thr3ads.net - Secure testing commits - [Secure-testing-commits] r15387

If this information is useful, please help other people find it:
Share via:
Moritz Muehlenhoff
2010-Sep-29 17:27 UTC
[Secure-testing-commits] r15387 - in data: . CVE DSA

Author: jmm-guest
Date: 2010-09-29 17:26:54 +0000 (Wed, 29 Sep 2010)
New Revision: 15387

Modified:
   data/CVE/list
   data/DSA/list
   data/spu-candidates.txt
Log:
- multiple CVE IDs assigned for typo3 DSA
- ardour and brostol fixed and no-dsa for Lenny
- new Chromium/Webkit issue
- NFUs

Further cleanups of issues w/o a CVE ID:
- remove /dev/mem entry, this is a hardening feature not a vulnerability
- remove gmanedit and warzone entries, not a vulnerability as config
  files are under local control
- remove duplicated piwigo entry


Modified: data/CVE/list
==================================================================---
data/CVE/list	2010-09-29 06:41:11 UTC (rev 15386)
+++ data/CVE/list	2010-09-29 17:26:54 UTC (rev 15387)
@@ -1,3 +1,35 @@
+CVE-2010-3659 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3660 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3661 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3662 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3663 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3664 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3665 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3666 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3667 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3668 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3669 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3670 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3671 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3672 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3673 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
+CVE-2010-3674 [Multiple security issues]
+	- typo3-src 4.3.5-1 (bug #590719)
 CVE-2010-XXXX [wireshark: BER dissector]
 	- wireshark <unfixed> (low)
 	[lenny] - wireshark <no-dsa> (Only leads to a crash)
@@ -501,8 +533,10 @@
 	NOTE: see 4C88DB97.1060602 at redhat.com for details
 CVE-2010-3400 (The js_InitRandom function in the JavaScript implementation in
Mozilla ...)
 	TODO: check
+	NOTE: These will likely be rejected, Mozilla people will clarify with MITRE
 CVE-2010-3399 (The js_InitRandom function in the JavaScript implementation in
Mozilla ...)
 	TODO: check
+	NOTE: These will likely be rejected, Mozilla people will clarify with MITRE
 CVE-2010-3398 (Unspecified vulnerability in the webcontainer implementation in
IBM ...)
 	NOT-FOR-US: IBM Lotus Sametime Connect
 CVE-2010-3397 (Untrusted search path vulnerability in PGP Desktop 9.9.0 Build
397, ...)
@@ -635,13 +669,15 @@
 	RESERVED
 CVE-2010-3351
 	RESERVED
-	- bristol <unfixed> (bug #598285)
+	- bristol 0.60.5-2 (bug #598285)
+	[lenny] - bristol <no-dsa> (Minor issue)
 CVE-2010-3350
 	RESERVED
 	- bareftp <unfixed> (bug #598284)
 CVE-2010-3349
 	RESERVED
-	- ardour <unfixed> (bug #598282)
+	- ardour 1:2.8.11-2 (low; bug #598282)
+	[lenny] - ardour <no-dsa> (Minor issue)
 CVE-2010-3348
 	RESERVED
 CVE-2010-3347
@@ -797,10 +833,6 @@
 	TODO: check
 CVE-2010-3279 (The default configuration of the CCAgent option before 9.0.8.4
in the ...)
 	TODO: check
-CVE-2010-XXXX [piwigo multiple vulnerabilities]
-	- piwigo <unfixed>
-	TODO: check, secunia only reported the XSS one
-	NOTE: http://www.exploit-db.com/exploits/14973/
 CVE-2010-3294 (Cross-site scripting (XSS) vulnerability in apc.php in the
Alternative ...)
 	- php-apc <unfixed> (unimportant)
 	NOTE: vulnerable script is, mainly, for debugging purposes
@@ -1620,7 +1652,6 @@
 	- libmikmod 3.1.11-6.3
 CVE-2010-2970 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin
1.9.x ...)
 	- moin 1.9.3-1 (low)
-	TODO: check
 CVE-2010-2969 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin
1.7.3 ...)
 	- moin <undetermined>
 	TODO: check
@@ -1810,9 +1841,6 @@
 	- chromium-browser 5.0.375.125~r53311-1
 CVE-2010-2896 (IBM FileNet Content Manager (CM) 4.0.0, 4.0.1, 4.5.0, and 4.5.1
before ...)
 	NOT-FOR-US: IBM FileNet Content Manager
-CVE-2010-XXXX [Multiple security issues]
-	- typo3-src 4.3.5-1 (bug #590719)
-	[lenny] - typo3-src 4.2.5-1+lenny4
 CVE-2010-XXXX [flaw that allows unsigned code to access any file on the machine
(accessible to the user) and write to it.]
 	- openjdk-6  6b18-1.8.1-1
 CVE-2010-XXXX [flaw in NetX that allows arbitrary unsigned apps to set any java
property]
@@ -1970,23 +1998,23 @@
 CVE-2010-2837 (The SIPStationInit implementation in Cisco Unified
Communications ...)
 	NOT-FOR-US: Cisco
 CVE-2010-2836 (Memory leak in the SSL VPN feature in Cisco IOS 12.4, 15.0, and
15.1, ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2835 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE
2.5.x ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2834 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE
2.5.x ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2833 (Unspecified vulnerability in the NAT for H.225.0 implementation
in ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2832 (Unspecified vulnerability in the NAT for H.323 implementation in
Cisco ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2831 (Unspecified vulnerability in the NAT for SIP implementation in
Cisco ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2830 (The IGMPv3 implementation in Cisco IOS 12.2, 12.3, 12.4, and
15.0 and ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2829 (Unspecified vulnerability in the H.323 implementation in Cisco
IOS ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2828 (Unspecified vulnerability in the H.323 implementation in Cisco
IOS ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2010-2827 (Cisco IOS 15.1(2)T allows remote attackers to cause a denial of
...)
 	NOT-FOR-US: Cisco
 CVE-2010-2826 (SQL injection vulnerability in Cisco Wireless Control System
(WCS) ...)
@@ -4641,11 +4669,14 @@
 CVE-2010-1826
 	RESERVED
 CVE-2010-1825 (Use-after-free vulnerability in WebKit, as used in Google Chrome
...)
-	TODO: check
+	- webkit <undetermined>
+	- chromium-browser <undetermined>
 CVE-2010-1824 (Use-after-free vulnerability in WebKit, as used in Google Chrome
...)
-	TODO: check
+	- webkit <undetermined>
+	- chromium-browser <undetermined>
 CVE-2010-1823 (Use-after-free vulnerability in WebKit before r65958, as used in
...)
-	TODO: check
+	- webkit <undetermined>
+	- chromium-browser <undetermined>
 CVE-2010-1822
 	RESERVED
 CVE-2010-1821
@@ -7769,11 +7800,6 @@
 CVE-2010-XXXX [argyll unsafe udev rules]
 	- argyll <not-affected> (issue with redhat-specific changes to the
package)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=560050
-CVE-2010-XXXX [warzone2100 stack overflow]
-	- warzone2100 <undetermined> (unimportant)
-	NOTE: https://bugs.launchpad.net/ubuntu/+source/warzone2100/+bug/520432
-	NOTE: supposedly fixed in version 2.3
-	NOTE: Triggered through config files, not a security issue
 CVE-2010-2473 [Blocked user session regeneration]
 	RESERVED
 	{DSA-2016-1}
@@ -20290,11 +20316,6 @@
 	NOT-FOR-US: Sun Java System Directory Server
 CVE-2009-1331 (Integer overflow in Microsoft Windows Media Player (WMP) ...)
 	NOT-FOR-US: Windows Media Player
-CVE-2009-XXXX [linux-2.6: /dev/mem rootkit vulnerability]
-	- linux-2.6 2.6.29-1 (unimportant; bug #524373)
-	[etch] - linux-2.6 <no-dsa> (the solution, STRICT_DEVMEM=Y, could
potentially lead to unanticipated compatibility problems in the stable releases)
-	[lenny] - linux-2.6 <no-dsa> (the solution, STRICT_DEVMEM=Y, could
potentially lead to unanticipated compatiblity problems in the stable releases)
-	NOTE: This is about an additional hardening feature, not a security issue
 CVE-2009-XXXX [pptp-linux: unrestrictive pptpsetup permissions]
 	- pptp-linux 1.7.2-3 (low; bug #523476)
 	[lenny] - pptp-linux <no-dsa> (Minor issue)
@@ -30423,9 +30444,6 @@
 CVE-2008-3914 (Multiple unspecified vulnerabilities in ClamAV before 0.94 have
...)
 	{DSA-1660-1}
 	- clamav 0.94.dfsg-1
-CVE-2008-XXXX [buffer overflow via crafted configuration file (COMMAND)]
-	- gmanedit 0.4.1-1.1 (unimportant; bug #497835)
-	NOTE: you can execute commands via this with a valid configuration string
anyway
 CVE-2008-3934 (Unspecified vulnerability in Wireshark (formerly Ethereal)
0.99.6 ...)
 	{DTSA-167-1}
 	- wireshark 1.0.3-1 (bug #497878)

