Author: nion
Date: 2010-01-14 12:43:10 +0000 (Thu, 14 Jan 2010)
New Revision: 13814
Modified:
data/CVE/list
Log:
- NFUs
- CVE-2010-0220 (xulrunner) non-issue
- CVE-2009-4592/CVE-2009-4591 fix validated, CVE-2009-4590 needs more fixing
- CVE-2009-4587 non issue on unix systems
- new mysqld issue (CVE-2009-4484)
- cveified viewvc, CVE-2009-361{8,9} fixed in viewvc 1.0.9-1
Modified: data/CVE/list
==================================================================---
data/CVE/list 2010-01-14 10:59:45 UTC (rev 13813)
+++ data/CVE/list 2010-01-14 12:43:10 UTC (rev 13814)
@@ -73,7 +73,7 @@
CVE-2009-4603 (Unspecified vulnerability in sapstartsrv.exe in the SAP Kernel
6.40, ...)
NOT-FOR-US: SAP Kernel
CVE-2009-4602 (Cross-site scripting (XSS) vulnerability in the Randomizer
module 5.x ...)
- TODO: check
+ NOT-FOR-US: Randomizer module for Drupal
CVE-2009-4601 (Cross-site scripting (XSS) vulnerability in
basic_search_result.php in ...)
NOT-FOR-US: ZeeJobsite
CVE-2009-4600 (SQL injection vulnerability in realestate20/loginaction.php in
NetArt ...)
@@ -83,11 +83,11 @@
CVE-2009-4598 (SQL injection vulnerability in the JPhoto (com_jphoto) component
1.0 ...)
NOT-FOR-US: Joomla
CVE-2009-4597 (Multiple SQL injection vulnerabilities in index.php in PHP
Inventory ...)
- TODO: check
+ NOT-FOR-US: PHP Inventory
CVE-2009-4596 (Cross-site scripting (XSS) vulnerability in index.php in PHP
Inventory ...)
- TODO: check
+ NOT-FOR-US: PHP Inventory
CVE-2009-4595 (SQL injection vulnerability in index.php in PHP Inventory 1.2
allows ...)
- TODO: check
+ NOT-FOR-US: PHP Inventory
CVE-2010-0277 (slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4
and ...)
- pidgin <unfixed>
TODO: check
@@ -98,11 +98,11 @@
CVE-2010-0274 (Unspecified vulnerability in the Edit Contact scene in
Ultra-light ...)
NOT-FOR-US: IBM Lotus iNotes
CVE-2010-0273 (Unspecified vulnerability in Sun Java System Web Server 7.0
Update 6 ...)
- TODO: check
+ NOT-FOR-US: Sun Java System Web Server
CVE-2010-0272 (Heap-based buffer overflow in Sun Java System Web Server 7.0
Update 6 ...)
- TODO: check
+ NOT-FOR-US: Sun Java System Web Server
CVE-2010-0271 (hald in Sun OpenSolaris snv_51 through snv_130 does not have the
...)
- TODO: check
+ NOT-FOR-US: hald in Sun OpenSolaris
CVE-2010-0270
RESERVED
CVE-2010-0269
@@ -204,7 +204,8 @@
CVE-2010-0221 (Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure
Privacy ...)
NOT-FOR-US: Kingston USB flash drives
CVE-2010-0220 (The nsObserverList::FillObserverArray function in ...)
- TODO: check
+ - xulrunner <unfixed> (unimportant)
+ NOTE: browser DoS not treated as security issue
CVE-2009-4605 [phpMyAdmin 2.11.10 unserialize fix]
RESERVED
- phpmyadmin 4:3.2.4-1
@@ -216,18 +217,19 @@
NOT-FOR-US: Bftpd
CVE-2009-4592 (Unspecified vulnerability in base_local_rules.php in Basic
Analysis ...)
- acidbase 1.4.4-1
- TODO: check
CVE-2009-4591 (SQL injection vulnerability in Basic Analysis and Security
Engine ...)
- acidbase 1.4.4-1
- TODO: check
CVE-2009-4590 (Cross-site scripting (XSS) vulnerability in base_local_rules.php
in ...)
- - acidbase 1.4.4-1
- TODO: check
+ - acidbase <unfixed>
+ NOTE: 1.4.5 fixed more XSS issues in this file
+ TODO: report bug
CVE-2009-4588 (Heap-based buffer overflow in the WindsPlayerIE.View.1 ActiveX
control ...)
NOT-FOR-US: AwingSoft Awakening
CVE-2009-4587 (Cherokee Web Server 0.5.4 allows remote attackers to cause a
denial of ...)
- TODO: check
- NOTE: looks like a windows-specific issue
+ - cherokee <undetermined> (unimportant)
+ NOTE: this only works on windows and dos as you are not allowed
+ NOTE: to use a file name with AUX and any or no extension as this is a
+ NOTE: reserved device name. cherokee was lacking error handling...
CVE-2009-4586 (Multiple cross-site scripting (XSS) vulnerabilities in
index.html in ...)
