[Secure-testing-commits] r14726 - data/CVE

Michael Gilbert gilbert-guest at alioth.debian.org
Sat May 22 02:20:28 UTC 2010 

Author: gilbert-guest
Date: 2010-05-22 02:20:21 +0000 (Sat, 22 May 2010)
New Revision: 14726

Modified:
   data/CVE/list
Log:
check-new-issues run

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2010-05-22 01:51:46 UTC (rev 14725)
+++ data/CVE/list	2010-05-22 02:20:21 UTC (rev 14726)
@@ -1,10 +1,8 @@
 CVE-2010-2007 (Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS ...)
 	- mydms <unfixed> (bug #582587; medium)
-	[lenny] - mydms <unfixed> (bug #582587; medium)
 	NOTE: seems to have changed name to letoDMS
 CVE-2010-2006 (Directory traversal vulnerability in op/op.Login.php in LetoDMS ...)
 	- mydms <unfixed> (bug #582587; medium)
-	[lenny] - mydms <unfixed> (bug #582587; medium)
 	NOTE: seems to have changed name to letoDMS
 CVE-2010-2005 (Multiple PHP remote file inclusion vulnerabilities in DataLife Engine ...)
 	NOT-FOR-US: Datalife Engine
@@ -13,15 +11,15 @@
 CVE-2010-2003 (Cross-site scripting (XSS) vulnerability in misc/get_admin.php in ...)
 	NOT-FOR-US: Advanced Poll
 CVE-2010-2002 (Cross-site scripting (XSS) vulnerability in the Wordfilter module 5.x ...)
-	- drupal6 <not-affected> (Vulnerable code not present)
+        NOT-FOR-US: Wordfilter module for Drupal
 CVE-2010-2001 (Cross-site scripting (XSS) vulnerability in the CiviRegister module ...)
-	- drupal6 <not-affected> (Vulnerable code not present)
+        NOT-FOR-US: CiviRegister module for Drupal
 CVE-2010-2000 (Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) ...)
-	- drupal6 <not-affected> (Vulnerable code not present)
+        NOT-FOR-US: Biblio module for Drupal
 CVE-2010-1999 (Directory traversal vulnerability in scr/soustab.php in OpenMairie ...)
-	NOT-FOR-US: OpenMairie Opencatalogue
+        NOT-FOR-US: OpenMairie
 CVE-2010-1998 (Cross-site scripting (XSS) vulnerability in the CCK TableField module ...)
-	- drupal6 <not-affected> (Vulnerable code not present)
+        NOT-FOR-US: CCK TableField module for Drupal
 CVE-2010-1997 (Cross-site scripting (XSS) vulnerability in admin/edit.php in Saurus ...)
 	NOT-FOR-US: Saurus CMS
 CVE-2010-1996 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...)
@@ -33,46 +31,59 @@
 CVE-2010-1993 (Opera 9.52 does not properly handle an IFRAME element with a mailto: ...)
 	NOT-FOR-US: Opera
 CVE-2010-1992 (Google Chrome 1.0.154.48 executes a mail application in situations ...)
-	- chromium-browser <not-affected> (Linux version seems to be unaffected)
+	- chromium-browser <unfixed> (unimportant)
 	NOTE: http://translate.google.com/translate?hl=en&u=http://websecurity.com.ua/4206/&sl=uk&tl=en
-	NOTE: tested with Chromium, only seems to open 1 new window, but does not cause DoS
-	NOTE: might be better to re-test later
+	NOTE: poc is just one window, but can be changed to open many
+	NOTE: this is a dos-only attack, so its considered unimportant
 CVE-2010-1991 (Microsoft Internet Explorer 6.0.2900.2180, 7, and 8.0.7600.16385 ...)
 	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2010-1990 (Mozilla Firefox 3.6.x, 3.5.x, 3.0.19, and earlier, and SeaMonkey, ...)
-	 - iceweasel <unfixed> (bug #582590; medium)
-	 [lenny] - iceweasel <unfixed> (bug #582590; medium)
+	- xulrunner <unfixed> (unimportant; bug #582590)
+	- iceape <unfixed> (unimportant)
+	NOTE: browser dos attacks are not considered security-relevant
 CVE-2010-1989 (Opera 9.52 executes a mail application in situations where an IMG ...)
 	NOT-FOR-US: Opera
 CVE-2010-1988 (Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to ...)
-	TODO: check
+	- xulrunner <unfixed> (unimportant)
+	- iceape <unfixed> (unimportant)
+	NOTE: these poc's do lead to heavy resource consumption on xulrunner 1.9.1.9, but it does not crash (that may be a windows-specific symptom)
