Author: derevko-guest
Date: 2009-12-21 22:09:22 +0000 (Mon, 21 Dec 2009)
New Revision: 13620
Modified:
data/CVE/list
data/spu-candidates.txt
Log:
CVE-2009-4079 and CVE-2009-4078 fixed in redmine 0.9.0~svn2902-1
CVE-2009-3701 fixed in horde3 3.3.6+debian0-1
jbossas4 issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-12-21 21:14:18 UTC (rev 13619)
+++ data/CVE/list 2009-12-21 22:09:22 UTC (rev 13620)
@@ -748,11 +748,9 @@
CVE-2009-4080 (Multiple unspecified vulnerabilities in ldap_cachemgr (aka the
LDAP ...)
NOT-FOR-US: ldap_cachemgr in Sun Solaris
CVE-2009-4079 (Cross-site request forgery (CSRF) vulnerability in Redmine
0.8.5 and ...)
- - redmine <unfixed>
- TODO: check
+ - redmine 0.9.0~svn2902-1
CVE-2009-4078 (Multiple cross-site scripting (XSS) vulnerabilities in Redmine
0.8.5 ...)
- - redmine <unfixed>
- TODO: check
+ - redmine 0.9.0~svn2902-1
CVE-2009-4077 (Cross-site request forgery (CSRF) vulnerability in Roundcube
Webmail ...)
- roundcube 0.3-1
CVE-2009-4076 (Cross-site request forgery (CSRF) vulnerability in Roundcube
Webmail ...)
@@ -1894,8 +1892,10 @@
RESERVED
CVE-2009-3701 [horde XSS via PHP_SELF]
RESERVED
- - horde3 <unfixed>
- TODO: check
+ - horde3 3.3.6+debian0-1 (low)
+ [lenny] - horde3 <no-dsa> (minor issue)
+ [etch] - horde3 <no-dsa> (minor issue)
+ NOTE: In order to successfully exploit this vulnerability the targeted
user has to be logged as an administrator.
CVE-2009-3700 (Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows
remote ...)
- squidguard <unfixed> (low; bug #553319)
CVE-2009-3699 (Stack-based buffer overflow in libcsa.a (aka the calendar
daemon ...)
@@ -2375,7 +2375,8 @@
{DSA-1934-1}
NOTE: See separate CVE-2009-3555 file in SVN
CVE-2009-3554 (Twiddle in Red Hat JBoss Enterprise Application Platform (aka
JBoss ...)
- TODO: check
+ - jbossas4 <unfixed> (bug #562000)
+ [lenny] - jbossas4 <no-dsa> (Contrib not supported)
CVE-2009-3553 (Use-after-free vulnerability in the abstract file-descriptor
handling ...)
- cups 1.4.2-4 (low; bug #557740)
- cupsys <not-affected> (vulnerable code introduced in 1.3.x)
@@ -6304,7 +6305,8 @@
[etch] - linux-2.6 <not-affected> (ecryptfs not yet present)
- linux-2.6.24 <removed>
CVE-2009-2405 (Multiple cross-site scripting (XSS) vulnerabilities in the Web
Console ...)
- TODO: check
+ - jbossas4 <unfixed> (bug #562000)
+ [lenny] - jbossas4 <no-dsa> (Contrib not supported)
CVE-2009-2404 (Heap-based buffer overflow in a regular-expression parser in
Mozilla ...)
{DSA-1874-1}
- nss 3.12.3-1 (low; bug #539934)
@@ -9084,7 +9086,8 @@
{DSA-1802-2}
- squirrelmail 2:1.4.19-1
CVE-2009-1380 (Cross-site scripting (XSS) vulnerability in JMX-Console in
JBossAs in ...)
- TODO: check
+ - jbossas4 <unfixed> (bug #562000)
+ [lenny] - jbossas4 <no-dsa> (Contrib not supported)
CVE-2009-1379 (Use-after-free vulnerability in the
dtls1_retrieve_buffered_fragment ...)
- openssl 0.9.8k-1 (low; bug #530400)
[lenny] - openssl 0.9.8g-15+lenny3
@@ -15132,7 +15135,7 @@
- linux-2.6 2.6.29-1
- linux-2.6.24 <removed>
CVE-2009-0027 (The request handler in JBossWS in JBoss Enterprise Application
...)
- - jbossas4 <unfixed>
+ - jbossas4 <unfixed> (bug #562000)
[lenny] - jbossas4 <no-dsa> (Contrib not supported)
CVE-2009-0026 (Multiple cross-site scripting (XSS) vulnerabilities in Apache
...)
NOT-FOR-US: Apache Jackrabbit
Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt 2009-12-21 21:14:18 UTC (rev 13619)
+++ data/spu-candidates.txt 2009-12-21 22:09:22 UTC (rev 13620)
@@ -119,6 +119,10 @@
--
+horde3 (CVE-2009-3701)
+
+--
+
htmldoc (CVE-2009-3050)
#537637
notified maintainer through initial bugreport
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
