Author: nion
Date: 2009-03-10 15:22:14 +0000 (Tue, 10 Mar 2009)
New Revision: 11369

Modified:
   data/CVE/list
   data/DTSA/list
Log:
- add typo3 cve ids
- NFUs
- new squid issue (CVE-2009-0801)
- CVE-2008-6176 fixed in drupal5,6/5.12-1,6.6-1
- CVE-2008-6170 fixed in drupal6 6.9-1
- CVE-2009-{0578, 0365} fixed in network-manager-applet/network-manager 0.7.0.99-1


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2009-03-10 15:02:36 UTC (rev 11368)
+++ data/CVE/list       2009-03-10 15:22:14 UTC (rev 11369)
@@ -31,7 +31,7 @@
 CVE-2008-6414 (SQL injection vulnerability in detail.php in AJ Auction Pro 
Platinum ...)
        NOT-FOR-US: AJ Auction Pro Platinum
 CVE-2008-6413 (Cross-site scripting (XSS) vulnerability in the Answers module 
...)
-       TODO: check
+       NOT-FOR-US: Answers module for Drupal
 CVE-2008-6412 (Unspecified vulnerability in Vignette Content Management 
7.3.0.5, ...)
        NOT-FOR-US: Vignette Content Management
 CVE-2008-6411 (Explay CMS 2.1 and earlier allows remote attackers to bypass 
...)
@@ -67,13 +67,13 @@
 CVE-2009-0819 (sql/item_xmlfunc.cc in MySQL before 5.1.32 allows remote 
authenticated ...)
        - mysql-dfsg-5.0 <not-affected> (Vulnerable code introduced in 5.1.5)
 CVE-2009-0818 (Cross-site scripting (XSS) vulnerability in the ...)
-       TODO: check
+       NOT-FOR-US: Taxonomy Theme module for Drupal
 CVE-2009-0817 (Cross-site scripting (XSS) vulnerability in the Protected Node 
module ...)
-       TODO: check
+       NOT-FOR-US: Protected Node module for Drupal
 CVE-2009-0816 (Cross-site scripting (XSS) vulnerability in the backend user 
interface ...)
-       TODO: check
+       - typo3-src 4.2.6-1 (low; bug #514713)
 CVE-2009-0815 (The jumpUrl mechanism in class.tslib_fe.php in TYPO3 4.0 before 
...)
-       TODO: check
+       - typo3-src 4.2.6-1 (medium; bug #514713)
 CVE-2009-0814 (Cross-site scripting (XSS) vulnerability in Widgets.aspx in 
Blogsa 1.0 ...)
        NOT-FOR-US: Blogsa
 CVE-2009-0813 (Insecure method vulnerability in the ImeraIEPlugin ActiveX 
control ...)
@@ -102,7 +102,9 @@
 CVE-2009-0802 (Qbik WinGate, when transparent interception mode is enabled, 
uses the ...)
        NOT-FOR-US: Qbik WinGate
 CVE-2009-0801 (Squid, when transparent interception mode is enabled, uses the 
HTTP ...)
-       TODO: check
+       - squid <unfixed> (low)
+       - squid3 <unfixed> (low)
+       TODO: report bug
 CVE-2009-0800
        RESERVED
 CVE-2009-0799
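Review bot: the two new `- squid <unfixed> (low)` / `- squid3 <unfixed> (low)` lines for CVE-2009-0801 carry no bug reference, and the trailing `TODO: report bug` is the only reminder to add one; once the bug is filed, record it on the package lines in the `(low; bug #NNN)` form used for the typo3 and drupal entries in this same commit so the TODO can be dropped.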
@@ -910,7 +912,8 @@
 CVE-2008-6177 (Multiple directory traversal vulnerabilities in LightBlog 9.8, 
when ...)
        NOT-FOR-US: LightBlog
 CVE-2008-6176 (bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, 
when the ...)
-       TODO: check
+       - drupal5 5.12-1 (low; bug #519114)
+       - drupal6 6.6-1 (low; bug #519115)
 CVE-2008-6175 (SilverSHielD 1.0.2.34 allows remote attackers to cause a denial 
of ...)
        NOT-FOR-US: SilverSHielD
 CVE-2008-6174 (Cross-site scripting (XSS) vulnerability in 
admin/postlister/index.php ...)
@@ -920,9 +923,10 @@
 CVE-2008-6172 (Directory traversal vulnerability in captcha/captcha_image.php 
in the ...)
        NOT-FOR-US: Joomla!
 CVE-2008-6171 (Drupal 5.x before 5.12 and 6.x before 6.6, when the server is 
...)
-       TODO: check
+       TODO: check back with mitre
+       NOTE: looks like a dupe of CVE-2008-6176
 CVE-2008-6170 (Cross-site scripting (XSS) vulnerability in Drupal 5.x before 
5.12 and ...)
-       TODO: check
+       - drupal6 6.9-1 (low)
 CVE-2008-6169 (Cross-site request forgery (CSRF) vulnerability in the 
Localization ...)
        NOT-FOR-US: Localization modules for Drupal
 CVE-2008-6168 (Cross-site scripting (XSS) vulnerability in search.php in 
miniPortail ...)
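Review bot: CVE-2008-6170 is described as affecting "Drupal 5.x before 5.12 and ..." but the hunk only adds `- drupal6 6.9-1 (low)`; the drupal5 package needs its own line (fixed version, `<not-affected>`, or a TODO), as was done for CVE-2008-6176 in the previous hunk where both drupal5 and drupal6 are listed.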
@@ -1126,7 +1130,7 @@
 CVE-2009-0579
        RESERVED
 CVE-2009-0578 (network-manager-applet in Ubuntu 8.10 does not properly verify 
...)
-       TODO: check
+       - network-manager-applet 0.7.0.99-1 (medium)
 CVE-2009-0577 (Integer overflow in the WriteProlog function in texttops in 
CUPS ...)
        NOT-FOR-US: RedHat specific, because they had a problem applying the 
fix for CVE-2008-3640
 CVE-2009-0576 (Unspecified vulnerability in Sun Java System Directory Server 
5.2 p6 ...)
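Review bot: the description for CVE-2009-0578 names "network-manager-applet in Ubuntu 8.10" specifically, yet the hunk marks the Debian package as affected with `- network-manager-applet 0.7.0.99-1 (medium)` and no explanation; a short NOTE stating why this is not distribution-specific would help, in the same way the CVE-2009-0577 entry just below records its "RedHat specific" reasoning.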
@@ -1455,9 +1459,6 @@
        NOT-FOR-US: BMForum
 CVE-2009-0489 (The DBus configuration file for Wicd before 1.5.9 allows 
arbitrary ...)
        - wicd 1.5.9-1
-CVE-2009-XXXX [typo3 information disclosure & xss]
-       - typo3-src 4.2.6-1 (medium; bug #514713)
-       [lenny] - typo3-src 4.2.5-1+lenny1
 CVE-2009-0479 (Multiple SQL injection vulnerabilities in admin/admin_login.php 
in ...)
        NOT-FOR-US: Online Grades
 CVE-2009-0477 (Unspecified vulnerability in the process (aka proc) filesystem 
in Sun ...)
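Review bot: removing the `CVE-2009-XXXX [typo3 information disclosure & xss]` placeholder also drops its `[lenny] - typo3-src 4.2.5-1+lenny1` line, and that line is not re-added to the new CVE-2009-0816 and CVE-2009-0815 entries earlier in this diff, which only list `typo3-src 4.2.6-1`; since the DTSA/list hunk in this same commit maps DTSA-193-1 to those two CVEs, each of them should carry the `[lenny] - typo3-src 4.2.5-1+lenny1` line so the stable fix state is not lost.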
@@ -1906,7 +1907,8 @@
        RESERVED
        - wesnoth 1:1.4.7-4
 CVE-2009-0365 (The dbus request handler in (1) network-manager-applet and (2) 
...)
-       TODO: check
+       - network-manager-applet 0.7.0.99-1 (medium)
+       - network-manager 0.7.0.99-1 (medium)
 CVE-2009-0364
        RESERVED
 CVE-2009-0363 (Multiple buffer overflows in (a) BarnOwl before 1.0.5 and (b) 
owl ...)
@@ -2515,7 +2517,7 @@
 CVE-2009-0187 (Stack-based buffer overflow in Orbit Downloader 2.8.2 and 
2.8.3, and ...)
        NOT-FOR-US: Orbit Downloader
 CVE-2009-0186 (Integer overflow in libsndfile 1.0.18, as used in Winamp and 
other ...)
-       TODO: check
+       - libsndfile 1.0.19-1 (medium)
 CVE-2009-0185
        RESERVED
 CVE-2009-0184 (Multiple buffer overflows in the torrent parsing implementation 
in ...)

Modified: data/DTSA/list
===================================================================
--- data/DTSA/list      2009-03-10 15:02:36 UTC (rev 11368)
+++ data/DTSA/list      2009-03-10 15:22:14 UTC (rev 11369)
@@ -576,6 +576,7 @@
        {CVE-2009-0490}
        [lenny] - audacity 1.3.5-2+lenny1
 [February 10th, 2009] DTSA-193-1 typo3 - several vulnerabilities
+       {CVE-2009-0816 CVE-2009-0815}
        [lenny] - typo3-src 4.2.5-1+lenny1
 [February 11th, 2009] DTSA-194-1 samizdat - cross-site scripting
        {CVE-2009-0359}


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits