Author: thijs
Date: 2010-06-27 13:03:04 +0000 (Sun, 27 Jun 2010)
New Revision: 14910
Modified:
data/CVE/list
Log:
changes with point release 5.0.5
Modified: data/CVE/list
==================================================================---
data/CVE/list 2010-06-27 04:03:20 UTC (rev 14909)
+++ data/CVE/list 2010-06-27 13:03:04 UTC (rev 14910)
@@ -905,12 +905,10 @@
TODO: File bug
CVE-2010-2073 (auth_db_config.py in Pyftpd 0.8.4 contains hard-coded usernames
and ...)
- pyftpd 0.8.5 (low; bug #585776)
- TODO: next point release: [lenny] - pyftpd 0.8.4.6+lenny1
- [lenny] - pyftpd <no-dsa> (Minor issue)
+ [lenny] - pyftpd 0.8.4.6+lenny1
CVE-2010-2072 (Pyftpd 0.8.4 creates log files with predictable names in a
temporary ...)
- pyftpd 0.8.5 (low; bug #585773)
- TODO: next point release: [lenny] - pyftpd 0.8.4.6+lenny1
- [lenny] - pyftpd <no-dsa> (Minor issue)
+ [lenny] - pyftpd 0.8.4.6+lenny1
CVE-2010-2071 (The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in
the ...)
- linux-2.6 <unfixed>
[lenny] - linux-2.6 <not-affected> (btrfs introduced in 2.6.29)
@@ -2638,7 +2636,7 @@
NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1440 (Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX
Live ...)
- texlive-bin 2009-6 (low; bug #580668)
- [lenny] - texlive-bin <no-dsa> (minor issue)
+ [lenny] - texlive-bin 2007.dfsg.2-4+lenny3
CVE-2010-1439 (yum-rhn-plugin in Red Hat Network Client Tools (aka
rhn-client-tools) ...)
NOT-FOR-US: Red Hat Network Client Tools
CVE-2010-1438 (Web Application Finger Printer (WAFP) 0.01-26c3 uses fixed
pathnames ...)
@@ -3424,13 +3422,11 @@
- linux-2.6 2.6.32-12
CVE-2010-1161 (Race condition in GNU nano before 2.2.4, when run by root to
edit a ...)
- nano 2.2.4-1 (low; bug #577817)
- [lenny] - nano <no-dsa> (minor issue)
- TODO: next point update: [lenny] - nano 2.0.7-5
+ [lenny] - nano 2.0.7-5
NOTE: http://www.openwall.com/lists/oss-security/2010/04/14/4
CVE-2010-1160 (GNU nano before 2.2.4 does not verify whether a file has been
changed ...)
- nano 2.2.4-1 (low; bug #577817)
- [lenny] - nano <no-dsa> (minor issue)
- TODO: next point update: [lenny] - nano 2.0.7-5
+ [lenny] - nano 2.0.7-5
NOTE: http://www.openwall.com/lists/oss-security/2010/04/14/4
CVE-2010-1158 (Integer overflow in the regular expression engine in Perl 5.8.x
allows ...)
- perl <not-affected> (re engine rewritten for 5.10 to address issues
such as this; and proof-of-concept not effective)
@@ -3842,8 +3838,7 @@
NOT-FOR-US: CommonSense CMS
CVE-2010-XXXX [alien-arena: server dos]
- alien-arena 7.33-5 (low; bug #575621)
- [lenny] - alien-arena <no-dsa> (Contrib not supported)
- TODO: next point release [lenny] - alien-arena 7.0-1+lenny2
+ [lenny] - alien-arena 7.0-1+lenny2
CVE-2010-XXXX [phpCAS XSS in final_uri; PHPCAS-52]
- glpi 0.72.4-2 (bug #574760)
NOTE: http://www.ja-sig.org/issues/browse/PHPCAS-52
@@ -4451,7 +4446,7 @@
- moin 1.9.2-3 (low; bug #575995)
CVE-2010-0827 (Integer overflow in dvips in TeX Live 2009 and earlier, and
teTeX, ...)
- texlive-bin 2009-6 (low; bug #580669)
- [lenny] - texlive-bin <no-dsa> (minor issue)
+ [lenny] - texlive-bin 2007.dfsg.2-4+lenny3
CVE-2010-0826 (The Free Software Foundation (FSF) Berkeley DB NSS module (aka
...)
- libnss-db <unfixed> (low; bug #577057)
[lenny] - libnss-db <no-dsa> (Minor issue)
@@ -4724,7 +4719,7 @@
NOTE: http://www.openssl.org/news/secadv_20100324.txt
CVE-2010-0739 (Integer overflow in the predospecial function in dospecial.c in
dvips ...)
- texlive-bin 2009-6 (low; bug #560668)
- [lenny] - texlive-bin <no-dsa> (minor issue)
+ [lenny] - texlive-bin 2007.dfsg.2-4+lenny3
CVE-2010-0738 (The JMX-Console web application in JBossAs in Red Hat JBoss
Enterprise ...)
