[Secure-testing-commits] r8393 - data/CVE

2008-03-24 Thread thijs
Author: thijs
Date: 2008-03-24 10:59:34 +0000 (Mon, 24 Mar 2008)
New Revision: 8393

Modified:
   data/CVE/list
Log:
otrs issue not relevant for sarge/etch
requested CVE id for serendipity XSS


Modified: data/CVE/list
===
--- data/CVE/list   2008-03-23 13:34:03 UTC (rev 8392)
+++ data/CVE/list   2008-03-24 10:59:34 UTC (rev 8393)
@@ -1,3 +1,7 @@
+CVE-2008- [Serendipity XSS in trackbacks]
+   - serendipity 1.3-1
+   NOTE: 
http://blog.s9y.org/archives/192-Serendipity-1.3-released-addresses-security.html
+   NOTE: CVE id requested
 CVE-2008- [multiple security issues in kses as used in egroupware]
- egroupware 1.4.002.dfsg-2.1 (bug #471839)
 CVE-2008- [OTRS osa-2008-01]
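Review bot: the `+   NOTE: ` line at the top of the hunk is separated from its URL, which sits on the following line with no diff prefix; if that is only mail wrapping the entry is fine, but if data/CVE/list really has the URL on its own line the NOTE is empty and the bare URL line will not be understood by the parser. Worth checking that the file has `NOTE: http://blog.s9y.org/archives/192-...` on one line.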
@@ -2,4 +6,6 @@
- otrs2 2.2.5-2
+   [etch] - otrs2 not-affected (Vulnerable code not present)
+   [etch] - otrs not-affected (Vulnerable code not present)
+   [sarge] - otrs not-affected (Vulnerable code not present)
NOTE: http://packages.qa.debian.org/o/otrs2/news/20080320T211729Z.html
-   NOTE: maintainer claims sarge/etch unaffected but details lacking
 CVE-2008- [unspecified egroupware security issue]
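Review bot: the three new `not-affected (Vulnerable code not present)` lines replace the removed NOTE that said the maintainer's claim lacked details, but the hunk records nothing about what was verified; the only remaining evidence is the packages.qa.debian.org news link. A short NOTE naming the file or function that was checked would make the not-affected status auditable later.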


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r8395 - data/DSA

2008-03-24 Thread thijs
Author: thijs
Date: 2008-03-24 14:48:41 +0000 (Mon, 24 Mar 2008)
New Revision: 8395

Modified:
   data/DSA/list
Log:
DSA-1527-1 debian-goodies


Modified: data/DSA/list
===
--- data/DSA/list   2008-03-24 11:27:14 UTC (rev 8394)
+++ data/DSA/list   2008-03-24 14:48:41 UTC (rev 8395)
@@ -1,3 +1,7 @@
+[24 Mar 2008] DSA-1527-1 debian-goodies - privilege escalation
+   {CVE-2007-3912}
+   [sarge] - debian-goodies 0.23+sarge1
+   [etch] - debian-goodies 0.27+etch1
 [20 Mar 2008] DSA-1526-1 xwine
{CVE-2008-0930 CVE-2008-0931}
[etch] - xwine 1.0.1-1etch1




[Secure-testing-commits] r8396 - in data: CVE DSA

2008-03-24 Thread thijs
Author: thijs
Date: 2008-03-24 16:39:54 +0000 (Mon, 24 Mar 2008)
New Revision: 8396

Modified:
   data/CVE/list
   data/DSA/list
Log:
DSA-1528-1 serendipity


Modified: data/CVE/list
===
--- data/CVE/list   2008-03-24 14:48:41 UTC (rev 8395)
+++ data/CVE/list   2008-03-24 16:39:54 UTC (rev 8396)
@@ -1,5 +1,7 @@
 CVE-2008- [Serendipity XSS in trackbacks]
- serendipity 1.3-1
+   [etch] - serendipity 1.0.4-1+etch1
+   NOTE: no CVE id available at time of DSA release
NOTE: 
http://blog.s9y.org/archives/192-Serendipity-1.3-released-addresses-security.html
NOTE: CVE id requested
 CVE-2008- [multiple security issues in kses as used in egroupware]
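Review bot: the added `NOTE: no CVE id available at time of DSA release` sits directly above the existing `NOTE: CVE id requested`, which says nearly the same thing; consider folding them into one line such as `NOTE: CVE id requested, none available at time of DSA-1528-1 release` so the placeholder entry carries one clear status.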

Modified: data/DSA/list
===
--- data/DSA/list   2008-03-24 14:48:41 UTC (rev 8395)
+++ data/DSA/list   2008-03-24 16:39:54 UTC (rev 8396)
@@ -1,3 +1,6 @@
+[24 Mar 2008] DSA-1528-1 serendipity - cross site scripting
+   {CVE-2007-6205 CVE-2008-0124}
+   [etch] - serendipity 1.0.4-1+etch1
 [24 Mar 2008] DSA-1527-1 debian-goodies - privilege escalation
{CVE-2007-3912}
[sarge] - debian-goodies 0.23+sarge1
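Review bot: DSA-1528-1 is recorded here with `{CVE-2007-6205 CVE-2008-0124}`, while the data/CVE/list hunk in the same commit keeps the trackback XSS under a `CVE-2008-` placeholder marked `[etch] - serendipity 1.0.4-1+etch1`; it is not clear whether the trackback issue is one of those two ids or a third, still unassigned one, and the placeholder entry should say which so the DSA cross-reference can be completed once the id arrives.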




[Secure-testing-commits] r8397 - bin

2008-03-24 Thread nion
Author: nion
Date: 2008-03-24 17:12:19 +0000 (Mon, 24 Mar 2008)
New Revision: 8397

Modified:
   bin/compare-testing-status
Log:
add date to subject of testing-security update notifications

Modified: bin/compare-testing-status
===
--- bin/compare-testing-status  2008-03-24 16:39:54 UTC (rev 8396)
+++ bin/compare-testing-status  2008-03-24 17:12:19 UTC (rev 8397)
@@ -11,6 +11,9 @@
 my $MAILTO='[EMAIL PROTECTED]';
 my $MAILFROM='[EMAIL PROTECTED]';
 
+my @d = localtime(time);
+my $MAILDATE = sprintf(%4d-%02d-%02d, $d[5] + 1900, $d[4], $d[3]);
+
 if (@ARGV != 2) {
die usage:\nlist-updates old.db new.deb\n;
 }
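Review bot: `$d[4]` is the zero-based month returned by localtime, so `$MAILDATE` will be one month early (this 24 Mar 2008 commit would produce 2008-02-24); it needs `$d[4] + 1`, matching the `$d[5] + 1900` adjustment already applied to the year. Simpler still is `use POSIX qw(strftime); my $MAILDATE = strftime('%Y-%m-%d', localtime);`. The missing double quotes around the sprintf format (and around the existing `die usage:` string) look like archive stripping rather than a change to the file.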
@@ -206,7 +209,7 @@
print $sendmail EOF;
 From: $MAILFROM
 To: $MAILTO
-Subject: Security update for Debian Testing
+Subject: Security update for Debian Testing - $MAILDATE
 
 This automatic mail gives an overview over security issues that were recently 
 fixed in Debian Testing. The majority of fixed packages migrate to testing 




[Secure-testing-commits] r8398 - data/CVE

2008-03-24 Thread nion
Author: nion
Date: 2008-03-24 18:29:08 +0000 (Mon, 24 Mar 2008)
New Revision: 8398

Modified:
   data/CVE/list
Log:
remove doubled entry

Modified: data/CVE/list
===
--- data/CVE/list   2008-03-24 17:12:19 UTC (rev 8397)
+++ data/CVE/list   2008-03-24 18:29:08 UTC (rev 8398)
@@ -12,8 +12,6 @@
[etch] - otrs not-affected (Vulnerable code not present)
[sarge] - otrs not-affected (Vulnerable code not present)
NOTE: http://packages.qa.debian.org/o/otrs2/news/20080320T211729Z.html
-CVE-2008- [unspecified egroupware security issue]
-   - egroupware unfixed (bug #471839)
 CVE-2008-1391
RESERVED
 CVE-2008-1390 [AST-2008-005: HTTP Manager ID is predictable]




[Secure-testing-commits] r8399 - data/CVE

2008-03-24 Thread jmm-guest
Author: jmm-guest
Date: 2008-03-24 20:41:07 +0000 (Mon, 24 Mar 2008)
New Revision: 8399

Modified:
   data/CVE/list
Log:
firebird special case DSA
some bug nums
one older cups no longer exploitable since 1.2


Modified: data/CVE/list
===
--- data/CVE/list   2008-03-24 18:29:08 UTC (rev 8398)
+++ data/CVE/list   2008-03-24 20:41:07 UTC (rev 8399)
@@ -2110,6 +2110,7 @@
NOT-FOR-US: Flinx
 CVE-2008-0467 (Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x 
before ...)
- firebird2 removed
+[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
- firebird2.0 2.0.3.12981.ds1-5 (medium; bug #463596)
 CVE-2008-0466 (Web Wiz RTE_file_browser.asp in, as used in Web Wiz Rich Text 
Editor ...)
NOT-FOR-US: Web Wiz Rich Text Editor
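Review bot: the new `+[etch] - firebird2 no-dsa (...)` line is not indented, while the neighbouring `- firebird2 removed` and `- firebird2.0 ...` lines, and every other `[etch]` line in the file, carry three leading spaces; the same applies to the firebird2 lines in the later hunks of this commit. Indent them so the entries stay consistent and the automatic update does not have to rewrite them.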
@@ -2332,7 +2333,7 @@
- firebird2.0 2.0.3.12981.ds1-4 (bug #460048)
[lenny] - firebird2.0 2.0.3.12981.ds1-1+lenny1
- firebird2 removed
-   NOTE: firebird2 in etch is vulnerable
+[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
 CVE-2008-0386 (Xdg-utils 1.0.2 and earlier allows user-assisted remote 
attackers to ...)
- xdg-utils not-affected (Ships a patch that modifies the vulnerable 
code and uses sed secure)
NOTE: xdg-open-generic replaces the vulnerable code and runs 
view-mailcap or sensible-browser
@@ -4695,7 +4696,7 @@
 CVE-2007-6040 (The Belkin F5D7230-4 Wireless G Router allows remote attackers 
to ...)
NOT-FOR-US: Belkin F5D7230-4 Wireless G Router
 CVE-2007-6039 (PHP 5.2.5 and earlier allows context-dependent attackers to 
cause a ...)
-   - php5 unfixed (unimportant; bug #453295)
+   - php5 unfixed (unimportant; bug #453295; bug #453295)
NOTE: Not a vulnerability per Debian PHP security policy, requires 
malicious
NOTE: script to trigger this issue
 CVE-2007-6077 (The session fixation protection mechanism in cgi_process.rb in 
Rails ...)
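Review bot: the replacement line `+   - php5 unfixed (unimportant; bug #453295; bug #453295)` repeats the bug number that was already present; this looks like an editing slip, and a bug referenced twice on the same entry is exactly what the `columns bug, note are not unique` ConstraintError in the 'Processing r8399 failed' report below rejects. Drop the second `bug #453295`.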
@@ -8977,27 +8978,27 @@
NOTE: This refers to an improved fix for MOPB 03-2007, which is 
CVE-2007-1285 and a non-issue
 CVE-2007-4669 (The Services API in Firebird before 2.0.2 allows remote 
authenticated ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-   [etch] - firebird2 unfixed
+[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4668 (Unspecified vulnerability in the server in Firebird before 
2.0.2 ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-   [etch] - firebird2 unfixed
+[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4667 (Unspecified vulnerability in the Services API in Firebird 
before 2.0.2 ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-   [etch] - firebird2 unfixed
+[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4666 (Unspecified vulnerability in the server in Firebird before 
2.0.2, when ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-   [etch] - firebird2 unfixed
+[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4665 (Unspecified vulnerability in the server in Firebird before 
2.0.2 ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-   [etch] - firebird2 unfixed
+[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4664 (Unspecified vulnerability in the (1) attach database and (2) 
create ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-   [etch] - firebird2 unfixed
+[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4663 (Directory traversal vulnerability in PHP before 5.2.4 allows 
attackers ...)
- php5 unfixed (unimportant)
@@ -10455,7 +10456,8 @@
 CVE-2007-4046 (SQL injection vulnerability in index.php in the Pony Gallery 
...)
NOT-FOR-US: Pony Gallery
 CVE-2007-4045 (The CUPS service, as used in SUSE Linux before 20070720 and 
other ...)
-   - cupsys not-affected (SuSE-specific regression)
+   - cupsys 1.2 
+NOTE: Since 1.2 allocation has changed and this issue is no longer 
exploitable
 CVE-2007-4044
REJECTED
 CVE-2007-4043 (file.cgi in Secure Computing SecurityReporter (aka Network 
Security ...)
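Review bot: the new `+NOTE: Since 1.2 allocation has changed ...` line lacks the indentation used by every other NOTE line in the file, and `+   - cupsys 1.2 ` has a trailing space and no severity or bug reference. If 1.2 is not an actual fixing upload but simply the version since which the code is no longer exploitable, keeping `not-affected` with that reason in parentheses fits the list format better than a bare version.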
@@ -10493,7 +10495,7 @@
RESERVED
 CVE-2007-4029 (libvorbis 1.1.2, and possibly other versions before 1.2.0, 
allows ...)
{DSA-1471-1}
-   - libvorbis 1.2.0.dfsg-1 (medium)
+   - libvorbis 
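Review bot: the replacement line `+   - libvorbis ` carries no version, so as shown it would drop both the fixed version 1.2.0.dfsg-1 and the `(medium)` severity from CVE-2007-4029; the hunk ends here, so the mail appears truncated and the rest of this change cannot be reviewed from this message.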

[Secure-testing-commits] Processing r8399 failed

2008-03-24 Thread secure-testing
The error message was:

Traceback (most recent call last):
  File bin/update-db, line 40, in ?
warnings = db.readBugs(cursor, 'data')
  File /home/secure-testing/production/lib/python/security_db.py, line 769, 
in readBugs
read_one(cls(path + name))
  File /home/secure-testing/production/lib/python/security_db.py, line 761, 
in read_one
do_parse(source)
  File /home/secure-testing/production/lib/python/security_db.py, line 717, 
in do_parse
bug.writeDB(cursor)
  File /home/secure-testing/production/lib/python/bugs.py, line 239, in 
writeDB
n.writeDB(cursor, self.name)
  File /home/secure-testing/production/lib/python/bugs.py, line 92, in writeDB
cursor.execute(INSERT INTO debian_bugs (bug, note)
apsw.ConstraintError: ConstraintError: columns bug, note are not unique
Exception exceptions.AttributeError: 'apsw.Connection' object has no attribute 
'close' in bound method DB.__del__ of security_db.DB instance at 
0x401c ignored
make: *** [all] Error 1



[Secure-testing-commits] r8400 - data/CVE

2008-03-24 Thread joeyh
Author: joeyh
Date: 2008-03-24 21:14:09 +0000 (Mon, 24 Mar 2008)
New Revision: 8400

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2008-03-24 20:41:07 UTC (rev 8399)
+++ data/CVE/list   2008-03-24 21:14:09 UTC (rev 8400)
@@ -2110,7 +2110,7 @@
NOT-FOR-US: Flinx
 CVE-2008-0467 (Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x 
before ...)
- firebird2 removed
-[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
+   [etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
- firebird2.0 2.0.3.12981.ds1-5 (medium; bug #463596)
 CVE-2008-0466 (Web Wiz RTE_file_browser.asp in, as used in Web Wiz Rich Text 
Editor ...)
NOT-FOR-US: Web Wiz Rich Text Editor
@@ -2333,7 +2333,7 @@
- firebird2.0 2.0.3.12981.ds1-4 (bug #460048)
[lenny] - firebird2.0 2.0.3.12981.ds1-1+lenny1
- firebird2 removed
-[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
+   [etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
 CVE-2008-0386 (Xdg-utils 1.0.2 and earlier allows user-assisted remote 
attackers to ...)
- xdg-utils not-affected (Ships a patch that modifies the vulnerable 
code and uses sed secure)
NOTE: xdg-open-generic replaces the vulnerable code and runs 
view-mailcap or sensible-browser
@@ -2960,6 +2960,7 @@
 CVE-2008-0125
RESERVED
 CVE-2008-0124 (Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) 
before ...)
+   {DSA-1528-1}
- serendipity 1.3~b1-1 (low; bug #469667)
 CVE-2008-0123 (Cross-site scripting (XSS) vulnerability in install.php for 
Moodle ...)
- moodle unfixed (unimportant)
@@ -4337,6 +4338,7 @@
{DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1436-1}
- linux-2.6 2.6.24-1
 CVE-2007-6205 (Cross-site scripting (XSS) vulnerability in the remote RSS 
sidebar ...)
+   {DSA-1528-1}
- serendipity 1.2.1-1 (low)
[etch] - serendipity no-dsa (Can only be exploited in rare conditions)
 CVE-2007-6204 (Multiple stack-based buffer overflows in HP OpenView Network 
Node ...)
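Review bot: `{DSA-1528-1}` is added to CVE-2007-6205, but the entry still reads `[etch] - serendipity no-dsa (Can only be exploited in rare conditions)`; since data/DSA/list (r8396) records DSA-1528-1 as fixing serendipity 1.0.4-1+etch1 in etch for this id, the no-dsa line now contradicts the DSA reference and should become `[etch] - serendipity 1.0.4-1+etch1`.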
@@ -8978,27 +8980,27 @@
NOTE: This refers to an improved fix for MOPB 03-2007, which is 
CVE-2007-1285 and a non-issue
 CVE-2007-4669 (The Services API in Firebird before 2.0.2 allows remote 
authenticated ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
+   [etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4668 (Unspecified vulnerability in the server in Firebird before 
2.0.2 ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
+   [etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4667 (Unspecified vulnerability in the Services API in Firebird 
before 2.0.2 ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
+   [etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4666 (Unspecified vulnerability in the server in Firebird before 
2.0.2, when ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
+   [etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4665 (Unspecified vulnerability in the server in Firebird before 
2.0.2 ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
+   [etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4664 (Unspecified vulnerability in the (1) attach database and (2) 
create ...)
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405)
-[etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
+   [etch] - firebird2 no-dsa (Fixed packages have been released through 
backports.org, see #1529)
[sarge] - firebird2 unfixed
 CVE-2007-4663 (Directory traversal vulnerability in PHP before 5.2.4 allows 
attackers ...)
- php5 unfixed (unimportant)
@@ -10457,7 +10459,7 @@
NOT-FOR-US: Pony Gallery
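Review bot: the diff is cut off here, and nothing in the visible hunks touches the php5 entry for CVE-2007-6039, whose duplicated `bug #453295` from r8399 is what the unique constraint on debian_bugs rejects; the 'Processing r8400 failed' report that follows shows the same ConstraintError, so that entry still needs a manual fix.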

[Secure-testing-commits] Processing r8400 failed

2008-03-24 Thread secure-testing
The error message was:

Traceback (most recent call last):
  File bin/update-db, line 40, in ?
warnings = db.readBugs(cursor, 'data')
  File /home/secure-testing/production/lib/python/security_db.py, line 769, 
in readBugs
read_one(cls(path + name))
  File /home/secure-testing/production/lib/python/security_db.py, line 761, 
in read_one
do_parse(source)
  File /home/secure-testing/production/lib/python/security_db.py, line 717, 
in do_parse
bug.writeDB(cursor)
  File /home/secure-testing/production/lib/python/bugs.py, line 239, in 
writeDB
n.writeDB(cursor, self.name)
  File /home/secure-testing/production/lib/python/bugs.py, line 92, in writeDB
cursor.execute(INSERT INTO debian_bugs (bug, note)
apsw.ConstraintError: ConstraintError: columns bug, note are not unique
Exception exceptions.AttributeError: 'apsw.Connection' object has no attribute 
'close' in bound method DB.__del__ of security_db.DB instance at 
0x401c ignored
make: *** [all] Error 1


