secure-testing/data/spu-candidates.txt

This file records minor security issues, which do not warrant a DSA,
but which could be fixed in a stable point update if people feel like
it. If someone wants to address these, please add a note about it
and get in contact with debian-release@lists.debian.org

--

asterisk (CVE-2009-0041)
#513413
notified maintainer

CVE-2008-3903
#522528
notified maintainer

--

avahi (CVE-2009-0758)
#517683
notified maintainer

--

backuppc (CVE-2009-3369)
#542218
notified maintainer

--

bugzilla (CVE-2009-0481 to CVE-2009-0485)
notified maintainer

--

buildbot (CVE-2009-2959, CVE-2009-2967)
#543822
notified maintainer

--

compiz-fusion-plugins-main (CVE-2008-6514)
notified maintainer

--

cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked
#528434
notified maintainer

--

dopewars (CVE-2009-3591)
#550913
notified maintainer

--

evolution (CVE-2009-1631)
#526409
notified maintainer through initial bugreport

--

firebird2.0 (CVE-2009-2620)
#539477
notified maintainer

--

glib2.0 (CVE-2009-3289)
https://bugzilla.gnome.org/show_bug.cgi?id=593406 
notified maintainer

--

gnutls26 (CVE-2009-1417)
#531614
notified maintainer

--

gri (no CVE)
fixed in gri 2.12.18-1:
"Improve security when creating temporary files."
notified maintainer

--

gupnp (CVE-2009-2174)
#534594
notified maintainer

--

htmldoc (CVE-2009-3050)
#537637
notified maintainer through initial bugreport

--

kde4libs (CVE-2009-2702)
#546218
notified maintainer

--

kfreebsd-6
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
notified maintainer

[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
notified maintainer

--

kfreebsd-7
[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
notified maintainer

[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
notified maintainer

--

kvm 82-1 (CVE-2008-5714)
#509997
notified maintainer

--

lcms (CVE-2009-0793)
notified maintainer through initial bugreport

--

libpam-ssh (CVE-2009-1273)
#535877
maintainer notified through initial bug report, said he would work on an update

--

libpng (CVE-2009-2042)
#533676
notified maintainer

--

libsndfile
potential dos via crafted input
#530831

--

libvorbis (CVE-2008-2009)
notified maintainer and release team

--

memcached (CVE-2009-1255)
notified maintainer

--

mimedecode
potential dos/crash due to invalid input
orphaned
#530430

--

movabletype-opensource (CVE-2009-2492)
#537935
notified maintainer

--

mpg123 (CVE-2009-1301)
notified maintainer

--

neon27 (CVE-2009-2474)
#542926
notified maintainer

--

neon26 (CVE-2009-2474)
#542926
notified maintainer

--

ntop (CVE-2009-2732)
#543312
notified maintainer through initial bugreport

--

postfix (CVE-2009-2939)
notified maintainer

--

squid (CVE-2009-0801)
#521053

--

squid3 (CVE-2009-0801)
#521052

--

net-snmp (CVE-2008-6123)
Noah will see to it.

--

ocsinventory-server (CVE-2009-3040, CVE-2009-3042, CVE-2009-1443)
#541995
notified maintainer

--

open-iscsi (CVE-2009-1297)
notified maintainer in initial bug report

--

openldap
#253838
notified maintainer

--

overkill (no CVE yet)
#549310

--

owl (CVE-2009-0363)
#515118
notified maintainer

--

pam (CVE-2009-0579)
#514437
asked maintainer in mail

--

pidgin (CVE-2009-1889, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085)
#535790
http://developer.pidgin.im/ticket/9483
http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7
notified maintainer

--

pptp-linux (no CVE)
#523476
Ola will prepare a fix in a point update

--

rails (CVE-2009-3086)
bug #545063
notified maintainer

--

slim (CVE-2009-1756)
bug #529306
Maintainer notified through followup in #529306

--

smarty (CVE-2009-1669)
#529810
http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462
notified maintainer

