Author: geissert
Date: 2009-10-15 23:17:21 +0000 (Thu, 15 Oct 2009)
New Revision: 13025
Modified:
data/CVE/list
Log:
Two openoffice.org, one amsn and one kvirc issues to be verified
NFUs
Modified: data/CVE/list
==================================================================---
data/CVE/list 2009-10-15 21:51:42 UTC (rev 13024)
+++ data/CVE/list 2009-10-15 23:17:21 UTC (rev 13025)
@@ -1,5 +1,5 @@
CVE-2009-3699 (Stack-based buffer overflow in libcsa.a (aka the calendar daemon
...)
- TODO: check
+ NOT-FOR-US: IBM AIX
CVE-2009-3698 (An unspecified function in the Dalvik API in Android 1.5 and
earlier ...)
NOT-FOR-US: Dalvik API in Android
CVE-2009-3697 [phpMyAdmin XSS/SQL inj PMASA-2009-6]
@@ -544,7 +544,7 @@
CVE-2009-3460
RESERVED
CVE-2009-3459 (Unspecified vulnerability in Adobe Reader and Acrobat 9.1.3 and
...)
- TODO: check
+ NOT-FOR-US: Adobe Acrobat
CVE-2009-3458
RESERVED
CVE-2009-3457 (Cisco ACE XML Gateway (AXG) and ACE Web Application Firewall
(WAF) ...)
@@ -1047,6 +1047,7 @@
CVE-2009-3240 (Cross-site scripting (XSS) vulnerability in the Happy Linux
XF-Section ...)
NOT-FOR-US: module for XOOPS
CVE-2009-3239 (Buffer overflow in the EMF parser implementation in
OpenOffice.org ...)
+ - openoffice.org <unfixed>
TODO: check
CVE-2009-3238 (The get_random_int function in drivers/char/random.c in the
Linux ...)
TODO: check
@@ -1364,7 +1365,7 @@
CVE-2009-3127
RESERVED
CVE-2009-3126 (Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1,
Windows ...)
- TODO: check
+ NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-3162 (Cross-site scripting (XSS) vulnerability in Multi Website 1.5
allows ...)
NOT-FOR-US: Multi Website
CVE-2009-3161 (The server in IBM WebSphere MQ 7.0.0.1, 7.0.0.2, and 7.0.1.0
allows ...)
@@ -1793,9 +1794,9 @@
CVE-2009-3031
RESERVED
CVE-2009-3030 (Cross-site scripting (XSS) vulnerability in Symantec ...)
- TODO: check
+ NOT-FOR-US: Symantec SecurityExpressions Audit and Compliance Server
CVE-2009-3029 (Cross-site scripting (XSS) vulnerability in the console in
Symantec ...)
- TODO: check
+ NOT-FOR-US: Symantec SecurityExpressions Audit and Compliance Server
CVE-2009-3028
RESERVED
CVE-2009-3027
@@ -2106,6 +2107,7 @@
CVE-2008-7071 (SQL injection vulnerability in authenticate.php in Chipmunk
Topsites ...)
NOT-FOR-US: Chipmunk Topsites
CVE-2008-7070 (Argument injection vulnerability in the URI handler in KVIrc
3.4.2 ...)
+ - kvirc <unfixed>
TODO: check
CVE-2008-7069 (All Club CMS (ACCMS) 0.0.2 and earlier stores sensitive
information ...)
NOT-FOR-US: All Club CMS (ACCMS)
@@ -2354,9 +2356,9 @@
CVE-2009-2899
RESERVED
CVE-2009-2898 (Cross-site scripting (XSS) vulnerability in the Alerts list
feature in ...)
- TODO: check
+ NOT-FOR-US: SpringSource Hyperic HQ
CVE-2009-2897 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
- TODO: check
+ NOT-FOR-US: SpringSource Hyperic HQ
CVE-2009-2896 (Buffer overflow in KMplayer 2.9.4.1433 and earlier allows remote
...)
NOT-FOR-US: KMPlayer: http://www.kmplayer.com
CVE-2009-2895 (SQL injection vulnerability in rss.php in Ultimate Regnow
Affiliate ...)
@@ -3177,7 +3179,7 @@
CVE-2009-2685
RESERVED
CVE-2009-2684 (Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect
and ...)
- TODO: check
+ NOT-FOR-US: Embedded Web Server in HP printers
CVE-2009-2683 (Unspecified vulnerability in the Sender module in HP Remote
Graphics ...)
NOT-FOR-US: HP Remote Graphics
CVE-2009-2682 (Unspecified vulnerability in Role-Based Access Control (RBAC) in
HP ...)
@@ -3663,23 +3665,23 @@
CVE-2009-2533 (rmserver in RealNetworks Helix Server and Helix Mobile Server
before ...)
NOT-FOR-US: RealNetworks Helix Server and Helix Mobile Server
CVE-2009-2532 (Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008
Gold ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows Vista
CVE-2009-2531 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly
...)
