Author: jmm-guest Date: 2010-01-27 18:34:28 +0000 (Wed, 27 Jan 2010) New Revision: 13932 Modified: data/CVE/list data/spu-candidates.txt Log: Lenny status triage: - multiple no-dsa - acidbase CVEfied - ocsinventory unimportant Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-01-27 18:30:52 UTC (rev 13931) +++ data/CVE/list 2010-01-27 18:34:28 UTC (rev 13932) @@ -6,8 +6,9 @@ - postgresql-8.4 <unfixed> NOTE: CVE id requested on oss-sec CVE-2010-XXXX [bozohttpd DoS on incomplete requests] - - bozohttpd <unfixed> (bug #566325) - TODO: check + - bozohttpd <unfixed> (low; bug #566325) + [lenny] - bozohttpd <no-dsa> (Minor issue) + [etch] - bozohttpd <no-dsa> (Minor issue) CVE-2010-XXXX [maradns null pointer dereference] - maradns <unfixed> (low) [lenny] - maradns <no-dsa> (minor issue) @@ -20,6 +21,7 @@ NOTE: http://osvdb.org/show/osvdb/61203 CVE-2010-XXXX [sqlite: info leak] - sqlite3 <unfixed> (low; bug #566326) + [lenny] - sqlite3 <no-dsa> (Minor information leak) CVE-2010-XXXX [backup-manager: make sure password is not written to world-readable files] - backup-manager <undetermined> (low) TODO: after next stable point release: [lenny] - backup-manager 0.7.7-2 @@ -130,7 +132,8 @@ CVE-2009-4614 (Multiple PHP remote file inclusion vulnerabilities in Moa Gallery ...) NOT-FOR-US: Moa Gallery CVE-2010-XXXX [zope standard_error_message XSS] - - zope2.10 <unfixed> + - zope2.10 <removed> (low) + [lenny] - zope2.10 <no-dsa> (Minor issue) - zope2.11 <removed> - zope2.9 <removed> NOTE: https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html @@ -502,10 +505,16 @@ NOT-FOR-US: Bftpd CVE-2009-4592 (Unspecified vulnerability in base_local_rules.php in Basic Analysis ...) - acidbase 1.4.4-1 + [lenny] - acidbase <no-dsa> (Minor issue) + [etch] - acidbase <no-dsa> (Minor issue) CVE-2009-4591 (SQL injection vulnerability in Basic Analysis and Security Engine ...) - acidbase 1.4.4-1 + [lenny] - acidbase <no-dsa> (Minor issue) + [etch] - acidbase <no-dsa> (Minor issue) CVE-2009-4590 (Cross-site scripting (XSS) vulnerability in base_local_rules.php in ...) - acidbase <unfixed> + [lenny] - acidbase <no-dsa> (Minor issue) + [etch] - acidbase <no-dsa> (Minor issue) NOTE: 1.4.5 fixed more XSS issues in this file TODO: report bug CVE-2009-4588 (Heap-based buffer overflow in the WindsPlayerIE.View.1 ActiveX control ...) @@ -1173,6 +1182,8 @@ - trac 0.11.6-1 CVE-2009-4404 (Unspecified vulnerability in t-prot (TOFU Protection) before 2.8 ...) - t-prot 2.8-1 (low) + [etch] - t-prot <no-dsa> (Minor issue) + [lenny] - t-prot <no-dsa> (Minor issue) CVE-2009-4403 (Cross-site scripting (XSS) vulnerability in index.php in Rumba XML 1.8 ...) NOT-FOR-US: Rumba XML CVE-2009-4402 (The default configuration of SQL-Ledger 2.8.24 allows remote attackers ...) @@ -1737,6 +1748,7 @@ TODO: next point update: [lenny] - xfs 1:1.0.8-2.2+lenny1 CVE-2009-XXXX [xserver-xorg: inherits user''s mask] - xorg-server 2:1.7.2-1 (low; bug #555308) + [lenny] - xorg-server <no-dsa> (Minor issue) CVE-2009-4296 (SQL injection vulnerability in the Taxonomy Timer module 5.x-1.8 and ...) NOT-FOR-US: Taxonomy Timer module for Drupal CVE-2009-4295 (Sun Ray Server Software 4.0 and 4.1 does not generate a unique DSA ...) @@ -3014,8 +3026,6 @@ - ghostscript <unfixed> (unimportant) - gs-gpl <removed> (unimportant) - xpdf <unfixed> (unimportant) -CVE-2009-XXXX [multiple vulnerabilities in acidbase; XSS + possible sql injection] - - acidbase 1.4.4-1 (bug #552235) CVE-2009-XXXX [multiple vulnerabilities in jetty] - jetty <unfixed> (unimportant; bug #553644) NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt @@ -6471,13 +6481,11 @@ CVE-2008-6974 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...) NOT-FOR-US: DD-WRT CVE-2009-3040 (Multiple SQL injection vulnerabilities in Open Computer and Software ...) - - ocsinventory-server 1.02.1-2 (low; bug #541995) - [lenny] - ocsinventory-server <no-dsa> (Minor issue) - NOTE: Authentication is needed + - ocsinventory-server 1.02.1-2 (unimportant; bug #541995) + NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2009-3042 (SQL injection vulnerability in machine.php in Open Computer and ...) - - ocsinventory-server 1.02.1-2 (low; bug #541995) - [lenny] - ocsinventory-server <no-dsa> (Minor issue) - NOTE: Authentication is needed + - ocsinventory-server 1.02.1-2 (unimportant; bug #541995) + NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2009-2763 RESERVED CVE-2009-XXXX [logrotate race condition could lead to file disclosure] @@ -10431,8 +10439,8 @@ CVE-2009-1444 (PHP remote file inclusion vulnerability in indexk.php in WebPortal CMS ...) NOT-FOR-US: WebPortal CMS CVE-2009-1443 (Multiple unspecified vulnerabilities in the Server component in OCS ...) - - ocsinventory-server 1.02-1 - NOTE: unspecified vulnerabilities, unknow impact + - ocsinventory-server 1.02-1 (unimportant) + NOTE: Only supported in trusted environments, see debtags CVE-2009-1442 (Multiple integer overflows in Skia, as used in Google Chrome 1.x ...) NOT-FOR-US: skia CVE-2009-1441 (Heap-based buffer overflow in the ParamTraits<SkBitmap>::Read function ...) @@ -16453,8 +16461,9 @@ CVE-2008-5661 (The IPv4 Forwarding feature in Sun Solaris 10 and OpenSolaris snv_47 ...) NOT-FOR-US: Sun Solaris CVE-2008-5659 (The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and ...) - - classpath 2:0.98-1 (bug #512532; medium) - - libgnucrypto-java <removed> (medium; bug #559789) + - classpath 2:0.98-1 (bug #512532; low) + - libgnucrypto-java <removed> (low; bug #559789) + [lenny] - libgnucrypto-java <no-dsa> (Minor issue) CVE-2008-5657 (CRLF injection vulnerability in Quassel Core before 0.3.0.3 allows ...) - quassel 0.2~rc1-1.1 (bug #506550) CVE-2008-5656 (Cross-site scripting (XSS) vulnerability in the frontend plugin for ...) @@ -18786,6 +18795,7 @@ - kadu 0.6.0.2-3 (low; bug #504429) - ekg 1:1.8~rc0-1 (low) - centerim 4.22.9-1 (low; bug #559782) + [lenny] - centerim <no-dsa> (Minor issue) - qutecom <not-affected> (does not use libgadu embed; bug #559784) CVE-2008-4769 (Directory traversal vulnerability in the get_category_template ...) {DSA-1871-2 DSA-1871-1} Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2010-01-27 18:30:52 UTC (rev 13931) +++ data/spu-candidates.txt 2010-01-27 18:34:28 UTC (rev 13932) @@ -6,6 +6,10 @@ -- +acidbase (CVE-2009-4590, CVE-2009-4591, CVE-2009-4592) + +-- + asterisk (CVE-2009-0041) #513413 notified maintainer @@ -45,6 +49,11 @@ -- +centerim (CVE-2008-4776) +#559782 + +-- + compiz-fusion-plugins-main (CVE-2008-6514) notified maintainer @@ -102,6 +111,11 @@ -- +libgnucrypto-java (CVE-2008-5659) +#559789 + +-- + gnutls26 (CVE-2009-1417) #531614 notified maintainer @@ -267,6 +281,10 @@ -- +t-prot (CVE-2009-4404) + +-- + net-snmp (CVE-2008-6123) Noah will see to it. @@ -350,6 +368,11 @@ -- +sqlite +#566326 + +-- + tau (CVE-2008-5157) #506348 notified maintainer @@ -412,7 +435,16 @@ -- +xserver-xorg (no CVE) +#555308 + +-- + ziproxy (CVE-2009-0804) #521051 notified maintainer +-- + +zope2.10 (no CVE) +https://mail.zope.org/pipermail/zope-announce/2010-January/002229.html