Author: jmm-guest Date: 2009-02-13 21:30:33 +0000 (Fri, 13 Feb 2009) New Revision: 11210
Modified: data/CVE/list data/spu-candidates.txt Log: - no-dsa: mailscanner, tsqllib, mikmod, sdlmixer - remove CVEfied trac temp entry - one tomcat issue is actually a JVM issue - libnet-dns-perl isn't fixed DNS randomisation-wise Modified: data/CVE/list =================================================================== --- data/CVE/list 2009-02-13 21:14:13 UTC (rev 11209) +++ data/CVE/list 2009-02-13 21:30:33 UTC (rev 11210) @@ -1233,6 +1233,7 @@ NOT-FOR-US: Fedora specific issue CVE-2009-0179 (libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other ...) - libmikmod <unfixed> (low; bug #476339) + [etch] - libmikmod <no-dsa> (Minor issue) CVE-2009-0178 (Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 ...) NOT-FOR-US: IBM Hardware Management Console CVE-2009-0177 (vmwarebase.dll, as used in the vmware-authd service (aka ...) @@ -1262,7 +1263,9 @@ NOT-FOR-US: RealNetworks Helix CVE-2007-6720 (libmikmod 3.1.9 through 3.2.0, as used by MikMod, SDL-mixer, and ...) - libmikmod <unfixed> (low; bug #461519) + [etch] - libmikmod <no-dsa> (Minor issue) - sdl-mixer1.2 1.2.8-1 (low; bug #422021) + [etch] - sdl-mixer1.2 <no-dsa> (Minor issue) CVE-2009-0173 (Unspecified vulnerability in the server in IBM DB2 9.1 before FP6a and ...) NOT-FOR-US: IBM DB2 CVE-2009-0172 (Unspecified vulnerability in IBM DB2 9.1 before FP6a and 9.5 before ...) @@ -1375,7 +1378,8 @@ CVE-2009-0125 (** DISPUTED ** ...) - libnasl <unfixed> (unimportant; bug #511517) CVE-2009-0124 (The tqsl_verifyDataBlock function in openssl_cert.cpp in American ...) - - tqsllib 2.0-8 (bug #511509) + - tqsllib 2.0-8 (low; bug #511509) + [etch] - tqsllib <no-dsa> (Minor issue) CVE-2009-0123 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows ...) NOT-FOR-US: Apple Safari CVE-2009-0122 (hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 and ...) 
@@ -2122,9 +2126,9 @@ CVE-2008-5648 (SQL injection vulnerability in admin/login.php in DeltaScripts PHP ...) NOT-FOR-US: DeltaScripts PHP Shop CVE-2008-5647 (Unspecified vulnerability in the HTML sanitizer filter in Trac before ...) - - trac 0.11.1-2.1 (low; bug #509342) + - trac 0.11.1-2.1 (low; bug #509342; bug #505197) CVE-2008-5646 (Unspecified vulnerability in Trac before 0.11.2 allows attackers to ...) - - trac 0.11.1-2.1 (low; bug #509342) + - trac 0.11.1-2.1 (low; bug #509342; bug #505197) CVE-2008-5645 (Directory traversal vulnerability in the media server in Orb Networks ...) NOT-FOR-US: Orb Networks Orb CVE-2008-5644 (Cross-site scripting (XSS) vulnerability in the file backend module in ...) @@ -3438,9 +3442,11 @@ NOTE: http://securityreason.com/achievement_securityalert/57 CVE-2008-5312 (mailscanner 4.55.10 and other versions before 4.74.16-1 might allow ...) - mailscanner 4.74.16-1 (bug #506353) + [etch] - mailscanner <no-dsa> (Minor issue) NOTE: there is no difference apart from the versions to CVE-2008-5313 CVE-2008-5313 (mailscanner 4.68.8 and other versions before 4.74.16-1 might allow ...) - mailscanner 4.74.16-1 (bug #506353) + [etch] - mailscanner <no-dsa> (Minor issue) NOTE: there is no difference apart from the versions to CVE-2008-5312 CVE-2008-5175 (Directory traversal vulnerability in the FTP client in AceFTP Freeware ...) NOT-FOR-US: AceFTP @@ -3889,8 +3895,6 @@ {DSA-1687-1 DSA-1681-1} - linux-2.6 2.6.26-11 - linux-2.6.24 2.6.24-6~etchnhalf.7 -CVE-2008-XXXX [Trac Multiple Vulnerabilities] - - trac 0.11.1-2.1 (bug #505197) CVE-2008-5008 (Buffer overflow in src/src_sinc.c in Secret Rabbit Code (aka SRC or ...) - libsamplerate 0.1.4-1 CVE-2008-5006 (smtp.c in the c-client library in University of Washington IMAP ...) 
@@ -7860,8 +7864,6 @@ NOT-FOR-US: IntelliTamper CVE-2008-3359 (SQL injection vulnerability in register.php in Steve Bourgeois and ...) - owl-dms 0.95-1.1 (bug #493372) - NOTE: Hardly maintained and very few users, long standing sec issues in Etch, - NOTE: Emailed release team to ask for removal from lenny CVE-2008-3358 (Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP ...) NOT-FOR-US: SAP NetWeaver portal CVE-2008-3357 (Untrusted search path vulnerability in ingvalidpw in Ingres 2.6, ...) @@ -8822,7 +8824,9 @@ [etch] - apache2 2.2.3-4+etch6 - apache <not-affected> (vulnerable code not present) CVE-2008-2938 (Directory traversal vulnerability in Apache Tomcat 4.1.0 through ...) - - tomcat5.5 5.5.26-5 (low; bug #496309) + NOTE: This is an issue in the respective JVMs, Tomcat only includes a workaround + NOTE: Check status of free JVMs + - tomcat5.5 5.5.26-5 (unimportant; bug #496309) CVE-2008-2937 (Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a ...) - postfix 2.5.4-1 (low) [etch] - postfix <no-dsa> (minor issue) @@ -12327,7 +12331,7 @@ - adns 1.4-2 (unimportant; bug #492698) NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian - udns <unfixed> (bug #493599) - - libnet-dns-perl 0.63-2 (low; bug #492700) + - libnet-dns-perl <unfixed> (low; bug #492700) NOTE: Source port randomization from Lenny kernel should provide sufficient protection NOTE: since this is just a Perl nodule for DNS queries and not a high-profile server app like NOTE: Bind, it's unlikely that a home-grown fix will provide an implementation of higher 
@@ -12336,7 +12340,8 @@ - ruby1.9 1.9.0.2-6 (low) NOTE: Unbound, djbdns, pdnsd and PowerDNS are affected by the underlying protocol issue, but NOTE: already use source port randomization. - NOTE: Marking non-caching stub resolvers as low since these really should be fixed, but are much less vulnerable than a caching server. + NOTE: Marking non-caching stub resolvers as low since these really should be fixed, + NOTE: but are much less vulnerable than a caching server. CVE-2008-1446 (Integer overflow in the Internet Printing Protocol (IPP) ISAPI ...) NOT-FOR-US: Microsoft CVE-2008-1445 (Active Directory on Microsoft Windows 2000 Server SP4, XP Professional ...) @@ -19935,7 +19940,7 @@ - iceape 1.1.5 NOTE: MFSA2007-33 CVE-2007-5333 (Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 ...) - - tomcat5.5 5.5.26-1 (medium; bug #465645) + - tomcat5.5 5.5.26-1 (low; bug #465645) - tomcat5 <removed> CVE-2007-5332 (Multiple unspecified vulnerabilities in (1) mediasvr and (2) caloggerd ...) NOT-FOR-US: ARCServe BackUp Modified: data/spu-candidates.txt =================================================================== --- data/spu-candidates.txt 2009-02-13 21:14:13 UTC (rev 11209) +++ data/spu-candidates.txt 2009-02-13 21:30:33 UTC (rev 11210) @@ -316,6 +316,11 @@ -- +mailscanner (CVE-2008-5312, CVE-2008-5313) +#506353 + +-- + mecab (CVE-2007-3231) #429174 notified maintainer @@ -545,6 +550,11 @@ -- +tqsllib 2.0-8 (CVE-2009-0124) +#511509 + +-- + trickle #513456 notified maintainer _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
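Review bot: the removal of the two NOTE lines for owl-dms under CVE-2008-3359 (hunk @@ -7860) is not covered by the log message, and the remaining entry `- owl-dms 0.95-1.1 (bug #493372)` no longer records why the removal request was dropped or whether the package was in fact removed from lenny. Suggest either keeping those notes or replacing them with one line stating the outcome, so the reason the etch issue stays unfixed remains visible in the tracker.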
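Review bot: in hunk @@ -8822 the added line `NOTE: Check status of free JVMs` is a to-do rather than tracked state; if CVE-2008-2938 is an issue in the JVMs and Tomcat only carries a workaround, the affected JVM source packages need their own entries under the CVE, otherwise downgrading tomcat5.5 to `unimportant` leaves the CVE with no package marked as needing a fix. Suggest adding entries for the affected JVM packages together with this downgrade, or at least naming in the NOTE which JVM packages still have to be checked.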
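Review bot: in hunk @@ -12327 libnet-dns-perl changes from `0.63-2` to `<unfixed>` but keeps `(low; bug #492700)` with no `[etch]` status line, while the surrounding NOTE lines argue that source port randomization from the Lenny kernel is sufficient protection; if that argument is also meant to cover etch, an explicit etch line would make the entry consistent with the `<no-dsa>` lines added elsewhere in this commit. The context line `NOTE: since this is just a Perl nodule for DNS queries` also has a typo, `nodule` should read `module`.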
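Review bot: the severity change for tomcat5.5 under CVE-2007-5333 in hunk @@ -19935 (`medium` to `low`) is not mentioned in the log message and has no NOTE giving the reason; suggest adding a NOTE line with the rationale, as was done for the tomcat5.5 downgrade under CVE-2008-2938 in the same commit, so later readers can tell whether the rating reflects a reassessment of the issue or a change in how the package is affected.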
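Review bot: the data/spu-candidates.txt hunks add mailscanner (#506353) and tqsllib 2.0-8 (#511509), matching the `[etch] ... <no-dsa> (Minor issue)` lines added for them in data/CVE/list, but libmikmod and sdl-mixer1.2, which receive the same marker in this commit under CVE-2009-0179 and CVE-2007-6720, are not added as candidates; if that is intentional a short remark in the log message would help, otherwise they should get matching entries so the point-update list stays in step with the no-dsa decisions.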