Florian Weimer
2005-Sep-29 21:06 UTC
[Secure-testing-commits] r2240 - bin data/CAN data/CVE data/DSA
Author: fw
Date: 2005-09-29 21:06:02 +0000 (Thu, 29 Sep 2005)
New Revision: 2240
Modified:
bin/tracker.cgi
data/CAN/list
data/CVE/list
data/DSA/list
Log:
Add tons of missing epochs in versions.
http://idssi.enyo.de/tracker/data/missing-epochs contains a list of
problematic source packages. The remaining ones should be okay.
Modified: bin/tracker.cgi
==================================================================---
bin/tracker.cgi 2005-09-29 19:52:19 UTC (rev 2239)
+++ bin/tracker.cgi 2005-09-29 21:06:02 UTC (rev 2240)
@@ -657,6 +657,8 @@
(''status/itp'', ''ITPs with potential
security issues''),
(''data/unknown-packages'',
''Packages names not found in the archive''),
+ (''data/missing-epochs'',
+ ''Package versions which might lack an
epoch''),
(''data/funny-versions'',
''Packages with strange version numbers''),
(''data/releases'',
@@ -765,6 +767,43 @@
print_footer()
+ def print_missing_epochs():
+ db = security_db.DB(''../data/security.db'')
+ print_title("Missing epochs in package versions")
+
+ def gen():
+ old_bug = ''''
+ old_pkg = ''''
+ for bug, pkg, ver1, ver2 in db.cursor().execute(
+ """SELECT DISTINCT bug_name, n.package,
+ n.fixed_version, sp.version
+ FROM package_notes AS n, source_packages AS sp
+ WHERE n.package_kind = ''source''
+ AND n.fixed_version NOT LIKE ''%:%''
+ AND n.fixed_version <> ''0''
+ AND n.bug_origin = ''''
+ AND sp.name = n.package
+ AND sp.version LIKE ''%:%''
+ ORDER BY bug_name, package"""):
+ if bug == old_bug:
+ bug = ''''
+ else:
+ old_bug = bug
+ old_pkg = ''''
+ bug = make_xref(bug)
+ if pkg == old_pkg:
+ pkg = ''''
+ else:
+ old_pkg = pkg
+ pkg = make_source_package_ref(pkg)
+ yield bug, pkg, ver1, ver2
+
+ print_table(gen(),
+ caption=("Bug", "Package", "Version
1", "Version 2"),
+ replacement="No source package version with missing
epochs.")
+
+ print_footer()
+
def print_unknown_packages():
db = security_db.DB(''../data/security.db'')
print_title("Unknown packages")
@@ -968,6 +1007,7 @@
commands = {''/data/releases'' : print_releases,
''/data/funny-versions'' :
print_funny_versions,
+ ''/data/missing-epochs'' :
print_missing_epochs,
''/data/unknown-packages'' :
print_unknown_packages,
''/status/release/testing'' :
print_testing_status,
''/status/release/unstable'' :
print_unstable_status,
Modified: data/CAN/list
==================================================================---
data/CAN/list 2005-09-29 19:52:19 UTC (rev 2239)
+++ data/CAN/list 2005-09-29 21:06:02 UTC (rev 2240)
@@ -1781,7 +1781,7 @@
- egroupware 1.0.0.009.dfsg-1 (bug #323350; high)
- phpwiki <unfixed> (unimportant)
NOTE: phpwiki has disabled the XMLRPC in the last upload, it orphaned as well,
should be fixed anyway
- - php4 4.3.10-16etch1 (bug #323366; high)
+ - php4 4:4.3.10-16etch1 (bug #323366; high)
TODO: check php5
CAN-2005-2497
RESERVED
@@ -4669,7 +4669,7 @@
- phpgroupware 0.9.16.006-1 (high)
- egroupware 1.0.0.007-3.dfsg-1 (high)
- phpwiki 1.3.7-4 (high)
- - php4 4.3.10-16etch1 (high; bug #316447)
+ - php4 4:4.3.10-16etch1 (high; bug #316447)
NOTE: horde3 is not affected by this issue, they ship different XMLRPC code
CAN-2005-1920 (The (1) Kate and (2) Kwrite applications in KDE KDE 3.2.x
through ...)
{DSA-804-1}
@@ -5064,7 +5064,7 @@
{DSA-789-1 DTSA-15-1}
- shtool 2.0.1-2 (low)
- mysql-ocaml 1.0.3-6 (low)
- - php4 4.3.10-16etch1 (low)
+ - php4 4:4.3.10-16etch1 (low)
NOTE: the patch applied to NMU #311206 fixes both CAN-2005-1759 and
CAN-2005-1751
CAN-2004-2136 (dm-crypt on Linux kernel 2.6.x, when used on certain file
systems ...)
NOTE: This looks like a minor issue, the paper is from Feb 2004, check whether
this still applies
@@ -6605,7 +6605,7 @@
NOTE: no bug ever filed for this one
- pysvn 1.1.2-3
CAN-2005-XXXX [mailutils: sql injection vulnerability in sql authentication
module]
- - mailutils 0.6.1-2
+ - mailutils 1:0.6.1-2
CAN-2005-XXXX [maradns: More frequent rekeying to mitigate possible AES
attacks]
- maradns 1.0.27-1
CAN-2005-2352 [Temp file races in gs-gpl addons scripts]
@@ -6688,7 +6688,7 @@
CAN-2005-XXXX [Buffer overflow in elog''s header buffer]
- elog 2.5.7+r1558-3
CAN-2005-XXXX [Unspeficied security issue in ipsec-tool''s single DES
support]
- - ipsec-tools 0.5.2-1
+ - ipsec-tools 1:0.5.2-1
CAN-2005-1452 (Serendipity before 0.8 allows Chief users to "hide
plugins installed ...)
