Author: jmm Date: 2012-05-08 17:42:29 +0000 (Tue, 08 May 2012) New Revision: 19173
Modified: data/CVE/list data/spu-candidates.txt Log: triage output of external check script: new ruby-mail issue (fixed, not in stable) new kernel issue new munin issue (doesn't affect stable) jboss not affected NFUs vlc fixed in sid x11-apps fixed in sid, no-dsa NFUs filed bug for eglibc ORIGIN issue icedtea-web fixed remove CVEfied asterisk temp issue dupes Modified: data/CVE/list =================================================================== --- data/CVE/list 2012-05-08 10:39:24 UTC (rev 19172) +++ data/CVE/list 2012-05-08 17:42:29 UTC (rev 19173) @@ -16,11 +16,11 @@ CVE-2012-2452 RESERVED CVE-2012-2450 (VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, ...) - TODO: check + NOT-FOR-US: VMware CVE-2012-2449 (VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, ...) - TODO: check + NOT-FOR-US: VMware CVE-2012-2448 (VMware ESXi 3.5 through 5.0 and ESX 3.5 through 4.1 allow remote ...) - TODO: check + NOT-FOR-US: VMware CVE-2012-2447 RESERVED CVE-2012-2446 @@ -388,6 +388,7 @@ RESERVED CVE-2012-2319 RESERVED + - linux-2.6 <unfixed> (low) CVE-2012-2318 [Improper validation of incoming plaintext messages in MSN protocol plug-in] RESERVED - pidgin 2.10.4-1 @@ -411,6 +412,7 @@ - linux-2.6 <unfixed> CVE-2012-2312 RESERVED + - jbossas4 <not-affected> (Only affects JBoss 7) CVE-2012-2311 [PHP-CGI query string parameter vulnerability] RESERVED - php5 <unfixed> (bug #671880) @@ -643,7 +645,7 @@ TODO: check NOTE: http://www.pidgin.im/news/security/?id=62 CVE-2012-2213 (** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the ...) - TODO: check + NOT-FOR-US: Disputed Squid access bypass, probably user error and minor impact anyway CVE-2012-2212 (** DISPUTED ** McAfee Web Gateway 7.0 allows remote attackers to ...) NOT-FOR-US: McAfee Web Gateway CVE-2012-2211 
@@ -788,6 +790,8 @@ RESERVED CVE-2012-2147 RESERVED + - munin <unfixed> (bug #670811) + [squeeze] - munin <not-affected> (Vulnerable code not present) CVE-2012-2146 RESERVED - elixir <unfixed> (low; bug #670919) @@ -806,8 +810,10 @@ NOTE: Red Hat patch: https://bugzilla.redhat.com/attachment.cgi?id=580443&action=diff CVE-2012-2140 RESERVED + - ruby-mail 2.4.4-1 CVE-2012-2139 RESERVED + - ruby-mail 2.4.4-1 CVE-2012-2138 RESERVED CVE-2012-2137 @@ -821,6 +827,7 @@ - python3.3 <unfixed> CVE-2012-2134 RESERVED + NOT-FOR-US: Dynamic LDAP backend plugin for BIND CVE-2012-2133 RESERVED - linux-2.6 <unfixed> @@ -1331,7 +1338,7 @@ CVE-2012-XXXX [mahara SAML impersonation issue] - mahara 1.4.2-1 CVE-2012-1936 (** DISPUTED ** The wp_create_nonce function in ...) - TODO: check + NOT-FOR-US: Disputed Wordpress issue CVE-2012-1935 RESERVED CVE-2012-1934 @@ -1643,11 +1650,9 @@ CVE-2012-1777 (SQL injection vulnerability in my.activation.php3 in F5 FirePass 6.0.0 ...) NOT-FOR-US: F5 Firepass CVE-2012-1776 (Multiple heap-based buffer overflows in VideoLAN VLC media player ...) - - vlc <unfixed> - TODO: check + - vlc 2.0.1-1 (low) CVE-2012-1775 (Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 ...) - - vlc <unfixed> - TODO: check + - vlc 2.0.1-1 (low) CVE-2011-5083 (Unrestricted file upload vulnerability in inc/swf/swfupload.swf in ...) - dotclear <unfixed> (low; bug #670227) NOTE: Post-authentication; vulnerability is actually in admin/media.php. 
@@ -1816,19 +1821,19 @@ CVE-2012-1711 RESERVED CVE-2012-1710 (Unspecified vulnerability in the Oracle WebCenter Forms Recognition ...) - TODO: check + NOT-FOR-US: Oracle Fusion CVE-2012-1709 (Unspecified vulnerability in the Oracle WebCenter Forms Recognition ...) - TODO: check + NOT-FOR-US: Oracle Fusion CVE-2012-1708 (Unspecified vulnerability in the Application Express component in ...) - TODO: check + NOT-FOR-US: Oracle Database CVE-2012-1707 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...) - TODO: check + NOT-FOR-US: Oracle Financial Services Software CVE-2012-1706 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...) - TODO: check + NOT-FOR-US: Oracle Financial Services Software CVE-2012-1705 RESERVED CVE-2012-1704 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...) - TODO: check + NOT-FOR-US: Oracle Financial Services Software CVE-2012-1703 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - mysql-5.1 5.1.62-1 (bug #670636) - mysql-5.5 5.5.23-1 
@@ -1841,21 +1846,21 @@ CVE-2012-1699 RESERVED CVE-2012-1698 (Unspecified vulnerability in Oracle Sun Solaris 11 allows remote ...) - TODO: check + NOT-FOR-US: Solaris CVE-2012-1697 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - mysql-5.5 5.5.23-1 CVE-2012-1696 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - mysql-5.5 5.5.23-1 CVE-2012-1695 (Unspecified vulnerability in the Oracle JRockit component in Oracle ...) - TODO: check + NOT-FOR-US: Oracle Fusion CVE-2012-1694 (Unspecified vulnerability in Oracle Sun Solaris 10 allows remote ...) - TODO: check + NOT-FOR-US: Solaris CVE-2012-1693 (Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers ...) - TODO: check + NOT-FOR-US: Oracle SPARC Enterprise M Series Servers CVE-2012-1692 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local users ...) - TODO: check + NOT-FOR-US: Solaris CVE-2012-1691 (Unspecified vulnerability in Oracle Sun Solaris 11 allows local users ...) - TODO: check + NOT-FOR-US: Solaris CVE-2012-1690 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - mysql-5.1 5.1.62-1 (bug #670636) - mysql-5.5 5.5.23-1 @@ -1871,13 +1876,13 @@ CVE-2012-1685 RESERVED CVE-2012-1684 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 ...) - TODO: check + NOT-FOR-US: Solaris CVE-2012-1683 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 ...) - TODO: check + NOT-FOR-US: Solaris CVE-2012-1682 RESERVED CVE-2012-1681 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 ...) - TODO: check + NOT-FOR-US: Solaris CVE-2012-1680 RESERVED CVE-2012-1679 (Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking ...) 
@@ -1908,12 +1913,6 @@ RESERVED CVE-2012-1666 RESERVED -CVE-2012-XXXX [http://downloads.asterisk.org/pub/security/AST-2012-003.html] - - asterisk <unfixed> - [squeeze] - asterisk <not-affected> (Vulnerable code not present) -CVE-2012-XXXX [http://downloads.asterisk.org/pub/security/AST-2012-002.html] - - asterisk <unfixed> - [squeeze] - asterisk <not-affected> (Vulnerable code not present) CVE-2012-1665 RESERVED CVE-2012-1664 @@ -2304,9 +2303,9 @@ CVE-2012-1518 (VMware Workstation 8.x before 8.0.2, VMware Player 4.x before 4.0.2, ...) NOT-FOR-US: VMware CVE-2012-1517 (The VMX process in VMware ESXi 4.1 and ESX 4.1 does not properly ...) - TODO: check + NOT-FOR-US: VMware CVE-2012-1516 (The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 ...) - TODO: check + NOT-FOR-US: VMware CVE-2012-1515 (VMware ESXi 3.5, 4.0, and 4.1 and ESX 3.5, 4.0, and 4.1 do not ...) NOT-FOR-US: VMware ESXi CVE-2012-1514 (Cross-site request forgery (CSRF) vulnerability in VMware vShield ...) @@ -4148,7 +4147,6 @@ CVE-2012-0780 RESERVED CVE-2012-0779 (Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on ...) - TODO: check NOT-FOR-US: Adobe Flash Player CVE-2012-0778 RESERVED @@ -13805,9 +13803,8 @@ CVE-2011-2514 RESERVED - openjdk-6 6b21~pre1-1 - - icedtea-web <unfixed> + - icedtea-web 1.1-1 NOTE: Browser plugin was removed in openjdk-6 6b21~pre1-1. - TODO: check CVE-2011-2513 RESERVED - openjdk-6 6b21~pre1-1 @@ -13848,8 +13845,8 @@ [lenny] - phpmyadmin <not-affected> (Vulnerable code not present) CVE-2011-2504 RESERVED - - x11-apps <unfixed> (low) - TODO: check + - x11-apps 7.7~1 (low) + [squeeze] - x11-apps <no-dsa> (Minor issue) CVE-2011-2503 RESERVED {DSA-2348-1} 
@@ -16194,9 +16191,8 @@ [lenny] - glibc <no-dsa> (Minor issue) NOTE: http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=8126d90480fa CVE-2011-1658 (ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier ...) - - eglibc <unfixed> - - glibc <removed> - TODO: check + - eglibc <unfixed> (low; bug #672119) + [squeeze] - eglibc <no-dsa> (Minor issue) CVE-2011-1657 (The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions ...) - php5 <unfixed> (unimportant) NOTE: safe mode not supported Modified: data/spu-candidates.txt =================================================================== --- data/spu-candidates.txt 2012-05-08 10:39:24 UTC (rev 19172) +++ data/spu-candidates.txt 2012-05-08 17:42:29 UTC (rev 19173) @@ -91,7 +91,10 @@ CVE-2011-4609 +CVE-2011-1658 +#672119 + -- fabric (CVE-2011-2185) @@ -431,6 +434,11 @@ -- +x11-apps (CVE-2011-2504) +http://cgit.freedesktop.org/xorg/app/x11perf/commit/?id=fefc834c419085b2db3b2d7d57bdbfe240d1b75c + +-- + nss (CVE-2011-XXXX) https://bugzilla.mozilla.org/show_bug.cgi?id=641052 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
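Review bot: the new `- linux-2.6 <unfixed> (low)` line under CVE-2012-2319 (hunk @@ -388,6 +388,7 @@) carries no NOTE: line and no [squeeze] annotation, so the entry records neither the upstream fix nor whether stable is affected. The rest of this commit follows the usual convention (the Red Hat patch NOTE: just above CVE-2012-2140, the `[squeeze] - munin <not-affected> (Vulnerable code not present)` line at CVE-2012-2147); please add a NOTE: with the upstream commit reference and a [squeeze] line once the stable kernel has been checked.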
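Review bot: `NOT-FOR-US: Disputed Squid access bypass, probably user error and minor impact anyway` at CVE-2012-2213 (hunk @@ -643,7 +645,7 @@) uses the NOT-FOR-US tag with a rationale about impact rather than about the software not being in Debian; everywhere else in this diff NOT-FOR-US is used for VMware, McAfee, Oracle and Solaris products that Debian does not ship. Squid is packaged in Debian, so a package line with the judgement expressed as severity, in the style of `- php5 <unfixed> (unimportant)` at CVE-2011-1657, or a `<not-affected>` with the reason in parentheses, would keep the entry queryable by package.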
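Review bot: same issue at CVE-2012-1936 (hunk @@ -1331,7 +1338,7 @@): `NOT-FOR-US: Disputed Wordpress issue` marks as not-for-Debian a package that is in the archive, and gives no reason why the disputed report does not apply. A `- wordpress <not-affected> (...)` or `<unfixed> (unimportant)` line with a one-phrase reason would match the convention used for packaged software elsewhere in the file.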
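Review bot: the two CVE-2012-XXXX entries removed in hunk @@ -1908,12 +1913,6 @@ (AST-2012-002 and AST-2012-003) each carried `[squeeze] - asterisk <not-affected> (Vulnerable code not present)`, and the log calls them dupes of now-CVE'd entries, but those CVE'd entries are not in this diff. Please confirm they carry the same [squeeze] annotation, and ideally a NOTE: with the AST-2012-00x URL, so the stable status and the advisory reference are not lost with the removal.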
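Review bot: `- glibc <removed>` is dropped from CVE-2011-1658 in hunk @@ -16194,9 +16191,8 @@ while only the eglibc lines are kept; the preceding entry still tracks `[lenny] - glibc <no-dsa> (Minor issue)`, so glibc appears to be the source package relevant for lenny and removing its line leaves the lenny status of this CVE unrecorded. Suggest keeping `- glibc <removed>` next to the new `- eglibc <unfixed> (low; bug #672119)`. The new `[squeeze] - eglibc <no-dsa> (Minor issue)` line is consistent with adding CVE-2011-1658 / #672119 to data/spu-candidates.txt in the same commit.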
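Review bot: the CVE-2011-2504 entry (hunk @@ -13848,8 +13845,8 @@) gains `[squeeze] - x11-apps <no-dsa> (Minor issue)` but no NOTE: pointing at the fix, while the data/spu-candidates.txt hunk records the upstream x11perf commit URL (fefc834c...). Adding that URL as a NOTE: line under CVE-2011-2504 in data/CVE/list keeps the fix reference with the CVE entry, which is where whoever prepares the squeeze point update will look first.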