[VIM] Old CVE ids, public, but still "RESERVED"
Raphael Geissert
geissert at debian.org
Wed Feb 12 08:18:17 CST 2014
Hi again,
It appears that some of the issues in the lists I previously sent have
been processed lately, so I figured I could provide the list of issues
with a year between 2001 and 2010.
This batch contains the ids followed by any information that can be
found in our text database.
HTH.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
-------------- next part --------------
CVE-2001-1593 [insecure use of /tmp]
- a2ps <unfixed> (low; bug #737385)
[wheezy] - a2ps <no-dsa> (Minor issue)
[squeeze] - a2ps <no-dsa> (Minor issue)
CVE-2004-2776
NOT-FOR-US: Montitorix
CVE-2002-2439
- gcc-4.1 <removed>
[squeeze] - gcc-4.1 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
- gcc-4.3 <removed>
[squeeze] - gcc-4.3 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
- gcc-4.4 <unfixed> (low)
[squeeze] - gcc-4.4 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
[wheezy] - gcc-4.4 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
- gcc-4.6 <unfixed> (low)
[wheezy] - gcc-4.6 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
- gcc-4.7 <unfixed> (low; bug #710830)
[wheezy] - gcc-4.7 <no-dsa> (Potentially affected apps need to be recompiled, if such issues are spotted in apps, these cases can be fixed on a case-by-case basis)
- gcc-4.8 4.8.0-1 (low)
NOTE: Are there apps known to be exploitable through this?
NOTE: Any application using unguarded memory allocation would be susceptible to DoS anyway?
NOTE: This should be addressed in jessie by getting this fixed in gcc 4.7, so that the archive is
NOTE: properly rebuild with a fixed version from the start
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439
CVE-2002-2438
NOT-FOR-US: ancient linux 2.4 issue
CVE-2006-7246
- wpasupplicant 0.7.3-1
[squeeze] - wpasupplicant <no-dsa> (Minor issue)
- network-manager 0.9.4.0-1
[squeeze] - network-manager <no-dsa> (Minor issue)
NOTE: might be fixed earlier; I checked the source versions in Wheezy
CVE-2005-4890 [login: tty hijacking possible in "su" via TIOCSTI ioctl]
- shadow 1:4.1.5-1 (low; bug #628843)
[squeeze] - shadow <no-dsa> (Minor issue)
[lenny] - shadow <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=173008
- sudo 1.7.4p4 (low; bug #657784)
NOTE: sudo might be fixed earlier, use_pty present in stable
CVE-2006-4245
- archivemail 0.6.2-2
CVE-2006-4243 [linux vserver priviledge escalation in remount code]
- linux-2.6 2.6.17-9
CVE-2006-3100 [termnetd buffer overflow]
- termpkg 3.3-7 (bug #358028; medium)
CVE-2006-0062 [Potential xlockmore bypass]
- xlockmore 1:5.13-2.1 (bug #309760)
CVE-2006-0061 [xlock segfaults when using libpam-opensc]
- xlockmore 1:5.22-1.2 (bug #318123; bug #399003; low)
[sarge] - xlockmore <no-dsa> (Minor issue)
CVE-2005-3056 [TWiki INCLUDE function allows arbitrary shell command execution ]
- twiki 20040902-2 (bug #330733; high)
CVE-2005-2349 [Directory traversal in zoo]
- zoo 2.10-4 (low; bug #309594)
CVE-2005-2350 [Cross Site Scripting in websieve]
- websieve <removed> (bug #311838; low)
CVE-2005-2351 [Minor DoS condition in mutt due to preditable tempfiles]
- mutt 1.5.20-7 (bug #311296; unimportant)
[sarge] - mutt <no-dsa> (Minor annoyance, not a real DoS)
NOTE: An "attacker" could achieve the same by simply filling up /tmp
CVE-2005-2352 [Temp file races in gs-gpl addons scripts]
- gs-gpl 8.56.dfsg.1-1 (bug #291373; unimportant)
CVE-2005-2354 [nvu uses old copy of mozilla xpcom]
NOTE: have not checked to see which security holes are in it exactly