NOT-FOR-US: Serendipity
CAN-2005-1451 (The media manager in Serendipity before 0.8 allows remote
attackers to ...)
@@ -6878,7 +6878,7 @@
NOTE: Incorrect open() call was introduced after 4.0.3 (the version in Sarge,
fixed in 4.0.8)
CAN-2005-XXXX [Insecure tempfile generation in shadow''s vipw]
NOTE: Fixed in 4.0.3-33 for sid, Sarge would need an update through t-p-u
- - shadow 4.0.3-33
+ - shadow 1:4.0.3-33
CAN-2005-1364 (Multiple SQL injection vulnerabilities in MetaBid Auctions allow
...)
NOT-FOR-US: MetaBid Auctions
CAN-2005-1363 (Multiple SQL injection vulnerabilities in MetaCart 2.0 for
PayFlow ...)
@@ -7306,7 +7306,7 @@
CAN-2001-1460 (SQL injection vulnerability in article.php in PostNuke 0.62
through ...)
NOT-FOR-US: PostNuke
CAN-2001-1459 (OpenSSH 2.9 and earlier does not initiate a Pluggable
Authentication ...)
- - openssh 3.0.1p1-1
+ - openssh 1:3.0.1p1-1
CAN-2001-1458 (Directory traversal vulnerability in Novell GroupWise 5.5 and
6.0 ...)
NOT-FOR-US: Novell Groupwise
CAN-2001-1457 (Buffer overflow in CrazyWWWBoard 2000p4 and 2000LEp5 allows
remote ...)
@@ -7363,11 +7363,11 @@
CAN-2000-1222 (AIX sysback before 4.2.1.13 uses a relative path to find and
execute ...)
NOT-FOR-US: AIX
CAN-2000-1221 (The line printer daemon (lpd) in the lpr package in multiple
Linux ...)
- - lpr 0.48-1
+ - lpr 1:0.48-1
CAN-2000-1220 (The line printer daemon (lpd) in the lpr package in multiple
Linux ...)
- - lpr 0.48-1
+ - lpr 1:0.48-1
CAN-2000-1219 (The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier
does not ...)
- - gcc-3.3 3.3.4-1
+ - gcc-3.3 1:3.3.4-1
CAN-2000-1218 (The default configuration for the domain name resolver for
Microsoft ...)
NOT-FOR-US: Windows
CAN-2000-1217 (Microsoft Windows 2000 before Service Pack 2 (SP2), when running
in a ...)
@@ -7727,15 +7727,15 @@
NOT-FOR-US: PunBB
CAN-2005-1046 (Buffer overflow in the kimgio library for KDE 3.4.0 allows
remote ...)
{DSA-714-1}
- - kdelibs 3.3.2-6
+ - kdelibs 4:3.3.2-6
CAN-2005-1045 (OpenText FirstClass 8.0 client does not properly sanitize
strings ...)
NOT-FOR-US: OpenText
CAN-2005-1044
REJECTED
CAN-2005-1043 (exif.c in PHP before 4.3.11 allows remote attackers to cause a
denial ...)
- - php4 4.3.10-10
+ - php4 4:4.3.10-10
CAN-2005-1042 (Integer overflow in the exif_process_IFD_TAG function in exif.c
in PHP ...)
- - php4 4.3.10-10
+ - php4 4:4.3.10-10
CAN-2005-1041 (The fib_seq_start function in fib_hash.c in Linux kernel allows
local ...)
- kernel-source-2.6.11 2.6.11-1
- kernel-source-2.6.8 2.6.8-16
@@ -7857,7 +7857,7 @@
CAN-2005-0991 (RC.BOOT in IBM AIX 5.1, 5.2, and 5.3 does not "use a
secure location ...)
NOT-FOR-US: AIX
CAN-2005-0990 (unshar (unshar.c) in sharutils 4.2.1 allows local users to
overwrite ...)
- - sharutils 4.2.1-13
+ - sharutils 1:4.2.1-13
CAN-2005-0989 (The find_replen function in jsstr.c in the the Javascript engine
for ...)
{DSA-781-1}
- mozilla 2:1.7.7-1
@@ -8196,7 +8196,7 @@
NOTE: According to Horms from the Debian kernel team 2.6.8 and 2.6.11 are not
NOTE: affected, 2.4 doesn''t include sysfs anyway, see 306137
CAN-2005-0866 (cdrecord before 4:2.0, when DEBUG is enabled, allows local users
to ...)
- - cdrtools 2.01+01a01-4
+ - cdrtools 4:2.01+01a01-4
CAN-2004-1771 (Scalable OGo (SOGo) 1.0 allows remote authenticated users to
bypass ...)
NOT-FOR-US: Scalable OGo (SOGo)
CAN-2002-1628 (Directory traversal vulnerability in vote.cgi for Mike Spice
Mike''s ...)
@@ -8513,10 +8513,10 @@
CAN-2005-0755 (Heap-based buffer overflow in RealPlayer 10 and earlier, Helix
Player ...)
- helix-player 1.0.4-1
CAN-2005-0754 (Kommander in KDE 3.2 through KDE 3.4.0 executes data files
without ...)
