[Secure-testing-commits] r5850 - data/CVE

stef-guest at alioth.debian.org stef-guest at alioth.debian.org
Wed May 16 20:35:36 UTC 2007


Author: stef-guest
Date: 2007-05-16 20:35:35 +0000 (Wed, 16 May 2007)
New Revision: 5850

Modified:
   data/CVE/list
Log:
CVE-2007-1401: new php4 issue
add some info about possible javascript hijacking vulns
NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-05-16 19:48:50 UTC (rev 5849)
+++ data/CVE/list	2007-05-16 20:35:35 UTC (rev 5850)
@@ -437,15 +437,34 @@
 	RESERVED
 CVE-2007-2385 (The Yahoo! UI framework exchanges data using JavaScript Object ...)
 	TODO: check yui
-	TODO: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+	NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+	NOTE: This allows to steal data from affected websites. Therefore web applications should
+	NOTE: only be considered vunerabile if they process confidential data.
+	NOTE: The frameworks should be fixed in any case.
 CVE-2007-2384 (The Script.aculo.us framework exchanges data using JavaScript Object ...)
 	TODO: check glpi knowledgeroot mt-daapd op-panel python-webhelpers qwik rails wordpress
+	NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+	NOTE: This allows to steal data from affected websites. Therefore web applications should
+	NOTE: only be considered vunerabile if they process confidential data.
+	NOTE: The frameworks should be fixed in any case.
 CVE-2007-2383 (The Prototype (prototypejs) framework exchanges data using JavaScript ...)
 	TODO: check glpi hobix knowledgeroot libbio-ruby1.8 mt-daapd op-panel poker-web python-webhelpers qwik rails wordpress 
+	NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+	NOTE: This allows to steal data from affected websites. Therefore web applications should
+	NOTE: only be considered vunerabile if they process confidential data.
+	NOTE: The frameworks should be fixed in any case.
 CVE-2007-2382 (The Moo.fx framework exchanges data using JavaScript Object Notation ...)
-	NOT-FOR-US: MochiKit framework
+	TODO: check
+	NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+	NOTE: This allows to steal data from affected websites. Therefore web applications should
+	NOTE: only be considered vunerabile if they process confidential data.
+	NOTE: The frameworks should be fixed in any case.
 CVE-2007-2381 (The MochiKit framework exchanges data using JavaScript Object Notation ...)
 	TODO: check python-paste
+	NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
+	NOTE: This allows to steal data from affected websites. Therefore web applications should
+	NOTE: only be considered vunerabile if they process confidential data.
+	NOTE: The frameworks should be fixed in any case.
 CVE-2007-2380 (The Microsoft Atlas framework exchanges data using JavaScript Object ...)
 	NOT-FOR-US: Microsoft Atlas
 CVE-2007-2379 (The jQuery framework exchanges data using JavaScript Object Notation ...)
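Review bot: the four NOTE lines added under CVE-2007-2385, -2384, -2383, -2382 and -2381 carry the same typo and grammar slip five times over: "vunerabile" should be "vulnerable", and "This allows to steal data" reads better as "This allows stealing data". Since the block is identical for every entry, it is worth fixing the wording once before it is copied further, for example "NOTE: This allows stealing data from affected websites, so web applications should only be considered vulnerable if they process confidential data." The replacement of "NOT-FOR-US: MochiKit framework" by "TODO: check" under CVE-2007-2382 (Moo.fx) is the right correction, since the old line named the wrong framework, but the list of packages to check is empty here while the neighbouring entries enumerate candidates; stating which packages embed Moo.fx would keep the entry actionable.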
@@ -2701,7 +2720,8 @@
 CVE-2007-1402 (The Rediff Toolbar 2.0 ActiveX control in redifftoolbar.dll allows ...)
 	NOT-FOR-US: Rediff Toolbar ActiveX control
 CVE-2007-1401 (Buffer overflow in the crack extension (CrackLib), as bundled with PHP ...)
-	TODO: check
+	- php4 <unfixed>
+	TODO: check php5
 CVE-2007-1400 (Plash permits sandboxed processes to open /dev/tty, which allows local ...)
 	NOT-FOR-US: Plash
 CVE-2007-1399 (Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP ...)
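Review bot: the new "- php4 <unfixed>" line under CVE-2007-1401 gives no pointer to a Debian bug or upstream advisory, unlike the usual "(bug #NNNNN)" annotation used elsewhere in this file; if one exists it should be recorded so the fix can be tracked. The "TODO: check php5" line is appropriate because the CVE text says the crack extension is bundled with PHP rather than naming a version, so the php5 source package needs the same check for ext/crack before this entry can be closed.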
@@ -5661,7 +5681,7 @@
 CVE-2007-0324 (Multiple buffer overflows in the LizardTech DjVu Browser Plug-in ...)
 	NOT-FOR-US: LizardTech DjVu Browser Plug-in
 CVE-2007-0323 (Buffer overflow in the SetLanguage function in Research In Motion ...)
-	TODO: check
+	NOT-FOR-US: Research In Motion (RIM) TeamOn Import Object ActiveX control
 CVE-2007-0322
 	RESERVED
 CVE-2007-0321 (Buffer overflow in the Update Service Agent ActiveX Control in ...)
@@ -5903,9 +5923,9 @@
 CVE-2007-0222 (Directory traversal vulnerability in the EmChartBean server side ...)
 	NOT-FOR-US: Oracle Application Server
 CVE-2007-0221 (IMAP support in Microsoft Exchange Server 2000 SP3 allows remote ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2007-0220 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2007-0219 (Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM objects ...)
 	NOT-FOR-US: Microsoft
 CVE-2007-0218
@@ -5919,7 +5939,7 @@
 CVE-2007-0214 (The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows 2000 ...)
 	NOT-FOR-US: Microsoft
 CVE-2007-0213 (Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2007-0212
 	RESERVED
 CVE-2007-0211 (The hardware detection functionality in the Windows Shell in Microsoft ...)
@@ -6504,7 +6524,7 @@
 CVE-2007-0040
 	RESERVED
 CVE-2007-0039 (The Exchange Collaboration Data Objects (EXCDO) functionality in ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2007-0038 (Stack-based buffer overflow in the animated cursor code in Microsoft ...)
 	NOT-FOR-US: Microsoft
 CVE-2007-0037
