Author: gilbert-guest Date: 2010-02-23 03:23:19 +0000 (Tue, 23 Feb 2010) New Revision: 14140 Modified: data/CVE/list Log: webkit triage Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-02-23 00:58:48 UTC (rev 14139) +++ data/CVE/list 2010-02-23 03:23:19 UTC (rev 14140) @@ -3525,11 +3525,7 @@ - chromium-browser <itp> (low; bug #520324) CVE-2009-3932 (The Gears plugin in Google Chrome before 3.0.195.32 allows ...) - chromium-browser <itp> (low; bug #520324) - - webkit <unfixed> (low; bug #560905) - - qt4-x11 <undetermined> (bug #561760) - [etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4) - - kdelibs <undetermined> (bug #561765) - - kde4libs <undetermined> (bug #561762) + NOTE: gears is only implemented in chromium CVE-2009-3931 (Incomplete blacklist vulnerability in browser/download/download_exe.cc ...) - chromium-browser <itp> (low; bug #520324) CVE-2009-3930 (Multiple integer overflows in Christos Zoulas file before 5.02 allow ...) @@ -7127,7 +7123,8 @@ CVE-2009-2842 (Apple Safari before 4.0.4 does not properly implement certain (1) Open ...) NOT-FOR-US: Apple Safari CVE-2009-2841 (WebKit in Apple Safari before 4.0.4 on Mac OS X does not perform the ...) - - webkit <undetermined> (medium; bug #559759) + - webkit 1.1.21-1 (medium; bug #559759) + NOTE: http://trac.webkit.org/changeset/49480 - qt4-x11 <undetermined> (bug #561760) [etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4) - kdelibs <not-affected> (No support for HTML5 video tags) @@ -7185,8 +7182,9 @@ CVE-2009-2817 (Buffer overflow in Apple iTunes before 9.0.1 allows remote attackers ...) NOT-FOR-US: Apple iTunes CVE-2009-2816 (The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, ...) - - webkit <unfixed> (medium; bug #559759) + - webkit 1.1.21-1 (medium; bug #559759) [lenny] - webkit <not-affected> (vulnerable code not present) + NOTE: http://trac.webkit.org/changeset/47494 CVE-2009-2815 (The Telephony component in Apple iPhone OS before 3.1 does not ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2814 (Cross-site scripting (XSS) vulnerability in the Wiki Server in Apple ...) @@ -7228,8 +7226,8 @@ CVE-2009-2798 (Heap-based buffer overflow in Apple QuickTime before 7.6.4 allows ...) NOT-FOR-US: Apple QuickTime CVE-2009-2797 (The WebKit component in Safari in Apple iPhone OS before 3.1, and ...) - - webkit <unfixed> (medium; bug #559759) - TODO: someone needs to gain membership to the webkit security list so we can actually check these issues + - webkit 1.1.21-1 (medium; bug #559759) + NOTE: http://trac.webkit.org/changeset/42483 CVE-2009-2796 (The UIKit component in Apple iPhone OS 3.0, and iPhone OS 3.0.1 for ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2795 (Heap-based buffer overflow in the Recovery Mode component in Apple ...) @@ -20976,8 +20974,7 @@ CVE-2008-4232 (Safari in Apple iPhone OS 2.0 through 2.1 and iPhone OS for iPod touch ...) NOT-FOR-US: Safari CVE-2008-4231 (Safari in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch ...) - - webkit <unfixed> (medium; bug #535793) - TODO: work with upstream to determine affected/not-affected webkit versions + NOT-FOR-US: Apple CVE-2008-4230 (The Passcode Lock feature in Apple iPhone OS 1.0 through 2.1 and ...) NOT-FOR-US: Apple CVE-2008-4229 (Race condition in the Passcode Lock feature in Apple iPhone OS 2.0 ...) @@ -25674,8 +25671,9 @@ CVE-2008-2321 (Unspecified vulnerability in CoreGraphics in Apple Mac OS X 10.4.11 ...) NOT-FOR-US: Apple Mac OS X CVE-2008-2320 (Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11 ...) - - webkit <unfixed> (medium; bug #535793) - TODO: work with upstream to determine affected/not-affected webkit versions + NOT-FOR-US: Apple Mac OS X + NOTE: the original apple advisory (HT3613) is completely different from the current CVE + NOTE: description. it claims that this is a webkit issue, which is completely wrong CVE-2008-2319 RESERVED CVE-2008-2318 (The WOHyperlink implementation in WebObjects in Apple Xcode tools ...)