[Secure-testing-commits] r8393 - data/CVE
Author: thijs Date: 2008-03-24 10:59:34 + (Mon, 24 Mar 2008) New Revision: 8393 Modified: data/CVE/list Log: otrs issue not relevant for sarge/etch requested CVE id for serendipity XSS Modified: data/CVE/list === --- data/CVE/list 2008-03-23 13:34:03 UTC (rev 8392) +++ data/CVE/list 2008-03-24 10:59:34 UTC (rev 8393) @@ -1,3 +1,7 @@ +CVE-2008- [Serendipity XSS in trackbacks] + - serendipity 1.3-1 + NOTE: http://blog.s9y.org/archives/192-Serendipity-1.3-released-addresses-security.html + NOTE: CVE id requested CVE-2008- [multiple security issues in kses as used in egroupware] - egroupware 1.4.002.dfsg-2.1 (bug #471839) CVE-2008- [OTRS osa-2008-01] @@ -2,4 +6,6 @@ - otrs2 2.2.5-2 + [etch] - otrs2 not-affected (Vulnerable code not present) + [etch] - otrs not-affected (Vulnerable code not present) + [sarge] - otrs not-affected (Vulnerable code not present) NOTE: http://packages.qa.debian.org/o/otrs2/news/20080320T211729Z.html - NOTE: maintainer claims sarge/etch unaffected but details lacking CVE-2008- [unspecified egroupware security issue] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
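Review bot: in the second hunk (OTRS osa-2008-01), the three added not-affected lines replace the NOTE "maintainer claims sarge/etch unaffected but details lacking" with the bare reason "Vulnerable code not present", and nothing records how that was confirmed. Keep a NOTE saying where the confirmation came from (maintainer statement, source inspection), so the sarge/etch status can be re-checked later without relying on the commit log.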
[Secure-testing-commits] r8395 - data/DSA
Author: thijs Date: 2008-03-24 14:48:41 + (Mon, 24 Mar 2008) New Revision: 8395 Modified: data/DSA/list Log: DSA-1527-1 debian-goodies Modified: data/DSA/list === --- data/DSA/list 2008-03-24 11:27:14 UTC (rev 8394) +++ data/DSA/list 2008-03-24 14:48:41 UTC (rev 8395) @@ -1,3 +1,7 @@ +[24 Mar 2008] DSA-1527-1 debian-goodies - privilege escalation + {CVE-2007-3912} + [sarge] - debian-goodies 0.23+sarge1 + [etch] - debian-goodies 0.27+etch1 [20 Mar 2008] DSA-1526-1 xwine {CVE-2008-0930 CVE-2008-0931} [etch] - xwine 1.0.1-1etch1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r8396 - in data: CVE DSA
Author: thijs Date: 2008-03-24 16:39:54 + (Mon, 24 Mar 2008) New Revision: 8396 Modified: data/CVE/list data/DSA/list Log: DSA-1528-1 serendipity Modified: data/CVE/list === --- data/CVE/list 2008-03-24 14:48:41 UTC (rev 8395) +++ data/CVE/list 2008-03-24 16:39:54 UTC (rev 8396) @@ -1,5 +1,7 @@ CVE-2008- [Serendipity XSS in trackbacks] - serendipity 1.3-1 + [etch] - serendipity 1.0.4-1+etch1 + NOTE: no CVE id available at time of DSA release NOTE: http://blog.s9y.org/archives/192-Serendipity-1.3-released-addresses-security.html NOTE: CVE id requested CVE-2008- [multiple security issues in kses as used in egroupware] Modified: data/DSA/list === --- data/DSA/list 2008-03-24 14:48:41 UTC (rev 8395) +++ data/DSA/list 2008-03-24 16:39:54 UTC (rev 8396) @@ -1,3 +1,6 @@ +[24 Mar 2008] DSA-1528-1 serendipity - cross site scripting + {CVE-2007-6205 CVE-2008-0124} + [etch] - serendipity 1.0.4-1+etch1 [24 Mar 2008] DSA-1527-1 debian-goodies - privilege escalation {CVE-2007-3912} [sarge] - debian-goodies 0.23+sarge1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
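Review bot: in the data/CVE/list hunk, the temporary "Serendipity XSS in trackbacks" entry gains the etch fix version 1.0.4-1+etch1 but nothing ties it to DSA-1528-1, and the DSA-1528-1 entry added in data/DSA/list lists only CVE-2007-6205 and CVE-2008-0124. Name the DSA in the added NOTE (for example "NOTE: fixed in DSA-1528-1, no CVE id available at time of DSA release") so the association survives until an id is assigned and the entry can be cross-referenced.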
[Secure-testing-commits] r8397 - bin
Author: nion Date: 2008-03-24 17:12:19 + (Mon, 24 Mar 2008) New Revision: 8397 Modified: bin/compare-testing-status Log: add date to subject of testing-security update notifications Modified: bin/compare-testing-status === --- bin/compare-testing-status 2008-03-24 16:39:54 UTC (rev 8396) +++ bin/compare-testing-status 2008-03-24 17:12:19 UTC (rev 8397) @@ -11,6 +11,9 @@ my $MAILTO='[EMAIL PROTECTED]'; my $MAILFROM='[EMAIL PROTECTED]'; +my @d = localtime(time); +my $MAILDATE = sprintf(%4d-%02d-%02d, $d[5] + 1900, $d[4], $d[3]); + if (@ARGV != 2) { die usage:\nlist-updates old.db new.deb\n; } @@ -206,7 +209,7 @@ print $sendmail EOF; From: $MAILFROM To: $MAILTO -Subject: Security update for Debian Testing +Subject: Security update for Debian Testing - $MAILDATE This automatic mail gives an overview over security issues that were recently fixed in Debian Testing. The majority of fixed packages migrate to testing ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
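Review bot: in the first hunk, the added $MAILDATE line passes $d[4] to sprintf unchanged, but localtime returns the month as 0..11, so the subject will carry the previous month's number (a mail sent on 24 March would read 2008-02-24). Use $d[4] + 1, matching the $d[5] + 1900 correction already applied to the year, or build the string with POSIX::strftime('%Y-%m-%d', localtime) and drop the manual field arithmetic.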
[Secure-testing-commits] r8398 - data/CVE
Author: nion Date: 2008-03-24 18:29:08 + (Mon, 24 Mar 2008) New Revision: 8398 Modified: data/CVE/list Log: remove doubled entry Modified: data/CVE/list === --- data/CVE/list 2008-03-24 17:12:19 UTC (rev 8397) +++ data/CVE/list 2008-03-24 18:29:08 UTC (rev 8398) @@ -12,8 +12,6 @@ [etch] - otrs not-affected (Vulnerable code not present) [sarge] - otrs not-affected (Vulnerable code not present) NOTE: http://packages.qa.debian.org/o/otrs2/news/20080320T211729Z.html -CVE-2008- [unspecified egroupware security issue] - - egroupware unfixed (bug #471839) CVE-2008-1391 RESERVED CVE-2008-1390 [AST-2008-005: HTTP Manager ID is predictable] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
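Review bot: the log message "remove doubled entry" does not say which entry the removed "unspecified egroupware security issue" duplicates. The r8393 context lines show a "multiple security issues in kses as used in egroupware" entry citing the same bug #471839 with fixed version 1.4.002.dfsg-2.1, while the removed entry said "unfixed"; state in the log that this is the surviving entry, so the change from unfixed to fixed is visibly intentional.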
[Secure-testing-commits] r8399 - data/CVE
Author: jmm-guest Date: 2008-03-24 20:41:07 + (Mon, 24 Mar 2008) New Revision: 8399 Modified: data/CVE/list Log: firebird special case DSA some bug nums one older cups no longer exploitable since 1.2 Modified: data/CVE/list === --- data/CVE/list 2008-03-24 18:29:08 UTC (rev 8398) +++ data/CVE/list 2008-03-24 20:41:07 UTC (rev 8399) @@ -2110,6 +2110,7 @@ NOT-FOR-US: Flinx CVE-2008-0467 (Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x before ...) - firebird2 removed +[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) - firebird2.0 2.0.3.12981.ds1-5 (medium; bug #463596) CVE-2008-0466 (Web Wiz RTE_file_browser.asp in, as used in Web Wiz Rich Text Editor ...) NOT-FOR-US: Web Wiz Rich Text Editor @@ -2332,7 +2333,7 @@ - firebird2.0 2.0.3.12981.ds1-4 (bug #460048) [lenny] - firebird2.0 2.0.3.12981.ds1-1+lenny1 - firebird2 removed - NOTE: firebird2 in etch is vulnerable +[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) CVE-2008-0386 (Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to ...) - xdg-utils not-affected (Ships a patch that modifies the vulnerable code and uses sed secure) NOTE: xdg-open-generic replaces the vulnerable code and runs view-mailcap or sensible-browser @@ -4695,7 +4696,7 @@ CVE-2007-6040 (The Belkin F5D7230-4 Wireless G Router allows remote attackers to ...) NOT-FOR-US: Belkin F5D7230-4 Wireless G Router CVE-2007-6039 (PHP 5.2.5 and earlier allows context-dependent attackers to cause a ...) - - php5 unfixed (unimportant; bug #453295) + - php5 unfixed (unimportant; bug #453295; bug #453295) NOTE: Not a vulnerability per Debian PHP security policy, requires malicious NOTE: script to trigger this issue CVE-2007-6077 (The session fixation protection mechanism in cgi_process.rb in Rails ...) 
@@ -8977,27 +8978,27 @@ NOTE: This refers to an improved fix for MOPB 03-2007, which is CVE-2007-1285 and a non-issue CVE-2007-4669 (The Services API in Firebird before 2.0.2 allows remote authenticated ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 unfixed +[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4668 (Unspecified vulnerability in the server in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 unfixed +[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4667 (Unspecified vulnerability in the Services API in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 unfixed +[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4666 (Unspecified vulnerability in the server in Firebird before 2.0.2, when ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 unfixed +[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4665 (Unspecified vulnerability in the server in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 unfixed +[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4664 (Unspecified vulnerability in the (1) attach database and (2) create ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 unfixed +[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4663 (Directory traversal vulnerability in PHP before 5.2.4 allows attackers ...) - php5 unfixed (unimportant) 
@@ -10455,7 +10456,8 @@ CVE-2007-4046 (SQL injection vulnerability in index.php in the Pony Gallery ...) NOT-FOR-US: Pony Gallery CVE-2007-4045 (The CUPS service, as used in SUSE Linux before 20070720 and other ...) - - cupsys not-affected (SuSE-specific regression) + - cupsys 1.2 +NOTE: Since 1.2 allocation has changed and this issue is no longer exploitable CVE-2007-4044 REJECTED CVE-2007-4043 (file.cgi in Secure Computing SecurityReporter (aka Network Security ...) @@ -10493,7 +10495,7 @@ RESERVED CVE-2007-4029 (libvorbis 1.1.2, and possibly other versions before 1.2.0, allows ...) {DSA-1471-1} - - libvorbis 1.2.0.dfsg-1 (medium) + - libvorbis
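Review bot: in the hunk at -4695 (CVE-2007-6039), the php5 line ends up as "(unimportant; bug #453295; bug #453295)", which repeats the same bug number and looks accidental given the "some bug nums" log entry. The "Processing r8399 failed" mail that follows reports a uniqueness violation on debian_bugs (bug, note), which is consistent with a doubled bug reference; restore the line to a single "bug #453295".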
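Review bot: the added "[etch] - firebird2 no-dsa" lines in the firebird hunks and the added "NOTE: Since 1.2 allocation has changed ..." line under CVE-2007-4045 start in column 0, whereas the lines they replace and their neighbours are indented. Indent them like the surrounding release and NOTE lines so they parse as part of the preceding CVE entry; r8400 re-indents the firebird lines afterwards, which would not be needed if they were indented here.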
[Secure-testing-commits] Processing r8399 failed
The error message was:

Traceback (most recent call last):
  File bin/update-db, line 40, in ?
    warnings = db.readBugs(cursor, 'data')
  File /home/secure-testing/production/lib/python/security_db.py, line 769, in readBugs
    read_one(cls(path + name))
  File /home/secure-testing/production/lib/python/security_db.py, line 761, in read_one
    do_parse(source)
  File /home/secure-testing/production/lib/python/security_db.py, line 717, in do_parse
    bug.writeDB(cursor)
  File /home/secure-testing/production/lib/python/bugs.py, line 239, in writeDB
    n.writeDB(cursor, self.name)
  File /home/secure-testing/production/lib/python/bugs.py, line 92, in writeDB
    cursor.execute(INSERT INTO debian_bugs (bug, note)
apsw.ConstraintError: ConstraintError: columns bug, note are not unique
Exception exceptions.AttributeError: 'apsw.Connection' object has no attribute 'close' in bound method DB.__del__ of security_db.DB instance at 0x401c ignored
make: *** [all] Error 1
[Secure-testing-commits] r8400 - data/CVE
Author: joeyh Date: 2008-03-24 21:14:09 + (Mon, 24 Mar 2008) New Revision: 8400 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2008-03-24 20:41:07 UTC (rev 8399) +++ data/CVE/list 2008-03-24 21:14:09 UTC (rev 8400) @@ -2110,7 +2110,7 @@ NOT-FOR-US: Flinx CVE-2008-0467 (Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x before ...) - firebird2 removed -[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) + [etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) - firebird2.0 2.0.3.12981.ds1-5 (medium; bug #463596) CVE-2008-0466 (Web Wiz RTE_file_browser.asp in, as used in Web Wiz Rich Text Editor ...) NOT-FOR-US: Web Wiz Rich Text Editor @@ -2333,7 +2333,7 @@ - firebird2.0 2.0.3.12981.ds1-4 (bug #460048) [lenny] - firebird2.0 2.0.3.12981.ds1-1+lenny1 - firebird2 removed -[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) + [etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) CVE-2008-0386 (Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to ...) - xdg-utils not-affected (Ships a patch that modifies the vulnerable code and uses sed secure) NOTE: xdg-open-generic replaces the vulnerable code and runs view-mailcap or sensible-browser @@ -2960,6 +2960,7 @@ CVE-2008-0125 RESERVED CVE-2008-0124 (Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before ...) + {DSA-1528-1} - serendipity 1.3~b1-1 (low; bug #469667) CVE-2008-0123 (Cross-site scripting (XSS) vulnerability in install.php for Moodle ...) - moodle unfixed (unimportant) 
@@ -4337,6 +4338,7 @@ {DSA-1503-2 DSA-1504-1 DSA-1503-1 DSA-1436-1} - linux-2.6 2.6.24-1 CVE-2007-6205 (Cross-site scripting (XSS) vulnerability in the remote RSS sidebar ...) + {DSA-1528-1} - serendipity 1.2.1-1 (low) [etch] - serendipity no-dsa (Can only be exploited in rare conditions) CVE-2007-6204 (Multiple stack-based buffer overflows in HP OpenView Network Node ...) 
@@ -8978,27 +8980,27 @@ NOTE: This refers to an improved fix for MOPB 03-2007, which is CVE-2007-1285 and a non-issue CVE-2007-4669 (The Services API in Firebird before 2.0.2 allows remote authenticated ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) -[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) + [etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4668 (Unspecified vulnerability in the server in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) -[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) + [etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4667 (Unspecified vulnerability in the Services API in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) -[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) + [etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4666 (Unspecified vulnerability in the server in Firebird before 2.0.2, when ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) -[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) + [etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4665 (Unspecified vulnerability in the server in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) -[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) + [etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4664 (Unspecified vulnerability in the (1) attach database and (2) create ...) 
- firebird2.0 2.0.3.12981.ds1-1 (bug #441405) -[etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) + [etch] - firebird2 no-dsa (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 unfixed CVE-2007-4663 (Directory traversal vulnerability in PHP before 5.2.4 allows attackers ...) - php5 unfixed (unimportant) @@ -10457,7 +10459,7 @@ NOT-FOR-US: Pony Gallery
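Review bot: in the hunk at -4337, CVE-2007-6205 now carries {DSA-1528-1} while the unchanged line below it still reads "[etch] - serendipity no-dsa (Can only be exploited in rare conditions)", so the entry says both that a DSA covers it and that etch gets none. Since DSA-1528-1 lists etch as fixed in serendipity 1.0.4-1+etch1, replace the no-dsa line with that fixed version so etch is not reported as unpatched for this CVE.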
[Secure-testing-commits] Processing r8400 failed
The error message was:

Traceback (most recent call last):
  File bin/update-db, line 40, in ?
    warnings = db.readBugs(cursor, 'data')
  File /home/secure-testing/production/lib/python/security_db.py, line 769, in readBugs
    read_one(cls(path + name))
  File /home/secure-testing/production/lib/python/security_db.py, line 761, in read_one
    do_parse(source)
  File /home/secure-testing/production/lib/python/security_db.py, line 717, in do_parse
    bug.writeDB(cursor)
  File /home/secure-testing/production/lib/python/bugs.py, line 239, in writeDB
    n.writeDB(cursor, self.name)
  File /home/secure-testing/production/lib/python/bugs.py, line 92, in writeDB
    cursor.execute(INSERT INTO debian_bugs (bug, note)
apsw.ConstraintError: ConstraintError: columns bug, note are not unique
Exception exceptions.AttributeError: 'apsw.Connection' object has no attribute 'close' in bound method DB.__del__ of security_db.DB instance at 0x401c ignored
make: *** [all] Error 1