-2098
 	RESERVED
 	NOTE: http://www.openwall.com/lists/oss-security/2013/05/16/5
-	- python2.7 <not-affected> (Introduced in Python 3.2)
-	- python2.6 <not-affected> (Introduced in Python 3.2)
-	- python2.5 <not-affected> (Introduced in Python 3.2)
-	- python3.1 <not-affected> (Introduced in Python 3.2)
-	- python3.2 <unfixed> (low)
-	- python3.3 <unfixed> (low)
-	TODO: is python-backports-ssl_match_hostname packaged/included somewhere?
+	NOTE: This ID is solely for the backport, CVE-2013-2099 is for standard Python
 CVE-2013-2097 [zPanel themes remote command execution as root]
 	RESERVED
 	NOT-FOR-US: zPanel
@@ -3567,8 +3565,7 @@
 	RESERVED
 CVE-2013-2087 [gallery: multiple xss]
 	RESERVED
-	- gallery <unfixed>
-	TODO: check if affects 1.5.10.dfsg-1.1 and report bug
+	- gallery <not-affected> (Vulnerable code not present)
 CVE-2013-2086 [owncloud: oC-SA-2013-027]
 	RESERVED
 	- owncloud <not-affected> (Only owncloud 5.0.x)
@@ -3635,7 +3632,7 @@
 	[squeeze] - nginx <not-affected> (Vulnerable code not present)
 CVE-2013-2069
 	RESERVED
-	TODO: check
+	NOT-FOR-US: Red Hat livecd-tools
 	NOTE: http://www.openwall.com/lists/oss-security/2013/05/23/2
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=964299
 CVE-2013-2068
@@ -3757,11 +3754,15 @@
 	- jenkins <unfixed> (bug #706725)
 CVE-2013-2032 [Extensions can't fully block password changes]
 	RESERVED
-	- mediawiki 1:1.19.6-1 (bug #706601)
+	- mediawiki 1:1.19.6-1 (low; bug #706601)
+	[wheezy] - mediawiki <no-dsa> (Minor issue)
+	[squeeze] - mediawiki <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=46590
 CVE-2013-2031 [SVG JavaScript detection bypass]
 	RESERVED
 	- mediawiki 1:1.19.6-1 (bug #706601)
+	[wheezy] - mediawiki <no-dsa> (Minor issue)
+	[squeeze] - mediawiki <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=47304
 CVE-2013-2030 [Nova uses insecure keystone middleware tmpdir by default]
 	RESERVED
@@ -3787,10 +3788,9 @@
 	NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg00000.html
 CVE-2013-2023
 	RESERVED
-	- jquery-jplayer 2.3.0-1
+	- jquery-jplayer 2.1.0-2
 	NOTE: used for jPlayer 2.2.23 XSS
 	NOTE: http://www.openwall.com/lists/oss-security/2013/05/05/3
-	TODO: check if 2.1.0-2 already fixed this issue
 CVE-2013-2022
 	RESERVED
 	- jquery-jplayer 2.1.0-2
@@ -4351,9 +4351,9 @@
 	- apache2 <unfixed> (unimportant)
 	NOTE: Such injection issues are not treated as security issues
 CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, ...)
-	- mysql-5.5 <unfixed> (bug #706715)
-	- mysql-5.1 <removed>
-	[squeeze] - mysql-5.1 <unfixed> (bug #706715)
+	- mysql-5.5 <unfixed> (low; bug #706715)
+	[wheezy] - mysql-5.5 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.5.x)
+	- mysql-5.1 <removed> (low; bug #706715)
 	NOTE: https://mariadb.atlassian.net/browse/MDEV-4252
 CVE-2013-1860 (Heap-based buffer overflow in the wdm_in_callback function in ...)
 	{DSA-2668-1}
@@ -5280,7 +5280,7 @@
 CVE-2013-1524 (Unspecified vulnerability in the Oracle Application Object Library ...)
 	NOT-FOR-US: Oracle E-Business Suite
 CVE-2013-1523 (Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier and ...)
-	- mysql-5.5 <unfixed>		
+	- mysql-5.5 5.5.30+dfsg-1
 	- mysql-5.1 <not-affected> (Only affects MySQL 5.5 and 5.6)
 CVE-2013-1522 (Unspecified vulnerability in the Oracle WebCenter Content component in ...)
 	NOT-FOR-US: Oracle Fusion Middleware
@@ -8396,7 +8396,9 @@
 	- linux-2.6 <removed> (low)
 CVE-2013-0342 [CreateID() creates serialized packet IDs for RADIUS]
 	RESERVED
-	- pyrad <unfixed> (bug #701151)
+	- pyrad <unfixed> (low; bug #701151)
+	[wheezy] - pyrad <no-dsa> (Minor issue)
+	[squeeze] - pyrad <no-dsa> (Minor issue)
 	NOTE: this is initially related to #700669
 CVE-2013-0341
 	RESERVED
@@ -10491,7 +10493,9 @@
 CVE-2012-5869
 	RESERVED
 CVE-2012-5868 (WordPress 3.4.2 does not invalidate a wordpress_sec session cookie ...)
-	- wordpress <unfixed> (bug #696868)
+	- wordpress <unfixed> (low; bug #696868)
+	[squeeze] - wordpress <no-dsa> (Minor issue)
+	[wheezy] - wordpress <no-dsa> (Minor issue)
 CVE-2012-5867
 	RESERVED
 CVE-2012-5866
@@ -11158,6 +11162,7 @@
 	RESERVED
 	- mysql-5.1 <unfixed> (low)
 	- mysql-5.5 <unfixed> (low)
+	[wheezy] - mysql-5.5 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.5.x)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=883719
 CVE-2012-5626
 	RESERVED
@@ -11195,6 +11200,7 @@
 CVE-2012-5615 (MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a, 5.3.11, ...)
 	- mysql-5.1 <unfixed> (low; bug #695001)
 	- mysql-5.5 <unfixed> (low; bug #695001)
+	[wheezy] - mysql-5.5 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.5.x)
 	NOTE: https://mariadb.atlassian.net/browse/MDEV-3909
 	NOTE: http://seclists.org/fulldisclosure/2012/Dec/9
 CVE-2012-5614 (Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB ...)
@@ -11813,8 +11819,10 @@
 	- linux-2.6 <unfixed> (unimportant)
 	NOTE: btrfs support in Squeeze/Wheezy is not ready for production use
 CVE-2012-5373 (Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash ...)
-	- openjdk-6 <unfixed>
-	- openjdk-7 <unfixed>
+	- openjdk-6 <unfixed> (low)
+	[squeeze] - openjdk-6 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
+	[wheezy] - openjdk-6 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
+	- openjdk-7 <unfixed> (low)
 CVE-2012-5372 (Rubinius computes hash values without properly restricting the ability ...)
 	- rubinius  <itp> (bug #591817)
 CVE-2012-5371 (Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes ...)
@@ -18797,8 +18805,9 @@
 CVE-2012-2740 (SQL injection vulnerability in public_html/lists/admin in phpList ...)
 	NOT-FOR-US: phplist
 CVE-2012-2739 (Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 ...)
-	- openjdk-6 <unfixed>
+	- openjdk-6 <unfixed> (unimportant)
 	- openjdk-7 <unfixed>
+	NOTE: Upstream disputes this and states it needs to be fixed in Java apps itself
 	NOTE: http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html
 	NOTE: http://armoredbarista.blogspot.de/2012/02/investigating-hashdos-issue.html
 	NOTE: http://www.openwall.com/lists/oss-security/2012/06/15/12

More information about the Secure-testing-commits mailing list