jmm-guest at alioth.debian.org
2008-Aug-06 19:37 UTC
[Secure-testing-commits] r9522 - in data: . CVE DSA
Author: jmm-guest
Date: 2008-08-06 19:37:44 +0000 (Wed, 06 Aug 2008)
New Revision: 9522
Modified:
data/CVE/list
data/DSA/list
data/package-tags
data/spu-candidates.txt
Log:
links2, exiv2 no-dsa
add php to packages with special security support
add one missing mozilla CVE ID, which was split off
one moin issue doesn't affect etch
two dnsmasq issues don't affect etch, dnsmasq CVEfied
one iceweasel issue Mac specific
add note on firebird in etch
one issue marked as php is only relevant to libgd
Modified: data/CVE/list
==================================================================
--- data/CVE/list 2008-08-06 15:53:23 UTC (rev 9521)
+++ data/CVE/list 2008-08-06 19:37:44 UTC (rev 9522)
@@ -89,7 +89,8 @@
CVE-2008-3382 (SQL injection vulnerability in mojoClassified.cgi in
MojoClassifieds ...)
NOT-FOR-US: MojoClassifieds
CVE-2008-3381 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
- - moin 1.7.1-1
+ - moin 1.7.1-1 (low)
+ [etch] - moin <not-affected> (Vulnerable macro not present)
CVE-2008-3380 (Cross-site scripting (XSS) vulnerability in ajaxp_backend.php in
...)
NOT-FOR-US: MyioSoft EasyBookMarker
CVE-2008-3379 (Cross-site scripting (XSS) vulnerability in Snark VisualPic
0.3.1 ...)
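Review bot: the etch reason `(Vulnerable macro not present)` names no macro, and the CVE description is elided here, so the not-affected call cannot be re-verified from the entry alone; name the macro in the parenthesis or add a NOTE with the upstream reference. The `(low)` severity added to the sid line is likewise unexplained; a short justification in a NOTE would match how other entries in this file record their triage.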
@@ -134,6 +135,8 @@
NOT-FOR-US: IntelliTamper
CVE-2008-3359 (SQL injection vulnerability in register.php in Steve Bourgeois
and ...)
- owl-dms <unfixed> (bug #493372)
+ NOTE: Hardly maintained and very few users, long standing sec issues in Etch,
+ TODO: we should remove this from Lenny w/o maintainer reaction
CVE-2008-3358
RESERVED
CVE-2008-3357
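Review bot: the line `+ NOTE: Hardly maintained and very few users, long standing sec issues in Etch,` ends in a trailing comma and reads as half a sentence; finish it or fold the TODO into it. The TODO (`we should remove this from Lenny w/o maintainer reaction`) is an action item without an owner or a deadline; since the entry already references bug #493372, record there whether the maintainer was pinged and add the removal request's bug number once one is filed, so the TODO can be closed from the tracker.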
@@ -152,6 +155,7 @@
NOT-FOR-US: Atom PhotoBlog
CVE-2008-3350 (dnsmasq 2.43 allows remote attackers to cause a denial of
service ...)
- dnsmasq 2.44-1 (low)
+ [etch] - dnsmasq <not-affected> (Issue was introduced in 2.43)
CVE-2008-3349 (Multiple unspecified vulnerabilities in NetApp Data ONTAP, as
used on ...)
NOT-FOR-US: NetApp Data ONTAP
CVE-2008-3348 (Cross-site scripting (XSS) vulnerability in ...)
@@ -416,7 +420,7 @@
{DSA-1616-2}
- clamav 0.93.1.dfsg-1.1 (medium)
CVE-2008-3214 (dnsmasq 2.25 allows remote attackers to cause a denial of
service ...)
- - dnsmasq 2.44-1 (low)
+ - dnsmasq 2.26-1 (medium)
CVE-2008-3213 (SQL injection vulnerability in secciones/tablon/tablon.php in
WebCMS ...)
NOT-FOR-US: WebCMS
CVE-2008-3212 (Multiple SQL injection vulnerabilities in Scripteen Free Image
Hosting ...)
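Review bot: the fixed version moves from `2.44-1 (low)` to `2.26-1 (medium)` with no NOTE explaining the jump. These values come from the `CVE-2008-XXXX [dnsmasq crash on renewing non-existent lease]` placeholder that is deleted later in this diff, and that placeholder's two NOTE lines (`CVE id requested by Ubuntu` and the freshmeat release URL) are dropped rather than moved. Carry at least the freshmeat release NOTE over to CVE-2008-3214 so the upstream reference survives the CVEfication.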
@@ -448,7 +452,8 @@
CVE-2008-3199 (Multiple unspecified vulnerabilities in ReSIProcate before 1.3.4
allow ...)
NOT-FOR-US: ReSIProcate
CVE-2008-3198 (Mozilla Firefox 3.x before 3.0.1 allows remote attackers to
inject ...)
- TODO: check
+ - iceweasel 3.0.1-1 (low)
+ NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html
CVE-2008-3195
RESERVED
CVE-2008-3194 (Multiple directory traversal vulnerabilities in ...)
@@ -1056,11 +1061,10 @@
- libxslt 1.1.24-2 (bug #493162)
NOTE: http://www.ocert.org/advisories/ocert-2008-009.html
CVE-2008-2934 (Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote
attackers to ...)
- TODO: check
+ - iceweasel <not-affected> (MacOS-specific)
CVE-2008-2933 (Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1,
interprets ''|'' ...)
{DSA-1615-1 DSA-1614-1}
- iceweasel 3.0.1-1 (low)
- NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html
CVE-2008-2932
RESERVED
CVE-2008-2931 (The do_change_type function in fs/namespace.c in the Linux
kernel ...)
@@ -1272,10 +1276,6 @@
CVE-2008-3141 (Unspecified vulnerability in the RMI dissector in Wireshark
(formerly ...)
- wireshark 1.0.1-1 (low; bug #488834)
NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html
-CVE-2008-XXXX [dnsmasq crash on renewing non-existent lease]
- - dnsmasq 2.26-1 (medium)
- NOTE: CVE id requested by Ubuntu
- NOTE:
http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=217681
CVE-2008-2952 (liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers
to ...)
{DTSA-151-1}
- openldap2.3 <removed> (low; bug #488710)
@@ -3493,6 +3493,7 @@
- vlc 0.8.6.e-2.1 (medium; bug #477805)
CVE-2008-1880 (The default configuration of Firebird before 2.0.3.12981.0-r6 on
...)
- firebird2 <removed>
+ [etch] - firebird2 <no-dsa> (Firebird 1.5 no longer supported, see last
DSA)
- firebird2.0 2.0.3.12981.ds1-14 (bug #481389)
NOTE: on debian after the installation firebird2.0-super is disabled, to
enable it
NOTE: you need to call dpkg-reconfigure
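Review bot: `see last DSA` in the etch no-dsa reason is a dangling reference; cite the DSA id explicitly (the `{DSA-xxxx-1}` form used by other entries in this file) so nobody has to scan data/DSA/list for the most recent firebird2 advisory to understand why etch gets no update.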
@@ -15404,7 +15405,7 @@
CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow
remote ...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (bug #443456; medium)
- - php5 5.2.4-1 (medium)
+ NOTE: Debian''s PHP packages are linked dynamically against libgd
NOTE: see http://www.php.net/releases/5_2_4.php
CVE-2007-3995
RESERVED
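Review bot: deleting `- php5 5.2.4-1 (medium)` makes php5 disappear from CVE-2007-3996 entirely, so the decision recorded in the NOTE (Debian's PHP links dynamically against libgd, hence the libgd2 fix covers it) is no longer attached to the package. The `<not-affected>` marker used elsewhere in this diff fits better here, e.g. `- php5 <not-affected> (linked dynamically against system libgd)`, keeping php5 visible in the tracker with its rationale while still reporting no fix needed.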
Modified: data/DSA/list
==================================================================
--- data/DSA/list 2008-08-06 15:53:23 UTC (rev 9521)
+++ data/DSA/list 2008-08-06 19:37:44 UTC (rev 9522)
@@ -38,7 +38,7 @@
{CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801
CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808
CVE-2008-2809 CVE-2008-2811 CVE-2008-2933}
[etch] - xulrunner 1.8.0.15~pre080614d-0etch1
[23 Jul 2008] DSA-1614-1 iceweasel - several vulnerabilities
- {CVE-2008-2785 CVE-2008-2933}
+ {CVE-2008-2785 CVE-2008-2933 CVE-2008-3198}
[etch] - iceweasel 2.0.0.16-0etch1
[22 Jul 2008] DSA-1613-1 libgd2 - multiple vulnerabilities
{CVE-2007-2445 CVE-2007-3476 CVE-2007-3477 CVE-2007-3996}
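Review bot: CVE-2008-3198 is added to DSA-1614-1 here, but the new CVE-2008-3198 entry in data/CVE/list (earlier in this diff) has only `- iceweasel 3.0.1-1 (low)` and no `{DSA-1614-1}` line, whereas its sibling CVE-2008-2933 carries `{DSA-1615-1 DSA-1614-1}`. Add the cross-reference so the two files agree and the etch fix (iceweasel 2.0.0.16-0etch1) is recorded against the split-off ID. Since CVE-2008-3198 was split off from CVE-2008-2933, which the xulrunner entry in the context above (DSA-1615-1) also lists, check whether that DSA needs the new ID as well.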
Modified: data/package-tags
==================================================================
--- data/package-tags 2008-08-06 15:53:23 UTC (rev 9521)
+++ data/package-tags 2008-08-06 19:37:44 UTC (rev 9522)
@@ -8,5 +8,8 @@
[etch] sql-ledger <limited-support> (Only supported behind an
authenticated HTTP zone)
[lenny] sql-ledger <limited-support> (Only supported behind an
authenticated HTTP zone)
+[etch] php5 <limited-support> (See README.Debian.security for the PHP
security policy)
+[etch] php4 <limited-support> (See README.Debian.security for the PHP
security policy)
+[lenny] php5 <limited-support> (See README.Debian.security for the PHP
security policy)
[etch] adns <limited-support> (Stub resolver that should only be used
with trusted recursors)
[lenny] adns <limited-support> (Stub resolver that should only be used
with trusted recursors)
Modified: data/spu-candidates.txt
==================================================================
--- data/spu-candidates.txt 2008-08-06 15:53:23 UTC (rev 9521)
+++ data/spu-candidates.txt 2008-08-06 19:37:44 UTC (rev 9522)
@@ -67,6 +67,12 @@
--
+exiv2 (CVE-2008-2696)
+bug #486328)
+http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499
+
+--
+
flac123 (CVE-2007-3507)
notified maintainer
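Review bot: `+bug #486328)` has a closing parenthesis without an opening one; presumably `(bug #486328)` or plain `bug #486328` was intended, matching the neighbouring entries. Otherwise the exiv2 entry carries what a stable-update candidate needs: the CVE id, the Debian bug and a pointer to the upstream fix (the viewvc diff range on nikonmn.cpp).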
@@ -105,6 +111,11 @@
--
+links2 (CVE-2008-3329)
+bug #492744)
+
+--
+
linux-ftpd-ssl (CVE-2007-6263)
#454733
notified maintainer
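Review bot: same stray `)` in `+bug #492744)` as in the exiv2 entry above. Unlike that entry, this one gives no pointer to the upstream fix or patch for CVE-2008-3329; add a URL or a note on where the fix lives so whoever prepares the links2 stable update does not have to rediscover it.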