[Secure-testing-team] [Secure-testing-commits] r12343 - in data: CVE DSA

Michael S Gilbert michael.s.gilbert at gmail.com
Wed Jul 15 02:39:15 UTC 2009


On 7/14/09, Michael Gilbert wrote:
> Author: gilbert-guest
> Date: 2009-07-15 02:09:02 +0000 (Wed, 15 Jul 2009)
> New Revision: 12343
>
> Modified:
>    data/CVE/list
>    data/DSA/list
> Log:
> fix tracking for DSA-1833
>
>
> Modified: data/CVE/list
> ===================================================================
> --- data/CVE/list	2009-07-14 21:14:22 UTC (rev 12342)
> +++ data/CVE/list	2009-07-15 02:09:02 UTC (rev 12343)
> @@ -1373,7 +1373,6 @@
>  	{DSA-1833-1}
>  	- dhcp3 <unfixed> (low)
>  	[etch] - dhcp3 <not-affected> (problematic assert is not present)
> -	[lenny] - dhcp3 3.1.1-6+lenny2 (low)
>  CVE-2009-1891 (The mod_deflate module in Apache httpd 2.2.11 and earlier
> compresses ...)
>  	- apache2 2.2.11-7 (medium; bug #534712)
>  CVE-2009-1890 (The stream_reqbody_cl function in mod_proxy_http.c in the
> mod_proxy ...)
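Review bot: this hunk drops the only lenny fixed-version line under the `{DSA-1833-1}` tag while leaving `- dhcp3 <unfixed> (low)` and the etch `<not-affected>` line, so the CVE/list entry on its own no longer records that lenny was fixed; that is only correct if the DSA/list entry supplies `[lenny] - dhcp3 3.1.1-6+lenny2` for this CVE, otherwise the tracker will show it open on lenny. The hunk context also begins at the DSA tag rather than at the `CVE-...` header line, so the CVE id this applies to is not visible in the diff; widening the context or naming the CVE in the log message would make the change reviewable on its own.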
> @@ -5610,8 +5609,6 @@
>  	RESERVED
>  	{DSA-1833-1}
>  	- dhcp3 <unfixed> (medium)
> -	[etch] - dhcp3 3.0.4-13+etch2 (medium)
> -	[lenny] - dhcp3 3.1.1-6+lenny2 (medium)
>  	NOTE: dhcp in etch is not affected.
>  CVE-2009-0691 (The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616
> for Foxit ...)
>  	NOT-FOR-US: Foxit JPEG2000/JBIG2 Decoder add-on
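Review bot: both `[etch] - dhcp3 3.0.4-13+etch2` and `[lenny] - dhcp3 3.1.1-6+lenny2` are removed, so this RESERVED entry keeps only `- dhcp3 <unfixed> (medium)` and records no fixed version for either stable suite; as with the previous hunk, the tracker will report it open on etch and lenny unless the DSA/list entry carries those versions. The surviving `NOTE: dhcp in etch is not affected.` names the `dhcp` source package while the entries are for `dhcp3`; stating explicitly which package the note refers to would keep the removal of the etch line from reading as a contradiction.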
>
> Modified: data/DSA/list
> ===================================================================
> --- data/DSA/list	2009-07-14 21:14:22 UTC (rev 12342)
> +++ data/DSA/list	2009-07-15 02:09:02 UTC (rev 12343)
> @@ -1,5 +1,9 @@
>  [14 Jul 2009] DSA-1833-1 dhcp3 - arbitrary code execution
> -	{CVE-2009-0692 CVE-2009-1892}
> +	{CVE-2009-0692}
> +	[etch] - dhcp3 3.0.4-13+etch2
> +	[lenny] - dhcp3 3.1.1-6+lenny2
> +        {CVE-2009-1892}
> +        [lenny] - dhcp3 3.1.1-6+lenny2
>  [13 Jul 2009] DSA-1832-1 camlimages - arbitrary code execution
>  	{CVE-2009-2295}
>  	[etch] - camlimages 2.20-8+etch1
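Review bot: the two added lines `{CVE-2009-1892}` and `[lenny] - dhcp3 3.1.1-6+lenny2` are indented with spaces, while the lines added just above them and the existing entries (`{CVE-2009-2295}`, `[etch] - camlimages 2.20-8+etch1`) use a tab; bring them in line with the file's tab convention. More substantively, the entry now holds two `{...}` CVE groups under a single DSA header, each with its own suite lines, and `[lenny] - dhcp3 3.1.1-6+lenny2` is listed twice; if the DSA/list parser reads only one group per DSA, the second group will be ignored or misparsed. Either keep the single `{CVE-2009-0692 CVE-2009-1892}` group with the etch and lenny lines and record the per-CVE etch status in CVE/list, or the file format needs extending as the message below proposes.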

i think this is a case where the tracker isn't sufficiently flexible.
it would be very useful to be able to specify different fixed versions
as attempted above in the same DSA.

the other option, Florian's tracking, left the security tracker's DSA
page empty.

any thoughts?

mike



More information about the Secure-testing-team mailing list