- jbossas4 <not-affected> (Only builds a few libraries, not the full
application server, #581226)
CVE-2010-0737
@@ -5090,9 +5085,8 @@
CVE-2010-0624 (Heap-based buffer overflow in the rmt_read__ function in ...)
- cpio 2.11-1 (low)
- tar 1.23-1 (low)
- [lenny] - cpio <no-dsa> (Minor issue)
- [lenny] - tar <no-dsa> (Minor issue)
- TODO: add after r5 [lenny] - tar 1.20-1+lenny1
+ [lenny] - tar 1.20-1+lenny1
+ [lenny] - cpio 2.9-13lenny1
CVE-2010-0621
RESERVED
CVE-2010-0620 (Directory traversal vulnerability in the SSL Service in EMC
HomeBase ...)
@@ -5680,8 +5674,7 @@
- pcsc-lite 1.5.4-1
CVE-2010-0406 (OpenTTD before 1.0.1 allows remote attackers to cause a denial
of ...)
- openttd 1.0.1-1
- [lenny] - openttd <no-dsa> (Contrib not supported)
- TODO: next point update: [lenny] - openttd 0.6.2-1+lenny2
+ [lenny] - openttd 0.6.2-1+lenny2
CVE-2010-0405
RESERVED
CVE-2010-0404 (Multiple SQL injection vulnerabilities in phpGroupWare (phpgw)
before ...)
@@ -5692,12 +5685,10 @@
- phpgroupware 1:0.9.16.016+dfsg-1 (bug #584518)
CVE-2010-0402 (OpenTTD before 1.0.1 does not properly validate index values of
...)
- openttd 1.0.1-1
- [lenny] - openttd <no-dsa> (Contrib not supported)
- TODO: next point update: [lenny] - openttd 0.6.2-1+lenny2
+ [lenny] - openttd 0.6.2-1+lenny2
CVE-2010-0401 (OpenTTD before 1.0.1 accepts a company password for
authentication in ...)
- openttd 1.0.1-1
- [lenny] - openttd <no-dsa> (Contrib not supported)
- TODO: next point update: [lenny] - openttd 0.6.2-1+lenny2
+ [lenny] - openttd 0.6.2-1+lenny2
CVE-2010-0400 (SQL injection vulnerability in lib/user.php in mahara 1.0.4
allows ...)
{DSA-2030-1}
- mahara 1.2.4-1 (medium)
@@ -9329,7 +9320,7 @@
[etch] - smart <no-dsa> (minor issue)
[lenny] - smart <no-dsa> (minor issue)
- tla 1.3.5+dfsg-15 (unimportant; bug #560940)
- TODO: next point update: [lenny] - tla 1.3.5+dfsg-14+lenny1
+ [lenny] - tla 1.3.5+dfsg-14+lenny1
- xmlrpc-c <unfixed> (low; bug #560942)
[etch] - xmlrpc-c <no-dsa> (minor issue)
[lenny] - xmlrpc-c <no-dsa> (minor issue)
@@ -9582,8 +9573,7 @@
- linux-2.6.24 <not-affected> (vulnerable code introduced in 2.6.31)
CVE-2009-3622 (Algorithmic complexity vulnerability in wp-trackback.php in
WordPress ...)
- wordpress 2.8.5-1
- [lenny] - wordpress <no-dsa> (Minor issue)
- TODO: next point update: [lenny] - wordpress 2.5.1-11+lenny3
+ [lenny] - wordpress 2.5.1-11+lenny3
[etch] - wordpress 2.0.10-1etch6
NOTE: http://seclists.org/fulldisclosure/2009/Oct/263
CVE-2009-3621 (net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier
allows ...)
@@ -9815,7 +9805,7 @@
[etch] - smart <no-dsa> (minor issue)
[lenny] - smart <no-dsa> (minor issue)
- tla 1.3.5+dfsg-15 (unimportant; bug #560940)
- TODO: next point update: [lenny] - tla 1.3.5+dfsg-14+lenny1
+ [lenny] - tla 1.3.5+dfsg-14+lenny1
- xmlrpc-c <unfixed> (low; bug #560942)
[etch] - xmlrpc-c <no-dsa> (minor issue)
[lenny] - xmlrpc-c <no-dsa> (minor issue)
@@ -10657,8 +10647,7 @@
NOTE: browser denial-of-services are unimportant
CVE-2009-3245 (OpenSSL before 0.9.8m does not check for a NULL return value
from ...)
- openssl 0.9.8m-1 (low; bug #575433)
- [lenny] - openssl <no-dsa> (minor issue)
- TODO: next point update: [lenny] - openssl 0.9.8g-15+lenny7
+ [lenny] - openssl 0.9.8g-15+lenny7
CVE-2009-3244 (Heap-based buffer overflow in the SwDir.dll ActiveX control in
Adobe ...)
