[Secure-testing-commits] r9384 - data/CVE
nion at alioth.debian.org
nion at alioth.debian.org
Mon Jul 21 12:23:51 UTC 2008
Author: nion
Date: 2008-07-21 12:23:50 +0000 (Mon, 21 Jul 2008)
New Revision: 9384
Modified:
data/CVE/list
Log:
drupal cveified (CVE-2008-32[19-23]), parts also affect drupal-4.7
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-07-21 11:51:52 UTC (rev 9383)
+++ data/CVE/list 2008-07-21 12:23:50 UTC (rev 9384)
@@ -165,12 +165,28 @@
NOT-FOR-US: ancient issue
CVE-2008-3229 [buffer overflow in XAUTHORITY handling in op]
- op <not-affected> (not configured with xauth support)
-CVE-2008-XXXX [several issues in last upstream announcement]
- - drupal5 5.8-1 (bug #490559)
- - drupal-4.7 <not-affected>
- NOTE: http://drupal.org/node/280571
- NOTE: Upstream advisory states that drupal5 is only affected to a few of the issues
- NOTE: drupal-4.7 is not mentioned as vulnerable
+CVE-2008-3218 [multiple XSS related to free tagging taxonomy terms not properly handled in node preview]
+ - drupal5 <not-affected> (Vulnerable code not present, feature introduced in 6.0)
+ - drupal-4.7 <not-affected> (Vulnerable code not present, feature introduced in 6.0)
+CVE-2008-3219 [filter_xss_admin doesnt prevent use of object HTML tag in administrator input]
+ - drupal5 5.8-1 (low; bug #490559)
+ - drupal-4.7 <unfixed> (low)
+ TODO: report drupal-4.7 bug (see modules/filter.module line 1113, object is returned as valid)
+CVE-2008-3220 [CSRF might delete translated strings]
+ - drupal5 5.8-1 (low; bug #490559)
+ - drupal-4.7 <not-affected> (Vulnerable code not present)
+ NOTE: drupal-4.7 uses the locale_admin_string_delete callback which returns a confirmation dialog
+CVE-2008-3221 [CSRF might delete openid identities]
+ - drupal5 <not-affected> (Vulnerable code not present, openids introduced in 6.0)
+ - drupal-4.7 <not-affected> (Vulnerable code not present, openids introduced in 6.0)
+CVE-2008-3222 [session fixation vulnerability]
+ - drupal5 5.8-1 (low; bug #490559)
+ - drupal-4.7 <unfixed> (low)
+ TODO: report drupal-4.7 bug (see modules/user.module line 964, sess_regenerate() needs to be called)
+ NOTE: before login action
+CVE-2008-3223 [SQL Injection in Schema API]
+ - drupal5 <not-affected> (Vulnerable code not present, introduced in 6.0)
+ - drupal-4.7 <not-affected> (Vulnerable code not present, introduced in 6.0)
CVE-2008-3145 [DoS via injecting a series of malformed packets]
RESERVED
- wireshark <unfixed> (low)
More information about the Secure-testing-commits
mailing list