- - kdewebdev 3.3.2-6
+ - kdewebdev 4:3.3.2-6
CAN-2005-0753 (Buffer overflow in CVS before 1.11.20 allows remote attackers to
...)
{DSA-742-1}
- - cvs 1.12.9-13
+ - cvs 1:1.12.9-13
CAN-2005-0752 (The Plugin Finder Service (PFS) in Firefox before 1.0.3 allows
remote ...)
- mozilla-firefox 1.0.3-1
CAN-2005-0751
@@ -9041,7 +9041,7 @@
NOT-FOR-US: Cisco
CAN-2005-0596 (PHP 4 (PHP4) allows attackers to cause a denial of service
(daemon ...)
NOTE: Fixed in CVS after 4.3.4 release; see
http://bugs.php.net/bug.php?id=27037
- - php4 4.3.8-1
+ - php4 4:4.3.8-1
CAN-2005-0595 (Buffer overflow in ext.dll in BadBlue 2.55 allows remote
attackers ...)
NOT-FOR-US: BadBlue
CAN-2005-0594 (Buffer overflow in the Netinfo Setup Tool (NeST) allows local
users to ...)
@@ -9306,7 +9306,7 @@
CAN-2005-0525 (The php_next_marker function in image.c for PHP 4.2.2, 4.3.9,
4.3.10 ...)
{DSA-729-1 DSA-708-1}
- php4 4:4.3.10-10
- - php3 3.0.18-31
+ - php3 3:3.0.18-31
CAN-2005-0524 (The php_handle_iff function in image.c for PHP 4.2.2, 4.3.9,
4.3.10 ...)
NOTE: php3 not affected
- php4 4:4.3.10-10
@@ -10050,7 +10050,7 @@
- imagemagick 6:6.0.6.2-2.2
CAN-2005-0396 (Desktop Communication Protocol (DCOP) daemon, aka dcopserver, in
KDE ...)
NOTE: fix in -4 was broken
- - kdelibs 3.3.2-6
+ - kdelibs 4:3.3.2-6
CAN-2005-0395
REJECTED
CAN-2005-0394
@@ -10191,7 +10191,7 @@
CAN-2004-1472 (Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R
running ...)
NOT-FOR-US: Symantec Enterprise Firewall/VPN Appliances
CAN-2004-1471 (Format string vulnerability in wrapper.c in CVS 1.12.x through
1.12.8, ...)
- - cvs 1.12.9
+ - cvs 1:1.12.9
CAN-2004-1470 (CRLF injection vulnerability in SnipSnap 0.5.2a, and other
versions ...)
NOT-FOR-US: snipsnap
CAN-2004-1469 (Format string vulnerability in the log function in SUS 2.0.2,
and ...)
@@ -10877,7 +10877,7 @@
CAN-2005-0163
RESERVED
CAN-2005-0162 (Stack-based buffer overflow in the get_internal_addresses
function in ...)
- - openswan 2.2.0-6
+ - openswan 2.3.0-2
NOTE: does not seem to affect freeswan
CAN-2005-0161 (Multiple directory traversal vulnerabilities in unace 1.2b allow
...)
- unace 1.2b-3
@@ -11121,7 +11121,7 @@
- xpdf 3.00-13
- gpdf 2.8.2-1.2
- pdftohtml 0.36-11
- - kdegraphics 3.3.2-2
+ - kdegraphics 4:3.3.2-2
- tetex-bin 2.0.2-26
NOTE: only affects source package, not used in binary
- cupsys <unfixed> (bug #324459; unimportant)
@@ -11258,10 +11258,10 @@
RESERVED
CAN-2004-1343 (CVS 1.12 and earlier on Debian GNU/Linux does not properly
handle when ...)
{DSA-715-1}
- - cvs 1.12.9-11
+ - cvs 1:1.12.9-11
CAN-2004-1342 (CVS 1.12 and earlier on Debian GNU/Linux, when using the repouid
...)
{DSA-715-1}
- - cvs 1.12.9-11
+ - cvs 1:1.12.9-11
CAN-2004-1341 (Cross-site scripting (XSS) vulnerability in info2www before
1.2.2.9 ...)
{DSA-711-1}
CAN-2004-1340 (Debian GNU/Linux 3.0 installs the libpam-radius-auth package
with the ...)
@@ -12235,9 +12235,9 @@
CAN-2004-0960 (FreeRADIUS before 1.0.1 allows remote attackers to cause a
denial of ...)
- freeradius 1.0.1
CAN-2004-0959 (rfc1867.c in PHP before 5.0.2 allows local users to upload files
to ...)
- - php4 4.3.9
+ - php4 4:4.3.9
CAN-2004-0958 (php_variables.c in PHP before 5.0.2 allows remote attackers to
read ...)
- - php4 4.3.9
+ - php4 4:4.3.9
CAN-2004-0957 (Unknown vulnerability in MySQL 3.23.58 and earlier, when a local
user ...)
{DSA-707-1}
- mysql-dfsg-4.1 4.1.10a-6
@@ -12407,7 +12407,7 @@
CAN-2004-0892 (Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which
is ...)
NOT-FOR-US: Microsoft
CAN-2004-0891 (Buffer overflow in the MSN protocol handler for gaim 0.79 to
1.0.1 ...)
- - gaim 1.0.2
+ - gaim 1:1.0.2
CAN-2004-0890
REJECTED
CAN-2004-0889 (Multiple integer overflows in xpdf 3.0, and other packages that
use ...)
