CVE-2009-5159 (Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, when Int ...)
	NOT-FOR-US: Invision Power Board
CVE-2009-5158 (The google-analyticator plugin before 5.2.1 for WordPress has insuffic ...)
	NOT-FOR-US: google-analyticator plugin for WordPress
CVE-2009-5157 (On Linksys WAG54G2 1.00.10 devices, there is authenticated command inj ...)
	NOT-FOR-US: Linksys
CVE-2009-5156 (An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is Co ...)
	NOT-FOR-US: ASMAX AR-804gu 66.34.1 devices
CVE-2009-5155 (In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp i ...)
	[experimental] - gnulib 20180621~6979c25-1
	- gnulib 20140202+stable-3.2 (bug #924613)
	[stretch] - gnulib (Minor issue)
	[jessie] - gnulib (Minor issue)
	- glibc 2.28-1
	[stretch] - glibc (Minor issue)
	[jessie] - glibc (Minor issue)
	- eglibc
	NOTE: http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
	NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793
	NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32806
	NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34238
	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=11053
	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18986
	NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
CVE-2009-5154 (An issue was discovered on MOBOTIX S14 MX-V4.2.1.61 devices. There is ...)
	NOT-FOR-US: MOBOTIX
CVE-2009-5153 (In Novell NetWare before 6.5 SP8, a stack buffer overflow in processin ...)
	NOT-FOR-US: Novell NetWare
CVE-2009-5152 (Absolute Computrace Agent, as distributed on certain Dell Inspiron sys ...)
	NOT-FOR-US: Absolute Computrace Agent
CVE-2009-5151 (The stub component of Absolute Computrace Agent V70.785 executes code ...)
	NOT-FOR-US: Absolute Computrace Agent
CVE-2009-5150 (Absolute Computrace Agent V80.845 and V80.866 does not have a digital ...)
	NOT-FOR-US: Absolute Computrace Agent
CVE-2009-5149 (Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_10061 ...)
	NOT-FOR-US: Arris hardware
CVE-2009-5148
	RESERVED
CVE-2009-5147 (DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 6 ...)
	{DLA-300-1 DLA-299-1}
	- ruby1.8
	[wheezy] - ruby1.8 (Minor issue)
	- ruby1.9.1
	[wheezy] - ruby1.9.1 (Minor issue)
	- ruby2.0
	- ruby2.1 (bug #796344)
	[jessie] - ruby2.1 2.1.5-2+deb8u3
	- ruby2.2 (Does not contain DL, cf. note and corresponding CVE-2015-7551)
	NOTE: https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
	NOTE: Although the upstream commit is mentioned, the corresponding change does not
	NOTE: seem to be contained in e.g. the latest 1.9.1 and 2.1. E.g.
	NOTE: https://sources.debian.org/src/ruby2.1/2.1.5-4/ext/dl/handle.c/#L120 does not
	NOTE: contain the change.
	NOTE: In https://github.com/ruby/ruby/commit/07308c4d30b8c5260e5366c8eed2abf054d86fe7
	NOTE: Discussion http://seclists.org/oss-sec/2015/q3/220
	NOTE: DL has been replaced in 2.2 with Fiddle, which has the same problem according to the maintainer.
CVE-2009-5146
	REJECTED
CVE-2009-5145 (Cross-site scripting (XSS) vulnerability in ZMI pages that use the man ...)
	- zope2.12 2.12.10-1
CVE-2009-5144 (mod-gnutls does not validate client certificates when "GnuTLSClientVer ...)
	- mod-gnutls 0.5.6-1 (bug #578663)
	NOTE: http://issues.outoforder.cc/view.php?id=93
CVE-2009-5143 (GE Healthcare Discovery 530C has a password of #bigguy1 for the (1) ac ...)
	NOT-FOR-US: GE Healthcare Discovery 530C
CVE-2009-5142 (Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1 ...)
	NOT-FOR-US: TimThumb
CVE-2009-5141 (Format string vulnerability in War FTP Daemon (warftpd) 1.82 RC 12 all ...)
	NOT-FOR-US: War FTP Daemon
CVE-2009-5140 (The SIP implementation on the Linksys SPA2102 phone adapter provides h ...)
	NOT-FOR-US: Linksys
CVE-2009-5139 (The SIP implementation on the Gizmo5 software phone provides hashed cr ...)
	NOT-FOR-US: Gizmo5
CVE-2009-5138 (GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag ...)
	- gnutls26 2.7.12-1
	- gnutls28 (Only affects versions before 2.7.6)
	NOTE: Only affects versions prior to 2.7.6, fix: https://gitlab.com/gnutls/gnutls/commit/c8dcbedd1fdc312f5b1a70fcfbc1afe235d800cd
	NOTE: and the issue has a different root cause than CVE-2014-1959
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1069301
CVE-2009-5137 (Stack-based buffer overflow in Mini-stream CastRipper 2.50.70 allows r ...)
	NOT-FOR-US: CastRipper
CVE-2009-5136 (The policy definition evaluator in Condor before 7.4.2 does not proper ...)
	- condor (Fixed before initial upload)
CVE-2009-5135 (The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 allows ...)
	NOT-FOR-US: Echo
CVE-2009-5134 (Buffer overflow in the "create torrent dialog" functionality in uTorre ...)
	NOT-FOR-US: uTorrent
CVE-2009-5133
	RESERVED
CVE-2009-5132 (The Filtering Service in Websense Web Security and Web Filter before 6 ...)
	NOT-FOR-US: Websense
CVE-2009-5131 (The Receive Service in Websense Email Security before 7.1 does not rec ...)
	NOT-FOR-US: Websense
CVE-2009-5130 (The Rules Service in Websense Email Security before 7.1 allows remote ...)
	NOT-FOR-US: Websense
CVE-2009-5129 (The Websense V10000 appliance before 1.0.1 allows remote attackers to ...)
	NOT-FOR-US: Websense
CVE-2009-5128 (The Websense V10000 appliance before 1.0.1 allows remote attackers to ...)
	NOT-FOR-US: Websense
CVE-2009-5127 (The Antivirus component in Comodo Internet Security before 3.8.64739.4 ...)
	NOT-FOR-US: Comodo Internet Security
CVE-2009-5126 (The Antivirus component in Comodo Internet Security before 3.8.65951.4 ...)
	NOT-FOR-US: Comodo Internet Security
CVE-2009-5125 (Comodo Internet Security before 3.9.95478.509 allows remote attackers ...)
	NOT-FOR-US: Comodo Internet Security
CVE-2009-5124 (The Antivirus component in Comodo Internet Security before 3.11.108364 ...)
	NOT-FOR-US: Comodo Internet Security
CVE-2009-5123 (The Antivirus component in Comodo Internet Security before 3.11.108364 ...)
	NOT-FOR-US: Comodo Internet Security
CVE-2009-5122 (The Personal Email Manager component in Websense Email Security before ...)
	NOT-FOR-US: Websense
CVE-2009-5121 (Websense Email Security 7.1 before Hotfix 4 allows remote attackers to ...)
	NOT-FOR-US: Websense
CVE-2009-5120 (The default configuration of Apache Tomcat in Websense Manager in Webs ...)
	NOT-FOR-US: Websense
CVE-2009-5119 (The default configuration of Apache Tomcat in Websense Manager in Webs ...)
	NOT-FOR-US: Websense
CVE-2009-5118 (Untrusted search path vulnerability in McAfee VirusScan Enterprise bef ...)
	NOT-FOR-US: McAfee
CVE-2009-5117 (The Web Post Protection feature in McAfee Host Data Loss Prevention (D ...)
	NOT-FOR-US: McAfee
CVE-2009-5116 (McAfee LinuxShield 1.5.1 and earlier does not properly implement clien ...)
	NOT-FOR-US: McAfee
CVE-2009-5115 (McAfee Common Management Agent (CMA) 3.5.5 through 3.5.5.588 and 3.6.0 ...)
	NOT-FOR-US: McAfee
CVE-2009-5114 (Directory traversal vulnerability in wgarcmin.cgi in WebGlimpse 2.18.7 ...)
	NOT-FOR-US: WebGlimpse
CVE-2009-5113 (Cross-site scripting (XSS) vulnerability in wgarcmin.cgi in WebGlimpse ...)
	NOT-FOR-US: WebGlimpse
CVE-2009-5112 (wgarcmin.cgi in WebGlimpse 2.18.7 and earlier allows remote attackers ...)
	NOT-FOR-US: WebGlimpse
CVE-2009-5111 (GoAhead WebServer allows remote attackers to cause a denial of service ...)
	NOT-FOR-US: GoAhead WebServer
CVE-2009-5110 (dhttpd allows remote attackers to cause a denial of service (daemon ou ...)
	- dhttpd (low; bug #533665)
	[squeeze] - dhttpd (Minor issue)
	[lenny] - dhttpd (Minor issue)
CVE-2009-5109 (Stack-based buffer overflow in Mini-Stream Ripper 3.0.1.1 allows remot ...)
	NOT-FOR-US: Mini-Stream Ripper
CVE-2009-5108
	REJECTED
CVE-2009-5107
	REJECTED
CVE-2009-5106
	REJECTED
CVE-2009-5105
	REJECTED
CVE-2009-5104
	REJECTED
CVE-2009-5103 (Cross-site scripting (XSS) vulnerability in ATCOM Netvolution 1.0 ASP ...)
	NOT-FOR-US: ATCOM Netvolution
CVE-2009-5102 (SQL injection vulnerability in default.asp in ATCOM Netvolution 1.0 AS ...)
	NOT-FOR-US: ATCOM Netvolution
CVE-2009-5101 (Pentaho BI Server 1.7.0.1062 and earlier includes the session ID (JSES ...)
	NOT-FOR-US: Pentaho BI Server
CVE-2009-5100 (Pentaho BI Server 1.7.0.1062 and earlier does not set the autocomplete ...)
	NOT-FOR-US: Pentaho BI Server
CVE-2009-5099 (Cross-site scripting (XSS) vulnerability in ViewAction in Pentaho BI S ...)
	NOT-FOR-US: Pentaho BI Server
CVE-2009-5098 (The LunaSysMgr process in Palm Pre WebOS 1.1 and earlier, when not vie ...)
	NOT-FOR-US: Palm WebOS
CVE-2009-5097 (Palm Pre WebOS 1.1 and earlier processes JavaScript in email messages, ...)
	NOT-FOR-US: Palm WebOS
CVE-2009-5096 (Cross-site scripting (XSS) vulnerability in the Flag Content module 5. ...)
	NOT-FOR-US: Drupal module Flag Content
	NOTE: might get packaged
CVE-2009-5095 (PHP remote file inclusion vulnerability in index_inc.php in ea gBook 0 ...)
	NOT-FOR-US: ea gBook
CVE-2009-5094 (SQL injection vulnerability in info.php in CMS Faethon 2.2.0 Ultimate ...)
	NOT-FOR-US: CMS Faethon
CVE-2009-5093 (Directory traversal vulnerability in gastbuch.php in Gästebuch (G ...)
	NOT-FOR-US: Gastebuch
CVE-2009-5092 (Cross-site scripting (XSS) vulnerability in the management interface i ...)
	NOT-FOR-US: Microsoft FAST ESP
CVE-2009-5091 (SQL injection vulnerability in page.php in Vlinks 1.0.3 and 1.1.6 allo ...)
	NOT-FOR-US: Vlinks
CVE-2009-5090 (SQL injection vulnerability in editcomments.php in Bloggeruniverse Bet ...)
	NOT-FOR-US: Bloggeruniverse Beta 2
CVE-2009-5089 (Directory traversal vulnerability in index.php in IdeaCart 0.02 and 0. ...)
	NOT-FOR-US: IdeaCart
CVE-2009-5088 (SQL injection vulnerability in secure/index.php in IdeaCart 0.02 allow ...)
	NOT-FOR-US: IdeaCart
CVE-2009-5087 (Directory traversal vulnerability in geohttpserver in Geovision Digita ...)
	NOT-FOR-US: Geovision Digital Video Surveillance System
CVE-2009-5086 (Cross-site scripting (XSS) vulnerability in Appliance Configuration Ma ...)
	NOT-FOR-US: Juniper IDP
CVE-2009-5085 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, whe ...)
	NOT-FOR-US: Tivoli
CVE-2009-5084 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, whe ...)
	NOT-FOR-US: Tivoli
CVE-2009-5083 (IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2, whe ...)
	NOT-FOR-US: Tivoli
CVE-2009-5082 (The (1) configure and (2) config.guess scripts in GNU troff (aka groff ...)
	- groff 1.20.1-5 (unimportant; bug #538338)
	NOTE: Only exploitable during build
CVE-2009-5081 (The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) con ...)
	- groff 1.20.1-5 (unimportant)
	NOTE: Only exploitable during build
CVE-2009-5080 (The (1) contrib/eqn2graph/eqn2graph.sh, (2) contrib/grap2graph/grap2gr ...)
	- groff 1.20.1-5 (low; bug #538330)
	[lenny] - groff (Minor issue)
CVE-2009-5079 (The (1) gendef.sh, (2) doc/fixinfo.sh, and (3) contrib/gdiffmk/tests/r ...)
	- groff 1.20.1-5 (unimportant)
CVE-2009-5078 (contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 launch ...)
	- groff 1.20.1-5 (low; bug #538338)
	[etch] - groff (pdfroff not yet present)
	[lenny] - groff (pdfroff not yet present)
CVE-2009-5077 (CRE Loaded before 6.2.14 allows remote attackers to bypass authenticat ...)
	NOT-FOR-US: CRE Loaded
CVE-2009-5076 (CRE Loaded before 6.2.14, and possibly other versions before 6.3.x, al ...)
	NOT-FOR-US: CRE Loaded
CVE-2009-5075 (Monkey's Audio before 4.02 allows remote attackers to cause a denial o ...)
	NOT-FOR-US: Monkey's Audio
CVE-2009-5074 (Unspecified vulnerability in the MojoX::Dispatcher::Static implementat ...)
	- libmojolicious-perl (Fixed before initial upload)
CVE-2009-5073 (IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.59 (aka 6.0.0.8-TIV ...)
	NOT-FOR-US: Tivoli
CVE-2009-5072 (Memory leak in the ldap_explode_dn function in IBM Tivoli Directory Se ...)
	NOT-FOR-US: Tivoli
CVE-2009-5071 (Unspecified vulnerability in Palm Pre WebOS before 1.2.1 has unknown i ...)
	NOT-FOR-US: Palm WebOS
CVE-2009-5070
	REJECTED
CVE-2009-5069
	REJECTED
CVE-2009-5068 (There is a file disclosure vulnerability in SMF (Simple Machines Forum ...)
	NOT-FOR-US: Simple Machines Forum
CVE-2009-5067 (Directory traversal vulnerability in html2ps before 1.0b6 allows remot ...)
	- html2ps 1.0b7-1 (low; bug #548633)
	[squeeze] - html2ps (Minor issue)
CVE-2009-5066 (twiddle.sh in JBoss AS 5.0 and EAP 5.0 and earlier accepts credentials ...)
	- jbossas4 (twiddle.sh is included in the source package, but not in any of the binary packages)
CVE-2009-5065 (Cross-site scripting (XSS) vulnerability in feedparser.py in Universal ...)
	- feedparser 5.0.1-1 (low; bug #617998)
	[squeeze] - feedparser (Minor issue)
	[lenny] - feedparser (Minor issue)
CVE-2009-5064 (** DISPUTED ** ldd in the GNU C Library (aka glibc or libc6) 2.13 and ...)
	- eglibc 2.10.1-7
	- glibc 2.10.1-7
	NOTE: Obscure attack
CVE-2009-5063 (Memory leak in the embedded_profile_len function in pngwutil.c in libp ...)
	- libpng 1.2.39-1 (unimportant)
CVE-2009-5062 (IBM Lotus Quickr 8.1 before 8.1.0.15 services for Lotus Domino on AIX ...)
	NOT-FOR-US: IBM Lotus Quickr
CVE-2009-5061 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.14 serv ...)
	NOT-FOR-US: IBM Lotus Quickr
CVE-2009-5060 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.11 serv ...)
	NOT-FOR-US: IBM Lotus Quickr
CVE-2009-5059 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.10 serv ...)
	NOT-FOR-US: IBM Lotus Quickr
CVE-2009-5058 (Unspecified vulnerability in IBM Lotus Quickr 8.1 before 8.1.0.5 servi ...)
	NOT-FOR-US: IBM Lotus Quickr
CVE-2009-5057 (The S/MIME feature in Open Ticket Request System (OTRS) before 2.3.4 d ...)
	- otrs2 2.4.5-1 (low)
	[lenny] - otrs2 (Minor issue)
CVE-2009-5056 (Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly ...)
	- otrs2 2.4.5-1 (low)
	[lenny] - otrs2 (Minor issue)
CVE-2009-5055 (Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on ...)
	- otrs2 2.4.5-1 (low)
	[lenny] - otrs2 (Minor issue)
CVE-2009-5054 (Smarty before 3.0.0 beta 4 does not consider the umask value when sett ...)
	- smarty3 3.0~rc1-1
	- smarty
	[squeeze] - smarty (Unsupported in squeeze-lts)
CVE-2009-5053 (Unspecified vulnerability in Smarty before 3.0.0 beta 6 allows remote ...)
	- smarty3 3.0~rc1-1
	- smarty
	[squeeze] - smarty (Unsupported in squeeze-lts)
CVE-2009-5052 (Multiple unspecified vulnerabilities in Smarty before 3.0.0 beta 6 hav ...)
	- smarty3 3.0~rc1-1
	- smarty
	[squeeze] - smarty (Unsupported in squeeze-lts)
CVE-2009-5051 (Hastymail2 before RC 8 does not set the secure flag for the session co ...)
	- hastymail
CVE-2009-5040 (CallManager Express (CME) on Cisco IOS before 15.0(1)XA allows remote ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-5039 (Memory leak in the gk_circuit_info_do_in_acf function in the H.323 imp ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-5038 (Cisco IOS before 15.0(1)XA does not properly handle IRC traffic during ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-5037 (Cisco Adaptive Security Appliances (ASA) 5500 series devices with soft ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-5036 (traveler.exe in IBM Lotus Notes Traveler before 8.0.1.3 CF1 allows rem ...)
	NOT-FOR-US: IBM Lotus Notes Traveler
CVE-2009-5035 (The Nokia client in IBM Lotus Notes Traveler before 8.5.0.2 does not p ...)
	NOT-FOR-US: IBM Lotus Notes Traveler
CVE-2009-5034 (IBM Lotus Notes Traveler before 8.5.0.2 allows remote authenticated us ...)
	NOT-FOR-US: IBM Lotus Notes Traveler
CVE-2009-5033 (IBM Lotus Notes Traveler before 8.5.0.2 does not properly handle a "* ...)
	NOT-FOR-US: IBM Lotus Notes Traveler
CVE-2009-5032 (The encrypted e-mail feature in IBM Lotus Notes Traveler before 8.5.0. ...)
	NOT-FOR-US: IBM Lotus Notes Traveler
CVE-2009-5031 (ModSecurity before 2.5.11 treats request parameter values containing s ...)
	- modsecurity-apache (Fixed before initial upload)
	- libapache-mod-security 2.5.12-1
	NOTE: https://www.modsecurity.org/fisheye/browse/modsecurity/m2/branches/2.5.x/apache2/msc_multipart.c?r2=1419&r1=1366
	NOTE: https://www.openwall.com/lists/oss-security/2012/06/22/1
	NOTE: https://www.openwall.com/lists/oss-security/2012/06/22/2
CVE-2009-5030 (The tcd_free_encode function in tcd.c in OpenJPEG 1.3 through 1.5 allo ...)
	{DSA-2629-1}
	- openjpeg 1.3+dfsg-4.1 (medium; bug #672455)
	NOTE: Upstream ticket http://code.google.com/p/openjpeg/issues/detail?id=5
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=812317
CVE-2009-5029 (Integer overflow in the __tzfile_read function in glibc before 2.15 al ...)
	- eglibc 2.13-24 (low; bug #656108)
	[squeeze] - eglibc 2.11.3-3
	- glibc 2.13-24
	NOTE: http://support.novell.com/security/cve/CVE-2009-5029.html
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=735850
CVE-2009-5028 (Stack-based buffer overflow in Namazu before 2.0.20 allows remote atta ...)
	- namazu2 2.0.20-1.0 (low)
CVE-2009-5027
	REJECTED
CVE-2009-5026 (The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x ...)
	- mysql-5.1 5.1.53-1
CVE-2009-5025 (A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an att ...)
	NOT-FOR-US: PyForum
CVE-2009-5024 (ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_l ...)
	{DSA-2563-1}
	- viewvc 1.1.5-1.3 (bug #671482)
CVE-2009-5023 (The (1) dshield.conf, (2) mail-buffered.conf, (3) mynetwatchman.conf, ...)
	- fail2ban 0.8.4+svn20110323-1 (low; bug #544232)
	[lenny] - fail2ban (Minor issue)
	[squeeze] - fail2ban 0.8.4-3+squeeze1
CVE-2009-5022 (Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibT ...)
	{DSA-2256-1}
	- tiff 3.9.5-1 (bug #624287)
	- tiff3 (fixed before initial upload)
	[lenny] - tiff (3.9+ only)
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=1999
CVE-2009-5021 (Cobbler before 1.6.1 does not properly determine whether an installati ...)
	- cobbler (Fixed before initial upload)
CVE-2009-5020 (Open redirect vulnerability in awredir.pl in AWStats before 6.95 allow ...)
	- awstats 6.9.5~dfsg-1 (unimportant)
CVE-2009-5019 (Web Wiz NewsPad stores sensitive information under the web root with i ...)
	NOT-FOR-US: Web Wiz NewsPad
CVE-2009-5017 (Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong UT ...)
	- xulrunner
	[wheezy] - xulrunner (no detailed information available)
CVE-2009-5016 (Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in P ...)
	- php5 5.3.3-4
	[lenny] - php5 5.2.6.dfsg.1-1+lenny10
	[squeeze] - php5 5.3.3-7+squeeze1
	NOTE: Also fixed by debian/patches/CVE-2010-3870.patch
CVE-2009-5015 (The URL dispatch mechanism in TurboGears2 (aka tg2) before 2.0.2 expos ...)
	- turbogears2 2.0.3-1
CVE-2009-5014 (The default quickstart configuration of TurboGears2 (aka tg2) before 2 ...)
	- turbogears2 2.0.3-1
CVE-2009-5013 (Memory leak in the on_dtp_close function in ftpserver.py in pyftpdlib ...)
	- python-pyftpdlib 0.5.2-1
CVE-2009-5012 (ftpserver.py in pyftpdlib before 0.5.2 does not require the l permissi ...)
	- python-pyftpdlib 0.5.2-1
CVE-2009-5011 (Race condition in the FTPHandler class in ftpserver.py in pyftpdlib be ...)
	- python-pyftpdlib 0.5.2-1
CVE-2009-5010 (Race condition in the FTPHandler class in ftpserver.py in pyftpdlib be ...)
	- python-pyftpdlib (Fixed before initial upload to the archive)
CVE-2009-5009 (Double free vulnerability in OpenConnect before 1.40 might allow remot ...)
	- openconnect 1.40-1
CVE-2009-5008 (Cisco Secure Desktop (CSD), when used in conjunction with an AnyConnec ...)
	NOT-FOR-US: Cisco Secure Desktop
CVE-2009-5007 (The Cisco trial client on Linux for Cisco AnyConnect SSL VPN allows lo ...)
	NOT-FOR-US: Cisco AnyConnect SSL VPN trial client
CVE-2009-5006 (The SessionAdapter::ExchangeHandlerImpl::checkAlternate function in br ...)
	- qpid-cpp (Fixed before initial upload to archive)
CVE-2009-5005 (The Cluster::deliveredEvent function in cluster/Cluster.cpp in Apache ...)
	- qpid-cpp (Fixed before initial upload to archive)
CVE-2009-5004 (qpid-cpp 1.0 crashes when a large message is sent and the Digest-MD5 m ...)
	- qpid-cpp (Fixed before initial upload to archive)
CVE-2009-5003 (SQL injection vulnerability in click.php in e-soft24 Banner Exchange S ...)
	NOT-FOR-US: e-soft24 Banner Exchange Script
CVE-2009-5002 (The Workplace (aka WP) component in IBM FileNet P8 Application Engine ...)
	NOT-FOR-US: IBM FileNet P8 Application Engine
CVE-2009-5001 (The Workplace (aka WP) component in IBM FileNet P8 Application Engine ...)
	NOT-FOR-US: IBM FileNet P8 Application Engine
CVE-2009-5000 (Multiple cross-site scripting (XSS) vulnerabilities in the Workplace ( ...)
	NOT-FOR-US: IBM FileNet P8 Application Engine
CVE-2009-4999 (Cross-site scripting (XSS) vulnerability in the Workplace (aka WP) com ...)
	NOT-FOR-US: IBM FileNet P8 Application Engine
CVE-2009-4998 (The Workplace (aka WP) component in IBM FileNet P8 Application Engine ...)
	NOT-FOR-US: IBM FileNet P8 Application Engine
CVE-2009-4997 (gnome-power-manager 2.27.92 does not properly implement the lock_on_su ...)
	- gnome-power-manager 2.28.0-1 (unimportant)
CVE-2009-4996
	NOTE: Disputed non-issue
CVE-2009-4995 (Cross-site scripting (XSS) vulnerability in frmTickets.aspx in Smarter ...)
	NOT-FOR-US: SmarterTools SmarterTrack
CVE-2009-4994 (Cross-site scripting (XSS) vulnerability in frmKBSearch.aspx in Smarte ...)
	NOT-FOR-US: SmarterTools SmarterTrack
CVE-2009-4993 (PHP remote file inclusion vulnerability in home.php in LM Starmail Pai ...)
	NOT-FOR-US: LM Starmail Paidmail
CVE-2009-4992 (SQL injection vulnerability in paidbanner.php in LM Starmail Paidmail ...)
	NOT-FOR-US: LM Starmail Paidmail
CVE-2009-4991 (Cross-site scripting (XSS) vulnerability in users/resume_register.php ...)
	NOT-FOR-US: Omnistar Recruiting
CVE-2009-4990 (Cross-site scripting (XSS) vulnerability in the Webform report module ...)
	NOT-FOR-US: Webform report module for Drupal
CVE-2009-4989 (Cross-site scripting (XSS) vulnerability in index.php in AJ Auction Pr ...)
	NOT-FOR-US: AJ Auction Pro OOPD
CVE-2009-4988 (Stack-based buffer overflow in NT_Naming_Service.exe in SAP Business O ...)
	NOT-FOR-US: SAP Business One
CVE-2009-4987 (admin/header.php in Scripteen Free Image Hosting Script 2.3 allows rem ...)
	NOT-FOR-US: Scripteen Free Image Hosting Script
CVE-2009-4986 (Directory traversal vulnerability in index.php in In-Portal 4.3.1, whe ...)
	NOT-FOR-US: In-Portal
CVE-2009-4985 (SQL injection vulnerability in browse.php in Accessories Me PHP Affili ...)
	NOT-FOR-US: Accessories Me PHP Affiliate Script
CVE-2009-4984 (Multiple cross-site scripting (XSS) vulnerabilities in Accessories Me ...)
	NOT-FOR-US: Accessories Me PHP Affiliate Script
CVE-2009-4983 (Multiple cross-site scripting (XSS) vulnerabilities in Silurus Classif ...)
	NOT-FOR-US: Silurus Classifieds
CVE-2009-4982 (SQL injection vulnerability in the select function in Irokez CMS 0.7.1 ...)
	NOT-FOR-US: Irokez CMS
CVE-2009-4981 (Multiple cross-site request forgery (CSRF) vulnerabilities in Photokor ...)
	NOT-FOR-US: Photokorn Gallery
CVE-2009-4980 (Multiple cross-site scripting (XSS) vulnerabilities in Photokorn Galle ...)
	NOT-FOR-US: Photokorn Gallery
CVE-2009-4979 (Multiple SQL injection vulnerabilities in search.php in Photokorn Gall ...)
	NOT-FOR-US: Photokorn Gallery
CVE-2009-4978 (Directory traversal vulnerability in down.php in MyBackup 1.4.0 allows ...)
	NOT-FOR-US: MyBackup
CVE-2009-4977 (PHP remote file inclusion vulnerability in index.php in MyBackup 1.4.0 ...)
	NOT-FOR-US: MyBackup
CVE-2009-4976 (Cross-site scripting (XSS) vulnerability in webkitpart.cpp in kwebkitp ...)
	- webkitkde 0.4svn1059630-1
CVE-2009-4975 (Cross-site scripting (XSS) vulnerability in webview.cpp in QtDemoBrows ...)
	- rekonq 0.5.0-1
CVE-2009-4974 (Directory traversal vulnerability in box_display.php in TotalCalendar ...)
	NOT-FOR-US: TotalCalendar
CVE-2009-4973 (SQL injection vulnerability in rss.php in TotalCalendar 2.4 allows rem ...)
	NOT-FOR-US: TotalCalendar
CVE-2009-4972 (Cross-site scripting (XSS) vulnerability in index.php (aka the log in ...)
	NOT-FOR-US: SimpleID
CVE-2009-4971 (SQL injection vulnerability in the AJAX Chat (vjchat) extension before ...)
	NOT-FOR-US: AJAX Chat
CVE-2009-4970 (SQL injection vulnerability in the t3m_affiliate extension 0.5.0 for T ...)
	NOT-FOR-US: TYPO3 addon
CVE-2009-4969 (SQL injection vulnerability in the Solidbase Bannermanagement (SBbanne ...)
	NOT-FOR-US: TYPO3 addon
CVE-2009-4968 (SQL injection vulnerability in the Event Registration (event_registr) ...)
	NOT-FOR-US: TYPO3 addon
CVE-2009-4967 (SQL injection vulnerability in the Car (car) extension before 0.1.1 fo ...)
	NOT-FOR-US: TYPO3 addon
CVE-2009-4966 (SQL injection vulnerability in the AST ZipCodeSearch (ast_addresszipse ...)
	NOT-FOR-US: TYPO3 addon
CVE-2009-4965 (SQL injection vulnerability in the AIRware Lexicon (air_lexicon) exten ...)
	NOT-FOR-US: TYPO3 addon
CVE-2009-4964 (Stack-based buffer overflow in KSP 2006 FINAL allows remote attackers ...)
	NOT-FOR-US: KSP
CVE-2009-4963 (Cross-site scripting (XSS) vulnerability in the Commerce extension bef ...)
	NOT-FOR-US: TYPO3 addon
CVE-2009-4962 (Stack-based buffer overflow in Fat Player 0.6b allows remote attackers ...)
	NOT-FOR-US: Fat Player
CVE-2009-4961 (Lanai Core 0.6 allows remote attackers to obtain configuration informa ...)
	NOT-FOR-US: Lanai Core
CVE-2009-4960 (Directory traversal vulnerability in modules/backup/download.php in La ...)
	NOT-FOR-US: Lanai Core
CVE-2009-4959 (SQL injection vulnerability in the T3M E-Mail Marketing Tool (t3m) ext ...)
	NOT-FOR-US: T3M E-Mail Marketing Tool
CVE-2009-4958 (SQL injection vulnerability in video.php in EMO Breeder Manager (aka E ...)
	NOT-FOR-US: EMO Breeder Manager
CVE-2009-4957 (Directory traversal vulnerability in loadpanel.php in Interspire Activ ...)
	NOT-FOR-US: Interspire ActiveKB
CVE-2009-4956 (Cross-site scripting (XSS) vulnerability in the Visitor Tracking (ws_s ...)
	NOT-FOR-US: typo3 third party component (ws_stats)
CVE-2009-4955 (SQL injection vulnerability in the ultraCards (th_ultracards) extensio ...)
	NOT-FOR-US: typo3 third party component (th_ultracards)
CVE-2009-4954 (SQL injection vulnerability in the Versatile Calendar Extension [VCE] ...)
	NOT-FOR-US: typo3 third party component (sk_calendar)
CVE-2009-4953 (Cross-site scripting (XSS) vulnerability in the Userdata Create/Edit ( ...)
	NOT-FOR-US: typo3 third party component (sg_userdata)
CVE-2009-4952 (Directory traversal vulnerability in the Directory Listing (dir_listin ...)
	NOT-FOR-US: typo3 third party component (dir_listing)
CVE-2009-4951 (Unspecified vulnerability in the ClickStream Analyzer [output] (altern ...)
	NOT-FOR-US: typo3 third party component (alternet_csa_out)
CVE-2009-4950 (SQL injection vulnerability in the A21glossary Advanced Output (a21glo ...)
	NOT-FOR-US: typo3 third party component (a21glossary_advanced_output)
CVE-2009-4949 (SQL injection vulnerability in the Store Locator extension before 1.2. ...)
	NOT-FOR-US: typo3 third party component (locator)
CVE-2009-4948 (Cross-site scripting (XSS) vulnerability in the Store Locator extensio ...)
	NOT-FOR-US: typo3 third party component (locator)
CVE-2009-4947 (SQL injection vulnerability in frmLoginPwdReminderPopup.aspx in Q2 Sol ...)
	NOT-FOR-US: Q2 Solutions ConnX
CVE-2009-4946 (Directory traversal vulnerability in the Messaging (com_messaging) com ...)
	NOT-FOR-US: Joomla! Messaging
CVE-2009-4945 (AdPeeps 8.5d1 has a default password of admin for the admin account, w ...)
	NOT-FOR-US: AdPeeps
CVE-2009-4944 (Multiple cross-site scripting (XSS) vulnerabilities in ATRC ACollab 1. ...)
	NOT-FOR-US: ATRC ACollab
CVE-2009-4943 (index.php in AdPeeps 8.5d1 allows remote attackers to obtain sensitive ...)
	NOT-FOR-US: AdPeeps
CVE-2009-4942 (Cross-site request forgery (CSRF) vulnerability in ACollab 1.2 allows ...)
	NOT-FOR-US: ATRC ACollab
CVE-2009-4941 (Cross-site scripting (XSS) vulnerability in sign_in.php in ATRC AColla ...)
	NOT-FOR-US: ATRC ACollab
CVE-2009-4940 (SQL injection vulnerability in index.php in Zeus Cart 2.3 and earlier ...)
	NOT-FOR-US: Zeus Cart
CVE-2009-4939 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ad ...)
	NOT-FOR-US: AdPeeps
CVE-2009-4938 (SQL injection vulnerability in the JVideo! (com_jvideo) component 0.3. ...)
	NOT-FOR-US: JVideo
CVE-2009-4937 (Cross-site scripting (XSS) vulnerability in Small Pirate (SPirate) 2.1 ...)
	NOT-FOR-US: SPirate
CVE-2009-4936 (Multiple SQL injection vulnerabilities in Small Pirate (SPirate) 2.1 a ...)
	NOT-FOR-US: SPirate
CVE-2009-4935 (SQL injection vulnerability in ogp_show.php in Online Guestbook Pro al ...)
	NOT-FOR-US: Online Guestbook Pro
CVE-2009-4934 (Cross-site scripting (XSS) vulnerability in index.php in Online Photo ...)
	NOT-FOR-US: Online Photo Pro
CVE-2009-4933 (Multiple SQL injection vulnerabilities in login.php in EZ Webitor allo ...)
	NOT-FOR-US: EZ Webitor
CVE-2009-4932 (Stack-based buffer overflow in 1by1 1.67 (aka 1.6.7.0) allows remote a ...)
	NOT-FOR-US: 1by1
CVE-2009-4931 (Stack-based buffer overflow in Groovy Media Player 1.1.0 allows remote ...)
	NOT-FOR-US: Groovy Media Player
CVE-2009-4930 (Cross-site scripting (XSS) vulnerability in the twbkwbis.P_SecurityQue ...)
	NOT-FOR-US: SunGard Banner Student System
CVE-2009-4929 (admin/manage_users.php in TotalCalendar 2.4 does not require administr ...)
	NOT-FOR-US: TotalCalendar
CVE-2009-4928 (PHP remote file inclusion vulnerability in config.php in TotalCalendar ...)
	NOT-FOR-US: TotalCalendar
CVE-2009-4927 (WB News 2.1.2 allows remote attackers to bypass authentication and gai ...)
	NOT-FOR-US: WB News
CVE-2009-4926 (Multiple cross-site scripting (XSS) vulnerabilities in Online Contact ...)
	NOT-FOR-US: Online Contact Manager
CVE-2009-4925 (Multiple SQL injection vulnerabilities in Portale e-commerce Creasito ...)
	NOT-FOR-US: Portale e-commerce Creasito
CVE-2009-4924 (Dan Pascu python-cjson 1.0.5 does not properly handle a ['/'] argument ...)
	- python-cjson 1.0.5-4 (low; bug #593302)
	[lenny] - python-cjson (Minor issue)
CVE-2009-4923 (Unspecified vulnerability in the DTLS implementation on Cisco Adaptive ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4922 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4921 (Cisco Adaptive Security Appliances (ASA) 5580 series devices with soft ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4920 (Unspecified vulnerability in CTM on Cisco Adaptive Security Appliances ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4919 (Buffer overflow on Cisco Adaptive Security Appliances (ASA) 5580 serie ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4918 (Cisco Adaptive Security Appliances (ASA) 5580 series devices with soft ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4917 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4916 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4915 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4914 (Memory leak on Cisco Adaptive Security Appliances (ASA) 5580 series de ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4913 (The IPv6 implementation on Cisco Adaptive Security Appliances (ASA) 55 ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4912 (Cisco Adaptive Security Appliances (ASA) 5580 series devices with soft ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4911 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4910 (Cross-site scripting (XSS) vulnerability in the WebVPN portal on Cisco ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-4909 (admin/index.php in oBlog allows remote attackers to conduct brute-forc ...)
	NOT-FOR-US: oBlog
CVE-2009-4908 (Multiple cross-site scripting (XSS) vulnerabilities in oBlog allow rem ...)
	NOT-FOR-US: oBlog
CVE-2009-4907 (Multiple cross-site request forgery (CSRF) vulnerabilities in oBlog al ...)
	NOT-FOR-US: oBlog
CVE-2009-4906 (Cross-site request forgery (CSRF) vulnerability in index.php in Acc PH ...)
	NOT-FOR-US: Acc PHP eMail
CVE-2009-4905 (Multiple cross-site request forgery (CSRF) vulnerabilities in index.ph ...)
	NOT-FOR-US: Acc Statistics
CVE-2009-4904 (article.php in oBlog does not properly restrict comments, which allows ...)
	NOT-FOR-US: oBlog
CVE-2009-4903 (Cross-site scripting (XSS) vulnerability in index.php in oBlog allows ...)
	NOT-FOR-US: oBlog
CVE-2009-4902 (Buffer overflow in the MSGFunctionDemarshall function in winscard_svc. ...)
	- pcsc-lite (Covered by initial CVE-2010-0407 fix)
	NOTE: See https://bugzilla.redhat.com/show_bug.cgi?id=596426#c20 for an explanation
	NOTE: of the weird CVE assignments on this one
CVE-2009-4901 (The MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smar ...)
	- pcsc-lite (Covered by initial CVE-2010-0407 fix)
	NOTE: See https://bugzilla.redhat.com/show_bug.cgi?id=596426#c20 for an explanation
	NOTE: of the weird CVE assignments on this one
CVE-2009-4900 (pixelpost 1.7.1 has XSS ...)
	- pixelpost (bug #597224)
	NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-4899 (pixelpost 1.7.1 has SQL injection ...)
	- pixelpost (bug #597224)
	NOTE: http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-4898 (Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 ...)
	NOT-FOR-US: TWiki
CVE-2009-4897 (Buffer overflow in gs/psi/iscan.c in Ghostscript 8.64 and earlier allo ...)
	{DSA-2093-1}
	- ghostscript 8.70~dfsg-1
CVE-2009-4896 (Multiple directory traversal vulnerabilities in the mlmmj-php-admin we ...)
	{DSA-2073-1}
	- mlmmj 1.2.17-1.1 (bug #588038)
CVE-2009-4895 (Race condition in the tty_fasync function in drivers/char/tty_io.c in ...)
	{DSA-2094-1}
	- linux-2.6 2.6.32-9
CVE-2009-4894 (Multiple cross-site scripting (XSS) vulnerabilities in profile.php in ...)
	NOT-FOR-US: PunBB
CVE-2009-4893 (Buffer overflow in UnrealIRCd 3.2beta11 through 3.2.8, when allow::opt ...)
	- unrealircd (bug #515130)
CVE-2009-4892 (SQL injection vulnerability in Content Management System WEBjump! allo ...)
	NOT-FOR-US: Content Management System WEBjump!
CVE-2009-4891 (SQL injection vulnerability in index.php in CS-Cart 2.0.0 Beta 3 allow ...)
	NOT-FOR-US: CS-Cart
CVE-2009-4890 (Multiple cross-site scripting (XSS) vulnerabilities in the login appli ...)
	NOT-FOR-US: vBook
CVE-2009-4889 (SQL injection vulnerability in books.php in the Book Panel (book_panel ...)
	NOT-FOR-US: book_panel module for php-fusion
CVE-2009-4888 (Cross-site scripting (XSS) vulnerability in poster.php in PHortail 1.2 ...)
	NOT-FOR-US: PHortail
CVE-2009-4887 (PHP remote file inclusion vulnerability in index.php in CMS S.Builder ...)
	NOT-FOR-US: CMS S.Builder
CVE-2009-4886 (Multiple directory traversal vulnerabilities in phpCommunity 2 2.1.8 a ...)
	NOT-FOR-US: phpCommunity
CVE-2009-4885 (Cross-site scripting (XSS) vulnerability in templates/1/login.php in p ...)
	NOT-FOR-US: phpCommunity
CVE-2009-4884 (Multiple SQL injection vulnerabilities in phpCommunity 2 2.1.8, when m ...)
	NOT-FOR-US: phpCommunity
CVE-2009-4883 (SQL injection vulnerability in index.php in PHPRecipeBook 2.24 and 2.3 ...)
	NOT-FOR-US: PHPRecipeBook
CVE-2009-4882 (Cross-site scripting (XSS) vulnerability in zc/publisher/html.rb in Zo ...)
	{DSA-2056-1}
	- zonecheck 2.1.1-1 (bug #583290)
CVE-2009-4881 (Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in ...)
	{DSA-2058-1}
	- eglibc 2.10.1-1 (unimportant)
	- glibc 2.11.1-1 (unimportant)
	NOTE: http://sourceware.org/git/?p=glibc.git;a=commit;h=153aa31b93be22e01b236375fb02a9f9b9a0195f
CVE-2009-4880 (Multiple integer overflows in the strfmon implementation in the GNU C ...)
	{DSA-2058-1}
	- eglibc 2.11.1-1 (unimportant)
	- glibc 2.11.1-1 (unimportant)
	NOTE: http://sourceware.org/git/?p=glibc.git;a=commit;h=199eb0de8d673fb23aa127721054b4f1803d61f3
CVE-2009-4879 (The Identity Server in Novell Access Manager before 3.1 SP1 allows att ...)
	NOT-FOR-US: Novell Access Manager
CVE-2009-4878 (Unspecified vulnerability in the Administration Console in Novell Acce ...)
	NOT-FOR-US: Novell Access Manager
CVE-2009-4877 (Multiple cross-site request forgery (CSRF) vulnerabilities in WebGUI b ...)
	- webgui 7.7.22-1
CVE-2009-4876 (admin/cikkform.php in Netrix CMS 1.0 allows remote attackers to modify ...)