- nvu <removed> (bug #306822; medium)
CVE-2005-2356
NOTE: This was assigned to an eskuel non-issue before due to Red Hat typos
-------------- next part --------------
CVE-2007-6745 [clamav floating point exception in OLE2 scanner DoS]
- clamav 0.91.2-1~volatile1
[etch] - clamav <not-affected> (Vulnerable code not present)
[sarge] - clamav <not-affected> (Vulnerable code not present)
CVE-2007-5743
- viewvc 1.0.3-2.1 (bug #416696)
CVE-2007-3915 [mondo insecure handling of temporary files]
- mondo 2.24-2 (low)
CVE-2007-2841 [lighttpd DoS]
- lighttpd 1.4.16-1 (bug #428368)
NOTE: Duplicate of CVE-2007-3947, was assigned from Debian CNA and clashed with MITRE
NOTE: assignment
CVE-2007-0899 [Possible heap overflow in libclamav/fsg.c]
{DSA-1263-1}
- clamav 0.90-1
[etch] - clamav 0.88.7-2
CVE-2007-0241
- linux-2.6 2.6.18.dfsg.1-12
-------------- next part --------------
CVE-2008-7291 [gri: insecure temp file generation]
- gri 2.12.18-1 (low)
[etch] - gri <no-dsa> (Minor issue)
[lenny] - gri <no-dsa> (Minor issue)
CVE-2008-7272 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
- iceweasel-firegpg <removed> (bug #514386)
CVE-2008-7273 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
- iceweasel-firegpg <removed> (bug #514386)
CVE-2008-3793
NOT-FOR-US: Adobe Flash
CVE-2008-3277
- ibutils <not-affected> (RedHat-specific)
-------------- next part --------------
CVE-2009-5068
NOT-FOR-US: Simple Machines Forum
CVE-2009-5025 [PyForum XSS+CSRF]
NOT-FOR-US: PyForum
CVE-2009-5023 [fail2ban: Insecure creating/writing to tmpfile]
- fail2ban 0.8.4+svn20110323-1 (low; bug #544232)
[lenny] - fail2ban <no-dsa> (Minor issue)
[squeeze] - fail2ban <no-dsa> (Minor issue)
CVE-2009-5004
- qpid-cpp <not-affected> (Fixed before initial upload to archive)
CVE-2009-4900 [pixelpost XSS]
- pixelpost <removed> (bug #597224)
NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-4899 [pixelpost SQL injection]
- pixelpost <removed> (bug #597224)
NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-5050 [konversation DoS]
- konversation 1.2.3-1 (low)
[lenny] - konversation <not-affected> (Doesn't affect the combination of kdelibs/QT in Lenny)
NOTE: http://bugs.kde.org/show_bug.cgi?id=219985
CVE-2009-5042 [docutils insecure usage of temporary files]
- python-docutils 0.6-2 (low; bug #560755)
[etch] - python-docutils <not-affected> (vulnerable code introduced in 0.5)
[lenny] - python-docutils 0.5-2+lenny1
NOTE: cve requested
CVE-2009-4067
{DSA-2310-1}
- linux-2.6 2.6.28-1 (low)
NOTE: Driver was removed in 2.6.27
CVE-2009-4011 [dtc-xen race condition]
- dtc-xen 0.5.4-1
[lenny] - dtc-xen <not-affected> (Only affects 0.5.x)
CVE-2009-3887 [ytnef path traversal]
- ytnef <removed> (bug #567631)
[lenny] - ytnef <no-dsa> (Minor issue)
NOTE: http://www.ocert.org/advisories/ocert-2009-013.html
NOTE: This doesn't affect Evolution, the TNEF plugin is external
CVE-2009-5045 [multiple vulnerabilities in jetty]
- jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5046 [multiple vulnerabilities in jetty]
- jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5047 [multiple vulnerabilities in jetty]
- jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5048 [multiple vulnerabilities in jetty]
- jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5049 [multiple vulnerabilities in jetty]
- jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-3724
NOT-FOR-US: python-markdown2 (not our markdown, different code base)
CVE-2009-3723 [Unauthorized calls allowed on prohibited networks in asterisk]
[etch] - asterisk <not-affected>
