Author: jmm-guest
Date: 2009-12-20 10:09:00 +0000 (Sun, 20 Dec 2009)
New Revision: 13611
Modified:
data/CVE/list
Log:
revert previous commit: CVE/list is not a dumping ground for issues
someone should check based on embedded-code-copies.
If something is added to CVE/list as unfixed it needs to be checked
beforehand.
Modified: data/CVE/list
==================================================================
--- data/CVE/list 2009-12-20 09:14:53 UTC (rev 13610)
+++ data/CVE/list 2009-12-20 10:09:00 UTC (rev 13611)
@@ -1185,9 +1185,6 @@
CVE-2009-3932 (The Gears plugin in Google Chrome before 3.0.195.32 allows ...)
- chromium-browser <itp> (low; bug #520324)
- webkit <unfixed> (low; bug #560905)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-3931 (Incomplete blacklist vulnerability in
browser/download/download_exe.cc ...)
- chromium-browser <itp> (low; bug #520324)
CVE-2009-3930 (Multiple integer overflows in Christos Zoulas file before 5.02
allow ...)
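Review bot: the three dropped lines are the only place this record ties qt4-x11, kdelibs and kde4libs to bugs #561760, #561765 and #561762; after the revert the webkit entry is still <unfixed> but nothing in CVE/list points a reader at the packages carrying the embedded copy. If the revert stands, those bug numbers should be reachable from embedded-code-copies so the exposure is not lost with the lines.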
@@ -2807,9 +2804,6 @@
RESERVED
CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari
before ...)
- webkit 1.1.17-2 (medium; bug #559759)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-3383 (Multiple unspecified vulnerabilities in the JavaScript engine in
...)
- xulrunner 1.9.1.4-1
[lenny] - xulrunner <not-affected> (Only affects Firefox 3.5)
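Review bot: with webkit already fixed in 1.1.17-2 on this record, the removed qt4-x11/kdelibs/kde4libs lines were its only open entries, so after the revert CVE-2009-3384 reads as fully resolved in CVE/list while the embedded copies are still unverified. A NOTE citing bugs #561760/#561765/#561762 would keep it from being treated as closed.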
@@ -4315,9 +4309,6 @@
CVE-2009-2953 (Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote
...)
- xulrunner <unfixed> (unimportant; bug #557753)
- webkit <unfixed> (unimportant; bug #557752)
- - qt4-x11 <unfixed> (unimportant; bug #561760)
- - kdelibs <unfixed> (unimportant; bug #561765)
- - kde4libs <unfixed> (unimportant; bug #561762)
NOTE: browser denial-of-services are considered unimportant
CVE-2009-2952 (Unspecified vulnerability in the pollwakeup function in Sun
Solaris ...)
NOT-FOR-US: Sun Solaris
@@ -4770,9 +4761,6 @@
NOT-FOR-US: Apple Safari
CVE-2009-2841 (WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform
the ...)
- webkit <unfixed> (medium; bug #559759)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: work with upstream to determine affected/not-affected versions
CVE-2009-2840 (Spotlight in Apple Mac OS X 10.5.8 does not properly handle
temporary ...)
NOT-FOR-US: Apple Mac OS X
@@ -4829,9 +4817,6 @@
CVE-2009-2816 (The implementation of Cross-Origin Resource Sharing (CORS) in
WebKit, ...)
- webkit <unfixed> (medium; bug #559759)
[lenny] - webkit <not-affected> (vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-2815 (The Telephony component in Apple iPhone OS before 3.1 does not
...)
NOT-FOR-US: Apple iPhone OS
CVE-2009-2814 (Cross-site scripting (XSS) vulnerability in the Wiki Server in
Apple ...)
@@ -4874,9 +4859,6 @@
NOT-FOR-US: Apple QuickTime
CVE-2009-2797 (The WebKit component in Safari in Apple iPhone OS before 3.1,
and ...)
- webkit <unfixed> (medium; bug #559759)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: someone needs to gain membership to the webkit security list so we can
actually check these issues
CVE-2009-2796 (The UIKit component in Apple iPhone OS 3.0, and iPhone OS 3.0.1
for ...)
NOT-FOR-US: Apple iPhone OS
@@ -6268,9 +6250,6 @@
NOT-FOR-US: Apple Safari
CVE-2009-2419 (Use-after-free vulnerability in the servePendingRequests
function in ...)
- webkit 1.1.10-1
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-2418
RESERVED
CVE-2009-2417 (lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when
OpenSSL is ...)
@@ -6914,9 +6893,6 @@
CVE-2009-2195 (Buffer overflow in WebKit in Apple Safari before 4.0.3 allows
remote ...)
- webkit 1.1.12-1 (medium)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=517273
NOTE: http://trac.webkit.org/changeset/45696
CVE-2009-2194 (Apple Mac OS X 10.5 before 10.5.8 does not properly share file
...)
@@ -7460,9 +7436,6 @@
NOT-FOR-US: MHF Media Pro
CVE-2009-XXXX [predictable random number generator used in web browsers]
- webkit <unfixed> (low; bug #532514)
- - qt4-x11 <unfixed> (low; bug #561759)
- - kdelibs <unfixed> (low; bug #561757)
- - kde4libs <unfixed> (low; bug #561758)
[lenny] - webkit <no-dsa> (Minor issue)
- xulrunner <unfixed> (low; bug #532516)
[lenny] - xulrunner <no-dsa> (Minor issue)
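Review bot: unlike the other hunks, the three entries removed here cite issue-specific bugs (#561759, #561757, #561758) rather than the shared #561760/#561765/#561762 triple, so they were filed per issue rather than as a blanket embedded-copy placeholder. That is closer to the "checked beforehand" standard the log message asks for, and these lines may deserve to survive the revert.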
@@ -8112,8 +8085,6 @@
CVE-2009-1724 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- qt4-x11 <unfixed> (low; bug #538403)
- webkit 1.1.13-1 (low; bug #538402)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://www.thespanner.co.uk/2009/06/19/minor-safari-cross-domain-bug/
CVE-2009-1723 (CFNetwork in Apple Mac OS X 10.5 before 10.5.8 places an
incorrect URL ...)
NOT-FOR-US: CFNetwork in Apple Mac OS X
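Review bot: the criterion applied here is worth stating in the log: qt4-x11's <unfixed> entry with its own bug #538403 survives while only the two blanket kdelibs/kde4libs lines (bugs #561765/#561762) go, so in practice "checked beforehand" means an entry backed by a per-issue bug rather than the shared embedded-copy bug. Spelling that out would stop entries of that shape being reverted again.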
@@ -8131,51 +8102,30 @@
CVE-2009-1718 (WebKit in Apple Safari before 4.0 allows user-assisted remote
...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <no-dsa> (Minor issue)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1717 (Integer overflow in Terminal in Apple Mac OS X 10.5 before
10.5.7 ...)
NOT-FOR-US: Mac OS X
CVE-2009-1716 (CFNetwork in Apple Safari before 4.0 on Windows does not
properly ...)
NOT-FOR-US: CFNetwork in Apple
CVE-2009-1715 (Cross-site scripting (XSS) vulnerability in Web Inspector in
WebKit in ...)
- webkit 1.0.1-4 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1714 (Cross-site scripting (XSS) vulnerability in Web Inspector in
WebKit in ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/36359
CVE-2009-1713 (The XSLT functionality in WebKit in Apple Safari before 4.0 does
not ...)
- webkit 1.0.1-4 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/34533
CVE-2009-1712 (WebKit in Apple Safari before 4.0 does not prevent remote
loading of ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/41568
CVE-2009-1711 (WebKit in Apple Safari before 4.0 does not properly initialize
memory ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/36918
CVE-2009-1710 (WebKit in Apple Safari before 4.0 allows remote attackers to
spoof the ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1709 (Use-after-free vulnerability in the garbage-collection
implementation ...)
{DSA-1866-1}
- webkit 0~svn32442-1
@@ -8183,7 +8133,6 @@
- kde4libs <not-affected> (Vulnerable code not present)
- kdegraphics 4:4.0 (medium; bug #534951)
NOTE: kdegraphics >4.0 not affected since ksvg is only in 3.5.x series)
- - qt4-x11 4.5.0-1 (medium; bug #534947)
CVE-2009-1708 (Apple Safari before 4.0 does not prevent calls to the
open-help-anchor ...)
NOT-FOR-US: Apple Safari
CVE-2009-1707 (Race condition in the Reset Safari implementation in Apple
Safari ...)
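Review bot: this hunk drops a fixed-version entry, `- qt4-x11 4:4.5.0-1 (medium; bug #534947)`, not an <unfixed> placeholder like the rest of the patch. Unless that line was also part of the reverted commit, it records a verified fix next to the kde4libs <not-affected> and kdegraphics 4:4.0 entries above it and should be kept.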
@@ -8197,82 +8146,43 @@
CVE-2009-1703 (WebKit in Apple Safari before 4.0 does not prevent references to
file: ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <no-dsa> (Minor issue)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1702 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1701 (Use-after-free vulnerability in the JavaScript DOM
implementation in ...)
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: invasive patch to backport.
CVE-2009-1700 (The XSLT implementation in WebKit in Apple Safari before 4.0,
iPhone ...)
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1699 (The XSL stylesheet implementation in WebKit in Apple Safari
before ...)
- webkit 1.0.1-4 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1698 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
{DSA-1950-1 DSA-1868-1 DSA-1867-1}
- webkit 1.1.5-1 (medium; bug #534946)
NOTE: http://trac.webkit.org/changeset/42081
- - kdelibs 4:3.5.10.dfsg.1-2.1 (medium; bug #534952)
- - kde4libs 4:4.3.0-1 (medium; bug #534949)
- - qt4-x11 4:4.5.2-1 (medium; bug #534947)
CVE-2009-1697 (CRLF injection vulnerability in WebKit in Apple Safari before
4.0, ...)
{DSA-1950-1}
- webkit 1.1.15.2-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1696 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1695 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1694 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1693 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/35928
CVE-2009-1692 (WebKit before r41741, as used in Apple iPhone OS 1.0 through
2.2.1, ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: upstream (undisclosed) bug report is
https://bugs.webkit.org/show_bug.cgi?id=23319
NOTE: http://trac.webkit.org/changeset/41741
CVE-2009-1691 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/32791
CVE-2009-1690 (Use-after-free vulnerability in WebKit, as used in Apple Safari
before ...)
{DSA-1950-1 DSA-1868-1 DSA-1867-1}
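Review bot: under CVE-2009-1698 the revert removes three fixed-version entries (kdelibs 4:3.5.10.dfsg.1-2.1, kde4libs 4:4.3.0-1, qt4-x11 4:4.5.2-1, each with its own bug) while the record keeps `{DSA-1950-1 DSA-1868-1 DSA-1867-1}`. Three advisories against a record that now lists only webkit is inconsistent; if those DSAs covered the removed packages, the lines should stay, and the same check applies to CVE-2009-1690 and CVE-2009-1687, which carry the same DSA set.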
@@ -8285,15 +8195,9 @@
CVE-2009-1689 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1688 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1687 (The JavaScript garbage collector in WebKit in Apple Safari
before 4.0, ...)
{DSA-1950-1 DSA-1868-1 DSA-1867-1}
- webkit 1.1.5-1 (medium; bug #534946)
@@ -8304,20 +8208,11 @@
CVE-2009-1686 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1685 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.0.1-4 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1684 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1683 (The Telephony component in Apple iPhone OS 1.0 through 2.2.1 and
...)
NOT-FOR-US: iPhone
CVE-2009-1682 (Apple Safari before 4.0 does not properly check for revoked
Extended ...)
@@ -8325,9 +8220,6 @@
CVE-2009-1681 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1680 (Safari in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for
iPod ...)
NOT-FOR-US: Safari in Apple iPhone OS
CVE-2009-1679 (The Profiles component in Apple iPhone OS 1.0 through 2.2.1 and
iPhone ...)
@@ -10959,7 +10851,6 @@
- qt4-x11 4:4.5.2-1 (medium; bug #532718)
- webkit 1.1.5-1 (medium; bug #532724; bug #532725)
NOTE: http://trac.webkit.org/changeset/43590
- - kdelibs <unfixed> (low; bug #561765)
- kde4libs 4:4.3.0-1 (medium; bug #534917)
[lenny] - kde4libs <not-affected> (khtml doesn''t have SVG
support)
NOTE: http://websvn.kde.org/?view=rev&revision=983302
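Review bot: the only line removed here is the kdelibs <unfixed> placeholder, in a record where qt4-x11, webkit and kde4libs all have fixed versions with their own bugs and the kept `[lenny] - kde4libs <not-affected> (khtml doesn''t have SVG support)` line shows the verification was done for kde4libs. The same reasoning might settle kdelibs as well; recording that the kdelibs check is still open would be better than dropping the line silently.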
@@ -17488,9 +17379,6 @@
CVE-2008-4724 (Multiple cross-site scripting (XSS) vulnerabilities in Google
Chrome ...)
- webkit 1.1.7-1 (low; bug #520052)
[lenny] - webkit <no-dsa> (Minor issue)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: webkit properly handles this issue with respect to extensions such as
jpg and txt, but not in general; for example, the attack works for odp, xls, etc
extensions (only tested with midori 0.1.4)
NOTE: not reproducible using iceweasel 3.0.1
CVE-2008-4723 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla
Firefox ...)
@@ -18653,9 +18541,6 @@
NOT-FOR-US: Safari
CVE-2008-4231 (Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod
touch ...)
- webkit <unfixed> (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: work with upstream to determine affected/not-affected webkit versions
CVE-2008-4230 (The Passcode Lock feature in Apple iPhone OS 1.0 through 2.1 and
...)
NOT-FOR-US: Apple
@@ -20278,9 +20163,6 @@
RESERVED
CVE-2008-3632 (Use-after-free vulnerability in WebKit in Apple iPod touch 1.1
through ...)
- webkit 1.0.1-4 (bug #499771)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2008-3631 (Application Sandbox in Apple iPod touch 2.0 through 2.0.2, and
iPhone ...)
NOT-FOR-US: Apple iPod
CVE-2008-3630 (mDNSResponder in Apple Bonjour for Windows before 1.0.5, when an
...)
@@ -23358,9 +23240,6 @@
NOT-FOR-US: Apple Mac OS X
CVE-2008-2320 (Stack-based buffer overflow in CarbonCore in Apple Mac OS X
10.4.11 ...)
- webkit <unfixed> (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: work with upstream to determine affected/not-affected webkit versions
CVE-2008-2319
RESERVED
@@ -23394,9 +23273,6 @@
NOT-FOR-US: Alias Manager in Apple Mac OS X
CVE-2008-2307 (Unspecified vulnerability in WebKit in Apple Safari before
3.1.2, as ...)
- webkit 1.0.1-1
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/34204
CVE-2008-2306 (Apple Safari before 3.1.2 on Windows does not properly interpret
the ...)
NOT-FOR-US: Windows issue
@@ -25075,9 +24951,6 @@
NOT-FOR-US: iPhone
CVE-2008-1588 (Safari on Apple iPhone before 2.0 and iPod touch before 2.0
allows ...)
- webkit <unfixed> (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: work with upstream to determine affected/not-affected webkit versions
CVE-2008-1587
RESERVED
@@ -28205,9 +28078,6 @@
NOT-FOR-US: Mapbender
CVE-2008-0298 (KHTML WebKit as used in Apple Safari 2.x allows remote attackers
to ...)
- webkit <unfixed> (unimportant)
- - qt4-x11 <unfixed> (unimportant; bug #561760)
- - kdelibs <unfixed> (unimportant; bug #561765)
- - kde4libs <unfixed> (unimportant; bug #561762)
NOTE: khtml originates from konqueror. browser crashes are considered
unimportant
CVE-2008-0297 (PhotoKorn allows remote attackers to obtain database credentials
via a ...)
NOT-FOR-US: PhotoKorn
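Review bot: the kept NOTE says khtml originates from konqueror, i.e. this is not WebKit code embedded in KDE but the reverse lineage, so mechanical "webkit embedded in qt4-x11/kdelibs/kde4libs" entries were the wrong model for this record anyway. The surviving `- webkit <unfixed> (unimportant)` line also has no bug reference, unlike every other <unfixed> entry touched by this patch.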
Michael Gilbert
2009-Dec-20 21:11 UTC
[Secure-testing-team] [Secure-testing-commits] r13611 - data/CVE
On Sun, 20 Dec 2009 10:09:00 +0000 Moritz Muehlenhoff wrote:

> Author: jmm-guest
> Date: 2009-12-20 10:09:00 +0000 (Sun, 20 Dec 2009)
> New Revision: 13611
>
> Modified:
> data/CVE/list
> Log:
> revert previous commit: CVE/list is not a dumping ground for issues
> someone should check based on embedded-code-copies.

The information inserted in this commit was derived from embedded-code-copies, so it is accurate.

> If something is added to CVE/list as unfixed it needs to be checked
> beforehand.

As stated in the bug reports, I have asked the maintainers to check these problems themselves. Once they get back to me, I will update the tracking based on their feedback. I understand that this is certainly not ideal, but there are no other viable options given the fact that there is an incredibly high number of untriaged embeds right now. If I am ever going to get through this embedded code copies triage, I need a way to record partial progress. Otherwise, it will be impossible (at least for one person). So, I had to decide between either this or TODOs (or not doing anything at all), and you had mentioned previously that you don't want any more noise in the TODO list. So, here are the tradeoffs:

TODO:
- disadvantage: clutters TODO page
- advantage: does not indicate issues are <unfixed> when they are in an uncertain state
- disadvantage: increases likeliness of issues getting forgotten since TODO page is overloaded

<unfixed>:
- advantage: doesn't clutter TODO page
- disadvantage: it isn't really known that the problem is <unfixed>, but that fact is included in the bug report
- advantage: shows up in package page so developer is more aware that they have something they need to work on
- advantage: shows up in debsecan indicating something needs to be done
- as a general aside, it has seemed to be ok recently to use <unfixed> for untriaged or partially triaged issues, so why can't this also be done for the packages potentially affected by embedded code?

don't do either:
- advantage: absolutely no clutter
- disadvantage: legitimate important security problems go unaddressed since they are not being tracked.

I've also just thought of a fourth option; an additional file called in-progress (or an <in-progress> status in data/CVE/list):
- advantage: no clutter in TODO list and no issues marked as <unfixed> when that hasn't been determined yet
- disadvantage: information is separate from main files, and will include primarily duplicated information anyway
- disadvantage: differs from normal way of working
- disadvantage: info stored there won't show up anywhere else (in tracker or package pages), so it will not show up in front of as many eyes

Thank you for any additional guidance based on this feedback.

best wishes,
mike
Michael Gilbert
2009-Dec-20 21:26 UTC
[Secure-testing-team] [Secure-testing-commits] r13611 - data/CVE
On Sun, 20 Dec 2009 16:11:40 -0500 Michael Gilbert wrote:

> On Sun, 20 Dec 2009 10:09:00 +0000 Moritz Muehlenhoff wrote:
>
> > Author: jmm-guest
> > Date: 2009-12-20 10:09:00 +0000 (Sun, 20 Dec 2009)
> > New Revision: 13611
> >
> > Modified:
> > data/CVE/list
> > Log:
> > revert previous commit: CVE/list is not a dumping ground for issues
> > someone should check based on embedded-code-copies.
>
> Thank you for any additional guidance based on this feedback.

I also wanted to mention that at some point I would like to be able to automatically run the inject-embedded-code-copies script so that embedding packages automatically show up in the CVE list as soon as possible -- in order to raise awareness of embeds and hopefully address them sooner. In order to do this, I need to have all of the current embeds tracked or marked as not-affected first. So my plan was to slowly enter this information, which may be partial at times, but that partiality will be spelled out in the associated bug report. And eventually, I would be able to turn it on. If I can't use the CVE list as the place to do this work, then this will never happen, because it is going to take a very long time before we figure out whether all of the embeds can be declared <unfixed> or <not-affected>.

Another option would be to set up my script to only automatically insert embeds after a given CVE (perhaps the first 2010 issue), and then I could use the in-progress file to track all of the existing issues.

Anyway, this is a difficult process, and I hope that you understand that. I would very much like assistance in this matter, but without that, I would be satisfied if there were less interference.

best wishes,
mike
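As an added example, not code from the security tracker or from either reply, the following parses the record layout visible in the hunks above (CVE header, "- package state (severity; bug #N)", "[release] - package state", NOTE/TODO/RESERVED/{DSA} lines) and builds the per-package view the replies argue about, separating confirmed <unfixed> entries from the <in-progress> marker the first reply proposes. SAMPLE, parse_list and package_view are constructed here; <in-progress> is a hypothetical status, not one the real file defines.

```python
import re

# Constructed sample in the data/CVE/list layout seen in the commit above;
# <in-progress> is the hypothetical marker proposed in the reply, not a real status.
SAMPLE = """\
CVE-2009-1695 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
    {DSA-1950-1}
    - webkit 1.1.12-1 (low; bug #535793)
    - qt4-x11 <unfixed> (low; bug #561760)
    - kdelibs <in-progress> (low; bug #561765)
CVE-2009-1696 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
    - webkit 1.1.12-1 (medium; bug #535793)
    [lenny] - webkit <not-affected> (Vulnerable code not present)
    - kde4libs <unfixed> (low; bug #561762)
CVE-2009-2418
    RESERVED
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-(?:\d+|XXXX))")
# "[release] - package state (meta)": release and meta are optional; state is
# a fixed version or an angle-bracket marker such as <unfixed>.
ENTRY_RE = re.compile(
    r"^(?:\[(?P<dist>[^\]]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<state>\S+)"
    r"(?:\s+\((?P<meta>[^)]*)\))?$"
)
SEVERITIES = {"unimportant", "low", "medium", "high"}

def parse_list(text):
    """Return {cve: [entry, ...]} in file order; an entry carries pkg, state,
    dist (None = unstable), severity and cited bugs. Other lines are skipped."""
    records, cve = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_RE.match(line)
        if m:
            cve = m.group(1)
            records.setdefault(cve, [])
            continue
        e = ENTRY_RE.match(line)
        if not (e and cve):
            continue  # description continuation, NOTE, TODO, RESERVED, {DSA}
        meta = e.group("meta") or ""
        first = meta.split(";")[0].strip()
        records[cve].append({
            "pkg": e.group("pkg"), "state": e.group("state"), "dist": e.group("dist"),
            "severity": first if first in SEVERITIES else None,
            "bugs": [int(b) for b in re.findall(r"bug #(\d+)", meta)],
        })
    return records

def package_view(records, pkg):
    """What a per-package page would surface for pkg: unstable entries grouped by
    state; [release] lines kept apart so they cannot hide an open unstable entry."""
    view = {"unfixed": [], "in-progress": [], "fixed": [], "other": [], "release": []}
    for cve, entries in records.items():
        for e in entries:
            if e["pkg"] != pkg:
                continue
            if e["dist"]:
                view["release"].append((cve, e["dist"], e["state"]))
            elif e["state"] == "<unfixed>":
                view["unfixed"].append(cve)
            elif e["state"] == "<in-progress>":
                view["in-progress"].append(cve)
            elif e["state"].startswith("<"):
                view["other"].append((cve, e["state"]))
            else:
                view["fixed"].append((cve, e["state"]))
    return view
```

Running package_view(parse_list(SAMPLE), "kdelibs") shows the record under "in-progress" rather than "unfixed", which is the distinction the fourth option in the first reply is after.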