jmm-guest at alioth.debian.org
2008-Oct-10 22:08 UTC
[Secure-testing-commits] r10053 - data/CVE
Author: jmm-guest Date: 2008-10-10 22:08:43 +0000 (Fri, 10 Oct 2008) New Revision: 10053 Modified: data/CVE/list Log: Lenny triage: - mark libnet-dns-perl/CVE-2008-1447 as fixed for Lenny - one webcalendar issue doesn''t affect Lenny - mark some browser non-issues as such - one firefox issue fixed in the past already Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-10-10 21:14:12 UTC (rev 10052) +++ data/CVE/list 2008-10-10 22:08:43 UTC (rev 10053) @@ -7266,7 +7266,12 @@ - adns 1.4-2 (unimportant; bug #492698) NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian - udns <unfixed> (bug #493599) - - libnet-dns-perl <unfixed> (low; bug #492700) + - libnet-dns-perl 0.63-2 (low; bug #492700) + NOTE: Source port randomization from Lenny kernel should provide sufficient protection + NOTE: since this is just a Perl nodule for DNS queries and not a high-profile server app like + NOTE: Bind, it''s unlikely that a home-grown fix will provide an implementation of higher + NOTE: cryptographical quality. Marking the version from Lenny as fixed, since Lenny includes + NOTE: a kernel which provides source port randomization - ruby1.9 1.9.0.2-6 (low) NOTE: Unbound, djbdns, pdnsd and PowerDNS are affected by the underlying protocol issue, but NOTE: already use source port randomization. @@ -9494,6 +9499,7 @@ - openldap2 <not-affected> (slapd not built) CVE-2007-6696 (Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar ...) - webcalendar 1.1.6-7 (bug #466935) + [lenny] - webcalendar <not-affected> (See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466935#37) CVE-2007-6695 (Cross-site scripting (XSS) vulnerability in index.php in Drake CMS ...) NOT-FOR-US: Drake CMS CVE-2008-0664 (The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, ...) @@ -20246,9 +20252,9 @@ CVE-2007-3146 (Zen Help Desk 2.1 stores sensitive information under the web root with ...) NOT-FOR-US: Zen Help Desk CVE-2007-3145 (Visual truncation vulnerability in Galeon 2.0.1 allows remote ...) - - galeon <unfixed> (low; bug #429216) - [sarge] - galeon <no-dsa> (Minor issue) - [etch] - galeon <no-dsa> (Minor issue) + - galeon <unfixed> (unimportant; bug #429216) + NOTE: Hardly a problem, Galeon''s rotting any way and doesn''t offer up-to-date + NOTE: phishing protections anyway CVE-2007-3144 (Visual truncation vulnerability in Mozilla 1.7.12 allows remote ...) - iceweasel <unfixed> (low) [etch] - iceweasel <no-dsa> (Minor issue) @@ -23529,8 +23535,10 @@ CVE-2007-1763 (The ATI kernel driver (atikmdag.sys) in Microsoft Windows Vista allows ...) NOT-FOR-US: Microsoft CVE-2007-1762 (Mozilla Firefox 2.0.0.1 through 2.0.0.3 does not canonicalize URLs ...) - - iceweasel <unfixed> (low; bug #445515) - [etch] - iceweasel <no-dsa> (Minor issue) + - iceweasel <unfixed> (unimportant; bug #445515) + NOTE: I don''t believe this has relevant security impact, such a black list + NOTE: will register URLs found in the wild and the used adresses will be + NOTE: volatile anyway CVE-2007-1761 RESERVED CVE-2007-1760 @@ -23583,8 +23591,10 @@ CVE-2007-1737 (Opera 9.10 does not check URLs embedded in (1) object or (2) iframe ...) NOT-FOR-US: Opera CVE-2007-1736 (Mozilla Firefox 2.0.0.3 does not check URLs embedded in (1) object or ...) - - iceweasel <unfixed> (low) - [etch] - iceweasel <no-dsa> (Minor issue) + - iceweasel <unfixed> (unimportant) + NOTE: I don''t believe this has relevant security impact, such a black list + NOTE: will register URLs found in the wild and the used adresses will be + NOTE: volatile anyway CVE-2007-1735 (Stack-based buffer overflow in Corel WordPerfect Office X3 ...) NOT-FOR-US: Corel WordPerfect CVE-2007-1734 (The DCCP support in the do_dccp_getsockopt function in ...) @@ -26265,8 +26275,8 @@ [etch] - stlport5 5.0.2-12 [sarge] - stlport5 <not-affected> (Vulnerable code not compiled in) CVE-2007-0802 (Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing ...) - - iceweasel <unfixed> (low) - [etch] - iceweasel <no-dsa> (Minor issue) + - iceweasel 2.0.0.16-1 (low) + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=367538 CVE-2007-0801 (The nsExternalAppHandler::SetUpTempFile function in Mozilla Firefox ...) - iceweasel 2.0.0.2+dfsg-1 (low) - firefox <removed> (low)