	NOT-FOR-US: Netrix CMS
CVE-2009-4875 (FCKeditor.Java 2.4 allows remote attackers to cause a denial of servic ...)
	NOT-FOR-US: FCKeditor.Java, different from fckeditor in the archive
CVE-2009-4874 (TalkBack 2.3.14 does not properly restrict access to the edit comment ...)
	NOT-FOR-US: TalkBack
CVE-2009-4873 (Stack-based buffer overflow in the HTTP server in Rhino Software Serv- ...)
	NOT-FOR-US: Rhino Software Serv-U Web Client
CVE-2009-4872 (Multiple SQL injection vulnerabilities in globepersonnel_login.asp in ...)
	NOT-FOR-US: Logoshows BBS
CVE-2009-4871 (SQL injection vulnerability in globepersonnel_forum.asp in Logoshows B ...)
	NOT-FOR-US: Logoshows BBS
CVE-2009-4870 (Multiple SQL injection vulnerabilities in login.php in PHPCityPortal a ...)
	NOT-FOR-US: PHPCityPortal
CVE-2009-4869 (Cross-site scripting (XSS) vulnerability in index.php in Nasim Guest B ...)
	NOT-FOR-US: Nasim Guest Book
CVE-2009-4868 (Cross-site scripting (XSS) vulnerability in Hitron Soft Answer Me 1.0 ...)
	NOT-FOR-US: Hitron Soft Answer Me
CVE-2009-4867 (Buffer overflow in Tuniac 090517c allows remote attackers to cause a d ...)
	NOT-FOR-US: Tuniac
CVE-2009-4866 (Cross-site scripting (XSS) vulnerability in search.cgi in Matt's Scrip ...)
	NOT-FOR-US: Matt's Script Archive (MSA) Simple Search
CVE-2009-4865 (Multiple SQL injection vulnerabilities in escorts_search.php in I-Esco ...)
	NOT-FOR-US: I-Escorts Directory Script and Agency Script
CVE-2009-4864 (Multiple cross-site scripting (XSS) vulnerabilities in escorts_search. ...)
	NOT-FOR-US: I-Escorts Directory Script and Agency Script
CVE-2009-4863 (Stack-based buffer overflow in UltraPlayer Media Player 2.112 allows r ...)
	NOT-FOR-US: UltraPlayer Media Player
CVE-2009-4862 (Multiple SQL injection vulnerabilities in Alwasel 1.5 allow remote att ...)
	NOT-FOR-US: Alwasel
CVE-2009-4861 (Cross-site scripting (XSS) vulnerability in shownews.php in SupportPRO ...)
	NOT-FOR-US: SupportPRO SupportDesk
CVE-2009-4860 (SQL injection vulnerability in demo.php in Typing Pal 1.0 and earlier ...)
	NOT-FOR-US: Typing Pal
CVE-2009-4859 (Multiple cross-site scripting (XSS) vulnerabilities in Online Work Ord ...)
	NOT-FOR-US: Online Work Order Suite (OWOS)
CVE-2009-4858 (Cross-site scripting (XSS) vulnerability in questiondetail.php in Yaho ...)
	NOT-FOR-US: Yahoo Answers Clone
CVE-2009-4857 (Cross-site scripting (XSS) vulnerability in login.php in PHP Photo Vot ...)
	NOT-FOR-US: PHP Photo Vote
CVE-2009-4856 (Cross-site scripting (XSS) vulnerability in subitems.php in PHP Easy S ...)
	NOT-FOR-US: PHP Easy Shopping Cart
CVE-2009-4855
	NOT-FOR-US: Bogus issue claimed for typo3
	NOTE: See http://secure.t3sec.info/blog/post/2009/08/06/typo3-cms-40-showuid-exploit-not-a-vulnerability/4.2.5-1+lenny3
CVE-2009-4854 (addons/import.php in TalkBack 2.3.14 allows remote attackers to execut ...)
	NOT-FOR-US: TalkBack
CVE-2009-4853 (Multiple cross-site scripting (XSS) vulnerabilities in JumpBox before ...)
	NOT-FOR-US: JumpBox
CVE-2009-4852 (Multiple cross-site scripting (XSS) vulnerabilities in SemanticScuttle ...)
	NOT-FOR-US: SemanticScuttle
CVE-2009-4851 (The activation resend function in the Profiles module in XOOPS before ...)
	NOT-FOR-US: XOOPS
CVE-2009-4850 (The Awingsoft Awakening Winds3D Viewer plugin 3.5.0.9 allows remote at ...)
	NOT-FOR-US: Awingsoft Awakening Winds3D Viewer
CVE-2009-4849 (Multiple cross-site request forgery (CSRF) vulnerabilities in ToutVirt ...)
	NOT-FOR-US: ToutVirtual VirtualIQ Pro
CVE-2009-4848 (Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual Vir ...)
	NOT-FOR-US: ToutVirtual VirtualIQ Pro
CVE-2009-4847 (Deliantra Server before 2.82 allows remote authenticated users to caus ...)
	NOT-FOR-US: Deliantra Server
CVE-2009-4846 (Multiple buffer overflows in Deliantra Server before 2.82 allow remote ...)
	NOT-FOR-US: Deliantra Server
CVE-2009-4845 (The configuration page in ToutVirtual VirtualIQ Pro 3.2 build 7882 con ...)
	NOT-FOR-US: ToutVirtual VirtualIQ Pro
CVE-2009-4844 (ToutVirtual VirtualIQ Pro 3.2 build 7882 does not restrict access to t ...)
	NOT-FOR-US: ToutVirtual VirtualIQ Pro
CVE-2009-4843 (ToutVirtual VirtualIQ Pro before 3.5 build 8691 does not require admin ...)
	NOT-FOR-US: ToutVirtual VirtualIQ Pro
CVE-2009-4842 (Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual Vir ...)
	NOT-FOR-US: ToutVirtual VirtualIQ Pro
CVE-2009-4841 (Heap-based buffer overflow in the SonicMediaPlayer ActiveX control in ...)
	NOT-FOR-US: Roxio CinePlayer
CVE-2009-4840 (Heap-based buffer overflow in the IAManager ActiveX control in IAManag ...)
	NOT-FOR-US: Roxio CinePlayer
CVE-2009-4839 (Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis ...)
	- acidbase 1.4.5-1 (bug #587819)
	[lenny] - acidbase (Minor issue)
CVE-2009-4838 (SQL injection vulnerability in base_ag_common.php in Basic Analysis an ...)
	- acidbase 1.4.4-1 (low)
	[lenny] - acidbase (Minor issue)
CVE-2009-4837 (Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis ...)
	- acidbase 1.4.4-1 (low)
	[lenny] - acidbase (Minor issue)
CVE-2009-4836 (Eval injection vulnerability in system/services/init.php in Movie PHP ...)
	NOT-FOR-US: Movie PHP Script
CVE-2009-4835 (The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, ( ...)
	- libsndfile 1.0.21-3 (unimportant; bug #530831)
	NOTE: application crash only, so not security-relevant
CVE-2009-4834 (lib.php in Zeroboard 4.1 pl7 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Zeroboard
CVE-2009-4833 (MySQL Connector/NET before 6.0.4, when using encryption, does not veri ...)
	NOT-FOR-US: MySQL Connector/NET
CVE-2009-4832 (The dlpcrypt.sys kernel driver 0.1.1.27 in DESlock+ 4.0.2 allows local ...)
	NOT-FOR-US: DLPCryptCore
CVE-2009-4831 (Cerulean Studios Trillian 3.1 Basic does not check SSL certificates du ...)
	NOT-FOR-US: Cerulean Studios Trillian
CVE-2009-4830 (Unspecified vulnerability in OpenX 2.8.1 and 2.8.2 allows remote attac ...)
	- openx (bug #513771)
CVE-2009-4829 (Cross-site scripting (XSS) vulnerability in the Automated Logout modul ...)
	NOT-FOR-US: Automated Logout module for drupal
CVE-2009-4828 (Cross-site request forgery (CSRF) vulnerability in administration/admi ...)
	NOT-FOR-US: Ad Manager Pro
CVE-2009-4827 (Cross-site request forgery (CSRF) vulnerability in admin.php in Mail M ...)
	NOT-FOR-US: Mail Manager Pro
CVE-2009-4826 (Cross-site request forgery (CSRF) vulnerability in hosting/admin_ac.ph ...)
	NOT-FOR-US: ScriptsEz Mini Hosting Panel
CVE-2009-4825 (8pixel.net Blog 4 stores sensitive information under the web root with ...)
	NOT-FOR-US: 8pixel.net Blog
CVE-2009-4824 (Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab Ser ...)
	{DSA-1897-1}
	- kolab-webclient
	- horde3 3.3.5+debian0-1
	NOTE: package only in experimental; claimed fixed in version 20091202, but not enough info to check
	NOTE: http://kolab.org/cgi-bin/viewcvs-kolab.cgi/*checkout*/server/patches/horde-webmail/1.2.0/tg/Attic/t_framework_H_JS_Form_FixFormSecurityForImageUploads.diff?rev=1.1.2.1&only_with_tag=kolab_2_2_branch
CVE-2009-4823 (Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.h ...)
	NOT-FOR-US: cPanel
CVE-2009-4822 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ka ...)
	NOT-FOR-US: Kasseler CMS
CVE-2009-4821 (The D-Link DIR-615 with firmware 3.10NA does not require administrativ ...)
	NOT-FOR-US: D-Link DIR-615
CVE-2009-4820 (Angelo-Emlak 1.0 stores sensitive information under the web root with ...)
	NOT-FOR-US: Angelo-Emlak
CVE-2009-4819 (Multiple unrestricted file upload vulnerabilities in upload.php in PHP ...)
	NOT-FOR-US: PHPhotoalbum
CVE-2009-4818 (Unrestricted file upload vulnerability in upload.php in PHPSimplicity ...)
	NOT-FOR-US: PHPSimplicity of Upload
CVE-2009-4817 (Unrestricted file upload vulnerability in Element-IT Ultimate Uploader ...)
	NOT-FOR-US: Element-IT Ultimate Uploader
CVE-2009-4816 (Directory traversal vulnerability in api/download_checker.php in MegaL ...)
	NOT-FOR-US: MegaLab The Uploader
CVE-2009-4815 (Directory traversal vulnerability in Serv-U before 9.2.0.1 allows remo ...)
	NOT-FOR-US: Serv-U
CVE-2009-4814 (Cross-site scripting (XSS) vulnerability in Wolfram Research webMathem ...)
	NOT-FOR-US: Wolfram Research webMathematica
CVE-2009-4813 (Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBu ...)
	NOT-FOR-US: MyBB
CVE-2009-4812 (Wolfram Research webMathematica allows remote attackers to obtain sens ...)
	NOT-FOR-US: Wolfram Research webMathematica
CVE-2009-4811 (VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Aut ...)
	NOT-FOR-US: VMware
CVE-2009-4810 (The Secure Remote Password (SRP) implementation in Samhain before 2.5. ...)
	- samhain 2.5.4-1 (unimportant)
	NOTE: Support for client/server operation is not enabled in the Debian packages
CVE-2009-4809 (Directory traversal vulnerability in thumbnail.ghp in Easy File Sharin ...)
	NOT-FOR-US: Easy File Sharing Web Server
CVE-2009-4808 (admin.php in Graugon PHP Article Publisher 1.0 allows remote attackers ...)
	NOT-FOR-US: Graugon PHP Article Publisher
CVE-2009-4807 (Multiple SQL injection vulnerabilities in Graugon PHP Article Publishe ...)
	NOT-FOR-US: Graugon PHP Article Publisher
CVE-2009-4806 (admin/save_user.asp in Digital Interchange Document Library 1.0.1 does ...)
	NOT-FOR-US: Digital Interchange Document Library
CVE-2009-4805 (Multiple SQL injection vulnerabilities in EZ-Blog Beta 1, when magic_q ...)
	NOT-FOR-US: EZ-Blog
CVE-2009-4804 (Cross-site scripting (XSS) vulnerability in the Calendar Base (cal) ex ...)
	NOT-FOR-US: cal extension for typo3
CVE-2009-4803 (SQL injection vulnerability in the Accessibility Glossary (a21glossary ...)
	NOT-FOR-US: a21glossary extension for typo3
CVE-2009-4802 (SQL injection vulnerability in the Flat Manager (flatmgr) extension be ...)
	NOT-FOR-US: flatmgr extension for typo3
CVE-2009-4801 (EZ-Blog Beta 1 does not require authentication, which allows remote at ...)
	NOT-FOR-US: EZ-Blog
CVE-2009-4800 (Directory traversal vulnerability in Sysax Multi Server 4.3 and 4.5 al ...)
	NOT-FOR-US: Sysax Multi Server
CVE-2009-4799 (Diskos CMS 6.x stores sensitive information under the web root with in ...)
	NOT-FOR-US: Diskos CMS
CVE-2009-4798 (Multiple SQL injection vulnerabilities in Diskos CMS 6.x allow remote ...)
	NOT-FOR-US: Diskos CMS
CVE-2009-4797 (SQL injection vulnerability in browse.php in JobHut 1.2 and earlier al ...)
	NOT-FOR-US: JobHut
CVE-2009-4796 (Multiple SQL injection vulnerabilities in the ExecuteQueries function ...)
	NOT-FOR-US: glFusion
CVE-2009-4795 (Multiple SQL injection vulnerabilities in Xlight FTP Server before 3.2 ...)
	NOT-FOR-US: Xlight FTP Server
CVE-2009-4794 (Multiple SQL injection vulnerabilities in Community CMS 0.5 allow remo ...)
	NOT-FOR-US: Community CMS
CVE-2009-4793 (Unrestricted file upload vulnerability in adminpanel/scripts/addphotos ...)
	NOT-FOR-US: BandSite CMS
CVE-2009-4792 (SQL injection vulnerability in includes/content/member_content.php in ...)
	NOT-FOR-US: BandSite CMS
CVE-2009-4791 (Multiple SQL injection vulnerabilities in Family Connections (aka FCMS ...)
	NOT-FOR-US: Family Connections
CVE-2009-4790 (Multiple directory traversal vulnerabilities in Sysax Multi Server 4.5 ...)
	NOT-FOR-US: Sysax Multi Server
CVE-2009-4789 (Multiple PHP remote file inclusion vulnerabilities in the MojoBlog com ...)
	NOT-FOR-US: mojoblog component for joomla!
CVE-2009-4788 (Multiple open redirect vulnerabilities in Pligg 1.0.2 and earlier allo ...)
	NOT-FOR-US: Pligg
CVE-2009-4787 (Multiple cross-site request forgery (CSRF) vulnerabilities in Pligg be ...)
	NOT-FOR-US: Pligg
CVE-2009-4786 (Multiple cross-site scripting (XSS) vulnerabilities in Pligg before 1. ...)
	NOT-FOR-US: Pligg
CVE-2009-4785 (SQL injection vulnerability in the Quick News (com_quicknews) componen ...)
	NOT-FOR-US: com_quicknews component for joomla!
CVE-2009-4784 (SQL injection vulnerability in the Joaktree (com_joaktree) component 1 ...)
	NOT-FOR-US: com_joaktree component for joomla!
CVE-2009-4783 (Multiple SQL injection vulnerabilities in Theeta CMS, possibly 0.01, a ...)
	NOT-FOR-US: Theeta CMS
CVE-2009-4782 (Multiple cross-site scripting (XSS) vulnerabilities in Theeta CMS, pos ...)
	NOT-FOR-US: Theeta CMS
CVE-2009-4781 (TUKEVA Password Reminder before 1.0.0.4 uses a hard-coded password for ...)
	NOT-FOR-US: TUKEVA Password Reminder
CVE-2009-4780 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ph ...)
	NOT-FOR-US: phpMyFAQ
CVE-2009-4779 (Multiple PHP remote file inclusion vulnerabilities in NukeHall 0.3 and ...)
	NOT-FOR-US: NukeHall
CVE-2009-4778 (Multiple unspecified vulnerabilities in the PDF distiller in the Attac ...)
	NOT-FOR-US: BlackBerry PDF distiller
CVE-2009-4777 (Unspecified vulnerability in multiple versions of Hitachi JP1/Automati ...)
	NOT-FOR-US: Hitachi Job Management / System Observer
CVE-2009-4776 (Buffer overflow in Hitachi Cosminexus V4 through V8, Processing Kit fo ...)
	NOT-FOR-US: Hitachi Cosminexus
CVE-2009-4775 (Format string vulnerability in Ipswitch WS_FTP Professional 12 before ...)
	NOT-FOR-US: Ipswitch WS_FTP Professional
CVE-2009-4774 (Unspecified vulnerability in Sun Solaris 10 and OpenSolaris snv_49 thr ...)
	NOT-FOR-US: OpenSolaris
CVE-2009-4773 (Cross-site request forgery (CSRF) vulnerability in the order-managemen ...)
	NOT-FOR-US: Ubercart module for Drupal
CVE-2009-4772 (Unspecified vulnerability in the PayPal Website Payments Standard func ...)
	NOT-FOR-US: Ubercart module for Drupal
CVE-2009-4771 (The PayPal Website Payments Standard functionality in the Ubercart mod ...)
	NOT-FOR-US: Ubercart module for Drupal
CVE-2009-4770 (The FTP server component in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 ...)
	NOT-FOR-US: httpdx
CVE-2009-4769 (Multiple format string vulnerabilities in the tolog function in httpdx ...)
	NOT-FOR-US: httpdx
CVE-2009-4768 (Unspecified vulnerability in the JASS script interpreter in Warcraft I ...)
	NOT-FOR-US: Warcraft III
CVE-2009-4767 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Pl ...)
	NOT-FOR-US: Plohni Shoutbox
CVE-2009-4766 (YP Portal MS-Pro Surumu (aka MS-Pro Portal Scripti) 1.0 and 1.2 stores ...)
	NOT-FOR-US: MS-Pro Portal Scripti
CVE-2009-4765 (CNR Hikaye Portal 2.0 stores sensitive information under the web root ...)
	NOT-FOR-US: CNR Hikaye Portal
CVE-2009-4764 (Adobe Reader 8.x and 9.x on Windows is able to execute EXE files that ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-4763 (Unspecified vulnerability in the ClickHeat plugin, as used in phpMyVis ...)
	NOT-FOR-US: ClickHeat plugin
CVE-2009-4762 (MoinMoin 1.7.x before 1.7.3 and 1.8.x before 1.8.3 checks parent ACLs ...)
	- moin 1.9.2-1 (bug #569975; medium)
	[lenny] - moin 1.7.1-3+lenny3 (bug #569975; medium)
	NOTE: see http://www.debian.org/security/2010/dsa-2014
CVE-2009-4761 (Stack-based buffer overflow in Mini-stream RM Downloader allows remote ...)
	NOT-FOR-US: Mini-stream RM Downloader
CVE-2009-4760 (Winn ASP Guestbook 1.01 Beta stores sensitive information under the we ...)
	NOT-FOR-US: Winn ASP Guestbook
CVE-2009-4759 (Buffer overflow in BrotherSoft BMXPlay 0.4.4b allows remote attackers ...)
	NOT-FOR-US: BrotherSoft BMXPlay
CVE-2009-4758 (Stack-based buffer overflow in dicas Mpegable Player 2.12 allows remot ...)
	NOT-FOR-US: Mpegable Player
CVE-2009-4757 (Stack-based buffer overflow in BrotherSoft EW-MusicPlayer 0.8 allows r ...)
	NOT-FOR-US: BrotherSoft EW-MusicPlayer
CVE-2009-4756 (Stack-based buffer overflow in TraktorBeatport.exe 1.0.0.283 in Beatpo ...)
	NOT-FOR-US: Beatport Player
CVE-2009-4755 (Multiple stack-based buffer overflows in Mercury Audio Player 1.21 all ...)
	NOT-FOR-US: Mercury Audio Player
CVE-2009-4754 (Stack-based buffer overflow in Mercury Audio Player 1.21 allows remote ...)
	NOT-FOR-US: Mercury Audio Player
CVE-2009-4753 (Multiple buffer overflows in the FTP server on the Addonics NAS Adapte ...)
	NOT-FOR-US: Addonics NAS Adapter NASU2FW41
CVE-2009-4752 (PHP remote file inclusion vulnerability in anzeiger/start.php in Swing ...)
	NOT-FOR-US: Swinger Club Portal
CVE-2009-4751 (SQL injection vulnerability in anzeiger/start.php in Swinger Club Port ...)
	NOT-FOR-US: Swinger Club Portal
CVE-2009-4750 (PHP remote file inclusion vulnerability in home.php in Top Paidmailer ...)
	NOT-FOR-US: Top Paidmailer
CVE-2009-4749 (Multiple SQL injection vulnerabilities in PHP Live! 3.2.1 and 3.2.2 al ...)
	NOT-FOR-US: PHP Live!
CVE-2009-4748 (SQL injection vulnerability in mycategoryorder.php in the My Category ...)
	NOT-FOR-US: My Category Order plugin for wordpress
CVE-2009-4747 (PHP remote file inclusion vulnerability in public/code/cp_html2xhtmlba ...)
	NOT-FOR-US: All In One Control Panel (AIOCP)
CVE-2009-4746 (Cross-site scripting (XSS) vulnerability in index.php in Dreamlevels D ...)
	NOT-FOR-US: Dreamlevels DreamPoll
CVE-2009-4745 (Multiple SQL injection vulnerabilities in index.php in Dreamlevels Dre ...)
	NOT-FOR-US: Dreamlevels DreamPoll
CVE-2009-4744 (Cross-site scripting (XSS) vulnerability in the Contact module in Expo ...)
	NOT-FOR-US: Exponent CMS
CVE-2009-4743 (Multiple cross-site scripting (XSS) vulnerabilities in history-storage ...)
	NOT-FOR-US: AfterLogic WebMail
CVE-2009-4742 (Multiple SQL injection vulnerabilities in Docebo 3.6.0.3 allow remote ...)
	NOT-FOR-US: Docebo
CVE-2009-4741 (Unspecified vulnerability in the Extras Manager before 2.0.0.67 in Sky ...)
	NOT-FOR-US: Skype
CVE-2009-4740 (Directory traversal vulnerability in the Webesse E-Card (ws_ecard) ext ...)
	NOT-FOR-US: ws_ecard extension for typo3
CVE-2009-4739 (PHP remote file inclusion vulnerability in index.php in SkaDate Dating ...)
	NOT-FOR-US: SkaDate Dating
CVE-2009-4738 (Unspecified vulnerability in JustSystems Corporation ATOK 2006 through ...)
	NOT-FOR-US: JustSystems Corporation
CVE-2009-4737 (Stack-based buffer overflow in JustSystems Corporation Ichitaro 13, 20 ...)
	NOT-FOR-US: JustSystems Corporation Ichitaro
CVE-2009-4736 (Cross-site scripting (XSS) vulnerability in search.php in CommonSense ...)
	NOT-FOR-US: CommonSense CMS
CVE-2009-4735 (SQL injection vulnerability in login.php in Allomani Audio & Video ...)
	NOT-FOR-US: Allomani Audio & Video Library
CVE-2009-4734 (SQL injection vulnerability in login.php in Allomani Movies Library (M ...)
	NOT-FOR-US: Allomani Movies Library
CVE-2009-4733 (SQL injection vulnerability in checkuser.php in SimpleLoginSys 0.5, wh ...)
	NOT-FOR-US: SimpleLoginSys
CVE-2009-4732 (SQL injection vulnerability in tt/index.php in TT Web Site Manager 0.5 ...)
	NOT-FOR-US: TT Web Site Manager
CVE-2009-4731 (SQL injection vulnerability in photos.php in Model Agency Manager PRO ...)
	NOT-FOR-US: Model Agency Manager PRO
CVE-2009-4730 (SQL injection vulnerability in report.php in x10 Adult Media Script 1. ...)
	NOT-FOR-US: Adult Media Script
CVE-2009-4729 (Multiple cross-site scripting (XSS) vulnerabilities in x10 Adult Media ...)
	NOT-FOR-US: Adult Media Script
CVE-2009-4728 (SQL injection vulnerability in the administrative interface in Questio ...)
	NOT-FOR-US: Questions Answered
CVE-2009-4727 (SQL injection vulnerability in x/login in JungleScripts Ajax Short Url ...)
	NOT-FOR-US: JungleScripts Ajax Short Url
CVE-2009-4726 (Directory traversal vulnerability in download.php in Quickdev 4 PHP al ...)
	NOT-FOR-US: Quickdev 4 PHP
CVE-2009-4725 (Directory traversal vulnerability in modules/aljazeera/admin/setup.php ...)
	NOT-FOR-US: Arab Portal
CVE-2009-4724 (SQL injection vulnerability in shop.htm in PaymentProcessorScript.net ...)
	NOT-FOR-US: PaymentProcessorScript.net PPScript
CVE-2009-4723 (Directory traversal vulnerability in confirm.php in Netpet CMS 1.9 all ...)
	NOT-FOR-US: Netpet CMS
CVE-2009-4722 (SQL injection vulnerability in the CheckLogin function in includes/fun ...)
	NOT-FOR-US: Limny
CVE-2009-4721 (Multiple SQL injection vulnerabilities in Admin/index.asp in Andrews-W ...)
	NOT-FOR-US: Andrews-Web BannerAd
CVE-2009-4720 (SQL injection vulnerability in cgi-bin/gnudip.cgi in GnuDIP 2.1.1 allo ...)
	- gnudip (medium; bug #539452)
CVE-2009-4719 (SQL injection vulnerability in index.php in Discloser 0.0.4 rc2 allows ...)
	NOT-FOR-US: Discloser
CVE-2009-4718 (SQL injection vulnerability in visitorduration.php in Gonafish WebStat ...)
	NOT-FOR-US: Gonafish WebStatCaffe
CVE-2009-4717 (Multiple cross-site scripting (XSS) vulnerabilities in Gonafish WebSta ...)
	NOT-FOR-US: Gonafish WebStatCaffe
CVE-2009-4716 (Cross-site scripting (XSS) vulnerability in results.php in EDGEPHP EZW ...)
	NOT-FOR-US: EDGEPHP EZWebSearch
CVE-2009-4715 (Cross-site scripting (XSS) vulnerability in rates.php in Real Time Cur ...)
	NOT-FOR-US: Real Time Currency Exchange
CVE-2009-4714 (Cross-site scripting (XSS) vulnerability in the quiz module for XOOPS ...)
	NOT-FOR-US: XOOPS Celepar
CVE-2009-4713 (Multiple cross-site scripting (XSS) vulnerabilities in the Qas (aka Qu ...)
	NOT-FOR-US: XOOPS Celepar
CVE-2009-4712 (SQL injection vulnerability in index.php in Tukanas Classifieds (aka E ...)
	NOT-FOR-US: EasyClassifieds
CVE-2009-4711 (SQL injection vulnerability in the CoolURI (cooluri) extension before ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4710 (SQL injection vulnerability in the Reset backend password (cwt_resetbe ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4709 (SQL injection vulnerability in the datamints Newsticker (datamints_new ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4708 (SQL injection vulnerability in the [Gobernalia] Front End News Submitt ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4707 (Cross-site scripting (XSS) vulnerability in the [Gobernalia] Front End ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4706 (Cross-site scripting (XSS) vulnerability in the Mailform (mailform) ex ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4705 (Cross-site scripting (XSS) vulnerability in the Twitter Search (twitte ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4704 (Unspecified vulnerability in the Webesse E-Card (ws_ecard) extension 1 ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4703 (SQL injection vulnerability in the Webesse Image Gallery (ws_gallery) ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4702 (SQL injection vulnerability in the Tour Extension (pm_tour) extension ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4701 (SQL injection vulnerability in the Myth download (myth_download) exten ...)
	NOT-FOR-US: typo3 third-party extension
CVE-2009-4700 (Directory traversal vulnerability in index.php in SkaDate Dating allow ...)
	NOT-FOR-US: SkaDate Dating
CVE-2009-4699 (Multiple cross-site scripting (XSS) vulnerabilities in SkaDate Dating ...)
	NOT-FOR-US: SkaDate Dating
CVE-2009-4698 (Multiple SQL injection vulnerabilities in the Qas (aka Quas) module fo ...)
	NOT-FOR-US: XOOPS Celepar
CVE-2009-4697 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ra ...)
	NOT-FOR-US: RadNICS Gold 5
CVE-2009-4696 (SQL injection vulnerability in index.php in RadNICS Gold 5 allows remo ...)
	NOT-FOR-US: RadNICS Gold 5
CVE-2009-4695 (SQL injection vulnerability in index.php in RadScripts RadLance Gold 7 ...)
	NOT-FOR-US: RadScripts RadLance Gold
CVE-2009-4694 (Cross-site scripting (XSS) vulnerability in index.php in RadScripts Ra ...)
	NOT-FOR-US: RadScripts RadLance Gold
CVE-2009-4693 (Multiple PHP remote file inclusion vulnerabilities in GraFX MiniCWB 2. ...)
	NOT-FOR-US: GraFX MiniCWB
CVE-2009-4692 (Cross-site scripting (XSS) vulnerability in index.php in RadScripts Ra ...)
	NOT-FOR-US: RadScripts RadLance Gold
CVE-2009-4691 (SQL injection vulnerability in addlink.php in Classified Linktrader Sc ...)
	NOT-FOR-US: Classified Linktrader Script
CVE-2009-4690 (Multiple cross-site scripting (XSS) vulnerabilities in YourFreeWorld P ...)
	NOT-FOR-US: YourFreeWorld Programs Rating Script
CVE-2009-4689 (SQL injection vulnerability in index.php in PHP Shopping Cart Selling ...)
	NOT-FOR-US: PHP Shopping Cart Selling Website Script
CVE-2009-4688 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in PH ...)
	NOT-FOR-US: PHP Shopping Cart Selling Website Script
CVE-2009-4687 (SQL injection vulnerability in silentum_guestbook.php in Silentum Gues ...)
	NOT-FOR-US: Silentum Guestbook
CVE-2009-4686 (Cross-site scripting (XSS) vulnerability in account.php in phplemon Ad ...)
	NOT-FOR-US: phplemon AdQuick
CVE-2009-4685 (Cross-site scripting (XSS) vulnerability in celebrities.php in PHP Scr ...)
	NOT-FOR-US: PHP Scripts Now Astrology
CVE-2009-4684 (Cross-site scripting (XSS) vulnerability in index.php in EZodiak allow ...)
	NOT-FOR-US: EZodiak
CVE-2009-4683 (Directory traversal vulnerability in vote.php in Good/Bad Vote allows ...)
	NOT-FOR-US: Good/Bad Vote
CVE-2009-4682 (Cross-site scripting (XSS) vulnerability in vote.php in Good/Bad Vote ...)
	NOT-FOR-US: Good/Bad Vote
CVE-2009-4681 (Cross-site scripting (XSS) vulnerability in search.php in phpDirectory ...)
	NOT-FOR-US: phpDirectorySource
CVE-2009-4680 (SQL injection vulnerability in search.php in phpDirectorySource 1.x al ...)
	NOT-FOR-US: phpDirectorySource
CVE-2009-4679 (Directory traversal vulnerability in the inertialFATE iF Portfolio Nex ...)
	NOT-FOR-US: com_if_nexus component for Joomla!
CVE-2009-4678 (Cross-site scripting (XSS) vulnerability in index.php in Winn Guestboo ...)
	NOT-FOR-US: Winn Guestbook
CVE-2009-4677 (Cross-site scripting (XSS) vulnerability in search.php in phpFK PHP Fo ...)
	NOT-FOR-US: phpFK PHP Forum
CVE-2009-4676 (Stack-based buffer overflow in JetCast.exe 2.0.4.1109 in jetAudio 7.5. ...)
	NOT-FOR-US: JetCast.exe
CVE-2009-4675 (admin/admin_info/index.php in the Mole Group Gastro Portal (Restaurant ...)
	NOT-FOR-US: Mole Group Gastro Portal
CVE-2009-4674 (admin/admin.php in Mole Group Sky Hunter Airline Ticket Sale Script an ...)
	NOT-FOR-US: Mole Group Sky Hunter Airline Ticket Sale Script and Bus Ticket
CVE-2009-4673 (SQL injection vulnerability in profile.php in Mole Group Adult Portal ...)
	NOT-FOR-US: Mole Group Adult Portal Script
CVE-2009-4672 (Directory traversal vulnerability in main.php in the WP-Lytebox plugin ...)
	NOT-FOR-US: WP-Lytebox plugin for WordPress
CVE-2009-4671 (Login.php in RoomPHPlanning 1.6 allows remote attackers to bypass auth ...)
	NOT-FOR-US: RoomPHPlanning
CVE-2009-4670 (admin/delitem.php in RoomPHPlanning 1.6 does not require authenticatio ...)
	NOT-FOR-US: RoomPHPlanning
CVE-2009-4669 (Multiple SQL injection vulnerabilities in RoomPHPlanning 1.6 allow rem ...)
	NOT-FOR-US: RoomPHPlanning
CVE-2009-4668 (Stack-based buffer overflow in JetCast.exe 2.0.4.1109 in jetAudio 7.5. ...)
	NOT-FOR-US: JetCast.exe
CVE-2009-4667 (SQL injection vulnerability in form.php in WebMember 1.0 allows remote ...)
	NOT-FOR-US: WebMember
CVE-2009-4666 (Multiple PHP remote file inclusion vulnerabilities in Webradev Downloa ...)
	NOT-FOR-US: Webradev Download Protect
CVE-2009-4665 (Directory traversal vulnerability in CuteSoft_Client/CuteEditor/Load.a ...)
	NOT-FOR-US: Cute Editor
CVE-2009-4664 (Firewall Builder 3.0.4, 3.0.5, and 3.0.6, when running on Linux, allow ...)
	- fwbuilder 3.0.7-1 (bug #547390; medium)
	[lenny] - fwbuilder (only versions 3.0.4, 3.0.5 and 3.0.6 are affected)
	- libfwbuilder 3.0.7-1 (bug #547390; medium)
	[lenny] - libfwbuilder (only versions 3.0.4, 3.0.5 and 3.0.6 are affected)
	NOTE: m68k package in debports is still affected at version 3.0.5
	NOTE: see http://www.fwbuilder.org/docs/firewall_builder_release_notes.html#3.0.7
CVE-2009-4663 (Heap-based buffer overflow in the Quiksoft EasyMail Objects 6 ActiveX ...)
	NOT-FOR-US: Quiksoft EasyMail Objects
CVE-2009-4662 (Cross-site scripting (XSS) vulnerability in the WebAccess component in ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-4661 (Multiple buffer overflows in BigAnt Server 2.50 SP6 and earlier allow ...)
	NOT-FOR-US: BigAnt Server
CVE-2009-4660 (Stack-based buffer overflow in the AntServer Module (AntServer.exe) in ...)
	NOT-FOR-US: BigAnt IM Server
CVE-2009-4659 (Unspecified vulnerability in MP3-Cutter Ease Audio Cutter 1.20 allows ...)
	NOT-FOR-US: MP3-Cutter Ease Audio Cutter
CVE-2009-4658 (Xerver 4.32 allows remote authenticated users to cause a denial of ser ...)
	NOT-FOR-US: Xerver
CVE-2009-4657 (The administrator package for Xerver 4.32 does not require authenticat ...)
	NOT-FOR-US: Xerver
CVE-2009-4656 (Stack-based buffer overflow in E-Soft DJ Studio Pro 4.2 including 4.2. ...)
	NOT-FOR-US: E-Soft DJ Studio Pro
CVE-2009-4652 (The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in src/ngirc ...)
	- ngircd 15-0.1
	[lenny] - ngircd (SSL/TLS support not yet present)
CVE-2009-4655 (The dhost web service in Novell eDirectory 8.8.5 uses a predictable se ...)
	NOT-FOR-US: Novell eDirectory
CVE-2009-4654 (Stack-based buffer overflow in the dhost module in Novell eDirectory 8 ...)
	NOT-FOR-US: Novell eDirectory
CVE-2009-4653 (Stack-based buffer overflow in the dhost module in Novell eDirectory 8 ...)
	NOT-FOR-US: Novell eDirectory
CVE-2009-4651 (Multiple cross-site scripting (XSS) vulnerabilities in the Webee Comme ...)
	NOT-FOR-US: Webee Comments component for Joomla!
CVE-2009-4650 (SQL injection vulnerability in the Webee Comments (com_webeecomment) c ...)
	NOT-FOR-US: Webee Comments component for Joomla!
CVE-2009-4649 (Multiple cross-site scripting (XSS) vulnerabilities in geccBBlite 0.1 ...)
	NOT-FOR-US: geccBBlite
CVE-2009-4648 (Accellion Secure File Transfer Appliance before 8_0_105 does not prope ...)
	NOT-FOR-US: Accellion Secure File Transfer Appliance
CVE-2009-4647 (Cross-site scripting (XSS) vulnerability in Accellion Secure File Tran ...)
	NOT-FOR-US: Accellion Secure File Transfer Appliance
CVE-2009-4646 (Static code injection vulnerability in the administrative web interfac ...)
	NOT-FOR-US: Accellion Secure File Transfer Appliance
CVE-2009-4645 (Directory traversal vulnerability in web_client_user_guide.html in Acc ...)
	NOT-FOR-US: Accellion Secure File Transfer Appliance
CVE-2009-4644 (Accellion Secure File Transfer Appliance before 8_0_105 allows remote ...)
	NOT-FOR-US: Accellion Secure File Transfer Appliance
CVE-2009-5050 (konversation before 1.2.3 allows attackers to cause a denial of servic ...)
	- konversation 1.2.3-1 (low)
	[lenny] - konversation (Doesn't affect the combination of kdelibs/QT in Lenny)
	NOTE: http://bugs.kde.org/show_bug.cgi?id=219985
CVE-2009-4643 (Stack-based buffer overflow in dsInstallerService.dll in the Juniper I ...)
	NOT-FOR-US: Juniper Installer Service
CVE-2009-XXXX [ffmpeg potentially remaining vulnerabilities after DSA 2000]
	- ffmpeg 4:0.5.1-1 (medium; bug #570713)
	- ffmpeg-debian
CVE-2009-4642 (gnome-screensaver 2.26.1 relies on the gnome-session D-Bus interface t ...)
	- gnome-screensaver 2.26.1-2
	[lenny] - gnome-screensaver (vulnerability introduced in 2.26)
	NOTE: only an issue under certain desktop environments such as xfce
CVE-2009-4641 (gnome-screensaver 2.28.0 does not resume adherence to its activation s ...)
	- gnome-screensaver 2.28.0-2 (low; bug #569667)
	[etch] - gnome-screensaver (Vulnerable code not present)
	[lenny] - gnome-screensaver (Vulnerable code not present)
CVE-2009-4640 (Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote attacker ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4639 (The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows re ...)
	- ffmpeg 7:2.4.1-1 (unimportant; bug #550442)
	- ffmpeg-debian (unimportant)
	NOTE: denial-of-service only, so not worth worrying about
	NOTE: http://thread.gmane.org/gmane.comp.video.ffmpeg.devel/97154/focus=97156
	NOTE: http://thread.gmane.org/gmane.comp.video.ffmpeg.issues/6111/focus=6116
CVE-2009-4638 (Integer overflow in FFmpeg 0.5 allows remote attackers to cause a deni ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4637 (FFmpeg 0.5 allows remote attackers to cause a denial of service (crash ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4636 (FFmpeg 0.5 allows remote attackers to cause a denial of service (hang) ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4635 (FFmpeg 0.5 allows remote attackers to cause a denial of service and po ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4634 (Multiple integer underflows in FFmpeg 0.5 allow remote attackers to ca ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4633 (vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a comparis ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4632 (oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain point ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4631 (Off-by-one error in the VP3 decoder (vp3.c) in FFmpeg 0.5 allows remot ...)
	{DSA-2000-1}
	- ffmpeg 4:0.5+svn20090706-3 (bug #550442)
	- ffmpeg-debian
CVE-2009-4630 (Mozilla Necko, as used in Firefox, SeaMonkey, and other applications, ...)
	- xulrunner 1.9.1-1 (low)
	[etch] - xulrunner (dns prefetching implemented in xulrunner 1.9.1)
	[lenny] - xulrunner (dns prefetching implemented in xulrunner 1.9.1)
	- iceweasel 3.5.11-2
	[lenny] - iceweasel (Iceweasel in Lenny links against xulrunner)
	- iceape 2.0-1 (low)
	[etch] - iceape (dns prefetching implemented in xulrunner 1.9.1)
	[lenny] - iceape (dns prefetching implemented in xulrunner 1.9.1)
	NOTE: mozilla's dns prefetching leads to disclosure of the user's network location
CVE-2009-4629 (Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other appl ...)
	- icedove 3.0.2-1 (unimportant)
	[etch] - icedove (dns prefetching implemented in xulrunner 1.9.1)
	[lenny] - icedove (dns prefetching implemented in xulrunner 1.9.1)
	- iceweasel 3.5.11-2
	[lenny] - iceweasel (Iceweasel in Lenny links against xulrunner)
	- iceape (unimportant)
	[etch] - iceape (dns prefetching implemented in xulrunner 1.9.1)
	[lenny] - iceape (dns prefetching implemented in xulrunner 1.9.1)
CVE-2009-4628 (SQL injection vulnerability in the TemplatePlaza.com TPDugg (com_tpdug ...)
	NOT-FOR-US: Joomla!
CVE-2009-4627 (Directory traversal vulnerability in sources/_template_parser.php in M ...)
	NOT-FOR-US: Moa Gallery
CVE-2009-4626 (Directory traversal vulnerability in menu.php in phpNagios 1.2.0 allow ...)
	NOT-FOR-US: phpNagios
CVE-2009-4625 (SQL injection vulnerability in the updateOnePage function in component ...)
	NOT-FOR-US: Joomla!
CVE-2009-4624 (SQL injection vulnerability in download.php in Nicecoder iDesk allows ...)
	NOT-FOR-US: Nicecoder iDesk
CVE-2009-4623 (Multiple PHP remote file inclusion vulnerabilities in Advanced Comment ...)
	NOT-FOR-US: Advanced Comment System
CVE-2009-4622 (PHP remote file inclusion vulnerability in admin/admin_news_bot.php in ...)
	NOT-FOR-US: Drunken:Golem Gaming Portal
CVE-2009-4621 (SQL injection vulnerability in the JiangHu Inn plugin 1.1 and earlier ...)
	NOT-FOR-US: Discuz
CVE-2009-4620 (SQL injection vulnerability in the Joomloc (com_joomloc) component 1.0 ...)
	NOT-FOR-US: Joomla!
CVE-2009-4619 (SQL injection vulnerability in the Lucy Games (com_lucygames) componen ...)
	NOT-FOR-US: Joomla!
CVE-2009-4618 (Multiple SQL injection vulnerabilities in Tourism Script Bus Script al ...)
	NOT-FOR-US: Tourism Script Bus Script
CVE-2009-4617 (Multiple SQL injection vulnerabilities in Tourism Script Accommodation ...)
	NOT-FOR-US: Tourism Script Accommodation Hotel Booking Portal Script
CVE-2009-4616 (Cross-site scripting (XSS) vulnerability in search.php in MYRE Holiday ...)
	NOT-FOR-US: MYRE Holiday Rental Manager
CVE-2009-4615 (SQL injection vulnerability in review.php in MYRE Holiday Rental Manag ...)
	NOT-FOR-US: MYRE Holiday Rental Manager
CVE-2009-4614 (Multiple PHP remote file inclusion vulnerabilities in Moa Gallery 1.2. ...)
