diff options
author | Moritz Muehlenhoff <jmm@debian.org> | 2008-08-06 19:37:44 +0000 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2008-08-06 19:37:44 +0000 |
commit | 42cc120730e76d5301973c85d39e7d9053776703 (patch) | |
tree | d59baf604debacc0a353bd04c914b4d0a1c405c9 | |
parent | b7baf6ff1ff60332bbd897534f604923945f8070 (diff) |
links2, exiv2 no-dsa
add php to packages with special security support
add one missing mozilla CVE ID, which was split off
one moin issue doesn't affect etch
two dnsmasq issues don't affect etch, dnsmasq CVEfied
one iceweasel issue Mac specific
add note on firebird in etch
one issues marked as php is only relevant to libgd
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@9522 e39458fd-73e7-0310-bf30-c45bca0a0e42
-rw-r--r-- | data/CVE/list | 21 | ||||
-rw-r--r-- | data/DSA/list | 2 | ||||
-rw-r--r-- | data/package-tags | 3 | ||||
-rw-r--r-- | data/spu-candidates.txt | 11 |
4 files changed, 26 insertions, 11 deletions
diff --git a/data/CVE/list b/data/CVE/list index 1c044fbdeb..e4a7cfbdb6 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -89,7 +89,8 @@ CVE-2008-3383 (SQL injection vulnerability in mojoAuto.cgi in MojoAuto allows re CVE-2008-3382 (SQL injection vulnerability in mojoClassified.cgi in MojoClassifieds ...) NOT-FOR-US: MojoClassifieds CVE-2008-3381 (Multiple cross-site scripting (XSS) vulnerabilities in ...) - - moin 1.7.1-1 + - moin 1.7.1-1 (low) + [etch] - moin <not-affected> (Vulnerable macro not present) CVE-2008-3380 (Cross-site scripting (XSS) vulnerability in ajaxp_backend.php in ...) NOT-FOR-US: MyioSoft EasyBookMarker CVE-2008-3379 (Cross-site scripting (XSS) vulnerability in Snark VisualPic 0.3.1 ...) @@ -134,6 +135,8 @@ CVE-2008-3360 (Stack-based buffer overflow in the HTML parser in IntelliTamper 2 NOT-FOR-US: IntelliTamper CVE-2008-3359 (SQL injection vulnerability in register.php in Steve Bourgeois and ...) - owl-dms <unfixed> (bug #493372) + NOTE: Hardly maintained and very few users, long standing sec issues in Etch, + TODO: we should remove this from Lenny w/o maintainer reaction CVE-2008-3358 RESERVED CVE-2008-3357 @@ -152,6 +155,7 @@ CVE-2008-3351 (SQL injection vulnerability in atomPhotoBlog.php in Atom PhotoBlo NOT-FOR-US: Atom PhotoBlog CVE-2008-3350 (dnsmasq 2.43 allows remote attackers to cause a denial of service ...) - dnsmasq 2.44-1 (low) + [etch] - dnsmasq <not-affected> (Issue was introduced in 2.43) CVE-2008-3349 (Multiple unspecified vulnerabilities in NetApp Data ONTAP, as used on ...) NOT-FOR-US: NetApp Data ONTAP CVE-2008-3348 (Cross-site scripting (XSS) vulnerability in ...) @@ -416,7 +420,7 @@ CVE-2008-3215 (libclamav/petite.c in ClamAV before 0.93.3 allows remote attacker {DSA-1616-2} - clamav 0.93.1.dfsg-1.1 (medium) CVE-2008-3214 (dnsmasq 2.25 allows remote attackers to cause a denial of service ...) - - dnsmasq 2.44-1 (low) + - dnsmasq 2.26-1 (medium) CVE-2008-3213 (SQL injection vulnerability in secciones/tablon/tablon.php in WebCMS ...) NOT-FOR-US: WebCMS CVE-2008-3212 (Multiple SQL injection vulnerabilities in Scripteen Free Image Hosting ...) @@ -448,7 +452,8 @@ CVE-2008-3200 (SQL injection vulnerability in vlc_forum.php in Avlc Forum as of CVE-2008-3199 (Multiple unspecified vulnerabilities in ReSIProcate before 1.3.4 allow ...) NOT-FOR-US: ReSIProcate CVE-2008-3198 (Mozilla Firefox 3.x before 3.0.1 allows remote attackers to inject ...) - TODO: check + - iceweasel 3.0.1-1 (low) + NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html CVE-2008-3195 RESERVED CVE-2008-3194 (Multiple directory traversal vulnerabilities in ...) @@ -1056,11 +1061,10 @@ CVE-2008-2935 [libxslt heap overflow] - libxslt 1.1.24-2 (bug #493162) NOTE: http://www.ocert.org/advisories/ocert-2008-009.html CVE-2008-2934 (Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote attackers to ...) - TODO: check + - iceweasel <not-affected> (MacOS-specific) CVE-2008-2933 (Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' ...) {DSA-1615-1 DSA-1614-1} - iceweasel 3.0.1-1 (low) - NOTE: http://www.mozilla.org/security/announce/2008/mfsa2008-35.html CVE-2008-2932 RESERVED CVE-2008-2931 (The do_change_type function in fs/namespace.c in the Linux kernel ...) @@ -1272,10 +1276,6 @@ CVE-2008-3140 (The syslog dissector in Wireshark (formerly Ethereal) 1.0.0 allow CVE-2008-3141 (Unspecified vulnerability in the RMI dissector in Wireshark (formerly ...) - wireshark 1.0.1-1 (low; bug #488834) NOTE: http://www.wireshark.org/security/wnpa-sec-2008-03.html -CVE-2008-XXXX [dnsmasq crash on renewing non-existent lease] - - dnsmasq 2.26-1 (medium) - NOTE: CVE id requested by Ubuntu - NOTE: http://freshmeat.net/projects/dnsmasq/?branch_id=1991&release_id=217681 CVE-2008-2952 (liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to ...) {DTSA-151-1} - openldap2.3 <removed> (low; bug #488710) @@ -3493,6 +3493,7 @@ CVE-2008-1881 (Stack-based buffer overflow in the ParseSSA function ...) - vlc 0.8.6.e-2.1 (medium; bug #477805) CVE-2008-1880 (The default configuration of Firebird before 2.0.3.12981.0-r6 on ...) - firebird2 <removed> + [etch] - firebird2 <no-dsa> (Firebird 1.5 no longer supported, see last DSA) - firebird2.0 2.0.3.12981.ds1-14 (bug #481389) NOTE: on debian after the installation firebird2.0-super is disabled, to enable it NOTE: you need to call dpkg-reconfigure @@ -15404,7 +15405,7 @@ CVE-2007-3997 (The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, an CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow remote ...) {DSA-1613-1} - libgd2 2.0.35.dfsg-1 (bug #443456; medium) - - php5 5.2.4-1 (medium) + NOTE: Debian's PHP packages are linked dynamically against libgd NOTE: see http://www.php.net/releases/5_2_4.php CVE-2007-3995 RESERVED diff --git a/data/DSA/list b/data/DSA/list index 3a2408b696..8cdc1d829f 100644 --- a/data/DSA/list +++ b/data/DSA/list @@ -38,7 +38,7 @@ {CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 CVE-2008-2800 CVE-2008-2801 CVE-2008-2802 CVE-2008-2803 CVE-2008-2805 CVE-2008-2807 CVE-2008-2808 CVE-2008-2809 CVE-2008-2811 CVE-2008-2933} [etch] - xulrunner 1.8.0.15~pre080614d-0etch1 [23 Jul 2008] DSA-1614-1 iceweasel - several vulnerabilities - {CVE-2008-2785 CVE-2008-2933} + {CVE-2008-2785 CVE-2008-2933 CVE-2008-3198} [etch] - iceweasel 2.0.0.16-0etch1 [22 Jul 2008] DSA-1613-1 libgd2 - multiple vulnerabilities {CVE-2007-2445 CVE-2007-3476 CVE-2007-3477 CVE-2007-3996} diff --git a/data/package-tags b/data/package-tags index bc64269789..0b7e853c07 100644 --- a/data/package-tags +++ b/data/package-tags @@ -8,5 +8,8 @@ [etch] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone) [lenny] sql-ledger <limited-support> (Only supported behind an authenticated HTTP zone) +[etch] php5 <limited-support> (See README.Debian.security for the PHP security policy) +[etch] php4 <limited-support> (See README.Debian.security for the PHP security policy) +[lenny] php5 <limited-support> (See README.Debian.security for the PHP security policy) [etch] adns <limited-support> (Stub resolver that should only be used with trusted recursors) [lenny] adns <limited-support> (Stub resolver that should only be used with trusted recursors) diff --git a/data/spu-candidates.txt b/data/spu-candidates.txt index 3966e8585c..cb71489813 100644 --- a/data/spu-candidates.txt +++ b/data/spu-candidates.txt @@ -67,6 +67,12 @@ notified maintainer -- +exiv2 (CVE-2008-2696) +bug #486328) +http://dev.robotbattle.com/cgi-bin/viewvc.cgi/exiv2/trunk/src/nikonmn.cpp?r1=1473&r2=1499 + +-- + flac123 (CVE-2007-3507) notified maintainer @@ -105,6 +111,11 @@ notified maintainer -- +links2 (CVE-2008-3329) +bug #492744) + +-- + linux-ftpd-ssl (CVE-2007-6263) #454733 notified maintainer |