Author: jmm-guest Date: 2009-06-02 18:46:41 +0000 (Tue, 02 Jun 2009) New Revision: 12018 Modified: data/CVE/list Log: - two torrentflux issues which have been lingering as unfixed w/o a bug report for too long - libnet-dns-perl as fixed in Lenny, since the kernel provides src port randomisation, which should be good enough Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-06-02 17:59:35 UTC (rev 12017) +++ data/CVE/list 2009-06-02 18:46:41 UTC (rev 12018) @@ -479,7 +479,6 @@ - ajaxterm <unfixed> (medium; bug #528938) CVE-2009-1789 (mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and ...) - eggdrop 1.6.19-1.2 (medium; bug #528778) - NOTE: CVE id request on oss-sec CVE-2009-XXXX [cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked] - cron 3.0pl1-106 (low; bug #528434) [lenny] - cron <no-dsa> (Minor issue) @@ -1942,9 +1941,9 @@ CVE-2008-6586 (Cross-site request forgery (CSRF) vulnerability in gui/index.php in ...) NOT-FOR-US: ?Torrent (uTorrent) WebUI CVE-2008-6585 (Cross-site request forgery (CSRF) vulnerability in html/admin.php in ...) - - torrentflux <unfixed> + - torrentflux <unfixed> (bug filed) CVE-2008-6584 (html/index.php in TorrentFlux 2.3 allows remote authenticated users to ...) - - torrentflux <unfixed> + - torrentflux <unfixed> (bug filed) CVE-2008-6583 (Buffer overflow in BS.player 2.27 build 959 allows remote attackers to ...) NOT-FOR-US: BS.player CVE-2009-1274 (Integer overflow in the qt_error parse_trak_atom function in ...) 
@@ -17174,7 +17173,7 @@ - adns 1.4-2 (unimportant; bug #492698) NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian - udns <unfixed> (bug #493599) - - libnet-dns-perl <unfixed> (low; bug #492700) + - libnet-dns-perl 0.63-2 (low; bug #492700) NOTE: Source port randomization from Lenny kernel should provide sufficient protection NOTE: since this is just a Perl nodule for DNS queries and not a high-profile server app like NOTE: Bind, it''s unlikely that a home-grown fix will provide an implementation of higher
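Review bot: in the first hunk (@@ -479,7 +479,6 @@) the line "NOTE: CVE id request on oss-sec" is dropped from the eggdrop entry for CVE-2009-1789, but the commit log only mentions the torrentflux and libnet-dns-perl changes. Either add a line to the log ("- drop obsolete CVE-request note for eggdrop") or split the eggdrop cleanup into its own commit so the history explains why the note went away.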
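Review bot: in the torrentflux hunk (@@ -1942,9 +1941,9 @@) both entries for CVE-2008-6585 and CVE-2008-6584 now read "- torrentflux <unfixed> (bug filed)" with no bug number, while every other entry in the visible context records it as "(severity; bug #NNNNNN)", e.g. "- ajaxterm <unfixed> (medium; bug #528938)". A bare "(bug filed)" cannot be cross-referenced by the tracker tooling and will linger just like the missing bug reports the log complains about; once the BTS has assigned the numbers, replace the placeholder with the real "bug #..." reference and a severity.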
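Review bot: in the libnet-dns-perl hunk (@@ -17174,7 +17173,7 @@) the entry is changed to "- libnet-dns-perl 0.63-2 (low; bug #492700)", but per the log and the NOTE lines the mitigation is the Lenny kernel's source port randomization, not a change in libnet-dns-perl 0.63-2 itself, so recording a package version as "fixed" conflates the two; consider stating in the NOTE that the fixed marker reflects the Lenny kernel rather than a code fix, and compare with how the neighbouring adns entry documents its limitation ("NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian"). Two typos in the added NOTE text should also be fixed before commit: "Perl nodule" should read "Perl module", and "it''s" has a doubled apostrophe.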