Joey Hess
2005-Oct-19 23:18 UTC
[Secure-testing-commits] r2464 - / data data/CVE data/DSA tsck
Author: joeyh
Date: 2005-10-19 23:17:58 +0000 (Wed, 19 Oct 2005)
New Revision: 2464
Modified:
TODO
data/CVE/list
data/DSA/list
data/README
data/resources
tsck/tsck.py
Log:
misc other CAN references, should be complete now except for the python
code
Modified: TODO
==================================================================--- TODO
2005-10-19 23:12:59 UTC (rev 2463)
+++ TODO 2005-10-19 23:17:58 UTC (rev 2464)
@@ -39,7 +39,7 @@
* Create a repo of security patches
-* Add user tags to security bugs to add a CAN number and a "tracked"
for each analyzed
+* Add user tags to security bugs to add a CVE number and a "tracked"
for each analyzed
security bug.
* Retroactive updating of the list for not-affected and others
Modified: data/CVE/list
==================================================================---
data/CVE/list 2005-10-19 23:12:59 UTC (rev 2463)
+++ data/CVE/list 2005-10-19 23:17:58 UTC (rev 2464)
@@ -5345,7 +5345,7 @@
- websieve <unfixed> (bug #311838; low)
NOTE: second half of bug suggets lack of escaping of user data
NOTE: could be used to compromise program somehow
- NOTE: that is not covered by the CAN though due to vagueness
+ NOTE: that is not covered by the CVE though due to vagueness
CVE-2005-1840 (Directory traversal vulnerability in class.layout_phpcms.php in
phpCMS ...)
NOT-FOR-US: phpCMS
CVE-2005-1839 (Multiple SQL injection vulnerabilities in Doug Luxem Liberum
Help Desk ...)
@@ -10151,8 +10151,8 @@
CVE-2004-1575 (The XML parser in Xerces-C++ 2.5.0 allows remote attackers to
cause a ...)
- xerces25 2.5.0-4
- xerces24 2.4.0-4
- NOTE: maintainer believe that this CAN doesn''t apply to xerces23 (see
bug #296432)
- NOTE: maintainer believe that this CAN doesn''t apply to xerces21 (see
bug #296466)
+ NOTE: maintainer believe that this CVE doesn''t apply to xerces23 (see
bug #296432)
+ NOTE: maintainer believe that this CVE doesn''t apply to xerces21 (see
bug #296466)
CVE-2004-1574 (Buffer overflow in Vypress Messenger 3.5.1 and earlier allows
remote ...)
NOT-FOR-US: Vypress
CVE-2004-1573 (The documentation for AJ-Fork 167 implies that users should set
...)
@@ -12689,7 +12689,7 @@
RESERVED
CVE-2004-0994 (Multiple integer overflows in xzgv 0.8 and earlier allow remote
...)
{DSA-614-1}
- NOTE: only indication that it''s this CAN is in the debian package
changelog
+ NOTE: only indication that it''s this CVE is in the debian package
changelog
- xzgv 0.8-3
CVE-2004-0993 (Buffer overflow in hpsockd before 0.6 allows remote attackers to
cause ...)
{DSA-604-1}
@@ -12741,7 +12741,7 @@
CVE-2004-0975 (The der_chop script in the openssl package in Trustix Secure
Linux 1.5 ...)
{DSA-603-1}
- openssl 0.9.7e-3
- NOTE: also includes other security fixes than this CAN
+ NOTE: also includes other security fixes than this CVE
CVE-2004-0974 (The netatalk package in Trustix Secure Linux 1.5 through 2.1,
and ...)
NOTE: local; low
- netatalk 1.6.4a-1
@@ -14022,7 +14022,7 @@
{DSA-518}
CVE-2004-0410
RESERVED
- NOTE: An empty CAN, never published.
+ NOTE: An empty CVE, never published.
CVE-2004-0409 (Stack-based buffer overflow in the Socks-5 proxy code for XChat
1.8.0 ...)
