Author: jmm Date: 2012-07-06 15:19:56 +0000 (Fri, 06 Jul 2012) New Revision: 19673 Modified: data/CVE/list data/next-point-update.txt data/spu-candidates.txt Log: fixup old mozilla entry bugzilla no-dsa asterisk bugnum (CVE ID requested for one issue) wireshark will be fixed in point update xen fixed in sid new vlc issue (CVE ID requested) filed bug for ubuntu-sso-client add data for old/resolved Mozilla issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2012-07-06 06:42:55 UTC (rev 19672) +++ data/CVE/list 2012-07-06 15:19:56 UTC (rev 19673) @@ -1,3 +1,5 @@ +CVE-2012-XXXX [VLC Ogg demuxer heap overflow] + - vlc 2.0.2-1 CVE-2012-XXXX [naxsi: file disclosure in nx_extract] - nginx 1.2.1-2 [squeeze] - nginx <not-affected> (naxsi package was introduced in 1.1.18-1) @@ -87,10 +89,10 @@ CVE-2012-3813 RESERVED CVE-2012-XXXX [AST-2012-010: Possible resource leak on uncompleted re-invite transactions] - - asterisk <unfixed> + - asterisk <unfixed> (bug #680470) CVE-2012-3812 [AST-2012-011: Remote crash vulnerability in voice mail application] RESERVED - - asterisk <unfixed> + - asterisk <unfixed> (bug #680470) CVE-2012-3811 (Unrestricted file upload vulnerability in ImageUpload.ashx in the ...) NOT-FOR-US: Not in Debian CVE-2012-3810 @@ -5262,6 +5264,7 @@ NOTE: Not suitable for code injection CVE-2012-1595 (The pcap_process_pseudo_header function in wiretap/pcap-common.c in ...) - wireshark 1.6.6-1 (bug #666058) + [squeeze] - wireshark <no-dsa> (Minor issue, will be fixed through spu) CVE-2012-1594 (epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in ...) - wireshark 1.6.6-1 (unimportant; bug #666058) NOTE: Not suitable for code injection 
@@ -8143,8 +8146,7 @@ - iceweasel <not-affected> (Only affects Firefox on Windows) CVE-2012-0453 (Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in ...) - bugzilla <removed> - NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=725663 - NOTE: upstream bug only talks about 4.x but afaict the vulnerable code already exists in 3.x + [squeeze] - bugzilla <no-dsa> (Minor issue) CVE-2012-0452 (Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, ...) - icedove <not-affected> (Introduced in Thunderbird 10) - iceweasel 10.0.1-1 @@ -10205,7 +10207,7 @@ - qemu-kvm 1.0+dfsg-5 - xen-qemu-dm-4.0 <removed> [squeeze] - xen <not-affected> (vulnerable code not present) - - xen <unfixed> (medium) + - xen 4.1.3~rc1+hg-20120614.a9c0a89c08f2-1 (medium) CVE-2012-0028 (The robust futex implementation in the Linux kernel before 2.6.28 does ...) - linux-2.6 2.6.32-1 CVE-2012-0027 (The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle ...) @@ -11052,7 +11054,7 @@ CVE-2011-4409 (The Ubuntu One Client for Ubuntu 10.04 LTS, 11.04, 11.10, and 12.04 ...) NOT-FOR-US: Ubuntu One CVE-2011-4408 (The Single Sign On Client (ubuntu-sso-client) for Ubuntu 11.04 and ...) - - ubuntu-sso-client <unfixed> + - ubuntu-sso-client <unfixed> (bug #680492) CVE-2011-4407 [apt-add-repository does not perform ssl verification where it *needs* to] RESERVED - software-properties 0.76.7debian2+nmu2 
@@ -13390,10 +13392,11 @@ CVE-2011-3672 RESERVED CVE-2011-3671 (Use-after-free vulnerability in the nsHTMLSelectElement function in ...) - TODO: check - - icedove <unfixed> - - iceweasel <unfixed> - - iceape <unfixed> + - xulrunner <not-affected> (Only affects Firefox >= 4) + - iceweasel 9.0-1 + [lenny] - iceweasel <not-affected> (Only affects Firefox >= 4) + [squeeze] - iceweasel <not-affected> (Only affects Firefox >= 4) + - iceape <not-affected> (Only affects Firefox >= 4) CVE-2011-3670 (Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before ...) {DSA-2406-1 DSA-2402-1 DSA-2400-1} - icedove 7.0-1 Modified: data/next-point-update.txt ==================================================================--- data/next-point-update.txt 2012-07-06 06:42:55 UTC (rev 19672) +++ data/next-point-update.txt 2012-07-06 15:19:56 UTC (rev 19673) @@ -6,5 +6,9 @@ [squeeze] - vte 1:0.24.3-4 CVE-2012-0946 [squeeze] - nvidia-graphics-drivers 195.36.31-6squeeze1 +CVE-2012-1595 + [squeeze] - wireshark 1.2.11-6+squeeze7 +CVE-2012-1593 + [squeeze] - wireshark 1.2.11-6+squeeze7 Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2012-07-06 06:42:55 UTC (rev 19672) +++ data/spu-candidates.txt 2012-07-06 15:19:56 UTC (rev 19673) @@ -42,11 +42,12 @@ -- -bugzilla (CVE-2012-0440, CVE-2012-0448, CVE-2012-0465, CVE-2012-0466) +bugzilla (CVE-2012-0440, CVE-2012-0448, CVE-2012-0453, CVE-2012-0465, CVE-2012-0466) https://bugzilla.mozilla.org/show_bug.cgi?id=728639 https://bugzilla.mozilla.org/show_bug.cgi?id=745397 https://bugzilla.mozilla.org/show_bug.cgi?id=714472 https://bugzilla.mozilla.org/show_bug.cgi?id=718319 +https://bugzilla.mozilla.org/show_bug.cgi?id=725663 --
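Review bot: In the first data/CVE/list hunk, the new "CVE-2012-XXXX [VLC Ogg demuxer heap overflow]" entry records only "- vlc 2.0.2-1" and carries no [squeeze] line, while the neighbouring naxsi entry does state its squeeze status; please add a [squeeze] annotation (or a TODO: check) so the stable status of vlc is not left implicit.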
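Review bot: In the CVE-2012-0453 (bugzilla) hunk, dropping both NOTE lines removes the recorded rationale that the vulnerable code already exists in 3.x, and the replacement "[squeeze] - bugzilla <no-dsa> (Minor issue)" does not say the issue is being tracked for a point update even though the same commit adds it to data/spu-candidates.txt; suggest keeping the 3.x NOTE or extending the annotation, e.g. "(Minor issue, will be fixed through spu)", as the wireshark entry in this commit does.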
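Review bot: In the CVE-2011-3671 hunk, the removed "- icedove <unfixed>" line gets no replacement: xulrunner, iceweasel and iceape all receive a status with the reason "Only affects Firefox >= 4", but the Thunderbird package disappears from the entry altogether, so its status is no longer tracked; add an explicit icedove line (with its own not-affected reason or fixed version) rather than silently dropping it.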
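Review bot: In the data/next-point-update.txt hunk, CVE-2012-1593 is queued for wireshark 1.2.11-6+squeeze7 alongside CVE-2012-1595, but this commit only adds the "[squeeze] - wireshark <no-dsa> (Minor issue, will be fixed through spu)" annotation to the CVE-2012-1595 entry in data/CVE/list; check that the CVE-2012-1593 entry carries the matching [squeeze] annotation so the two files stay consistent.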