Author: nion
Date: 2010-02-01 13:30:31 +0000 (Mon, 01 Feb 2010)
New Revision: 13989
Modified:
data/CVE/list
Log:
- gnome screensaver (inhibitor not removed when connection is closed) fixed in
2.28.0-2
- CVE-2008-7248 fixed at least since 2.2.3-1
- CVE-2009-4016 fixed in ircd-ratbox 3.0.6.dfsg-1 (different patch but fixed)
- dansguardian tmp issue has been pebcak
- twiki, qwik and swftools have been removed
- CVE-2009-1892 fixed in isc-dhcp 3.1.2p1-2
- CVE-2007-2385 fixed in jifty 0.91117-1
Modified: data/CVE/list
==================================================================---
data/CVE/list 2010-02-01 09:14:43 UTC (rev 13988)
+++ data/CVE/list 2010-02-01 13:30:31 UTC (rev 13989)
@@ -1759,7 +1759,7 @@
CVE-2009-4267
RESERVED
CVE-2009-XXXX [gnome-screensaver inhibitor not removed when connection is
closed]
- - gnome-screensaver <unfixed> (low; bug #560895)
+ - gnome-screensaver 2.28.0-2 (low; bug #560895)
[etch] - gnome-screensaver <not-affected> (vulnerable code introduced in
2.28)
[lenny] - gnome-screensaver <not-affected> (vulnerable code introduced
in 2.28)
TODO: request CVE id
@@ -2273,7 +2273,7 @@
- rails 2.2.3-2 (low; bug #558685)
NOTE:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
CVE-2008-7248 (Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not
verify ...)
- - rails <unfixed> (medium; bug #558685)
+ - rails 2.2.3-1 (medium; bug #558685)
[lenny] - rails <not-affected> (Vulnerable code not present)
NOTE:
http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
CVE-2009-4073 (The printing functionality in Microsoft Internet Explorer 8
allows ...)
@@ -2469,7 +2469,7 @@
CVE-2009-4016 [ircd integer underflow]
RESERVED
{DSA-1980-1}
- - ircd-ratbox <unfixed> (medium; bug #567191)
+ - ircd-ratbox 3.0.6.dfsg-1 (medium; bug #567191)
- ircd-hybrid <unfixed> (medium; bug #567192)
- oftc-hybrid <unfixed> (medium; bug #567193)
CVE-2009-4015
@@ -2726,8 +2726,6 @@
CVE-2009-XXXX [eglibc: ldd arbitrary code execution]
- eglibc 2.10.1-7 (unimportant; bug #552518)
- glibc <removed> (unimportant)
-CVE-2009-XXXX [dansguardian: not blocking sites]
- - dansguardian <unfixed> (unimportant; bug #548108)
CVE-2009-3924 (Buffer overflow in pbsv.dll, as used in Soldier of Fortune II
and ...)
NOT-FOR-US: Soldier of Fortune
CVE-2009-3923 (The VirtualBox 2.0.8 and 2.0.10 web service in Sun Virtual
Desktop ...)
@@ -3687,13 +3685,13 @@
- xpdf <unfixed> (medium; bug #551287)
- poppler 0.12.2-1 (medium; bug #551289)
- kdegraphics 4:4.0 (medium; bug #551290)
- - swftools <unfixed> (medium; bug #551291)
+ - swftools <removed> (medium; bug #551291)
CVE-2009-3608 (Integer overflow in the ObjectStream::ObjectStream function in
XRef.cc ...)
{DSA-1941-1}
- xpdf <unfixed> (medium; bug #551287)
- poppler 0.12.2-1 (medium; bug #551289)
- kdegraphics 4:4.0 (medium; bug #551290)
- - swftools <unfixed> (medium; bug #551291)
+ - swftools <removed> (medium; bug #551291)
CVE-2009-3607 (Integer overflow in the create_surface_from_thumbnail_data
function in ...)
{DSA-1941-1}
- poppler 0.12.2-1 (medium; bug #551289)
@@ -3702,7 +3700,7 @@
- xpdf <unfixed> (medium; bug #551287)
- poppler 0.12.2-1 (medium; bug #551289)
- kdegraphics 4:4.0 (medium; bug #551290)
- - swftools <unfixed> (medium; bug #551291)
+ - swftools <removed> (medium; bug #551291)
CVE-2009-3605 (Multiple integer overflows in Poppler 0.10.5 and earlier allow
remote ...)
