Author: gilbert-guest
Date: 2010-04-13 22:53:22 +0000 (Tue, 13 Apr 2010)
New Revision: 14473
Modified:
data/CVE/list
data/DSA/list
Log:
xulrunner triage; php4 removed
Modified: data/CVE/list
==================================================================---
data/CVE/list 2010-04-13 22:12:40 UTC (rev 14472)
+++ data/CVE/list 2010-04-13 22:53:22 UTC (rev 14473)
@@ -2702,10 +2702,10 @@
- cupsys <removed>
- cups 1.4.2-9.1
CVE-2009-4630 (Mozilla Necko, as used in Firefox, SeaMonkey, and other
applications, ...)
- - xulrunner <unfixed> (low)
+ - xulrunner 1.9.0.1-1 (low)
[etch] - xulrunner <not-affected> (dns prefetching implemented in
xulrunner 1.9.1)
[lenny] - xulrunner <not-affected> (dns prefetching implemented in
xulrunner 1.9.1)
- - iceape <unfixed> (low)
+ - iceape 2.0-1 (low)
[etch] - iceape <not-affected> (dns prefetching implemented in xulrunner
1.9.1)
[lenny] - iceape <not-affected> (dns prefetching implemented in
xulrunner 1.9.1)
NOTE: mozilla''s dns prefetching leads to disclosure of the
user''s network location
@@ -3397,7 +3397,7 @@
CVE-2010-0183
RESERVED
CVE-2010-0182 (The XMLDocument::load function in Mozilla Firefox before 3.5.9
and ...)
- - xulrunner <unfixed> (low)
+ - xulrunner 1.9.1.9-1 (low)
[lenny] - xulrunner <no-dsa> (Minor issue, no upstream fix for 3.0
series)
- iceape 2.0.4-1
- icedove 3.0.4-1
@@ -3448,23 +3448,44 @@
[lenny] - iceape <not-affected> (Only a stub package)
[lenny] - xulrunner <not-affected> (Only affects Firefox >= 3.5)
CVE-2010-0172 (toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in
the ...)
- TODO: check
+ - xulrunner <not-affected> (vulnerable code introduced in firefox 3.6)
+ - iceape <not-affected> (vulnerable code introduced in firefox 3.6)
+ NOTE: recheck when versions based on firefox 3.6 get uploaded
CVE-2010-0171 (Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and
3.6.x ...)
- TODO: check
+ - xulrunner 1.9.1.8-1
+ - iceape 2.0.3-1
+ [lenny] - iceape <not-affected> (Lenny package only provide xpcom stubs)
+ - icedove 3.0.2-1
CVE-2010-0170 (Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the
expected ...)
- TODO: check
+ - xulrunner <not-affected> (vulnerable code introduced in firefox 3.6)
+ - iceape <not-affected> (vulnerable code introduced in firefox 3.6)
+ NOTE: recheck when versions based on firefox 3.6 get uploaded
CVE-2010-0169 (The CSSLoaderImpl::DoSheetComplete function in ...)
- TODO: check
+ - xulrunner 1.9.1.8-1
+ - iceape 2.0.3-1
+ [lenny] - iceape <not-affected> (Lenny package only provide xpcom stubs)
+ - icedove 3.0.2-1
CVE-2010-0168 (The nsDocument::MaybePreLoadImage function in ...)
- TODO: check
+ - xulrunner <not-affected> (vulnerable code introduced in firefox 3.6)
+ - iceape <not-affected> (vulnerable code introduced in firefox 3.6)
+ NOTE: recheck when versions based on firefox 3.6 get uploaded
CVE-2010-0167 (The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x
...)
- TODO: check
+ - xulrunner 1.9.1.8-1
+ - iceape 2.0.3-1
+ [lenny] - iceape <not-affected> (Lenny package only provide xpcom stubs)
+ - icedove 3.0.2-1
CVE-2010-0166 (The gfxTextRun::SanitizeGlyphRuns function in ...)
- TODO: check
+ - xulrunner <not-affected> (vulnerable code introduced in firefox 3.6)
+ - iceape <not-affected> (vulnerable code introduced in firefox 3.6)
+ NOTE: recheck when versions based on firefox 3.6 get uploaded
CVE-2010-0165 (The TraceRecorder::traverseScopeChain function in
js/src/jstracer.cpp ...)
- TODO: check
+ - xulrunner <not-affected> (vulnerable code introduced in firefox 3.6)
+ - iceape <not-affected> (vulnerable code introduced in firefox 3.6)
+ NOTE: recheck when versions based on firefox 3.6 get uploaded
CVE-2010-0164 (Use-after-free vulnerability in the ...)
- TODO: check
+ - xulrunner <not-affected> (vulnerable code introduced in firefox 3.6)
+ - iceape <not-affected> (vulnerable code introduced in firefox 3.6)
+ NOTE: recheck when versions based on firefox 3.6 get uploaded
CVE-2010-0163 (Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19
...)
