Author: gilbert-guest
Date: 2010-04-05 00:38:39 +0000 (Mon, 05 Apr 2010)
New Revision: 14399
Modified:
data/CVE/list
Log:
update kdelibs tracking based on Moritz''s findings
Modified: data/CVE/list
==================================================================---
data/CVE/list 2010-04-04 22:33:36 UTC (rev 14398)
+++ data/CVE/list 2010-04-05 00:38:39 UTC (rev 14399)
@@ -6849,7 +6849,12 @@
CVE-2009-3385 (The mail component in Mozilla SeaMonkey before 1.1.19 does not
...)
TODO: check
CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari
before ...)
- - webkit <not-affected> (Windows-specific)
+ - webkit 1.1.17-2 (medium; bug #559759)
+ - qt4-x11 <undetermined> (bug #561760)
+ [etch] - qt4-x11 <not-affected> (webkit support introduced in version
4.4)
+ - kdelibs <not-affected> (vulnerable code not present)
+ - kde4libs <not-affected> (vulnerable code not present)
+ NOTE: http://trac.webkit.org/changeset/48725
CVE-2009-3383 (Multiple unspecified vulnerabilities in the JavaScript engine in
...)
- xulrunner 1.9.1.4-1
[lenny] - xulrunner <not-affected> (Only affects Firefox 3.5)
@@ -8881,6 +8886,9 @@
CVE-2009-2816 (The implementation of Cross-Origin Resource Sharing (CORS) in
WebKit, ...)
- webkit 1.1.21-1 (medium; bug #559759)
[lenny] - webkit <not-affected> (vulnerable code not present)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/47494
CVE-2009-2815 (The Telephony component in Apple iPhone OS before 3.1 does not
...)
NOT-FOR-US: Apple iPhone OS
@@ -8924,6 +8932,9 @@
NOT-FOR-US: Apple QuickTime
CVE-2009-2797 (The WebKit component in Safari in Apple iPhone OS before 3.1,
and ...)
- webkit 1.1.21-1 (medium; bug #559759)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/42483
CVE-2009-2796 (The UIKit component in Apple iPhone OS 3.0, and iPhone OS 3.0.1
for ...)
NOT-FOR-US: Apple iPhone OS
@@ -10329,6 +10340,8 @@
CVE-2009-2419 (Use-after-free vulnerability in the servePendingRequests
function in ...)
- webkit 1.1.10-1
- kdelibs <unfixed> (low)
+ - kde4libs <unfixed> (low)
+ - qt4-x11 <undetermined>
CVE-2009-2418
RESERVED
CVE-2009-2417 (lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when
OpenSSL is ...)
@@ -10978,6 +10991,9 @@
CVE-2009-2195 (Buffer overflow in WebKit in Apple Safari before 4.0.3 allows
remote ...)
- webkit 1.1.12-1 (medium)
[lenny] - webkit <not-affected> (Vulnerable code not present)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=517273
NOTE: http://trac.webkit.org/changeset/45696
CVE-2009-2194 (Apple Mac OS X 10.5 before 10.5.8 does not properly share file
...)
@@ -12170,6 +12186,8 @@
- qt4-x11 <unfixed> (low; bug #538403)
[etch] - qt4-x11 <not-affected> (webkit support introduced in version
4.4)
- webkit 1.1.13-1 (low; bug #538402)
+ - kdelibs <unfixed> (unimportant)
+ - kde4libs <unfixed> (unimportant)
NOTE: http://www.thespanner.co.uk/2009/06/19/minor-safari-cross-domain-bug/
CVE-2009-1723 (CFNetwork in Apple Mac OS X 10.5 before 10.5.8 places an
incorrect URL ...)
NOT-FOR-US: CFNetwork in Apple Mac OS X
@@ -12187,25 +12205,38 @@
CVE-2009-1718 (WebKit in Apple Safari before 4.0 allows user-assisted remote
...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <no-dsa> (Minor issue)
+ - kdelibs <unfixed> (unimportant)
+ - kde4libs <unfixed> (unimportant)
+ - qt4-x11 <undetermined> (unimportant)
CVE-2009-1717 (Integer overflow in Terminal in Apple Mac OS X 10.5 before
10.5.7 ...)
NOT-FOR-US: Mac OS X
CVE-2009-1716 (CFNetwork in Apple Safari before 4.0 on Windows does not
properly ...)
NOT-FOR-US: CFNetwork in Apple
CVE-2009-1715 (Cross-site scripting (XSS) vulnerability in Web Inspector in
WebKit in ...)
- webkit 1.0.1-4 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1714 (Cross-site scripting (XSS) vulnerability in Web Inspector in
WebKit in ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/36359
CVE-2009-1713 (The XSLT functionality in WebKit in Apple Safari before 4.0 does
not ...)
{DSA-1988-1}
- webkit 1.0.1-4 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
- qt4-x11 4:4.5.2-2
[etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
NOTE: http://trac.webkit.org/changeset/34533
CVE-2009-1712 (WebKit in Apple Safari before 4.0 does not prevent remote
loading of ...)
{DSA-1988-1 DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
- qt4-x11 4:4.5.2-2
[etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
NOTE: http://trac.webkit.org/changeset/41568
@@ -12213,15 +12244,21 @@
{DSA-1988-1 DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
NOTE: http://trac.webkit.org/changeset/36918
+ - kdelibs <not-affected>
+ - kde4libs <undetermined>
- qt4-x11 4:4.5.2-1
[etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
CVE-2009-1710 (WebKit in Apple Safari before 4.0 allows remote attackers to
spoof the ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1709 (Use-after-free vulnerability in the garbage-collection
implementation ...)
{DSA-1866-1}
- webkit 0~svn32442-1
NOTE: fixed in upstream commit http://trac.webkit.org/changeset/32230
+ - kdelibs <not-affected> (vulnerable code in kdegraphics)
- kde4libs <not-affected> (Vulnerable code not present)
- kdegraphics 4:4.0 (medium; bug #534951)
NOTE: kdegraphics >4.0 not affected since ksvg is only in 3.5.x series)
@@ -12238,16 +12275,30 @@
CVE-2009-1703 (WebKit in Apple Safari before 4.0 does not prevent references to
file: ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <no-dsa> (Minor issue)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1702 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1701 (Use-after-free vulnerability in the JavaScript DOM
implementation in ...)
- webkit 1.1.12-1 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <undetermined>
+ - qt4-x11 <undetermined>
NOTE: invasive patch to backport.
CVE-2009-1700 (The XSLT implementation in WebKit in Apple Safari before 4.0,
iPhone ...)
- webkit 1.1.12-1 (low; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1699 (The XSL stylesheet implementation in WebKit in Apple Safari
before ...)
{DSA-1988-1}
- webkit 1.0.1-4 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
- qt4-x11 4:4.5.2-2
[etch] - qt4-x11 <not-affected> (QTWebkit was introduced in 4.4)
CVE-2009-1698 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
@@ -12261,28 +12312,49 @@
CVE-2009-1697 (CRLF injection vulnerability in WebKit in Apple Safari before
4.0, ...)
{DSA-1950-1}
- webkit 1.1.15.2-1 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1696 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1695 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1694 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1693 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/35928
CVE-2009-1692 (WebKit before r41741, as used in Apple iPhone OS 1.0 through
2.2.1, ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
+ - kdelibs <unfixed> (unimportant)
+ - kde4libs <unfixed> (unimportant)
+ - qt4-x11 <undetermined> (unimportant)
NOTE: upstream (undisclosed) bug report is
https://bugs.webkit.org/show_bug.cgi?id=23319
NOTE: http://trac.webkit.org/changeset/41741
CVE-2009-1691 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
NOTE: http://trac.webkit.org/changeset/32791
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1690 (Use-after-free vulnerability in WebKit, as used in Apple Safari
before ...)
{DSA-1988-1 DSA-1950-1 DSA-1868-1 DSA-1867-1}
- webkit 1.1.5-1 (medium; bug #534946)
@@ -12295,9 +12367,15 @@
CVE-2009-1689 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1688 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.1.12-1 (low; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1687 (The JavaScript garbage collector in WebKit in Apple Safari
before 4.0, ...)
