| field | value | date |
|---|---|---|
| author | Henri Salo <henri@nerv.fi> | 2015-10-28 06:04:26 +0000 |
| committer | Henri Salo <henri@nerv.fi> | 2015-10-28 06:04:26 +0000 |
| commit | 6560be7f3f7f1a379d59dcfda520f90568fc94c3 (patch) | |
| tree | 1ef76e1e93e036408077ee6d57ff77c464e40779 | |
| parent | 220e4dae3fc30c747194a9b65fe89635af51d873 (diff) | |
Cleanup double space after dot in notes to improve readability.
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@37391 e39458fd-73e7-0310-bf30-c45bca0a0e42
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | data/CVE/2002.list | 2 |
| -rw-r--r-- | data/CVE/2003.list | 2 |
| -rw-r--r-- | data/CVE/2004.list | 2 |
| -rw-r--r-- | data/CVE/2005.list | 4 |
| -rw-r--r-- | data/CVE/2006.list | 16 |
| -rw-r--r-- | data/CVE/2007.list | 10 |
| -rw-r--r-- | data/CVE/2008.list | 8 |
| -rw-r--r-- | data/CVE/2009.list | 8 |
| -rw-r--r-- | data/CVE/2010.list | 2 |
| -rw-r--r-- | data/CVE/2011.list | 2 |
| -rw-r--r-- | data/CVE/2013.list | 2 |
| -rw-r--r-- | data/CVE/2014.list | 2 |
12 files changed, 30 insertions, 30 deletions
diff --git a/data/CVE/2002.list b/data/CVE/2002.list index 94abf0951d..93476e5e18 100644 --- a/data/CVE/2002.list +++ b/data/CVE/2002.list @@ -1000,7 +1000,7 @@ CVE-2002-1977 (Network Associates PGP 7.0.4 and 7.1 does not time out according CVE-2002-1976 (ifconfig, when used on the Linux kernel 2.2 and later, does not report ...) - net-tools <unfixed> (unimportant) NOTE: This seems to be a misunderstanding of what the PROMISC flag - NOTE: is about. ifconfig reports properly when it is set using + NOTE: is about. ifconfig reports properly when it is set using NOTE: "ifconfig promisc". CVE-2002-1975 (Sharp Zaurus PDA SL-5000D and SL-5500 uses a salt of "A0" to encrypt ...) NOT-FOR-US: Zaurus hardware diff --git a/data/CVE/2003.list b/data/CVE/2003.list index d2f077e6fd..8307be6da6 100644 --- a/data/CVE/2003.list +++ b/data/CVE/2003.list @@ -2813,7 +2813,7 @@ CVE-2003-0299 (The IMAP Client, as used in mutt 1.4.1 and Balsa 2.0.10, allows r NOT-FOR-US: Historic mutt and Balsa issues, only a crasher anyway CVE-2003-0298 (The IMAP Client for Mozilla 1.3 and 1.4a allows remote malicious IMAP ...) - mozilla 2:1.5-1 - NOTE: May have been fixed in an earlier version. Not clear how + NOTE: May have been fixed in an earlier version. Not clear how NOTE: Mozilla's a/b versions map to the Debian version. CVE-2003-0297 (c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows ...) - uw-imap 7:2002c diff --git a/data/CVE/2004.list b/data/CVE/2004.list index f4769b27a2..6170270ffc 100644 --- a/data/CVE/2004.list +++ b/data/CVE/2004.list 
@@ -5777,7 +5777,7 @@ CVE-2004-0175 (Directory traversal vulnerability in scp for OpenSSH before 3.4p1 [sarge] - openssh <no-dsa> (Minor issue) NOTE: The directory traversal part has been fixed in OpenSSH 3.9p1. NOTE: The "SUID/SGID across trust boundaries" issue remains, but is - NOTE: largely theoretic. This is a rediscovery of CVE-2000-0992. + NOTE: largely theoretic. This is a rediscovery of CVE-2000-0992. NOTE: jmm: 3.9p1 thus marked as fixed version CVE-2004-0174 (Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using ...) - apache 1.3.29.0.2-5 diff --git a/data/CVE/2005.list b/data/CVE/2005.list index d7191c435c..47dee8be65 100644 --- a/data/CVE/2005.list +++ b/data/CVE/2005.list @@ -1339,7 +1339,7 @@ CVE-2005-4305 (Cross-site scripting (XSS) vulnerability in Edgewall Trac 0.9, 0. [sarge] - trac <unfixed> (medium) NOTE: upstream bts at http://trac.edgewall.org/ticket/2473 claims this is NOTE: fixed in http://trac.edgewall.org/changeset/2724 but it's a fairly - NOTE: invasive set of patches to backport. basically most instances + NOTE: invasive set of patches to backport. basically most instances NOTE: of input being escape()'d are no longer done so, and instead a NOTE: Markup() function replaces them, and special checks are done NOTE: on rendered HTML output to prevent XSS code from being displayed. @@ -3398,7 +3398,7 @@ CVE-2005-3392 (Unspecified vulnerability in PHP before 4.4.1, when using the vir [sarge] - php4 <no-dsa> (Safe mode violations not supported) - php5 5.1.1-1 (bug #336654; low) NOTE: According to CVE, this is a safe mode violation, - NOTE: therefore low impact. (According to SuSE, it's an + NOTE: therefore low impact. (According to SuSE, it's an NOTE: information leak.) CVE-2005-3391 (Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to ...) - php4 4:4.4.2-1 (bug #336645; bug #354678; low) diff --git a/data/CVE/2006.list b/data/CVE/2006.list index 1a310d9e64..d99d276b39 100644 --- a/data/CVE/2006.list 
+++ b/data/CVE/2006.list @@ -1152,7 +1152,7 @@ CVE-2006-6731 (Multiple buffer overflows in Sun Java Development Kit (JDK) and J - sun-java5 1.5.0-08-1 CVE-2006-6730 (OpenBSD and NetBSD permit usermode code to kill the display server and ...) NOTE: Access to DMA-capable hardware such as graphics cards can, - NOTE: by design, bypass security restrictions. Not a real issue. + NOTE: by design, bypass security restrictions. Not a real issue. CVE-2006-6729 (Cross-site scripting (XSS) vulnerability in a-blog 1.51 and earlier ...) NOT-FOR-US: a-blog CVE-2006-6728 (Unspecified vulnerability in the info request mechanism in LAN ...) @@ -10308,7 +10308,7 @@ CVE-2006-2660 (Buffer consumption vulnerability in the tempnam function in PHP 5 - php4 4:4.4.4-1 (unimportant) - php5 5.1.6-1 (unimportant) NOTE: using a long enough path (>MAXPATHLEN) allows you to have - NOTE: tempnam create a file without the temp extension. sounds like + NOTE: tempnam create a file without the temp extension. sounds like NOTE: another shoot yourself in the foot issue, since the local user NOTE: could just as easily create the file manually, and if the NOTE: tempnam function is taking unsanitized input, it's an @@ -11061,8 +11061,8 @@ CVE-2006-2314 (PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before . - pygresql 3.8-1.1 (medium) [sarge] - pygresql <not-affected> (Already includes proper quoting) NOTE: Beginning with version 7.5.4, postgresql is a transition - NOTE: package which does not contain actual code. That's why - NOTE: it's marked as fixed here. (Previous versions are vulnerable.) + NOTE: package which does not contain actual code. That's why + NOTE: it's marked as fixed here. (Previous versions are vulnerable.) NOTE: The following packages needed to adapted to cope with the new system: NOTE: psycopg 1.1.21-5 (bug #369230) NOTE: python-pgsql 2.4.0-8 (bug #369250) 
@@ -11075,8 +11075,8 @@ CVE-2006-2313 (PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before . - postgresql-7.4 1:7.4.13-1 (high) - postgresql-8.1 8.1.4-1 (high) NOTE: Beginning with version 7.5.4, postgresql is a transition - NOTE: package which does not contain actual code. That's why - NOTE: it's marked as fixed here. (Previous versions are vulnerable.) + NOTE: package which does not contain actual code. That's why + NOTE: it's marked as fixed here. (Previous versions are vulnerable.) CVE-2006-2312 (Argument injection vulnerability in the URI handler in Skype 2.0.*.104 ...) NOT-FOR-US: Skype CVE-2006-2311 (Cross-site scripting (XSS) vulnerability in BlueDragon Server and ...) @@ -11533,7 +11533,7 @@ CVE-2006-2106 (Cross-site scripting (XSS) vulnerability in Edgewall Software Tra [sarge] - trac <unfixed> (medium) NOTE: http://trac.edgewall.org/changeset/3201 NOTE: http://trac.edgewall.org/changeset/3287 - NOTE: the second reference fixes a regression in the first. i *believe* + NOTE: the second reference fixes a regression in the first. i *believe* NOTE: that these correctly solve the problem, though we really ought NOTE: to run this by upstream or the reporter. CVE-2006-2105 (Directory traversal vulnerability in index.php in Jupiter CMS 1.1.4 ...) @@ -15224,7 +15224,7 @@ CVE-2006-0527 (BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, - bind 1:8.4.7-1 (low) [sarge] - bind <no-dsa> (Architectual limitatiom, upgrade to BIND 9 as a a fix) NOTE: BIND 8 is unsuitable for forwarder use because of its - NOTE: architecture. Upgrade to BIND 9 as a fix. + NOTE: architecture. Upgrade to BIND 9 as a fix. NOTE: This was fixed in sid by documenting it as an unfixable design limitation CVE-2006-0526 (The default configuration of the America Online (AOL) client software ...) NOT-FOR-US: AOL diff --git a/data/CVE/2007.list b/data/CVE/2007.list index 7c1053e0a8..fa2bd896ea 100644 --- a/data/CVE/2007.list +++ b/data/CVE/2007.list 
@@ -4802,7 +4802,7 @@ CVE-2007-4752 (ssh in OpenSSH before 4.7 does not properly handle when an untrus [sarge] - openssh <no-dsa> (minor issue in weak security measure) NOTE: An exploit needs limited control over the machine running a NOTE: trusted X client, so this is only a slight privilege - NOTE: escalation. The X Security extension is merely an afterthought + NOTE: escalation. The X Security extension is merely an afterthought NOTE: and is unlikely to provide strong security guarantees. CVE-2007-4748 (Buffer overflow in the PowerPlayer.dll ActiveX control in PPStream ...) NOT-FOR-US: PowerPlayer @@ -9345,7 +9345,7 @@ CVE-2007-2833 (Emacs 21 allows user-assisted attackers to cause a denial of serv {DSA-1316-1} - emacs21 21.4a+1-5.1 (bug #408929; low) - emacs-snapshot <removed> - NOTE: The bug is not present in emacs22 22.2+1-1. It was probably + NOTE: The bug is not present in emacs22 22.2+1-1. It was probably NOTE: fixed before the first emacs22 upload. CVE-2007-2832 (Cross-site scripting (XSS) vulnerability in the web application ...) NOT-FOR-US: Cisco @@ -10467,7 +10467,7 @@ CVE-2007-2380 (The Microsoft Atlas framework exchanges data using JavaScript Obj NOT-FOR-US: Microsoft Atlas CVE-2007-2379 (The jQuery framework exchanges data using JavaScript Object Notation ...) - jquery <unfixed> (unimportant) - NOTE: the paper in this reference is a guideline on how to avoid writing unsafe jquery applications. there really isn't anything to fix in the library itself. + NOTE: the paper in this reference is a guideline on how to avoid writing unsafe jquery applications. there really isn't anything to fix in the library itself. NOTE: https://www.fortify.com/vulncat/en/vulncat/javascript/javascript_hijacking_ad_hoc_ajax.html CVE-2007-2378 (The Google Web Toolkit (GWT) framework exchanges data using JavaScript ...) - gwt <removed> (unimportant; bug #563542) 
@@ -12011,7 +12011,7 @@ CVE-2007-1700 (The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2 [etch] - php4 6:4.4.4-8+etch1 [sarge] - php4 4:4.3.10-21 NOTE: This was fixed as a side-effect of previous security fixes, noting the - NOTE: status as of DSA-1286 as fixed version. likewise the oldstable + NOTE: status as of DSA-1286 as fixed version. likewise the oldstable NOTE: version was fixed. CVE-2007-1699 (Multiple PHP remote file inclusion vulnerabilities in the SWmenu ...) NOT-FOR-US: Mambo module SWmenu @@ -15485,7 +15485,7 @@ CVE-2007-0227 (slocate 3.1 does not properly manage database entries that specif [sarge] - slocate <not-affected> (Performs correct access checks) [etch] - slocate <no-dsa> (Minor issue) NOTE: slocate will allow users to find files in directories with the - NOTE: executable bit set but without the readable bit set. This is + NOTE: executable bit set but without the readable bit set. This is NOTE: an information leak. CVE-2007-0226 (SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier ...) NOT-FOR-US: uniForum diff --git a/data/CVE/2008.list b/data/CVE/2008.list index bcefc68ffd..4210bd9f45 100644 --- a/data/CVE/2008.list +++ b/data/CVE/2008.list @@ -7594,7 +7594,7 @@ CVE-2008-4109 (A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; b {DSA-1638-1 CVE-2006-5051} - openssh 1:4.6p1-1 (low) NOTE: The patch backported for CVE-2006-5051 was incorrect and did not - NOTE: fully address the issue. The upstream fix in 4.4p1 was + NOTE: fully address the issue. The upstream fix in 4.4p1 was NOTE: right, and it the next unstable upload after that was 4.6p1. CVE-2008-4100 (GNU adns 1.4 and earlier uses a fixed source port and sequential ...) - adns 1.4-2 (unimportant; bug #492698) 
@@ -8887,14 +8887,14 @@ CVE-2008-3528 (The error-reporting functionality in (1) fs/ext2/dir.c, (2) ...) NOTE: Comment from tytso: NOTE: Note: some people thinks this represents a security bug, since it NOTE: might make the system go away while it is printing a large number of - NOTE: console messages, especially if a serial console is involved. Hence, + NOTE: console messages, especially if a serial console is involved. Hence, NOTE: it has been assigned CVE-2008-3528, but it requires that the attacker NOTE: either has physical access to your machine to insert a USB disk with a NOTE: corrupted filesystem image (at which point why not just hit the power NOTE: button), or is otherwise able to convince the system administrator to NOTE: mount an arbitrary filesystem image (at which point why not just NOTE: include a setuid shell or world-writable hard disk device file or some - NOTE: such). Me, I think they're just being silly. + NOTE: such). Me, I think they're just being silly. CVE-2008-3527 (arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects ...) {DSA-1687-1} - linux-2.6 2.6.21-1 @@ -11719,7 +11719,7 @@ CVE-2008-2321 (Unspecified vulnerability in CoreGraphics in Apple Mac OS X 10.4. CVE-2008-2320 (Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11 ...) NOT-FOR-US: Apple Mac OS X NOTE: the original apple advisory (HT3613) is completely different from the current CVE - NOTE: description. it claims that this is a webkit issue, which is completely wrong + NOTE: description. it claims that this is a webkit issue, which is completely wrong CVE-2008-2319 RESERVED CVE-2008-2318 (The WOHyperlink implementation in WebObjects in Apple Xcode tools ...) diff --git a/data/CVE/2009.list b/data/CVE/2009.list index f7c9021fce..dd802a3888 100644 --- a/data/CVE/2009.list +++ b/data/CVE/2009.list 
@@ -3187,7 +3187,7 @@ CVE-2009-3851 (Trusted Extensions in Sun Solaris 10 interferes with the operatio CVE-2009-3850 (Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to ...) - blender <unfixed> (unimportant) NOTE: attack vector is social engineering to get the user to open - NOTE: a malicious .blend file. by design, blend files support + NOTE: a malicious .blend file. by design, blend files support NOTE: all python operations, so ultimately any code can be executed CVE-2009-3849 (Multiple stack-based buffer overflows in HP OpenView Network Node ...) NOT-FOR-US: HP OpenView Network Node Manager @@ -11910,7 +11910,7 @@ CVE-2009-0676 (The sock_getsockopt function in net/core/sock.c in the Linux kern NOTE: Original fix was incomplete/risky, see: NOTE: <http://marc.info/?l=linux-kernel&m=123540732700371&w=2> NOTE: Reproducer in <https://bugzilla.redhat.com/show_bug.cgi?id=486305> - NOTE: lacks initialzer for len. Leak confirmed with fixed reproducer. + NOTE: lacks initialzer for len. Leak confirmed with fixed reproducer. CVE-2009-0675 (The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (low) 
@@ -11996,8 +11996,8 @@ CVE-2009-XXXX [sysvinit: no-root option in expert installer exposes locally expl NOTE: hardly a security issue, if an attacker has local access to the machine and you NOTE: don't use encryption or something similar you have lost anyway NOTE: - this ^ philosophy is flawed; it should not be trivial to get root just because you - NOTE: have local access to the machine. it is worth it to make it as difficult as - NOTE: possible without impacting authorized users. otherwise, why spend so much effort + NOTE: have local access to the machine. it is worth it to make it as difficult as + NOTE: possible without impacting authorized users. otherwise, why spend so much effort NOTE: to make sure xscreensaver, gdm, and login are rock solid? NOTE: - i would like to track as low, rather than unimportant CVE-2009-0753 (Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7 ...) diff --git a/data/CVE/2010.list b/data/CVE/2010.list index b21be69756..fad9845a3a 100644 --- a/data/CVE/2010.list +++ b/data/CVE/2010.list @@ -8860,7 +8860,7 @@ CVE-2010-1807 (WebKit in Apple Safari 4.x before 4.1.2 and 5.x before 5.0.2; And NOTE: https://bugs.webkit.org/show_bug.cgi?id=43461 NOTE: the problem is that the standard-library strtod() NOTE: parses "NAN(payload)" as a NaN with a user-defined payload, which is bad for the nan-boxing - NOTE: scheme used by webkit (and mozilla). The fix is not to accept "NAN(payload)". + NOTE: scheme used by webkit (and mozilla). The fix is not to accept "NAN(payload)". NOTE: test-case: -parseFloat("NAN(ffffeeeeeff0f)") NOTE: reproduced with epiphany CVE-2010-1806 (Use-after-free vulnerability in Apple Safari 4.x before 4.1.2 and 5.x ...) diff --git a/data/CVE/2011.list b/data/CVE/2011.list index fd3dd3a754..a586c41196 100644 --- a/data/CVE/2011.list +++ b/data/CVE/2011.list 
@@ -4394,7 +4394,7 @@ CVE-2011-3573 (Unspecified vulnerability in Oracle Communications Unified 7.0 al CVE-2011-3572 RESERVED CVE-2011-3571 (Unspecified vulnerability in the Virtual Desktop Infrastructure (VDI) ...) - NOTE: CVE was misused by Oracle. Replaced by CVE-2012-0507. + NOTE: CVE was misused by Oracle. Replaced by CVE-2012-0507. CVE-2011-3570 (Unspecified vulnerability in Oracle Communications Unified 7.0 allows ...) NOT-FOR-US: Oracle Communications Unified CVE-2011-3569 (Unspecified vulnerability in the Oracle Web Services Manager component ...) diff --git a/data/CVE/2013.list b/data/CVE/2013.list index d471ac208f..4cd62b09a9 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -39,7 +39,7 @@ CVE-2013-7440 [incorrect wildcard matching rules] [squeeze] - python2.5 <no-dsa> (Minor issue) NOTE: https://bugs.python.org/issue17997#msg194950 NOTE: https://hg.python.org/cpython/rev/10d0edadbcdd - NOTE: The CVE is only about refusing multiple wildcards. Backporting that part only is not so difficult. + NOTE: The CVE is only about refusing multiple wildcards. Backporting that part only is not so difficult. CVE-2013-7439 (Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen ...) {DSA-3224-1 DLA-199-1} - libx11 2:1.6.0-1 diff --git a/data/CVE/2014.list b/data/CVE/2014.list index ca5ca02a62..b7a7989acc 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list 
@@ -191,7 +191,7 @@ CVE-2014-9718 (The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionalit NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8 (v2.2.0-rc2) NOTE: http://www.openwall.com/lists/oss-security/2015/03/24/4 NOTE: Per maintainer not a security issue: - NOTE: Qemu either leaks memory or loops infinitely. Memory leakage can be easily + NOTE: Qemu either leaks memory or loops infinitely. Memory leakage can be easily NOTE: mitigated using some kind of resource limits in security-sensitive environments, NOTE: and looping can trivially be done inside the virtual machine just fine, achieving NOTE: the same effect |
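Review bot: in the data/CVE/2009.list hunk for CVE-2009-0676, the rewritten `+` line still carries the typo "initialzer" in "NOTE: lacks initialzer for len."; since that line is already being replaced, spell it "initializer" in the same change rather than leaving a known typo in a freshly touched line.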
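Review bot: in the data/CVE/2006.list hunk for CVE-2006-0527, the unchanged context line "[sarge] - bind <no-dsa> (Architectual limitatiom, upgrade to BIND 9 as a a fix)" has three typos ("Architectual", "limitatiom", "a a fix"); this entry is being touched for readability anyway, so correcting them to "Architectural limitation, upgrade to BIND 9 as a fix" here would avoid a second cleanup pass over the same lines.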
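Review bot: in the data/CVE/2006.list hunk for CVE-2006-2314, the context line "NOTE: The following packages needed to adapted to cope with the new system:" is missing a word and should read "needed to be adapted"; worth including since the neighbouring NOTE lines are being rewritten in this hunk.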
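Review bot: in the data/CVE/2008.list hunk for CVE-2008-4109, the context line "NOTE: right, and it the next unstable upload after that was 4.6p1." has a stray "it"; suggest "right, and the next unstable upload after that was 4.6p1." while this note block is being edited.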
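Review bot: in the data/CVE/2007.list hunk for CVE-2007-2379, the `+` line "NOTE: the paper in this reference is a guideline on how to avoid writing unsafe jquery applications. there really isn't anything to fix in the library itself." is far longer than the wrapped NOTE lines used throughout the rest of the file; since the point of the commit is readability, wrap it across two NOTE lines at the same width as the surrounding entries.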
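Review bot: in the data/CVE/2013.list hunk for CVE-2013-7440, the `+` line "NOTE: The CVE is only about refusing multiple wildcards. Backporting that part only is not so difficult." is likewise a single over-long line next to wrapped NOTE lines; splitting it at the sentence boundary into two NOTE lines would match the file's existing wrapping convention.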