Author: jmm-guest
Date: 2010-06-04 17:30:30 +0000 (Fri, 04 Jun 2010)
New Revision: 14797
Modified:
data/CVE/list
Log:
"Unfixed in sid" cleanup:
- aircrack-ng, shibboleth-sp2 fixed
- asterisk design issue fixed by documenting best practices
- remove duped asterisk entry, already tracked as CVE-2010-2214
- marking fcron as unimportant, limited by system groups
- mark two older Mozilla issues as unimportant; the impact is
negligable
- kdegraphics from KDE 4.4 uses Okular which links dynamically
against poppler
- linux-ftpd not-affected
Modified: data/CVE/list
==================================================================---
data/CVE/list 2010-06-04 15:13:34 UTC (rev 14796)
+++ data/CVE/list 2010-06-04 17:30:30 UTC (rev 14797)
@@ -2205,7 +2205,7 @@
NOTE: http://git.kernel.org/linus/b525c06cdbd8a3963f0173ccd23f9147d4c384b5
CVE-2010-1159 [aircrack-ng EAPOL buffer overflow]
RESERVED
- - aircrack-ng <unfixed> (low; bug #577758)
+ - aircrack-ng 1:1.1-1 (low; bug #577758)
[lenny] - aircrack-ng <no-dsa> (low)
[etch] - aircrack-ng <no-dsa> (low)
NOTE: http://pyrit.googlecode.com/svn/tags/opt/aircrackng_exploit.py
@@ -3517,7 +3517,7 @@
CVE-2010-XXXX [irssi emote leak]
- irssi-plugin-otr <unfixed> (unimportant; bug #569506)
CVE-2010-XXXX [shibboleth-sp2: world-readable key]
- - shibboleth-sp2 <unfixed> (low; bug #571631)
+ - shibboleth-sp2 2.3.1+dfsg-2 (low; bug #571631)
[lenny] - shibboleth-sp2 <no-dsa> (Minor issue)
- shibboleth-sp <not-affected> (Vulnerable code not present)
CVE-2010-1192 (libESMTP, probably 1.0.4 and earlier, does not properly handle a
''\0'' ...)
@@ -3539,8 +3539,7 @@
[lenny] - drupal6 6.6-3lenny5
NOTE: http://drupal.org/node/731710
CVE-2010-XXXX [linux-ftpd: null ptr dereference]
- - linux-ftpd <unfixed> (low; bug #572813)
- [lenny] - linux-ftpd <no-dsa> (Minor issue)
+ - linux-ftpd <not-affected> (Performs proper length checks, see #572813)
CVE-2010-0824
RESERVED
CVE-2010-0823
@@ -3607,9 +3606,9 @@
{DSA-2049-1}
- barnowl 1.5.1-1 (bug #574418)
CVE-2010-0792 (fcrontab in fcron before 3.0.5 allows local users to read
arbitrary ...)
- - fcron <unfixed> (low; bug #572587)
- [lenny] - fcron <no-dsa> (Minor issue)
- NOTE: http://seclists.org/fulldisclosure/2010/Mar/97
+ - fcron <unfixed> (unimportant; bug #572587)
+ NOTE: On Debian runs suid/sgid fcron and the issue is limited to the exposure
+ NOTE: of the content of crontabs
CVE-2010-0791 (The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in
ncpfs ...)
- ncpfs 2.2.6-7 (bug #572937)
[lenny] - ncpfs <no-dsa> (Minor issue)
@@ -3876,7 +3875,8 @@
CVE-2010-0686 (WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server
2.0, ...)
NOT-FOR-US: VMware Server
CVE-2010-0685 (The design of the dialplan functionality in Asterisk Open Source
...)
- - asterisk <unfixed>
+ - asterisk 1:1.6.2.6-1
+ NOTE: Design limitation documented in that version
[lenny] - asterisk <no-dsa> (Unfixable design issue, best practice docs
need to be followed)
[squeeze] - asterisk <no-dsa> (Unfixable design issue, best practice
docs need to be followed)
CVE-2010-0684 (Cross-site scripting (XSS) vulnerability in
createDestination.action ...)
@@ -3886,9 +3886,6 @@
CVE-2010-0682 (WordPress 2.9 before 2.9.2 allows remote authenticated users to
read ...)
- wordpress 2.9.2-1 (low)
[lenny] - wordpress <not-affected> (Only affects Wordpress >= 2.9)
-CVE-2010-XXXX [http://downloads.digium.com/pub/security/AST-2010-003.pdf]
- - asterisk <unfixed>
- [lenny] - asterisk <not-affected> (Only affects Asterisk 1.6)
CVE-2010-XXXX [multiple typo issues]
- typo3-src 4.3.2-1 (bug #571151)
[lenny] - typo3-src 4.2.5-1+lenny3
@@ -4732,14 +4729,12 @@
[lenny] - iceape <not-affected> (dns prefetching implemented in
xulrunner 1.9.1)
NOTE: mozilla''s dns prefetching leads to disclosure of the
user''s network location
CVE-2009-4629 (Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and
other ...)
- - icedove 3.0.2-1 (low)
+ - icedove 3.0.2-1 (unimportant)
[etch] - icedove <not-affected> (dns prefetching implemented in
xulrunner 1.9.1)
[lenny] - icedove <not-affected> (dns prefetching implemented in
xulrunner 1.9.1)
- - iceape <unfixed> (low)
+ - iceape <unfixed> (unimportant)
[etch] - iceape <not-affected> (dns prefetching implemented in xulrunner
1.9.1)
[lenny] - iceape <not-affected> (dns prefetching implemented in
xulrunner 1.9.1)
- NOTE: mozilla''s dns prefetching leads to disclosure of the
user''s network location
- TODO: this may be unimportant since mozilla has chosen to ignore the issue
CVE-2005-4885 (Unspecified vulnerability on certain Sun StorEdge 6130 (SE6130)
...)
NOT-FOR-US: Sun StorEdge 6130
CVE-2004-2766 (Webmail in Sun ONE Messaging Server 6.1 and iPlanet Messaging
Server ...)
@@ -20743,9 +20738,8 @@
CVE-2008-5914 (An unspecified function in the JavaScript implementation in
Apple ...)
NOT-FOR-US: Apple
CVE-2008-5913 (An unspecified function in the JavaScript implementation in
Mozilla ...)
- - xulrunner <unfixed> (low; bug #559792)
- [lenny] - xulrunner <no-dsa> (Minor issue)
- - iceape <unfixed>
+ - xulrunner <unfixed> (unimportant; bug #559792)
+ - iceape <unfixed> (unimportant)
[lenny] - iceape <not-affected> (Just a stub package)
NOTE: fixed upstream
https://bugzilla.mozilla.org/show_bug.cgi?id=cve-2008-5913
TODO: check next set of MFSA''s
@@ -20786,7 +20780,7 @@
{DSA-1793-1 DSA-1790-1}
- xpdf 3.02-1.4+lenny1 (low; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- - kdegraphics <unfixed> (low; bug #528369)
+ - kdegraphics 4:4.0 (low; bug #528369)
CVE-2009-0164 (The web interface for CUPS before 1.3.10 does not validate the
HTTP ...)
- cups 1.3.10-1 (low)
[lenny] - cups <no-dsa> (Minor issue, needs several prerequirements for
attack)