jmm-guest at alioth.debian.org
2008-Jan-01 18:14 UTC
[Secure-testing-commits] r7780 - data/CVE
Author: jmm-guest Date: 2008-01-01 18:14:17 +0000 (Tue, 01 Jan 2008) New Revision: 7780 Modified: data/CVE/list Log: - rewrite non-free fixes pending for r3 as no-dsa again, otherwise they show up in the list of unfixed issues, they can be fixed on time of r3 release - one rsync issue unimportant - python, skktools, pulseaudio no-dsa - fix flashplugin issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-01-01 17:34:15 UTC (rev 7779) +++ data/CVE/list 2008-01-01 18:14:17 UTC (rev 7780) @@ -219,7 +219,8 @@ CVE-2007-XXXX [unace unspecified security issue related to uninitialized variable] - unace-nonfree 2.5-3 [sarge] - unace-nonfree <no-dsa> (non-free not supported) - [etch] - unace-nonfree 2.5-1etch1 + [etch] - unace-nonfree <no-dsa> (non-free not supported) + TODO: r3 release: [etch] - unace-nonfree 2.5-1etch1 CVE-2007-6507 (SpntSvc.exe daemon in Trend Micro ServerProtect 5.58 for Windows, ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-6506 (The HPRulesEngine.ContentCollection.1 ActiveX Control in ...) @@ -980,7 +981,8 @@ CVE-2007-6200 (Unspecified vulnerability in rsync before 3.0.0pre6, when running a ...) - rsync 2.6.9-6 (low; bug #453652) CVE-2007-6199 (rsync before 3.0.0pre6, when running a writable rsync daemon that is ...) - - rsync 2.6.9-6 (low; bug #453652) + - rsync 2.6.9-6 (unimportant; bug #453652) + NOTE: Security feature enhancement, not really a security problem CVE-2007-6198 (portal/server.pt in the Plumtree portal in BEA AquaLogic Interaction ...) NOT-FOR-US: Plumtree CVE-2007-6197 (The Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 ...) 
@@ -3429,8 +3431,8 @@ NOT-FOR-US: Softbiz Recipes Portal Script CVE-2007-5448 (Madwifi 0.9.3.2 and earlier allows remote attackers to cause a denial ...) - madwifi 1:0.9.3.2-2 (medium; bug #446824) - [etch] - madwifi 1:0.9.2+r1842.20061207-2etch2 - NOTE: this results in a kernel panic + [etch] - madwifi <no-dsa> (Non-free not supported) + TODO: r3 release: [etch] - madwifi 1:0.9.2+r1842.20061207-2etch2 CVE-2007-5447 (ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP ...) NOT-FOR-US: ionCube CVE-2007-5446 (Absolute path traversal vulnerability in a certain ActiveX control in ...) @@ -4853,7 +4855,10 @@ NOTE: Duplicate of CVE-2007-3913 CVE-2007-4965 (Multiple integer overflows in the imageop module in Python 2.5.1 and ...) - python2.5 <unfixed> (low; bug #443333) + [etch] - python2.5 <no-dsa> (Minor issue) + [sarge] - python2.5 <no-dsa> (Minor issue) - python2.4 <unfixed> (low; bug #443335) + [etch] - python2.4 <no-dsa> (Minor issue) CVE-2007-4964 (WinImage 8.10 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: WinImage CVE-2007-4963 (Visual truncation vulnerability in WinImage 8.10 and earlier allows ...) 
@@ -6378,9 +6383,9 @@ CVE-2007-4325 (PHP remote file inclusion vulnerability in index.php in Gaestebuch 1.5 ...) NOT-FOR-US: Gaestebuch CVE-2007-4324 (ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0, and other ...) - - flashplugin-nonfree <not-affected> (This package just downloads the plugin from adobe.com which has an updated version) - [etch] - flashplugin-nonfree <no-dsa> (non-free not supported) - [sarge] - flashplugin-nonfree <no-dsa> (non-free not supported) + - flashplugin-nonfree 9.0.115.0.1 + [etch] - flashplugin-nonfree 9.0.115.0.1~etch1 + [sarge] - flashplugin-nonfree <no-dsa> (Non-free not supported) CVE-2007-4323 (DenyHosts 2.6 does not properly parse sshd log files, which allows ...) - denyhosts 2.6-2.1 (bug #438162; medium) CVE-2007-4322 (BlockHosts before 2.0.4 does not properly parse (1) sshd and (2) ...) @@ -7284,7 +7289,9 @@ {DSA-1386-1} - wesnoth 1.2.7-1 CVE-2007-3916 (The main function in skkdic-expr.c in SKK Tools 1.2 allows local users ...) - - skktools 1.2+0.20061004-3 + - skktools 1.2+0.20061004-3 (low) + [sarge] - skktools <no-dsa> (Minor issue) + [etch] - skktools <no-dsa> (Minor issue) CVE-2007-3915 RESERVED CVE-2007-3914 @@ -12313,6 +12320,7 @@ CVE-2007-1804 (PulseAudio 0.9.5 allows remote attackers to cause a denial of service ...) {DTSA-44-1} - pulseaudio 0.9.6-1 (low) + [etch] - pulseaudio <no-dsa> (Minor issue) CVE-2007-1803 (Unspecified vulnerability in MailDwarf 3.01 and earlier allows remote ...) NOT-FOR-US: MailDwarf CVE-2007-1802 (Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and earlier ...) 
@@ -15039,7 +15047,8 @@ [etch] - rar <no-dsa> (Non-free) - unrar-nonfree 1:3.7.3-1 (high; bug #410580) [sarge] - unrar-nonfree 1:3.5.2-0.2 - [etch] - unrar-nonfree 1:3.5.4-1.1 + [etch] - unrar-nonfree <no-dsa> (Non-free not supported) + TODO: r3 release [etch] - unrar-nonfree 1:3.5.4-1.1 NOTE: amavid-new automatically uses "rar -p-" or "unrar -p-", NOTE: which probably turns this into remote code execution NOTE: clamav can also call unrar -p-, but AFAICS not in default configuration @@ -20420,8 +20429,8 @@ - wireshark 0.99.4-1 (bug #396258; medium) CVE-2006-5467 (The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a ...) {DSA-1235-1 DSA-1234-1} - - ruby1.8 1.8.5-3 (medium; bug #398457) - - ruby1.9 1.9.0+20070606-1 (medium) + - ruby1.8 1.8.5-3 (low; bug #398457) + - ruby1.9 1.9.0+20070606-1 (low) NOTE: ruby1.9 not to be released with etch NOTE: etch and testing affected CVE-2006-5466 (Heap-based buffer overflow in the showQueryPackage function in librpm ...)
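Review bot: in the unace-nonfree hunk (@@ -219), the new `[etch] - unace-nonfree <no-dsa> (non-free not supported)` line gives a reason that contradicts the TODO directly beneath it, which records that 2.5-1etch1 is queued for the r3 point release. According to the log, the no-dsa marker is only there to keep the entry off the unfixed list until r3, so the parenthetical should say that, e.g. `<no-dsa> (fix pending for etch r3)`, rather than implying the issue will never be addressed in etch.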
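Review bot: in the rsync hunk (@@ -980), CVE-2007-6199 is downgraded to `unimportant` with an explanatory NOTE, while CVE-2007-6200 two lines above keeps `low` although it references the same fixed version (2.6.9-6) and the same bug #453652. If the "security feature enhancement" reasoning covers the whole bug, the 6200 line needs the same change; if it does not, a NOTE on 6200 saying why it differs would stop the next editor from "fixing" the apparent inconsistency.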
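Review bot: the madwifi hunk (@@ -3429) deletes `NOTE: this results in a kernel panic` together with the etch fixed-version line, but that note is impact information that underpins the `medium` rating and remains true however the etch fix is tracked. Keep the NOTE (the TODO line does not replace it), and, as with the other r3-deferred entries in this commit, `(Non-free not supported)` reads oddly next to a TODO that says the fixed package is queued.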
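Review bot: in the python hunk (@@ -4853), python2.5 gets both `[etch]` and `[sarge]` no-dsa lines but python2.4 gets only `[etch]`. Either python2.4 in sarge is also affected and is missing its line, in which case the sarge side of python2.4 continues to show as `<unfixed>`, or the `[sarge] - python2.5` line refers to a package that was never in sarge; confirm which and make the two blocks symmetric.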
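Review bot: the flashplugin-nonfree hunk (@@ -6378) replaces `<not-affected>` with concrete fixed versions for unstable and etch, but the explanation attached to the old marker (the package only downloads the plugin from adobe.com) is removed without a replacement NOTE. Since 9.0.115.0.1 is a Debian package version rather than the Flash Player version the CVE text cites, a NOTE saying that the package now fetches the updated plugin would make the entry self-explanatory. Also, the log states that non-free fixes pending for r3 are being rewritten as no-dsa, yet the etch line here keeps a fixed version `9.0.115.0.1~etch1`; confirm that this update is actually in etch rather than queued like the others.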
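Review bot: in the unrar-nonfree hunk (@@ -15039), the TODO reads `TODO: r3 release [etch] - ...` without the colon after `release` that the unace-nonfree and madwifi TODOs use; keep the three lines identical in form so they can be grepped for and removed together at r3 time. This entry is rated `high` and the surrounding NOTEs describe a probable remote code execution path through amavisd-new invoking unrar, so a reason stating why the etch fix waits for the point release would be more informative than `(Non-free not supported)`. The `amavid-new` in the context NOTE looks like a typo for amavisd-new.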
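Review bot: the ruby hunk (@@ -20420) lowers CVE-2006-5467 from `medium` to `low` for both ruby1.8 and ruby1.9 without saying why, whereas the rsync downgrade in this same commit carries a NOTE with its reasoning. Add a short NOTE giving the rationale for the change so it is not silently reverted later.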