Author: derevko-guest Date: 2009-07-03 18:56:34 +0000 (Fri, 03 Jul 2009) New Revision: 12264 Modified: data/CVE/list Log: - NFUs - CVE-2009-2285 already fixed in tiff 3.8.2-12 - CVE-2008-6845 fixed in clamav 0.94.dfsg-1 - CVE-2009-2210, CVE-2009-1392 fixed in icedove 2.0.0.22-1 - CVE-2008-6838 seems a duplicate of CVE-2008-3258 - zoph upstream reported another Cross-Site Scripting Vulnerability Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-07-03 18:45:28 UTC (rev 12263) +++ data/CVE/list 2009-07-03 18:56:34 UTC (rev 12264) @@ -51,7 +51,8 @@ CVE-2009-2287 (The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel ...) TODO: check CVE-2009-2285 (Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 ...) - TODO: check + - tiff 3.8.2-12 (low; bug #534137) + NOTE: this doesn''t allow code execution, only a crash. CVE-2009-2283 (Multiple cross-site scripting (XSS) vulnerabilities in the help jsp ...) NOT-FOR-US: Sun Java Web Console in Solaris CVE-2009-2282 (The Virtual Network Terminal Server daemon (vntsd) for Logical Domains ...) @@ -61,17 +62,17 @@ CVE-2008-6846 (Multiple stack-based buffer overflows in avast! Linux Home Edition ...) NOT-FOR-US: avast! Linux Home Edition CVE-2008-6845 (The unpack feature in ClamAV 0.93.3 and earlier allows remote ...) - TODO: check + - clamav 0.94.dfsg-1 CVE-2008-6844 (The registration view (/user/register) in eZ Publish 3.5.6 and ...) - TODO: check + NOT-FOR-US: eZ Publish CVE-2008-6843 (Directory traversal vulnerability in index.php in Fantastico, as used ...) NOT-FOR-US: Fantastico CVE-2008-6842 (Directory traversal vulnerability in ...) - TODO: check + NOT-FOR-US: Pluck CVE-2008-6841 (PHP remote file inclusion vulnerability in the Green Mountain ...) - TODO: check + NOT-FOR-US: component for Joomla! CVE-2008-6840 (Multiple PHP remote file inclusion vulnerabilities in V-webmail 1.6.4 ...) - TODO: check + NOT-FOR-US: V-webmail CVE-2009-XXXX [multiple drupal issues] - drupal6 <unfixed> (bug #535435) - drupal5 <unfixed> (bug #535476) @@ -179,7 +180,7 @@ CVE-2009-2234 (Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call ...) NOT-FOR-US: VICIDIAL Call Center Suite CVE-2009-2210 (Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow ...) - - icedove <unfixed> + - icedove 2.0.0.22-1 - iceape <unfixed> - kompozer <not-affected> (mail suite not compiled) TODO: check on the details once the Mozilla bug has been made public @@ -189,9 +190,14 @@ NOT-FOR-US: TGS Content Management CVE-2008-6838 (Cross-site scripting (XSS) vulnerability in search.php in Zoph 0.7.2.1 ...) - zoph <unfixed> (low; bug #535188) + NOTE: it seems a duplicate of CVE-2008-3258 CVE-2008-6837 (SQL injection vulnerability in Zoph 0.7.2.1 allows remote attackers to ...) - zoph <unfixed> (bug #535188) NOTE: the details are unknown +CVE-2009-XXXX [Zoph Cross-Site Scripting Vulnerability] + - zoph <unfixed> (low; bug #535188) + NOTE: http://sourceforge.net/tracker/?func=detail&aid=2815898&group_id=69353&atid=524249 + NOTE: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=694128 CVE-2008-6836 (Cross-site request forgery (CSRF) vulnerability in OpenID 5.x before ...) NOT-FOR-US: OpenID module for Drupal CVE-2008-6835 (Cross-site scripting (XSS) vulnerability in OpenID 5.x before 5.x-1.2, ...) @@ -2353,7 +2359,7 @@ - xulrunner 1.9.0.11-1 [squeeze] - xulrunner 1.9.0.11-0lenny1 [etch] - xulrunner <no-dsa> (Mozilla packages from oldstable no longer covered by security support) - - icedove <unfixed> + - icedove 2.0.0.22-1 TODO: determine whether icedove truely affected or whether issue solely within xulrunner CVE-2009-1391 (Off-by-one error in the inflate function in Zlib.xs in ...) - perl 5.10.0-23 (medium; bug #532736)