[Secure-testing-commits] r17423 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Fri Oct 14 15:57:21 UTC 2011


Author: jmm
Date: 2011-10-14 15:57:21 +0000 (Fri, 14 Oct 2011)
New Revision: 17423

Modified:
   data/CVE/list
Log:
- new etherape issue (no-dsa)
- new cyrus issue (front desk, please create ticket)
- new webkit issues (likely also chromium)
- NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2011-10-14 09:02:12 UTC (rev 17422)
+++ data/CVE/list	2011-10-14 15:57:21 UTC (rev 17423)
@@ -1,12 +1,6 @@
 CVE-2011-XXXX [Ruby 1.9.2-p290 WEBrick::HTTPRequest X-Forwarded-*]
 	TODO: check
 	NOTE: http://www.openwall.com/lists/oss-security/2011/10/12/5
-CVE-2011-XXXX [XSS in phorum before 5.2.18]
-	TODO: check
-	NOTE: http://www.openwall.com/lists/oss-security/2011/10/10/7
-CVE-2011-XXXX [fluxbb: only affected with FORUM_BEHIND_REVERSE_PROXY enabled]
-	TODO: check
-	NOTE: http://www.openwall.com/lists/oss-security/2011/10/10/9
 CVE-2011-XXXX [media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers]
 	TODO: check
 	NOTE: https://bugs.gentoo.org/show_bug.cgi?id=285370
@@ -1148,27 +1142,22 @@
 	[lenny] - conky 1.6.0-2+lenny1
 CVE-2011-3615 [unknown security issue in simple machines forum]
 	RESERVED
-	TODO: check
-	NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/3
+	NOT-FOR-US: Simple Machines Forum
 CVE-2011-3614 [vanilla plugin access control]
 	RESERVED
-	NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/2
+	NOT-FOR-US: Vanilla Forums
 CVE-2011-3613 [vanilla forums cookie theft]
 	RESERVED
-	TODO: check
-	NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/2
+	NOT-FOR-US: Vanilla Forums
 CVE-2011-3612 [HTB22913: Multiple CSRF in UseBB]
 	RESERVED
-	TODO: check
-	NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/1
+	NOT-FOR-US: UseBB
 CVE-2011-3611 [HTB22914: Local File Inclusion in UseBB]
 	RESERVED
-	TODO: check
-	NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/1
+	NOT-FOR-US: UseBB
 CVE-2011-3610 [serendipity freetag plugin before 3.30 and probably others]
 	RESERVED
-	TODO: check
-	NOTE: http://www.openwall.com/lists/oss-security/2011/10/08/2
+	NOT-FOR-US: Serendipity plugin
 CVE-2011-3609
 	RESERVED
 CVE-2011-3608
@@ -1276,12 +1265,17 @@
 	RESERVED
 CVE-2011-3581
 	RESERVED
+	- ldns <unfixed>
+	NOTE: http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=403
+	NOTE: https://secunia.com/advisories/46153/
+	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=741024
+	TODO: File bug
 CVE-2011-3580 (IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote ...)
-	TODO: check
+	NOT-FOR-US: IceWarp Mail Server
 CVE-2011-3579 (server/webmail.php in IceWarp WebMail in IceWarp Mail Server before ...)
-	TODO: check
+	NOT-FOR-US: IceWarp Mail Server
 CVE-2011-3578 (Cross-site scripting (XSS) vulnerability in ...)
-	TODO: check
+	TODO: check, whether this was fixed in the DSA for CVE-2011-3357
 CVE-2004-2770
 	REJECTED
 CVE-2011-3577 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.3 ...)
@@ -1437,11 +1431,11 @@
 CVE-2011-3503 (Untrusted search path vulnerability in eSignal 10.6.2425.1208, and ...)
 	NOT-FOR-US: eSignal
 CVE-2011-3502 (The web server in Cogent DataHub 7.1.1.63 and earlier allows remote ...)
-	TODO: check
+	NOT-FOR-US: Cogent DataHub
 CVE-2011-3501 (Integer overflow in Cogent DataHub 7.1.1.63 and earlier allows remote ...)
-	TODO: check
+	NOT-FOR-US: Cogent DataHub
 CVE-2011-3500 (Directory traversal vulnerability in the web server in Cogent DataHub ...)
-	TODO: check
+	NOT-FOR-US: Cogent DataHub
 CVE-2011-3499 (Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote ...)
 	NOT-FOR-US: Progea Movicon / PowerHMI
 CVE-2011-3498 (Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and ...)
@@ -1455,7 +1449,7 @@
 CVE-2011-3494 (WinSig.exe in eSignal 10.6.2425 and earlier allows remote attackers to ...)
 	NOT-FOR-US: eSignal
 CVE-2011-3493 (Multiple stack-based buffer overflows in the DH_OneSecondTick function ...)
-	TODO: check
+	NOT-FOR-US: Cogent DataHub
 CVE-2011-3492 (Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and ...)
 	NOT-FOR-US: Azeotech DAQFactory
 CVE-2011-3491 (Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and ...)
@@ -1469,11 +1463,13 @@
