[Secure-testing-commits] r12264 - data/CVE

Giuseppe Iuculano derevko-guest at alioth.debian.org
Fri Jul 3 18:56:36 UTC 2009


Author: derevko-guest
Date: 2009-07-03 18:56:34 +0000 (Fri, 03 Jul 2009)
New Revision: 12264

Modified:
   data/CVE/list
Log:
- NFUs
- CVE-2009-2285 already fixed in tiff 3.8.2-12
- CVE-2008-6845 fixed in clamav 0.94.dfsg-1
- CVE-2009-2210, CVE-2009-1392 fixed in icedove 2.0.0.22-1
- CVE-2008-6838 seems to be a duplicate of CVE-2008-3258
- zoph upstream reported another Cross-Site Scripting Vulnerability


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-07-03 18:45:28 UTC (rev 12263)
+++ data/CVE/list	2009-07-03 18:56:34 UTC (rev 12264)
@@ -51,7 +51,8 @@
 CVE-2009-2287 (The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel ...)
 	TODO: check
 CVE-2009-2285 (Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 ...)
-	TODO: check
+	- tiff 3.8.2-12 (low; bug #534137)
+	NOTE: this doesn't allow code execution, only a crash.
 CVE-2009-2283 (Multiple cross-site scripting (XSS) vulnerabilities in the help jsp ...)
 	NOT-FOR-US: Sun Java Web Console in Solaris 
 CVE-2009-2282 (The Virtual Network Terminal Server daemon (vntsd) for Logical Domains ...)
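Review bot: the new NOTE on CVE-2009-2285 asserts "this doesn't allow code execution, only a crash" without saying where that assessment comes from, yet it is what justifies the "low" severity on the line above it. A buffer underflow in a decoder is not crash-only by default, so point the NOTE at the source of the claim (the analysis in bug #534137 or the upstream fix) so the severity can be re-checked later, e.g. "NOTE: per #534137 the underflow only reads out of bounds, no code execution".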
@@ -61,17 +62,17 @@
 CVE-2008-6846 (Multiple stack-based buffer overflows in avast! Linux Home Edition ...)
 	NOT-FOR-US: avast! Linux Home Edition
 CVE-2008-6845 (The unpack feature in ClamAV 0.93.3 and earlier allows remote ...)
-	TODO: check
+	- clamav 0.94.dfsg-1
 CVE-2008-6844 (The registration view (/user/register) in eZ Publish 3.5.6 and ...)
-	TODO: check
+	NOT-FOR-US: eZ Publish
 CVE-2008-6843 (Directory traversal vulnerability in index.php in Fantastico, as used ...)
 	NOT-FOR-US: Fantastico
 CVE-2008-6842 (Directory traversal vulnerability in ...)
-	TODO: check
+	NOT-FOR-US: Pluck
 CVE-2008-6841 (PHP remote file inclusion vulnerability in the Green Mountain ...)
-	TODO: check
+	NOT-FOR-US: component for Joomla!
 CVE-2008-6840 (Multiple PHP remote file inclusion vulnerabilities in V-webmail 1.6.4 ...)
-	TODO: check
+	NOT-FOR-US: V-webmail
 CVE-2009-XXXX [multiple drupal issues]
 	- drupal6 <unfixed> (bug #535435)
 	- drupal5 <unfixed> (bug #535476)
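Review bot: the CVE-2008-6845 line "- clamav 0.94.dfsg-1" carries neither a severity nor a bug reference, unlike the other fixed entries in this commit (compare "- tiff 3.8.2-12 (low; bug #534137)"); since the description says the unpack feature "allows remote ...", a severity marker and, if one exists, the Debian bug number would make the entry consistent with the rest of the list. Minor: "NOT-FOR-US: component for Joomla!" is vaguer than the neighbouring NOT-FOR-US markers, which name the affected product; naming the Green Mountain component from the CVE description would make it easier to match later.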
@@ -179,7 +180,7 @@
 CVE-2009-2234 (Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call ...)
 	NOT-FOR-US: VICIDIAL Call Center Suite
 CVE-2009-2210 (Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow ...)
-	- icedove <unfixed>
+	- icedove 2.0.0.22-1
 	- iceape <unfixed>
 	- kompozer <not-affected> (mail suite not compiled)
 	TODO: check on the details once the Mozilla bug has been made public
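Review bot: after "- icedove 2.0.0.22-1" replaces "<unfixed>", the unchanged "TODO: check on the details once the Mozilla bug has been made public" now applies only to the still-open iceape line, but reads as if the whole entry were unresolved. Either reword the TODO to name iceape as the remaining target, or drop it if the details are no longer needed for icedove, so the entry does not look contradictory.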
@@ -189,9 +190,14 @@
 	NOT-FOR-US: TGS Content Management
 CVE-2008-6838 (Cross-site scripting (XSS) vulnerability in search.php in Zoph 0.7.2.1 ...)
 	- zoph <unfixed> (low; bug #535188)
+	NOTE: it seems a duplicate of CVE-2008-3258 
 CVE-2008-6837 (SQL injection vulnerability in Zoph 0.7.2.1 allows remote attackers to ...)
 	- zoph <unfixed> (bug #535188)
 	NOTE: the details are unknown
+CVE-2009-XXXX [Zoph Cross-Site Scripting Vulnerability]
+	- zoph <unfixed> (low; bug #535188)
+	NOTE: http://sourceforge.net/tracker/?func=detail&aid=2815898&group_id=69353&atid=524249
+	NOTE: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=694128
 CVE-2008-6836 (Cross-site request forgery (CSRF) vulnerability in OpenID 5.x before ...)
 	NOT-FOR-US: OpenID module for Drupal
 CVE-2008-6835 (Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, ...)
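Review bot: "NOTE: it seems a duplicate of CVE-2008-3258" is tentative while the entry keeps its own "- zoph <unfixed> (low; bug #535188)" line, so the same issue will be counted twice as open until the duplicate is confirmed; check the CVE-2008-3258 entry and cross-reference it from both sides once confirmed. The line also has trailing whitespace after "CVE-2008-3258". The new "CVE-2009-XXXX [Zoph Cross-Site Scripting Vulnerability]" entry reuses bug #535188, which is already attached to CVE-2008-6838 and CVE-2008-6837; say in a NOTE whether that bug is meant to track all three Zoph issues or whether a separate bug should be filed for the newly reported XSS.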
@@ -2353,7 +2359,7 @@
 	- xulrunner 1.9.0.11-1
 	[squeeze] - xulrunner 1.9.0.11-0lenny1
 	[etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support)
-	- icedove <unfixed>
+	- icedove 2.0.0.22-1
 	TODO: determine whether icedove truely affected or whether issue solely within xulrunner
 CVE-2009-1391 (Off-by-one error in the inflate function in Zlib.xs in ...)
 	- perl 5.10.0-23 (medium; bug #532736)
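Review bot: marking "- icedove 2.0.0.22-1" as the fixed version (the log attributes this to CVE-2009-1392) while the next line still says "TODO: determine whether icedove truely affected or whether issue solely within xulrunner" is contradictory: if 2.0.0.22-1 resolves the issue, update or remove the TODO; if icedove was never affected, "<not-affected>" (as used for kompozer earlier in this file) is the right marker rather than a fixed version. Style: "truely" should be "truly".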