secure-testing/data/spu-candidates.txt

This file records minor security issues, which do not warrant a DSA,
but which could be fixed in a stable point update if people feel like
it. If someone wants to address these, please add a note about it
and get in contact with debian-release@lists.debian.org

--

asterisk (CVE-2009-0041)
#513413
notified maintainer

CVE-2008-3903
#522528
notified maintainer

--

avahi (CVE-2009-0758)
#517683
notified maintainer

--

bugzilla (CVE-2009-0481 to CVE-2009-0485)
notified maintainer

--

buildbot (CVE-2009-2959, CVE-2009-2967)
#543822
notified maintainer

--

compiz-fusion-plugins-main (CVE-2008-6514)
notified maintainer

--

cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked
#528434
notified maintainer

--

evolution (CVE-2009-1631)
#526409
notified maintainer through initial bugreport

--

firebird2.0 (CVE-2009-2620)
#539477
notified maintainer

--

gnutls26 (CVE-2009-1417)
#531614
notified maintainer

--

gri (no CVE)
fixed in gri 2.12.18-1:
"Improve security when creating temporary files."
notified maintainer

--

gupnp (CVE-2009-2174)
#534594

--

htmldoc (CVE-2009-3050)
#537637

--

kde4libs (CVE-2009-2702)
#546218

--

kfreebsd-6
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
notified maintainer

[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
notified maintainer

--

kfreebsd-7
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
notified maintainer

[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
notified maintainer

--

kvm 82-1 (CVE-2008-5714)
#509997
notified maintainer

--

lcms (CVE-2009-0793)
notified maintainer through initial bugreport

--

libpam-ssh (CVE-2009-1273)
#535877
maintainer notified through initial bug report, said he would work on an update

--

libpng (CVE-2009-2042)
#533676
notified maintainer

--

libsndfile
potential dos via crafted input
#530831

--

libvorbis (CVE-2008-2009)
notified maintainer and release team

--

memcached (CVE-2009-1255)
notified maintainer

--

mimedecode
potential dos/crash due to invalid input
orphaned
#530430

--

movabletype-opensource (CVE-2009-2492)
#537935

--

mpg123 (CVE-2009-1301)
notified maintainer

--

neon27 (CVE-2009-2474)
#542926

--

neon26 (CVE-2009-2474)
#542926

--

ntop (CVE-2009-2732)
#543312

--

squid (CVE-2009-0801)
#521053

--

squid3 (CVE-2009-0801)
#521052

--

net-snmp (CVE-2008-6123)
Noah will see to it.

--

ocsinventory-server (CVE-2009-3040, CVE-2009-3042, CVE-2009-1443)
#541995

--

open-iscsi (CVE-2009-1297)
notified maintainer in initial bug report

--

openldap
#253838
notified maintainer

--

owl (CVE-2009-0363)
#515118

--

pam (CVE-2009-0579)
#514437
asked maintainer in mail

--

pidgin (CVE-2009-1889, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085)
#535790
http://developer.pidgin.im/ticket/9483
http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7

--

pptp-linux (no CVE)
#523476
Ola will prepare a fix in a point update

--

slim (CVE-2009-1756)
bug #529306
Maintainer notified through followup in #529306

--

smarty (CVE-2009-1669)
#529810
http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462
notified maintainer

--

tau (CVE-2008-5157)
#506348
notified maintainer

--

texlive-bin (CVE-2009-1284)
#520920
https://bugzilla.redhat.com/show_bug.cgi?id=492136

--

udev (#462655)
notified maintainer

--

webkit (CVE-2008-4724)
#520052
asked maintainer

--

xemacs21 (CVE-2008-2142)
bug #480877
notified maintainer

xemacs21 (CVE-2009-2688)
#540470
Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994
notified maintainer

