Author: derevko-guest Date: 2009-12-26 18:24:10 +0000 (Sat, 26 Dec 2009) New Revision: 13658 Modified: data/CVE/list Log: - NFUs - CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in libphp-jpgraph - CVE-2009-4412: Unrestricted file upload vulnerability in Serendipity - CVE-2009-4405: fixed in trac 0.11.6-1 - CVE-2009-4404: fixed in t-prot 2.8-1 - sql-ledger issues - wireshark issues fixed in 1.2.5-1 - CVE-2009-4270: Stack-based buffer overflow in ghostscript) Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-12-26 15:56:47 UTC (rev 13657) +++ data/CVE/list 2009-12-26 18:24:10 UTC (rev 13658) @@ -1,13 +1,13 @@ CVE-2009-4423 (SQL injection vulnerability in index.php in weenCompany 4.0.0 allows ...) - TODO: check + NOT-FOR-US: weenCompany CVE-2009-4422 (Multiple cross-site scripting (XSS) vulnerabilities in the ...) - TODO: check + - libphp-jpgraph <unfixed> (low; bug #562633) CVE-2009-4421 (Directory traversal vulnerability in languages_cgi.php in Simple PHP ...) - TODO: check + NOT-FOR-US: Simple PHP Blog CVE-2009-4420 (Buffer overflow in the bd daemon in F5 Networks BIG-IP Application ...) TODO: check CVE-2009-4419 (Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets in the ...) - TODO: check + NOT-FOR-US: Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets CVE-2009-4418 (The unserialize function in PHP 5.3.0 and earlier allows ...) - php5 <unfixed> (low) CVE-2009-4417 (The shutdown function in the Zend_Log_Writer_Mail class in Zend ...) 
@@ -21,29 +21,26 @@ CVE-2009-4414 (SQL injection vulnerability in phpgwapi /inc/class.auth_sql.inc.php in ...) - phpgroupware 1:0.9.16.012+dfsg-9 CVE-2009-4412 (Unrestricted file upload vulnerability in Serendipity before 1.5 ...) - - serendipity <unfixed> - TODO: check + - serendipity <unfixed> (low; bug #562634) CVE-2009-4411 (The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when ...) - - acl <unfixed> (bug #499076) + - acl <unfixed> (low; bug #499076) [etch] - acl <not-affected> (Vulnerable code not present) - TODO: check CVE-2009-4409 (The (1) CHAP and (2) MS-CHAP-V2 authentication capabilities in the PPP ...) - TODO: check + NOT-FOR-US: Internet Initiative Japan SEIL/B1 firmware CVE-2009-4408 (Multiple cross-site scripting (XSS) vulnerabilities in models.parser ...) - TODO: check + NOT-FOR-US: PyForum CVE-2009-4407 (Multiple cross-site request forgery (CSRF) vulnerabilities in PyForum ...) - TODO: check + NOT-FOR-US: PyForum CVE-2009-4406 (Cross-site scripting (XSS) vulnerability in Forms/login1 in American ...) - TODO: check + NOT-FOR-US: APC Switched Rack PDU AP7932 B2 CVE-2009-4405 (Multiple unspecified vulnerabilities in Trac before 0.11.6 have ...) - - trac <unfixed> - TODO: check + - trac 0.11.6-1 CVE-2009-4404 (Unspecified vulnerability in t-prot (TOFU Protection) before 2.8 ...) - TODO: check + - t-prot 2.8-1 CVE-2009-4403 (Cross-site scripting (XSS) vulnerability in index.php in Rumba XML 1.8 ...) - TODO: check + NOT-FOR-US: Rumba XML CVE-2009-4402 (The default configuration of SQL-Ledger 2.8.24 allows remote attackers ...) - TODO: check + - sql-ledger <unfixed> (bug #562639) CVE-2009-4410 (The fuse_ioctl_copy_user function in the ioctl handler in ...) - linux-2.6 2.6.32-1 (low) [etch] - linux-2.6 <not-affected> (vulnerable code introduced in 2.6.29) 
@@ -156,11 +153,11 @@ CVE-2010-0066 RESERVED CVE-2009-4378 (The IPMI dissector in Wireshark 1.2.0 through 1.2.4, when running on ...) - TODO: check + - wireshark 1.2.5-1 CVE-2009-4377 (The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 ...) - TODO: check + - wireshark 1.2.5-1 CVE-2009-4376 (Buffer overflow in the daintree_sna_read function in the Daintree SNA ...) - TODO: check + - wireshark 1.2.5-1 CVE-2009-4375 (SQL injection vulnerability in repository/repository_attachment.php in ...) NOT-FOR-US: AlienVault Open Source Security Information Management CVE-2009-4374 (Directory traversal vulnerability in ...) @@ -523,7 +520,7 @@ CVE-2009-4271 RESERVED CVE-2009-4270 (Stack-based buffer overflow in the errprintf function in base/gsmisc.c ...) - TODO: check + - ghostscript <unfixed> (medium; bug #562643) CVE-2009-4269 RESERVED CVE-2009-4268 @@ -879,7 +876,7 @@ [etch] - linux-2.6 <not-affected> (ohci introduced in 2.6.22) - linux-2.6.24 <removed> (medium) CVE-2009-4137 (The loadContentFromCookie function in core/Cookie.php in Piwik before ...) - TODO: check + NOT-FOR-US: Piwik CVE-2009-4136 (PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before ...) - postgresql-7.4 <removed> - postgresql-8.1 <removed> 
@@ -2481,15 +2478,15 @@ - request-tracker3.4 <removed> - request-tracker3.6 3.6.9-2 (low) CVE-2009-3584 (SQL-Ledger 2.8.24 does not set the secure flag for the session cookie ...) - TODO: check + - sql-ledger <unfixed> (bug #562639) CVE-2009-3583 (Directory traversal vulnerability in the Preferences menu item in ...) - TODO: check + - sql-ledger <unfixed> (bug #562639) CVE-2009-3582 (Multiple SQL injection vulnerabilities in the delete subroutine in ...) - TODO: check + - sql-ledger <unfixed> (bug #562639) CVE-2009-3581 (Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger ...) - TODO: check + - sql-ledger <unfixed> (bug #562639) CVE-2009-3580 (Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger ...) - TODO: check + - sql-ledger <unfixed> (bug #562639) CVE-2009-3578 (Autodesk Maya 8.0, 8.5, 2008, 2009, and 2010 and Alias Wavefront Maya ...) NOT-FOR-US: Autodesk Maya CVE-2009-3577 (Autodesk 3D Studio Max (3DSMax) 6 through 9 and 2008 through 2010 ...)
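Review bot: In the @@ -1,13 +1,13 @@ hunk, CVE-2009-4420 (buffer overflow in the bd daemon of F5 Networks BIG-IP) is the only entry still left at "TODO: check" while the neighbouring vendor-product entries (weenCompany, Simple PHP Blog, the Intel chipsets) were resolved to NOT-FOR-US in the same pass; BIG-IP is a vendor appliance with no Debian package, so it should get the same `NOT-FOR-US: F5 Networks BIG-IP` marking, or the TODO should say why it is being deferred.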
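Review bot: In the @@ -21,29 +21,26 @@ hunk, rating CVE-2009-4412 (unrestricted file upload in Serendipity before 1.5) as `low` needs a stated reason in the entry, because an unrestricted upload into a web-served directory is normally treated as a code-execution vector and this same commit rates the ghostscript overflow only `medium`; if the rating rests on the upload requiring an authenticated account or on the upload directory not executing scripts, put that in the parenthesis next to `bug #562634`. The new `- sql-ledger <unfixed> (bug #562639)` line for CVE-2009-4402 in this hunk carries no severity at all, unlike every other package line touched here.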
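Review bot: In the @@ -156,11 +153,11 @@ hunk the three wireshark entries get a bare `- wireshark 1.2.5-1` with no suite annotations, but their affected ranges differ: CVE-2009-4378 (IPMI dissector) is described as affecting 1.2.0 through 1.2.4 only, whereas CVE-2009-4377 (SMB/SMB2 dissectors) covers 0.9.0 through 1.2.4. Without [etch]/[lenny] lines the tracker treats every older version as vulnerable, so the IPMI entry should get a `[lenny] - wireshark <not-affected> (Vulnerable code not present)` style annotation for any stable suite shipping a pre-1.2 version (matching the form used for acl in this commit), and the SMB/SMB2 and daintree_sna entries need an explicit decision recorded for the stable suites rather than an implicit "vulnerable".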
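Review bot: In the @@ -523,7 +520,7 @@ hunk, CVE-2009-4270 (stack-based buffer overflow in errprintf in base/gsmisc.c) is recorded as `ghostscript <unfixed> (medium; bug #562643)` with no suite annotations. Since ghostscript renders untrusted PostScript/PDF input and this is a memory-corruption bug, the entry should record whether the stable suites' ghostscript versions contain the affected errprintf code (adding `[etch]`/`[lenny] - ghostscript <not-affected>` lines if they do not), so that the need for a DSA is visible in the entry rather than left implicit by the missing annotations.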
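Review bot: In the @@ -2481,15 +2478,15 @@ hunk all five SQL-Ledger entries (CVE-2009-3580 through CVE-2009-3584) receive the identical `- sql-ledger <unfixed> (bug #562639)` with no severity, yet they range from a missing secure flag on the session cookie (CVE-2009-3584) to multiple SQL injections (CVE-2009-3582), a directory traversal (CVE-2009-3583), XSS (CVE-2009-3581) and CSRF (CVE-2009-3580); each should carry its own rating in the parenthesis, as the other package lines in this commit do, and the shared bug #562639 should list all six CVE ids (including CVE-2009-4402 from the @@ -21,29 +21,26 @@ hunk) so the per-CVE fix status can be tracked when the maintainer closes it.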