Author: jmm Date: 2011-12-13 17:07:59 +0000 (Tue, 13 Dec 2011) New Revision: 17783 Modified: data/CVE/list data/spu-candidates.txt Log: - rampart no-dsa - fabric fixed in sid - update spu-candidates file for several older no-dsa issues - remove old dtc-xen entry, disputed by upstream - netqmail and qmail packages don''t include/apply the affected TLS patch Modified: data/CVE/list ==================================================================--- data/CVE/list 2011-12-13 10:21:45 UTC (rev 17782) +++ data/CVE/list 2011-12-13 17:07:59 UTC (rev 17783) @@ -7076,7 +7076,8 @@ CVE-2011-2333 RESERVED CVE-2011-2329 (The rampart_timestamp_token_validate function in ...) - - rampart <unfixed> (bug #631221) + - rampart <unfixed> (low; bug #631221) + [squeeze] - rampart <no-dsa> (Minor issue) CVE-2011-2327 (Unspecified vulnerability in the Oracle Communications Unified ...) NOT-FOR-US: Oracle Sun Products Suite CVE-2011-2326 @@ -7430,7 +7431,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=711170 NOTE: CVE request and discussion: http://www.openwall.com/lists/oss-security/2011/06/06/3 CVE-2011-2185 (Fabric before 1.1.0 allows local users to overwrite arbitrary files ...) - - fabric <unfixed> (low; bug #629003) + - fabric 1.1.2-1 (low; bug #629003) [squeeze] - fabric <no-dsa> (Minor issue) CVE-2011-2475 (Format string vulnerability in ECTrace.dll in the iMailGateway service ...) NOT-FOR-US: Sybase OneBridge Mobile Data Suite @@ -9263,11 +9264,6 @@ - mahara 1.2.5-1 [lenny] - mahara 1.0.4-4+lenny10 NOTE: http://htmlpurifier.org/news/2011/0327-4.3.0-released -CVE-2011-XXXX [dtc-xen Remote authenticated root exploit] - - dtc-xen <unfixed> (bug #611680) - [squeeze] - dtc-xen <no-dsa> (minor issue) - [lenny] - dtc-xen <no-dsa> (minor issue) - NOTE: maintainer claims you shouldn''t grant access to the SOAP daemon to a user you do not trust. CVE-2011-1517 RESERVED CVE-2011-1516 (The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in ...) @@ -9636,10 +9632,9 @@ CVE-2011-1432 (The STARTTLS implementation in SCO SCOoffice Server does not properly ...) NOT-FOR-US: SCO SCOoffice Server CVE-2011-1431 (The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the ...) - - qmail <unfixed> - - netqmail <unfixed> - [lenny] - qmail <no-dsa> (non-free doesn''t get security support) - [squeeze] - qmail <no-dsa> (non-free doesn''t get security support) + - qmail <unfixed> (unimportant) + NOTE: The TLS patch is shipped in the source package, but it''s not applied + - netqmail <not-affected> (Doesn''t include the TLS patch) CVE-2011-1430 (The STARTTLS implementation in the server in Ipswitch IMail 11.03 and ...) NOT-FOR-US: Ipswitch IMail CVE-2011-1429 (Mutt does not verify that the smtps server hostname matches the domain ...) Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2011-12-13 10:21:45 UTC (rev 17782) +++ data/spu-candidates.txt 2011-12-13 17:07:59 UTC (rev 17783) @@ -20,6 +20,17 @@ -- +etherape (CVE-2011-3369) +#645324 + +-- + +fabric (CVE-2011-2185) +#629003 + + +-- + fail2ban [fail2ban: Insecure creating/writing to tmpfile] #544232 awaiting maintainer response @@ -30,15 +41,16 @@ CVE-2011-1158 [sanitizer doesn''t strip unsafe URI schemes] CVE-2011-1157 [sanitization can be bypassed by malformed XML comments] CVE-2011-1156 [invalid text in XML declaration causes sanitizer to crash] -CVE-2011-XXXX [XSS vuln] +CVE-2009-5065 [XSS vuln] #617998 awaiting maintainer response -- -feh (CVE-2011-0702) +feh (CVE-2011-0702, CVE-2011-1031) #612035 -awaiting maintainer response +https://derf.homelinux.org/git/feh/commit/?id=23421a86cc826dd30f3dc4f62057fafb04b3ac40 +https://derf.homelinux.org/git/feh/commit/?id=29ab0855f044ef2fe9c295b72abefcb37f0861a5 -- @@ -146,6 +158,11 @@ -- +rampart (CVE-2011-2329) +#631221 + +-- + rdesktop (CVE-2011-1595) #623552 https://bugzilla.redhat.com/attachment.cgi?id=492845&action=diff&context=patch&collapsed=&headers=1&format=raw