	NOT-FOR-US: Moa Gallery
CVE-2009-4613 (SQL injection vulnerability in realestate20/loginaction.php in NetArt ...)
	NOT-FOR-US: NetArt Media Real Estate Portal
CVE-2009-4612 (Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP ...)
	- jetty 6.1.22-1 (bug #575789)
CVE-2009-4611 (Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data with ...)
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-4610 (Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty ...)
	- jetty (low; bug #575790)
	NOTE: the exploitable servlet is not shipped in Debian packages
CVE-2009-4609 (The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attacke ...)
	- jetty (low; bug #575791)
	NOTE: the exploitable servlet is not shipped in Debian packages
CVE-2009-4608 (Cross-site scripting (XSS) vulnerability in Canon IT Solutions Inc. AC ...)
	NOT-FOR-US: ACCESSGUARDIAN
CVE-2009-4607 (The command line interface in Overland Storage Snap Server 410 with Gu ...)
	NOT-FOR-US: Overland Storage Snap Server
CVE-2009-4606 (South River Technologies WebDrive 9.02 build 2232 installs the WebDriv ...)
	NOT-FOR-US: South River Technologies WebDrive
CVE-2009-4604 (PHP remote file inclusion vulnerability in mamboleto.php in the Fernan ...)
	NOT-FOR-US: Joomla!
CVE-2009-4603 (Unspecified vulnerability in sapstartsrv.exe in the SAP Kernel 6.40, 7 ...)
	NOT-FOR-US: SAP Kernel
CVE-2009-4602 (Cross-site scripting (XSS) vulnerability in the Randomizer module 5.x ...)
	NOT-FOR-US: Randomizer module for Drupal
CVE-2009-4601 (Cross-site scripting (XSS) vulnerability in basic_search_result.php in ...)
	NOT-FOR-US: ZeeJobsite
CVE-2009-4600 (SQL injection vulnerability in realestate20/loginaction.php in NetArt ...)
	NOT-FOR-US: NetArt Media Real Estate Portal
CVE-2009-4599 (Multiple SQL injection vulnerabilities in the JS Jobs (com_jsjobs) com ...)
	NOT-FOR-US: Joomla!
CVE-2009-4598 (SQL injection vulnerability in the JPhoto (com_jphoto) component 1.0 f ...)
	NOT-FOR-US: Joomla!
CVE-2009-4597 (Multiple SQL injection vulnerabilities in index.php in PHP Inventory 1 ...)
	NOT-FOR-US: PHP Inventory
CVE-2009-4596 (Cross-site scripting (XSS) vulnerability in index.php in PHP Inventory ...)
	NOT-FOR-US: PHP Inventory
CVE-2009-4595 (SQL injection vulnerability in index.php in PHP Inventory 1.2 allows r ...)
	NOT-FOR-US: PHP Inventory
CVE-2009-4605 (scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2 ...)
	{DSA-2034-1}
	- phpmyadmin 4:3.2.4-1
	NOTE: vulnerable code does not exist in the 3.x series (sid and squeeze checked)
	NOTE: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=13149
	NOTE: there is still at least one unserialize() call on _POST data
CVE-2009-4594 (Unspecified vulnerability in IBM Lotus iNotes (aka Domino Web Access o ...)
	NOT-FOR-US: IBM Lotus iNotes
CVE-2009-4593 (The bftpdutmp_log function in bftpdutmp.c in Bftpd before 2.4 does not ...)
	NOT-FOR-US: Bftpd
CVE-2009-4592 (Unspecified vulnerability in base_local_rules.php in Basic Analysis an ...)
	- acidbase 1.4.4-1
	[lenny] - acidbase (Minor issue)
	[etch] - acidbase (Minor issue)
CVE-2009-4591 (SQL injection vulnerability in Basic Analysis and Security Engine (BAS ...)
	- acidbase 1.4.4-1
	[lenny] - acidbase (Minor issue)
	[etch] - acidbase (Minor issue)
CVE-2009-4590 (Cross-site scripting (XSS) vulnerability in base_local_rules.php in Ba ...)
	- acidbase 1.4.4-1
	[lenny] - acidbase (Minor issue)
	[etch] - acidbase (Minor issue)
	NOTE: 1.4.5 fixed more XSS issues in this file
CVE-2009-4588 (Heap-based buffer overflow in the WindsPlayerIE.View.1 ActiveX control ...)
	NOT-FOR-US: AwingSoft Awakening
CVE-2009-4587 (Cherokee Web Server 0.5.4 allows remote attackers to cause a denial of ...)
	- cherokee (Only affects Windows and DOS)
	NOTE: this only works on windows and dos as you are not allowed
	NOTE: to use a file name with AUX and any or no extension as this is a
	NOTE: reserved device name. cherokee was lacking error handling...
CVE-2009-4586 (Multiple cross-site scripting (XSS) vulnerabilities in index.html in W ...)
	NOT-FOR-US: Wowd client
CVE-2009-4585 (UranyumSoft Listing Service stores sensitive information under the web ...)
	NOT-FOR-US: UranyumSoft Listing Service
CVE-2009-4584 (admin.php in dB Masters Multimedia Links Directory 3.1.3 allows remote ...)
	NOT-FOR-US: dB Masters Multimedia Links Directory
CVE-2009-4583 (SQL injection vulnerability in the DhForum (com_dhforum) component for ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-4582 (SQL injection vulnerability in detail.php in the Dictionary module for ...)
	NOT-FOR-US: XOOPS module
CVE-2009-4581 (Directory traversal vulnerability in modules/admincp.php in RoseOnline ...)
	NOT-FOR-US: RoseOnlineCMS
CVE-2009-4580 (Multiple cross-site scripting (XSS) vulnerabilities in Hasta Blog 2.3 ...)
	NOT-FOR-US: Hasta Blog
CVE-2009-4579 (Cross-site scripting (XSS) vulnerability in the Artist avenue (com_art ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-4578 (Cross-site scripting (XSS) vulnerability in the Facileforms (com_facil ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-4577 (SQL injection vulnerability in the MDForum module 2.x through 2.07 for ...)
	NOT-FOR-US: MDForum module for MAXdev MDPro
CVE-2009-4576 (SQL injection vulnerability in the BeeHeard (com_beeheard) component 1 ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-4575 (Cross-site scripting (XSS) vulnerability in the Q-Personel (com_qperso ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-4574 (SQL injection vulnerability in country_escorts.php in I-Escorts Direct ...)
	NOT-FOR-US: I-Escorts Directory Script
CVE-2009-4573 (Multiple cross-site scripting (XSS) vulnerabilities in the Joomulus (m ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-4572 (Cross-site request forgery (CSRF) vulnerability in PhpShop 0.8.1 allow ...)
	NOT-FOR-US: PhpShop
CVE-2009-4571 (Multiple SQL injection vulnerabilities in index.php in PhpShop 0.8.1 a ...)
	NOT-FOR-US: PhpShop
CVE-2009-4570 (Cross-site scripting (XSS) vulnerability in PhpShop 0.8.1 allows remot ...)
	NOT-FOR-US: PhpShop
CVE-2009-4569 (SQL injection vulnerability in elkagroup Image Gallery allows remote a ...)
	NOT-FOR-US: elkagroup Image Gallery
CVE-2009-4568 (Cross-site scripting (XSS) vulnerability in Webmin before 1.500 and Us ...)
	- webmin
CVE-2009-4567 (Multiple cross-site scripting (XSS) vulnerabilities in editprofile.php ...)
	NOT-FOR-US: Viscacha
CVE-2009-4566 (SQL injection vulnerability in index.php in Zenphoto 1.2.5 allows remo ...)
	NOT-FOR-US: Zenphoto
CVE-2009-4564 (SQL injection vulnerability in index.php in Zenphoto 1.2.5, when the Z ...)
	NOT-FOR-US: Zenphoto
CVE-2009-4563 (Cross-site request forgery (CSRF) vulnerability in zp-core/admin-optio ...)
	NOT-FOR-US: Zenphoto
CVE-2009-4562 (Cross-site scripting (XSS) vulnerability in zp-core/admin.php in Zenph ...)
	NOT-FOR-US: Zenphoto
CVE-2009-4561 (Multiple SQL injection vulnerabilities in Admin/index.php in WebLeague ...)
	NOT-FOR-US: WebLeague
CVE-2009-4560 (SQL injection vulnerability in profile.php in WebLeague 2.2.0 allows r ...)
	NOT-FOR-US: WebLeague
CVE-2009-4559 (Cross-site scripting (XSS) vulnerability in the Submitted By module 6. ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4558 (The Image Assist module 5.x-1.x before 5.x-1.8, 5.x-2.x before 2.0-alp ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4557 (Cross-site scripting (XSS) vulnerability in the Image Assist module 5. ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4556 (Quick Heal AntiVirus Plus 2009 10.00 SP1 and Quick Heal Total Security ...)
	NOT-FOR-US: Quick Heal products
CVE-2009-4555 (Multiple cross-site request forgery (CSRF) vulnerabilities in AgoraCar ...)
	NOT-FOR-US: AgoraCart
CVE-2009-4554 (Multiple cross-site scripting (XSS) vulnerabilities in Snitz Forums 20 ...)
	NOT-FOR-US: Snitz Forums
CVE-2009-4553 (Stack-based buffer overflow in iRehearse allows remote attackers to ca ...)
	NOT-FOR-US: iRehearse
CVE-2009-4552 (Cross-site scripting (XSS) vulnerability in the Survey Pro module for ...)
	NOT-FOR-US: module for Miniweb
CVE-2009-4551 (SQL injection vulnerability in the Survey Pro module for Miniweb 2.0 a ...)
	NOT-FOR-US: module for Miniweb
CVE-2009-4550 (SQL injection vulnerability in the Kunena Forum (com_kunena) component ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-4549 (Stack-based buffer overflow in A2 Media Player Pro 2.51 allows remote ...)
	NOT-FOR-US: A2 Media Player Pro
CVE-2009-4548 (Multiple cross-site scripting (XSS) vulnerabilities in ViArt Helpdesk ...)
	NOT-FOR-US: ViArt Helpdesk
CVE-2009-4547 (Multiple cross-site scripting (XSS) vulnerabilities in ViArt CMS 3.x a ...)
	NOT-FOR-US: ViArt CMS
CVE-2009-4546 (globepersonnel_login.asp in Logoshows BBS 2.0 allows remote attackers ...)
	NOT-FOR-US: Logoshows BBS
CVE-2009-4545 (Logoshows BBS 2.0 stores sensitive information under the web root with ...)
	NOT-FOR-US: Logoshows BBS
CVE-2009-4544 (Cross-site scripting (XSS) vulnerability in kbase/kbase.php in Cromoso ...)
	NOT-FOR-US: Cromosoft Technologies Facil Helpdesk
CVE-2009-4543 (PHP remote file inclusion vulnerability in index.php in Cromosoft Tech ...)
	NOT-FOR-US: Cromosoft Technologies Facil Helpdesk
CVE-2009-4542 (Cross-site scripting (XSS) vulnerability in newticket.php in IsolSoft ...)
	NOT-FOR-US: IsolSoft Support Center
CVE-2009-4541 (Multiple PHP remote file inclusion vulnerabilities in IsolSoft Support ...)
	NOT-FOR-US: IsolSoft Support Center
CVE-2009-4540 (SQL injection vulnerability in page.php in Mini CMS 1.0.1 allows remot ...)
	NOT-FOR-US: Mini CMS
CVE-2009-4539 (Cross-site scripting (XSS) vulnerability in main.php in SQLiteManager ...)
	NOT-FOR-US: SQLiteManager
CVE-2009-4538 (drivers/net/e1000e/netdev.c in the e1000e driver in the Linux kernel 2 ...)
	{DSA-2005-1 DSA-1996-1}
	- linux-2.6 2.6.32-6 (low; bug #564114)
	[etch] - linux-2.6 (does not have e1000e driver)
	- linux-2.6.24 (low)
	NOTE: just like CVE-2009-4536 but was reported later
CVE-2009-4537 (drivers/net/r8169.c in the r8169 driver in the Linux kernel 2.6.32.3 a ...)
	{DSA-2053-1}
	- linux-2.6 2.6.32-11 (medium; bug #564110; bug #591581)
	- linux-2.6.24 (medium)
CVE-2009-4536 (drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel ...)
	{DSA-2005-1 DSA-2003-1 DSA-1996-1}
	- linux-2.6 2.6.32-6 (low; bug #564114)
	- linux-2.6.24 (low)
CVE-2009-4535 (Mongoose 2.8.0 and earlier allows remote attackers to obtain the sourc ...)
	NOT-FOR-US: Mongoose
CVE-2009-4534 (Open redirect vulnerability in the FAQ Ask module 5.x and 6.x before 6 ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4533 (The Webform module 5.x before 5.x-2.8 and 6.x before 6.x-2.8, a module ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4532 (Cross-site scripting (XSS) vulnerability in the Webform module 5.x bef ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4531 (httpdx 1.4.4 and earlier allows remote attackers to obtain the source ...)
	NOT-FOR-US: httpdx
CVE-2009-4530 (Mongoose 2.8.0 and earlier allows remote attackers to obtain the sourc ...)
	NOT-FOR-US: Mongoose
CVE-2009-4529 (InterVations NaviCOPA Web Server 3.0.1.2 and earlier allows remote att ...)
	NOT-FOR-US: InterVations NaviCOPA Web Server
CVE-2009-4528 (The Organic Groups (OG) Vocabulary module 6.x before 6.x-1.0 for Drupa ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4527 (The Shibboleth authentication module 5.x before 5.x-3.4 and 6.x before ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4526 (The Send by e-mail sub-module in the Print (aka Printer, e-mail and PD ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4525 (Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e- ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4524 (Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1. ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4523 (Cross-site scripting (XSS) vulnerability in index.php in Zainu 1.0 all ...)
	NOT-FOR-US: Zainu
CVE-2009-4522 (Cross-site scripting (XSS) vulnerability in search.5.html in BloofoxCM ...)
	NOT-FOR-US: BloofoxCMS
CVE-2009-4521 (Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse ...)
	NOT-FOR-US: Eclipse Business Intelligence and Reporting Tools
CVE-2009-4520 (The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4519 (Multiple unspecified vulnerabilities in Ortro before 1.3.4 have unknow ...)
	NOT-FOR-US: Ortro
CVE-2009-4518 (Cross-site scripting (XSS) vulnerability in the Insert Node module 5.x ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4517 (Cross-site request forgery (CSRF) vulnerability in the FAQ Ask module ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4516 (Cross-site scripting (XSS) vulnerability in the FAQ Ask module 5.x and ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4515 (The Storm module 6.x before 6.x-1.25 for Drupal does not enforce privi ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4514 (Cross-site scripting (XSS) vulnerability in the OpenSocial Shindig-Int ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4513 (Multiple cross-site scripting (XSS) vulnerabilities in the Workflow mo ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4512 (Directory traversal vulnerability in index.php in Oscailt 3.3, when Us ...)
	NOT-FOR-US: Oscailt
CVE-2009-4511 (Multiple directory traversal vulnerabilities in the web administration ...)
	NOT-FOR-US: TANDBERG Video Communication Server
CVE-2009-4510 (The SSH service on the TANDBERG Video Communication Server (VCS) befor ...)
	NOT-FOR-US: TANDBERG Video Communication Server
CVE-2009-4509 (The administrative web console on the TANDBERG Video Communication Ser ...)
	NOT-FOR-US: TANDBERG Video Communication Server
CVE-2009-4508
	RESERVED
CVE-2009-4507
	RESERVED
CVE-2009-4506
	RESERVED
CVE-2009-4505 (Multiple cross-site scripting (XSS) vulnerabilities in OpenCMS OAMP Co ...)
	NOT-FOR-US: OpenCMS
CVE-2009-4504
	RESERVED
CVE-2009-4503
	RESERVED
CVE-2009-4502 (The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, whe ...)
	- zabbix 1:1.8-1 (bug #562613)
CVE-2009-4501 (The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Serv ...)
	- zabbix 1:1.8-1 (bug #562613)
CVE-2009-4500 (The process_trap function in trapper/trapper.c in Zabbix Server before ...)
	- zabbix 1:1.8-1 (bug #562613)
CVE-2009-4499 (SQL injection vulnerability in the get_history_lastid function in the ...)
	- zabbix 1:1.8-1 (bug #562613)
CVE-2009-4498 (The node_process_command function in Zabbix Server before 1.8 allows r ...)
	- zabbix 1:1.8-1 (bug #562613)
CVE-2009-4497 (Cross-site scripting (XSS) vulnerability in LXR Cross Referencer 0.9.5 ...)
	{DSA-2092-1}
	- lxr-cvs 0.9.5+cvs20071020-1.1 (low; bug #575745)
	NOTE: http://sourceforge.net/mailarchive/forum.php?thread_name=E1NS2s4-0001PE-F2@3bkjzd1.ch3.sourceforge.com&forum_name=lxr-developer
CVE-2009-4496 (Boa 0.94.14rc21 writes data to a log file without sanitizing non-print ...)
	- boa 0.94.14rc21-4 (unimportant; bug #578035)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
CVE-2009-4495 (Yaws 1.85 writes data to a log file without sanitizing non-printable c ...)
	- yaws (unimportant)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
CVE-2009-4494 (AOLserver 4.5.1 writes data to a log file without sanitizing non-print ...)
	- aolserver4 (unimportant)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
CVE-2009-4493 (Orion Application Server 2.0.7 writes data to a log file without sanit ...)
	NOT-FOR-US: Orion httpd
CVE-2009-4492 (WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patc ...)
	- ruby1.8 1.8.7.249-1 (unimportant; bug #564598)
	- ruby1.9 (unimportant; bug #564647)
	- ruby1.9.1 1.9.1.378-1 (unimportant; bug #564646)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
	NOTE: same as CVE-2009-4487
CVE-2009-4491 (thttpd 2.25b0 writes data to a log file without sanitizing non-printab ...)
	- thttpd (unimportant)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
CVE-2009-4490 (mini_httpd 1.19 writes data to a log file without sanitizing non-print ...)
	- mini-httpd (unimportant)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
CVE-2009-4489 (header.c in Cherokee before 0.99.32 writes data to a log file without ...)
	- cherokee 0.99.37-1 (unimportant)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
CVE-2009-4488 (** DISPUTED ** Varnish 2.0.6 writes data to a log file without sanitiz ...)
	- varnish (unimportant)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
CVE-2009-4487 (nginx 0.7.64 writes data to a log file without sanitizing non-printabl ...)
	- nginx (unimportant)
	NOTE: The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
CVE-2009-4486 (Stack-based buffer overflow in the eDirectory plugin in Novell iManage ...)
	NOT-FOR-US: iManager
CVE-2009-4485
	REJECTED
CVE-2009-4484 (Multiple stack-based buffer overflows in the CertDecoder::GetName func ...)
	{DSA-1997-1}
	- mysql-dfsg-5.0 (medium)
	- mysql-5.1 5.1.41-4 (medium)
	- cyassl (Fixed before initial upload to archive)
	NOTE: http://web.archive.org/web/20100129040903/http://intevydis.blogspot.com:80/2010/01/mysq-yassl-stack-overflow.html
	NOTE: http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0/revision/2837.1.1
CVE-2009-4483 (Unspecified vulnerability in LDAP3A.exe in MailSite 8.0.4 allows remot ...)
	NOT-FOR-US: MailSite
CVE-2009-4482 (Buffer overflow in MediaServer.exe in TVersity 1.6 allows remote attac ...)
	NOT-FOR-US: TVersity
CVE-2009-4481
	REJECTED
CVE-2009-4480 (Buffer overflow in the web service in AzeoTech DAQFactory 5.77 might a ...)
	NOT-FOR-US: AzeoTech DAQFactory
CVE-2009-4479 (LDAP3A.exe in MailSite 8.0.4 allows remote attackers to cause a denial ...)
	NOT-FOR-US: MailSite
CVE-2009-4478 (Multiple cross-site scripting (XSS) vulnerabilities in Xstate Real Est ...)
	NOT-FOR-US: Xstate Real Estate
CVE-2009-4477 (SQL injection vulnerability in page.html in Xstate Real Estate 1.0 all ...)
	NOT-FOR-US: Xstate Real Estate
CVE-2009-4476 (Stack-based buffer overflow in HAURI ViRobot Desktop 5.5 before 2009-0 ...)
	NOT-FOR-US: HAURI ViRobot Desktop
CVE-2009-4475 (SQL injection vulnerability in the Joomlub (com_joomlub) component for ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-4474 (SQL injection vulnerability in the Mike de Boer zoom (com_zoom) compon ...)
	NOT-FOR-US: Mambo component
CVE-2009-4473 (Multiple cross-site scripting (XSS) vulnerabilities in WorkArea/Conten ...)
	NOT-FOR-US: Ektron CMS400.NET
CVE-2009-4472 (Multiple PHP remote file inclusion vulnerabilities in PHPope 1.0.0 and ...)
	NOT-FOR-US: PHPope
CVE-2009-4471 (Multiple PHP remote file inclusion vulnerabilities in FreeSchool 1.1.0 ...)
	NOT-FOR-US: FreeSchool
CVE-2009-4470 (SQL injection vulnerability in boardrule.php in DVBBS 2.0 allows remot ...)
	NOT-FOR-US: DVBBS
CVE-2009-4469 (Multiple cross-site scripting (XSS) vulnerabilities in pagenumber.inc. ...)
	NOT-FOR-US: phpPowerCards
CVE-2009-4468 (Cross-site scripting (XSS) vulnerability in misc.php in DeluxeBB 1.3 a ...)
	NOT-FOR-US: DeluxeBB
CVE-2009-4467 (misc.php in DeluxeBB 1.3 allows remote attackers to register accounts ...)
	NOT-FOR-US: DeluxeBB
CVE-2009-4466 (DeluxeBB 1.3 allows remote attackers to obtain sensitive information v ...)
	NOT-FOR-US: DeluxeBB
CVE-2009-4465 (DeluxeBB 1.3 stores sensitive information under the web root with insu ...)
	NOT-FOR-US: DeluxeBB
CVE-2009-4464 (Cross-site scripting (XSS) vulnerability in searchadvance.asp in Activ ...)
	NOT-FOR-US: Active Business Directory
CVE-2009-4463 (Intellicom NetBiter WebSCADA devices use default passwords for the HIC ...)
	NOT-FOR-US: Intellicom NetBiter WebSCADA
CVE-2009-4462 (Stack-based buffer overflow in the NetBiterConfig utility (NetBiterCon ...)
	NOT-FOR-US: Intellicom NetBiter WebSCADA
CVE-2009-4461 (Multiple cross-site scripting (XSS) vulnerabilities in FlatPress 0.909 ...)
	- flatpress (bug #466297)
CVE-2009-4460 (Multiple cross-site scripting (XSS) vulnerabilities in Auto-Surf Traff ...)
	NOT-FOR-US: Auto-Surf Traffic Exchange Script
CVE-2009-4459 (Redmine 0.8.7 and earlier uses the title tag before defining the chara ...)
	- redmine 0.9.1-1 (bug #563940)
CVE-2009-4565 (sendmail before 8.14.4 does not properly handle a '\0' character in a ...)
	{DSA-1985-1}
	- sendmail 8.14.3-9.1 (medium; bug #564581)
	NOTE: http://www.sendmail.org/releases/8.14.4
CVE-2009-4458 (Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.2 a ...)
	NOT-FOR-US: FreePBX
CVE-2009-4457 (Multiple unspecified vulnerabilities in the Vsftpd Webmin module befor ...)
	- webmin
CVE-2009-4456 (SQL injection vulnerability in news_detail.php in Green Desktiny 2.3.1 ...)
	NOT-FOR-US: Green Desktiny
CVE-2009-4455 (The default configuration of Cisco ASA 5500 Series Adaptive Security A ...)
	NOT-FOR-US: Cisco
CVE-2009-4454 (vccleaner in VideoCache 1.9.2 allows local users with Squid proxy user ...)
	- videocache (bug #505329)
CVE-2009-4453 (Insecure method vulnerability in SoftCab Sound Converter ActiveX contr ...)
	NOT-FOR-US: SoftCab Sound Converter ActiveX
CVE-2009-4452 (Kaspersky Anti-Virus 5.0 (5.0.712); Antivirus Personal 5.0.x; Anti-Vir ...)
	NOT-FOR-US: Kaspersky Anti-Virus
CVE-2009-4451 (Unrestricted file upload vulnerability in upper.php in kandalf upper 0 ...)
	NOT-FOR-US: kandalf upper
CVE-2009-4450 (Multiple cross-site scripting (XSS) vulnerabilities in map.php in Live ...)
	NOT-FOR-US: LiveZilla
CVE-2009-4449 (Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10 ...)
	NOT-FOR-US: MyBB
CVE-2009-4448 (inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possi ...)
	NOT-FOR-US: MyBB
CVE-2009-4447 (Jax Guestbook 3.5.0 allows remote attackers to bypass authentication a ...)
	NOT-FOR-US: Jax Guestbook
CVE-2009-4446 (Cross-site scripting (XSS) vulnerability in admin.php in phpInstantGal ...)
	NOT-FOR-US: phpInstantGallery
CVE-2009-4445 (Microsoft Internet Information Services (IIS), when used in conjunctio ...)
	NOT-FOR-US: Microsoft
CVE-2009-4444 (Microsoft Internet Information Services (IIS) 5.x and 6.x uses only th ...)
	NOT-FOR-US: Microsoft
CVE-2009-4443 (Unspecified vulnerability in the psearch (aka persistent search) funct ...)
	NOT-FOR-US: Sun Java System Directory Server Enterprise Edition
CVE-2009-4442 (Directory Proxy Server (DPS) in Sun Java System Directory Server Enter ...)
	NOT-FOR-US: Sun Java System Directory Server Enterprise Edition
CVE-2009-4441 (Directory Proxy Server (DPS) in Sun Java System Directory Server Enter ...)
	NOT-FOR-US: Sun Java System Directory Server Enterprise Edition
CVE-2009-4440 (Directory Proxy Server (DPS) in Sun Java System Directory Server Enter ...)
	NOT-FOR-US: Sun Java System Directory Server Enterprise Edition
CVE-2009-4439 (Unspecified vulnerability in the Query Compiler, Rewrite, and Optimize ...)
	NOT-FOR-US: DB2
CVE-2009-4438 (The Query Compiler, Rewrite, and Optimizer component in IBM DB2 9.1 be ...)
	NOT-FOR-US: DB2
CVE-2009-4437 (Multiple SQL injection vulnerabilities in Active Auction House 3.6 all ...)
	NOT-FOR-US: Active Auction House 3.6
CVE-2009-4436 (Multiple SQL injection vulnerabilities in Active Web Softwares eWebqui ...)
	NOT-FOR-US: Active Web Softwares eWebquiz
CVE-2009-4435 (Multiple directory traversal vulnerabilities in F3Site 2009 allow remo ...)
	NOT-FOR-US: F3Site 2009
CVE-2009-4434 (Directory traversal vulnerability in index.php in IDevSpot iSupport 1. ...)
	NOT-FOR-US: IDevSpot
CVE-2009-4433 (Multiple cross-site scripting (XSS) vulnerabilities in IDevSpot iSuppo ...)
	NOT-FOR-US: IDevSpot
CVE-2009-4432 (SQL injection vulnerability in index.php in CodeMight VideoCMS 3.1 all ...)
	NOT-FOR-US: CodeMight VideoCMS
CVE-2009-4431 (PHP remote file inclusion vulnerability in cal_popup.php in the Anythi ...)
	NOT-FOR-US: Joomla addon
CVE-2009-4430 (SQL injection vulnerability in index.php in VirtueMart 1.0 allows remo ...)
	NOT-FOR-US: VirtueMart
CVE-2009-4429 (Cross-site scripting (XSS) vulnerability in the Sections module 5.x be ...)
	NOT-FOR-US: Drupal addon
CVE-2009-4428 (SQL injection vulnerability in the JoomPortfolio (com_joomportfolio) c ...)
	NOT-FOR-US: Joomla addon
CVE-2009-4427 (Directory traversal vulnerability in cmd.php in phpLDAPadmin 1.1.0.5 a ...)
	{DSA-1965-1}
	- phpldapadmin 1.1.0.7-1.1 (medium; bug #561975)
	[etch] - phpldapadmin (Vulnerable code not present)
CVE-2009-4426 (Multiple directory traversal vulnerabilities in Ignition 1.2, when mag ...)
	NOT-FOR-US: Ignition
CVE-2009-4425 (Cross-site scripting (XSS) vulnerability in index.php in iDevCart 1.09 ...)
	NOT-FOR-US: iDevCart
CVE-2009-4424 (SQL injection vulnerability in results.php in the Pyrmont plugin 2 for ...)
	NOT-FOR-US: Wordpress plugin
CVE-2009-XXXX [ampache DoS and CSRF]
	- ampache 3.5.3-1 (low)
	[lenny] - ampache (minor issue)
CVE-2009-4423 (SQL injection vulnerability in index.php in weenCompany 4.0.0 allows r ...)
	NOT-FOR-US: weenCompany
CVE-2009-4422 (Multiple cross-site scripting (XSS) vulnerabilities in the GetURLArgum ...)
	- libphp-jpgraph (Vulnerable code not present)
CVE-2009-4421 (Directory traversal vulnerability in languages_cgi.php in Simple PHP B ...)
	NOT-FOR-US: Simple PHP Blog
CVE-2009-4420 (Buffer overflow in the bd daemon in F5 Networks BIG-IP Application Sec ...)
	NOT-FOR-US: F5 Networks BIG-IP Application Security Manager (ASM) and Protocol Security Manager (PSM)
CVE-2009-4419 (Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets in the SI ...)
	NOT-FOR-US: Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets
CVE-2009-4418 (The unserialize function in PHP 5.3.0 and earlier allows context-depen ...)
	- php5 (unimportant)
	NOTE: Only exploitable by malicious script, not treated as a security issue
	NOTE: per Debian PHP security policy
CVE-2009-4417 (The shutdown function in the Zend_Log_Writer_Mail class in Zend Framew ...)
	NOTE: the CVE talks about the Zend Framework, but the culprit
	NOTE: is actually piwik
CVE-2009-4416 (Cross-site scripting (XSS) vulnerability in login.php in phpGroupWare ...)
	{DSA-1978-1}
	- phpgroupware 1:0.9.16.012+dfsg-9
CVE-2009-4415 (Multiple directory traversal vulnerabilities in phpGroupWare 0.9.16.12 ...)
	{DSA-1978-1}
	- phpgroupware 1:0.9.16.012+dfsg-9
CVE-2009-4414 (SQL injection vulnerability in phpgwapi /inc/class.auth_sql.inc.php in ...)
	{DSA-1978-1}
	- phpgroupware 1:0.9.16.012+dfsg-9
CVE-2009-4412 (Unrestricted file upload vulnerability in Serendipity before 1.5 allow ...)
	- serendipity 1.5.3-1 (low; bug #562634)
CVE-2009-4411 (The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when runni ...)
	- acl 2.2.49-2 (low; bug #499076)
	[etch] - acl (Vulnerable code not present)
	[lenny] - acl (Minor issue, symlink attack not always as root)
	NOTE: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499076#51
CVE-2009-4409 (The (1) CHAP and (2) MS-CHAP-V2 authentication capabilities in the PPP ...)
	NOT-FOR-US: Internet Initiative Japan SEIL/B1 firmware
CVE-2009-4408 (Multiple cross-site scripting (XSS) vulnerabilities in models.parser i ...)
	NOT-FOR-US: PyForum
CVE-2009-4407 (Multiple cross-site request forgery (CSRF) vulnerabilities in PyForum ...)
	NOT-FOR-US: PyForum
CVE-2009-4406 (Cross-site scripting (XSS) vulnerability in Forms/login1 in American P ...)
	NOT-FOR-US: APC Switched Rack PDU AP7932 B2
CVE-2009-4405 (Multiple unspecified vulnerabilities in Trac before 0.11.6 have unknow ...)
	- trac 0.11.6-1 (low)
	[lenny] - trac (Minor information disclosure)
CVE-2009-4404 (Unspecified vulnerability in t-prot (TOFU Protection) before 2.8 allow ...)
	- t-prot 2.8-1 (low)
	[etch] - t-prot (Minor issue)
	[lenny] - t-prot (Minor issue)
CVE-2009-4403 (Cross-site scripting (XSS) vulnerability in index.php in Rumba XML 1.8 ...)
	NOT-FOR-US: Rumba XML
CVE-2009-4402 (The default configuration of SQL-Ledger 2.8.24 allows remote attackers ...)
	- sql-ledger (unimportant; bug #562639)
	NOTE: Only supported behind an authenticated HTTP zone, see README.Debian
CVE-2009-4410 (The fuse_ioctl_copy_user function in the ioctl handler in fs/fuse/file ...)
	- linux-2.6 2.6.32-1 (low)
	[etch] - linux-2.6 (vulnerable code introduced in 2.6.29)
	[lenny] - linux-2.6 (vulnerable code introduced in 2.6.29)
	- linux-2.6.24 (vulnerable code introduced in 2.6.29)
CVE-2009-4401 (SQL injection vulnerability in the Parish Administration Database (ste ...)
	NOT-FOR-US: ste_parish_admin typo3 extension
CVE-2009-4400 (Cross-site scripting (XSS) vulnerability in the Parish Administration ...)
	NOT-FOR-US: ste_parish_admin typo3 extension
CVE-2009-4399 (SQL injection vulnerability in the Parish of the Holy Spirit Religious ...)
	NOT-FOR-US: hs_religiousartgallery typo3 extension
CVE-2009-4398 (Cross-site scripting (XSS) vulnerability in the Parish of the Holy Spi ...)
	NOT-FOR-US: hs_religiousartgallery typo3 extension
CVE-2009-4397 (Cross-site scripting (XSS) vulnerability in the Diocese of Portsmouth ...)
	NOT-FOR-US: pd_resources typo3 extension
CVE-2009-4396 (SQL injection vulnerability in the Diocese of Portsmouth Resources Dat ...)
	NOT-FOR-US: pd_resources typo3 extension
CVE-2009-4395 (Cross-site scripting (XSS) vulnerability in the Random Prayer 2 (ste_p ...)
	NOT-FOR-US: ste_prayer2 typo3 extension
CVE-2009-4394 (SQL injection vulnerability in the Random Prayer 2 (ste_prayer2) exten ...)
	NOT-FOR-US: ste_prayer2 typo3 extension
CVE-2009-4393 (SQL injection vulnerability in the Document Directorys (danp_documentd ...)
	NOT-FOR-US: danp_documentdirs
CVE-2009-4392 (SQL injection vulnerability in the XDS Staff List (xds_staff) extensio ...)
	NOT-FOR-US: xds_staff typo3 extension
CVE-2009-4391 (Cross-site scripting (XSS) vulnerability in the File list (dr_blob) ex ...)
	NOT-FOR-US: dr_blob typo3 extension
CVE-2009-4390 (SQL injection vulnerability in the Car (car) extension 0.1.1 for TYPO3 ...)
	NOT-FOR-US: car typo3 extension
CVE-2009-4389 (Unspecified vulnerability in the Watchdog (aba_watchdog) extension 2.0 ...)
	NOT-FOR-US: aba_watchdog typo3 extension
CVE-2009-4388 (Cross-site scripting (XSS) vulnerability in the ListMan (nl_listman) e ...)
	NOT-FOR-US: nl_listman typo3 extension
CVE-2009-4387 (The cross-site scripting (XSS) protection mechanism in ShowInContentAr ...)
	NOT-FOR-US: ManageEngine Password Manager Pro (PMP)
CVE-2009-4386 (SQL injection vulnerability in hotel_tiempolibre_ext.php in Venalsur B ...)
	NOT-FOR-US: Venalsur Booking Centre Booking System
CVE-2009-4385 (Multiple cross-site request forgery (CSRF) vulnerabilities in Scriptse ...)
	NOT-FOR-US: Scriptsez.net Ez Poll Hoster
CVE-2009-4384 (Multiple cross-site scripting (XSS) vulnerabilities in Scriptsez.net E ...)
	NOT-FOR-US: Scriptsez.net Ez Poll Hoster
CVE-2009-4383 (Directory traversal vulnerability in Pforum.php in Rocomotion P forum ...)
	NOT-FOR-US: Rocomotion P forum
CVE-2009-4382 (Cross-site scripting (XSS) vulnerability in module.php in PHPFABER CMS ...)
	NOT-FOR-US: PHPFABER CMS
CVE-2009-4381 (Cross-site scripting (XSS) vulnerability in index.php in texmedia Mill ...)
	NOT-FOR-US: texmedia Million Pixel Script
CVE-2009-4380 (Multiple SQL injection vulnerabilities in Valarsoft Webmatic before 3. ...)
	NOT-FOR-US: Valarsoft Webmatic
CVE-2009-4379 (Multiple cross-site scripting (XSS) vulnerabilities in Valarsoft Webma ...)
	NOT-FOR-US: Valarsoft Webmatic
CVE-2009-4378 (The IPMI dissector in Wireshark 1.2.0 through 1.2.4 on Windows allows ...)
	- wireshark (Windows-specific)
CVE-2009-4377 (The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 a ...)
	{DSA-1983-1}
	- wireshark 1.2.5-1
	[etch] - wireshark (Minor issue)
CVE-2009-4376 (Buffer overflow in the daintree_sna_read function in the Daintree SNA ...)
	- wireshark 1.2.5-1
	[lenny] - wireshark (Only affects Wireshark 1.2.x)
	[etch] - wireshark (Only affects Wireshark 1.2.x)
CVE-2009-4375 (SQL injection vulnerability in repository/repository_attachment.php in ...)
	NOT-FOR-US: AlienVault Open Source Security Information Management
CVE-2009-4374 (Directory traversal vulnerability in repository/repository_attachment. ...)
	NOT-FOR-US: AlienVault Open Source Security Information Management
CVE-2009-4373 (Unrestricted file upload vulnerability in repository/repository_attach ...)
	NOT-FOR-US: AlienVault Open Source Security Information Management
CVE-2009-4372 (AlienVault Open Source Security Information Management (OSSIM) 2.1.5, ...)
	NOT-FOR-US: AlienVault Open Source Security Information Management
CVE-2009-4371 (Cross-site scripting (XSS) vulnerability in the Locale module (modules ...)
	- drupal6 6.15-1 (low; bug #562165)
	[lenny] - drupal6 6.6-3lenny4
	- drupal5 5.21-1
	[lenny] - drupal5 (Minor issue, requires auth)
CVE-2009-4370 (Cross-site scripting (XSS) vulnerability in the Menu module (modules/m ...)
	- drupal6 6.15-1 (low; bug #562165)
	[lenny] - drupal6 6.6-3lenny4
	- drupal5 5.21-1
	[lenny] - drupal5 (Minor issue, requires auth)
CVE-2009-4369 (Cross-site scripting (XSS) vulnerability in the Contact module (module ...)
	- drupal6 6.15-1 (low; bug #562165)
	[lenny] - drupal6 6.6-3lenny4
	- drupal5 5.21-1 (low)
	[lenny] - drupal5 (Minor issue, requires auth)
CVE-2009-4368 (Multiple unspecified vulnerabilities in Centreon before 2.1.4 have unk ...)
	- centreon-web (bug #913903)
CVE-2009-4367 (The Staging Webservice ("sitecore modules/staging/service/api.asmx") i ...)
	NOT-FOR-US: Sitecore Staging Module
CVE-2009-4366 (Cross-site scripting (XSS) vulnerability in index.php in ScriptsEz Ez ...)
	NOT-FOR-US: ScriptsEz Ez Blog
CVE-2009-4365 (Multiple cross-site request forgery (CSRF) vulnerabilities in admin.ph ...)
	NOT-FOR-US: ScriptsEz Ez Blog
CVE-2009-4364 (Cross-site scripting (XSS) vulnerability in index.php in ScriptsEz Ez ...)
	NOT-FOR-US: ScriptsEz Ez Blog
CVE-2009-4363 (Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framewo ...)
	{DSA-1966-1}
	- horde3 3.3.6+debian0-1 (low)
CVE-2009-4362 (Multiple buffer overflows in qosmod in IBM AIX 6.1 allow local users t ...)
	NOT-FOR-US: IBM AIX
CVE-2009-4361 (Multiple buffer overflows in qoslist in IBM AIX 6.1 allow local users ...)
	NOT-FOR-US: IBM AIX
CVE-2009-4360 (SQL injection vulnerability in modules/content/index.php in the Conten ...)
	NOT-FOR-US: XOOPS
CVE-2009-4359 (Cross-site scripting (XSS) vulnerability in folder.php in the SmartMed ...)
	NOT-FOR-US: XOOPS
CVE-2009-4358 (freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure pe ...)
	NOT-FOR-US: freebsd-update
CVE-2009-4357 (CQWeb (aka the web interface) in IBM Rational ClearQuest before 7.1.1 ...)
	NOT-FOR-US: IBM Rational ClearQuest
CVE-2009-4356 (Multiple integer overflows in the jpeg.w5s and png.w5s filters in Wina ...)
	NOT-FOR-US: Winamp
CVE-2009-4355 (Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib ...)
	{DSA-1970-1}
	- openssl 0.9.8k-8 (low)
	[etch] - openssl (affects only 0.9.8f and later)
	NOTE: apache2 packages in squeeze/sid do not seem to allow exploit
CVE-2009-4354 (TransWARE Active! mail 2003 build 2003.0139.0871 and earlier does not ...)
	NOT-FOR-US: TransWARE Active
CVE-2009-4353 (The Mobile Edition of TransWARE Active! mail 2003 build 2003.0139.0871 ...)
	NOT-FOR-US: TransWARE Active
CVE-2009-4352 (Multiple cross-site scripting (XSS) vulnerabilities in TransWARE Activ ...)
	NOT-FOR-US: TransWARE Active
CVE-2009-4351 (SQL injection vulnerability in ADMIN/loginaction.php in WSCreator 1.1, ...)
	NOT-FOR-US: WSCreator
CVE-2009-4350 (SQL injection vulnerability in index.php in Arctic Issue Tracker 2.1.1 ...)
	NOT-FOR-US: Arctic Issue Tracker
CVE-2009-4349 (Cross-site request forgery (CSRF) vulnerability in administration/admi ...)
	NOT-FOR-US: Link Up Gold
CVE-2009-4348 (Cross-site scripting (XSS) vulnerability in index.php in Harold Bakker ...)
	NOT-FOR-US: Harold Bakker's NewsScript
CVE-2009-4347 (Cross-site scripting (XSS) vulnerability in daloradius-users/login.php ...)
	NOT-FOR-US: daloRADIUS
CVE-2009-4346 (Cross-site scripting (XSS) vulnerability in the Frontend news submitte ...)
	NOT-FOR-US: fe_rtenews typo3 extension
CVE-2009-4345 (Cross-site scripting (XSS) vulnerability in the vShoutbox (vshoutbox) ...)
	NOT-FOR-US: vShoutbox typo3 extension
CVE-2009-4344 (Cross-site scripting (XSS) vulnerability in the ZID Linkliste (zid_lin ...)
	NOT-FOR-US: zid_linklist typo3 extension
CVE-2009-4343 (Cross-site scripting (XSS) vulnerability in the Training Company Datab ...)
	NOT-FOR-US: trainincdb typo3 extension
CVE-2009-4342 (SQL injection vulnerability in the Job Exchange (jobexchange) extensio ...)