+	TODO: check 3.6.3
 CVE-2010-1987 (Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to ...)
-	TODO: check
+	- xulrunner <unfixed> (unimportant)
+	- iceape <unfixed> (unimportant)
+	NOTE: these poc's do lead to heavy resource consumption on xulrunner 1.9.1.9, but it does not crash (that may be a windows-specific symptom)
+	TODO: check 3.6.3
 CVE-2010-1986 (Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to ...)
-	TODO: check
+	- xulrunner <unfixed> (unimportant)
+	- iceape <unfixed> (unimportant)
+	NOTE: these poc's do lead to heavy resource consumption on xulrunner 1.9.1.9, but it does not crash (that may be a windows-specific symptom)
+	TODO: check 3.6.3
 CVE-2010-1985 (Multiple cross-site scripting (XSS) vulnerabilities in the ...)
-	TODO: check
+	NOT-FOR-US: Six Apart Movable type
 CVE-2010-1984 (Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb ...)
-	TODO: check
+	NOT-FOR-US: Taxonomy Breadcrumb module for Drupal
 CVE-2010-1983 (Directory traversal vulnerability in the redTWITTER (com_redtwitter) ...)
-	TODO: check
+	NOT-FOR-US: com_redtwitter component for joomla!
 CVE-2010-1982 (Directory traversal vulnerability in the JA Voice (com_javoice) ...)
-	TODO: check
+	NOT-FOR-US: com_javoice component for joomla!
 CVE-2010-1981 (Directory traversal vulnerability in the Fabrik (com_fabrik) component ...)
-	TODO: check
+	NOT-FOR-US: com_fabrik component for joomla!
 CVE-2010-1980 (Directory traversal vulnerability in joomlaflickr.php in the Joomla ...)
-	TODO: check
+	NOT-FOR-US: com_joomlaflickr component for joomla!
 CVE-2010-1979 (Directory traversal vulnerability in the Affiliate Datafeeds ...)
-	TODO: check
+	NOT-FOR-US: com_datafeeds component for joomla!
 CVE-2010-1978 (PHP remote file inclusion vulnerability in default_theme.php in ...)
-	TODO: check
+	NOT-FOR-US: FreePHPBlogSoftware
 CVE-2010-1977 (Directory traversal vulnerability in the J!WHMCS Integrator ...)
-	TODO: check
+	NOT-FOR-US: com_jwhmcs component for joomla!
 CVE-2010-1976 (Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb ...)
-	TODO: check
+	NOT-FOR-US: Taxonomy Breadcrumb module for Drupal
 CVE-2010-1975 (PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, ...)
+	- postgresql-8.4 <undetermined>
+	- postgresql-8.3 <undetermined>
 	TODO: check
 CVE-2010-1974 (Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module ...)
+	- perl <undetermined>
 	TODO: check
 CVE-2010-1973
 	RESERVED
@@ -107,19 +118,19 @@
 CVE-2010-1958
 	RESERVED
 CVE-2010-1957 (Directory traversal vulnerability in the Love Factory ...)
-	TODO: check
+	NOT-FOR-US: com_lovefactory component for joomla!
 CVE-2010-1956 (Directory traversal vulnerability in the Gadget Factory ...)
-	TODO: check
+	NOT-FOR-US: com_gadgetfactory component for joomla!
 CVE-2010-1955 (Directory traversal vulnerability in the Deluxe Blog Factory ...)
-	TODO: check
+	NOT-FOR-US: com_blogfactory component for joomla!
 CVE-2010-1954 (Directory traversal vulnerability in the iNetLanka Multiple root ...)
-	TODO: check
+	NOT-FOR-US: com_multiroot component for joomla!
 CVE-2010-1953 (Directory traversal vulnerability in the iNetLanka Multiple Map ...)
-	TODO: check
+	NOT-FOR-US: com_multimap component for joomla!
 CVE-2010-1952 (Directory traversal vulnerability in the BeeHeard (com_beeheard) and ...)
-	TODO: check
+	NOT-FOR-US: com_beeheard component for joomla!
 CVE-2010-1951 (Multiple directory traversal vulnerabilities in 60cycleCMS allow ...)
-	TODO: check
+	NOT-FOR-US: 60cycleCMS
 CVE-2010-1950 (SQL injection vulnerability in the Online News Paper Manager ...)
 	NOT-FOR-US: Online News Paper Manager
 CVE-2010-1949 (SQL injection vulnerability in the Online News Paper Manager ...)
@@ -856,13 +867,16 @@
 CVE-2010-1631
 	RESERVED