- TODO: check
+ NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2530 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly
...)
- TODO: check
+ NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2529 (Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does
not ...)
- TODO: check
+ NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2528 (GDI+ in Microsoft Office XP SP3 does not properly handle
malformed ...)
- TODO: check
+ NOT-FOR-US: Microsoft Office XP
CVE-2009-2527 (Heap-based buffer overflow in Microsoft Windows Media Player 6.4
...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows Media Player
CVE-2009-2526 (Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold
and ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows Vista
CVE-2009-2525 (Microsoft Windows Media Runtime, as used in DirectShow WMA Voice
...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows Media Runtime
CVE-2009-2524 (Integer underflow in the NTLM authentication feature in the
Local ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows XP
CVE-2009-2523
RESERVED
CVE-2009-2522
@@ -3691,13 +3693,13 @@
CVE-2009-2519 (The DHTML Editing Component ActiveX control in Microsoft Windows
2000 ...)
NOT-FOR-US: Microsoft Windows
CVE-2009-2518 (Integer overflow in GDI+ in Microsoft Office XP SP3 allows
remote ...)
- TODO: check
+ NOT-FOR-US: Microsoft Office XP
CVE-2009-2517 (The kernel in Microsoft Windows Server 2003 SP2 does not
properly ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows Server 2003
CVE-2009-2516 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server
2003 ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2515 (Integer underflow in the kernel in Microsoft Windows 2000 SP4,
XP SP2 ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2514
RESERVED
CVE-2009-2513
@@ -3705,35 +3707,35 @@
CVE-2009-2512
RESERVED
CVE-2009-2511 (Integer overflow in the CryptoAPI component in Microsoft Windows
2000 ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2510 (The CryptoAPI component in Microsoft Windows 2000 SP4, Windows
XP SP2 ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2509
RESERVED
CVE-2009-2508
RESERVED
CVE-2009-2507 (A certain ActiveX control in the Indexing Service in Microsoft
Windows ...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows
CVE-2009-2506
RESERVED
CVE-2009-2505
RESERVED
CVE-2009-2504 (Multiple integer overflows in unspecified APIs in GDI+ in
Microsoft ...)
- TODO: check
+ NOT-FOR-US: Microsoft products
CVE-2009-2503 (GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and
SP3, ...)
- TODO: check
+ NOT-FOR-US: Microsoft products
CVE-2009-2502 (Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1,
Windows ...)
- TODO: check
+ NOT-FOR-US: Microsoft products
CVE-2009-2501 (Heap-based buffer overflow in GDI+ in Microsoft Internet
Explorer 6 ...)
- TODO: check
+ NOT-FOR-US: Microsoft products
CVE-2009-2500 (Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1,
Windows ...)
- TODO: check
+ NOT-FOR-US: Microsoft products
CVE-2009-2499 (Microsoft Windows Media Format Runtime 9.0, 9.5, and 11; and
Microsoft ...)
NOT-FOR-US: Microsoft Windows Media Format Runtime
CVE-2009-2498 (Microsoft Windows Media Format Runtime 9.0, 9.5, and 11 and
Windows ...)
NOT-FOR-US: Microsoft Windows Media Format Runtime
CVE-2009-2497 (The Common Language Runtime (CLR) in Microsoft .NET Framework
2.0, 2.0 ...)
- TODO: check
+ NOT-FOR-US: Microsoft products
CVE-2009-2496 (Heap-based buffer overflow in the Office Web Components ActiveX
...)
NOT-FOR-US: Microsoft Office XP
CVE-2009-2495 (The Active Template Library (ATL) in Microsoft Visual Studio
.NET 2003 ...)
@@ -4767,6 +4769,7 @@
CVE-2008-6833 (Directory traversal vulnerability in commsrss.php in fuzzylime
(cms) ...)
NOT-FOR-US: fuzzylime
CVE-2009-2140 (Multiple heap-based buffer overflows in ...)
+ - openoffice.org <unfixed>
TODO: check
CVE-2009-2139 (Heap-based buffer overflow in
svtools/source/filter.vcl/wmf/enhwmf.cxx ...)
{DSA-1880-1}
@@ -6364,7 +6367,7 @@
NOTE: fixed over a year ago in debian; but fedora finally got around to
addressing the issue recently
NOTE: FEDORA-2009-3639 (http://lwn.net/Articles/331605)
CVE-2009-1547 (Unspecified vulnerability in Microsoft Internet Explorer 5.01
SP4, 6, ...)
- TODO: check
+ NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-1546 (Integer overflow in Avifil32.dll in the Windows Media file
handling ...)
NOT-FOR-US: Microsoft Windows
CVE-2009-1545 (Unspecified vulnerability in Avifil32.dll in the Windows Media
file ...)
@@ -10321,7 +10324,7 @@
CVE-2009-0556 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3,
and ...)
