thr3ads.net - Secure testing commits - [Secure-testing-commits] r11628

If this information is useful, please help other people find it:
Share via:

Joey Hess

2009-Apr-15 21:14 UTC

[Secure-testing-commits] r11628 - data/CVE

Author: joeyh
Date: 2009-04-15 21:14:22 +0000 (Wed, 15 Apr 2009)
New Revision: 11628

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
==================================================================---
data/CVE/list	2009-04-15 19:52:05 UTC (rev 11627)
+++ data/CVE/list	2009-04-15 21:14:22 UTC (rev 11628)
@@ -1,9 +1,19 @@
+CVE-2009-1294
+	RESERVED
+CVE-2009-1293
+	RESERVED
+CVE-2009-1292 (UCM-CQ in IBM Rational ClearCase 7.0.0.x before 7.0.0.5, 7.0.1.x
...)
+	TODO: check
+CVE-2008-6723 (TurnkeyForms Entertainment Portal 2.0 allows remote attackers to
...)
+	TODO: check
+CVE-2008-6722 (Novell Access Manager 3 SP4 does not properly expire X.509
certificate ...)
+	TODO: check
+CVE-2008-6721 (SQL injection vulnerability in index.php in AJ Square AJ Article
...)
+	TODO: check
 CVE-2009-XXXX [clamav: UPack crash]
-	{DSA-1771-1}
 	- clamav 0.95.1+dfsg-1
 	NOTE: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1552
 CVE-2009-XXXX [clamav: cli_url_canon]
-	{DSA-1771-1}
 	- clamav 0.95.1+dfsg-1
 	[etch] - clamav <not-affected> (vulnerable code not present)
 	[lenny] - clamav <not-affected> (vulnerable code not present)
@@ -232,8 +242,10 @@
 CVE-2009-XXXX [Wireshark: The Check Point High-Availability Protocol (CPHAP)
dissector could crash.]
 	- wireshark <unfixed>
 CVE-2008-6680 (libclamav/pe.c in ClamAV before 0.95 allows remote attackers to
cause ...)
+	{DSA-1771-1}
 	- clamav 0.94.dfsg.2-1~volatile2 (medium; bug #523016)
 CVE-2009-1270 (libclamav/untar.c in ClamAV before 0.95 allows remote attackers
to ...)
+	{DSA-1771-1}
 	- clamav 0.94.dfsg.2-1~volatile2 (medium; bug #523016)
 CVE-2009-1254 (James Stone Tunapie 2.1 allows remote attackers to execute
arbitrary ...)
 	{DSA-1764-1}
@@ -1145,98 +1157,98 @@
 	RESERVED
 CVE-2009-1018
 	RESERVED
-CVE-2009-1017
-	RESERVED
-CVE-2009-1016
-	RESERVED
+CVE-2009-1017 (Unspecified vulnerability in the BI Publisher component in
Oracle ...)
+	TODO: check
+CVE-2009-1016 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
+	TODO: check
 CVE-2009-1015
 	RESERVED
-CVE-2009-1014
-	RESERVED
-CVE-2009-1013
-	RESERVED
-CVE-2009-1012
-	RESERVED
-CVE-2009-1011
-	RESERVED
-CVE-2009-1010
-	RESERVED
-CVE-2009-1009
-	RESERVED
-CVE-2009-1008
-	RESERVED
+CVE-2009-1014 (Unspecified vulnerability in the PeopleSoft Enterprise
PeopleTools ...)
+	TODO: check
+CVE-2009-1013 (Unspecified vulnerability in the PeopleSoft Enterprise
PeopleTools ...)
+	TODO: check
+CVE-2009-1012 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
+	TODO: check
+CVE-2009-1011 (Unspecified vulnerability in the Outside In Technology component
in ...)
+	TODO: check
+CVE-2009-1010 (Unspecified vulnerability in the Outside In Technology component
in ...)
+	TODO: check
+CVE-2009-1009 (Unspecified vulnerability in the Outside In Technology component
in ...)
+	TODO: check
+CVE-2009-1008 (Unspecified vulnerability in the Outside In Technology component
in ...)
+	TODO: check
 CVE-2009-1007
 	RESERVED
-CVE-2009-1006
-	RESERVED
-CVE-2009-1005
-	RESERVED
-CVE-2009-1004
-	RESERVED
-CVE-2009-1003
-	RESERVED
-CVE-2009-1002
-	RESERVED
-CVE-2009-1001
-	RESERVED
-CVE-2009-1000
-	RESERVED
-CVE-2009-0999
-	RESERVED
-CVE-2009-0998
-	RESERVED
-CVE-2009-0997
-	RESERVED
-CVE-2009-0996
-	RESERVED