{DSA-493}
- xchat 2.0.8-1
Modified: data/DSA/list
==================================================================---
data/DSA/list 2005-10-19 23:12:59 UTC (rev 2463)
+++ data/DSA/list 2005-10-19 23:17:58 UTC (rev 2464)
@@ -919,7 +919,7 @@
[19 Jan 2005] DSA-645-1 cupsys - buffer overflow
{CVE-2005-0064}
NOTE: cupsys not affected in sarge, though other programs are vulnerable
- NOTE: see CAN/list
+ NOTE: see CVE/list
NOTE: not fixed in testing at time of DSA
[18 Jan 2005] DSA-644-1 chbg - buffer overflow
{CVE-2004-1264}
@@ -1075,11 +1075,11 @@
- openssl 0.9.7e-3
[29 Nov 2004] DSA-602-1 libgd2 - integer overlow
{CVE-2004-0941 CVE-2004-0990}
- NOTE: different from fixes from earlier DSA for these CANs; 2004-0941 new
+ NOTE: different from fixes from earlier DSA for these CVEs; 2004-0941 new
- libgd2 2.0.33-1.1
[29 Nov 2004] DSA-601-1 libgd1 - integer overflow
{CVE-2004-0941 CVE-2004-0990}
- NOTE: different from fixes from earlier DSA for these CANs; 2004-0941 new
+ NOTE: different from fixes from earlier DSA for these CVEs; 2004-0941 new
- libgd 1.8.4-36.1
[25 Nov 2004] DSA-599-1 tetex-bin - integer overflows
{CVE-2004-0888}
@@ -2363,7 +2363,7 @@
- tcpdump 3.7.2-1
[10 Dec 2002] DSA-205 gtetrinet - buffer overflow
- gtetrinet 0.4.4-1
- NOTE: no CAN not CVE for this one
+ NOTE: no CVE for this one
[05 Dec 2002] DSA-204 kdelibs - arbitrary program execution
{CVE-2002-1281 CVE-2002-1282}
- kdelibs 4:3.1.0-1
@@ -2419,14 +2419,14 @@
{CVE-2001-0131 CVE-2002-1233}
- apache 1.3.27-1
TODO: CVE-2002-0843 appears to be listed twice in this DSA
- TODO: (once with NO-CAN)
+ TODO: (once with NO-CVE)
[04 Nov 2002] DSA-187 apache - several vulnerabilities
{CVE-2002-0839 CVE-2002-0840 CVE-2002-0843}
- apache 1.3.27-0.1
{CVE-2001-0131 CVE-2002-1233}
- apache 1.3.27-1
TODO: CVE-2002-0843 appears to be listed twice in this DSA
- TODO: (once with NO-CAN)
+ TODO: (once with NO-CVE)
[01 Nov 2002] DSA-186 log2mail - buffer overflow
{CVE-2002-1251}
- log2mail 0.2.6-1
Modified: data/README
==================================================================---
data/README 2005-10-19 23:12:59 UTC (rev 2463)
+++ data/README 2005-10-19 23:17:58 UTC (rev 2464)
@@ -29,7 +29,7 @@
description, put it in square brackets instead.
{id id id}
This is used to link to other ids that describe the same hole.
- Generally used to link DSAs to CAN''s and CVEs and back.
+ Generally used to link DSAs to CVEs and back.
UPCASE
Any word in upper case, typically NOTE, HELP, TODO, RESERVED,
REJECTED, NOT-FOR-US.
Modified: data/resources
==================================================================---
data/resources 2005-10-19 23:12:59 UTC (rev 2463)
+++ data/resources 2005-10-19 23:17:58 UTC (rev 2464)
@@ -1,8 +1,7 @@
-Full CAN and CVE lists:
-http://cve.mitre.org/cve/candidates/downloads/full-can.html
-http://cve.mitre.org/cve/downloads/full-cve.html
+Full CVE lists:
+http://www.cve.mitre.org/cve/downloads/
-CANs that do not affect sarge (maintained by regular security team):
+CVEs that do not affect sarge (maintained by regular security team):
http://www.debian.org/security/nonvulns-sarge
Ultra Monkey kernel security database:
Modified: tsck/tsck.py
==================================================================---
tsck/tsck.py 2005-10-19 23:12:59 UTC (rev 2463)
+++ tsck/tsck.py 2005-10-19 23:17:58 UTC (rev 2464)
@@ -94,7 +94,7 @@
print "Generating system-specific security overview for " + suite
for i in vulns:
- if i.startswith("CAN-"):
+ if i.startswith("CVE-"):
if len(cve) > 0 and len(pkg_name) > 0:
if source_packages.has_key(pkg_name):