Author: helmut-guest
Date: 2011-10-13 14:55:07 +0000 (Thu, 13 Oct 2011)
New Revision: 17415
Modified:
data/CVE/list
Log:
CVE update, mostly NFUs
Modified: data/CVE/list
==================================================================
--- data/CVE/list 2011-10-13 13:15:16 UTC (rev 17414)
+++ data/CVE/list 2011-10-13 14:55:07 UTC (rev 17415)
@@ -1284,11 +1284,11 @@
CVE-2004-2770
REJECTED
CVE-2011-3577 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through
7.0.0.3 ...)
- TODO: check
+ NOT-FOR-US: IBM WebSphere Commerce
CVE-2011-3576 (Cross-site scripting (XSS) vulnerability in IBM Lotus Domino
8.5.2 ...)
- TODO: check
+ NOT-FOR-US: IBM Lotus Domino
CVE-2011-3575 (Stack-based buffer overflow in the NSFComputeEvaluateExt
function in ...)
- TODO: check
+ NOT-FOR-US: IBM Lotus Domino
CVE-2011-3574
RESERVED
CVE-2011-3573
@@ -1434,7 +1434,7 @@
- ffmpeg <removed>
- ffmpeg-debian <end-of-life>
CVE-2011-3503 (Untrusted search path vulnerability in eSignal 10.6.2425.1208,
and ...)
- TODO: check
+ NOT-FOR-US: eSignal
CVE-2011-3502 (The web server in Cogent DataHub 7.1.1.63 and earlier allows
remote ...)
TODO: check
CVE-2011-3501 (Integer overflow in Cogent DataHub 7.1.1.63 and earlier allows
remote ...)
@@ -1442,31 +1442,31 @@
CVE-2011-3500 (Directory traversal vulnerability in the web server in Cogent
DataHub ...)
TODO: check
CVE-2011-3499 (Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote
...)
- TODO: check
+ NOT-FOR-US: Progea Movicon / PowerHMI
CVE-2011-3498 (Heap-based buffer overflow in Progea Movicon / PowerHMI
11.2.1085 and ...)
- TODO: check
+ NOT-FOR-US: Progea Movicon / PowerHMI
CVE-2011-3497 (service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows
remote ...)
- TODO: check
+ NOT-FOR-US: Measuresoft ScadaPro
CVE-2011-3496 (service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows
remote ...)
- TODO: check
+ NOT-FOR-US: Measuresoft ScadaPro
CVE-2011-3495 (Multiple directory traversal vulnerabilities in service.exe in
...)
- TODO: check
+ NOT-FOR-US: Measuresoft ScadaPro
CVE-2011-3494 (WinSig.exe in eSignal 10.6.2425 and earlier allows remote
attackers to ...)
- TODO: check
+ NOT-FOR-US: eSignal
CVE-2011-3493 (Multiple stack-based buffer overflows in the DH_OneSecondTick
function ...)
TODO: check
CVE-2011-3492 (Stack-based buffer overflow in Azeotech DAQFactory 5.85 build
1853 and ...)
- TODO: check
+ NOT-FOR-US: Azeotech DAQFactory
CVE-2011-3491 (Heap-based buffer overflow in Progea Movicon / PowerHMI
11.2.1085 and ...)
- TODO: check
+ NOT-FOR-US: Progea Movicon / PowerHMI
CVE-2011-3490 (Multiple stack-based buffer overflows in service.exe in
Measuresoft ...)
- TODO: check
+ NOT-FOR-US: Measuresoft ScadaPro
CVE-2011-3489 (RnaUtility.dll in RsvcHost.exe 2.30.0.23 in Rockwell RSLogix 19
and ...)
- TODO: check
+ NOT-FOR-US: Rockwell RSLogix
CVE-2011-3488 (Use-after-free vulnerability in Equis MetaStock 11 and earlier
allows ...)
- TODO: check
+ NOT-FOR-US: Equis MetaStock
CVE-2011-3487 (Directory traversal vulnerability in CarelDataServer.exe in
Carel ...)
- TODO: check
+ NOT-FOR-US: Carel PlantVisor
CVE-2011-3486 (Beckhoff TwinCAT 2.11.0.2004 and earlier allows remote attackers
to ...)
TODO: check
CVE-2011-3485
@@ -1586,21 +1586,21 @@
CVE-2011-3425
RESERVED
CVE-2011-3424 (Session fixation vulnerability in the Managed File Transfer
server in ...)
- TODO: check
+ NOT-FOR-US: TIBCO Managed File Transfer Internet Server
CVE-2011-3423 (Cross-site scripting (XSS) vulnerability in the Managed File
Transfer ...)
- TODO: check
+ NOT-FOR-US: TIBCO Managed File Transfer Internet Server
CVE-2010-4839 (SQL injection vulnerability in the Event Registration plugin
5.32 and ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin Event Registration
CVE-2010-4838 (SQL injection vulnerability in the JSupport (com_jsupport)
component ...)
- TODO: check
+ - joomla <itp> (bug #571794)
CVE-2010-4837 (Cross-site scripting (XSS) vulnerability in the JSupport ...)
- TODO: check
+ - joomla <itp> (bug #571794)
CVE-2010-4836 (Cross-site scripting (XSS) vulnerability in register.html in
PHPShop ...)
- TODO: check
+ NOT-FOR-US: PHPShop
CVE-2010-4835 (Directory traversal vulnerability in index.php in OneOrZero AIMS
2.6.0 ...)
- TODO: check
+ NOT-FOR-US: OneOrZero AIMS
CVE-2010-4834 (Multiple SQL injection vulnerabilities in index.php in OneOrZero
AIMS ...)
- TODO: check
+ NOT-FOR-US: OneOrZero AIMS
CVE-2009-5101 (Pentaho BI Server 1.7.0.1062 and earlier includes the session ID
...)
TODO: check
CVE-2009-5100 (Pentaho BI Server 1.7.0.1062 and earlier does not set the
autocomplete ...)
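Review bot: the two `- joomla <itp> (bug #571794)` lines for CVE-2010-4838 and CVE-2010-4837 attach these issues to the joomla package, but both descriptions name the JSupport (com_jsupport) component rather than Joomla itself. The plugin entry in the same hunk (CVE-2010-4839) is marked NOT-FOR-US with the plugin name; unless the package proposed in #571794 would ship JSupport, the same treatment looks more accurate here.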
@@ -1612,7 +1612,8 @@
CVE-2009-5097 (Palm Pre WebOS 1.1 and earlier processes JavaScript in email
messages, ...)
TODO: check
CVE-2009-5096 (Cross-site scripting (XSS) vulnerability in the Flag Content
module ...)
- TODO: check
+ NOT-FOR-US: Drupal module Flag Content
+ NOTE: might get packaged
CVE-2011-XXXX [Django several vulnerabilities]
- python-django 1.3.1-1 (bug #641405)
NOTE:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
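Review bot: on CVE-2009-5096, `NOT-FOR-US: Drupal module Flag Content` followed by `NOTE: might get packaged` pulls in two directions and leaves nothing to follow up on. If a packaging bug exists, reference it the way the joomla entries in this commit do (`<itp> (bug #571794)` style); if not, drop the NOTE or say who intends to package the module.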
@@ -1696,17 +1697,17 @@
CVE-2011-3393 (Multiple cross-site scripting (XSS) vulnerabilities in
findagent.php ...)
NOT-FOR-US: MYRE Real Estate
CVE-2009-5095 (PHP remote file inclusion vulnerability in index_inc.php in ea
gBook ...)
- TODO: check
+ NOT-FOR-US: ea gBook
CVE-2009-5094 (SQL injection vulnerability in info.php in CMS Faethon 2.2.0
Ultimate ...)
- TODO: check
+ NOT-FOR-US: CMS Faethon
CVE-2009-5093 (Directory traversal vulnerability in gastbuch.php in
Gästebuch ...)
- TODO: check
+ NOT-FOR-US: Gastebuch
CVE-2009-5092 (Cross-site scripting (XSS) vulnerability in the management
interface ...)
- TODO: check
+ NOT-FOR-US: Microsoft FAST ESP
CVE-2009-5091 (SQL injection vulnerability in page.php in Vlinks 1.0.3 and
1.1.6 ...)
- TODO: check
+ NOT-FOR-US: Vlinks
CVE-2009-5090 (SQL injection vulnerability in editcomments.php in
Bloggeruniverse ...)
- TODO: check
+ NOT-FOR-US: Bloggeruniverse Beta 2
CVE-2009-5089 (Directory traversal vulnerability in index.php in IdeaCart 0.02
and ...)
NOT-FOR-US: IdeaCart
CVE-2009-5088 (SQL injection vulnerability in secure/index.php in IdeaCart 0.02
...)
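Review bot: the product names in the NOT-FOR-US lines of this hunk are uneven. CVE-2009-5093 is recorded as `Gastebuch` while the description spells the product with an umlaut (itself mangled in this mail), and CVE-2009-5090 carries a version (`Bloggeruniverse Beta 2`) where the other entries give only the product name. Suggest using the product name as spelled in the CVE description and leaving versions out, so the entries stay searchable.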
@@ -1724,7 +1725,7 @@
CVE-2011-3390 (Multiple cross-site scripting (XSS) vulnerabilities in index.php
in ...)
NOT-FOR-US: IBM OpenAdmin Too
CVE-2010-4833 (Untrusted search path vulnerability in ...)
- TODO: check
+ - gtk+2.0 <not-affected> (win32 specific)
CVE-2011-3350 [masqmail improper privilege dropping]
RESERVED
- masqmail 0.2.30-1 (low; bug #638002)
@@ -2259,7 +2260,8 @@
RESERVED
{DSA-2310-1 DSA-2303-1}
CVE-2011-3187 (The to_s method in ...)
- TODO: check
+ - rails <undetermined>
+ NOTE: 3.x only?
CVE-2011-3186 (CRLF injection vulnerability in ...)
{DSA-2301-1}
- rails 2.3.14
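Review bot: the `NOTE: 3.x only?` under CVE-2011-3187 records an open question without saying what still has to be checked. The neighbouring CVE-2011-3186 lists `- rails 2.3.14`, so whether the 2.3.x series is affected is what decides this entry; suggest spelling that out in the NOTE or keeping a TODO line so the entry gets picked up again.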
@@ -2980,7 +2982,7 @@
CVE-2011-2933
RESERVED
CVE-2011-2932 (Cross-site scripting (XSS) vulnerability in ...)
- TODO: check
+ - rails <undetermined>
CVE-2011-2931 (Cross-site scripting (XSS) vulnerability in the strip_tags
helper in ...)
{DSA-2301-1}
- rails 2.3.14
@@ -2988,7 +2990,7 @@
{DSA-2301-1}
- rails 2.3.14
CVE-2011-2929 (The template selection functionality in ...)
- TODO: check
+ - rails <undetermined>
CVE-2011-2928 (The befs_follow_link function in fs/befs/linuxvfs.c in the Linux
...)
{DSA-2310-1 DSA-2303-1}
- linux-2.6 3.0.0-2
@@ -3508,9 +3510,9 @@
[squeeze] - openarena 0.8.5-5+squeeze1
- ioquake3 1.36+svn1946-4
CVE-2011-2763 (The web interface on the LifeSize Room appliance LS_RM1_3.5.3
(11) and ...)
- TODO: check
+ NOT-FOR-US: LifeSize Room appliance
CVE-2011-2762 (The web interface on the LifeSize Room appliance LS_RM1_3.5.3
(11) ...)
- TODO: check
+ NOT-FOR-US: LifeSize Room appliance
CVE-2011-2761 (Google Chrome 14.0.794.0 does not properly handle a reload of a
page ...)
- chromium-browser <undetermined>
[squeeze] - chromium-browser <not-affected>
@@ -3552,7 +3554,7 @@
CVE-2011-2747 (Google Picasa before 3.6 Build 105.67 does not properly handle
invalid ...)
NOT-FOR-US: Google Picasa
CVE-2011-2746 (Unspecified vulnerability in
Kernel/Modules/AdminPackageManager.pm in ...)
- TODO: check
+ - otrs2 <undetermined>
CVE-2011-2745 (upload_handler.php in the swfupload extension in Chyrp 2.0 and
earlier ...)
NOT-FOR-US: Chyrp
CVE-2011-2744 (Directory traversal vulnerability in Chyrp 2.1 and earlier
allows ...)
@@ -3568,7 +3570,7 @@
CVE-2011-2739
RESERVED
CVE-2011-2738 (Multiple unspecified vulnerabilities in Cisco Unified Service
Monitor ...)
- TODO: check
+ NOT-FOR-US: Cisco Unified Service Monitor, CiscoWorks LAN Management Solution
CVE-2011-2737 (RSA enVision 3.x and 4.x before 4 SP4 P3 allows remote attackers
to ...)
NOT-FOR-US: RSA enVision
CVE-2011-2736 (RSA enVision 4.x before 4 SP4 P3 places cleartext administrative
...)
@@ -3644,6 +3646,7 @@
- openoffice.org 1:3.3.0-1
NOTE: Since 3.3.0 openoffice.org is a transitional source package to migrate
to libreoffice
CVE-2011-2712 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x
before ...)
+ NOT-FOR-US: Apache Wicket
TODO: check
CVE-2011-2711 (Cross-site scripting (XSS) vulnerability in the print_fileinfo
...)
NOT-FOR-US: cgit
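Review bot: CVE-2011-2712 ends up with both `NOT-FOR-US: Apache Wicket` and the old `TODO: check`, because the new line is added without removing the TODO (the hunk grows from 6 to 7 lines, and every other entry in this commit replaces the TODO). Remove the `TODO: check` line so the entry reads as triaged.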
@@ -3676,7 +3679,8 @@
NOTE: http://www.nodefense.org/eglibc.txt
NOTE: fixed well before 2.13-10, but that is the present testing version that
was available to check
CVE-2011-2701 (The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11,
when ...)
- TODO: check
+ - freeradius <not-affected>
+ NOTE: introduced in 2.1.11, even sid ships 2.1.10+dfsg-3+b2
CVE-2011-2700 (Multiple buffer overflows in the si4713_write_econtrol_string
function ...)
{DSA-2303-1}
- linux-2.6 3.0.0-1
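Review bot: the NOTE on CVE-2011-2701 cites `2.1.10+dfsg-3+b2`, which is a binary rebuild version (`+b2` suffix); the source version `2.1.10+dfsg-3` is the one that matters for a source package entry. The reason could also go in parentheses on the `<not-affected>` line itself, as done for gtk+2.0 (`(win32 specific)`) in this same commit, keeping the NOTE only for the version detail.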
@@ -3804,7 +3808,8 @@
CVE-2011-2661 (Multiple cross-site scripting (XSS) vulnerabilities in WebAccess
in ...)
TODO: check
CVE-2011-2660 (The modify_resolvconf_suse script in the vpnc package before
...)
- TODO: check
+ - vpnc <not-affected>
+ NOTE: This only affects the SUSE packaging.
CVE-2011-2659
RESERVED
CVE-2011-2658
@@ -3816,27 +3821,27 @@
CVE-2011-2655
RESERVED
CVE-2011-2654 (The RPC implementation in the server in Novell Cloud Manager
1.1.2 ...)
- TODO: check
+ NOT-FOR-US: Novell Cloud Manager
CVE-2011-2653
RESERVED
CVE-2011-2652 (Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2,
as ...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2651 (Unspecified vulnerability in the file browser in Kiwi before
3.74.2, ...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2650 (Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2,
as ...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2649 (Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4,
allows ...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2648 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE
...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2647 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE
...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2646 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE
...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2645 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE
...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2644 (Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2,
as ...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2643 (Directory traversal vulnerability in sql.php in phpMyAdmin 3.4.x
...)
- phpmyadmin 4:3.4.3.2-1
[squeeze] - phpmyadmin <not-affected> (Vulnerable code not present)
@@ -3969,7 +3974,8 @@
CVE-2011-2595 (Multiple stack-based buffer overflows in ACDSee FotoSlate 4.0
Build ...)
NOT-FOR-US: ACDSee FotoSlate
CVE-2011-2594 (Heap-based buffer overflow in KMPlayer 3.0.0.1441, and possibly
other ...)
- TODO: check
+ NOT-FOR-US: KMPlayer
+ NOTE: This is http://www.kmplayer.com and not our kmplayer package.
CVE-2011-2593
RESERVED
CVE-2011-2592
@@ -4003,7 +4009,7 @@
CVE-2011-2578
RESERVED
CVE-2011-2577 (Unspecified vulnerability in Cisco TelePresence C Series
Endpoints, ...)
- TODO: check
+ NOT-FOR-US: Cisco TelePresence
CVE-2011-2576
RESERVED
CVE-2011-2575
@@ -4074,6 +4080,8 @@
TODO: check
CVE-2011-2542
RESERVED
+ - libsoup2.4 <undetermined>
+ NOTE: sid is probably fixed
CVE-2011-2541
RESERVED
CVE-2011-2540
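Review bot: CVE-2011-2542 is still `RESERVED` with no description, so nothing in the entry shows why it is assigned to libsoup2.4, and `NOTE: sid is probably fixed` names no version. Add a NOTE with a reference (bug report or upstream link) that ties the id to libsoup, and record the version believed to contain the fix so the `<undetermined>` state can be resolved later.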
@@ -4876,9 +4884,9 @@
CVE-2011-2227 (Cross-site scripting (XSS) vulnerability in Novell Identity
Manager ...)
TODO: check
CVE-2011-2226 (Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2,
as ...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2225 (Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE
...)
- TODO: check
+ NOT-FOR-US: Kiwi, SUSE Studio
CVE-2011-2224 (The Mobility Pack before 1.2 in Novell Data Synchronizer 1.x
through ...)
NOT-FOR-US: Novell Data Synchronizer
CVE-2011-2223 (The Mobility Pack before 1.2 in Novell Data Synchronizer 1.x
through ...)
@@ -4920,7 +4928,7 @@
[squeeze] - tomcat6 <no-dsa> (Minor issue)
- tomcat7 7.0.16-3 (low; bug #632882)
CVE-2011-2201 (The Data::FormValidator module 4.66 and earlier for Perl, when
...)
- TODO: check
+ - libdata-formvalidator-perl <undetermined>
CVE-2011-2200 (The _dbus_header_byteswap function in dbus-marshal-header.c in
D-Bus ...)
- dbus 1.4.12-1 (low; bug #629938)
[squeeze] - dbus 1.2.24-4+squeeze1
@@ -6505,7 +6513,7 @@
CVE-2011-1658 (ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier
...)
TODO: check
CVE-2011-1657 (The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern
functions ...)
- TODO: check
+ - php <undetermined>
CVE-2011-1656
RESERVED
CVE-2011-1655 (The management.asmx module in the Management Web Service in the
...)
@@ -10366,7 +10374,7 @@
CVE-2011-0344 (Multiple stack-based buffer overflows in unspecified CGI
programs in ...)
NOT-FOR-US: Unified Maintenance Tool
CVE-2011-0342 (Multiple buffer overflows in the InduSoft ISSymbol ActiveX
control in ...)
- TODO: check
+ NOT-FOR-US: InduSoft ISSymbol ActiveX
CVE-2011-0341 (Stack-based buffer overflow in the pdfmoz_onmouse function in
...)
NOT-FOR-US: MuPDF plug-in for Firefox
CVE-2011-0340 (Multiple buffer overflows in the ISSymbol ActiveX control in
...)
@@ -10428,7 +10436,7 @@
CVE-2011-0312
RESERVED
CVE-2011-0311 (The class file parser in IBM Java before 1.4.2 SR13 FP9, as used
in ...)
- TODO: check
+ NOT-FOR-US: IBM Java
CVE-2011-0310 (Buffer overflow in IBM WebSphere MQ 7.0 before 7.0.1.4 allows
remote ...)
NOT-FOR-US: IBM WebSphere MQ
CVE-2011-0309