Moritz Muehlenhoff
2009-Sep-07 17:39 UTC
[Secure-testing-commits] r12757 - in data: . CVE DSA
Author: jmm-guest Date: 2009-09-07 17:39:41 +0000 (Mon, 07 Sep 2009) New Revision: 12757 Modified: data/CVE/list data/DSA/list data/ospu-candidates.txt data/spu-candidates.txt Log: - gri, buildbot no-dsa - xulrunner fixes for Lenny - sdm, burn fixed - remove silc temp entry - gaim not affected in lenny, only a transitional package Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-09-07 13:21:56 UTC (rev 12756) +++ data/CVE/list 2009-09-07 17:39:41 UTC (rev 12757) @@ -53,6 +53,7 @@ CVE-2008-7159 [silc ASN1 encoding format string vulnerability] RESERVED {DSA-1879-1} + [lenny] - silc-toolkit 1.1.7-2+lenny1 - silc-toolkit 1.1.10-1 (low) - silc-client 1.1-2 (low) - silc-server <not-affected> (Vulnerable code not present) @@ -278,11 +279,6 @@ NOT-FOR-US: Carmosa phpCart CVE-2008-7107 (easdrv.sys in ESET Smart Security 3.0.667.0 allows local users to ...) NOT-FOR-US: ESET Smart Security -CVE-2009-XXXX [multiple security issues in silc-toolkit] - - silc-toolkit 1.1.10-1 (medium) - [etch] - silc-toolkit <not-affected> (Vulnerable code not present) - NOTE: CVE ids requested - TODO: clarify affectedness of silc-client and silc-server CVE-2009-2999 RESERVED CVE-2009-XXXX [serveez: buffer overflow in header parser] @@ -381,6 +377,7 @@ NOT-FOR-US: VMware Studio CVE-2009-2967 (Multiple cross-site scripting (XSS) vulnerabilities in Buildbot 0.7.6 ...) - buildbot 0.7.11p3-1 + [lenny] - buildbot <no-dsa> (Minor issue) [etch] - buildbot <not-affected> (According to the vendor 0.7.5 and earlier are not affected) CVE-2008-7094 (Campaign/CampaignListener in the listener server in Unica Affinium ...) NOT-FOR-US: Affinium Campaign 
@@ -418,6 +415,7 @@ NOT-FOR-US: CuteFlow CVE-2009-2959 (Cross-site scripting (XSS) vulnerability in the waterfall web status ...) - buildbot 0.7.11p3-1 (low; bug #543822) + [lenny] - buildbot <no-dsa> (Minor issue) [etch] - buildbot <not-affected> (According to the vendor 0.7.5 and earlier are not affected) CVE-2009-2958 (The tftp_request function in tftp.c in dnsmasq before 2.50, when ...) {DSA-1876-1} @@ -731,7 +729,7 @@ NOTE: no-dsa candidate TODO: request CVE id CVE-2009-XXXX [burn: Insecure escaping of file names] - - burn <unfixed> (low; bug #542329) + - burn 0.4.5-1 (low; bug #542329) [lenny] - burn 0.4.3-2.1+lenny1 [etch] - burn <no-dsa> (Minor issue) CVE-2009-2880 @@ -1342,6 +1340,8 @@ TODO: request cve id CVE-2009-XXXX [gri: insecure temp file generation] - gri 2.12.18-1 (low) + [etch] - gri <no-dsa> (Minor issue) + [lenny] - gri <no-dsa> (Minor issue) CVE-2009-2715 (Sun VirtualBox 2.2 through 3.0.2 r49928 allows guest OS users to cause ...) - virtualbox-ose 3.0.4-dfsg-1 (medium) CVE-2009-2714 (Unspecified vulnerability in Sun VirtualBox 3.0.0 and 3.0.2 allows ...) @@ -1446,6 +1446,7 @@ - pidgin 2.6.2 (low) [lenny] - pidgin <no-dsa> (Minor issue) [etch] - pidgin <no-dsa> (Minor issue) + [lenny] - gaim <not-affected> (Only a transitional package) - gaim <removed> NOTE: this is only a null ptr dereference and can only be triggered by a rogue irc server CVE-2009-2702 @@ -1469,6 +1470,7 @@ CVE-2009-2694 (The msn_slplink_process_msg function in ...) {DSA-1870-1} - pidgin 2.5.9-1 (medium; bug #542486) + [lenny] - gaim <not-affected> (Only a transitional package) - gaim <removed> CVE-2009-2693 RESERVED 
@@ -1589,7 +1591,7 @@ NOTE: Affected version only available in experimental, only Firefox 3.5 TODO: check when 3.5 gets uploaded to unstable CVE-2009-2664 (The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript ...) - - xulrunner <unfixed> + - xulrunner 1.9.0.13-1 [etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support) CVE-2009-2663 (libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 ...) - libvorbis 1.2.0.dfsg-6 (medium; bug #540958) @@ -1597,7 +1599,7 @@ NOTE: vorbis support added in 1.9.0.13 and 1.9.1.0, which have not yet entered the archive TODO: recheck when 1.9.0.13 or 1.9.1.x enter stable/unstable CVE-2009-2662 (The browser engine in Mozilla Firefox 3.5.x before 3.5.2 allows remote ...) - - xulrunner <unfixed> + - xulrunner 1.9.0.13-1 [etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support) CVE-2009-2661 (The asn1_length function in strongSwan 2.8 before 2.8.11, 4.2 before ...) - strongswan <unfixed> (bug #540144) @@ -1656,13 +1658,10 @@ {DSA-1874-1} - openssl <unfixed> (medium; bug #539449) - openssl097 <removed> - - xulrunner <unfixed> (medium) - [etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support) - nss 3.12.3-1 (medium; bug #539934) NOTE: asked maintainer to check whether openssl affected NOTE: fixed in iceweasel 3.0.13 and 3.5.2, which have yet to be uploaded TODO: check whether other web browsers are affected and file bugs - TODO: check if xulrunner and related packages are really affected (they should use the system version of NSS) CVE-2009-2651 (main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote ...) - asterisk <unfixed> (low; bug #539473) [etch] - asterisk <not-affected> (Vulnerable code not present) 
@@ -11680,7 +11679,7 @@ - bacula <unfixed> (unimportant; bug #509301) NOTE: script is an example CVE-2008-5372 (sdm-login in sdm-terminal 0.4.0b allows local users to overwrite ...) - - sdm <unfixed> (unimportant; bug #509331) + - sdm 0.4.1-1 (unimportant; bug #509331) NOTE: Not really a bug since only "touch" is used on the temp file CVE-2008-5371 (screenie in screenie 1.30.0 allows local users to overwrite arbitrary ...) - screenie 1.30.0-5.1 (low; bug #509332) Modified: data/DSA/list ==================================================================--- data/DSA/list 2009-09-07 13:21:56 UTC (rev 12756) +++ data/DSA/list 2009-09-07 17:39:41 UTC (rev 12757) @@ -27,7 +27,7 @@ {CVE-2009-2404 CVE-2009-2408 CVE-2009-2409} [lenny] - nss 3.12.3.1-0lenny1 [26 Aug 2009] DSA-1873-1 xulrunner - spoofing vulnerabilities - {CVE-2009-2654} + {CVE-2009-2654 CVE-2009-2662 CVE-2009-2664} [lenny] - xulrunner 1.9.0.13-0lenny1 [25 Aug 2009] DSA-1833-2 dhcp3 - arbitrary code execution {CVE-2009-0692 CVE-2009-1892} Modified: data/ospu-candidates.txt ==================================================================--- data/ospu-candidates.txt 2009-09-07 13:21:56 UTC (rev 12756) +++ data/ospu-candidates.txt 2009-09-07 17:39:41 UTC (rev 12757) @@ -282,6 +282,12 @@ -- +gri (no CVE) +fixed in gri 2.12.18-1: +"Improve security when creating temporary files." + +-- + hplip (CVE-2008-2940/CVE-2008-2941) #499842 notified maintainer Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2009-09-07 13:21:56 UTC (rev 12756) +++ data/spu-candidates.txt 2009-09-07 17:39:41 UTC (rev 12757) @@ -26,6 +26,11 @@ -- +buildbot (CVE-2009-2959, CVE-2009-2967) +#543822 + +-- + burn: (no CVE yet) #542329 notified maintainer through bug report 
@@ -61,6 +66,12 @@ -- +gri (no CVE) +fixed in gri 2.12.18-1: +"Improve security when creating temporary files." + +-- + kfreebsd-6 [freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl] http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
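Review bot: In the data/CVE/list hunk at `@@ -278,11 +279,6 @@`, dropping the temporary `CVE-2009-XXXX [multiple security issues in silc-toolkit]` entry also drops its `[etch] - silc-toolkit <not-affected> (Vulnerable code not present)` line and the `TODO: clarify affectedness of silc-client and silc-server`. The assigned entry that replaces it (CVE-2008-7159 in the `@@ -53,6 +53,7 @@` hunk) gains a `[lenny]` line but has no etch line, so either the etch status should be carried over there or a NOTE should record where it now lives; otherwise the etch verdict is lost with the temp entry.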
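Review bot: In the `@@ -381,6 +377,7 @@` hunk the CVE-2009-2967 buildbot entry reads `- buildbot 0.7.11p3-1` without a bug reference, while the sibling CVE-2009-2959 entry carries `(low; bug #543822)` and the new spu-candidates entry lists both CVEs under `#543822`. For consistency, consider `- buildbot 0.7.11p3-1 (low; bug #543822)` here as well, so the bug link and severity are visible from both entries.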
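Review bot: The `@@ -731,7 +729,7 @@` hunk records `- burn 0.4.5-1 (low; bug #542329)` with `[lenny] - burn 0.4.3-2.1+lenny1` already present, yet the data/spu-candidates.txt hunk leaves the `burn: (no CVE yet) #542329 notified maintainer through bug report` entry untouched. With the fix recorded for both unstable and lenny, that candidate entry looks stale and should be updated or removed in the same commit; the `TODO: request CVE id` on the burn entry also remains open and is worth keeping visible.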
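Review bot: The `@@ -1589,7 +1591,7 @@` hunk marks CVE-2009-2664 fixed in `xulrunner 1.9.0.13-1`, and the data/DSA/list hunk adds CVE-2009-2662 and CVE-2009-2664 to DSA-1873-1 with `xulrunner 1.9.0.13-0lenny1`, but neither CVE entry in data/CVE/list gets a `{DSA-1873-1}` cross-reference, unlike CVE-2008-7159 in the first hunk, which carries `{DSA-1879-1}`. If the tracker does not derive that from the DSA list, the entries should read `{DSA-1873-1}` so the lenny status is visible from the CVE side too.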
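Review bot: In the `@@ -1597,7 +1599,7 @@` hunk CVE-2009-2662 is set to `- xulrunner 1.9.0.13-1`, but the two context lines directly above it, belonging to the CVE-2009-2663 libvorbis entry, still state `vorbis support added in 1.9.0.13 and 1.9.1.0, which have not yet entered the archive` and `TODO: recheck when 1.9.0.13 or 1.9.1.x enter stable/unstable`. Recording 1.9.0.13-1 as a fixed version contradicts that NOTE, so the CVE-2009-2663 entry should be rechecked and its NOTE/TODO updated in the same pass.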
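Review bot: The `@@ -1656,13 +1658,10 @@` hunk resolves the `TODO: check if xulrunner and related packages are really affected (they should use the system version of NSS)` by deleting the xulrunner lines outright, without recording the conclusion. A `<not-affected>` line with the reason (builds against system NSS) or a NOTE stating the outcome would preserve the reasoning for later readers; as it stands, the remaining `NOTE: fixed in iceweasel 3.0.13 and 3.5.2, which have yet to be uploaded` no longer has a corresponding package line to explain.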