thr3ads.net - Secure testing commits - [Secure-testing-commits] r16887

If this information is useful, please help other people find it:
Share via:
Moritz Muehlenhoff
2011-Jul-04 16:58 UTC
[Secure-testing-commits] r16887 - in data: . CVE DSA

Author: jmm
Date: 2011-07-04 16:58:01 +0000 (Mon, 04 Jul 2011)
New Revision: 16887

Modified:
   data/CVE/list
   data/DSA/list
   data/next-point-update.txt
   data/spu-candidates.txt
Log:
evince and php5 fixed
new chrome issue
new torque issue (FD, please file bug/create ticket)
php/sockets issue doesn''t affect Lenny
dbus CVEfied, fix old entry
remove spu updates from candidate list, which have been released
add dokuwiki spu upload
CVE-2011-2605 was also fixed by recent iceweasel/iceape/xulrunner DSA
NFUs


Modified: data/CVE/list
==================================================================---
data/CVE/list	2011-07-04 07:28:33 UTC (rev 16886)
+++ data/CVE/list	2011-07-04 16:58:01 UTC (rev 16887)
@@ -3,79 +3,86 @@
 	[squeeze] - stardict <no-dsa> (minor information disclosure)
 	[lenny] - stardict <no-dsa> (minor information disclosure)
 CVE-2011-2641 (Opera 11.11 allows remote attackers to cause a denial of service
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2640 (Opera before 11.10 allows remote attackers to cause a denial of
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2639 (Opera before 11.10 does not properly handle hidden animated GIF
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2638 (Unspecified vulnerability in Opera before 11.10 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2637 (Unspecified vulnerability in Opera before 11.10 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2636 (Unspecified vulnerability in Opera before 11.10 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2635 (The Cascading Style Sheets (CSS) implementation in Opera before
11.10 ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2634 (Opera before 11.10 allows remote attackers to hijack (1)
searches and ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2633 (Unspecified vulnerability in Opera before 11.11 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2632 (Opera before 11.11 does not properly handle destruction of a
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2631 (The Cascading Style Sheets (CSS) implementation in Opera before
11.11 ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2630 (Opera before 11.11 allows user-assisted remote attackers to
cause a ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2629 (Unspecified vulnerability in Opera before 11.11 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2628 (Opera before 11.11 does not properly implement FRAMESET
elements, ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2627 (Unspecified vulnerability in the DOM implementation in Opera
before ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2626 (Opera before 11.50 allows remote attackers to cause a denial of
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2625 (Opera before 11.50 allows remote attackers to cause a denial of
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2624 (Opera before 11.50 allows user-assisted remote attackers to
cause a ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2623 (Unspecified vulnerability in the SVG BiDi implementation in
Opera ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2622 (Unspecified vulnerability in the Web Workers implementation in
Opera ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2621 (Unspecified vulnerability in Opera before 11.50 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2620 (Unspecified vulnerability in Opera before 11.50 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2619 (Opera before 11.50 allows remote attackers to cause a denial of
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2618 (Opera before 11.50 allows remote attackers to cause a denial of
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2617 (Unspecified vulnerability in Opera before 11.50 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2616 (Unspecified vulnerability in Opera before 11.50 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2615 (Unspecified vulnerability in Opera before 11.50 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2614 (The SVG implementation in Opera before 11.50 allows remote
attackers ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2613 (The Array.prototype.join method in Opera before 11.50 allows
remote ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2612 (Unspecified vulnerability in Opera before 11.50 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2611 (Unspecified vulnerability in the printing functionality in Opera
...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2610 (Unspecified vulnerability in Opera before 11.50 has unknown
impact and ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2609 (Opera before 11.50 does not properly restrict data: URIs, which