-CVE-2009-0995
-	RESERVED
-CVE-2009-0994
-	RESERVED
-CVE-2009-0993
-	RESERVED
-CVE-2009-0992
-	RESERVED
-CVE-2009-0991
-	RESERVED
-CVE-2009-0990
-	RESERVED
-CVE-2009-0989
-	RESERVED
-CVE-2009-0988
-	RESERVED
+CVE-2009-1006 (Unspecified vulnerability in the JRockit component in BEA
Product ...)
+	TODO: check
+CVE-2009-1005 (Unspecified vulnerability in the Oracle Data Service Integrator
...)
+	TODO: check
+CVE-2009-1004 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
+	TODO: check
+CVE-2009-1003 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
+	TODO: check
+CVE-2009-1002 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
+	TODO: check
+CVE-2009-1001 (Unspecified vulnerability in the WebLogic Portal component in
BEA ...)
+	TODO: check
+CVE-2009-1000 (The Oracle Applications Framework component in Oracle E-Business
Suite ...)
+	TODO: check
+CVE-2009-0999 (Unspecified vulnerability in the Oracle Application Object
Library ...)
+	TODO: check
+CVE-2009-0998 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS -
...)
+	TODO: check
+CVE-2009-0997 (Unspecified vulnerability in the Database Vault component in
Oracle ...)
+	TODO: check
+CVE-2009-0996 (Unspecified vulnerability in the BI Publisher component in
Oracle ...)
+	TODO: check
+CVE-2009-0995 (Unspecified vulnerability in the Oracle Applications Framework
...)
+	TODO: check
+CVE-2009-0994 (Unspecified vulnerability in the BI Publisher component in
Oracle ...)
+	TODO: check
+CVE-2009-0993 (Unspecified vulnerability in the OPMN component in Oracle
Application ...)
+	TODO: check
+CVE-2009-0992 (Unspecified vulnerability in the Advanced Queuing component in
Oracle ...)
+	TODO: check
+CVE-2009-0991 (Unspecified vulnerability in the Listener component in Oracle
Database ...)
+	TODO: check
+CVE-2009-0990 (Unspecified vulnerability in the BI Publisher component in
Oracle ...)
+	TODO: check
+CVE-2009-0989 (Unspecified vulnerability in the BI Publisher component in
Oracle ...)
+	TODO: check
+CVE-2009-0988 (Unspecified vulnerability in the Password Policy component in
Oracle ...)
+	TODO: check
 CVE-2009-0987
 	RESERVED
-CVE-2009-0986
-	RESERVED
-CVE-2009-0985
-	RESERVED
-CVE-2009-0984
-	RESERVED
-CVE-2009-0983
-	RESERVED
-CVE-2009-0982
-	RESERVED
-CVE-2009-0981
-	RESERVED
-CVE-2009-0980
-	RESERVED
-CVE-2009-0979
-	RESERVED
-CVE-2009-0978
-	RESERVED
-CVE-2009-0977
-	RESERVED
-CVE-2009-0976
-	RESERVED
-CVE-2009-0975
-	RESERVED
-CVE-2009-0974
-	RESERVED
-CVE-2009-0973
-	RESERVED
-CVE-2009-0972
-	RESERVED
+CVE-2009-0986 (Unspecified vulnerability in the Workspace Manager component in
Oracle ...)
+	TODO: check
+CVE-2009-0985 (Unspecified vulnerability in the Core RDBMS component in Oracle
...)
+	TODO: check
+CVE-2009-0984 (Unspecified vulnerability in the Database Vault component in
Oracle ...)
+	TODO: check
+CVE-2009-0983 (Unspecified vulnerability in the Portal component in Oracle ...)
+	TODO: check
+CVE-2009-0982 (Unspecified vulnerability in the PeopleSoft Enterprise
PeopleTools ...)
+	TODO: check
+CVE-2009-0981 (Unspecified vulnerability in the Application Express component
in ...)
+	TODO: check
+CVE-2009-0980 (Unspecified vulnerability in the SQLX Functions component in
Oracle ...)
+	TODO: check
+CVE-2009-0979 (Unspecified vulnerability in the Resource Manager component in
Oracle ...)
+	TODO: check
+CVE-2009-0978 (Unspecified vulnerability in the Workspace Manager component in
Oracle ...)
+	TODO: check
+CVE-2009-0977 (Unspecified vulnerability in the Advanced Queuing component in
