more cleanups

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@2935 e39458fd-73e7-0310-bf30-c45bca0a0e42

3 files changed, 22 insertions, 28 deletions

diff --git a/data/CVE/1999.list b/data/CVE/1999.list
index ce6ba05aae..d816202eb0 100644
--- a/data/CVE/1999.list
+++ b/data/CVE/1999.list
@@ -14,7 +14,7 @@ CVE-1999-1582 (By design, the "established" command on the Cisco PIX f
 CVE-1999-1581 (Memory leak in Simple Network Management Protocol (SNMP) agent ...)
 	NOT-FOR-US: Windows
 CVE-1999-1580 (SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding ...)
-	NOT-FOR-US: Sun's sendmail
+	- sendmail <not-affected> (Sun-specific)
 CVE-1999-1579 (The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions ...)
 	NOT-FOR-US: Windows
 CVE-1999-1578 (Buffer overflow in Registration Wizard ActiveX control (regwizc.dll, ...)
diff --git a/data/CVE/2001.list b/data/CVE/2001.list
index 36114c5649..5acd01565b 100644
--- a/data/CVE/2001.list
+++ b/data/CVE/2001.list
@@ -286,9 +286,9 @@ CVE-2001-1446 (Find-By-Content in Mac OS X 10.0 through 10.0.4 creates world-rea
 CVE-2001-1445 (Unknown vulnerability in the SMTP server in Lotus Domino 5.0 through ...)
 	NOT-FOR-US: Lotus Domino
 CVE-2001-1444 (The Kerberos Telnet protocol, as implemented by KTH Kerberos IV and ...)
-	NOTE: Generic protocol flaw
+	NOT-FOR-US: Generic protocol flaw
 CVE-2001-1443 (KTH Kerberos IV and Kerberos V (Heimdal) for Telnet clients do not ...)
-	NOTE: Generic protocol flaw
+	NOT-FOR-US: Generic protocol flaw
 CVE-2001-1442 (Buffer overflow in innfeed for ISC InterNetNews (INN) before 2.3.0 ...)
 	- inn2 2.3.3+20020922-1
 	- innfeed 0.10.1.7-7
diff --git a/data/CVE/2005.list b/data/CVE/2005.list
index 11b2fe9677..0c62aae539 100644
--- a/data/CVE/2005.list
+++ b/data/CVE/2005.list
@@ -6478,8 +6478,7 @@ CVE-2005-1179 (Unknown vulnerability in Xerox MicroServer Web Server for various
 CVE-2005-1178 (SQL injection vulnerability in Oracle Forms 10g allows remote ...)
 	NOT-FOR-US: Oracle
 CVE-2005-1177 (Unknown vulnerability in (1) Webmin and (2) Usermin before 1.200 ...)
-	NOTE: According to maintainer posting in debian-release this does only affect 1.190
-	NOTE: and not the version in Sarge
+	- webmin 1.200-1
 CVE-2005-1176 (Race condition in JFS2 on AIX 5.2 and 5.3, when deleting a file while ...)
 	NOT-FOR-US: AIX
 CVE-2005-1175 (Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT ...)
@@ -6600,7 +6599,6 @@ CVE-2005-1127 (Format string vulnerability in the log function in Net::Server 0.
 CVE-2005-1126 (The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 ...)
 	NOT-FOR-US: Free BSD
 CVE-2005-1125 (Race condition in libsafe 2.0.16 and earlier, when running in ...)
-	NOTE: Has been removed from Sarge
 	- libsafe <unfixed> (bug #305070; medium)
 CVE-2005-1124 (Unknown vulnerability in the libgss Generic Security Services Library ...)
 	NOT-FOR-US: Solaris
@@ -6610,7 +6608,6 @@ CVE-2005-1122 (Format string vulnerability in cgi.c for Monkey daemon (monkeyd)
 	NOT-FOR-US: monkeyd
 CVE-2005-1121 (Format string vulnerability in the my_xlog function in lib.c for Oops! ...)