[lenny] - asterisk <not-affected>
- asterisk 1:1.6.2.0~rc3-2 (medium; bug #552756)
NOTE: http://downloads.asterisk.org/pub/security/AST-2009-007.html
CVE-2009-3721 [ytnef buffer overflow]
- ytnef <removed> (bug #567631)
[lenny] - ytnef <no-dsa> (Minor issue)
NOTE: http://www.ocert.org/advisories/ocert-2009-013.html
NOTE: This doesn't affect Evolution, the TNEF plugin is external
CVE-2009-3614 [oping suid 0 arbitrary file disclosure]
- liboping 1.3.3-1 (low; bug #548684)
[lenny] - liboping <not-affected> (doesn't have -f option yet)
[etch] - liboping <not-affected> (doesn't have -f option yet)
CVE-2009-3552
NOT-FOR-US: Red Hat Enterprise Virtualization Manager
CVE-2009-5041 [buffer overflow in overkill]
- overkill 0.16-14.1 (bug #549310; low)
[lenny] - overkill <no-dsa> (Minor issue)
[etch] - overkill <no-dsa> (Minor issue)
CVE-2009-5043 [burn: Insecure escaping of file names]
- burn 0.4.5-1 (low; bug #542329)
[lenny] - burn 0.4.3-2.1+lenny1
[etch] - burn <no-dsa> (Minor issue)
CVE-2009-2802
- mantis <not-affected> (Only affects 1.2.x)
NOTE: http://www.mantisbt.org/bugs/view.php?id=11952
NOTE: http://www.mantisbt.org/blog/?p=113
CVE-2009-0035 [alsainfo insecure temp file usage]
- alsa-driver 1.0.20-1 (unimportant)
NOTE: alsainfo not built into source package
-------------- next part --------------
CVE-2010-5111 [echoping buffer overflows]
- echoping 6.0.2-4 (low; bug #606808)
[squeeze] - echoping <no-dsa> (Minor issue)
NOTE: Upstream fix http://sourceforge.net/p/echoping/bugs/55/
NOTE: https://bugs.gentoo.org/show_bug.cgi?id=349569
NOTE: http://xforce.iss.net/xforce/xfdb/64141
NOTE: http://secunia.com/advisories/42619/
CVE-2010-5110 [poppler: JPEG error handler]
- poppler 0.16.3-1 (bug #722705)
CVE-2010-5109 [libytnef: buffer overflow]
- libytnef 1.5-5 (low; bug #705468)
[squeeze] - libytnef <no-dsa> (Minor issue)
[wheezy] - libytnef <no-dsa> (Minor issue)
- claws-mail-extra-plugins <unfixed> (low)
[squeeze] - claws-mail-extra-plugins <no-dsa> (Minor issue)
[wheezy] - claws-mail-extra-plugins <no-dsa> (Minor issue)
CVE-2010-5108 [Trac Ticket Modification Workflow Permission Restriction Bypass]
- trac 0.11.7-1 (bug #573260)
CVE-2010-5105 [blender /tmp/quit.blend temp file issue]
- blender <unfixed> (low; bug #584621)
[squeeze] - blender <no-dsa> (Minor issue)
[wheezy] - blender <no-dsa> (Minor issue)
CVE-2010-5077 [quake3 reflective UDP denial of service]
{DSA-2442-1}
- openarena 0.8.5-6 (medium; bug #665656)
- ioquake3 <not-affected> (fixed before upload)
- tremulous 1.1.0-8 (bug #665842)
[squeeze] - tremulous 1.1.0-7~squeeze1
CVE-2010-4820 [ghostscript split from CVE-2010-2055]
- ghostscript 8.71~dfsg2-6.1
[lenny] - ghostscript <no-dsa> (too risky for regressions)
CVE-2010-4817 [overwriting of arbitrary file via symlinks]
- pithos 0.3.5-1
CVE-2010-4815
NOT-FOR-US: coppermine gallery
CVE-2010-4777
- perl <unfixed> (unimportant; bug #628836)
NOTE: Only affects Perl builds with enabled assertions, i.e. the debugperl binary from perl-debug
CVE-2010-4664
- consolekit 0.4.2-1 (low)
[squeeze] - consolekit <no-dsa> (Minor issue)
CVE-2010-4662
NOT-FOR-US: pmwiki
CVE-2010-4661 [arbitrary kernel module loading]
- udisks 1.0.3-1
[squeeze] - udisks <no-dsa> (Minor issue)
NOTE: upstream bug https://bugs.freedesktop.org/show_bug.cgi?id=32232
NOTE: fixed by http://cgit.freedesktop.org/udisks/commit/?id=c933a929f07421ec747cebb24d5e620fc2b97037
CVE-2010-4660
- statusnet <itp> (bug #491723)
CVE-2010-4659
- statusnet <itp> (bug #491723)
CVE-2010-4658
- statusnet <itp> (bug #491723)
CVE-2010-4657 [xmlTextWriterWriteAttribute heap disclosure]
- php5 <unfixed> (low)
[wheezy] - php5 <no-dsa> (Minor issue)
[squeeze] - php5 <no-dsa> (Minor issue)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=631551
NOTE: This was initially reported to be a bug in libxml2, but it later showed that PHP
NOTE: is using the libxml2 API in an incorrect manner
CVE-2010-4654 [Malformed commands may cause corruption of the internal stack]
- kdegraphics <not-affected> (no stackheight)
- xpdf <not-affected> (no stackheight)
- poppler 0.16.3-1
[lenny] - poppler <not-affected> (stackheights introduced after 0.12)
[squeeze] - poppler <not-affected> (stackheights introduced after 0.12)
NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9
CVE-2010-4653 [integer overflow when parsing CharCodes for fonts]
- kdegraphics 4.0
- xpdf 3.02-9
- poppler 0.16.3-1 (low)
[lenny] - poppler <no-dsa> (minor issue)
[squeeze] - poppler 0.12.4-1.2+squeeze1
NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659
CVE-2010-4533 [offlineimap uses SSLv2]
- offlineimap <unfixed> (low; bug #606962)
[wheezy] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
[squeeze] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
[lenny] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
CVE-2010-4532 [no SSL cert validation]
- offlineimap 6.3.2~rc3-2 (low; bug #603450)
[squeeze] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
[lenny] - offlineimap <no-dsa> (Long-standing, documented behaviour, can be updated in spu if needed)
CVE-2010-4245
- pootle 2.0.5-0.3 (low; bug #604060)
[lenny] - pootle <not-affected> (Vulnerable code not present)
CVE-2010-4241
- tikiwiki <removed>
CVE-2010-4240
- tikiwiki <removed>
CVE-2010-4239
- tikiwiki <removed>
CVE-2010-4178
- mysql-gui-tools <unfixed> (low; bug #605542)
[squeeze] - mysql-gui-tools <no-dsa> (Minor issue)
[lenny] - mysql-gui-tools <no-dsa> (Minor issue)
CVE-2010-4177
- mysql-gui-tools <unfixed> (low; bug #605542)
[squeeze] - mysql-gui-tools <no-dsa> (Minor issue)
[lenny] - mysql-gui-tools <no-dsa> (Minor issue)
CVE-2010-3857 [JBoss BRMS XSS via UUID parameter]
- jbossas4 <not-affected> (Vulnerable code not present)
NOTE: JBoss 5 only; fixed in 5.1.0
CVE-2010-3844
- ettercap <unfixed> (unimportant; bug #600130)
NOTE: Very far-fetched attack vector
CVE-2010-3843
- ettercap <unfixed> (unimportant; bug #600130)
NOTE: Very far-fetched attack vector
CVE-2010-3845
- libapache-authenhook-perl 2.00-04+pristine-2 (low; bug #599712)
[lenny] - libapache-authenhook-perl 2.00-04+pristine-1+lenny1
CVE-2010-4237
- mercurial 1.6.4-1 (low; bug #598841)
[lenny] - mercurial <no-dsa> (Minor issue)
CVE-2010-3659 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3660 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3661 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3662 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3663 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3664 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3665 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3666 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3667 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3668 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3669 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3670 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3671 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3672 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3673 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3674 [Multiple security issues]
