Giuseppe Iuculano
2009-Aug-14 20:16 UTC
[Secure-testing-commits] r12595 - in data: CVE DSA
Author: derevko-guest Date: 2009-08-14 20:16:54 +0000 (Fri, 14 Aug 2009) New Revision: 12595 Modified: data/CVE/list data/DSA/list Log: - CVE-2007-4483 already covered by DSA-1285-1 - CVE-2009-2336 and CVE-2009-2335 marked as unimportant - wordpress in etch is not affected by CVE-2008-5278, CVE-2008-2392, CVE-2007-3544, CVE-2007-3543 - CVE-2009-2730 fixed in gnutls26 2.8.3-1 Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-08-14 19:31:52 UTC (rev 12594) +++ data/CVE/list 2009-08-14 20:16:54 UTC (rev 12595) @@ -154,7 +154,7 @@ CVE-2009-2731 RESERVED CVE-2009-2730 (libgnutls in GnuTLS before 2.8.2 does not properly handle a ''\0'' ...) - - gnutls26 <unfixed> (low; bug #541439) + - gnutls26 2.8.3-1 (low; bug #541439) - gnutls13 <removed> CVE-2009-2729 RESERVED @@ -1396,9 +1396,11 @@ CVE-2008-6848 (Cross-site scripting (XSS) vulnerability in index.php in phpGreetCards ...) NOT-FOR-US: phpGreetCards CVE-2009-2336 (The forgotten mail interface in WordPress and WordPress MU before ...) - - wordpress 2.8.3-1 (low; bug #536724) + - wordpress 2.8.3-1 (unimportant; bug #536724) + NOTE: Minor information leak CVE-2009-2335 (WordPress and WordPress MU before 2.8.1 exhibit different behavior for ...) - - wordpress 2.8.3-1 (low; bug #536724) + - wordpress 2.8.3-1 (unimportant; bug #536724) + NOTE: Minor information leak CVE-2009-2334 (wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not ...) - wordpress 2.8.3-1 (low; bug #536724) CVE-2009-2333 (Multiple directory traversal vulnerabilities in CMS Chainuk 1.2 and ...) 
@@ -10964,6 +10966,8 @@ NOTE: CVE id requested denied CVE-2008-5278 (Cross-site scripting (XSS) vulnerability in the self_link function in ...) - wordpress 2.5.1-11 (low; bug #507193) + [etch] - wordpress <not-affected> (Vulnerable code not present) + NOTE: introduced in 2.5 CVE-2008-5286 (Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17 ...) {DSA-1677-1} - cups 1.3.8-1lenny4 (bug #507183; medium) @@ -17867,6 +17871,8 @@ NOT-FOR-US: EntertainmentScript CVE-2008-2392 (Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier ...) - wordpress 2.5.1-4 (low; bug #485807) + [etch] - wordpress <not-affected> (Vulnerable code not present) + NOTE: Unrestricted file upload vulnerability was introduced in 2.3.0 CVE-2008-2391 (SubSonic allows remote attackers to bypass pagesize limits and cause a ...) NOT-FOR-US: SubSonic CVE-2008-2390 (Hpufunction.dll 4.0.0.1 in HP Software Update exposes the unsafe (1) ...) @@ -32089,8 +32095,10 @@ NOT-FOR-US: Warzone CVE-2007-3544 (Unrestricted file upload vulnerability in (1) wp-app.php and (2) ...) - wordpress 2.2.2-1 + [etch] - wordpress <not-affected> (Vulnerable code not present) CVE-2007-3543 (Unrestricted file upload vulnerability in WordPress before 2.2.1 and ...) - wordpress 2.2.1-1 + [etch] - wordpress <not-affected> (Vulnerable code not present) CVE-2007-3542 (Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml ...) NOT-FOR-US: Pluxml CVE-2007-3541 (Cross-site scripting (XSS) vulnerability in Kurinton sHTTPd 20070408 ...) Modified: data/DSA/list ==================================================================--- data/DSA/list 2009-08-14 19:31:52 UTC (rev 12594) +++ data/DSA/list 2009-08-14 20:16:54 UTC (rev 12595) 
@@ -2055,7 +2055,7 @@ {CVE-2007-0005 CVE-2007-0958 CVE-2007-1357 CVE-2007-1592} [etch] - linux-2.6 2.6.18.dfsg.1-12etch1 [01 May 2007] DSA-1285-1 wordpress - {CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897} + {CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897 CVE-2007-4483} [etch] - wordpress 2.0.10-1 [01 May 2007] DSA-1284-1 qemu {CVE-2007-1320 CVE-2007-1321 CVE-2007-1322 CVE-2007-1366 CVE-2007-5729 CVE-2007-5730}
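Review bot: the data/DSA/list hunk appends CVE-2007-4483 to the DSA-1285-1 entry dated 01 May 2007, but neither the commit log ("already covered by DSA-1285-1") nor data/CVE/list records why an advisory from May covers an id assigned later; add a NOTE under CVE-2007-4483 in data/CVE/list naming the evidence relied on (upstream's 2.0.10 announcement, PoC result against 2.0.10) so the mapping can be rechecked without redoing the analysis.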
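Review bot: the two `[etch] - wordpress <not-affected> (Vulnerable code not present)` lines added for CVE-2007-3544 and CVE-2007-3543 carry no NOTE saying which upstream version introduced the vulnerable code, whereas the equivalent lines for CVE-2008-5278 ("NOTE: introduced in 2.5") and CVE-2008-2392 ("NOTE: Unrestricted file upload vulnerability was introduced in 2.3.0") do; add the same kind of NOTE to both so the not-affected claim for etch's 2.0.10-1 is verifiable.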
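Review bot: the CVE-2009-2336 and CVE-2009-2335 hunks downgrade both from low to unimportant with the identical "NOTE: Minor information leak", although the two descriptions name different issues (the forgotten-mail interface vs. differing behaviour before 2.8.1); a NOTE per id stating what is leaked and why it needs no fix would make the severity change reviewable.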
Michael S Gilbert
2009-Aug-14 20:34 UTC
[Secure-testing-team] [Secure-testing-commits] r12595 - in data: CVE DSA
On Fri, Aug 14, 2009 at 4:16 PM, Giuseppe Iuculano wrote:
> --- data/DSA/list ? ? ? 2009-08-14 19:31:52 UTC (rev 12594)
> +++ data/DSA/list ? ? ? 2009-08-14 20:16:54 UTC (rev 12595)
> @@ -2055,7 +2055,7 @@
> ? ? ? ?{CVE-2007-0005 CVE-2007-0958 CVE-2007-1357 CVE-2007-1592}
> ? ? ? ?[etch] - linux-2.6 2.6.18.dfsg.1-12etch1
> ?[01 May 2007] DSA-1285-1 wordpress
> - ? ? ? {CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897}
> + ? ? ? {CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897 CVE-2007-4483}
> ? ? ? ?[etch] - wordpress 2.0.10-1
> ?[01 May 2007] DSA-1284-1 qemu
> ? ? ? ?{CVE-2007-1320 CVE-2007-1321 CVE-2007-1322 CVE-2007-1366 CVE-2007-5729 CVE-2007-5730}

i don't mean to question the accuracy of this change, but just out of curiosity, how did an issue with a cve assigned in august 2007 [0] get fixed in may 2007? i understand that that's a short (3 month) difference and debian could have been aware ahead of cve assignment.

mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4483
Giuseppe Iuculano
2009-Aug-14 20:46 UTC
[Secure-testing-team] [Secure-testing-commits] r12595 - in data: CVE DSA
Michael S Gilbert wrote:
> i don't mean to question the accuracy of this change, but just out of
> curiosity, how did an issue with a cve assigned in august 2007 [0]
> get fixed in may 2007? i understand that that's a short (3 month)
> difference and debian could have been aware ahead of cve assignment.

Because in DSA-1285-1 the security team uploaded a new upstream security release, 2.0.10-1, and that issue was fixed in 2.1.3 and 2.0.10 (legacy version).

Cheers,
Giuseppe
Michael S. Gilbert
2009-Aug-14 21:10 UTC
[Secure-testing-team] [Secure-testing-commits] r12595 - in data: CVE DSA
On Fri, 14 Aug 2009 22:46:49 +0200, Giuseppe Iuculano wrote:
> Michael S Gilbert wrote:
> > i don't mean to question the accuracy of this change, but just out of
> > curiosity, how did an issue with a cve assigned in august 2007 [0]
> > get fixed in may 2007? i understand that that's a short (3 month)
> > difference and debian could have been aware ahead of cve assignment.
>
> Because in DSA-1285-1 the security team uploaded a new upstream security
> release, 2.0.10-1, and that issue was fixed in 2.1.3 and 2.0.10 (legacy version).

ok, i can't find that claimed in the 2.0.10 etch package nor in any of the upstream announcements, and there are no code references from mitre to check against. perhaps i have missed something or you have verified against the proof-of-concept?

mike
Michael S Gilbert
2009-Aug-14 21:16 UTC
[Secure-testing-team] [Secure-testing-commits] r12595 - in data: CVE DSA
>> Because in DSA-1285-1 the security team uploaded a new upstream security
>> release, 2.0.10-1, and that issue was fixed in 2.1.3 and 2.0.10 (legacy version).
>
> ok, i can't find that claimed in the 2.0.10 etch package nor in any of
> the upstream announcements, and there are no code references from mitre
> to check against. perhaps i have missed something or you have verified
> against the proof-of-concept?

perhaps this is the commit you've checked against [0]? that seems to be for 2007-1622.

[0] http://core.trac.wordpress.org/ticket/4092
Michael S Gilbert
2009-Aug-14 21:18 UTC
[Secure-testing-team] [Secure-testing-commits] r12595 - in data: CVE DSA
On Fri, Aug 14, 2009 at 5:16 PM, Michael S Gilbert <michael.s.gilbert at gmail.com> wrote:
>>> Because in DSA-1285-1 the security team uploaded a new upstream security
>>> release, 2.0.10-1, and that issue was fixed in 2.1.3 and 2.0.10 (legacy version).
>>
>> ok, i can't find that claimed in the 2.0.10 etch package nor in any of
>> the upstream announcements, and there are no code references from mitre
>> to check against. perhaps i have missed something or you have verified
>> against the proof-of-concept?
>
> perhaps this is the commit you've checked against [0]? that seems to
> be for 2007-1622.
>
> [0] http://core.trac.wordpress.org/ticket/4092

maybe the two are the same since the descriptions sound very similar, but if that's the case, wouldn't one get REJECTED?

mike
Giuseppe Iuculano
2009-Aug-14 21:29 UTC
[Secure-testing-team] [Secure-testing-commits] r12595 - in data: CVE DSA
Michael S. Gilbert wrote:
> ok, i can't find that claimed in the 2.0.10 etch package nor in any of
> the upstream announcements, and there are no code references from mitre
> to check against. perhaps i have missed something or you have verified
> against the proof-of-concept?

Yes, I checked against the PoC, but also upstream confirmed [1] that

[1] http://wordpress.org/development/2007/04/wordpress-213-and-2010/

Cheers,
Giuseppe.
Michael S Gilbert
2009-Aug-14 21:35 UTC
[Secure-testing-team] [Secure-testing-commits] r12595 - in data: CVE DSA
On Fri, Aug 14, 2009 at 5:29 PM, Giuseppe Iuculano <giuseppe at iuculano.it> wrote:
> Yes, I checked against the PoC, but also upstream confirmed [1] that
>
> [1] http://wordpress.org/development/2007/04/wordpress-213-and-2010/

i still don't see CVE-2007-4483 claimed fixed there. so the difference between 1622 and 4483 is the affected file: wp-includes/vars.php vs. wp-content/themes/classic/index.php. hence, 4483 is specific to the classic theme, so you will need to test the proof-of-concept when using that theme.

mike
Giuseppe Iuculano
2009-Aug-14 22:05 UTC
[Secure-testing-team] [Secure-testing-commits] r12595 - in data: CVE DSA
Michael S Gilbert wrote:
>> [1] http://wordpress.org/development/2007/04/wordpress-213-and-2010/
>
> i still don't see CVE-2007-4483 claimed fixed there. so the

- "These releases include fixes for several publicly known minor XSS issues"
- CVE-2007-4483 claimed wordpress 2.1.3 as fixed version
- PoC doesn't work in 2.0.10

We haven't any code references for this XSS issue, so with the above considerations I think it is reasonable to deduce it was fixed in 2.0.10.

> so you will need to test
> the proof-of-concept when using that theme.

Yes, I tested the proof-of-concept with the classic theme.

Cheers,
Giuseppe.
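The entries r12595 touches in data/CVE/list and data/DSA/list follow the tracker's line-oriented format; as an added example that is not part of the commit or of this thread and not the tracker's own code, here is a small Python parser over constructed excerpts of those two files, resolving the etch status of CVE-2008-5278 and the advisory that data/DSA/list records as covering CVE-2007-4483. The `status` fallback to the release-less line is an assumption made here for illustration, not the tracker's own version-comparison logic.

```python
import re
# Constructed excerpts mirroring entries from r12595 (tracker files indent with one tab).
CVE_LIST = """\
CVE-2009-2730 (libgnutls in GnuTLS before 2.8.2 does not properly handle a '\\0' ...)
\t- gnutls26 2.8.3-1 (low; bug #541439)
CVE-2008-5278 (Cross-site scripting (XSS) vulnerability in the self_link function in ...)
\t- wordpress 2.5.1-11 (low; bug #507193)
\t[etch] - wordpress <not-affected> (Vulnerable code not present)
\tNOTE: introduced in 2.5
"""
DSA_LIST = """\
[01 May 2007] DSA-1285-1 wordpress
\t{CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897 CVE-2007-4483}
\t[etch] - wordpress 2.0.10-1
"""
SEVERITIES = {'unimportant', 'low', 'medium', 'high'}
# "\t[etch] - pkg ver (info)": the release tag and the parenthesised info are both optional.
ENTRY = re.compile(r'^\t(?:\[(?P<rel>\w+)\] )?- (?P<pkg>\S+) (?P<ver>\S+)(?: \((?P<info>[^)]*)\))?$')

def parse_cve_list(text):
    """Map CVE id -> {'entries': [(release or None, pkg, version, info)], 'notes': [...]}."""
    cves, cur = {}, None
    for line in text.splitlines():
        if line.startswith('CVE-'):
            cur = cves.setdefault(line.split()[0], {'entries': [], 'notes': []})
        elif cur is not None and line.startswith('\tNOTE: '):
            cur['notes'].append(line[len('\tNOTE: '):])
        elif cur is not None and (m := ENTRY.match(line)):
            cur['entries'].append((m['rel'], m['pkg'], m['ver'], m['info']))
    return cves

def parse_dsa_list(text):
    """Map CVE id -> [(dsa, date, release, fixed version)] for every advisory citing it."""
    by_cve, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r'^\[(.+?)\] (DSA-\S+) \S+$', line):
            cur = {'dsa': m[2], 'date': m[1], 'cves': []}
        elif cur and (m := re.match(r'^\t\{(.+)\}$', line)):
            cur['cves'] = m[1].split()
        elif cur and (m := ENTRY.match(line)):
            for c in cur['cves']:
                by_cve.setdefault(c, []).append((cur['dsa'], cur['date'], m['rel'], m['ver']))
    return by_cve

def severity(info):  # 'low; bug #1' or 'bug #1; medium' -> severity word; a reason string -> None
    return next((f for f in (info or '').split('; ') if f in SEVERITIES), None)

def status(cves, cve, release):  # explicit [release] line if present, else the release-less line
    ents = cves[cve]['entries']
    return next((e[1:] for e in ents if e[0] == release), next((e[1:] for e in ents if e[0] is None), None))
```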