{DSA-1941-1}
- poppler 0.12.2-1 (medium; bug #551289)
@@ -3711,13 +3709,13 @@
- xpdf <unfixed> (medium; bug #551287)
- poppler 0.12.2-1 (medium; bug #551289)
- kdegraphics 4:4.0 (medium; bug #551290)
- - swftools <unfixed> (medium; bug #551291)
+ - swftools <removed> (medium; bug #551291)
CVE-2009-3603 (Integer overflow in the SplashBitmap::SplashBitmap function in
Xpdf ...)
{DSA-1941-1}
- xpdf <unfixed> (medium; bug #551287)
- poppler 0.12.2-1 (medium; bug #551289)
- kdegraphics 4:4.0 (medium; bug #551290)
- - swftools <unfixed> (medium; bug #551291)
+ - swftools <removed> (medium; bug #551291)
CVE-2009-3591 (Dopewars 1.5.12 allows remote attackers to cause a denial of
service ...)
- dopewars 1.5.12-9 (low; bug #550913)
[etch] - dopewars <no-dsa> (negligible issue)
@@ -4939,7 +4937,7 @@
- poker-network 1.7.6-1 (low; bug #555237)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers 0.3.4-2 (low; bug #555239)
- - qwik <unfixed> (low; bug #555240)
+ - qwik <removed> (low; bug #555240)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress 2.5.0-2 (low; bug #555242)
@@ -9198,7 +9196,7 @@
NOT-FOR-US: Red Hat dhcpd init script for DHCP
CVE-2009-1892 (dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the
dhcp-client-identifier and ...)
{DSA-1833-2 DSA-1833-1}
- - isc-dhcp <unfixed> (low; bug #539492)
+ - isc-dhcp 3.1.2p1-2 (low; bug #539492)
- dhcp3 3.1.2p1-2 (low; bug #549584)
[etch] - dhcp3 <not-affected> (problematic assert is not present)
CVE-2009-1891 (The mod_deflate module in Apache httpd 2.2.11 and earlier
compresses ...)
@@ -10839,7 +10837,7 @@
CVE-2009-1340
RESERVED
CVE-2009-1339 (Cross-site request forgery (CSRF) vulnerability in TWiki before
4.3.1 ...)
- - twiki <unfixed> (bug #526258)
+ - twiki <removed> (bug #526258)
NOTE: We should probably request removal from unstable, replaced by foswiki
CVE-2009-1338 (The kill_something_info function in kernel/signal.c in the Linux
...)
{DSA-1800-1 DSA-1787-1}
@@ -11605,7 +11603,7 @@
[etch] - poppler <not-affected> (SplashBitmap code not present)
- xpdf <unfixed>
- kdegraphics 4:4.0
- - swftools <unfixed>
+ - swftools <removed>
CVE-2009-1187 (Integer overflow in the JBIG2 decoding feature in Poppler before
...)
- poppler 0.10.6-1 (medium; bug #524806)
CVE-2009-1186 (Buffer overflow in the util_path_encode function in ...)
@@ -11626,7 +11624,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-1182 (Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf
3.02pl2 and ...)
{DSA-1793-1 DSA-1790-1}
- poppler 0.10.6-1 (medium; bug #524806)
@@ -11634,7 +11632,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0-1 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-1181 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, ...)
{DSA-1793-1 DSA-1790-1}
- poppler 0.10.6-1 (medium; bug #524806)
@@ -11642,7 +11640,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0-1 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-1180 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, ...)
{DSA-1793-1 DSA-1790-1}
- poppler 0.10.6-1 (medium; bug #524806)
@@ -11650,7 +11648,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0-1 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-1179 (Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
earlier, ...)
{DSA-1793-1 DSA-1790-1}
- poppler 0.10.6-1 (medium; bug #524806)
@@ -11658,7 +11656,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0-1 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-1178 (Unspecified vulnerability in the server in IBM Tivoli Storage
Manager ...)
NOT-FOR-US: Tivoli
CVE-2009-1177 (Multiple stack-based buffer overflows in maptemplate.c in
mapserv in ...)
@@ -12970,7 +12968,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-0799 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
earlier, ...)
{DSA-1793-1 DSA-1790-1}
- poppler 0.10.6-1 (medium; bug #524806)
@@ -12978,7 +12976,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-0798 (ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers
to ...)
