Author: derevko-guest
Date: 2009-08-04 10:53:17 +0000 (Tue, 04 Aug 2009)
New Revision: 12474

Modified:
   data/CVE/list
Log:
- NFUs
- CVE-2009-2654: xulrunner is affected
- certificate spoofing via null characters issue got a CVE, CVE-2009-2408
- CVE-2009-2409: nss and gnutls26 fixed in unstable, openssl is unfixed

Modified: data/CVE/list
==================================================================
--- data/CVE/list 2009-08-04 09:14:18 UTC (rev 12473)
+++ data/CVE/list 2009-08-04 10:53:17 UTC (rev 12474)
@@ -3,37 +3,39 @@ NOTE: Posting on full-disclosure contains details TODO: Seems to affect Mplayer as well, so likely in ffmpeg-debian, needs to be checked CVE-2009-2655 (mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 ...) - TODO: check + NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2654 (Mozilla Firefox 3.5.1 and earlier allows remote attackers to spoof the ...) - TODO: check + - xulrunner <unfixed> (low; bug #539891) CVE-2009-2653 (** DISPUTED ** ...) - TODO: check + NOT-FOR-US: Microsoft Windows CVE-2009-2652 (Unspecified vulnerability in Solaris Trusted Extensions in Sun Solaris ...) - TODO: check + NOT-FOR-US: Solaris Trusted Extensions CVE-2008-6891 (Multiple cross-site scripting (XSS) vulnerabilities in ASP Forum ...) - TODO: check + NOT-FOR-US: ASP Forum Script CVE-2008-6890 (SQL injection vulnerability in messages.asp in ASP Forum Script allows ...) - TODO: check + NOT-FOR-US: ASP Forum Script CVE-2008-6889 (SQL injection vulnerability in Merchantsadd.asp in ASPReferral 5.3 ...) - TODO: check + NOT-FOR-US: ASPReferral CVE-2008-6888 (Cross-site scripting (XSS) vulnerability in signup.asp in Pre ...) - TODO: check + NOT-FOR-US: Pre Classified Listings CVE-2008-6887 (SQL injection vulnerability in detailad.asp in Pre Classified Listings ...) - TODO: check + NOT-FOR-US: Pre Classified Listings CVE-2008-6886 (RSA EnVision 3.5.0, 3.5.1, 3.5.2, and 3.7.0 does not properly restrict ...) - TODO: check + NOT-FOR-US: RSA EnVision CVE-2008-6885 (Cross-site scripting (XSS) vulnerability in pmlite.php in XOOPS 2.3.1 ...) - TODO: check + NOT-FOR-US: XOOPS CVE-2008-6884 (Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when ...) - TODO: check + NOT-FOR-US: XOOPS CVE-2009-XXXX [poppler: buffer overflow in abiword backend] - poppler <unfixed> (low; bug #534680) -CVE-2009-XXXX [openssl: certificate spoofing via null characters] +CVE-2009-2408 (Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly ...) 
- openssl <unfixed> (medium; bug #539499) - - iceweasel <unfixed> (medium) + - xulrunner <unfixed> (medium) + - nss 3.12.3-1 (medium) NOTE: asked maintainer to check whether openssl affected NOTE: fixed in iceweasel 3.0.13 and 3.5.2, which have yet to be uploaded TODO: check whether other web browsers are affected and file bugs + TODO: check if xulrunner and related packages are really affected (they should use the system version of NSS) CVE-2009-2651 (main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote ...) - asterisk <unfixed> (low; bug #539473) [etch] - asterisk <not-affected> (Vulnerable code not present) @@ -671,9 +673,10 @@ CVE-2009-2410 (The local_handler_callback function in ...) NOT-FOR-US: sssd CVE-2009-2409 (The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 ...) - TODO: check -CVE-2009-2408 (Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly ...) - TODO: check + - nss 3.12.3-1 (low; bug #539895) + - openssl <unfixed> (low; bug #539899) + - gnutls26 2.6.4-1 (low; bug #539901) + TODO: check - gnutls13 <removed> CVE-2009-2407 (Heap-based buffer overflow in the parse_tag_3_packet function in ...) {DSA-1845-1 DSA-1844-1} - linux-2.6 2.6.30-5 (medium)
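Review bot: in the first hunk, the NOTE "fixed in iceweasel 3.0.13 and 3.5.2, which have yet to be uploaded" under CVE-2009-2408 is left in place while the hunk drops the package it describes (`- iceweasel <unfixed> (medium)` becomes `- xulrunner <unfixed> (medium)`), so either keep an iceweasel entry or reword the note to the xulrunner upload that is actually being tracked; the new TODO in the same entry also says xulrunner should be using the system NSS and may not be affected at all, which sits uneasily next to `xulrunner <unfixed> (medium)` and `nss 3.12.3-1 (medium)` being asserted in the same block. The kept line `- openssl <unfixed> (medium; bug #539499)` has the same problem in the other direction: the NOTE says the maintainer was only asked whether openssl is affected, and the CVE summary names Firefox and NSS, so the openssl line should be marked as provisional (or carry a TODO) until that answer is in.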
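Review bot: in the second hunk, CVE-2009-2409 has its `TODO: check` replaced by three package entries and then gets a fresh `TODO: check` with no subject, sitting right before the unchanged `- gnutls13 <removed>` line; say what is still open (the pending openssl fix, or whether the removed gnutls13 needs the kind of `[etch]` annotation the asterisk entry above uses) or drop the TODO so the entry does not look unreviewed. Removing the CVE-2009-2408 stub here is fine only because the first hunk renames the CVE-2009-XXXX openssl entry to CVE-2009-2408; the two hunks must stay in one commit or the CVE disappears from the list.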