Author: jmm-guest Date: 2005-12-18 12:21:13 +0000 (Sun, 18 Dec 2005) New Revision: 3085 Modified: data/CVE/list doc/narrative_introduction Log: more syntax conversions note in narrative-introduction that oldstable is now fully supported Modified: data/CVE/list ==================================================================--- data/CVE/list 2005-12-18 12:02:31 UTC (rev 3084) +++ data/CVE/list 2005-12-18 12:21:13 UTC (rev 3085) @@ -16124,10 +16124,14 @@ [sarge] - kernel-source-2.6.8 2.6.8-8 - kernel-source-2.4.27 2.4.27-7 CVE-2004-0813 (Unknown vulnerability in the SG_IO functionality in ide-cd allows ...) - NOTE: ide-cd SG_IO vulnerability - NOTE: fixed in recent 2.6 and 2.4 kernels + - linux-2.6 <not-affected> (Fixed before upload into archive) + - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive) + TODO: Check, when this was fixed in 2.4 + TOOD: Check, when this was fixed in 2.6 CVE-2004-0812 (Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD ...) - NOTE: only affects kernels before 2.4.23 on amd64 + - linux-2.6 <not-affected> + - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive) + TODO: Check, when this was fixed in 2.4 CVE-2004-0811 (Unknown vulnerability in Apache 2.0.51 prevents "the merging of the ...) - apache2 2.0.52 CVE-2004-0810 (Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to ...) 
@@ -16179,8 +16183,8 @@ {DSA-538} - rsync 2.6.2-3 CVE-2004-0791 (Multiple TCP/IP and ICMP implementations allow remote attackers to ...) - NOTE: All 2.4 and 2.6 kernels verify the TCP sequence numbering when errors occur - NOTE: Kernel will never abort due to an ICMP packet + - kernel-source-2.4.27 <not-affected> (Kernel verifies the TCP sequence nr. on errors, will never abort) + - linux-2.6 <not-affected> (Kernel verifies the TCP sequence nr. on errors, will never abort) CVE-2004-0790 (Multiple TCP/IP and ICMP implementations allow remote attackers to ...) - kernel-source-2.6.8 2.6.8-16 (bug #305664) - kernel-source-2.4.27 2.4.27-10 (bug #305664) @@ -16191,9 +16195,9 @@ - gtk+2.0 2.4.9-2 - gdk-pixbuf 0.22.0-7 CVE-2004-0787 (Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA ...) - NOT-FOR-US: seems OpenCA is + NOT-FOR-US: OpenCA CVE-2004-0786 (The IPv6 URI parsing routines in the apr-util library for Apache ...) - NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge + - apache <not-affected> (not vulnerable according to http://www.debian.org/security/nonvulns-sarge) - apache2 2.0.51 CVE-2004-0785 (Multiple buffer overflows in Gaim before 0.82 allow remote attackers ...) - gaim 1:0.82 @@ -16217,7 +16221,7 @@ CVE-2004-0778 (CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote ...) - cvs 1:1.12.9 CVE-2004-0777 (Format string vulnerability in the auth_debug function in Courier-IMAP ...) - NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge + [sarge] - courier <not-affected> (not vulnerable; #266723) - courier-imap 2.2.2 CVE-2004-0776 RESERVED 
@@ -16292,11 +16296,11 @@ CVE-2004-0748 (mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause ...) - apache2 2.0.51 CVE-2004-0747 (Buffer overflow in Apache 2.0.50 and earlier allows local users to ...) - NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge + [sarge] - apache2 <not-affected> - apache2 2.0.51 CVE-2004-0746 (Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for ...) - - kdelibs 4:3.2.3-3.sarge.1 - NOTE: in t-p-u; 4.3.3 in unstable also fixes it + [sarge] - kdelibs 4:3.2.3-3.sarge.1 + - kdelibs 4:3.3 CVE-2004-0745 (LHA 1.14 and earlier allows attackers to execute arbitrary commands ...) - lha 1.14i-10 (bug #279870) CVE-2004-0744 (The TCP/IP Networking component in Mac OS X before 10.3.5 allows ...) @@ -16346,13 +16350,14 @@ CVE-2004-0722 (Integer overflow in the SOAPParameter object constructor in (1) ...) - mozilla 2:1.6 CVE-2004-0721 (Konqueror 3.1.3, 3.2.2, and possibly other versions does not properly ...) - - konqueror 4:3.2.3-1.sarge.1 - - kdelibs 4:3.2.3-3.sarge.1 - NOTE: in t-p-u; also fixed in 4.3.3 in unstable + [sarge] - kdebase 4:3.2.3-1.sarge.1 + [sarge] - kdelibs 4:3.2.3-3.sarge.1 + - kdelibs 4:3.3.0-1 + - kdebase 4:3.3.0-1 CVE-2004-0720 (Safari 1.2.2 does not properly prevent a frame in one domain from ...) NOT-FOR-US: Safari CVE-2004-0719 (Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows XP, ...) - NOTE: not-fos-us (Microsoft) + NOT-FOR-US: Microsoft CVE-2004-0718 (The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) ...) {DSA-810-1 DSA-777-1 DSA-775-1 DTSA-7-1 DTSA-8-2 DTSA-14-1} NOTE: This has been fixed in mozilla-firefox 0.8 and mozilla 1.6, but recent 
@@ -16384,15 +16389,21 @@ CVE-2004-0707 (SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before ...) - bugzilla 2.16.7-0.1 CVE-2004-0706 (Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, ...) - NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian + [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + - bugzilla 2.18-1 CVE-2004-0705 (Multiple cross-site scripting (XSS) vulnerabilities in (1) ...) - bugzilla 2.16.7-0.1 CVE-2004-0704 (Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in ...) - bugzilla 2.16.7-0.1 CVE-2004-0703 (Unknown vulnerability in the administrative controls in Bugzilla ...) - NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian + [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + - bugzilla 2.18-1 CVE-2004-0702 (DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password ...) - NOTE: bugzilla 2.16.x is not affected, only 2.17 which is not yet in Debian + [woody] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + [sarge] - bugzilla <not-affected> (Only 2.17.* versions are vulnerable) + - bugzilla 2.18-1 CVE-2004-0701 (Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 and 8 ...) NOT-FOR-US: Solaris CVE-2004-0700 (Format string vulnerability in the mod_proxy hook functions function ...) @@ -16424,8 +16435,8 @@ - qt-x11-free 3:3.3.3-4 - qt-copy <removed> CVE-2004-0690 (The DCOPServer in KDE 3.2.3 and earlier allows local users to gain ...) - - kdelibs 4:3.2.3-3.sarge.1 - NOTE: in t-p-u, 4.3.3 in unstable is also fixed + [sarge] - kdelibs 4:3.2.3-3.sarge.1 + - kdelibs 4:3.3.0-1 CVE-2004-0689 (KDE before 3.3.0 does not properly handle when certain symbolic links ...) {DSA-539} - kdelibs 4:3.3.0-1 
@@ -16433,7 +16444,6 @@ {DSA-561-1 DSA-560-1} NOTE: Matej Vela has checked that these are backported to lesstif1 as well - lesstif1-1 1:0.93.94-10 - NOTE: openmotif is non-free - openmotif 2.2.3-1.1 (bug #308819; low) - xfree86 4.3.0.dfsg.1-8 - xorg-x11 <not-affected> (Fixed before introduction into archive) @@ -16441,14 +16451,13 @@ {DSA-561-1 DSA-560-1} NOTE: Matej Vela has checked that these are backported to lesstif1 as well - lesstif1-1 1:0.93.94-10 - NOTE: openmotif is non-free - openmotif 2.2.3-1.1 (bug #308819; low) - xfree86 4.3.0.dfsg.1-8 - xorg-x11 <not-affected> (Fixed before introduction into archive) CVE-2004-0686 (Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the ...) - samba 3.0.5 (bug #260839; bug #260838) CVE-2004-0685 (Certain USB drivers in the Linux 2.4 kernel use the copy_to_user ...) - NOTE: Fixed in upstream 2.4.27 + - kernel-source-2.4.27 2.4.27-1 CVE-2004-0684 (WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, ...) NOT-FOR-US: WebSphere Edge Server CVE-2004-0683 (Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to ...) Modified: doc/narrative_introduction ==================================================================--- doc/narrative_introduction 2005-12-18 12:02:31 UTC (rev 3084) +++ doc/narrative_introduction 2005-12-18 12:21:13 UTC (rev 3085) @@ -320,7 +320,7 @@ thus be used to - Present the security history of a package - Provide overviews of vulnerable packages in stable, testing, sid and - soon oldstable (it still has some false positives, wrt packages in + oldstable (it still has some false positives, wrt packages in stable that are present in stable, but not vulnerable, but these will be ironed out soon) - Generate a list of packages that are subject to security problems, but
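Review bot: In the CVE-2004-0813 entry of the first data/CVE/list hunk, the second added marker is spelled "TOOD:" instead of "TODO:", so a search of the list for open TODO items will not find it; it should read "TODO: Check, when this was fixed in 2.6". In the same hunk the CVE-2004-0812 line "- linux-2.6 <not-affected>" is the only new not-affected annotation without a parenthesised reason; adding one, as the neighbouring lines do, keeps the basis for the status visible once the old NOTE is gone.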
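Review bot: In the CVE-2004-0777 entry, the added annotation names the package "courier" while the unchanged fixed-version line directly below it names "courier-imap". Please confirm which source package the [sarge] not-affected status applies to and use the same name on both lines, or state in the parenthesis why they differ. The removed NOTE pointed at the nonvulns-sarge page, which the CVE-2004-0786 line in this hunk keeps as its reason; here it is replaced by #266723 only, so it is worth checking that the bug report carries the same justification.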
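Review bot: The CVE-2004-0746 entry adds "- kdelibs 4:3.3" as the fixed version, whereas the CVE-2004-0721 and CVE-2004-0690 entries in this same patch record "- kdelibs 4:3.3.0-1" for the KDE fix that the removed notes described in the same words. A truncated version string can compare differently from the full one, so use the complete upstream-plus-revision form here too. In the CVE-2004-0747 entry just above, "[sarge] - apache2 <not-affected>" drops the reference the old NOTE gave and has no reason in parentheses; carry the nonvulns-sarge reference over as was done for CVE-2004-0786.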
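Review bot: In the doc/narrative_introduction hunk, the changed line still opens a parenthesis that reads "packages in stable that are present in stable, but not vulnerable", which does not say which release the false positives concern. Since the line is being edited anyway, reword the caveat so it names the release it applies to. The log message says oldstable is now fully supported while the text keeps "it still has some false positives"; one sentence on what "supported" covers would reconcile the two.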
On Monday 19 December 2005 18:37, Moritz Muehlenhoff wrote:
> Woody is fully supported to the same extent that Sarge is supported
> by the tracker. It just has more false positives. See the svn
> commit logs for more information.

Woody may also have false negatives, i.e. missing entries for some old CVEs that affect woody. Sarge should not have any false negatives.
* Stefan Fritsch:

>> What's your problem with this one? It's there, as far as I can
>> tell.
>
> Shouldn't it appear on
> http://idssi.enyo.de/tracker/status/release/oldstable ?
> It doesn't.

It seems as if stunnel was in woody/non-US. I incorrectly assumed that woody already had crypto-in-main. I'm not sure if it's worth the trouble to add more code to deal with non-US.
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] reliability of oldstable data
Stefan Fritsch wrote:
> On Sunday 18 December 2005 13:21, Moritz Muehlenhoff wrote:
> > note in narrative-introduction that oldstable is now fully
> > supported
>
> this is not really true. AIUI, when we checked the old CVEs last year,
> we did not check whether versions in woody were affected. In many
> cases this would have meant a lot of work

Woody is fully supported to the same extent that Sarge is supported by the tracker. It just has more false positives. See the svn commit logs for more information.

Cheers,
Moritz
On Monday 19 December 2005 18:37, Florian Weimer wrote:
> * Stefan Fritsch:
> > BTW, one case that should be in the tracker but is not:
> >
> > stunnel #278942 CVE-2003-0740
> >
> > What is wrong here?
>
> What's your problem with this one? It's there, as far as I can
> tell.

Shouldn't it appear on http://idssi.enyo.de/tracker/status/release/oldstable ? It doesn't.

Stefan
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] reliability of oldstable data
Stefan Fritsch wrote:
> On Monday 19 December 2005 18:37, Moritz Muehlenhoff wrote:
> > Woody is fully supported to the same extent that Sarge is supported
> > by the tracker. It just has more false positives. See the svn
> > commit logs for more information.
>
> Woody may also have false negatives, i.e. missing entries for some old
> CVEs that affect woody. Sarge should not have any false negatives.

I've corrected all CVE/list entries which had missing entries back until somewhere in 2003, and the rest should be fixed soon.

Cheers,
Moritz
Hi,

On Sunday 18 December 2005 13:21, Moritz Muehlenhoff wrote:
> note in narrative-introduction that oldstable is now fully
> supported

this is not really true. AIUI, when we checked the old CVEs last year, we did not check whether versions in woody were affected. In many cases this would have meant a lot of work (when the version in an advisory was a lot newer than the woody version). Most of these cases should appear in the tracker nonetheless, but some do not (e.g. package removed or renamed between woody and sarge). So the oldstable information has to be considered incomplete (btw, this is already stated on the tracker page).

BTW, one case that should be in the tracker but is not:

stunnel #278942 CVE-2003-0740

What is wrong here?

Cheers,
Stefan
* Stefan Fritsch:

> BTW, one case that should be in the tracker but is not:
>
> stunnel #278942 CVE-2003-0740
>
> What is wrong here?

What's your problem with this one? It's there, as far as I can tell.