Author: jmm Date: 2012-01-03 19:05:56 +0000 (Tue, 03 Jan 2012) New Revision: 18008 Modified: data/CVE/list data/spu-candidates.txt Log: jenkins-winstone fixed nagios and ejabberd no-dsa remove john entry, this only added support for the new style of hashes, not a sec issue drop gmime entry, regular bug remove old kdebase entry, konqueror not supported security-wise Firefox not affected by BEAST attack Modified: data/CVE/list ==================================================================--- data/CVE/list 2012-01-03 19:04:25 UTC (rev 18007) +++ data/CVE/list 2012-01-03 19:05:56 UTC (rev 18008) @@ -2234,7 +2234,7 @@ - namazu2 2.0.21-1 (low) [squeeze] - namazu2 <no-dsa> (Minor issue) CVE-2011-4344 (Cross-site scripting (XSS) vulnerability in Jenkins Core in CloudBees ...) - - jenkins-winstone <unfixed> (bug #649900) + - jenkins-winstone 0.9.10-jenkins-29+dfsg-1 (bug #649900) CVE-2011-4343 RESERVED CVE-2011-4342 @@ -2303,7 +2303,8 @@ NOT-FOR-US: Joomla CVE-2011-4320 [ejabberd DoS in pubsub module] RESERVED - - ejabberd 2.1.9-1 + - ejabberd 2.1.9-1 (low) + [squeeze] - ejabberd <no-dsa> (Only triggerable with malformed config file) NOTE: https://support.process-one.net/browse/EJAB-1498 CVE-2011-4319 (Cross-site scripting (XSS) vulnerability in the i18n translations ...) - rails <not-affected> (Only affects RoR 3.0 and above) @@ -5214,7 +5215,8 @@ [squeeze] - sun-java6 <no-dsa> (Non-free not supported) - openjdk-6 6b23~pre11-1 - openjdk-7 7~b147-2.0-1 - - iceweasel <unfixed> + - iceweasel <not-affected> + NOTE: http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/ - chromium-browser <unfixed> - webkit <unfixed> NOTE: strictly speaking this is no lighttpd issue, but lighttpd adds a workaround @@ -7879,7 +7881,6 @@ - postgresql-9.0 9.0.5-1 (bug #631285) - postgresql-9.1 9.1~rc1-1 - php5 5.3.6-13 (bug #631347) - - john 1.7.8-1 NOTE: http://openwall.com/lists/oss-security/2011/06/20/2 CVE-2011-2482 RESERVED 
@@ -8602,7 +8603,9 @@ NOT-FOR-US: CRE Loaded CVE-2011-2477 (Multiple cross-site scripting (XSS) vulnerabilities in config.c in ...) - icinga 1.4.1-1 + [squeeze] - icinga <no-dsa> (Minor issue) - nagios3 <unfixed> + [squeeze] - nagios3 <no-dsa> (Minor issue) CVE-2011-2476 (Cross-site scripting (XSS) vulnerability in Coppermine Photo Gallery ...) NOT-FOR-US: Coppermine Photo Gallery CVE-2011-2208 [Alpha-specific issue] @@ -11134,8 +11137,6 @@ NOT-FOR-US: WebSphere CVE-2011-1306 (Unspecified vulnerability in the Scratchpad application in Google ...) NOT-FOR-US: Google ChromeOS -CVE-2011-XXXX [gmime segfault] - - gmime2.4 2.4.23-1 (bug #616366) CVE-2011-1305 (Race condition in Google Chrome before 11.0.696.57 on Linux and Mac OS ...) - chromium-browser 11.0.696.65~r84435-1 [squeeze] - chromium-browser <no-dsa> (minor issue) @@ -11389,7 +11390,7 @@ - webkit <unfixed> NOTE: http://trac.webkit.org/changeset/79476 CVE-2011-1202 (The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 ...) - - libxslt 1.1.26-7 (bug #617413) + - libxslt 1.1.26-7 (low; bug #617413) - xulrunner <removed> [lenny] - xulrunner <no-dsa> (minor issue) - iceweasel 3.5.19-1 @@ -14899,8 +14900,9 @@ - icedove 3.1.11-1 [lenny] - icedove <end-of-life> CVE-2011-0082 (The X.509 certificate validation functionality in Mozilla Firefox ...) - - xulrunner <removed> - - iceweasel <unfixed> (low; bug #627552) + - xulrunner <removed> (unimportant) + - iceweasel <unfixed> (unimportant; bug #627552) + NOTE: Negligable impact CVE-2011-0081 (Unspecified vulnerability in the browser engine in Mozilla Firefox ...) {DSA-2235-1 DSA-2228-1 DSA-2227-1} - xulrunner <not-affected> (Only affects Firefox 4.0/3.6, not yet in unstable) 
@@ -36693,10 +36695,7 @@ - webkit 1.2 (low; bug #532514) NOTE: The implementations for UNIX seems fine, might be fixed earlier [lenny] - webkit <no-dsa> (Minor issue) - - kdebase <unfixed> (low; bug #532519) - [squeeze] - kdebase <no-dsa> (Minor issue) - [lenny] - kdebase <no-dsa> (Minor issue) - [etch] - kdebase <no-dsa> (Minor issue) + - kdebase <unfixed> (unimportant; bug #532519) - w3m <unfixed> (unimportant; bug #532521) NOTE: w3m doesn''t have Javascript support and the boundary issue is harmles - chromium-browser <undetermined> (bug #520324) Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2012-01-03 19:04:25 UTC (rev 18007) +++ data/spu-candidates.txt 2012-01-03 19:05:56 UTC (rev 18008) @@ -85,6 +85,12 @@ -- +icinga (CVE-2011-1523, CVE-2011-2477) +http://tracker.nagios.org/view.php?id=207 +https://dev.icinga.org/issues/1605 + +-- + kdeutils (CVE-2011-2725) #635541 maintainers notified in bug log @@ -101,9 +107,10 @@ -- -nagios3 (CVE-2011-1523) +nagios3 (CVE-2011-1523, CVE-2011-2477) #629127 http://tracker.nagios.org/view.php?id=207 +https://dev.icinga.org/issues/1605 --
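Review bot: In the CVE-2011-0082 hunk (@@ -14899), the added line "NOTE: Negligable impact" misspells "Negligible" and gives no reason why the X.509 certificate validation issue is rated unimportant for both xulrunner and iceweasel. Fix the spelling and add a short clause or a reference explaining the rating, since the entry moves from "low" to "unimportant" with nothing else in the hunk to justify it.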
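Review bot: In the last data/CVE/list hunk (@@ -36693), the kdebase entry loses its three per-release <no-dsa> lines and becomes "- kdebase <unfixed> (unimportant; bug #532519)" without a NOTE giving the reason, while the w3m entry directly below it carries one. The log message says konqueror is not supported security-wise; record that as a NOTE under the kdebase line so the rationale lives in the tracker data and not only in the commit log.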
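Review bot: In the CVE-2011-2477 hunk (@@ -8602), the unchanged line "- nagios3 <unfixed>" still has no severity and no bug reference, although the added "[squeeze] - nagios3 <no-dsa> (Minor issue)" line rates the issue as minor. Add a severity to the unstable entry to match, and a bug number if one exists; the data/spu-candidates.txt hunk lists #629127 under nagios3, so if that report covers this CVE it should be referenced here as well.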
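Review bot: In the hunk at @@ -5214, "- iceweasel <not-affected>" carries no parenthesised reason, unlike other not-affected entries in this file such as "- rails <not-affected> (Only affects RoR 3.0 and above)". The added NOTE with the Mozilla blog URL is useful, but a one-line reason on the iceweasel line itself would let a reader see why it differs from the chromium-browser and webkit entries that stay <unfixed> without following the link.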
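Review bot: In the hunk at @@ -7879, the "- john 1.7.8-1" line is removed outright, so the entry keeps no trace that john was evaluated; the reason (the change only added support for the new style of hashes) exists only in the log message. Consider leaving a NOTE to that effect next to the existing openwall NOTE so the package is not re-added on a later triage pass.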
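Review bot: In the data/spu-candidates.txt hunk at @@ -85, the new icinga block lists only the two upstream tracker URLs and no Debian bug number, whereas the neighbouring kdeutils and nagios3 blocks each carry one (#635541, #629127). Add the icinga bug number if a report exists, or a line stating that none has been filed yet, so the status of the candidate is clear.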