Author: jmm-guest
Date: 2010-09-09 20:54:18 +0000 (Thu, 09 Sep 2010)
New Revision: 15300

Modified:
   data/CVE/list
Log:
- older Mozilla rng seed issue CVEfied
- record latest Mozilla updates for xulrunner (now provided by iceweasel source
  package) -> old entries still need to be rewritten to reflect the source name
  change
- tiff crasher fixed in 3.9.4
- NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2010-09-09 20:05:47 UTC (rev 15299)
+++ data/CVE/list       2010-09-09 20:54:18 UTC (rev 15300)
@@ -232,27 +232,35 @@
 CVE-2010-3169 [Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-3168 [XUL tree removal crash and remote code execution]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-3167 [Dangling pointer vulnerability in nsTreeContentView]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-3166 [Heap buffer overflow in nsTextFrameUtils::TransformText]
        RESERVED
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        [lenny] - xulrunner <not-affected> (Doesn't affect Xulrunner 1.9.0 code 
base)
        - icedove <unfixed>
        [lenny] - icedove <not-affected> (Doesn't affect Xulrunner 1.9.0 code 
base)
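Review bot: In the CVE-2010-3169, CVE-2010-3168 and CVE-2010-3167 entries, changing "- xulrunner <unfixed>" to "- xulrunner <removed>" leaves no xulrunner line that states lenny's status, while the new "[lenny] - iceweasel <not-affected>" reason sends the reader back to the xulrunner source package. Lenny's coverage for those three then rests only on the {DSA-2106-1} tag, whereas CVE-2010-3166 in the same hunk keeps an explicit "[lenny] - xulrunner <not-affected>" line. Consider adding a short NOTE to the DSA-tagged entries saying that lenny's xulrunner is covered by the DSA, so the entry can be read without cross-referencing.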
@@ -1005,7 +1013,7 @@
 CVE-2010-2875 (Integer signedness error in Adobe Shockwave Player before 
11.5.8.612 ...)
        NOT-FOR-US: Adobe Shockwave Player
 CVE-2010-2874 (Unspecified vulnerability in Adobe Shockwave Player before 
11.5.8.612 ...)
-       TODO: check
+       NOT-FOR-US: Adobe Shockwave Player
 CVE-2010-2873 (Adobe Shockwave Player before 11.5.8.612 does not properly 
validate ...)
        NOT-FOR-US: Adobe Shockwave Player
 CVE-2010-2872 (Adobe Shockwave Player before 11.5.8.612 does not properly 
validate an ...)
@@ -1197,7 +1205,6 @@
        - linux-2.6 2.6.32-22
 CVE-2010-2802 (Cross-site scripting (XSS) vulnerability in MantisBT before 
1.2.2 ...)
        - mantis <not-affected> (vulnerable code introduced in 1.2.x)
-       TODO: confirm 1.1.x is not affected
        NOTE: http://www.mantisbt.org/bugs/view.php?id=11952
 CVE-2010-2801 (Integer signedness error in the Quantum decompressor in 
cabextract ...)
        {DSA-2087-1}
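Review bot: The removed "TODO: confirm 1.1.x is not affected" under CVE-2010-2802 disappears without any record of how it was resolved; neither the entry nor the commit log mentions mantis. The remaining "<not-affected> (vulnerable code introduced in 1.2.x)" line already asserted the conclusion before this change, so the open question was specifically whether that assertion had been verified. Suggest adding a NOTE with what was checked (for example the relevant upstream comment in bug 11952, if that is the source) or a line in the log.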
@@ -1344,41 +1351,53 @@
 CVE-2010-2769 [Copy-and-paste or drag-and-drop into designMode document allows 
XSS]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-2768 [UTF-7 XSS by overriding document charset using <object> type 
attribute]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-2767 [Dangling pointer vulnerability using DOM plugin array]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-2766 [Crash and remote code execution in normalizeDocument]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-2765 [Frameset integer overflow vulnerability]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-2764 [Information leak via XMLHttpRequest statusText]
        RESERVED
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        [lenny] - xulrunner <not-affected> (Doesn't affect Xulrunner 1.9.0 code 
base)
        - icedove <unfixed>
        [lenny] - icedove <not-affected> (Doesn't affect Xulrunner 1.9.0 code 
base)
@@ -1387,7 +1406,9 @@
 CVE-2010-2763 [XSS using SJOW scripted function]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
@@ -1399,7 +1420,9 @@
 CVE-2010-2760 [Dangling pointer vulnerability in nsTreeSelection]
        RESERVED
        {DSA-2106-1}
-       - xulrunner <unfixed>
+       - xulrunner <removed>
+       - iceweasel 3.5.12-1
+       [lenny] - iceweasel <not-affected> (Lenny's iceweasel uses Xulrunner 
from the xulrunner source pkg)
        - icedove <unfixed>
        - iceape 2.0.7-1
        [lenny] - iceape <not-affected> (Only a stub package)
@@ -1459,7 +1482,7 @@
 CVE-2010-2740
        RESERVED
 CVE-2010-2739 (Buffer overflow in the CreateDIBPalette function in win32k.sys 
in ...)
-       TODO: check
+       NOT-FOR-US: Windows
 CVE-2010-2738
        RESERVED
 CVE-2010-2737
@@ -2105,7 +2128,7 @@
 CVE-2010-2484 (The strrchr function in PHP 5.2 before 5.2.14 allows 
context-dependent ...)
        - php5 5.3.3-1 (unimportant)
 CVE-2010-2483 (The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote 
attackers ...)
-       - tiff <unfixed> (unimportant)
+       - tiff 3.9.4-1 (unimportant)
 CVE-2010-2482 (LibTIFF 3.9.4 and earlier does not properly handle an invalid 
...)
        - tiff 3.9.4-1 (unimportant)
 CVE-2010-2481 (The TIFFExtractData macro in LibTIFF before 3.9.4 does not 
properly ...)
@@ -2550,7 +2573,7 @@
 CVE-2009-4899
        RESERVED
 CVE-2009-4898 (Cross-site request forgery (CSRF) vulnerability in TWiki before 
4.3.2 ...)
-       TODO: check
+       NOT-FOR-US: TWiki
 CVE-2009-4897 (Buffer overflow in gs/psi/iscan.c in Ghostscript 8.64 and 
earlier ...)
        {DSA-2093-1}
        - ghostscript 8.70~dfsg-1
@@ -4668,7 +4691,7 @@
 CVE-2010-1508
        RESERVED
 CVE-2010-1507 (WebYaST in yast2-webclient in SUSE Linux Enterprise (SLE) 11 on 
the ...)
-       TODO: check
+       NOT-FOR-US: YAST
 CVE-2010-1506 (The Google V8 bindings in Google Chrome before 4.1.249.1059 
allow ...)
        - chromium-browser 5.0.375.29~r46008-1
        - webkit <not-affected> (doesn't use v8 bindings yet)
@@ -17350,9 +17373,6 @@
 CVE-2009-XXXX [predictable random number generator used in web browsers]
        - webkit <unfixed> (low; bug #532514)
        [lenny] - webkit <no-dsa> (Minor issue)
-       - xulrunner <unfixed> (low; bug #532516)        
-       [lenny] - xulrunner <no-dsa> (Minor issue)
-       [etch] - xulrunner <no-dsa> (Minor issue)
        - kdebase <unfixed> (low; bug #532519)
        [lenny] - kdebase <no-dsa> (Minor issue)
        [etch] - kdebase <no-dsa> (Minor issue)
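Review bot: The three xulrunner lines dropped from CVE-2009-XXXX include the per-release triage "[lenny] - xulrunner <no-dsa> (Minor issue)" and "[etch] - xulrunner <no-dsa> (Minor issue)", and these are not carried over to CVE-2008-5913 in the following hunk, which only gains the bug #532516 reference. If the issue is being merged into CVE-2008-5913, the lenny and etch no-dsa decisions should move with it; otherwise the stable releases lose their recorded status for this bug.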
@@ -24138,9 +24158,10 @@
 CVE-2008-5914 (An unspecified function in the JavaScript implementation in 
Apple ...)
        NOT-FOR-US: Apple
 CVE-2008-5913 (The Math.random function in the JavaScript implementation in 
Mozilla ...)
-       - xulrunner 1.9.1.10-1 (unimportant; bug #559792)
+       - xulrunner 1.9.1.10-1 (unimportant; bug #559792; bug #532516)
        - iceape 2.0.5-1 (unimportant)
        [lenny] - iceape <not-affected> (Just a stub package)
+       - xulrunner <unfixed> (low)     
 CVE-2008-5912 (An unspecified function in the JavaScript implementation in 
Microsoft ...)
        NOT-FOR-US: Microsoft
 CVE-2008-5911 (Multiple buffer overflows in RealNetworks Helix Server and 
Helix ...)
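Review bot: CVE-2008-5913 now carries two unstable xulrunner lines that contradict each other: "- xulrunner 1.9.1.10-1 (unimportant; bug #559792; bug #532516)" and the added "- xulrunner <unfixed> (low)", which differ in both fix status and severity. The added line also sits after the iceape lines rather than next to the other xulrunner line, and it ends in trailing whitespace. Suggest keeping a single xulrunner line with one status and severity, or, if the second line is meant for a specific release, prefixing it with the release tag and placing it directly under the first.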


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
