Author: jmm-guest
Date: 2009-11-12 22:49:53 +0000 (Thu, 12 Nov 2009)
New Revision: 13281
Modified: data/CVE/list
Log:
- grub2 fixed, doesn't affect Lenny
- convert expat embedded issues to TODOs until they're triaged
- one mozilla issue only affects xulrunner, not iceweasel
- proftpd is also affected by the general TLS issue, track it for now
- cups fixed

Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-11-12 21:14:19 UTC (rev 13280) +++ data/CVE/list 2009-11-12 22:49:53 UTC (rev 13281) @@ -51,7 +51,8 @@ CVE-2009-3906 RESERVED CVE-2009-XXXX [grub2: password bypass] - - grub2 <unfixed> (high; bug #555195) + - grub2 1.97+experimental.20091110-1 (bug #555195) + [lenny] - grub2 <not-affected> (Password authentication not yet present) NOTE: fixed in upstream verion 1.97.1 CVE-2009-3905 (Multiple cross-site scripting (XSS) vulnerabilities in e-Courier CMS ...) NOT-FOR-US: e-Courier CMS @@ -162,8 +163,7 @@ CVE-2009-3851 (Trusted Extensions in Sun Solaris 10 interferes with the operation of ...) NOT-FOR-US: Sun Solaris 10 CVE-2009-3850 (Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to ...) - - blender <unfixed> (low) - TODO: determine whether this is a no-dsa issue. + - blender <unfixed> (unimportant) NOTE: attack vector is social engineering to get the user to open NOTE: a malicious .blend file. by design, blend files support NOTE: all python operations, so ultimately any code can be executed 
@@ -476,46 +476,46 @@ - w3c-libwww <removed> (low; bug #551938) [etch] - w3c-libwww <no-dsa> (Minor issue, only used by fringe apps) - python-xml <unfixed> (low; bug #551939) - - python2.5 <unfixed> (low) - - python2.4 <unfixed> (low) - - wxwindows2.4 <removed> (low) - - wxwidgets2.6 <unfixed> (low) - - wxwidgets2.8 <unfixed> (low) - - celementtree <unfixed> (low) - - audacity <unfixed> (low) - - matanza <unfixed> (low) - - tdom <unfixed> (low) - - udunits <unfixed> (low) + TODO: check - python2.5 <unfixed> (low) + TODO: check - python2.4 <unfixed> (low) + TODO: check - wxwindows2.4 <removed> (low) + TODO: check - wxwidgets2.6 <unfixed> (low) + TODO: check - wxwidgets2.8 <unfixed> (low) + TODO: check - celementtree <unfixed> (low) + TODO: check - audacity <unfixed> (low) + TODO: check - matanza <unfixed> (low) + TODO: check - tdom <unfixed> (low) + TODO: check - udunits <unfixed> (low) - apr-util <not-affected> (links to system expat) - - ayttm <unfixed> (low) - - cableswig <unfixed> (low) - - cadaver <unfixed> (low) - - cmake <unfixed> (low) - - coin3 <unfixed> (low) - - gdcm <unfixed> (low) - - ghostscript <unfixed> (low) - - grmonitor <unfixed> (low) - - iceape <unfixed> (low) - - insighttoolkit <unfixed> (low) - - libparagui1.1 <unfixed> (low) - - paraview <unfixed> (low) - - poco <unfixed> (low) - - simgear <unfixed> (low) - - sitecopy <unfixed> (low) - - smart <unfixed> (low) - - swish-e <unfixed> (low) - - tla <unfixed> (low) - - vtk <unfixed> (low) - - wbxml2 <unfixed> (low) - - xmlrpc-c <unfixed> (low) - - iceweasel <unfixed> (low) - - kompozer 1:0.8~b1-2 (low) - - vxl <unfixed> (low) - - xulrunner <unfixed> (low) + TODO: check - ayttm <unfixed> (low) + TODO: check - cableswig <unfixed> (low) + TODO: check - cadaver <unfixed> (low) + TODO: check - cmake <unfixed> (low) + TODO: check - coin3 <unfixed> (low) + TODO: check - gdcm <unfixed> (low) + TODO: check - ghostscript <unfixed> (low) + TODO: check - grmonitor <unfixed> (low) + TODO: check - iceape 
<unfixed> (low) + TODO: check - insighttoolkit <unfixed> (low) + TODO: check - libparagui1.1 <unfixed> (low) + TODO: check - paraview <unfixed> (low) + TODO: check - poco <unfixed> (low) + TODO: check - simgear <unfixed> (low) + TODO: check - sitecopy <unfixed> (low) + TODO: check - smart <unfixed> (low) + TODO: check - swish-e <unfixed> (low) + TODO: check - tla <unfixed> (low) + TODO: check - vtk <unfixed> (low) + TODO: check - wbxml2 <unfixed> (low) + TODO: check - xmlrpc-c <unfixed> (low) + TODO: check - iceweasel <unfixed> (low) + TODO: check - kompozer 1:0.8~b1-2 (low) + TODO: check - vxl <unfixed> (low) + TODO: check - xulrunner <unfixed> (low) - apache2 <not-affected> (links to system expat) - - texlive-bin <unfixed> (low) - - vnc4 <unfixed> (low) - - xotcl <unfixed> (low) + TODO: check - texlive-bin <unfixed> (low) + TODO: check - vnc4 <unfixed> (low) + TODO: check - xotcl <unfixed> (low) CVE-2009-3719 (Cross-site scripting (XSS) vulnerability in comment.asp in Battle Blog ...) NOT-FOR-US: Battle Blog CVE-2009-3718 (SQL injection vulnerability in admin/authenticate.asp in Battle Blog ...) @@ -944,6 +944,7 @@ - gnutls13 <removed> - nss <unfixed> - xyssl <unfixed> + - proftpd-dfsg 1.3.2b-2 - polarssl <unfixed> - matrixssl <unfixed> - pike7.6 <unfixed> @@ -1434,10 +1435,6 @@ - xulrunner 1.9.1.4-1 [etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3371 (Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.4 ...) - - icedove <unfixed> (bug #555313) - - iceweasel 3.5.4-1 - [etch] - iceweasel <not-affected> (web workers introduced in firefox 3.5) - [lenny] - iceweasel <not-affected> (web workers introduced in firefox 3.5) - xulrunner 1.9.1.4-1 [etch] - xulrunner <not-affected> (web workers introduced in firefox 3.5) [lenny] - xulrunner <not-affected> (web workers introduced in firefox 3.5) 
@@ -1986,6 +1983,7 @@ [lenny] - jscropperui <no-dsa> (minor issue) - rt-extension-emailcompletion <unfixed> (low; bug #555258) - scriptaculous 1.8.3-1 (low; bug #555259) + [lenny] - scriptaculous <no-dsa> (Minor issue) - activeldap 1.0.9-1 (low; bug #555263) [lenny] - activeldap <no-dsa> (minor issue) - mantis 1.1.8+dfsg-3 (low; bug #555264) @@ -3361,7 +3359,7 @@ RESERVED CVE-2009-2820 (CUPS in Apple Mac OS X before 10.6.2 does not properly handle (1) HTTP ...) {DSA-1933-1} - - cups <unfixed> (low; bug #555666) + - cups 1.4.2-1 (low; bug #555666) - cupsys <removed> CVE-2009-2819 (AFP Client in Apple Mac OS X 10.5.8 allows remote AFP servers to ...) TODO: check
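Review bot: the unchanged context line in the @@ -51,7 +51,8 @@ hunk still reads "NOTE: fixed in upstream verion 1.97.1"; since this commit already rewrites the grub2 entry, correct the typo to "version" in the same change. The new fixed version 1.97+experimental.20091110-1 and the "[lenny] - grub2 <not-affected> (Password authentication not yet present)" line are otherwise consistent with the log entry "grub2 fixed, doesn't affect Lenny".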
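Review bot: the blender severity change from "(low)" to "(unimportant)" in the @@ -162,8 +163,7 @@ hunk is not mentioned in the commit log, which lists only the grub2, expat, mozilla, proftpd and cups changes; add a log line for it so the revision history explains the downgrade. The NOTE lines kept below the entry (social-engineering vector, .blend files execute python by design) do support the new rating, and removing "TODO: determine whether this is a no-dsa issue" is consistent with having made that decision.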
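Review bot: in the @@ -476,46 +476,46 @@ hunk the kompozer entry "- kompozer 1:0.8~b1-2 (low)" records a fixed version rather than <unfixed>, yet it is turned into "TODO: check - kompozer 1:0.8~b1-2 (low)" like all the unfixed entries; a TODO line is an annotation, as the other TODO lines in this file show, not a package status, so the recorded fix disappears from the tracked state. Keep kompozer as a normal entry, or state in its TODO that 1:0.8~b1-2 was already treated as fixed. Leaving the apr-util and apache2 "<not-affected> (links to system expat)" lines untouched is correct, since those need no triage.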
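Review bot: the added line "+ - proftpd-dfsg 1.3.2b-2" in the @@ -944,6 +944,7 @@ hunk carries a version number and no note, so it reads as "fixed in 1.3.2b-2", while the log says proftpd is affected and should be tracked for now; every neighbouring entry for the same issue (nss, xyssl, polarssl, matrixssl, pike7.6) is <unfixed>. If 1.3.2b-2 is the version that introduced the fix, say so in a NOTE line; if it is only the affected version, use <unfixed> like its neighbours, and add the severity or bug reference that the other entries in this commit carry.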
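Review bot: the @@ -1434,10 +1435,6 @@ hunk removes the icedove entry "- icedove <unfixed> (bug #555313)" together with the iceweasel lines, but the log only says the issue does not affect iceweasel. The remaining "[etch]"/"[lenny] - xulrunner <not-affected> (web workers introduced in firefox 3.5)" lines justify dropping iceweasel; nothing in the hunk explains why icedove is dropped or what happens to bug #555313. Add a NOTE line for icedove, or keep its entry until the bug is resolved.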
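Review bot: style point in the @@ -1986,6 +1983,7 @@ hunk: the added "[lenny] - scriptaculous <no-dsa> (Minor issue)" capitalises the reason, while the neighbouring jscropperui and activeldap lines use "(minor issue)"; use the lower-case form so the three entries read alike.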