Author: jmm Date: 2011-12-08 18:20:25 +0000 (Thu, 08 Dec 2011) New Revision: 17765 Modified: data/CVE/list Log: updates/CVE assignments on libav/ffmpeg new krb issue only affecting testing and sid Modified: data/CVE/list ==================================================================--- data/CVE/list 2011-12-08 06:21:52 UTC (rev 17764) +++ data/CVE/list 2011-12-08 18:20:25 UTC (rev 17765) @@ -19,18 +19,9 @@ CVE-2011-4670 (Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM ...) NOT-FOR-US: vTiger CRM CVE-2011-4669 (SQL injection vulnerability in wp-users.php in WordPress Users plugin ...) - TODO: check -CVE-2011-XXXX [FFmpeg Libavcodec memory corruption remote code execution] - - libav <unfixed> - - mplayer <unfixed> - - kino <unfixed> - - chromium-browser <unfixed> - - ffmpeg <removed> - - ffmpeg-debian <end-of-life> - NOTE: http://www.openwall.com/lists/oss-security/2011/12/04/1 - TODO: evaluate severity + NOT-FOR-US: Wordpress plugin CVE-2011-4668 (IBM Tivoli Netcool/Reporter 2.2 before 2.2.0.8 allows remote attackers ...) - TODO: check + NOT-FOR-US: Tivoli CVE-2011-4667 RESERVED CVE-2011-4666 @@ -212,8 +203,12 @@ RESERVED CVE-2011-4580 RESERVED -CVE-2011-4579 +CVE-2011-4579 [SVQ1 issue] RESERVED + - libav <unfixed> + - ffmpeg <removed> + - ffmpeg-debian <end-of-life> + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4931c8f0f10bf8dedcf626104a6b85bfefadc6f2 CVE-2011-4578 [acpid insecure umasks for calling external scripts] RESERVED - acpid 1:2.0.11-1 @@ -737,7 +732,7 @@ CVE-2011-4365 RESERVED NOTE: duplicate of CVE-2011-4090 -CVE-2011-4364 +CVE-2011-4364 [vmd_decode buffer overflow] RESERVED - libav <unfixed> - ffmpeg <removed> 
@@ -787,16 +782,25 @@ - libav <unfixed> - ffmpeg <removed> - ffmpeg-debian <end-of-life> + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c693aa6f71b4f539cf9df67ba42f4b1932981687 + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=bb4b0ad83b13c3af57675e80163f3f333adef96f + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e0966eb140b3569b3d6b5b5008961944ef229c06 CVE-2011-4352 [VP3 integer overflow] RESERVED - libav <unfixed> - ffmpeg <removed> - ffmpeg-debian <end-of-life> + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=eef5c35b4352ec49ca41f6198bee8a976b1f81e5 CVE-2011-4351 [QDM2 buffer overflow] RESERVED - libav <unfixed> - ffmpeg <removed> - ffmpeg-debian <end-of-life> + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=491eaf35ae1f9b619441314bec33766e31580184 + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=291d74a46d32183653db07818c7b3407fd50a288 + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=7d49f79f1cd47783a963a757a6563b9cac29db62 + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=14db3af4f26dad8e6ddf2147e96ccc710952ad4d + NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=895d258e9ba065d035dd30dbc622423031f0185c CVE-2011-4350 RESERVED - yaws 1.91-2 (bug #650009) @@ -1509,7 +1513,6 @@ {DSA-2346-2 DSA-2346-1} - proftpd-dfsg 1.3.4~rc3-2 (high; bug #648373) [lenny] - proftpd-dfsg <not-affected> (vulnerable functionality not present) - [squeeze] - proftpd-dfsg 1.3.3a-6squeeze4 NOTE: http://bugs.proftpd.org/show_bug.cgi?id=3711 CVE-2011-4129 RESERVED @@ -8844,6 +8847,9 @@ NOT-FOR-US: HP Photosmart CVE-2011-1530 RESERVED + - krb5 <unfixed> + [squeeze] - krb5 <not-affected> (Only affecs 1.9 and higher) + [lenny] - krb5 <not-affected> (Only affecs 1.9 and higher) CVE-2011-1529 (The lookup_lockout_policy function in the Key Distribution Center ...) - krb5 1.10+dfsg~alpha1-1 (low; bug #646367) [lenny] - krb5 <not-affected> (Introduced in 1.8)
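Review bot: In the first hunk (@@ -19,18 +19,9 @@), deleting the CVE-2011-XXXX [FFmpeg Libavcodec memory corruption remote code execution] placeholder also drops the `- mplayer <unfixed>`, `- kino <unfixed>` and `- chromium-browser <unfixed>` lines and the oss-security NOTE, and none of the libav/ffmpeg entries touched elsewhere in this patch list those packages. If the embedded copies are still affected, carry those package lines and the NOTE over to the assigned CVE ids; if they are not, say so in the log message so the status change is visible to whoever reads the history.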
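Review bot: In the @@ -212,8 +203,12 @@ hunk, the description `[SVQ1 issue]` added to CVE-2011-4579 does not name the bug class, unlike `[vmd_decode buffer overflow]` and `[VP3 integer overflow]` elsewhere in this patch. Take the bug class from the referenced commit and put it in the brackets so the entry can be triaged without following the link.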
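Review bot: In the @@ -787,16 +782,25 @@ hunk, the added NOTE lines mix two gitweb URL forms: `a=commit` for the first entry and for CVE-2011-4352, `a=commitdiff` for the five under CVE-2011-4351. Pick one form for the whole file, and since CVE-2011-4351 now points at five separate commits, a few words per NOTE on what each one fixes would help anyone backporting.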
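Review bot: In the @@ -1509,7 +1513,6 @@ hunk, the removal of `[squeeze] - proftpd-dfsg 1.3.3a-6squeeze4` is not covered by the log message, which mentions only libav/ffmpeg and krb. Either explain in the log why the squeeze fixed version is dropped from this entry, or split the proftpd change into its own commit so the reason is recorded with it.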
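Review bot: In the @@ -8844,6 +8847,9 @@ hunk, both added not-affected lines for CVE-2011-1530 misspell the reason as `(Only affecs 1.9 and higher)`; it should read "affects". The neighbouring CVE-2011-1529 entry words the same kind of reason as `(Introduced in 1.8)`, so `(Introduced in 1.9)` would keep the two krb5 entries consistent.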