Thanks for clearing that up. If it will be a while until you can fully
document the <undetermined> flag in the narrative_introduction, could you at
least clarify over email how it should be used? It seems like it's the same
as "TODO: check" but where the package has been identified.
-Johnathan
On Tue, Jul 26, 2011 at 8:22 PM, Michael Gilbert <gilbert-guest at alioth.debian.org> wrote:
> Author: gilbert-guest
> Date: 2011-07-27 03:22:14 +0000 (Wed, 27 Jul 2011)
> New Revision: 17007
>
> Modified:
> data/CVE/list
> Log:
> rfps=itps in security tracking sense; a kernel issue fixed earlier than
> currently tracked
>
> Modified: data/CVE/list
> ===================================================================
> --- data/CVE/list 2011-07-27 00:49:58 UTC (rev 17006)
> +++ data/CVE/list 2011-07-27 03:22:14 UTC (rev 17007)
> @@ -798,7 +798,7 @@
> {DSA-2276-2 DSA-2276-1}
> - asterisk 1:1.8.4.4~dfsg-1 (bug #632029)
> CVE-2011-2534 (Buffer overflow in the clusterip_proc_write function in
> ...)
> - - linux-2.6 2.6.39-1 (low)
> + - linux-2.6 2.6.32-34 (low)
> CVE-2011-2533 (The configure script in D-Bus (aka DBus) 1.2.x before
> 1.2.28 allows ...)
> - dbus 1.3.2~git20100715.821f99c-1 (unimportant)
> NOTE: Compile-time only
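Review bot: the change of the linux-2.6 fixed version for CVE-2011-2534 from 2.6.39-1 to 2.6.32-34 has no NOTE saying where the clusterip_proc_write fix landed in 2.6.32-34; the log message only says the issue was "fixed earlier than currently tracked". Add a NOTE line citing the changelog entry or upstream commit that justifies 2.6.32-34, so the earlier fixed version can be verified later without re-deriving it.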
> @@ -5934,8 +5934,7 @@
> CVE-2011-0746 (Cross-site request forgery (CSRF) vulnerability in ...)
> NOT-FOR-US: ZyXEL O2 DSL Router
> CVE-2011-0745 (SugarCRM before 6.1.3 does not properly handle reloads and
> direct ...)
> - NOT-FOR-US: SugarCRM
> - NOTE: there is an RFP for SugarCRM #457876
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2011-0744
> RESERVED
> CVE-2011-0743
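Review bot: replacing `NOT-FOR-US: SugarCRM` and the RFP NOTE with `- sugarcrm-ce-5.0 <itp> (bug #457876)` drops the fact that #457876 is an RFP rather than an ITP. The log says RFPs are treated as ITPs for tracking purposes, but once the NOTE is gone nothing in the entry records that nobody has committed to packaging it; consider keeping a NOTE such as `NOTE: #457876 is an RFP, tracked as ITP` so the distinction survives in the list itself. The same applies to every other sugarcrm-ce-5.0 and dokeos hunk in this commit.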
> @@ -20062,7 +20061,7 @@
> CVE-2010-0466
> RESERVED
> CVE-2010-0465 (Cross-site scripting (XSS) vulnerability in the online
> Documents ...)
> - NOT-FOR-US: SugarCRM
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2010-0464 (Roundcube 0.3.1 and earlier does not request that the web
> browser ...)
> - roundcube 0.3.1-3 (bug #569660)
> CVE-2010-0463 (Horde IMP 4.3.6 and earlier does not request that the web
> browser ...)
> @@ -20144,6 +20143,7 @@
> CVE-2010-0431 (QEMU-KVM, as used in the Hypervisor (aka rhev-hypervisor)
> in Red Hat ...)
> - qemu-kvm <not-affected> (QXL support not yet present in
Debian
> packages)
> - kvm <not-affected> (QXL support not yet present in Debian
> packages)
> + TODO: recheck newer uploads
> CVE-2010-0430
> RESERVED
> CVE-2010-0429 (libspice, as used in QEMU-KVM in the Hypervisor (aka
> rhev-hypervisor) ...)
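Review bot: the added `TODO: recheck newer uploads` under CVE-2010-0431 does not say which qemu-kvm or kvm upload needs rechecking, while the two `<not-affected>` lines above it still assert that QXL support is absent. State the version from which QXL support is expected to appear so the recheck has a concrete threshold, or leave the TODO out until that upload is known.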
> @@ -26347,7 +26347,7 @@
> CVE-2009-2979 (Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7,
> and ...)
> NOT-FOR-US: Adobe
> CVE-2009-2978 (SQL injection vulnerability in SugarCRM 4.5.1o and earlier,
> 5.0.0k and ...)
> - NOT-FOR-US: SugarCRM
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2009-2977 (The Cisco Security Monitoring, Analysis and Response System
> (CS-MARS) ...)
> NOT-FOR-US: Cisco
> CVE-2009-2976 (Cisco Aironet Lightweight Access Point (AP) devices send
> the contents ...)
> @@ -29193,7 +29193,7 @@
> CVE-2009-2147 (SQL injection vulnerability in fdown.php in phpWebThings
> 1.5.2 and ...)
> NOT-FOR-US: phpWebThings
> CVE-2009-2146 (Unrestricted file upload vulnerability in the Compose Email
> feature in ...)
> - NOT-FOR-US: SugarCRM
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2009-2145 (Multiple cross-site scripting (XSS) vulnerabilities in
> transLucid 1.75 ...)
> NOT-FOR-US: transLucid
> CVE-2009-2144 (SQL injection vulnerability in the FireStats plugin before
> ...)
> @@ -33376,11 +33376,11 @@
> CVE-2009-0895 (Integer overflow in Novell eDirectory 8.7.3.x before
> 8.7.3.10 ftf2 and ...)
> NOT-FOR-US: Novell eDirectory
> CVE-2009-0894 (Heap-based buffer overflow in the decoder_create function
> in the ...)
> + - xvidcore <undetermined>
> TODO: check
> - NOTE: xvidcore ITP (bug #531040) accepted in unstable on
> 2011-07-26.
> CVE-2009-0893 (Multiple heap-based buffer overflows in
> xvidcore/src/decoder.c in the ...)
> + - xvidcore <undetermined>
> TODO: check
> - NOTE: xvidcore ITP (bug #531040) accepted in unstable on
> 2011-07-26.
> CVE-2009-0892 (The administrative console in IBM WebSphere Application
> Server (WAS) ...)
> NOT-FOR-US: IBM WebSphere
> CVE-2009-0891 (The Web Services Security component in IBM WebSphere
> Application ...)
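Review bot: on both xvidcore entries the new `- xvidcore <undetermined>` line is added while `TODO: check` is kept and the NOTE naming ITP #531040 and its acceptance date is removed, so each entry now carries two open markers and loses the only pointer to why the package was just added. Keep the NOTE, or fold the bug number into the new line as `- xvidcore <undetermined> (bug #531040)`, and define `<undetermined>` in narrative_introduction, since this diff introduces the tag without saying how it differs from `TODO: check`.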
> @@ -46290,7 +46290,7 @@
> CVE-2008-2046 (Cross-site scripting (XSS) vulnerability in index.php in
> Softpedia ...)
> NOT-FOR-US: Softpedia
> CVE-2008-2045 (Absolute path traversal vulnerability in SugarCRM Sugar
> Community ...)
> - NOT-FOR-US: SugarCRM
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2008-2044 (includes/library.php in netOffice Dwins 1.3 p2 compares the
> ...)
> NOT-FOR-US: netOffice Dwins
> CVE-2008-2043 (Multiple cross-site request forgery (CSRF) vulnerabilities
> in cPanel, ...)
> @@ -49195,11 +49195,9 @@
> CVE-2008-0852 (freeSSHd 1.2 and earlier allows remote attackers to cause a
> denial of ...)
> NOT-FOR-US: freeSSHd
> CVE-2008-0851 (Multiple cross-site scripting (XSS) vulnerabilities in
> Dokeos 1.8.4 ...)
> - NOT-FOR-US: Dokeos
> - NOTE: there is an RFP for Dokeos #433352
> + - dokeos <itp> (bug #433352)
> CVE-2008-0850 (Multiple SQL injection vulnerabilities in Dokeos 1.8.4
> allow remote ...)
> - NOT-FOR-US: Dokeos
> - NOTE: there is an RFP for Dokeos #433352
> + - dokeos <itp> (bug #433352)
> CVE-2008-0849 (SQL injection vulnerability in index.php in the Downloads
> ...)
> NOT-FOR-US: com_downloads component for Mambo and Joomla!
> CVE-2008-0848 (Cross-site scripting (XSS) vulnerability in lostsheep.php
> in Crafty ...)
> @@ -69362,7 +69360,7 @@
> CVE-2006-6713 (Buffer overflow in Hitachi Directory Server 2 P-2444-A124
> before ...)
> NOT-FOR-US: Hitachi Directory Server
> CVE-2006-6712 (Cross-site scripting (XSS) vulnerability in SugarCRM Open
> Source ...)
> - NOT-FOR-US: SugarCRM Open Source
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2006-6711 (PHP remote file inclusion vulnerability in
> compteur/mapage.php in ...)
> NOT-FOR-US: Newxooper
> CVE-2006-6710 (Multiple PHP remote file inclusion vulnerabilities in
> PgmReloaded ...)
> @@ -73058,7 +73056,7 @@
> CVE-2006-5083 (PHP remote file inclusion vulnerability in ...)
> NOT-FOR-US: Integrated MODs (IM) Portal
> CVE-2006-5082 (Unspecified vulnerability in Sugar Suite Open Source
> (SugarCRM) before ...)
> - NOT-FOR-US: Sugar Suite Open Source (SugarCRM)
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2006-5081 (PHP remote file inclusion vulnerability in acc.php in
> QuickBlogger ...)
> NOT-FOR-US: QuickBlogger
> CVE-2006-5080 (Cross-site scripting (XSS) vulnerability in the search
> function in Six ...)
> @@ -78872,7 +78870,7 @@
> CVE-2006-2557 (PHP remote file inclusion vulnerability in
> extras/poll/poll.php in ...)
> NOT-FOR-US: Newsportal
> CVE-2006-2556 (Cross-site scripting (XSS) vulnerability in Florian Amrhein
> NewsPortal ...)
> - NOT-FOR-US: newsportal
> + - newsportal <itp> (bug #149069)
> NOTE: RFP #149069 closed after no activity since too long time
> CVE-2006-2555 (The parse_command function in Genecys 0.2 and earlier
> allows remote ...)
> NOT-FOR-US: Genecys
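Review bot: `- newsportal <itp> (bug #149069)` is immediately followed by the existing NOTE that RFP #149069 was closed for inactivity, so the hunk marks as pending packaging a bug that is no longer open. Either update the NOTE to say the bug is being reopened as an ITP, or keep `NOT-FOR-US: newsportal` with the closed RFP noted, since a closed bug does not track anything.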
> @@ -79092,7 +79090,7 @@
> CVE-2006-2461 (BEA WebLogic Server before 8.1 Service Pack 4 does not
> properly set ...)
> NOT-FOR-US: BEA
> CVE-2006-2460 (Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when
> ...)
> - NOT-FOR-US: SugarCRM
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2006-2459 (SQL injection vulnerability in messages.php in PHP-Fusion
> 6.00.307 and ...)
> NOT-FOR-US: PHP-Fusion
> CVE-2006-2458 (Multiple heap-based buffer overflows in Libextractor 0.5.13
> and ...)
> @@ -86360,9 +86358,9 @@
> CVE-2005-4088 (SQL injection vulnerability in index.php in phpForumPro 2.2
> allows ...)
> NOT-FOR-US: phpForumPro
> CVE-2005-4087 (PHP remote file include vulnerability in acceptDecline.php
> in Sugar ...)
> - NOT-FOR-US: SugarCRM
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2005-4086 (Directory traversal vulnerability in acceptDecline.php in
> Sugar Suite ...)
> - NOT-FOR-US: SugarCRM
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2005-4085 (Buffer overflow in BlueCoat (a) WinProxy before 6.1a and
> (b) the web ...)
> NOT-FOR-US: BlueCoat WinProxy
> CVE-2005-4084 (xs_edit.php in the phpBB eXtreme Styles module 2.2.1 and
> earlier ...)
> @@ -100242,7 +100240,7 @@
> CVE-2005-0267 (index.php in FlatNuke 2.5.1 allows remote attackers to
> create an ...)
> NOT-FOR-US: FlatNuke
> CVE-2005-0266 (Cross-site scripting (XSS) vulnerability in index.php in
> SugarCRM 1.X ...)
> - NOT-FOR-US: SugerCRM
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2005-0265 (Multiple SQL injection vulnerabilities in browse.php in OWL
> 0.7 and ...)
> NOT-FOR-US: OWL intranet
> CVE-2005-0264 (Multiple cross-site scripting (XSS) vulnerabilities in
> browse.php in ...)
> @@ -101348,13 +101346,13 @@
> CVE-2004-1229 (Cross-site scripting vulnerability in the parser for
> Gadu-Gadu allows ...)
> NOT-FOR-US: Gadu-Gadu
> CVE-2004-1228 (The install scripts in SugarCRM Sugar Sales 2.0.1c and
> earlier are not ...)
> - NOT-FOR-US: SugarCRM Sugar Sales
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2004-1227 (Directory traversal vulnerability in SugarCRM Sugar Sales
> 2.0.1c and ...)
> - NOT-FOR-US: SugarCRM Sugar Sales
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2004-1226 (SugarCRM Sugar Sales 2.0.1c and earlier allows remote
> attackers to ...)
> - NOT-FOR-US: SugarCRM Sugar Sales
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2004-1225 (SQL injection vulnerability in SugarCRM Sugar Sales before
> 2.0.1a ...)
> - NOT-FOR-US: SugarCRM Sugar Sales
> + - sugarcrm-ce-5.0 <itp> (bug #457876)
> CVE-2004-1224 (Off-by-one error in the mtr_curses_keyaction function for
> mtr 0.55 ...)
> - mtr 0.67-1
> CVE-2004-1223 (The Management Agent in F-Secure Policy Manager 5.11.2810
> allows ...)
>
>
> _______________________________________________
> Secure-testing-commits mailing list
> Secure-testing-commits at lists.alioth.debian.org
>
>
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
>