Author: derevko-guest Date: 2009-09-10 08:36:51 +0000 (Thu, 10 Sep 2009) New Revision: 12780
Modified: data/CVE/list data/spu-candidates.txt Log: - NFUs - two minor no-dsa candidate mod_proxy_ftp issues - CVE-2008-607{0,1,2) were fixed in graphicsmagick 1.2.3-1 - two new rails issues Modified: data/CVE/list =================================================================== --- data/CVE/list 2009-09-10 05:35:54 UTC (rev 12779) +++ data/CVE/list 2009-09-10 08:36:51 UTC (rev 12780) @@ -25,13 +25,19 @@ CVE-2009-3098 (Unspecified vulnerability in the Portal in HP Operations Dashboard 2.1 ...) NOT-FOR-US: HP Operations Dashboard CVE-2009-3097 (Multiple unspecified vulnerabilities in HP Performance Insight 5.3 on ...) - TODO: check + NOT-FOR-US: HP Performance Insight CVE-2009-3096 (Multiple unspecified vulnerabilities in HP Performance Insight 5.3 ...) NOT-FOR-US: HP Performance Insight CVE-2009-3095 (The mod_proxy_ftp module in the Apache HTTP Server allows remote ...) + - apache2 <unfixed> (unknown; bug #545951) TODO: check + NOTE: as of 20090910 this disclosure has no actionable information + NOTE: based on a VulnDisco commercial 0day CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the ...) - TODO: check + - apache2 <unfixed> (low; bug #545951) + NOTE: no-dsa candidate. + NOTE: mod_proxy_ftp should be enabled. with -mpm-prefork only a child crashes, not a really DoS + NOTE: when doing reverse proxy, servers to which requests are proxied are usually trusted CVE-2009-3093 (Unspecified vulnerability on the ASUS WL-500W wireless router has ...) NOT-FOR-US: ASUS WL-500W CVE-2009-3092 (Buffer overflow on the ASUS WL-500W wireless router has unknown impact ...) 
@@ -43,11 +49,11 @@ CVE-2009-3089 (IBM Tivoli Directory Server (TDS) 6.0 allows remote attackers to cause ...) NOT-FOR-US: IBM Tivoli Directory Server CVE-2009-3088 (Heap-based buffer overflow in ibmdiradm in IBM Tivoli Directory Server ...) - TODO: check + NOT-FOR-US: IBM Tivoli Directory Server CVE-2009-3087 (Unspecified vulnerability in nserver.exe in the server in IBM Lotus ...) NOT-FOR-US: IBM Lotus Domino CVE-2009-3086 (A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x ...) - TODO: check + - rails <unfixed> (low; bug #545063) CVE-2009-3085 (The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not ...) TODO: check CVE-2009-3084 (The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c ...) @@ -326,7 +332,7 @@ NOTE: This is a web site issue (open redirector), not a browser problem. - iceweasel <unfixed> (unimportant) CVE-2009-3009 (Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before ...) - TODO: check + - rails <unfixed> (low; bug #545063) CVE-2009-3008 (K-Meleon 1.5.3 allows context-dependent attackers to spoof the address ...) NOT-FOR-US: K-Meleon CVE-2009-3007 (Mozilla Firefox 3.5.1 and SeaMonkey 1.1.17, and Flock 2.5.1, allow ...) 
@@ -9142,11 +9148,11 @@ CVE-2008-6073 (StorageCrypt 2.0.1 does not properly encrypt disks, which allows local ...) NOT-FOR-US: StorageCrypt CVE-2008-6072 (Multiple unspecified vulnerabilities in GraphicsMagick before 1.1.14, ...) - - graphicsmagick <unfixed> + - graphicsmagick 1.2.3-1 CVE-2008-6071 (Heap-based buffer overflow in the DecodeImage function in ...) - - graphicsmagick <unfixed> + - graphicsmagick 1.2.3-1 CVE-2008-6070 (Multiple heap-based buffer underflows in the ReadPALMImage function in ...) - - graphicsmagick <unfixed> + - graphicsmagick 1.2.3-1 CVE-2008-6069 (SQL injection vulnerability in e107chat.php in the eChat plugin 4.2 ...) NOT-FOR-US: eChat plugin CVE-2008-6068 (SQL injection vulnerability in the JoomlaDate (com_joomladate) ...) Modified: data/spu-candidates.txt =================================================================== --- data/spu-candidates.txt 2009-09-10 05:35:54 UTC (rev 12779) +++ data/spu-candidates.txt 2009-09-10 08:36:51 UTC (rev 12780) @@ -31,12 +31,6 @@ -- -burn: (no CVE yet) -#542329 -notified maintainer through bug report - --- - compiz-fusion-plugins-main (CVE-2008-6514) notified maintainer
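Review bot: In the data/CVE/list hunk at @@ -25,13, the CVE-2009-3094 note "mod_proxy_ftp should be enabled." reads as a recommendation rather than a precondition; wording it as "only affects setups with mod_proxy_ftp enabled" would remove the ambiguity. In the same hunk CVE-2009-3095 gains a package line and two NOTEs but keeps its "TODO: check", and the log calls both mod_proxy_ftp issues no-dsa candidates while only CVE-2009-3094 carries that note; either drop the TODO or state what is still to be checked.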
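Review bot: The rails entry added for CVE-2009-3086 in the hunk at @@ -43,11 is rated low with no NOTE giving the reasoning, unlike the apache2 entries in the first hunk; a one-line NOTE saying why it is low would keep the rating reviewable. The same applies to CVE-2009-3009 at @@ -326,7, and since both entries point at bug #545063 it is worth confirming that the report covers both issues.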
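Review bot: The data/spu-candidates.txt hunk at @@ -31,12 removes the burn entry (#542329, "no CVE yet"), but the log message does not mention this removal. Add a line to the log saying why the candidate was dropped, so the history of #542329 can be followed from the commit alone.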