[Secure-testing-commits] r37391 - data/CVE

Henri Salo fgeek-guest at moszumanska.debian.org
Wed Oct 28 06:04:26 UTC 2015


Author: fgeek-guest
Date: 2015-10-28 06:04:26 +0000 (Wed, 28 Oct 2015)
New Revision: 37391

Modified:
   data/CVE/list
Log:
Cleanup double space after dot in notes to improve readability.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-10-28 05:25:12 UTC (rev 37390)
+++ data/CVE/list	2015-10-28 06:04:26 UTC (rev 37391)
@@ -10278,7 +10278,7 @@
 	[squeeze] - python2.5 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue17997#msg194950
 	NOTE: https://hg.python.org/cpython/rev/10d0edadbcdd
-	NOTE: The CVE is only about refusing multiple wildcards.  Backporting that part only is not so difficult.
+	NOTE: The CVE is only about refusing multiple wildcards. Backporting that part only is not so difficult.
 CVE-2015-4047 (racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause ...)
 	{DSA-3272-1 DLA-234-1}
 	- ipsec-tools 1:0.8.2+20140711-3 (bug #785778)
@@ -15242,7 +15242,7 @@
 	NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8 (v2.2.0-rc2)
 	NOTE: http://www.openwall.com/lists/oss-security/2015/03/24/4
 	NOTE: Per maintainer not a security issue:
-	NOTE: Qemu either leaks memory or loops infinitely.  Memory leakage can be easily
+	NOTE: Qemu either leaks memory or loops infinitely. Memory leakage can be easily
 	NOTE: mitigated using some kind of resource limits in security-sensitive environments,
 	NOTE: and looping can trivially be done inside the virtual machine just fine, achieving
 	NOTE: the same effect
@@ -89245,7 +89245,7 @@
 CVE-2011-3572
 	RESERVED
 CVE-2011-3571 (Unspecified vulnerability in the Virtual Desktop Infrastructure (VDI) ...)
-	NOTE: CVE was misused by Oracle.  Replaced by CVE-2012-0507.
+	NOTE: CVE was misused by Oracle. Replaced by CVE-2012-0507.
 CVE-2011-3570 (Unspecified vulnerability in Oracle Communications Unified 7.0 allows ...)
 	NOT-FOR-US: Oracle Communications Unified
 CVE-2011-3569 (Unspecified vulnerability in the Oracle Web Services Manager component ...)
@@ -107657,7 +107657,7 @@
 	NOTE: https://bugs.webkit.org/show_bug.cgi?id=43461
 	NOTE: the problem is that the standard-library strtod()
 	NOTE: parses "NAN(payload)" as a NaN with a user-defined payload, which is bad for the nan-boxing
-	NOTE: scheme used by webkit (and mozilla).  The fix is not to accept "NAN(payload)".
+	NOTE: scheme used by webkit (and mozilla). The fix is not to accept "NAN(payload)".
 	NOTE: test-case: -parseFloat("NAN(ffffeeeeeff0f)")
 	NOTE: reproduced with epiphany
 CVE-2010-1806 (Use-after-free vulnerability in Apple Safari 4.x before 4.1.2 and 5.x ...)
@@ -115220,7 +115220,7 @@
 CVE-2009-3850 (Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to ...)
 	- blender <unfixed> (unimportant)
 	NOTE: attack vector is social engineering to get the user to open
-	NOTE: a malicious .blend file.  by design, blend files support
+	NOTE: a malicious .blend file. by design, blend files support
 	NOTE: all python operations, so ultimately any code can be executed
 CVE-2009-3849 (Multiple stack-based buffer overflows in HP OpenView Network Node ...)
 	NOT-FOR-US: HP OpenView Network Node Manager
@@ -126057,7 +126057,7 @@
 	NOTE: Original fix was incomplete/risky, see:
 	NOTE: <http://marc.info/?l=linux-kernel&m=123540732700371&w=2>
 	NOTE: Reproducer in <https://bugzilla.redhat.com/show_bug.cgi?id=486305>
-	NOTE: lacks initialzer for len.  Leak confirmed with fixed reproducer.
+	NOTE: lacks initialzer for len. Leak confirmed with fixed reproducer.
 CVE-2009-0675 (The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux ...)
