Moritz Muehlenhoff
2010-Sep-27 16:32 UTC
[Secure-testing-commits] r15377 - in data: . CVE DSA
Author: jmm-guest
Date: 2010-09-27 16:32:43 +0000 (Mon, 27 Sep 2010)
New Revision: 15377
Modified:
data/CVE/list
data/DSA/list
data/next-point-update.txt
Log:
- add git-core DSA
- kvm fixed in next point update
- add missing epochs
- several CVE IDs are being requested, cleanup a few
entries:
remove vlc dupe, already tracked CVE-2010-2062
remove phpldapadmin entry, not a direct vulnerability, just a
violation of our PHP security policies
remove webkit/dns lookup bug, not a security issue
remove sudo config issue, not a security issue, just a wish for
different default configuration
remove greylistd issue, not a security issue
remove network-manager issue, a lack of a security feature, not
a vulnerability
remove kupfer issue, not a vulnerability
Modified: data/CVE/list
==================================================================---
data/CVE/list 2010-09-27 09:47:24 UTC (rev 15376)
+++ data/CVE/list 2010-09-27 16:32:43 UTC (rev 15377)
@@ -341,18 +341,10 @@
- mingetty 1.07-2 (medium; bug #597382)
CVE-2010-XXXX [config file world readable]
- sabnzbdplus 0.5.4-1 (low; bug #593829)
-CVE-2010-XXXX [pin shown locally in cleartext]
- - network-manager <unfixed> (low; bug #592364)
CVE-2010-XXXX [signature verification issue]
- dpkg 1.15.1 (unimportant; bug #592115)
-CVE-2010-XXXX [recipient domain checks in exim acl]
- - greylistd 0.8.7+nmu2 (low; bug #591678)
CVE-2008-XXXX [greylistd bypass]
- greylistd 0.8.7+nmu2 (low; bug #464084)
-CVE-2010-XXXX [stores passwords in cleartext converted to base64]
- - kupfer 0+v201-2 (medium; bug #598288)
-CVE-2010-XXXX [register_globals needs to be turned off]
- - phpldapadmin 1.2.0.5-1.1 (low; bug #587536)
CVE-2010-XXXX [numpy memory corruption]
- python-numpy <unfixed> (medium; bug #581058)
NOTE: http://projects.scipy.org/numpy/changeset/8364
@@ -2707,7 +2699,6 @@
- cacti 0.8.7g-1
CVE-2010-2542 (Stack-based buffer overflow in the is_git_directory function in
...)
- git-core 1:1.7.1-1.1 (low; bug #590026)
- [lenny] - git-core 1:1.5.6.5-3+lenny3.1
CVE-2010-2541 (Buffer overflow in ftmulti.c in the ftmulti demo program in
FreeType ...)
{DSA-2105-1}
- freetype 2.4.2-1 (low)
@@ -6023,10 +6014,6 @@
CVE-2010-2449 [gource: predictable log file located in /tmp]
RESERVED
- gource 0.26-2 (low; bug #577958)
-CVE-2010-XXXX [webkit: lots of dns lookups]
- - webkit <unfixed> (unimportant; bug #578019)
- NOTE: i find it questionable whether this is really a security issue...
- NOTE: iceweasel behaves the same way...it''s probably the page caching
feature
CVE-2010-1564
REJECTED
CVE-2010-1372 (SQL injection vulnerability in the HD FLV Player
(com_hdflvplayer) ...)
@@ -7671,9 +7658,6 @@
NOT-FOR-US: Xerver
CVE-2009-4656 (Stack-based buffer overflow in E-Soft DJ Studio Pro 4.2
including ...)
NOT-FOR-US: E-Soft DJ Studio Pro
-CVE-2010-XXXX [sudo weakness]
- - sudo <unfixed> (unimportant; bug #567614)
- NOTE: Hardening configuration option, not a vulnerability
CVE-2010-XXXX [esmtp: world-readable config file]
- esmtp 1.2-3 (unimportant; bug #568925)
NOTE: Documentation advises against adding password data to the respective
config file
@@ -8237,7 +8221,7 @@
CVE-2009-4643 (Stack-based buffer overflow in dsInstallerService.dll in the
Juniper ...)
