[Secure-testing-commits] r12885 - data/CVE

Giuseppe Iuculano derevko-guest at alioth.debian.org
Fri Sep 25 14:36:29 UTC 2009


Author: derevko-guest
Date: 2009-09-25 14:36:28 +0000 (Fri, 25 Sep 2009)
New Revision: 12885

Modified:
   data/CVE/list
Log:
- NFUs
- glib2.0 minor issue
- CVE-2009-3287 fixed in thin 1.2.4-1
- CVE-2009-3237 fixed in horde3 3.3.5+debian0-1
- CVE-2008-721{8,9} old horde issues
- Insecure pid directory permissions for postfix
- CVE-2009-2701 fixed in zodb 1:3.9.0-1


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2009-09-25 11:55:39 UTC (rev 12884)
+++ data/CVE/list	2009-09-25 14:36:28 UTC (rev 12885)
@@ -29,33 +29,33 @@
 CVE-2009-3320 (Cross-site scripting (XSS) vulnerability in scrivi.php in Zenas ...)
 	NOT-FOR-US: Zenas PaoLink (aka Pao-Link)
 CVE-2009-3319 (SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 ...)
-	TODO: check
+	NOT-FOR-US: DCI-Designs Dawaween
 CVE-2009-3318 (Directory traversal vulnerability in the Roland Breedveld Album ...)
-	TODO: check
+	NOT-FOR-US: Roland Breedveld Album (com_album) component 1.14 for Joomla!
 CVE-2009-3317 (PHP remote file inclusion vulnerability in pages/pageHeader.php in ...)
-	TODO: check
+	NOT-FOR-US: OpenSiteAdmin
 CVE-2009-3316 (SQL injection vulnerability in the JReservation (com_jreservation) ...)
-	TODO: check
+	NOT-FOR-US: JReservation (com_jreservation) component 1.0 and 1.5 for Joomla!
 CVE-2009-3315 (SQL injection vulnerability in admin/index.php in NeLogic Nephp ...)
-	TODO: check
+	NOT-FOR-US: NeLogic Nephp Publisher Enterprise
 CVE-2009-3314 (SQL injection vulnerability in ladders.php in Elite Gaming Ladders 3.2 ...)
-	TODO: check
+	NOT-FOR-US: Elite Gaming Ladders
 CVE-2009-3313 (Multiple SQL injection vulnerabilities in FMyClone 2.3 allow remote ...)
-	TODO: check
+	NOT-FOR-US: FMyClone
 CVE-2009-3312 (PHP remote file inclusion vulnerability in php/init.poll.php in ...)
-	TODO: check
+	NOT-FOR-US: phpPollScript
 CVE-2009-3311 (Cross-site scripting (XSS) vulnerability in index.php in ...)
-	TODO: check
+	NOT-FOR-US: RSSMediaScript
 CVE-2009-3310 (SQL injection vulnerability in index.php in Zainu 1.0 allows remote ...)
-	TODO: check
+	NOT-FOR-US: Zainu
 CVE-2009-3309 (SQL injection vulnerability in index.cfm in CF ShopKart 5.4 beta ...)
-	TODO: check
+	NOT-FOR-US: CF ShopKart
 CVE-2009-3308 (SQL injection vulnerability in show-cat.php in FanUpdate 2.2.1 allows ...)
-	TODO: check
+	NOT-FOR-US: FanUpdate
 CVE-2009-3307 (Multiple PHP remote file inclusion vulnerabilities in FSphp 0.2.1 ...)
-	TODO: check
+	NOT-FOR-US: FSphp
 CVE-2009-3306 (PHP remote file inclusion vulnerability in include/header.php in ...)
-	TODO: check
+	NOT-FOR-US: ClearSite
 CVE-2009-3305
 	RESERVED
 CVE-2009-3304
@@ -90,15 +90,16 @@
 	- php5 5.2.11.dfsg.1-1
 	TODO: check etch, lenny and php4
 CVE-2009-3289 (The g_file_copy function in glib 2.0 sets the permissions of a target ...)
-	TODO: check
+	- glib2.0 2.22.0-1 (low)
+	NOTE: no-dsa candidate, minor issue
 CVE-2009-3287 (lib/thin/connection.rb in Thin web server before 1.2.4 relies on the ...)
-	TODO: check
+	- thin 1.2.4-1 (low)
 CVE-2009-3285
 	RESERVED
 CVE-2009-3284 (Directory traversal vulnerability in phpspot PHP BBS, PHP Image ...)
-	TODO: check
+	NOT-FOR-US: phpspot Products
 CVE-2009-3283 (Cross-site scripting (XSS) vulnerability in phpspot PHP BBS, PHP Image ...)
-	TODO: check
+	NOT-FOR-US: phpspot Products
 CVE-2009-3282
 	RESERVED
 CVE-2009-3281
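Review bot: the glib2.0 entry records its no-dsa decision only as a free-form NOTE, whereas this file expresses that as a suite-tagged line, e.g. `[lenny] - glib2.0 <no-dsa> (Minor issue)` as the kde4libs entry further down does, and neither the glib2.0 nor the thin line says whether the etch and lenny packages are affected. Suggest adding `[etch]`/`[lenny]` status lines for both so the stable suites' status is explicit rather than implied by version comparison.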
@@ -106,23 +107,23 @@
 CVE-2009-3280 (Integer signedness error in the find_ie function in ...)
 	TODO: check
 CVE-2009-3279 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 ...)
-	TODO: check
+	NOT-FOR-US: QNAP TS-239 Pro and TS-639
 CVE-2009-3278 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 ...)
-	TODO: check
+	NOT-FOR-US: QNAP TS-239 Pro and TS-639 
 CVE-2009-3277 (DataVault.Tesla/Impl/TypeSystem/AssociationHelper.cs in datavault ...)
-	TODO: check
+	NOT-FOR-US: datavault
 CVE-2009-3276 (Zoran/WinFormsAdvansed/RegeularDataToXML/Form1.cs in WinFormsAdvansed ...)
-	TODO: check
+	NOT-FOR-US: NASD CORE.NET Terelik (aka corenet1)
 CVE-2009-3275 (Blocks/Common/Src/Configuration/Manageability/Adm/AdmContentBuilder.cs ...)
-	TODO: check
+	NOT-FOR-US: Microsoft patterns & practices Enterprise Library
 CVE-2009-3274 (Mozilla Firefox 3.6a1, 3.5.2, and earlier 2.x and 3.x versions on ...)
 	TODO: check
 CVE-2009-3273 (iPhone Mail in Apple iPhone OS, and iPhone OS for iPod touch, does not ...)
-	TODO: check
+	NOT-FOR-US: Apple iPhone
 CVE-2009-3272 (Stack consumption vulnerability in WebKit.dll in WebKit in Apple ...)
 	TODO: check
 CVE-2009-3271 (Apple Safari on iPhone OS 3.0.1 allows remote attackers to cause a ...)
-	TODO: check
+	NOT-FOR-US: Apple Safari on iPhone OS 3.0.1
 CVE-2009-3290 (The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the ...)
 	- linux-2.6 <unfixed> (high)
 	[etch] - linux-2.6 <not-affected> (introduced in 2.6.25)
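Review bot: the CVE-2009-3278 line has trailing whitespace after `TS-639 `, and both the CVE-2009-3279 and CVE-2009-3278 entries name the product as `TS-639` while the same firmware is entered as `TS-639 Pro` in the CVE-2009-3200 hunk of this commit; suggest `NOT-FOR-US: QNAP TS-239 Pro and TS-639 Pro` for both, without the trailing space.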
@@ -212,7 +213,7 @@
 CVE-2009-3238 (The get_random_int function in drivers/char/random.c in the Linux ...)
 	TODO: check
 CVE-2009-3237 (Multiple cross-site scripting (XSS) vulnerabilities in Horde ...)
-	TODO: check
+	- horde3 3.3.5+debian0-1
 CVE-2009-3235 (Multiple stack-based buffer overflows in the Sieve plugin in Dovecot ...)
 	{DSA-1893-1 DSA-1892-1}
 	- cyrus-imapd-2.2 2.2.13-17 (medium; bug #547947)
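Review bot: the horde3 fixed-version line for CVE-2009-3237 carries no severity and no bug reference, unlike the neighbouring entry `- cyrus-imapd-2.2 2.2.13-17 (medium; bug #547947)`, and does not say whether the horde3 packages in etch and lenny are affected by these XSS issues; suggest adding a severity and, where known, per-suite status lines.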
@@ -296,7 +297,7 @@
 CVE-2009-3201 (Integer overflow in Media Player Classic 6.4.9 allows user-assisted ...)
 	NOT-FOR-US: Media Player Classic
 CVE-2009-3200 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 ...)
-	TODO: check
+	NOT-FOR-US: QNAP TS-239 Pro and TS-639 Pro
 CVE-2009-3199 (Uebimiau Webmail 3.2.0-2.0 stores sensitive information under the web ...)
 	NOT-FOR-US: Uebimiau Webmail
 CVE-2009-3198 (Cross-site scripting (XSS) vulnerability in search.php in JCE-Tech ...)
@@ -381,9 +382,15 @@
 CVE-2008-7220 (Unspecified vulnerability in Prototype JavaScript framework ...)
 	- prototypejs 1.6.0.2-1
 CVE-2008-7219 (Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 ...)
-	TODO: check
+	- kronolith2 2.1.7-1 (unknown)
+	- nag2 2.1.4-1 (unknown)
+	- mnemo2 2.1.2-1 (unknown)
 CVE-2008-7218 (Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 ...)
-	TODO: check
+	- horde3 3.1.6-1 (unknown)
+	- turba2 2.1.7-1 (unknown)
+	- kronolith2 2.1.7-1 (unknown)
+	- nag2 2.1.4-1 (unknown)
+	- mnemo2 2.1.2-1 (unknown)
 CVE-2008-7217 (Microsoft Office 2008 for Mac, when running on Macintosh systems that ...)
 	NOT-FOR-US: Microsoft Office
 CVE-2007-6732 (Multiple buffer overflows in the dtt_load function in ...)
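Review bot: all five fixed-version lines added for CVE-2008-7219 and CVE-2008-7218 use `(unknown)` as the severity, which leaves the tracker without an actual assessment; since the log message describes these as old Horde issues already fixed in the listed versions, either a concrete severity or a NOTE explaining why it is left open would be clearer.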
@@ -1318,7 +1325,7 @@
 CVE-2009-2940
 	RESERVED
 CVE-2009-2939 (The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix ...)
-	TODO: check
+	- postfix 2.6.5-3 (low)
 CVE-2009-2938
 	RESERVED
 CVE-2009-2937 (Cross-site scripting (XSS) vulnerability in Planet 2.0 and Planet ...)
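Review bot: CVE-2009-2939 is, per its description, a bug in Debian's own postfix.postinst script, so the postfix packages in the stable suites are the ones most likely to carry it, yet the entry records only `- postfix 2.6.5-3 (low)` with no `[etch]`/`[lenny]` lines and no bug number; suggest adding the Debian bug reference and an explicit per-suite status so the stable suites' handling is recorded here rather than left implied.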
@@ -1964,11 +1971,11 @@
 CVE-2009-2745
 	RESERVED
 CVE-2009-2744 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2009-2743 (IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27 does not ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2009-2742 (Cross-site scripting (XSS) vulnerability in Eclipse Help in IBM ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2009-2741 (Unspecified vulnerability in the wberuntimeear application in the test ...)
 	NOT-FOR-US: IBM WebSphere Business Events 
 CVE-2009-2740 (kmxIds.sys before 7.3.1.18 in CA Host-Based Intrusion Prevention ...)
@@ -2264,7 +2271,9 @@
 	- kde4libs <unfixed> (low; bug #546218)
 	[lenny] - kde4libs <no-dsa> (Minor issue)
 CVE-2009-2701 (Unspecified vulnerability in the Zope Enterprise Objects (ZEO) ...)
-	TODO: check
+	- zodb 1:3.9.0-1
+	[etch] - zodb <not-affected> (The vulnerability was introduced in ZODB 3.8)
+	[lenny] - zodb <not-affected> (The vulnerability was introduced in ZODB 3.8)
 CVE-2009-2700 (src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not ...)
 	- qt4-x11 <unfixed> (medium; bug #545793)
 	[etch] - qt4-x11 <not-affected> (QSsl* classes were introduced in Qt 4.3)
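Review bot: the `- zodb 1:3.9.0-1` line carries no severity annotation, unlike the surrounding fixed-version lines (`(low)`, `(medium; bug #545793)`); the two `<not-affected>` lines are fine, but a severity on the unstable line would keep the entry consistent with the rest of the file.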