	NOT-FOR-US: jobexchange typo3 extension
CVE-2009-4341 (SQL injection vulnerability in the No indexed Search (no_indexed_searc ...)
	NOT-FOR-US: no_indexed_search typo3 extension
CVE-2009-4340 (Cross-site scripting (XSS) vulnerability in the No indexed Search (no_ ...)
	NOT-FOR-US: no_indexed_search typo3 extension
CVE-2009-4339 (SQL injection vulnerability in the Subscription (mf_subscription) exte ...)
	NOT-FOR-US: mf_subscription typo3 extension
CVE-2009-4338 (SQL injection vulnerability in the Flash SlideShow (slideshow) extensi ...)
	NOT-FOR-US: slideshow typo3 extension
CVE-2009-4337 (SQL injection vulnerability in the Diocese of Portsmouth Calendar (pd_ ...)
	NOT-FOR-US: pd_calendar typo3 extension
CVE-2009-4336 (Cross-site scripting (XSS) vulnerability in the Diocese of Portsmouth ...)
	NOT-FOR-US: pd_calendar typo3 extension
CVE-2009-4335 (Multiple unspecified vulnerabilities in bundled stored procedures in t ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4334 (The Self Tuning Memory Manager (STMM) component in IBM DB2 9.1 before ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4333 (The Relational Data Services component in IBM DB2 9.5 before FP5 allow ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4332 (db2pd in the Problem Determination component in IBM DB2 9.1 before FP7 ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4331 (The Install component in IBM DB2 9.5 before FP5 and 9.7 before FP1 con ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4330 (Unspecified vulnerability in db2licm in the Engine Utilities component ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4329 (Unspecified vulnerability in the Engine Utilities component in IBM DB2 ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4328 (Unspecified vulnerability in the DRDA Services component in IBM DB2 9. ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4327 (The Common Code Infrastructure component in IBM DB2 9.5 before FP5 and ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4326 (The RAND scalar function in the Common Code Infrastructure component i ...)
	NOT-FOR-US: IBM DB2
CVE-2009-4325 (The Client Interfaces component in IBM DB2 8.2 before FP18, 9.1 before ...)
	NOT-FOR-US: IBM DB2
CVE-2009-XXXX [libhaml-ruby XSS issue]
	- libhaml-ruby 2.2.8-1
CVE-2009-XXXX [roundup: unspecified issue]
	- roundup 1.4.11-1
CVE-2009-4324 (Use-after-free vulnerability in the Doc.media.newPlayer method in Mult ...)
	NOT-FOR-US: Adobe Reader and Acrobat 8.0
CVE-2009-4323 (The installation for Zen Cart stores sensitive information and insecur ...)
	NOT-FOR-US: Zen Cart
CVE-2009-4322 (extras/ipn_test_return.php in Zen Cart allows remote attackers to obta ...)
	NOT-FOR-US: Zen Cart
CVE-2009-4321 (extras/curltest.php in Zen Cart 1.3.8 and 1.3.8a, and possibly other v ...)
	NOT-FOR-US: Zen Cart
CVE-2009-4320 (Cross-site scripting (XSS) vulnerability in searchform.php in The Next ...)
	NOT-FOR-US: The Next Generation of Genealogy Sitebuilding
CVE-2009-4319 (PHP remote file inclusion vulnerability in js/bbcodepress/bbcode-form. ...)
	NOT-FOR-US: eoCMS
CVE-2009-4318 (Cross-site scripting (XSS) vulnerability in index.php in Real Estate M ...)
	NOT-FOR-US: Real Estate Manager
CVE-2009-4317 (Cross-site scripting (XSS) vulnerability in index.php in ScriptsEz Ez ...)
	NOT-FOR-US: ScriptsEz
CVE-2009-4316 (Cross-site scripting (XSS) vulnerability in searchresults_main.php in ...)
	NOT-FOR-US: ZeeLyrics
CVE-2009-4315 (Directory traversal vulnerability in admin/ajaxsave.php in Nuggetz CMS ...)
	NOT-FOR-US: Nuggetz CMS
CVE-2009-4314 (Sun Ray Server Software 4.1 on Solaris 10, when Automatic Multi-Group ...)
	NOT-FOR-US: Sun Ray Server Software
CVE-2009-4313 (ir32_32.dll 3.24.15.3 in the Indeo32 codec in Microsoft Windows 2000 S ...)
	NOT-FOR-US: Microsoft
CVE-2009-4312 (Unspecified vulnerability in the Indeo codec in Microsoft Windows 2000 ...)
	NOT-FOR-US: Microsoft
CVE-2009-4311 (Unspecified vulnerability in the Indeo codec in Microsoft Windows 2000 ...)
	NOT-FOR-US: Microsoft
CVE-2009-4310 (Stack-based buffer overflow in the Intel Indeo41 codec for Windows Med ...)
	NOT-FOR-US: Microsoft
CVE-2009-4309 (Heap-based buffer overflow in the Intel Indeo41 codec for Windows Medi ...)
	NOT-FOR-US: Microsoft
CVE-2009-4308 (The ext4_decode_error function in fs/ext4/super.c in the ext4 filesyst ...)
	{DSA-2005-1}
	- linux-2.6 2.6.32-1 (medium)
	[etch] - linux-2.6 (ext4 introduced in 2.6.19)
	[lenny] - linux-2.6 2.6.26-21
	- linux-2.6.24 (medium)
CVE-2009-4307 (The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kerne ...)
	{DSA-2443-1}
	- linux-2.6 2.6.32-2 (low)
	[etch] - linux-2.6 (vulnerable code introduced in 2.6.27)
	[lenny] - linux-2.6 (vulnerable code introduced in 2.6.27)
	- linux-2.6.24 (vulnerable code introduced in 2.6.27)
CVE-2009-4306 (Unspecified vulnerability in the EXT4_IOC_MOVE_EXT (aka move extents) ...)
	- linux-2.6 2.6.32-2 (medium)
	[etch] - linux-2.6 (vulnerable code introduced in 2.6.31)
	[lenny] - linux-2.6 (vulnerable code introduced in 2.6.31)
	- linux-2.6.24 (vulnerable code introduced in 2.6.31)
CVE-2009-4291 RESERVED
CVE-2009-4290 RESERVED
CVE-2009-4289 RESERVED
CVE-2009-4288 RESERVED
CVE-2009-4287 RESERVED
CVE-2009-4286 RESERVED
CVE-2009-4285 RESERVED
CVE-2009-4284 RESERVED
CVE-2009-4283 RESERVED
CVE-2009-4282 RESERVED
CVE-2009-4281 RESERVED
CVE-2009-4280 RESERVED
CVE-2009-4279 RESERVED
CVE-2009-4278 RESERVED
CVE-2009-4277 RESERVED
CVE-2009-4276 REJECTED
CVE-2009-4275 REJECTED
CVE-2009-4274 (Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm befo ...)
	{DSA-2026-1 DTSA-206-1}
	- netpbm-free 2:10.0-12.2 (medium; bug #569060)
CVE-2009-4273 (stap-server in SystemTap before 1.1 allows remote attackers to execute ...)
	- systemtap 1.1-1 (bug #568865)
	[lenny] - systemtap (Server component not yet present)
	[etch] - systemtap (Server component not yet present)
CVE-2009-4272 (A certain Red Hat patch for net/ipv4/route.c in the Linux kernel 2.6.1 ...)
	- linux-2.6 2.6.31-1 (medium)
	[lenny] - linux-2.6 (vulnerable code introduced in 2.6.27)
	[etch] - linux-2.6 (vulnerable code introduced in 2.6.27)
	- linux-2.6.24 (vulnerable code introduced in 2.6.27)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=545411
CVE-2009-4271 (The Linux kernel 2.6.9 through 2.6.17 on the x86_64 and amd64 platform ...)
	- linux-2.6 2.6.18-1
CVE-2009-4270 (Stack-based buffer overflow in the errprintf function in base/gsmisc.c ...)
	{DSA-2080-1}
	- ghostscript 8.70~dfsg-2.1 (medium; bug #562643)
CVE-2009-4269 (The password hash generation algorithm in the BUILTIN authentication f ...)
	- derby (Fixed before initial upload to Debian)
	NOTE: https://issues.apache.org/jira/browse/DERBY-4483
CVE-2009-4268 REJECTED
CVE-2009-4267 (The console in Apache jUDDI 3.0.0 does not properly escape line feeds, ...)
	NOT-FOR-US: Apache jUDDI
CVE-2009-XXXX [gnome-screensaver inhibitor not removed when connection is closed]
	- gnome-screensaver 2.28.0-2 (low; bug #560895)
	[etch] - gnome-screensaver (vulnerable code introduced in 2.28)
	[lenny] - gnome-screensaver (vulnerable code introduced in 2.28)
	NOTE: the code in etch's version is more different but it seems to be affected
	NOTE: http://git.gnome.org/browse/gnome-screensaver/commit/?id=284c9924969a49dbf2d5fae1d680d3310c4df4a3
CVE-2009-5018 (Stack-based buffer overflow in gif2png.c in gif2png 2.5.3 and earlier ...)
	- gif2png 2.5.2-1 (low; bug #550978)
	[etch] - gif2png (minor issue)
	[lenny] - gif2png (minor issue)
CVE-2009-XXXX [browser-based css info disclosure]
	- xulrunner (unimportant; bug #560108)
	- webkit (unimportant; bug #560870)
	- qt4-x11 (unimportant; bug #561754)
	- kdelibs (unimportant; bug #561752)
	- kde4libs (unimportant; bug #561753)
	- kazehakase (unimportant; bug #560871)
	- epiphany-browser (unimportant; bug #560872)
	- galeon (unimportant; bug #560873)
	- dillo (unimportant; bug #560874)
	NOTE: Minor design issue
CVE-2009-XXXX [xpat2: save game permissions issue]
	- xpat2 1.07-17 (unimportant; bug #560087)
CVE-2009-4144 (NetworkManager (NM) 0.7.2 does not ensure that the configured Certific ...)
	- network-manager-applet 0.7.2-2 (low; bug #560067)
	[lenny] - network-manager-applet (WPA/enterprise was added in 0.7.2)
	- network-manager (vulnerable code is in -applet, which is a source package on its own as of 0.6.5)
CVE-2009-XXXX [unsafe xfs]
	- xfs 1:1.0.8-6 (low; bug #521107)
	[etch] - xfs (minor issue)
	[lenny] - xfs 1:1.0.8-2.2+lenny1
CVE-2009-XXXX [xserver-xorg: inherits user's mask]
	- xorg-server 2:1.7.2-1 (low; bug #555308)
	[lenny] - xorg-server 2:1.4.2-10.lenny3
CVE-2009-4296 (SQL injection vulnerability in the Taxonomy Timer module 5.x-1.8 and e ...)
	NOT-FOR-US: Taxonomy Timer module for Drupal
CVE-2009-4295 (Sun Ray Server Software 4.0 and 4.1 does not generate a unique DSA pri ...)
	NOT-FOR-US: Sun Ray Server Software
CVE-2009-4294 (Unspecified vulnerability in the Authentication Manager (aka utauthd) ...)
	NOT-FOR-US: Sun Ray Server Software
CVE-2009-4293 (Internet Initiative Japan SEIL/X1, SEIL/X2, and SEIL/B1 firmware 2.30 ...)
	NOT-FOR-US: Internet Initiative Japan
CVE-2009-4292 (Buffer overflow in the URL filtering function in Internet Initiative J ...)
	NOT-FOR-US: Internet Initiative Japan
CVE-2009-4266 (Cross-site scripting (XSS) vulnerability in search.php in YABSoft Adva ...)
	NOT-FOR-US: YABSoft Advanced Image Hosting (AIH) Script
CVE-2009-4265 (Stack-based buffer overflow in Ideal Administration 2009 9.7.1, and po ...)
	NOT-FOR-US: Ideal Administration
CVE-2009-4264 (PHP remote file inclusion vulnerability in components/core/connect.php ...)
	NOT-FOR-US: AROUNDMe
CVE-2009-4263 (SQL injection vulnerability in main_forum.php in PTCPay GeN3 forum 1.3 ...)
	NOT-FOR-US: PTCPay
CVE-2009-4262 (Harold Bakker's NewsScript (HB-NS) 1.3 allows remote attackers to obta ...)
	NOT-FOR-US: Harold Bakker's Newscript HB-NS
CVE-2009-XXXX [php-net-ping argument injection]
	- php-net-ping 2.4.2-1.1 (medium)
	[etch] - php-net-ping 2.4.2-1+etch1
	[lenny] - php-net-ping 2.4.2-1+lenny1
CVE-2009-4305 (SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1 ...)
	{DSA-1986-1}
	- moodle 1.8.2.dfsg-6 (medium; bug #559531)
	NOTE: MSA-09-0031
CVE-2009-4304 (Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not use a random pa ...)
	{DSA-2115-1}
	- moodle 1.9.8-1 (bug #559531)
	[lenny] - moodle (Minor issue)
	[etch] - moodle (Minor issue)
	NOTE: MSA-09-0029
CVE-2009-4303 (Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password hash ...)
	{DSA-1986-1}
	- moodle 1.8.2.dfsg-6 (bug #559531)
	NOTE: MSA-09-0028
CVE-2009-4302 (login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 ...)
	{DSA-1986-1}
	- moodle 1.8.2.dfsg-6 (bug #559531)
	NOTE: MSA-09-0027
CVE-2009-4301 (mnet/lib.php in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7, when MN ...)
	{DSA-1986-1}
	- moodle 1.8.2.dfsg-6 (bug #559531)
	NOTE: MSA-09-0026
CVE-2009-4300 (Multiple unspecified authentication plugins in Moodle 1.8 before 1.8.1 ...)
	{DSA-2115-1}
	- moodle 1.9.8-1 (bug #559531)
	[lenny] - moodle (Minor issue)
	[etch] - moodle (Minor issue)
	NOTE: MSA-09-0025
CVE-2009-4299 (mod/glossary/showentry.php in the Glossary module for Moodle 1.8 befor ...)
	{DSA-1986-1}
	- moodle 1.8.2.dfsg-6 (bug #559531)
	NOTE: MSA-09-0024
CVE-2009-4298 (The LAMS module (mod/lams) for Moodle 1.8 before 1.8.11 and 1.9 before ...)
	{DSA-1986-1}
	- moodle 1.8.2.dfsg-6 (bug #559531)
	NOTE: MSA-09-0023
CVE-2009-4297 (Multiple cross-site request forgery (CSRF) vulnerabilities in Moodle 1 ...)
	{DSA-1986-1}
	- moodle 1.8.2.dfsg-6 (bug #559531)
	NOTE: MSA-09-0022
CVE-2009-5042 (python-docutils allows insecure usage of temporary files ...)
	- python-docutils 0.6-2 (low; bug #560755)
	[etch] - python-docutils (vulnerable code introduced in 0.5)
	[lenny] - python-docutils 0.5-2+lenny1
	NOTE: cve requested
CVE-2009-4261 (Multiple directory traversal vulnerabilities in the iallocator framewo ...)
	{DSA-1959-1}
	- ganeti 2.0.5-1 (low)
	NOTE: http://www.ocert.org/advisories/ocert-2009-019.html
CVE-2009-4260 RESERVED
CVE-2009-4259 RESERVED
CVE-2009-4258 RESERVED
CVE-2009-4257 (Heap-based buffer overflow in datatype/smil/common/smlpkt.cpp in smlre ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4256 (Multiple SQL injection vulnerabilities in cource.php in AlefMentor 2.0 ...)
	NOT-FOR-US: AlefMentor
CVE-2009-4255 (Cross-site scripting (XSS) vulnerability in the You!Hostit! template 1 ...)
	NOT-FOR-US: Joomla! component
CVE-2009-4254 (PowerPhlogger 2.2.5 allows remote attackers to obtain sensitive inform ...)
	NOT-FOR-US: PowerPhlogger
CVE-2009-4253 (Cross-site scripting (XSS) vulnerability in dspStats.php in PowerPhlog ...)
	NOT-FOR-US: PowerPhlogger
CVE-2009-4252 (Cross-site scripting (XSS) vulnerability in images.php in Image Hostin ...)
	NOT-FOR-US: Image Hosting Script DPI
CVE-2009-4251 (Stack-based buffer overflow in Jasc Paint Shop Pro 8.10 (aka Corel Pai ...)
	NOT-FOR-US: Jasc Paint Shop Pro
CVE-2009-4250 (Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNew ...)
	NOT-FOR-US: CuteNews
CVE-2009-4249 (Multiple cross-site scripting (XSS) vulnerabilities in CutePHP CuteNew ...)
	NOT-FOR-US: CuteNews
CVE-2009-4248 (Buffer overflow in the RTSPProtocol::HandleSetParameterRequest functio ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4247 (Stack-based buffer overflow in protocol/rtsp/rtspclnt.cpp in RealNetwo ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4246 (Stack-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4245 (Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 1 ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4244 (Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 1 ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4243 (RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12 ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4242 (Heap-based buffer overflow in the CGIFCodec::GetPacketBuffer function ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4241 (Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 1 ...)
	NOT-FOR-US: RealPlayer
CVE-2009-4240 (Multiple buffer overflows in unspecified setuid executables in the Dat ...)
	NOT-FOR-US: IBM InfoSphere Information Server
CVE-2009-4239 (Cross-site scripting (XSS) vulnerability in the Web console in IBM Inf ...)
	NOT-FOR-US: IBM InfoSphere Information Server
CVE-2009-4238 (Multiple SQL injection vulnerabilities in TestLink before 1.8.5 allow ...)
	NOT-FOR-US: TestLink
CVE-2009-4237 (Multiple cross-site scripting (XSS) vulnerabilities in TestLink before ...)
	NOT-FOR-US: TestLink
CVE-2009-4236 (The process function in data/class/pages/admin/customer/LC_Page_Admin_ ...)
	NOT-FOR-US: EC-CUBE
CVE-2009-4235 (acpid 1.0.4 sets an unrestrictive umask, which might allow local users ...)
	{DSA-1960-1}
	- acpid 1.0.6 (low; bug #560771)
	NOTE: all versions set umask(0), might be worth double-checking what it opens
CVE-2009-4234 (Cross-site scripting (XSS) vulnerability in loginpages/error_user.shtm ...)
	NOT-FOR-US: Micronet Network Access Controller
CVE-2009-4233 (Cross-site scripting (XSS) vulnerability in modules/mod_yj_whois.php i ...)
	NOT-FOR-US: Joomla! component
CVE-2009-4232 (The Kide Shoutbox (com_kide) component 0.4.6 for Joomla! does not prop ...)
	NOT-FOR-US: Joomla! component
CVE-2009-4231 (Directory traversal vulnerability in as/lib/plugins.php in SweetRice 0 ...)
	NOT-FOR-US: SweetRice
CVE-2009-4230 (Multiple stack-based buffer overflows in src/Task.cc in the FastCGI pr ...)
	NOT-FOR-US: IIPImage Server
CVE-2009-4229 (Multiple SQL injection vulnerabilities in ActiveWebSoftwares Active Bi ...)
	NOT-FOR-US: ActiveWebSoftwares Active Bids
CVE-2009-4226 (Race condition in the IP module in the kernel in Sun OpenSolaris snv_1 ...)
	NOT-FOR-US: OpenSolaris kernel
CVE-2009-4225 (Stack-based buffer overflow in the PestPatrol ActiveX control (ppctl.d ...)
	NOT-FOR-US: PestPatrol
CVE-2009-4228 (Stack consumption vulnerability in u_bound.c in Xfig 3.2.5b and earlie ...)
	- xfig (unimportant)
CVE-2009-4227 (Stack-based buffer overflow in the read_1_3_textobject function in f_r ...)
	- xfig 1:3.2.5.b-1 (low; bug #559274)
	[lenny] - xfig (Minor issue)
	[etch] - xfig (Minor issue)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=543905
CVE-2009-4413 (The httpClientDiscardBody function in client.c in Polipo 0.9.8, 0.9.12 ...)
	{DSA-2002-1}
	- polipo 1.0.4-2 (low; bug #560779)
	[etch] - polipo (Minor issue)
	[lenny] - polipo (Minor issue)
CVE-2009-4224 (Multiple PHP remote file inclusion vulnerabilities in SweetRice 0.5.4, ...)
	NOT-FOR-US: SweetRice
CVE-2009-4223 (PHP remote file inclusion vulnerability in adm/krgourl.php in KR-Web 1 ...)
	NOT-FOR-US: KR-Web
CVE-2009-4222 (phpBazar 2.1.1fix and earlier does not require administrative authenti ...)
	NOT-FOR-US: phpBazar
CVE-2009-4221 (SQL injection vulnerability in classified.php in phpBazar 2.1.1fix and ...)
	NOT-FOR-US: phpBazar
CVE-2009-4220 (PHP remote file inclusion vulnerability in includes/classes/pctemplate ...)
	NOT-FOR-US: PointComma
CVE-2009-4219 (Stack-based buffer overflow in the MYACTIVEX.MyActiveXCtrl.1 ActiveX c ...)
	NOT-FOR-US: Haihaisoft Universal Player
CVE-2009-4218 (Multiple SQL injection vulnerabilities in files/login.asp in JiRo's Ba ...)
	NOT-FOR-US: JiRo's Banner System eXperience (JBSX)
CVE-2009-4217 (SQL injection vulnerability in the Itamar Elharar MusicGallery (com_mu ...)
	NOT-FOR-US: Joomla! component
CVE-2009-4216 (Directory traversal vulnerability in funzioni/lib/menulast.php in klin ...)
	NOT-FOR-US: klinza
CVE-2009-4215 (Panda Global Protection 2010, Internet Security 2010, and Antivirus Pr ...)
	NOT-FOR-US: Panda
CVE-2009-4213 RESERVED
CVE-2009-4212 (Multiple integer underflows in the (1) AES and (2) RC4 decryption func ...)
	{DSA-1969-1}
	- krb5 1.8+dfsg~alpha1-1
CVE-2009-4211 (The U.S. Defense Information Systems Agency (DISA) Security Readiness ...)
	NOT-FOR-US: U.S. Defense Information Systems Agency (DISA) Security Readiness Review (SRR) script
CVE-2009-4210 (The Indeo codec in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Ser ...)
	NOT-FOR-US: Microsoft
CVE-2009-4209 (Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php ...)
	NOT-FOR-US: moziloCMS
CVE-2009-4208 (SQL injection vulnerability in the os_news module in Open-school (OS) ...)
	NOT-FOR-US: Open-school
CVE-2009-4207 (Cross-site scripting (XSS) vulnerability in the Webform module 5.x bef ...)
	NOT-FOR-US: module for Drupal
CVE-2009-4206 (SQL injection vulnerability in admin.link.modify.php in Million Dollar ...)
	NOT-FOR-US: Million Dollar Text Links
CVE-2009-4205 (Directory traversal vulnerability in admin.php in Flashlight Free Edit ...)
	NOT-FOR-US: Flashlight Free Edition
CVE-2009-4204 (SQL injection vulnerability in read.php in Flashlight Free Edition all ...)
	NOT-FOR-US: Flashlight Free Edition
CVE-2009-4203 (Multiple SQL injection vulnerabilities in admin/aclass/admin_func.php ...)
	NOT-FOR-US: Arab Portal
CVE-2009-4202 (Directory traversal vulnerability in the Omilen Photo Gallery (com_omp ...)
	NOT-FOR-US: Joomla! component
CVE-2009-4201 (Multiple stack-based buffer overflows in Mp3 Tag Assistant Professiona ...)
	NOT-FOR-US: Mp3 Tag Assistant Professional
CVE-2009-4200 (SQL injection vulnerability in the Seminar (com_seminar) component 1.2 ...)
	NOT-FOR-US: Joomla! component
CVE-2009-4199 (Multiple SQL injection vulnerabilities in the Mambo Resident (aka Mos ...)
	NOT-FOR-US: Joomla! component
CVE-2009-4198 (SQL injection vulnerability in my_orders.php in MyMiniBill allows remo ...)
	NOT-FOR-US: MyMiniBill
CVE-2009-4197 (rpwizPppoe.htm in Huawei MT882 V100R002B020 ARG-T running firmware 3.7 ...)
	NOT-FOR-US: Huawei MT882 V100R002B020
CVE-2009-4196 (Multiple cross-site scripting (XSS) vulnerabilities in multiple script ...)
	NOT-FOR-US: Huawei MT882 V100R002B020
CVE-2009-4195 (Buffer overflow in Adobe Illustrator CS4 14.0.0, CS3 13.0.3 and earlie ...)
	NOT-FOR-US: Adobe Illustrator
CVE-2009-4194 (Directory traversal vulnerability in Golden FTP Server 4.30 Free and P ...)
	NOT-FOR-US: Golden FTP
CVE-2009-4192 (Directory traversal vulnerability in dialog/file_manager.php in Inters ...)
	NOT-FOR-US: Interspire Knowledge Manager
CVE-2009-4191 (Unspecified vulnerability in the kernel in Sun Solaris 10 and OpenSola ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-4190 (Unspecified vulnerability in the kernel in Sun OpenSolaris 2009.06 all ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-4189 (HP Operations Manager has a default password of OvW*busr1 for the ovwe ...)
	NOT-FOR-US: HP Operations Manager
CVE-2009-4188 (HP Operations Dashboard has a default password of j2deployer for the j ...)
	NOT-FOR-US: HP Operations Dashboard
CVE-2009-4187 (Multiple cross-site scripting (XSS) vulnerabilities in the Gateway com ...)
	NOT-FOR-US: Sun Java System Portal Server
CVE-2009-4186 (Stack consumption vulnerability in Apple Safari 4.0.3 on Windows allow ...)
	NOT-FOR-US: Apple Safari
CVE-2009-4185 (Cross-site scripting (XSS) vulnerability in proxy/smhui/getuiinfo in H ...)
	NOT-FOR-US: HP System Management Homepage
CVE-2009-4184 (Unspecified vulnerability in HP Enterprise Cluster Master Toolkit (ECM ...)
	NOT-FOR-US: HP Enterprise Cluster Master Toolkit
CVE-2009-4183 (Unspecified vulnerability in HP OpenView Storage Data Protector 6.00 a ...)
	NOT-FOR-US: HP OpenView Storage Data Protector
CVE-2009-4182 (Multiple unspecified vulnerabilities in HP Web Jetadmin 10.2, when a r ...)
	NOT-FOR-US: HP Web Jetadmin
CVE-2009-4181 (Stack-based buffer overflow in ovwebsnmpsrv.exe in HP OpenView Network ...)
	NOT-FOR-US: HP OpenView Network Node Manager
CVE-2009-4180 (Stack-based buffer overflow in snmpviewer.exe in HP OpenView Network N ...)
NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4179 (Stack-based buffer overflow in ovalarm.exe in HP OpenView Network Node ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4178 (Heap-based buffer overflow in OvWebHelp.exe in HP OpenView Network Nod ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4177 (Buffer overflow in webappmon.exe in HP OpenView Network Node Manager ( ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4176 (Multiple heap-based buffer overflows in ovsessionmgr.exe in HP OpenVie ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-4175 (CutePHP CuteNews 1.4.6 and UTF-8 CuteNews before 8b allows remote atta ...) NOT-FOR-US: CuteNews CVE-2009-4174 (The editnews module in CutePHP CuteNews 1.4.6 and UTF-8 CuteNews befor ...) NOT-FOR-US: CuteNews CVE-2009-4173 (Cross-site request forgery (CSRF) vulnerability in CutePHP CuteNews 1. ...) NOT-FOR-US: CuteNews CVE-2009-4172 (Cross-site scripting (XSS) vulnerability in index.php in CutePHP CuteN ...) NOT-FOR-US: CuteNews CVE-2009-4171 (An ActiveX control in YahooBridgeLib.dll for Yahoo! Messenger 9.0.0.21 ...) NOT-FOR-US: ActiveX CVE-2009-4170 (WP-Cumulus Plug-in 1.20 for WordPress, and possibly other versions, al ...) NOT-FOR-US: WP-Cumulus Plug-in 1.20 for WordPress CVE-2009-4169 (Cross-site scripting (XSS) vulnerability in wp-cumulus.php in the WP-C ...) NOT-FOR-US: WP-Cumulus Plug-in 1.20 for WordPress CVE-2009-4168 (Cross-site scripting (XSS) vulnerability in Roy Tanck tagcloud.swf, as ...) NOT-FOR-US: WP-Cumulus Plug-in 1.20 for WordPress CVE-2009-4167 (Unspecified vulnerability in the Automatic Base Tags for RealUrl (lt_b ...) NOT-FOR-US: TYPO3 extension CVE-2009-4166 (SQL injection vulnerability in the Trips (mchtrips) extension 2.0.0 fo ...) NOT-FOR-US: TYPO3 extension CVE-2009-4165 (SQL injection vulnerability in the simple Glossar (simple_glossar) ext ...) 
NOT-FOR-US: TYPO3 extension CVE-2009-4164 (Cross-site scripting (XSS) vulnerability in the simple Glossar (simple ...) NOT-FOR-US: TYPO3 extension CVE-2009-4163 (SQL injection vulnerability in the TW Productfinder (tw_productfinder) ...) NOT-FOR-US: TYPO3 extension CVE-2009-4162 (Unspecified vulnerability in the DB Integration (wfqbe) extension 1.3. ...) NOT-FOR-US: TYPO3 extension CVE-2009-4161 (Cross-site scripting (XSS) vulnerability in the [AN] Search it! (an_se ...) NOT-FOR-US: TYPO3 extension CVE-2009-4160 (Unspecified vulnerability in the Simple download-system with counter a ...) NOT-FOR-US: TYPO3 extension CVE-2009-4159 (Cross-site scripting (XSS) vulnerability in the newsletter configurati ...) NOT-FOR-US: TYPO3 extension CVE-2009-4158 (SQL injection vulnerability in the Calendar Base (cal) extension befor ...) NOT-FOR-US: TYPO3 extension CVE-2009-4157 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in th ...) NOT-FOR-US: Joomla! CVE-2009-4156 (PHP remote file inclusion vulnerability in modules/pms/index.php in Ci ...) NOT-FOR-US: Ciamos CMS CVE-2009-4155 (Multiple SQL injection vulnerabilities in Eshopbuilde CMS allow remote ...) NOT-FOR-US: Eshopbuilde CVE-2009-4154 (Directory traversal vulnerability in includes/feedcreator.class.php in ...) NOT-FOR-US: Elxis CMS CVE-2009-4153 (Unspecified vulnerability in the XMLAccess component in IBM WebSphere ...) NOT-FOR-US: IBM WebSphere CVE-2009-4152 (Cross-site scripting (XSS) vulnerability in the Collaboration componen ...) NOT-FOR-US: IBM WebSphere CVE-2009-4151 (Session fixation vulnerability in html/Elements/SetupSessionCookie in ...) {DSA-1944-1} - request-tracker3.6 3.6.9-2 (low) - request-tracker3.4 CVE-2009-4150 (dasauto in IBM DB2 8 before FP18, 9.1 before FP8, 9.5 before FP4, and ...) NOT-FOR-US: IBM DB2 CVE-2009-4149 (Cross-site scripting (XSS) vulnerability in the web interface in CA Se ...) 
NOT-FOR-US: CA Service Desk CVE-2009-4148 (DAZ Studio 2.3.3.161, 2.3.3.163, and 3.0.1.135 allows remote attackers ...) NOT-FOR-US: DAZ Studio CVE-2009-4147 (The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld- ...) - kfreebsd-6 (the affected file -rtld.c- is not in the archive, not even kFreeBSD) CVE-2009-4146 (The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld- ...) - kfreebsd-6 (the affected file -rtld.c- is not in the archive, not even kFreeBSD) CVE-2009-4145 (nm-connection-editor in NetworkManager (NM) 0.7.x exports connection o ...) - network-manager-applet 0.7.2-2 (low; bug #563371) - network-manager (-editor introduced in 0.7 on the -applet package) [lenny] - network-manager-applet (-editor was introduced in 0.7) CVE-2009-4143 (PHP before 5.2.12 does not properly handle session data, which has uns ...) {DSA-2001-1} - php5 5.2.12.dfsg.1-1 (low) CVE-2009-4142 (The htmlspecialchars function in PHP before 5.2.12 does not properly h ...) {DSA-2001-1} - php5 5.2.12.dfsg.1-1 (medium) CVE-2009-4141 (Use-after-free vulnerability in the fasync_helper function in fs/fcntl ...) - linux-2.6 2.6.32-6 [lenny] - linux-2.6 (vulnerable code introduced in 2.6.28) [etch] - linux-2.6 (vulnerable code introduced in 2.6.28) - linux-2.6.24 (vulnerable code introduced in 2.6.28) NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=53281b6d3 CVE-2009-4140 (Unrestricted file upload vulnerability in ofc_upload_image.php in Open ...) - piwik (bug #506933) CVE-2009-4139 (Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java ...) NOT-FOR-US: spacewalk-java CVE-2009-4138 (drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when p ...) {DSA-2005-1} - linux-2.6 2.6.32-3 (medium) [etch] - linux-2.6 (ohci introduced in 2.6.22) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (medium) CVE-2009-4137 (The loadContentFromCookie function in core/Cookie.php in Piwik before ...) 
- piwik (bug #506933) CVE-2009-4136 (PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1. ...) {DSA-1964-1} - postgresql-7.4 - postgresql-8.1 - postgresql-8.2 - postgresql-8.3 8.3.9-1 (low) - postgresql-8.4 8.4.2-1 (low) CVE-2009-4135 (The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 ...) - coreutils (this issue only affects the coreutils build process; bug #560898) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=545439 CVE-2009-4134 (Buffer underflow in the rgbimg module in Python 2.5 allows remote atta ...) - python3.1 (rgbimgmodule no longer included in source) - python2.7 (rgbimgmodule no longer included in source) - python2.6 (rgbimgmodule no longer included in source) - python2.5 2.5.5-11 (low; bug #603162) [lenny] - python2.5 (Minor issue) - python2.4 (low) [lenny] - python2.4 (Minor issue) CVE-2009-4133 (Condor 6.5.4 through 7.2.4, 7.3.x, and 7.4.0, as used in MRG, Grid for ...) - condor (Fixed before initial upload to archive) CVE-2009-4132 REJECTED CVE-2009-4131 (The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the e ...) - linux-2.6 2.6.32-2 (medium) [etch] - linux-2.6 (introduced in 2.6.31) [lenny] - linux-2.6 (introduced in 2.6.31) - linux-2.6.24 (introduced in 2.6.31) CVE-2009-XXXX [monkey DoS] - monkey 0.9.3-1 (low) [lenny] - monkey (Minor issue, fringe package) CVE-2009-4130 (Visual truncation vulnerability in the MakeScriptDialogTitle function ...) - xulrunner (bug #565521) [wheezy] - xulrunner (no detailed information available) CVE-2009-4129 (Race condition in Mozilla Firefox allows remote attackers to produce a ...) - xulrunner (bug #565521) [wheezy] - xulrunner (no detailed information available) CVE-2009-4128 (GNU GRand Unified Bootloader (GRUB) 2 1.97 only compares the submitted ...) 
- grub2 1.97+20091115-1 (bug #555195) [lenny] - grub2 (Password authentication not yet present) - grub (only affects grub2) CVE-2009-4127 (Unspecified vulnerability in Wikipedia Toolbar extension before 0.5.9. ...) NOT-FOR-US: Wikipedia Toolbar extension for Firefox CVE-2009-4126 RESERVED CVE-2009-4125 RESERVED CVE-2009-4124 (Heap-based buffer overflow in the rb_str_justify function in string.c ...) - ruby1.9.1 1.9.1.376-1 - ruby1.9 (bug #572817) - ruby1.8 NOTE: http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/ CVE-2009-4123 RESERVED CVE-2009-4122 RESERVED CVE-2009-4121 (Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.CM ...) NOT-FOR-US: Quick CMS CVE-2009-4120 (Multiple cross-site request forgery (CSRF) vulnerabilities in Quick.Ca ...) NOT-FOR-US: Quick.Cart CVE-2009-4119 (Cross-site scripting (XSS) vulnerability in Feed Element Mapper module ...) NOT-FOR-US: module for Drupal CVE-2009-4118 (The StartServiceCtrlDispatcher function in the cvpnd service (cvpnd.ex ...) NOT-FOR-US: Cisco VPN client for Windows CVE-2009-4117 (Multiple stack-based buffer overflows in pdf_shade4.c in MuPDF before ...) NOT-FOR-US: MuPDF CVE-2009-4116 (Multiple directory traversal vulnerabilities in CutePHP CuteNews 1.4.6 ...) NOT-FOR-US: CutePHP CVE-2009-4115 (Multiple static code injection vulnerabilities in the Categories modul ...) NOT-FOR-US: CutePHP CuteNews CVE-2009-4114 (kl1.sys in Kaspersky Anti-Virus 2010 9.0.0.463, and possibly other ver ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2009-4113 (Static code injection vulnerability in the Categories module in CutePH ...) NOT-FOR-US: CutePHP CuteNews CVE-2009-4110 (Cross-site scripting (XSS) vulnerability in the search functionality i ...) NOT-FOR-US: DotNetNuke CVE-2009-4109 (The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent an ...) NOT-FOR-US: DotNetNuke CVE-2009-4108 (XM Easy Personal FTP Server 5.8.0 allows remote authenticated users to ...) 
NOT-FOR-US: XM Easy Personal FTP Server CVE-2009-4107 (Buffer overflow in Invisible Browsing 5.0.52 allows user-assisted remo ...) NOT-FOR-US: Invisible Browsing CVE-2009-4106 (Unrestricted file upload vulnerability in admintools/editpage-2.php in ...) NOT-FOR-US: Agoko CMS CVE-2009-4105 (TYPSoft FTP Server 1.10 allows remote authenticated users to cause a d ...) NOT-FOR-US: TYPSoft FTP Server CVE-2009-4104 (SQL injection vulnerability in Lyften Designs LyftenBloggie (com_lyfte ...) NOT-FOR-US: Joomla! component CVE-2009-4103 (Buffer overflow in Robo-FTP 3.6.17, and possibly other versions, allow ...) NOT-FOR-US: Robo-FTP CVE-2009-4102 (Sage 1.4.3 and earlier extension for Firefox performs certain operatio ...) {DSA-1951-1} - firefox-sage 1.4.3-4 (medium; bug #559267) CVE-2009-4101 (infoRSS 1.1.4.2 and earlier extension for Firefox performs certain ope ...) NOT-FOR-US: infoRSS extension for Firefox CVE-2009-4100 (Yoono extension before 6.1.1 for Firefox performs certain operations w ...) NOT-FOR-US: Yoono extension for Firefox CVE-2009-4099 (SQL injection vulnerability in the Google Calendar GCalendar (com_gcal ...) NOT-FOR-US: Joomla! Component CVE-2009-4098 (Unrestricted file upload vulnerability in banner-edit.php in OpenX ads ...) - openx (bug #513771) CVE-2009-4097 (Stack-based buffer overflow in the MplayInputFile function in Serenity ...) NOT-FOR-US: Serenity Audio Player CVE-2009-4096 (RADIO istek scripti 2.5 stores sensitive information under the web roo ...) NOT-FOR-US: RADIO istek scripti CVE-2009-4095 (myPhile 1.2.1 allows remote attackers to bypass authentication via an ...) NOT-FOR-US: myPhile CVE-2009-4094 (PHP remote file inclusion vulnerability in class/php/d4m_ajax_pagenav. ...) NOT-FOR-US: Joomla! component CVE-2009-4093 (Multiple cross-site scripting (XSS) vulnerabilities in comments.php in ...) NOT-FOR-US: Simplog CVE-2009-4092 (Cross-site request forgery (CSRF) vulnerability in user.php in Simplog ...) 
NOT-FOR-US: Simplog CVE-2009-4091 (comments.php in Simplog 0.9.3.2, and possibly earlier, does not proper ...) NOT-FOR-US: Simplog CVE-2009-4090 (Unrestricted file upload vulnerability in ajax/addComment.php in telep ...) NOT-FOR-US: telepark.wiki CVE-2009-4089 (telepark.wiki 2.4.23 and earlier allows remote attackers to bypass aut ...) NOT-FOR-US: telepark.wiki CVE-2009-4088 (Multiple directory traversal vulnerabilities in telepark.wiki 2.4.23 a ...) NOT-FOR-US: telepark.wiki CVE-2009-4087 (Cross-site scripting (XSS) vulnerability in index.php in telepark.wiki ...) NOT-FOR-US: telepark.wiki CVE-2009-4086 (CRLF injection vulnerability in Xerver HTTP Server 4.31 and 4.32 allow ...) NOT-FOR-US: Xerver HTTP Server CVE-2009-4085 (PHP remote file inclusion vulnerability in assets/plugins/mp3_id/mp3_i ...) NOT-FOR-US: PHP Traverser CVE-2009-4084 (SQL injection vulnerability in the search feature in e107 0.7.16 and e ...) NOT-FOR-US: e107 CVE-2009-4083 (Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.16 and ...) NOT-FOR-US: e107 CVE-2009-4082 (PHP remote file inclusion vulnerability in forums/Forum_Include/index. ...) NOT-FOR-US: Outreach Project Tool CVE-2009-4081 (Untrusted search path vulnerability in dstat before r3199 allows local ...) - dstat (Fixed/tracked as CVE-2009-3894) NOTE: This second ID is about the same issue, but for an older version, see NOTE: http://bugs.gentoo.org/show_bug.cgi?id=293497 NOTE: For Debian we'll just use CVE-2009-3894 and mark this one as not-affected CVE-2009-4080 (Multiple unspecified vulnerabilities in ldap_cachemgr (aka the LDAP cl ...) NOT-FOR-US: ldap_cachemgr in Sun Solaris CVE-2009-4079 (Cross-site request forgery (CSRF) vulnerability in Redmine 0.8.5 and e ...) - redmine 0.9.0~svn2902-1 CVE-2009-4078 (Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 a ...) - redmine 0.9.0~svn2902-1 CVE-2009-4077 (Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0 ...) 
- roundcube 0.3-1 CVE-2009-4076 (Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0 ...) - roundcube 0.3-1 CVE-2009-4075 (Unspecified vulnerability in the timeout mechanism in sshd in Sun Sola ...) NOT-FOR-US: Sun Solaris CVE-2009-4074 (The XSS Filter in Microsoft Internet Explorer 8 allows remote attacker ...) NOT-FOR-US: Microsoft Internet Explorer 8 CVE-2009-4214 (Cross-site scripting (XSS) vulnerability in the strip_tags function in ...) {DSA-2301-1 DSA-2260-1} - rails 2.2.3-2 (low; bug #558685) NOTE: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1 CVE-2009-4073 (The printing functionality in Microsoft Internet Explorer 8 allows rem ...) NOT-FOR-US: Microsoft Internet Explorer 8 CVE-2009-4072 (Unspecified vulnerability in Opera before 10.10 has unknown impact and ...) NOT-FOR-US: Opera CVE-2009-4071 (Opera before 10.10, when exception stacktraces are enabled, places scr ...) NOT-FOR-US: Opera CVE-2009-4070 (SQL injection vulnerability in GForge 4.5.14, 4.7.3, and possibly othe ...) {DSA-1818-1} - gforge 4.7.3-2 CVE-2009-4069 (Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5.14, ...) {DSA-1818-1} - gforge 4.7.3-2 CVE-2009-4068 RESERVED CVE-2009-4067 (Buffer overflow in the auerswald_probe function in the Auerswald Linux ...) {DSA-2310-1} - linux-2.6 2.6.28-1 (low) NOTE: Driver was removed in 2.6.27 CVE-2009-4066 (Multiple cross-site request forgery (CSRF) vulnerabilities in the "My ...) NOT-FOR-US: module for Drupal CVE-2009-4065 (Cross-site scripting (XSS) vulnerability in the settings page in the S ...) NOT-FOR-US: module for Drupal CVE-2009-4064 (Cross-site scripting (XSS) vulnerability in the Gallery Assist module ...) NOT-FOR-US: module for Drupal CVE-2009-4063 (Cross-site scripting (XSS) vulnerability in the Subgroups for Organic ...) NOT-FOR-US: module for Drupal CVE-2009-4062 (Multiple cross-site scripting (XSS) vulnerabilities in the Printfriend ...) 
