thr3ads.net - Secure testing commits - [Secure-testing-commits] r14928

If this information is useful, please help other people find it:
Share via:
Raphael Geissert
2010-Jun-29 23:42 UTC
[Secure-testing-commits] r14928 - data/CVE

Author: geissert
Date: 2010-06-29 23:42:48 +0000 (Tue, 29 Jun 2010)
New Revision: 14928

Modified:
   data/CVE/list
Log:
new issues in: bugzilla, libpng, python-paste
some NFUs


Modified: data/CVE/list
==================================================================---
data/CVE/list	2010-06-29 23:32:21 UTC (rev 14927)
+++ data/CVE/list	2010-06-29 23:42:48 UTC (rev 14928)
@@ -1,3 +1,8 @@
+CVE-2010-XXXX [XSS in paste.httpexceptions]
+	- python-paste 1.7.4-1
+	NOTE: http://bitbucket.org/ianb/paste/changeset/fcae59df8b56
+	NOTE: CVE requested
+	TODO: evaluate
 CVE-2010-2515 (Multiple SQL injection vulnerabilities in index.php in the JFaq
...)
 	TODO: check
 CVE-2010-2514 (Cross-site scripting (XSS) vulnerability in the JFaq (com_jfaq)
...)
@@ -13,19 +18,19 @@
 CVE-2010-2509 (Multiple cross-site scripting (XSS) vulnerabilities in 2daybiz
Web ...)
 	TODO: check
 CVE-2010-2508 (SQL injection vulnerability in user-profile.php in 2daybiz Video
...)
-	TODO: check
+	NOT-FOR-US: 2daybiz Video
 CVE-2010-2507 (Directory traversal vulnerability in the Picasa2Gallery ...)
 	TODO: check
 CVE-2010-2506 (Cross-site scripting (XSS) vulnerability in debug.cgi in Linksys
...)
-	TODO: check
+	NOT-FOR-US: Linksys
 CVE-2010-2505 (Soft SaschArt SasCAM Webcam Server 2.6.5, 2.7, and earlier
allows ...)
 	TODO: check
 CVE-2010-2504 (Splunk 4.0 through 4.0.10 and 4.1 through 4.1.1 allows remote
...)
-	TODO: check
+	NOT-FOR-US: Splunk
 CVE-2010-2503 (Multiple cross-site scripting (XSS) vulnerabilities in Splunk
4.0 ...)
-	TODO: check
+	NOT-FOR-US: Splunk
 CVE-2010-2502 (Multiple directory traversal vulnerabilities in Splunk 4.0
through ...)
-	TODO: check
+	NOT-FOR-US: Splunk
 CVE-2010-2501
 	RESERVED
 CVE-2010-2500
@@ -89,7 +94,7 @@
 CVE-2010-2471
 	RESERVED
 CVE-2010-2470 (Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7
through ...)
-	TODO: check
+	- bugzilla <undetermined>
 CVE-2010-XXXX [syscp open_basedir bypassing]
 	- syscp <unfixed> (bug #587481)
 	NOTE: CVE id requested on oss-sec
@@ -118,11 +123,11 @@
 CVE-2010-2458 (Cross-site scripting (XSS) vulnerability in video.php in 2daybiz
Video ...)
 	TODO: check
 CVE-2010-2457 (Cross-site scripting (XSS) vulnerability in index.php in
K-Search ...)
-	TODO: check
+	NOT-FOR-US: K-Search
 CVE-2010-2456 (Multiple directory traversal vulnerabilities in index.php in
Linker ...)
 	TODO: check
 CVE-2010-2455 (Opera does not properly manage the address bar between the
request to ...)
-	TODO: check
+	NOT-FOR-US: Opera
 CVE-2010-2454 (Apple Safari does not properly manage the address bar between
the ...)
 	TODO: check
 CVE-2010-2453
@@ -622,8 +627,13 @@
 	NOTE: http://www.ocert.org/advisories/ocert-2010-001.html
 CVE-2010-2250
 	RESERVED
-CVE-2010-2249
+CVE-2010-2249 [memory leak in libpng]
 	RESERVED
+	- libpng <unfixed> (low)
+	- freeimage <undetermined>
+	- tuxonice-userui <unfixed>
+	TODO: check
+	TODO: binNMU tuxonice-userui once libpng is fixed
 CVE-2010-2248 [os/2 smb issue]
 	RESERVED
 	- linux-2.6 2.6.32-12 (low)
@@ -677,7 +687,8 @@
 CVE-2010-2226
 	RESERVED
 CVE-2010-2225 (Use-after-free vulnerability in the SplObjectStorage
unserializer in ...)
-	- php5 <undetermined>
+	- php5 <unfixed>
+	NOTE: some vectors mitigated by suhosin patch, but more info is needed
 	TODO: check
 CVE-2010-2224 (The snapshot merging functionality in Red Hat Enterprise ...)
 	NOT-FOR-US: Reh Hat Enterprise Virtualization Manager (RHEV-M)
@@ -3524,10 +3535,15 @@
 	RESERVED
 CVE-2010-1206 (The startDocumentLoad function in
browser/base/content/browser.js in ...)
 	TODO: check
-CVE-2010-1205
+CVE-2010-1205 [memory write out of bounds]
 	RESERVED
+	- libpng <unfixed>
+	- freeimage <undetermined>
+	- tuxonice-userui <unfixed>
+	TODO: check
+	TODO: binNMU tuxonice-userui once libpng is fixed
 CVE-2010-1204 (Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6,
3.5.1 ...)
-	TODO: check
+	- bugzilla <undetermined>
 CVE-2010-1203 (The JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4
allow ...)
 	- xulrunner <not-affected> (Only affects Firefox 3.6, i.e xulrunner
1.9.2)
 CVE-2010-1202 (Multiple unspecified vulnerabilities in the JavaScript engine in
...)
@@ -6633,7 +6649,7 @@
 	- iceape 2.0.4-1
 	[lenny] - iceape <not-affected> (Only a stub package)
 CVE-2010-0180 (Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7,
when ...)
-	TODO: check
+	- bugzilla <undetermined>
 CVE-2010-0179 (Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and
SeaMonkey ...)
 	{DSA-2027-1}
 	- xulrunner 1.9.1.9-1
Secure testing commits - Jun 2010 - r14928 - data/CVE

[Secure-testing-commits] r14928 - data/CVE
