thr3ads.net - Secure testing commits - [Secure-testing-commits] r12914

If this information is useful, please help other people find it:
Share via:
Giuseppe Iuculano
2009-Oct-02 08:07 UTC
[Secure-testing-commits] r12914 - in data: CVE DSA

Author: derevko-guest
Date: 2009-10-02 08:07:14 +0000 (Fri, 02 Oct 2009)
New Revision: 12914

Modified:
   data/CVE/list
   data/DSA/list
Log:
- NFUs
- CVE-2009-3474 CVE-2009-3475 CVE-2009-3476 fixed in DSA-1895-1 and DSA-1896-1
- CVE-2009-3490: wget ''\0'' character issue
- chromium-browser itp


Modified: data/CVE/list
==================================================================---
data/CVE/list	2009-10-01 04:19:30 UTC (rev 12913)
+++ data/CVE/list	2009-10-02 08:07:14 UTC (rev 12914)
@@ -1,79 +1,85 @@
 CVE-2009-3505 (SQL injection vulnerability in view_news.php in Vastal I-Tech
MMORPG ...)
-	TODO: check
+	NOT-FOR-US: Vastal I-Tech MMORPG Zone
 CVE-2009-3504 (SQL injection vulnerability in offers_buy.php in Alibaba Clone
3.0 ...)
-	TODO: check
+	NOT-FOR-US: Alibaba Clone
 CVE-2009-3503 (Multiple SQL injection vulnerabilities in search.aspx in
BPowerHouse ...)
-	TODO: check
+	NOT-FOR-US: BPowerHouse BPHolidayLettings
 CVE-2009-3502 (SQL injection vulnerability in music.php in BPowerHouse BPMusic
1.0 ...)
-	TODO: check
+	NOT-FOR-US: BPowerHouse BPMusic
 CVE-2009-3501 (SQL injection vulnerability in students.php in BPowerHouse
BPStudents ...)
-	TODO: check
+	NOT-FOR-US: BPowerHouse BPStudents
 CVE-2009-3500 (Multiple SQL injection vulnerabilities in BPowerHouse BPGames
1.0 ...)
-	TODO: check
+	NOT-FOR-US: BPowerHouse BPGames
 CVE-2009-3499 (SQL injection vulnerability in employee.aspx in BPowerHouse ...)
-	TODO: check
+	NOT-FOR-US: BPowerHouse BPLawyerCaseDocuments
 CVE-2009-3498 (SQL injection vulnerability in php/update_article_hits.php in
HBcms ...)
-	TODO: check
+	NOT-FOR-US: HBcms
 CVE-2009-3497 (SQL injection vulnerability in view_listing.php in Vastal I-Tech
Agent ...)
-	TODO: check
+	NOT-FOR-US: Vastal I-Tech Agent
 CVE-2009-3496 (Cross-site scripting (XSS) vulnerability in view_mag.php in
Vastal ...)
-	TODO: check
+	NOT-FOR-US: Vastal I-Tech DVD Zone
 CVE-2009-3495 (SQL injection vulnerability in view_mag.php in Vastal I-Tech DVD
Zone ...)
-	TODO: check
+	NOT-FOR-US: Vastal I-Tech DVD Zone
 CVE-2009-3494 (Multiple SQL injection vulnerabilities in index.php in T-HTB
Manager ...)
-	TODO: check
+	NOT-FOR-US: T-HTB Manager
 CVE-2009-3493 (Multiple cross-site scripting (XSS) vulnerabilities in Zenas
...)
-	TODO: check
+	NOT-FOR-US: Zenas PaoBacheca Guestbook
 CVE-2009-3492 (Multiple PHP remote file inclusion vulnerabilities in Loggix
Project ...)
-	TODO: check
+	NOT-FOR-US: Loggix Project
 CVE-2009-3491 (SQL injection vulnerability in the Kinfusion SportFusion ...)
-	TODO: check
+	NOT-FOR-US: Kinfusion SportFusion
 CVE-2009-3490 (GNU Wget before 1.12 does not properly handle a
''\0'' character in a ...)
-	TODO: check
+	- wget <unfixed> (medium; bug #549293) 
 CVE-2009-3489 (Adobe Photoshop Elements 8.0 installs the Adobe Active File
Monitor V8 ...)
-	TODO: check
+	NOT-FOR-US: Adobe Photoshop Elements
 CVE-2009-3488 (Cross-site scripting (XSS) vulnerability in the Bibliography
(aka ...)
-	TODO: check
+	NOT-FOR-US: Drupal Bibliography Module
 CVE-2009-3487 (Multiple cross-site scripting (XSS) vulnerabilities in the J-Web
...)
-	TODO: check
+	NOT-FOR-US: J-Web interface in Juniper JUNOS
 CVE-2009-3486 (Multiple cross-site scripting (XSS) vulnerabilities in the J-Web
...)
-	TODO: check
+	NOT-FOR-US: J-Web interface in Juniper JUNOS
 CVE-2009-3485 (Cross-site scripting (XSS) vulnerability in the J-Web interface
in ...)
-	TODO: check
+	NOT-FOR-US: J-Web interface in Juniper JUNOS
 CVE-2009-3484 (Stack-based buffer overflow in Core FTP 2.1 build 1612 allows
...)
-	TODO: check
+	NOT-FOR-US: Core FTP
 CVE-2009-3483 (Heap-based buffer overflow in the Create New Site feature in
...)
-	TODO: check
+	NOT-FOR-US: CuteFTP
 CVE-2009-3482 (TrustPort Antivirus before 2.8.0.2266 and PC Security before
...)
-	TODO: check
+	NOT-FOR-US: TrustPort Antivirus and PC Security
 CVE-2009-3481 (A certain interface in the iCRM Basic (com_icrmbasic) component
...)
-	TODO: check
+	NOT-FOR-US: Joomla component
 CVE-2009-3480 (SQL injection vulnerability in the iCRM Basic (com_icrmbasic)
...)
-	TODO: check
+	NOT-FOR-US: Joomla component
 CVE-2009-3479 (Cross-site scripting (XSS) vulnerability in Bibliography
(Biblio) 5.x ...)
-	TODO: check
+	NOT-FOR-US: Bibliography
 CVE-2009-3478 (Argument injection vulnerability in (1) ...)
-	TODO: check
+	NOT-FOR-US: Bibliography
 CVE-2009-3477 (The Blackberry Browser in RIM BlackBerry Device Software 4.5.0
before ...)
-	TODO: check
+	NOT-FOR-US: Blackberry Browser in RIM BlackBerry Device Software
 CVE-2009-3476 (Buffer overflow in OpenSAML before 1.1.3 as used in Internet2
...)
-	TODO: check
+	- xmltooling 1.2.2-1
+	- opensaml <removed>
+	- shibboleth-sp <removed>
 CVE-2009-3475 (Internet2 Shibboleth Service Provider software 1.3.x before
1.3.3 and ...)
-	TODO: check
+	- xmltooling 1.2.2-1
+	- opensaml <removed>
+	- shibboleth-sp <removed>
 CVE-2009-3474 (OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as
used by ...)
-	TODO: check
+	- xmltooling 1.2.2-1
+	- opensaml <removed>
+	- shibboleth-sp <removed>
 CVE-2009-3473 (IBM DB2 9.1 before FP8 does not require the SETSESSIONUSER
privilege ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2009-3472 (IBM DB2 8 before FP18, 9.1 before FP8, and 9.5 before FP4 allows
...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2009-3471 (IBM DB2 8 before FP18, 9.1 before FP8, and 9.5 before FP4 does
not ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2009-3470 (IBM Informix Dynamic Server (IDS) 10.00 before 10.00.xC11, 11.10
...)
-	TODO: check
+	NOT-FOR-US: IBM Informix Dynamic Server (IDS) 
 CVE-2009-3469 (Cross-site scripting (XSS) vulnerability in ...)
-	TODO: check
+	NOT-FOR-US: IBM Lotus Connections
 CVE-2009-3468 (Multiple unspecified vulnerabilities in Common Desktop
Environment ...)
-	TODO: check
+	NOT-FOR-US: Common Desktop Environment (CDE) in Sun Solaris 
 CVE-2009-3467
 	RESERVED
 CVE-2009-3466
@@ -95,27 +101,27 @@
 CVE-2009-3458
 	RESERVED
 CVE-2009-3457 (Cisco ACE XML Gateway (AXG) and ACE Web Application Firewall
(WAF) ...)
-	TODO: check
+	NOT-FOR-US: Cisco ACE XML Gateway (AXG) and ACE Web Application Firewall (WAF)
 CVE-2009-3456 (Google Chrome, possibly 3.0.195.21 and earlier, does not
properly ...)
-	TODO: check
+	- chromium-browser <itp> (bug #520324)
 CVE-2009-3455 (Apple Safari, possibly before 4.0.3, on Mac OS X does not
properly ...)
-	TODO: check
+	NOT-FOR-US: Apple Safari
 CVE-2009-3454 (Microsoft Internet Explorer does not properly handle a
''\0'' character ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2009-3453 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus
...)
-	TODO: check
+	NOT-FOR-US: IBM Lotus Quickr
 CVE-2009-3452 (WebCoreModule.ashx in RADactive I-Load before 2008.2.5.0 allows
remote ...)
-	TODO: check
+	NOT-FOR-US: RADactive I-Load
 CVE-2009-3451 (Directory traversal vulnerability in WebCoreModule.ashx in
RADactive ...)
-	TODO: check
+	NOT-FOR-US: RADactive
 CVE-2009-3450 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
-	TODO: check
+	NOT-FOR-US: RADactive I-Load
 CVE-2009-3449 (MP3 Collector 2.3 allows remote attackers to cause a denial of
service ...)
-	TODO: check
+	NOT-FOR-US: MP3 Collector
 CVE-2009-3448 (npvmgr.exe in BakBone NetVault Backup 8.22 Build 29 allows
remote ...)
-	TODO: check
+	NOT-FOR-US: BakBone NetVault Backup
 CVE-2009-3447 (Unrestricted file upload vulnerability in RADactive I-Load
before ...)
-	TODO: check
+	NOT-FOR-US: RADactive I-Load
 CVE-2009-XXXX [ffmpeg missing input sanitization/crashes]
 	- ffmpeg <unfixed>
 	- ffmpeg-debian <removed>
@@ -2705,11 +2711,11 @@
 CVE-2009-2684
 	RESERVED
 CVE-2009-2683 (Unspecified vulnerability in the Sender module in HP Remote
Graphics ...)
-	TODO: check
+	NOT-FOR-US: HP Remote Graphics 
 CVE-2009-2682 (Unspecified vulnerability in Role-Based Access Control (RBAC) in
HP ...)
 	NOT-FOR-US: HP-UX
 CVE-2009-2681 (Unspecified vulnerability in HP ProCurve Identity Driven Manager
(IDM) ...)
-	TODO: check
+	NOT-FOR-US: HP ProCurve Identity Driven Manager
 CVE-2009-2680 (Unspecified vulnerability in the Remote Management Interface
(RMI) for ...)
 	NOT-FOR-US: HP StorageWorks
 CVE-2009-2679

