Author: jmm Date: 2011-10-14 15:57:21 +0000 (Fri, 14 Oct 2011) New Revision: 17423 Modified: data/CVE/list Log: - new etherape issue (no-dsa) - new cyrus issue (front desk, please create ticket) - new webkit issues (likely also chromium) - NFUs Modified: data/CVE/list ==================================================================--- data/CVE/list 2011-10-14 09:02:12 UTC (rev 17422) +++ data/CVE/list 2011-10-14 15:57:21 UTC (rev 17423) @@ -1,12 +1,6 @@ CVE-2011-XXXX [Ruby 1.9.2-p290 WEBrick::HTTPRequest X-Forwarded-*] TODO: check NOTE: http://www.openwall.com/lists/oss-security/2011/10/12/5 -CVE-2011-XXXX [XSS in phorum before 5.2.18] - TODO: check - NOTE: http://www.openwall.com/lists/oss-security/2011/10/10/7 -CVE-2011-XXXX [fluxbb: only affected with FORUM_BEHIND_REVERSE_PROXY enabled] - TODO: check - NOTE: http://www.openwall.com/lists/oss-security/2011/10/10/9 CVE-2011-XXXX [media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers] TODO: check NOTE: https://bugs.gentoo.org/show_bug.cgi?id=285370 
@@ -1148,27 +1142,22 @@ [lenny] - conky 1.6.0-2+lenny1 CVE-2011-3615 [unknown security issue in simple machines forum] RESERVED - TODO: check - NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/3 + NOT-FOR-US: Simple Machines Forum CVE-2011-3614 [vanilla plugin access control] RESERVED - NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/2 + NOT-FOR-US: Vanilla Forums CVE-2011-3613 [vanilla forums cookie theft] RESERVED - TODO: check - NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/2 + NOT-FOR-US: Vanilla Forums CVE-2011-3612 [HTB22913: Multiple CSRF in UseBB] RESERVED - TODO: check - NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/1 + NOT-FOR-US: UseBB CVE-2011-3611 [HTB22914: Local File Inclusion in UseBB] RESERVED - TODO: check - NOTE: http://www.openwall.com/lists/oss-security/2011/10/09/1 + NOT-FOR-US: UseBB CVE-2011-3610 [serendipity freetag plugin before 3.30 and probably others] RESERVED - TODO: check - NOTE: http://www.openwall.com/lists/oss-security/2011/10/08/2 + NOT-FOR-US: Serendipity plugin CVE-2011-3609 RESERVED CVE-2011-3608 @@ -1276,12 +1265,17 @@ RESERVED CVE-2011-3581 RESERVED + - ldns <unfixed> + NOTE: http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=403 + NOTE: https://secunia.com/advisories/46153/ + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=741024 + TODO: File bug CVE-2011-3580 (IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote ...) - TODO: check + NOT-FOR-US: IceWarp Mail Server CVE-2011-3579 (server/webmail.php in IceWarp WebMail in IceWarp Mail Server before ...) - TODO: check + NOT-FOR-US: IceWarp Mail Server CVE-2011-3578 (Cross-site scripting (XSS) vulnerability in ...) - TODO: check + TODO: check, whether this was fixed in the DSA for CVE-2011-3357 CVE-2004-2770 REJECTED CVE-2011-3577 (IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.3 ...) 
@@ -1437,11 +1431,11 @@ CVE-2011-3503 (Untrusted search path vulnerability in eSignal 10.6.2425.1208, and ...) NOT-FOR-US: eSignal CVE-2011-3502 (The web server in Cogent DataHub 7.1.1.63 and earlier allows remote ...) - TODO: check + NOT-FOR-US: Cogent DataHub CVE-2011-3501 (Integer overflow in Cogent DataHub 7.1.1.63 and earlier allows remote ...) - TODO: check + NOT-FOR-US: Cogent DataHub CVE-2011-3500 (Directory traversal vulnerability in the web server in Cogent DataHub ...) - TODO: check + NOT-FOR-US: Cogent DataHub CVE-2011-3499 (Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote ...) NOT-FOR-US: Progea Movicon / PowerHMI CVE-2011-3498 (Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and ...) @@ -1455,7 +1449,7 @@ CVE-2011-3494 (WinSig.exe in eSignal 10.6.2425 and earlier allows remote attackers to ...) NOT-FOR-US: eSignal CVE-2011-3493 (Multiple stack-based buffer overflows in the DH_OneSecondTick function ...) - TODO: check + NOT-FOR-US: Cogent DataHub CVE-2011-3492 (Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and ...) NOT-FOR-US: Azeotech DAQFactory CVE-2011-3491 (Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and ...) @@ -1469,11 +1463,13 @@ CVE-2011-3487 (Directory traversal vulnerability in CarelDataServer.exe in Carel ...) NOT-FOR-US: Carel PlantVisor CVE-2011-3486 (Beckhoff TwinCAT 2.11.0.2004 and earlier allows remote attackers to ...) - TODO: check + NOT-FOR-US: Beckhoff TwinCAT CVE-2011-3485 RESERVED CVE-2011-3481 (The index_get_ids function in index.c in imapd in Cyrus IMAP Server ...) - TODO: check + - cyrus-imapd-2.2 <unfixed> + - cyrus-imapd-2.4 2.4.11-1 + - kolab-cyrus-imapd <unfixed> CVE-2011-3480 RESERVED CVE-2011-3479 
@@ -1609,9 +1605,9 @@ CVE-2009-5099 (Cross-site scripting (XSS) vulnerability in ViewAction in Pentaho BI ...) TODO: check CVE-2009-5098 (The LunaSysMgr process in Palm Pre WebOS 1.1 and earlier, when not ...) - TODO: check + NOT-FOR-US: Palm WebOS CVE-2009-5097 (Palm Pre WebOS 1.1 and earlier processes JavaScript in email messages, ...) - TODO: check + NOT-FOR-US: Palm WebOS CVE-2009-5096 (Cross-site scripting (XSS) vulnerability in the Flag Content module ...) NOT-FOR-US: Drupal module Flag Content NOTE: might get packaged @@ -1759,9 +1755,9 @@ [lenny] - php5 <not-affected> (Introduced in 5.3.7) CVE-2011-3378 RESERVED - - rpm <unfixed> (low) - NOTE: Marking as unimportant since rpm isn''t used as a package manager - TODO: File bug + - rpm <unfixed> (low; bug #645325) + [squeeze] - rpm <no-dsa> (rpm isn''t used a a package manager, very limited attack vector) + [lenny] - rpm <no-dsa> (rpm isn''t used a a package manager, very limited attack vector) CVE-2011-3377 RESERVED CVE-2011-3376 @@ -1787,7 +1783,9 @@ CVE-2011-3370 RESERVED CVE-2011-3369 (The add_conversation function in conversations.c in EtherApe before ...) - TODO: check + - etherape <unfixed> (low; bug #645324) + [lenny] - etherape <no-dsa> (Minor issue) + [squeeze] - etherape <no-dsa> (Minor issue) CVE-2011-3368 (The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, ...) - apache2 2.2.21-2 (medium) NOTE: http://article.gmane.org/gmane.comp.apache.announce/61 @@ -1907,7 +1905,7 @@ CVE-2011-3333 RESERVED CVE-2011-3332 (Stack-based buffer overflow in Iceni Argus 6.20 and earlier and Infix ...) - TODO: check + NOT-FOR-US: Iceni Argus CVE-2011-3331 RESERVED CVE-2011-3330 
@@ -2103,32 +2101,40 @@ CVE-2011-3245 RESERVED CVE-2011-3244 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) - TODO: check + - chromium-browser <undetermined> + - webkit <undetermined> CVE-2011-3243 RESERVED CVE-2011-3242 RESERVED CVE-2011-3241 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) - TODO: check + - chromium-browser <undetermined> + - webkit <undetermined> CVE-2011-3240 RESERVED CVE-2011-3239 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) - TODO: check + - chromium-browser <undetermined> + - webkit <undetermined> CVE-2011-3238 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) - TODO: check + - chromium-browser <undetermined> + - webkit <undetermined> CVE-2011-3237 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) - TODO: check + - chromium-browser <undetermined> + - webkit <undetermined> CVE-2011-3236 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) - TODO: check + - chromium-browser <undetermined> + - webkit <undetermined> CVE-2011-3235 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) - TODO: check + - chromium-browser <undetermined> + - webkit <undetermined> CVE-2011-3234 (Google Chrome before 14.0.835.163 does not properly handle boxes, ...) - chromium-browser 14.0.835.163~r101024-1 [squeeze] - chromium-browser <not-affected> - webkit <undetermined> NOTE: http://trac.webkit.org/changeset/92132 CVE-2011-3233 (WebKit, as used in Apple iTunes before 10.5, allows man-in-the-middle ...) - TODO: check + - chromium-browser <undetermined> + - webkit <undetermined> CVE-2011-3232 (YARR, as used in Mozilla Firefox before 7.0, Thunderbird before 7.0, ...) - xulrunner <not-affected> (Only affects Firefox >= 4) - iceweasel 7.0-1 
@@ -2161,7 +2167,7 @@ CVE-2011-3220 RESERVED CVE-2011-3219 (Buffer overflow in CoreMedia, as used in Apple iTunes before 10.5, ...) - TODO: check + NOT-FOR-US: Apple CoreMedia CVE-2011-3218 RESERVED CVE-2011-3217
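Review bot: In the @@ -1,12 +1,6 @@ hunk the temporary CVE-2011-XXXX entries for phorum and fluxbb are deleted outright, and the log only lists etherape, cyrus, webkit and NFUs, so a reader cannot tell whether they were triaged as not-for-us or received real IDs elsewhere. State which in the log message, since the two oss-security references disappear with them.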
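Review bot: In the @@ -1148,27 +1142,22 @@ hunk, CVE-2011-3610 is closed as "NOT-FOR-US: Serendipity plugin" although its own title reads "freetag plugin before 3.30 and probably others", and the oss-security NOTE that would let someone check the "others" is removed in the same change. Keep the NOTE line next to the NOT-FOR-US marker, or record that the other affected plugins were checked.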
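Review bot: In the @@ -1276,12 +1265,17 @@ hunk, the new line "TODO: check, whether this was fixed in the DSA for CVE-2011-3357" on CVE-2011-3578 names neither a package nor a DSA number, so the entry still carries no package line and the next person has to look up CVE-2011-3357 to learn what it is about. Add the package line or at least the DSA number to the TODO. The ldns entry added under CVE-2011-3581 in the same hunk is also missing from the log message.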
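Review bot: In the @@ -1469,11 +1463,13 @@ hunk, CVE-2011-3481 marks cyrus-imapd-2.2 and kolab-cyrus-imapd as <unfixed> with no bug number, no urgency and no TODO, and the request for a ticket exists only in the log message ("front desk, please create ticket"). Put a "TODO: File bug" line in the entry, as was done for ldns, so the open action is visible in data/CVE/list itself.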
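Review bot: In the @@ -1759,9 +1755,9 @@ hunk, both new no-dsa lines for rpm contain the typo "used a a package manager"; it should read "used as a package manager" in the [squeeze] and the [lenny] line. These reason strings are what people see when they look up why no DSA was issued, so they are worth getting right.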
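Review bot: In the @@ -1787,7 +1783,9 @@ hunk, the etherape entry lists [lenny] before [squeeze], while the rpm entry added in the same commit lists [squeeze] first. Pick one release order and use it for both so the entries read consistently.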
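Review bot: In the @@ -2103,32 +2101,40 @@ hunk, eight WebKit CVEs (CVE-2011-3233, 3235 to 3239, 3241, 3244) go from "TODO: check" to <undetermined> for chromium-browser and webkit with no NOTE or TODO left behind, and the "likely also chromium" reasoning appears only in the log. Add a NOTE with the upstream reference, as CVE-2011-3234 does with its trac.webkit.org changeset, or keep a TODO so the undetermined status gets revisited.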