Author: jmm-guest
Date: 2009-02-13 21:30:33 +0000 (Fri, 13 Feb 2009)
New Revision: 11210

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
- no-dsa: mailscanner, tsqllib, mikmod, sdlmixer
- remove CVEfied trac temp entry
- one tomcat issue is actually a JVM issue
- libnet-dns-perl isn't fixed DNS randomisation-wise


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2009-02-13 21:14:13 UTC (rev 11209)
+++ data/CVE/list       2009-02-13 21:30:33 UTC (rev 11210)
@@ -1233,6 +1233,7 @@
        NOT-FOR-US: Fedora specific issue
 CVE-2009-0179 (libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly 
other ...)
        - libmikmod <unfixed> (low; bug #476339)
+       [etch] - libmikmod <no-dsa> (Minor issue)
 CVE-2009-0178 (Unspecified vulnerability in IBM Hardware Management Console 
(HMC) 7 ...)
        NOT-FOR-US: IBM Hardware Management Console
 CVE-2009-0177 (vmwarebase.dll, as used in the vmware-authd service (aka ...)
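Review bot: style only, the new `[etch] - libmikmod <no-dsa> (Minor issue)` line capitalises the rationale, while the existing postfix entry later in this file writes `<no-dsa> (minor issue)`; pick one spelling for the no-dsa rationale so readers and grep-based tooling see a consistent string.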
@@ -1262,7 +1263,9 @@
        NOT-FOR-US: RealNetworks Helix
 CVE-2007-6720 (libmikmod 3.1.9 through 3.2.0, as used by MikMod, SDL-mixer, 
and ...)
        - libmikmod <unfixed> (low; bug #461519)
+       [etch] - libmikmod <no-dsa> (Minor issue)
        - sdl-mixer1.2 1.2.8-1 (low; bug #422021)
+       [etch] - sdl-mixer1.2 <no-dsa> (Minor issue)
 CVE-2009-0173 (Unspecified vulnerability in the server in IBM DB2 9.1 before 
FP6a and ...)
        NOT-FOR-US: IBM DB2
 CVE-2009-0172 (Unspecified vulnerability in IBM DB2 9.1 before FP6a and 9.5 
before ...)
@@ -1375,7 +1378,8 @@
 CVE-2009-0125 (** DISPUTED ** ...)
        - libnasl <unfixed> (unimportant; bug #511517)
 CVE-2009-0124 (The tqsl_verifyDataBlock function in openssl_cert.cpp in 
American ...)
-       - tqsllib 2.0-8 (bug #511509)
+       - tqsllib 2.0-8 (low; bug #511509)
+       [etch] - tqsllib <no-dsa> (Minor issue)
 CVE-2009-0123 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and 
Windows ...)
        NOT-FOR-US: Apple Safari
 CVE-2009-0122 (hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 
and ...)
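Review bot: the severity change on the tqsllib line (from no rating to `low`) is not mentioned in the Log, which only lists tqsllib under no-dsa; add a word to the commit message or a NOTE line giving the reason. The `[etch] - tqsllib <no-dsa>` marking together with the new spu-candidates entry is consistent: no advisory, fix to be proposed via a stable point update instead.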
@@ -2122,9 +2126,9 @@
 CVE-2008-5648 (SQL injection vulnerability in admin/login.php in DeltaScripts 
PHP ...)
        NOT-FOR-US: DeltaScripts PHP Shop
 CVE-2008-5647 (Unspecified vulnerability in the HTML sanitizer filter in Trac 
before ...)
-       - trac 0.11.1-2.1 (low; bug #509342)
+       - trac 0.11.1-2.1 (low; bug #509342; bug #505197)
 CVE-2008-5646 (Unspecified vulnerability in Trac before 0.11.2 allows 
attackers to ...)
-       - trac 0.11.1-2.1 (low; bug #509342)
+       - trac 0.11.1-2.1 (low; bug #509342; bug #505197)
 CVE-2008-5645 (Directory traversal vulnerability in the media server in Orb 
Networks ...)
        NOT-FOR-US: Orb Networks Orb
 CVE-2008-5644 (Cross-site scripting (XSS) vulnerability in the file backend 
module in ...)
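Review bot: worth confirming that the list syntax accepts two bug references inside one parenthetical (`low; bug #509342; bug #505197`) on the CVE-2008-5647 and CVE-2008-5646 lines; if the parser only reads the first `bug #`, #505197 would be silently dropped and should go on a NOTE line instead. Carrying #505197 over here is what makes the removal of the temporary CVE-2008-XXXX Trac entry further down safe.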
@@ -3438,9 +3442,11 @@
        NOTE: http://securityreason.com/achievement_securityalert/57
 CVE-2008-5312 (mailscanner 4.55.10 and other versions before 4.74.16-1 might 
allow ...)
        - mailscanner 4.74.16-1 (bug #506353)
+       [etch] - mailscanner <no-dsa> (Minor issue)
        NOTE: there is no difference apart from the versions to CVE-2008-5313
 CVE-2008-5313 (mailscanner 4.68.8 and other versions before 4.74.16-1 might 
allow ...)
        - mailscanner 4.74.16-1 (bug #506353)
+       [etch] - mailscanner <no-dsa> (Minor issue)
        NOTE: there is no difference apart from the versions to CVE-2008-5312
 CVE-2008-5175 (Directory traversal vulnerability in the FTP client in AceFTP 
Freeware ...)
        NOT-FOR-US: AceFTP
@@ -3889,8 +3895,6 @@
        {DSA-1687-1 DSA-1681-1}
        - linux-2.6 2.6.26-11
        - linux-2.6.24 2.6.24-6~etchnhalf.7
-CVE-2008-XXXX [Trac Multiple Vulnerabilities]
-       - trac 0.11.1-2.1 (bug #505197)
 CVE-2008-5008 (Buffer overflow in src/src_sinc.c in Secret Rabbit Code (aka 
SRC or ...)
        - libsamplerate 0.1.4-1
 CVE-2008-5006 (smtp.c in the c-client library in University of Washington IMAP 
...)
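Review bot: the removed `CVE-2008-XXXX [Trac Multiple Vulnerabilities]` placeholder carried bug #505197 without a severity; since that bug number now lives on the CVE-2008-5646/5647 entries nothing is lost, but double-check that no other Trac issue was tracked only under the placeholder before dropping it.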
@@ -7860,8 +7864,6 @@
        NOT-FOR-US: IntelliTamper
 CVE-2008-3359 (SQL injection vulnerability in register.php in Steve Bourgeois 
and ...)
        - owl-dms 0.95-1.1 (bug #493372)
-       NOTE: Hardly maintained and very few users, long standing sec issues in 
Etch,
-       NOTE: Emailed release team to ask for removal from lenny
 CVE-2008-3358 (Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in 
the SAP ...)
        NOT-FOR-US: SAP NetWeaver portal
 CVE-2008-3357 (Untrusted search path vulnerability in ingvalidpw in Ingres 
2.6, ...)
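Review bot: dropping both NOTE lines on the owl-dms entry (CVE-2008-3359) removes the recorded rationale (hardly maintained, long-standing issues in etch, removal from lenny requested) without stating the outcome, and the Log does not mention owl-dms at all. If the package was removed from lenny, record that (for example a NOTE with the removal bug); if the notes were simply stale, say so in the commit message.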
@@ -8822,7 +8824,9 @@
        [etch] - apache2 2.2.3-4+etch6
        - apache <not-affected> (vulnerable code not present)
 CVE-2008-2938 (Directory traversal vulnerability in Apache Tomcat 4.1.0 
through ...)
-       - tomcat5.5 5.5.26-5 (low; bug #496309)
+       NOTE: This is an issue in the respective JVMs, Tomcat only includes a 
workaround
+       NOTE: Check status of free JVMs
+       - tomcat5.5 5.5.26-5 (unimportant; bug #496309)
 CVE-2008-2937 (Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers 
to a ...)
        - postfix 2.5.4-1 (low)
        [etch] - postfix <no-dsa> (minor issue)
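Review bot: the downgrade of CVE-2008-2938 to `unimportant` is made while the second NOTE (`Check status of free JVMs`) is still an open action item; until the free JVM packages have been checked, `low` would keep the issue visible, or the JVM side should get its own entries so the Tomcat entry can be closed as workaround-only. Also, the new NOTE lines sit above the package line, whereas other entries in this file put NOTEs after their package lines.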
@@ -12327,7 +12331,7 @@
        - adns 1.4-2 (unimportant; bug #492698)
        NOTE: adns is not suitable to use with untrusted responses, documented 
in README.Debian
        - udns <unfixed> (bug #493599)
-       - libnet-dns-perl 0.63-2 (low; bug #492700)
+       - libnet-dns-perl <unfixed> (low; bug #492700)
        NOTE: Source port randomization from Lenny kernel should provide 
sufficient protection
        NOTE: since this is just a Perl nodule for DNS queries and not a 
high-profile server app like
        NOTE: Bind, it's unlikely that a home-grown fix will provide an 
implementation of higher
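Review bot: reverting libnet-dns-perl from `0.63-2` to `<unfixed>` should come with a NOTE explaining why 0.63-2 does not count as a fix (the Log says it lacks DNS randomisation, but the list entry itself does not record that), otherwise the next editor may re-add the version. While touching this entry, the context NOTE's `Perl nodule` looks like a typo for `Perl module`.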
@@ -12336,7 +12340,8 @@
        - ruby1.9 1.9.0.2-6 (low)
        NOTE: Unbound, djbdns, pdnsd and PowerDNS are affected by the 
underlying protocol issue, but
        NOTE: already use source port randomization.
-       NOTE: Marking non-caching stub resolvers as low since these really 
should be fixed, but are much less vulnerable than a caching server.
+       NOTE: Marking non-caching stub resolvers as low since these really 
should be fixed,
+       NOTE: but are much less vulnerable than a caching server.
 CVE-2008-1446 (Integer overflow in the Internet Printing Protocol (IPP) ISAPI 
...)
        NOT-FOR-US: Microsoft
 CVE-2008-1445 (Active Directory on Microsoft Windows 2000 Server SP4, XP 
Professional ...)
@@ -19935,7 +19940,7 @@
        - iceape 1.1.5
        NOTE: MFSA2007-33
 CVE-2007-5333 (Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 
4.1.0 ...)
-       - tomcat5.5 5.5.26-1 (medium; bug #465645)
+       - tomcat5.5 5.5.26-1 (low; bug #465645)
        - tomcat5 <removed>
 CVE-2007-5332 (Multiple unspecified vulnerabilities in (1) mediasvr and (2) 
caloggerd ...)
        NOT-FOR-US: ARCServe BackUp
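Review bot: the severity change of CVE-2007-5333 for tomcat5.5 from `medium` to `low` is not reflected in the Log and has no NOTE justifying it; add either, so the reason for the downgrade is recorded alongside the entry.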

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt     2009-02-13 21:14:13 UTC (rev 11209)
+++ data/spu-candidates.txt     2009-02-13 21:30:33 UTC (rev 11210)
@@ -316,6 +316,11 @@
 
 --
 
+mailscanner (CVE-2008-5312, CVE-2008-5313)
+#506353
+
+--
+
 mecab (CVE-2007-3231)
 #429174
 notified maintainer
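Review bot: the new mailscanner block omits the fixed version, while the tqsllib block added further down carries one, and it records no status line (the neighbouring mecab entry notes `notified maintainer`); add the target version 4.74.16-1 from the CVE list entries and the current status so the candidate can be tracked.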
@@ -545,6 +550,11 @@
 
 --
 
+tqsllib 2.0-8 (CVE-2009-0124)
+#511509
+
+--
+
 trickle
 #513456
 notified maintainer
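Review bot: the tqsllib candidate lists version 2.0-8 and bug #511509 but no status; the neighbouring trickle entry records `notified maintainer`, so note whether the maintainer has been contacted about the etch update.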


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits