Moritz Muehlenhoff
2006-Feb-14 11:41 UTC
[Secure-testing-commits] r3477 - in data: . CVE DSA
Author: jmm-guest Date: 2006-02-14 11:40:47 +0000 (Tue, 14 Feb 2006) New Revision: 3477 Modified: data/CVE/list data/DSA/list data/embedded-code-copies Log: new xpdf issue remove mydns dupe Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-02-14 09:47:16 UTC (rev 3476) +++ data/CVE/list 2006-02-14 11:40:47 UTC (rev 3477) @@ -806,8 +806,6 @@ - mediawiki <unfixed> (low) CVE-2005-4666 (Cross-site scripting (XSS) vulnerability in PHlyMail before 3.3 Beta1 ...) NOT-FOR-US: PHlyMail -CVE-2006-XXXX [mydns remote DoS] - - mydns 1.1.0+pre-3 (medium) CVE-2006-0353 (unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related to ...) {DSA-956-1} - lsh-utils 2.0.1cdbs-4 (low; bug #349303) @@ -3718,7 +3716,7 @@ - helix-player <unfixed> (unknown) NOTE: http://service.real.com/help/faq/security/security111605.html CVE-2005-XXXX [maradns risk mitigation against AES side channel attacks by Shamir et al.] - - maradns 1.0.35-1 + - maradns 1.0.35-1 (unimportant) CVE-2005-3731 (Unspecified vulnerability in yaSSL before 1.0.6 has unknown impact and ...) NOT-FOR-US: yaSSL CVE-2005-3730 (Multiple cross-site scripting (XSS) vulnerabilities in ...) Modified: data/DSA/list ==================================================================--- data/DSA/list 2006-02-14 09:47:16 UTC (rev 3476) +++ data/DSA/list 2006-02-14 11:40:47 UTC (rev 3477) @@ -1,3 +1,7 @@ +[14 Feb 2006] DSA-971-1 xpdf - buffer overflow + {CVE-2006-0301} + [sarge] - xpdf 3.00-13.5 + NOTE: fixed in testing at time of DSA [14 Feb 2006] DSA-970-1 kronolith - missing input sanitising {CVE-2005-4189} [sarge] - kronolith 1.1.4-2sarge1 Modified: data/embedded-code-copies ==================================================================--- data/embedded-code-copies 2006-02-14 09:47:16 UTC (rev 3476) +++ data/embedded-code-copies 2006-02-14 11:40:47 UTC (rev 3477) 
@@ -6,7 +6,7 @@ gpdf pdftohtml kdegraphics/kpdf -tetex-bin (the very latest tetex-bin started to use poppler) +tetex-bin (links to poppler since 3.0-12) cupsys (only older releases, recent ones use xpdf-utils, it''s still present in the src, though) poppler koffice
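Review bot: In the data/CVE/list hunk at @@ -806,8 +806,6 @@, the removed `CVE-2006-XXXX [mydns remote DoS]` placeholder is justified in the log only as a "mydns dupe", and the entry that supersedes it does not appear anywhere in the diff context. Name the surviving CVE id in the log message so the removal can be checked without searching the list, and confirm that the surviving entry keeps the `mydns 1.1.0+pre-3 (medium)` fix information this placeholder carried.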
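Review bot: The `(unimportant)` tag added to the maradns line in the data/CVE/list hunk at @@ -3718,7 +3716,7 @@ is not mentioned in the log message, which lists only the xpdf issue and the mydns removal. Since maradns and mydns are easy to confuse when skimming, add a log line for the severity change or commit it separately, ideally with the reason the AES side-channel mitigation is rated unimportant.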
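Review bot: The new DSA-971-1 entry in the data/DSA/list hunk carries `NOTE: fixed in testing at time of DSA` without saying which xpdf version contains the fix, and no data/CVE/list hunk in this commit touches CVE-2006-0301. Confirm that the CVE-2006-0301 entry already records the fixed version, or add it in this commit, so the note can be checked against a concrete version.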
Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r3477 - in data: . CVE DSA
* Moritz Muehlenhoff:

> remove mydns dupe
> -CVE-2006-XXXX [mydns remote DoS] > - - mydns 1.1.0+pre-3 (medium) > CVE-2006-0353 (unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related to ...) > {DSA-956-1} > - lsh-utils 2.0.1cdbs-4 (low; bug #349303) > @@ -3718,7 +3716,7 @@ > - helix-player <unfixed> (unknown) > NOTE: http://service.real.com/help/faq/security/security111605.html > CVE-2005-XXXX [maradns risk mitigation against AES side channel attacks by Shamir et al.] > - - maradns 1.0.35-1 > + - maradns 1.0.35-1 (unimportant)

Ahem, mydns is not maradns, I think.
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r3477 - in data: . CVE DSA
Florian Weimer wrote:

> > remove mydns dupe
>
> > -CVE-2006-XXXX [mydns remote DoS] > > - - mydns 1.1.0+pre-3 (medium) > > CVE-2006-0353 (unix_random.c in lshd for lsh 2.0.1 leaks file descriptors related to ...) > > {DSA-956-1} > > - lsh-utils 2.0.1cdbs-4 (low; bug #349303) > > @@ -3718,7 +3716,7 @@ > > - helix-player <unfixed> (unknown) > > NOTE: http://service.real.com/help/faq/security/security111605.html > > CVE-2005-XXXX [maradns risk mitigation against AES side channel attacks by Shamir et al.] > > - - maradns 1.0.35-1 > > + - maradns 1.0.35-1 (unimportant)
>
> Ahem, mydns is not maradns, I think.

That is certainly true, but mydns is already covered here:

CVE-2006-0351 (Unspecified "critical denial-of-service vulnerability" in MyDNS before ...)
	{DSA-963-1}
	[sarge] - mydns 1.0.0-4sarge1
	- mydns 1.1.0+pre-3 (medium; bug #348826)

Cheers,
Moritz