{DSA-2025-1}
- icedove <unfixed> (medium)
@@ -3475,7 +3496,9 @@
- iceape 2.0.3-1
[lenny] - iceape <not-affected> (Lenny package only provide xpcom stubs)
CVE-2010-0161 (The nsAuthSSPI::Unwrap function in
extensions/auth/nsAuthSSPI.cpp in ...)
- TODO: check
+ - xulrunner 1.9.1.8-1
+ - iceape 2.0.3-1
+ [lenny] - iceape <not-affected> (Lenny package only provide xpcom stubs)
CVE-2010-0160 (The Web Worker functionality in Mozilla Firefox 3.0.x before
3.0.18 ...)
- xulrunner 1.9.1.8-1
[etch] - xulrunner <not-affected> (web workers introduced in gecko
1.9.1)
@@ -7200,7 +7223,9 @@
- bugzilla <not-affected> (Only 3.3 onwards are affected)
TODO: recheck, once a more recent (3.3.x or 3.4.x) version has been uploaded
CVE-2009-3385 (The mail component in Mozilla SeaMonkey before 1.1.19 does not
...)
- TODO: check
+ - xulrunner 1.9.0.15-1
+ - iceape 2.0-1
+ [lenny] - iceape <not-affected> (stub package)
CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari
before ...)
- webkit 1.1.17-2 (medium; bug #559759)
- qt4-x11 <undetermined> (bug #561760)
@@ -7452,7 +7477,6 @@
NOTE: a missing limit on the nesting level of TIFF files, and
NOTE: missing EOF checks, possibly leading to NULL dereferences
NOTE: experimental is likely to be affected (as of 5.3.0)
- TODO: check php4
CVE-2009-3291 (The php_openssl_apply_verification_policy function in PHP before
...)
{DSA-1940-1}
- php5 5.2.11.dfsg.1-1 (low)
@@ -7461,7 +7485,6 @@
NOTE: seems to be related to handling of \0 on CN
NOTE: not worth a dsa on its own, php doesn''t verify certificates by
default
NOTE: experimental is likely to be affected (as of 5.3.0)
- TODO: check php4
CVE-2009-3289 (The g_file_copy function in glib 2.0 sets the permissions of a
target ...)
- glib2.0 2.22.0-1 (low)
[lenny] - glib2.0 2.16.6-3
@@ -9755,7 +9778,6 @@
{DSA-1940-1}
- php5 5.2.11.dfsg.1-1 (low; bug #540605)
[etch] - php5 <no-dsa> (too risky to fix it there)
- TODO: check php4
NOTE: requires the script itself to set and then restore a config var
CVE-2009-XXXX [php5: ''open_basedir'' bypass]
- php5 <unfixed> (unimportant; bug #540606)
Modified: data/DSA/list
==================================================================---
data/DSA/list 2010-04-13 22:12:40 UTC (rev 14472)
+++ data/DSA/list 2010-04-13 22:53:22 UTC (rev 14473)
@@ -97,7 +97,7 @@
{CVE-2009-4631 CVE-2009-4632 CVE-2009-4633 CVE-2009-4634 CVE-2009-4635
CVE-2009-4636 CVE-2009-4637 CVE-2009-4638 CVE-2009-4640}
[lenny] - ffmpeg-debian 0.svn20080206-18+lenny1
[18 Feb 2010] DSA-1999-1 xulrunner - several vulnerabilities
- {CVE-2009-1571 CVE-2009-3988 CVE-2010-0159 CVE-2010-0162}
+ {CVE-2009-1571 CVE-2009-3988 CVE-2010-0159 CVE-2010-0162 CVE-2010-0167
CVE-2010-0169 CVE-2010-0171}
[lenny] - xulrunner 1.9.0.18-1
[17 Feb 2010] DSA-1998-1 kdelibs - arbitrary code execution
{CVE-2009-0689}
@@ -397,7 +397,7 @@
[etch] - libhtml-parser-perl 3.55-1+etch1
[lenny] - libhtml-parser-perl 3.56-1+lenny1
[28 Oct 2009] DSA-1922-1 xulrunner - several vulnerabilities
- {CVE-2009-3007 CVE-2009-3274 CVE-2009-3370 CVE-2009-3372 CVE-2009-3373
CVE-2009-3374 CVE-2009-3375 CVE-2009-3376 CVE-2009-3380 CVE-2009-3382}
+ {CVE-2009-3007 CVE-2009-3274 CVE-2009-3370 CVE-2009-3372 CVE-2009-3373
CVE-2009-3374 CVE-2009-3375 CVE-2009-3376 CVE-2009-3380 CVE-2009-3382
CVE-2009-3385}
[lenny] - xulrunner 1.9.0.15-0lenny1
[28 Oct 2009] DSA-1921-1 expat - denial of service
{CVE-2009-3720}