thr3ads.net - Secure testing commits - [Secure-testing-commits] r6986

If this information is useful, please help other people find it:
Share via:
jmm-guest at alioth.debian.org
2007-Oct-16 21:11 UTC
[Secure-testing-commits] r6986 - data/CVE

Author: jmm-guest
Date: 2007-10-16 21:11:28 +0000 (Tue, 16 Oct 2007)
New Revision: 6986

Modified:
   data/CVE/list
Log:
- track madwifi by source package name and record it as non-free
- mplayer and one of the vorbis issues unimportant
- no-dsa for minor ircd issues
- rewrite some issues postponed for stable updates, so that they
  don''t show up in the mean time, this will be changed once the
  next stable update is released. The tracker cannot record two
  states, so we need this little hack


Modified: data/CVE/list
==================================================================---
data/CVE/list	2007-10-16 20:43:59 UTC (rev 6985)
+++ data/CVE/list	2007-10-16 21:11:28 UTC (rev 6986)
@@ -21,7 +21,8 @@
 CVE-2007-5449 (SQL injection vulnerability in searchresult.php in Softbiz
Recipes ...)
 	NOT-FOR-US: Softbiz Recipes Portal Script
 CVE-2007-5448 (Madwifi 0.9.3.2 and earlier allows remote attackers to cause a
denial ...)
-	- madwifi-source <unfixed> (medium; bug #446824)
+	- madwifi <unfixed> (medium; bug #446824)
+	[etch] - madwidi <no-dsa> (Non-free not supported)
 	NOTE: this results in a kernel panic
 CVE-2007-5447 (ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension
for PHP ...)
 	NOT-FOR-US: ionCube
@@ -1391,8 +1392,8 @@
 	NOT-FOR-US: Media Player Classic
 CVE-2007-4938 (Heap-based buffer overflow in libmpdemux/aviheader.c in MPlayer
1.0rc1 ...)
 	{DTSA-65-1}
-	- mplayer 1.0~rc1-16.1 (bug #443478; low)
-	NOTE: just a NULL pointer dereference.
+	- mplayer 1.0~rc1-16.1 (bug #443478; unimportant)
+	NOTE: just a NULL pointer dereference, not treated as a security problem for
this class of applications
 CVE-2007-4937 (CS Guestbook stores sensitive information under the web root
with ...)
 	NOT-FOR-US: CS Guestbook
 CVE-2007-4936 (Unspecified vulnerability in Office Efficiencies SafeSquid 4.1.x
has ...)
@@ -2595,13 +2596,16 @@
 CVE-2007-4412 (Multiple cross-site scripting (XSS) vulnerabilities in Headstart
...)
 	NOT-FOR-US: Deskpro
 CVE-2007-4411 (ircu 2.10.12.05 and earlier allows remote attackers to discover
the ...)
-	- ircd-ircu 2.10.12.10.dfsg1-1 (bug #439314)
+	- ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314)
+	[etch] - ircd-ircu <no-dsa> (Minor issue)
 CVE-2007-4410 (ircu 2.10.12.05 and earlier does not properly synchronize a kick
...)
-	- ircd-ircu 2.10.12.10.dfsg1-1 (bug #439314)
+	- ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314)
+	[etch] - ircd-ircu <no-dsa> (Minor issue)
 CVE-2007-4409 (Race condition in ircu 2.10.12.01 through 2.10.12.05 allows
remote ...)
 	- ircd-ircu <not-affected> (Version affected not yet in unstable,
maintainer informed)
 CVE-2007-4408 (ircu 2.10.12.05 and earlier ignores timestamps in bounces, which
...)
-	- ircd-ircu 2.10.12.10.dfsg1-1 (bug #439314)
+	- ircd-ircu 2.10.12.10.dfsg1-1 (low; bug #439314)
+	[etch] - ircd-ircu <no-dsa> (Minor issue)
 CVE-2007-4407 (ircu 2.10.12.03 and 2.10.12.04 does not associate a timestamp
with ops ...)
 	- ircd-ircu <not-affected> (Version affected not yet in unstable,
maintainer informed)
 CVE-2007-4406 (ircu 2.10.12.01 through 2.10.12.04 does not remove ops privilege
after ...)
@@ -3358,7 +3362,9 @@
 CVE-2007-4066 (Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0
