would it make sense to integrate ubuntu's security tracker with
debian's, especially since the two distros are so closely related?
for example, [intrepid]/[jaunty] tags could be used to track
ubuntu-specific issues within the debian tracker.

this would greatly reduce duplication of effort and make it clear to
the other team when the one pushes a fix since everyone will be getting
updates from the same tracker.  it would also make a lot of sense for
the two teams to work more closely together.

also, debsecan could finally be modified so that its output makes
sense on ubuntu (a pet peeve of mine).

just a thought.

mike

On Fri, 17 Apr 2009 01:25:52 +0000
Kees Cook <k...@alioth.debian.org> wrote:

> Author: kees
> Date: 2009-04-17 01:25:52 +0000 (Fri, 17 Apr 2009)
> New Revision: 11636
> 
> Modified:
>    data/CVE/list
> Log:
> Sync from Ubuntu CVE tracker...
> unfixed: archivemail azureus clamav evolution-data-server ghostscript 
> graphicsmagick iceape iceweasel jbossas4 libapache2-mod-perl2 
> libstruts1.2-java linux-2.6 ntp openjdk-6 python2.4 python2.5 sun-java5 
> sun-java6 tomcat5.5 torrentflux typo3-src wireshark xulrunner
> fixed: lighttpd tunapie
> 
> 
> Modified: data/CVE/list
> ===================================================================
> --- data/CVE/list     2009-04-16 21:14:13 UTC (rev 11635)
> +++ data/CVE/list     2009-04-17 01:25:52 UTC (rev 11636)
> @@ -163,15 +163,15 @@
>       - php4 <not-affected> (the JSON extension was introduced in php5.2)
>       - php-json-ext <unfixed>
>  CVE-2009-1269 (Unspecified vulnerability in Wireshark 0.99.6 through 1.0.6 
> allows ...)
> -     TODO: check
> +     - wireshark <unfixed>
>  CVE-2009-1268 (The Check Point High-Availability Protocol (CPHAP) dissector 
> in ...)
> -     TODO: check
> +     - wireshark <unfixed>
>  CVE-2009-1267 (Unspecified vulnerability in the LDAP dissector in Wireshark 
> 0.99.2 ...)
> -     TODO: check
> +     - wireshark <unfixed>
>  CVE-2009-1266
>       RESERVED
>  CVE-2009-1265 (Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the 
> Linux ...)
> -     TODO: check
> +     - linux-2.6 <unfixed>
>  CVE-2009-1264 (Frontend User Registration (sr_feuser_register) extension 
> 2.5.20 and ...)
>       NOT-FOR-US: Frontend User Registration (sr_feuser_register) extension
>  CVE-2009-1263 (SQL injection vulnerability in sub_commententry.php in the 
> BookJoomlas ...)
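Review bot: the CVE-2009-1265 change adds only `- linux-2.6 <unfixed>`, but the other af_rose entry in this patch (CVE-2009-0795 in the -1859 hunk) tracks both `linux-2.6` and `linux-2.6.24`, and the -5409 hunk shows the same pair for another kernel issue; since this is an integer overflow in sys/net/af_rose.c, a `- linux-2.6.24 <unfixed>` line is probably needed here as well.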
> @@ -193,7 +193,7 @@
>  CVE-2009-1255
>       RESERVED
>  CVE-2008-6679 (Buffer overflow in the BaseFont writer module in Ghostscript 
> 8.62, and ...)
> -     TODO: check
> +     - ghostscript <unfixed>
>  CVE-2008-6678 (SQL injection vulnerability in asp/includes/contact.asp in 
> QuickerSite ...)
>       NOT-FOR-US: QuickerSite
>  CVE-2008-6677 (Unrestricted file upload vulnerability in ...)
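Review bot: the new `- ghostscript <unfixed>` line for CVE-2008-6679 lists only the ghostscript source, whereas the ghostscript entry visible in the context of the -2924 hunk (just above CVE-2009-0582) also carries `- gs-gpl <removed>` and `- gs-esp <removed>`; for consistency those two lines are probably wanted here, and likewise for CVE-2007-6725 and CVE-2009-0196 later in this patch.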
> @@ -239,7 +239,7 @@
>  CVE-2008-6657 (Cross-site request forgery (CSRF) vulnerability in index.php 
> in Simple ...)
>       NOT-FOR-US: Simple Machines Forum
>  CVE-2007-6725 (The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and 
> possibly ...)
> -     TODO: check
> +     - ghostscript <unfixed>
>  CVE-2009-XXXX [roundup: insufficient access checks in web frontend]
>       - roundup <unfixed> (bug #518768)
>       [etch] - roundup 1.2.1-10+etch1
> @@ -259,10 +259,10 @@
>       - clamav 0.94.dfsg.2-1~volatile2 (medium; bug #523016)
>  CVE-2009-1254 (James Stone Tunapie 2.1 allows remote attackers to execute 
> arbitrary ...)
>       {DSA-1764-1}
> -     TODO: check
> +     - tunapie 2.1.17-1
>  CVE-2009-1253 (James Stone Tunapie 2.1 allows local users to overwrite 
> arbitrary ...)
>       {DSA-1764-1}
> -     TODO: check
> +     - tunapie 2.1.17-1
>  CVE-2009-1252
>       RESERVED
>  CVE-2009-1251 (Heap-based buffer overflow in the cache manager in the client 
> in ...)
> @@ -360,7 +360,7 @@
>  CVE-2008-6622 (SQL injection vulnerability in choosecard.php in WEBBDOMAIN 
> Post Card ...)
>       NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online
>  CVE-2008-6621 (Unspecified vulnerability in GraphicsMagick before 1.2.3 
> allows remote ...)
> -     TODO: check
> +     - graphicsmagick <unfixed>
>  CVE-2008-6620 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
>       NOT-FOR-US: GraFX miniCWB
>  CVE-2008-6619 (Unrestricted file upload vulnerability in class/ApplyDB.php 
> in ...)
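Review bot: CVE-2008-6621 is described as affecting GraphicsMagick before 1.2.3, so `- graphicsmagick <unfixed>` is only correct if the archive still ships an older release; if 1.2.3 or later is already packaged, the line should record that fixed version instead. The same version check applies in the -3405 hunk, where CVE-2008-6072 (GraphicsMagick before 1.1.14) and its two neighbours are all set to `<unfixed>`.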
> @@ -421,7 +421,7 @@
>  CVE-2008-6595 (SQL injection vulnerability in the pmk_rssnewsexport 
> extension for ...)
>       NOT-FOR-US: pmk_rssnewsexport extension for TYPO3
>  CVE-2008-6594 (SQL injection vulnerability in the cm_rdfexport extension for 
> TYPO3 ...)
> -     TODO: check
> +     - typo3-src <unfixed>
>  CVE-2008-6593 (SQL injection vulnerability in LightNEasy/lightneasy.php in 
> LightNEasy ...)
>       NOT-FOR-US: LightNEasy SQLite
>  CVE-2008-6592 (thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy 
> &quot;no database&quot; ...)
> @@ -435,13 +435,13 @@
>  CVE-2008-6588 (Aztech ADSL2/2+ 4-port router has a default &quot;isp&quot; 
> account with a ...)
>       NOT-FOR-US: Aztech port router
>  CVE-2008-6587 (Cross-site request forgery (CSRF) vulnerability in index.tmpl 
> in Vuze ...)
> -     TODO: check
> +     - azureus <unfixed>
>  CVE-2008-6586 (Cross-site request forgery (CSRF) vulnerability in 
> gui/index.php in ...)
>       NOT-FOR-US: ?Torrent (uTorrent) WebUI
>  CVE-2008-6585 (Cross-site request forgery (CSRF) vulnerability in 
> html/admin.php in ...)
> -     TODO: check
> +     - torrentflux <unfixed>
>  CVE-2008-6584 (html/index.php in TorrentFlux 2.3 allows remote authenticated 
> users to ...)
> -     TODO: check
> +     - torrentflux <unfixed>
>  CVE-2008-6583 (Buffer overflow in BS.player 2.27 build 959 allows remote 
> attackers to ...)
>       NOT-FOR-US: BS.player
>  CVE-2009-1274 (Integer overflow in the qt_error parse_trak_atom function in 
> ...)
> @@ -1859,16 +1859,16 @@
>  CVE-2009-0797
>       RESERVED
>  CVE-2009-0796 (Cross-site scripting (XSS) vulnerability in Status.pm in ...)
> -     TODO: check
> +     - libapache2-mod-perl2 <unfixed>
>  CVE-2009-0795 [af_rose/x25 DoS]
>       REJECTED
>       - linux-2.6 <unfixed>
>       - linux-2.6.24 <unfixed>
>  CVE-2009-0794 (Integer overflow in the PulseAudioTargetDataL class in ...)
> -     TODO: check
> +     - openjdk-6 <unfixed>
>  CVE-2009-0793 (cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used 
> in OpenJDK ...)
>       {DSA-1769-1}
> -     TODO: check
> +     - openjdk-6 <unfixed>
>  CVE-2009-0792 (Multiple integer overflows in icc.c in the International 
> Color ...)
>       - argyll <unfixed> (low; bug #523427)
>  CVE-2009-0791
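Review bot: CVE-2009-0793 carries `{DSA-1769-1}` but after this change its only package line is `- openjdk-6 <unfixed>`; elsewhere in this patch (CVE-2009-0581 in the -2924 hunk) the same DSA is paired with `- lcms 1.18.dfsg-1`, so a corresponding `- lcms <fixed version>` line appears to be missing from this entry.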
> @@ -2445,7 +2445,9 @@
>  CVE-2009-0653 (OpenSSL, probably 0.9.6, does not verify the Basic 
> Constraints for an ...)
>       - openssl 0.9.8-1 (bug #517791)
>  CVE-2009-0652 (Mozilla Firefox 3.0.6 does not properly prevent the literal 
> rendering ...)
> -     TODO: check
> +     - iceape <unfixed>
> +     - xulrunner <unfixed>
> +     - iceweasel <unfixed>
>  CVE-2009-0651 (Unspecified vulnerability in the Veritas network daemon (aka 
> vnetd) in ...)
>       NOT-FOR-US: Veritas network daemon
>  CVE-2009-0650 (Stack-based buffer overflow in the GetStatsFromLine function 
> in TPTEST ...)
> @@ -2924,7 +2926,7 @@
>       - gs-gpl <removed>
>       - gs-esp <removed>
>  CVE-2009-0582 (The ntlm_challenge function in the NTLM SASL authentication 
> mechanism ...)
> -     TODO: check
> +     - evolution-data-server <unfixed>
>  CVE-2009-0581 (Memory leak in LittleCMS (aka lcms or liblcms) before 
> 1.18beta2, as ...)
>       {DSA-1769-1 DSA-1745-1}
>       - lcms 1.18.dfsg-1 (bug #522446)
> @@ -3405,11 +3407,11 @@
>  CVE-2008-6073 (StorageCrypt 2.0.1 does not properly encrypt disks, which 
> allows local ...)
>       NOT-FOR-US: StorageCrypt
>  CVE-2008-6072 (Multiple unspecified vulnerabilities in GraphicsMagick before 
> 1.1.14, ...)
> -     TODO: check
> +     - graphicsmagick <unfixed>
>  CVE-2008-6071 (Heap-based buffer overflow in the DecodeImage function in ...)
> -     TODO: check
> +     - graphicsmagick <unfixed>
>  CVE-2008-6070 (Multiple heap-based buffer underflows in the ReadPALMImage 
> function in ...)
> -     TODO: check
> +     - graphicsmagick <unfixed>
>  CVE-2008-6069 (SQL injection vulnerability in e107chat.php in the eChat 
> plugin 4.2 ...)
>       NOT-FOR-US: eChat plugin
>  CVE-2008-6068 (SQL injection vulnerability in the JoomlaDate 
> (com_joomladate) ...)
> @@ -3996,7 +3998,8 @@
>       - dia 0.96.1-7.1 (low; bug #504251)
>       [etch] - dia <no-dsa> (Minor issue, only vulnerable when called from 
> certain dir)
>  CVE-2008-5983 (Untrusted search path vulnerability in the PySys_SetArgv API 
> function ...)
> -     TODO: check
> +     - python2.5 <unfixed>
> +     - python2.4 <unfixed>
>  CVE-2008-5982 (Format string vulnerability in BMC PATROL Agent before 3.7.30 
> allows ...)
>       NOT-FOR-US: BMC PATROL Agent
>  CVE-2009-0323 (Multiple stack-based buffer overflows in W3C Amaya Web 
> Browser 10.0 ...)
> @@ -4313,7 +4316,7 @@
>  CVE-2009-0197 (Integer overflow in the FORMATS Plugin before 4.23 for 
> IrfanView ...)
>       NOT-FOR-US: IrfanView
>  CVE-2009-0196
> -     RESERVED
> +     - ghostscript <unfixed>
>  CVE-2009-0195
>       RESERVED
>  CVE-2009-0194
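Review bot: replacing `RESERVED` with `- ghostscript <unfixed>` for CVE-2009-0196 leaves the entry with no description at all; the file's convention for ids whose text is not yet public is a bracketed one-line summary after the id (`CVE-2009-XXXX [roundup: insufficient access checks in web frontend]`, `CVE-2009-0795 [af_rose/x25 DoS]`, `CVE-2007-2841 [lighttpd DoS]`), so one should be added here. The same applies to the `- archivemail <unfixed>` line that replaces `RESERVED` for CVE-2006-4245 in the -42623 hunk.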
> @@ -4414,7 +4417,7 @@
>  CVE-2009-0160
>       RESERVED
>  CVE-2009-0159 (Stack-based buffer overflow in the cookedprint function in 
> ntpq/ntpq.c ...)
> -     TODO: check
> +     - ntp <unfixed>
>  CVE-2009-0158
>       RESERVED
>  CVE-2009-0157
> @@ -5409,7 +5412,7 @@
>       - linux-2.6 2.6.29-1
>       - linux-2.6.24 <unfixed>
>  CVE-2009-0027 (The request handler in JBossWS in JBoss Enterprise 
> Application ...)
> -     TODO: check
> +     - jbossas4 <unfixed>
>  CVE-2009-0026 (Multiple cross-site scripting (XSS) vulnerabilities in Apache 
> ...)
>       NOT-FOR-US: Apache Jackrabbit
>  CVE-2009-0025 (BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not 
> properly check ...)
> @@ -5602,7 +5605,7 @@
>  CVE-2008-5526 (DrWeb Anti-virus 4.44.0.09170, when Internet Explorer 6 or 7 
> is used, ...)
>       NOT-FOR-US: DrWeb Anti-virus
>  CVE-2008-5525 (ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 
> or 7 is ...)
> -     TODO: check
> +     - clamav <unfixed>
>       NOTE: CVE claims it only happens when Internet Explorer 6 or 7 is used, 
> but ClamAV doesn't have any special code for IE
>  CVE-2008-5524 (CAT-QuickHeal 10.00 and possibly 9.50, when Internet Explorer 
> 6 or 7 ...)
>       NOT-FOR-US: CAT-QuickHeal
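Review bot: the existing NOTE under CVE-2008-5525 says ClamAV has no special code for Internet Explorer, which disputes the CVE's claim, yet the entry is now marked `- clamav <unfixed>` with that NOTE left unchanged, so the entry contradicts itself. Either the NOTE should say why the package is nonetheless considered affected (and which versions), or the status should reflect the doubt, e.g. `<not-affected>` with a reason as done for php4 in the first hunk.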
> @@ -5615,7 +5618,7 @@
>  CVE-2008-5520 (AhnLab V3 2008.12.4.1 and possibly 2008.9.13.0, when Internet 
> Explorer ...)
>       NOT-FOR-US: AhnLab V3
>  CVE-2008-5519 (The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache 
> Tomcat ...)
> -     TODO: check
> +     - tomcat5.5 <unfixed>
>  CVE-2008-5518
>       RESERVED
>  CVE-2008-5517 (The web interface in git (gitweb) 1.5.x before 1.5.6 allows 
> remote ...)
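Review bot: CVE-2008-5519 is described as affecting the JK Connector (mod_jk) 1.2.0 through 1.2.26, but the line added is `- tomcat5.5 <unfixed>`; confirm that tomcat5.5 is actually the source package that ships mod_jk rather than a separate connector package, and check the packaged connector version against the 1.2.26 upper bound before settling on `<unfixed>`.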
> @@ -7641,7 +7644,9 @@
>       NOTE: not reproducible using iceweasel 3.0.1
>  CVE-2008-4723 (Multiple cross-site scripting (XSS) vulnerabilities in 
> Mozilla Firefox ...)
>       {CVE-2008-4724}
> -     TODO: check
> +     - iceape <unfixed>
> +     - xulrunner <unfixed>
> +     - iceweasel <unfixed>
>       NOTE: http://www.jorgan.users.cg.yu/ seems to be the original source
>       NOTE: Not enough details to tell if this is a real vulnerability.
>       NOTE: My guess is that file names containing <>& are incorrectly
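Review bot: the three new `<unfixed>` lines for CVE-2008-4723 (iceape, xulrunner, iceweasel) sit directly above NOTEs stating "Not enough details to tell if this is a real vulnerability" and a guess at the root cause; marking the packages unfixed while those notes stand makes the entry inconsistent. If the Ubuntu tracker has confirmed the issue, the NOTEs should be updated with that finding; otherwise the status change is premature.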
> @@ -13994,7 +13999,9 @@
>  CVE-2008-2087 (SQL injection vulnerability in search_result.php in Softbiz 
> Web Host ...)
>       NOT-FOR-US: Softbiz Web Host Directory Script
>  CVE-2008-2086 (Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 
> 10 and ...)
> -     TODO: check
> +     - openjdk-6 <unfixed>
> +     - sun-java5 <unfixed>
> +     - sun-java6 <unfixed>
>  CVE-2008-2084 (SQL injection vulnerability in topics.php in the MyArticles 
> 0.6 beta-1 ...)
>       NOT-FOR-US: MyArticles
>  CVE-2008-2083 (SQL injection vulnerability in directory.php in Prozilla 
> Hosting ...)
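Review bot: CVE-2008-2086 is described as an issue in Sun Java Web Start and the Java Plug-in, so the `- openjdk-6 <unfixed>` line should be checked against whether the openjdk-6 packages ship those components at all; if they do not, `<not-affected>` with a reason (as used for php4 in the first hunk) is the right status, leaving `sun-java5` and `sun-java6` as the affected sources.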
> @@ -14121,7 +14128,7 @@
>  CVE-2008-2026 (Cross-site scripting (XSS) vulnerability in 
> WebID/IISWebAgentIF.dll in ...)
>       NOT-FOR-US:  RSA Authentication Agent
>  CVE-2008-2025 (Cross-site scripting (XSS) vulnerability in Apache Struts 
> before ...)
> -     TODO: check
> +     - libstruts1.2-java <unfixed>
>  CVE-2008-2024 (Cross-site scripting (XSS) vulnerability in index.php in 
> miniBB 2.2, ...)
>       NOT-FOR-US: miniBB
>  CVE-2008-2023 (Multiple SQL injection vulnerabilities in PD9 Software 
> MegaBBS 2.2 ...)
> @@ -29267,7 +29274,7 @@
>  CVE-2007-2842
>       RESERVED
>  CVE-2007-2841 [lighttpd DoS]
> -     RESERVED
> +     - lighttpd 1.4.16-1 (bug #428368)
>       NOTE: Duplicate of CVE-2007-3947, was assigned from Debian CNA and 
> clashed with MITRE
>       NOTE: assignment
>  CVE-2007-2840
> @@ -42623,7 +42630,7 @@
>       {DSA-1177-1}
>       - usermin <removed> (bug #374609)
>  CVE-2006-4245
> -     RESERVED
> +     - archivemail <unfixed>
>  CVE-2006-4244 (SQL-Ledger 2.4.4 through 2.6.17 authenticates users by 
> verifying that ...)
>       {DSA-1239-1}
>       - sql-ledger 2.6.18-1 (medium; bug #386519)
> @@ -45262,7 +45269,6 @@
>       {DSA-1112}
>       - mysql-dfsg-5.0 5.0.19-1 (bug #373913; high)
>  CVE-2006-3100 [termnetd buffer overflow]
> -     RESERVED
>       - termpkg 3.3-7 (bug #358028; medium)
>  CVE-2006-3085 (xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows 
> attackers ...)
>       - linux-2.6 2.6.16-15
> 
> 
> _______________________________________________
> Secure-testing-commits mailing list
> secure-testing-comm...@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits

