Secure testing commits - Sep 2010 - r15266 - data/CVE

Author: jmm-guest
Date: 2010-09-05 14:51:37 +0000 (Sun, 05 Sep 2010)
New Revision: 15266

Modified:
   data/CVE/list
Log:
- strongswan issue doesn''t affect stable
- struts is in the archive
- jboss is partly in the archive


Modified: data/CVE/list
==================================================================---
data/CVE/list	2010-09-04 18:04:51 UTC (rev 15265)
+++ data/CVE/list	2010-09-05 14:51:37 UTC (rev 15266)
@@ -1481,6 +1481,7 @@
 	NOT-FOR-US: Cisco
 CVE-2010-2628 (The IKE daemon in strongSwan 4.3.x before 4.3.7 and 4.4.x before
4.4.1 ...)
 	- strongswan 4.4.1-1
+	[lenny] - strongswan <not-affected> (Vulnerability introduced in 4.3.3)
 CVE-2010-2627 (Multiple directory traversal vulnerabilities in the Refractor 2
...)
 	NOT-FOR-US: Refractor 2
 CVE-2010-2626 (index.pl in Miyabi CGI Tools SEO Links 1.02 allows remote
attackers to ...)
@@ -1815,7 +1816,7 @@
 CVE-2010-2496
 	RESERVED
 CVE-2010-2493 (The default configuration of the deployment descriptor (aka
web.xml) ...)
-	NOT-FOR-US: JBoss Enterprise SOA Platform
+	- jbossas4 <not-affected> (Only builds a few libraries, not the full
application server, #581226)
 CVE-2010-2492
 	RESERVED
 CVE-2010-2491 [roundup XSS]
@@ -1867,7 +1868,7 @@
 CVE-2010-2475
 	RESERVED
 CVE-2010-2474 (JBoss Enterprise Service Bus (ESB) before 4.7 CP02 in JBoss
Enterprise ...)
-	NOT-FOR-US: JBoss Enterprise
+	- jbossas4 <not-affected> (Only builds a few libraries, not the full
application server, #581226)
 CVE-2010-2470 (Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7
through ...)
 	- bugzilla <not-affected> (Only affects 3.5 to 3.7)
 CVE-2010-2476 [syscp open_basedir bypassing]
@@ -3345,7 +3346,7 @@
 CVE-2010-1871 (JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise
Application ...)
 	- jbossas4 <not-affected> (Only builds a few libraries, not the full
application server, #581226)
 CVE-2010-1870 (The OGNL extensive expression evaluation capability in XWork in
Struts ...)
-	NOT-FOR-US: struts2
+	TODO: Check, there''s libstruts1.2-java and
libspring-webmvc-struts-2.5-java, which could be affected
 CVE-2010-1869 (Stack-based buffer overflow in the parser function in
GhostScript 8.70 ...)
 	{DSA-2080-1}
 	- ghostscript 8.71~dfsg-4

On Sun,  5 Sep 2010 14:51:49 +0000 Moritz Muehlenhoff wrote:
> Author: jmm-guest
> Date: 2010-09-05 14:51:37 +0000 (Sun, 05 Sep 2010)
> New Revision: 15266
> 
> Modified:
>    data/CVE/list
> Log:
> - strongswan issue doesn''t affect stable
> - struts is in the archive
from my reading of the issue, the problem relies on an issue in xwork
which struts < 2 doesn''t have.  that''s why i marked it NFU,
but
not-affected is probably better.

mike

On Sun, Sep 05, 2010 at 02:16:46PM -0400, Michael Gilbert
wrote:
> On Sun,  5 Sep 2010 14:51:49 +0000 Moritz Muehlenhoff wrote:
> 
> > Author: jmm-guest
> > Date: 2010-09-05 14:51:37 +0000 (Sun, 05 Sep 2010)
> > New Revision: 15266
> > 
> > Modified:
> >    data/CVE/list
> > Log:
> > - strongswan issue doesn''t affect stable
> > - struts is in the archive
> 
> from my reading of the issue, the problem relies on an issue in xwork
> which struts < 2 doesn''t have.  that''s why i marked it
NFU, but
> not-affected is probably better.
Ok, feel free to update, I only noticed the commit and wanted to point
out that Struts is in the archive so that it doesn''t get missed.

Cheers,
        Moritz