[Secure-testing-commits] r11636 - data/CVE
Kees Cook
kees at alioth.debian.org
Fri Apr 17 01:25:52 UTC 2009
Author: kees
Date: 2009-04-17 01:25:52 +0000 (Fri, 17 Apr 2009)
New Revision: 11636
Modified:
data/CVE/list
Log:
Sync from Ubuntu CVE tracker...
unfixed: archivemail azureus clamav evolution-data-server ghostscript graphicsmagick iceape iceweasel jbossas4 libapache2-mod-perl2 libstruts1.2-java linux-2.6 ntp openjdk-6 python2.4 python2.5 sun-java5 sun-java6 tomcat5.5 torrentflux typo3-src wireshark xulrunner
fixed: lighttpd tunapie
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-04-16 21:14:13 UTC (rev 11635)
+++ data/CVE/list 2009-04-17 01:25:52 UTC (rev 11636)
@@ -163,15 +163,15 @@
- php4 <not-affected> (the JSON extension was introduced in php5.2)
- php-json-ext <unfixed>
CVE-2009-1269 (Unspecified vulnerability in Wireshark 0.99.6 through 1.0.6 allows ...)
- TODO: check
+ - wireshark <unfixed>
CVE-2009-1268 (The Check Point High-Availability Protocol (CPHAP) dissector in ...)
- TODO: check
+ - wireshark <unfixed>
CVE-2009-1267 (Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.2 ...)
- TODO: check
+ - wireshark <unfixed>
CVE-2009-1266
RESERVED
CVE-2009-1265 (Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux ...)
- TODO: check
+ - linux-2.6 <unfixed>
CVE-2009-1264 (Frontend User Registration (sr_feuser_register) extension 2.5.20 and ...)
NOT-FOR-US: Frontend User Registration (sr_feuser_register) extension
CVE-2009-1263 (SQL injection vulnerability in sub_commententry.php in the BookJoomlas ...)
@@ -193,7 +193,7 @@
CVE-2009-1255
RESERVED
CVE-2008-6679 (Buffer overflow in the BaseFont writer module in Ghostscript 8.62, and ...)
- TODO: check
+ - ghostscript <unfixed>
CVE-2008-6678 (SQL injection vulnerability in asp/includes/contact.asp in QuickerSite ...)
NOT-FOR-US: QuickerSite
CVE-2008-6677 (Unrestricted file upload vulnerability in ...)
@@ -239,7 +239,7 @@
CVE-2008-6657 (Cross-site request forgery (CSRF) vulnerability in index.php in Simple ...)
NOT-FOR-US: Simple Machines Forum
CVE-2007-6725 (The CCITTFax decoding filter in Ghostscript 8.60, 8.61, and possibly ...)
- TODO: check
+ - ghostscript <unfixed>
CVE-2009-XXXX [roundup: insufficient access checks in web frontend]
- roundup <unfixed> (bug #518768)
[etch] - roundup 1.2.1-10+etch1
@@ -259,10 +259,10 @@
- clamav 0.94.dfsg.2-1~volatile2 (medium; bug #523016)
CVE-2009-1254 (James Stone Tunapie 2.1 allows remote attackers to execute arbitrary ...)
{DSA-1764-1}
- TODO: check
+ - tunapie 2.1.17-1
CVE-2009-1253 (James Stone Tunapie 2.1 allows local users to overwrite arbitrary ...)
{DSA-1764-1}
- TODO: check
+ - tunapie 2.1.17-1
CVE-2009-1252
RESERVED
CVE-2009-1251 (Heap-based buffer overflow in the cache manager in the client in ...)
@@ -360,7 +360,7 @@
CVE-2008-6622 (SQL injection vulnerability in choosecard.php in WEBBDOMAIN Post Card ...)
NOT-FOR-US: WEBBDOMAIN Multi Languages WebShop Online
CVE-2008-6621 (Unspecified vulnerability in GraphicsMagick before 1.2.3 allows remote ...)
- TODO: check
+ - graphicsmagick <unfixed>
CVE-2008-6620 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
NOT-FOR-US: GraFX miniCWB
CVE-2008-6619 (Unrestricted file upload vulnerability in class/ApplyDB.php in ...)
@@ -421,7 +421,7 @@
CVE-2008-6595 (SQL injection vulnerability in the pmk_rssnewsexport extension for ...)
NOT-FOR-US: pmk_rssnewsexport extension for TYPO3
CVE-2008-6594 (SQL injection vulnerability in the cm_rdfexport extension for TYPO3 ...)
- TODO: check
+ - typo3-src <unfixed>
CVE-2008-6593 (SQL injection vulnerability in LightNEasy/lightneasy.php in LightNEasy ...)
NOT-FOR-US: LightNEasy SQLite
CVE-2008-6592 (thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" ...)
@@ -435,13 +435,13 @@
CVE-2008-6588 (Aztech ADSL2/2+ 4-port router has a default "isp" account with a ...)
