Author: jmm-guest
Date: 2010-11-16 22:17:43 +0000 (Tue, 16 Nov 2010)
New Revision: 15591

Modified: data/CVE/list
Log:
- new yaws issue (open in Squeeze, likely open in Lenny)
- new turbogears issue (already resolved in Squeeze, not in Lenny)
- new dhcp issue (open in Squeeze, not in Lenny)
- new php5 issues (three open in Squeeze, two open in Lenny)
- texmacs fix was insufficient and reopened
- mercurial CVEfied
- NFUs

Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-11-16 21:14:37 UTC (rev 15590) +++ data/CVE/list 2010-11-16 22:17:43 UTC (rev 15591) @@ -1,5 +1,3 @@ -CVE-2010-4237 - RESERVED CVE-2010-4236 (Untrusted search path vulnerability in estaskwrapper in IBM OmniFind ...) TODO: check CVE-2010-4235 @@ -117,7 +115,7 @@ CVE-2010-4182 (Untrusted search path vulnerability in the Data Access Objects (DAO) ...) NOT-FOR-US: Microsoft Windows CVE-2010-4181 (Directory traversal vulnerability in Yaws 1.89 allows remote attackers ...) - TODO: check + - yaws <unfixed> (bug filed) CVE-2010-4180 RESERVED CVE-2010-4179 @@ -161,7 +159,8 @@ CVE-2010-4159 RESERVED CVE-2010-4156 (The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through ...) - TODO: check + - php5 <unfixed> (bug filed) + [lenny] - php5 <not-affected> (Only affects 5.3.x) CVE-2010-4155 (Multiple cross-site scripting (XSS) vulnerabilities in eXV2 CMS 2.10 ...) NOT-FOR-US: eXV2 CMS CVE-2010-4154 (Directory traversal vulnerability in Rhino Software, Inc. FTP Voyager ...) @@ -175,9 +174,9 @@ CVE-2010-4150 RESERVED CVE-2009-5015 (The URL dispatch mechanism in TurboGears2 (aka tg2) before 2.0.2 ...) - TODO: check + - turbogears2 2.0.3-1 CVE-2009-5014 (The default quickstart configuration of TurboGears2 (aka tg2) before ...) - TODO: check + - turbogears2 2.0.3-1 CVE-2008-7265 (The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote ...) TODO: check CVE-2010-4203 (WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google ...) 
@@ -604,7 +603,7 @@ CVE-2010-3978 RESERVED CVE-2010-3977 (Multiple cross-site scripting (XSS) vulnerabilities in ...) - TODO: check + NOT-FOR-US: cForm wordpress plugin CVE-2010-3976 (Untrusted search path vulnerability in Adobe Flash Player before ...) NOT-FOR-US: Adobe Flash Player CVE-2010-3975 (Untrusted search path vulnerability in Adobe Flash Player 9 allows ...) @@ -827,9 +826,9 @@ CVE-2010-3872 RESERVED CVE-2010-3871 (Cross-site scripting (XSS) vulnerability in ...) - TODO: check + - mahara <unfixed> (bug filed) CVE-2010-3870 (The utf8_decode function in PHP before 5.3.4 does not properly handle ...) - TODO: check + - php5 <unfixed> (bug filed) CVE-2010-3869 RESERVED CVE-2010-3868 @@ -846,7 +845,7 @@ CVE-2010-3864 RESERVED CVE-2010-3863 (Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize ...) - TODO: check + NOT-FOR-US: Apache Shiro / JSecurity CVE-2010-3862 RESERVED CVE-2010-3861 @@ -923,7 +922,8 @@ RESERVED - libapache-authenhook-perl 2.00-04+pristine-2 (low; bug #599712) [lenny] - libapache-authenhook-perl <no-dsa> (Will be fixed in stable update) -CVE-2010-XXXX +CVE-2010-4237 + RESERVED - mercurial 1.6.4-1 (low; bug #598841) CVE-2010-3840 RESERVED @@ -1230,9 +1230,9 @@ - pidgin 2.7.4-1 [squeeze] - pidgin 2.7.3-1+squeeze1 CVE-2010-3710 (Stack consumption vulnerability in the filter_var function in PHP ...) - - php5 5.3.3-3 (bug filed) + - php5 5.3.3-3 (bug #601619) CVE-2010-3709 (The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 ...) - TODO: check + - php5 <unfixed> (bug filed) CVE-2010-3708 RESERVED CVE-2010-3707 (plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and ...) @@ -1448,7 +1448,9 @@ CVE-2010-3612 RESERVED CVE-2010-3611 (ISC DHCP server 4.0 before 4.0.2, 4.1 before 4.1.2, and 4.2 before ...) - TODO: check + - isc-dhcp <unfixed> + - dhcp3 <not-affected> (Only affects DHCP 4.x) + - dhcp <not-affected> (Only affects DHCP 4.x) CVE-2010-3610 RESERVED CVE-2010-3609 
@@ -2075,7 +2077,7 @@ CVE-2010-3395 RESERVED CVE-2010-3394 (The (1) texmacs and (2) tm_mupad_help scripts in TeXmacs 1.0.7.4 place ...) - - texmacs 1:1.0.7.4-3 (bug #598424) + - texmacs <unfixed> (bug #598424) CVE-2010-3393 (magics-config in Magics++ 2.10.0 places a zero-length directory name ...) - magics++ 2.10.0.dfsg-5.1 (bug #598418) CVE-2010-3392 @@ -4157,7 +4159,7 @@ CVE-2010-2638 (Unspecified vulnerability in IBM WebSphere MQ 7.0 before 7.0.1.5 ...) TODO: check CVE-2010-2637 (IBM WebSphere MQ 6.0 before 6.0.2.9 and 7.0 before 7.0.1.1 does not ...) - TODO: check + NOT-FOR-US: IBM WebSphere CVE-2010-2636 (Multiple cross-site scripting (XSS) vulnerabilities in sample store ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2010-2635 (SQL injection vulnerability in IBM WebSphere Commerce 6.0 before ...) @@ -4271,7 +4273,7 @@ CVE-2010-2584 (The Upload method in the RealPage Module Upload ActiveX control in ...) NOT-FOR-US: RealPage Module ActiveX Controls CVE-2010-2583 (Stack-based buffer overflow in SonicWALL SSL-VPN End-Point ...) - TODO: check + NOT-FOR-US: SonicWALL CVE-2010-2582 (An unspecified function in TextXtra.x32 in Adobe Shockwave Player ...) NOT-FOR-US: Adobe Shockwave Player CVE-2010-2581 (dirapi.dll in Adobe Shockwave Player before 11.5.9.615 allows remote ...)
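Review bot: The "- yaws <unfixed> (bug filed)" line added under CVE-2010-4181 in the @@ -117,7 +115,7 @@ hunk records nothing about Lenny, although the log message says the issue is likely open there. A TODO or NOTE line under the entry asking for the Lenny version to be checked would keep that open question in the file instead of only in the commit log. The "(bug filed)" placeholder should also be replaced with the bug number once it is known, as this same commit does for php5 under CVE-2010-3710.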
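Review bot: Both "- turbogears2 2.0.3-1" lines in the @@ -175,9 +174,9 @@ hunk (CVE-2009-5015 and CVE-2009-5014) carry no Lenny annotation, while the log says the issue is "already resolved in Squeeze, not in Lenny". That wording can be read as "not fixed in Lenny" or as "package not in Lenny". If Lenny ships an affected version, each entry needs its own "[lenny] - turbogears2 ..." line; if the package is absent there, a one-line NOTE would remove the ambiguity for the next person triaging.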
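Review bot: The renamed entry in the @@ -923,7 +922,8 @@ hunk is still RESERVED with no description, so nothing in the file says where the CVE-2010-4237 assignment for the mercurial issue came from. A NOTE line pointing at the source of the assignment would make the mapping from the old CVE-2010-XXXX placeholder verifiable. This hunk also only works together with the @@ -1,5 +1,3 @@ hunk that deletes the empty CVE-2010-4237 stub at the top of the file; the two must stay in one commit so the id never appears twice.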
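Review bot: The "- isc-dhcp <unfixed>" line added under CVE-2010-3611 in the @@ -1448,7 +1448,9 @@ hunk has no bug reference, unlike the other <unfixed> entries added in this commit, which carry "(bug filed)" or a bug number. If a bug was filed, add the reference here; if not, a TODO line saying so would make the missing report visible. The two <not-affected> lines for dhcp3 and dhcp with "Only affects DHCP 4.x" are clear as written.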
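Review bot: Replacing "1:1.0.7.4-3" with "<unfixed>" for CVE-2010-3394 in the @@ -2075,7 +2077,7 @@ hunk removes the only trace of the earlier fix attempt from the file. A NOTE line stating that the fix in 1:1.0.7.4-3 was insufficient, as the log message says, would explain to later readers why the entry went back to unfixed while still pointing at bug #598424, and would stop someone from re-adding the old version as the fixed one.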
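Review bot: CVE-2010-2638, directly above the changed line in the @@ -4157,7 +4159,7 @@ hunk, is also described as IBM WebSphere MQ but is left at "TODO: check" while CVE-2010-2637 becomes NOT-FOR-US. The two entries look like they should get the same triage result, so marking both in this change would be consistent. The tag could also read "NOT-FOR-US: IBM WebSphere MQ" to match the description, the way the following entry uses "IBM WebSphere Commerce".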