Author: nion Date: 2012-02-20 11:42:37 +0000 (Mon, 20 Feb 2012) New Revision: 18490 Modified: data/CVE/list data/spu-candidates.txt Log: - mathopd should be fixed via spu - NFUs - CVE-2012-0904 seems to be a non-issue (vlc) - CVE-2012-0789 fixed in php5 5.3.9-1 Modified: data/CVE/list ==================================================================--- data/CVE/list 2012-02-20 10:50:39 UTC (rev 18489) +++ data/CVE/list 2012-02-20 11:42:37 UTC (rev 18490) @@ -212,57 +212,57 @@ CVE-2012-1088 RESERVED CVE-2012-1087 (Cross-site scripting (XSS) vulnerability in the Post data records to ...) - TODO: check + NOT-FOR-US: bc_post2facebook extension for TYPO3 CVE-2012-1086 (Cross-site scripting (XSS) vulnerability in the UrlTool (aeurltool) ...) - TODO: check + NOT-FOR-US: aeurltool extension for TYPO3 CVE-2012-1085 (Unspecified vulnerability in the BE User Switch (beuserswitch) ...) - TODO: check + NOT-FOR-US: beuserswitch for TYPO3 CVE-2012-1084 (Cross-site scripting (XSS) vulnerability in the BE User Switch ...) - TODO: check + NOT-FOR-US: beuserswitch for TYPO3 CVE-2012-1083 (Cross-site request forgery (CSRF) vulnerability in the Terminal PHP ...) - TODO: check + NOT-FOR-US: terminal extension TYPO3 CVE-2012-1082 (Cross-site scripting (XSS) vulnerability in the Terminal PHP Shell ...) - TODO: check + NOT-FOR-US: terminal extension TYPO3 CVE-2012-1081 (Cross-site scripting (XSS) vulnerability in the Yet another Google ...) - TODO: check + NOT-FOR-US: ya_googlesearch extension for TYPO3 CVE-2012-1080 (Cross-site scripting (XSS) vulnerability in the Euro Calculator ...) - TODO: check + NOT-FOR-US: skt_eurocalc extension for TYPO3 CVE-2012-1079 (Unspecified vulnerability in the Webservices for TYPO3 ...) - TODO: check + NOT-FOR-US: typo3_webservice extension for TYPO3 CVE-2012-1078 (The System Utilities (sysutils) extension 1.0.3 and earlier for TYPO3 ...) - TODO: check + NOT-FOR-US: sysutils extension for TYPO3 CVE-2012-1077 (SQL injection vulnerability in the Post data records to facebook ...) - TODO: check + NOT-FOR-US: bc_post2facebook extension for TYPO3 CVE-2012-1076 (Cross-site scripting (XSS) vulnerability in the Documents download ...) - TODO: check + NOT-FOR-US: rtg_files extension for TYPO3 CVE-2012-1075 (SQL injection vulnerability in the Documents download (rtg_files) ...) - TODO: check + NOT-FOR-US: rtg_files extension for TYPO3 CVE-2012-1074 (SQL injection vulnerability in the White Papers (mm_whtppr) extension ...) - TODO: check + NOT-FOR-US: mm_whtppr extension for TYPO3 CVE-2012-1073 (Cross-site scripting (XSS) vulnerability in the Category-System ...) - TODO: check + NOT-FOR-US: toi_category extension for TYPO3 CVE-2012-1072 (SQL injection vulnerability in the Category-System (toi_category) ...) - TODO: check + NOT-FOR-US: toi_category extension for TYPO3 CVE-2012-1071 (SQL injection vulnerability in the Kitchen recipe (mv_cooking) ...) - TODO: check + NOT-FOR-US: mv_cooking extension for TYPO3 CVE-2012-1070 (Cross-site scripting (XSS) vulnerability in the Modern FAQ (irfaq) ...) - TODO: check + NOT-FOR-US: irfaq extension for TYPO3 CVE-2012-1069 (Cross-site scripting (XSS) vulnerability in module/kb/search_word in ...) - TODO: check + NOT-FOR-US: lknSupport CVE-2012-1068 (Cross-site scripting (XSS) vulnerability in the rc_ajax function in ...) - TODO: check + NOT-FOR-US: WP-RecentComments plugin for WordPress CVE-2012-1067 (SQL injection vulnerability in the WP-RecentComments plugin 