NOT-FOR-US: Aztech port router
CVE-2008-6587 (Cross-site request forgery (CSRF) vulnerability in index.tmpl in Vuze ...)
- TODO: check
+ - azureus <unfixed>
CVE-2008-6586 (Cross-site request forgery (CSRF) vulnerability in gui/index.php in ...)
NOT-FOR-US: ?Torrent (uTorrent) WebUI
CVE-2008-6585 (Cross-site request forgery (CSRF) vulnerability in html/admin.php in ...)
- TODO: check
+ - torrentflux <unfixed>
CVE-2008-6584 (html/index.php in TorrentFlux 2.3 allows remote authenticated users to ...)
- TODO: check
+ - torrentflux <unfixed>
CVE-2008-6583 (Buffer overflow in BS.player 2.27 build 959 allows remote attackers to ...)
NOT-FOR-US: BS.player
CVE-2009-1274 (Integer overflow in the qt_error parse_trak_atom function in ...)
@@ -1859,16 +1859,16 @@
CVE-2009-0797
RESERVED
CVE-2009-0796 (Cross-site scripting (XSS) vulnerability in Status.pm in ...)
- TODO: check
+ - libapache2-mod-perl2 <unfixed>
CVE-2009-0795 [af_rose/x25 DoS]
REJECTED
- linux-2.6 <unfixed>
- linux-2.6.24 <unfixed>
CVE-2009-0794 (Integer overflow in the PulseAudioTargetDataL class in ...)
- TODO: check
+ - openjdk-6 <unfixed>
CVE-2009-0793 (cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK ...)
{DSA-1769-1}
- TODO: check
+ - openjdk-6 <unfixed>
CVE-2009-0792 (Multiple integer overflows in icc.c in the International Color ...)
- argyll <unfixed> (low; bug #523427)
CVE-2009-0791
@@ -2445,7 +2445,9 @@
CVE-2009-0653 (OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an ...)
- openssl 0.9.8-1 (bug #517791)
CVE-2009-0652 (Mozilla Firefox 3.0.6 does not properly prevent the literal rendering ...)
- TODO: check
+ - iceape <unfixed>
+ - xulrunner <unfixed>
+ - iceweasel <unfixed>
CVE-2009-0651 (Unspecified vulnerability in the Veritas network daemon (aka vnetd) in ...)
NOT-FOR-US: Veritas network daemon
CVE-2009-0650 (Stack-based buffer overflow in the GetStatsFromLine function in TPTEST ...)
@@ -2924,7 +2926,7 @@
- gs-gpl <removed>
- gs-esp <removed>
CVE-2009-0582 (The ntlm_challenge function in the NTLM SASL authentication mechanism ...)
- TODO: check
+ - evolution-data-server <unfixed>
CVE-2009-0581 (Memory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as ...)
{DSA-1769-1 DSA-1745-1}
- lcms 1.18.dfsg-1 (bug #522446)
@@ -3405,11 +3407,11 @@
CVE-2008-6073 (StorageCrypt 2.0.1 does not properly encrypt disks, which allows local ...)
NOT-FOR-US: StorageCrypt
CVE-2008-6072 (Multiple unspecified vulnerabilities in GraphicsMagick before 1.1.14, ...)
- TODO: check
+ - graphicsmagick <unfixed>
CVE-2008-6071 (Heap-based buffer overflow in the DecodeImage function in ...)
- TODO: check
+ - graphicsmagick <unfixed>
CVE-2008-6070 (Multiple heap-based buffer underflows in the ReadPALMImage function in ...)
- TODO: check
+ - graphicsmagick <unfixed>
CVE-2008-6069 (SQL injection vulnerability in e107chat.php in the eChat plugin 4.2 ...)
NOT-FOR-US: eChat plugin
CVE-2008-6068 (SQL injection vulnerability in the JoomlaDate (com_joomladate) ...)
@@ -3996,7 +3998,8 @@
- dia 0.96.1-7.1 (low; bug #504251)
[etch] - dia <no-dsa> (Minor issue, only vulnerable when called from certain dir)
CVE-2008-5983 (Untrusted search path vulnerability in the PySys_SetArgv API function ...)
- TODO: check
+ - python2.5 <unfixed>
+ - python2.4 <unfixed>
CVE-2008-5982 (Format string vulnerability in BMC PATROL Agent before 3.7.30 allows ...)
NOT-FOR-US: BMC PATROL Agent
CVE-2009-0323 (Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 ...)
@@ -4313,7 +4316,7 @@
CVE-2009-0197 (Integer overflow in the FORMATS Plugin before 4.23 for IrfanView ...)
NOT-FOR-US: IrfanView
CVE-2009-0196
- RESERVED
+ - ghostscript <unfixed>
CVE-2009-0195
RESERVED
CVE-2009-0194
@@ -4414,7 +4417,7 @@
CVE-2009-0160
RESERVED
CVE-2009-0159 (Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c ...)
