Moritz Muehlenhoff
2005-Oct-24 12:35 UTC
[Secure-testing-commits] r2551 - in data: CVE DSA
Author: jmm-guest
Date: 2005-10-24 12:35:07 +0000 (Mon, 24 Oct 2005)
New Revision: 2551

Modified:
   data/CVE/list
   data/DSA/list
Log:
adapt the rest of november's DSAs to the new format

Modified: data/CVE/list ==================================================================--- data/CVE/list 2005-10-24 11:05:29 UTC (rev 2550) +++ data/CVE/list 2005-10-24 12:35:07 UTC (rev 2551) @@ -12848,6 +12848,8 @@ - libgd 1.8.4-36.1 CVE-2004-0989 (Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and ...) {DSA-582-1} + - libxml 1:1.8.17-9 + - libxml2 2.6.11-5 CVE-2004-0988 (Integer overflow on Apple QuickTime before 6.5.2, when running on ...) NOT-FOR-US: Apple CVE-2004-0987 (Buffer overflow in the process_menu function in yardradius 1.0.20 ...) @@ -12864,9 +12866,11 @@ {DSA-586-1} - ruby1.8 1.8.1+1.8.2pre2-4 - ruby1.6 1.6.8-12 + - ruby <removed> CVE-2004-0982 (Buffer overflow in the getauthfromURL function in httpget.c in mpg123 ...) {DSA-578-1} - mpg123 0.59r-18 + NOTE: Original fix in -17 was incomplete CVE-2004-0981 (Buffer overflow in the EXIF parsing routine in ImageMagick before ...) {DSA-593-1} - imagemagick 6:6.0.6.2-1.5 (bug #278401) 
@@ -12895,13 +12899,15 @@ CVE-2004-0972 (The lvmcreate_initrd script in the lvm package in Trustix Secure Linux ...) {DSA-583-1} NOTE: lvmcreate_initrd not in debian + NOTE: It''s fixed in the changelog, so above note is possibly wrong + - lvm10 1:1.0.8-8 CVE-2004-0971 (The krb5-send-pr script in the kerberos5 (krb5) package in Trustix ...) NOTE: not shipped in deb - krb5 <unfixed> (bug #278271; low) - arla 0.36.2-11 CVE-2004-0970 (The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package, as ...) {DSA-588-1} - NOTE: sarge is not vulnerable as our version uses set -C + - gzip <not-affected> (recent versions not vulnerable as our version uses set -C) CVE-2004-0969 (The groffer script in the Groff package 1.18 and later versions, as ...) - groff 1.18.1.1-2 CVE-2004-0968 (The catchsegv script in glibc 2.3.2 and earlier allows local users to ...) @@ -12917,9 +12923,9 @@ NOT-FOR-US: HP-UX CVE-2004-0964 (Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for ...) {DSA-587-1} - NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge - NOTE: DSA says zinf not vulnerable in sarge - - zinf 2.2.5 + - zinf <not-affected> (According to DSA-587 not affected, as module was rewritten) + - freeamp <removed> + NOTE: Changelog claims a possibly related fix in 2.2.5? CVE-2004-0963 (Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and ...) NOT-FOR-US: windows CVE-2004-0962 (Apple Remote Desktop Client 1.2.4 executes a GUI application as root ...) @@ -13112,6 +13118,7 @@ NOTE: only affects source package, not used in binary - cupsys <unfixed> (bug #324460; unimportant) - tetex-bin 2.0.2-23 + - xpdf 3.00-9 CVE-2004-0887 (SUSE Linux Enterprise Server 9 on the S/390 platform does not properly ...) NOTE: waldi provided this info - linux-kernel-image-2.6.8-s390 2.6.8-3 
@@ -13664,6 +13671,7 @@ NOT-FOR-US: JRun CVE-2004-0645 (Buffer overflow in the wvHandleDateTimePicture function in wv library ...) {DSA-579-1 DSA-550-1} + - abiword <not-affected> (According to DSA-759 sid is not affected) CVE-2004-0644 (The asn1buf_skiptail function in the ASN.1 decoder library for MIT ...) {DSA-543-1} CVE-2004-0643 (Double-free vulnerability in the krb5_rd_cred function for MIT ...) Modified: data/DSA/list ==================================================================--- data/DSA/list 2005-10-24 11:05:29 UTC (rev 2550) +++ data/DSA/list 2005-10-24 12:35:07 UTC (rev 2551) 
@@ -1202,41 +1202,42 @@ [woody] - gnats 3.999.beta1+cvs20020303-2 [09 Nov 2004] DSA-589-1 libgd - integer overflows {CVE-2004-0990} - - libgd 1.8.4-36.1 + [woody] - libgd 1.8.4-17.woody3 [08 Nov 2004] DSA-588-1 gzip - insecure temporary files {CVE-2004-0970} - NOTE: dsa says sid not affected + [woody] - gzip 1.3.2-3woody3 [08 Nov 2004] DSA-587-1 freeamp - buffer overflow {CVE-2004-0964} - NOTE: DSA says zinf not vulnerable in sarge + [woody] - freeamp 2.1.1.0-4woody2 + NOTE: Was later renamed to zinf [08 Nov 2004] DSA-586-1 ruby - infinite loop {CVE-2004-0983} - - ruby1.6 1.6.8-12 - - ruby1.8 1.8.1+1.8.2pre2-4 + [woody] - ruby 1.6.7-3woody4 [05 Nov 2004] DSA-585-1 shadow - programming error {CVE-2004-1001} - - shadow 1:4.0.3-30.3 + [woody] - shadow 20000902-12woody1 [04 Nov 2004] DSA-584-1 dhcp - format string vulnerability {CVE-2004-1006} - - dhcp 2.0pl5-19.1 + [woody] - dhcp 2.0pl5-11woody1 [03 Nov 2004] DSA-583-1 lvm10 - insecure temporary directory {CVE-2004-0972} + [woody] - lvm10 1.0.4-5woody2 [02 Nov 2004] DSA-582-1 libxml - buffer overflow {CVE-2004-0989} - - libxml 1:1.8.17-9 - - libxml2 2.6.11-5 + [woody] - libxml 1.8.17-2woody2 + [woody] - libxml2 2.4.19-4woody2 [01 Nov 2004] DSA-581-1 xpdf - integer overflows {CVE-2004-0888} - - xpdf 3.00-9 + [woody] - xpdf 1.00-3.2 [01 Nov 2004] DSA-580-1 iptables - missing initialisation {CVE-2004-0986} - - iptables 1.2.11-4 + [woody] - iptables 1.2.6a-5.0woody2 [01 Nov 2004] DSA-579-1 abiword - buffer overflow {CVE-2004-0645} - NOTE: according to DSA, sid''s abiword is not affected. sarge is same + [woody] - abiword 1.0.2+cvs.2002.06.05-1woody2 [01 Nov 2004] DSA-578-1 mpg123 - buffer overflow {CVE-2004-0982} - - mpg123 0.59r-17 + [woody] - mpg123 0.59r-13woody4 [29 Oct 2004] DSA-577-1 postgresql - symlink vulnerability {CVE-2004-0977} - postgresql 7.4.6-1
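Review bot: in the data/CVE/list hunk at @@ -12895,13 +12899,15 @@, the CVE-2004-0972 entry ends up with two NOTE lines that contradict each other. The existing "NOTE: lvmcreate_initrd not in debian" stays, the new NOTE says it "is possibly wrong", and the added "- lvm10 1:1.0.8-8" records a fixed version, so a reader cannot tell whether lvm10 was ever affected. Since DSA-583-1 in data/DSA/list now records a fixed woody version of lvm10, I would drop the old note and keep the version line, or merge both notes into one that says what was actually checked. In the same hunk, the gzip line for CVE-2004-0970 replaces "sarge is not vulnerable" with "recent versions not vulnerable", which is less precise than the text it replaces.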
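Review bot: in the data/CVE/list hunk at @@ -12917,9 +12923,9 @@, the CVE-2004-0964 entry now marks zinf as <not-affected> and two lines later adds "NOTE: Changelog claims a possibly related fix in 2.2.5?", while the removed line "- zinf 2.2.5" recorded exactly that version as the fix. The two statements are in tension: if 2.2.5 carried a fix, earlier zinf uploads were affected and the version line should stay. Suggest settling the question before switching to <not-affected>, or keeping "- zinf 2.2.5" alongside the NOTE until it is settled. The hunk also drops the pointer to http://www.debian.org/security/nonvulns-sarge, which was the only cited source for the not-vulnerable claim.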
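Review bot: in the data/CVE/list hunk at @@ -13664,6 +13671,7 @@, the added abiword line cites "DSA-759", but the entry's own cross-reference is {DSA-579-1 DSA-550-1} and data/DSA/list in this same commit lists abiword under DSA-579-1, so this looks like transposed digits. Suggest "(According to DSA-579 sid is not affected)".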
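Review bot: in the data/DSA/list hunk at @@ -1202,41 +1202,42 @@, the unstable versions removed for DSA-585-1 ("- shadow 1:4.0.3-30.3"), DSA-584-1 ("- dhcp 2.0pl5-19.1") and DSA-580-1 ("- iptables 1.2.11-4") have no matching addition in the data/CVE/list hunks of this commit, unlike libxml, libxml2 and xpdf, whose versions are moved there. Please confirm that CVE-2004-1001, CVE-2004-1006 and CVE-2004-0986 already carry those versions in data/CVE/list; otherwise the fixed-in-unstable information is lost in the conversion to the [woody] format.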