Author: jmm-guest Date: 2010-04-22 19:44:54 +0000 (Thu, 22 Apr 2010) New Revision: 14548 Modified: data/CVE/list Log: - no-dsa for several qtwebkit issues - sun java no-dsa - kfreebsd not-dsa - iceape not-affected - xemacs21 no-dsa - xmlsec1 no-dsa - xulrunner issue is windows-specific Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-04-22 01:01:05 UTC (rev 14547) +++ data/CVE/list 2010-04-22 19:44:54 UTC (rev 14548) @@ -255,6 +255,7 @@ RESERVED CVE-2010-1423 (Argument injection vulnerability in the URI handler in (a) Java NPAPI ...) - sun-java6 <unfixed> (high) + [lenny] - sun-java6 <no-dsa> (Non-free not supported) CVE-2010-XXXX [gource: predictable log file located in /tmp] - gource 0.26-2 (low; bug #577958) CVE-2010-XXXX [webkit: lots of dns lookups] @@ -1819,6 +1820,7 @@ - emacs22 <unfixed> (low) [lenny] - emacs22 <no-dsa> (Minor issue) - xemacs21 <unfixed> (low) + [lenny] - xemacs21 <no-dsa> (Minor issue) [lenny] - xmacs21 <no-dsa> (Minor issue) - emacs23 <unfixed> (low) TODO: check and file bugs, can still be fixed through spus by the maintainers @@ -3490,9 +3492,9 @@ [lenny] - lib3ds <no-dsa> (Minor issue) [etch] - lib3ds <no-dsa> (Minor issue) NOTE: http://www.coresecurity.com/content/google-sketchup-vulnerability - TODO: check affected versions and file bug NOTE: issue was published saying it affects google sketchup, NOTE: but the vulnerable code is in lib3ds + NOTE: http://code.google.com/p/lib3ds/issues/detail?id=9 CVE-2010-0279 (Unrestricted file upload vulnerability in upload.php in BTS-GI Read ...) NOT-FOR-US: BTS-GI Read excel CVE-2010-0278 (A certain ActiveX control in msgsc.14.0.8089.726.dll in Microsoft ...) 
@@ -3856,9 +3858,8 @@ - iceape 2.0.3-1 [lenny] - iceape <not-affected> (Lenny package only provide xpcom stubs) CVE-2010-0161 (The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in ...) - - xulrunner 1.9.1.8-1 - - iceape 2.0.3-1 - [lenny] - iceape <not-affected> (Lenny package only provide xpcom stubs) + - xulrunner <not-affected> (Windows-specific) + - iceape <not-affected> (Windows-specific) CVE-2010-0160 (The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 ...) - xulrunner 1.9.1.8-1 [etch] - xulrunner <not-affected> (web workers introduced in gecko 1.9.1) @@ -7596,6 +7597,7 @@ CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari before ...) - webkit 1.1.17-2 (medium; bug #559759) - qt4-x11 4:4.6.2-4 (bug #561760) + [lenny] - qt4-x11 <no-dsa> (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected [etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4) - kdelibs <not-affected> (vulnerable code not present) @@ -10437,6 +10439,7 @@ CVE-2009-2649 (The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev ...) - kfreebsd-8 8.0-1 (bug #572811) - kfreebsd-7 7.3-1 (bug #572811) + [lenny] - kfreebsd-7 <no-dsa> (KFreebsd not supported) - kfreebsd-6 <removed> (bug #572811) [lenny] - kfreebsd-6 <no-dsa> (KFreebsd not supported) CVE-2009-2648 (FlashDen Guestbook allows remote attackers to obtain configuration ...) @@ -12988,6 +12991,7 @@ - kdelibs <not-affected> - kde4libs <not-affected> - qt4-x11 <unfixed> (low) + [lenny] - qt4-x11 <no-dsa> (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: http://trac.webkit.org/changeset/36359 CVE-2009-1713 (The XSLT functionality in WebKit in Apple Safari before 4.0 does not ...) {DSA-1988-1} 
@@ -13126,6 +13130,7 @@ - kdelibs <not-affected> - kde4libs <not-affected> - qt4-x11 <unfixed> + [lenny] - qt4-x11 <no-dsa> (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: http://trac.webkit.org/changeset/35928 CVE-2009-1692 (WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1, ...) {DSA-1950-1} @@ -18960,6 +18965,7 @@ {DSA-1995-1 DSA-1849-1 DTSA-205-1} - xml-security-c 1.4.0-4 - xmlsec1 1.2.12-1 + [lenny] - xmlsec1 <no-dsa> (Minor issue) - mono 2.4.2.3+dfsg-1 NOTE: http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html NOTE: http://anonsvn.mono-project.com/viewvc?view=rev&revision=137891 @@ -19080,6 +19086,7 @@ CVE-2008-5913 (An unspecified function in the JavaScript implementation in Mozilla ...) - xulrunner <unfixed> (bug #559792) - iceape <unfixed> + [lenny] - iceape <not-affected> (Just a stub package) NOTE: fixed upstream https://bugzilla.mozilla.org/show_bug.cgi?id=cve-2008-5913 TODO: check next set of MFSA''s CVE-2008-5912 (An unspecified function in the JavaScript implementation in Microsoft ...) @@ -25221,6 +25228,7 @@ CVE-2008-3632 (Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through ...) - webkit 1.0.1-4 (bug #499771) - qt4-x11 4:4.6.2-4 (bug #561760) + [lenny] - qt4-x11 <no-dsa> (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected NOTE: http://trac.webkit.org/changeset/34815 CVE-2008-3631 (Application Sandbox in Apple iPod touch 2.0 through 2.0.2, and iPhone ...) @@ -28339,6 +28347,7 @@ - kdelibs <unfixed> - kde4libs <unfixed> - qt4-x11 4:4.6.2-4 + [lenny] - qt4-x11 <no-dsa> (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/34204 CVE-2008-2306 (Apple Safari before 3.1.2 on Windows does not properly interpret the ...) 
@@ -60967,6 +60976,7 @@ - webkit 1.0.1-1 (bug #535793) NOTE: http://trac.webkit.org/changeset/33380 - qt4-x11 4:4.6.2-4 (low; bug #561760) + [lenny] - qt4-x11 <no-dsa> (Minor impact, no apps in Lenny which use qtwebkit ) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected - kdelibs <not-affected> (bug #561765) - kde4libs <undetermined> (bug #561762)
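
Review bot: In the @@ -1819,6 +1820,7 @@ hunk the added `[lenny] - xemacs21 <no-dsa> (Minor issue)` sits directly above the existing `[lenny] - xmacs21 <no-dsa> (Minor issue)`, which looks like a misspelling of the same package. Remove the `xmacs21` line in this change instead of keeping both, so the entry carries one Lenny tag for xemacs21 and no tag for a package name that appears nowhere else in the entry.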
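
Review bot: The @@ -3490,9 +3492,9 @@ hunk removes `TODO: check affected versions and file bug`, but the NOTE added in its place only links the upstream lib3ds issue; the visible lines record neither which versions were checked nor a Debian bug number. Add that information next to the new NOTE, or keep the TODO until both parts are done.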
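
Review bot: In the @@ -3856,9 +3858,8 @@ hunk for CVE-2010-0161, the fixed versions `1.9.1.8-1` and `2.0.3-1` are replaced by `<not-affected> (Windows-specific)` without a NOTE giving the basis. The description only names `nsAuthSSPI::Unwrap` in `extensions/auth/nsAuthSSPI.cpp`, so a one-line NOTE stating what was checked to reach that conclusion would let a later reader verify it.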
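
Review bot: The reason string on the added line of the @@ -7596,6 +7597,7 @@ hunk, `(Minor impact, no apps in Lenny which use qtwebkit )`, has a stray space before the closing parenthesis, and the same string is repeated in the other qt4-x11 hunks of this commit. Suggest `(Minor impact, no apps in Lenny use qtwebkit)` in all of them.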
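
Review bot: In the @@ -18960,6 +18965,7 @@ hunk, `[lenny] - xmlsec1 <no-dsa> (Minor issue)` is added to an entry tagged `{DSA-1995-1 DSA-1849-1 DTSA-205-1}`, so the same issue was handled through advisories elsewhere. The reason should say what makes it minor for xmlsec1 specifically, for instance in a NOTE under the added line.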
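
Review bot: The added `[lenny] - iceape <not-affected> (Just a stub package)` in the @@ -19080,6 +19086,7 @@ hunk gives the same rationale that this file words as `(Lenny package only provide xpcom stubs)` in the context of the @@ -3856,9 +3858,8 @@ hunk. Use one wording for both so the iceape entries can be found with a single search.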
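
Review bot: In the @@ -28339,6 +28347,7 @@ hunk the `[lenny] - qt4-x11 <no-dsa>` tag is added above a NOTE that reads only `QT4 might be fixed earlier, but only 4.6.2 was checked against`, without the `Lenny is affected` that the same NOTE carries in the other qt4-x11 hunks. If the Lenny version was checked, extend the NOTE to say so; otherwise the tag asserts more than the NOTE supports.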