2.0.7 for ...) - TODO: check + NOT-FOR-US: WP-RecentComments plugin for WordPress CVE-2012-1066 (Cross-site scripting (XSS) vulnerability in the template module in ...) - TODO: check + NOT-FOR-US: SmartyCMS CVE-2012-1065 (Insecure method vulnerability in TuxScripting.dll in the TuxSystem ...) - TODO: check + NOT-FOR-US: TuxSystem CVE-2012-1064 RESERVED CVE-2011-5080 (Cross-site scripting (XSS) vulnerability in ...) - TODO: check + NOT-FOR-US: jftcaforms extension for TYPO3 CVE-2011-5079 (Open redirect vulnerability in the Modern FAQ (irfaq) extension 1.1.2 ...) - TODO: check + NOT-FOR-US: irfaq extension for TYPO3 CVE-2010-5085 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...) TODO: check CVE-2010-5084 (The cross-site request forgery (CSRF) protection mechanism in e107 ...) @@ -270,35 +270,38 @@ CVE-2010-5083 (SQL injection vulnerability in the Web_Links module for PHP-Nuke 8.0 ...) TODO: check CVE-2012-1063 (Multiple SQL injection vulnerabilities in ManageEngine Applications ...) - TODO: check + NOT-FOR-US: ManageEngine Applications Manager CVE-2012-1062 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ...) - TODO: check + NOT-FOR-US: ManageEngine Applications Manager CVE-2012-1061 (SQL injection vulnerability in GForge Advanced Server 6.0.0 and other ...) - TODO: check + NOT-FOR-US: GForge Advanced Server CVE-2012-1060 (Multiple cross-site scripting (XSS) vulnerabilities in ...) - TODO: check + NOT-FOR-US: Taxonomy module for Drupal CVE-2012-1059 (Cross-site scripting (XSS) vulnerability in the shirt module in ...) - TODO: check + NOT-FOR-US: shirt module in OSCommerce CVE-2012-1058 (Cross-site request forgery (CSRF) vulnerability in Flyspray 0.9.9.6 ...) - TODO: check + NOT-FOR-US: Flyspray CVE-2012-1057 (Cross-site request forgery (CSRF) vulnerability in the clickthrough ...) - TODO: check + NOT-FOR-US: Forward module for Drupal CVE-2012-1056 (The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 ...) - TODO: check + NOT-FOR-US: Forward module for Drupal CVE-2012-1055 (Heap-based buffer overflow in PhotoLine 17.01 and possibly other ...) - TODO: check + NOT-FOR-US: PhotoLine CVE-2012-1054 RESERVED CVE-2012-1053 RESERVED CVE-2012-1052 (Buffer overflow in IvanView 1.2.15 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: IvanView CVE-2012-1051 (Heap-based buffer overflow in Xjp2.dll in the JPEG2000 plug-in in ...) - TODO: check + NOT-FOR-US: XnView CVE-2012-1050 (Directory traversal vulnerability in Mathopd 1.4.x and 1.5.x before ...) - TODO: check + - mathopd <unfixed> (low; bug #660627) + [lenny] - mathopd <no-dsa> (Minor issue, configuration specific) + [squeeze] - mathopd <no-dsa> (Minor issue, configuration specific) + NOTE: this is only an issue in specific configurations but not in the Debian configuration CVE-2012-1049 (Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ...) - TODO: check + NOT-FOR-US: ManageEngine ADManager Plus CVE-2012-1048 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: eFront Community++ CVE-2012-1047 (Directory traversal vulnerability in the WWWHELP Service ...) @@ -387,7 +390,7 @@ CVE-2011-5076 (SQL injection vulnerability in model/comment.class.php in HDWiki 5.0, ...) NOT-FOR-US: HDWiki CVE-2012-1009 (NetSarang Xlpd 4 Build 0100 and NetSarang Xmanager Enterprise 4 Build ...) - TODO: check + NOT-FOR-US: NetSarang CVE-2012-1008 (OfficeSIP Server 3.1 allows remote attackers to cause a denial of ...) NOT-FOR-US: OfficeSIP Server