--

xen-3 (CVE-2008-4993)
#496367
notified maintainer

--

xerces-c (CVE-2009-1885)
#540297

--

xfig
25_mkstemp added in 1:3.2.5.a-1
notified maintainer

--

xscreensaver (no CVE)
#539699
notified maintainer

--

ziproxy (CVE-2009-0804)
#521051
1	This file records minor security issues, which do not warrant a DSA,
2	but which could be fixed in a stable point update if people feel like
3	it. If someone wants to address these, please add a note about it
4	and get in contact with debian-release@lists.debian.org
5
6	--
7
8	asterisk (CVE-2009-0041)
9	#513413
10	notified maintainer
11
12	CVE-2008-3903
13	#522528
14	notified maintainer
15
16	--
17
18	avahi (CVE-2009-0758)
19	#517683
20	notified maintainer
21
22	--
23
24	bugzilla (CVE-2009-0481 to CVE-2009-0485)
25	notified maintainer
26
27	--
28
29	buildbot (CVE-2009-2959, CVE-2009-2967)
30	#543822
31	notified maintainer
32
33	--
34
35	compiz-fusion-plugins-main (CVE-2008-6514)
36	notified maintainer
37
38	--
39
40	cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked
41	#528434
42	notified maintainer
43
44	--
45
46	evolution (CVE-2009-1631)
47	#526409
48	notified maintainer through initial bugreport
49
50	--
51
52	firebird2.0 (CVE-2009-2620)
53	#539477
54	notified maintainer
55
56	--
57
58	gnutls26 (CVE-2009-1417)
59	#531614
60	notified maintainer
61
62	--
63
64	gri (no CVE)
65	fixed in gri 2.12.18-1:
66	"Improve security when creating temporary files."
67	notified maintainer
68
69	--
70
71	gupnp (CVE-2009-2174)
72	#534594
73
74	--
75
76	htmldoc (CVE-2009-3050)
77	#537637
78
79	--
80
81	kde4libs (CVE-2009-2702)
82	#546218
83
84	--
85
86	kfreebsd-6
87	[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
88	http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
89	notified maintainer
90
91	[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
92	http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
93	notified maintainer
94
95	--
96
97	kfreebsd-7
98	[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
99	http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
100	notified maintainer
101
102	[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
103	http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
104	notified maintainer
105
106	--
107
108	kvm 82-1 (CVE-2008-5714)
109	#509997
110	notified maintainer
111
112	--
113
114	lcms (CVE-2009-0793)
115	notified maintainer through initial bugreport
116
117	--
118
119	libpam-ssh (CVE-2009-1273)
120	#535877
121	maintainer notified through initial bug report, said he would work on an update
122
123	--
124
125	libpng (CVE-2009-2042)
126	#533676
127	notified maintainer
128
129	--
130
131	libsndfile
132	potential dos via crafted input
133	#530831
134
135	--
136
137	libvorbis (CVE-2008-2009)
138	notified maintainer and release team
139
140	--
141
142	memcached (CVE-2009-1255)
143	notified maintainer
144
145	--
146
147	mimedecode
148	potential dos/crash due to invalid input
149	orphaned
150	#530430
151
152	--
153
154	movabletype-opensource (CVE-2009-2492)
155	#537935
156
157	--
158
159	mpg123 (CVE-2009-1301)
160	notified maintainer
161
162	--
163
164	neon27 (CVE-2009-2474)
165	#542926
166
167	--
168
169	neon26 (CVE-2009-2474)
170	#542926
171
172	--
173
174	ntop (CVE-2009-2732)
175	#543312
176
177	--
178
179	squid (CVE-2009-0801)
180	#521053
181
182	--
183
184	squid3 (CVE-2009-0801)
185	#521052
186
187	--
188
189	net-snmp (CVE-2008-6123)
190	Noah will see to it.
191
192	--
193
194	ocsinventory-server (CVE-2009-3040, CVE-2009-3042, CVE-2009-1443)
195	#541995
196
197	--
198
199	open-iscsi (CVE-2009-1297)
200	notified maintainer in initial bug report
201
202	--
203
204	openldap
205	#253838
206	notified maintainer
207
208	--
209
210	owl (CVE-2009-0363)
211	#515118
212
213	--
214
215	pam (CVE-2009-0579)
216	#514437
217	asked maintainer in mail
218
219	--
220
221	pidgin (CVE-2009-1889, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085)
222	#535790
223	http://developer.pidgin.im/ticket/9483
224	http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7
225
226	--
227
228	pptp-linux (no CVE)
229	#523476
230	Ola will prepare a fix in a point update
231
232	--
233
234	slim (CVE-2009-1756)
235	bug #529306
236	Maintainer notified through followup in #529306
237
238	--
239
240	smarty (CVE-2009-1669)
241	#529810
242	http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462
243	notified maintainer
244
245	--
246
247	tau (CVE-2008-5157)
248	#506348
249	notified maintainer
250
251	--
252
253	texlive-bin (CVE-2009-1284)
254	#520920
255	https://bugzilla.redhat.com/show_bug.cgi?id=492136
256
257	--
258
259	udev (#462655)
260	notified maintainer
261
262	--
263
264	webkit (CVE-2008-4724)
265	#520052
266	asked maintainer
267
268	--
269
270	xemacs21 (CVE-2008-2142)
271	bug #480877
272	notified maintainer
273
274	xemacs21 (CVE-2009-2688)
275	#540470
276	Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994
277	notified maintainer
278
279	--
280
281	xen-3 (CVE-2008-4993)
282	#496367
283	notified maintainer
284
285	--
286
287	xerces-c (CVE-2009-1885)
288	#540297
289
290	--
291
292	xfig
293	25_mkstemp added in 1:3.2.5.a-1
294	notified maintainer
295
296	--
297
298	xscreensaver (no CVE)
299	#539699
300	notified maintainer
301
302	--
303
304	ziproxy (CVE-2009-0804)
305	#521051