gilbert-guest at alioth.debian.org
2009-Feb-25 06:09 UTC
[Secure-testing-commits] r11261 - data/CVE
Author: gilbert-guest Date: 2009-02-25 06:09:12 +0000 (Wed, 25 Feb 2009) New Revision: 11261 Modified: data/CVE/list Log: updating severities of latest kernel issues - CVE-2007-6514: medium severity based on potential for accessing content - CVE-2008-6107: low severity since issue is a local denial of service - CVE-2009-0029: medium severity since it may be possible to gain priviledges - CVE-2009-0031: low severity since issue is a local denial of service - CVE-2009-0065: high severity since impact is unknown and nvd severity is rated as high - CVE-2009-0269: medium severity since it is possible to cause memory corruption - CVE-2009-0322: low severity since it is a local denial of service Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-02-25 05:46:32 UTC (rev 11260) +++ data/CVE/list 2009-02-25 06:09:12 UTC (rev 11261) @@ -534,8 +534,9 @@ CVE-2008-6108 (Cross-site scripting (XSS) vulnerability in result.php in Galatolo ...) NOT-FOR-US: Galatolo WebManager CVE-2008-6107 (The (1) sys32_mremap function in arch/sparc64/kernel/sys_sparc32.c, ...) - - linux-2.6 <unfixed> + - linux-2.6 <unfixed> (low) - linux-2.6.24 <removed> + NOTE: should this be considered a problem in lenny/squeeze/sid since description says that the problem applies to kernels before 2.6.25.4? CVE-2008-6106 (Cross-site request forgery (CSRF) vulnerability in IBM Workplace for ...) NOT-FOR-US: IBM Workplace for Business Controls CVE-2008-6105 (Cross-site scripting (XSS) vulnerability in IBM Workplace for Business ...) @@ -1186,7 +1187,7 @@ CVE-2009-0324 (Multiple SQL injection vulnerabilities in BibCiter 1.4 allow remote ...) NOT-FOR-US: BibCiter CVE-2009-0322 (drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and ...) - - linux-2.6 <unfixed> + - linux-2.6 <unfixed> (low) - linux-2.6.24 <removed> CVE-2009-0321 (Apple Safari 3.2.1 (aka AppVer 3.525.27.1) on Windows allows remote ...) NOT-FOR-US: Apple Safari on Windows @@ -1361,7 +1362,7 @@ CVE-2009-0272 (Cross-site request forgery (CSRF) vulnerability in Novell GroupWise ...) NOT-FOR-US: Novell GroupWise CVE-2009-0269 (fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel ...) - - linux-2.6 <unfixed> + - linux-2.6 <unfixed> (medium) [etch] - linux-2.6 <not-affected> (ecryptfs was merged in 2.6.19) - linux-2.6.24 <removed> CVE-2009-0265 (Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not ...) @@ -2057,7 +2058,7 @@ CVE-2009-0066 (Multiple unspecified vulnerabilities in Intel system software for ...) TODO: will be presented at Black Hat CVE-2009-0065 (Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control ...) - - linux-2.6 2.6.26-14 + - linux-2.6 2.6.26-14 (high) - linux-2.6.24 <removed> CVE-2009-0064 RESERVED @@ -2727,12 +2728,12 @@ CVE-2009-0032 (CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) ...) NOT-FOR-US: issue affects pdfdistiller CVE-2009-0031 (Memory leak in the keyctl_join_session_keyring function ...) - - linux-2.6 <unfixed> + - linux-2.6 <unfixed> (low) - linux-2.6.24 <removed> CVE-2009-0030 (A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID ...) - squirrelmail <not-affected> (RedHat-specific regression) CVE-2009-0029 (The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, ...) - - linux-2.6 <unfixed> + - linux-2.6 <unfixed> (medium) - linux-2.6.24 <removed> CVE-2009-0028 RESERVED @@ -16634,7 +16635,7 @@ CVE-2007-6508 (Directory traversal vulnerability in view.php in xeCMS 1.0 allows ...) NOT-FOR-US: xeCMS CVE-2007-6514 (Apache HTTP Server, when running on Linux with a document root on a ...) - - linux-2.6 <unfixed> + - linux-2.6 <unfixed> (medium) NOTE: While labeled as an Apache flaw, this needs to be fixed in smbfs NOTE: This is likely already fixed in recent kernels, but we need to pin point NOTE: a fixed version
Hi Michael> Modified: > data/CVE/list > Log: > updating severities of latest kernel issues > - CVE-2007-6514: medium severity based on potential for accessing content > - CVE-2008-6107: low severity since issue is a local denial of service > - CVE-2009-0029: medium severity since it may be possible to gain > priviledges - CVE-2009-0031: low severity since issue is a local denial of > service - CVE-2009-0065: high severity since impact is unknown and nvd > severity is rated as high - CVE-2009-0269: medium severity since it is > possible to cause memory corruption - CVE-2009-0322: low severity since it > is a local denial of serviceJust in case, if you are unsure about these ones, just check with the kernel team. Dann is the one providing stable-sec support there. They normally have more information about the issues, since they track them separately. Cheers Steffen -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. Url : http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20090225/f413771e/attachment.pgp