Oracle ...)
+	TODO: check
+CVE-2009-0976 (Unspecified vulnerability in the Workspace Manager component in
Oracle ...)
+	TODO: check
+CVE-2009-0975 (Unspecified vulnerability in the Workspace Manager component in
Oracle ...)
+	TODO: check
+CVE-2009-0974 (Unspecified vulnerability in the Portal component in Oracle ...)
+	TODO: check
+CVE-2009-0973 (Unspecified vulnerability in the Cluster Ready Services
component in ...)
+	TODO: check
+CVE-2009-0972 (Unspecified vulnerability in the Workspace Manager component in
Oracle ...)
+	TODO: check
 CVE-2008-6503 (Multiple cross-site scripting (XSS) vulnerabilities in
PrestaShop ...)
 	NOT-FOR-US: PrestaShop
 CVE-2008-6502 (Directory traversal vulnerability in Pro Chat Rooms 3.0.2 allows
...)
@@ -1843,8 +1855,7 @@
 CVE-2009-0793 (cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in
OpenJDK ...)
 	{DSA-1769-1}
 	TODO: check
-CVE-2009-0792 [integer overflows in argyll]
-	RESERVED
+CVE-2009-0792 (Multiple integer overflows in icc.c in the International Color
...)
 	- argyll <unfixed> (low; bug #523427)
 CVE-2009-0791
 	RESERVED
@@ -2348,8 +2359,8 @@
 	RESERVED
 CVE-2009-0682
 	RESERVED
-CVE-2009-0681
-	RESERVED
+CVE-2009-0681 (PGP Desktop before 9.10 allows local users to (1) cause a denial
of ...)
+	TODO: check
 CVE-2009-0680 (cgi-bin/welcome/VPN_only in the web interface in Netgear SSL312
allows ...)
 	NOT-FOR-US: Netgear
 CVE-2009-0679 (Cross-site scripting (XSS) vulnerability in the Your Account
module in ...)
@@ -2955,16 +2966,16 @@
 	NOT-FOR-US: Microsoft Office
 CVE-2009-0555
 	RESERVED
-CVE-2009-0554
-	RESERVED
-CVE-2009-0553
-	RESERVED
-CVE-2009-0552
-	RESERVED
-CVE-2009-0551
-	RESERVED
-CVE-2009-0550
-	RESERVED
+CVE-2009-0554 (Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows
XP SP2 ...)
+	TODO: check
+CVE-2009-0553 (Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and
SP3, ...)
+	TODO: check
+CVE-2009-0552 (Unspecified vulnerability in Microsoft Internet Explorer 5.01
SP4, 6 ...)
+	TODO: check
+CVE-2009-0551 (Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and
SP3, ...)
+	TODO: check
+CVE-2009-0550 (Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000
SP4, XP ...)
+	TODO: check
 CVE-2009-0549
 	RESERVED
 CVE-2009-0548 (Cross-site scripting (XSS) vulnerability in the Additional
Report ...)
@@ -3957,7 +3968,7 @@
 	NOT-FOR-US: Asp Project Management
 CVE-2009-0279 (SQL injection vulnerability in comentar.php in Pardal CMS 0.2.0
and ...)
 	NOT-FOR-US: Pardal CMS
-CVE-2008-5987 (Untrusted search path vulnerability in the Python interface in
eog ...)
+CVE-2008-5987 (Untrusted search path vulnerability in the Python interface in
Eye of ...)
 	- eog 2.22.3-2 (bug #504352; low)
 	[etch] - eog <not-affected> (Vulnerable code not present)
 CVE-2008-5986 (Untrusted search path vulnerability in the (1) &quot;VST
plugin with Python ...)
@@ -4205,12 +4216,12 @@
 	RESERVED
 CVE-2009-0238 (Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007
SP1; ...)
 	NOT-FOR-US: Microsoft
-CVE-2009-0237
-	RESERVED
+CVE-2009-0237 (Cross-site scripting (XSS) vulnerability in cookieauth.dll in
the HTML ...)
+	TODO: check
 CVE-2009-0236
 	RESERVED
-CVE-2009-0235
-	RESERVED
+CVE-2009-0235 (Stack-based buffer overflow in the Word 97 text converter in
WordPad ...)
+	TODO: check
 CVE-2009-0234 (The DNS Resolver Cache Service (aka DNSCache) in Windows DNS
Server in ...)
 	NOT-FOR-US: Microsoft Windows