 CVE-2011-3487 (Directory traversal vulnerability in CarelDataServer.exe in Carel ...)
 	NOT-FOR-US: Carel PlantVisor
 CVE-2011-3486 (Beckhoff TwinCAT 2.11.0.2004 and earlier allows remote attackers to ...)
-	TODO: check
+	NOT-FOR-US: Beckhoff TwinCAT
 CVE-2011-3485
 	RESERVED
 CVE-2011-3481 (The index_get_ids function in index.c in imapd in Cyrus IMAP Server ...)
-	TODO: check
+	- cyrus-imapd-2.2 <unfixed>
+	- cyrus-imapd-2.4 2.4.11-1
+	- kolab-cyrus-imapd <unfixed>
 CVE-2011-3480
 	RESERVED
 CVE-2011-3479
@@ -1609,9 +1605,9 @@
 CVE-2009-5099 (Cross-site scripting (XSS) vulnerability in ViewAction in Pentaho BI ...)
 	TODO: check
 CVE-2009-5098 (The LunaSysMgr process in Palm Pre WebOS 1.1 and earlier, when not ...)
-	TODO: check
+	NOT-FOR-US: Palm WebOS
 CVE-2009-5097 (Palm Pre WebOS 1.1 and earlier processes JavaScript in email messages, ...)
-	TODO: check
+	NOT-FOR-US: Palm WebOS
 CVE-2009-5096 (Cross-site scripting (XSS) vulnerability in the Flag Content module ...)
 	NOT-FOR-US: Drupal module Flag Content
 	NOTE: might get packaged
@@ -1759,9 +1755,9 @@
 	[lenny] - php5 <not-affected> (Introduced in 5.3.7)
 CVE-2011-3378
 	RESERVED
-	- rpm <unfixed> (low)
-	NOTE: Marking as unimportant since rpm isn't used as a package manager
-	TODO: File bug
+	- rpm <unfixed> (low; bug #645325)
+	[squeeze] - rpm <no-dsa> (rpm isn't used a a package manager, very limited attack vector)
+	[lenny] - rpm <no-dsa> (rpm isn't used a a package manager, very limited attack vector)
 CVE-2011-3377
 	RESERVED
 CVE-2011-3376
@@ -1787,7 +1783,9 @@
 CVE-2011-3370
 	RESERVED
 CVE-2011-3369 (The add_conversation function in conversations.c in EtherApe before ...)
-	TODO: check
+	- etherape <unfixed> (low; bug #645324)
+	[lenny] - etherape <no-dsa> (Minor issue)
+	[squeeze] - etherape <no-dsa> (Minor issue)
 CVE-2011-3368 (The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, ...)
 	- apache2 2.2.21-2 (medium)
 	NOTE: http://article.gmane.org/gmane.comp.apache.announce/61
@@ -1907,7 +1905,7 @@
 CVE-2011-3333
 	RESERVED
 CVE-2011-3332 (Stack-based buffer overflow in Iceni Argus 6.20 and earlier and Infix ...)
-	TODO: check
+	NOT-FOR-US: Iceni Argus
 CVE-2011-3331
 	RESERVED
 CVE-2011-3330
@@ -2103,32 +2101,40 @@
 CVE-2011-3245
 	RESERVED
 CVE-2011-3244 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...)
-	TODO: check
+	- chromium-browser <undetermined>
+	- webkit <undetermined>
 CVE-2011-3243
 	RESERVED
 CVE-2011-3242
 	RESERVED
 CVE-2011-3241 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...)
-	TODO: check
+	- chromium-browser <undetermined>
+	- webkit <undetermined>
 CVE-2011-3240
 	RESERVED
 CVE-2011-3239 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...)
-	TODO: check
+	- chromium-browser <undetermined>
+	- webkit <undetermined>
 CVE-2011-3238 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...)
-	TODO: check
+	- chromium-browser <undetermined>
+	- webkit <undetermined>
 CVE-2011-3237 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...)
-	TODO: check
+	- chromium-browser <undetermined>
+	- webkit <undetermined>
 CVE-2011-3236 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...)
-	TODO: check
+	- chromium-browser <undetermined>
+	- webkit <undetermined>
 CVE-2011-3235 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...)
-	TODO: check
+	- chromium-browser <undetermined>
+	- webkit <undetermined>
 CVE-2011-3234 (Google Chrome before 14.0.835.163 does not properly handle boxes, ...)
 	- chromium-browser 14.0.835.163~r101024-1
 	[squeeze] - chromium-browser <not-affected>
 	- webkit <undetermined>
 	NOTE: http://trac.webkit.org/changeset/92132
 CVE-2011-3233 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...)
-	TODO: check
+	- chromium-browser <undetermined>
+	- webkit <undetermined>
 CVE-2011-3232 (YARR, as used in Mozilla Firefox before 7.0, Thunderbird before 7.0, ...)
 	- xulrunner <not-affected> (Only affects Firefox >= 4)
 	- iceweasel 7.0-1
@@ -2161,7 +2167,7 @@
 CVE-2011-3220
 	RESERVED
 CVE-2011-3219 (Buffer overflow in CoreMedia, as used in Apple iTunes before 10.5, ...)
-	TODO: check
+	NOT-FOR-US: Apple CoreMedia
 CVE-2011-3218
 	RESERVED
 CVE-2011-3217




More information about the Secure-testing-commits mailing list