Secure testing commits - Oct 2008 - r10150 - data/CVE

Author: jmm-guest
Date: 2008-10-22 20:36:12 +0000 (Wed, 22 Oct 2008)
New Revision: 10150

Modified:
   data/CVE/list
Log:
- new kernel issue
- debtorrent only applies for some update scenarios
- cupsys has been renamed to cups and cupsys removed
- fix vim entry
- old mozilla issue fixed in xulrunner


Modified: data/CVE/list
==================================================================---
data/CVE/list	2008-10-22 17:42:52 UTC (rev 10149)
+++ data/CVE/list	2008-10-22 20:36:12 UTC (rev 10150)
@@ -33,8 +33,9 @@
 CVE-2008-4619 (The RPC subsystem in Sun Solaris 9 allows remote attackers to
cause a ...)
 	NOT-FOR-US: Sun Solaris
 CVE-2008-4618 (The Stream Control Transmission Protocol (sctp) implementation
in the ...)
-	- linux-2.6 2.6.26-10 (low)
-	- linux-2.6.24 <unfixed> (low)
+	- linux-2.6 2.6.26-10
+	- linux-2.6.24 <unfixed>
+	NOTE: ba0166708ef4da7eeb61dd92bbba4d5a749d6561
 CVE-2008-4617 (SQL injection vulnerability in the actualite module 1.0 for
Joomla! ...)
 	NOT-FOR-US: actualite module for Joomla!
 CVE-2008-4616 (The SpamBam plugin for WordPress allows remote attackers to
bypass ...)
@@ -1032,7 +1033,9 @@
 	- chillispot <unfixed> (low; bug #500181)
 	[etch] - chillispot <no-dsa> (minor issue)
 CVE-2008-XXXX [unsafe usage of temp file]
-	- debtorrent <unfixed> (bug #500180)
+	- debtorrent <unfixed> (unimportant; bug #500180)
+	NOTE: Only exploitable when upgrading from an ancient version, package also
not in Etch
+	NOTE: Marking as unimportant
 CVE-2008-4189
 	REJECTED
 CVE-2008-4188 (Unspecified vulnerability in the TYPO3 Secure Directory
(kw_secdir) ...)
@@ -1226,7 +1229,6 @@
 	- joomla <itp> (bug #326398)
 CVE-2008-4101 (Vim 3.0 through 7.x before 7.2.010 does not properly escape ...)
 	- vim 2:7.2.010-1 (bug #500381)
-	[etch] - vim 1:7.1.314-3+lenny1
 	[lenny] - vim 1:7.1.314-3+lenny1
 CVE-2008-4098 (MySQL before 5.0.67 allows local users to bypass certain
privilege ...)
 	TODO: check
@@ -2500,15 +2502,15 @@
 	NOT-FOR-US: Mac OS
 CVE-2008-3641 (The Hewlett-Packard Graphics Language (HPGL) filter in CUPS
before ...)
 	{DSA-1656-1}
-	- cupsys 1.3.8-1lenny2 (medium)
+	- cupsys <removed>
 	- cups 1.3.8-1lenny2 (medium)
 CVE-2008-3640 (Integer overflow in the WriteProlog function in texttops in CUPS
...)
 	{DSA-1656-1}
-	- cupsys 1.3.8-1lenny2 (medium)
+	- cupsys <removed>
 	- cups 1.3.8-1lenny2 (medium)
 CVE-2008-3639 (Heap-based buffer overflow in the read_rle16 function in
imagetops in ...)
 	{DSA-1656-1}
-	- cupsys 1.3.8-1lenny2 (medium)
+	- cupsys <removed>
 	- cups 1.3.8-1lenny2 (medium)
 CVE-2008-3638 (Java on Apple Mac OS X 10.5.4 and 10.5.5 does not prevent
applets from ...)
 	NOT-FOR-US: Mac OSX
@@ -2744,7 +2746,11 @@
 	{DSA-1654-1}
 	- libxml2 2.6.32.dfsg-4 (bug #498768)
 CVE-2008-3528 (The error-reporting functionality in (1) fs/ext2/dir.c, (2) ...)
-	TODO: check
+	- linux-2.6 <unfixed>
+	- linux-2.6.24 <unfixed>
+	NOTE: cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
+	NOTE: bd39597cbd42a784105a04010100e27267481c67 (ext2)
+	NOTE: 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)
 CVE-2008-3527
 	RESERVED
 CVE-2008-3526 (Integer overflow in the sctp_setsockopt_auth_key function in
...)
@@ -7293,7 +7299,7 @@
 CVE-2008-1548 (Multiple cross-site scripting (XSS) vulnerabilities in Aeries
Browser ...)
 	NOT-FOR-US: Eagle Software Aries Student Information System
 CVE-2008-1547 (Open redirect vulnerability in exchweb/bin/redir.asp in
Microsoft ...)
-	TODO: check
+	NOT-FOR-US: Outlook
 CVE-2008-1546 (servlet/MIMEReceiveServlet in the web controller for Mitsubishi
...)
 	NOT-FOR-US: Mitsubishi Electric GB-50 and GB-50A air-conditioning control
systems
 CVE-2008-1545 (The setRequestHeader method of the XMLHttpRequest object in
Microsoft ...)
@@ -9999,7 +10005,7 @@
 CVE-2008-0420 (modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox
...)
 	- iceape 1.1.8-1
 	- iceweasel 2.0.0.12-1
-	TODO: check xulrunner
+	- xulrunner 1.8.1.12-1
 	NOTE: The initial advisory claimed Thunderbird/Icedove were vulnerable, but
clarified
 	NOTE: later, see
http://www.mozilla.org/security/announce/2008/mfsa2008-07.html
 CVE-2008-0419 (Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8
allows ...)