Author: geissert
Date: 2009-11-28 19:05:53 +0000 (Sat, 28 Nov 2009)
New Revision: 13394
Modified:
data/CVE/list
data/DSA/list
Log:
php-mail got a second CVE, two rails issues
Modified: data/CVE/list
==================================================================---
data/CVE/list 2009-11-27 18:26:46 UTC (rev 13393)
+++ data/CVE/list 2009-11-28 19:05:53 UTC (rev 13394)
@@ -1,3 +1,11 @@
+CVE-2009-XXXX [rails insufficient escaping XSS]
+ - rails <unfixed> (low)
+ TODO: check
+ NOTE:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
+CVE-2008-XXXX [rails CSRF]
+ - rails <unfixed>
+ TODO: check
+ NOTE:
http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
CVE-2009-4073 (The printing functionality in Microsoft Internet Explorer 8
allows ...)
TODO: check
CVE-2009-4072 (Unspecified vulnerability in Opera before 10.10 has unknown
impact and ...)
@@ -117,6 +125,12 @@
NOTE: http://pear.php.net/advisory20091114-01.txt
NOTE: the fix by upstream should be double checked,
NOTE: escapeshellcmd might not be the most appropriate function either
+CVE-2009-4111 [command injection in the Mail pear module - $recipients part]
+ RESERVED
+ {DSA-1938-1}
+ - php-mail 1.1.14-2 (medium; bug #557121)
+ [lenny] - php-mail 1.1.14-1+lenny1
+ [etch] - php-mail 1.1.6-2+etch1
CVE-2009-4023 [command injection in the Mail pear module]
RESERVED
{DSA-1938-1}
Modified: data/DSA/list
==================================================================---
data/DSA/list 2009-11-27 18:26:46 UTC (rev 13393)
+++ data/DSA/list 2009-11-28 19:05:53 UTC (rev 13394)
@@ -10,7 +10,7 @@
[etch] - libvorbis 1.1.2.dfsg-1.4+etch1
[lenny] - libvorbis 1.2.0.dfsg-3.1+lenny1
[23 Nov 2009] DSA-1938-1 php-mail - insufficient input sanitising
- {CVE-2009-4023}
+ {CVE-2009-4023 CVE-2009-4111}
[etch] - php-mail 1.1.6-2+etch1
[lenny] - php-mail 1.1.14-1+lenny1
[21 Nov 2009] DSA-1937-1 gforge - cross-site scripting