 	{DSA-1794-1 DSA-1787-1 DSA-1749-1}
 	- linux-2.6 2.6.29-1 (low)
@@ -126298,8 +126298,8 @@
 	NOTE: hardly a security issue, if an attacker has local access to the machine and you
 	NOTE: don't use encryption or something similar you have lost anyway
 	NOTE: - this ^ philosophy is flawed; it should not be trivial to get root just because you
-	NOTE:   have local access to the machine.  it is worth it to make it as difficult as
-	NOTE:   possible without impacting authorized users.  otherwise, why spend so much effort
+	NOTE:   have local access to the machine. it is worth it to make it as difficult as
+	NOTE:   possible without impacting authorized users. otherwise, why spend so much effort
 	NOTE:   to make sure xscreensaver, gdm, and login are rock solid?
 	NOTE: - i would like to track as low, rather than unimportant
 CVE-2009-0753 (Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7 ...)
@@ -133197,7 +133197,7 @@
 	{DSA-1638-1 CVE-2006-5051}
 	- openssh 1:4.6p1-1 (low)
 	NOTE: The patch backported for CVE-2006-5051 was incorrect and did not
-	NOTE: fully address the issue.  The upstream fix in 4.4p1 was
+	NOTE: fully address the issue. The upstream fix in 4.4p1 was
 	NOTE: right, and it the next unstable upload after that was 4.6p1.
 CVE-2008-4100 (GNU adns 1.4 and earlier uses a fixed source port and sequential ...)
 	- adns 1.4-2 (unimportant; bug #492698)
@@ -134507,14 +134507,14 @@
 	NOTE: Comment from tytso:
 	NOTE: Note: some people thinks this represents a security bug, since it
 	NOTE: might make the system go away while it is printing a large number of
-	NOTE: console messages, especially if a serial console is involved.  Hence,
+	NOTE: console messages, especially if a serial console is involved. Hence,
 	NOTE: it has been assigned CVE-2008-3528, but it requires that the attacker
 	NOTE: either has physical access to your machine to insert a USB disk with a
 	NOTE: corrupted filesystem image (at which point why not just hit the power
 	NOTE: button), or is otherwise able to convince the system administrator to
 	NOTE: mount an arbitrary filesystem image (at which point why not just
 	NOTE: include a setuid shell or world-writable hard disk device file or some
-	NOTE: such).  Me, I think they're just being silly.
+	NOTE: such). Me, I think they're just being silly.
 CVE-2008-3527 (arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects ...)
 	{DSA-1687-1}
 	- linux-2.6 2.6.21-1
@@ -137349,7 +137349,7 @@
 CVE-2008-2320 (Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11 ...)
 	NOT-FOR-US: Apple Mac OS X
 	NOTE: the original apple advisory (HT3613) is completely different from the current CVE
-	NOTE: description.  it claims that this is a webkit issue, which is completely wrong
+	NOTE: description. it claims that this is a webkit issue, which is completely wrong
 CVE-2008-2319
 	RESERVED
 CVE-2008-2318 (The WOHyperlink implementation in WebObjects in Apple Xcode tools ...)
@@ -148585,7 +148585,7 @@
 	[sarge] - openssh <no-dsa> (minor issue in weak security measure)
 	NOTE: An exploit needs limited control over the machine running a
 	NOTE: trusted X client, so this is only a slight privilege
-	NOTE: escalation.  The X Security extension is merely an afterthought
+	NOTE: escalation. The X Security extension is merely an afterthought
 	NOTE: and is unlikely to provide strong security guarantees.
 CVE-2007-4748 (Buffer overflow in the PowerPlayer.dll ActiveX control in PPStream ...)
 	NOT-FOR-US: PowerPlayer
@@ -153256,7 +153256,7 @@
 	{DSA-1316-1}
 	- emacs21 21.4a+1-5.1 (bug #408929; low)
 	- emacs-snapshot <removed>
-	NOTE: The bug is not present in emacs22 22.2+1-1.  It was probably
+	NOTE: The bug is not present in emacs22 22.2+1-1. It was probably
 	NOTE: fixed before the first emacs22 upload.
 CVE-2007-2832 (Cross-site scripting (XSS) vulnerability in the web application ...)
 	NOT-FOR-US: Cisco
@@ -154399,7 +154399,7 @@
 	NOT-FOR-US: Microsoft Atlas
 CVE-2007-2379 (The jQuery framework exchanges data using JavaScript Object Notation ...)