NOT-FOR-US: module for Drupal CVE-2009-4061 (Multiple cross-site scripting (XSS) vulnerabilities in the Agreement m ...) NOT-FOR-US: module for Drupal CVE-2009-4060 (SQL injection vulnerability in includes/content/viewProd.inc.php in Cu ...) NOT-FOR-US: CubeCart CVE-2009-4059 (SQL injection vulnerability in the JoomClip (com_joomclip) component f ...) NOT-FOR-US: component for Joomla! CVE-2009-4058 (SQL injection vulnerability in allauctions.php in Telebid Auction Scri ...) NOT-FOR-US: Telebid Auction Script CVE-2009-4057 (SQL injection vulnerability in the inertialFATE iF Portfolio Nexus (co ...) NOT-FOR-US: component for Joomla! CVE-2009-4056 (Directory traversal vulnerability in admin/popup.php in Betsy CMS 3.5 ...) NOT-FOR-US: Betsy CMS CVE-2009-4055 (rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27 ...) {DSA-1952-1} - asterisk 1:1.6.2.0~rc7-1 (bug #559103) [etch] - asterisk (Etch Packages no longer covered by security support) CVE-2009-4054 REJECTED CVE-2009-4053 (Multiple directory traversal vulnerabilities in Home FTP Server 1.10.1 ...) NOT-FOR-US: Home FTP Server CVE-2009-4052 (Multiple cross-site scripting (XSS) vulnerabilities in the JSF Widget ...) NOT-FOR-US: IBM Rational Application Developer for WebSphere CVE-2009-4051 (Home FTP Server 1.10.1.139 allows remote attackers to cause a denial o ...) NOT-FOR-US: Home FTP Server CVE-2009-4050 (Directory traversal vulnerability in get_file.php in phpMyBackupPro 2. ...) NOT-FOR-US: phpMyBackupPro CVE-2009-4049 (Heap-based buffer overflow in aswRdr.sys (aka the TDI RDR driver) in a ...) NOT-FOR-US: avast CVE-2009-4048 (Dxmsoft XM Easy Personal FTP Server 5.8.0 allows remote authenticated ...) NOT-FOR-US: Dxmsoft XM Easy Personal FTP Server CVE-2009-4047 (Multiple cross-site scripting (XSS) vulnerabilities in PHD Help Desk 1 ...) NOT-FOR-US: PHD Help Desk CVE-2009-4112 (Cacti 0.8.7e and earlier allows remote authenticated administrators to ...) 
[experimental] - cacti 1.2.0~beta2+ds1-1 - cacti 1.2.1+ds1-1 (unimportant; bug #561339) NOTE: 4B0E1566.1070509@moritz-naumann.com in bugtraq NOTE: as one requires admin access to cacti, upstream will implement a whitelist NOTE: https://github.com/Cacti/cacti/issues/1072 CVE-2009-4032 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7e al ...) {DSA-1954-1} - cacti 0.8.7e-1.1 (low; bug #561338) NOTE: http://docs.cacti.net/#cross-site_scripting_fixes NOTE: http://www.cacti.net/download_patches.php NOTE: incomplete, probably another CVE id will be allocated: https://bugzilla.redhat.com/show_bug.cgi?id=541279#c17 CVE-2009-4046 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x b ...) NOT-FOR-US: FrontAccounting CVE-2009-4045 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) before ...) NOT-FOR-US: FrontAccounting CVE-2009-4044 (The Web Services module 6.x for Drupal does not perform the expected a ...) NOT-FOR-US: Web Services module for Drupal CVE-2009-4043 (Cross-site scripting (XSS) vulnerability in the AddToAny module 5.x be ...) NOT-FOR-US: module for Drupal CVE-2009-4042 (Cross-site scripting (XSS) vulnerability in the RootCandy theme 6.x be ...) NOT-FOR-US: theme for Drupal CVE-2009-4041 (UseBB 1.0.9 before 1.0.10 allows remote attackers to cause a denial of ...) NOT-FOR-US: UseBB CVE-2009-4040 (Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.0.17 and ...) NOT-FOR-US: phpMyFAQ CVE-2009-4039 (Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows ...) - piwigo (Fixed before initial upload to the archive) CVE-2009-4038 (Multiple cross-site scripting (XSS) vulnerabilities in NCH Software Ax ...) NOT-FOR-US: NCH Software Axon Virtual PBX CVE-2009-4037 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) before ...) NOT-FOR-US: FrontAccounting CVE-2009-4036 REJECTED CVE-2009-4035 (The FoFiType1::parse function in fofi/FoFiType1.cc in Xpdf 3.0.0, gpdf ...) 
- kdegraphics 4:4.0.0-1 - xpdf 3.01-1 - poppler 0.5.1-1 - swftools 0.9.2+ds1-2 NOTE: was silently fixed by upstream xpdf, fix propagated to poppler in 4b4fc5c017b/2005-09-14 NOTE: but at least version 0.4.5 does *not* contain the ship. NOTE: Was fixed somewhere between 0.4.5 and 0.5.1 CVE-2009-4034 (PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1. ...) {DSA-1964-1} - postgresql-7.4 - postgresql-8.1 - postgresql-8.2 - postgresql-8.3 8.3.9-1 (low) - postgresql-8.4 8.4.2-1 (low) CVE-2009-4033 (A certain Red Hat patch for acpid 1.0.4 effectively triggers a call to ...) - acpid (problem in redhat-specific patch; debian uses sensible permissions 0664) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=515062 CVE-2009-4031 (The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86 emulat ...) {DSA-1962-1} - linux-2.6 2.6.32-3 (low) [lenny] - linux-2.6 2.6.26-21 [etch] - linux-2.6 (kvm introduced in 2.6.25) - linux-2.6.24 (kvm introduced in 2.6.25) - kvm (low; bug #562075) CVE-2009-4030 (MySQL 5.1.x before 5.1.41 allows local users to bypass certain privile ...) {DSA-1997-1} - mysql-5.1 5.1.43-1 - mysql-dfsg-5.0 CVE-2009-4029 (The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, an ...) - automake 1:1.4-p6-13.1 [lenny] - automake (Minor issue) - automake1.9 1.9.6+nogfdl-3.1 [lenny] - automake1.9 (Minor issue) - automake1.7 1.7.9-9.1 [lenny] - automake1.7 (Minor issue) - automake1.10 1:1.10.3-1 [lenny] - automake1.10 (Minor issue) NOTE: spu will be released to avoid spreading the bug even further NOTE: http://lists.gnu.org/archive/html/automake/2009-12/msg00012.html CVE-2009-4028 (The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x b ...) - mysql-5.1 (Vulnerable code not present) - mysql-dfsg-5.0 (Vulnerable code not present) NOTE: built with --without-openssl CVE-2009-4027 (Race condition in the mac80211 subsystem in the Linux kernel before 2. ...) 
{DSA-1996-1 DTSA-204-1} - linux-2.6 2.6.32-1 (medium) [etch] - linux-2.6 (introduced in 2.6.26) - linux-2.6.24 (introduced in 2.6.26) CVE-2009-4026 (The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-2009 ...) {DTSA-204-1} - linux-2.6 2.6.32-1 (medium) [etch] - linux-2.6 (introduced in 2.6.30) [lenny] - linux-2.6 (introduced in 2.6.30) - linux-2.6.24 (introduced in 2.6.30) CVE-2009-4025 (Argument injection vulnerability in the traceroute function in Tracero ...) NOT-FOR-US: Net_Traceroute PEAR module CVE-2009-4024 (Argument injection vulnerability in the ping function in Ping.php in t ...) {DSA-1949-1} - php-net-ping 2.4.2-1.1 (medium) NOTE: fix applied by upstream is incomplete, reported to oss-sec CVE-2009-4111 (Argument injection vulnerability in Mail/sendmail.php in the Mail pack ...) {DSA-1938-1} - php-mail 1.1.14-2 (medium; bug #557121) [lenny] - php-mail 1.1.14-1+lenny1 [etch] - php-mail 1.1.6-2+etch1 CVE-2009-4023 (Argument injection vulnerability in the sendmail implementation of the ...) {DSA-1938-1} - php-mail 1.1.14-2 (medium; bug #557121) [lenny] - php-mail 1.1.14-1+lenny1 [etch] - php-mail 1.1.6-2+etch1 CVE-2009-4022 (Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before ...) {DSA-1961-1} - bind9 1:9.6.1.dfsg.P2-1 (medium) NOTE: https://www.isc.org/node/504 NOTE: Only affects installations with trust anchors, but then the NOTE: consequences are quite severe. CVE-2009-4020 (Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2 ...) {DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.32-3 (medium) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (medium) CVE-2009-4019 (mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not ( ...) 
{DSA-1997-1} - mysql-5.1 5.1.41-1 - mysql-dfsg-5.0 NOTE: http://web.archive.org/web/20140722233305/http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html NOTE: http://web.archive.org/web/20140723045533/http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html NOTE: http://bugs.mysql.com/47780 NOTE: http://bugs.mysql.com/48291 CVE-2009-4018 (The proc_open function in ext/standard/proc_open.c in PHP before 5.2.1 ...) - php5 5.2.11.dfsg.1-1 (unimportant) NOTE: safe_mode bypass CVE-2009-4016 (Integer underflow in the clean_string function in irc_string.c in (1) ...) {DSA-1980-1} - ircd-ratbox 3.0.6.dfsg-1 (medium; bug #567191) - ircd-hybrid 1:7.2.2.dfsg.2-6.1 (medium; bug #567192) - oftc-hybrid 1.6.3.dfsg-1.1 (medium; bug #567193) CVE-2009-4015 (Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x befor ...) {DSA-1979-1} - lintian 2.3.2 (medium) CVE-2009-4014 (Multiple format string vulnerabilities in Lintian 1.23.x through 1.23. ...) {DSA-1979-1} - lintian 2.3.2 (medium) CVE-2009-4013 (Multiple directory traversal vulnerabilities in Lintian 1.23.x through ...) {DSA-1979-1} - lintian 2.3.2 (medium) CVE-2009-4012 (Multiple integer overflows in LibThai before 0.1.13 might allow contex ...) {DSA-1971-1} - libthai 0.1.13-1 CVE-2009-4011 (dtc-xen 0.5.x before 0.5.4 suffers from a race condition where an atta ...) - dtc-xen 0.5.4-1 [lenny] - dtc-xen (Only affects 0.5.x) CVE-2009-4010 (Unspecified vulnerability in PowerDNS Recursor before 3.1.7.2 allows r ...) {DSA-1968-2 DSA-1968-1} - pdns-recursor 3.1.7.2-1 (high) CVE-2009-4009 (Buffer overflow in PowerDNS Recursor before 3.1.7.2 allows remote atta ...) {DSA-1968-1} - pdns-recursor 3.1.7.2-1 (high) [etch] - pdns-recursor (vulnerable code not present) CVE-2009-4008 (Unbound before 1.4.4 does not send responses for signed zones after mi ...) {DSA-2243-1} - unbound 1.4.4-1 (low) CVE-2009-4007 (Unspecified vulnerability in the NormaliseTrainConsist function in src ...) 
- openttd 0.7.5-1 [lenny] - openttd 0.6.2-1+lenny1 CVE-2009-4006 (Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft ...) NOT-FOR-US: Serv-U FTP server CVE-2009-4005 (The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the L ...) {DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.32-1 (low) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (low) CVE-2009-4003 (Multiple integer overflows in Adobe Shockwave Player before 11.5.6.606 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-4002 (Heap-based buffer overflow in Adobe Shockwave Player before 11.5.6.606 ...) NOT-FOR-US: Adobe Shockwave Player CVE-2009-4001 (Integer overflow in XnView before 1.97.2 might allow remote attackers ...) NOT-FOR-US: XnView CVE-2009-4000 (Directory traversal vulnerability in goform/formExportDataLogs in HP P ...) NOT-FOR-US: HP Power Manager CVE-2009-3999 (Stack-based buffer overflow in goform/formExportDataLogs in HP Power M ...) NOT-FOR-US: HP Power Manager CVE-2009-3998 RESERVED CVE-2009-3997 (Integer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Win ...) NOT-FOR-US: winamp CVE-2009-3996 (Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug- ...) {DSA-2071-1} - libmikmod 3.1.11-6.2 (bug #575742) - pysol-sound-server (unimportant) NOTE: pysol-sound-server embeds a mikmod copy, but only reads to local files CVE-2009-3995 (Multiple heap-based buffer overflows in IN_MOD.DLL (aka the Module Dec ...) {DSA-2081-1 DSA-2071-1} - libmikmod 3.1.11-6.2 (bug #575742) - pysol-sound-server (unimportant) NOTE: pysol-sound-server embeds a mikmod copy, but only reads to local files CVE-2009-3994 (Stack-based buffer overflow in the GetUID function in src-IL/src/il_di ...) - devil 1.7.8-6 (low; bug #560080) [lenny] - devil (Minor issue) [etch] - devil (Minor issue) CVE-2009-3993 REJECTED CVE-2009-3992 REJECTED CVE-2009-3991 REJECTED CVE-2009-3990 REJECTED CVE-2009-3989 (Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3. ...) 
- bugzilla 3.4.7.0-1 (unimportant) NOTE: http://www.bugzilla.org/security/3.0.10/ CVE-2009-3988 (Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMon ...) {DSA-1999-1} - xulrunner 1.9.1.8-1 [etch] - xulrunner - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - iceape 2.0.3-1 [lenny] - iceape (Lenny package only provide xpcom stubs) CVE-2009-3987 (The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3 ...) - xulrunner (Windows-specific vulnerability) CVE-2009-3986 (Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey be ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3985 (Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey be ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3984 (Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey be ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3983 (Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey be ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-3982 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...) - xulrunner 1.9.1.6-1 [lenny] - xulrunner (Only affects Firefox 3.5) [etch] - xulrunner (Only affects Firefox 3.5) CVE-2009-3981 (Unspecified vulnerability in the browser engine in Mozilla Firefox bef ...) 
{DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1 NOTE: Only affects Firefox 3 CVE-2009-3980 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - xulrunner 1.9.1.6-1 - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) [lenny] - xulrunner (Only affects Firefox 3.5) CVE-2009-3979 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) {DSA-1956-1} - iceweasel 3.5.11-2 [lenny] - iceweasel (Iceweasel in Lenny links against xulrunner) - xulrunner 1.9.1.6-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-3978 (The nsGIFDecoder2::GifWrite function in decoders/gif/nsGIFDecoder2.cpp ...) - xulrunner 1.9.1.5-1 (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-3977 (Multiple buffer overflows in a certain ActiveX control in ActiveDom.oc ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-3976 (Buffer overflow in Labtam ProFTP 2.9 allows remote FTP servers to caus ...) NOT-FOR-US: Labtam ProFTP CVE-2009-3975 (SQL injection vulnerability in index.php in Moa Gallery 1.1.0 and 1.2. ...) NOT-FOR-US: Moa Gallery CVE-2009-3974 (Multiple SQL injection vulnerabilities in Invision Power Board (IPB or ...) NOT-FOR-US: Invision Power Board CVE-2009-3973 (SQL injection vulnerability in index.php in Turnkey Arcade Script allo ...) NOT-FOR-US: Turnkey Arcade Script CVE-2009-3972 (SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirl ...) NOT-FOR-US: component for Joomla! CVE-2009-3971 (SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 a ...) NOT-FOR-US: component for Joomla! CVE-2009-3970 (SQL injection vulnerability in index.php in PHP Dir Submit (aka Websit ...) 
NOT-FOR-US: PHP Dir Submit CVE-2009-3969 (Stack-based buffer overflow in Faslo Player 7.0 allows remote attacker ...) NOT-FOR-US: Faslo Player CVE-2009-3968 (Multiple SQL injection vulnerabilities in ITechBids 8.0 allow remote a ...) NOT-FOR-US: ITechBids CVE-2009-3967 (SQL injection vulnerability in browse.php in Ed Charkow SuperCharged L ...) NOT-FOR-US: Ed Charkow SuperCharged Linking CVE-2009-3966 (Arcade Trade Script 1.0 allows remote attackers to bypass authenticati ...) NOT-FOR-US: Arcade Trade Script CVE-2009-3965 (SQL injection vulnerability in rating.php in New 5 star Rating 1.0 all ...) NOT-FOR-US: New 5 star Rating CVE-2009-3964 (SQL injection vulnerability in the NinjaMonials (com_ninjacentral) com ...) NOT-FOR-US: component for Joomla! CVE-2009-3898 (Directory traversal vulnerability in src/http/modules/ngx_http_dav_mod ...) - nginx 0.7.63-1 (low; bug #557389) [etch] - nginx (upload rights required) [lenny] - nginx (upload rights required) CVE-2009-3897 (Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of ce ...) - dovecot 1:1.2.8-1 (medium; bug #557601) [lenny] - dovecot (Only affects 1.2.x) [etch] - dovecot (Only affects 1.2.x) CVE-2009-4017 (PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number ...) {DSA-1940-1} - php5 5.2.11.dfsg.1-2 (medium) - php4 (medium) NOTE: workarounds include using 5.3.1 or php5-suhosin NOTE: 4B068517.802@acunetix.com on bugtraq explains it CVE-2009-3080 (Array index error in the gdth_read_event function in drivers/scsi/gdth ...) {DSA-2005-1 DSA-2003-1} - linux-2.6 2.6.32-1 (medium) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 (medium) NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=690e744869f3262855b83b4fb59199cf142765b0 CVE-2009-4021 (The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in ...) 
	{DSA-2005-1 DSA-2003-1}
	- linux-2.6 2.6.32-1 (low)
	[lenny] - linux-2.6 2.6.26-21
	- linux-2.6.24 (low)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=538734
CVE-2009-3963 (Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have ...)
	NOT-FOR-US: XOOPS
CVE-2009-3962 (The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, ...)
	NOT-FOR-US: 2wire Gateway
CVE-2009-3961 (SQL injection vulnerability in user.php in Super Serious Stats (aka su ...)
	NOT-FOR-US: Super Serious Stats
CVE-2009-3960 (Unspecified vulnerability in BlazeDS 3.2 and earlier, as used in LiveC ...)
	NOT-FOR-US: LiveCycle
CVE-2009-3959 (Integer overflow in the U3D implementation in Adobe Reader and Acrobat ...)
	NOT-FOR-US: Adobe Reader and Acrobat 8.0
CVE-2009-3958 (Multiple stack-based buffer overflows in the NOS Microsystems getPlus ...)
	NOT-FOR-US: Adobe Reader and Acrobat 8.0
CVE-2009-3957 (Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows ...)
	NOT-FOR-US: Adobe Reader and Acrobat 8.0
CVE-2009-3956 (The default configuration of Adobe Reader and Acrobat 9.x before 9.3, ...)
	NOT-FOR-US: Adobe Reader and Acrobat 8.0
CVE-2009-3955 (Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows ...)
	NOT-FOR-US: Adobe Reader and Acrobat 8.0
CVE-2009-3954 (The 3D implementation in Adobe Reader and Acrobat 9.x before 9.3, and ...)
	NOT-FOR-US: Adobe Reader and Acrobat 8.0
CVE-2009-3953 (The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x ...)
	NOT-FOR-US: Adobe Reader and Acrobat 8.0
CVE-2009-3952 (Buffer overflow in Adobe Illustrator CS3 13.0.3 and earlier and Illust ...)
	NOT-FOR-US: Adobe Illustrator
CVE-2009-3951 (Unspecified vulnerability in the Flash Player ActiveX control in Adobe ...)
	NOT-FOR-US: Flash Player
CVE-2009-3950 (Multiple cross-site scripting (XSS) vulnerabilities in Bractus SunTrac ...)
	NOT-FOR-US: Bractus SunTrack
CVE-2009-3949 (cp/profile.php in VivaPrograms Infinity 2.0.5 and earlier does not req ...)
	NOT-FOR-US: VivaPrograms Infinity
CVE-2009-3948 (JetAudio 7.5.3 COWON Media Center allows remote attackers to cause a d ...)
	NOT-FOR-US: JetAudio
CVE-2009-3947 (Buffer overflow in the FTP service on the Tandberg MXP F7.0 allows rem ...)
	NOT-FOR-US: Tandberg MXP F7.0
CVE-2009-3946 (Joomla! before 1.5.15 allows remote attackers to read an extension's X ...)
	NOT-FOR-US: Joomla!
CVE-2009-3945 (Unspecified vulnerability in the Front-End Editor in the com_content c ...)
	NOT-FOR-US: component in Joomla!
CVE-2009-3944 (Research In Motion (RIM) BlackBerry Browser on the BlackBerry 8800 all ...)
	NOT-FOR-US: BlackBerry Browser on the BlackBerry 8800
CVE-2009-3943 (Microsoft Internet Explorer 6 through 6.0.2900.2180 and 7 through 7.0. ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-3942 (Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not pro ...)
	- msmtp (uses GnuTLS and not OpenSSL; bug #557324)
CVE-2009-3941 (Martin Lambers mpop before 1.0.19, when OpenSSL is used, does not prop ...)
	- mpop (uses GnuTLS and not OpenSSL; bug #557326)
CVE-2009-3940 (Unspecified vulnerability in Guest Additions in Sun xVM VirtualBox 1.6 ...)
	- virtualbox-guest-additions 3.0.10-1
CVE-2009-3939 (The poll_mode_io file for the megaraid_sas driver in the Linux kernel ...)
	{DSA-1996-1}
	- linux-2.6 2.6.32-6 (low)
	[etch] - linux-2.6 (Vulnerable code not present)
	- linux-2.6.24 (low)
CVE-2009-4004 (Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x ...)
	- linux-2.6 2.6.32-1 (medium)
	[etch] - linux-2.6 (kvm introduced in 2.6.25)
	[lenny] - linux-2.6 (vulnerable code not present)
	- linux-2.6.24 (kvm introduced in 2.6.25)
	- kvm 88+dfsg-2 (medium; bug #557736)
	[lenny] - kvm (vulnerable code not present)
	NOTE: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a9e38c3e01ad242fe2a625354cf065c34b01e3aa
CVE-2009-3937 (Memory leak in Solaris TCP sockets in Sun OpenSolaris snv_106 through ...)
	NOT-FOR-US: Sun OpenSolaris
CVE-2009-3936 (Unspecified vulnerability in Citrix Online Plug-in for Windows 11.0.x ...)
	NOT-FOR-US: Citrix Online Plug-in
CVE-2009-3935 (Multiple unspecified vulnerabilities in the Advanced Management Module ...)
	NOT-FOR-US: IBM BladeCenter
CVE-2009-3934 (The WebFrameLoaderClient::dispatchDidChangeLocationWithinPage function ...)
	- chromium-browser (Only 0.x is affected)
	- webkit (chrome-specific issue)
CVE-2009-3933 (WebKit before r50173, as used in Google Chrome before 3.0.195.32, allo ...)
	- webkit (chromium-specific issue in their timer)
	- qt4-x11 (chromium-specific issue in their timer)
	- kdelibs (chromium-specific issue in their timer)
	- kde4libs (chromium-specific issue in their timer)
	- chromium-browser (Only 0.x is affected)
CVE-2009-3932 (The Gears plugin in Google Chrome before 3.0.195.32 allows user-assist ...)
	- chromium-browser (Only 0.x is affected)
	- webkit (gears is only implemented in chromium)
CVE-2009-3931 (Incomplete blacklist vulnerability in browser/download/download_exe.cc ...)
	- chromium-browser (Only 3.x is affected)
	- webkit (chrome-specific issue)
CVE-2009-3930 (Multiple integer overflows in Christos Zoulas file before 5.02 allow u ...)
	- file 5.03-1
	[lenny] - file
	[etch] - file
CVE-2009-3929
	REJECTED
CVE-2009-3928
	REJECTED
CVE-2009-3927
	REJECTED
CVE-2009-3926
	REJECTED
CVE-2009-3925
	REJECTED
CVE-2009-XXXX [eglibc: ldd arbitrary code execution]
	- eglibc 2.10.1-7 (unimportant; bug #552518)
	- glibc 2.10.1-7 (unimportant; bug #552518)
CVE-2009-3924 (Buffer overflow in pbsv.dll, as used in Soldier of Fortune II and poss ...)
	NOT-FOR-US: Soldier of Fortune
CVE-2009-3923 (The VirtualBox 2.0.8 and 2.0.10 web service in Sun Virtual Desktop Inf ...)
	NOT-FOR-US: Sun Virtual Desktop Infrastructure
CVE-2009-3922 (Multiple cross-site request forgery (CSRF) vulnerabilities in the User ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3921 (The Smartqueue_og module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-rc3 ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3920 (An administration page in the NGP COO/CWP Integration (crmngp) module ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3919 (Cross-site scripting (XSS) vulnerability in the NGP COO/CWP Integratio ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3918 (Cross-site scripting (XSS) vulnerability in the Zoomify module 5.x bef ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3917 (Cross-site scripting (XSS) vulnerability in the S5 Presentation Player ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3916 (Cross-site scripting (XSS) vulnerability in the Node Hierarchy module ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3915 (Cross-site scripting (XSS) vulnerability in the "Separate title and UR ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3914 (Cross-site scripting (XSS) vulnerability in the Temporary Invitation m ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3913 (SQL injection vulnerability in summary.php in Xerox Fiery Webtools all ...)
	NOT-FOR-US: Xerox Fiery Webtools
CVE-2009-3912 (Directory traversal vulnerability in index.php in TFTgallery 0.13 allo ...)
	NOT-FOR-US: TFTgallery
CVE-2009-3911 (Cross-site scripting (XSS) vulnerability in settings.php in TFTgallery ...)
	NOT-FOR-US: TFTgallery
CVE-2009-3910
	RESERVED
CVE-2009-3909 (Integer overflow in the read_channel_data function in plug-ins/file-ps ...)
	- gimp 2.6.7-1.1 (medium; bug #556750)
	NOTE: http://secunia.com/secunia_research/2009-43/
CVE-2009-3908
	REJECTED
CVE-2009-3907
	REJECTED
CVE-2009-3906
	REJECTED
CVE-2009-3905 (Multiple cross-site scripting (XSS) vulnerabilities in e-Courier CMS a ...)
	NOT-FOR-US: e-Courier CMS
CVE-2009-3904 (classes/session/cc_admin_session.php in CubeCart 4.3.4 does not proper ...)
	NOT-FOR-US: CubeCart
CVE-2009-3903 (Multiple cross-site scripting (XSS) vulnerabilities in jspui/index.jsp ...)
	NOT-FOR-US: ManageEngine Netflow Analyzer 7.5 build 7500
CVE-2009-3902 (Directory traversal vulnerability in Cherokee Web Server 0.5.4 and ear ...)
	- cherokee (Only windows version is affected)
CVE-2009-3901 (Multiple cross-site scripting (XSS) vulnerabilities in e-Courier CMS a ...)
	NOT-FOR-US: e-Courier CMS
CVE-2009-3900 (Unspecified vulnerability in the Cluster Management component in IBM P ...)
	NOT-FOR-US: IBM PowerHA
CVE-2009-3899 (Memory leak in the Sockets Direct Protocol (SDP) driver in Sun Solaris ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-3896 (src/http/ngx_http_parse.c in nginx (aka Engine X) 0.1.0 through 0.4.14 ...)
	{DSA-1920-1}
	- nginx 0.7.62-1
CVE-2009-3895 (Heap-based buffer overflow in the exif_entry_fix function (aka the tag ...)
	- libexif 0.6.19-1 (medium; bug #557137)
	[lenny] - libexif (Only 0.6.18 is affected)
	[etch] - libexif (Only 0.6.18 is affected)
CVE-2009-3894 (Multiple untrusted search path vulnerabilities in dstat before 0.7.0 a ...)
	- dstat 0.7.0-1 (low; bug #557989)
	[lenny] - dstat (Minor issue)
	[etch] - dstat (Minor issue)
	NOTE: http://svn.rpmforge.net/svn/trunk/tools/dstat/ChangeLog
CVE-2009-3893
	RESERVED
CVE-2009-3891 (Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in ...)
	- wordpress 2.8.6-1 (low)
	[etch] - wordpress (Vulnerable code not present)
	[lenny] - wordpress (Vulnerable code not present)
CVE-2009-3890 (Unrestricted file upload vulnerability in the wp_check_filetype functi ...)
	- wordpress 2.8.6-1 (low)
	[etch] - wordpress (Vulnerable code not present)
	[lenny] - wordpress (Vulnerable code not present)
CVE-2009-3889 (The dbg_lvl file for the megaraid_sas driver in the Linux kernel befor ...)
	{DSA-2005-1}
	- linux-2.6 2.6.27-1 (low)
	[etch] - linux-2.6 (Vulnerable code not present)
	[lenny] - linux-2.6 2.6.26-21
	- linux-2.6.24 (low)
CVE-2009-3888 (The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2. ...)
	- linux-2.6 (Vulnerable code not built)
	- linux-2.6.24 (Vulnerable code not built)
CVE-2009-3887 (ytnef has directory traversal ...)
	- ytnef (bug #567631)
	[lenny] - ytnef (Minor issue)
	NOTE: http://www.ocert.org/advisories/ocert-2009-013.html
	NOTE: This doesn't affect Evolution, the TNEF plugin is external
CVE-2009-3886 (The Java Web Start implementation in Sun Java SE 6 before Update 17 do ...)
	- openjdk-6 6b17-1.7-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3885 (Sun Java SE 5.0 before Update 22 and 6 before Update 17 on Windows all ...)
	- openjdk-6 (a problem in code that is unused on non-windows platforms)
	- sun-java6 (a problem in code that is unused on non-windows platforms)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=530114
CVE-2009-3884 (The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 an ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3883 (Multiple unspecified vulnerabilities in the Windows Pluggable Look and ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3882 (Multiple unspecified vulnerabilities in the Swing implementation in Su ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3881 (Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3880 (The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3879 (Multiple unspecified vulnerabilities in the (1) X11 and (2) Win32Graph ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3878 (Buffer overflow in Sun Java System Web Server 7.0 Update 6 has unspeci ...)
	NOT-FOR-US: Sun Java System Web Server
CVE-2009-3877 (Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Upd ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3876 (Unspecified vulnerability in Sun Java SE in JDK and JRE 5.0 before Upd ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3875 (The MessageDigest.isEqual function in Java Runtime Environment (JRE) i ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3874 (Integer overflow in the JPEGImageReader implementation in the ImageI/O ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3873 (The JPEG Image Writer in Sun Java SE in JDK and JRE 5.0 before Update ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3872 (Unspecified vulnerability in the JPEG JFIF Decoder in Sun Java SE in J ...)
	- openjdk-6 6b17-1.7-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3871 (Heap-based buffer overflow in the setBytePixels function in the Abstra ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3869 (Stack-based buffer overflow in the setDiffICM function in the Abstract ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3868 (Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3867 (Stack-based buffer overflow in the HsbParser.getSoundBank function in ...)
	- openjdk-6 6b17-1.7-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3866 (The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Up ...)
	- openjdk-6 6b17-1.7-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3865 (The launch method in the Deployment Toolkit plugin in Java Runtime Env ...)
	- openjdk-6 6b17-1.7-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3864 (The Java Update functionality in Java Runtime Environment (JRE) in Sun ...)
	- openjdk-6 6b17 (unimportant)
	- sun-java6 6-17-1 (unimportant)
	NOTE: a problem in their updater, which is irrelevant since debian
	NOTE: updates are provided by the security team
CVE-2009-3863 (Buffer overflow in the gxmim1.dll ActiveX control in Novell Groupwise ...)
	NOT-FOR-US: ActiveX
CVE-2009-3862 (The NDSD process in Novell eDirectory 8.7.3 before 8.7.3.10 ftf2 and e ...)
	NOT-FOR-US: Novell eDirectory
CVE-2009-3861 (Stack-based buffer overflow in SafeNet SoftRemote 10.8.5 (Build 2) and ...)
	NOT-FOR-US: SafeNet SoftRemote
CVE-2009-3860 (Multiple insecure method vulnerabilities in Idefense Labs COMRaider al ...)
	NOT-FOR-US: Idefense Labs COMRaider
CVE-2009-3859 (Buffer overflow in eEye Retina WiFi Scanner 1.0.8.68, as used in Retin ...)
	NOT-FOR-US: Retina Network Security Scanner
CVE-2009-3858 (Cross-site scripting (XSS) vulnerability in GejoSoft allows remote att ...)
	NOT-FOR-US: GejoSoft
CVE-2009-3857 (Buffer overflow in Softonic International SciTE 1.72 allows user-assis ...)
	NOT-FOR-US: Softonic International SciTE
CVE-2009-3856 (Cross-site scripting (XSS) vulnerability in the default URI in news/ i ...)
	NOT-FOR-US: Twilight CMS
CVE-2009-3855 (Multiple unspecified vulnerabilities in the (1) UNIX and (2) Linux bac ...)
	NOT-FOR-US: IBM Tivoli Storage Manager
CVE-2009-3854 (Buffer overflow in the traditional client scheduler in the client in I ...)
	NOT-FOR-US: IBM Tivoli Storage Manager
CVE-2009-3853 (Stack-based buffer overflow in the client acceptor daemon (CAD) schedu ...)
	NOT-FOR-US: IBM Tivoli Storage Manager
CVE-2009-3852 (Unspecified vulnerability in the XML component in IBM Runtimes for Jav ...)
	NOT-FOR-US: IBM Runtimes for Java Technology 5.0.0
CVE-2009-3851 (Trusted Extensions in Sun Solaris 10 interferes with the operation of ...)
	NOT-FOR-US: Sun Solaris 10
CVE-2009-3850 (Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execut ...)
	- blender (unimportant)
	NOTE: attack vector is social engineering to get the user to open
	NOTE: a malicious .blend file. by design, blend files support
	NOTE: all python operations, so ultimately any code can be executed
CVE-2009-3849 (Multiple stack-based buffer overflows in HP OpenView Network Node Mana ...)
	NOT-FOR-US: HP OpenView Network Node Manager
CVE-2009-3848 (Stack-based buffer overflow in nnmRptConfig.exe in HP OpenView Network ...)
	NOT-FOR-US: HP OpenView Network Node Manager
CVE-2009-3847 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...)
	NOT-FOR-US: HP OpenView Network Node Manager
CVE-2009-3846 (Multiple heap-based buffer overflows in ovlogin.exe in HP OpenView Net ...)
	NOT-FOR-US: HP OpenView Network Node Manager
CVE-2009-3845 (The port-3443 HTTP server in HP OpenView Network Node Manager (OV NNM) ...)
	NOT-FOR-US: HP OpenView Network Node Manager
CVE-2009-3844 (Stack-based buffer overflow in the OmniInet process in HP OpenView Dat ...)
	NOT-FOR-US: HP OpenView Data Protector Application
CVE-2009-3843 (HP Operations Manager 8.10 on Windows contains a "hidden account" in t ...)
	NOT-FOR-US: HP Operations Manager
CVE-2009-3842 (Unspecified vulnerability on the HP Color LaserJet M3530 Multifunction ...)
	NOT-FOR-US: HP Color LaserJet
CVE-2009-3841 (Unspecified vulnerability in HP Discovery & Dependency Mapping Inv ...)
	NOT-FOR-US: HP Discovery & Dependency Mapping
CVE-2009-3840 (The embedded database engine service (aka ovdbrun.exe) in HP OpenView ...)
	NOT-FOR-US: HP OpenView
CVE-2009-3839 (Unspecified vulnerability in the Solaris Trusted Extensions Policy con ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-3838 (Stack-based buffer overflow in Pegasus Mail (PMail) 4.41 and possibly ...)
	NOT-FOR-US: Pegasus Mail
CVE-2009-3837 (Stack-based buffer overflow in Eureka Email 2.2q allows remote POP3 se ...)
	NOT-FOR-US: Eureka Email
CVE-2009-3836 (ArubaOS 3.3.1.x, 3.3.2.x, RN 3.1.x, 3.4.x, and 3.3.2.x-FIPS on the Aru ...)
	NOT-FOR-US: ArubaOS
CVE-2009-3835 (SQL injection vulnerability in the JShop (com_jshop) component for Joo ...)
	NOT-FOR-US: Joomla!
CVE-2009-3834 (SQL injection vulnerability in the Photoblog (com_photoblog) component ...)
	NOT-FOR-US: Joomla!
CVE-2009-3833 (Cross-site scripting (XSS) vulnerability in index.php in TFTgallery 0. ...)
	NOT-FOR-US: TFTgallery
CVE-2009-3832 (Opera before 10.01 on Windows does not prevent use of Web fonts in ren ...)
	NOT-FOR-US: Opera
CVE-2009-3831 (Opera before 10.01 allows remote attackers to execute arbitrary code o ...)
	NOT-FOR-US: Opera
CVE-2009-3830 (The download functionality in Team Services in Microsoft Office ShareP ...)
	NOT-FOR-US: Microsoft
CVE-2009-3829 (Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows rem ...)
	{DSA-1942-1}
	- wireshark 1.2.2-1 (bug #553583)
CVE-2009-3828 (The web interface for Everfocus EDR1600 DVR allows remote attackers to ...)
	NOT-FOR-US: Everfocus EDR1600 DVR
CVE-2009-3827
	RESERVED
CVE-2009-3826 (Multiple buffer overflows in squidGuard 1.4 allow remote attackers to ...)
	{DSA-2040-1}
	- squidguard 1.2.0-9 (low; bug #553319)
CVE-2009-3825 (Multiple directory traversal vulnerabilities in GenCMS 2006 allow remo ...)
	NOT-FOR-US: GenCMS
CVE-2009-3824 (Directory traversal vulnerability in include/processor.php in Greenwoo ...)
	NOT-FOR-US: Greenwood PHP Content Manager
CVE-2009-3823 (Directory traversal vulnerability in myhtml.php in Mobilelib GOLD 3.0, ...)
	NOT-FOR-US: Mobilelib GOLD
CVE-2009-3822 (PHP remote file inclusion vulnerability in Fiji Web Design Ajax Chat ( ...)
	NOT-FOR-US: com_ajaxchat component for Joomla
CVE-2009-3821 (Cross-site scripting (XSS) vulnerability in the Apache Solr Search (so ...)
	NOT-FOR-US: Apache Solr Search extension for TYPO3
CVE-2009-3820 (SQL injection vulnerability in the Flagbit Filebase (fb_filebase) exte ...)
	NOT-FOR-US: Flagbit Filebase extension for TYPO3
CVE-2009-3819 (Unspecified vulnerability in the Random Images (maag_randomimage) exte ...)
	NOT-FOR-US: Random Images extension for TYPO3
CVE-2009-3818 (Unspecified vulnerability in the session handling feature in freeCap C ...)
	NOT-FOR-US: freeCap CAPTCHA for TYPO3
CVE-2009-3817 (PHP remote file inclusion vulnerability in doc/releasenote.php in the ...)
	NOT-FOR-US: com_booklibrary component for Joomla!
CVE-2009-3816 (Multiple cross-site scripting (XSS) vulnerabilities in Activities page ...)
	NOT-FOR-US: IBM Lotus Connections
CVE-2009-3815 (RunCMS 2M1, when running with certain error_reporting levels, allows r ...)
	NOT-FOR-US: RunCMS 2M1
CVE-2009-3814 (Static code injection vulnerability in RunCMS 2M1 allows remote authen ...)
	NOT-FOR-US: RunCMS 2M1
CVE-2009-3813 (Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote auth ...)
	NOT-FOR-US: RunCMS 2M1
CVE-2009-3812 (Heap-based buffer overflow in OtsAV DJ trial version 1.85.64.0, Radio ...)
	NOT-FOR-US: OtsAV products
CVE-2009-3811 (Stack-based buffer overflow in Music Tag Editor 1.61 build 212 allows ...)
	NOT-FOR-US: Music Tag Editor
CVE-2009-3810 (Heap-based buffer overflow in Acoustica MP3 Audio Mixer 2.471 allows r ...)
	NOT-FOR-US: Acoustica MP3 Audio Mixer
CVE-2009-3809 (Acoustica MP3 Audio Mixer 1.0 and possibly 2.471 allows remote attacke ...)
	NOT-FOR-US: Acoustica MP3 Audio Mixer
CVE-2009-3808 (MixSense DJ Studio 1.0.0.1 allows remote attackers to cause a denial o ...)
	NOT-FOR-US: MixSense DJ Studio
CVE-2009-3807 (Stack-based buffer overflow in MixVibes 7.043 Pro allows remote attack ...)
	NOT-FOR-US: MixVibes
CVE-2009-3806 (SQL injection vulnerability in feedback_js.php in DedeCMS 5.1 allows r ...)
	NOT-FOR-US: DedeCMS
CVE-2009-3805 (gpg2.exe in Gpg4win 2.0.1, as used in KDE Kleopatra 2.0.11, allows rem ...)
	NOT-FOR-US: Gpg4win
	NOTE: looks like an issue in gpg2 for windows (gpg4win.org), not specific
	NOTE: to kleopatra
CVE-2009-3804 (Multiple SQL injection vulnerabilities in modules/forum/post.php in Ru ...)
	NOT-FOR-US: RunCMS 2M1
CVE-2009-3803 (Multiple cross-site scripting (XSS) vulnerabilities in Amiro.CMS 5.4.0 ...)
	NOT-FOR-US: Amiro.CMS
CVE-2009-3802 (Amiro.CMS 5.4.0.0 and earlier allows remote attackers to obtain sensit ...)
	NOT-FOR-US: Amiro.CMS
CVE-2009-3801 (SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows re ...)
	NOT-FOR-US: OpenDocMan
CVE-2009-XXXX [multiple missing input sanity checks in KDE]
	- kdelibs 4:3.5.10.dfsg.1-3 (low)
	- kde4libs 4:4.3.4-1 (low)
	[lenny] - kde4libs (Minor issue)
	[lenny] - kdelibs (minor and unlikely to be exploited)
	[etch] - kdelibs (minor and unlikely to be exploited)
	NOTE: http://www.ocert.org/advisories/ocert-2009-015.html
	NOTE: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/pre-2014-advisories/
	NOTE: advisory mentions kmail and ark (from kdepim and kdeutils, respectively)
	NOTE: but the "fixes" linked from the advisory only change code in kdelibs
	NOTE: more info at oss-sec threads
CVE-2009-3800 (Multiple unspecified vulnerabilities in Adobe Flash Player before 10.0 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-3799 (Integer overflow in the Verifier::parseExceptionHandlers function in A ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-3798 (Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 might ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-3797 (Adobe Flash Player 10.x before 10.0.42.34 and Adobe AIR before 1.5.3 m ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-3796 (Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 might ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-3795
	REJECTED
CVE-2009-3794 (Heap-based buffer overflow in Adobe Flash Player before 10.0.42.34 and ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-3793 (Unspecified vulnerability in Adobe Flash Player before 9.0.277.0 and 1 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-3792 (Directory traversal vulnerability in Adobe Flash Media Server (FMS) be ...)
