author | Moritz Muehlenhoff <jmm@debian.org> | 2009-01-30 16:35:55 +0000 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2009-01-30 16:35:55 +0000 |
commit | 25490397d634db5f7ae860bb64459d6779b41f73 (patch) | |
tree | d90506c89f772f1da2c871af36d0b521049887f2 /data | |
parent | 26215cf42e7804365b2afd1a3e201461a42de590 (diff) |
new kernel issues
NFUs
gnumeric fixed
evolution no-dsa
ktorrent CVEfied
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@11115 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data')
-rw-r--r-- | data/CVE/list | 37 |
-rw-r--r-- | data/spu-candidates.txt | 8 |
2 files changed, 28 insertions, 17 deletions
diff --git a/data/CVE/list b/data/CVE/list index 33de98a5ac..f84b63a61b 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -1,11 +1,12 @@ CVE-2009-0322 (drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and ...) - TODO: check + - linux-2.6 <unfixed> + - linux-2.6.24 <removed> CVE-2009-0321 (Apple Safari 3.2.1 (aka AppVer 3.525.27.1) on Windows allows remote ...) NOT-FOR-US: Apple Safari on Windows CVE-2009-0320 (Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O ...) NOT-FOR-US: Microsoft Windows CVE-2009-0319 (Unspecified vulnerability in the autofs module in the kernel in Sun ...) - TODO: check + NOT-FOR-US: Solaris CVE-2008-6004 (Cross-site scripting (XSS) vulnerability in search.php in AJ Auction ...) NOT-FOR-US: AJ Auction Pro Platinum CVE-2008-6003 (SQL injection vulnerability in sellers_othersitem.php in AJ Auction ...) @@ -17,15 +18,15 @@ CVE-2008-6001 (index.php in ADN Forum 1.0b and earlier allows remote attackers t CVE-2008-6000 (The GDTdiIcpt.sys driver in G DATA AntiVirus 2008, InternetSecurity ...) NOT-FOR-US: G DATA AntiVirus CVE-2008-5999 (Cross-site scripting (XSS) vulnerability in the Ajax Checklist module ...) - TODO: check + NOT-FOR-US: Ajax Checklist module for Drupal CVE-2008-5998 (Multiple SQL injection vulnerabilities in the ajax_checklist_save ...) - TODO: check + NOT-FOR-US: Ajax Checklist module for Drupal CVE-2008-5997 (Absolute path traversal vulnerability in ...) NOT-FOR-US: Omnicom Content Platform CVE-2008-5996 (Cross-site scripting (XSS) vulnerability in the Simplenews module 5.x ...) - TODO: check + NOT-FOR-US: Simplenews module for Drupal CVE-2008-5995 (Cross-site scripting (XSS) vulnerability in the freeCap CAPTCHA ...) - TODO: check + NOT-FOR-US: freeCap CAPTCHA extension for Typo3 CVE-2008-5994 (Cross-site scripting (XSS) vulnerability in index.php in Check Point ...) NOT-FOR-US: Check Point Connectra CVE-2008-5993 (Directory traversal vulnerability in image.php in Barcode Generator 1D ...) 
@@ -33,7 +34,7 @@ CVE-2008-5993 (Directory traversal vulnerability in image.php in Barcode Generat CVE-2008-5992 (Multiple SQL injection vulnerabilities in Jetik Emlak Sistem A (ESA) ...) NOT-FOR-US: Jetik Emlak Sistem CVE-2008-5991 (Directory traversal vulnerability in docs.php in MailWatch for ...) - TODO: check + NOT-FOR-US: MailWatch for MailScanner CVE-2008-5990 (Directory traversal vulnerability in connect/init.inc in emergecolab ...) NOT-FOR-US: emergecolab CVE-2008-5989 (Directory traversal vulnerability in defs.php in PHPcounter 1.3.2 and ...) @@ -56,7 +57,7 @@ CVE-2009-XXXX [ffmpeg 4x issue] CVE-2009-XXXX [file inclusion vuln in util/barcode.php and XSS in horde3] - horde3 3.2.2+debian0-2 (bug #513265) CVE-2009-0318 (Untrusted search path vulnerability in the GObject Python interpreter ...) - - gnumeric <unfixed> (low; bug #513418) + - gnumeric 1.8.4-3 (low; bug #513418) TODO: next point release: [etch] - gnumeric 1.6.3-5.1+etch2 [etch] - gnumeric <no-dsa> (Minor issue) CVE-2009-0317 (Untrusted search path vulnerability in the Python language bindings ...) @@ -176,7 +177,9 @@ CVE-2009-0273 CVE-2009-0272 RESERVED CVE-2009-0269 (fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel ...) - TODO: check + - linux-2.6 <unfixed> + [etch] - linux-2.6 <not-affected> (ecryptfs was merged in 2.6.19) + - linux-2.6.24 <removed> CVE-2009-0265 (Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not ...) - bind9 <not-affected> (vulnerable code not present, introduced in 9.6.x) CVE-2008-5968 (Directory traversal vulnerability in print.php in PHP iCalendar 2.24 ...) 
@@ -652,13 +655,15 @@ CVE-2009-0123 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Wi CVE-2009-0122 (hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 and ...) - hplip <not-affected> (only a bug in ubuntus postinst script, we use our own postinst which is not vulnerable) CVE-2008-5907 (The png_check_keyword function in pngwutil.c in libpng before 1.0.42, ...) - - libpng <unfixed> (low; bug #512665) + - libpng <unfixed> (unimportant; bug #512665) CVE-2008-5906 (Eval injection vulnerability in the web interface plugin in KTorrent ...) - - ktorrent2.2 2.2.8.dfsg.1-1 + - ktorrent2.2 2.2.8.dfsg.1-1 (bug #504178) - ktorrent 3.1.4+dfsg.1-1 + [etch] - ktorrent <not-affected> (Doesn't include the web interface) CVE-2008-5905 (The web interface plugin in KTorrent before 3.1.4 allows remote ...) - - ktorrent2.2 2.2.8.dfsg.1-1 + - ktorrent2.2 2.2.8.dfsg.1-1 (bug #504178) - ktorrent 3.1.4+dfsg.1-1 + [etch] - ktorrent <not-affected> (Doesn't include the web interface) CVE-2009-XXXX [unspecified multiple Drupal vulnerabilies, likely some overlap with the next temp entry] - drupal6 6.6-3 CVE-2009-XXXX [unspecified Drupal SQL injection] @@ -3556,11 +3561,6 @@ CVE-2008-4803 (Cross-site scripting (XSS) vulnerability in index.php in Simple P NOT-FOR-US: Simple PHP Scripts gallery CVE-2008-4802 (Cross-site scripting (XSS) vulnerability in complete.php in Simple PHP ...) NOT-FOR-US: Simple PHP Scripts blog -CVE-2008-XXXX [ktorrent issues] - - ktorrent2.2 2.2.8.dfsg.1-1 (bug #504178) - - ktorrent 3.1.4+dfsg.1-1 - [etch] - ktorrent <not-affected> (Doesn't include the web interface) - NOTE: CVE requested CVE-2008-5076 (htop 0.7 writes process names to a terminal without sanitizing ...) - htop <unfixed> (unimportant; bug #504144) NOTE: That scenario is too constructed to call it a security issue, especially 
@@ -9037,6 +9037,7 @@ CVE-2008-2667 (SQL injection vulnerability in the Courier Authentication Library - courier-authlib 0.60.1-2.1 (bug #485424) CVE-2008-XXXX [missing sanity checks allow DoS via mis-formated timestamp] - evolution 2.22.2-1.1 (low; bug #484639) + [etch] - evolution <no-dsa> (Minor issue) CVE-2008-2559 (Integer overflow in Borland Interbase 2007 SP2 (8.1.0.256) allows ...) NOT-FOR-US: Borland Interbase CVE-2008-2558 (CRE Loaded 6.2.13.1 and earlier does not set the "Secure" attribute ...) @@ -12486,10 +12487,12 @@ CVE-2008-1110 (Buffer overflow in demuxers/demux_asf.c (aka the ASF demuxer) in [sarge] - xine-lib <not-affected> (Not affected per assessment of maintainer) CVE-2008-1109 (Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted ...) - evolution 2.22.2-1.1 (low; bug #484639) + [etch] - evolution <no-dsa> (Minor issue) NOTE: Requires that the user accepts the iCalendar request and replies NOTE: to it from the "Calendars" window. CVE-2008-1108 (Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is ...) - evolution 2.22.2-1.1 (low; bug #484639) + [etch] - evolution <no-dsa> (Minor issue) NOTE: Requires that the ITip Formatter plugin is disabled, which is enabled by default. CVE-2008-1107 RESERVED diff --git a/data/spu-candidates.txt b/data/spu-candidates.txt index d3c7dbd6af..8b43979825 100644 --- a/data/spu-candidates.txt +++ b/data/spu-candidates.txt @@ -167,6 +167,14 @@ notified maintainer -- +evolution (CVE-2008-1108, CVE-2008-1109) +#484639 + +evolution (no CVE) +#484639 + +-- + exiv2 (CVE-2008-2696) bug #486328 http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499 |
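Review bot: the CVE-2009-0322 entry in the first data/CVE/list hunk gets `- linux-2.6 <unfixed>` and `- linux-2.6.24 <removed>` but no `[etch]` line, whereas the other kernel entry in this same commit (CVE-2009-0269) records `[etch] - linux-2.6 <not-affected> (ecryptfs was merged in 2.6.19)`. The CVE text places the dell_rbu bug in kernels before 2.6.27.13, so if the etch kernel is in range an explicit `[etch] - linux-2.6 <unfixed>` line (or a NOTE with the affected-since version) would keep the two kernel entries consistent and stop the etch status from reading as unassessed.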
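Review bot: after the gnumeric hunk the CVE-2009-0318 entry still carries two etch statuses, `[etch] - gnumeric 1.6.3-5.1+etch2` under `TODO: next point release:` and `[etch] - gnumeric <no-dsa> (Minor issue)`; now that the unstable version is pinned to 1.8.4-3 (the "gnumeric fixed" of the commit message), it would be clearer to state which of the two is current, for instance keeping the `<no-dsa>` line and folding the pending 1.6.3-5.1+etch2 version into the TODO note, so the entry does not read as fixed-in-version and no-dsa at the same time.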
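Review bot: the libpng CVE-2008-5907 severity is lowered from `low` to `unimportant` in the @@ -652 hunk with no NOTE giving the reason; the htop entry in the @@ -3556 hunk shows the convention (`NOTE: That scenario is too constructed to call it a security issue ...`), so a one-line NOTE on why png_check_keyword does not warrant tracking would make the downgrade reviewable later. The ktorrent lines in the same hunk look right: bug #504178 and `[etch] - ktorrent <not-affected> (Doesn't include the web interface)` are carried over from the `CVE-2008-XXXX [ktorrent issues]` temp entry removed at @@ -3556, so nothing is lost by dropping it.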
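Review bot: the two new evolution blocks in data/spu-candidates.txt both point at bug #484639 and could be one block listing CVE-2008-1108, CVE-2008-1109 and the no-CVE issue together, so the point-update request is not split in two; the `evolution (no CVE)` entry would also be easier to match against data/CVE/list if it quoted that file's temp-entry description (`missing sanity checks allow DoS via mis-formated timestamp`). Both blocks do line up with the `[etch] - evolution <no-dsa> (Minor issue)` lines added to the list in the @@ -9037 and @@ -12486 hunks.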