Modified: data/DSA/list
==================================================================---
data/DSA/list	2010-09-29 06:41:11 UTC (rev 15386)
+++ data/DSA/list	2010-09-29 17:26:54 UTC (rev 15387)
@@ -50,6 +50,7 @@
 	{CVE-2010-2935 CVE-2010-2936}
 	[lenny] - openoffice.org 1:2.4.1+dfsg-1+lenny8
 [29 Aug 2010] DSA-2098-1 typo3-src - several vulnerabilities
+	{CVE-2010-3659 CVE-2010-3660 CVE-2010-3661 CVE-2010-3662 CVE-2010-3663
CVE-2010-3664 CVE-2010-3665 CVE-2010-3666 CVE-2010-3667 CVE-2010-3668
CVE-2010-3669 CVE-2010-3670 CVE-2010-3671 CVE-2010-3672 CVE-2010-3673
CVE-2010-3674}
 	[lenny] - typo3-src 4.2.5-1+lenny4
 [29 Aug 2010] DSA-2097-1 phpmyadmin - several vulnerabilities
 	{CVE-2010-3055 CVE-2010-3056}

Modified: data/spu-candidates.txt
==================================================================---
data/spu-candidates.txt	2010-09-29 06:41:11 UTC (rev 15386)
+++ data/spu-candidates.txt	2010-09-29 17:26:54 UTC (rev 15387)
@@ -26,6 +26,11 @@
 
 --
 
+ardour (CVE-2010-3349)
+#598282
+
+--
+
 asterisk (CVE-2009-0041)
 #513413
 notified maintainer
@@ -48,6 +53,11 @@
 
 --
 
+bristol (CVE-2010-3351)
+#598285
+
+--
+
 bugzilla (CVE-2009-0481 to CVE-2009-0485)
 notified maintainer
Secure testing commits - Sep 2010 - r15387 - in data: . CVE DSA

[Secure-testing-commits] r15387 - in data: . CVE DSA