--

tau (CVE-2008-5157)
#506348
notified maintainer

--

texlive-bin (CVE-2009-1284)
#520920
https://bugzilla.redhat.com/show_bug.cgi?id=492136

--

udev (#462655)
notified maintainer

--

planet (CVE-2009-2937)
bug #546178
notified maintainer through initial bugreport

--

webkit (CVE-2008-4724)
#520052
asked maintainer

--

xemacs21 (CVE-2008-2142)
bug #480877
notified maintainer

xemacs21 (CVE-2009-2688)
#540470
Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994
notified maintainer

--

xen-3 (CVE-2008-4993)
#496367
notified maintainer

--

xerces-c2 (CVE-2009-1885)
#541986
notified maintainer


--

xfig
25_mkstemp added in 1:3.2.5.a-1
notified maintainer

--

xscreensaver (no CVE)
#539699
notified maintainer

--

ziproxy (CVE-2009-0804)
#521051
1	This file records minor security issues, which do not warrant a DSA,
2	but which could be fixed in a stable point update if people feel like
3	it. If someone wants to address these, please add a note about it
4	and get in contact with debian-release@lists.debian.org
5
6	--
7
8	asterisk (CVE-2009-0041)
9	#513413
10	notified maintainer
11
12	CVE-2008-3903
13	#522528
14	notified maintainer
15
16	--
17
18	avahi (CVE-2009-0758)
19	#517683
20	notified maintainer
21
22	--
23
24	backuppc (CVE-2009-3369)
25	#542218
26	notified maintainer
27
28	--
29
30	bugzilla (CVE-2009-0481 to CVE-2009-0485)
31	notified maintainer
32
33	--
34
35	buildbot (CVE-2009-2959, CVE-2009-2967)
36	#543822
37	notified maintainer
38
39	--
40
41	compiz-fusion-plugins-main (CVE-2008-6514)
42	notified maintainer
43
44	--
45
46	cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked
47	#528434
48	notified maintainer
49
50	--
51
52	dopewars (CVE-2009-3591)
53	#550913
54	notified maintainer
55
56	--
57
58	evolution (CVE-2009-1631)
59	#526409
60	notified maintainer through initial bugreport
61
62	--
63
64	firebird2.0 (CVE-2009-2620)
65	#539477
66	notified maintainer
67
68	--
69
70	glib2.0 (CVE-2009-3289)
71	https://bugzilla.gnome.org/show_bug.cgi?id=593406
72	notified maintainer
73
74	--
75
76	gnutls26 (CVE-2009-1417)
77	#531614
78	notified maintainer
79
80	--
81
82	gri (no CVE)
83	fixed in gri 2.12.18-1:
84	"Improve security when creating temporary files."
85	notified maintainer
86
87	--
88
89	gupnp (CVE-2009-2174)
90	#534594
91	notified maintainer
92
93	--
94
95	htmldoc (CVE-2009-3050)
96	#537637
97	notified maintainer through initial bugreport
98
99	--
100
101	kde4libs (CVE-2009-2702)
102	#546218
103	notified maintainer
104
105	--
106
107	kfreebsd-6
108	[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
109	http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
110	notified maintainer
111
112	[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
113	http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
114	notified maintainer
115
116	--
117
118	kfreebsd-7
119	[freebsd Missing permission check on SIOCSIFINFO_IN6 ioctl]
120	http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
121	notified maintainer
122
123	[freebsd Local information disclosure via direct pipe writes] (CVE-2009-1935)
124	http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc
125	notified maintainer
126
127	--
128
129	kvm 82-1 (CVE-2008-5714)
130	#509997
131	notified maintainer
132
133	--
134
135	lcms (CVE-2009-0793)
136	notified maintainer through initial bugreport
137
138	--
139
140	libpam-ssh (CVE-2009-1273)
