Author: jmw Date: 2012-03-11 15:41:38 +0000 (Sun, 11 Mar 2012) New Revision: 18645 Modified: data/ospu-candidates.txt Log: eol lenny Modified: data/ospu-candidates.txt ==================================================================--- data/ospu-candidates.txt 2012-03-11 12:06:07 UTC (rev 18644) +++ data/ospu-candidates.txt 2012-03-11 15:41:38 UTC (rev 18645) 
@@ -1,926 +1,6 @@ This file records minor security issues, which do not warrant a DSA, -but which could be fixed in a oldstable point update if people feel like +but which could be fixed in a stable point update if people feel like it. If someone wants to address these, please add a note about it and get in contact with debian-release at lists.debian.org -feh (CVE-2011-1031, CVE-2011-0702) -#612035 -waiting unstable - -- - -abcm2ps (CVE-2010-3441, CVE-2010-4743, CVE-2010-4744) -#577014 -awaiting maintainer response - --- - -acidbase (CVE-2009-4590, CVE-2009-4591, CVE-2009-4592) -notified maintainer - -CVE-2009-4839 CVE-2009-4838 CVE-2009-4837 -maintainer contacted us, notified about spu status - --- - -acpid (CVE-2011-1159) -https://bugzilla.redhat.com/show_bug.cgi?id=688698 - --- - -acl (CVE-2009-4411) -#499076 -notified maintainer -awaiting maintainer response - --- - -aptitude (CVE-2011-XXXX) -#612034 - --- - -ax25-tools (CVE-2011-2910) -#638918 -waiting unstable - --- - -babel (CVE-2009-3736) -#559843 -notified maintainer -awaiting maintainer response - --- - -bugzilla (CVE-2009-0481 to CVE-2009-0485) -notified maintainer - -CVE-2010-1204 -notified maintainer through initial bugreport - --- - -buildbot (CVE-2009-2959, CVE-2009-2967) -#543822 -notified maintainer - --- - -calendarserver -#605157 - --- - -ccid (CVE-2010-4530) -#607780 - --- - -centerim -CVE-2009-3720 - --- - -compiz-fusion-plugins-main (CVE-2008-6514) -notified maintainer - --- - -couchdb (CVE-2010-0009) -#576304 -notified maintainer - --- - -cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked -#528434 -notified maintainer - --- - -cups (CVE-2009-3553) -#557740 -maintainer notified in initial bug report -Initial patch was incomplete; - -cups (CVE-2010-0302) -#572940 -notified maintainer - --- - -dbus-glib (CVE-2010-1172) -#592753 - --- - -devil (CVE-2009-3994) -#560080 -notified maintainer - --- - -dokuwiki (XML-RPC vulns) -maintainer is working on uploads - --- - 
-dopewars (CVE-2009-3591) -#550913 -notified maintainer - --- - -dstat (CVE-2009-3894) -http://svn.rpmforge.net/svn/trunk/tools/dstat/ChangeLog -notified maintainer - -dstat (CVE-2009-4081) -#559667 -notified maintainer - --- - -eclipse (CVE-2010-4647) -#611849 -awaiting maintainer response - --- - -evolution (CVE-2009-1631) -#526409 -notified maintainer through initial bugreport - --- - -exim4 (CVE-2010-2023, CVE-2010-2024) -notified maintainers - --- - -fail2ban [fail2ban: Insecure creating/writing to tmpfile] -#544232 - --- - -fastjar (CVE-2010-0831, CVE-2010-2322) - --- - -fcron (CVE-2010-0791) -#572587 -notified maintainer through initial bugreport - --- - -feedparser -CVE-2011-1158 [sanitizer doesn''t strip unsafe URI schemes] -CVE-2011-1157 [sanitization can be bypassed by malformed XML comments] -CVE-2011-1156 [invalid text in XML declaration causes sanitizer to crash] -CVE-2011-XXXX [XSS vuln] -#617998 -waiting unstable - --- - -feh (CVE-2011-XXXX) -#612035 - --- - - -flash-kernel temp file handling (fixed in 2.33) - - --- - -foo2zjs (CVE-2011-2684) -maintainer notified in initial bug report - --- - -gif2png (CVE-2010-4695/CVE-2010-4696) -#610479 -awaiting maintainer response - --- - -gnome-shell (CVE-2010-4000) - --- - -gnome-subtitles (CVE-2010-3357) -#598289 - --- - -CVE-2008-XXXX [greylistd bypass] -#464084 - --- - -ika (CVE-2010-3361) -#5982925B -notified maintainer - --- - -imp4 (CVE-2010-0463) -#569661 -notified maintainer - --- - -libgnucrypto-java (CVE-2008-5659) -#559789 -removed - --- - -gnome-schedule -#605169 - --- - -gnucash (CVE-2010-3999) -#603329 - --- - -gnumed-client -#605159 - --- - -gnutls26 (CVE-2009-1417) -#531614 -notified maintainer - --- - -gri (no CVE) -fixed in gri 2.12.18-1: -"Improve security when creating temporary files." 
-notified maintainer - --- - -gupnp (CVE-2009-2174) -#534594 -notified maintainer - --- - -hammerhead (CVE-2011-3204) -#639890 -waiting unstable - --- - -htmldoc (CVE-2009-3050) -#537637 -notified maintainer through initial bugreport - --- - -hypermail (CVE-2010-4339) -#598743 - --- - -hypre (CVE-2009-3736) -#559834 -notified maintainer - --- - -iceweasel (CVE-2009-0777) -#576466 -notified maintainer - --- - -ironpython -#605158 - --- - -kde4libs (CVE-2009-2702) -#546218 -notified maintainer - -kde4libs (CVE-2009-0689) -notified maintainer - --- - -kdeutils (CVE-2011-2725) -#635541 - --- - -keepalived (CVE-2011-1784) -#626281 - --- - -kfreebsd-6 -[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl] -http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc -notified maintainer - -[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935) -http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc -notified maintainer - --- - -kfreebsd-7 -[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl] -http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc -notified maintainer - -[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935) -http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc -notified maintainer - --- - -krb5 (CVE-2011-0281/CVE-2010-0282) -maintainer preparing upload (r16154) - -krb5 (CVE-2011-0284) -#618517 -waiting unstable - --- - -kvm 82-1 (CVE-2008-5714) -#509997 -notified maintainer - --- - -lcms (CVE-2009-0793) -notified maintainer through initial bugreport - --- - -libesmtp (CVE-2010-1192) -#572960 -maintainer contacted us, notified about spu status - --- - -libnss-db (CVE-2010-0826) -#577057 - --- - -liboggz (CVE-2009-3377) -Fixed in 0.9.9-1 -Too intrusive to backport, needs to be updated to 0.9.9. Requires additional rebuild of rev dep. 
- --- - -libglpng (CVE-2010-1516) - --- - -libpoe-component-irc-perl -#581194 -maintainer contacted us - --- - -libsndfile -potential dos via crafted input -#530831 -notified maintainer - --- - -libvorbis (CVE-2008-2009) -notified maintainer and release team - --- - -libstruts1.2-java (CVE-2008-2025) -#528352 -notified maintainer - --- - -linux-ftpd: null ptr dereference -#572813 -notified maintainer - --- - -logrotate [logrotate race condition could lead to file disclosure] -Fixed in sid in 3.7.8-4 - --- - -makepasswd (no CVE ID) -#564559 -notified maintainer - --- - -mako (CVE-2010-2480) -http://bugs.python.org/issue9061 - --- - -mapserver (CVE-2010-3484, CVE-2010-3485) -fixed in 5.6.4-1 - --- - -maradns -http://maradns.org/download/maradns-1.4.02-parse_segfault.patch -notified maintainer - --- - -matrixssl -CVE-2009-3555 - - --- - -mcabber (CVE-2009-3720/CVE-2009-3560) -#601053 -awaiting maintainer response - --- - -mediatomb (CVE-2010-XXXX) -#580120 -Interface should be disabled in a point update, no real fix - --- - -memcached (CVE-2009-1255) -notified maintainer - --- - -mercurial (CVE-2010-4237) -#598841 - --- - -mimedecode -potential dos/crash due to invalid input -orphaned -#530430 - --- - -mingetty -#597382 - --- - -mono-debugger (CVE-2010-3369) -#598299 - --- - -mutt (CVE-2011-1429) -#619216 - --- - -mpg123 (CVE-2009-1301) -notified maintainer - --- - -neon27 (CVE-2009-2474) -#542926 -notified maintainer - --- - -neon26 (CVE-2009-2474) -#542926 -notified maintainer - --- - -net-snmp (CVE-2008-6123) -Noah will see to it. 
- --- - -network-manager-applet (CVE-2009-4144) -#560067 -notified maintainer through initial bugreport - -CVE-2009-4145 -#563371 -notified maintainer through initial bugreport - --- - -ntop (CVE-2009-2732) -#543312 -notified maintainer through initial bugreport - --- - -open-vm-tools (CVE-2011-1681) - --- - -otrs2 (CVE-2011-2746) -http://otrs.org/advisory/OSA-2011-03-en/ - --- - -perl (CVE-2011-3597) - --- - -phpbb3 (CVE-2010-1630, 1627) - --- - -pidgin CVE-2011-XXXX -http://www.pidgin.im/news/security/?id=50 - --- - -postfix (CVE-2009-2939) -notified maintainer - --- - -prosody (CVE-2011-2205) -#579087 -Also requires additional fix in lua-expat - --- - -puppet (CVE-2009-3564, CVE-2010-0156) - --- - -python2.4 (CVE-2011-1015) -http://bugs.python.org/issue2254 - --- - -python2.5 (CVE-2011-1015) -http://bugs.python.org/issue2254 - - - -python-numpy (CVE-2010-XXXX [numpy memory corruption]) -#581058 -http://projects.scipy.org/numpy/changeset/8364 - --- - -rdesktop (CVE-2011-1595) -#623552 -https://bugzilla.redhat.com/attachment.cgi?id=492845&action=diff&context=patch&collapsed=&headers=1&format=raw - --- - -roaraudio (CVE-2010-3362) -#598295 - --- - -ruby1.8 (CVE-2010-0541, CVE-2011-1004, CVE-2011-1005) -#615517, #615518 -awaiting maintainer response - -CVE-2011-3624 - --- - -ruby1.9 (CVE-2010-0541, CVE-2011-1004) -#615519 -awaiting maintainer response - -CVE-2011-3624 - --- - -squid (CVE-2009-0801) -#521053 -notified maintainer - --- - -squid3 (CVE-2009-0801) -#521052 -notified maintainer - --- - -stunnel (CVE-2011-XXXX) -http://www.stunnel.org/?page=sdf_ChangeLog (v4.35) - --- - -tangerine (CVE-2010-3381) -#598302 - --- - -t-prot (CVE-2009-4404) -notified maintainer - --- - -texmacs (CVE-2010-3394) -#598424 - --- - -tomcat-native (CVE-2009-3555) - --- - -torcs (CVE-2010-3384) -#598306 - --- - -vte (CVE-2011-2198) -#629688 -awaiting maintainer response - --- - -ocsinventory-server (CVE-2009-3040, CVE-2009-3042, CVE-2009-1443) -#541995 -notified maintainer - --- - 
-offlineimap (CVE-2010-4533, CVE-2010-4532) -#606962 - --- - -openldap (CVE-2011-1024/CVE-2011-1025/CVE-2011-1081) -#617606 -maintainer preparing upload - --- - -openldap -#253838 -notified maintainer - --- - -overkill (no CVE yet) -#549310 - --- - -owl (CVE-2009-0363) -#515118 -notified maintainer - --- - -pam (CVE-2009-0579) -#514437 -asked maintainer in mail - -CVE-2010-4708/CVE-2010-4707/CVE-2010-4706 - --- - -pidgin (CVE-2009-1889, CVE-2009-3085) -#535790 -http://developer.pidgin.im/ticket/9483 -http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7 -notified maintainer - --- - -pptp-linux (no CVE) -#523476 -Ola will prepare a fix in a point update - --- - -prewikka (CVE-2010-2058) -#584469 - - --- - -puppet (CVE-2009-3564) -#551073 -notified maintainer in initial bug report - -CVE-2010-0156 -#https://bugzilla.redhat.com/show_bug.cgi?id=502881 -notified maintainer - --- - -python-4suite (CVE-2009-3560, CVE-2009-3720) -#560914 -notified maintainer - --- - -python-cjson (CVE-2009-4924) -#593302 - --- - -python2.4 (CVE-2010-2089, CVE-2010-1634, CVE-2010-1450, CVE-2010-1449, CVE-2009-4134) - - --- - -python2.5 (CVE-2010-2089, CVE-2010-1634, CVE-2010-1450, CVE-2010-1449, CVE-2009-4134, CVE-2010-3493) - --- - -qtparted (CVE-2010-3375) -#598301 - --- - -rails (CVE-2009-3086) -bug #545063 -notified maintainer - --- - -scilab (CVE-2010-3378) -#598423; #598422 - --- - -shibboleth-sp2: world-readable key (no CVE) -#571631 -notified maintainer through bugreport - --- - -snappea -#605151 - --- - -squid (CVE-2010-0639) -#572553 -Maintainer notified through initial bugreport - --- - -squid3 (CVE-2010-0639) -#572554 -Maintainer notified through initial bugreport - --- - -sqlite -#566326 - --- - -tau (CVE-2008-5157) -#506348 -notified maintainer - --- - -tcptrack (CVE-2011-2903) -#551092 - --- - -teamspeak-client -#598304 - --- - -teamspeak-server -#598305 - --- - -trac (CVE-2009-4405) -notified maintainer - --- - -udev (#462655) -notified 
maintainer - --- - -vftool (CVE-2011-0433) -https://bugzilla.gnome.org/show_bug.cgi?id=640923 -bug #614669 -awaiting maintainer response - --- - -planet (CVE-2009-2937) -bug #546178 -notified maintainer through initial bugreport - --- - -w3m (CVE-2010-2074) -maintainer notified through bug report - --- - -webkit (CVE-2008-4724) -#520052 -asked maintainer - --- - -widelands -#617960 -maintainer preparing upload - --- - -xemacs21 (CVE-2008-2142) -bug #480877 -notified maintainer - -xemacs21 (CVE-2009-2688) -#540470 -Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994 -notified maintainer - --- - -xen-3 (CVE-2008-4993) -#496367 -notified maintainer - --- - -xerces-c2 (CVE-2009-1885) -#541986 -notified maintainer - --- - -xfig -25_mkstemp added in 1:3.2.5.a-1 -notified maintainer - -CVE-2009-4228/CVE-2009-4227 -#559274) -https://bugzilla.redhat.com/show_bug.cgi?id=543905 -notified maintainer - --- - -xmp (CVE-2007-6731, CVE-2007-6732) -#546730 -notified maintainer - --- - -ytnef (CVE-2009-3887, CVE-2009-3721) -notified maintainer - --- - -ziproxy (CVE-2009-0804) -#521051 -notified maintainer - --- - -zope2.10 (no CVE) -https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html - --- - -zoph (CVE-2008-6838, CVE-2008-6837, CVE-2009-2343) -http://sourceforge.net/tracker/?func=detail&aid=2815898&group_id=69353&atid=524249 -http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=694128 -notified maintainer - --- - -quassel -#640960 - ---
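Review bot: the hunk drops every candidate entry together with the lenny EOL, but a number of the removed entries carry 2011 CVE ids and a "waiting unstable" status (ax25-tools CVE-2011-2910 #638918, hammerhead CVE-2011-3204 #639890, krb5 CVE-2011-0284 #618517, feh CVE-2011-1031/CVE-2011-0702 #612035, vte CVE-2011-2198 #629688), which reads as open against the current stable rather than lenny only; since the header is being rewritten from "a oldstable point update" to "a stable point update", consider carrying those entries over under the new wording, or at least stating in the log message that the full list was triaged and intentionally cleared, because "eol lenny" on its own does not document that the whole candidate list is gone.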