Modified: data/DSA/list
==================================================================---
data/DSA/list	2009-10-01 04:19:30 UTC (rev 12913)
+++ data/DSA/list	2009-10-02 08:07:14 UTC (rev 12914)
@@ -3,11 +3,13 @@
 	[etch] - horde3 3.1.3-4etch6
 	[lenny] - horde3 3.2.2+debian0-2+lenny1
 [28 Sep 2009] DSA-1896-1 opensaml shibboleth-sp - potential code execution
+	{CVE-2009-3474 CVE-2009-3475 CVE-2009-3476}
 	[etch] - opensaml 1.1a-2+etch1
 	[etch] - shibboleth-sp 1.3f.dfsg1-2+etch1
 	[lenny] - opensaml 1.1.1-2+lenny1
 	[lenny] - shibboleth-sp 1.3.1.dfsg1-3+lenny1
 [24 Sep 2009] DSA-1895-1 xmltooling - potential code execution
+	{CVE-2009-3474 CVE-2009-3475 CVE-2009-3476}
 	[lenny] - xmltooling 1.0-2+lenny1
 [24 Sep 2009] DSA-1894-1 newt - arbitrary code execution
 	{CVE-2009-2905}
Secure testing commits - Oct 2009 - r12914 - in data: CVE DSA

[Secure-testing-commits] r12914 - in data: CVE DSA