@@ -12649,9 +12649,9 @@
NOTE: not vulnerable according to
http://www.debian.org/security/nonvulns-sarge
- apache2 2.0.51
CAN-2004-0785 (Multiple buffer overflows in Gaim before 0.82 allow remote
attackers ...)
- - gaim 0.82
+ - gaim 1:0.82
CAN-2004-0784 (The smiley theme functionality in Gaim before 0.82 allows remote
...)
- - gaim 0.82
+ - gaim 1:0.82
CAN-2004-0783 (Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in
the XPM ...)
{DSA-549-1}
CAN-2004-0782 (Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM
image ...)
@@ -12664,7 +12664,7 @@
- mozilla 2:1.7
- mozilla-firefox 0.9
CAN-2004-0778 (CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows
remote ...)
- - cvs 1.12.9
+ - cvs 1:1.12.9
CAN-2004-0777 (Format string vulnerability in the auth_debug function in
Courier-IMAP ...)
NOTE: not vulnerable according to
http://www.debian.org/security/nonvulns-sarge
- courier-imap 2.2.2
@@ -13090,7 +13090,7 @@
CAN-2004-0585
REJECTED
CAN-2004-0584 (Unknown vulnerability in Horde IMP 3.2.3 and earlier, before a
...)
- - imp 3.2.4
+ - imp3 3.2.4
CAN-2004-0583 (The account lockout functionality in (1) Webmin 1.140 and (2)
Usermin ...)
{DSA-526}
- usermin 1.090-1
@@ -15907,7 +15907,7 @@
CAN-2003-0212 (handleAccept in rinetd before 0.62 does not properly resize the
...)
{DSA-289}
CAN-2003-0211 (Memory leak in xinetd 2.3.10 allows remote attackers to cause a
denial ...)
- - xinetd 2.3.11
+ - xinetd 1:2.3.11
CAN-2003-0210 (Buffer overflow in the administration service (CSAdmin) for
Cisco ...)
NOT-FOR-US: cisco
CAN-2003-0209 (Integer overflow in the TCP stream reassembly module (stream4)
for ...)
@@ -16452,7 +16452,7 @@
- postgresql 7.2.2-2
CAN-2002-1395 (Internet Message (IM) 141-18 and earlier uses predictable file
and ...)
{DSA-202}
- - im 141-20
+ - im 1:141-20
CAN-2002-1393 (Multiple vulnerabilities in KDE 2 and KDE 3.x through 3.0.5 do
not ...)
{DSA-243 DSA-242 DSA-241 DSA-240 DSA-239 DSA-238 DSA-237 DSA-236 DSA-235
DSA-234}
NOTE: KDE2 not in sarge
@@ -16562,7 +16562,7 @@
NOT-FOR-US: Macromedia
CAN-2002-1306 (Multiple buffer overflows in LISa on KDE 2.x for 2.1 and later,
and ...)
{DSA-214}
- - kdenetwork 2.2.2-14.20
+ - kdenetwork 4:2.2.2-14.20
CAN-2002-1305
RESERVED
CAN-2002-1304
Modified: data/CVE/list
==================================================================---
data/CVE/list 2005-09-29 19:52:19 UTC (rev 2239)
+++ data/CVE/list 2005-09-29 21:06:02 UTC (rev 2240)
@@ -74,7 +74,7 @@
CVE-2004-0131
NOTE: not-for-us (gnu radiusd, not in debian)
CVE-2004-0129
- - phpmyadmin 2.6.0-pl2
+ - phpmyadmin 2:2.6.0-pl2
CVE-2004-0128
NOTE: not-for-us (phpgedview, not in debian)
CVE-2004-0126
@@ -180,7 +180,7 @@
NOTE: I have mailed Tollef Fog Heen <tfheen@debian.org> about this.
NOTE: Tollef Fog Heen reply to me that 2.1 versions are not vulnerable
CVE-2003-0988
- - kdepim 3.1.5-1
+ - kdepim 4:3.1.5-1
CVE-2003-0985
{DSA-475 DSA-470 DSA-450 DSA-442 DSA-440 DSA-439 DSA-427 DSA-423 DSA-417
DSA-413}
NOTE: fixed in 2.4.24-rc1
@@ -219,7 +219,7 @@
{DSA-255}
- tcpdump 3.7.1-1.2
CVE-2003-0107
- - zlib 1.1.4-10
+ - zlib 1:1.1.4-10
CVE-2003-0104
NOTE: not-for-us (peopletools)
CVE-2003-0103
@@ -230,7 +230,7 @@
CVE-2003-0100
NOTE: not-for-us (cisco)
CVE-2003-0097
- - php4 4.3.2+rc3-1
+ - php4 4:4.3.2+rc3-1
CVE-2003-0095
NOTE: not-for-us (oracle)
CVE-2003-0094
@@ -261,7 +261,7 @@
{DSA-380}
- xfree86 4.2.1-11
CVE-2003-0070
- - vte 0.11.10-1
+ - vte 1:0.11.10-1
CVE-2003-0069
- putty 0.54-1
CVE-2003-0068
@@ -273,7 +273,7 @@
NOTE: never vulnerable to the problem described.
NOTE: this CVE is bogus.
CVE-2003-0066
- - rxvt 2.6.4-6.1
+ - RXVT 1:2.6.4-6.1
NOTE: woody version are still vulnerable (bug #244810).
