Author: jmm Date: 2012-05-11 06:37:36 +0000 (Fri, 11 May 2012) New Revision: 19211 Modified: data/CVE/list data/spu-candidates.txt Log: qpid-cpp issues fixed before initial upload to archive no-dsa: krb5 fixed: krb5, drupal7, icedove Modified: data/CVE/list ==================================================================--- data/CVE/list 2012-05-10 23:44:42 UTC (rev 19210) +++ data/CVE/list 2012-05-11 06:37:36 UTC (rev 19211) @@ -2281,16 +2281,16 @@ - libstruts1.2-java <not-affected> (Only applies to Struts 2, see bug #657870) CVE-2012-1591 RESERVED - - drupal7 <unfixed> (bug #671402) + - drupal7 7.14-1 (bug #671402) CVE-2012-1590 RESERVED - - drupal7 <unfixed> (bug #671402) + - drupal7 7.14-1 (bug #671402) CVE-2012-1589 RESERVED - - drupal7 <unfixed> (bug #671402) + - drupal7 7.14-1 (bug #671402) CVE-2012-1588 RESERVED - - drupal7 <unfixed> (bug #671402) + - drupal7 7.14-1 (bug #671402) CVE-2012-1587 RESERVED NOTE: To be rejected @@ -3459,13 +3459,11 @@ {DSA-2466-1} - ruby-actionpack-2.3 2.3.14-3 (bug #668607) - rails 2.3.14 - [squeeze] - rails <unfixed> NOTE: (code lives within ruby-actionpack in unstable) CVE-2012-1098 (Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before ...) - ruby-actionpack-2.3 <unfixed> (bug #668977) - rails 2.3.14 NOTE: (code lives within ruby-actionpack in unstable) - [squeeze] - rails <unfixed> CVE-2012-1097 RESERVED {DSA-2443-1} @@ -3677,7 +3675,7 @@ RESERVED CVE-2012-1012 RESERVED - - krb5 <unfixed> (bug #670918) + - krb5 1.10.1+dfsg-1 (bug #670918) [squeeze] - krb5 <not-affected> (vulnerable code not present) NOTE: bug was introduced in krb5 1.10 CVE-2012-1011 (actions.php in the AllWebMenus plugin 1.1.8 for WordPress allows ...) 
@@ -4048,10 +4046,7 @@ CVE-2012-0862 [xinetd enables unintentional services over tcpmux port] RESERVED - xinetd <unfixed> (bug #672381) - NOTE: Red Hat bug https://bugzilla.redhat.com/show_bug.cgi?id=790940 - NOTE: Red Hat proposed patch https://bugzilla.redhat.com/attachment.cgi?id=583311 - NOTE: http://seclists.org/oss-sec/2012/q2/283 - NOTE: http://osvdb.org/show/osvdb/81774 + [squeeze] - xinetd <no-dsa> (Minor issue) CVE-2012-0861 RESERVED CVE-2012-0860 @@ -4995,14 +4990,14 @@ NOT-FOR-US: 3S CoDeSys CVE-2012-0479 (Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape <not-affected> (Vulnerable code not present) CVE-2012-0478 (The texImage2D implementation in the WebGL subsystem in Mozilla ...) - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) @@ -5010,7 +5005,7 @@ [squeeze] - iceape <not-affected> (Vulnerable code not present) CVE-2012-0477 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) @@ -5019,7 +5014,7 @@ CVE-2012-0476 RESERVED CVE-2012-0475 (Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and ...) - - icedove <unfixed> (low) + - icedove 10.0.4-1 [squeeze] - icedove <no-dsa> (Minor issue, also not fixed in ESV branch) - iceweasel 12.0-1 (low) [squeeze] - iceweasel <no-dsa> (Minor issue, also not fixed in ESV branch) 
@@ -5027,14 +5022,14 @@ [squeeze] - iceape <no-dsa> (Minor issue, also not fixed in ESV branch) NOTE: Fixed in Thunderbird 12 and Seamonkey 2.9 CVE-2012-0474 (Cross-site scripting (XSS) vulnerability in the docshell ...) - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape <not-affected> (Vulnerable code not present) CVE-2012-0473 (The WebGLBuffer::FindMaxUshortElement function in Mozilla Firefox 4.x ...) - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) @@ -5046,7 +5041,7 @@ - iceape <not-affected> (Windows-specific) CVE-2012-0471 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) @@ -5054,14 +5049,14 @@ [squeeze] - iceape <not-affected> (Vulnerable code not present) CVE-2012-0470 (Heap-based buffer overflow in the ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) - iceape 2.7.4-1 [squeeze] - iceape <not-affected> (Vulnerable code not present) CVE-2012-0469 (Use-after-free vulnerability in the ...) - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) 
@@ -5073,7 +5068,7 @@ - iceape <not-affected> (Only affects Firefox 11 and above) CVE-2012-0467 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-2464-1 DSA-2458-1 DSA-2457-1} - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) @@ -8863,6 +8858,7 @@ RESERVED CVE-2011-4151 (The krb5_db2_lockout_audit function in the Key Distribution Center ...) - krb5 1.10+dfsg~alpha1-1 (low; bug #646367) + [squeeze] - krb5 <no-dsa> (Minor issue) [lenny] - krb5 <not-affected> (introduced in 1.8) CVE-2010-4967 (SQL injection vulnerability in default.asp in ATCOM Netvolution 2.5.6 ...) NOT-FOR-US: ATCOM Netvolution @@ -12213,7 +12209,7 @@ - chromium-browser 18.0.1025.142~r129054-1 CVE-2011-3062 (Off-by-one error in the OpenType Sanitizer in Google Chrome before ...) - chromium-browser 18.0.1025.142~r129054-1 - - icedove <unfixed> + - icedove 10.0.4-1 [squeeze] - icedove <not-affected> (Vulnerable code not present) - iceweasel 10.0.4esr-1 [squeeze] - iceweasel <not-affected> (Vulnerable code not present) @@ -23655,15 +23651,12 @@ CVE-2009-5007 (The Cisco trial client on Linux for Cisco AnyConnect SSL VPN allows ...) NOT-FOR-US: Cisco AnyConnect SSL VPN trial client CVE-2009-5006 (The SessionAdapter::ExchangeHandlerImpl::checkAlternate function in ...) - - qpid-cpp <unfixed> - TODO: check + - qpid-cpp <not-affected> (Fixed before initial upload to archive) CVE-2009-5005 (The Cluster::deliveredEvent function in cluster/Cluster.cpp in Apache ...) - - qpid-cpp <unfixed> - TODO: check + - qpid-cpp <not-affected> (Fixed before initial upload to archive) CVE-2009-5004 RESERVED - - qpid-cpp <unfixed> - TODO: check + - qpid-cpp <not-affected> (Fixed before initial upload to archive) CVE-2010-3845 RESERVED - libapache-authenhook-perl 2.00-04+pristine-2 (low; bug #599712) 
@@ -25886,8 +25879,7 @@ - linux-2.6 2.6.32-25 [lenny] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.30) CVE-2010-3083 (sys/ssl/SslSocket.cpp in qpidd in Apache Qpid, as used in Red Hat ...) - - qpid-cpp <unfixed> - TODO: check + - qpid-cpp <not-affected> (Fixed before initial upload to archive) CVE-2010-3082 (Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 ...) - python-django 1.2.3-1 (low; bug #596205) NOTE: http://www.djangoproject.com/weblog/2010/sep/08/security-release/ Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2012-05-10 23:44:42 UTC (rev 19210) +++ data/spu-candidates.txt 2012-05-11 06:37:36 UTC (rev 19211) @@ -204,6 +204,12 @@ -- +krb5 (CVE-2011-4151) +#646367 + + +-- + libgssglue (CVE-2011-2709) patch in bug #670256 @@ -440,6 +446,12 @@ -- +xinetd (CVE-2012-0862) +https://bugzilla.redhat.com/show_bug.cgi?id=790940 + + +-- + zendframework (CVE-2011-1939) http://framework.zend.com/security/advisory/ZF2011-02
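Review bot: The hunk at `@@ -3459,13 +3459,11 @@` drops the two `[squeeze] - rails <unfixed>` lines under CVE-2012-1099 and CVE-2012-1098, but the commit log ("qpid-cpp issues fixed ... no-dsa: krb5 fixed: krb5, drupal7, icedove") does not mention rails at all. If the intent is that squeeze's status is now derived from the `- rails 2.3.14` version line rather than stated explicitly, say so in the log or in the existing `NOTE: (code lives within ruby-actionpack in unstable)` line so the next person does not read the removal as a claim that squeeze is fixed.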
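Review bot: The xinetd hunk at `@@ -4048,10 +4046,7 @@` removes four reference lines (`NOTE: Red Hat proposed patch https://bugzilla.redhat.com/attachment.cgi?id=583311`, the oss-sec thread and the OSVDB entry) while marking squeeze `<no-dsa> (Minor issue)`; only the Red Hat bug URL survives, moved into `data/spu-candidates.txt`. The patch attachment link in particular is what an spu upload would need, so keep those NOTE lines in `data/CVE/list` alongside the new `[squeeze]` line (or carry all of them into the spu-candidates entry). The xinetd no-dsa is also missing from the commit log, which lists only krb5 under "no-dsa".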
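Review bot: In the hunk at `@@ -5019,7 +5014,7 @@` for CVE-2012-0475, `- icedove <unfixed> (low)` becomes `- icedove 10.0.4-1` and the `(low)` severity annotation is dropped, while the neighbouring `- iceweasel 12.0-1 (low)` line keeps it. The other icedove hunks in this commit only swap `<unfixed>` for the version, so this looks like an accidental loss; suggest `- icedove 10.0.4-1 (low)` to keep the two Mozilla entries consistent.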
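Review bot: The qpid-cpp hunks at `@@ -23655,15 +23651,12 @@` and `@@ -25886,8 +25879,7 @@` replace `<unfixed>` plus `TODO: check` with `<not-affected> (Fixed before initial upload to archive)` for four CVEs, including CVE-2009-5004 which is still only `RESERVED` with no description. The reason string records the conclusion but not what it was checked against; a `NOTE:` line giving the upstream version or changeset that contains the fix, compared to the first qpid-cpp upload, would let the `<not-affected>` claim be re-verified later without redoing the TODO.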