author: Moritz Muehlenhoff <jmm@debian.org> 2008-08-06 19:37:44 +0000
committer: Moritz Muehlenhoff <jmm@debian.org> 2008-08-06 19:37:44 +0000
commit: 42cc120730e76d5301973c85d39e7d9053776703 (patch)
tree: d59baf604debacc0a353bd04c914b4d0a1c405c9 /data
parent: b7baf6ff1ff60332bbd897534f604923945f8070 (diff)
links2, exiv2 no-dsa

add php to packages with special security support
add one missing mozilla CVE ID, which was split off
one moin issue doesn't affect etch
two dnsmasq issues don't affect etch, dnsmasq CVEfied
one iceweasel issue Mac specific
add note on firebird in etch
one issue marked as php is only relevant to libgd

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@9522 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data')
-rw-r--r-- data/CVE/list           | 21
-rw-r--r-- data/DSA/list           |  2
-rw-r--r-- data/package-tags       |  3
-rw-r--r-- data/spu-candidates.txt | 11
4 files changed, 26 insertions, 11 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 1c044fbdeb..e4a7cfbdb6 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -89,7 +89,8 @@ CVE-2008-3383 (SQL injection vulnerability in mojoAuto.cgi in MojoAuto allows re
CVE-2008-3382 (SQL injection vulnerability in mojoClassified.cgi in MojoClassifieds ...)
NOT-FOR-US: MojoClassifieds
CVE-2008-3381 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
- - moin 1.7.1-1
+ - moin 1.7.1-1 (low)
+ [etch] - moin <not-affected> (Vulnerable macro not present)
CVE-2008-3380 (Cross-site scripting (XSS) vulnerability in ajaxp_backend.php in ...)
NOT-FOR-US: MyioSoft EasyBookMarker
CVE-2008-3379 (Cross-site scripting (XSS) vulnerability in Snark VisualPic 0.3.1 ...)
@@ -134,6 +135,8 @@ CVE-2008-3360 (Stack-based buffer overflow in the HTML parser in IntelliTamper 2
NOT-FOR-US: IntelliTamper
CVE-2008-3359 (SQL injection vulnerability in register.php in Steve Bourgeois and ...)
- owl-dms <unfixed> (bug #493372)
+ NOTE: Hardly maintained and very few users, long standing sec issues in Etch,
+ TODO: we should remove this from Lenny w/o maintainer reaction
CVE-2008-3358
RESERVED
CVE-2008-3357
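Review bot: the NOTE line under CVE-2008-3359 ends in a trailing comma and only reads as a complete sentence together with the TODO line that follows it; since the two lines carry different tags and tracker tooling treats TODO lines specially, end the NOTE as its own sentence ("... long standing sec issues in Etch.") and keep the TODO self-contained ("TODO: remove from Lenny if the maintainer does not react").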
@@ -152,6 +155,7 @@ CVE-2008-3351 (SQL injection vulnerability in atomPhotoBlog.php in Atom PhotoBlo
NOT-FOR-US: Atom PhotoBlog
CVE-2008-3350 (dnsmasq 2.43 allows remote attackers to cause a denial of service ...)
- dnsmasq 2.44-1 (low)
+ [etch] - dnsmasq <not-affected> (Issue was introduced in 2.43)
CVE-2008-3349 (Multiple unspecified vulnerabilities in NetApp Data ONTAP, as used on ...)
NOT-FOR-US: NetApp Data ONTAP
CVE-2008-3348 (Cross-site scripting (XSS) vulnerability in ...)
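Review bot: the etch not-affected rationale "Issue was introduced in 2.43" is consistent with the CVE description in the context line ("dnsmasq 2.43 allows remote attackers to cause a denial of service ..."), but it states only the upstream version that introduced the bug, not the version etch ships; naming the etch version in the parenthesis (as the firebird hunk later in this commit does with "Firebird 1.5") would make the claim checkable without consulting the archive.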
@@ -416,7 +420,7 @@ CVE-2008-3215 (libclamav/petite.c in ClamAV before 0.93.3 allows remote attacker
{DSA-1616-2}
- clamav 0.93.1.dfsg-1.1 (medium)
CVE-2008-3214 (dnsmasq 2.25 allows remote attackers to cause a denial of service ...)
- - dnsmasq 2.44-1 (low)
+ - dnsmasq 2.26-1 (medium)
CVE-2008-3213 (SQL injection vulnerability in secciones/tablon/tablon.php in WebCMS ...)
NOT-FOR-US: WebCMS
CVE-2008-3212 (Multiple SQL injection vulnerabilities in Scripteen Free Image Hosting ...)
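Review bot: this hunk changes both the fixed version of CVE-2008-3214 (2.44-1 to 2.26-1) and the severity (low to medium) without a NOTE saying where the 2.26 fix is documented; the "dnsmasq 2.26-1 (medium)" line matches the CVE-2008-XXXX placeholder removed further down in this commit, whose two NOTE lines (the Ubuntu CVE request and the freshmeat release entry) are dropped rather than carried over. Suggest re-adding at least the release reference under this entry, e.g. "NOTE: http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=217681".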
@@ -448,7 +452,8 @@ CVE-2008-3200 (SQL injection vulnerability in vlc_forum.php in Avlc Forum as of
CVE-2008-3199 (Multiple unspecified vulnerabilities in ReSIProcate before 1.3.4 allow ...)
NOT-FOR-US: ReSIProcate
CVE-2008-3198 (Mozilla Firefox 3.x before 3.0.1 allows remote attackers to inject ...)
- TODO: check
+ - iceweasel 3.0.1-1 (low)
+ NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html
CVE-2008-3195
RESERVED
CVE-2008-3194 (Multiple directory traversal vulnerabilities in ...)
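Review bot: CVE-2008-3198 gets an "iceweasel 3.0.1-1 (low)" line but no {DSA-1614-1} cross-reference, even though the DSA/list hunk in this same commit adds CVE-2008-3198 to DSA-1614-1; compare CVE-2008-2933 a few entries below, which carries "{DSA-1615-1 DSA-1614-1}". Add a "{DSA-1614-1}" line above the iceweasel line so the etch status of this ID is resolved by the DSA rather than left open.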
@@ -1056,11 +1061,10 @@ CVE-2008-2935 [libxslt heap overflow]
- libxslt 1.1.24-2 (bug #493162)
NOTE: http://www.ocert.org/advisories/ocert-2008-009.html
CVE-2008-2934 (Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote attackers to ...)
- TODO: check
+ - iceweasel <not-affected> (MacOS-specific)
CVE-2008-2933 (Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' ...)
{DSA-1615-1 DSA-1614-1}
- iceweasel 3.0.1-1 (low)
- NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html
CVE-2008-2932
RESERVED
CVE-2008-2931 (The do_change_type function in fs/namespace.c in the Linux kernel ...)
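Review bot: the "NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html" line is removed from CVE-2008-2933 in this hunk and re-added under CVE-2008-3198 earlier in the diff; since the commit message says CVE-2008-3198 was split off an existing ID, both entries point at the same advisory and the NOTE should stay on CVE-2008-2933 as well rather than be moved. The "<not-affected> (MacOS-specific)" tag for CVE-2008-2934 is supported by the description in the context line ("on Mac OS X").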
@@ -1272,10 +1276,6 @@ CVE-2008-3140 (The syslog dissector in Wireshark (formerly Ethereal) 1.0.0 allow
CVE-2008-3141 (Unspecified vulnerability in the RMI dissector in Wireshark (formerly ...)
- wireshark 1.0.1-1 (low; bug #488834)
NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html
-CVE-2008-XXXX [dnsmasq crash on renewing non-existent lease]
- - dnsmasq 2.26-1 (medium)
- NOTE: CVE id requested by Ubuntu
- NOTE: http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=217681
CVE-2008-2952 (liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to ...)
{DTSA-151-1}
- openldap2.3 <removed> (low; bug #488710)
@@ -3493,6 +3493,7 @@ CVE-2008-1881 (Stack-based buffer overflow in the ParseSSA function ...)
- vlc 0.8.6.e-2.1 (medium; bug #477805)
CVE-2008-1880 (The default configuration of Firebird before 2.0.3.12981.0-r6 on ...)
- firebird2 <removed>
+ [etch] - firebird2 <no-dsa> (Firebird 1.5 no longer supported, see last DSA)
- firebird2.0 2.0.3.12981.ds1-14 (bug #481389)
NOTE: on debian after the installation firebird2.0-super is disabled, to enable it
NOTE: you need to call dpkg-reconfigure
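Review bot: the no-dsa rationale "Firebird 1.5 no longer supported, see last DSA" refers to an unnamed advisory; a tracker entry should cite the DSA ID directly (in the form used elsewhere in this file, e.g. "{DSA-nnnn-1}" style references) so the reader does not have to search DSA/list for the most recent firebird2 advisory to verify the claim.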
@@ -15404,7 +15405,7 @@ CVE-2007-3997 (The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, an
CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow remote ...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (bug #443456; medium)
- - php5 5.2.4-1 (medium)
+ NOTE: Debian's PHP packages are linked dynamically against libgd
NOTE: see http://www.php.net/releases/5_2_4.php
CVE-2007-3995
RESERVED
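Review bot: dropping the "php5 5.2.4-1 (medium)" line leaves CVE-2007-3996 tracked against libgd2 only, and the new NOTE justifies that with "linked dynamically against libgd"; the CVE description in the context line ("Multiple integer overflows in libgd in PHP before 5.2.4") concerns libgd code shipped inside PHP, so the NOTE would be more convincing if it also said that Debian's PHP builds do not use that bundled copy. As written, dynamic linking alone does not rule out the embedded code being compiled in as well.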
diff --git a/data/DSA/list b/data/DSA/list
index 3a2408b696..8cdc1d829f 100644
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -38,7 +38,7 @@
{CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811 CVE-2008-2933}
[etch] - xulrunner 1.8.0.15~pre080614d-0etch1
[23 Jul 2008] DSA-1614-1 iceweasel - several vulnerabilities
- {CVE-2008-2785 CVE-2008-2933}
+ {CVE-2008-2785 CVE-2008-2933 CVE-2008-3198}
[etch] - iceweasel 2.0.0.16-0etch1
[22 Jul 2008] DSA-1613-1 libgd2 - multiple vulnerabilities
{CVE-2007-2445 CVE-2007-3476 CVE-2007-3477 CVE-2007-3996}
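Review bot: CVE-2008-3198 is added to DSA-1614-1 (iceweasel) but not to DSA-1615-1 (xulrunner) directly above it, whose CVE list in the context lines includes CVE-2008-2933. The commit message says CVE-2008-3198 was split off an existing Mozilla ID; if that ID is CVE-2008-2933, the xulrunner advisory covers the same fix and needs the same addition, otherwise a short note on why only the iceweasel DSA applies would help.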
diff --git a/data/package-tags b/data/package-tags
index bc64269789..0b7e853c07 100644
--- a/data/package-tags
+++ b/data/package-tags
@@ -8,5 +8,8 @@
[etch] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone)
[lenny] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone)
+[etch] php5 <limited-support> (See README.Debian.security for the PHP security policy)
+[etch] php4 <limited-support> (See README.Debian.security for the PHP security policy)
+[lenny] php5 <limited-support> (See README.Debian.security for the PHP security policy)
[etch] adns <limited-support> (Stub resolver that should only be used with trusted recursors)
[lenny] adns <limited-support> (Stub resolver that should only be used with trusted recursors)
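Review bot: php5 receives both [etch] and [lenny] limited-support tags while php4 receives only [etch]; that is correct if php4 is not part of lenny, but nothing in the hunk or commit message says so, and the neighbouring sql-ledger and adns entries each tag both suites. Confirm the omission is intentional. The three identical reason strings could also name the package that ships README.Debian.security so the pointer is actionable.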
diff --git a/data/spu-candidates.txt b/data/spu-candidates.txt
index 3966e8585c..cb71489813 100644
--- a/data/spu-candidates.txt
+++ b/data/spu-candidates.txt
@@ -67,6 +67,12 @@ notified maintainer
--
+exiv2 (CVE-2008-2696)
+bug #486328)
+http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499
+
+--
+
flac123 (CVE-2007-3507)
notified maintainer
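Review bot: the line "bug #486328)" in the exiv2 entry has an unbalanced closing parenthesis; the other entries in this file reference bugs as "#454733" (see linux-ftpd-ssl below), so use either "#486328" or "(bug #486328)". The entry also lacks the "notified maintainer" status line the surrounding entries carry, which is useful for tracking whether the SPU candidate has been followed up on.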
@@ -105,6 +111,11 @@ notified maintainer
--
+links2 (CVE-2008-3329)
+bug #492744)
+
+--
+
linux-ftpd-ssl (CVE-2007-6263)
#454733
notified maintainer
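Review bot: same unbalanced parenthesis in the links2 entry, "bug #492744)"; match the file's existing "#nnnnnn" convention. As with the exiv2 entry added earlier in this commit, no "notified maintainer" line is present, so it is unclear whether the maintainer has been contacted about the stable update.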