/[secure-testing]/data/spu-candidates.txt
Contents of /data/spu-candidates.txt

Revision 12922
Fri Oct 2 23:18:07 2009 UTC (3 years, 7 months ago) by jmm-guest
File MIME type: text/plain
File size: 4532 byte(s)
- planet-venus scheduled for point update
- backuppc no-dsa
- new libfwbuilder issue
- new opensaml issue
- rewrite some not-affected entries

This file records minor security issues, which do not warrant a DSA,
but which could be fixed in a stable point update if people feel like
it. If someone wants to address these, please add a note about it
and get in contact with debian-release@lists.debian.org

--

asterisk (CVE-2009-0041)
#513413
notified maintainer

CVE-2008-3903
#522528
notified maintainer

--

avahi (CVE-2009-0758)
#517683
notified maintainer

--

backuppc [BackupPC ClientNameAlias ssh rsync backup security bypass]
#542218

--

bugzilla (CVE-2009-0481 to CVE-2009-0485)
notified maintainer

--

buildbot (CVE-2009-2959, CVE-2009-2967)
#543822
notified maintainer

--

compiz-fusion-plugins-main (CVE-2008-6514)
notified maintainer

--

cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked
#528434
notified maintainer

--

evolution (CVE-2009-1631)
#526409
notified maintainer through initial bugreport

--

firebird2.0 (CVE-2009-2620)
#539477
notified maintainer

--

gnutls26 (CVE-2009-1417)
#531614
notified maintainer

--

gri (no CVE)
fixed in gri 2.12.18-1:
"Improve security when creating temporary files."
notified maintainer

--

gupnp (CVE-2009-2174)
#534594
notified maintainer

--

htmldoc (CVE-2009-3050)
#537637

--

kde4libs (CVE-2009-2702)
#546218

--

kfreebsd-6
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
notified maintainer

[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
notified maintainer

--

kfreebsd-7
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
notified maintainer

[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
notified maintainer

--

kvm 82-1 (CVE-2008-5714)
#509997
notified maintainer

--

lcms (CVE-2009-0793)
notified maintainer through initial bugreport

--

libpam-ssh (CVE-2009-1273)
#535877
maintainer notified through initial bug report, said he would work on an update

--

libpng (CVE-2009-2042)
#533676
notified maintainer

--

libsndfile
potential dos via crafted input
#530831

--

libvorbis (CVE-2008-2009)
notified maintainer and release team

--

memcached (CVE-2009-1255)
notified maintainer

--

mimedecode
potential dos/crash due to invalid input
orphaned
#530430

--

movabletype-opensource (CVE-2009-2492)
#537935
notified maintainer

--

mpg123 (CVE-2009-1301)
notified maintainer

--

neon27 (CVE-2009-2474)
#542926
notified maintainer

--

neon26 (CVE-2009-2474)
#542926
notified maintainer

--

ntop (CVE-2009-2732)
#543312
notified maintainer through initial bugreport

--

postfix (CVE-2009-2939)
notified maintainer

--

squid (CVE-2009-0801)
#521053

--

squid3 (CVE-2009-0801)
#521052

--

net-snmp (CVE-2008-6123)
Noah will see to it.

--

ocsinventory-server (CVE-2009-3040, CVE-2009-3042, CVE-2009-1443)
#541995

--

open-iscsi (CVE-2009-1297)
notified maintainer in initial bug report

--

openldap
#253838
notified maintainer

--

owl (CVE-2009-0363)
#515118

--

pam (CVE-2009-0579)
#514437
asked maintainer in mail

--

pidgin (CVE-2009-1889, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085)
#535790
http://developer.pidgin.im/ticket/9483
http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7

--

pptp-linux (no CVE)
#523476
Ola will prepare a fix in a point update

--

rails (CVE-2009-3086)
bug #545063

--

slim (CVE-2009-1756)
bug #529306
Maintainer notified through followup in #529306

--

smarty (CVE-2009-1669)
#529810
http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462
notified maintainer

--

tau (CVE-2008-5157)
#506348
notified maintainer

--

texlive-bin (CVE-2009-1284)
#520920
https://bugzilla.redhat.com/show_bug.cgi?id=492136

--

udev (#462655)
notified maintainer

--

planet (CVE-2009-2937)
bug #546178
notified maintainer through initial bugreport

--

webkit (CVE-2008-4724)
#520052
asked maintainer

--

xemacs21 (CVE-2008-2142)
bug #480877
notified maintainer

xemacs21 (CVE-2009-2688)
#540470
Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994
notified maintainer

--

xen-3 (CVE-2008-4993)
#496367
notified maintainer

--

xerces-c (CVE-2009-1885)
#540297

--

xfig
25_mkstemp added in 1:3.2.5.a-1
notified maintainer

--

xscreensaver (no CVE)
#539699
notified maintainer

--

ziproxy (CVE-2009-0804)
#521051