{DSA-1988-1 DSA-1950-1 DSA-1868-1 DSA-1867-1}
- webkit 1.1.5-1 (medium; bug #534946)
@@ -12309,11 +12387,20 @@
CVE-2009-1686 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
- webkit 1.1.12-1 (medium; bug #535793)
[lenny] - webkit <not-affected> (Vulnerable code not present)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1685 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
- webkit 1.0.1-4 (medium; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <unfixed>
+ - qt4-x11 <undetermined>
CVE-2009-1684 (Cross-site scripting (XSS) vulnerability in WebKit in Apple
Safari ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1683 (The Telephony component in Apple iPhone OS 1.0 through 2.2.1 and
...)
NOT-FOR-US: iPhone
CVE-2009-1682 (Apple Safari before 4.0 does not properly check for revoked
Extended ...)
@@ -12321,6 +12408,9 @@
CVE-2009-1681 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1,
and ...)
{DSA-1950-1}
- webkit 1.1.12-1 (low; bug #535793)
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2009-1680 (Safari in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for
iPod ...)
NOT-FOR-US: Safari in Apple iPhone OS
CVE-2009-1679 (The Profiles component in Apple iPhone OS 1.0 through 2.2.1 and
iPhone ...)
@@ -21533,8 +21623,9 @@
CVE-2008-4724 (Multiple cross-site scripting (XSS) vulnerabilities in Google
Chrome ...)
- webkit 1.1.7-1 (low; bug #520052)
[lenny] - webkit <no-dsa> (Minor issue)
- NOTE: webkit properly handles this issue with respect to extensions such as
jpg and txt, but not in general; for example, the attack works for odp, xls, etc
extensions (only tested with midori 0.1.4)
- NOTE: not reproducible using iceweasel 3.0.1
+ - kdelibs <not-affected>
+ - kde4libs <not-affected>
+ - qt4-x11 <undetermined>
CVE-2008-4723 (Multiple cross-site scripting (XSS) vulnerabilities in Mozilla
Firefox ...)
- iceweasel <not-affected>
NOTE: firefox not affected, see https://bugzilla.redhat.com/468397
@@ -24314,6 +24405,7 @@
RESERVED
CVE-2008-3632 (Use-after-free vulnerability in WebKit in Apple iPod touch 1.1
through ...)
- webkit 1.0.1-4 (bug #499771)
+ NOTE: http://trac.webkit.org/changeset/34815
CVE-2008-3631 (Application Sandbox in Apple iPod touch 2.0 through 2.0.2, and
iPhone ...)
NOT-FOR-US: Apple iPod
CVE-2008-3630 (mDNSResponder in Apple Bonjour for Windows before 1.0.5, when an
...)
@@ -27427,6 +27519,8 @@
CVE-2008-2307 (Unspecified vulnerability in WebKit in Apple Safari before
3.1.2, as ...)
- webkit 1.0.1-1
- kdelibs <unfixed>
+ - kde4libs <unfixed>
+ - qt4-x11 <undetermined>
NOTE: http://trac.webkit.org/changeset/34204
CVE-2008-2306 (Apple Safari before 3.1.2 on Windows does not properly interpret
the ...)
NOT-FOR-US: Windows issue
@@ -32249,7 +32343,10 @@
NOT-FOR-US: Mapbender
CVE-2008-0298 (KHTML WebKit as used in Apple Safari 2.x allows remote attackers
to ...)
- webkit <unfixed> (unimportant)
- NOTE: khtml originates from konqueror. browser crashes are considered
unimportant
+ - qt4-x11 <unfixed> (unimportant)
+ - kdelibs <unfixed> (unimportant)
+ - kde4libs <unfixed> (unimportant)
+ NOTE: browser crashes are considered unimportant
CVE-2008-0297 (PhotoKorn allows remote attackers to obtain database credentials
via a ...)
NOT-FOR-US: PhotoKorn
CVE-2008-0296 (Heap-based buffer overflow in the libaccess_realrtsp plugin in
...)