author | Moritz Muehlenhoff <jmm@debian.org> | 2011-01-10 17:31:36 +0000 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2011-01-10 17:31:36 +0000 |
commit | ef6cc9a01a4b3b9a7a367bd17c84f708bc12fc2e (patch) | |
tree | 1377c12297297e04b806a5ecf42ef56cc129f2c9 /data | |
parent | 5f120424cd4e97c0c80f373d290acd0c0b9d445f (diff) |
- new pimd issue
- mark two minor games priv esc as unimportant
- debian's mono not affected by moonlight issue
- libgd/wmf only used to write images
- libgd/plt-scheme no-dsa
- dhcp issue doesn't affect any Debian release
- filed bugs for xen and evince issues
- ftpcopy no-dsa
- split calibre into two IDs, both fixed in sid
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@15825 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data')
-rw-r--r-- | data/CVE/list | 72 | ||||
-rw-r--r-- | data/embedded-code-copies | 2 |
2 files changed, 44 insertions, 30 deletions
diff --git a/data/CVE/list b/data/CVE/list index b63207c53c..c8c59feb3b 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -7,11 +7,11 @@ CVE-2010-4645 [php5 DoS via strtod hitting x87 unit bug] [lenny] - php5 <unfixed> (high) NOTE: lenny9 doesn't appear to be affected, for a reason still unknown CVE-2011-XXXX [Crash with long HOME environment variable] - - toppler <unfixed> (bug #608979) - TODO: check + - toppler <unfixed> (unimportant; bug #608979) + NOTE: Negligable privilege escalation CVE-2011-XXXX [Crash with long HOME environment variable] - - lbreakout2 <unfixed> (bug #608980) - TODO: check + - lbreakout2 <unfixed> (unimportant; bug #608980) + NOTE: Negligable privilege escalation CVE-2011-XXXX [Crash with long GGI_DISPLAY environment variable] - zhcon <unfixed> (bug #608981) TODO: check @@ -20,6 +20,8 @@ CVE-2011-0343 [syslog-ng log permissions] [lenny] - syslog-ng <not-affected> (Freebsd-specific, which is not supported in Lenny) CVE-2010-XXXX [XSS in ftpls] - ftpcopy <unfixed> (bug #607494) + [squeeze] - ftpcopy <no-dsa> (Minor issue) + [lenny] - ftpcopy <no-dsa> (Minor issue) CVE-2011-0285 RESERVED CVE-2011-0284 @@ -749,8 +751,11 @@ CVE-2010-4580 (Opera before 11.00 does not clear WAP WML form fields after manua NOT-FOR-US: Opera CVE-2010-4579 (Opera before 11.00 does not properly constrain dialogs to appear on ...) NOT-FOR-US: Opera -CVE-2010-XXXX [calibre XSS and file disclosure] - - calibre <unfixed> (bug #608822) +CVE-2010-XXXX [calibre XSS] + - calibre 0.7.38+dfsg-1 (bug #608822) + NOTE: http://www.waraxe.us/advisory-77.html +CVE-2010-XXXX [calibre file disclosure] + - calibre 0.7.38+dfsg-1 (bug #608822) NOTE: http://www.waraxe.us/advisory-77.html CVE-2010-XXXX [webkit info leak] - webkit <unfixed> (low) @@ -1019,6 +1024,7 @@ CVE-2011-0008 RESERVED CVE-2011-0007 RESERVED + - pimd 2.1.6-1 (bug #609304) CVE-2011-0006 RESERVED - linux-2.6 2.6.32-30 
@@ -1484,8 +1490,8 @@ CVE-2010-4314 CVE-2010-4313 (Unrestricted file upload vulnerability in fileman_file_upload.php in ...) NOT-FOR-US: Orbis CMS CVE-2010-4312 (The default configuration of Apache Tomcat 6.x does not include the ...) - - tomcat6 <unfixed> (bug #608286) - NOTE: CVE Description seems incomplete as there's also an XSS issue. + - tomcat6 <unfixed> (unimportant; bug #608286) + NOTE: S CVE-2010-4311 (Free Simple Software 1.0 stores passwords in cleartext, which allows ...) NOT-FOR-US: Free Simple Software CVE-2010-4310 @@ -1649,9 +1655,9 @@ CVE-2010-4256 [linux: pipe_fcntl local DoS] - linux-2.6 <unfixed> CVE-2010-4255 [linux: Xen direct pv guest access crash] RESERVED - - xen <unfixed> + - xen <unfixed> (bug #609531) CVE-2010-4254 (Mono, when Moonlight before 2.3.0.1 or 2.99.x before 2.99.0.10 is ...) - - moon <unfixed> (bug #608288) + - moon <not-affected> (Debian's version of Moonlight is not affected, see #608288) CVE-2010-4253 RESERVED CVE-2010-4252 (OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly ...) @@ -3286,11 +3292,9 @@ CVE-2010-3618 (PGP Desktop 10.0.x before 10.0.3 SP2 and 10.1.0 before 10.1.0 SP1 CVE-2010-3617 RESERVED CVE-2010-3616 (ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover ...) - - iscp-dhcp <unfixed> - - dhcp3 <removed> - - dhcp <removed> - TODO: check - NOTE: probably doesn't affect squeeze: https://lists.isc.org/pipermail/dhcp-users/2010-December/012368.html + - isc-dhcp <not-affected> (Only affects 4.2.x) + - dhcp3 <not-affected> (Only affects 4.2.x) + - dhcp <not-affected> (Only affects 4.2.x) CVE-2010-3615 (named in ISC BIND 9.7.2-P2 does not check all intended locations for ...) - bind9 1:9.7.2.dfsg.P3-1 (bug #605876) NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P3/RELEASE-NOTES-BIND-9.7.2-P3.html 
@@ -6043,16 +6047,16 @@ CVE-2010-2644 (IBM WebSphere Service Registry and Repository (WSRR) 7.0.0 before NOT-FOR-US: IBM WebSphere Service Registry and Repository CVE-2010-2643 RESERVED - - evince <unfixed> + - evince <unfixed> (bug #609534) CVE-2010-2642 RESERVED - - evince <unfixed> + - evince <unfixed> (bug #609534) CVE-2010-2641 RESERVED - - evince <unfixed> + - evince <unfixed> (bug #609534) CVE-2010-2640 RESERVED - - evince <unfixed> + - evince <unfixed> (bug #609534) CVE-2010-2639 (IBM WebSphere Commerce Enterprise 7.0 before 7.0.0.2 allows remote ...) NOT-FOR-US: IBM WebSphere Commerce Enterprise 7.0 CVE-2010-2638 (Unspecified vulnerability in IBM WebSphere MQ 7.0 before 7.0.1.5 ...) @@ -16795,8 +16799,10 @@ CVE-2009-3547 (Multiple race conditions in fs/pipe.c in the Linux kernel before - linux-2.6.24 <removed> (high) CVE-2009-3546 (The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before ...) {DSA-1936-1} - - libwmf <unfixed> - - plt-scheme <unfixed> + - libwmf <unfixed> (unimportant) + - plt-scheme <unfixed> (low; bug #601525) + [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) + [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) - graphviz <unfixed> - libgd2 2.0.36~rc1~dfsg-3.1 (medium; bug #552534) - php5 <not-affected> (the php packages use the system libgd2) 
@@ -48802,8 +48808,10 @@ CVE-2007-4893 (wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpr CVE-2007-4892 (Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, ...) NOT-FOR-US: Plesk (Windows) CVE-2007-XXXX [libgd2: gdImageColorTransparent can write outside buffer] - - libwmf <unfixed> - - plt-scheme <unfixed> + - libwmf <unfixed> (unimportant) + - plt-scheme <unfixed> (low; bug #601525) + [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) + [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) - graphviz <unfixed> - libgd2 2.0.35.dfsg-3 [etch] - libgd2 2.0.33-5.2etch1 @@ -50952,8 +50960,10 @@ CVE-2007-3997 (The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, an CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow remote ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (bug #443456; medium) - - libwmf <unfixed> - - plt-scheme <unfixed> + - libwmf <unfixed> (unimportant) + - plt-scheme <unfixed> (low; bug #601525) + [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) + [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) - graphviz <unfixed> NOTE: Debian's PHP packages are linked dynamically against libgd NOTE: see http://www.php.net/releases/5_2_4.php 
@@ -52220,16 +52230,20 @@ CVE-2007-3478 (Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c CVE-2007-3477 (The (a) imagearc and (b) imagefilledarc functions in GD Graphics ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (low) - - libwmf <unfixed> - - plt-scheme <unfixed> + - libwmf <unfixed> (unimportant) + - plt-scheme <unfixed> (low; bug #601525) + [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) + [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) - graphviz <unfixed> NOTE: CPU consumption DoS TODO: check CVE-2007-3476 (Array index error in gd_gif_in.c in the GD Graphics Library (libgd) ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (low) - - libwmf <unfixed> - - plt-scheme <unfixed> + - libwmf <unfixed> (unimportant) + - plt-scheme <unfixed> (low; bug #601525) + [squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) + [lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot) - graphviz <unfixed> NOTE: can write a 0 to a 4k window in heap, very unlikely to be controllable. TODO: check diff --git a/data/embedded-code-copies b/data/embedded-code-copies index 225930c96b..9a22cd5627 100644 --- a/data/embedded-code-copies +++ b/data/embedded-code-copies @@ -581,7 +581,7 @@ libgd2 NOTE: lib/gd seems to be 2.0.33 - wml 2.0.11ds2-1 (embed) - libwmf <unfixed> (embed) - NOTE: derived from gd 1.6.3 + NOTE: derived from gd 1.6.3, but only used to write images - plt-scheme <unfixed> (embed; bug #601525) - texlive-bin 2009-1 (embed) |
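Review bot: In the first data/CVE/list hunk (@@ -7,11 +7,11 @@), the two added NOTE lines for toppler and lbreakout2 misspell the word: "Negligable" should be "Negligible". The zhcon entry just below describes the same kind of crash (long GGI_DISPLAY environment variable) and still carries "TODO: check"; if the same reasoning applies there, it could be triaged in this change, otherwise a short NOTE saying why it differs would help the next reader.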
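Review bot: In the CVE-2010-4312 hunk (@@ -1484,8 +1490,8 @@), the tomcat6 note is cut off: the previous text "NOTE: CVE Description seems incomplete as there's also an XSS issue." is replaced by "NOTE: S", which reads like an unfinished edit. Either restore the old note or write out the reason for the downgrade to "unimportant". The commit message also lists no tomcat6 item, so this severity change is undocumented there.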
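Review bot: In the CVE-2010-3616 hunk (@@ -3286,11 +3292,9 @@), the NOTE carrying the lists.isc.org dhcp-users link is dropped while the new annotation "(Only affects 4.2.x)" has no reference behind it. Keeping the link as a NOTE line would preserve the evidence for the not-affected decision. The dhcp3 and dhcp entries also change from "<removed>" to "<not-affected>"; a word in the commit message on why the removed status is replaced would make that intentional rather than incidental to the iscp-dhcp to isc-dhcp typo fix.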
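Review bot: The added plt-scheme lines in the five libgd entries (CVE-2009-3546, the CVE-2007-XXXX gdImageColorTransparent entry, CVE-2007-3996, CVE-2007-3477 and CVE-2007-3476) have unbalanced parentheses: "<no-dsa> (Only present in one of the sample packages (plot)" opens two and closes one. Add the missing ")" on each [squeeze] and [lenny] line, or reword to avoid the nested parenthesis. In the same hunks libwmf becomes "<unfixed> (unimportant)" with no NOTE in data/CVE/list; the rationale ("only used to write images") is recorded only in data/embedded-code-copies, so a matching NOTE next to the libwmf lines would keep the justification visible where the severity is set.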