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3440 [babiloo insecure downloading and unpacking of dictionary files]
- babiloo 2.0.11-1 (low; bug #591995)
CVE-2010-3439 [alien-arena: server dos]
- alien-arena 7.33-5 (low; bug #575621)
[lenny] - alien-arena 7.0-1+lenny2
CVE-2010-3438 [Insufficient stripping of CR/LF allows arbitrary IRC command execution]
- libpoe-component-irc-perl 6.32+dfsg-1
[lenny] - libpoe-component-irc-perl 5.84+dfsg-1+lenny1 (bug #581194)
CVE-2010-3375
- qtparted 0.4.5-8 (low; bug #598301)
[lenny] - qtparted <no-dsa> (Minor issue)
CVE-2010-3373
- paxtest 1:0.9.9-1 (unimportant; bug #598413)
CVE-2010-3359 [gargoyle: insecure library loading]
- gargoyle-free 2009-08-25-2
NOTE: http://groups.google.com/group/garglk-dev/browse_thread/thread/1c92ab6f24d5ebe6
CVE-2010-3305 [pixel CSRF]
- pixelpost <removed> (bug #597224)
CVE-2010-3299 [ruby on rails: padding oracle attack]
- rails <unfixed> (unimportant)
NOTE: http://seclists.org/oss-sec/2010/q3/415
NOTE: http://seclists.org/oss-sec/2010/q3/413
NOTE: http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf
CVE-2010-3295 [drivers/net/tulip/de4x5.c: reading uninitialized stack memory]
NOTE: assigned to linux-2.6, but claimed not a problem: http://www.openwall.com/lists/oss-security/2010/09/15/2
NOTE: will probably get rejected
CVE-2010-3282
NOT-FOR-US: Red Hat Directory Server
CVE-2010-3293 [mailscanner virus updates DoS]
- mailscanner <removed> (bug #596397; unimportant)
NOTE: or even unimportant, the script is not used by default
CVE-2010-3292 [mailscanner may use spoofed data]
- mailscanner <removed> (bug #596396; low)
[squeeze] - mailscanner <no-dsa> (Minor issue)
CVE-2010-3095 [mailscanner incomplete fix for CVE-2008-5313]
- mailscanner 4.79.11-2.1 (bug #596403)
CVE-2010-3090 [mailman, will be rejected]
NOT-FOR-US: ** REJECT ** mailman
CVE-2010-2783
- openjdk-6 6b18-1.8.1-1
CVE-2010-2548
- openjdk-6 6b18-1.8.1-1
CVE-2010-2490 [murmur DoS via malformed client query]
- mumble 1.2.2-4 (bug #587713)
[lenny] - mumble <no-dsa> (Minor issue)
- qt4-x11 <not-affected> (low; bug #587713)
CVE-2010-2488 [znc null pointer deref]
{DSA-2069-1}
- znc 0.090-2 (bug #584929)
CVE-2010-2476 [syscp open_basedir bypassing]
- syscp <removed> (bug #587481)
CVE-2010-2247 [makepasswd: insecure passwords generated with default settings]
- makepasswd 1.10-5 (low; bug #564559)
[lenny] - makepasswd 1.10-3+lenny1
CVE-2010-2243 [timekeeping oops]
- linux-2.6 2.6.32-11
[lenny] - linux-2.6 <not-affected> (Vulnerable code not present)
CVE-2010-2236
NOT-FOR-US: Red Hat Satellite
CVE-2010-2222
NOT-FOR-US: Red Hat Directory Server
CVE-2010-2064
- rpcbind 0.2.0-4.1
NOTE: This version changed the state directory to /var/run/rpcbind, which is only writable by root
CVE-2010-2062 [VLC: integer underflow in Real RTSP]
{DSA-2044-1 DSA-2043-1}
- vlc 1.0.1-1
[lenny] - vlc 0.8.6.h-4+lenny2.3
- mplayer 2:1.0~rc3+svn20100502-3 (medium; bug #581245)
[lenny] - mplayer 1.0~rc2-17+lenny3.2
- xine-lib <not-affected> (immune due to additional check in xio_rw_abbort())
NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=dc74600c97eb834c08674676e209afa842053aca
NOTE: http://dzcore.wordpress.com/2009/07/27/dzc-2009-001-the-movie-player-and-vlc-media-player-real-data-transport-parsing-integer-underflow/
NOTE: DSA-2043 and DSA-2044
CVE-2010-2061
- rpcbind 0.2.0-4.1
CVE-2010-1765
- webkit <not-affected> (doesn't include cf code)
- chromium-browser 5.0.375.55~r47796-1
NOTE: https://bugs.webkit.org/show_bug.cgi?id=37933
NOTE: http://trac.webkit.org/changeset/57995
CVE-2010-1678
- mapserver 5.6.5-2
NOTE: http://trac.osgeo.org/mapserver/ticket/3641
CVE-2010-1673 [ikiwiki xss due to insufficient html scrubbing]
- ikiwiki 3.20101112
[squeeze] - ikiwiki 3.20100815.2
[lenny] - ikiwiki <not-affected>
CVE-2010-2447 [gitolite "not filtering src/ or hooks/ from pathnames"]
- gitolite 1.4.2-1 (low)
NOTE: http://secunia.com/advisories/39587/
CVE-2010-1445 [Heap buffer overflow in RTMP access]
- vlc 1.0.6-1
[lenny] - vlc <not-affected> (Vulnerable code not present)
NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1444 [Invalid memory access in ZIP archive decompressor]
- vlc 1.0.6-1
[lenny] - vlc <not-affected> (Vulnerable code not present)
NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1443 [Invalid memory access in XSPF playlist parser]
- vlc 1.0.6-1 (unimportant)
NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1442 [Invalid memory access in AVI, ASF, Matroska (MKV) demuxers]
- vlc 1.0.6-1
[lenny] - vlc 0.8.6.h-4+lenny3
NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-1441 [Heap buffer overflow vulnerability in A/52, DTS and MPEG Audio decoders]
- vlc 1.0.6-1
[lenny] - vlc 0.8.6.h-4+lenny3
NOTE: http://www.videolan.org/security/sa1003.html
CVE-2010-2449 [gource: predictable log file located in /tmp]
- gource 0.26-2 (low; bug #577958)
CVE-2010-1154
- irssi 0.8.15-1 (low)
[lenny] - irssi <no-dsa> (Minor issue)
CVE-2010-2446 [Rbot Owner Reaction Command Execution]
- rbot 0.9.14-2 (bug #575286)
[lenny] - rbot <not-affected> ("reaction" plugin not present in 0.9.10)
[etch] - rbot <not-affected> ("reaction" plugin not present in 0.9.10)
CVE-2010-0747 [linux-2.6 drbd connector issue]
{DSA-2015-1}
- linux-2.6 <not-affected> (drbd introduced for the first time in 2.6.32-12, which included the fix for this issue, so no supported debian kernel was ever affected)
- drbd8 2:8.3.7-1
[lenny] - drbd8 2:8.0.14-2+lenny1
NOTE: CVE requested at http://www.openwall.com/lists/oss-security/2010/03/11/9
CVE-2010-2450 [shibboleth-sp2: world-readable key]
- shibboleth-sp2 2.3.1+dfsg-2 (low; bug #571631)
[lenny] - shibboleth-sp2 <no-dsa> (Minor issue)
- shibboleth-sp <not-affected> (Vulnerable code not present)
CVE-2010-2473 [Blocked user session regeneration]
{DSA-2016-1}
- drupal6 6.18-1 (bug #592716)
CVE-2010-2472 [Locale module cross site scripting]
{DSA-2016-1}
- drupal6 6.18-1 (bug #592716)
CVE-2010-2471 [Open redirection]
{DSA-2016-1}
- drupal6 6.18-1 (bug #592716)
CVE-2010-2250 [Installation cross site scripting]
{DSA-2016-1}
- drupal6 6.18-1 (bug #592716)
CVE-2010-0749
- transmission 1.92-1 (unimportant; bug #574507)
CVE-2010-0748 [transmission magnet links parser buffer overflow]
- transmission 1.92-1 (medium; bug #574507)
[lenny] - transmission <not-affected> (Support for Magnet links not yet available)
CVE-2010-0737
NOT-FOR-US: JBoss Operations Network
CVE-2010-0474
{DSA-2188-1}
- webkit <undetermined>
CVE-2010-0398 [autokey arbitrary file overwriting via symlinks]
- autokey 0.61.3-2
CVE-2010-0207 [xpdf: XRef table parsing infinite loop]
- kdegraphics 4.0 (unimportant)
- xpdf <unfixed> (unimportant)
- poppler 0.16.3-1 (unimportant)
[squeeze] - poppler 0.12.4-1.2+squeeze1
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=28172
NOTE: Just a crasher, not treated as a security issue
CVE-2010-0206 [xpdf: Invalid pointer dereference by processing JBIG2 PDF stream objects]
- kdegraphics 4.0 (unimportant)
- xpdf <unfixed> (unimportant)
- poppler 0.16.3-1 (unimportant)
[squeeze] - poppler 0.12.4-1.2+squeeze1
NOTE: Just a crasher, not treated as a security issue
More information about the VIM
mailing list