Author: gilbert-guest
Date: 2009-11-09 02:51:03 +0000 (Mon, 09 Nov 2009)
New Revision: 13241

Modified:
   data/CVE/list
Log:
prototypejs bugs submitted

Modified: data/CVE/list
==================================================================
--- data/CVE/list 2009-11-08 21:14:17 UTC (rev 13240)
+++ data/CVE/list 2009-11-09 02:51:03 UTC (rev 13241)
@@ -1792,9 +1792,67 @@ NOTE: Introduced in 2.23.4 CVE-2008-7220 (Unspecified vulnerability in Prototype JavaScript framework ...) - prototypejs 1.6.0.2-1 - - asterisk 1:1.6.2.0~rc3-1 + - asterisk 1:1.6.2.0~rc3-1 (low; bug #555220) + [etch] - asterisk <no-dsa> (Minor issue) [lenny] - asterisk <no-dsa> (Minor issue) - [etch] - asterisk <no-dsa> (Minor issue) + - auth2db <unfixed> (low; bug #555217) + [lenny] - auth2db <no-dsa> (minor issue) + - libaws <unfixed> (low; bug #555221) + [etch] - libaws <no-dsa> (minor issue) + [lenny] - libaws <no-dsa> (minor issue) + - libjson-ruby <unfixed> (low; bug #555223) + [lenny] - libjson-ruby <no-dsa> (minor issue) + - lucene2 <unfixed> (low; bug #555225) + [etch] - lucene2 <not-affected> (prototype.js not present) + [lenny] - lucene2 <no-dsa> (minor issue) + - glpi 0.72.3-1 (low; bug #555228) + [etch] - glpi <no-dsa> (minor issue) + [lenny] - glpi <no-dsa> (minor issue) + - knowledgeroot <unfixed> (low; bug #555229) + [etch] - knowledgeroot <no-dsa> (minor issue) + [lenny] - knowledgeroot <no-dsa> (minor issue) + - mt-daapd 0.9~r1696.dfsg-6 (low; bug #555231) + [etch] - mt-daapd <no-dsa> (minor issue) + - mediatomb <unfixed> (low; bug #555232) + [lenny] - mediatomb <no-dsa> (minor issue) + - op-panel <unfixed> (low; bug #555234) + - ebug-http <unfixed> (low; bug #555235) + - poker-network <unfixed> (low; bug #555237) + [etch] - poker-network <no-dsa> (minor issue) + - webhelpers <unfixed> (low; bug #555239) + [etch] - webhelpers <not-affected> (prototype.js not present) + [lenny] - webhelpers <no-dsa> (minor issue) + - qwik <unfixed> (low; bug #555240) + [etch] - qwik <no-dsa> (minor issue) + [lenny] - qwik <no-dsa> (minor issue) + - wordpress <unfixed> (low; bug #555242) + [etch] - wordpress <not-affected> (prototype.js not present) + [lenny] - wordpress <no-dsa> (minor issue) + - exaile <unfixed> (low; bug #555244) + [lenny] - exaile <no-dsa> (minor issue) + - hobix <unfixed> (low; bug #555246) + [lenny] - hobix <no-dsa> 
(minor issue) + - pixelpost <unfixed> (low; bug #555248) + [lenny] - pixelpost <no-dsa> (minor issue) + - symfony <unfixed> (low; bug #555250) + [lenny] - symfony <no-dsa> (minor issue) + - jscropperui <unfixed> (low; bug #555255) + [lenny] - jscropperui <no-dsa> (minor issue) + - rt-extension-emailcompletion <unfixed> (low; bug #555258) + - scriptaculous 1.8.3-1 (low; bug #555259) + - activeldap 1.0.9-1 (low; bug #555263) + [lenny] - activeldap <no-dsa> (minor issue) + - mantis 1.1.8+dfsg-3 (low; bug #555264) + [lenny] - mantis <no-dsa> (minor issue) + - otrs2 <unfixed> (low; bug #555266) + [etch] - otrs2 <not-affected> (prototype.js not present) + [lenny] - otrs2 <not-affected> (prototype.js not present) + - webcalendar <unfixed> (low; bug #555268) + [lenny] - webcalendar <not-affected> (prototype.js not present) + - plone3 <unfixed> (low; bug #555274) + - wesnoth <unfixed> (low; bug #555266) + [etch] - wesnoth <not-affected> (prototype.js not present) + [lenny] - wesnoth <not-affected> (prototype.js not present) CVE-2008-7219 (Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 ...) - kronolith2 2.1.7-1 (unknown) - nag2 2.1.4-1 (unknown) 
@@ -38430,7 +38488,56 @@ NOTE: only be considered vunerabile if they process confidential data. NOTE: The frameworks should be fixed in any case. CVE-2007-2383 (The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data ...) - TODO: check glpi hobix knowledgeroot libbio-ruby1.8 mt-daapd op-panel poker-web python-webhelpers qwik rails wordpress + - prototypejs <not-affected> (fixed before initial upload) + - auth2db <unfixed> (low; bug #555217) + [etch] - auth2db <no-dsa> (minor issue) + [lenny] - auth2db <no-dsa> (minor issue) + - asterisk 1:1.6.2.0~rc3-1 (low; bug #555220) + [etch] - asterisk <no-dsa> (minor issue) + [lenny] - asterisk <no-dsa> (minor issue) + - libaws <unfixed> (low; bug #555221) + [etch] - libaws <no-dsa> (minor issue) + [lenny] - libaws <no-dsa> (minor issue) + - libjson-ruby <not-affected> (has prototype.js >= 1.5.1) + - lucene2 <unfixed> (low; bug #555225) + [etch] - lucene2 <not-affected> (prototype.js not present) + [lenny] - lucene2 <no-dsa> (minor issue) + - glpi 0.72.3-1 (low; bug #555228) + [etch] - glpi <no-dsa> (minor issue) + [lenny] - glpi <no-dsa> (minor issue) + - knowledgeroot <unfixed> (low; bug #555229) + [etch] - knowledgeroot <no-dsa> (minor issue) + [lenny] - knowledgeroot <no-dsa> (minor issue) + - mt-daapd 0.9~r1696.dfsg-6 (low; bug #555231) + [etch] - mt-daapd <no-dsa> (minor issue) + - mediatomb 0.11.0-3 (low; bug #555232) + - op-panel <unfixed> (low; bug #555234) + - ebug-http <unfixed> (low; bug #555235) + - poker-network <unfixed> (low; bug #555237) + [etch] - poker-network <no-dsa> (minor issue) + - webhelpers <not-affected> (fixed since initial inclusion) + - qwik <unfixed> (low; bug #555240) + [etch] - qwik <no-dsa> (minor issue) + [lenny] - qwik <no-dsa> (minor issue) + - wordpress <not-affected> (fixed since initial inclusion) + - exaile <not-affected> (fixed since initial inclusion) + - hobix <unfixed> (low; bug #555246) + [lenny] - hobix <no-dsa> (minor issue) + - pixelpost <unfixed> (low; bug 
#555248) + [lenny] - pixelpost <no-dsa> (minor issue) + - symfony <unfixed> (low; bug #555250) + [lenny] - symfony <no-dsa> (minor issue) + - jscropperui <unfixed> (low; bug #555255) + [lenny] - jscropperui <no-dsa> (minor issue) + - rt-extension-emailcompletion <not-affected> (fixed since initial inclusion) + - scriptaculous <not-affected> (fixed since initial inclusion) + - activeldap <not-affected> (fixed since initial inclusion) + - mantis <not-affected> (fixed since initial inclusion) + - otrs2 <not-affected> (fixed since initial inclusion) + - webcalendar <unfixed> (low; bug #555268) + [lenny] - webcalendar <not-affected> (prototype.js not present) + - plone3 <unfixed> (low; bug #555274) + - wesnoth <not-affected> (fixed since initial inclusion) NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf NOTE: This allows to steal data from affected websites. Therefore web applications should NOTE: only be considered vunerabile if they process confidential data.
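Review bot: In the CVE-2008-7220 hunk, otrs2 and wesnoth cite the same bug number (`- otrs2 <unfixed> (low; bug #555266)` and `- wesnoth <unfixed> (low; bug #555266)`), while every other package in this batch has its own bug; one of the two is almost certainly a copy-paste slip, so please verify the wesnoth number against the BTS before this lands. Minor: the re-added `[etch] - asterisk <no-dsa> (Minor issue)` keeps the capitalised "Minor issue" whereas all the new entries use "minor issue"; harmonising the reason text keeps the list consistent.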
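Review bot: In the CVE-2007-2383 hunk, the removed line `- TODO: check glpi hobix knowledgeroot libbio-ruby1.8 mt-daapd op-panel poker-web python-webhelpers qwik rails wordpress` is not fully accounted for by the new entries: libbio-ruby1.8 and rails get no entry at all, and poker-web/python-webhelpers appear only as poker-network/webhelpers. Either add `<not-affected>` or `<unfixed>` entries for the missing packages or leave a reduced TODO so the outstanding checks are not silently dropped. Also, wesnoth is `<not-affected> (fixed since initial inclusion)` here but `<unfixed>` for CVE-2008-7220 in the previous hunk; that is consistent only if wesnoth ships a prototype.js at or above 1.5.1 but below 1.6.0.2, and a short reason text on the CVE-2008-7220 entry would make that explicit for the next person triaging it.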