Author: geissert Date: 2010-09-30 18:09:37 +0000 (Thu, 30 Sep 2010) New Revision: 15401 Removed: data/open-issues.txt data/resources Modified: data/ospu-candidates.txt data/package-tags Log: some cleanup, removing etch (and older or unmaintained) stuff Deleted: data/open-issues.txt ==================================================================--- data/open-issues.txt 2010-09-30 10:15:34 UTC (rev 15400) +++ data/open-issues.txt 2010-09-30 18:09:37 UTC (rev 15401) @@ -1,32 +0,0 @@ -=== none - -From the graphicsmagick 1.1.7-1 upload: - - * magick/constitute.c: Apply upstream fix for potential NULL pointer - dereference in ReadImage(). - -Does this have a CVE name? -Does it affect imagemagick? - -=== jmm - -tikiwiki has been uploaded to the archive a month ago. All previous issues -in it should be reviewed, whether they''re fixed and CVE/list updated -accordingly. - -=== none - -From the freewheeling 0.5pre4-5 upload: - . - * Fixes various gcc-4.0 warnings (uninitialised variables, non-void - functions never returning, wrong printf format strings) - * Fixed 2 buffer overflows in fweelin_core_dsp.cc - -Are any of these exploitable issues? - -=== none - -ffmpeg creates libavcodec only statically. It should be evaluated if there''s -really a compelling reason, as it requires massive recompiles for every security -update. If upstream is reluctant this could be done locally for Etch at least. - Modified: data/ospu-candidates.txt ==================================================================--- data/ospu-candidates.txt 2010-09-30 10:15:34 UTC (rev 15400) +++ data/ospu-candidates.txt 2010-09-30 18:09:37 UTC (rev 15401) 
@@ -2,967 +2,3 @@ but which could be fixed in a oldstable point update if people feel like it. If someone wants to address these, please add a note about it and get in contact with debian-release at lists.debian.org - --- - -acidbase (CVE-2007-5578) -notified maintainer - --- - -aegis (CVE-2008-4938) -#496400 -notified maintainer - --- - -apertium (CVE-2008-4939) -#496395 -notified maintainer - --- - -asterisk (CVE-2009-0041) -#513413 -notified maintainer - -CVE-2008-3903 -#522528 -notified maintainer - --- - -audacity (CVE-2007-6061) -http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453283 -notified maintainer - --- - -auctex (no CVE) -#506961 -notified maintainer - --- - -audiolink (CVE-2008-4942) -#496433 -notified maintainer - --- - -avahi (CVE-2009-0758) -#517683 -notified maintainer - --- - -aview (CVE-2008-4935) -#496422 -notified maintainer - --- - -backuppc (CVE-2009-3369) -#542218 -notified maintainer - --- - -beagle (CVE-2005-4791) -notified maintainer - --- - -blam (CVE-2005-4791) -notified maintainer - --- - -bluez-libs/bluez-utils (CVE-2008-2374) -https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2374 -notified maintainer - --- - -boost (CVE-2008-0172/CVE-2008-0171) -#461236 -notified maintainer - --- - -bugzilla (CVE-2008-2103) -#480190 -notified maintainer - -CVE-2008-4437 -#502019 -notified maintainer - -bugzilla (CVE-2009-0481 to CVE-2009-0485) -notified maintainer - --- - -burn: (no CVE yet) -#542329 -notified maintainer through bug report - --- - -byacc (CVE-2008-3196) -#491182 -notified maintainer - --- - -bzip2 (CVE-2008-1372) -#471670 -Maintainer has been notified - --- - -cdcontrol -#496438 -notified maintainer - --- - -cdrw-taper (CVE-2008-4945) -#496380 -notified maintainer - --- - -cecilia (CVE-2008-1832) -#476321 -notified maintainer - --- - -chillispot -#500181 -notified maintainer - --- - -comix (CVE-2008-1568) -#462840 -notified maintainer - --- - -cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked 
-#528434 -notified maintainer - --- - -cupsys (CVE-2008-5377) -notified maintainer - --- - -cyrus-sasl2 (no CVE) -#465561 -notified maintainer - --- - -devil (CVE-2009-3994) -#560080 -notified maintainer - --- - -dia (CVE-2008-5984) -#504251 -notified maintainer - --- - -digitaldj (CVE-2008-4948) -#496399 -notified maintainer - --- - -dopewars (CVE-2009-3591) -#550913 -notified maintainer - --- - -dstat (CVE-2009-3894) -http://svn.rpmforge.net/svn/trunk/tools/dstat/ChangeLog -notified maintainer - -dstat (CVE-2009-4081) -#559667 -notified maintainer - --- - -ed (CVE-2008-3916) -Fix from 0.7-2 -notified maintainer - --- - -emacs21 (CVE-2007-6109/CVE-2008-1694) -bug #455433, bug #476612 -notified maintainer - -emacs21 (CVE-2008-2142) -bug #480877 -notified maintainer - --- - -emacs-jabber (CVE-2008-4952) -#496428 -notified maintainer - --- - -emacspeak (CVE-2008-4191) -#496431 -notified maintainer - --- - -epiphany-browser (CVE-2008-5985) -#504363 -notified maintainer - --- - -evolution (CVE-2008-1108, CVE-2008-1109) -#484639 -notified maintainer - -evolution (no CVE) -#484639 -notified maintainer - -evolution (CVE-2009-1631) -#526409 -notified maintainer through initial bugreport - --- - -exiv2 (CVE-2008-2696) -bug #486328 -http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499 -notified maintainer - --- - -flac123 (CVE-2007-3507) -notified maintainer - --- - -fml (CVE-2008-4954) -#496370 -notified maintainer - --- - -freeradius (CVE-2008-4474) -#496489 -notified maintainer - --- - -fwbuilder (CVE-2008-4956) -#496406 -notified maintainer - --- - -gedit (CVE-2009-0314) -#513513 -notified maintainer - --- - -gdrae -#496378 -notified maintainer - --- - -glib2.0 (CVE-2009-3289) -https://bugzilla.gnome.org/show_bug.cgi?id=593406 -notified maintainer - --- - -gmanedit (CVE-2008-3971) -#497835 -notified maintainer - --- - -gnutls13 (CVE-2009-1417) -#531614 -notified maintainer - --- - -gpsdrive (CVE-2008-5704, CVE-2008-5703, 
CVE-2008-5380) -#496436, #508597, #508595 -notified maintainer - --- - -gri (no CVE) -fixed in gri 2.12.18-1: -"Improve security when creating temporary files." -notified maintainer - --- - -hplip (CVE-2008-2940/CVE-2008-2941) -#499842 -notified maintainer - --- - -htmldoc (CVE-2009-3050) -#537637 -notified maintainer through initial bugreport - --- - -hypre (CVE-2009-3736) -#559834 -notified maintainer - --- - -ipsec-tools (CVE-2008-3651) -http://sourceforge.net/mailarchive/forum.php?thread_name=48a0c7a0.qPeWZAE0PY8bDDq%2B%25olel%40ans.pl&forum_name=ipsec-tools-devel -notified maintainer - -ipsec-tools (CVE-2008-3652) -#501026 -https://bugzilla.redhat.com/show_bug.cgi?id=456660 -notified maintainer - --- - -kaya (CVE-2008-6428) -notified maintainer - --- - -konwert (CVE-2008-4964) -#496379 -notified maintainer - --- - -lcms (CVE-2009-0793) -notified maintainer through initial bugreport - --- - -libapache2-mod-perl2 (CVE-2007-1349) -http://svn.apache.org/viewvc?view=rev&revision=521584 -#433549 -notified maintainer - --- - -libpam-ssh (CVE-2007-0844) -#410236 -notified maintainer - --- - -libsamplerate (CVE-2008-5008) -https://bugzilla.redhat.com/attachment.cgi?id=323069 -notified maintainer - --- -libsndfile -potential dos via crafted input -#530831 - --- - -libpam-ssh (CVE-2009-1273) -#535877 -maintainer notified through initial bug report - --- - -libpng (CVE-2008-1382) -#476669 -notified maintainer - -libpng (CVE-2009-2042) -#533676 -notified maintainer - --- - -libvorbis (CVE-2008-2009) -notified maintainer and release team - --- - -liferea (CVE-2005-4791) -notified maintainer - --- - -lighttpd (CVE-2007-3948) -#434888 -Was accidentally omitted during DSA 1362, but doesn''t warrant a DSA on it''s own. 
-http://trac.lighttpd.net/trac/changeset/1873?format=diff&new=1873 -http://trac.lighttpd.net/trac/ticket/1216 -notified maintainer - --- - -links2 (CVE-2008-3329) -bug #492744 -notified maintainer - --- - -linux-ftpd (CVE-2008-4247) -#500278 -notified maintainer - --- - -linux-ftpd-ssl (CVE-2007-6263) -#454733 -notified maintainer - --- - -mailscanner (CVE-2008-5312, CVE-2008-5313) -#506353 -notified maintainer - --- - -mecab (CVE-2007-3231) -#429174 -notified maintainer - --- - -mercurial (CVE-2008-4297) -#500781 -notified maintainer - --- - -mgetty (CVE-2008-4936) -#496403 -notified maintainer - --- - -mgt -#496434 -notified maintainer - --- - -memcached (CVE-2009-1255) -bug #527330 -notified maintainer - --- - -mimedecode -potential dos/crash due to invalid input -#530430 -orphaned - --- - -mksh (CVE-2008-1845) -notified maintainer - --- - -mldonkey (CVE-2007-4100) -#435439 -notified maintainer - --- - -mnogosearch (CVE-2007-5588) -#447753 -notified maintainer - --- - -motion (CVE-2008-2654) -#484572 -notified maintainer - --- - -mpg123 (CVE-2009-1301) -notified maintainer - --- - -multi-gnome-terminal (CVE-2008-5143) -notified maintainer - --- - -myspell -#496392 -notified maintainer - --- - -neon (CVE-2009-2474) -#542926 -notified maintainer - --- - -neon26 (CVE-2009-2474) -#542926 -notified maintainer - --- - -net-snmp (CVE-2008-6123) -Noah will see to it. 
- --- - -network-manager (CVE-2009-4144) -#560067 -notified maintainer through initial bugreport - -CVE-2009-4145 -#563371 -notified maintainer through initial bugreport - --- - -nfs-utils (CVE-2008-4552) -notified maintainer - --- - -ngircd (CVE-2008-0285) -notified maintainer - --- - -ntop (CVE-2009-2732) -#543312 -notified maintainer through initial bugreport - --- - -nvi -#496462 -notified maintainer - --- - -openldap -#253838 -notified maintainer - --- - -overkill (no CVE yet) -#549310 - --- - -owl (CVE-2009-0363) -#515118 -notified maintainer - --- - -p3nfs (CVE-2008-5154) -bug #506270 -notified maintainer - --- - -pam (CVE-2009-0579) -#514437 -asked maintainer in mail - --- - -paramiko (CVE-2008-0299) -#460706 -notified maintainer - --- - -planet (CVE-2009-2937) -bug #546178 -notified maintainer through initial bugreport - --- - -postfix (CVE-2009-2939) -notified maintainer - -postfix (CVE-2008-2937) -notified maintainer - --- - -pptp-linux (no CVE) -#523476 -Ola will prepare a fix in a point update - --- - -puppet (CVE-2009-3564) -#551073 -notified maintainer in initial bug report - --- - -python-4suite (CVE-2009-3560, CVE-2009-3720) -#560914 -notified maintainer - --- - -python2.4 (CVE-2008-4864, CVE-2008-5031) -#504620 -notified maintainer - -python2.5 (CVE-2008-4864, CVE-2008-5031) -#504619 -notified maintainer - --- - -r-base (CVE-2008-3931) -#496418 -notified maintainer - --- - -rails (CVE-2009-3086) -bug #545063 -notified maintainer - --- - -rancid (CVE-2008-4979) -#496426 -notified maintainer - --- - -rccp (CVE-2008-4980) -#496364 -notified maintainer - --- - -realtimebattle (CVE-2008-4981) -#496385 -notified maintainer - --- - -redhat-cluster (CVE-2008-4192, CVE-2008-4579, CVE-2008-4580) -#496410 -notified maintainer - --- - -rkhunter (CVE-2008-4982) -#496375 -notified maintainer - --- - -rsync (CVE-2007-6200) -#453652 -notified maintainer - --- - -sabre (CVE-2008-4406, CVE-2008-4407) -#433996 -notified maintainer - --- - -scilab (CVE-2008-4983) 
-#496414 -notified maintainer - --- - -sgml2x (CVE-2008-6397) -#496368 -notified maintainer - --- - -sip-tester (CVE-2008-1959, CVE-2008-2085) -#479039 -notified maintainer - --- - -slocate (CVE-2007-0227) -#411937 -notified maintainer - --- - -smb4k (CVE-2007-0475, CVE-2007-0474, CVE-2007-0473, CVE-2007-0472) -notified maintainer - --- - -sng -#496407 -notified maintainer - --- - -squid (CVE-2009-0801) -#521053 - --- - -squid3 (CVE-2009-0801) -#521052 - --- - -ssmtp (CVE-2008-3962) -#498366 -notified maintainer - --- - -sylpheed (CVE-2007-2958) -#441854 -http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153 fixes the bug -notified maintainer - --- - -sympa (CVE-2008-4476) -#496405; bug #494969 -notified maintainer - --- - -tau (CVE-2008-5157) -#506348 -notified maintainer - --- - -tcl8.3/tcl8.4 (CVE-2007-4772) -notified maintainer - -tcl8.3/tcl8.4 (CVE-2007-6067) -notified maintainer - --- - -tetex-bin (CVE-2009-1284) -#520920 -https://bugzilla.redhat.com/show_bug.cgi?id=492136 - --- - -texlive-bin (CVE-2007-5935 CVE-2007-5936 CVE-2007-5937) -notified maintainer - --- - -tintin++ (CVE-2008-0673 CVE-2008-0672 CVE-2008-0671) -#465643 -notified maintainer - --- - -tomboy (CVE-2005-4790) -notified maintainer - --- - -tqsllib 2.0-8 (CVE-2009-0124) -#511509 -notified maintainer - --- - -trac (CVE-2008-5646 CVE-2008-5647) -#509342, #505197 -notified maintainer - --- - -trickle (CVE-2009-0415) -#513456 -notified maintainer - --- - -udev -#462655 -notified maintainer - --- - -unp (CVE-2007-6610) -#448437 -notified maintainer - --- - -vobcopy (CVE-2007-5718) -bug #448319 -notified maintainer - --- - -wdiff [insecure tempfile in wdiff] -bug #425254 -notified maintainer - --- - -wims (CVE-2008-4986) -#496387 -notified maintainer - --- - -wyrd (CVE-2008-0806) -bug #466382 -notified maintainer - --- - -xastir (CVE-2008-4987) -#496383 -notified maintainer - --- - -xcal (CVE-2008-4988) -#496393 -notified maintainer - --- - -xcftools (CVE-2009-2175) -#533361 -orphaned 
-Jan Hauke Rahm will prepare a package for stable and oldstable (#533361) - --- - -xchat (CVE-2009-0315) -#513509 -notified maintainer - --- - -xemacs21 (CVE-2007-6109/CVE-2008-1694) -bug #457764, bug #476613 -notified maintainer - -xemacs21 (CVE-2008-2142) -bug #480877 -notified maintainer - -xemacs21 (CVE-2009-2688) -#540470 -Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994 -notified maintainer - --- - -xen-3 (CVE-2008-4993) -#496367 -notified maintainer - --- - -xerces-c2 (CVE-2009-1885) -#541986 -notified maintainer - --- - -xerces27 (CVE-2009-1885) -notified maintainer - --- - -xfce4 (CVE-2007-6351 CVE-2007-6352) -notified maintainer - --- - -xfig -25_mkstemp added in 1:3.2.5.a-1 -notified maintainer - - -CVE-2009-4228/CVE-2009-4227 -#559274) -https://bugzilla.redhat.com/show_bug.cgi?id=543905 - --- - -xmcd (CVE-2008-4994) -#496416 -notified maintainer - --- - -xmp (CVE-2007-6731, CVE-2007-6732) -#546730 - --- - -xscreensaver (no CVE) -#539699 -notified maintainer - --- - -zabbix (CVE-2008-1353) -bug #471678 -notified maintainer - --- - -zope-cmfplone (CVE-2008-1394) -notified maintainer - --- - -zsh (CVE-2007-6209) -bug #454073) -notified maintainer - Modified: data/package-tags ==================================================================--- data/package-tags 2010-09-30 10:15:34 UTC (rev 15400) +++ data/package-tags 2010-09-30 18:09:37 UTC (rev 15401) 
@@ -1,32 +1,22 @@ # In this file we keep the debtags for packages in "main" # where special conditions apply -[etch] kfreebsd-5 <unsupported> (FreeBSD not yet supported) [lenny] kfreebsd-6 <unsupported> (FreeBSD not yet supported) [lenny] kfreebsd-7 <unsupported> (FreeBSD not yet supported) -[etch] iceweasel <unsupported> (Support was dropped for oldstable) -[etch] xulrunner <unsupported> (Support was dropped for oldstable) -[etch] icedove <unsupported> (Support was dropped for oldstable) - -[etch] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone) [lenny] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone) [squeeze] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone) -[etch] php5 <limited-support> (See README.Debian.security for the PHP security policy) -[etch] php4 <limited-support> (See README.Debian.security for the PHP security policy) [lenny] php5 <limited-support> (See README.Debian.security for the PHP security policy) -[etch] adns <limited-support> (Stub resolver that should only be used with trusted recursors) +[squeeze] php5 <limited-support> (See README.Debian.security for the PHP security policy) + [lenny] adns <limited-support> (Stub resolver that should only be used with trusted recursors) -[etch] ltp <limited-support> (Testsuite, only supported on non-production non-multiuser systems) [lenny] ltp <limited-support> (Testsuite, only supported on non-production non-multiuser systems) +[squeeze] ltp <limited-support> (Testsuite, only supported on non-production non-multiuser systems) [sid] vmware-package <unsupported> (Only a build script for native upstream tarballs, not supported) -[etch] rails <unsupported> (Unusable, should be removed) - -[etch] clamav <unsupported> (No signature updates anymore, should be taken from volatile) [lenny] clamav <unsupported> (No signature updates anymore, should be taken from volatile) [sid] kompozer <unsupported> (vulnerable to all 
xulrunner issues, but intended use is not for untrusted or networked sources) @@ -35,13 +25,9 @@ [lenny] ocsinventory-server <limited-support> (Only supported behind an authenticated HTTP zone) [squeeze] ocsinventory-server <limited-support> (Only supported behind an authenticated HTTP zone) -[etch] asterisk <unsupported> (Support was dropped for oldstable) - -[etch] wireshark <limited-support> (Not suitable for network monitoring / intrusion detection, DoS issues fixed with low priority through point updates) [lenny] wireshark <limited-support> (Not suitable for network monitoring / intrusion detection, DoS issues fixed with low priority through point updates) [squeeze] wireshark <limited-support> (Not suitable for network monitoring / intrusion detection, DoS issues fixed with low priority through point updates) -[etch] acidbase <limited-support> (Only supported behind an authenticated HTTP zone for trusted users) [lenny] acidbase <limited-support> (Only supported behind an authenticated HTTP zone for trusted users) [squeeze] acidbase <limited-support> (Only supported behind an authenticated HTTP zone for trusted users) Deleted: data/resources ==================================================================--- data/resources 2010-09-30 10:15:34 UTC (rev 15400) +++ data/resources 2010-09-30 18:09:37 UTC (rev 15401) @@ -1,8 +0,0 @@ -Full CVE lists: -http://cve.mitre.org/data/downloads/ - -CVEs that do not affect sarge (maintained by regular security team): -http://www.debian.org/security/nonvulns-sarge - -Ultra Monkey kernel security database: -http://www.ultramonkey.org/bugs/cve/
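Review bot: the whole-file deletion of data/open-issues.txt drops three open questions that the visible text does not tie to etch: "Does this have a CVE name? Does it affect imagemagick?" for the graphicsmagick NULL pointer dereference in ReadImage(), "Are any of these exploitable issues?" for the two buffer overflows in fweelin_core_dsp.cc, and the jmm note that tikiwiki's previous issues should be reviewed and CVE/list updated after the upload. Only the ffmpeg/libavcodec item mentions Etch explicitly. If these were answered or tracked elsewhere, say so in the log message; otherwise move the three items to a file that is still maintained instead of deleting them with the etch material.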
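Review bot: the hunk @@ -2,967 +2,3 @@ in data/ospu-candidates.txt removes every entry but leaves the header in place ("but which could be fixed in a oldstable point update if people feel like it. If someone wants to address these, please add a note about it and get in contact with debian-release"), so the file still invites people to add oldstable point-update notes with nothing under it. That is fine if lenny entries are meant to accumulate here later, but the log message only says "removing etch (and older or unmaintained) stuff", and several removed entries carry 2009 CVE ids and 55xxxx/56xxxx bug numbers (devil CVE-2009-3994 #560080, hypre CVE-2009-3736 #559834, python-4suite CVE-2009-3560/CVE-2009-3720 #560914); a line in the log stating that these were deliberately dropped rather than lost in the cleanup would help anyone looking for them later.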
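Review bot: the first data/package-tags hunk @@ -1,32 +1,22 @@ adds "[squeeze] php5 <limited-support> (See README.Debian.security for the PHP security policy)" and "[squeeze] ltp <limited-support> (Testsuite, only supported on non-production non-multiuser systems)", but adns keeps only its lenny line ("[lenny] adns <limited-support> (Stub resolver that should only be used with trusted recursors)") while sql-ledger, ocsinventory-server, wireshark and acidbase all carry both lenny and squeeze entries. If the adns condition still applies in squeeze, add the [squeeze] adns line in the same change; if it no longer applies, a word about it in the log message would avoid the apparent inconsistency.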
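Review bot: deleting data/resources removes the "Full CVE lists: http://cve.mitre.org/data/downloads/" pointer together with the sarge-specific nonvulns link and the Ultra Monkey kernel security database link. The latter two are clearly the "older or unmaintained" material the log refers to, but the MITRE download link is not tied to any release and is the only one of the three that still looks current; if it is recorded elsewhere in the tracker, fine, otherwise keep a one-line resources file or move that link into the documentation rather than dropping it with the rest.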