	NOT-FOR-US: Adobe Flash Media Server
CVE-2009-3791 (Unspecified vulnerability in Adobe Flash Media Server (FMS) before 3.5 ...)
	NOT-FOR-US: Adobe Flash Media Server
CVE-2009-3790 (Heap-based buffer overflow in FormMax (formerly AcroForm) evaluation 3 ...)
	NOT-FOR-US: FormMax
CVE-2009-3789 (Multiple cross-site scripting (XSS) vulnerabilities in OpenDocMan 1.2. ...)
	NOT-FOR-US: OpenDocMan
CVE-2009-3788 (SQL injection vulnerability in index.php in OpenDocMan 1.2.5 allows re ...)
	NOT-FOR-US: OpenDocMan
CVE-2009-3787 (files.php in Vivvo CMS 4.1.5.1 allows remote attackers to conduct dire ...)
	NOT-FOR-US: Vivvo CMS
CVE-2009-3786 (Cross-site scripting (XSS) vulnerability in Organic Groups (OG) Vocabu ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3785 (Multiple cross-site request forgery (CSRF) vulnerabilities in Simplene ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3784 (Open redirect vulnerability in Simplenews Statistics 6.x before 6.x-2. ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3783 (Cross-site scripting (XSS) vulnerability in Simplenews Statistics 6.x ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3782 (Unspecified vulnerability in Userpoints 6.x before 6.x-1.1, a module f ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3781 (The filefield_file_download function in FileField 6.x-3.1, a module fo ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3780 (Cross-site scripting (XSS) vulnerability in Abuse 5.x before 5.x-2.1 a ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3779 (Cross-site scripting (XSS) vulnerability in vCard 5.x before 5.x-1.4 a ...)
	NOT-FOR-US: module for Drupal
CVE-2009-3778 (SQL injection vulnerability in Moodle Course List 6.x before 6.x-1.2, ...)
	NOT-FOR-US: module for Drupal
CVE-2009-5045 (Dump Servlet information leak in jetty before 6.1.22. ...)
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5046 (JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22. ...)
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5047
	REJECTED
CVE-2009-5048 (Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20. ...)
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5049 (WebApp JSP Snoop page XSS in jetty through 6.1.21. ...)
	- jetty 6.1.22-1 (unimportant; bug #553644)
	NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
	NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-XXXX [cherokee 0.5.4 DoS]
	- cherokee (not reproducible)
	NOTE: <4089.110.37.64.157.1256562313.squirrel@mail.xc0re.net> in bugtraq
	NOTE: not reproducible in etch's 0.5.5 nor sid's 0.99.22-1.1
CVE-2009-3777
	RESERVED
CVE-2009-3776
	RESERVED
CVE-2009-3775
	RESERVED
CVE-2009-3774
	RESERVED
CVE-2009-3773
	RESERVED
CVE-2009-3772
	RESERVED
CVE-2009-3771
	RESERVED
CVE-2009-3770
	RESERVED
CVE-2009-3769
	RESERVED
CVE-2009-3768
	RESERVED
CVE-2009-3767 (libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other ...)
	{DSA-1943-1}
	- openldap 2.4.17-2.1 (low; bug #553432)
	- openldap2.3
CVE-2009-3766 (mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenS ...)
	- mutt (uses GnuTLS and not OpenSSL)
	NOTE: our mutt is linked against gnutls, bug #553433
CVE-2009-3765 (mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not p ...)
	- mutt (uses GnuTLS and not OpenSSL)
	NOTE: our mutt is linked against gnutls
CVE-2009-3764 (Unspecified vulnerability in the OpenSSO component in Oracle OpenSSO E ...)
	NOT-FOR-US: Oracle OpenSSO
CVE-2009-3763 (Unspecified vulnerability in the Access Manager / OpenSSO component in ...)
	NOT-FOR-US: Oracle OpenSSO
CVE-2009-3762 (Unspecified vulnerability in Oracle OpenSSO Enterprise 8.0 allows remo ...)
	NOT-FOR-US: Oracle OpenSSO
CVE-2009-3761
	RESERVED
CVE-2009-3760 (Static code injection vulnerability in config/writeconfig.php in the s ...)
	NOT-FOR-US: Citrix XenCenterWeb
CVE-2009-3759 (Multiple cross-site request forgery (CSRF) vulnerabilities in sample c ...)
	NOT-FOR-US: Citrix XenCenterWeb
CVE-2009-3758 (SQL injection vulnerability in login.php in sample code in the XenServ ...)
	NOT-FOR-US: Citrix XenCenterWeb
CVE-2009-3757 (Multiple cross-site scripting (XSS) vulnerabilities in sample code in ...)
	NOT-FOR-US: Citrix XenCenterWeb
CVE-2009-3756 (phpBMS 0.96 allows remote attackers to obtain sensitive information vi ...)
	NOT-FOR-US: phpBMS
CVE-2009-3755 (Multiple cross-site scripting (XSS) vulnerabilities in phpBMS 0.96 all ...)
	NOT-FOR-US: phpBMS
CVE-2009-3754 (Multiple SQL injection vulnerabilities in phpBMS 0.96 allow remote att ...)
	NOT-FOR-US: phpBMS
CVE-2009-3753 (Unrestricted file upload vulnerability in Opial 1.0 allows remote atta ...)
	NOT-FOR-US: Opial
CVE-2009-3752 (SQL injection vulnerability in home.php in Opial 1.0 allows remote att ...)
	NOT-FOR-US: Opial
CVE-2009-3751 (Cross-site scripting (XSS) vulnerability in home.php in Opial 1.0 allo ...)
	NOT-FOR-US: Opial
CVE-2009-3750 (SQL injection vulnerability in read.php in ToyLog 0.1 allows remote at ...)
	NOT-FOR-US: ToyLog
CVE-2009-3749 (The Web Administrator service (STEMWADM.EXE) in Websense Personal Emai ...)
	NOT-FOR-US: Websense Personal Email Manager
CVE-2009-3748 (Multiple cross-site scripting (XSS) vulnerabilities in the Web Adminis ...)
	NOT-FOR-US: Websense Personal Email Manager
CVE-2009-3747 (Cross-site scripting (XSS) vulnerability in index.php in TBmnetCMS 1.0 ...)
	NOT-FOR-US: TBmnetCMS
CVE-2009-3746 (XScreenSaver in Sun Solaris 10, when the accessibility feature is enab ...)
	NOT-FOR-US: XScreenSaver in Sun Solaris 10
CVE-2009-3745 (Cross-site scripting (XSS) vulnerability in the help pages in IBM Rati ...)
	NOT-FOR-US: IBM Rational AppScan Enterprise Edition
CVE-2009-3744 (rep_serv.exe 6.3.1.3 in the server in EMC RepliStor allows remote atta ...)
	NOT-FOR-US: EMC RepliStor
CVE-2009-3743 (Off-by-one error in the Ins_MINDEX function in the TrueType bytecode i ...)
	- ghostscript 8.71~dfsg-1
CVE-2009-3742 (Cross-site scripting (XSS) vulnerability in Liferay Portal before 5.3. ...)
	- liferay-portal (bug #569819)
CVE-2009-3741
	REJECTED
CVE-2009-3740
	RESERVED
CVE-2009-3739 (Multiple unspecified vulnerabilities on the Rockwell Automation AB Mic ...)
	NOT-FOR-US: Micrologix
CVE-2009-3738
	RESERVED
CVE-2009-3737 (The Oracle Siebel Option Pack for IE ActiveX control does not properly ...)
	NOT-FOR-US: Oracle Siebel Option Pack
CVE-2009-3736 (ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as us ...)
	{DSA-1958-1}
	- libtool 2.2.6b-1 (low; bug #559797)
	- arts (Uses absolute path to the sound backend)
	- bochs (additional hardening in this package prevents this type of attack; bug #559799)
	- camserv (low; bug #559800)
	NOTE: requested camserv removal
	[lenny] - camserv (Minor issue)
	[etch] - camserv (Minor issue)
	- collectd 4.8.2-1 (low; bug #559801)
	[lenny] - collectd (Minor issue)
	[etch] - collectd (Minor issue)
	- cvsnt 2.5.04.3236-1.2 (low; bug #559803)
	[etch] - cvsnt (Minor issue)
	[lenny] - cvsnt (Minor issue)
	- ggobi 2.1.9~20091212-1 (low; bug #559806)
	[etch] - ggobi (Minor issue)
	[lenny] - ggobi (Minor issue)
	- gnash 0.8.7-2 (low; bug #559808)
	[lenny] - gnash (Minor issue)
	- gnu-smalltalk 3.1-2 (low; bug #559809)
	[lenny] - gnu-smalltalk (Minor issue)
	[etch] - gnu-smalltalk (Minor issue)
	- graphicsmagick 1.3.5-6 (low; bug #559811)
	[lenny] - graphicsmagick (Minor issue, can be fixed along with later updates)
	[etch] - graphicsmagick (Minor issue, can be fixed along with later updates)
	- guile-1.6 1.6.8-7 (low; bug #559813)
	[etch] - guile-1.6 (Minor issue)
	[lenny] - guile-1.6 (Minor issue)
	- hamlib 1.2.10-1 (low; bug #559814)
	[lenny] - hamlib 1.2.7.1-1+lenny1
	[etch] - hamlib (Minor issue)
	- hercules 3.06-1.2 (low; bug #559815)
	[lenny] - hercules (Minor issue)
	[etch] - hercules (Minor issue)
	- jags 1.0.4-1 (low; bug #559816)
	- kdelibs (dl_open open loads from fixed paths)
	- libannodex (low; bug #559818)
	[lenny] - libannodex (Minor issue)
	[etch] - libannodex (Minor issue)
	- libextractor 0.5.23+dfsg-4 (low; bug #559819)
	[etch] - libextractor (Minor issue)
	[lenny] - libextractor (Minor issue)
	- libmcrypt (not included in any of the binary packages; bug #559820)
	- libtunepimp 0.5.3-7.3 (low; bug #559821)
	[lenny] - libtunepimp (Minor issue)
	[etch] - libtunepimp (Minor issue)
	- mp4h 1.3.1-4.1 (low; bug #559822)
	[etch] - mp4h (Minor issue)
	[lenny] - mp4h (Minor issue)
	- naim (low; bug #559823)
	[lenny] - naim (Minor issue)
	[etch] - naim (Minor issue)
	- parser-mysql 10.3-2 (unimportant; bug #559824)
	- pinball 0.3.1-11 (low; bug #559825)
	[lenny] - pinball (Minor issue)
	[etch] - pinball (Minor issue)
	- redland 1.0.10-1 (low; bug #559826)
	[etch] - redland (Versions prior to 1.0.9 don't use libtool/libltdl)
	[lenny] - redland (Versions prior to 1.0.9 don't use libtool/libltdl)
	- siproxd 1:0.8.1-1 (low; bug #559827)
	[lenny] - siproxd (Minor issue)
	[etch] - siproxd (Minor issue)
	- ski (low; bug #559828)
	- synfig 0.62.00-1 (low; bug #559829)
	[lenny] - synfig (Minor issue)
	- xmlsec1 1.2.14-1 (unimportant; bug #559831)
	NOTE: Embedded code copy isn't used
	- clamav 0.95+dfsg-1 (low; bug #559832)
	[lenny] - clamav (Minor issue)
	[etch] - clamav (Minor issue)
	- imagemagick 6:6.2.3.1-1 (low; bug #559833)
	[lenny] - imagemagick (Minor issue)
	[etch] - imagemagick (Minor issue)
	- hypre 2.4.0b-5 (low; bug #559834)
	[etch] - hypre (Minor issue)
	[lenny] - hypre (Minor issue)
	- lam 7.1.2-1.6 (low; bug #559835)
	[lenny] - lam (Minor issue)
	[etch] - lam (Minor issue)
	- openmpi 1.3.3-4 (low; bug #559836)
	[lenny] - openmpi (Minor issue)
	[etch] - openmpi (Minor issue)
	- parser 3.4.0-2 (unimportant; bug #559837)
	NOTE: users with write access can modify configuration to load new extensions, see #559837
	- pdsh (Only loads from /usr/lib/pdsh, which is controlled by root)
	- sdcc 2.9.0-5 (low; bug #559840)
	[lenny] - sdcc (Minor issue)
	[etch] - sdcc (Minor issue)
	- proftpd-dfsg (Only loads from /usr/lib/proftpd)
	- babel 1.4.0.dfsg-5 (low; bug #559843)
	[lenny] - babel (Minor issue)
	- libprelude 0.9.14-2 (low; bug #559844)
	[etch] - libprelude (Minor issue)
	- heartbeat 2.1.4-7 (unimportant; bug #559845)
	NOTE: the dlopened path is always below /usr/lib/heartbeat, which isn't under control of an attacker
	NOTE: From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
	NOTE: might've been fixed earlier
	- graphviz 2.26.3-14 (low; bug #702436)
	[squeeze] - graphviz 2.26.3-5+squeeze1
CVE-2009-3735 (The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3 ...)
	NOT-FOR-US: ActiveScan Installer ActiveX control
CVE-2009-3734 (Unspecified vulnerability in the management console in the S2 Security ...)
	NOT-FOR-US: S2 Security Linear eMerge Access Control System
CVE-2009-XXXX [mandos 0600 file being included in initrd]
	- mandos 1.0.13-1 (bug #551907)
CVE-2009-3733 (Directory traversal vulnerability in VMware Server 1.x before 1.0.10 b ...)
	- vmware-package
CVE-2009-3732 (Format string vulnerability in vmware-vmrc.exe build 158248 in VMware ...)
	NOT-FOR-US: VMware
CVE-2009-3731 (Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2 ...)
	NOT-FOR-US: WebWorks Help
CVE-2009-3730 (Multiple cross-site scripting (XSS) vulnerabilities in the ReqWeb Help ...)
	NOT-FOR-US: ReqWeb
CVE-2009-3729 (Unspecified vulnerability in the TrueType font parsing functionality i ...)
	- openjdk-6 6b17-1.7-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3728 (Directory traversal vulnerability in the ICC_Profile.getInstance metho ...)
	- openjdk-6 6b17~pre3-1 (medium; bug #560908)
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-3727 (Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0 ...)
	{DSA-1952-1}
	- asterisk 1:1.6.2.0~rc6-1
	[lenny] - asterisk (Minor issue)
	[etch] - asterisk (Etch Packages no longer covered by security support)
CVE-2009-3726 (The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client i ...)
	{DSA-2005-1 DSA-2003-1}
	- linux-2.6 2.6.31-1 (medium)
	[lenny] - linux-2.6 2.6.26-21
	- linux-2.6.24 (medium)
CVE-2009-3725 (The connector layer in the Linux kernel before 2.6.31.5 does not requi ...)
	{DSA-2012-1}
	- linux-2.6 2.6.31-1 (medium)
	[etch] - linux-2.6 (Vulnerable code not present)
	- linux-2.6.24 (medium)
CVE-2009-3724 (python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XS ...)
NOT-FOR-US: python-markdown2 (not our markdown, different code base) CVE-2009-3723 (asterisk allows calls on prohibited networks ...) [etch] - asterisk [lenny] - asterisk - asterisk 1:1.6.2.0~rc3-2 (medium; bug #552756) NOTE: http://downloads.asterisk.org/pub/security/AST-2009-007.html CVE-2009-3722 (The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in t ...) {DSA-1962-1} [etch] - linux-2.6 (issue introduced in 2.6.30-rc1) [lenny] - linux-2.6 (issue introduced in 2.6.30-rc1) - linux-2.6 2.6.31-1 (low) - kvm 88+dfsg-2 (low; bug #557739) NOTE: http://bugzilla.redhat.com/531660 NOTE: https://git.kernel.org/linus/0a79b009525b160081d75cef5dbf45817956acf2 CVE-2009-3721 [ytnef buffer overflow] RESERVED - ytnef (bug #567631) [lenny] - ytnef (Minor issue) NOTE: http://www.ocert.org/advisories/ocert-2009-013.html NOTE: This doesn't affect Evolution, the TNEF plugin is external CVE-2009-3720 (The updatePosition function in lib/xmltok_impl.c in libexpat in Expat ...) {DSA-1977-1 DSA-1921-1} - expat 2.0.1-5 (low; bug #551936) - mcabber 0.10.0-1 (low; bug #601053) [lenny] - mcabber (Minor issue) - w3c-libwww (low; bug #551938) [etch] - w3c-libwww (Minor issue, only used by fringe apps) - python-xml (low; bug #560951) [etch] - python-xml (minor issue) [lenny] - python-xml 0.8.4-10.1+lenny1 - python2.5 2.5.4-3.1 (low; bug #560912) - python2.4 2.4.4-3etch3 (low; bug #560913) - python-4suite 1.0.2-7.2 (low; bug #560914) [etch] - python-4suite (Minor issue) [lenny] - python-4suite (Minor issue) - wxwindows2.4 (unimportant; bug #560915) - wxwidgets2.6 2.6.3.2.2-4 (unimportant; bug #560916) - wxwidgets2.8 2.8.10.1-2 (unimportant; bug #560917) - audacity 1.3.2-1 (unimportant; bug #560919) - matanza (unimportant; bug #560920) - tdom 0.8.3~20080525-1 (low; bug #560921) [etch] - tdom (minor issue) - udunits 2.1.8-4 (unimportant; bug #560922) - ayttm 0.6.1-2 (low; bug #560924) [etch] - ayttm (minor issue) [lenny] - ayttm (minor issue) - cableswig (unimportant; bug #560925) - 
cadaver (unimportant; bug #560926) - centerim 4.22.10-1 (low) [lenny] - centerim (Minor issue) - cmake 2.6.0-6 (unimportant; bug #560927) - coin3 (unimportant; bug #560928) - gdcm 2.0.14-2 (low; bug #560929) - ghostscript 8.71~dfsg-2 (unimportant; bug #560930) - gs-gpl (unimportant) - grmonitor (unimportant; bug #560931) - iceape (unimportant; bug #560932) - insighttoolkit 3.16.0-1 (unimportant; bug #560933) - paraview 3.6.2-1 (unimportant; bug #560935) - poco 1.3.6p1-1 (unimportant; bug #560936) - simgear 2.10.0-1 (unimportant; bug #560937) - smart 1.2-5 (low; bug #560953) [etch] - smart (minor issue) [lenny] - smart (minor issue) - tla 1.3.5+dfsg-15 (unimportant; bug #560940) [lenny] - tla 1.3.5+dfsg-14+lenny1 - xmlrpc-c 1.06.27-1.1 (low; bug #560942) [etch] - xmlrpc-c (minor issue) [lenny] - xmlrpc-c (minor issue) - iceweasel (uses xulrunner; bug #560943) - kompozer 1:0.8~b1-2 (unimportant; bug #560944) - vxl 1.13.0-2 (low; bug #560945) - xulrunner (unimportant; bug #560946) - texlive-bin (Files are not compiled in, see #560948) - vnc4 (Not affected, see bug #560949) - xotcl 1.6.5-1.2 (low; bug #560950) [lenny] - xotcl (minor issue) CVE-2009-3719 (Cross-site scripting (XSS) vulnerability in comment.asp in Battle Blog ...) NOT-FOR-US: Battle Blog CVE-2009-3718 (SQL injection vulnerability in admin/authenticate.asp in Battle Blog 1 ...) NOT-FOR-US: Battle Blog CVE-2009-3717 (Heap-based buffer overflow in LucVil PatPlayer 3.9 allows remote attac ...) NOT-FOR-US: LucVil PatPlayer CVE-2009-3716 (Unrestricted file upload vulnerability in admin.php in MCshoutbox 1.1 ...) NOT-FOR-US: MCshoutbox CVE-2009-3715 (Multiple SQL injection vulnerabilities in scr_login.php in MCshoutbox ...) NOT-FOR-US: MCshoutbox CVE-2009-3714 (Cross-site scripting (XSS) vulnerability in admin_login.php in MCshout ...) NOT-FOR-US: MCshoutbox CVE-2009-3713 (SQL injection vulnerability in fichero.php in MorcegoCMS 1.7.6 and ear ...) 
NOT-FOR-US: MorcegoCMS CVE-2009-3712 (Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote ...) NOT-FOR-US: Ebay Clone 2009 CVE-2009-3711 (Stack-based buffer overflow in the h_handlepeer function in http.cpp i ...) NOT-FOR-US: httpdx CVE-2009-3710 (RioRey RIOS 4.6.6 and 4.7.0 uses an undocumented, hard-coded username ...) NOT-FOR-US: RioRey RIOS CVE-2009-3709 (Stack-based buffer overflow in the Meta Content Optimizer in Konae Tec ...) NOT-FOR-US: Konae Technologies Alleycode HTML Editor CVE-2009-3708 (Stack-based buffer overflow in the Meta Content Optimizer in Konae Tec ...) NOT-FOR-US: Konae Technologies Alleycode HTML Editor CVE-2009-3707 (VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Aut ...) NOT-FOR-US: VMware CVE-2009-3706 (Unspecified vulnerability in the ZFS filesystem in Sun Solaris 10, and ...) NOT-FOR-US: ZFS filesystem in Sun Solaris CVE-2009-3705 (PHP remote file inclusion vulnerability in debugger.php in Achievo bef ...) NOT-FOR-US: Achievo CVE-2009-3704 (ZoIPer 2.22, and possibly other versions before 2.24 Library 5324, all ...) NOT-FOR-US: ZoIPer CVE-2009-3703 (Multiple SQL injection vulnerabilities in the WP-Forum plugin before 2 ...) NOT-FOR-US: WordPress plugin CVE-2009-3702 (Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 a ...) NOT-FOR-US: PHP-Calendar CVE-2009-3701 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) {DSA-1966-1} - horde3 3.3.6+debian0-1 (low) NOTE: In order to successfully exploit this vulnerability the targeted user has to be logged as an administrator. CVE-2009-3700 (Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote att ...) {DSA-2040-1} - squidguard 1.2.0-9 (low; bug #553319) CVE-2009-3699 (Stack-based buffer overflow in libcsa.a (aka the calendar daemon libra ...) NOT-FOR-US: IBM AIX CVE-2009-3698 (An unspecified function in the Dalvik API in Android 1.5 and earlier a ...) 
NOT-FOR-US: Dalvik API in Android CVE-2009-3697 (SQL injection vulnerability in the PDF schema generator functionality ...) {DSA-1918-1} - phpmyadmin 4:3.2.2.1-1 [etch] - phpmyadmin (Vulnerable code not present) CVE-2009-3696 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2 ...) {DSA-1918-1} - phpmyadmin 4:3.2.2.1-1 CVE-2009-3610 REJECTED CVE-2009-3695 (Algorithmic complexity vulnerability in the forms library in Django 1. ...) {DSA-1905-1} - python-django 1.1.1-1 (medium; bug #550457) [etch] - python-django (introduced in 1.0) [lenny] - python-django 1.0.2-1+lenny2 CVE-2009-3694 (Directory traversal vulnerability in config/config.php in ezRecipe-Zee ...) NOT-FOR-US: ezRecipe-Zee 91 CVE-2009-3693 (Directory traversal vulnerability in the Persits.XUpload.2 ActiveX con ...) NOT-FOR-US: Persits.XUpload.2 ActiveX CVE-2009-3691 (Multiple integer overflows in setnet32.exe 3.50.0.13752 in IBM Informi ...) NOT-FOR-US: IBM Informix Client SDK CVE-2009-3690 RESERVED CVE-2009-3689 REJECTED CVE-2009-3688 REJECTED CVE-2009-3687 REJECTED CVE-2009-3686 REJECTED CVE-2009-3685 REJECTED CVE-2009-3684 REJECTED CVE-2009-3683 REJECTED CVE-2009-3682 REJECTED CVE-2009-3681 REJECTED CVE-2009-3680 REJECTED CVE-2009-3679 REJECTED CVE-2009-3678 (Integer overflow in cdd.dll in the Canonical Display Driver (CDD) in M ...) NOT-FOR-US: Microsoft Windows CVE-2009-3677 (The Internet Authentication Service (IAS) in Microsoft Windows 2000 SP ...) NOT-FOR-US: Microsoft Internet Authentication Service CVE-2009-3676 (The SMB client in the kernel in Microsoft Windows Server 2008 R2 and W ...) NOT-FOR-US: Microsoft Windows Server CVE-2009-3675 (LSASS.exe in the Local Security Authority Subsystem Service (LSASS) in ...) NOT-FOR-US: Microsoft Local Security Authority Subsystem Service CVE-2009-3674 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) 
NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3673 (Microsoft Internet Explorer 7 and 8 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3672 (Microsoft Internet Explorer 6 and 7 does not properly handle objects i ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3671 (Microsoft Internet Explorer 8 does not properly handle objects in memo ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-3670 (Stack-based buffer overflow in KSP Sound Player 2009 R2 and R2.1 allow ...) NOT-FOR-US: KSP Sound Player CVE-2009-3669 (SQL injection vulnerability in the foobla Suggestions (com_foobla_sugg ...) NOT-FOR-US: Joomla! component CVE-2009-3668 (Cross-site scripting (XSS) vulnerability in ardguest.php in Ardguest 1 ...) NOT-FOR-US: Ardguest 1.8 CVE-2009-3667 (SQL injection vulnerability in admin/index.php in AdsDX 3.05 allows re ...) NOT-FOR-US: AdsDX CVE-2009-3666 (Cross-site scripting (XSS) vulnerability in index.php in Nullam Blog 0 ...) NOT-FOR-US: Nullam Blog CVE-2009-3665 (Multiple SQL injection vulnerabilities in index.php in Nullam Blog 0.1 ...) NOT-FOR-US: Nullam Blog CVE-2009-3664 (Multiple directory traversal vulnerabilities in index.php in Nullam Bl ...) NOT-FOR-US: Nullam Blog CVE-2009-3663 (Format string vulnerability in the h_readrequest function in http.c in ...) NOT-FOR-US: httpdx CVE-2009-3662 (FileCopa FTP Server 5.01 allows remote attackers to cause a denial of ...) NOT-FOR-US: FileCopa FTP Server CVE-2009-3661 (Multiple SQL injection vulnerabilities in the DJ-Catalog (com_djcatalo ...) NOT-FOR-US: component for Joomla! CVE-2009-3660 (PHP remote file inclusion vulnerability in libraries/database.php in E ...) NOT-FOR-US: Efront CVE-2009-3659 (SQL injection vulnerability in file/stats.php in BS Counter 2.5.3 allo ...) NOT-FOR-US: BS Counter CVE-2009-3658 (Use-after-free vulnerability in the Sb.SuperBuddy.1 ActiveX control (s ...) 
NOT-FOR-US: Sb.SuperBuddy.1 ActiveX CVE-2009-3657 (Session fixation vulnerability in Shared Sign-On 5.x and 6.x, a module ...) NOT-FOR-US: module for Drupal CVE-2009-3656 (Cross-site request forgery (CSRF) vulnerability in Shared Sign-On 5.x ...) NOT-FOR-US: module for Drupal CVE-2009-3655 (Rhino Software Serv-U 7.0.0.1 through 8.2.0.3 allows remote attackers ...) NOT-FOR-US: Rhino Software Serv-U CVE-2009-3654 (Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupa ...) NOT-FOR-US: module for Drupal CVE-2009-3653 (Cross-site scripting (XSS) vulnerability in the additional links inter ...) NOT-FOR-US: module for Drupal CVE-2009-3652 (Cross-site scripting (XSS) vulnerability in Organic Groups (OG) 5.x-7. ...) NOT-FOR-US: module for Drupal CVE-2009-3651 (Cross-site scripting (XSS) vulnerability in the "Monitor browsers' fea ...) NOT-FOR-US: module for Drupal CVE-2009-3650 (Cross-site scripting (XSS) vulnerability in Dex 5.x-1.0 and earlier an ...) NOT-FOR-US: module for Drupal CVE-2009-3649 (Cross-site scripting (XSS) vulnerability in forums/index.php in Power ...) NOT-FOR-US: PBBoard CVE-2009-3648 (Cross-site scripting (XSS) vulnerability in Service Links 6.x-1.0, a m ...) NOT-FOR-US: module for Drupal CVE-2009-3647 (Cross-site scripting (XSS) vulnerability in emaullinks.php in YABSoft ...) NOT-FOR-US: YABSoft Mega File Hosting Script (aka MFH or MFHS) CVE-2009-3646 (InterVations NaviCOPA Web Server 3.01 allows remote attackers to obtai ...) NOT-FOR-US: NaviCOPA Web Server CVE-2009-3645 (SQL injection vulnerability in the JoomlaCache CB Resume Builder (com_ ...) NOT-FOR-US: JoomlaCache CVE-2009-3644 (SQL injection vulnerability in the Soundset (com_soundset) component 1 ...) NOT-FOR-US: Joomla component CVE-2009-3643 (Dxmsoft XM Easy Personal FTP Server 5.8.0 allows remote attackers to c ...) NOT-FOR-US: Dxmsoft XM Easy Personal FTP Server CVE-2009-3642 (Multiple SQL injection vulnerabilities in the Call Logging feature in ...) 
NOT-FOR-US: FrontRange HEAT CVE-2009-3641 (Snort before 2.8.5.1, when the -v option is enabled, allows remote att ...) - snort 2.8.5.2-1 (unimportant; bug #553584) NOTE: current debian packages are not compiled with support for ipv6 CVE-2009-3640 (The update_cr8_intercept function in arch/x86/kvm/x86.c in the KVM sub ...) - linux-2.6 2.6.31-1 (medium) [lenny] - linux-2.6 (introduced post 2.6.27) [etch] - linux-2.6 (introduced post 2.6.27) - linux-2.6.24 (introduced post 2.6.27) - kvm 88+dfsg-2 (medium; bug #557737) [lenny] - kvm (Vulnerable code not present) CVE-2009-3639 (The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2 ...) {DSA-1925-1} - proftpd-dfsg 1.3.2a-2 (low) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=3275 CVE-2009-3638 (Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in ...) {DSA-1962-1 DSA-1927-1} - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (introduced in 2.6.25) NOTE: fixed in upstream 2.6.32-rc4 - linux-2.6.24 (introduced in 2.6.25) - kvm (medium; bug #562076) CVE-2009-3637 (Stack-based buffer overflow in the M_AddToServerList function in clien ...) - alien-arena 7.33-1 (medium; bug #552038) [lenny] - alien-arena 7.0-1+lenny1 CVE-2009-3636 (Cross-site scripting (XSS) vulnerability in the Install Tool subcompon ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3635 (The Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x befor ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3634 (Cross-site scripting (XSS) vulnerability in the Frontend Login Box (ak ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3633 (Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalu ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3632 (SQL injection vulnerability in the traditional frontend editing featur ...) 
{DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3631 (The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1 ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3630 (The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1 ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3629 (Multiple cross-site scripting (XSS) vulnerabilities in the Backend sub ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3628 (The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1 ...) {DSA-1926-1} - typo3-src 4.2.10-1 (medium; bug #552020) CVE-2009-3627 (The decode_entities function in util.c in HTML-Parser before 3.63 allo ...) {DSA-1923-1} - libhtml-parser-perl 3.64-1 (bug #552531) NOTE: http://secunia.com/advisories/37155/ CVE-2009-3626 (Perl 5.10.1 allows context-dependent attackers to cause a denial of se ...) - perl 5.10.1-6 (bug #552291) [lenny] - perl (Vulnerable code not present) [etch] - perl (Vulnerable code not present) CVE-2009-3625 (Directory traversal vulnerability in www/index.php in Sahana 0.6.2.2 a ...) - sahana (bug #497414) CVE-2009-3624 (The get_instantiation_keyring function in security/keys/keyctl.c in th ...) - linux-2.6 2.6.31-2 (low) [etch] - linux-2.6 (vulnerable code introduced in 2.6.29) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.29) - linux-2.6.24 (vulnerable code introduced in 2.6.29) NOTE: fixed upstream in 2.6.32-rc5 CVE-2009-3623 (The lookup_cb_cred function in fs/nfsd/nfs4callback.c in the nfsd4 sub ...) - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (vulnerable code introduced in 2.6.31) [lenny] - linux-2.6 (vulnerable code introduced in 2.6.31) - linux-2.6.24 (vulnerable code introduced in 2.6.31) CVE-2009-3622 (Algorithmic complexity vulnerability in wp-trackback.php in WordPress ...) 
- wordpress 2.8.5-1 [lenny] - wordpress 2.5.1-11+lenny3 [etch] - wordpress 2.0.10-1etch6 NOTE: http://seclists.org/fulldisclosure/2009/Oct/263 CVE-2009-3621 (net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows loc ...) {DSA-1929-1 DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.31-2 (low) - linux-2.6.24 (low) CVE-2009-3620 (The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-g ...) {DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.32-1 (medium) - linux-2.6.24 (medium) NOTE: https://git.kernel.org/linus/7dc482dfeeeefcfd000d4271c4626937406756d7 CVE-2009-3619 (Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1. ...) - viewvc 1.0.9-1 (low; bug #545779; bug #560903) CVE-2009-3618 (Cross-site scripting (XSS) vulnerability in viewvc.py in ViewVC 1.0 be ...) - viewvc 1.0.9-1 (low; bug #545779; bug #560903) CVE-2009-3617 (Format string vulnerability in the AbstractCommand::onAbort function i ...) - aria2 1.6.2-1 (low) [lenny] - aria2 (Vulnerable code not present) [etch] - aria2 (Vulnerable code not present) CVE-2009-3616 (Multiple use-after-free vulnerabilities in vnc.c in the VNC server in ...) - qemu 0.11.0-1 (medium; bug #553589) [lenny] - qemu (Vulnerable code not present) [etch] - qemu (Vulnerable code not present) - kvm (medium; bug #553590) [lenny] - kvm (Vulnerable code not present) CVE-2009-3615 (The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adiu ...) {DSA-1932-1} - pidgin 2.6.3-1 NOTE: http://pidgin.im/news/security/?id=41 CVE-2009-3614 (liboping 1.3.2 allows users reading arbitrary files upon the local sys ...) - liboping 1.3.3-1 (low; bug #548684) [lenny] - liboping (doesn't have -f option yet) [etch] - liboping (doesn't have -f option yet) CVE-2009-3613 (The swiotlb functionality in the r8169 driver in drivers/net/r8169.c i ...) 
{DSA-1928-1 DSA-1915-1} - linux-2.6 2.6.29-1 (medium) - linux-2.6.24 NOTE: https://www.openwall.com/lists/oss-security/2009/10/15/4 CVE-2009-3612 (The tcf_fill_node function in net/sched/cls_api.c in the netlink subsy ...) {DSA-1929-1 DSA-1928-1 DSA-1927-1} - linux-2.6 2.6.31-2 (low) - linux-2.6.24 (low) CVE-2009-3611 (common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes ce ...) - backintime 0.9.26-3 (bug #543785) CVE-2009-3609 (Integer overflow in the ImageStream::ImageStream function in Stream.cc ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3608 (Integer overflow in the ObjectStream::ObjectStream function in XRef.cc ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3607 (Integer overflow in the create_surface_from_thumbnail_data function in ...) {DSA-1941-1} - poppler 0.12.2-1 (medium; bug #551289) CVE-2009-3606 (Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf bef ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3605 (Multiple integer overflows in Poppler 0.10.5 and earlier allow remote ...) {DSA-1941-1} - poppler 0.12.2-1 (medium; bug #551289) CVE-2009-3604 (The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before ...) {DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3603 (Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3. ...) 
{DSA-2050-1 DSA-2028-1 DSA-1941-1} - xpdf 3.02-2 (medium; bug #551287) - poppler 0.12.2-1 (medium; bug #551289) - kdegraphics 4:4.0 (medium; bug #551290) - swftools 0.9.2+ds1-2 CVE-2009-3591 (Dopewars 1.5.12 allows remote attackers to cause a denial of service ( ...) - dopewars 1.5.12-9 (low; bug #550913) [etch] - dopewars (negligible issue) [lenny] - dopewars (neglibigble issue) CVE-2009-3589 (incron 0.5.5 does not initialize supplementary groups when running a p ...) - incron 0.5.7-1 CVE-2009-3588 (Unspecified vulnerability in the arclib component in the Anti-Virus en ...) NOT-FOR-US: eTrust Antivirus CVE-2009-3587 (Unspecified vulnerability in the arclib component in the Anti-Virus en ...) NOT-FOR-US: eTrust Antivirus CVE-2009-3586 (Off-by-one error in src/http.c in CoreHTTP 0.5.3.1 and earlier allows ...) NOT-FOR-US: CoreHTTP CVE-2009-3585 (Session fixation vulnerability in html/Elements/SetupSessionCookie in ...) {DSA-1944-1} - request-tracker3.4 - request-tracker3.6 3.6.9-2 (low) CVE-2009-3584 (SQL-Ledger 2.8.24 does not set the secure flag for the session cookie ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3583 (Directory traversal vulnerability in the Preferences menu item in SQL- ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3582 (Multiple SQL injection vulnerabilities in the delete subroutine in SQL ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3581 (Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger 2.8. ...) - sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3580 (Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger ...) 
- sql-ledger (unimportant; bug #562639) NOTE: Only supported behind an authenticated HTTP zone, see README.Debian CVE-2009-3578 (Autodesk Maya 8.0, 8.5, 2008, 2009, and 2010 and Alias Wavefront Maya ...) NOT-FOR-US: Autodesk Maya CVE-2009-3577 (Autodesk 3D Studio Max (3DSMax) 6 through 9 and 2008 through 2010 allo ...) NOT-FOR-US: Autodesk CVE-2009-3576 (Autodesk Softimage 7.x and Softimage XSI 6.x allow remote attackers to ...) NOT-FOR-US: Autodesk Softimage CVE-2009-3575 (Buffer overflow in DHTRoutingTableDeserializer.cc in aria2 0.15.3, 1.2 ...) {DSA-1957-1} - aria2 1.2.0-1 (low; bug #551070) [etch] - aria2 (Vulnerable code not present) CVE-2009-3571 (Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact a ...) NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form CVE-2009-3570 (Unspecified vulnerability in OpenOffice.org (OOo) has unspecified impa ...) NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form CVE-2009-3569 (Stack-based buffer overflow in OpenOffice.org (OOo) allows remote atta ...) NOT-FOR-US: Unidentified exploit for OpenOffice, hasn't materialised in any form CVE-2009-3568 (Comment RSS 5.x before 5.x-2.2 and 6.x before 6.x-2.2, a module for Dr ...) NOT-FOR-US: module for Drupal CVE-2009-3692 (Unspecified vulnerability in the VBoxNetAdpCtl configuration tool in S ...) - virtualbox-ose 3.0.8-dfsg-1 [lenny] - virtualbox-ose (vulnerable code not present) CVE-2009-3602 (Unbound before 1.3.4 does not properly verify signatures for NSEC3 rec ...) {DSA-1963-1} - unbound 1.3.4-1 (low) NOTE: http://unbound.net/pipermail/unbound-users/2009-October/000852.html CVE-2009-3601 (Cross-site scripting (XSS) vulnerability in demo_page.php in Scriptsez ...) NOT-FOR-US: Scriptsez Ultimate Poll CVE-2009-3600 (HUBScript 1.0 allows remote attackers to obtain configuration informat ...) NOT-FOR-US: HUBScript CVE-2009-3599 (Cross-site scripting (XSS) vulnerability in single_winner1.php in HUBS ...) 
NOT-FOR-US: HUBScript CVE-2009-3598 (Cross-site scripting (XSS) vulnerability in survey_result.php in eCard ...) NOT-FOR-US: eCardMAX FormXP CVE-2009-3597 (Digitaldesign CMS 0.1 stores sensitive information under the web root ...) NOT-FOR-US: Digitaldesign CMS CVE-2009-3596 (JoxTechnology Ajox Poll does not properly restrict access to admin/man ...) NOT-FOR-US: JoxTechnology Ajox Poll CVE-2009-3595 (SQL injection vulnerability in results.php in VS PANEL 7.5.5 allows re ...) NOT-FOR-US: VS PANEL CVE-2009-3594 (Cross-site scripting (XSS) vulnerability in bpost.php in BLOB Blog Sys ...) NOT-FOR-US: BLOB Blog System CVE-2009-3593 (Multiple cross-site scripting (XSS) vulnerabilities in Freelancers 1.0 ...) NOT-FOR-US: Freelancers CVE-2009-3592 (Cross-site scripting (XSS) vulnerability in customer/home.php in Quali ...) NOT-FOR-US: Qualiteam X-Cart CVE-2009-3590 (SQL injection vulnerability in showcat.php in VS PANEL 7.3.6 allows re ...) NOT-FOR-US: VS PANEL CVE-2009-3574 (Tuniac 090517c allows remote attackers to cause a denial of service (c ...) NOT-FOR-US: Tuniac CVE-2009-3573 (Multiple insecure method vulnerabilities in the PDIControl.PDI.1 Activ ...) NOT-FOR-US: ActiveX CVE-2009-3572 (OpenBSD 4.4, 4.5, and 4.6, when running on an i386 kernel, does not pr ...) NOT-FOR-US: OpenBSD CVE-2009-3567 (Cross-site scripting (XSS) vulnerability in modules/tickets/functions_ ...) NOT-FOR-US: Kayako SupportSuite and eSupport CVE-2009-3579 (Cross-site scripting (XSS) vulnerability in the CookieDump.java sample ...) - jetty (unimportant) NOTE: http://www.coresecurity.com/content/jetty-persistent-xss NOTE: only an example application CVE-2009-3566 (McAfee IntruShield Network Security Manager (NSM) before 5.1.11.8.1 do ...) NOT-FOR-US: McAfee IntruShield Network Security Manager CVE-2009-3565 (Multiple cross-site scripting (XSS) vulnerabilities in intruvert/jsp/m ...) 
