Author: jmm
Date: 2011-01-27 20:04:26 +0000 (Thu, 27 Jan 2011)
New Revision: 15990

Modified: data/CVE/list
Log:
- hplip fixed
- otrs issues don't affect Lenny
- qemu unimportant
- update bip description
- mark remaining webkit/lenny issues as no-dsa

Modified: data/CVE/list
==================================================================
--- data/CVE/list 2011-01-27 17:03:49 UTC (rev 15989) +++ data/CVE/list 2011-01-27 20:04:26 UTC (rev 15990) @@ -1820,7 +1820,7 @@ - ccid 1.3.11-2 (unimportant; bug #607780) NOTE: CVE requested, http://seclists.org/oss-sec/2010/q4/356 NOTE: Theoretical attack -CVE-2011-XXXX [unspecified denial of service] +CVE-2011-XXXX [remote DoS when case of the characters of a nickname is modified] - bip 0.8.7-1 [squeeze] - bip 0.8.2-1squeeze3 [lenny] - bip <not-affected> (Vulnerable code not present) @@ -1948,8 +1948,9 @@ RESERVED CVE-2011-0011 [qemu-kvm: Setting VNC password to empty string silently disables all authentication] RESERVED - - qemu <unfixed> (bug #611134) - - kvm <removed> (bug #611134) + - qemu <unfixed> (unimportant; bug #611134) + - kvm <removed> (unimportant; bug #611134) + NOTE: Harmless implementation bug, see discussion in #611134 CVE-2011-0010 (check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is ...) - sudo 1.7.4p4-6 (bug #609641) [lenny] - sudo <not-affected> (Only affects 1.7.x) @@ -2570,7 +2571,7 @@ CVE-2010-4268 (SQL injection vulnerability in the Pulse Infotech Flip Wall ...) NOT-FOR-US: Pulse Infotech CVE-2010-4267 (Stack-based buffer overflow in the hpmud_get_pml function in ...) - - hplip <unfixed> (bug #610960) + - hplip 3.10.6-2 (bug #610960) CVE-2010-4266 RESERVED CVE-2010-4265 (The ...) 
@@ -2717,6 +2718,7 @@ - yui 2.8.2r1~squeeze-1 (bug #603513) CVE-2010-4206 (Array index error in the FEBlend::apply function in ...) - webkit 1.2.6-1 + [lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-2 NOTE: http://trac.webkit.org/changeset/70652 CVE-2010-4205 (Google Chrome before 7.0.517.44 does not properly handle the data ...) @@ -2726,6 +2728,7 @@ NOTE: http://trac.webkit.org/changeset/70550 CVE-2010-4204 (WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before ...) - webkit 1.2.6-1 + [lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-2 NOTE: https://bugs.webkit.org/show_bug.cgi?id=48281 NOTE: http://trac.webkit.org/changeset/70517 @@ -2746,11 +2749,13 @@ NOTE: http://trac.webkit.org/changeset/69936 CVE-2010-4198 (WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before ...) - webkit 1.2.6-1 + [lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-2 NOTE: http://trac.webkit.org/changeset/69735 NOTE: style fix change set: http://trac.webkit.org/changeset/69801 CVE-2010-4197 (Use-after-free vulnerability in WebKit, as used in Google Chrome ...) - webkit 1.2.6-1 + [lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-2 NOTE: http://trac.webkit.org/changeset/70594 CVE-2010-4196 @@ -3042,6 +3047,7 @@ - linux-2.6 2.6.32-29 (low) CVE-2010-4071 (Cross-site scripting (XSS) vulnerability in AgentTicketZoom in OTRS ...) - otrs2 2.4.9+dfsg1-1 + [lenny] - otrs2 <not-affected> (Only affects OTRS 2.4) CVE-2010-4070 (Integer overflow in librpc.dll in portmap.exe (aka the ISM Portmapper ...) NOT-FOR-US: portmap.exe CVE-2010-4069 (Stack-based buffer overflow in IBM Informix Dynamic Server (IDS) 7.x ...) 
@@ -3117,6 +3123,7 @@ NOT-FOR-US: Opera CVE-2010-4042 (Google Chrome before 7.0.517.41 does not properly handle element maps, ...) - webkit 1.2.6-1 + [lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps) - chromium-browser 6.0.472.63~r59945-1 NOTE: http://trac.webkit.org/changeset/68096 CVE-2010-4041 (The sandbox implementation in Google Chrome before 7.0.517.41 on Linux ...) @@ -3708,6 +3715,7 @@ - freetype 2.4.2-2.1 (bug #602221) CVE-2010-3813 (The WebCore::HTMLLinkElement::process function in ...) - webkit 1.2.6-1 + [lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps) - chromium-browser <undetermined> CVE-2010-3812 (Integer overflow in the Text::wholeText method in dom/Text.cpp in ...) - webkit 1.2.6-1 @@ -4635,6 +4643,7 @@ NOT-FOR-US: Oracle Siebel Suite CVE-2010-3476 (Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before ...) - otrs2 2.4.8+dfsg1-1 + [lenny] - otrs2 <not-affected> (Only affects OTRS 2.3 and 2.4) CVE-2010-3475 (IBM DB2 9.7 before FP3 does not properly enforce privilege ...) NOT-FOR-US: IBM DB2 CVE-2010-3474 (IBM DB2 9.7 before FP3 does not perform the expected drops or ...) @@ -8392,6 +8401,7 @@ RESERVED CVE-2010-2080 (Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket ...) - otrs2 2.4.8+dfsg1-1 + [lenny] - otrs2 <not-affected> (Only affects OTRS 2.3 and 2.4) CVE-2009-4879 (The Identity Server in Novell Access Manager before 3.1 SP1 allows ...) NOT-FOR-US: Novell Access Manager CVE-2009-4878 (Unspecified vulnerability in the Administration Console in Novell ...) 
@@ -9177,6 +9187,7 @@ NOTE: Chromium uses a totally different regexp implementation. CVE-2010-1791 (Integer signedness error in WebKit in Apple Safari before 5.0.1 on Mac ...) - webkit 1.2.6-1 + [lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps) - chromium-browser <not-affected> NOTE: this is specific to Safari''s JavaScript engine CVE-2010-1790 (WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and ...)
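Review bot: In the @@ -1820 hunk, the retitled CVE-2011-XXXX entry for bip still carries no NOTE with a bug number or upstream reference, unlike the ccid entry just above it, which records where the CVE was requested. Since the id is still a placeholder, a NOTE pointing at the upstream report or the Debian bug would let the entry be matched unambiguously once an id is assigned.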
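Review bot: In the @@ -1948 hunk, the new NOTE for CVE-2011-0011 says only "Harmless implementation bug, see discussion in #611134", while the entry title describes authentication being silently disabled. Put the one-line reason for the unimportant rating in the NOTE itself so the triage can be checked without reading the bug log.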
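Review bot: In the @@ -2570 hunk, CVE-2010-4267 now records hplip 3.10.6-2 as the fixed version but has no [squeeze] or [lenny] line, although the description is a stack-based buffer overflow. If the stable releases are not affected or will not get a DSA, say so with a per-release line as the other entries in this commit do; otherwise the entry leaves their status unstated.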
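Review bot: In the @@ -2746 hunk, the use-after-free CVE-2010-4197 receives the same "[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)" line as every other webkit entry in this commit, with nothing specific to the issue. "Fringe apps" is not checkable from the entry; naming the lenny packages that link against webkit, or pointing to one shared NOTE that does, would document why no-dsa is acceptable for the memory-corruption issues as well.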
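Review bot: In the @@ -3042, @@ -4635 and @@ -8392 hunks, the otrs2 <not-affected> reasons name the affected upstream branches ("Only affects OTRS 2.4", "Only affects OTRS 2.3 and 2.4") but not the version lenny ships, so the claim cannot be verified from the entry. Adding lenny's otrs2 branch to the parenthesised reason would make each line self-contained.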