[Secure-testing-commits] r13611 - data/CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Sun Dec 20 10:09:00 UTC 2009
Author: jmm-guest
Date: 2009-12-20 10:09:00 +0000 (Sun, 20 Dec 2009)
New Revision: 13611
Modified:
data/CVE/list
Log:
revert previous commit: CVE/list is not a dumping ground for issues
someone should check based on embedded-code-copies.
If something is added to CVE/list as unfixed it needs to be checked
beforehand.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-12-20 09:14:53 UTC (rev 13610)
+++ data/CVE/list 2009-12-20 10:09:00 UTC (rev 13611)
@@ -1185,9 +1185,6 @@
CVE-2009-3932 (The Gears plugin in Google Chrome before 3.0.195.32 allows ...)
- chromium-browser <itp> (low; bug #520324)
- webkit <unfixed> (low; bug #560905)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-3931 (Incomplete blacklist vulnerability in browser/download/download_exe.cc ...)
- chromium-browser <itp> (low; bug #520324)
CVE-2009-3930 (Multiple integer overflows in Christos Zoulas file before 5.02 allow ...)
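Review bot: the three removed lines under CVE-2009-3932 cite bug #561760, #561765 and #561762, and the same three numbers are reused by the removed qt4-x11, kdelibs and kde4libs lines under almost every other WebKit CVE in this diff, so they are per-package catch-all reports rather than per-issue checks. Reverting the list entries does not close or reassign those reports; if they stay open in the BTS they now point at nothing in the tracker. Suggest either closing them with a pointer to this revert, or keeping one TODO line per package (e.g. `TODO: check qt4-x11 against embedded-code-copies (bug #561760)`) so the pending check is not lost.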
@@ -2807,9 +2804,6 @@
RESERVED
CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari before ...)
- webkit 1.1.17-2 (medium; bug #559759)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-3383 (Multiple unspecified vulnerabilities in the JavaScript engine in ...)
- xulrunner 1.9.1.4-1
[lenny] - xulrunner <not-affected> (Only affects Firefox 3.5)
@@ -4315,9 +4309,6 @@
CVE-2009-2953 (Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote ...)
- xulrunner <unfixed> (unimportant; bug #557753)
- webkit <unfixed> (unimportant; bug #557752)
- - qt4-x11 <unfixed> (unimportant; bug #561760)
- - kdelibs <unfixed> (unimportant; bug #561765)
- - kde4libs <unfixed> (unimportant; bug #561762)
NOTE: browser denial-of-services are considered unimportant
CVE-2009-2952 (Unspecified vulnerability in the pollwakeup function in Sun Solaris ...)
NOT-FOR-US: Sun Solaris
@@ -4770,9 +4761,6 @@
NOT-FOR-US: Apple Safari
CVE-2009-2841 (WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the ...)
- webkit <unfixed> (medium; bug #559759)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: work with upstream to determine affected/not-affected versions
CVE-2009-2840 (Spotlight in Apple Mac OS X 10.5.8 does not properly handle temporary ...)
NOT-FOR-US: Apple Mac OS X
@@ -4829,9 +4817,6 @@
CVE-2009-2816 (The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, ...)
- webkit <unfixed> (medium; bug #559759)
[lenny] - webkit <not-affected> (vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-2815 (The Telephony component in Apple iPhone OS before 3.1 does not ...)
NOT-FOR-US: Apple iPhone OS
CVE-2009-2814 (Cross-site scripting (XSS) vulnerability in the Wiki Server in Apple ...)
@@ -4874,9 +4859,6 @@
NOT-FOR-US: Apple QuickTime
CVE-2009-2797 (The WebKit component in Safari in Apple iPhone OS before 3.1, and ...)
- webkit <unfixed> (medium; bug #559759)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: someone needs to gain membership to the webkit security list so we can actually check these issues
CVE-2009-2796 (The UIKit component in Apple iPhone OS 3.0, and iPhone OS 3.0.1 for ...)
NOT-FOR-US: Apple iPhone OS
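Review bot: the TODO kept at the end of this hunk says the webkit status for CVE-2009-2797 itself has not been checked because nobody has access to the WebKit security list, so the removed qt4-x11/kdelibs/kde4libs lines were copies of an already unverified status. Dropping them is right, but the same caveat applies to the webkit <unfixed> (medium; bug #559759) line that stays; suggest extending the TODO to name the three bundled copies that need the same check once list access exists, so the revert does not read as "these packages are fine".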
@@ -6268,9 +6250,6 @@
NOT-FOR-US: Apple Safari
CVE-2009-2419 (Use-after-free vulnerability in the servePendingRequests function in ...)
- webkit 1.1.10-1
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-2418
RESERVED
CVE-2009-2417 (lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is ...)
@@ -6914,9 +6893,6 @@
CVE-2009-2195 (Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote ...)
- webkit 1.1.12-1 (medium)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=517273
NOTE: http://trac.webkit.org/changeset/45696
CVE-2009-2194 (Apple Mac OS X 10.5 before 10.5.8 does not properly share file ...)
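Review bot: for CVE-2009-2195 the hunk keeps a concrete upstream fix reference (http://trac.webkit.org/changeset/45696) and a lenny webkit <not-affected> (Vulnerable code not present) line, so this is an entry where the status of the WebKit copies in qt4-x11 and kde4libs can actually be determined by checking whether the code touched by r45696 is present in their sources, rather than left blank after the revert. Suggest recording the result as <not-affected> or as a fixed version with that changeset as the reason, the way the lenny line already does.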
@@ -7460,9 +7436,6 @@
NOT-FOR-US: MHF Media Pro
CVE-2009-XXXX [predictable random number generator used in web browsers]
- webkit <unfixed> (low; bug #532514)
- - qt4-x11 <unfixed> (low; bug #561759)
- - kdelibs <unfixed> (low; bug #561757)
- - kde4libs <unfixed> (low; bug #561758)
[lenny] - webkit <no-dsa> (Minor issue)
- xulrunner <unfixed> (low; bug #532516)
[lenny] - xulrunner <no-dsa> (Minor issue)
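Review bot: the removed lines under CVE-2009-XXXX cite bug #561759, #561757 and #561758, not the shared #561760/#561765/#561762 used everywhere else in this diff, i.e. separate reports filed for this specific issue (the predictable random number generator). The blanket revert therefore also drops entries that had their own per-issue bug references. If those three reports were actually filed against qt4-x11, kdelibs and kde4libs, the entries deserve re-adding once checked rather than being lost with the rest, and the bug numbers should at least survive in a TODO line next to the remaining webkit and xulrunner entries.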
@@ -8112,8 +8085,6 @@
CVE-2009-1724 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
- qt4-x11 <unfixed> (low; bug #538403)
- webkit 1.1.13-1 (low; bug #538402)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://www.thespanner.co.uk/2009/06/19/minor-safari-cross-domain-bug/
CVE-2009-1723 (CFNetwork in Apple Mac OS X 10.5 before 10.5.8 places an incorrect URL ...)
NOT-FOR-US: CFNetwork in Apple Mac OS X
@@ -8131,51 +8102,30 @@
CVE-2009-1718 (WebKit in Apple Safari before 4.0 allows user-assisted remote ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <no-dsa> (Minor issue)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1717 (Integer overflow in Terminal in Apple Mac OS X 10.5 before 10.5.7 ...)
NOT-FOR-US: Mac OS X
CVE-2009-1716 (CFNetwork in Apple Safari before 4.0 on Windows does not properly ...)
NOT-FOR-US: CFNetwork in Apple
CVE-2009-1715 (Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in ...)
- webkit 1.0.1-4 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1714 (Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/36359
CVE-2009-1713 (The XSLT functionality in WebKit in Apple Safari before 4.0 does not ...)
- webkit 1.0.1-4 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/34533
CVE-2009-1712 (WebKit in Apple Safari before 4.0 does not prevent remote loading of ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/41568
CVE-2009-1711 (WebKit in Apple Safari before 4.0 does not properly initialize memory ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/36918
CVE-2009-1710 (WebKit in Apple Safari before 4.0 allows remote attackers to spoof the ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1709 (Use-after-free vulnerability in the garbage-collection implementation ...)
{DSA-1866-1}
- webkit 0~svn32442-1
@@ -8183,7 +8133,6 @@
- kde4libs <not-affected> (Vulnerable code not present)
- kdegraphics 4:4.0 (medium; bug #534951)
NOTE: kdegraphics >4.0 not affected since ksvg is only in 3.5.x series)
- - qt4-x11 4.5.0-1 (medium; bug #534947)
CVE-2009-1708 (Apple Safari before 4.0 does not prevent calls to the open-help-anchor ...)
NOT-FOR-US: Apple Safari
CVE-2009-1707 (Race condition in the Reset Safari implementation in Apple Safari ...)
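Review bot: the removed qt4-x11 4.5.0-1 (medium; bug #534947) line under CVE-2009-1709 is a fixed-version entry, not an <unfixed> one, so it does not fall under the reason given in the log. It is also inconsistent on its own terms: it lacks the 4: epoch every other qt4-x11 version in this file carries, and bug #534947 appears again further down under CVE-2009-1698 with a different fixed version (4:4.5.2-1). Rather than simply deleting it, the entry should be corrected to whichever version bug #534947 actually records.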
@@ -8197,82 +8146,43 @@
CVE-2009-1703 (WebKit in Apple Safari before 4.0 does not prevent references to file: ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <no-dsa> (Minor issue)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1702 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1701 (Use-after-free vulnerability in the JavaScript DOM implementation in ...)
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: invasive patch to backport.
CVE-2009-1700 (The XSLT implementation in WebKit in Apple Safari before 4.0, iPhone ...)
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1699 (The XSL stylesheet implementation in WebKit in Apple Safari before ...)
- webkit 1.0.1-4 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1698 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
{DSA-1950-1 DSA-1868-1 DSA-1867-1}
- webkit 1.1.5-1 (medium; bug #534946)
NOTE: http://trac.webkit.org/changeset/42081
- - kdelibs 4:3.5.10.dfsg.1-2.1 (medium; bug #534952)
- - kde4libs 4:4.3.0-1 (medium; bug #534949)
- - qt4-x11 4:4.5.2-1 (medium; bug #534947)
CVE-2009-1697 (CRLF injection vulnerability in WebKit in Apple Safari before 4.0, ...)
{DSA-1950-1}
- webkit 1.1.15.2-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1696 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1695 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1694 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1693 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/35928
CVE-2009-1692 (WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1, ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: upstream (undisclosed) bug report is https://bugs.webkit.org/show_bug.cgi?id=23319
NOTE: http://trac.webkit.org/changeset/41741
CVE-2009-1691 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/32791
CVE-2009-1690 (Use-after-free vulnerability in WebKit, as used in Apple Safari before ...)
{DSA-1950-1 DSA-1868-1 DSA-1867-1}
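Review bot: under CVE-2009-1698 the hunk removes kdelibs 4:3.5.10.dfsg.1-2.1 (bug #534952), kde4libs 4:4.3.0-1 (bug #534949) and qt4-x11 4:4.5.2-1 (bug #534947), all fixed-version entries with their own bug numbers, while keeping the {DSA-1950-1 DSA-1868-1 DSA-1867-1} header. DSA-1950-1 appears alone on the webkit-only entries in this file, so DSA-1867-1 and DSA-1868-1 must belong to packages other than webkit; after this revert the entry cites two advisories for packages it no longer lists. These three lines look like exactly the checked entries the log says should stay, so they should be restored (compare CVE-2009-1690 and CVE-2009-1687 nearby, which carry the same three DSAs and whose package lines are untouched).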
@@ -8285,15 +8195,9 @@
CVE-2009-1689 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1688 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1687 (The JavaScript garbage collector in WebKit in Apple Safari before 4.0, ...)
{DSA-1950-1 DSA-1868-1 DSA-1867-1}
- webkit 1.1.5-1 (medium; bug #534946)
@@ -8304,20 +8208,11 @@
CVE-2009-1686 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1685 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
- webkit 1.0.1-4 (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1684 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1683 (The Telephony component in Apple iPhone OS 1.0 through 2.2.1 and ...)
NOT-FOR-US: iPhone
CVE-2009-1682 (Apple Safari before 4.0 does not properly check for revoked Extended ...)
@@ -8325,9 +8220,6 @@
CVE-2009-1681 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2009-1680 (Safari in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod ...)
NOT-FOR-US: Safari in Apple iPhone OS
CVE-2009-1679 (The Profiles component in Apple iPhone OS 1.0 through 2.2.1 and iPhone ...)
@@ -10959,7 +10851,6 @@
- qt4-x11 4:4.5.2-1 (medium; bug #532718)
- webkit 1.1.5-1 (medium; bug #532724; bug #532725)
NOTE: http://trac.webkit.org/changeset/43590
- - kdelibs <unfixed> (low; bug #561765)
- kde4libs 4:4.3.0-1 (medium; bug #534917)
[lenny] - kde4libs <not-affected> (khtml doesn't have SVG support)
NOTE: http://websvn.kde.org/?view=rev&revision=983302
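Review bot: the kdelibs <unfixed> (low; bug #561765) line removed here sits next to a lenny kde4libs <not-affected> (khtml doesn't have SVG support) entry. kdelibs is the 3.5.x series (cf. the 4:3.5.10.dfsg.1-2.1 version elsewhere in this diff); if its khtml likewise lacks SVG support, the correct state for kdelibs is <not-affected> with that same reason, not an absent entry. Suggest adding that line so the question is not reopened the next time someone checks embedded-code-copies for this CVE.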
@@ -17488,9 +17379,6 @@
CVE-2008-4724 (Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome ...)
- webkit 1.1.7-1 (low; bug #520052)
[lenny] - webkit <no-dsa> (Minor issue)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: webkit properly handles this issue with respect to extensions such as jpg and txt, but not in general; for example, the attack works for odp, xls, etc extensions (only tested with midori 0.1.4)
NOTE: not reproducible using iceweasel 3.0.1
CVE-2008-4723 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox ...)
@@ -18653,9 +18541,6 @@
NOT-FOR-US: Safari
CVE-2008-4231 (Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch ...)
- webkit <unfixed> (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: work with upstream to determine affected/not-affected webkit versions
CVE-2008-4230 (The Passcode Lock feature in Apple iPhone OS 1.0 through 2.1 and ...)
NOT-FOR-US: Apple
@@ -20278,9 +20163,6 @@
RESERVED
CVE-2008-3632 (Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through ...)
- webkit 1.0.1-4 (bug #499771)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
CVE-2008-3631 (Application Sandbox in Apple iPod touch 2.0 through 2.0.2, and iPhone ...)
NOT-FOR-US: Apple iPod
CVE-2008-3630 (mDNSResponder in Apple Bonjour for Windows before 1.0.5, when an ...)
@@ -23358,9 +23240,6 @@
NOT-FOR-US: Apple Mac OS X
CVE-2008-2320 (Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11 ...)
- webkit <unfixed> (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: work with upstream to determine affected/not-affected webkit versions
CVE-2008-2319
RESERVED
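Review bot: the CVE-2008-2320 description quoted in this hunk is "Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11 ...", a Mac OS X component rather than WebKit, yet the entry carries a webkit <unfixed> (medium; bug #535793) line and a TODO about webkit versions. Removing the three downstream copies is right, but the webkit line itself looks mis-assigned to this CVE; worth re-checking the full description and, if it is CarbonCore only, converting the entry to NOT-FOR-US like the neighbouring Apple entries.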
@@ -23394,9 +23273,6 @@
NOT-FOR-US: Alias Manager in Apple Mac OS X
CVE-2008-2307 (Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as ...)
- webkit 1.0.1-1
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
NOTE: http://trac.webkit.org/changeset/34204
CVE-2008-2306 (Apple Safari before 3.1.2 on Windows does not properly interpret the ...)
NOT-FOR-US: Windows issue
@@ -25075,9 +24951,6 @@
NOT-FOR-US: iPhone
CVE-2008-1588 (Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows ...)
- webkit <unfixed> (medium; bug #535793)
- - qt4-x11 <unfixed> (low; bug #561760)
- - kdelibs <unfixed> (low; bug #561765)
- - kde4libs <unfixed> (low; bug #561762)
TODO: work with upstream to determine affected/not-affected webkit versions
CVE-2008-1587
RESERVED
@@ -28205,9 +28078,6 @@
NOT-FOR-US: Mapbender
CVE-2008-0298 (KHTML WebKit as used in Apple Safari 2.x allows remote attackers to ...)
- webkit <unfixed> (unimportant)
- - qt4-x11 <unfixed> (unimportant; bug #561760)
- - kdelibs <unfixed> (unimportant; bug #561765)
- - kde4libs <unfixed> (unimportant; bug #561762)
NOTE: khtml originates from konqueror. browser crashes are considered unimportant
CVE-2008-0297 (PhotoKorn allows remote attackers to obtain database credentials via a ...)
NOT-FOR-US: PhotoKorn
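Review bot: CVE-2008-0298 is the one entry in this diff whose description names KHTML itself ("KHTML WebKit as used in Apple Safari 2.x"), and the kept NOTE records that khtml originates from konqueror, so the removed kdelibs <unfixed> (unimportant; bug #561765) line had a basis beyond the blanket copy-paste. Since the issue is already rated unimportant (browser crash), keeping a kdelibs entry at unimportant, or an explicit kdelibs <not-affected> after a check, would be more informative than no entry at all.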