Author: jmm-guest
Date: 2010-07-01 20:19:08 +0000 (Thu, 01 Jul 2010)
New Revision: 14945

Modified:
   data/CVE/list
   data/spu-candidates.txt
Log:
- moodle fixed
- adapt severity of tiff crashers; without real security impact
- bugnums
- acidbase issue (mostly fixed, all no-dsa)
- rewrite cherokee entry


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2010-07-01 19:43:34 UTC (rev 14944)
+++ data/CVE/list       2010-07-01 20:19:08 UTC (rev 14945)
@@ -104,22 +104,13 @@
        RESERVED
 CVE-2010-2483 [OOB read in TIFFRGBAImageGet()]
        RESERVED
-       - tiff <unfixed> (low)
-       - freeimage <undetermined>
-       - libtk-img <undetermined>
-       - gdal <undetermined>
+       - tiff <unfixed> (unimportant)
 CVE-2010-2482 [NULL pointer dereference due to invalid td_stripbytecount]
        RESERVED
-       - tiff 3.9.4-1 (low)
-       - freeimage <undetermined>
-       - libtk-img <undetermined>
-       - gdal <undetermined>
+       - tiff 3.9.4-1 (unimportant)
 CVE-2010-2481 [OOB read in TIFFExtractData()]
        RESERVED
-       - tiff 3.9.4-1 (low)
-       - freeimage <undetermined>
-       - libtk-img <undetermined>
-       - gdal <undetermined>
+       - tiff 3.9.4-1 (unimportant)
 CVE-2010-2480 [XSS in python mako's escape.cgi]
        RESERVED
        - python-mako <undetermined>
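Review bot: the three `freeimage`, `libtk-img` and `gdal <undetermined>` lines under CVE-2010-2483, CVE-2010-2482 and CVE-2010-2481 are deleted rather than resolved, so the tracker loses the record that these libtiff-embedding packages were ever considered; if they were checked and found unaffected, a `<not-affected>` line with a reason keeps that audit trail, and if they were not checked, `<undetermined>` should stay. The severity change from `(low)` to `(unimportant)` on the three tiff lines also carries no NOTE; the commit log's rationale ("without real security impact") belongs in the entry, e.g. `NOTE: crash only, no security impact`, so later readers do not have to consult the commit history.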
@@ -127,7 +118,7 @@
        NOTE: http://bugs.python.org/issue9061
 CVE-2010-2478 [kernel buffer overflow in ETHTOOL_GRXCLSRLALL]
        RESERVED
-       - linux-2.6 <undetermined>
+       - linux-2.6 <unfixed>
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=608950
        NOTE: http://thread.gmane.org/gmane.linux.network/164869
 CVE-2010-2477 [XSS in paste.httpexceptions]
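Review bot: the new `linux-2.6 <unfixed>` line for the ETHTOOL_GRXCLSRLALL kernel buffer overflow has no severity tag, unlike the other package lines touched in this commit, which carry `(low)`, `(medium)` or `(unimportant)`; a kernel buffer overflow with two upstream references already noted should get an explicit severity so it is not overlooked when prioritising.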
@@ -144,7 +135,6 @@
 CVE-2010-2476 [syscp open_basedir bypassing]
        RESERVED
        - syscp <unfixed> (bug #587481)
-       NOTE: CVE id requested on oss-sec
 CVE-2010-2469 (The Linear eMerge 50 and 5000 uses a default password of eMerge 
for ...)
        NOT-FOR-US: Linear eMerge
 CVE-2010-2468 (The S2 Security NetBox 2.x and 3.x, as used in the Linear 
eMerge 50 ...)
@@ -172,11 +162,11 @@
 CVE-2010-2457 (Cross-site scripting (XSS) vulnerability in index.php in 
K-Search ...)
        NOT-FOR-US: K-Search
 CVE-2010-2456 (Multiple directory traversal vulnerabilities in index.php in 
Linker ...)
-       TODO: check
+       NOT-FOR-US: Linker IMG
 CVE-2010-2455 (Opera does not properly manage the address bar between the 
request to ...)
        NOT-FOR-US: Opera
 CVE-2010-2454 (Apple Safari does not properly manage the address bar between 
the ...)
-       TODO: check
+       - webkit <undetermined>
 CVE-2010-2453
        RESERVED
 CVE-2009-4909 (admin/index.php in oBlog allows remote attackers to conduct ...)
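Review bot: CVE-2010-2454 is described as an address bar handling flaw in Apple Safari, which is browser chrome rather than engine code, yet the TODO is replaced with `webkit <undetermined>` without a NOTE explaining why the Debian webkit package is considered in scope; add a NOTE stating the basis for that mapping (or mark NOT-FOR-US if the issue is confined to Safari's UI) so the next triager does not have to redo the analysis.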
@@ -718,13 +708,13 @@
 CVE-2010-2232
        RESERVED
 CVE-2010-2231 (Cross-site request forgery (CSRF) vulnerability in ...)
-       - moodle <unfixed> (bug #586280)
+       - moodle 1.9.9-1 (bug #586280)
 CVE-2010-2230 (The KSES text cleaning filter in lib/weblib.php in Moodle 
before ...)
-       - moodle <unfixed> (bug #586280)
+       - moodle 1.9.9-1 (bug #586280)
 CVE-2010-2229 (Multiple cross-site scripting (XSS) vulnerabilities in 
blog/index.php ...)
-       - moodle <unfixed> (bug #586280)
+       - moodle 1.9.9-1 (bug #586280)
 CVE-2010-2228 (Cross-site scripting (XSS) vulnerability in the MNET 
access-control ...)
-       - moodle <unfixed> (bug #586280)
+       - moodle 1.9.9-1 (bug #586280)
 CVE-2010-2227
        RESERVED
 CVE-2010-2226 [xfs SWAPEXT ioctl permissions bypass]
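Review bot: the four moodle entries now record the fix as `moodle 1.9.9-1 (bug #586280)` but none of them gains a `[lenny]` line, while the acidbase and bugzilla entries in this same commit carry `[lenny] - ... <no-dsa> (Minor issue)`; the stable status for the CSRF and XSS issues should be recorded here too (fixed version, `<no-dsa>` with reason, or `<not-affected>`) so the commit log's "moodle fixed" is complete for both suites.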
@@ -2040,11 +2030,14 @@
 CVE-2009-4840 (Heap-based buffer overflow in the IAManager ActiveX control in 
...)
        NOT-FOR-US: Roxio CinePlayer
 CVE-2009-4839 (Multiple cross-site scripting (XSS) vulnerabilities in Basic 
Analysis ...)
-       - acidbase <undetermined>
-CVE-2009-4838 (SQL injection vulnerability in base_ag_common.php in Basic 
Analysis ...)
-       - acidbase <undetermined>
+       - acidbase <unfixed> (bug filed)
+       [lenny] - acidbase <no-dsa> (Minor issue)
+CVE-2009-4838
+       - acidbase 1.4.4-1 (low)
+       [lenny] - acidbase <no-dsa> (Minor issue)
 CVE-2009-4837 (Multiple cross-site scripting (XSS) vulnerabilities in Basic 
Analysis ...)
-       - acidbase <undetermined>
+       - acidbase 1.4.4-1 (low)
+       [lenny] - acidbase <no-dsa> (Minor issue)
 CVE-2009-4836 (Eval injection vulnerability in system/services/init.php in 
Movie PHP ...)
        NOT-FOR-US: Movie PHP Script
 CVE-2009-4835 (The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) 
pcm_init, ...)
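Review bot: the CVE-2009-4838 heading loses its description text (it was "SQL injection vulnerability in base_ag_common.php in Basic Analysis ...") and is now the bare id, which looks like an editing slip rather than an intended change; restore the description line. The `acidbase <unfixed> (bug filed)` line for CVE-2009-4839 should also carry the actual bug number, as was done for bugzilla elsewhere in this commit, since the commit log says bug numbers were being filled in.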
@@ -3598,7 +3591,7 @@
        - tuxonice-userui <unfixed> 
        TODO: binNMU tuxonice-userui once libpng is fixed
 CVE-2010-1204 (Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 
3.4.6, 3.5.1 ...)
-       - bugzilla <unfixed> (low; bug filed)
+       - bugzilla <unfixed> (low; bug #587663)
        [lenny] - bugzilla <no-dsa> (Minor issue)
 CVE-2010-1203 (The JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4 
allow ...)
        - xulrunner <not-affected> (Only affects Firefox 3.6, i.e xulrunner 
1.9.2)
@@ -5323,7 +5316,7 @@
        - ffmpeg 0.5.1-1 (medium; bug #570713; bug #550442)
        - ffmpeg-debian <removed> (medium)
 CVE-2010-XXXX [dillo improper restriction of path in cookies]
-       - dillo <undetermined>
+       - dillo <removed>
        NOTE: http://hg.dillo.org/dillo/file/tip/ChangeLog
        NOTE: it is not clear whether the issue affects pre-2.x versions
 CVE-2010-XXXX [pidgin remote dos]
@@ -6604,7 +6597,7 @@
 CVE-2009-4588 (Heap-based buffer overflow in the WindsPlayerIE.View.1 ActiveX 
control ...)
        NOT-FOR-US: AwingSoft Awakening
 CVE-2009-4587 (Cherokee Web Server 0.5.4 allows remote attackers to cause a 
denial of ...)
-       - cherokee <undetermined> (unimportant)
+       - cherokee <not-affected> (Only affects Windows and DOS)
        NOTE: this only works on windows and dos as you are not allowed
        NOTE: to use a file name with AUX and any or no extension as this is a
        NOTE: reserved device name. cherokee was lacking error handling...
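Review bot: the `<not-affected> (Only affects Windows and DOS)` marking rests on the trigger (a file name using the reserved device name AUX) being Windows/DOS-specific, but the last NOTE line states the root cause as "cherokee was lacking error handling..." and then trails off; finish that sentence and state whether the missing error-handling path is also unreachable on Linux, because if the same code path can fail for other reasons the not-affected verdict is narrower than the NOTE suggests.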

Modified: data/spu-candidates.txt
===================================================================
--- data/spu-candidates.txt     2010-07-01 19:43:34 UTC (rev 14944)
+++ data/spu-candidates.txt     2010-07-01 20:19:08 UTC (rev 14945)
@@ -15,6 +15,9 @@
 acidbase (CVE-2009-4590, CVE-2009-4591, CVE-2009-4592)
 notified maintainer
 
+CVE-2009-4839  CVE-2009-4838 CVE-2009-4837 
+
+
 --
 
 acl (CVE-2009-4411)
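Review bot: the added line `CVE-2009-4839  CVE-2009-4838 CVE-2009-4837 ` does not follow the file's `package (CVE-..., CVE-...)` format used by the `acidbase (...)` and `acl (...)` entries around it, has inconsistent spacing and trailing whitespace, and is followed by two extra blank lines; fold the three ids into the existing acidbase line, e.g. `acidbase (CVE-2009-4590, CVE-2009-4591, CVE-2009-4592, CVE-2009-4837, CVE-2009-4838, CVE-2009-4839)`, and drop the stray blank lines.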


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits