[Secure-testing-commits] r15555 - data/CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Tue Nov 2 22:09:16 UTC 2010
Author: jmm-guest
Date: 2010-11-02 22:09:15 +0000 (Tue, 02 Nov 2010)
New Revision: 15555
Modified:
data/CVE/list
Log:
- monotone fixed, not in Lenny
- new rails issue only affects more recent releases
- remove a few historic webkit TODOs
- two freetype issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2010-11-02 14:22:28 UTC (rev 15554)
+++ data/CVE/list 2010-11-02 22:09:15 UTC (rev 15555)
@@ -105,7 +105,8 @@
CVE-2010-4099 (ess.pm in NitroSecurity NitroView ESM 8.4.0a, when ESSPMDebug is ...)
NOT-FOR-US: NitroSecurity NitroView
CVE-2010-4098 (monotone before 0.48.1, when configured to allow remote commands, ...)
- TODO: check
+ - monotone 0.48-3
+ [lenny] - monotone <not-affected> (Vulnerable feature introduced in 0.46)
CVE-2010-4097 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...)
NOT-FOR-US: Aardvark Topsites PHP
CVE-2010-4095 (Directory traversal vulnerability in the FTP client in Serengeti ...)
@@ -494,7 +495,7 @@
CVE-2010-3934 (The browser in Research In Motion (RIM) BlackBerry Device Software ...)
NOT-FOR-US: BlackBerry Device Software
CVE-2010-3933 (Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested ...)
- TODO: check
+ - rails <not-affected> (Only affects >= 2.3.9, which is not yet in the archive)
CVE-2010-3932
RESERVED
CVE-2010-3931
@@ -664,6 +665,7 @@
[squeeze] - eglibc 2.11.2-6+squeeze1
CVE-2010-3855
RESERVED
+ - freetype <unfixed> (bug filed)
CVE-2010-3854
RESERVED
CVE-2010-3853
@@ -789,6 +791,7 @@
RESERVED
CVE-2010-3814
RESERVED
+ - freetype <unfixed> (bug filed)
CVE-2010-3813
RESERVED
CVE-2010-3812
@@ -1156,7 +1159,7 @@
CVE-2010-3655 (Stack-based buffer overflow in dirapi.dll in Adobe Shockwave Player ...)
NOT-FOR-US: Adobe Shockwave Player
CVE-2010-3654 (Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, ...)
- TODO: check
+ NOT-FOR-US: Adobe Flash
CVE-2010-3653 (The Director module (dirapi.dll) in Adobe Shockwave Player before ...)
NOT-FOR-US: Adobe Shockwave
CVE-2010-3652
@@ -1345,7 +1348,7 @@
NOTE: http://code.google.com/p/pyftpdlib/issues/detail?id=104
CVE-2010-3493 (Multiple race conditions in smtpd.py in the smtpd module in Python ...)
- python3.1 3.1.2+20100829-1
- - python2.6 <unfixed> (low; bug #601690)
+ - python2.6 2.6.6-1 (low; bug #601690)
- python2.5 <unfixed>
[lenny] - python2.5 <no-dsa> (Minor issue)
CVE-2010-3492 (The asyncore module in Python before 3.2 does not properly handle ...)
@@ -4845,7 +4848,6 @@
CVE-2010-2264 (The Cascading Style Sheets (CSS) implementation in WebKit in Apple ...)
- webkit <undetermined>
- chromium-browser 6.0.466.0~r52279-1
- TODO: someone with access to webkit security list please track down commit
NOTE: This is a large series of risky behaviour-changing changesets.
NOTE: upstream changelog says this is fixed in 1.2.3, but i'm doubtful of that
CVE-2010-2263 (nginx 0.8 before 0.8.40 and 0.7 before 0.7.66, when running on ...)
@@ -5685,7 +5687,6 @@
CVE-2010-1940 (Apple Safari 4.0.5 on Windows sends the "Authorization: Basic" header ...)
- chromium-browser <not-affected>
- webkit <not-affected>
- TODO: someone with access to the webkit security list please track down commit
NOTE: Safari-specific. Chromium and Safari have totally separate HTTP stacks.
CVE-2010-1939 (Use-after-free vulnerability in Apple Safari 4.0.5 on Windows allows ...)
- chromium-browser <not-affected>
@@ -6156,7 +6157,6 @@
- webkit <undetermined>
- chromium-browser <undetermined>
NOTE: claimed fixed in upstream webkit 1.2.4 changelog, but no info currently available
- TODO: check
CVE-2010-1780 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.1 on ...)
- webkit 1.2.5-1
- chromium-browser 5.0.375.125~r53311-1
@@ -6202,7 +6202,6 @@
CVE-2010-1769 (WebKit in Apple iTunes before 9.2 on Windows, and Apple iOS before 4 ...)
- webkit <undetermined>
- chromium-browser 5.0.375.55~r47796-1
- TODO: someone with access to the webkit security list please track down commit
CVE-2010-1768 (Unspecified vulnerability in Apple iTunes before 9.1 allows local ...)
NOT-FOR-US: Apple iTunes
CVE-2010-1767 (Cross-site request forgery (CSRF) vulnerability in ...)
@@ -6234,7 +6233,6 @@
- chromium-browser 5.0.375.55~r47796-1
NOTE: https://bugs.webkit.org/show_bug.cgi?id=39008
NOTE: http://trac.webkit.org/changeset/59486
- TODO: recheck newer webkit uploads
CVE-2010-1762 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
- webkit 1.2.2-1
- chromium-browser 5.0.375.55~r47796-1
@@ -6267,7 +6265,6 @@
NOTE: is CVE-2010-2441 a dup of this?
NOTE: chromium-sec don't have info
NOTE: Sounds like it could be iPhone specific
- TODO: someone with access to the webkit security list please track down the commit
CVE-2010-1756 (The Settings application in Apple iOS before 4 on the iPhone and iPod ...)
NOT-FOR-US: Apple iPhone
CVE-2010-1755 (Safari in Apple iOS before 4 on the iPhone and iPod touch does not ...)
@@ -6286,7 +6283,6 @@
NOTE: apple hasn't disclosed enough info to check
NOTE: From Apple's advisory: "This issue does not affect Mac OS X systems." Implies it may be outside of WebKit
NOTE: chromium-sec don't have info
- TODO: someone with access to the webkit security list please track down the commit
CVE-2010-1749 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on ...)
- webkit 1.2.1-2
- chromium-browser 5.0.342.9~r43360-1
More information about the Secure-testing-commits
mailing list