makes ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2608 (ovbbccb.exe 6.20.50.0 and earlier in HP OpenView Performance
Agent ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2011-2607 (Cross-site scripting (XSS) vulnerability in IBM Rational Team
Concert ...)
 	NOT-FOR-US: IBM Rational Team Concert
 CVE-2011-2606 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM
Rational ...)
 	NOT-FOR-US: IBM Rational Team Concert
 CVE-2011-2605 (CRLF injection vulnerability in the ...)
-	TODO: check
+	{DSA-2269-1 DSA-2268-1}
+	- xulrunner <removed>
+	[lenny] - xulrunner 1.9.0.19-12
+	- iceweasel 3.5.19-3
+	[lenny] - iceweasel <not-affected> (Lenny''s iceweasel uses
Xulrunner from the xulrunner source pkg)
+	- iceape 2.0.14-3
+	[lenny] - iceape <not-affected> (Only a stub package)
+	- icedove 3.1.11-1
 CVE-2011-2604 (The Intel G41 driver 6.14.10.5355 on Windows XP SP3 allows
remote ...)
 	NOT-FOR-US: Windows XP
 CVE-2011-2603 (The NVIDIA 9400M driver 6.2.6 on Mac OS X 10.6.7 allows remote
...)
@@ -87,7 +94,8 @@
 CVE-2011-2600 (The GPU support functionality in Windows XP does not properly
restrict ...)
 	NOT-FOR-US: Windows XP
 CVE-2011-2599 (Google Chrome 11 does not block use of a cross-domain image as a
WebGL ...)
-	TODO: check
+	- chromium-browser <unfixed>
+	- webkit <undetermined>
 CVE-2011-2598 (The WebGL implementation in Mozilla Firefox 4.x allows remote
...)
 	- xulrunner <not-affected> (Only affects Firefox 4.0, not yet in
unstable)
 	- iceweasel <not-affected> (Only affects Firefox 4.0, not yet in
unstable)
@@ -307,7 +315,7 @@
 CVE-2011-2510 [dokuwiki XSS in RSS code]
 	RESERVED
 	- dokuwiki 0.0.20110525a-1 (low; bug #631818)
-	[squeeze] - dokuwiki <no-dsa> (Minor issue)
+	[squeeze] - dokuwiki <no-dsa> (Minor issue, will be fixed in point
update)
 	[lenny] - dokuwiki <no-dsa> (Minor issue)
 CVE-2011-2509
 	RESERVED
@@ -378,7 +386,7 @@
 	- libcrypt-eksblowfish-perl <not-affected> (discovered and corrected in
initial release in 2007)
 	- php5-suhosin <unfixed> (bug #631283)
 	- postgresql <unfixed> (bug #631285)
-	- php5 <unfixed> (bug #631347)
+	- php5 5.3.6-13 (bug #631347)
 	NOTE: http://openwall.com/lists/oss-security/2011/06/20/2
 CVE-2011-2482
 	RESERVED
@@ -987,7 +995,9 @@
 CVE-2011-2201
 	RESERVED
 CVE-2011-2200 (The _dbus_header_byteswap function in dbus-marshal-header.c in
D-Bus ...)
-	TODO: check
+	- dbus 1.4.12-1 (low; bug #629938)
+	[squeeze] - dbus 1.2.24-4+squeeze1
+	[lenny] - dbus <no-dsa> (Minor issue)
 CVE-2011-2197 (The cross-site scripting (XSS) prevention feature in Ruby on
Rails 2.x ...)
 	TODO: check
 CVE-2011-2196
@@ -995,7 +1005,7 @@
 CVE-2011-2195
 	RESERVED
 CVE-2011-2193 (Multiple buffer overflows in Terascale Open-Source Resource and
Queue ...)
-	TODO: check
+	- torque <unfixed>
 CVE-2011-2192 [libcurl inappropriate GSSAPI delegation]
 	RESERVED
 	{DSA-2271-1}
@@ -1716,7 +1726,8 @@
 CVE-2011-1939
 	RESERVED
 CVE-2011-1938 (Stack-based buffer overflow in the socket_connect function in
...)
-	- php5 <unfixed> (low)
+	- php5 5.3.6-13 (low)
+	[lenny] - php5 <not-affected> (The Lenny version doesn''t use
memcpy)
 CVE-2011-1937 (Cross-site scripting (XSS) vulnerability in Webmin 1.540 and
earlier ...)
 	NOT-FOR-US: Webmin
 CVE-2011-1936
@@ -1815,7 +1826,7 @@
 CVE-2011-1909
 	RESERVED
 CVE-2011-1908 (Integer overflow in the Type 1 font decoder in the FreeType
engine in ...)
-	TODO: check
+	NOT-FOR-US: Foxit Reader
 CVE-2011-1906 (Trustwave WebDefend Enterprise before 5.0 7.01.903-1.4 stores
specific ...)
 	NOT-FOR-US: Trustwave WebDefend Enterprise
 CVE-2011-1905 (Multiple cross-site request forgery (CSRF) vulnerabilities in
...)
@@ -2233,7 +2244,7 @@
 	{DSA-2264-1 DSA-2240-1}
 	- linux-2.6 <unfixed> (low)
 CVE-2011-1775 (The CSecurityTLS::processMsg function in
common/rfb/CSecurityTLS.cxx ...)
-	TODO: check
+	NOT-FOR-US: TigerVNC
 CVE-2011-1774
 	RESERVED
 	- xmlsec1 1.2.14-1.1
@@ -2287,7 +2298,7 @@
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=700867
 	NOTE:
http://git.fedorahosted.org/git/?p=sssd.git;a=commitdiff;h=fffdae81651b460f3d2c119c56d5caa09b4de42a
 CVE-2011-1757 (DJabberd 0.84 and earlier does not properly detect recursion
during ...)
-	TODO: check
+	NOTE: DJabberd
 CVE-2011-1756 (modules/xmpp/serv_xmpp.c in Citadel 7.86 and earlier does not
properly ...)
 	{DSA-2250-1}
 	- citadel <unfixed> (medium)
@@ -6175,7 +6186,7 @@
 	- dtc 0.32.10-1
 CVE-2011-0433 [linetoken() buffer overflow]
 	RESERVED
-	- evince <unfixed> (bug #614668)
+	- evince 2.32.0-1 (bug #614668)
 	- vftool <unfixed> (low; bug #614669)
 	[squeeze] - vftool <no-dsa> (Minor issue)
 	[lenny] - vftool <no-dsa> (Minor issue)
@@ -14208,9 +14219,6 @@
 	NOT-FOR-US: Adobe Reader
 CVE-2010-2200
 	RESERVED
-	- dbus 1.4.12-1 (low; bug #629938)
-	[squeeze] - dbus 1.2.24-4+squeeze1
-	[lenny] - dbus <no-dsa> (Minor issue)
 CVE-2010-2199 (lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the
...)
 	- rpm <unfixed> (bug #584257; unimportant)
 	NOTE: Marking as unimportant since rpm isn''t used as a package
manager