CVE-2003-0065
NOTE: not-for-us (uxterm not in Debian)
@@ -325,9 +325,9 @@
NOTE: never vulnerable to the problem described.
NOTE: this CVE is bogus.
CVE-2003-0023
- - rxvt 2.6.4-6.1
+ - rxvt 1:2.6.4-6.1
CVE-2003-0022
- - rxvt 2.6.4-6.1
+ - rxvt 1:2.6.4-6.1
CVE-2003-0021
- eterm 0.9.2-1
NOTE: According to upstream changelog and
http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
@@ -515,7 +515,7 @@
- lynx-ssl 1:2.8.4.1b-3.1
CVE-2002-1403
{DSA-219}
- - dhcpcd 1.3.22pl2-2
+ - dhcpcd 1:1.3.22pl2-2
NOTE: Debian sarge uses dhcp >= 2.0
CVE-2002-1396
- php4 4:4.3.2+rc3-1
@@ -728,13 +728,13 @@
NOTE: not-for-us (CISCO)
CVE-2002-1221
{DSA-196}
- - bind 8.3.3-3
+ - bind 1:8.3.3-3
CVE-2002-1220
{DSA-196}
- - bind 8.3.3-3
+ - bind 1:8.3.3-3
CVE-2002-1219
{DSA-196}
- - bind 8.3.3-3
+ - bind 1:8.3.3-3
CVE-2002-1214
NOTE: not-for-us (Microsoft)
CVE-2002-1211
@@ -755,8 +755,8 @@
- bugzilla 2.16.0-2.1
CVE-2002-1195
{DSA-169}
- - php3 3.0.18-23.2
- - php4 4.2.3-3
+ - php3 3:3.0.18-23.2
+ - php4 4:4.2.3-3
CVE-2002-1193
{DSA-172}
NOTE: tkmail not in testing/unstable
@@ -1034,7 +1034,7 @@
CVE-2002-0853
NOTE: not-for-us (Cisco)
CVE-2002-0851
- - isdnutils 3.2
+ - isdnutils 1:3.2
CVE-2002-0850
NOTE: not-for-us (PGP corporate desktop)
CVE-2002-0848
Modified: data/DSA/list
==================================================================---
data/DSA/list 2005-09-29 19:52:19 UTC (rev 2239)
+++ data/DSA/list 2005-09-29 21:06:02 UTC (rev 2240)
@@ -157,7 +157,7 @@
NOTE: fixed in testing at time of DSA
[29 Aug 2005] DSA-789-1 php4 - several
{CAN-2005-1751 CAN-2005-1921 CAN-2005-2498}
- - php4 4.3.10-16etch1 (high)
+ - php4 4:4.3.10-16etch1 (high)
NOTE: not fixed in testing at time of DSA (not uploaded yet)
[29 Aug 2005] DSA-788-1 kismet - several
{CAN-2005-2626 CAN-2005-2627}
@@ -247,7 +247,7 @@
NOTE: not fixed in testing at time of DSA (Debian server outage)
[27 Jul 2005] DSA-767-1 ekg - integer overflows
{CAN-2005-1852}
- - ekg 1.5+20050718+1.6rc3-1 (medium)
+ - ekg 1:1.5+20050718+1.6rc3-1 (medium)
NOTE: not fixed in testing at time of DSA (Debian server outage)
[26 Jul 2005] DSA-766-1 webcalendar - authorisation failure
{CAN-2005-2320}
@@ -276,7 +276,7 @@
NOTE: not fixed in testing at time of DSA (only 0/2 days old)
[18 Jul 2005] DSA-760-1 ekg - several
{CAN-2005-1850 CAN-2005-1851 CAN-2005-1916}
- - ekg 1.5+20050712+1.6rc2-1 (low)
+ - ekg 1:1.5+20050712+1.6rc2-1 (low)
NOTE: not fixed in testing at time of DSA (waiting on dependencies, not built
on five archs)
[18 Jul 2005] DSA-759-1 phppgadmin - missing input sanitising
{CAN-2005-2256}
@@ -324,11 +324,11 @@
NOTE: not fixed in testing at time of DSA (waiting on dependencies)
[11 Jul 2005] DSA-750-1 dhcpcd - out-of-bound memory access
{CAN-2005-1848}
- - dhcpcd 1.3.22pl4-22
+ - dhcpcd 1:1.3.22pl4-22
NOTE: fixed in testing at time of DSA
[10 Jul 2005] DSA-749-1 ettercap - format string error
{CAN-2005-1796}
- - ettercap 0.7.3-1 (medium)
+ - ettercap 1:0.7.3-1 (medium)
NOTE: fixed in testing at time of DSA
[10 Jul 2005] DSA-747-1 egroupware - input validation error
{CAN-2005-1921}
@@ -377,7 +377,7 @@
NOTE: not fixed in testing at time of DSA (uploaded with low urgency only, one
fix missing for sid)
[05 Jul 2005] DSA-734-1 gaim - denial of service
{CAN-2005-1269 CAN-2005-1934}
- - gaim 1.3.1-1
+ - gaim 1:1.3.1-1
NOTE: not fixed in testing at time of DSA (not built on sparc)
[01 Jul 2005] DSA-736-2 spamassassin - mail header parsing error
{CAN-2005-1266}
@@ -401,7 +401,7 @@
NOTE: not fixed in testing at time of DSA (reserved)
[03 Jun 2005] DSA-732-1 mailutils - several
