Author: jmm-guest Date: 2010-10-07 20:43:15 +0000 (Thu, 07 Oct 2010) New Revision: 15439 Modified: data/CVE/list Log: - new chrome issues - hipo removed - cleanup older non issues and mark several older issues as fixed - mark vdr as unimportant, debug only - numpy fixed Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-10-07 18:36:27 UTC (rev 15438) +++ data/CVE/list 2010-10-07 20:43:15 UTC (rev 15439) @@ -97,9 +97,11 @@ CVE-2010-3731 (Buffer overflow in the Administration Server component in IBM DB2 UDB ...) NOT-FOR-US: IBM DB2 UDB 9.5 CVE-2010-3730 (Google Chrome before 6.0.472.62 does not properly use information ...) - TODO: check + - webkit <undetermined> + - chromium-browser <undetermined> CVE-2010-3729 (The SPDY protocol implementation in Google Chrome before 6.0.472.62 ...) - TODO: check + - webkit <undetermined> + - chromium-browser <undetermined> CVE-2010-3728 RESERVED CVE-2010-XXXX [amanda code injection] @@ -848,7 +850,7 @@ CVE-2008-XXXX [greylistd bypass] - greylistd 0.8.7+nmu2 (low; bug #464084) CVE-2010-XXXX [numpy memory corruption] - - python-numpy <unfixed> (medium; bug #581058) + - python-numpy 1:1.4.1-5 (bug #581058) NOTE: http://projects.scipy.org/numpy/changeset/8364 CVE-2010-XXXX [glob processing issue] - sudo 1.7.0-1 (low; bug #565223; bug #580342) @@ -973,7 +975,8 @@ RESERVED CVE-2010-3387 RESERVED - - vdr <unfixed> (bug #598308) + - vdr <unfixed> (unimportant; bug #598308) + NOTE: Only affects a debugging tool, see bug #598308 CVE-2010-3386 RESERVED - ust <unfixed> (bug #598309) @@ -1056,7 +1059,8 @@ [lenny] - ike <no-dsa> (Minor issue) CVE-2010-3360 RESERVED - - hipo <unfixed> (bug #598291) + - hipo <removed> (bug #598291) + [lenny] - hipo <no-dsa> (Minor issue) CVE-2010-3359 [gargoyle: insecure library loading] RESERVED - gargoyle-free 2009-08-25-2 @@ -8766,9 +8770,6 @@ - dillo <removed> NOTE: http://hg.dillo.org/dillo/file/tip/ChangeLog NOTE: it is not clear whether the issue affects pre-2.x versions -CVE-2010-XXXX [pidgin remote dos] - - pidgin <unfixed> (low; bug #562720) - [lenny] - pidgin <no-dsa> (Minor issue) CVE-2010-XXXX [phpbb3 weak captcha] - phpbb3 3.0.7-PL1-1 (unimportant; bug #570011) CVE-2010-0634 (Unspecified vulnerability in Fast Lexical Analyzer Generator (flex) ...) @@ -12725,7 +12726,7 @@ CVE-2009-3801 (SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows ...) NOT-FOR-US: OpenDocMan CVE-2009-XXXX [multiple missing input sanity checks in KDE] - - kdelibs <unfixed> (low) + - kdelibs 4:3.5.10.dfsg.1-3 (low) - kde4libs 4:4.3.4-1 (low) [lenny] - kde4libs <no-dsa> (Minor issue) [lenny] - kdelibs <no-dsa> (minor and unlikely to be exploited) @@ -13087,9 +13088,7 @@ - vxl 1.13.0-2 (low; bug #560945) - xulrunner <unfixed> (unimportant; bug #560946) - texlive-bin <not-affected> (Files are not compiled in, see #560948) - - vnc4 <unfixed> (low; bug #560949) - [etch] - vnc4 <no-dsa> (minor issue) - [lenny] - vnc4 <no-dsa> (minor issue) + - vnc4 <not-affected> (Not affected, see bug #560949) - xotcl 1.6.5-1.2 (low; bug #560950) [lenny] - xotcl <no-dsa> (minor issue) CVE-2009-3719 (Cross-site scripting (XSS) vulnerability in comment.asp in Battle Blog ...) @@ -18754,6 +18753,7 @@ - webkit <unfixed> (low; bug #532514) [lenny] - webkit <no-dsa> (Minor issue) - kdebase <unfixed> (low; bug #532519) + [squeeze] - kdebase <no-dsa> (Minor issue) [lenny] - kdebase <no-dsa> (Minor issue) [etch] - kdebase <no-dsa> (Minor issue) - w3m <unfixed> (unimportant; bug #532521) @@ -19642,7 +19642,6 @@ CVE-2009-1685 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...) - webkit 1.0.1-4 (bug #535793) - kdelibs <not-affected> - - kde4libs <unfixed> - qt4-x11 4:4.6.2-4 (low) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against NOTE: http://trac.webkit.org/changeset/34574 @@ -22844,12 +22843,8 @@ CVE-2009-0802 (Qbik WinGate, when transparent interception mode is enabled, uses the ...) NOT-FOR-US: Qbik WinGate CVE-2009-0801 (Squid, when transparent interception mode is enabled, uses the HTTP ...) - - squid <unfixed> (low; bug #521053) - [etch] - squid <no-dsa> (Minor issue) - [lenny] - squid <no-dsa> (Minor issue) - - squid3 <unfixed> (low; bug #521052) - [etch] - squid3 <no-dsa> (Minor issue) - [lenny] - squid3 <no-dsa> (Minor issue) + - squid <unfixed> (unimportant; bug #521053) + - squid3 <unfixed> (unimportant; bug #521052) NOTE: This only affects HTTP connections and only in transparent mode NOTE: Also, same origin validations in the browsers still apply and keep this mostly harmless NOTE: http://marc.info/?l=squid-dev&m=123542836103750&w=4 @@ -33525,10 +33520,8 @@ - gaim <removed> [lenny] - gaim <not-affected> (gaim is now a transitional package depending on pidgin with its own source package) CVE-2008-2956 (Memory leak in Pidgin 2.0.0, and possibly other versions, allows ...) - - pidgin <unfixed> (low; bug #488632) - [lenny] - pidgin <no-dsa> (Minor issue) - - gaim <removed> - [lenny] - gaim <not-affected> (gaim is now a transitional package depending on pidgin with its own source package) + - pidgin <unfixed> (unimportant; bug #488632) + NOTE: Non-issue per analysis of Pidgin upstream developers, should be rejected CVE-2008-2957 (The UPnP functionality in Pidgin 2.0.0, and possibly other versions, ...) - pidgin 2.4.3-4 (low; bug #488632) - gaim <removed>