[Secure-testing-commits] r11955 - data/CVE

Fri May 22 19:51:11 UTC 2009

Author: jmm-guest
Date: 2009-05-22 19:51:11 +0000 (Fri, 22 May 2009)
New Revision: 11955

Modified:
   data/CVE/list
Log:
- minor evolution issue can be fixed with other issues
- new kernel issue
- new pidgin issues (update to be released soon)
- new openssl issues
- add explicit etch status for older neon issue
- add some kvm issues


Modified: data/CVE/list
===================================================================

--- data/CVE/list	2009-05-22 09:14:10 UTC (rev 11954)
+++ data/CVE/list	2009-05-22 19:51:11 UTC (rev 11955)
@@ -125,8 +125,11 @@
 CVE-2009-1631 (The Mailer component in Evolution 2.26.1 and earlier uses ...)
 	- evolution <unfixed> (low; bug #526409)
 	NOTE: minor issue, perhaps a no-dsa tag for etch and lenny will be appropiate? 
+	NOTE: This is minor, but since other Evolution issues need to be fixed anyway
+	NOTE: it can be fixed along
 CVE-2009-1630 (The nfs_permission function in fs/nfs/dir.c in the NFS client ...)
-	TODO: check
+	- linux-2.6 <unfixed>
+	- linux-2.6.24 <removed>
 CVE-2009-1629 (ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with ...)
 	- ajaxterm <unfixed> (medium; bug #528938) 
 CVE-2009-XXXX [eggdrop buffer overflow]
@@ -411,7 +414,9 @@
 	[etch] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29)
 	[lenny] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29)
 	NOTE: vulnerability introduced in commit d84f4f99, which has only been included in the kernel since 2.6.29
+	NOTE: However, d84f4f99 was introduced on 13th Nov 2008, so must've been included in 2.6.28 at least?
 	NOTE: it has been confirmed that an exploit in the wild is making use of this vulnerability
+	TODO: Verify exploit on earlier kernels
 CVE-2009-1526 (JBMC Software DirectAdmin before 1.334 allows local users to create or ...)
 	NOT-FOR-US: Directadmin
 CVE-2009-1525 (CMD_DB in JBMC Software DirectAdmin before 1.334 allows remote ...)
@@ -830,17 +835,29 @@
 CVE-2009-1379 (Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment ...)
 	TODO: check
 CVE-2009-1378 (Multiple memory leaks in the dtls1_process_out_of_seq_message function ...)
-	TODO: check
+	- openssl <unfixed>
+	- openssl097 <not-affected> (DTLS support was introduced in 0.9.8)
+	TODO: File bug
 CVE-2009-1377 (The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and ...)
-	TODO: check
-CVE-2009-1376
+	- openssl <unfixed>
+	- openssl097 <not-affected> (DTLS support was introduced in 0.9.8)
+	TODO: File bug
+CVE-2009-1376 [new pidgin issues]
 	RESERVED
-CVE-2009-1375
+	- pidgin 2.5.6-1
+	- gaim <removed>
+CVE-2009-1375 [new pidgin issues]
 	RESERVED
-CVE-2009-1374
+	- pidgin 2.5.6-1
+	- gaim <removed>
+CVE-2009-1374 [new pidgin issues]
 	RESERVED
-CVE-2009-1373
+	- pidgin 2.5.6-1
+	- gaim <removed>
+CVE-2009-1373 [new pidgin issues]
 	RESERVED
+	- pidgin 2.5.6-1
+	- gaim <removed>
 CVE-2009-1365 (Unspecified vulnerability in Adobe Flash Media Server (FMS) before ...)
 	NOT-FOR-US: Adobe Flash Media Server
 CVE-2009-1364 (Use-after-free vulnerability in the embedded GD library in libwmf ...)
@@ -11395,6 +11412,7 @@
 	NOTE: mechanism in the first place.
 CVE-2008-3746 (neon 0.28.0 through 0.28.2 allows remote servers to cause a denial of ...)
 	- neon27 0.28.2-4
+	- neon26 <not-affected> (Issue was introduced in 0.28)
 CVE-2008-3739 (Cross-site scripting (XSS) vulnerability in (1) System Consultants ...)
 	NOT-FOR-US: La!Cooda WIZ
 CVE-2008-3738 (Session fixation vulnerability in SpaceTag LacoodaST 2.1.3 and earlier ...)
@@ -22801,9 +22819,11 @@
 CVE-2007-5730 (Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly ...)
 	{DSA-1284-1}
 	- qemu 0.9.0-2 (bug #424070)
+	TODO: Affects KVM, check status
 CVE-2007-5729 (The NE2000 emulator in QEMU 0.8.2 allows local users to execute ...)
 	{DSA-1284-1}
 	- qemu 0.9.0-2 (bug #424070)
+	TODO: Affects KVM, check status
 CVE-2007-5728 (Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, ...)
 	{DSA-1693-1}
 	- phppgadmin 4.1.3-0.1 (bug #449103; low)
@@ -30408,6 +30428,7 @@
 CVE-2007-2893 (Heap-based buffer overflow in the bx_ne2k_c::rx_frame function in ...)
 	{DSA-1351-1}
 	- bochs 2.3+20070705-1 (low; bug #427144)
+	TODO: Affects KVM, check status
 CVE-2007-2892 (Cross-site scripting (XSS) vulnerability in news.asp in ASP-Nuke 2.0.7 ...)
 	NOT-FOR-US: ASP-Nuke
 CVE-2007-2891 (Multiple PHP remote file inclusion vulnerabilities in FirmWorX 0.1.2 ...)