{CAN-2005-1520 CAN-2005-1521 CAN-2005-1522 CAN-2005-1523}
- - mailutils 0.6.1-4
+ - mailutils 1:0.6.1-4
NOTE: fixed in testing at time of DSA
[02 Jun 2005] DSA-731-1 krb4 - buffer overflows
{CAN-2005-0468 CAN-2005-0469}
@@ -413,7 +413,7 @@
NOTE: fixed in testing at time of DSA
[26 May 2005] DSA-729-1 php4 - missing input sanitising
{CAN-2005-0525}
- - php4 4.3.10-10
+ - php4 4:4.3.10-10
NOTE: fixed in testing at time of DSA
[25 May 2005] DSA-728-1 qpopper - missing privilege release
{CAN-2005-1151 CAN-2005-1152}
@@ -464,11 +464,11 @@
NOTE: fixed in testing at time of DSA
[27 Apr 2005] DSA-716-1 gaim - denial of service
{CAN-2005-0472}
- - gaim 1.1.3-1
+ - gaim 1:1.1.3-1
NOTE: fixed in testing at time of DSA
[27 Apr 2005] DSA-715-1 cvs - several
{CAN-2004-1342 CAN-2004-1343}
- - cvs 1.12.9-12
+ - cvs 1:1.12.9-12
NOTE: not fixed in testing at time of DSA
[26 Apr 2005] DSA-714-1 kdelibs - several
{CAN-2005-1046}
@@ -496,7 +496,7 @@
- libexif 0.6.9-5
[15 Apr 2005] DSA-708-1 php3 - missing input sanitising
{CAN-2005-0525}
- - php3 3.0.18-31
+ - php3 3:3.0.18-31
[13 Apr 2005] DSA-707-1 mysql - several
{CAN-2004-0957 CAN-2005-0709 CAN-2005-0710 CAN-2005-0711}
- mysql-dfsg 4.0.24-5
@@ -518,7 +518,7 @@
- krb5 1.3.6-1
[01 Apr 2005] DSA-702-1 imagemagick - several
{CAN-2005-0397 CAN-2005-0759 CAN-2005-0760 CAN-2005-0762}
- - imagemagick 6.0.6.2-2.2
+ - imagemagick 6:6.0.6.2-2.2
[31 Mar 2005] DSA-701-1 samba - integer overflows
{CAN-2004-1154}
- samba 3.0.10-1
@@ -570,7 +570,7 @@
NOTE: not fixed in testing at time of DSA
[23 Feb 2005] DSA-689-1 libapache-mod-python - missing input sanitising
{CAN-2005-0088}
- - libapache-mod-python 2.7.10-4
+ - libapache-mod-python 2:2.7.10-4
NOTE: fixed in testing at time of DSA
- libapache2-mod-python 3.1.3-3
NOTE: fixed in testing at time of DSA
@@ -609,7 +609,7 @@
NOTE: does not apply for sarge, program is not setuid anymore
[14 Feb 2005] DSA-680-1 htdig - unsanitised input
{CAN-2005-0085}
- - htdig 3.1.6-11
+ - htdig 1:3.1.6-11
NOTE: fixed in testing at time of DSA
[14 Feb 2005] DSA-679-1 toolchain-source - insecure temporary files
{CAN-2005-0159}
@@ -657,7 +657,7 @@
NOTE: also affects emacs21 in unstable, fixed
[04 Feb 2005] DSA-669-1 php3 - several
{CAN-2004-0594 CAN-2004-0595}
- - php3 3.0.18-27
+ - php3 3:3.0.18-27
NOTE: fixed in testing at time of DSA
[04 Feb 2005] DSA-668-1 postgresql - privilege escalation
{CAN-2005-0227}
@@ -683,12 +683,12 @@
NOTE: not fixed in testing at time of DSA
[02 Feb 2005] DSA-663-1 prozilla - buffer overflows
{CAN-2004-1120}
- - prozilla 1.3.7.3-1
+ - prozilla 1:1.3.7.3-1
NOTE: fixed in testing at time of DSA
[01 Feb 2005] DSA-662-1 squirrelmail - several
{CAN-2005-0104 CAN-2005-0152}
NOTE: CAN-2005-0152 only exists in 1.2.6 version
- - squirrelmail 1.4.4
+ - squirrelmail 2:1.4.4
NOTE: fixed in testing at time of DSA
[20 Apr 2005] DSA-661-2 f2c - insecure temporary files
{CAN-2005-0017 CAN-2005-0018}
@@ -752,7 +752,7 @@
NOTE: not fixed in testing at time of DSA
[19 Jan 2005] DSA-646-1 imagemagick - buffer overflow
{CAN-2005-0005}
- - imagemagick 6.0.6.2-2
+ - imagemagick 6:6.0.6.2-2
NOTE: not fixed in testing at time of DSA
[19 Jan 2005] DSA-645-1 cupsys - buffer overflow
{CAN-2005-0064}
@@ -803,7 +803,7 @@
NOTE: not fixed in testing at time of DSA
[11 Jan 2005] DSA-634-1 hylafax - weak hostname and username validation
{CAN-2004-1182}
- - hylafax 4.2.1-1
+ - hylafax 1:4.2.1-1
NOTE: fixed in testing at time of DSA
[11 Jan 2005] DSA-633-1 bmv - insecure temporary file
{CAN-2003-0014}
