Author: derevko-guest Date: 2009-06-19 09:09:04 +0000 (Fri, 19 Jun 2009) New Revision: 12161 Modified: data/CVE/list Log: Reverted changes in packages accepted in stable/oldstable. Those entries have to be changed when the stable/oldstable update has actually been released, and not when a package is accepted in stable/oldstable. Sorry for the trouble. Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-06-19 07:59:21 UTC (rev 12160) +++ data/CVE/list 2009-06-19 09:09:04 UTC (rev 12161) @@ -350,7 +350,7 @@ NOTE: exploitability limited, DoS rather obscure attack scenario CVE-2009-1956 (Off-by-one error in the apr_brigade_vprintf function in Apache ...) - apr-util 1.3.7+dfsg-1 (low) - [lenny] - apr-util 1.2.12+dfsg-8+lenny3 + TODO: next point release: [lenny] - apr-util 1.2.12+dfsg-8+lenny3 CVE-2009-1955 (The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in ...) {DSA-1812-1} - apr-util 1.3.7+dfsg-1 (medium) @@ -1286,7 +1286,8 @@ NOT-FOR-US: DFLabs CVE-2008-6792 (system-tools-backends before 2.6.0-1ubuntu1.1 in Ubuntu 8.10, as used ...) - system-tools-backends 2.6.0-6.1 (low; bug #527952) - [lenny] - system-tools-backends 2.6.0-2lenny3 + [lenny] - system-tools-backends <no-dsa> (Minor issue, scheduled for next point update) + TODO: add after r2 [lenny] - system-tools-backends 2.6.0-2lenny3 [etch] - system-tools-backends <not-affected> (SHA was added to crypt(3) post-etch) CVE-2009-1581 (functions/mime.php in SquirrelMail before 1.4.18 does not protect the ...) {DSA-1802-1} 
@@ -2706,10 +2707,11 @@ CVE-2009-1215 (Race condition in GNU screen 4.0.3 allows local users to create or ...) - screen 4.0.3-13 (low; bug #521123) [etch] - screen <not-affected> (etch version predates #433338) - [lenny] - screen 4.0.3-11+lenny1 + [lenny] - screen <no-dsa> (Minor issue) + TODO: add after r2 [lenny] - screen 4.0.3-11+lenny1 CVE-2009-1214 (GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with ...) - screen 4.0.3-13 (unimportant; bug #521123) - [lenny] - screen 4.0.3-11+lenny1 + TODO: add after r2 [lenny] - screen 4.0.3-11+lenny1 NOTE: documented behaviour "or the public accessible screen-exchange", see man screen CVE-2009-1213 (Cross-site request forgery (CSRF) vulnerability in attachment.cgi in ...) - bugzilla <unfixed> (low; bug #514143) @@ -3344,7 +3346,8 @@ NOT-FOR-US: Apple Safari CVE-2009-1041 (The ktimer feature (sys/kern/kern_time.c) in FreeBSD 7.0, 7.1, and 7.2 ...) - kfreebsd-7 7.1-3 - [lenny] - kfreebsd-7 7.0-7lenny1 + [lenny] - kfreebsd-7 <no-dsa> (KFreebsd not supported) + TODO: lenny r02 [lenny] - kfreebsd-7 7.0-7lenny1 CVE-2008-6511 (Open redirect vulnerability in login.jsp in Openfire 3.6.0a and ...) NOT-FOR-US: Openfire CVE-2008-6510 (Cross-site scripting (XSS) vulnerability in login.jsp in the Admin ...) @@ -8993,7 +8996,8 @@ - kfreebsd-6 <unfixed> [lenny] - kfreebsd-6 <no-dsa> (KFreebsd not supported) - kfreebsd-7 7.1-1 - [lenny] - kfreebsd-7 7.0-7lenny1 + [lenny] - kfreebsd-7 <no-dsa> (KFreebsd not supported) + TODO: lenny r02 [lenny] - kfreebsd-7 7.0-7lenny1 CVE-2008-5161 (Error handling in the SSH protocol in (1) SSH Tectia Client and Server ...) - openssh <unfixed> (low; bug #506115) [etch] - openssh <no-dsa> (Minor issue, see http://www.openssh.org/txt/cbc.adv) 
@@ -26824,7 +26828,8 @@ [etch] - perl <not-affected> (Was merged into Perl as of 5.10) - libarchive-tar-perl 1.38-1 (low; bug #449544) [sarge] - libarchive-tar-perl <no-dsa> (Minor issue) - [etch] - libarchive-tar-perl 1.38-3~etch1 + [etch] - libarchive-tar-perl <no-dsa> (Minor issue) + TODO: next point release [etch] - libarchive-tar-perl 1.38-3~etch1 CVE-2007-4828 (Cross-site scripting (XSS) vulnerability in the API pretty-printing ...) - mediawiki 1.10.2-1 (low; bug #442255) [etch] - mediawiki <not-affected> (Does not include the vulnerable code)
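Review bot: in the CVE-2009-1956 hunk (@@ -350) the `[lenny] - apr-util 1.2.12+dfsg-8+lenny3` line is replaced by a TODO comment alone, with no `[lenny] - apr-util <no-dsa> (...)` entry put in its place, unlike the system-tools-backends and screen hunks in the same commit. Without a lenny-specific line the lenny status is derived from the unstable fix (1.3.7+dfsg-1), so lenny shows as open with no explanation until the point release actually ships. Suggest adding `[lenny] - apr-util <no-dsa> (Minor issue, scheduled for next point update)` above the TODO line, matching the pattern used for system-tools-backends.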
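Review bot: in the CVE-2008-6792 hunk (@@ -1286) the TODO marker `TODO: add after r2` does not say which release's r2 is meant, and an `[etch]` line sits directly below it in the same entry. Since both stable and oldstable point releases are being tracked in this file, `TODO: add after lenny r2` would leave no room for doubt when the entries are swapped back in later.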
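Review bot: in the screen hunk (@@ -2706) the two entries are handled differently: CVE-2009-1215 gets `[lenny] - screen <no-dsa> (Minor issue)` plus a TODO, while CVE-2009-1214 directly below loses its `[lenny]` line and gets only the TODO. If that asymmetry is deliberate because CVE-2009-1214 is rated unimportant, a short NOTE saying so would help the next editor; otherwise the same `<no-dsa>` line should be added there too so both screen entries are treated alike.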
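Review bot: in the CVE-2009-1041 hunk (@@ -3344) the marker reads `TODO: lenny r02`, whereas the other lenny hunks in this commit use `TODO: add after r2`. One spelling for the same pending action would let all entries waiting on the point release be found with a single grep when it is time to restore the `7.0-7lenny1` line.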
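Review bot: in the libarchive-tar-perl hunk (@@ -26824) the marker `TODO: next point release` is for etch, while the lenny hunks say `add after r2` or `lenny r02`, and the apr-util hunk also says `next point release` for lenny. With point releases pending for both stable and oldstable, naming the release in each TODO (for example `TODO: etch rN`, with the actual number filled in) would make it clear which update has to ship before `1.38-3~etch1` goes back in.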
Michael S. Gilbert
2009-Jun-19 15:39 UTC
[Secure-testing-team] [Secure-testing-commits] r12161 - data/CVE
On Fri, 19 Jun 2009 09:09:05 +0000, Giuseppe Iuculano wrote:
> Author: derevko-guest
> Date: 2009-06-19 09:09:04 +0000 (Fri, 19 Jun 2009)
> New Revision: 12161
>
> Modified:
> data/CVE/list
> Log:
> Reverted changes in packages accepted in stable/oldstable. Those entries have to be changed
> when the stable/oldstable update has actually been released, and not when a package is accepted in
> stable/oldstable. Sorry for the trouble.

i don't see the need for this reversion. if the tracker has these new versions, which have not yet entered the archive, then it does not mark the older version (that's still in the archive) as fixed or anything that would be confusing or incorrect. in fact, i think that it is more useful to track the fixed version whether or not it has entered the archive yet.

maybe i've missed something? what is the philosophy behind this decision?

mike
Giuseppe Iuculano
2009-Jun-19 20:13 UTC
[Secure-testing-team] [Secure-testing-commits] r12161 - data/CVE
Michael S. Gilbert wrote:
> i don't see the need for this reversion. if the tracker has these new
> versions, which have not yet entered the archive, then it does not mark
> the older version (that's still in the archive) as fixed or anything
> that would be confusing or incorrect. in fact, i think that it is more
> useful to track the fixed version whether or not it has entered the
> archive yet.
>
> maybe i've missed something? what is the philosophy behind this
> decision?

As Moritz pointed out to me, adding entries for packages accepted in stable but not yet entered in the archive makes it more difficult to track issues which still need to be addressed for a DSA.

Cheers,
Giuseppe.
Michael S. Gilbert
2009-Jun-19 20:28 UTC
[Secure-testing-team] [Secure-testing-commits] r12161 - data/CVE
On Fri, 19 Jun 2009 22:13:32 +0200, Giuseppe Iuculano wrote:
> Michael S. Gilbert wrote:
> > i don't see the need for this reversion. if the tracker has these new
> > versions, which have not yet entered the archive, then it does not mark
> > the older version (that's still in the archive) as fixed or anything
> > that would be confusing or incorrect. in fact, i think that it is more
> > useful to track the fixed version whether or not it has entered the
> > archive yet.
> >
> > maybe i've missed something? what is the philosophy behind this
> > decision?
>
> As Moritz pointed me out, adding entries for packages accepted in stable but not
> yet entered in the archive makes more difficult to track issues which still need
> to be addressed for a DSA.

yes, but all of these are for an upcoming point release, correct? and hence will not be involved in any upcoming DSA? from my perspective, that doesn't make tracking TODO DSAs any more difficult.

i still don't see the problem.

mike
Moritz Muehlenhoff
2009-Jun-21 19:33 UTC
[Secure-testing-team] [Secure-testing-commits] r12161 - data/CVE
On Fri, Jun 19, 2009 at 04:28:53PM -0400, Michael S. Gilbert wrote:
> On Fri, 19 Jun 2009 22:13:32 +0200, Giuseppe Iuculano wrote:
> > Michael S. Gilbert wrote:
> > > i don't see the need for this reversion. if the tracker has these new
> > > versions, which have not yet entered the archive, then it does not mark
> > > the older version (that's still in the archive) as fixed or anything
> > > that would be confusing or incorrect. in fact, i think that it is more
> > > useful to track the fixed version whether or not it has entered the
> > > archive yet.
> > >
> > > maybe i've missed something? what is the philosophy behind this
> > > decision?
> >
> > As Moritz pointed me out, adding entries for packages accepted in stable but not
> > yet entered in the archive makes more difficult to track issues which still need
> > to be addressed for a DSA.
>
> yes, but all of these are for a an upcoming point release, correct? and
> hence will not be involved in any upcoming DSA? from my perspective,
> that doesn't make tracking TODO DSAs any more difficult.
>
> i still don't see the problem.

All these issues still need to be marked no-dsa until the fixed package has actually been released with a point release.

Cheers,
Moritz
Michael S. Gilbert
2009-Jun-22 01:14 UTC
[Secure-testing-team] [Secure-testing-commits] r12161 - data/CVE
On Sun, 21 Jun 2009 21:33:10 +0200 Moritz Muehlenhoff wrote:
> On Fri, Jun 19, 2009 at 04:28:53PM -0400, Michael S. Gilbert wrote:
> > On Fri, 19 Jun 2009 22:13:32 +0200, Giuseppe Iuculano wrote:
> > > Michael S. Gilbert wrote:
> > > > i don't see the need for this reversion. if the tracker has these new
> > > > versions, which have not yet entered the archive, then it does not mark
> > > > the older version (that's still in the archive) as fixed or anything
> > > > that would be confusing or incorrect. in fact, i think that it is more
> > > > useful to track the fixed version whether or not it has entered the
> > > > archive yet.
> > > >
> > > > maybe i've missed something? what is the philosophy behind this
> > > > decision?
> > >
> > > As Moritz pointed me out, adding entries for packages accepted in stable but not
> > > yet entered in the archive makes more difficult to track issues which still need
> > > to be addressed for a DSA.
> >
> > yes, but all of these are for a an upcoming point release, correct? and
> > hence will not be involved in any upcoming DSA? from my perspective,
> > that doesn't make tracking TODO DSAs any more difficult.
> >
> > i still don't see the problem.
>
> All these issues still need to be marked no-dsa until the fixed package
> has actually been released with a point release.

ok, i see now. the philosophy here is to prevent these issues from popping up in the tracker as presently affected (via the <no-dsa> tag). Dann Frasier's <pending> idea (bug #482577) would be useful in this type of situation.

mike