141	#535877
142	maintainer notified through initial bug report, said he would work on an update
143
144	--
145
146	libpng (CVE-2009-2042)
147	#533676
148	notified maintainer
149
150	--
151
152	libsndfile
153	potential dos via crafted input
154	#530831
155
156	--
157
158	libvorbis (CVE-2008-2009)
159	notified maintainer and release team
160
161	--
162
163	memcached (CVE-2009-1255)
164	notified maintainer
165
166	--
167
168	mimedecode
169	potential dos/crash due to invalid input
170	orphaned
171	#530430
172
173	--
174
175	movabletype-opensource (CVE-2009-2492)
176	#537935
177	notified maintainer
178
179	--
180
181	mpg123 (CVE-2009-1301)
182	notified maintainer
183
184	--
185
186	neon27 (CVE-2009-2474)
187	#542926
188	notified maintainer
189
190	--
191
192	neon26 (CVE-2009-2474)
193	#542926
194	notified maintainer
195
196	--
197
198	ntop (CVE-2009-2732)
199	#543312
200	notified maintainer through initial bugreport
201
202	--
203
204	postfix (CVE-2009-2939)
205	notified maintainer
206
207	--
208
209	squid (CVE-2009-0801)
210	#521053
211
212	--
213
214	squid3 (CVE-2009-0801)
215	#521052
216
217	--
218
219	net-snmp (CVE-2008-6123)
220	Noah will see to it.
221
222	--
223
224	ocsinventory-server (CVE-2009-3040, CVE-2009-3042, CVE-2009-1443)
225	#541995
226	notified maintainer
227
228	--
229
230	open-iscsi (CVE-2009-1297)
231	notified maintainer in initial bug report
232
233	--
234
235	openldap
236	#253838
237	notified maintainer
238
239	--
240
241	overkill (no CVE yet)
242	#549310
243
244	--
245
246	owl (CVE-2009-0363)
247	#515118
248	notified maintainer
249
250	--
251
252	pam (CVE-2009-0579)
253	#514437
254	asked maintainer in mail
255
256	--
257
258	pidgin (CVE-2009-1889, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085)
259	#535790
260	http://developer.pidgin.im/ticket/9483
261	http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7
262	notified maintainer
263
264	--
265
266	pptp-linux (no CVE)
267	#523476
268	Ola will prepare a fix in a point update
269
270	--
271
272	rails (CVE-2009-3086)
273	bug #545063
274	notified maintainer
275
276	--
277
278	slim (CVE-2009-1756)
279	bug #529306
280	Maintainer notified through followup in #529306
281
282	--
283
284	smarty (CVE-2009-1669)
285	#529810
286	http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462
287	notified maintainer
288
289	--
290
291	tau (CVE-2008-5157)
292	#506348
293	notified maintainer
294
295	--
296
297	texlive-bin (CVE-2009-1284)
298	#520920
299	https://bugzilla.redhat.com/show_bug.cgi?id=492136
300
301	--
302
303	udev (#462655)
304	notified maintainer
305
306	--
307
308	planet (CVE-2009-2937)
309	bug #546178
310	notified maintainer through initial bugreport
311
312	--
313
314	webkit (CVE-2008-4724)
315	#520052
316	asked maintainer
317
318	--
319
320	xemacs21 (CVE-2008-2142)
321	bug #480877
322	notified maintainer
323
324	xemacs21 (CVE-2009-2688)
325	#540470
326	Patches at https://bugzilla.redhat.com/show_bug.cgi?id=511994
327	notified maintainer
328
329	--
330
331	xen-3 (CVE-2008-4993)
332	#496367
333	notified maintainer
334
335	--
336
337	xerces-c2 (CVE-2009-1885)
338	#541986
339	notified maintainer
340
341
342	--
343
344	xfig
345	25_mkstemp added in 1:3.2.5.a-1
346	notified maintainer
347
348	--
349
350	xscreensaver (no CVE)
351	#539699
352	notified maintainer
353
354	--
355
356	ziproxy (CVE-2009-0804)
357	#521051