NOT-FOR-US: Adobe ShockWave Player
CVE-2009-3243 (Unspecified vulnerability in the TLS dissector in Wireshark
1.2.0 and ...)
@@ -10865,8 +10854,7 @@
[etch] - libaws <no-dsa> (minor issue)
[lenny] - libaws <no-dsa> (minor issue)
- libjson-ruby 1.1.4-1 (low; bug #555223)
- [lenny] - libjson-ruby <no-dsa> (Minor issue)
- TODO: next point update [lenny] - libjson-ruby 1.1.2-1+lenny1
+ [lenny] - libjson-ruby 1.1.2-1+lenny1
- lucene2 2.9.1+ds1-2 (unimportant; bug #555225)
[etch] - lucene2 <not-affected> (prototype.js not present)
NOTE: prototype.js copy unused per #555225
@@ -15243,8 +15231,7 @@
[etch] - xerces-c <no-dsa> (Minor issue)
[lenny] - xerces-c <no-dsa> (Minor issue)
- xerces-c2 2.8.0+deb1-2 (low; bug #541986)
- [lenny] - xerces-c2 <no-dsa> (Minor issue)
- TODO: next point update: [lenny] - xerces-c2 2.8.0-3+lenny1
+ [lenny] - xerces-c2 2.8.0-3+lenny1
- xerces27 <removed>
[etch] - xerces27 <no-dsa> (Minor issue)
CVE-2009-1884 (Off-by-one error in the bzinflate function in Bzip2.xs in the
...)
@@ -15939,8 +15926,7 @@
NOT-FOR-US: phpWebNews
CVE-2009-1756 (SLiM Simple Login Manager 1.3.0 places the X authority magic
cookie ...)
- slim 1.3.1-2 (low; bug #529306)
- [lenny] - slim <no-dsa> (Minor issue)
- TODO: next point update: [lenny] - slim 1.3.0-1+lenny2
+ [lenny] - slim 1.3.0-1+lenny2
CVE-2009-1755 (Off-by-one error in the packet_read_query_section function in
packet.c ...)
{DSA-1803-1}
- nsd3 3.2.2-1 (medium; bug #529418)
@@ -17142,8 +17128,7 @@
- linux-2.6.24 <not-affected> (introduced in 2.6.29)
CVE-2009-1297 (iscsi_discovery in open-iscsi in SUSE openSUSE 10.3 through 11.1
and ...)
- open-iscsi 2.0.871-1 (low; bug #547011)
- [lenny] - open-iscsi <no-dsa> (Minor issue)
- TODO: next lenny spu [- open-iscsi 2.0.870~rc3-0.4.1]
+ [lenny] - open-iscsi 2.0.870~rc3-0.4.1
[etch] - open-iscsi <not-affected> (Vulnerable script not yet present)
CVE-2009-1296 (The eCryptfs support utilities (ecryptfs-utils) 73-0ubuntu6.1 on
...)
- ecryptfs-utils 75-2 (unimportant; bug #532372)
@@ -17756,8 +17741,7 @@
{DSA-2050-1 DSA-2028-1}
- poppler 0.10.6-1 (medium; bug #524806)
[etch] - poppler <not-affected> (SplashBitmap code not present)
- [lenny] - poppler <no-dsa> (Will be fixed through a point update)
- TODO: next stable release: [lenny] - poppler 0.8.7-3.1
+ [lenny] - poppler 0.8.7-3.1
- xpdf 3.02-2 (bug #575779)
- kdegraphics 4:4.0
- swftools <removed>
@@ -19144,8 +19128,7 @@
RESERVED
CVE-2009-0796 (Cross-site scripting (XSS) vulnerability in Status.pm in ...)
- libapache2-mod-perl2 2.0.4-6 (low; bug #567635)
- [lenny] - libapache2-mod-perl2 <no-dsa> (Minor issue)
- TODO: next point update [lenny] - libapache2-mod-perl2 2.0.4-5+lenny1
+ [lenny] - libapache2-mod-perl2 2.0.4-5+lenny1
- apache <removed>
[etch] - apache <no-dsa> (minor issue)
CVE-2009-0795
@@ -25056,7 +25039,7 @@
- ekg 1:1.8~rc0-1 (low)
- centerim 4.22.9-1 (low; bug #559782)
[lenny] - centerim <no-dsa> (Minor issue)
- TODO: next point update: [lenny] - centerim 4.22.5-1+lenny1
+ NOTE: claimed to be fixed in point update but is not: [lenny] - centerim
4.22.5-1+lenny1
- qutecom <not-affected> (does not use libgadu embed; bug #559784)
CVE-2008-4769 (Directory traversal vulnerability in the get_category_template
...)
{DSA-1871-2 DSA-1871-1}