[Secure-testing-commits] r13365 - data/CVE
Joey Hess
joeyh at alioth.debian.org
Tue Nov 24 09:14:23 UTC 2009
Author: joeyh
Date: 2009-11-24 09:14:23 +0000 (Tue, 24 Nov 2009)
New Revision: 13365
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-11-24 05:46:19 UTC (rev 13364)
+++ data/CVE/list 2009-11-24 09:14:23 UTC (rev 13365)
@@ -182,20 +182,23 @@
CVE-2009-3964 (SQL injection vulnerability in the NinjaMonials (com_ninjacentral) ...)
NOT-FOR-US: component for Joomla!
CVE-2009-3898 [ngingx webdav directory traversal]
+ RESERVED
- nginx 0.7.63-1 (low; bug #557389)
[etch] - nginx <no-dsa> (upload rights required)
[lenny] - nginx <no-dsa> (upload rights required)
CVE-2009-3897 [dovecot 0777 base_dir creation]
+ RESERVED
- dovecot <unfixed> (medium; bug #557601)
[lenny] - dovecot <not-affected> (Only affects 1.2.x)
[etch] - dovecot <not-affected> (Only affects 1.2.x)
NOTE: http://www.dovecot.org/list/dovecot-news/2009-November/000143.html, CVE requested on oss-sec
CVE-2009-4017 [php temporary files exhaustion DoS]
+ RESERVED
- php5 5.2.11.dfsg.1-2 (medium)
- php4 <unfixed> (medium)
NOTE: workarounds include using 5.3.1 or php5-suhosin
NOTE: 4B068517.802 at acunetix.com on bugtraq explains it
-CVE-2009-3080 [array indexing error in gdth_read_event() in drivers/scsi/gdth.c]
+CVE-2009-3080 (Array index error in the gdth_read_event function in ...)
- linux-2.6 <unfixed> (medium)
- linux-2.6.24 <removed> (medium)
NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=690e744869f3262855b83b4fb59199cf142765b0
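Review bot: the local bracketed description for CVE-2009-3898 still reads "ngingx" (the context line just above the first added RESERVED); that placeholder stays in the file until MITRE publishes its text, so correct it to "nginx" in the next manual edit. Also, swapping the CVE-2009-3080 bracket for the truncated MITRE text drops the explicit drivers/scsi/gdth.c reference; the NOTE with the kernel commitdiff URL still records the fix, so nothing is lost, but that URL is now the only pointer to the affected driver.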
@@ -2918,6 +2921,7 @@
CVE-2009-3008 (K-Meleon 1.5.3 allows context-dependent attackers to spoof the address ...)
NOT-FOR-US: K-Meleon
CVE-2009-3007 (Mozilla Firefox 3.5.1 and SeaMonkey 1.1.17, and Flock 2.5.1, allow ...)
+ {DSA-1922-1}
- xulrunner 1.9.1.3-3 (low)
- iceape 2.0-1 (low)
- webkit <not-affected> (proof-of-concept did not work)
@@ -38926,14 +38930,14 @@
CVE-2007-2385 (The Yahoo! UI framework exchanges data using JavaScript Object ...)
- yui <unfixed> (low; bug #557745)
[lenny] - yui <no-dsa> (minor issue)
- - bcfg2 <not-affected> (present in source but not included in any binary files)
- - serendipity <unfixed> (low; bug #557746)
+ - bcfg2 <not-affected> (present in source but not included in any binary files)
+ - serendipity <unfixed> (low; bug #557746)
[etch] - serendipity <no-dsa> (minor issue)
[lenny] - serendipity <no-dsa> (minor issue)
- - moodle <not-affected> (uses system libjs-yui)
- - jifty <unfixed> (low; bug #557748)
- - webgui <not-affected> (uses system libjs-yui)
- - loggerhead <not-affected> (uses system libjs-yui)
+ - moodle <not-affected> (uses system libjs-yui)
+ - jifty <unfixed> (low; bug #557748)
+ - webgui <not-affected> (uses system libjs-yui)
+ - loggerhead <not-affected> (uses system libjs-yui)
NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
NOTE: This allows to steal data from affected websites. Therefore web applications should
NOTE: only be considered vunerabile if they process confidential data.
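Review bot: this hunk is a whitespace-only change: the six lines from "- bcfg2 <not-affected> ..." to "- loggerhead <not-affected> ..." are removed and re-added with identical text, so only the leading indentation differs. Confirm the re-added lines carry the same indentation (tab vs spaces) as the "- yui <unfixed> ..." line above them so the tracker parser keeps them as package lines of CVE-2007-2385 rather than treating them as a new entry. The trailing NOTE still says "vunerabile" and "This allows to steal" (grammar); it is unchanged context here, so fix it in a follow-up rather than in this automatic commit.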