NOT-FOR-US: Juniper Installer Service
CVE-2009-XXXX [ffmpeg vulnerabilities]
- - ffmpeg 0.5.1-1 (medium; bug #570713; bug #550442)
+ - ffmpeg 4:0.5.1-1 (medium; bug #570713; bug #550442)
- ffmpeg-debian <removed> (medium)
CVE-2010-XXXX [dillo improper restriction of path in cookies]
- dillo <removed>
@@ -16304,15 +16288,6 @@
NOT-FOR-US: MDaemon WorldClient
CVE-2008-6892 (SQL injection vulnerability in lire/index.php in Peel 3.1 allows
...)
NOT-FOR-US: Peel
-CVE-2009-XXXX [VLC: integer underflow in Real RTSP]
- - vlc 1.0.1-1
- [lenny] - vlc 0.8.6.h-4+lenny2.3
- - mplayer 2:1.0~rc3+svn20100502-3 (medium; bug #581245)
- [lenny] - mplayer 1.0~rc2-17+lenny3.2
- - xine-lib <not-affected> (immune due to additional check in
xio_rw_abbort())
- NOTE:
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=dc74600c97eb834c08674676e209afa842053aca
- NOTE:
http://dzcore.wordpress.com/2009/07/27/dzc-2009-001-the-movie-player-and-vlc-media-player-real-data-transport-parsing-integer-underflow/
- NOTE: DSA-2043 and DSA-2044
CVE-2009-2655 (mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP
SP3 ...)
NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2654 (Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows
remote ...)
@@ -20190,7 +20165,7 @@
CVE-2008-6727 (Cross-site scripting (XSS) vulnerability in Ultimate PHP Board
(UPB) ...)
NOT-FOR-US: Ultimate PHP Board
CVE-2009-XXXX [git-core in Debian has non-root-owned files under /usr]
- - git-core 1.6.2.1-1 (bug #516669)
+ - git-core 1:1.6.2.1-1 (bug #516669)
CVE-2009-1341 (Memory leak in the dequote_bytea function in quote.c in the
DBD::Pg ...)
{DSA-1780-1}
- libdbd-pg-perl 2.1.3-1
@@ -73706,7 +73681,7 @@
- linux-2.6 2.6.15-1
- kernel-source-2.4.27 <not-affected> (2.4''s proc_file_lseek
contains a sanity check)
CVE-2005-XXXX [xshisen follows symlinks for shared gid games files]
- - xshisen 1.51-1-1.2 (bug #291613)
+ - xshisen 1:1.51-1-1.2 (bug #291613)
CVE-2006-0062 [Potential xlockmore bypass]
RESERVED
- xlockmore 1:5.13-2.1 (bug #309760)
Modified: data/DSA/list
==================================================================---
data/DSA/list 2010-09-27 09:47:24 UTC (rev 15376)
+++ data/DSA/list 2010-09-27 16:32:43 UTC (rev 15377)
@@ -1,3 +1,6 @@
+[26 Sep 2010] DSA-2114-1 git-core
+ {CVE-2010-2542}
+ [lenny] - git-core 1:1.5.6.5-3+lenny4
[20 Sep 2010] DSA-2113-1 drupal6 - several vulnerabilities
{CVE-2010-3091 CVE-2010-3092 CVE-2010-3093 CVE-2010-3094}
[lenny] - drupal6 6.6-3lenny6
Modified: data/next-point-update.txt
==================================================================---
data/next-point-update.txt 2010-09-27 09:47:24 UTC (rev 15376)
+++ data/next-point-update.txt 2010-09-27 16:32:43 UTC (rev 15377)
@@ -6,4 +6,7 @@
[lenny] - xen-tools 3.9-4+lenny1
CVE-2010-2574
[lenny] - mantis 1.1.6+dfsg-2lenny2
+CVE-2010-2784
+ [lenny] - kvm 72+dfsg-5~lenny6
+