Author: jmm-guest
Date: 2009-11-12 22:49:53 +0000 (Thu, 12 Nov 2009)
New Revision: 13281

Modified:
   data/CVE/list
Log:
- grub2 fixed, doesn't affect Lenny
- convert expat embedded issues to TODOs until they're triaged
- one mozilla issue only affects xulrunner, not iceweasel
- proftpd is also affected by the general TLS issue, track it for now
- cups fixed


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2009-11-12 21:14:19 UTC (rev 13280)
+++ data/CVE/list       2009-11-12 22:49:53 UTC (rev 13281)
@@ -51,7 +51,8 @@
 CVE-2009-3906
        RESERVED
 CVE-2009-XXXX [grub2: password bypass]
-       - grub2 <unfixed> (high; bug #555195)
+       - grub2 1.97+experimental.20091110-1 (bug #555195)
+       [lenny] - grub2 <not-affected> (Password authentication not yet present)
        NOTE: fixed in upstream verion 1.97.1
 CVE-2009-3905 (Multiple cross-site scripting (XSS) vulnerabilities in 
e-Courier CMS ...)
        NOT-FOR-US: e-Courier CMS
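Review bot: the new fixed version 1.97+experimental.20091110-1 is a snapshot that predates the upstream fix release named in the NOTE line (1.97.1, spelled "verion" there); if the Debian snapshot carries a backport of the fix, state that in the NOTE so the mismatch between the package version and "fixed in upstream 1.97.1" is not read as a wrong version. The [lenny] <not-affected> line with its reason ("Password authentication not yet present") is the right way to record the oldstable status.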
@@ -162,8 +163,7 @@
 CVE-2009-3851 (Trusted Extensions in Sun Solaris 10 interferes with the 
operation of ...)
        NOT-FOR-US: Sun Solaris 10
 CVE-2009-3850 (Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to 
...)
-       - blender <unfixed> (low)
-       TODO: determine whether this is a no-dsa issue.  
+       - blender <unfixed> (unimportant)
        NOTE: attack vector is social engineering to get the user to open
        NOTE: a malicious .blend file.  by design, blend files support
        NOTE: all python operations, so ultimately any code can be executed
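Review bot: the removed TODO asked whether this is a no-dsa issue, and the hunk answers it by downgrading the severity from (low) to (unimportant) instead; the existing NOTE lines (opening an attacker-supplied .blend file runs arbitrary Python by design) support that, but a short NOTE saying explicitly that the issue is therefore not considered a security bug would make the reasoning visible without having to reconstruct it from the diff history.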
@@ -476,46 +476,46 @@
        - w3c-libwww <removed> (low; bug #551938)
        [etch] - w3c-libwww <no-dsa> (Minor issue, only used by fringe apps)
        - python-xml <unfixed> (low; bug #551939)
-       - python2.5 <unfixed> (low)
-       - python2.4 <unfixed> (low)
-       - wxwindows2.4 <removed> (low)
-       - wxwidgets2.6 <unfixed> (low)
-       - wxwidgets2.8 <unfixed> (low)
-       - celementtree <unfixed> (low)
-       - audacity <unfixed> (low)
-       - matanza <unfixed> (low)
-       - tdom <unfixed> (low)
-       - udunits <unfixed> (low)
+       TODO: check     - python2.5 <unfixed> (low)
+       TODO: check     - python2.4 <unfixed> (low)
+       TODO: check     - wxwindows2.4 <removed> (low)
+       TODO: check     - wxwidgets2.6 <unfixed> (low)
+       TODO: check     - wxwidgets2.8 <unfixed> (low)
+       TODO: check     - celementtree <unfixed> (low)
+       TODO: check     - audacity <unfixed> (low)
+       TODO: check     - matanza <unfixed> (low)
+       TODO: check     - tdom <unfixed> (low)
+       TODO: check     - udunits <unfixed> (low)
        - apr-util <not-affected> (links to system expat)
-       - ayttm <unfixed> (low)
-       - cableswig <unfixed> (low)
-       - cadaver <unfixed> (low)
-       - cmake <unfixed> (low)
-       - coin3 <unfixed> (low)
-       - gdcm <unfixed> (low)
-       - ghostscript <unfixed> (low)
-       - grmonitor <unfixed> (low)
-       - iceape <unfixed> (low)
-       - insighttoolkit <unfixed> (low)
-       - libparagui1.1 <unfixed> (low)
-       - paraview <unfixed> (low)
-       - poco <unfixed> (low)
-       - simgear <unfixed> (low)
-       - sitecopy <unfixed> (low)
-       - smart <unfixed> (low)
-       - swish-e <unfixed> (low)
-       - tla <unfixed> (low)
-       - vtk <unfixed> (low)
-       - wbxml2 <unfixed> (low)
-       - xmlrpc-c <unfixed> (low)
-       - iceweasel <unfixed> (low)
-       - kompozer 1:0.8~b1-2 (low)
-       - vxl <unfixed> (low)
-       - xulrunner <unfixed> (low)
+       TODO: check     - ayttm <unfixed> (low)
+       TODO: check     - cableswig <unfixed> (low)
+       TODO: check     - cadaver <unfixed> (low)
+       TODO: check     - cmake <unfixed> (low)
+       TODO: check     - coin3 <unfixed> (low)
+       TODO: check     - gdcm <unfixed> (low)
+       TODO: check     - ghostscript <unfixed> (low)
+       TODO: check     - grmonitor <unfixed> (low)
+       TODO: check     - iceape <unfixed> (low)
+       TODO: check     - insighttoolkit <unfixed> (low)
+       TODO: check     - libparagui1.1 <unfixed> (low)
+       TODO: check     - paraview <unfixed> (low)
+       TODO: check     - poco <unfixed> (low)
+       TODO: check     - simgear <unfixed> (low)
+       TODO: check     - sitecopy <unfixed> (low)
+       TODO: check     - smart <unfixed> (low)
+       TODO: check     - swish-e <unfixed> (low)
+       TODO: check     - tla <unfixed> (low)
+       TODO: check     - vtk <unfixed> (low)
+       TODO: check     - wbxml2 <unfixed> (low)
+       TODO: check     - xmlrpc-c <unfixed> (low)
+       TODO: check     - iceweasel <unfixed> (low)
+       TODO: check     - kompozer 1:0.8~b1-2 (low)
+       TODO: check     - vxl <unfixed> (low)
+       TODO: check     - xulrunner <unfixed> (low)
        - apache2 <not-affected> (links to system expat)
-       - texlive-bin <unfixed> (low)
-       - vnc4 <unfixed> (low)
-       - xotcl <unfixed> (low)
+       TODO: check     - texlive-bin <unfixed> (low)
+       TODO: check     - vnc4 <unfixed> (low)
+       TODO: check     - xotcl <unfixed> (low)
 CVE-2009-3719 (Cross-site scripting (XSS) vulnerability in comment.asp in 
Battle Blog ...)
        NOT-FOR-US: Battle Blog
 CVE-2009-3718 (SQL injection vulnerability in admin/authenticate.asp in Battle 
Blog ...)
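Review bot: prefixing each of the 38 package lines with "TODO: check     " turns them into TODO lines, so the tracker stops recording these packages as affected by the embedded-expat issue while triage is pending, and for kompozer the already-recorded fixed version 1:0.8~b1-2 is lost in the same way; consider keeping the package entries as they were and adding a single line such as "TODO: verify which of the listed packages actually use their embedded expat copy" ahead of the block, rather than a copy of the TODO on every line. The apr-util and apache2 <not-affected> entries left untouched between the TODOs show that the intended end state is per-package verdicts, which is easier to reach if the entries stay in place.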
@@ -944,6 +944,7 @@
        - gnutls13 <removed>
        - nss <unfixed>
        - xyssl <unfixed>
+       - proftpd-dfsg 1.3.2b-2
        - polarssl <unfixed>
        - matrixssl <unfixed>
        - pike7.6 <unfixed>
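Review bot: the new proftpd-dfsg line records a fixed version (1.3.2b-2) while the commit log only says the package is being tracked "for now"; add a NOTE saying what the 1.3.2b-2 upload changed with respect to the TLS issue, or a bug reference, so the line reads as a confirmed fix rather than a placeholder that later readers may take at face value.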
@@ -1434,10 +1435,6 @@
        - xulrunner 1.9.1.4-1
        [etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer 
covered by security support)
 CVE-2009-3371 (Use-after-free vulnerability in Mozilla Firefox 3.5.x before 
3.5.4 ...)
-       - icedove <unfixed> (bug #555313)
-       - iceweasel 3.5.4-1
-       [etch] - iceweasel <not-affected> (web workers introduced in firefox 
3.5)
-       [lenny] - iceweasel <not-affected> (web workers introduced in firefox 
3.5)
        - xulrunner 1.9.1.4-1
        [etch] - xulrunner <not-affected> (web workers introduced in firefox 
3.5)
        [lenny] - xulrunner <not-affected> (web workers introduced in firefox 
3.5)
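Review bot: the "- icedove <unfixed> (bug #555313)" line is deleted outright, so bug #555313 stays open with no tracker entry pointing at it; if icedove is not affected, record "- icedove <not-affected> (reason)" and close or reassign the bug rather than dropping the reference. The iceweasel removal matches the commit log ("only affects xulrunner, not iceweasel"), but an explicit <not-affected> with the reason, as the remaining [etch]/[lenny] xulrunner lines already do, would preserve the audit trail.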
@@ -1986,6 +1983,7 @@
        [lenny] - jscropperui <no-dsa> (minor issue)
        - rt-extension-emailcompletion <unfixed> (low; bug #555258)
        - scriptaculous 1.8.3-1 (low; bug #555259)
+       [lenny] - scriptaculous <no-dsa> (Minor issue)
        - activeldap 1.0.9-1 (low; bug #555263)
        [lenny] - activeldap <no-dsa> (minor issue)
        - mantis 1.1.8+dfsg-3 (low; bug #555264)
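Review bot: style point on the added [lenny] scriptaculous line: the reason is written "Minor issue" while the neighbouring jscropperui and activeldap entries in this hunk use "minor issue"; match the existing casing.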
@@ -3361,7 +3359,7 @@
        RESERVED
 CVE-2009-2820 (CUPS in Apple Mac OS X before 10.6.2 does not properly handle 
(1) HTTP ...)
        {DSA-1933-1}
-       - cups <unfixed> (low; bug #555666)
+       - cups 1.4.2-1 (low; bug #555666)
        - cupsys <removed>
 CVE-2009-2819 (AFP Client in Apple Mac OS X 10.5.8 allows remote AFP servers 
to ...)
        TODO: check


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