NOT-FOR-US: McAfee IntruShield Network Security Manager CVE-2009-3564 (puppetmasterd in puppet 0.24.6 does not reset supplementary groups whe ...) - puppet 0.25.1-3 (low; bug #551073) [etch] - puppet (minor issue) [lenny] - puppet (minor issue) CVE-2009-3563 (ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote ...) {DSA-1948-1} - ntp 1:4.2.4p8+dfsg-1 (medium; bug #560074) CVE-2009-3562 (Cross-site scripting (XSS) vulnerability in Xerver HTTP Server 4.32 al ...) NOT-FOR-US: Xerver HTTP Server CVE-2009-3561 (Directory traversal vulnerability in Xerver HTTP Server 4.32 allows re ...) NOT-FOR-US: Xerver HTTP Server CVE-2009-3560 (The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, a ...) {DSA-1977-1 DSA-1953-2 DSA-1953-1} - expat 2.0.1-6 (low; bug #560901) - mcabber 0.10.0-1 (low; bug #601053) [lenny] - mcabber (Minor issue) - w3c-libwww [etch] - w3c-libwww (Minor issue, only used by fringe apps) - python-xml (low; bug #560951) [etch] - python-xml (minor issue) [lenny] - python-xml 0.8.4-10.1+lenny1 - python2.5 2.5.4-3.1 (low; bug #560912) - python2.4 2.4.4-3+etch3 (low; bug #560913) - python2.6 2.6.4-4 - python-4suite 1.0.2-7.2 (low; bug #560914) [etch] - python-4suite (Minor issue) [lenny] - python-4suite (Minor issue) - wxwindows2.4 (unimportant; bug #560915) - wxwidgets2.6 2.6.3.2.2-4 (unimportant; bug #560916) - wxwidgets2.8 2.8.10.1-2 (unimportant; bug #560917) - audacity 1.3.2-1 (unimportant; bug #560919) - matanza (unimportant; bug #560920) - tdom 0.8.3~20080525-1 (low; bug #560921) [etch] - tdom (minor issue) - udunits 2.1.8-4 (unimportant; bug #560922) - ayttm 0.6.1-2 (low; bug #560924) [etch] - ayttm (minor issue) [lenny] - ayttm (minor issue) - cableswig (unimportant; bug #560925) - cadaver (unimportant; bug #560926) - cmake 2.6.0-6 (unimportant; bug #560927) - coin3 (unimportant; bug #560928) - gdcm 2.0.14-2 (low; bug #560929) - ghostscript 8.71~dfsg-2 (unimportant; bug #560930) - gs-gpl (unimportant) - grmonitor 
(unimportant; bug #560931) - iceape (unimportant; bug #560932) - insighttoolkit 3.16.0-1 (unimportant; bug #560933) - paraview 3.6.2-1 (unimportant; bug #560935) - poco 1.3.6p1-1 (unimportant; bug #560936) - simgear 2.10.0-1 (unimportant; bug #560937) - smart 1.2-5.1 (low; bug #560953) [etch] - smart (minor issue) [lenny] - smart (minor issue) - tla 1.3.5+dfsg-15 (unimportant; bug #560940) [lenny] - tla 1.3.5+dfsg-14+lenny1 - xmlrpc-c 1.06.27-1.1 (low; bug #560942) [etch] - xmlrpc-c (minor issue) [lenny] - xmlrpc-c (minor issue) - iceweasel (uses xulrunner; bug #560943) - kompozer 1:0.8~b1-2 (low; bug #560944) - vxl 1.13.0-2 (low; bug #560945) - xulrunner (unimportant; bug #560946) - texlive-bin (Files are not compiled in, see #560948) - vnc4 (Not affected, see bug #560949) - xotcl (Vulnerable code not present in embedded Expat copy) CVE-2009-3559 - php5 (unimportant) NOTE: safe_mode regression CVE-2009-3558 (The posix_mkfifo function in ext/posix/posix.c in PHP before 5.2.12 an ...) - php5 5.2.12.dfsg.1-1 (unimportant) NOTE: open_basedir bypass CVE-2009-3557 (The tempnam function in ext/standard/file.c in PHP before 5.2.12 and 5 ...) - php5 5.2.12.dfsg.1-1 (unimportant) NOTE: safe_mode bypass CVE-2009-3556 (A certain Red Hat configuration step for the qla2xxx driver in the Lin ...) - linux-2.6 (redhat-specific configuration issue) - linux-2.6.24 (redhat-specific configuration issue) CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as us ...) 
	{DSA-3253-1 DSA-2626-1 DSA-2141-2 DSA-2141-1 DSA-1934-1 DLA-400-1}
	- apache2 2.2.14-2
	- openssl 0.9.8k-6
	- nss 3.12.6-1
	- sun-java5
	[lenny] - sun-java5 (Minor issue)
	- sun-java6 6.19-1
	[lenny] - sun-java6 6-22-0lenny
	NOTE: Update 22 for Sun Java implemented the new RFC extension
	- openjdk-6 6b18-1.8.2-1
	- nginx 0.7.64-1
	- matrixssl 1.8.8-1
	[lenny] - matrixssl (Fringe SSL implementation, can be fixed in spu)
	- tomcat-native 1.1.18-1
	[lenny] - tomcat-native (Minor issue)
	- gnutls26 (safely handles renegotiation; however support for RFC 5746 would be useful)
	- polarssl 1.2.0-1 (bug #704946)
	- classpath
	- zorp 3.9.2-1
	[squeeze] - zorp (Minor issue)
	[lenny] - zorp (Minor issue)
	- lighttpd 1.4.30-1
	- pound 2.6-6.1 (bug #765649)
	[jessie] - pound (Minor issue)
	NOTE: the anti_beast.patch in pound 2.6-2 has some provision for this issue too but it seems to be broken, cf #765649
	NOTE: for any of the currently unfixed implementations, you can solve the problem by disabling renegotiation
	NOTE: the following implement RFC 5746:
	NOTE: - openssl 0.9.8m-1
	NOTE: - apache 2.2.15-1
	NOTE: - nss 3.12.6-1
	NOTE: - sun-java6 6.19-1
CVE-2009-3554 (Twiddle in Red Hat JBoss Enterprise Application Platform (aka JBoss EA ...)
	- jbossas4 4.2.2.GA-1 (bug #562000)
	[lenny] - jbossas4 (Contrib not supported)
CVE-2009-3553 (Use-after-free vulnerability in the abstract file-descriptor handling ...)
	{DSA-2176-1}
	- cups 1.4.2-4 (low; bug #557740)
	[lenny] - cups (Minor issue)
	- cupsys (vulnerable code introduced in 1.3.x)
	NOTE: http://www.cups.org/newsgroups.php/s1+gcups.bugs?s1+gcups.bugs+v4+T+Q3200
CVE-2009-3552 (In RHEV-M VDC 2.2.0, it was found that the SSL certificate was not ver ...)
	NOT-FOR-US: Red Hat Enterprise Virtualization Manager
CVE-2009-3551 (Off-by-one error in the dissect_negprot_response function in packet-sm ...)
	- wireshark 1.2.3-1 (low; bug #553583)
	[lenny] - wireshark (Only affects Wireshark 1.2.x)
	[etch] - wireshark (Only affects Wireshark 1.2.x)
CVE-2009-3550 (The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 t ...)
	{DSA-1942-1}
	- wireshark 1.2.3-1 (low; bug #553583)
CVE-2009-3549 (packet-paltalk.c in the Paltalk dissector in Wireshark 1.2.0 through 1 ...)
	- wireshark 1.2.3-1 (low; bug #553583)
	[lenny] - wireshark (Only affects Wireshark 1.2.x)
	[etch] - wireshark (Only affects Wireshark 1.2.x)
CVE-2009-3548 (The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 th ...)
	- tomcat6 (Windows only)
CVE-2009-3547 (Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.3 ...)
	{DSA-1929-1 DSA-1928-1 DSA-1927-1}
	- linux-2.6 2.6.31-2 (high)
	- linux-2.6.24 (high)
CVE-2009-3546 (The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5. ...)
	{DSA-1936-1}
	- libwmf (unimportant)
	- racket 5.0.2-1 (unimportant; bug #601525)
	NOTE: Only present in one of the sample pl-scheme packages (plot)
	- libgd2 2.0.36~rc1~dfsg-3.1 (medium; bug #552534)
	- php5 (the php packages use the system libgd2)
	NOTE: http://svn.php.net/viewvc?view=revision&revision=289557
	NOTE: <20091015173822.084de220@redhat.com> in OSS-sec
CVE-2009-3545 (DataWizard Technologies FtpXQ FTP Server 3.0 allows remote authenticat ...)
	NOT-FOR-US: DataWizard Technologies FtpXQ FTP Server
CVE-2009-3544 (Xerver HTTP Server 4.32 allows remote attackers to obtain the source c ...)
	NOT-FOR-US: Xerver HTTP Server
CVE-2009-3527 (Race condition in the Pipe (IPC) close function in FreeBSD 6.3 and 6.4 ...)
	- kfreebsd-6
	[lenny] - kfreebsd-6 (KFreebsd not supported)
CVE-2009-3526
	RESERVED
CVE-2009-XXXX [kfreebsd: Devfs / VFS NULL pointer race condition]
	- kfreebsd-6
	[lenny] - kfreebsd-6 (KFreebsd not supported)
	- kfreebsd-7 7.2-9 (bug #549871)
	[lenny] - kfreebsd-7 (KFreebsd not supported)
CVE-2009-3543 (SQL injection vulnerability in _phenotype/admin/login.php in Phenotype ...)
	NOT-FOR-US: Phenotype CMS
CVE-2009-3542 (Directory traversal vulnerability in ls.php in LittleSite (aka LS or L ...)
	NOT-FOR-US: LittleSite
CVE-2009-3541 (PHP remote file inclusion vulnerability in CoupleDB.php in PHPGenealog ...)
	NOT-FOR-US: PHPGenealogy
CVE-2009-3540 (Cross-site scripting (XSS) vulnerability in listads.php in YourFreeWor ...)
	NOT-FOR-US: YourFreeWorld Ultra Classifieds Pro
CVE-2009-3539 (Multiple cross-site scripting (XSS) vulnerabilities in YourFreeWorld U ...)
	NOT-FOR-US: YourFreeWorld Ultra Classifieds Pro
CVE-2009-3538 (Directory traversal vulnerability in thumb.php in Clear Content 1.1 al ...)
	NOT-FOR-US: Clear Content
CVE-2009-3537 (Multiple stack-based buffer overflows in EpicDJSoftware EpicDJ 1.3.9.1 ...)
	NOT-FOR-US: EpicDJSoftware EpicDJ
CVE-2009-3536 (Multiple stack-based buffer overflows in EpicDJSoftware EpicVJ 1.2.8.0 ...)
	NOT-FOR-US: EpicDJSoftware EpicVJ
CVE-2009-3535 (Directory traversal vulnerability in image.php in Clear Content 1.1 al ...)
	NOT-FOR-US: Clear Content
CVE-2009-3534 (Directory traversal vulnerability in index.php in LionWiki 3.0.3, when ...)
	NOT-FOR-US: LionWiki
CVE-2009-3533 (SQL injection vulnerability in report.php in Meeting Room Booking Syst ...)
	NOT-FOR-US: Meeting Room Booking System
CVE-2009-3532 (Multiple SQL injection vulnerabilities in login.asp (aka the login scr ...)
	NOT-FOR-US: LogRover
CVE-2009-3531 (SQL injection vulnerability in vnews.php in Universe CMS 1.0.6 allows ...)
	NOT-FOR-US: Universe CMS
CVE-2009-3530 (Cross-site scripting (XSS) vulnerability in storefront.php in RadScrip ...)
	NOT-FOR-US: RadScripts RadBids Gold
CVE-2009-3529 (SQL injection vulnerability in index.php in RadScripts RadBids Gold 4 ...)
	NOT-FOR-US: RadScripts RadBids Gold
CVE-2009-3528 (SQL injection vulnerability in Profile.php in MyMsg 1.0.3 allows remot ...)
	NOT-FOR-US: MyMsg
CVE-2009-3525 (The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not sup ...)
	- xen-3 (unimportant)
	- xen-unstable (unimportant)
	NOTE: This is an enhancement, not a security issue.
	NOTE: A user must have access to a guest hard drive image in order to boot it,
	NOTE: so he can simply mount the drive and remove the password option.
CVE-2009-5041 (overkill has buffer overflow via long player names that can corrupt da ...)
	- overkill 0.16-14.1 (bug #549310; low)
	[lenny] - overkill (Minor issue)
	[etch] - overkill (Minor issue)
CVE-2009-3524 (Unspecified vulnerability in ashWsFtr.dll in avast! Home and Professio ...)
	NOT-FOR-US: avast! Home and Professional
CVE-2009-3523 (aavmKer4.sys in avast! Home and Professional for Windows before 4.8.13 ...)
	NOT-FOR-US: avast! Home and Professional
CVE-2009-3522 (Stack-based buffer overflow in aswMon2.sys in avast! Home and Professi ...)
	NOT-FOR-US: avast! Home and Professional
CVE-2009-3521 (Multiple cross-site scripting (XSS) vulnerabilities in the Visualizati ...)
	NOT-FOR-US: WebSphere
CVE-2009-3520 (Cross-site request forgery (CSRF) vulnerability in the Your_account mo ...)
	NOT-FOR-US: CMSphp
CVE-2009-3519 (Multiple memory leaks in the IP module in the kernel in Sun Solaris 8 ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-3518 (Argument injection vulnerability in the iim: URI handler in IBMIM.exe ...)
	NOT-FOR-US: IBM Installation Manager
CVE-2009-3517 (nfs.ext in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does no ...)
	NOT-FOR-US: IBM AIX
CVE-2009-3516 (gssd in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does not p ...)
	NOT-FOR-US: IBM AIX
CVE-2009-3515 (Directory traversal vulnerability in dnet_admin/index.php in d.net CMS ...)
	NOT-FOR-US: d.net CMS
CVE-2009-3514 (Multiple SQL injection vulnerabilities in d.net CMS allow remote attac ...)
	NOT-FOR-US: d.net CMS
CVE-2009-3513 (Multiple cross-site scripting (XSS) vulnerabilities in Pilot Group (PG ...)
	NOT-FOR-US: Pilot Group (PG) eTraining
CVE-2009-3512 (Multiple cross-site scripting (XSS) vulnerabilities in MyWeight 1.0 al ...)
	NOT-FOR-US: MyWeight
CVE-2009-3511 (Multiple PHP remote file inclusion vulnerabilities in justVisual 1.2 a ...)
	NOT-FOR-US: justVisual
CVE-2009-3510 (SQL injection vulnerability in viewListing.php in linkSpheric 0.74 Bet ...)
	NOT-FOR-US: linkSpheric
CVE-2009-3509 (Cross-site scripting (XSS) vulnerability in admin/admin_index.php in C ...)
	NOT-FOR-US: CJ Dynamic Poll PRO
CVE-2009-3508 (Multiple directory traversal vulnerabilities in MUJE CMS 1.0.4.34 allo ...)
	NOT-FOR-US: MUJE CMS
CVE-2009-3507 (Directory traversal vulnerability in modules.php in CMSphp 0.21 allows ...)
	NOT-FOR-US: CMSphp
CVE-2009-3506 (Multiple cross-site scripting (XSS) vulnerabilities in CMSphp 0.21 all ...)
	NOT-FOR-US: CMSphp
CVE-2009-3505 (SQL injection vulnerability in view_news.php in Vastal I-Tech MMORPG Z ...)
	NOT-FOR-US: Vastal I-Tech MMORPG Zone
CVE-2009-3504 (SQL injection vulnerability in offers_buy.php in Alibaba Clone 3.0 all ...)
	NOT-FOR-US: Alibaba Clone
CVE-2009-3503 (Multiple SQL injection vulnerabilities in search.aspx in BPowerHouse B ...)
	NOT-FOR-US: BPowerHouse BPHolidayLettings
CVE-2009-3502 (SQL injection vulnerability in music.php in BPowerHouse BPMusic 1.0 al ...)
	NOT-FOR-US: BPowerHouse BPMusic
CVE-2009-3501 (SQL injection vulnerability in students.php in BPowerHouse BPStudents ...)
	NOT-FOR-US: BPowerHouse BPStudents
CVE-2009-3500 (Multiple SQL injection vulnerabilities in BPowerHouse BPGames 1.0 allo ...)
	NOT-FOR-US: BPowerHouse BPGames
CVE-2009-3499 (SQL injection vulnerability in employee.aspx in BPowerHouse BPLawyerCa ...)
	NOT-FOR-US: BPowerHouse BPLawyerCaseDocuments
CVE-2009-3498 (SQL injection vulnerability in php/update_article_hits.php in HBcms 1. ...)
	NOT-FOR-US: HBcms
CVE-2009-3497 (SQL injection vulnerability in view_listing.php in Vastal I-Tech Agent ...)
	NOT-FOR-US: Vastal I-Tech Agent
CVE-2009-3496 (Cross-site scripting (XSS) vulnerability in view_mag.php in Vastal I-T ...)
	NOT-FOR-US: Vastal I-Tech DVD Zone
CVE-2009-3495 (SQL injection vulnerability in view_mag.php in Vastal I-Tech DVD Zone ...)
	NOT-FOR-US: Vastal I-Tech DVD Zone
CVE-2009-3494 (Multiple SQL injection vulnerabilities in index.php in T-HTB Manager 0 ...)
	NOT-FOR-US: T-HTB Manager
CVE-2009-3493 (Multiple cross-site scripting (XSS) vulnerabilities in Zenas PaoBachec ...)
	NOT-FOR-US: Zenas PaoBacheca Guestbook
CVE-2009-3492 (Multiple PHP remote file inclusion vulnerabilities in Loggix Project 9 ...)
	NOT-FOR-US: Loggix Project
CVE-2009-3491 (SQL injection vulnerability in the Kinfusion SportFusion (com_sportfus ...)
	NOT-FOR-US: Kinfusion SportFusion
CVE-2009-3490 (GNU Wget before 1.12 does not properly handle a '\0' character in a do ...)
	{DSA-1904-1}
	- wget 1.12-1 (medium; bug #549293)
CVE-2009-3489 (Adobe Photoshop Elements 8.0 installs the Adobe Active File Monitor V8 ...)
	NOT-FOR-US: Adobe Photoshop Elements
CVE-2009-3488 (Cross-site scripting (XSS) vulnerability in the Bibliography (aka Bibl ...)
	NOT-FOR-US: Drupal Bibliography Module
CVE-2009-3487 (Multiple cross-site scripting (XSS) vulnerabilities in the J-Web inter ...)
	NOT-FOR-US: J-Web interface in Juniper JUNOS
CVE-2009-3486 (Multiple cross-site scripting (XSS) vulnerabilities in the J-Web inter ...)
	NOT-FOR-US: J-Web interface in Juniper JUNOS
CVE-2009-3485 (Cross-site scripting (XSS) vulnerability in the J-Web interface in Jun ...)
	NOT-FOR-US: J-Web interface in Juniper JUNOS
CVE-2009-3484 (Stack-based buffer overflow in Core FTP 2.1 build 1612 allows user-ass ...)
	NOT-FOR-US: Core FTP
CVE-2009-3483 (Heap-based buffer overflow in the Create New Site feature in GlobalSCA ...)
	NOT-FOR-US: CuteFTP
CVE-2009-3482 (TrustPort Antivirus before 2.8.0.2266 and PC Security before 2.0.0.129 ...)
	NOT-FOR-US: TrustPort Antivirus and PC Security
CVE-2009-3481 (A certain interface in the iCRM Basic (com_icrmbasic) component 1.4.2. ...)
	NOT-FOR-US: Joomla component
CVE-2009-3480 (SQL injection vulnerability in the iCRM Basic (com_icrmbasic) componen ...)
	NOT-FOR-US: Joomla component
CVE-2009-3479 (Cross-site scripting (XSS) vulnerability in Bibliography (Biblio) 5.x ...)
	NOT-FOR-US: Bibliography
CVE-2009-3478 (Argument injection vulnerability in (1) src/content/js/connection/sftp ...)
	NOT-FOR-US: Bibliography
CVE-2009-3477 (The Blackberry Browser in RIM BlackBerry Device Software 4.5.0 before ...)
	NOT-FOR-US: Blackberry Browser in RIM BlackBerry Device Software
CVE-2009-3476 (Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibbole ...)
	{DSA-1895-2 DSA-1896-1 DSA-1895-1}
	- xmltooling 1.2.2-1
	- opensaml 3.0.0-2
	- opensaml2 2.2.1-1
	- shibboleth-sp 3.0.2+dfsg1-2
	- shibboleth-sp2 2.2.1+dfsg-1
CVE-2009-3475 (Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and ...)
	{DSA-1895-2 DSA-1896-1 DSA-1895-1}
	- xmltooling 1.2.2-1
	- opensaml 3.0.0-2
	- opensaml2 2.2.1-1
	- shibboleth-sp 3.0.2+dfsg1-2
	- shibboleth-sp2 2.2.1+dfsg-1
CVE-2009-3474 (OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by ...)
	{DSA-1895-2 DSA-1896-1 DSA-1895-1}
	- xmltooling 1.2.2-1
	- opensaml 3.0.0-2
	- opensaml2 2.2.1-1
	- shibboleth-sp 3.0.2+dfsg1-2
	- shibboleth-sp2 2.2.1+dfsg-1
	[lenny] - opensaml 1.1.1-2+lenny1
	[lenny] - opensaml2 2.0-2+lenny1
CVE-2009-3473 (IBM DB2 9.1 before FP8 does not require the SETSESSIONUSER privilege f ...)
	NOT-FOR-US: IBM DB2
CVE-2009-3472 (IBM DB2 8 before FP18, 9.1 before FP8, and 9.5 before FP4 allows remot ...)
	NOT-FOR-US: IBM DB2
CVE-2009-3471 (IBM DB2 8 before FP18, 9.1 before FP8, 9.5 before FP4, and 9.7 before ...)
	NOT-FOR-US: IBM DB2
CVE-2009-3470 (IBM Informix Dynamic Server (IDS) 10.00 before 10.00.xC11, 11.10 befor ...)
	NOT-FOR-US: IBM Informix Dynamic Server (IDS)
CVE-2009-3469 (Cross-site scripting (XSS) vulnerability in profiles/html/simpleSearch ...)
	NOT-FOR-US: IBM Lotus Connections
CVE-2009-3468 (Multiple unspecified vulnerabilities in Common Desktop Environment (CD ...)
	NOT-FOR-US: Common Desktop Environment (CDE) in Sun Solaris
CVE-2009-3467 (Cross-site scripting (XSS) vulnerability in an unspecified method in A ...)
	NOT-FOR-US: Adobe ColdFusion
CVE-2009-3466 (Adobe Shockwave Player before 11.5.2.602 allows remote attackers to ex ...)
	NOT-FOR-US: Adobe Shockwave Player
CVE-2009-3465 (Adobe Shockwave Player before 11.5.2.602 allows remote attackers to ex ...)
	NOT-FOR-US: Adobe Shockwave Player
CVE-2009-3464 (Adobe Shockwave Player before 11.5.2.602 allows remote attackers to ex ...)
	NOT-FOR-US: Adobe Shockwave Player
CVE-2009-3463 (Array index error in Adobe Shockwave Player before 11.5.2.602 allows r ...)
	NOT-FOR-US: Adobe Shockwave Player
CVE-2009-3462 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...)
	NOT-FOR-US: Adobe
CVE-2009-3461 (Unspecified vulnerability in Adobe Acrobat 9.x before 9.2 allows attac ...)
	NOT-FOR-US: Adobe
CVE-2009-3460 (Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x throu ...)
	NOT-FOR-US: Adobe
CVE-2009-3459 (Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1. ...)
	NOT-FOR-US: Adobe Acrobat
CVE-2009-3458 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...)
	NOT-FOR-US: Adobe
CVE-2009-3457 (Cisco ACE XML Gateway (AXG) and ACE Web Application Firewall (WAF) bef ...)
	NOT-FOR-US: Cisco ACE XML Gateway (AXG) and ACE Web Application Firewall (WAF)
CVE-2009-3456 (Google Chrome, possibly 3.0.195.21 and earlier, does not properly hand ...)
	- chromium-browser
	- webkit
	NOTE: This was caused by a bug in NSS (CVE-2009-2408). chromium-browser uses libnss3
CVE-2009-3455 (Apple Safari, possibly before 4.0.3, on Mac OS X does not properly han ...)
	NOT-FOR-US: Apple Safari
CVE-2009-3454
	REJECTED
CVE-2009-3453 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Quick ...)
	NOT-FOR-US: IBM Lotus Quickr
CVE-2009-3452 (WebCoreModule.ashx in RADactive I-Load before 2008.2.5.0 allows remote ...)
	NOT-FOR-US: RADactive I-Load
CVE-2009-3451 (Directory traversal vulnerability in WebCoreModule.ashx in RADactive I ...)
	NOT-FOR-US: RADactive
CVE-2009-3450 (Multiple cross-site scripting (XSS) vulnerabilities in WebCoreModule.a ...)
	NOT-FOR-US: RADactive I-Load
CVE-2009-3449 (MP3 Collector 2.3 allows remote attackers to cause a denial of service ...)
	NOT-FOR-US: MP3 Collector
CVE-2009-3448 (npvmgr.exe in BakBone NetVault Backup 8.22 Build 29 allows remote atta ...)
	NOT-FOR-US: BakBone NetVault Backup
CVE-2009-3447 (Unrestricted file upload vulnerability in RADactive I-Load before 2008 ...)
	NOT-FOR-US: RADactive I-Load
CVE-2009-XXXX [xen-tools: world readable disk image files]
	- xen-tools 4.2~beta1-1 (low; bug #548909)
	[lenny] - xen-tools 3.9-4+lenny1
CVE-2009-3446 (SQL injection vulnerability in the MyRemote Video Gallery (com_mytube) ...)
	NOT-FOR-US: com_mytube component for Joomla!
CVE-2009-3445 (Unspecified vulnerability in Code-Crafters Ability Mail Server before ...)
	NOT-FOR-US: Ability Mail Server
CVE-2009-3444 (Cross-site scripting (XSS) vulnerability in email.php in e107 0.7.16 a ...)
	NOT-FOR-US: e107
CVE-2009-3443 (SQL injection vulnerability in the Fastball (com_fastball) component 1 ...)
	NOT-FOR-US: com_fastball component for Joomla!
CVE-2009-3442 (The Meta tags (aka Nodewords) module before 6.x-1.1 for Drupal does no ...)
	NOT-FOR-US: Nodewords module for Drupal
CVE-2009-3441 (Open Source Security Information Management (OSSIM) before 2.1.2 allow ...)
	NOT-FOR-US: Open Source Security Information Management
CVE-2009-3440 (Cross-site scripting (XSS) vulnerability in Open Source Security Infor ...)
	NOT-FOR-US: Open Source Security Information Management
CVE-2009-3439 (Multiple SQL injection vulnerabilities in Open Source Security Informa ...)
	NOT-FOR-US: Open Source Security Information Management
CVE-2009-3438 (SQL injection vulnerability in the JoomlaFacebook (com_facebook) compo ...)
	NOT-FOR-US: com_facebook component for Joomla!
CVE-2009-3437 (Cross-site scripting (XSS) vulnerability in the live preview feature i ...)
	NOT-FOR-US: Markdown Preview module for Drupal
CVE-2009-3436 (Multiple SQL injection vulnerabilities in forum.asp in MaxWebPortal al ...)
	NOT-FOR-US: MaxWebPortal
CVE-2009-3435 (Cross-site scripting (XSS) vulnerability in the variable editor in the ...)
	NOT-FOR-US: Devel module for Drupal
CVE-2009-3434 (SQL injection vulnerability in the Tupinambis (com_tupinambis) compone ...)
	NOT-FOR-US: com_tupinambis for Mambo and Joomla!
CVE-2009-3433 (Unspecified vulnerability in clsetup in the configuration utility in S ...)
	NOT-FOR-US: Sun Solaris Cluster
CVE-2009-3432 (Unspecified vulnerability in xscreensaver in Sun Solaris 10, and OpenS ...)
	NOT-FOR-US: Sun OpenSolaris xscreensaver
CVE-2009-3431 (Stack consumption vulnerability in Adobe Reader and Acrobat 9.1.3, 9.1 ...)
	NOT-FOR-US: Adobe Acrobat
CVE-2009-3892 (Cross-site scripting (XSS) vulnerability in Best Practical Solutions R ...)
	- request-tracker3.8 3.8.5-1 (bug #546829)
	- request-tracker3.6 3.6.9-1 (bug #546778)
	[etch] - request-tracker3.6 (vulnerable code not present)
	[lenny] - request-tracker3.6 3.6.7-5+lenny2
	NOTE: CVE id requested
CVE-2009-3430 (SQL injection vulnerability in login.php in Allomani Mobile 2.5 allows ...)
	NOT-FOR-US: Allomani Mobile
CVE-2009-3429 (Stack-based buffer overflow in Pirate Radio Destiny Media Player 1.61 ...)
	NOT-FOR-US: Pirate Radio Destiny Media Player
CVE-2009-3428 (Stack-based buffer overflow in Easy Music Player 1.0.0.2 allows remote ...)
	NOT-FOR-US: Easy Music Player
CVE-2009-3427 (Cross-site scripting (XSS) vulnerability in Kayako SupportSuite 3.50.0 ...)
	NOT-FOR-US: Kayako SupportSuite
CVE-2009-3426 (PHP remote file inclusion vulnerability in includes/file_manager/speci ...)
	NOT-FOR-US: MaxCMS
CVE-2009-3425 (Directory traversal vulnerability in includes/inc.thcms_admin_dirtree. ...)
	NOT-FOR-US: MaxCMS
CVE-2009-3424 (Multiple PHP remote file inclusion vulnerabilities in MaxCMS 3.11.20b, ...)
	NOT-FOR-US: MaxCMS
CVE-2009-3423 (login.php in Zenas PaoLink 1.0, when register_globals is enabled, allo ...)
	NOT-FOR-US: Zenas PaoLink
CVE-2009-3422 (login.php in Zenas PaoLiber 1.1, when register_globals is enabled, all ...)
	NOT-FOR-US: Zenas PaoLiber
CVE-2009-3421 (login.php in Zenas PaoBacheca Guestbook 2.1, when register_globals is ...)
	NOT-FOR-US: Zenas PaoBacheca Guestbook
CVE-2009-3420 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in th ...)
	NOT-FOR-US: Miniweb Publisher module
CVE-2009-3419 (SQL injection vulnerability in index.php in the Publisher module 2.0 f ...)
	NOT-FOR-US: Miniweb Publisher module
CVE-2009-3418 (Multiple SQL injection vulnerabilities in Plume CMS 1.2.3 allow (1) re ...)
	NOT-FOR-US: Plume CMS
CVE-2009-3417 (SQL injection vulnerability in the IDoBlog (com_idoblog) component 1.1 ...)
	NOT-FOR-US: IDoBlog component Joomla
CVE-2009-3416 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-3415 (Unspecified vulnerability in the Oracle OLAP component in Oracle Datab ...)
	NOT-FOR-US: Oracle Database
CVE-2009-3414 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...)
	NOT-FOR-US: Oracle Database
CVE-2009-3413 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...)
	NOT-FOR-US: Oracle Database
CVE-2009-3412 (Unspecified vulnerability in the Unzip component in Oracle Database 9. ...)
	NOT-FOR-US: Oracle Database and Oracle Application Server
CVE-2009-3411 (Unspecified vulnerability in the Oracle Data Pump component in Oracle ...)
	NOT-FOR-US: Oracle Database
CVE-2009-3410 (Unspecified vulnerability in the RDBMS component in Oracle Database 11 ...)
	NOT-FOR-US: Oracle Database
CVE-2009-3409 (Unspecified vulnerability in the PeopleSoft Enterprise HCM (TAM) compo ...)
	NOT-FOR-US: Oracle PeopleSoft Enterprise
CVE-2009-3408 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-3407 (Unspecified vulnerability in the Portal component in Oracle Applicatio ...)
	NOT-FOR-US: Oracle Application Server
CVE-2009-3406 (Unspecified vulnerability in the JD Edwards Tools component in Oracle ...)
	NOT-FOR-US: Oracle PeopleSoft Enterprise
CVE-2009-3405 (Unspecified vulnerability in the JD Edwards Tools component in Oracle ...)
	NOT-FOR-US: Oracle PeopleSoft Enterprise
CVE-2009-3404 (Unspecified vulnerability in the PeopleSoft PeopleTools & Enterpri ...)
	NOT-FOR-US: Oracle PeopleSoft Enterprise
CVE-2009-3403 (Unspecified vulnerability in the JRockit component in BEA Product Suit ...)
	NOT-FOR-US: BEA Product Suite
CVE-2009-3402 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-3401 (Unspecified vulnerability in the Oracle Applications Technology Stack ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-3400 (Unspecified vulnerability in the Oracle Advanced Benefits component in ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-3399 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...)
	NOT-FOR-US: BEA Product Suite
CVE-2009-3398
	REJECTED
CVE-2009-3397 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-3396 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...)
	NOT-FOR-US: BEA Product Suite
CVE-2009-3395 (Unspecified vulnerability in the AutoVue component in Oracle E-Busines ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-3394
	REJECTED
CVE-2009-3393 (Unspecified vulnerability in the Oracle Application Object Library com ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-3392 (Unspecified vulnerability in the Agile Engineering Data Management (ED ...)
	NOT-FOR-US: Oracle E-Business Suite
CVE-2009-4193 (Merkaartor 0.14 allows local users to append data to arbitrary files v ...)
	- merkaartor 0.14+svnfixes~20090912-2 (low; bug #548546)
	[lenny] - merkaartor (vulnerable code not present)
	NOTE: does not run as root so minor issue.
CVE-2009-XXXX [SA-CORE-2009-008]
	- drupal6 6.14-1 (bug #547140)
	[lenny] - drupal6 6.6-3lenny3
CVE-2009-3391
	RESERVED
CVE-2009-3390 (Multiple unspecified vulnerabilities in the (1) iscsiadm and (2) iscsi ...)
	NOT-FOR-US: iscsiadm and iscsitadm programs in Sun Solaris 10
CVE-2009-3389 (Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used i ...)
	{DSA-2045-1}
	- libtheora 1.1 (bug #572950)
	[etch] - libtheora (vulnerable code not present)
	- iceweasel 3.5.11-2
	[lenny] - iceweasel (Iceweasel in Lenny links against xulrunner)
	- xulrunner 1.9.1.6-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
	[lenny] - xulrunner (Video playback capabilities were added in 3.5)
CVE-2009-3388 (liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before ...)
	- liboggplay 0.2.1~git20091227-1.1 (bug #575743)
	- iceweasel 3.5.11-2
	[lenny] - iceweasel (Iceweasel in Lenny links against xulrunner)
	- xulrunner 1.9.1.6-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
	[lenny] - xulrunner (Video playback capabilities were added in 3.5)
CVE-2009-3387 (Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group re ...)
	- bugzilla 3.4.7.0-1
	[lenny] - bugzilla (Only Bugzilla >= 3.3 is affected)
CVE-2009-3386 (Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allo ...)
	- bugzilla 3.4.7.0-1
	[lenny] - bugzilla (Only Bugzilla >= 3.3 is affected)
CVE-2009-3385 (The mail component in Mozilla SeaMonkey before 1.1.19 does not properl ...)
	{DSA-1922-1}
	- xulrunner 1.9.0.15-1
	- iceweasel 3.5.11-2
	[lenny] - iceweasel (Iceweasel in Lenny links against xulrunner)
	- iceape 2.0-1
	[lenny] - iceape (stub package)
CVE-2009-3384 (Multiple unspecified vulnerabilities in WebKit in Apple Safari before ...)
	- webkit 1.1.17-2 (medium; bug #559759)
	[lenny] - webkit (Unmaintained in Lenny, only affects fringe apps)
	- qt4-x11 4:4.6.2-4 (bug #561760)
	[lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected
	[etch] - qt4-x11 (webkit support introduced in version 4.4)
	- kdelibs (vulnerable code not present)
	- kde4libs (vulnerable code not present)
	NOTE: http://trac.webkit.org/changeset/48725
CVE-2009-3383 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...)
	- xulrunner 1.9.1.4-1
	[lenny] - xulrunner (Only affects Firefox 3.5)
	[etch] - xulrunner (Only affects Firefox 3.5)
CVE-2009-3382 (layout/base/nsCSSFrameConstructor.cpp in the browser engine in Mozilla ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-3381 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	- xulrunner 1.9.1.4-1
	[lenny] - xulrunner (Only affects Firefox 3.5)
	[etch] - xulrunner (Only affects Firefox 3.5)
CVE-2009-3380 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-3379 (Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla ...)
	{DSA-1939-1}
	- libvorbisidec 1.0.2+svn18153-0.1 (bug #669196)
	[squeeze] - libvorbisidec (Minor issue, no dev-deps)
	- libvorbis 1.2.3-1 (medium)
	- xulrunner 1.9.1.4-1
	[lenny] - xulrunner (Only affects Firefox 3.5)
	[etch] - xulrunner (Only affects Firefox 3.5)
CVE-2009-3378 (The oggplay_data_handle_theora_frame function in media/liboggplay/src/ ...)
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (ogg support added in firefox 3.5)
	[lenny] - xulrunner (ogg support added in firefox 3.5)
	- liboggplay 0.2.1~git20091120-1 (medium; bug #552743)
CVE-2009-3377 (Multiple unspecified vulnerabilities in liboggz before cf5feeaab69b05e ...)
	- xulrunner 1.9.1.4-1
	[lenny] - xulrunner (Only affects Firefox 3.5)
	[etch] - xulrunner (Only affects Firefox 3.5)
	- liboggz 0.9.9-1 (low)
	[lenny] - liboggz (Too intrusive to backport, needs to be updated to 0.9.9. Requires additional rebuild of rev dep)
CVE-2009-3376 (Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey be ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-3375 (content/html/document/src/nsHTMLDocument.cpp in Mozilla Firefox 3.0.x ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Only affects Firefox 3.x)
CVE-2009-3374 (The XPCVariant::VariantDataToJS function in the XPCOM implementation i ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-3373 (Heap-based buffer overflow in the GIF image parser in Mozilla Firefox ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Only affects Firefox 3.x)
CVE-2009-3372 (Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey be ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-3371 (Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.4 all ...)
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (web workers introduced in firefox 3.5)
	[lenny] - xulrunner (web workers introduced in firefox 3.5)
	- kompozer (unimportant; bug #555326)
	NOTE: kompozer shares the browser engine with Firefox, but JavaScript is not enabled
CVE-2009-3370 (Mozilla Firefox before 3.0.15, and 3.5.x before 3.5.4, allows remote a ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-3368 (Cross-site scripting (XSS) vulnerability in the Hotel Booking Reservat ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-3367 (Multiple cross-site scripting (XSS) vulnerabilities in An image galler ...)
	NOT-FOR-US: An image gallery 1.0
CVE-2009-3366 (Directory traversal vulnerability in navigation.php in An image galler ...)
	NOT-FOR-US: An image gallery 1.0
CVE-2009-3365 (PHP remote file inclusion vulnerability in add-ons/modules/sysmanager/ ...)
	NOT-FOR-US: Aurora CMS
CVE-2009-3364 (Stack-based buffer overflow in FTPShell Client 4.1 RC2 allows remote F ...)
	NOT-FOR-US: FTPShell Client
CVE-2009-3363 (Cross-site scripting (XSS) vulnerability in the BUEditor module 5.x be ...)
	NOT-FOR-US: a module for Drupal
CVE-2009-3362 (PHP remote file inclusion vulnerability in printnews.php3 in SZNews 2. ...)
	NOT-FOR-US: SZNews
CVE-2009-3361 (SQL injection vulnerability in index.php in PHP-IPNMonitor allows remo ...)
	NOT-FOR-US: PHP-IPNMonitor
CVE-2009-3360 (Multiple cross-site scripting (XSS) vulnerabilities in Datemill 1.0 al ...)
	NOT-FOR-US: Datemill
CVE-2009-3359 (Multiple cross-site scripting (XSS) vulnerabilities in Match Agency Bi ...)
	NOT-FOR-US: Match Agency BiZ
CVE-2009-3358 (SQL injection vulnerability in profile.php in Tourism Scripts Adult Po ...)
	NOT-FOR-US: Tourism Scripts Adult
CVE-2009-3357 (Multiple SQL injection vulnerabilities in the Hotel Booking Reservatio ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-3356 (SQL injection vulnerability in index.php in Image voting 1.0 allows re ...)
	NOT-FOR-US: Image voting
CVE-2009-3355 (Cross-site scripting (XSS) vulnerability in profile.php in Datetopia B ...)
	NOT-FOR-US: Datetopia Buy Dating Site
CVE-2009-3354 (Multiple unspecified vulnerabilities in the Rest API module for Drupal ...)
	NOT-FOR-US: Rest API module for Drupal
CVE-2009-3353 (Multiple unspecified vulnerabilities in the Node2Node module for Drupa ...)
	NOT-FOR-US: Node2Node module for Drupal
CVE-2009-3352 (Multiple unspecified vulnerabilities in the quota_by_role (Quota by ro ...)
	NOT-FOR-US: quota_by_role (Quota by role) module for Drupal
CVE-2009-3351 (Multiple unspecified vulnerabilities in the Node Browser module for Dr ...)
	NOT-FOR-US: Node Browser module for Drupal
CVE-2009-3350 (Multiple unspecified vulnerabilities in the Subdomain Manager module f ...)
	NOT-FOR-US: Subdomain Manager module for Drupal
CVE-2009-3349 (SQL injection vulnerability in Datavore Gyro 5.0 allows remote attacke ...)
	NOT-FOR-US: Datavore Gyro
CVE-2009-3348 (Cross-site scripting (XSS) vulnerability in Datavore Gyro 5.0 allows r ...)
	NOT-FOR-US: Datavore Gyro
CVE-2009-3347 (Buffer overflow on the D-Link DIR-400 wireless router allows remote at ...)
	NOT-FOR-US: D-Link DIR-400 wireless router
CVE-2009-3346 (Unspecified vulnerability in SAP Crystal Reports Server 2008 allows re ...)
	NOT-FOR-US: SAP Crystal Reports Server
CVE-2009-3345 (Heap-based buffer overflow in SAP Crystal Reports Server 2008 has unkn ...)
	NOT-FOR-US: SAP Crystal Reports Server
CVE-2009-3344 (Unspecified vulnerability in SAP Crystal Reports Server 2008 on Window ...)
	NOT-FOR-US: SAP Crystal Reports Server
CVE-2009-3343 (SQL injection vulnerability in details.asp in HotWeb Rentals allows re ...)
	NOT-FOR-US: HotWeb Rentals
CVE-2009-3342 (SQL injection vulnerability in frontend/assets/ajax/checkusername.php ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-3341 (Buffer overflow on the Linksys WRT54GL wireless router allows remote a ...)
	NOT-FOR-US: Linksys WRT54GL wireless router
CVE-2009-3340 (Unspecified vulnerability in FreeSSHD 1.2.4 allows remote attackers to ...)
	NOT-FOR-US: FreeSSHD
CVE-2009-3339 (Unspecified vulnerability in McAfee Email and Web Security Appliance 5 ...)
	NOT-FOR-US: McAfee Email and Web Security Appliance
CVE-2009-3338 (Stack-based buffer overflow in EffectMatrix (E.M.) Magic Morph 1.95b a ...)
	NOT-FOR-US: Magic Morph
CVE-2009-3337 (SQL injection vulnerability in the Freetag (serendipity_event_freetag) ...)
	NOT-FOR-US: plugin for Serendipity
CVE-2009-3336 (SQL injection vulnerability in auction_details.php in PHP Pro Bid allo ...)
	NOT-FOR-US: PHP Pro Bid
CVE-2009-3335 (SQL injection vulnerability in the TurtuShout component 0.11 for Jooml ...)
	NOT-FOR-US: TurtuShout component 0.11 for Joomla!
CVE-2009-3334 (SQL injection vulnerability in the Lhacky! Extensions Cave Joomla! Int ...)
	NOT-FOR-US: Lhacky! Extensions Cave Joomla!
CVE-2009-3333 (PHP remote file inclusion vulnerability in koesubmit.php in the koeSub ...)
	NOT-FOR-US: koeSubmit (com_koesubmit) component 1.0 for Mambo
CVE-2009-3332 (SQL injection vulnerability in the JBudgetsMagic (com_jbudgetsmagic) c ...)
	NOT-FOR-US: JBudgetsMagic (com_jbudgetsmagic) component for Joomla!
CVE-2009-3331 (Multiple PHP remote file inclusion vulnerabilities in DDL CMS 1.0 allo ...)
	NOT-FOR-US: DDL CMS
CVE-2009-3330 (SQL injection vulnerability in index.php in cP Creator 2.7.1, when mag ...)
	NOT-FOR-US: cP Creator
CVE-2009-3329 (Stack-based buffer overflow in Winplot 1.25.0.1 allows user-assisted r ...)
	NOT-FOR-US: Winplot
CVE-2009-3328 (Cross-site scripting (XSS) vulnerability in sign.php in WX-Guestbook 1 ...)