 	- jquery <unfixed> (unimportant)
-	NOTE: the paper in this reference is a guideline on how to avoid writing unsafe jquery applications.  there really isn't anything to fix in the library itself.
+	NOTE: the paper in this reference is a guideline on how to avoid writing unsafe jquery applications. there really isn't anything to fix in the library itself.
 	NOTE: https://www.fortify.com/vulncat/en/vulncat/javascript/javascript_hijacking_ad_hoc_ajax.html
 CVE-2007-2378 (The Google Web Toolkit (GWT) framework exchanges data using JavaScript ...)
 	- gwt <removed> (unimportant; bug #563542)
@@ -155998,7 +155998,7 @@
 	[etch] - php4 6:4.4.4-8+etch1
 	[sarge] - php4 4:4.3.10-21
 	NOTE: This was fixed as a side-effect of previous security fixes, noting the
-	NOTE: status as of DSA-1286 as fixed version.  likewise the oldstable
+	NOTE: status as of DSA-1286 as fixed version. likewise the oldstable
 	NOTE: version was fixed.
 CVE-2007-1699 (Multiple PHP remote file inclusion vulnerabilities in the SWmenu ...)
 	NOT-FOR-US: Mambo module SWmenu
@@ -160040,7 +160040,7 @@
 	[sarge] - slocate <not-affected> (Performs correct access checks)
 	[etch] - slocate <no-dsa> (Minor issue)
 	NOTE: slocate will allow users to find files in directories with the
-	NOTE: executable bit set but without the readable bit set.  This is
+	NOTE: executable bit set but without the readable bit set. This is
 	NOTE: an information leak.
 CVE-2007-0226 (SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier ...)
 	NOT-FOR-US: uniForum
@@ -161005,7 +161005,7 @@
 	- sun-java5 1.5.0-08-1
 CVE-2006-6730 (OpenBSD and NetBSD permit usermode code to kill the display server and ...)
 	NOTE: Access to DMA-capable hardware such as graphics cards can,
-	NOTE: by design, bypass security restrictions.  Not a real issue.
+	NOTE: by design, bypass security restrictions. Not a real issue.
 CVE-2006-6729 (Cross-site scripting (XSS) vulnerability in a-blog 1.51 and earlier ...)
 	NOT-FOR-US: a-blog
 CVE-2006-6728 (Unspecified vulnerability in the info request mechanism in LAN ...)
@@ -170322,7 +170322,7 @@
 	- php4 4:4.4.4-1 (unimportant)
 	- php5 5.1.6-1 (unimportant)
 	NOTE: using a long enough path (>MAXPATHLEN) allows you to have
-	NOTE: tempnam create a file without the temp extension.  sounds like
+	NOTE: tempnam create a file without the temp extension. sounds like
 	NOTE: another shoot yourself in the foot issue, since the local user
 	NOTE: could just as easily create the file manually, and if the
 	NOTE: tempnam function is taking unsanitized input, it's an
@@ -171120,8 +171120,8 @@
 	- pygresql 3.8-1.1 (medium)
 	[sarge] - pygresql <not-affected> (Already includes proper quoting)
 	NOTE: Beginning with version 7.5.4, postgresql is a transition
-	NOTE: package which does not contain actual code.  That's why
-	NOTE: it's marked as fixed here.  (Previous versions are vulnerable.)
+	NOTE: package which does not contain actual code. That's why
+	NOTE: it's marked as fixed here. (Previous versions are vulnerable.)
 	NOTE: The following packages needed to adapted to cope with the new system:
 	NOTE: psycopg 1.1.21-5 (bug #369230)
 	NOTE: python-pgsql 2.4.0-8 (bug #369250)
@@ -171134,8 +171134,8 @@
 	- postgresql-7.4 1:7.4.13-1 (high)
 	- postgresql-8.1 8.1.4-1 (high)
 	NOTE: Beginning with version 7.5.4, postgresql is a transition
-	NOTE: package which does not contain actual code.  That's why
-	NOTE: it's marked as fixed here.  (Previous versions are vulnerable.)
+	NOTE: package which does not contain actual code. That's why
+	NOTE: it's marked as fixed here. (Previous versions are vulnerable.)
 CVE-2006-2312 (Argument injection vulnerability in the URI handler in Skype 2.0.*.104 ...)
 	NOT-FOR-US: Skype
 CVE-2006-2311 (Cross-site scripting (XSS) vulnerability in BlueDragon Server and ...)
