Author: gilbert-guest Date: 2010-05-11 03:19:19 +0000 (Tue, 11 May 2010) New Revision: 14668 Modified: data/CVE/list Log: NFUs and various new issues Modified: data/CVE/list ==================================================================--- data/CVE/list 2010-05-10 23:33:03 UTC (rev 14667) +++ data/CVE/list 2010-05-11 03:19:19 UTC (rev 14668) @@ -263,19 +263,20 @@ CVE-2010-1724 (Multiple cross-site scripting (XSS) vulnerabilities in Zikula ...) NOT-FOR-US: Zikula Application Framework CVE-2009-4841 (Heap-based buffer overflow in the SonicMediaPlayer ActiveX control in ...) - TODO: check + NOT-FOR-US: Roxio CinePlayer CVE-2009-4840 (Heap-based buffer overflow in the IAManager ActiveX control in ...) - TODO: check + NOT-FOR-US: Roxio CinePlayer CVE-2009-4839 (Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis ...) - TODO: check + NOT-FOR-US: Basic Analysis Security Engine (BASE) CVE-2009-4838 (SQL injection vulnerability in base_ag_common.php in Basic Analysis ...) - TODO: check + NOT-FOR-US: Basic Analysis Security Engine (BASE) CVE-2009-4837 (Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis ...) - TODO: check + NOT-FOR-US: Basic Analysis and Security Engine (BASE) CVE-2009-4836 (Eval injection vulnerability in system/services/init.php in Movie PHP ...) - TODO: check + NOT-FOR-US: Movie PHP Script CVE-2009-4835 (The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, ...) - TODO: check + - libsndfile <unfixed> (unimportant; bug #530831) + NOTE: application crash only, so not security-relevant CVE-2010-1723 (Directory traversal vulnerability in the iNetLanka Contact Us Draw ...) NOT-FOR-US: com_drawroot component for joomla! CVE-2010-1722 (Directory traversal vulnerability in the Online Market (com_market) ...) @@ -301,7 +302,7 @@ CVE-2010-1712 (Multiple cross-site scripting (XSS) vulnerabilities in ...) NOT-FOR-US: Webmobo WB News CVE-2010-1711 (Cross-site scripting (XSS) vulnerability in carga_foto_al.php in ...) - TODO: check + NOT-FOR-US: Siestta CVE-2010-1710 (Directory traversal vulnerability in login.php in Siestta 2.0, when ...) NOT-FOR-US: Siestta CVE-2010-1709 (Multiple cross-site scripting (XSS) vulnerabilities in upload.cgi in ...) @@ -396,8 +397,10 @@ - chromium-browser <undetermined> TODO: check CVE-2010-1664 (Google Chrome before 4.1.249.1064 does not properly handle HTML5 ...) + - chromium-browser <undetermined> TODO: check CVE-2010-1663 (The Google URL Parsing Library (aka google-url or GURL) in Google ...) + - chromium-browser <undetermined> TODO: check CVE-2010-1662 (Cross-site scripting (XSS) vulnerability in acpmoderate.php in ...) NOT-FOR-US: PHP-Quick-Arcade @@ -567,15 +570,16 @@ CVE-2010-1588 (SQL injection vulnerability in the Getwebsess function in ...) NOT-FOR-US: Rocksalt International VP-ASP Shopping Cart CVE-2010-1587 (The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and ...) - TODO: check + NOT-FOR-US: Apache ActiveMQ CVE-2010-1586 (Open redirect vulnerability in red2301.html in HP System Management ...) NOT-FOR-US: HP System Management Homepage CVE-2010-1585 (The nsIScriptableUnescapeHTML.parseFragment method in Mozilla Firefox ...) + - xulrunner <undetermined> TODO: check CVE-2010-1584 RESERVED CVE-2010-1583 (SQL injection vulnerability in the loadByKey function in the ...) - TODO: check + NOT-FOR-US: Tirzen Framework CVE-2010-1582 RESERVED CVE-2010-1581 @@ -635,7 +639,8 @@ CVE-2009-4825 (8pixel.net Blog 4 stores sensitive information under the web root with ...) NOT-FOR-US: 8pixel.net Blog CVE-2009-4824 (Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab ...) - TODO: check + - kolab-webclient <undetermined> + NOTE: package only in experimental; claimed fixed in version 20091202, but not enough info to check CVE-2009-4823 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: cPanel CVE-2009-4822 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...) @@ -818,6 +823,7 @@ CVE-2010-1491 (Directory traversal vulnerability in the MMS Blog (com_mmsblog) ...) NOT-FOR-US: com_mmsblog component for joomla! CVE-2009-4810 (The Secure Remote Password (SRP) implementation in Samhain before ...) + - samhain <undetermined> TODO: check CVE-2009-4809 (Directory traversal vulnerability in thumbnail.ghp in Easy File ...) NOT-FOR-US: Easy File Sharing Web Server @@ -1053,7 +1059,7 @@ CVE-2010-1439 RESERVED CVE-2010-1438 (Web Application Finger Printer (WAFP) 0.01-26c3 uses fixed pathnames ...) - TODO: check + - wafp <itp> (bug #562949) CVE-2010-1437 [keyring issue] RESERVED - linux-2.6 <unfixed> @@ -1071,8 +1077,10 @@ CVE-2010-1430 RESERVED CVE-2010-1429 (Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) ...) + - jbossas4 <undetermined> TODO: check CVE-2010-1428 (The Web Console (aka web-console) in JBossAs in Red Hat JBoss ...) + - jbossas4 <undetermined> TODO: check CVE-2010-1427 (Cross-site scripting (XSS) vulnerability in the SearchHighlight plugin ...) NOT-FOR-US: MODx Evolution @@ -1396,7 +1404,7 @@ CVE-2010-1280 RESERVED CVE-2010-1279 (Multiple unspecified vulnerabilities in Adobe Photoshop CS4 11.x ...) - TODO: check + NOT-FOR-US: Adobe Photoshop CVE-2010-1278 (Buffer overflow in the Atlcom.get_atlcom ActiveX control in gp.ocx in ...) NOT-FOR-US: Adobe Download Manager CVE-2010-1277 (SQL injection vulnerability in the user.authenticate method in the API ...) @@ -1739,8 +1747,10 @@ [lenny] - nano <no-dsa> (minor issue) NOTE: http://www.openwall.com/lists/oss-security/2010/04/14/4 CVE-2010-1158 (Integer overflow in the regular expression engine in Perl 5.8.x allows ...) + - perl <undetermined> TODO: check CVE-2010-1157 (Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might ...) + - tomcat6 <undetermined> TODO: check CVE-2010-1156 (core/nicklist.c in Irssi before 0.8.15 allows remote attackers to ...) - irssi 0.8.15-1 (low) @@ -1841,8 +1851,9 @@ CVE-2010-1127 (Microsoft Internet Explorer 6 and 7 does not initialize certain data ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-1126 (The JavaScript implementation in WebKit allows remote attackers to ...) - TODO: check + - webkit <not-affected> (proof-of-concept not effective; windows-only?) CVE-2010-1125 (The JavaScript implementation in Mozilla Firefox 3.x allows remote ...) + - xulrunner <undetermined> TODO: check CVE-2010-1124 (bos.rte.libc 5.3.9.4 on IBM AIX 5.3 does not properly support reading ...) NOT-FOR-US: IBM AIX @@ -2077,6 +2088,8 @@ CVE-2010-1030 (Unspecified vulnerability in HP-UX B.11.31, with AudFilter rules ...) NOT-FOR-US: HP-UX CVE-2010-1029 (Stack consumption vulnerability in the WebCore::CSSSelector function ...) + - webkit <not-affected> (proof-of-concept not effective) + - chromium-browser <undetermined> TODO: check CVE-2010-1027 (SQL injection vulnerability in the Meet Travelmates (travelmate) ...) NOT-FOR-US: travelmate extension for typo3 @@ -2167,7 +2180,7 @@ CVE-2010-0996 (Unrestricted file upload vulnerability in e107 before 0.7.20 allows ...) NOT-FOR-US: e107 CVE-2010-0995 (Stack-based buffer overflow in Internet Download Manager (IDM) before ...) - TODO: check + NOT-FOR-US: Internet Download Manager CVE-2010-0994 (Multiple buffer overflows in src/vl/vlDAT.cpp in Visualization Library ...) NOT-FOR-US: Visualization Library CVE-2010-0993 (Unrestricted file upload vulnerability in Pulse CMS Basic 1.2.2 and ...) @@ -3418,7 +3431,7 @@ CVE-2010-0595 RESERVED CVE-2010-0594 (Cross-site scripting (XSS) vulnerability in Cisco Router and Security ...) - TODO: check + NOT-FOR-US: Cisco Router and Security Device Manager CVE-2010-0593 (The Cisco RVS4000 4-port Gigabit Security Router before 1.3.2.0, ...) NOT-FOR-US: Cisco RVS4000 Router CVE-2010-0592 (The CTI Manager service in Cisco Unified Communications Manager (aka ...) @@ -3657,6 +3670,8 @@ CVE-2010-0525 (Mail in Apple Mac OS X before 10.6.3 does not properly enforce the key ...) NOT-FOR-US: Apple Mail CVE-2010-0524 (The default configuration of the FreeRADIUS server in Apple Mac OS X ...) + - freeradius <undetermined> + NOTE: very likely os X specific (problem in their default settings), but needs checked TODO: check CVE-2010-0523 (Wiki Server in Apple Mac OS X 10.5.8 does not restrict the file types ...) NOT-FOR-US: Apple Wiki Server @@ -3861,7 +3876,7 @@ - openssl <not-affected> (Kerberos support not enabled) NOTE: http://www.openwall.com/lists/oss-security/2010/03/03/5 CVE-2010-0432 (Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open ...) - TODO: check + NOT-FOR-US: Apache Open For Business Project (OFBiz) CVE-2010-0431 RESERVED CVE-2010-0430 @@ -5003,7 +5018,7 @@ CVE-2010-0102 RESERVED CVE-2010-0101 (The embedded HTTP server in multiple Lexmark laser and inkjet printers ...) - TODO: check + NOT-FOR-US: Lexmark printers and MarkNet devices CVE-2010-0100 RESERVED CVE-2010-0099 @@ -5641,7 +5656,7 @@ CVE-2010-0059 (CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to ...) NOT-FOR-US: Apple CoreAudio CVE-2010-0058 (freshclam in ClamAV in Apple Mac OS X 10.5.8 with Security Update ...) - TODO: check + - clamav <not-affected> (apple-specific configuration issue) CVE-2010-0057 (AFP Server in Apple Mac OS X before 10.6.3 does not prevent guest use ...) NOT-FOR-US: Apple AFP Server CVE-2010-0056 (Buffer overflow in Cocoa spell checking in AppKit in Apple Mac OS X ...)