{DSA-1786-1}
- acpid 1.0.10-1 (medium)
@@ -15641,7 +15639,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-0165 (Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
earlier, as ...)
{DSA-1793-1 DSA-1790-1}
- xpdf 3.02-1.4+lenny1 (low; bug #524809)
@@ -15698,7 +15696,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-0146 (Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2
and ...)
{DSA-1793-1 DSA-1790-1}
- poppler 0.10.6-1 (medium; bug #524806)
@@ -15707,7 +15705,7 @@
- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
[squeeze] - xpdf 3.02-1.4+lenny1
- kdegraphics 4:4.0 (medium; bug #524810)
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2009-0145 (CoreGraphics in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7,
iPhone ...)
NOT-FOR-US: CoreGraphics in Apple Mac OS X
CVE-2009-0144 (CFNetwork in Apple Mac OS X 10.5 before 10.5.7 does not properly
parse ...)
@@ -17566,9 +17564,9 @@
CVE-2008-5306 (SQL injection vulnerability in admin/index.php in PG Real Estate
...)
NOT-FOR-US: PG Real Estate Solution
CVE-2008-5305 (Eval injection vulnerability in TWiki before 4.2.4 allows remote
...)
- - twiki <unfixed> (medium; bug #508257)
+ - twiki <removed> (medium; bug #508257)
CVE-2008-5304 (Cross-site scripting (XSS) vulnerability in TWiki before 4.2.4
allows ...)
- - twiki <unfixed> (low; bug #508256)
+ - twiki <removed> (low; bug #508256)
CVE-2008-5303 (Race condition in the rmtree function in File::Path 1.08 ...)
{DSA-1678-1}
- perl 5.10.0-18
@@ -34207,7 +34205,7 @@
NOTE: cups uses xpdf-utils and poppler-utils
- libextractor 0.5.12-1
NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as
fixed
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2007-5392 (Integer overflow in the DCTStream::reset method in
xpdf/Stream.cc in ...)
{DSA-1537-1 DSA-1509-1 DSA-1480-1 DTSA-85-1 DTSA-86-1}
- poppler 0.6.2-1 (medium; bug #450628)
@@ -34225,7 +34223,7 @@
NOTE: cups uses xpdf-utils and poppler-utils
- libextractor 0.5.12-1
NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as
fixed
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2003-1357 (ProxyView has a default administrator password of Administrator
for ...)
NOT-FOR-US: ProxyView
CVE-2003-1356 (The "file handling" in sort in HP-UX 10.01
through 10.20, and 11.00 ...)
@@ -37019,7 +37017,7 @@
NOTE: cups uses xpdf-utils and poppler-utils since version 1.1.22-7
- libextractor 0.5.12-1
NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as
fixed
- - swftools <unfixed> (medium; bug #527449)
+ - swftools <removed> (medium; bug #527449)
CVE-2007-4351 (Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS
1.3.3 ...)
{DSA-1407-1 DTSA-81-1}
- cupsys 1.3.4-1 (medium; bug #448866)
@@ -39326,7 +39324,7 @@
- libextractor 0.5.12-1
NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as
fixed
- ipe <not-affected> (Does not include the vulnerable code)
- - swftools <unfixed> (bug #527449)
+ - swftools <removed> (bug #527449)
CVE-2007-3386 (Cross-site scripting (XSS) vulnerability in the Host Manager
Servlet ...)
{DSA-1447-1}
- tomcat5.5 5.5.25-1
@@ -41758,7 +41756,7 @@
- bcfg2 <not-affected> (present in source but not included in any binary
files)
- serendipity <unfixed> (low; bug #557746)
- moodle <not-affected> (uses system libjs-yui)
- - jifty <unfixed> (low; bug #557748)
+ - jifty 0.91117-1 (low; bug #557748)
- webgui <not-affected> (uses system libjs-yui)
- loggerhead <not-affected> (uses system libjs-yui)
NOTE: see
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
@@ -41801,7 +41799,7 @@
- poker-network 1.7.6-1 (low; bug #555237)
[etch] - poker-network <no-dsa> (minor issue)
- webhelpers <not-affected> (fixed since initial inclusion)
- - qwik <unfixed> (low; bug #555240)
+ - qwik <removed> (low; bug #555240)
[etch] - qwik <no-dsa> (minor issue)
[lenny] - qwik <no-dsa> (minor issue)
- wordpress <not-affected> (fixed since initial inclusion)