From 2b5e6f25b2b64e75c69e1692203047b279333bce Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 30 Nov 2009 18:18:21 +0000 Subject: * cleanup of open issues for unstable: - dovecot, acidbase, iodine fixed - one bugzilla issue doesn't affect Debian versions - treat apache issue as enhancement bug, not a security issue - two more java issues fixed - hex-a-hop issue hardly a security issue - add bug for open-iscsi - mark dnspython as not-affected for the DNS issue, since it provides only a stub resolver, which is fine in combination with kernel randomisation * some older kernel issues don't affect etch * xpdf has been removed from Squeeze, yeah! git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@13407 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- data/CVE/list | 39 +++++++++++++++++---------------------- data/problematic-packages | 9 +++++---- 2 files changed, 22 insertions(+), 26 deletions(-) (limited to 'data') diff --git a/data/CVE/list b/data/CVE/list index 174b7deccd..db31dbdeb8 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -272,10 +272,9 @@ CVE-2009-3898 (Directory traversal vulnerability in ...) [etch] - nginx (upload rights required) [lenny] - nginx (upload rights required) CVE-2009-3897 (Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of ...) - - dovecot (medium; bug #557601) + - dovecot 1:1.2.8-1 (medium; bug #557601) [lenny] - dovecot (Only affects 1.2.x) [etch] - dovecot (Only affects 1.2.x) - NOTE: http://www.dovecot.org/list/dovecot-news/2009-November/000143.html, CVE requested on oss-sec CVE-2009-4017 (PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of ...) {DSA-1940-1} - php5 5.2.11.dfsg.1-2 (medium) 
@@ -342,6 +341,7 @@ CVE-2009-3940 (Unspecified vulnerability in Guest Additions in Sun xVM VirtualBo - virtualbox-guest-additions 3.0.10-1 CVE-2009-3939 (The poll_mode_io file for the megaraid_sas driver in the Linux kernel ...) - linux-2.6 (low) + [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6.24 (low) CVE-2009-4004 (Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in ...) - linux-2.6 (medium) @@ -460,6 +460,7 @@ CVE-2009-3890 (Unrestricted file upload vulnerability in the wp_check_filetype . - wordpress 2.8.6-1 (low) CVE-2009-3889 (The dbg_lvl file for the megaraid_sas driver in the Linux kernel ...) - linux-2.6 2.6.27-1 (low) + [etch] - linux-2.6 (Vulnerable code not present) - linux-2.6.24 (low) CVE-2009-3888 (The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before ...) - linux-2.6 (unimportant) @@ -736,7 +737,7 @@ CVE-2009-XXXX [NULL dereferences, similar to Adobe's CVE-2009-0658] - ghostscript (unimportant) - xpdf (unimportant) CVE-2009-XXXX [multiple vulnerabilities in acidbase; XSS + possible sql injection] - - acidbase (bug #552235) + - acidbase 1.4.4-1 (bug #552235) CVE-2009-XXXX [multiple vulnerabilities in jetty] - jetty (bug #553644) TODO: check @@ -1786,8 +1787,8 @@ CVE-2009-3388 CVE-2009-3387 RESERVED CVE-2009-3386 (Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 ...) - - bugzilla - TODO: check + - bugzilla (Only 3.3 onwards are affected) + TODO: recheck, once a more recent (3.3.x or 3.4.x) version has been uploaded CVE-2009-3385 RESERVED CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari before ...) 
@@ -1994,7 +1995,7 @@ CVE-2009-3301 CVE-2009-3300 (Multiple cross-site scripting (XSS) vulnerabilities in the Identity ...) - shibboleth-sp2 2.3+dfsg-1 (medium; bug #555608) - shibboleth-sp (medium) - NOTE: xmltooling also needs to be updated, changed in sid in 1.3.1-1 + NOTE: xmltooling/opensaml2 also needs to be updated, changed in sid in 1.3.1-1/2.3-1 CVE-2009-3299 (Cross-site scripting (XSS) vulnerability in the resume blocktype in ...) {DSA-1924-1} - mahara 1.1.7-1 (low) @@ -4287,9 +4288,8 @@ CVE-2009-XXXX [groff: uses insecure temp files] [lenny] - groff (pdfroff not yet present) NOTE: requested CVE ids CVE-2009-XXXX [apache2: only first 8 characters used to validate password] - - apache2 (low; bug #539246) - [lenny] - apache2 (Standard behaviour of crypt) - [etch] - apache2 (Standard behaviour of crypt) + - apache2 (unimportant; bug #539246) + NOTE: Standard behaviour of crypt, enhancement bug for stronger method CVE-2009-XXXX [gnudips: remote privilege escalation] - gnudip (medium; bug #539452) TODO: request CVE id @@ -5262,7 +5262,7 @@ CVE-2009-2409 (The Network Security Services (NSS) library before 3.12.3, as use - openssl 0.9.8k-4 (low; bug #539899) - gnutls26 2.4.2-5 (low; bug #539901) - gnutls13 - - sun-java6 + - sun-java6 6-17-1 [lenny] - sun-java6 (Non-free not supported) CVE-2009-2407 (Heap-based buffer overflow in the parse_tag_3_packet function in ...) {DSA-1845-1 DSA-1844-1} 
@@ -7450,8 +7450,8 @@ CVE-2009-1589 (Unspecified vulnerability in CGI RESCUE MiniBBS22 before 1.01 all CVE-2009-1588 (Cross-site scripting (XSS) vulnerability in CGI RESCUE MiniBBS 8t ...) NOT-FOR-US: CGI RESCUE MiniBBS CVE-2009-XXXX [hex-a-hop: buffer overflow in loading save games] - - hex-a-hop (low; bug #528250) - [lenny] - hex-a-hop (Minor issue, very obscure attack vector) + - hex-a-hop (unimportant; bug #528250) + NOTE: That's a simple bug, it's silly to treat this as a security issue CVE-2009-1587 (index.php in PHP Site Lock 2.0 allows remote attackers to bypass ...) NOT-FOR-US: PHP Site Lock CVE-2009-1586 (Stack-based buffer overflow in the NZB importer feature in GrabIt ...) @@ -7981,7 +7981,7 @@ CVE-2009-1413 (Google Chrome 1.0.x does not cancel timeouts upon a page transiti CVE-2009-1412 (Argument injection vulnerability in the chromehtml: protocol handler ...) - chromium-browser (bug #520324) CVE-2009-XXXX [iodine: DoS against iodined triggerable by authenticated users] - - iodine (low) + - iodine 0.5.1 (low) [lenny] - iodine 0.4.2-2~lenny1 CVE-2009-XXXX [ntop: access.log permissions] - ntop (fedora-specific configuration issue; debian package not affected) @@ -8391,7 +8391,7 @@ CVE-2009-1299 CVE-2009-1298 RESERVED CVE-2009-1297 (iscsi_discovery in open-iscsi in SUSE openSUSE 10.3 through 11.1 and ...) - - open-iscsi (low; bug filed) + - open-iscsi (low; bug #547011) [lenny] - open-iscsi (Minor issue) [etch] - open-iscsi (Vulnerable script not yet present) CVE-2009-1296 (The eCryptfs support utilities (ecryptfs-utils) 73-0ubuntu6.1 on ...) 
@@ -15307,9 +15307,6 @@ CVE-2008-5161 (Error handling in the SSH protocol in (1) SSH Tectia Client and S - openssh (low; bug #506115) [etch] - openssh (Minor issue, see http://www.openssh.org/txt/cbc.adv) [lenny] - openssh (Minor issue, see http://www.openssh.org/txt/cbc.adv) - NOTE: I don't see this as being minor (a 1 in 262,144 chance of recovering 32 plaintext bits is rather good) - NOTE: See http://www.theregister.co.uk/2009/05/19/open_ssh_hack/ - TODO: reassess severity CVE-2008-5185 (The highlighting functionality in geshi.php in GeSHi before 1.0.8 ...) {DTSA-179-1} - geshi 1.0.8.1-1 (medium) @@ -22707,7 +22704,7 @@ CVE-2008-2086 (Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 a - sun-java5 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 (Non-free not supported) - - sun-java6 + - sun-java6 6-10-1 [lenny] - sun-java6 (Non-free not supported) CVE-2008-2084 (SQL injection vulnerability in topics.php in the MyArticles 0.6 beta-1 ...) NOT-FOR-US: MyArticles @@ -24207,10 +24204,8 @@ CVE-2008-1447 (The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0 - dnsmasq 2.43-1 (medium; bug #490123) - pdnsd 1.2.6-par-11 (bug #502275) - python-dns 2.3.1-5 (low; bug #490217) - - dnspython (low; bug #492465) - [etch] - dnspython (Just a stub resolver, 2.6.24 kernel from 4.0r4 provides source port randomisation) - [lenny] - dnspython (Just a stub resolver, Linux kernel provides source port randomisation) - NOTE: Upstream is planning to add its own randomisation + - dnspython (unimportant; bug #492465) + NOTE: Just a stub resolver Linux kernel provides source port randomisation - adns 1.4-2 (unimportant; bug #492698) NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian - udns (bug #493599) diff --git a/data/problematic-packages b/data/problematic-packages index 7e7b8546e4..9db793e150 100644 --- a/data/problematic-packages +++ b/data/problematic-packages 
@@ -13,8 +13,8 @@ SF: pinged maintainer on 2009-11-29 ---- -bugzilla: (June 2009) -No reply to security bugs #514143 in unstable in 4 months. +bugzilla: (Nov 2009) +Maintainer active again, package is still quite old, though 3.2 ---- @@ -30,6 +30,7 @@ Group maintained by Java Team, but no reply to RC security bug ---- -xpdf: (May 2009) +xpdf: (Nov 2009) No maintainer upload for two years, frequent security issues. -Filed RC bug about maintenance status: #527840 +Removed from Squeeze, remaining packages using xpdf-* have been +NMUed to use poppler \ No newline at end of file -- cgit v1.2.3
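Review bot: In the CVE-2009-3897 hunk of data/CVE/list, the removed NOTE carried the entry's only pointer to the upstream announcement (http://www.dovecot.org/list/dovecot-news/2009-November/000143.html). The "CVE requested on oss-sec" half is obsolete now that the id is assigned, but I would keep the URL as a NOTE so the 1:1.2.8-1 fixed version can be checked against the upstream release.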
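Review bot: In the CVE-2009-3386 hunk of data/CVE/list, "Only 3.3 onwards are affected" is looser than the description on the line above it, which gives the affected ranges as 3.3.2 through 3.4.3 and 3.5 through 3.5.1. Suggest quoting those ranges in the entry and extending the TODO, which names only 3.3.x or 3.4.x, so that a 3.5.x upload also triggers the recheck.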
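Review bot: In the hex-a-hop hunk of data/CVE/list, the new NOTE ("That's a simple bug, it's silly to treat this as a security issue") states an opinion where the removed lenny line stated a reason ("Minor issue, very obscure attack vector"). The entry title still describes a buffer overflow in loading save games, so the downgrade to unimportant should say why, for example by carrying the attack-vector wording over into the NOTE.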
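Review bot: In the iodine hunk of data/CVE/list, the fixed version is recorded as 0.5.1 with no Debian revision, while the lenny line directly below it uses 0.4.2-2~lenny1 and the other versions added in this patch (1:1.2.8-1, 1.4.4-1, 6-17-1) all carry one. Please confirm the string against the upload that actually fixed the issue, since this field is matched against package versions.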
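Review bot: In the CVE-2008-5161 hunk of data/CVE/list, the "TODO: reassess severity" and the dissenting NOTE about a 1 in 262,144 chance of recovering 32 plaintext bits are deleted with no record of the reassessment, and the commit message does not mention openssh at all. If the conclusion is that the two "Minor issue" lines stand, add a short NOTE with the reasoning or name the decision in the commit message, so the disagreement is resolved on the record rather than dropped.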
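Review bot: In the CVE-2008-1447 hunk of data/CVE/list, the new dnspython NOTE runs two statements together ("Just a stub resolver Linux kernel provides source port randomisation") and loses the condition from the removed etch line, which tied the randomisation to the 2.6.24 kernel from 4.0r4. Suggest punctuating the NOTE and keeping the etch caveat in it. The commit message also says dnspython is marked not-affected while the entry reads "unimportant", so one of the two should be adjusted to match.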
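Review bot: In the bugzilla hunk of data/problematic-packages, the rewritten entry drops the reference to bug #514143, and "package is still quite old, though 3.2" does not make clear what 3.2 refers to. Suggest keeping the bug number for traceability and spelling out the version statement in full.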
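Review bot: In the xpdf hunk of data/problematic-packages, the new final line is flagged "\ No newline at end of file", and the reference to RC bug #527840 is removed along with the old text. Suggest ending the file with a newline and keeping the bug number next to the "Removed from Squeeze" statement, so the removal can be traced back to the maintenance-status bug.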