@@ -171606,7 +171606,7 @@
 	[sarge] - trac <unfixed> (medium)
 	NOTE: http://trac.edgewall.org/changeset/3201
 	NOTE: http://trac.edgewall.org/changeset/3287
-	NOTE: the second reference fixes a regression in the first.  i *believe*
+	NOTE: the second reference fixes a regression in the first. i *believe*
 	NOTE: that these correctly solve the problem, though we really ought
 	NOTE: to run this by upstream or the reporter.
 CVE-2006-2105 (Directory traversal vulnerability in index.php in Jupiter CMS 1.1.4 ...)
@@ -175527,7 +175527,7 @@
 	- bind 1:8.4.7-1 (low)
 	[sarge] - bind <no-dsa> (Architectual limitatiom, upgrade to BIND 9 as a a fix)
 	NOTE: BIND 8 is unsuitable for forwarder use because of its
-	NOTE: architecture.  Upgrade to BIND 9 as a fix.
+	NOTE: architecture. Upgrade to BIND 9 as a fix.
 	NOTE: This was fixed in sid by documenting it as an unfixable design limitation
 CVE-2006-0526 (The default configuration of the America Online (AOL) client software ...)
 	NOT-FOR-US: AOL
@@ -177598,7 +177598,7 @@
 	[sarge] - trac <unfixed> (medium)
 	NOTE: upstream bts at http://trac.edgewall.org/ticket/2473 claims this is
 	NOTE: fixed in http://trac.edgewall.org/changeset/2724 but it's a fairly
-	NOTE: invasive set of patches to backport.  basically most instances
+	NOTE: invasive set of patches to backport. basically most instances
 	NOTE: of input being escape()'d are no longer done so, and instead a
 	NOTE: Markup() function replaces them, and special checks are done
 	NOTE: on rendered HTML output to prevent XSS code from being displayed.
@@ -180260,7 +180260,7 @@
 	[sarge] - php4 <no-dsa> (Safe mode violations not supported)
 	- php5 5.1.1-1 (bug #336654; low)
 	NOTE: According to CVE, this is a safe mode violation,
-	NOTE: therefore low impact.  (According to SuSE, it's an
+	NOTE: therefore low impact. (According to SuSE, it's an
 	NOTE: information leak.)
 CVE-2005-3391 (Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to ...)
 	- php4 4:4.4.2-1 (bug #336645; bug #354678; low)
@@ -185089,7 +185089,7 @@
 CVE-2002-1976 (ifconfig, when used on the Linux kernel 2.2 and later, does not report ...)
 	- net-tools <unfixed> (unimportant)
 	NOTE: This seems to be a misunderstanding of what the PROMISC flag
-	NOTE: is about.  ifconfig reports properly when it is set using
+	NOTE: is about. ifconfig reports properly when it is set using
 	NOTE: "ifconfig promisc".
 CVE-2002-1975 (Sharp Zaurus PDA SL-5000D and SL-5500 uses a salt of "A0" to encrypt ...)
 	NOT-FOR-US: Zaurus hardware
@@ -195595,7 +195595,7 @@
 	[sarge] - openssh <no-dsa> (Minor issue)
 	NOTE: The directory traversal part has been fixed in OpenSSH 3.9p1.
 	NOTE: The "SUID/SGID across trust boundaries" issue remains, but is
-	NOTE: largely theoretic.  This is a rediscovery of CVE-2000-0992.
+	NOTE: largely theoretic. This is a rediscovery of CVE-2000-0992.
 	NOTE: jmm: 3.9p1 thus marked as fixed version
 CVE-2004-0174 (Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using ...)
 	- apache 1.3.29.0.2-5
@@ -197578,7 +197578,7 @@
 	NOT-FOR-US: Historic mutt and Balsa issues, only a crasher anyway
 CVE-2003-0298 (The IMAP Client for Mozilla 1.3 and 1.4a allows remote malicious IMAP ...)
 	- mozilla 2:1.5-1
-	NOTE: May have been fixed in an earlier version.  Not clear how
+	NOTE: May have been fixed in an earlier version. Not clear how
 	NOTE: Mozilla's a/b versions map to the Debian version.
 CVE-2003-0297 (c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows ...)
 	- uw-imap 7:2002c




More information about the Secure-testing-commits mailing list