@@ -881,7 +881,7 @@
- ethereal 0.10.8-1
[20 Dec 2004] DSA-612-1 a2ps - unsanitised input
{CAN-2004-1170}
- - a2ps 4.13b-4.2
+ - a2ps 1:4.13b-4.2
[20 Dec 2004] DSA-611-1 htget - buffer overflow
{CAN-2004-0852}
NOTE: htget not in sarge or unstable
@@ -976,7 +976,7 @@
{CAN-2004-0972}
[02 Nov 2004] DSA-582-1 libxml - buffer overflow
{CAN-2004-0989}
- - libxml 1.8.17-9
+ - libxml 1:1.8.17-9
- libxml2 2.6.11-5
[01 Nov 2004] DSA-581-1 xpdf - integer overflows
{CAN-2004-0888}
@@ -1054,7 +1054,7 @@
NOTE: not affected according to DSA
[07 Oct 2004] DSA-560-1 lesstif1-1 - integer and stack overflows
{CAN-2004-0687 CAN-2004-0688}
- - lesstif1-1 0.93.94-10
+ - lesstif1-1 1:0.93.94-10
[06 Oct 2004] DSA-559-1 net-acct - insecure temporary file
{CAN-2004-0851}
- net-acct 0.71-7
@@ -1095,7 +1095,7 @@
- imlib+png2 1.9.14-16.2
[16 Sep 2004] DSA-547-1 imagemagick - buffer overflows
{CAN-2004-0827}
- - imagemagick 6.0.6.2-1
+ - imagemagick 6:6.0.6.2-1
[16 Sep 2004] DSA-546-1 gdk-pixbuf - multiple holes
{CAN-2004-0753 CAN-2004-0782 CAN-2004-0788}
- gdk-pixbuf 0.22.0-7
@@ -1114,10 +1114,10 @@
NOTE: not affected according to DSA
[30 Aug 2004] DSA-542-1 qt - unsanitised input
{CAN-2004-0691 CAN-2004-0692 CAN-2004-0693}
- - qt-x11-free 3.3.3-4
+ - qt-x11-free 3:3.3.3-4
[25 Aug 2004] DSA-541 icecast-server - cross site scripting
{CAN-2004-0781}
- - icecast-server 1.3.12-8
+ - icecast-server 1:1.3.12-8
[18 Aug 2004] DSA-540 mysql-dfsg - insecure file creation
{CAN-2004-0457}
- mysql-dfsg 4.0.20-11
@@ -1188,10 +1188,10 @@
- cvs 1:1.12.9-1
[14 Jun 2004] DSA-518 kdelibs - unsanitised input
{CAN-2004-0411}
- - kdelibs 3.2.3
+ - kdelibs 4:3.2.3
[10 Jun 2004] DSA-517 cvs - buffer overflow
{CAN-2004-0414}
- - cvs 1.12.9-1
+ - cvs 1:1.12.9-1
[07 Jun 2004] DSA-516 postgresql - buffer overflow
{CAN-2004-0547}
- postgresql 07.03.0200-3.
@@ -1230,7 +1230,7 @@
- neon 0.24.6.dfsg-1
[19 May 2004] DSA-505 cvs - heap overflow
{CAN-2004-0396}
- - cvs 1.12.5-6
+ - cvs 1:1.12.5-6
[18 May 2004] DSA-504 heimdal - missing input sanitising
{CAN-2004-0434}
- heimdal 0.6.2-1
@@ -1388,7 +1388,7 @@
NOTE: 2.2.19 not present. Did not check newer kernels.
[03 Mar 2004] DSA-455 libxml - buffer overflows
{CAN-2004-0110}
- - libxml 1.8.17-5
+ - libxml 1:1.8.17-5
- libxml2 2.6.6-1
[02 Mar 2004] DSA-454 linux-kernel-2.2.22-alpha - failing function and TLB
flush
{CAN-2004-0077}
@@ -1466,7 +1466,7 @@
NOTE: 2.4.17 not present. Did not check newer kernels.
[03 Feb 2004] DSA-432 crawl - buffer overflow
{CAN-2004-0103}
- - crawl 4.0.0beta26-4
+ - crawl 1:4.0.0beta26-4
[01 Feb 2004] DSA-431 perl - information leak
{CAN-2003-0618}
- perl 5.8.3-3
@@ -1498,7 +1498,7 @@
{CAN-2003-0001 CAN-2003-0018 CAN-2003-0127 CAN-2003-0461 CAN-2003-0462
CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
CAN-2003-0961 CAN-2003-0985}
NOTE: 2.4.17 not present. Did not check newer kernels.
[13 Jan 2004] DSA-422 cvs - remote vulnerability
- - cvs 1.11.11
+ - cvs 1:1.11.11
[12 Jan 2004] DSA-421 mod-auth-shadow - password expiration
{CAN-2004-0041}
- mod-auth-shadow 1.4-1
@@ -1563,7 +1563,7 @@
- hylafax 1:4.1.8-1
[11 Nov 2003] DSA-400 omega-rpg - buffer overflow
{CAN-2003-0932}
- - omega-rpg 0.90-pa9-11
+ - omega-rpg 1:0.90-pa9-11
[10 Nov 2003] DSA-399 epic4 - buffer overflow
{CAN-2003-0328}
- epic4 1:1.1.11.20030409-2
@@ -2157,7 +2157,7 @@
[31 Dec 2002] DSA-219 dhcpcd - remote command execution
{CAN-2002-1403}
- - dhcpcd 1.3.22pl2-2
+ - dhcpcd 1:1.3.22pl2-2
[30 Dec 2002] DSA-218 bugzilla - cross site scripting
NOTE: not in testing, fixed in unstable (bugzilla 2.16.2-1).