Modified: data/DSA/list
==================================================================---
data/DSA/list	2011-07-04 07:28:33 UTC (rev 16886)
+++ data/DSA/list	2011-07-04 16:58:01 UTC (rev 16887)
@@ -9,7 +9,7 @@
 	{CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2365
CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2376 }
 	[squeeze] - iceape 2.0.11-6
 [01 Jul 2011] DSA-2268-1 iceweasel - several
-	{CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2365
CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2376 }
+	{CVE-2011-0083 CVE-2011-0085 CVE-2011-2362 CVE-2011-2363 CVE-2011-2365
CVE-2011-2371 CVE-2011-2373 CVE-2011-2374 CVE-2011-2376 CVE-2011-2605 }
 	[squeeze] - iceweasel 3.5.16-8
 	[lenny] - xulrunner 1.9.0.19-12
 [01 Jul 2011] DSA-2267-1 perl - restriction bypass

Modified: data/next-point-update.txt
==================================================================---
data/next-point-update.txt	2011-07-04 07:28:33 UTC (rev 16886)
+++ data/next-point-update.txt	2011-07-04 16:58:01 UTC (rev 16887)
@@ -1,3 +1,5 @@
 CVE-2011-1498
 	[squeeze] - httpcomponents-client 4.0.1-1squeeze1
+CVE-2011-2510
+	[squeeze] - dokuwiki 0.0.20091225c-10+squeeze2
 

Modified: data/spu-candidates.txt
==================================================================---
data/spu-candidates.txt	2011-07-04 07:28:33 UTC (rev 16886)
+++ data/spu-candidates.txt	2011-07-04 16:58:01 UTC (rev 16887)
@@ -21,11 +21,6 @@
 
 --
 
-dokuwiki (XML-RPC vulns)
-maintainer is working on uploads
-
---
-
 fail2ban [fail2ban: Insecure creating/writing to tmpfile]
 #544232
 
@@ -68,13 +63,6 @@
 
 --
 
-openldap (CVE-2011-1024/CVE-2011-1025/CVE-2011-1081)
-#617606
-maintainer preparing upload
-thijs prepared upload
-
---
-
 tesseract (CVE-2011-1136)
 #612032
 awaiting maintainer response
Secure testing commits - Jul 2011 - r16887 - in data: . CVE DSA

[Secure-testing-commits] r16887 - in data: . CVE DSA
