CVE-2008-2009 vulnerability already fixed; additional hardening features to be considered as an spu/ospu candidate

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@11775 e39458fd-73e7-0310-bf30-c45bca0a0e42

3 files changed, 14 insertions, 0 deletions

diff --git a/data/CVE/list b/data/CVE/list
index 26910c6b36..ca67638bac 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -14821,6 +14821,10 @@ CVE-2008-2010 (Unspecified vulnerability in Apple QuickTime Player on Windows XP
 	NOT-FOR-US: Windows
 CVE-2008-2009 (Xiph.org libvorbis before 1.0 does not properly check for ...)
 	- libvorbis 1.2.0.dfsg-4 (bug #482039)
+	[etch] - libvorbis <no-dsa> (actual vulnerability fixed pre-1.0)
+	[lenny] - libvorbis <no-dsa> (actual vulnerability fixed pre-1.0)
+	NOTE: additional hardening features have already been added to the unstable
+	NOTE: packages that would be useful to have in stable, so proposing as spu/ospu
 CVE-2008-2008 (Buffer overflow in the Display Names message feature in Cerulean ...)
 	NOT-FOR-US: Cerulean Studios Trillian Basic
 CVE-2008-2007
diff --git a/data/ospu-candidates.txt b/data/ospu-candidates.txt
index 4c91b15137..3ee2d2e708 100644
--- a/data/ospu-candidates.txt
+++ b/data/ospu-candidates.txt
@@ -310,6 +310,11 @@ notified maintainer
 
 --
 
+libvorbis (CVE-2008-2009)
+notified maintainer and release team
+
+--
+
 liferea (CVE-2005-4791)
 notified maintainer
 
diff --git a/data/spu-candidates.txt b/data/spu-candidates.txt
index bc7a896c3d..90ce54dc36 100644
--- a/data/spu-candidates.txt
+++ b/data/spu-candidates.txt
@@ -32,6 +32,11 @@ kvm 82-1 (CVE-2008-5714)
 
 --
 
+libvorbis (CVE-2008-2009)
+notified maintainer and release team
+
+--
+
 mpfr (CVE-2009-0757)
 notified maintainer