[27 Dec 2002] DSA-217 typespeed - buffer overflow
@@ -2171,7 +2171,7 @@
- cyrus-imapd 1.5.19-9.10
[20 Dec 2002] DSA-214 kdnetwork - buffer overflows
{CAN-2002-1306}
- - kdenetwork 2.2.2-14.20
+ - kdenetwork 4:2.2.2-14.20
NOTE: there is a typo in the DSA, the name of the package is kdenetwork.
[19 Dec 2002] DSA-213 libpng - buffer overflow
{CAN-2002-1363}
@@ -2210,7 +2210,7 @@
- smb2www 980804-17
[03 Dec 2002] DSA-202 im - insecure temporary files
{CAN-2002-1395}
- - im 141-20
+ - im 1:141-20
[02 Dec 2002] DSA-201 freeswan - denial of service
{CAN-2002-0666 VU#459371}
- freeswan 1.99-1
@@ -2228,7 +2228,7 @@
- courier 0.40.0-1
[14 Nov 2002] DSA-196 bind - several vulnerabilities
{CAN-2002-0029 CAN-2002-1219 CAN-2002-1220 CAN-2002-1221}
- - bind 8.3.3-3
+ - bind 1:8.3.3-3
[13 Nov 2002] DSA-195 apache-perl - several vulnerabilities
{CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 CAN-2002-1233}
- apache-perl 1.3.26-1.1-1.27-3-1
@@ -2237,13 +2237,13 @@
- masqmail 0.2.15-1
[11 Nov 2002] DSA-193 kdenetwork - buffer overflow
{CAN-2002-1247}
- - kdenetwork 2.2.2-14.3
+ - kdenetwork 4:2.2.2-14.3
[08 Nov 2002] DSA-192 html2ps - arbitrary code execution
{CAN-2002-1275}
- html2ps 1.0b3-2
[07 Nov 2002] DSA-191 squirrelmail - cross site scripting
{CAN-2002-1131 CAN-2002-1132 CAN-2002-1276}
- - squirrelmail 1.2.8-1.1
+ - squirrelmail 1:1.2.8-1.1
[07 Nov 2002] DSA-190 wmaker - buffer overflow
{CAN-2002-1277}
- wmaker 0.80.1-4
@@ -2279,7 +2279,7 @@
- krb5 1.2.6-2
[28 Oct 2002] DSA-182 kdegraphics - buffer overflow
{CAN-2002-0838}
- - kdegraphics 2.2.2-6.9
+ - kdegraphics 4:2.2.2-6.9
[22 Oct 2002] DSA-181 libapache-mod-ssl - cross site scripting
{CAN-2002-1157}
- libapache-mod-ssl 2.8.9-2.3
@@ -2297,7 +2297,7 @@
- pam 0.76-6
[16 Oct 2002] DSA-176 gv - buffer overflow
{CAN-2002-0838}
- - gv 3.5.8-27
+ - gv 1:3.5.8-27
[15 Oct 2002] DSA-175 syslog-ng - buffer overflow
{CAN-2002-1200}
- syslog-ng 1.5.21-1
@@ -2320,16 +2320,16 @@
NOTE: only 4.0.4-4 in testing (which seems to be vulnerable)
[25 Sep 2002] DSA-169 htcheck - cross site scripting
{CAN-2002-1195}
- - htcheck 1.1-1.2
+ - htcheck 1:1.1-1.2
[18 Sep 2002] DSA-168 php - bypassing safe_mode, CRLF injection
{CAN-2002-0985 CAN-2002-0986}
- - php3 3.0.18-23.2
- - php4 4.2.3-3
+ - php3 3:3.0.18-23.2
+ - php4 4:4.2.3-3
NOTE: php3 is not in testing, it seems to be wait for tiff and gcc transition
NOTE: and is out of date on alpha and arm
[16 Sep 2002] DSA-167 kdelibs - cross site scripting
{CAN-2002-1151}
- - kdelibs 2.2.2-14
+ - kdelibs 4:2.2.2-14
NOTE: there is a typo in the DSA that mentionned Konquerer instead of kdelibs
[13 Sep 2002] DSA-166 purity - buffer overflows
{CAN-2002-1124}
@@ -2360,13 +2360,13 @@
NOTE: python2.3 is not vulnerable
[27 Aug 2002] DSA-158 gaim - arbitrary program execution
{CVE-2002-0989}
- - gaim 0.59.1-2
+ - gaim 1:0.59.1-2
[23 Aug 2002] DSA-157 irssi-text - denial of service
{CAN-2002-0983}
- irssi-text 0.8.5-2
[22 Aug 2002] DSA-156 epic4-script-light - arbitrary script execution
{CVE-2002-0984}
- - epic4-script-light 2.7.30p5-2
+ - epic4-script-light 1:2.7.30p5-2
[17 Aug 2002] DSA-155 kdelibs - privacy escalation with Konqueror
{CAN-2002-0970}
- kdelibs 4:2.2.2-14
@@ -2381,7 +2381,7 @@
NOTE: not in testing (was fixed in unstable 0.68-1)
[13 Aug 2002] DSA-151 xinetd - pipe exposure
{CVE-2002-0871}
- - xinetd 2.3.7-1
+ - xinetd 1:2.3.7-1
[13 Aug 2002] DSA-150 interchange - illegal file exposition
{CAN-2002-0874}
- interchange 4.8.6-1