Author: jmm-guest
Date: 2010-02-07 18:03:23 +0000 (Sun, 07 Feb 2010)
New Revision: 14051
Modified:
data/CVE/list
Log:
Revert commit: The flash plugin is _not_ shipped by Debian.
Having it installed through the installer script is in
no way covered by security support
Modified: data/CVE/list
==================================================================
--- data/CVE/list 2010-02-07 06:37:10 UTC (rev 14050)
+++ data/CVE/list 2010-02-07 18:03:23 UTC (rev 14051)
@@ -462,7 +462,7 @@
CVE-2010-0379 (Multiple unspecified vuilnerabilities in the Macromedia Flash
ActiveX ...)
NOT-FOR-US: Macromedia Flash ActiveX
CVE-2010-0378 (Use-after-free vulnerability in Adobe Flash Player 6.0.79, as
...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2010-0377 (SQL injection vulnerability in modules/arcade/index.php in PHP
MySpace ...)
NOT-FOR-US: PHP MySpace Gold Edition
CVE-2010-0376 (Cross-site scripting (XSS) vulnerability in product_list.php in
...)
@@ -3463,19 +3463,19 @@
NOTE: but the "fixes" linked from the advisory only change code in
kdelibs
NOTE: more info at oss-sec threads
CVE-2009-3800 (Multiple unspecified vulnerabilities in Adobe Flash Player
before ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-3799 (Integer overflow in the Verifier::parseExceptionHandlers
function in ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-3798 (Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3
might ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-3797 (Adobe Flash Player 10.x before 10.0.42.34 and Adobe AIR before
1.5.3 ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-3796 (Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3
might ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-3795
RESERVED
CVE-2009-3794 (Heap-based buffer overflow in Adobe Flash Player before
10.0.42.34 and ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-3793
RESERVED
CVE-2009-3792 (Directory traversal vulnerability in Adobe Flash Media Server
(FMS) ...)
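Review bot: The descriptions of CVE-2009-3798, CVE-2009-3797 and CVE-2009-3796 in this hunk name Adobe AIR as well as Flash Player, but the new label is only "NOT-FOR-US: Adobe Flash". If the label is meant to list the affected products, use something like "NOT-FOR-US: Adobe Flash, Adobe AIR" on those three entries so a search for AIR in the list still finds them.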
@@ -9697,23 +9697,23 @@
CVE-2009-1871
RESERVED
CVE-2009-1870 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18,
and ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1869 (Integer overflow in the ActionScript Virtual Machine 2 (AVM2)
abcFile ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1868 (Heap-based buffer overflow in Adobe Flash Player before
9.0.246.0 and ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1867 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18,
and ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1866 (Stack-based buffer overflow in Adobe Flash Player before
9.0.246.0 and ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1865 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18,
and ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1864 (Heap-based buffer overflow in Adobe Flash Player before
9.0.246.0 and ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1863 (Unspecified vulnerability in Adobe Flash Player before 9.0.246.0
and ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1862 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x
through ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-1861 (Multiple heap-based buffer overflows in Adobe Reader 7 and
Acrobat 7 ...)
NOT-FOR-US: Adobe Reader
CVE-2009-1860 (Unspecified vulnerability in Adobe Shockwave Player before
11.5.0.600 ...)
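Review bot: CVE-2009-1862 at the end of this hunk is relabelled "NOT-FOR-US: Adobe Flash", yet the visible part of its description reads "Unspecified vulnerability in Adobe Reader and Acrobat 9.x through ...", and the next entry, CVE-2009-1861, uses "NOT-FOR-US: Adobe Reader". Please check the full description and make the label cover Reader and Acrobat too if they are affected, so this entry is not missed by anyone searching the list by product name.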
@@ -14762,13 +14762,13 @@
CVE-2009-0523 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp
Server 6 ...)
NOT-FOR-US: Adobe RoboHelp
CVE-2009-0522 (Adobe Flash Player 9.x before 9.0.159.0 and 10.x before
10.0.22.87 on ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-0521 (Untrusted search path vulnerability in Adobe Flash Player 9.x
before ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-0520 (Adobe Flash Player 9.x before 9.0.159.0 and 10.x before
10.0.22.87 ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-0519 (Unspecified vulnerability in Adobe Flash Player 9.x before
9.0.159.0 ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2009-0518 (VI Client in VMware VirtualCenter before 2.5 Update 4, VMware
ESXi 3.5 ...)
NOT-FOR-US: VMware
CVE-2009-0517 (Eval injection vulnerability in index.php in phpSlash 0.8.1.1
and ...)
@@ -17459,7 +17459,7 @@
- iceape 1.1.14-1
- xulrunner 1.9.0.5-1
CVE-2008-5499 (Unspecified vulnerability in Adobe Flash Player for Linux
10.0.12.36, ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-5498 (Array index error in the imageRotate function in PHP 5.2.8 and
earlier ...)
- php5 <not-affected> (php5 links to the shared lib)
- libgd2 <not-affected> (code is specific to php''s libgd)
@@ -17772,11 +17772,11 @@
CVE-2008-5364 (Stack-based buffer overflow in the getPlus ActiveX control in
gp.ocx ...)
NOT-FOR-US: getPlus
CVE-2008-5363 (The ActionScript 2 virtual machine in Adobe Flash Player 10.x
before ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-5362 (The DefineConstantPool action in the ActionScript 2 virtual
machine in ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-5361 (The ActionScript 2 virtual machine in Adobe Flash Player 10.x
before ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-5617 (The ACL handling in rsyslog 3.12.1 to 3.20.0, 4.1.0, and 4.1.1
does ...)
- rsyslog 3.18.6-1 (bug #508027)
CVE-2008-5624 (PHP 5 before 5.2.7 does not properly initialize the page_uid and
...)
@@ -19156,17 +19156,17 @@
CVE-2008-4824 (Multiple unspecified vulnerabilities in Adobe Flash Player 10.x
before ...)
NOT-FOR-US: Adobe Flash Player
CVE-2008-4823 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player
...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-4822 (Adobe Flash Player 9.0.124.0 and earlier does not properly
interpret ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-4821 (Adobe Flash Player 9.0.124.0 and earlier, when a Mozilla browser
is ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-4820 (Unspecified vulnerability in the Flash Player ActiveX control in
Adobe ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-4819 (Unspecified vulnerability in Adobe Flash Player 9.0.124.0 and
earlier ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-4818 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player
...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-4817 (The Download Manager in Adobe Acrobat Professional and Reader
8.1.2 ...)
NOT-FOR-US: Adobe Acrobat
CVE-2008-4816 (Unspecified vulnerability in the Download Manager in Adobe
Reader ...)
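Review bot: The unchanged entry for CVE-2008-4824 at the top of this hunk already uses "NOT-FOR-US: Adobe Flash Player", while the six entries changed directly below it get "NOT-FOR-US: Adobe Flash". Reusing the existing string would keep one spelling per product in the list and make a single grep return every Flash entry.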
@@ -19826,7 +19826,7 @@
CVE-2008-4547 (Heap-based buffer overflow in the PdvrAtl.PdvrOcx.1 ActiveX
control ...)
NOT-FOR-US: DVRHOST Web CMS
CVE-2008-4546 (Adobe Flash Player 9.0.45.0, 9.0.112.0, 9.0.124.0, and
10.0.12.10 ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-4558 (Array index error in VLC media player 0.9.2 allows remote
attackers to ...)
- vlc 0.9.3-1 (medium; bug #502314)
[etch] - vlc <not-affected> (introduced in 0.9.0)
@@ -19923,7 +19923,7 @@
CVE-2008-4504 (Heap-based buffer overflow in Mplayer.exe in Herosoft Inc. Hero
DVD ...)
NOT-FOR-US: Herosoft Inc. Hero DVD Player
CVE-2008-4503 (The Settings Manager in Adobe Flash Player 9.0.124.0 and earlier
...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-4482 (The XML parser in Xerces-C++ before 3.0.0 allows
context-dependent ...)
- xerces-c2 <unfixed> (unimportant; bug #502102)
NOTE: Hardly a security issue, anyone who''s concerned about this
should use Xerces 3
@@ -20135,9 +20135,7 @@
- ibackup <removed> (low; bug #496432)
[etch] - ibackup <no-dsa> (Minor issues)
CVE-2008-4401 (ActionScript in Adobe Flash Player 9.0.124.0 and earlier does
not ...)
- - flashplugin-nonfree 1.7.2
- [etch] - flashplugin-nonfree <no-dsa> (Contrib not supported)
- [lenny] - flashplugin-nonfree <no-dsa> (Contrib not supported)
+ NOT-FOR-US: Adobe Flash
CVE-2008-4400 (Unspecified vulnerability in asdbapi.dll in CA ARCserve Backup
...)
NOT-FOR-US: CA ARCserve Backup
CVE-2008-4399 (Unspecified vulnerability in the database engine service in ...)
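Review bot: For CVE-2008-4401 the removed lines carried more than an undetermined placeholder: a fixed version (1.7.2) and, for etch and lenny, "<no-dsa> (Contrib not supported)", which already states the policy given in the commit message. Replacing all three with "NOT-FOR-US: Adobe Flash" drops the record that flashplugin-nonfree was ever assessed for this issue. Consider keeping that history as a NOTE: line under the new entry, in the same form as the NOTE: lines used elsewhere in the file.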
@@ -21466,11 +21464,9 @@
CVE-2008-3874 (Cross-site scripting (XSS) vulnerability in account.php in
Lussumo ...)
NOT-FOR-US: Lussumo Vanilla
CVE-2008-3873 (The System.setClipboard method in ActionScript in Adobe Flash
Player ...)
- - flashplugin-nonfree <undetermined>
+ NOT-FOR-US: Adobe Flash
CVE-2008-3872 (Adobe Flash Player 8.0.39.0 and earlier, and 9.x up to
9.0.115.0, ...)
- - flashplugin-nonfree 1:1.4
- [etch] - flashplugin-nonfree <no-dsa> (Contrib not supported)
- NOTE: automatically downloads latest update from adobe which is 9.0.124.0
currently
+ NOT-FOR-US: Adobe Flash
CVE-2008-3871 (Multiple format string vulnerabilities in UltraISO 9.3.1.2633,
and ...)
NOT-FOR-US: UltraISO
CVE-2008-3870 (Integer overflow in sadmind in Sun Solaris 8 and 9 allows remote
...)
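Review bot: The CVE-2008-3872 entry loses the line "NOTE: automatically downloads latest update from adobe which is 9.0.124.0 currently", along with the 1:1.4 version and the etch <no-dsa> line. That note is the only place in this file that explains how the installer package relates to the upstream binary, which is the reasoning behind the revert. Keeping it as a NOTE: under "NOT-FOR-US: Adobe Flash" would preserve the explanation for anyone who later asks why flashplugin-nonfree is not tracked.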