Author: derevko-guest Date: 2009-11-01 10:45:03 +0000 (Sun, 01 Nov 2009) New Revision: 13165 Modified: data/CVE/list data/spu-candidates.txt Log: - wireshark issues - CVE-2009-3765: mutt not-affected, our mutt is linked against gnutls - CVE-2009-3641: DoS while printing specially-crafted IPv6 packet using the -v option in snort - CVE-2009-3616: Multiple use-after-free vulnerabilities in qemu and kvm - CVE-2006-5031: fixed in cakephp 1.1.13.4450-1 - CVE-2006-4067: fixed in cakephp 1.1.13.4450-1 Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-11-01 09:01:09 UTC (rev 13164) +++ data/CVE/list 2009-11-01 10:45:03 UTC (rev 13165) @@ -5,7 +5,7 @@ CVE-2009-3830 (The download functionality in Team Services in Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2009-3829 (Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows ...) - TODO: check + - wireshark 1.2.2-1 (bug #553583) CVE-2009-3828 (The web interface for Everfocus EDR1600 DVR allows remote attackers to ...) NOT-FOR-US: Everfocus EDR1600 DVR CVE-2009-3827 @@ -159,13 +159,11 @@ RESERVED CVE-2009-3767 (libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not ...) - openldap <unfixed> (medium; bug #553432) - TODO: check CVE-2009-3766 (mutt_ssl.c in mutt 1.5.16, when OpenSSL is used, does not verify the ...) - mutt <unfixed> (medium; bug #553433) CVE-2009-3765 (mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not ...) - - mutt <unfixed> - TODO: check - NOTE: probably not an issue, as our mutt is linked against gnutls + - mutt <not-affected> (uses GnuTLS and not OpenSSL) + NOTE: our mutt is linked against gnutls CVE-2009-3764 RESERVED CVE-2009-3763 
@@ -477,7 +475,7 @@ CVE-2009-3642 (Multiple SQL injection vulnerabilities in the Call Logging feature in ...) NOT-FOR-US: FrontRange HEAT CVE-2009-3641 (Snort before 2.8.5.1, when the -v option is enabled, allows remote ...) - TODO: check + - snort <unfixed> (medium; bug #553584) CVE-2009-3640 (The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM ...) - linux-2.6 <unfixed> (medium) [etch] - linux-2.6 <not-affected> (introduced in 2.6.25) @@ -564,8 +562,11 @@ CVE-2009-3617 (Format string vulnerability in the AbstractCommand::onAbort function ...) - aria2 1.6.2-1 (low) CVE-2009-3616 (Multiple use-after-free vulnerabilities in vnc.c in the VNC server in ...) - - qemu <unfixed> - TODO: check + - qemu <unfixed> (medium; bug #553589) + [lenny] - qemu <not-affected> (Vulnerable code not present) + [etch] - qemu <not-affected> (Vulnerable code not present) + - kvm <unfixed> (medium; bug #553590) + [lenny] - kvm <not-affected> (Vulnerable code not present) CVE-2009-3615 (The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and ...) - pidgin 2.6.3-1 NOTE: http://pidgin.im/news/security/?id=41 @@ -737,16 +738,13 @@ CVE-2009-3552 RESERVED CVE-2009-3551 (Off-by-one error in the dissect_negprot_response function in ...) - - wireshark <unfixed> - TODO: check + - wireshark <unfixed> (low; bug #553583) NOTE: http://www.wireshark.org/security/wnpa-sec-2009-07.html CVE-2009-3550 (The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 ...) - - wireshark <unfixed> - TODO: check + - wireshark <unfixed> (low; bug #553583) NOTE: http://www.wireshark.org/security/wnpa-sec-2009-07.html CVE-2009-3549 (packet-paltalk.c in the Paltalk dissector in Wireshark 1.2.0 through ...) - - wireshark <unfixed> - TODO: check + - wireshark <unfixed> (low; bug #553583) NOTE: http://www.wireshark.org/security/wnpa-sec-2009-07.html CVE-2009-3548 RESERVED 
@@ -48789,8 +48787,7 @@ CVE-2006-5032 (PHP remote file inclusion vulnerability in dix.php3 in PHPartenaire ...) NOT-FOR-US: PHPartenaire CVE-2006-5031 (Directory traversal vulnerability in app/webroot/js/vendors.php in ...) - - cakephp <unfixed> - TODO: check + - cakephp 1.1.13.4450-1 CVE-2006-5030 (SQL injection vulnerability in modules/messages/index.php in exV2 ...) NOT-FOR-US: exV2 CVE-2006-5029 (SQL injection vulnerability in thread.php in WoltLab Burning Board ...) @@ -51003,8 +51000,7 @@ CVE-2006-4068 (The pswd.js script relies on the client to calculate whether a ...) NOT-FOR-US: pswd.js CVE-2006-4067 (Cross-site scripting (XSS) vulnerability in cake/libs/error.php in ...) - - cakephp <unfixed> - TODO: check + - cakephp 1.1.13.4450-1 CVE-2006-4066 (The Graphical Device Interface Plus library (gdiplus.dll) in Microsoft ...) NOT-FOR-US: Microsoft CVE-2006-4065 (Multiple PHP remote file inclusion vulnerabilities in Dmitry Sheiko ...) Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2009-11-01 09:01:09 UTC (rev 13164) +++ data/spu-candidates.txt 2009-11-01 10:45:03 UTC (rev 13165) @@ -287,13 +287,6 @@ -- -smarty (CVE-2009-1669) -#529810 -http://groups.google.com/group/smarty-svn/browse_thread/thread/b2da2e5d1ef8b462 -notified maintainer - --- - tau (CVE-2008-5157) #506348 notified maintainer
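Review bot: The bug reference on the new CVE-2009-3829 line in the data/CVE/list hunk at @@ -5,7 +5,7 @@ needs checking, because "- wireshark 1.2.2-1 (bug #553583)" marks the issue fixed while the same bug number is attached to three entries that this commit leaves "<unfixed>" (CVE-2009-3551, CVE-2009-3550, CVE-2009-3549). If #553583 tracks the later wnpa-sec-2009-07 issues, it is the wrong bug for an entry already fixed in 1.2.2-1; either drop the reference here or add a NOTE saying the bug covers both sets.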
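Review bot: The mutt entries in the data/CVE/list hunk at @@ -159,13 +159,11 @@ end up inconsistent: CVE-2009-3765 becomes "- mutt <not-affected> (uses GnuTLS and not OpenSSL)", but CVE-2009-3766 directly above it, whose description has the same "mutt_ssl.c ... when OpenSSL is used" condition, stays "- mutt <unfixed> (medium; bug #553433)". If the GnuTLS linkage is the reason, it should apply to both entries, or CVE-2009-3766 needs a NOTE explaining the difference. The kept line "NOTE: our mutt is linked against gnutls" repeats the parenthetical and can go. The hunk also drops "TODO: check" from CVE-2009-3767 (openldap), which the log message does not mention.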
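Review bot: Release coverage is uneven in the CVE-2009-3616 block of the data/CVE/list hunk at @@ -564,8 +562,11 @@: qemu gets both "[lenny]" and "[etch]" not-affected lines, kvm gets only "[lenny]". If kvm has no etch line on purpose, say so in a NOTE; otherwise add the missing line. Style point: the reason "(Vulnerable code not present)" is capitalised, while the other reasons in this patch, such as "(introduced in 2.6.25)", are lower case.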
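Review bot: The three wireshark entries in the data/CVE/list hunk at @@ -737,16 +738,13 @@ lose "TODO: check" without any per-release status, although the CVE-2009-3550 description names "Wireshark 0.10.10 through 1.0.9 and 1.2.0", a range that reaches back well before the 1.2 series. Add "[lenny]" and "[etch]" lines (affected or not-affected, with a reason) for at least that entry, or keep the TODO until the older releases have been checked.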
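Review bot: The removal of the smarty (CVE-2009-1669) block in the data/spu-candidates.txt hunk at @@ -287,13 +287,6 @@ is not covered by the log message, which only lists the data/CVE/list changes. Add a line to the log saying why the candidate was dropped (for example fixed, rejected, or moved elsewhere) so the bug #529810 history can be followed from the commit.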