Secure testing team - Oct 2009 - r13052 - data/CVE

Author: jmm-guest
Date: 2009-10-19 22:46:26 +0000 (Mon, 19 Oct 2009)
New Revision: 13052

Modified:
   data/CVE/list
Log:
revert, don''t convert TODOs to unfixed entries unless you''ve
looked
  into the actual issue


Modified: data/CVE/list
==================================================================---
data/CVE/list	2009-10-19 22:43:48 UTC (rev 13051)
+++ data/CVE/list	2009-10-19 22:46:26 UTC (rev 13052)
@@ -69969,11 +69969,9 @@
 	- mysql-ocaml 1.0.3-6 (bug #314464; unimportant)
 	- php4 4:4.3.10-16 (low)
 CVE-2004-2136 (dm-crypt on Linux kernel 2.6.x, when used on certain file
systems ...)
-	- linux-2.6 <unfixed> (low)
-	- linux-2.6.24 <removed> (low)
+	TODO: This looks like a minor issue, the paper is from Feb 2004, check whether
this still applies
 CVE-2004-2135 (cryptoloop on Linux kernel 2.6.x, when used on certain file
systems ...)
-	- linux-2.6 <unfixed> (low)
-	- linux-2.6.24 <removed> (low)
+	TODO: This looks like a minor issue, the paper is from Feb 2004, check whether
this still applies
 CVE-2004-2134 (Oracle toplink mapping workBench uses a weak encryption
algorithm for ...)
 	NOT-FOR-US: Oracle
 CVE-2004-2133 (Certain third-party packages for CVSup 16.1h, such as SuSE
Linux, ...)

On Mon, 19 Oct 2009 22:46:26 +0000, Moritz Muehlenhoff
wrote:
> Author: jmm-guest
> Date: 2009-10-19 22:46:26 +0000 (Mon, 19 Oct 2009)
> New Revision: 13052
> 
> Modified:
>    data/CVE/list
> Log:
> revert, don''t convert TODOs to unfixed entries unless
you''ve looked
>   into the actual issue
it''s not really a TODO for the secure-testing team anymore now that
it''s
handed over to kernel-sec, but i accept your changes since it''s
somewhat
irrelevant whether we track it as a TODO or an open issue.

mike

On Mon, 19 Oct 2009 19:00:07 -0400, Michael Gilbert
wrote:
> On Mon, 19 Oct 2009 22:46:26 +0000, Moritz Muehlenhoff wrote:
> > Author: jmm-guest
> > Date: 2009-10-19 22:46:26 +0000 (Mon, 19 Oct 2009)
> > New Revision: 13052
> > 
> > Modified:
> >    data/CVE/list
> > Log:
> > revert, don''t convert TODOs to unfixed entries unless
you''ve looked
> >   into the actual issue
> 
> it''s not really a TODO for the secure-testing team anymore now
that it''s
> handed over to kernel-sec, but i accept your changes since it''s
somewhat
> irrelevant whether we track it as a TODO or an open issue.
oh, and not to complain, but part of the reason why these issues
weren''t
on anyone''s plate (for five years no less) is the fact that they were
being tracked as TODOs in our tracker.  consequently, they were never
addressed or even considered for passing on to kernel-sec.  it may have
been a different story if they were tracked as open issues since they
would appear in debsecan and on the tracker pages where many eyeballs
are looking.

mike