NOT-FOR-US: Wowd client
CVE-2010-0219
@@ -717,12 +719,13 @@
[lenny] - nginx <no-dsa> (issue not really specific to the httpd)
NOTE: http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
CVE-2009-4486 (Stack-based buffer overflow in the eDirectory plugin in Novell
...)
- TODO: check
+ NOT-FOR-US: iManager
CVE-2009-4485
RESERVED
CVE-2009-4484 (Buffer overflow in the server in MySQL 5.0.51a on Linux allows
remote ...)
- - mysql-dfsg-5.0 <removed>
- TODO: check
+ - mysql-dfsg-5.0 <removed> (medium)
+ - mysql-dfsg-5.1 <unfixed> (medium)
+ NOTE: maintainer working on updates
CVE-2009-4483 (Unspecified vulnerability in LDAP3A.exe in MailSite 8.0.4 allows
...)
NOT-FOR-US: MailSite
CVE-2009-4482 (Buffer overflow in MediaServer.exe in TVersity 1.6 allows remote
...)
@@ -995,35 +998,35 @@
CVE-2010-0081
RESERVED
CVE-2010-0080 (Unspecified vulnerability in the PeopleSoft Enterprise HCM -
eProfile ...)
- TODO: check
+ NOT-FOR-US: PeopleSoft Enterprise HCM
CVE-2010-0079 (Multiple vulnerabilities in the JRockit component in BEA Product
Suite ...)
- TODO: check
+ NOT-FOR-US: BEA Product Suite
CVE-2010-0078 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
- TODO: check
+ NOT-FOR-US: BEA Product Suite
CVE-2010-0077 (Unspecified vulnerability in the CRM Technical Foundation
(mobile) ...)
- TODO: check
+ NOT-FOR-US: Oracle E-Business Suite
CVE-2010-0076 (Unspecified vulnerability in the Application Express Application
...)
- TODO: check
+ NOT-FOR-US: Oracle Database
CVE-2010-0075 (Unspecified vulnerability in the Oracle HRMS (Self Service)
component ...)
- TODO: check
+ NOT-FOR-US: Oracle E-Business Suite
CVE-2010-0074 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
- TODO: check
+ NOT-FOR-US: BEA Product Suite
CVE-2010-0073
RESERVED
CVE-2010-0072 (Unspecified vulnerability in the Oracle Secure Backup component
in ...)
- TODO: check
+ NOT-FOR-US: Oracle Secure Backup
CVE-2010-0071 (Unspecified vulnerability in the Listener component in Oracle
Database ...)
- TODO: check
+ NOT-FOR-US: Oracle Database
CVE-2010-0070 (Unspecified vulnerability in the Oracle Containers for J2EE
component ...)
- TODO: check
+ NOT-FOR-US: Oracle Application Server
CVE-2010-0069 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
- TODO: check
+ NOT-FOR-US: BEA Product Suite
CVE-2010-0068 (Unspecified vulnerability in the WebLogic Server component in
BEA ...)
- TODO: check
+ NOT-FOR-US: BEA Product Suite
CVE-2010-0067 (Unspecified vulnerability in the Oracle Containers for J2EE
component ...)
- TODO: check
+ NOT-FOR-US: Oracle Application Server
CVE-2010-0066 (Unspecified vulnerability in the Access Manager Identity Server
...)
- TODO: check
+ NOT-FOR-US: Oracle Application Server
CVE-2009-4378 (The IPMI dissector in Wireshark 1.2.0 through 1.2.4, when
running on ...)
- wireshark <not-affected> (Windows-specific)
CVE-2009-4377 (The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through
1.2.4 ...)
@@ -3289,9 +3292,9 @@
- linux-2.6 2.6.32-1 (medium)
- linux-2.6.24 <removed> (medium)
CVE-2009-3619 (Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1
before ...)
- - viewvc <unfixed> (low; bug #560903)
+ - viewvc 1.0.9-1 (low; bug #545779; bug #560903)
CVE-2009-3618 (Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC
1.0 ...)
- - viewvc <unfixed> (low; bug #560903)
+ - viewvc 1.0.9-1 (low; bug #545779; bug #560903)
CVE-2009-3617 (Format string vulnerability in the AbstractCommand::onAbort
function ...)
- aria2 1.6.2-1 (low)
[lenny] - aria2 <not-affected> (Vulnerable code not present)
@@ -4955,9 +4958,6 @@
NOT-FOR-US: Diigo Toolbar and Diigolet
CVE-2008-7183 (PHP remote file inclusion vulnerability in eva/index.php in EVA
CMS ...)
NOT-FOR-US: EVA CMS
-CVE-2009-XXXX [viewvc: XSS and illegal characters while printing name-value
pairs]
- - viewvc 1.0.9-1 (low; bug #545779)
- NOTE: CVE id has been requested, fixed in 1.1.2
CVE-2009-3082 (SQL injection vulnerability in wcategory.php in Snow Hall
Silurus ...)
NOT-FOR-US: Snow Hall Silurus System
CVE-2009-3081 (SQL injection vulnerability in index.php in Uiga Church Portal
allows ...)