- TODO: check
+ - ntp <unfixed>
CVE-2009-0158
RESERVED
CVE-2009-0157
@@ -5409,7 +5412,7 @@
- linux-2.6 2.6.29-1
- linux-2.6.24 <unfixed>
CVE-2009-0027 (The request handler in JBossWS in JBoss Enterprise Application ...)
- TODO: check
+ - jbossas4 <unfixed>
CVE-2009-0026 (Multiple cross-site scripting (XSS) vulnerabilities in Apache ...)
NOT-FOR-US: Apache Jackrabbit
CVE-2009-0025 (BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check ...)
@@ -5602,7 +5605,7 @@
CVE-2008-5526 (DrWeb Anti-virus 4.44.0.09170, when Internet Explorer 6 or 7 is used, ...)
NOT-FOR-US: DrWeb Anti-virus
CVE-2008-5525 (ClamAV 0.94.1 and possibly 0.93.1, when Internet Explorer 6 or 7 is ...)
- TODO: check
+ - clamav <unfixed>
NOTE: CVE claims it only happens when Internet Explorer 6 or 7 is used, but ClamAV doesn't have any special code for IE
CVE-2008-5524 (CAT-QuickHeal 10.00 and possibly 9.50, when Internet Explorer 6 or 7 ...)
NOT-FOR-US: CAT-QuickHeal
@@ -5615,7 +5618,7 @@
CVE-2008-5520 (AhnLab V3 2008.12.4.1 and possibly 2008.9.13.0, when Internet Explorer ...)
NOT-FOR-US: AhnLab V3
CVE-2008-5519 (The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat ...)
- TODO: check
+ - tomcat5.5 <unfixed>
CVE-2008-5518
RESERVED
CVE-2008-5517 (The web interface in git (gitweb) 1.5.x before 1.5.6 allows remote ...)
@@ -7641,7 +7644,9 @@
NOTE: not reproducible using iceweasel 3.0.1
CVE-2008-4723 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox ...)
{CVE-2008-4724}
- TODO: check
+ - iceape <unfixed>
+ - xulrunner <unfixed>
+ - iceweasel <unfixed>
NOTE: http://www.jorgan.users.cg.yu/ seems to be the original source
NOTE: Not enough details to tell if this is a real vulnerability.
NOTE: My guess is that file names containing <>& are incorrectly
@@ -13994,7 +13999,9 @@
CVE-2008-2087 (SQL injection vulnerability in search_result.php in Softbiz Web Host ...)
NOT-FOR-US: Softbiz Web Host Directory Script
CVE-2008-2086 (Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and ...)
- TODO: check
+ - openjdk-6 <unfixed>
+ - sun-java5 <unfixed>
+ - sun-java6 <unfixed>
CVE-2008-2084 (SQL injection vulnerability in topics.php in the MyArticles 0.6 beta-1 ...)
NOT-FOR-US: MyArticles
CVE-2008-2083 (SQL injection vulnerability in directory.php in Prozilla Hosting ...)
@@ -14121,7 +14128,7 @@
CVE-2008-2026 (Cross-site scripting (XSS) vulnerability in WebID/IISWebAgentIF.dll in ...)
NOT-FOR-US: RSA Authentication Agent
CVE-2008-2025 (Cross-site scripting (XSS) vulnerability in Apache Struts before ...)
- TODO: check
+ - libstruts1.2-java <unfixed>
CVE-2008-2024 (Cross-site scripting (XSS) vulnerability in index.php in miniBB 2.2, ...)
NOT-FOR-US: miniBB
CVE-2008-2023 (Multiple SQL injection vulnerabilities in PD9 Software MegaBBS 2.2 ...)
@@ -29267,7 +29274,7 @@
CVE-2007-2842
RESERVED
CVE-2007-2841 [lighttpd DoS]
- RESERVED
+ - lighttpd 1.4.16-1 (bug #428368)
NOTE: Duplicate of CVE-2007-3947, was assigned from Debian CNA and clashed with MITRE
NOTE: assignment
CVE-2007-2840
@@ -42623,7 +42630,7 @@
{DSA-1177-1}
- usermin <removed> (bug #374609)
CVE-2006-4245
- RESERVED
+ - archivemail <unfixed>
CVE-2006-4244 (SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that ...)
{DSA-1239-1}
- sql-ledger 2.6.18-1 (medium; bug #386519)
@@ -45262,7 +45269,6 @@
{DSA-1112}
- mysql-dfsg-5.0 5.0.19-1 (bug #373913; high)
CVE-2006-3100 [termnetd buffer overflow]
- RESERVED
- termpkg 3.3-7 (bug #358028; medium)
CVE-2006-3085 (xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers ...)
- linux-2.6 2.6.16-15
More information about the Secure-testing-commits
mailing list