 CVE-2010-1630 (Unspecified vulnerability in posting.php in phpBB before 3.0.5 has ...)
-	TODO: check
+	- phpbb3 <unfixed>
 CVE-2010-1629 (Cross-site scripting (XSS) vulnerability in Phorum before 5.2.15 ...)
-	TODO: check
+	NOT-FOR-US: Phorum
 CVE-2010-1628 (Ghostscript 8.64, 8.70, and possibly other versions allows ...)
-	TODO: check
+	- ghostscript <unfixed>
+	NOTE: no upstream fix available, see issue #1 in ubuntu bug report:
+	NOTE: https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/546009
+	NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=691295
 CVE-2010-1627 (feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check ...)
-	TODO: check
+	- phpbb3 <unfixed>
 CVE-2010-1626
 	RESERVED
 	- mysql-dfsg-5.1 <unfixed>
@@ -1408,7 +1422,7 @@
 	- wireshark <unfixed> (unimportant)
 	NOTE: Not triggerable remotely
 CVE-2010-1454 (com.springsource.tcserver.serviceability.rmi.JmxSocketListener in ...)
-	TODO: check
+	NOT-FOR-US: VMware
 CVE-2010-1453 (Cross-site scripting (XSS) vulnerability in the Login form in Piwik ...)
 	- piwik <itp> (bug #506933)
 CVE-2010-1452
@@ -1424,6 +1438,8 @@
 	- lxr-cvs <unfixed>
 	TODO: prod maintainer (and find out why we have lxr and lxr-cvs)
 CVE-2010-1447 (PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, ...)
+	- postgresql-8.4 <undetermined>
+	- postgresql-8.3 <undetermined>
 	TODO: check
 CVE-2010-1446 [kgbd issue]
 	RESERVED
@@ -2458,7 +2474,7 @@
 CVE-2010-1040 (The &quot;IP address range limitation&quot; function in OpenPNE 1.6 through 1.8, ...)
 	NOT-FOR-US: OpenPNE
 CVE-2010-1039 (Unspecified vulnerability in NFS/ONCplus B.11.31_09 and earlier on HP ...)
-	TODO: check
+	NOT-FOR-US: HP-UX
 CVE-2010-1038 (Unspecified vulnerability in HP System Insight Manager before 6.0 ...)
 	NOT-FOR-US: HP System Insight Manager
 CVE-2010-1037 (Cross-site request forgery (CSRF) vulnerability in HP System Insight ...)
@@ -2563,9 +2579,9 @@
 	[lenny] - kdenetwork <not-affected> (Metalink plugin not yet present)
 	NOTE: http://seclists.org/fulldisclosure/2010/May/165
 CVE-2010-0999 (Directory traversal vulnerability in Free Download Manager (FDM) ...)
-	TODO: check
+	NOT-FOR-US: Free Download Manager
 CVE-2010-0998 (Multiple stack-based buffer overflows in Free Download Manager (FDM) ...)
-	TODO: check
+	NOT-FOR-US: Free Download Manager
 CVE-2010-0997 (Cross-site scripting (XSS) vulnerability in ...)
 	NOT-FOR-US: e107
 CVE-2010-0996 (Unrestricted file upload vulnerability in e107 before 0.7.20 allows ...)
@@ -3315,13 +3331,13 @@
 CVE-2010-0778
 	RESERVED
 CVE-2010-0777 (The Web Container in IBM WebSphere Application Server (WAS) 6.0 before ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2010-0776 (The Web Container in IBM WebSphere Application Server (WAS) 6.0 before ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2010-0775 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2010-0774 (The (1) JAX-RPC WS-Security 1.0 and (2) JAX-WS runtime implementations ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2010-0773
 	RESERVED
 CVE-2010-0772 (Unspecified vulnerability in the channel process in IBM WebSphere MQ ...)
@@ -82852,9 +82868,11 @@
 CVE-2004-1734 (PHP remote file inclusion vulnerability in Mantis 0.19.0a allows ...)
 	- mantis 0.19.2-1
 CVE-2004-1733 (Directory traversal vulnerability in MyDMS 1.4.2 and other versions ...)
-	NOT-FOR-US: MyDMS
+	- mydms <undetermined>
+	TODO: check
 CVE-2004-1732 (SQL injection vulnerability in out.ViewFolder.php in MyDMS before ...)
-	NOT-FOR-US: MyDMS
+	- mydms <undetermined>
+	TODO: check
 CVE-2004-1731 (signup_page.php in Mantis bugtracker allows remote attackers to send ...)
 	- mantis 0.19.0-1
 CVE-2004-1730 (Cross-site scripting (XSS) vulnerability in Mantis bugtracker allows ...)

More information about the Secure-testing-commits mailing list