 	{DSA-726-1}
-	NOTE: Not part of Sarge due to FTBFS on ia64 and alpha
 	- oops <unfixed> (bug #307360; high)
 CVE-2005-1120 (Multiple cross-site scripting (XSS) vulnerabilities in IlohaMail ...)
 	- ilohamail <unfixed> (bug #304525; medium)
@@ -6638,12 +6635,11 @@ CVE-2005-1110 (Stack-based buffer overflow in the RespondeHTTPPendiente function
 CVE-2005-1109 (The filtering of URLs in JunkBuster before 2.0.2-r3 allows remote ...)
 	{DSA-713-1}
 	- junkbuster <removed> (bug #304793)
-	NOTE: checked privoxy, is not vulnerable
+	- privoxy <not-affected>
 CVE-2005-1108 (The ij_untrusted_url function in JunkBuster 2.0.2-r2, with ...)
 	{DSA-713-1}
-	NOTE: only part of Woody, has been removed from Sarge and sid
-	NOT-FOR-US: Junkbuster
-	NOTE: checked privoxy, is not vulnerable
+	- junkbuster <removed>
+	- privoxy <not-affected>
 CVE-2005-1107 (McAfee Internet Security Suite 2005 uses insecure default ACLs for ...)
 	NOT-FOR-US: McAfee
 CVE-2005-XXXX [Remote DoS vulnerabilities in postgrey]
@@ -6731,12 +6727,10 @@ CVE-2005-1068 (Cross-site scripting (XSS) vulnerability in sCssBoard 1.11 and ea
 CVE-2005-1067 (Vulnerability in Access_user Class before 1.75 allows local users to ...)
 	NOT-FOR-US: Access_user class
 CVE-2005-1066 (Race condition in rpdump in Pine 4.62 and earlier allows local users ...)
-	NOTE: the affected binary is not included in pine binary packages
-	NOTE: and the maintainer refuses to maintain code that is not
-	NOTE: see bug #304547
+	- pine 4.63-1 (unimportant)
+	NOTE: Not shipped in the binary package
 CVE-2005-1065 (tetex in Novell Linux Desktop 9 allows local users to determine the ...)
-	NOTE: we do not seem to be vulnerable; /var/cache/fonts is not
-	NOTE: writiable by normal users in Debian, only by root.
+	- tetex-base <not-affected> (/var/cache/fonts is not writable by normal users in Debian)
 CVE-2005-1064 (The copy_symlink function in rsnapshot 1.2.0 and 1.1.x before 1.1.7 ...)
 	- rsnapshot 1.2.1-1
 CVE-2005-1063 (The administration protocol for Kerio WinRoute Firewall 6.x up to ...)
@@ -6785,11 +6779,12 @@ CVE-2005-1043 (exif.c in PHP before 4.3.11 allows remote attackers to cause a de
 CVE-2005-1042 (Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP ...)
 	- php4 4:4.3.10-10 (bug #306003)
 CVE-2005-1041 (The fib_seq_start function in fib_hash.c in Linux kernel allows local ...)
-	- kernel-source-2.6.11 2.6.11-1
-	- kernel-source-2.6.8 2.6.8-16
-	NOTE: does not affect 2.4.27 per horms
+	- linux-2.6 <not-affected> (Fixed before upload into archive)
+	[sarge] - kernel-source-2.6.8 2.6.8-16
+	- kernel-source-2.4.27 <not-affected>
+	TODO: Check, when this was fixed
 CVE-2005-1040 (Multiple unknown vulnerabilities in netapplet in Novell Linux Desktop ...)
-	NOTE: Debian is not affected; see bug # 310833
+	- netapplet <not-affected> (Not vulerable, see bug #310833)
 CVE-2005-1039 (Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, ...)
 	- coreutils <unfixed> (bug #304556; low)
 CVE-2005-1038 (crontab in Vixie cron 4.1, when running with the -e option, allows ...)
