Author: jmm-guest Date: 2009-08-03 22:07:13 +0000 (Mon, 03 Aug 2009) New Revision: 12468 Modified: data/CVE/list Log: - new vlc issue likely affecting ffmpeg or mplayer - asterisk already tracked - revised mapserver fix Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-08-03 21:14:35 UTC (rev 12467) +++ data/CVE/list 2009-08-03 22:07:13 UTC (rev 12468) @@ -1,3 +1,7 @@ +CVE-2009-XXXX [VLC: integer underflow in Real RTSP] + - vlc 1.0.1-1 + NOTE: Posting on full-disclosure contains details + TODO: Seems to affect Mplayer as well, so likely in ffmpeg-debian, needs to be checked CVE-2009-2655 (mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 ...) TODO: check CVE-2009-2654 (Mozilla Firefox 3.5.1 and earlier allows remote attackers to spoof the ...) @@ -22,12 +26,6 @@ TODO: check CVE-2008-6884 (Multiple directory traversal vulnerabilities in XOOPS 2.3.1, when ...) TODO: check -CVE-2009-XXXX [asterisk DoS] - - asterisk <unfixed> - [lenny] - asterisk <not-affected> (Vulnerable code introduced in 1.6) - [etch] - asterisk <not-affected> (Vulnerable code introduced in 1.6) - TODO: report bug - NOTE: AST-2009-004 CVE-2009-XXXX [poppler: buffer overflow in abiword backend] - poppler <unfixed> (low; bug #534680) CVE-2009-XXXX [openssl: certificate spoofing via null characters] @@ -39,6 +37,7 @@ [etch] - asterisk <not-affected> (Vulnerable code not present) [lenny] - asterisk <not-affected> (Vulnerable code not present) [squeeze] - asterisk <not-affected> (Vulnerable code not present) + NOTE: AST-2009-004 CVE-2009-2650 (Heap-based buffer overflow in Sorcerer Software MultiMedia Jukebox 4.0 ...) NOT-FOR-US: Sorcerer Software MultiMedia Jukebox CVE-2009-2649 (The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev ...) 
@@ -51,7 +50,6 @@ NOT-FOR-US: Research In Motion (RIM) BlackBerry Enterprise Server (BES) CVE-2009-2645 REJECTED - NOT-FOR-US: ** REJECT ** CVE-2009-2644 (Race condition in the Solaris Auditing subsystem in Sun Solaris 9 and ...) NOT-FOR-US: Sun Solaris CVE-2008-6883 (SQL injection vulnerability in the Live Chat (com_livechat) component ...) @@ -434,8 +432,8 @@ - vlc <not-affected> (The vulnerability affects Windows builds only) CVE-2009-2479 (Mozilla Firefox 3.0.x, 3.5, and 3.5.1 on Windows allows remote ...) - xulrunner <not-affected> - NOTE: Affected version only available in experimental, only Firefox 3.5 - TODO: check when 3.5 gets uploaded to unstable + NOTE: Affected version only available in experimental, only Firefox 3.5, + NOTE: Fixed in experimental in 1.9.1.1-1 CVE-2009-2478 (Mozilla Firefox 3.5 allows remote attackers to cause a denial of ...) - xulrunner <not-affected> (unimportant) NOTE: browser crashes not treated as security issues @@ -5493,8 +5491,8 @@ - mapserver 5.2.2-1 (unimportant; bug #523027) NOTE: this doesn''t work under linux as the root from the directory traversal needs to exist CVE-2009-0840 (Heap-based buffer underflow in the readPostBody function in cgiutil.c ...) - - mapserver 5.2.2-1 (medium; bug #523027) - NOTE: http://www.openwall.com/lists/oss-security/2009/06/22/2 + - mapserver 5.4.2-1 (medium; bug #523027) + NOTE: Initial fix was incomplete CVE-2009-0839 (Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x ...) - mapserver 5.2.2-1 (medium; bug #523027) CVE-2009-0838 (The crypto pseudo device driver in Sun Solaris 10, and OpenSolaris ...)
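Review bot: In the new VLC entry (hunk @@ -1,3 +1,7 @@), the line "NOTE: Posting on full-disclosure contains details" gives no URL or message reference, so whoever triages this next cannot locate the report; add the link to the posting. The TODO mentions Mplayer and ffmpeg-debian only in free text. Once checked, each needs its own package line under this entry so its status is tracked rather than left in a comment.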
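Review bot: In the removed asterisk entry (hunk @@ -22,12 +26,6 @@), the deleted lines include "- asterisk <unfixed>" and "TODO: report bug", with the reason "Vulnerable code introduced in 1.6". The context of the entry that is kept (hunk @@ -39,6 +37,7 @@) shows only the etch, lenny and squeeze not-affected lines with the different reason "Vulnerable code not present". Please confirm that the kept entry also records the unstable status and the pending bug report, otherwise that information is lost with this deletion.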
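Review bot: In the CVE-2009-2479 hunk (@@ -434,8 +432,8 @@), the first new NOTE ends in a dangling comma ("only Firefox 3.5,"), and the package line stays "- xulrunner <not-affected>" while the second NOTE says "Fixed in experimental in 1.9.1.1-1". Drop the trailing comma or merge the two notes into one sentence, and say in the note why the status remains not-affected although a fixed version is recorded, since the removed TODO about the 3.5 upload to unstable no longer explains it.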
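Review bot: In the CVE-2009-0840 hunk (@@ -5493,8 +5491,8 @@), the oss-security URL is dropped in favour of "NOTE: Initial fix was incomplete", which leaves the entry with no reference explaining why 5.2.2-1 was insufficient. Keep the http://www.openwall.com/lists/oss-security/2009/06/22/2 NOTE next to the new one. The neighbouring CVE-2009-0839 line still lists 5.2.2-1 under the same bug #523027, so it is worth confirming that its fix was complete in that version.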