CVE-2012-1007 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts ...) @@ -620,7 +623,8 @@ CVE-2012-0905 (SQL injection vulnerability in deV!L''z Clanportal (DZCP) Gamebase ...) NOT-FOR-US: deV!L''z Clanportal CVE-2012-0904 (VLC media player 1.1.11 allows remote attackers to cause a denial of ...) - TODO: check + - vlc <not-affected> + NOTE: not reproducible, no public fix from the vlc team either CVE-2012-0903 (Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Desktop ...) NOT-FOR-US: Zimbra Desktop CVE-2012-0902 (AirTies Air 4450 1.1.2.18 allows remote attackers to cause a denial of ...) @@ -783,7 +787,7 @@ - php5 5.3.10-1 NOTE: http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/ CVE-2012-0829 (Multiple cross-site request forgery (CSRF) vulnerabilities in Mibew ...) - TODO: check + NOT-FOR-US: Mibew Messenger CVE-2012-0828 RESERVED - xchat <not-affected> (Only affects Xchat on Windows and Maemo) @@ -905,7 +909,7 @@ CVE-2012-0790 (Cross-site scripting (XSS) vulnerability in smokeping_cgi in Smokeping ...) - smokeping 2.6.7-1 (bug #659899) CVE-2012-0789 (Memory leak in the timezone functionality in PHP before 5.3.9 allows ...) - TODO: check + - php5 5.3.9-1 CVE-2012-0788 (The PDORow implementation in PHP before 5.3.9 does not properly ...) {DSA-2408-1} - php5 5.3.9-1 @@ -955,7 +959,7 @@ CVE-2012-0768 RESERVED CVE-2012-0767 (Cross-site scripting (XSS) vulnerability in Adobe Flash Player before ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2012-0766 (The Shockwave 3D Asset component in Adobe Shockwave Player before ...) NOT-FOR-US: Adobe Shockwave Player CVE-2012-0765 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe RoboHelp ...) @@ -1915,7 +1919,7 @@ CVE-2012-0353 RESERVED CVE-2012-0352 (Cisco NX-OS 4.2.x before 4.2(1)SV1(5.1) on Nexus 1000v series ...) - TODO: check + NOT-FOR-US: Cisco NX-OS CVE-2012-0351 RESERVED CVE-2012-0350 @@ -3208,7 +3212,7 @@ - virtualbox-guest-additions-iso 4.1.8-1 (bug #659951) [squeeze] - virtualbox-guest-additions-iso <not-affected> (Vulnerable code not present, see #659950) CVE-2012-0104 (Unspecified vulnerability in Oracle GlassFish Enterprise Server 3.0.1 ...) - TODO: check + NOT-FOR-US: Oracle GlassFish Enterprise Server CVE-2012-0103 (Unspecified vulnerability in Oracle Solaris 11 Express allows local ...) NOT-FOR-US: Oracle Solaris Kernel CVE-2012-0102 (Unspecified vulnerability in the MySQL Server component in Oracle ...) @@ -3254,7 +3258,7 @@ CVE-2012-0082 (Unspecified vulnerability in the Core RDBMS component in Oracle ...) NOT-FOR-US: Oracle Database Server CVE-2012-0081 (Unspecified vulnerability in Oracle GlassFish Enterprise Server 3.1.1 ...) - TODO: check + NOT-FOR-US: Oracle GlassFish Enterprise Server CVE-2012-0080 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2012-0079 (Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote ...) @@ -3870,7 +3874,7 @@ CVE-2011-4609 RESERVED CVE-2011-4608 (mod_cluster in JBoss Enterprise Application Platform 5.1.2 for Red Hat ...) - TODO: check + NOT-FOR-US: JBoss Enterprise Application Platform CVE-2011-4607 [http://seclists.org/oss-sec/2011/q4/500] RESERVED - putty 0.62-1 (unimportant) Modified: data/spu-candidates.txt ==================================================================--- data/spu-candidates.txt 2012-02-20 10:50:39 UTC (rev 18489) +++ data/spu-candidates.txt 2012-02-20 11:42:37 UTC (rev 18490) @@ -290,3 +290,7 @@ -- zorp (CVE-2009-3555) + +-- + +mathopd (CVE-2012-1050)