 CVE-2009-0233 (The DNS Resolver Cache Service (aka DNSCache) in Windows DNS
Server in ...)
@@ -4388,8 +4399,8 @@
 	RESERVED
 CVE-2009-0160
 	RESERVED
-CVE-2009-0159
-	RESERVED
+CVE-2009-0159 (Stack-based buffer overflow in the cookedprint function in
ntpq/ntpq.c ...)
+	TODO: check
 CVE-2009-0158
 	RESERVED
 CVE-2009-0157
@@ -4512,7 +4523,7 @@
 	RESERVED
 CVE-2009-0116
 	RESERVED
-CVE-2009-0115 (multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE
Linux ...)
+CVE-2009-0115 (The Device Mapper multipathing driver (aka multipath-tools or
...)
 	{DSA-1767-1}
 	- multipath-tools 0.4.8-15 (low; bug #522813)
 CVE-2008-5901 (iyzi Forum 1.0 beta 3 stores sensitive information under the web
root ...)
@@ -4596,8 +4607,8 @@
 	RESERVED
 CVE-2009-0101
 	RESERVED
-CVE-2009-0100
-	RESERVED
+CVE-2009-0100 (Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007
SP1; ...)
+	TODO: check
 CVE-2009-0099 (The Electronic Messaging System Microsoft Data Base (EMSMDB32)
...)
 	NOT-FOR-US: Microsoft
 CVE-2009-0098 (Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2,
and ...)
@@ -4618,32 +4629,32 @@
 	RESERVED
 CVE-2009-0090
 	RESERVED
-CVE-2009-0089
-	RESERVED
-CVE-2009-0088
-	RESERVED
-CVE-2009-0087
-	RESERVED
-CVE-2009-0086
-	RESERVED
+CVE-2009-0089 (Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000
SP4, XP ...)
+	TODO: check
+CVE-2009-0088 (The WordPerfect 6.x Converter in Microsoft Office Word 2000 SP3
and ...)
+	TODO: check
+CVE-2009-0087 (Unspecified vulnerability in the Word 6 text converter in
WordPad in ...)
+	TODO: check
+CVE-2009-0086 (Integer underflow in Windows HTTP Services (aka WinHTTP) in
Microsoft ...)
+	TODO: check
 CVE-2009-0085 (The Secure Channel (aka SChannel) authentication component in
...)
 	NOT-FOR-US: Microsoft Windows
-CVE-2009-0084
-	RESERVED
+CVE-2009-0084 (DirectShow in Microsoft DirectX 8.1 and 9.0 does not properly
...)
+	TODO: check
 CVE-2009-0083 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and
Server ...)
 	NOT-FOR-US: Microsoft Windows
 CVE-2009-0082 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server
2003 ...)
 	NOT-FOR-US: Microsoft Windows
 CVE-2009-0081 (The graphics device interface (GDI) implementation in the kernel
in ...)
 	NOT-FOR-US: Microsoft Windows
-CVE-2009-0080
-	RESERVED
-CVE-2009-0079
-	RESERVED
-CVE-2009-0078
-	RESERVED
-CVE-2009-0077
-	RESERVED
+CVE-2009-0080 (The ThreadPool class in Windows Vista Gold and SP1, and Server
2008, ...)
+	TODO: check
+CVE-2009-0079 (The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server
2003 ...)
+	TODO: check
+CVE-2009-0078 (The Windows Management Instrumentation (WMI) provider in
Microsoft ...)
+	TODO: check
+CVE-2009-0077 (The firewall engine in Microsoft Forefront Threat Management
Gateway, ...)
+	TODO: check
 CVE-2009-0076 (Microsoft Internet Explorer 7, when XHTML strict mode is used,
allows ...)
 	NOT-FOR-US: Microsoft
 CVE-2009-0075 (Microsoft Internet Explorer 7 does not properly handle errors
during ...)
@@ -25203,8 +25214,8 @@
 	NOT-FOR-US: Volume Manager Scheduler Service
 CVE-2007-4515 (Buffer overflow in a certain ActiveX control in YVerInfo.dll
before ...)
 	NOT-FOR-US: Yahoo! Messenger
-CVE-2007-4514
-	RESERVED
+CVE-2007-4514 (Unspecified vulnerability in HP ProCurve Manager and HP ProCurve
...)
+	TODO: check
 CVE-2007-4513 (Multiple stack-based buffer overflows in IBM AIX 5.2 and 5.3
allow ...)
 	NOT-FOR-US: IBM AIX
 CVE-2007-4512 (Cross-site scripting (XSS) vulnerability in Sophos Anti-Virus
for ...)

