Author: jmm-guest
Date: 2009-06-05 17:37:14 +0000 (Fri, 05 Jun 2009)
New Revision: 12050
Modified:
data/CVE/list
Log:
- NFUs
- two issues in ITPed xvid
- m2crypto non-issue
Modified: data/CVE/list
==================================================================---
data/CVE/list 2009-06-04 22:20:27 UTC (rev 12049)
+++ data/CVE/list 2009-06-05 17:37:14 UTC (rev 12050)
@@ -152,13 +152,13 @@
CVE-2008-6817 (Mole Group Lastminute Script 4.0 and earlier stores passwords in
...)
NOT-FOR-US: Mole Group Lastminute Script
CVE-2004-2764 (Sun SDK and Java Runtime Environment (JRE) 1.4.2 through
1.4.2_04, ...)
- TODO: check
+ NOT-FOR-US: Historic issues in proprietary Java
CVE-2004-2763 (The default configuration of Sun ONE/iPlanet Web Server 4.1 SP1
...)
- TODO: check
+ NOT-FOR-US: Sun ONE iPlanet Web Server
CVE-2003-1573 (The PointBase 4.6 database component in the J2EE 1.4 reference
...)
- TODO: check
+ NOT-FOR-US: Historic issues in proprietary Java
CVE-2003-1572 (Sun Java Media Framework (JMF) 2.1.1 through 2.1.1c allows
unsigned ...)
- TODO: check
+ NOT-FOR-US: Historic issues in proprietary Java
CVE-2009-XXXX [GStreamer Good Plug-ins PNG Processing Integer Overflow]
- gst-plugins-good0.10 0.10.15-2 (bug #531631)
CVE-2009-XXXX [strongSwan Two Denial of Service Vulnerabilities]
@@ -1328,7 +1328,7 @@
CVE-2009-1385
RESERVED
CVE-2009-1384 (pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise
Linux ...)
- TODO: check
+ NOT-FOR-US: Different code base than Debian''s libpam-krb5
CVE-2009-1383
RESERVED
CVE-2009-1382
@@ -1856,7 +1856,6 @@
[squeeze] - memcachedb <no-dsa> (Minor issue)
NOTE: why are weaknesses in security hardening features like ASLR considered
minor?
NOTE: even though this is not directly a vulnerability itself, part of this
application''s armor is now missing; making it easier for unknown
vulnerabilities to be effective.
- TODO: reevaluate debian''s position on weaknesses in security
hardening features
CVE-2008-6679 (Buffer overflow in the BaseFont writer module in Ghostscript
8.62, and ...)
- ghostscript 8.64~dfsg-1 (medium; bug #524803)
CVE-2008-6678 (SQL injection vulnerability in asp/includes/contact.asp in
QuickerSite ...)
@@ -3199,9 +3198,9 @@
CVE-2009-0895
RESERVED
CVE-2009-0894 (Heap-based buffer overflow in the decoder_create function in the
...)
- NOT-FOR-US: Xvid
+ - xvidcore <itp> (bug #531040)
CVE-2009-0893 (Multiple heap-based buffer overflows in xvidcore/src/decoder.c
in the ...)
- NOT-FOR-US: Xvid
+ - xvidcore <itp> (bug #531040)
CVE-2009-0892 (The administrative console in IBM WebSphere Application Server
(WAS) ...)
NOT-FOR-US: IBM WebSphere
CVE-2009-0891 (The Web Services Security component in IBM WebSphere Application
...)
@@ -6282,7 +6281,10 @@
{DTSA-185-1}
- slurm-llnl 1.3.13-1 (bug #511511)
CVE-2009-0127 (** DISPUTED ** M2Crypto does not properly check the return value
from ...)
- - m2crypto <unfixed> (bug #511515)
+ - m2crypto <unfixed> (bug #511515; unimportant)
+ NOTE: m2crypto provides a direct mapping of the OpenSSL functions, no
incorrect
+ NOTE: call sites are known, if such are found they should be fixed in the
respective
+ NOTE: applications
CVE-2009-0126 (The decrypt_public function in lib/crypt.cpp in the client in
Berkeley ...)
{DSA-1718-1}
- boinc 6.2.14-3 (bug #511521)