Author: gilbert-guest Date: 2010-01-24 23:48:49 +0000 (Sun, 24 Jan 2010) New Revision: 13900 Modified: data/CVE/list data/embedded-code-copies Log: various new issues; many libltdl, prototype, and expat issues fixed Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-01-24 23:31:05 UTC (rev 13899) +++ data/CVE/list 2010-01-24 23:48:49 UTC (rev 13900) @@ -8,6 +8,19 @@ [lenny] - gtk+2.0 <not-affected> (issue only exposed by gnome-screensaver 2.28) [etch] - gtk+2.0 <not-affected> (issue only exposed by gnome-screensaver 2.28) NOTE: http://osvdb.org/show/osvdb/61203 +CVE-2010-XXXX [sqlite: info leak] + - sqlite3 <unfixed> (low; bug #566326) +CVE-2010-XXXX [backup-manager: make sure password is not written to world-readable files] + - backup-manager <undetermined> (low) + TODO: after next stable point release: [lenny] - backup-manager 0.7.7-2 + NOTE: http://lists.debian.org/debian-release/2010/01/msg00181.html +CVE-2010-XXXX [sudosh3: many security weaknesses] + - sudosh3 <unfixed> (high; bug #566142) + NOTE: package is likely to be removed +CVE-2010-XXXX [phpbb: many issues] + - phpbb <undetermined> + NOTE: http://www.openwall.com/lists/oss-security/2010/01/16/2 + TODO: check CVE-2010-0379 (Multiple unspecified vuilnerabilities in the Macromedia Flash ActiveX ...) TODO: check CVE-2010-0378 (Use-after-free vulnerability in Adobe Flash Player 6.0.79, as ...) @@ -193,6 +206,7 @@ CVE-2010-0319 (Cross-site scripting (XSS) vulnerability in index.php in Docmint 1.0 ...) NOT-FOR-US: Docmint CVE-2010-0318 (The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, ...) + - kfreebsd-6 <not-affected> (vulnerable code introduced in freebsd 7) - kfreebsd-7 7.2-10 (bug #566684) - kfreebsd-8 8.0-2 CVE-2010-0317 (Novell Netware 6.5 SP8 allows remote attackers to cause a denial of ...) 
@@ -268,8 +282,10 @@ RESERVED CVE-2010-0291 RESERVED -CVE-2010-0290 +CVE-2010-0290 [bind: CVE-2009-4022 fix incomplete] RESERVED + - bind <unfixed> + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=554851#c7 CVE-2010-0289 [dokuwiki CSRF] RESERVED {DSA-1976-1} @@ -3109,7 +3125,7 @@ - hamlib <unfixed> (low; bug #559814) [lenny] - hamlib <no-dsa> (Minor issue) [etch] - hamlib <no-dsa> (Minor issue) - - hercules <unfixed> (low; bug #559815) + - hercules 3.06-1.2 (low; bug #559815) [lenny] - hercules <no-dsa> (Minor issue) [etch] - hercules <no-dsa> (Minor issue) - jags 1.0.4-1 (low; bug #559816) @@ -3140,7 +3156,7 @@ [lenny] - siproxd <no-dsa> (Minor issue) [etch] - siproxd <no-dsa> (Minor issue) - ski <unfixed> (low; bug #559828) - - synfig <unfixed> (low; bug #559829) + - synfig 0.62.00-1 (low; bug #559829) [lenny] - synfig <no-dsa> (Minor issue) - xmlsec1 1.2.14-1 (unimportant; bug #559831) NOTE: Embedded code copy isn''t used @@ -3267,7 +3283,7 @@ - grmonitor <removed> (unimportant; bug #560931) - iceape <unfixed> (unimportant; bug #560932) - insighttoolkit 3.16.0-1 (unimportant; bug #560933) - - paraview <unfixed> (unimportant; bug #560935) + - paraview 3.6.2-1 (unimportant; bug #560935) - poco <unfixed> (unimportant; bug #560936) - simgear <unfixed> (unimportant; bug #560937) - smart <unfixed> (low; bug #560953) @@ -3750,7 +3766,7 @@ - grmonitor <removed> (unimportant; bug #560931) - iceape <unfixed> (unimportant; bug #560932) - insighttoolkit 3.16.0-1 (unimportant; bug #560933) - - paraview <unfixed> (unimportant; bug #560935) + - paraview 3.6.2-1 (unimportant; bug #560935) - poco <unfixed> (unimportant; bug #560936) - simgear <unfixed> (unimportant; bug #560937) - smart <unfixed> (low; bug #560953) 
@@ -4854,7 +4870,7 @@ - otrs2 2.3.4-6 (low; bug #555266) [etch] - otrs2 <not-affected> (prototype.js not present) [lenny] - otrs2 <not-affected> (prototype.js not present) - - webcalendar <unfixed> (low; bug #555268) + - webcalendar 1.2~b1-2 (low; bug #555268) [lenny] - webcalendar <not-affected> (prototype.js not present) - libhtml-prototype-perl 1.48-3 (low; bug #558977) [etch] - libhtml-prototype-perl <no-dsa> (minor issue) @@ -5400,7 +5416,7 @@ CVE-2008-7149 (Unspecified vulnerability in AgileWiki before 0.10.1 has unknown ...) NOT-FOR-US: AgileWiki CVE-2008-7148 (Unspecified vulnerability in Synfig Animation Studio before 0.61.08 ...) - NOT-FOR-US: Synfig Animation Studio + - synfig 0.61.08-1 CVE-2008-7147 (Multiple cross-site scripting (XSS) vulnerabilities in IntraLearn ...) NOT-FOR-US: IntraLearn Software IntraLearn CVE-2008-7146 (IntraLearn Software IntraLearn 2.1, and possibly other versions before ...) @@ -30087,9 +30103,7 @@ CVE-2007-6673 (Cross-site scripting (XSS) vulnerability in Makale Scripti allows ...) NOT-FOR-US: Makale Scripti CVE-2007-6672 (Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass ...) - - jetty <not-affected> (medium; bug #462793; bug #559765) - NOTE: only applies to version >= 6 - TODO: maintainer checking on status; follow up + - jetty 6.1.18-1 (medium; bug #462793; bug #559765) CVE-2007-6671 (SQL injection vulnerability in login_form.asp in Instant Softwares ...) NOT-FOR-US: Instant Softwares Dating Site CVE-2007-6670 (SQL injection vulnerability in search.php in PHCDownload 1.1.0 allows ...) 
@@ -41715,7 +41729,7 @@ - activeldap <not-affected> (fixed since initial inclusion) - mantis <not-affected> (fixed since initial inclusion) - otrs2 <not-affected> (fixed since initial inclusion) - - webcalendar <unfixed> (low; bug #555268) + - webcalendar 1.2~b1-2 (low; bug #555268) [lenny] - webcalendar <not-affected> (prototype.js not present) - plone3 <removed> (low; bug #555274) - wesnoth <not-affected> (fixed since initial inclusion) Modified: data/embedded-code-copies ==================================================================--- data/embedded-code-copies 2010-01-24 23:31:05 UTC (rev 13899) +++ data/embedded-code-copies 2010-01-24 23:48:49 UTC (rev 13900) @@ -757,7 +757,7 @@ - libv8 <not-affected> (contains a google-specific implementation of prototype.js) - mantis 1.1.2+dfsg-1 (embed; bug #555265) - otrs2 2.3.4-6 (embed; bug #555267) - - webcalendar <unfixed> (embed; bug #555269) + - webcalendar 1.2~b1-2 (embed; bug #555269) - redmine 0.9.0~svn2907-1 (embed; bug #555270) - jifty 0.90519-1 (embed; bug #555271) - jquery 1.4-1 (embed; bug #555272) @@ -883,11 +883,6 @@ - kdepimlibs 4.2.0-1 (fork) - claws-mail-extra-plugins <unfixed> (fork) -libltdl3 - - kdelibs <unfixed> (embed) - NOTE: it''s been said it sets RT_GLOBAL (or something like that) at runtime and version in experimental of libltdl can optionally set it - - synfig <unfixed> (embed) - harfbuzz - qt4-x11 <unfixed> (embed) - pango1.0 <unfixed> (embed) @@ -1141,7 +1136,7 @@ - insighttoolkit 3.16.0-1 (embed) NOTE: insighttoolkit might''ve been fixed earlier - libparagui1.1 1.0.2-1 (embed) - - paraview <unfixed> (embed) + - paraview 3.6.2-1 (embed) - poco <unfixed> (embed) - simgear <unfixed> (embed) - sitecopy 1:0.16.0-1 
@@ -1594,7 +1589,7 @@ NOTE: The etch version of graphviz was the earliest version checked, might be fixed earlier - guile-1.6 1.6.8-7 (embed) - hamlib <unfixed> (embed) - - hercules <unfixed> (embed) + - hercules 3.06-1.2 (embed) - jags 1.0.4-3 (embed; bug #560864) - kdelibs <unfixed> (embed) - libannodex <removed> (embed) @@ -1608,7 +1603,7 @@ - redland <unfixed> (embed) - siproxd <unfixed> (embed) - ski <unfixed> (embed) - - synfig <unfixed> (embed) + - synfig 0.62.00-1 (embed) - unixodbc 2.2.4-5 (embed) - xmlsec1 <not-affected> (Doesn''t enable dynamic loading of crypto modules) - clamav 0.95+dfsg-1 (embed)
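Review bot: in the data/CVE/list hunk at @@ -8,6 +8,19 @@ the backup-manager entry marks unstable as <undetermined> while the TODO already queues a lenny fix ([lenny] - backup-manager 0.7.7-2); settle the sid status first (a fixed version or <unfixed>), since a stable point-release update is normally recorded against a known unstable fix. The sudosh3 entry says the package is likely to be removed, but "- sudosh3 <unfixed> (high; bug #566142)" says nothing about whether a stable release ships it; if lenny or etch does, add the matching [lenny]/[etch] line as the gtk+2.0 entry just above does, and switch the status to <removed> once the removal actually happens, as the other entries in this file do.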
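Review bot: the new "- bind <unfixed>" line in the hunk at @@ -268,8 +282,10 @@ has no severity or bug annotation, unlike every other entry added in this commit, and the source package name needs checking: BIND 9, which is what the incomplete CVE-2009-4022 fix concerns, is packaged in Debian as bind9, not bind. Suggest "- bind9 <unfixed>" with a severity rating once confirmed, or a NOTE explaining why bind is intended.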
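Review bot: CVE-2008-7148 in the hunk at @@ -5400,7 +5416,7 @@ is switched from NOT-FOR-US to "- synfig 0.61.08-1" with no severity, bug reference or release annotation, whereas the other synfig entry touched by this commit (hunk at -3140) carries "(low; bug #559829)" and a "[lenny] - synfig <no-dsa> (Minor issue)" line. Add a severity and, if lenny or etch shipped a synfig older than 0.61.08-1, the corresponding [lenny]/[etch] status; with only a fixed version given, the tracker reports any release carrying an older version as vulnerable.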
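Review bot: the jetty hunk at @@ -30087,9 +30103,7 @@ drops the NOTE "only applies to version >= 6" along with the <not-affected> status, but that note is exactly the justification needed for any release shipping a pre-6 jetty; with the entry now reading "- jetty 6.1.18-1 (medium; bug #462793; bug #559765)", a release with an older jetty is reported as vulnerable. Keep the NOTE and add "[lenny] - jetty <not-affected> (only applies to version >= 6)" (and the etch equivalent) where that is the case, and confirm that both listed bugs still apply to the fixed-version entry.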
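Review bot: deleting the whole libltdl3 block in data/embedded-code-copies at @@ -883,11 +883,6 @@ also deletes the NOTE recording that kdelibs sets RT_GLOBAL at runtime and that the libltdl in experimental can optionally do the same; the surviving libltdl section (hunk at -1594) still lists "- kdelibs <unfixed> (embed)", so dropping the duplicate entry is fine, but move that NOTE onto the remaining kdelibs line, otherwise the reason kdelibs stays <unfixed> while hercules and synfig are marked fixed in the same commit is lost. The removed synfig line is superseded by "- synfig 0.62.00-1 (embed)" at -1608, which matches the data/CVE/list change.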