Michael S. Gilbert

2009-Apr-16 16:04 UTC

head link

[Secure-testing-commits] r11628 - data/CVE

hello all,

was it desirable to remove the DSA tags from the temporarily named
clamav issues in this commit?

On Wed, 15 Apr 2009 21:14:23 +0000, Joey Hess wrote:
> Author: joeyh
> Date: 2009-04-15 21:14:22 +0000 (Wed, 15 Apr 2009)
> New Revision: 11628
> 
> Modified:
>    data/CVE/list
> Log:
> automatic update
>  CVE-2009-XXXX [clamav: UPack crash]
> -	{DSA-1771-1}
>  	- clamav 0.95.1+dfsg-1
>  	NOTE: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1552
>  CVE-2009-XXXX [clamav: cli_url_canon]
> -	{DSA-1771-1}
>  	- clamav 0.95.1+dfsg-1
>  	[etch] - clamav <not-affected> (vulnerable code not present)
>  	[lenny] - clamav <not-affected> (vulnerable code not present)

Thijs Kinkhorst

2009-Apr-16 17:36 UTC

head link

[Secure-testing-commits] r11628 - data/CVE

Hi Michael

On tongersdei 16 April 2009, Michael S. Gilbert wrote:> was it desirable to remove the DSA tags from the temporarily named
> clamav issues in this commit?
Desirable perhaps not, but it is how the current implementation works: 
data/DSA/list is used as the canonical list of DSA''s that have been
released,
and these are mapped to their data/CVE/list counterparts. Because these 
issues have no CVE names assigned yet, we have nothing to cross reference 
them from data/DSA/list.

I''m not sure how a better implementation would look like, since I would
like
to keep the feature that data/DSA/list lists the DSA''s, and that
removing CVE
from a listing in that file will have it removed from data/CVE/list 
automatically.


cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: This is a digitally signed message part.
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20090416/189a0118/attachment.pgp>

Michael S. Gilbert

2009-Apr-17 03:21 UTC

head link

[Secure-testing-commits] r11628 - data/CVE

On Thu, 16 Apr 2009 19:36:04 +0200 Thijs Kinkhorst wrote:
> Hi Michael
> 
> On tongersdei 16 April 2009, Michael S. Gilbert wrote:
> > was it desirable to remove the DSA tags from the temporarily named
> > clamav issues in this commit?
> 
> Desirable perhaps not, but it is how the current implementation works: 
> data/DSA/list is used as the canonical list of DSA''s that have
been released,
> and these are mapped to their data/CVE/list counterparts. Because these 
> issues have no CVE names assigned yet, we have nothing to cross reference 
> them from data/DSA/list.
> 
> I''m not sure how a better implementation would look like, since I
would like
> to keep the feature that data/DSA/list lists the DSA''s, and that
removing CVE
> from a listing in that file will have it removed from data/CVE/list 
> automatically.
wouldn''t it just be a matter of (python pseudocode):

if cve_number.endswith( ''XXXX'' ):
    no DSA stripping logic
else:
    DSA stripping logic

Nico Golde

2009-Apr-17 09:26 UTC

head link

[Secure-testing-commits] r11628 - data/CVE

Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-04-17
09:59]:> On Thu, 16 Apr 2009 19:36:04 +0200 Thijs Kinkhorst wrote:
> > On tongersdei 16 April 2009, Michael S. Gilbert wrote:
> > > was it desirable to remove the DSA tags from the temporarily
named
> > > clamav issues in this commit?
> > 
> > Desirable perhaps not, but it is how the current implementation works:
> > data/DSA/list is used as the canonical list of DSA''s that
have been released,
> > and these are mapped to their data/CVE/list counterparts. Because
these
> > issues have no CVE names assigned yet, we have nothing to cross
reference
> > them from data/DSA/list.
> > 
> > I''m not sure how a better implementation would look like,
since I would like
> > to keep the feature that data/DSA/list lists the DSA''s, and
that removing CVE
> > from a listing in that file will have it removed from data/CVE/list 
> > automatically.
> 
> wouldn''t it just be a matter of (python pseudocode):
> 
> if cve_number.endswith( ''XXXX'' ):
>     no DSA stripping logic
> else:
>     DSA stripping logic
Just use the distribution tags in the CVE list file as you 
need to add the CVE id anyway when you got one and then just 
remove the distribution tags and add the ids to the DSA 
list. This should be a lot cleaner.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20090417/4f72f92e/attachment.pgp>

Secure testing commits - Apr 2009 - r11628 - data/CVE

[Secure-testing-commits] r11628 - data/CVE

[Secure-testing-commits] r11628 - data/CVE

[Secure-testing-commits] r11628 - data/CVE

[Secure-testing-commits] r11628 - data/CVE

[Secure-testing-commits] r11628 - data/CVE