NOT-FOR-US: Microsoft Office
CVE-2009-0555 (Microsoft Windows Media Runtime, as used in DirectShow WMA Voice
...)
- TODO: check
+ NOT-FOR-US: Microsoft Windows
CVE-2009-0554 (Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows
XP SP2 ...)
NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-0553 (Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and
SP3, ...)
@@ -12057,9 +12060,9 @@
CVE-2009-0092
RESERVED
CVE-2009-0091 (Microsoft .NET Framework 2.0, 2.0 SP1, and 3.5 does not properly
...)
- TODO: check
+ NOT-FOR-US: Microsoft .NET Framework
CVE-2009-0090 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, and 2.0 SP1 does not
...)
- TODO: check
+ NOT-FOR-US: Microsoft .NET Framework
CVE-2009-0089 (Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000
SP4, XP ...)
NOT-FOR-US: Microsoft Windows
CVE-2009-0088 (The WordPerfect 6.x Converter (WPFT632.CNV, 1998.1.27.0) in
Microsoft ...)
@@ -38295,8 +38298,8 @@
CVE-2007-2196 (** DISPUTED ** ...)
NOT-FOR-US: Jambook module for Mambo and Joomla
CVE-2007-2195 (aMSN (aka Alvaro''s Messenger) 0.96 and earlier allows
remote attackers ...)
+ - amsn <unfixed>
TODO: check
- NOTE: package amsn
CVE-2007-2194 (Stack-based buffer overflow in XnView 1.90.3 allows
user-assisted ...)
NOT-FOR-US: XnView
CVE-2007-2193 (Stack-based buffer overflow in the ID_X.apl plugin in ACDSee 9.0
Build ...)
Michael Gilbert
2009-Oct-16 15:08 UTC
[Secure-testing-team] [Secure-testing-commits] r13025 - data/CVE
On Thu, 15 Oct 2009 23:17:21 +0000, Raphael Geissert wrote:> Author: geissert > Date: 2009-10-15 23:17:21 +0000 (Thu, 15 Oct 2009) > New Revision: 13025 > > Modified: > data/CVE/list > Log: > Two openoffice.org, one amsn and one kvirc issues to be verifiedmay i re-suggest submitting a bug report when you don''t have time to fully triage the issue so we can get more eyeballs on the problem sooner; hopefully leading to a more rapid response time (of course this is assuming an active and caring maintainer, which tends to not be the case most of the time)? it''s easy with the report-vuln script. mike
Raphael Geissert
2009-Oct-22 05:04 UTC
[Secure-testing-team] [Secure-testing-commits] r13025 - data/CVE
Michael Gilbert wrote: [...]> > may i re-suggest submitting a bug report when you don''t have time to > fully triage the issue so we can get more eyeballs on the problem > sooner; hopefully leading to a more rapid response time (of course this > is assuming an active and caring maintainer, which tends to not be the > case most of the time)? it''s easy with the report-vuln script. >In the case of at least one (IIRC) of the go-oo issues I think it was already addressed by a CVE that was assigned to oo.o only. The amsn issue is rather old and has probably been already fixed. For those reasons I hesitated to file bug reports. Maybe we should bring this up again and try to reach a concensus on whether we should try to involve maintainers the most (without falling on the "the maintainer is handling it so we have nothing to do" side). Btw, it might be time to send a "bits from the sec and testing sec teams" email. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Michael Gilbert
2009-Oct-23 02:08 UTC
[Secure-testing-team] [Secure-testing-commits] r13025 - data/CVE
On Thu, 22 Oct 2009 00:04:40 -0500 Raphael Geissert wrote:> Michael Gilbert wrote: > [...] > > > > may i re-suggest submitting a bug report when you don''t have time to > > fully triage the issue so we can get more eyeballs on the problem > > sooner; hopefully leading to a more rapid response time (of course this > > is assuming an active and caring maintainer, which tends to not be the > > case most of the time)? it''s easy with the report-vuln script. > > > > In the case of at least one (IIRC) of the go-oo issues I think it was > already addressed by a CVE that was assigned to oo.o only. The amsn issue > is rather old and has probably been already fixed. > > For those reasons I hesitated to file bug reports. Maybe we should bring > this up again and try to reach a concensus on whether we should try to > involve maintainers the most (without falling on the "the maintainer is > handling it so we have nothing to do" side).i have been under the impression that the security team remains responsible for issues regardless of whether bug a big is submitted or not. i see the bug report as a venue to try to get the maintainer involved (if they are willing, which sadly isn''t often) and to track detailed progress without overwhelming the tracker. i think that involving the maintainer does no harm, and we should certainly not consider issues off our plate just because a bug is submitted. in fact, we should remain involved as much as possible throughout the entire lifetime of the issue. we do need someone to say somewhat forcefully, "security is everyone''s responsibility, so if you get a security report, it should be your highest priority (in most circumstances)." mike