allow ...)
 	NOTE: svn revisionsions fixing this:
https://bugzilla.redhat.com/show_bug.cgi?id=249780
 CVE-2007-4065 (lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before
1.2.0 ...)
-	NOTE: svn revisionsions fixing this:
https://bugzilla.redhat.com/show_bug.cgi?id=249780
+	- libvorbis <unfixed> (unimportant)
+	NOTE: Just an infinite loop in an enduser multimedia libarary, not treated as
a vulnerability
+	NOTE: svn revisionions fixing this:
https://bugzilla.redhat.com/show_bug.cgi?id=249780
 CVE-2007-4064 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal
5.x ...)
 	- drupal 4.7.7-1 (low)
 	- drupal5 5.2-1 (low)
@@ -3846,7 +3852,8 @@
 	- linux-2.6 2.6.22-4
 CVE-2007-3847 (The date handling code in modules/proxy/proxy_util.c (mod_proxy)
in ...)
 	- apache2 2.2.6-1 (bug #441845; low)
-	[etch] - apache2 2.2.3-4+etch3 (bug #441845; low)
+	[etch] - apache2 <no-dsa> (Scheduled for next point release)
+	NOTE:	[etch] - apache2 2.2.3-4+etch3 (bug #441845; low)
 CVE-2007-3846 (Directory traversal vulnerability in Subversion before 1.4.5, as
used ...)
 	NOT-FOR-US: TortoiseSVN on Windows
 CVE-2007-3845 (Mozilla Firefox before 2.0.0.6, Thunderbird before 1.5.0.13 and
2.x ...)
@@ -5182,10 +5189,9 @@
 	NOT-FOR-US: Cerulean Studios Trillian
 CVE-2007-3304 (Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM
module, ...)
 	- apache <removed> (low)
-	[etch] - apache <unfixed> (low)
-	[sarge] - apache <unfixed> (low)
 	- apache2 2.2.4-2 (low)
-	[etch] - apache2 2.2.3-4+etch2
+	[etch] - apache2 <no-dsa> (Scheduled for next point release)
+	NOTE: [etch] - apache2 2.2.3-4+etch2
 	[sarge] - apache2 2.0.54-5sarge2 (low)
 CVE-2007-3303 (Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module,
allows ...)
 	- apache2 <unfixed> (unimportant)
@@ -7198,7 +7204,8 @@
 CVE-2007-2452 (Heap-based buffer overflow in the visit_old_format function in
...)
 	- findutils 4.2.31-1 (low; bug #426862)
 	[sarge] - findutils <no-dsa> (Not vulnerable in default configuration,
minor issue)
-	[etch] - findutils 4.2.28-1etch1 (low)
+	[etch] - findutils <no-dsa> (Scheduled for next point release)
+	NOTE:	[etch] - findutils 4.2.28-1etch1 (low)
 CVE-2007-2451 (Unspecified vulnerability in drivers/crypto/geode-aes.c in
GEODE-AES ...)
 	- linux-2.6 2.6.21-3
 	[etch] - linux-2.6 <not-affected> (Vulnerable code not present,
introduced in 2.6.20)
@@ -8561,7 +8568,8 @@
 	- apache2 2.2.4-1 (low)
 	- apache <unfixed> (low)
 	[sarge] - apache2 2.0.54-5sarge2
-	[etch] - apache2 2.2.3-4+etch2
+	NOTE:	[etch] - apache2 2.2.3-4+etch2
+	[etch] - apache2 <no-dsa> (Scheduled for next point release)
 	NOTE: see
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/cache/cache_util.c?view=markup&pathrev=551944
 	NOTE: see
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/cache/cache_util.c?r1=463503&r2=551944&pathrev=551944
 	NOTE: vulnerable code in src/modules/proxy/proxy_cache.c starting in line 1132
@@ -16179,7 +16187,8 @@
 CVE-2006-5752 (Cross-site scripting (XSS) vulnerability in mod_status.c in the
...)
 	- apache2 2.2.4-2 (low)
 	[sarge] - apache2 2.0.54-5sarge2
-	[etch] - apache2 2.2.3-4+etch2
+	NOTE: [etch] - apache2 2.2.3-4+etch2
+	[etch] - apache2 <no-dsa> (Scheduled for next point release)
 	- apache <removed> (low)
 CVE-2006-5751 (Integer overflow in the get_fdb_entries function in ...)
 	{DSA-1233}
Secure testing commits - Oct 2007 - r6986 - data/CVE

[Secure-testing-commits] r6986 - data/CVE
