Author: gilbert-guest Date: 2009-07-05 04:19:00 +0000 (Sun, 05 Jul 2009) New Revision: 12274 Modified: data/CVE/list Log: new kernel issue triage and bug submitted for pidgin issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-07-05 03:30:28 UTC (rev 12273) +++ data/CVE/list 2009-07-05 04:19:00 UTC (rev 12274) @@ -52,7 +52,10 @@ CVE-2009-2289 (Cross-site scripting (XSS) vulnerability in index.php in Arcade Trade ...) NOT-FOR-US: Arcade Trade Script CVE-2009-2287 (The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel ...) - TODO: check + - linux-2.6 <unfixed> (low) + - linux-2.6.24 <removed> + NOTE: upstream 2.6.30 does not contain the patch for this issue + TODO: check 2.6.31 when it is released CVE-2009-2285 (Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 ...) - tiff 3.8.2-12 (low; bug #534137) NOTE: this doesn''t allow code execution, only a crash. @@ -1017,7 +1020,7 @@ RESERVED - apache2 <unfixed> CVE-2009-1889 (The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets ...) - - pidgin 2.5.8-1 (low) + - pidgin 2.5.8-1 (low; bug #535790) NOTE: http://developer.pidgin.im/ticket/9483 NOTE: http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7 CVE-2009-1888 (The acl_group_override function in smbd/posix_acls.c in smbd in Samba ...) @@ -2377,8 +2380,13 @@ - linux-2.6 2.6.26-16 (high; bug #532376) - linux-2.6.24 <removed> NOTE: potential for kernel memory corruption by remote attacker -CVE-2009-1388 +CVE-2009-1388 [linux-2.6: deadlock between ptrace and coredump] RESERVED + - linux-2.6 <not-affected> (problem in redhat-specific kernel patches) + - linux-2.6.24 <removed> + NOTE: i can''t find the ptrace_start() code in any of the debian kernels, + NOTE: so my best guess is that this is a problem in a redhat-specific patch + NOTE: see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1388 CVE-2009-1387 (The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in ...) - openssl 0.9.8k-2 (low; bug #532037) - openssl097 <not-affected> (DTLS support was introduced in 0.9.8)