[Secure-testing-commits] r16055 - data/CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Thu Feb 3 22:33:14 UTC 2011
Author: jmm
Date: 2011-02-03 22:33:14 +0000 (Thu, 03 Feb 2011)
New Revision: 16055
Modified:
data/CVE/list
Log:
- two piwigo issues fixed before initial upload
- vbox not-affected
- yui non-issue
- jboss not-affected
- remove some historic TODOs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2011-02-03 21:15:33 UTC (rev 16054)
+++ data/CVE/list 2011-02-03 22:33:14 UTC (rev 16055)
@@ -239,7 +239,8 @@
CVE-2011-0650 (Cross-site request forgery (CSRF) vulnerability in Greenbone Security ...)
NOT-FOR-US: Greenbone Security Manager appliance
CVE-2010-4710 (Cross-site scripting (XSS) vulnerability in the addItem method in the ...)
- TODO: check
+ - yui <unfixed> (unimportant)
+ NOTE: Mostly a case of mis-documentation
CVE-2010-4709 (Heap-based buffer overflow in Automated Solutions Modbus/TCP Master ...)
NOT-FOR-US: Automated Solutions Modbus/TCP Master
CVE-2011-0649
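Review bot: The NOTE added under CVE-2010-4710 ("Mostly a case of mis-documentation") gives no pointer to where that conclusion comes from, while the yui line stays <unfixed>. Suggest a second NOTE with the reference (bug or upstream discussion) showing why the addItem XSS is a documentation problem, so the (unimportant) rating can be re-verified later.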
@@ -1218,7 +1219,6 @@
- xpdf <not-affected> (no stackheight)
- poppler <not-affected> (stackheights introduced after 0.12)
NOTE: http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9
- TODO: recheck when poppler > 0.12 gets uploaded
CVE-2010-4653
RESERVED
- kdegraphics 4.0
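Review bot: The TODO removed under the poppler line was the only marker that this <not-affected> is conditional: the stated reason is "stackheights introduced after 0.12". With the TODO gone, nothing prompts a recheck once a poppler newer than 0.12 is uploaded. Suggest keeping the condition as a NOTE (for example "NOTE: recheck when poppler > 0.12 is uploaded") rather than deleting it.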
@@ -1871,7 +1871,6 @@
- perl <undetermined>
- libcgi-pm-perl <undetermined>
- libcgi-simple-perl <undetermined>
- - bugzilla <unfixed>
TODO: check
NOTE: http://www.bugzilla.org/security/3.2.9/
CVE-2010-4571
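Review bot: The bugzilla <unfixed> line is dropped with no replacement status, and the commit log does not mention bugzilla. The NOTE pointing at http://www.bugzilla.org/security/3.2.9/ and the "TODO: check" both remain, so the entry still refers to Bugzilla but no longer tracks the package. If bugzilla is fixed or not affected, suggest recording that explicitly (a fixed version, or <not-affected> with a reason) instead of removing the line.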
@@ -2437,7 +2436,7 @@
CVE-2010-4415 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local ...)
NOT-FOR-US: Solaris
CVE-2010-4414 (Unspecified vulnerability in Oracle VM VirtualBox 4.0 allows local ...)
- TODO: check
+ - virtualbox-ose <not-affected> (Support for extensions was added in 4.x, see #611925)
CVE-2010-4413 (Unspecified vulnerability in the Scheduler Agent component in Oracle ...)
NOT-FOR-US: Oracle Database
CVE-2010-4412 (Multiple cross-site scripting (XSS) vulnerabilities in pfSense 2 beta ...)
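Review bot: The reason on the new virtualbox-ose line says when the feature appeared upstream ("Support for extensions was added in 4.x") but not that the packaged version predates 4.x, which is what makes <not-affected> true. Suggest stating that in the parenthesis, and adding a NOTE that the status needs revisiting when a 4.x version is uploaded, since the CVE description names VirtualBox 4.0.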
@@ -11279,7 +11278,6 @@
- webkit <not-affected> (v8 and webgl not yet included)
- chromium-browser 5.0.375.29~r46008-1
NOTE: http://trac.webkit.org/changeset/55376
- TODO: recheck as newer webkits get uploaded
CVE-2010-1232 (Google Chrome before 4.1.249.1036 allows remote attackers to cause a ...)
- webkit 1.1.90-1
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
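Review bot: On the entry above CVE-2010-1232, chromium-browser has a fixed version but webkit is <not-affected> only because "v8 and webgl not yet included". Removing the recheck TODO drops the one line that tied that status to the current package contents. Suggest converting it to a NOTE that names the condition (v8 or webgl being enabled in webkit) instead of deleting it.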
@@ -15150,7 +15148,6 @@
CVE-2009-XXXX [ampache DoS and CSRF]
- ampache 3.5.3-1 (low)
[lenny] - ampache <no-dsa> (minor issue)
- TODO: request CVE and publish more details
CVE-2009-4423 (SQL injection vulnerability in index.php in weenCompany 4.0.0 allows ...)
NOT-FOR-US: weenCompany
CVE-2009-4422 (Multiple cross-site scripting (XSS) vulnerabilities in the ...)
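Review bot: The entry is still keyed as CVE-2009-XXXX [ampache DoS and CSRF], so removing "TODO: request CVE and publish more details" leaves a placeholder id with no record of whether a CVE was ever requested. Suggest either replacing the placeholder with the assigned id, or adding a NOTE that no CVE was requested, so the entry explains itself.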
@@ -15168,7 +15165,6 @@
CVE-2009-4417 (The shutdown function in the Zend_Log_Writer_Mail class in Zend ...)
NOTE: the CVE talks about the Zend Framework, but the culprit
NOTE: is actually piwik
- TODO: discuss it on oss-sec
CVE-2009-4416 (Cross-site scripting (XSS) vulnerability in login.php in phpGroupWare ...)
{DSA-1978-1}
- phpgroupware 1:0.9.16.012+dfsg-9
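Review bot: After the TODO is removed, the CVE-2009-4417 entry consists of the description and two NOTE lines only, with no package line and no NOT-FOR-US. The NOTEs say the culprit is piwik rather than the Zend Framework, so suggest recording a status that matches that finding (a line for the affected package, or NOT-FOR-US if it is not in the archive) in the same change.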
@@ -15521,7 +15517,6 @@
CVE-2010-0051 (WebKit in Apple Safari before 4.0.5 does not properly validate the ...)
NOTE: http://trac.webkit.org/changeset/52784
NOTE: duplicate of CVE-2010-0651
- TODO: request rejection for this CVE
CVE-2010-0050 (Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 ...)
- chromium-browser 6.0.466.0~r52279-1
- webkit 1.1.90-1 (bug #574064)
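Review bot: The removed line under CVE-2010-0051 was "TODO: request rejection for this CVE", and the visible entry does not say whether the rejection was requested. Suggest a NOTE recording the outcome, and since the entry is marked "duplicate of CVE-2010-0651", a pointer that package status is tracked under that id.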
@@ -16406,8 +16401,7 @@
CVE-2009-4040 (Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.0.17 and ...)
NOT-FOR-US: phpMyFAQ
CVE-2009-4039 (Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows ...)
- - piwigo <undetermined>
- TODO: check
+ - piwigo <not-affected> (Fixed before initial upload to the archive)
CVE-2009-4038 (Multiple cross-site scripting (XSS) vulnerabilities in NCH Software ...)
NOT-FOR-US: NCH Software Axon Virtual PBX
CVE-2009-4037 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) before ...)
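Review bot: The new piwigo line for CVE-2009-4039 asserts "Fixed before initial upload to the archive" without naming the version first uploaded. The description puts the fix in Piwigo 2.0.6, so suggest adding the first uploaded version to the parenthesis or a NOTE, which makes the claim checkable from the tracker alone.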
@@ -18066,7 +18060,6 @@
- php5 <not-affected> (the php packages use the system libgd2)
NOTE: http://svn.php.net/viewvc?view=revision&revision=289557
NOTE: <20091015173822.084de220 at redhat.com> in OSS-sec
- TODO: check
CVE-2009-3545 (DataWizard Technologies FtpXQ FTP Server 3.0 allows remote ...)
NOT-FOR-US: DataWizard Technologies FtpXQ FTP Server
CVE-2009-3544 (Xerver HTTP Server 4.32 allows remote attackers to obtain the source ...)
@@ -18711,7 +18704,6 @@
- php5 <not-affected> (the php packages use the system libgd2)
- php4 <not-affected> (the php packages use the system libgd2)
NOTE: the transparent colours functionality is only on php5's bundled libgd2
- TODO: watch for possible merge of the transparent colours functionality into libgd2
CVE-2009-3292 (Unspecified vulnerability in PHP before 5.2.11, and 5.3.x before ...)
{DSA-1940-1}
- php5 5.2.11.dfsg.1-1 (low)
@@ -20119,8 +20111,7 @@
CVE-2009-2934 (Multiple stack-based buffer overflows in xaudio.dll in Programmed ...)
NOT-FOR-US: Programmed Integration PIPL
CVE-2009-2933 (SQL injection vulnerability in comments.php in Piwigo before 2.0.3 ...)
- - piwigo <undetermined>
- TODO: check
+ - piwigo <not-affected> (Fixed before initial upload to the archive)
CVE-2009-2932 (Cross-site scripting (XSS) vulnerability in uddiclient/process in the ...)
NOT-FOR-US: SAP NetWeaver
CVE-2009-2931 (Directory traversal vulnerability in p.php in SlideShowPro Director ...)
@@ -21777,7 +21768,6 @@
- neon26 <not-affected> (neon26 is compiled to use libxml2 instead of expat)
- neon <removed>
[etch] - neon <not-affected> (neon is compiled to use libxml2 instead of expat)
- TODO: check whether gnome-vfs2 and litmus are also not-affected; do they also libxml2?
CVE-2009-2472 (Mozilla Firefox before 3.0.12 does not always use ...)
{DSA-1840-1}
- xulrunner 1.9.0.12-1
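Review bot: The removed TODO asked whether gnome-vfs2 and litmus are also not-affected, and this hunk adds no status line for either package. If they were checked, suggest adding their lines with the reason (as done for neon26: "compiled to use libxml2 instead of expat"); if not, the TODO should stay.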
@@ -22845,8 +22835,6 @@
[etch] - dhttpd <no-dsa> (Minor issue)
[lenny] - dhttpd <no-dsa> (Minor issue)
- lighttpd <not-affected>
- TODO: follow-up with maintainers (exploit site says these servers vulnerable, but i have not checked, asked maintainers to do so)
- TODO: determine if any of the other webservers are affected
CVE-2009-2107 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...)
NOT-FOR-US: Webmedia Explorer
CVE-2009-XXXX [ShowConfigTab unintentionally grants rights intended for SuperUsers]
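Review bot: Both removed TODOs recorded open verification work, and the first states the statuses were not confirmed ("i have not checked, asked maintainers to do so"); nothing in this hunk records the result. The lighttpd <not-affected> line also carries no reason. Suggest adding the reason in parentheses on the lighttpd line, or a NOTE with the maintainers' answer, before dropping the TODOs.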
@@ -27867,7 +27855,6 @@
- kdelibs 4:3.5.10.dfsg.1-3 (medium; bug #559265)
- kde4libs 4:4.3.4-1 (medium; bug #559266)
[lenny] - kde4libs <no-dsa> (Only uses by a few packages in Lenny, hardly any attack vector)
- TODO: Someone posted a long list of dtoa embedded to debian-devel some time ago
CVE-2009-0688 (Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 ...)
{DSA-1807-1 DTSA-200-1 DTSA-201-1}
- cyrus-sasl2 2.1.23.dfsg1-1 (bug #528749)
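Review bot: The removed TODO was the only hint in this entry that other packages embed dtoa; kdelibs and kde4libs are the only sources listed. Suggest replacing it with a NOTE that references the debian-devel list of embedded copies, or stating that those copies were reviewed, so the remaining coverage is not read as complete by default.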
@@ -36924,8 +36911,7 @@
CVE-2008-3274 (The default configuration of Red Hat Enterprise IPA 1.0.0 and FreeIPA ...)
NOT-FOR-US: FreeIPA
CVE-2008-3273 (JBoss Enterprise Application Platform (aka JBossEAP or EAP) before ...)
- - jbossas4 <undetermined>
- TODO: check
+ - jbossas4 <not-affected> (Only provides a few class libs)
CVE-2008-3272 (The snd_seq_oss_synth_make_info function in ...)
{DSA-1636-1 DSA-1630-1}
- linux-2.6.24 2.6.24-6~etchnhalf.5
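Review bot: The reason on the new jbossas4 line, "Only provides a few class libs", does not say which component the CVE affects or that it is absent from the package. Suggest naming the vulnerable component and stating it is not shipped, in line with how other <not-affected> reasons in this file identify the missing code.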
@@ -50095,7 +50081,6 @@
[lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
- libgd2 2.0.35.dfsg-3
[etch] - libgd2 2.0.33-5.2etch1
- TODO: check
CVE-2007-4891 (A certain ActiveX control in PDWizard.ocx 6.0.0.9782 and earlier in ...)
NOT-FOR-US: PDWizard
CVE-2007-4890 (Absolute directory traversal vulnerability in a certain ActiveX ...)
@@ -52246,7 +52231,6 @@
[lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
NOTE: Debian's PHP packages are linked dynamically against libgd
NOTE: see http://www.php.net/releases/5_2_4.php
- TODO: check
CVE-2007-3995
RESERVED
CVE-2007-3994
@@ -53514,7 +53498,6 @@
[squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
[lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
NOTE: CPU consumption DoS
- TODO: check
CVE-2007-3476 (Array index error in gd_gif_in.c in the GD Graphics Library (libgd) ...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (low)
@@ -53523,7 +53506,6 @@
[squeeze] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
[lenny] - plt-scheme <no-dsa> (Only present in one of the sample packages (plot)
NOTE: can write a 0 to a 4k window in heap, very unlikely to be controllable.
- TODO: check
CVE-2007-3475 (The GD Graphics Library (libgd) before 2.0.35 allows user-assisted ...)
- libgd2 <unfixed> (unimportant)
NOTE: out-of-band memory read, does not appear attacker controlled.