Author: jmm-guest Date: 2010-01-05 22:27:45 +0000 (Tue, 05 Jan 2010) New Revision: 13727 Modified: data/CVE/list Log: * ancient imp issue fixed * kdelibs not-affected by ltdl issue * libannodx ltdl no-dsa * add note for recent horde comment * polipo no-dsa * mark one php issue as non-issue per PHP policy Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-01-05 21:14:30 UTC (rev 13726) +++ data/CVE/list 2010-01-05 22:27:45 UTC (rev 13727) @@ -303,7 +303,9 @@ CVE-2009-4419 (Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets in the ...) NOT-FOR-US: Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets CVE-2009-4418 (The unserialize function in PHP 5.3.0 and earlier allows ...) - - php5 <unfixed> (low) + - php5 <unfixed> (unimportant) + NOTE: Only exploitable by malicious script, not treated as a security issue + NOTE: per Debian PHP security policy CVE-2009-4417 (The shutdown function in the Zend_Log_Writer_Mail class in Zend ...) NOTE: the CVE talks about the Zend Framework, but the culprit NOTE: is actually piwik @@ -983,7 +985,9 @@ [etch] - xfig <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=543905 CVE-2009-4413 (The httpClientDiscardBody function in client.c in Polipo 0.9.8, ...) - - polipo <unfixed> (medium; bug #560779) + - polipo <unfixed> (low; bug #560779) + [etch] - polipo <no-dsa> (Minor issue) + [lenny] - polipo <no-dsa> (Minor issue) CVE-2009-4224 (Multiple PHP remote file inclusion vulnerabilities in SweetRice 0.5.4, ...) NOT-FOR-US: SweetRice CVE-2009-4223 (PHP remote file inclusion vulnerability in adm/krgourl.php in KR-Web ...) 
@@ -2239,12 +2243,10 @@ [lenny] - hercules <no-dsa> (Minor issue) [etch] - hercules <no-dsa> (Minor issue) - jags 1.0.4-1 (low; bug #559816) - - kdelibs <unfixed> (low; bug #559817) - [etch] - kdelibs <no-dsa> (Minor issue) - [lenny] - kdelibs <no-dsa> (Minor issue) + - kdelibs <not-affected> (dl_open open loads from fixed paths) - libannodex <removed> (low; bug #559818) - [lenny] - libannodex <removed> (low; bug #559818) - [etch] - libannodex <removed> (low; bug #559818) + [lenny] - libannodex <no-dsa> (Minor issue) + [etch] - libannodex <no-dsa> (Minor issue) - libextractor 0.5.23+dfsg-4 (low; bug #559819) [etch] - libextractor <no-dsa> (Minor issue) [lenny] - libextractor <no-dsa> (Minor issue) @@ -2615,7 +2617,7 @@ - kvm <removed> (medium; bug #562076) CVE-2009-3637 [alien-arena remote arbitrary code execution] RESERVED - - alien-arena <unfixed> (high; bug #552038) + - alien-arena <unfixed> (medium; bug #552038) [lenny] - alien-arena <no-dsa> (Contrib not supported) TODO: next point-release: [lenny] - alien-arena 7.0-1+lenny1 CVE-2009-3636 (Cross-site scripting (XSS) vulnerability in the Install Tool ...) @@ -3557,7 +3559,9 @@ CVE-2009-3306 (PHP remote file inclusion vulnerability in include/header.php in ...) NOT-FOR-US: ClearSite CVE-2009-3305 (Polipo 1.0.4, and possibly other versions, allows remote attackers to ...) - - polipo 1.0.4-1.1 (bug #547047) + - polipo 1.0.4-1.1 (low; bug #547047) + [etch] - polipo <no-dsa> (Minor issue) + [lenny] - polipo <no-dsa> (Minor issue) CVE-2009-3304 (GForge 4.5.14, 4.7 rc2, and 4.8.2 allows local users to overwrite ...) {DSA-1945-1} - gforge 4.8.2-1 
@@ -3766,6 +3770,7 @@ CVE-2009-3237 (Multiple cross-site scripting (XSS) vulnerabilities in Horde ...) - horde3 3.3.5+debian0-1 (low) [lenny] - horde3 3.2.2+debian0-2+lenny1 + NOTE: horde3 issue fixed in backport of latest DSA, DSA however did not fix etch CVE-2009-3235 (Multiple stack-based buffer overflows in the Sieve plugin in Dovecot ...) {DSA-1893-1 DSA-1892-1} - cyrus-imapd-2.2 2.2.13-17 (medium; bug #547947) @@ -12545,12 +12550,10 @@ CVE-2009-0689 (Array index error in the (1) dtoa implementation in dtoa.c (aka ...) {DSA-1931-1} - nspr 4.8-2 - [etch] - nspr <no-dsa> (Mozilla packages from oldstable no longer covered by security support) + [etch] - nspr <end-of-life> (Mozilla packages from oldstable no longer covered by security support) - kdelibs 4:3.5.10.dfsg.1-3 (medium; bug #559265) - kde4libs 4:4.3.4-1 (medium; bug #559266) - TODO: check and merge with 2009-1563? TODO: Someone posted a long list of dtoa embedded to debian-devel some time ago - NOTE: CVE-2009-1563 will be marked REJECTED by MITRE. NOTE: http://securityreason.com/achievement_securityalert/74 CVE-2009-0688 (Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 ...) {DSA-1807-1 DTSA-200-1 DTSA-201-1} @@ -16968,9 +16971,8 @@ - kfreebsd-7 7.1-1 [lenny] - kfreebsd-7 7.0-7lenny1 CVE-2008-5161 (Error handling in the SSH protocol in (1) SSH Tectia Client and Server ...) - - openssh 1:5.2p1-1 (low; bug #506115) + - openssh 1:5.1p1-5 (low; bug #506115) [etch] - openssh <no-dsa> (Minor issue, see http://www.openssh.org/txt/cbc.adv) - [lenny] - openssh <no-dsa> (Minor issue, see http://www.openssh.org/txt/cbc.adv) CVE-2008-5185 (The highlighting functionality in geshi.php in GeSHi before 1.0.8 ...) {DTSA-179-1} - geshi 1.0.8.1-1 (medium) 
@@ -64519,7 +64521,7 @@ CVE-2005-4081 (Multiple SQL injection vulnerabilities in Alisveristr E-commerce allow ...) NOT-FOR-US: Alisveristr E-commerce CVE-2005-4080 (Horde IMP 4.0.4 and earlier does not sanitize strings containing UTF16 ...) - - imp4 <unfixed> (bug #342654; unimportant) + - imp4 4.0.4-1 (bug #342654; unimportant) NOTE: Internet Explorer bug, most definitely fixed since long, didn''t check though CVE-2005-4079 (The register_globals emulation in phpMyAdmin 2.7.0 rc1 allows remote ...) - phpmyadmin <not-affected> (Affects only 2.7.0)
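
Review bot: In the @@ -2239 hunk, the reason on the new kdelibs line, "(dl_open open loads from fixed paths)", repeats a word and does not name the loader call precisely, so a later reader cannot tell what was audited. Suggest rewording it to name the function that was checked. Because this one line replaces three tracked entries (unstable, etch, lenny) with a single not-affected claim, a NOTE saying which kdelibs versions were inspected would also help.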
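
Review bot: The alien-arena line in the @@ -2615 hunk drops the urgency from high to medium on an entry titled "remote arbitrary code execution", and neither the entry nor the commit log gives a reason. Add a NOTE with the rationale for the downgrade, or mention it in the log, so the rating can be re-checked later.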
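
Review bot: The NOTE added under CVE-2009-3237 in the @@ -3766 hunk says "DSA however did not fix etch" but names no DSA and adds no [etch] line, so horde3 in etch still has no explicit status in the list. Suggest citing the DSA id in the NOTE and recording the etch state as its own "[etch] - horde3 ..." entry.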
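
Review bot: In the @@ -12545 hunk, the TODO "check and merge with 2009-1563?" and the NOTE that CVE-2009-1563 will be marked REJECTED are both removed with no replacement, and the commit log does not mention it. If the merge question is settled, keep a one-line NOTE under CVE-2009-0689 recording the relationship to CVE-2009-1563 so the cross-reference is not lost.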
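
Review bot: The openssh edits in the @@ -16968 hunk are not covered by the commit log: the fixed version moves back from 1:5.2p1-1 to 1:5.1p1-5, and the "[lenny] - openssh <no-dsa>" line is dropped, which leaves lenny's status depending on the new fixed version alone. Suggest a NOTE stating which upload carried the fix, and confirming that the openssh version in lenny is at or above 1:5.1p1-5 before removing the lenny line.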
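
Review bot: In the @@ -64519 hunk, imp4 is marked fixed in 4.0.4-1 although the CVE summary directly above reads "Horde IMP 4.0.4 and earlier", and the existing NOTE states that the fix was not checked. Either pick a fixed version that is later than the affected upstream release, or extend the NOTE to say that the version is nominal because the entry is tagged unimportant.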