@@ -6842,10 +6837,6 @@ CVE-2005-XXXX [Some security issues in mod_security]
 CVE-2005-XXXX [imms: Arbitrary command execution through inproper filename escaping]
 	NOTE: Already fixed in 2.0.1-3.1, but 2.0.3 claims to have a better fix
 	- imms 2.0.3-1
-CVE-2005-XXXX [Multiple non-descript problems in PHP4]
-	NOTE: Reported by NGSS and fixed in 4.3.11, but they decided not to reveal the
-	NOTE: details before July 12th. The security fixes are accompanied by dozens of
-	NOTE: non-security bugfixes, so it's not obvious from the diff either.
 CVE-2005-XXXX [Variable function calls in Smarty allow bypassing security settings]
 	- smarty 2.6.9-1
 CVE-2005-XXXX [Possible problem with insecure usage of sscanf in obexftp client]
@@ -6914,7 +6905,6 @@ CVE-2005-0989 (The find_replen function in jsstr.c in the the Javascript engine
 CVE-2005-0988 (Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a ...)
 	{DSA-752-1}
 	- gzip 1.3.5-10
-	NOTE: Essentially the same as CVE-2005-0953
 CVE-2005-0987 (Unknown vulnerability in IRC Services NickServ LISTLINKS before 5.0.50 ...)
 	NOT-FOR-US: IRC Services NickServ
 CVE-2005-0986 (NLSCCSTR.DLL in the web service in IBM Lotus Domino Server 6.5.1, ...)
@@ -6936,7 +6926,9 @@ CVE-2005-0979 (Multiple buffer overflows in RUMBA 7.3 and earlier allow remote .
 CVE-2005-0978 (Directory traversal vulnerability in the Object Push service in IVT ...)
 	NOT-FOR-US: IVT BlueSoleil
 CVE-2005-0977 (The shmem_nopage function in shmem.c for the tmpfs driver in Linux ...)
-	- kernel-source-2.6.8 2.6.8-16 (bug #303177)
+	TODO: Check 2.4 and when this was fixed upstream
+	[sarge] - kernel-source-2.6.8 2.6.8-16 (bug #303177)
+	- linux-2.6 <not-affected> (Fixed before upload into archive)
 CVE-2005-0976 (AppleWebKit (WebCore and WebKit), as used in multiple products such as ...)
 	NOT-FOR-US: Apple
 CVE-2005-0975 (Integer signedness error in the parse_machfile function in the mach-o ...)
@@ -6958,7 +6950,7 @@ CVE-2005-0968 (Computer Associates (CA) eTrust Intrusion Detection 3.0 allows re
 CVE-2005-0967 (Gaim 1.2.0 allows remote attackers to cause a denial of service ...)
 	- gaim 1:1.2.1-1
 CVE-2005-XXXX [Insecure tempfile handling in openwebmail CGI scripts]
-	NOTE: Was once part of Debian, but has been removed
+	- openwebmail <removed>
 CVE-2005-0966 (The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions, ...)
 	- gaim 1:1.2.1-1 (bug #303581)
 CVE-2005-0965 (The gaim_markup_strip_html function in Gaim 1.2.0, and possibly ...)
@@ -7073,7 +7065,9 @@ CVE-2005-0917 (PHP remote code injection vulnerability in index_header.php for .
 	NOT-FOR-US: EncapsBB 
 CVE-2005-0916 (AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with ...)
 	- kernel-source-2.6.8 2.6.8-16
-	NOTE: 2.4 doesn't seem to be vulnerable
+	- kernel-source-2.4.27 <not-affected>
+	TODO: Check, when this was fixed
+	- linux-2.6 <not-affected> (Fixed before upload into archive)
 CVE-2005-0915 (Webmasters-Debutants WD Guestbook 2.8 allows remote attackers to ...)
 	NOT-FOR-US: Webmasters-Debutants WD Guestbook
 CVE-2005-0914 (Multiple cross-site scripting (XSS) vulnerabilities in CPG Dragonfly ...)