Author: derevko-guest Date: 2009-12-21 22:09:22 +0000 (Mon, 21 Dec 2009) New Revision: 13620 Modified: data/CVE/list data/spu-candidates.txt Log: CVE-2009-4079 and CVE-2009-4078 fixed in redmine 0.9.0~svn2902-1 CVE-2009-3701 fixed in horde3 3.3.6+debian0-1 jbossas4 issues Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-12-21 21:14:18 UTC (rev 13619) +++ data/CVE/list 2009-12-21 22:09:22 UTC (rev 13620) @@ -748,11 +748,9 @@ CVE-2009-4080 (Multiple unspecified vulnerabilities in ldap_cachemgr (aka the LDAP ...) NOT-FOR-US: ldap_cachemgr in Sun Solaris CVE-2009-4079 (Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and ...) - - redmine <unfixed> - TODO: check + - redmine 0.9.0~svn2902-1 CVE-2009-4078 (Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 ...) - - redmine <unfixed> - TODO: check + - redmine 0.9.0~svn2902-1 CVE-2009-4077 (Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail ...) - roundcube 0.3-1 CVE-2009-4076 (Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail ...) @@ -1894,8 +1892,10 @@ RESERVED CVE-2009-3701 [horde XSS via PHP_SELF] RESERVED - - horde3 <unfixed> - TODO: check + - horde3 3.3.6+debian0-1 (low) + [lenny] - horde3 <no-dsa> (minor issue) + [etch] - horde3 <no-dsa> (minor issue) + NOTE: In order to successfully exploit this vulnerability the targeted user has to be logged as an administrator. CVE-2009-3700 (Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote ...) - squidguard <unfixed> (low; bug #553319) CVE-2009-3699 (Stack-based buffer overflow in libcsa.a (aka the calendar daemon ...) 
@@ -2375,7 +2375,8 @@ {DSA-1934-1} NOTE: See separate CVE-2009-3555 file in SVN CVE-2009-3554 (Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss ...) - TODO: check + - jbossas4 <unfixed> (bug #562000) + [lenny] - jbossas4 <no-dsa> (Contrib not supported) CVE-2009-3553 (Use-after-free vulnerability in the abstract file-descriptor handling ...) - cups 1.4.2-4 (low; bug #557740) - cupsys <not-affected> (vulnerable code introduced in 1.3.x) @@ -6304,7 +6305,8 @@ [etch] - linux-2.6 <not-affected> (ecryptfs not yet present) - linux-2.6.24 <removed> CVE-2009-2405 (Multiple cross-site scripting (XSS) vulnerabilities in the Web Console ...) - TODO: check + - jbossas4 <unfixed> (bug #562000) + [lenny] - jbossas4 <no-dsa> (Contrib not supported) CVE-2009-2404 (Heap-based buffer overflow in a regular-expression parser in Mozilla ...) {DSA-1874-1} - nss 3.12.3-1 (low; bug #539934) @@ -9084,7 +9086,8 @@ {DSA-1802-2} - squirrelmail 2:1.4.19-1 CVE-2009-1380 (Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in ...) - TODO: check + - jbossas4 <unfixed> (bug #562000) + [lenny] - jbossas4 <no-dsa> (Contrib not supported) CVE-2009-1379 (Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment ...) - openssl 0.9.8k-1 (low; bug #530400) [lenny] - openssl 0.9.8g-15+lenny3 @@ -15132,7 +15135,7 @@ - linux-2.6 2.6.29-1 - linux-2.6.24 <removed> CVE-2009-0027 (The request handler in JBossWS in JBoss Enterprise Application ...) - - jbossas4 <unfixed> + - jbossas4 <unfixed> (bug #562000) [lenny] - jbossas4 <no-dsa> (Contrib not supported) CVE-2009-0026 (Multiple cross-site scripting (XSS) vulnerabilities in Apache ...) NOT-FOR-US: Apache Jackrabbit Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2009-12-21 21:14:18 UTC (rev 13619) +++ data/spu-candidates.txt 2009-12-21 22:09:22 UTC (rev 13620) 
@@ -119,6 +119,10 @@ -- +horde3 (CVE-2009-3701) + +-- + htmldoc (CVE-2009-3050) #537637 notified maintainer through initial bugreport
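Review bot: on the @@ -748 hunk, the two redmine lines go from `<unfixed>` / `TODO: check` to `0.9.0~svn2902-1` with nothing recording what was checked; a `NOTE:` naming the upstream revision that closes the CSRF and XSS issues, plus a severity tag and bug reference in the style used elsewhere in this file (e.g. `- squidguard <unfixed> (low; bug #553319)`), would let the next triager verify the fix without redoing the search.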
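Review bot: in the @@ -1894 hunk the new `NOTE:` reads "has to be logged as an administrator"; it should say "logged in as an administrator". Since CVE-2009-3701 is still RESERVED and that NOTE is the only description in the file, it is also worth stating there that the XSS is via PHP_SELF (as the bracketed title says) so the `(low)` / `(minor issue)` rating is self-explanatory.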
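Review bot: in the @@ -2375 hunk the new `- jbossas4 <unfixed> (bug #562000)` line has no severity tag, unlike the cups entry just below it (`- cups 1.4.2-4 (low; bug #557740)`); add one so the `[lenny] <no-dsa> (Contrib not supported)` rationale is read alongside an actual rating. The same bug #562000 is reused in this commit for CVE-2009-2405, CVE-2009-1380 and CVE-2009-0027, so a `NOTE:` saying that one bug tracks all four JBoss issues would save a lookup.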
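Review bot: the new `horde3 (CVE-2009-3701)` entry in data/spu-candidates.txt carries no bug number or status, while the htmldoc entry immediately below it records `#537637 notified maintainer through initial bugreport`; add the bug reference (if one was filed) and whether the maintainer has been asked for a lenny update, since the CVE/list hunk marks lenny as `<no-dsa> (minor issue)`, which is exactly the case a stable point update is meant to cover.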