On Tue, 11 Aug 2009 17:17:11 +0200, Moritz Muehlenhoff wrote: > Hi Michael, > > On Mon, Aug 10, 2009 at 11:59:52PM +0000, Michael Gilbert wrote: > > Author: gilbert-guest > > Date: 2009-08-10 23:59:52 +0000 (Mon, 10 Aug 2009) > > New Revision: 12558 > > > > Modified: > > data/CVE/list > > data/embedded-code-copies > > Log: > > - fix typo > > - apache issue doesn't warrant a dsa > > > [email protected]> > > > > > Modified: data/CVE/list > > =================================================================== > > --- data/CVE/list 2009-08-10 23:56:52 UTC (rev 12557) > > +++ data/CVE/list 2009-08-10 23:59:52 UTC (rev 12558) > > @@ -1,5 +1,7 @@ > > CVE-2009-XXXX [apache2: xml-based firewall bypass / port scanning] > > - apache2 <unfixed> (low; bug #540862) > > + [etch] - apache2 <no-dsa> (minor issue) > > + [lenny] - apache2 <no-dsa> (minor issue) > > CVE-2009-XXXX [linux-2.6: parisc eisa underflow] > > - linux-2.6 <unfixed> (low) > > - linux-2.6.24 <removed> > > Stefan's followup indicates that Apache isn't affected at all, > so this would rather be a <not-affected>?
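Review bot: the two added `[etch]` and `[lenny]` lines give `(minor issue)` as the only reason for `<no-dsa>`, and nothing in the entry records what that judgement rests on. Consider adding a NOTE: line under the CVE-2009-XXXX apache2 entry that points to the discussion in bug #540862, so a later reader can tell whether etch and lenny were confirmed as affected or only triaged as low priority. This matters because `<no-dsa>` marks the release as affected with no advisory planned, which is a different statement from `<not-affected>`.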
i think that it would make more sense to continue tracking the issue until someone has a chance to test whether the exploit actually works or not. also, i think that it should be reassigned to xerces, since the flaw happens to be in xml parsing, rather than apache itself...

mike

