Author: gilbert-guest
Date: 2009-07-15 02:09:02 +0000 (Wed, 15 Jul 2009)
New Revision: 12343
Modified:
data/CVE/list
data/DSA/list
Log:
fix tracking for DSA-1833
Modified: data/CVE/list
==================================================================---
data/CVE/list 2009-07-14 21:14:22 UTC (rev 12342)
+++ data/CVE/list 2009-07-15 02:09:02 UTC (rev 12343)
@@ -1373,7 +1373,6 @@
{DSA-1833-1}
- dhcp3 <unfixed> (low)
[etch] - dhcp3 <not-affected> (problematic assert is not present)
- [lenny] - dhcp3 3.1.1-6+lenny2 (low)
CVE-2009-1891 (The mod_deflate module in Apache httpd 2.2.11 and earlier
compresses ...)
- apache2 2.2.11-7 (medium; bug #534712)
CVE-2009-1890 (The stream_reqbody_cl function in mod_proxy_http.c in the
mod_proxy ...)
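Review bot: Dropping `[lenny] - dhcp3 3.1.1-6+lenny2 (low)` leaves this entry with only `- dhcp3 <unfixed> (low)` and the etch `<not-affected>` line, so data/CVE/list no longer records any lenny fix for it. If the fixed version is now meant to be derived from the `{DSA-1833-1}` cross-reference, confirm that the tracker actually resolves it from data/DSA/list before removing the line. Otherwise keep the line here. Either way, say which behaviour is intended in the log message, which currently reads only "fix tracking for DSA-1833".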
@@ -5610,8 +5609,6 @@
RESERVED
{DSA-1833-1}
- dhcp3 <unfixed> (medium)
- [etch] - dhcp3 3.0.4-13+etch2 (medium)
- [lenny] - dhcp3 3.1.1-6+lenny2 (medium)
NOTE: dhcp in etch is not affected.
CVE-2009-0691 (The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for
Foxit ...)
NOT-FOR-US: Foxit JPEG2000/JBIG2 Decoder add-on
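Review bot: After the `[etch]` and `[lenny]` lines are removed, the entry is left with `- dhcp3 <unfixed> (medium)` directly above `NOTE: dhcp in etch is not affected.`, and the removed `[etch] - dhcp3 3.0.4-13+etch2 (medium)` line was the only thing here showing that etch did receive a dhcp3 fix. The entry lists dhcp3 while the note says dhcp, so a reader can no longer tell whether etch is fixed or not affected. Please reword the note to name the package it refers to, or keep the etch line so the entry stays self-explanatory.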
Modified: data/DSA/list
==================================================================---
data/DSA/list 2009-07-14 21:14:22 UTC (rev 12342)
+++ data/DSA/list 2009-07-15 02:09:02 UTC (rev 12343)
@@ -1,5 +1,9 @@
[14 Jul 2009] DSA-1833-1 dhcp3 - arbitrary code execution
- {CVE-2009-0692 CVE-2009-1892}
+ {CVE-2009-0692}
+ [etch] - dhcp3 3.0.4-13+etch2
+ [lenny] - dhcp3 3.1.1-6+lenny2
+ {CVE-2009-1892}
+ [lenny] - dhcp3 3.1.1-6+lenny2
[13 Jul 2009] DSA-1832-1 camlimages - arbitrary code execution
{CVE-2009-2295}
[etch] - camlimages 2.20-8+etch1
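Review bot: The new DSA-1833-1 entry puts two `{...}` groups under one heading, each followed by its own release lines, whereas the neighbouring DSA-1832-1 entry has a single `{CVE-2009-2295}` line followed by release lines. Nothing in this commit shows that the tracker accepts a second `{...}` group or associates release lines with the group above them, so please check how DSA-1833-1 renders after this change. If per-CVE grouping is meant as a new convention, document it alongside the file format. Note also that `[lenny] - dhcp3 3.1.1-6+lenny2` now appears twice in one entry; is a repeated release line handled, or is the second occurrence dropped or rejected?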
Michael S Gilbert
2009-Jul-15 02:39 UTC
[Secure-testing-team] [Secure-testing-commits] r12343 - in data: CVE DSA
On 7/14/09, Michael Gilbert wrote:
> Author: gilbert-guest > Date: 2009-07-15 02:09:02 +0000 (Wed, 15 Jul 2009) > New Revision: 12343 > > Modified: > data/CVE/list > data/DSA/list > Log: > fix tracking for DSA-1833 > > > Modified: data/CVE/list > ==================================================================> --- data/CVE/list 2009-07-14 21:14:22 UTC (rev 12342) > +++ data/CVE/list 2009-07-15 02:09:02 UTC (rev 12343) > @@ -1373,7 +1373,6 @@ > {DSA-1833-1} > - dhcp3 <unfixed> (low) > [etch] - dhcp3 <not-affected> (problematic assert is not present) > - [lenny] - dhcp3 3.1.1-6+lenny2 (low) > CVE-2009-1891 (The mod_deflate module in Apache httpd 2.2.11 and earlier > compresses ...) > - apache2 2.2.11-7 (medium; bug #534712) > CVE-2009-1890 (The stream_reqbody_cl function in mod_proxy_http.c in the > mod_proxy ...) > @@ -5610,8 +5609,6 @@ > RESERVED > {DSA-1833-1} > - dhcp3 <unfixed> (medium) > - [etch] - dhcp3 3.0.4-13+etch2 (medium) > - [lenny] - dhcp3 3.1.1-6+lenny2 (medium) > NOTE: dhcp in etch is not affected. > CVE-2009-0691 (The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 > for Foxit ...) > NOT-FOR-US: Foxit JPEG2000/JBIG2 Decoder add-on > > Modified: data/DSA/list > ==================================================================> --- data/DSA/list 2009-07-14 21:14:22 UTC (rev 12342) > +++ data/DSA/list 2009-07-15 02:09:02 UTC (rev 12343)
> @@ -1,5 +1,9 @@ > [14 Jul 2009] DSA-1833-1 dhcp3 - arbitrary code execution > - {CVE-2009-0692 CVE-2009-1892} > + {CVE-2009-0692} > + [etch] - dhcp3 3.0.4-13+etch2 > + [lenny] - dhcp3 3.1.1-6+lenny2 > + {CVE-2009-1892} > + [lenny] - dhcp3 3.1.1-6+lenny2 > [13 Jul 2009] DSA-1832-1 camlimages - arbitrary code execution > {CVE-2009-2295} > [etch] - camlimages 2.20-8+etch1

i think this is a case where the tracker isn't sufficiently flexible. it would be very useful to be able to specify different fixed versions as attempted above in the same DSA. the other option, Florian's tracking, left the security tracker's DSA page empty. any thoughts?

mike