[Secure-testing-commits] r12474 - data/CVE

Giuseppe Iuculano derevko-guest at alioth.debian.org
Tue Aug 4 10:53:17 UTC 2009


Author: derevko-guest
Date: 2009-08-04 10:53:17 +0000 (Tue, 04 Aug 2009)
New Revision: 12474

Modified:
   data/CVE/list
Log:
- NFUs
- CVE-2009-2654: xulrunner is affected
- certificate spoofing via null characters issue got a CVE, CVE-2009-2408
- CVE-2009-2409: nss and gnutls26 fixed in unstable, openssl is unfixed


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-08-04 09:14:18 UTC (rev 12473)
+++ data/CVE/list	2009-08-04 10:53:17 UTC (rev 12474)
@@ -3,37 +3,39 @@
 	NOTE: Posting on full-disclosure contains details
 	TODO: Seems to affect Mplayer as well, so likely in ffmpeg-debian, needs to be checked 
 CVE-2009-2655 (mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2009-2654 (Mozilla Firefox 3.5.1 and earlier allows remote attackers to spoof the ...)
-	TODO: check
+	 - xulrunner <unfixed> (low; bug #539891)
 CVE-2009-2653 (** DISPUTED ** ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Windows
 CVE-2009-2652 (Unspecified vulnerability in Solaris Trusted Extensions in Sun Solaris ...)
-	TODO: check
+	NOT-FOR-US: Solaris Trusted Extensions
 CVE-2008-6891 (Multiple cross-site scripting (XSS) vulnerabilities in ASP Forum ...)
-	TODO: check
+	NOT-FOR-US: ASP Forum Script
 CVE-2008-6890 (SQL injection vulnerability in messages.asp in ASP Forum Script allows ...)
-	TODO: check
+	NOT-FOR-US: ASP Forum Script
 CVE-2008-6889 (SQL injection vulnerability in Merchantsadd.asp in ASPReferral 5.3 ...)
-	TODO: check
+	NOT-FOR-US: ASPReferral
 CVE-2008-6888 (Cross-site scripting (XSS) vulnerability in signup.asp in Pre ...)
-	TODO: check
+	NOT-FOR-US: Pre Classified Listings
 CVE-2008-6887 (SQL injection vulnerability in detailad.asp in Pre Classified Listings ...)
-	TODO: check
+	NOT-FOR-US: Pre Classified Listings
 CVE-2008-6886 (RSA EnVision 3.5.0, 3.5.1, 3.5.2, and 3.7.0 does not properly restrict ...)
-	TODO: check
+	NOT-FOR-US: RSA EnVision
 CVE-2008-6885 (Cross-site scripting (XSS) vulnerability in pmlite.php in XOOPS 2.3.1 ...)
-	TODO: check
+	NOT-FOR-US: XOOPS
 CVE-2008-6884 (Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when ...)
-	TODO: check
+	NOT-FOR-US: XOOPS
 CVE-2009-XXXX [poppler: buffer overflow in abiword backend]
 	- poppler <unfixed> (low; bug #534680)
-CVE-2009-XXXX [openssl: certificate spoofing via null characters]
+CVE-2009-2408 (Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly ...)
 	- openssl <unfixed> (medium; bug #539499)
-	- iceweasel <unfixed> (medium)
+	- xulrunner <unfixed> (medium)
+	- nss 3.12.3-1 (medium)  
 	NOTE: asked maintainer to check whether openssl affected
 	NOTE: fixed in iceweasel 3.0.13 and 3.5.2, which have yet to be uploaded
 	TODO: check whether other web browsers are affected and file bugs
+	TODO: check if xulrunner and related packages are really affected (they should use the system version of NSS)
 CVE-2009-2651 (main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote ...)
 	- asterisk <unfixed> (low; bug #539473)
 	[etch] - asterisk <not-affected> (Vulnerable code not present)
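Review bot: In the CVE-2009-2408 block, the NOTE "fixed in iceweasel 3.0.13 and 3.5.2, which have yet to be uploaded" is left in place while the `iceweasel <unfixed> (medium)` package line it refers to is replaced by `xulrunner <unfixed> (medium)`; either keep an iceweasel line or reword the note so a reader can tell which package the pending uploads fix. The new `- nss 3.12.3-1 (medium)  ` line also carries trailing whitespace, which other package lines in this file do not have. Finally, the new TODO questions whether xulrunner is affected at all (it should use the system NSS), so marking it `<unfixed>` before that check is done may produce a spurious tracker entry; consider recording the doubt as a NOTE instead until the check is complete.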
@@ -671,9 +673,10 @@
 CVE-2009-2410 (The local_handler_callback function in ...)
 	NOT-FOR-US: sssd
 CVE-2009-2409 (The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 ...)
-	TODO: check
-CVE-2009-2408 (Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly ...)
-	TODO: check
+	- nss 3.12.3-1 (low; bug #539895)
+	- openssl <unfixed> (low; bug #539899)
+	- gnutls26 2.6.4-1 (low; bug #539901)
+	TODO: check - gnutls13 <removed>
 CVE-2009-2407 (Heap-based buffer overflow in the parse_tag_3_packet function in ...)
 	{DSA-1845-1 DSA-1844-1}
 	- linux-2.6 2.6.30-5 (medium)
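Review bot: The line `TODO: check - gnutls13 <removed>` mixes a TODO annotation with what looks like a package line; in this file a package state is recorded as its own `- pkg <state>` line, so split it into `- gnutls13 <removed>` plus a separate `TODO: check gnutls13` (or drop the package line if gnutls13 is not meant to be tracked). The removal of the old CVE-2009-2408 placeholder here is consistent with the first hunk, which re-creates the entry in place of the former CVE-2009-XXXX openssl slot, so no duplicate remains; note only that the entry now sits out of numeric order next to CVE-2009-2651 rather than beside CVE-2009-2409.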
