Author: jmm-guest Date: 2009-11-18 18:49:37 +0000 (Wed, 18 Nov 2009) New Revision: 13313 Added: data/CVE-2009-3555 Modified: data/CVE/list Log: track pdf NULL derefs as non-issues move tracking of TLS issue into a separate file Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-11-18 12:53:20 UTC (rev 13312) +++ data/CVE/list 2009-11-18 18:49:37 UTC (rev 13313) @@ -394,9 +394,8 @@ CVE-2009-3778 (SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, ...) NOT-FOR-US: module for Drupal CVE-2009-XXXX [NULL dereferences, similar to Adobe''s CVE-2009-0658] - - ghostscript <unfixed> - - xpdf <unfixed> - TODO: check poppler and friends, file bugs + - ghostscript <unfixed> (unimportant) + - xpdf <unfixed> (unimportant) CVE-2009-XXXX [multiple vulnerabilities in acidbase; XSS + possible sql injection] - acidbase <unfixed> (bug #552235) CVE-2009-XXXX [multiple vulnerabilities in jetty] 
@@ -1013,31 +1012,7 @@ RESERVED CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as ...) {DSA-1934-1} - - openssl 0.9.8k-6 (bug #555829) - - openssl097 <removed> - - gnutls26 <unfixed> - - gnutls13 <removed> - - nss <unfixed> - - xyssl <unfixed> - - proftpd-dfsg 1.3.2b-2 - - polarssl <unfixed> - - matrixssl <unfixed> - - pike7.6 <unfixed> - - classpath <unfixed> - - gcj-4.1 <unfixed> - - gcj-4.2 <unfixed> - - gcj-4.3 <unfixed> - - gcj-4.4 <unfixed> - - zorp <unfixed> - - openjdk-6 <unfixed> - - sun-java5 <removed> - [etch] - sun-java5 <no-dsa> (non-free not supported) - [lenny] - sun-java5 <no-dsa> (non-free not supported) - - sun-java6 <unfixed> - [lenny] - sun-java6 <no-dsa> (non-free not supported) - TODO: check - TODO: I haven''t checked if all the java ssl implementations are actually used. - NOTE: This may need fixes in TLS/SSL using packages, too. + NOTE: See separate CVE-2009-3555 file in SVN CVE-2009-3554 RESERVED CVE-2009-3553 Added: data/CVE-2009-3555 ==================================================================--- data/CVE-2009-3555 (rev 0) +++ data/CVE-2009-3555 2009-11-18 18:49:37 UTC (rev 13313) @@ -0,0 +1,26 @@ +A generic position statement will be send by Florian. + +SSL implementations in the archive: + +- openssl -> Disabled SSL/TLS renegotiations in 0.9.8k-6 in unstable (bug #555829) +- openssl097 (oldstable only) +- gnutls26 +- gnutls13 (oldstable only) +- nss +- xyssl +- polarssl +- matrixssl +- pike7.6 +- classpath +- gcj-4.1 +- gcj-4.2 +- gcj-4.3 +- gcj-4.4 +- zorp +- openjdk-6 +- sun-java5 +- sun-java6 + +Applications, which have been modified: +- proftpd-dfsg -> Disabled SSL/TLS renegotiations in 1.3.2b-2 in unstable +- apache2 -> Disabled client-initiated SSL/TLS renegs in 2.2.14-2, only partial fix, also issued as DSA 1934 for stable
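Review bot: In the first data/CVE/list hunk (@@ -394,9 +394,8 @@), dropping "TODO: check poppler and friends, file bugs" in the same change that marks ghostscript and xpdf as (unimportant) leaves no record of whether poppler and the other xpdf-derived renderers were actually examined for the same NULL dereferences. Either keep the TODO line or replace it with a NOTE stating the result of that check, so the downgrade to unimportant is not read as covering packages that were never looked at.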
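Review bot: In the second data/CVE/list hunk (@@ -1013,31 +1012,7 @@), removing every package entry for CVE-2009-3555, including the fixed-version lines `- openssl 0.9.8k-6 (bug #555829)` and `- proftpd-dfsg 1.3.2b-2` and the `[etch]`/`[lenny]` `<no-dsa>` annotations for sun-java5 and sun-java6, leaves the entry with only a NOTE pointing at a free-form file, so the per-package and per-suite state that the tracker reads from this list is no longer recorded here. Suggest keeping the package lines (the two TODO lines can go) and using the separate file only for the additional notes. The `{DSA-1934-1}` reference also stays on the CVE line while the package that DSA covers, apache2, was never listed in this entry before or after the change, so the DSA now points at no package in the list.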
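Review bot: In the new data/CVE-2009-3555 file, "will be send by Florian" should read "will be sent by Florian". More substantively, the library list gives a status only for openssl; openssl097, gnutls26, gnutls13, nss, xyssl, polarssl, matrixssl, pike7.6, classpath, the gcj-4.x packages, zorp, openjdk-6, sun-java5 and sun-java6 all lose the `<unfixed>`/`<removed>` markers they had in data/CVE/list and now carry no status at all, so it is not possible to tell an unfixed library from an unchecked one. Mark each entry, and for apache2 say what "only partial fix" leaves open, since the entry gives no indication of what remains to be done after 2.2.14-2.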