	NOT-FOR-US: WX-Guestbook
CVE-2009-3327 (Multiple SQL injection vulnerabilities in WX-Guestbook 1.1.208 allow r ...)
	NOT-FOR-US: WX-Guestbook
CVE-2009-3326 (SQL injection vulnerability in index.php in CMScontrol Content Managem ...)
	NOT-FOR-US: CMScontrol
CVE-2009-3325 (SQL injection vulnerability in the Focusplus Developments Survey Manag ...)
	NOT-FOR-US: Survey Manager (com_surveymanager) component 1.5.0 for Joomla!
CVE-2009-3324 (PHP remote file inclusion vulnerability in include/prodler.class.php i ...)
	NOT-FOR-US: ProdLer
CVE-2009-3323 (Multiple PHP remote file inclusion vulnerabilities in BAnner ROtation ...)
	NOT-FOR-US: BAnner ROtation System mini (BAROSmini)
CVE-2009-3322 (The Siemens Gigaset SE361 WLAN router allows remote attackers to cause ...)
	NOT-FOR-US: Siemens Gigaset SE361 WLAN router
CVE-2009-3321 (SQL injection vulnerability in SaphpLesson 4.3, when magic_quotes_gpc ...)
	NOT-FOR-US: SaphpLesson
CVE-2009-3320 (Cross-site scripting (XSS) vulnerability in scrivi.php in Zenas PaoLin ...)
	NOT-FOR-US: Zenas PaoLink (aka Pao-Link)
CVE-2009-3319 (SQL injection vulnerability in poems.php in DCI-Designs Dawaween 1.03 ...)
	NOT-FOR-US: DCI-Designs Dawaween
CVE-2009-3318 (Directory traversal vulnerability in the Roland Breedveld Album (com_a ...)
	NOT-FOR-US: Roland Breedveld Album (com_album) component 1.14 for Joomla!
CVE-2009-3317 (PHP remote file inclusion vulnerability in pages/pageHeader.php in Ope ...)
	NOT-FOR-US: OpenSiteAdmin
CVE-2009-3316 (SQL injection vulnerability in the JReservation (com_jreservation) com ...)
	NOT-FOR-US: JReservation (com_jreservation) component 1.0 and 1.5 for Joomla!
CVE-2009-3315 (SQL injection vulnerability in admin/index.php in NeLogic Nephp Publis ...)
	NOT-FOR-US: NeLogic Nephp Publisher Enterprise
CVE-2009-3314 (SQL injection vulnerability in ladders.php in Elite Gaming Ladders 3.2 ...)
	NOT-FOR-US: Elite Gaming Ladders
CVE-2009-3313 (Multiple SQL injection vulnerabilities in FMyClone 2.3 allow remote at ...)
	NOT-FOR-US: FMyClone
CVE-2009-3312 (PHP remote file inclusion vulnerability in php/init.poll.php in phpPol ...)
	NOT-FOR-US: phpPollScript
CVE-2009-3311 (Cross-site scripting (XSS) vulnerability in index.php in RSSMediaScrip ...)
	NOT-FOR-US: RSSMediaScript
CVE-2009-3310 (SQL injection vulnerability in index.php in Zainu 1.0 allows remote at ...)
	NOT-FOR-US: Zainu
CVE-2009-3309 (SQL injection vulnerability in index.cfm in CF ShopKart 5.4 beta allow ...)
	NOT-FOR-US: CF ShopKart
CVE-2009-3308 (SQL injection vulnerability in show-cat.php in FanUpdate 2.2.1 allows ...)
	NOT-FOR-US: FanUpdate
CVE-2009-3307 (Multiple PHP remote file inclusion vulnerabilities in FSphp 0.2.1 allo ...)
	NOT-FOR-US: FSphp
CVE-2009-3306 (PHP remote file inclusion vulnerability in include/header.php in Clear ...)
	NOT-FOR-US: ClearSite
CVE-2009-3305 (Polipo 1.0.4, and possibly other versions, allows remote attackers to ...)
	{DSA-2002-1}
	- polipo 1.0.4-1.1 (low; bug #547047)
	[etch] - polipo (Minor issue)
	[lenny] - polipo (Minor issue)
CVE-2009-3304 (GForge 4.5.14, 4.7 rc2, and 4.8.2 allows local users to overwrite arbi ...)
	{DSA-1945-1}
	- gforge 4.8.2-1
CVE-2009-3303 (Cross-site scripting (XSS) vulnerability in www/help/tracker.php in GF ...)
	{DSA-1937-1}
	- gforge 4.8.1-3 (low)
CVE-2009-3302 (filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remot ...)
	{DSA-1995-1 DTSA-205-1}
	- openoffice.org 1:3.1.1-16
CVE-2009-3301 (Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) be ...)
	{DSA-1995-1 DTSA-205-1}
	- openoffice.org 1:3.1.1-16
CVE-2009-3300 (Multiple cross-site scripting (XSS) vulnerabilities in the Identity Pr ...)
	{DSA-1947-1}
	- shibboleth-sp2 2.3+dfsg-1 (medium; bug #555608)
	- shibboleth-sp 3.0.2+dfsg1-2 (medium)
	- opensaml2 2.3-1 (medium)
	NOTE: xmltooling also needs to be updated, changed in sid in 1.3.1-1
CVE-2009-3299 (Cross-site scripting (XSS) vulnerability in the resume blocktype in Ma ...)
	{DSA-1924-1}
	- mahara 1.1.7-1 (low)
	NOTE: http://mahara.org/interaction/forum/topic.php?id=1170
CVE-2009-3298 (Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote authentica ...)
	{DSA-1924-1}
	- mahara 1.1.7-1 (low)
	NOTE: http://mahara.org/interaction/forum/topic.php?id=1169
CVE-2009-3297 [mount race conditions]
	REJECTED
CVE-2009-3296 (Multiple integer overflows in tiffread.c in CamlImages 2.2 might allow ...)
	{DSA-1912-2 DSA-1912-1}
	- camlimages 1:3.0.1-5 (low)
	- advi 1.6.0-15 (low; bug #551282)
CVE-2009-3295 (The prep_reprocess_req function in kdc/do_tgs_req.c in the cross-realm ...)
	- krb5 1.7+dfsg-4 (medium)
	[lenny] - krb5 (code introduced in 1.7)
	[etch] - krb5 (code introduced in 1.7)
CVE-2009-3294 (The popen API function in TSRM/tsrm_win32.c in PHP before 5.2.11 and 5 ...)
	- php5 (win32-specific)
CVE-2009-3293 (Unspecified vulnerability in the imagecolortransparent function in PHP ...)
	- php5 (the php packages use the system libgd2)
	- php4 (the php packages use the system libgd2)
	NOTE: the transparent colours functionality is only on php5's bundled libgd2
CVE-2009-3292 (Unspecified vulnerability in PHP before 5.2.11, and 5.3.x before 5.3.1 ...)
	{DSA-1940-1}
	- php5 5.2.11.dfsg.1-1 (low)
	NOTE: unknown impact, it is related to missing sanity checks
	NOTE: when determining the length of sections of jpg headers
	NOTE: a missing limit on the nesting level of TIFF files, and
	NOTE: missing EOF checks, possibly leading to NULL dereferences
	NOTE: experimental is likely to be affected (as of 5.3.0)
CVE-2009-3291 (The php_openssl_apply_verification_policy function in PHP before 5.2.1 ...)
	{DSA-1940-1}
	- php5 5.2.11.dfsg.1-1 (low)
	[lenny] - php5 (rather unimportant)
	[etch] - php5 (rather unimportant)
	NOTE: seems to be related to handling of \0 on CN
	NOTE: not worth a dsa on its own, php doesn't verify certificates by default
	NOTE: experimental is likely to be affected (as of 5.3.0)
CVE-2009-3289 (The g_file_copy function in glib 2.0 sets the permissions of a target ...)
	- glib2.0 2.22.0-1 (low)
	[lenny] - glib2.0 2.16.6-3
	[etch] - glib2.0 (Minor issue)
CVE-2009-3287 (lib/thin/connection.rb in Thin web server before 1.2.4 relies on the X ...)
	- thin 1.2.4-1 (low)
CVE-2009-3285
	RESERVED
CVE-2009-3284 (Directory traversal vulnerability in phpspot PHP BBS, PHP Image Captur ...)
	NOT-FOR-US: phpspot Products
CVE-2009-3283 (Cross-site scripting (XSS) vulnerability in phpspot PHP BBS, PHP Image ...)
	NOT-FOR-US: phpspot Products
CVE-2009-3282 (Integer overflow in the vmx86 kernel extension in VMware Fusion before ...)
	NOT-FOR-US: VMware Fusion
CVE-2009-3281 (The vmx86 kernel extension in VMware Fusion before 2.0.6 build 196839 ...)
	NOT-FOR-US: VMware Fusion
CVE-2009-3280 (Integer signedness error in the find_ie function in net/wireless/scan. ...)
	- linux-2.6 2.6.31-1 (medium)
	- linux-2.6.24 (vulnerable code not present)
	[etch] - linux-2.6 (vulnerable code not present)
	[lenny] - linux-2.6 (vulnerable code not present)
CVE-2009-3279 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 062 ...)
	NOT-FOR-US: QNAP TS-239 Pro and TS-639
CVE-2009-3278 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 062 ...)
	NOT-FOR-US: QNAP TS-239 Pro and TS-639
CVE-2009-3277 (DataVault.Tesla/Impl/TypeSystem/AssociationHelper.cs in datavault allo ...)
	NOT-FOR-US: datavault
CVE-2009-3276 (Zoran/WinFormsAdvansed/RegeularDataToXML/Form1.cs in WinFormsAdvansed ...)
	NOT-FOR-US: NASD CORE.NET Terelik (aka corenet1)
CVE-2009-3275 (Blocks/Common/Src/Configuration/Manageability/Adm/AdmContentBuilder.cs ...)
	NOT-FOR-US: Microsoft patterns & practices Enterprise Library
CVE-2009-3274 (Mozilla Firefox 3.6a1, 3.5.3, 3.5.2, and earlier 3.5.x versions, and 3 ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.4-1
	[etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-3273 (iPhone Mail in Apple iPhone OS, and iPhone OS for iPod touch, does not ...)
	NOT-FOR-US: Apple iPhone
CVE-2009-3272 (Stack consumption vulnerability in WebKit.dll in WebKit in Apple Safar ...)
	- qt4-x11 (unimportant)
	[etch] - qt4-x11 (webkit support introduced in version 4.4)
	- kdelibs (unimportant)
	- kde4libs (unimportant)
	NOTE: browser crashers are not considered security-relevant
CVE-2009-3271 (Apple Safari on iPhone OS 3.0.1 allows remote attackers to cause a den ...)
	NOT-FOR-US: Apple Safari on iPhone OS 3.0.1
CVE-2009-3290 (The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in the ...)
	{DSA-1915-1 DSA-1907-1 DTSA-203-1}
	- linux-2.6 2.6.31-1 (medium)
	[etch] - linux-2.6 (introduced in 2.6.25)
	- linux-2.6.24 (introduced in 2.6.25)
	- kvm 85+dfsg-4.1 (high; bug #548975)
CVE-2009-3288 (The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2. ...)
	- linux-2.6 2.6.31-1 (low)
	[etch] - linux-2.6 (introduced in 2.6.28)
	[lenny] - linux-2.6 (introduced in 2.6.28)
	- linux-2.6.24 (introduced in 2.6.28)
CVE-2009-3286 (NFSv4 in the Linux kernel 2.6.18, and possibly other versions, does no ...)
	{DSA-1929-1 DSA-1928-1 DSA-1915-1}
	- linux-2.6 2.6.30-1 (low)
	- linux-2.6.24
CVE-2009-3270 (Microsoft Internet Explorer 7 through 7.0.6000.16711 allows remote att ...)
	NOT-FOR-US: Microsoft Internet Explorer 7
CVE-2009-3269 (Opera 9.52 and earlier allows remote attackers to cause a denial of se ...)
	NOT-FOR-US: Opera
CVE-2009-3268 (Google Chrome 1.0.154.48 and earlier allows remote attackers to cause ...)
	- chromium-browser (Only 1.x is affected)
	NOTE: browser denial of services not considered security-relevant
CVE-2009-3267 (Microsoft Internet Explorer 6 through 6.0.2900.2180, and 7.0.6000.1671 ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-3266 (Opera before 10.01 does not properly restrict HTML in a (1) RSS or (2) ...)
	NOT-FOR-US: Opera
CVE-2009-3265 (Cross-site scripting (XSS) vulnerability in Opera 9 and 10 allows remo ...)
	NOT-FOR-US: Opera
CVE-2009-3264 (The getSVGDocument method in Google Chrome before 3.0.195.21 omits an ...)
	- chromium-browser (Only 3.x is affected)
	- libv8 1.3.11+dfsg-1
	- webkit (libv8 issue)
CVE-2009-3263 (Cross-site scripting (XSS) vulnerability in Google Chrome 2.x and 3.x ...)
	- chromium-browser (Only 3.x is affected)
	- webkit (chrome-specific issue)
	NOTE: http://seclists.org/fulldisclosure/2009/Sep/201
	NOTE: other browsers are not affected (only chrome and opera)
CVE-2009-3262 (Cross-site scripting (XSS) vulnerability in the Self Service UI (SSUI) ...)
	NOT-FOR-US: IBM Tivoli Identity Manager
CVE-2009-3261 (update/update_0.1.2_to_0.2.php in LiveStreet 0.2 does not require admi ...)
	NOT-FOR-US: LiveStreet
CVE-2009-3260 (Cross-site scripting (XSS) vulnerability in LiveStreet 0.2 allows remo ...)
	NOT-FOR-US: LiveStreet
CVE-2009-3259 (Multiple SQL injection vulnerabilities in RASH Quote Management System ...)
	NOT-FOR-US: RASH Quote Management System (RQMS)
CVE-2009-3258 (vtiger CRM before 5.1.0 allows remote authenticated users, with certai ...)
	NOT-FOR-US: vtiger CRM
CVE-2009-3257 (vtiger CRM before 5.1.0 allows remote authenticated users to bypass th ...)
	NOT-FOR-US: vtiger CRM
CVE-2009-3256 (Cross-site scripting (XSS) vulnerability in include/ajax/blogInfo.php ...)
	NOT-FOR-US: LiveStreet
CVE-2009-3255 (SQL injection vulnerability in RASH Quote Management System (RQMS) 1.2 ...)
	NOT-FOR-US: RASH Quote Management System (RQMS)
CVE-2009-3254 (Multiple stack-based buffer overflows in Ultimate Player 1.56 beta all ...)
	NOT-FOR-US: Ultimate Player
CVE-2009-3253 (Stack-based buffer overflow in TriceraSoft Swift Ultralite 1.032 allow ...)
	NOT-FOR-US: TriceraSoft Swift Ultralite
CVE-2009-3252 (Multiple SQL injection vulnerabilities in news.php in Rock Band CMS 0. ...)
	NOT-FOR-US: Rock Band CMS
CVE-2009-3251 (include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remo ...)
	NOT-FOR-US: vtiger CRM
CVE-2009-3250 (The saveForwardAttachments procedure in the Compose Mail functionality ...)
	NOT-FOR-US: vtiger CRM
CVE-2009-3249 (Multiple directory traversal vulnerabilities in vtiger CRM 5.0.4 allow ...)
	NOT-FOR-US: vtiger CRM
CVE-2009-3248 (Cross-site request forgery (CSRF) vulnerability in the RSS module in v ...)
	NOT-FOR-US: vtiger CRM
CVE-2009-3247 (Cross-site scripting (XSS) vulnerability in the Activities module in v ...)
	NOT-FOR-US: vtiger CRM
CVE-2009-3246 (SQL injection vulnerability in spnews.php in MyBuxScript PTC-BUX allow ...)
	NOT-FOR-US: MyBuxScript PTC-BUX
CVE-2009-3245 (OpenSSL before 0.9.8m does not check for a NULL return value from bn_w ...)
	- openssl 0.9.8m-1 (low; bug #575433)
	[lenny] - openssl 0.9.8g-15+lenny7
CVE-2009-3244 (Heap-based buffer overflow in the SwDir.dll ActiveX control in Adobe S ...)
	NOT-FOR-US: Adobe ShockWave Player
CVE-2009-3243 (Unspecified vulnerability in the TLS dissector in Wireshark 1.2.0 and ...)
	- wireshark (Windows-only issue)
CVE-2009-3242 (Unspecified vulnerability in packet.c in the GSM A RR dissector in Wir ...)
	- wireshark 1.2.2-1 (low; bug #547704)
	[etch] - wireshark (Only affects 1.2.x)
	[lenny] - wireshark (Only affects 1.2.x)
CVE-2009-3241 (Unspecified vulnerability in the OpcUa (OPC UA) dissector in Wireshark ...)
	{DSA-1942-1}
	- wireshark 1.2.2-1 (low; bug #547704)
	[etch] - wireshark (Only affects >= 0.99.6)
	[lenny] - wireshark 1.0.2-3+lenny6
CVE-2009-3240 (Cross-site scripting (XSS) vulnerability in the Happy Linux XF-Section ...)
	NOT-FOR-US: module for XOOPS
CVE-2009-3239
	REJECTED
CVE-2009-3238 (The get_random_int function in drivers/char/random.c in the Linux kern ...)
	{DSA-1929-1 DSA-1928-1 DSA-1927-1}
	- linux-2.6 2.6.30-1 (low)
	- linux-2.6.24 (low)
CVE-2009-3237 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Applicati ...)
	{DSA-1966-1}
	- horde3 3.3.5+debian0-1 (low)
	[lenny] - horde3 3.2.2+debian0-2+lenny1
	NOTE: horde3 issue fixed in backport of latest DSA, DSA however did not fix etch
CVE-2009-3235 (Multiple stack-based buffer overflows in the Sieve plugin in Dovecot 1 ...)
	{DSA-1893-1 DSA-1892-1}
	- cyrus-imapd-2.2 2.2.13-17 (medium; bug #547947)
	- kolab-cyrus-imapd 2.2.13-5.1 (medium; bug #547712)
	- dovecot 1:1.2.1-1 (medium; bug #546656)
	NOTE: This is a different vulnerability than CVE-2009-2632, it covers a few additional buffer overflows
CVE-2009-3228 (The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem ...)
	{DSA-1929-1 DSA-1928-1 DSA-1927-1}
	- linux-2.6 2.6.31-1 (low)
	- linux-2.6.24 (low)
CVE-2009-3236 (The form library in Horde Application Framework 3.2 before 3.2.5 and 3 ...)
	{DSA-1897-1}
	- horde3 3.3.5+debian0-1 (medium; bug #547318)
CVE-2009-3234 (Buffer overflow in the perf_copy_attr function in kernel/perf_counter. ...)
	- linux-2.6 (Introduced in 2.6.31, fixed in Debian package before initial 2.6.31 upload)
	- linux-2.6.24 (Introduced in 2.6.31)
CVE-2009-3227 (Cross-site scripting (XSS) vulnerability in index.php in AlmondSoft Al ...)
	NOT-FOR-US: AlmondSoft Almond Classifieds Ads Enterprise
CVE-2009-3226 (SQL injection vulnerability in index.php in AlmondSoft Almond Classifi ...)
	NOT-FOR-US: AlmondSoft Almond Classifieds Ads Enterprise
CVE-2009-3225 (Multiple cross-site scripting (XSS) vulnerabilities in AlmondSoft Almo ...)
	NOT-FOR-US: AlmondSoft Almond Classifieds Wap and Pro
CVE-2009-3224 (SQL injection vulnerability in index.php in Super Mod System, when usi ...)
	NOT-FOR-US: Super Mod System
CVE-2009-3223 (SQL injection vulnerability in ppc-add-keywords.php in Inout Adserver ...)
	NOT-FOR-US: Inout Adserver
CVE-2009-3222 (Cross-site scripting (XSS) vulnerability in index.php in FreeWebScript ...)
	NOT-FOR-US: FreeWebScriptz Honest Traffic
CVE-2009-3221 (Stack-based buffer overflow in Audio Lib Player (ALP) allows remote at ...)
	NOT-FOR-US: Audio Lib Player (ALP)
CVE-2009-3220 (PHP remote file inclusion vulnerability in cp_html2txt.php in All In O ...)
	NOT-FOR-US: All In One Control Panel
CVE-2009-3219 (Directory traversal vulnerability in a.php in AR Web Content Manager ( ...)
	NOT-FOR-US: AR Web Content Manager
CVE-2009-3218 (SQL injection vulnerability in control/login.php in AR Web Content Man ...)
	NOT-FOR-US: AR Web Content Manager
CVE-2009-3217 (SQL injection vulnerability in the admin module in iWiccle 1.01 allows ...)
	NOT-FOR-US: iWiccle
CVE-2009-3216 (Multiple directory traversal vulnerabilities in iWiccle 1.01, when mag ...)
	NOT-FOR-US: iWiccle
CVE-2009-3215 (SQL injection vulnerability in IXXO Cart Standalone before 3.9.6.1, an ...)
	NOT-FOR-US: IXXO Cart Standalone
CVE-2009-3214 (Multiple stack-based buffer overflows in Photodex ProShow Gold 4.0.254 ...)
	NOT-FOR-US: Photodex ProShow Gold
CVE-2009-3213 (Stack-based buffer overflow in broid 1.0 Beta 3a allows remote attacke ...)
	NOT-FOR-US: broid
CVE-2009-3212 (SQL injection vulnerability in VivaPrograms Infinity Script 2.x.x, whe ...)
	NOT-FOR-US: VivaPrograms Infinity Script
CVE-2009-3211 (Directory traversal vulnerability in VivaPrograms Infinity Script 2.x. ...)
	NOT-FOR-US: VivaPrograms Infinity Script
CVE-2009-3210 (Multiple cross-site scripting (XSS) vulnerabilities in the Print (aka ...)
	NOT-FOR-US: Print (aka Printer, e-mail and PDF versions) Drupal module (3rd party module)
CVE-2009-3209 (SQL injection vulnerability in remove.php in PHP eMail Manager 3.3.0 a ...)
	NOT-FOR-US: PHP eMail Manager
CVE-2009-3208 (Multiple SQL injection vulnerabilities in phpfreeBB 1.0 allow remote a ...)
	NOT-FOR-US: phpfreeBB
CVE-2009-3207 (The ImageCache module 5.x before 5.x-2.5 and 6.x before 6.x-2.0-beta10 ...)
	NOT-FOR-US: ImageCache module for Drupal (3rd party module)
CVE-2009-3206 (Multiple cross-site scripting (XSS) vulnerabilities in the ImageCache ...)
	NOT-FOR-US: ImageCache module for Drupal (3rd party module)
CVE-2009-3205 (SQL injection vulnerability in main.php in CBAuthority allows remote a ...)
	NOT-FOR-US: CBAuthority
CVE-2009-3204 (Multiple cross-site scripting (XSS) vulnerabilities in Stiva Forum 1.0 ...)
	NOT-FOR-US: Stiva Forum
CVE-2009-3203 (SQL injection vulnerability in store.php in AJ Auction Pro OOPD 2.x al ...)
	NOT-FOR-US: AJ Auction Pro OOPD
CVE-2009-3202 (Cross-site scripting (XSS) vulnerability in search.php in ULoKI PHP Fo ...)
	NOT-FOR-US: ULoKI PHP Forum
CVE-2009-3201 (Integer overflow in Media Player Classic 6.4.9 allows user-assisted re ...)
	NOT-FOR-US: Media Player Classic
CVE-2009-3200 (The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 062 ...)
	NOT-FOR-US: QNAP TS-239 Pro and TS-639 Pro
CVE-2009-3199 (Uebimiau Webmail 3.2.0-2.0 stores sensitive information under the web ...)
	NOT-FOR-US: Uebimiau Webmail
CVE-2009-3198 (Cross-site scripting (XSS) vulnerability in search.php in JCE-Tech Aff ...)
	NOT-FOR-US: Affiliate Master
CVE-2009-3197 (Cross-site scripting (XSS) vulnerability in search.php in JCE-Tech PHP ...)
	NOT-FOR-US: JCE-Tech PHP Calendars
CVE-2009-3196 (Cross-site scripting (XSS) vulnerability in index.php in JCE-Tech PHP ...)
	NOT-FOR-US: JCE-Tech PHP Video Script
CVE-2009-3195 (Multiple cross-site scripting (XSS) vulnerabilities in JCE-Tech Auctio ...)
	NOT-FOR-US: JCE-Tech Auction RSS Content Script
CVE-2009-3194 (Cross-site scripting (XSS) vulnerability in index.php in JCE-Tech Sear ...)
	NOT-FOR-US: JCE-Tech SearchFeed Script
CVE-2009-3193 (SQL injection vulnerability in the DigiFolio (com_digifolio) component ...)
	NOT-FOR-US: component for Joomla!
CVE-2009-3192 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Li ...)
	NOT-FOR-US: LinkorCMS
CVE-2009-3191 (Multiple cross-site scripting (XSS) vulnerabilities in PAD Site Script ...)
	NOT-FOR-US: PAD Site Scripts
CVE-2009-3190 (Multiple SQL injection vulnerabilities in PAD Site Scripts 3.6 allow r ...)
	NOT-FOR-US: PAD Site Scripts
CVE-2009-3189 (Cross-site scripting (XSS) vulnerability in search.php in DigiOz Guest ...)
	NOT-FOR-US: DigiOz Guestbook
CVE-2009-3188 (PHP remote file inclusion vulnerability in save.php in phpSANE 0.5.0 a ...)
	NOT-FOR-US: phpSANE
CVE-2009-3187 (Cross-site scripting (XSS) vulnerability in gamelist.php in Stand Alon ...)
	NOT-FOR-US: Stand Alone Arcade
CVE-2009-3186 (Multiple cross-site scripting (XSS) vulnerabilities in VideoGirls BiZ ...)
	NOT-FOR-US: VideoGirls BiZ
CVE-2009-3185 (SQL injection vulnerability in plugin.php in the Crazy Star plugin 2.0 ...)
	NOT-FOR-US: Crazy Star plugin 2.0 for Discuz!
CVE-2009-3184 (Multiple SQL injection vulnerabilities in index.php in Pirates of The ...)
	NOT-FOR-US: Pirates of The Caribbean
CVE-2009-3233 (changetrack 4.3 allows local users to execute arbitrary commands via C ...)
	{DSA-1891-1}
	- changetrack 4.5-2 (medium; bug #546791)
CVE-2009-3183 (Heap-based buffer overflow in w in Sun Solaris 8 through 10, and OpenS ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-3166 (token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL ...)
	- bugzilla 3.4.7.0-1
	[lenny] - bugzilla (Only Bugzilla >= 3.3 is affected)
CVE-2009-3165 (SQL injection vulnerability in the Bug.create WebService function in B ...)
	{DSA-1913-1}
	- bugzilla 3.2.5.0-1 (low; bug #547132)
	[etch] - bugzilla (Vulnerable code not present)
	NOTE: Introduced in 2.23.4
CVE-2009-3182 (Unrestricted file upload vulnerability in admin/editor/filemanager/bro ...)
	NOT-FOR-US: Anantasoft Gazelle CMS
CVE-2009-3181 (Directory traversal vulnerability in Anantasoft Gazelle CMS 1.0 allows ...)
	NOT-FOR-US: Anantasoft Gazelle CMS
CVE-2009-3180 (Anantasoft Gazelle CMS 1.0 allows remote attackers to conduct a passwo ...)
	NOT-FOR-US: Anantasoft Gazelle CMS
CVE-2009-3179 (Multiple unspecified vulnerabilities in Symantec Altiris Deployment So ...)
	NOT-FOR-US: Symantec Altiris Deployment Solution
CVE-2009-3178 (Unspecified vulnerability in mm.exe in Symantec Altiris Deployment Sol ...)
	NOT-FOR-US: Symantec Altiris Deployment Solution
CVE-2009-3177 (Unspecified vulnerability in Kaspersky Online Scanner 7.0 has unknown ...)
	NOT-FOR-US: Kaspersky Online Scanner
CVE-2009-3176 (Buffer overflow in the ActiveX control in Novell iPrint Client 4.38 al ...)
	NOT-FOR-US: Novell iPrint Client
CVE-2009-3175 (Multiple SQL injection vulnerabilities in Model Agency Manager PRO (fo ...)
	NOT-FOR-US: Model Agency Manager PRO
CVE-2009-3174 (PHP remote file inclusion vulnerability in fonctions_racine.php in OBO ...)
	NOT-FOR-US: OBOphiX
CVE-2009-3173 (Unrestricted file upload vulnerability in admin/add_album.php in The R ...)
	NOT-FOR-US: Rat CMS Alpha
CVE-2009-3172 (Unspecified vulnerability in Hitachi Groupmax Groupware Server 07-00 t ...)
	NOT-FOR-US: Hitachi Groupmax Groupware Server
CVE-2009-3171 (Multiple cross-site scripting (XSS) vulnerabilities in Anantasoft Gaze ...)
	NOT-FOR-US: Anantasoft Gazelle CMS
CVE-2009-3170 (Stack-based buffer overflow in AIMP2 Audio Converter 2.53 (build 330) ...)
	NOT-FOR-US: AIMP2 Audio Converter
CVE-2009-3169 (Multiple unspecified vulnerabilities in Hitachi JP1/File Transmission ...)
	NOT-FOR-US: Hitachi
CVE-2009-3168 (Mevin Productions Basic PHP Events Lister 2.0 does not properly restri ...)
	NOT-FOR-US: Mevin Productions Basic PHP Events Lister
CVE-2009-3167 (Directory traversal vulnerability in index.php in Anantasoft Gazelle C ...)
	NOT-FOR-US: Anantasoft Gazelle CMS
CVE-2009-3232 (pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GN ...)
	- pam 1.0.1-10 (bug #519927)
	[lenny] - pam (pam-auth-update not yet present)
	[etch] - pam (pam-auth-update not yet present)
CVE-2009-3229 (The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8 ...)
	{DSA-1900-1}
	- postgresql-8.4 8.4.1-1
	- postgresql-8.3 8.3.8-1
	- postgresql-8.1
	- postgresql-7.4
CVE-2009-3230 (The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8 ...)
	{DSA-1900-1}
	- postgresql-8.4 8.4.1-1
	- postgresql-8.3 8.3.8-1
	- postgresql-8.1
	- postgresql-7.4
CVE-2009-3231 (The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 befor ...)
	{DSA-1900-1}
	- postgresql-8.4 8.4.1-1
	- postgresql-8.3 8.3.8-1
	- postgresql-8.1
	- postgresql-7.4
CVE-2009-3164 (Unspecified vulnerability in the IPv6 networking stack in Sun Solaris ...)
	NOT-FOR-US: Solaris
CVE-2009-3163 (Multiple format string vulnerabilities in lib/silcclient/command.c in ...)
	{DSA-1879-1}
	- silc-toolkit 1.1.10-1 (medium)
	- silc-client 1.1-2 (medium)
	- silc-server 1.1.2-1 (medium)
	NOTE: silc-client/silc-server use libsilc from silc-toolkit since 1.1-2
CVE-2009-3145
	REJECTED
CVE-2009-3144
	REJECTED
CVE-2009-3143
	REJECTED
CVE-2009-3142
	REJECTED
CVE-2009-3141
	REJECTED
CVE-2009-3140
	REJECTED
CVE-2009-3139
	REJECTED
CVE-2009-3138
	REJECTED
CVE-2009-3137
	REJECTED
CVE-2009-3136
	REJECTED
CVE-2009-3135 (Stack-based buffer overflow in Microsoft Office Word 2002 SP3 and 2003 ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3134 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3133 (Microsoft Office Excel 2002 SP3, Office 2004 and 2008 for Mac, and Ope ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3132 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3131 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3130 (Heap-based buffer overflow in Microsoft Office Excel 2002 SP3, Office ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3129 (Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Offic ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3128 (Microsoft Office Excel 2002 SP3 and 2003 SP3, and Office Excel Viewer ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3127 (Microsoft Office Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-3126 (Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-3162 (Cross-site scripting (XSS) vulnerability in Multi Website 1.5 allows r ...)
	NOT-FOR-US: Multi Website
CVE-2009-3161 (The server in IBM WebSphere MQ 7.0.0.1, 7.0.0.2, and 7.0.1.0 allows at ...)
	NOT-FOR-US: IBM WebSphere MQ
CVE-2009-3160 (IBM WebSphere MQ 6.x through 6.0.2.7, 7.0.0.0, 7.0.0.1, 7.0.0.2, and 7 ...)
	NOT-FOR-US: IBM WebSphere MQ
CVE-2009-3159 (Unspecified vulnerability in the rriDecompress function in IBM WebSphe ...)
	NOT-FOR-US: IBM WebSphere MQ
CVE-2009-3158 (admin/files.php in simplePHPWeb 0.2 does not require authentication, w ...)
	NOT-FOR-US: simplePHPWeb
CVE-2009-3157 (Cross-site scripting (XSS) vulnerability in the Calendar module 6.x be ...)
	NOT-FOR-US: Calendar module for Drupal
CVE-2009-3156 (Cross-site scripting (XSS) vulnerability in the Date Tools sub-module ...)
	NOT-FOR-US: Date module for Drupal
CVE-2009-3155 (Cross-site scripting (XSS) vulnerability in gmap.php in the Almond Cla ...)
	NOT-FOR-US: Almond Classifieds component for Joomla!
CVE-2009-3154 (SQL injection vulnerability in the Almond Classifieds (com_aclassf) co ...)
	NOT-FOR-US: Almond Classifieds component for Joomla!
CVE-2009-3153 (Multiple cross-site scripting (XSS) vulnerabilities in x10 MP3 Search ...)
	NOT-FOR-US: x10 MP3 Search engine
CVE-2009-3152 (Multiple cross-site scripting (XSS) vulnerabilities in becommunity/com ...)
	NOT-FOR-US: NTSOFT BBS E-Market Professional
CVE-2009-3151 (Directory traversal vulnerability in actions/downloadFile.php in Ultri ...)
	NOT-FOR-US: Ultrize TimeSheet
CVE-2009-3150 (SQL injection vulnerability in index.php in Multi Website 1.5 allows r ...)
	NOT-FOR-US: Multi Website
CVE-2009-3149 (Directory traversal vulnerability in _css/js.php in Elgg 1.5, when mag ...)
	- elgg (bug #526197)
CVE-2009-3148 (Multiple SQL injection vulnerabilities in PortalXP Teacher Edition 1.2 ...)
	NOT-FOR-US: PortalXP Teacher Edition
CVE-2009-3147 (Cross-site scripting (XSS) vulnerability in showproduct.php in ReviewP ...)
	NOT-FOR-US: ReviewPost Pro
CVE-2009-3146 (Cross-site scripting (XSS) vulnerability in search_advance.php in Arti ...)
	NOT-FOR-US: ArticleFriend Script
CVE-2009-3125 (SQL injection vulnerability in the Bug.search WebService function in B ...)
	- bugzilla 3.4.7.0-1
	[lenny] - bugzilla (Only Bugzilla >= 3.3 is affected)
CVE-2009-3124 (Directory traversal vulnerability in get_message.cgi in QuarkMail allo ...)
	NOT-FOR-US: QuarkMail
CVE-2009-3123 (Directory traversal vulnerability in gallery/gallery.php in Wap-Motor ...)
	NOT-FOR-US: Wap-Motor
CVE-2009-3122 (The Ajax Table module 5.x for Drupal does not perform access control, ...)
	NOT-FOR-US: Ajax Table module for Drupal
CVE-2009-3121 (Cross-site scripting (XSS) vulnerability in the Ajax Table module 5.x ...)
	NOT-FOR-US: Ajax Table module for Drupal
CVE-2009-3120 (Cross-site scripting (XSS) vulnerability in public/index.php in BIGACE ...)
	NOT-FOR-US: BIGACE Web CMS
CVE-2009-3119 (SQL injection vulnerability in screen.php in the Download System mSF ( ...)
	NOT-FOR-US: PHP-Fusion
CVE-2009-3118 (SQL injection vulnerability in mod/poll/comment.php in the vote module ...)
	NOT-FOR-US: Danneo CMS
CVE-2009-3117 (SQL injection vulnerability in category.php in Snow Hall Silurus Syste ...)
	NOT-FOR-US: Snow Hall Silurus System
CVE-2009-3116 (SQL injection vulnerability in index.php in Uiga Church Portal allows ...)
	NOT-FOR-US: Uiga Church Portal
CVE-2009-3115 (SolarWinds TFTP Server 9.2.0.111 and earlier allows remote attackers t ...)
	NOT-FOR-US: SolarWinds TFTP Server
CVE-2009-3114 (The RSS reader widget in IBM Lotus Notes 8.0 and 8.5 saves items from ...)
	NOT-FOR-US: IBM Lotus Notes
CVE-2009-3113 (Unspecified vulnerability in OXID eShop Professional, Enterprise, and ...)
	NOT-FOR-US: OXID eShop Professional
CVE-2009-3112 (Unspecified vulnerability in OXID eShop Professional, Enterprise, and ...)
	NOT-FOR-US: OXID eShop Professional
CVE-2009-3111 (The rad_decode function in FreeRADIUS before 1.1.8 allows remote attac ...)
	- freeradius 2.0.0-1 (low)
CVE-2009-3110 (Race condition in the file transfer functionality in Symantec Altiris ...)
	NOT-FOR-US: Symantec Altiris Deployment Solution
CVE-2009-3109 (Unspecified vulnerability in the AClient agent in Symantec Altiris Dep ...)
	NOT-FOR-US: Symantec Altiris Deployment Solution
CVE-2009-3108 (The Aclient GUI in Symantec Altiris Deployment Solution 6.9.x before 6 ...)
	NOT-FOR-US: Symantec Altiris Deployment Solution
CVE-2009-3107 (Symantec Altiris Deployment Solution 6.9.x before 6.9 SP3 Build 430 do ...)
	NOT-FOR-US: Symantec Altiris Deployment Solution
CVE-2009-3106 (The Servlet Engine/Web Container component in IBM WebSphere Applicatio ...)
	NOT-FOR-US: IBM WebSphere Application Server
CVE-2009-3105 (Cross-site scripting (XSS) vulnerability in IBM Lotus iNotes (aka Domi ...)
	NOT-FOR-US: IBM Lotus iNotes
CVE-2009-3104 (Unspecified vulnerability in Symantec Norton AntiVirus 2005 through 20 ...)
	NOT-FOR-US: Symantec Norton AntiVirus
CVE-2009-3103 (Array index error in the SMBv2 protocol implementation in srv2.sys in ...)
	NOT-FOR-US: Microsoft
CVE-2009-3102 (The doHotCopy subroutine in socket-server.pl in Zmanda Recovery Manage ...)
	NOT-FOR-US: Zmanda Recovery Manager
CVE-2009-3101 (xscreensaver (aka Gnome-XScreenSaver) in Sun Solaris 10, and OpenSolar ...)
	- xscreensaver (OpenSolaris-specific, patch 120094-22 causes this)
CVE-2009-3100 (xscreensaver (aka Gnome-XScreenSaver) in Sun Solaris 9 and 10, OpenSol ...)
	- xscreensaver (OpenSolaris-specific, patch 120094-22 causes this)
CVE-2009-3099 (Unspecified vulnerability in HP OpenView Operations Manager 8.1 on Win ...)
	NOT-FOR-US: HP OpenView Operations Manager
CVE-2009-3098 (Unspecified vulnerability in the Portal in HP Operations Dashboard 2.1 ...)
	NOT-FOR-US: HP Operations Dashboard
CVE-2009-3097 (Multiple unspecified vulnerabilities in HP Performance Insight 5.3 on ...)
	NOT-FOR-US: HP Performance Insight
CVE-2009-3096 (Multiple unspecified vulnerabilities in HP Performance Insight 5.3 all ...)
	NOT-FOR-US: HP Performance Insight
CVE-2009-3095 (The mod_proxy_ftp module in the Apache HTTP Server allows remote attac ...)
	{DSA-1934-1}
	- apache2 2.2.13-2 (low; bug #545951)
	[etch] - apache2 (minor issue)
	[lenny] - apache2 2.2.9-10+lenny5 (low; bug #545951)
	NOTE: The attacker needs to have valid credentials for the FTP server, which
	NOTE: makes this irrelevant in most cases. Based on a VulnDisco commercial 0day.
CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the ...)
	{DSA-1934-1}
	- apache2 2.2.13-2 (low; bug #545951)
	[etch] - apache2 (minor issue)
	[lenny] - apache2 2.2.9-10+lenny5 (low; bug #545951)
CVE-2009-3093 (Unspecified vulnerability on the ASUS WL-500W wireless router has unkn ...)
	NOT-FOR-US: ASUS WL-500W
CVE-2009-3092 (Buffer overflow on the ASUS WL-500W wireless router has unknown impact ...)
	NOT-FOR-US: ASUS WL-500W
CVE-2009-3091 (Unspecified vulnerability on the ASUS WL-330gE has unknown impact and ...)
	NOT-FOR-US: ASUS WL-330gE
CVE-2009-3090 (Unspecified vulnerability in IBM Tivoli Directory Server (TDS) 6.0 on ...)
	NOT-FOR-US: IBM Tivoli Directory Server
CVE-2009-3089 (IBM Tivoli Directory Server (TDS) 6.0 allows remote attackers to cause ...)
	NOT-FOR-US: IBM Tivoli Directory Server
CVE-2009-3088 (Heap-based buffer overflow in ibmdiradm in IBM Tivoli Directory Server ...)
	NOT-FOR-US: IBM Tivoli Directory Server
CVE-2009-3087 (Unspecified vulnerability in nserver.exe in the server in IBM Lotus Do ...)
	NOT-FOR-US: IBM Lotus Domino
CVE-2009-3086 (A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x be ...)
	{DSA-2260-1}
	- rails 2.2.3-1 (low; bug #545063)
	[etch] - rails (Minor issue)
CVE-2009-3085 (The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not ...)
	- pidgin 2.6.2-1 (low)
	[lenny] - pidgin (Minor issue)
CVE-2009-3084 (The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c ...)
	{DSA-2038-1}
	- pidgin 2.6.2-1 (low)
CVE-2009-3083 (The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the ...)
	{DSA-2038-1}
	- pidgin 2.6.2-1 (low)
CVE-2009-3082 (SQL injection vulnerability in wcategory.php in Snow Hall Silurus Syst ...)
	NOT-FOR-US: Snow Hall Silurus System
CVE-2009-3081 (SQL injection vulnerability in index.php in Uiga Church Portal allows ...)
	NOT-FOR-US: Uiga Church Portal
CVE-2009-3079 (Unspecified vulnerability in Mozilla Firefox before 3.0.14, and 3.5.x ...)
	{DSA-1886-1}
	- iceweasel 3.0.14-1
	[etch] - iceweasel (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-3078 (Visual truncation vulnerability in Mozilla Firefox before 3.0.14, and ...)
	{DSA-1885-1}
	- xulrunner 1.9.0.14-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-3077 (Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not proper ...)
	{DSA-1885-1}
	- xulrunner 1.9.0.14-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-3076 (Mozilla Firefox before 3.0.14 does not properly implement certain dial ...)
	{DSA-1885-1}
	- xulrunner 1.9.0.14-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-3075 (Multiple unspecified vulnerabilities in the JavaScript engine in Mozil ...)
	{DSA-2025-1 DSA-1885-1}
	- xulrunner 1.9.0.14-1
	- icedove 3.0~rc2-2
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-3074 (Unspecified vulnerability in the JavaScript engine in Mozilla Firefox ...)
	{DSA-1885-1}
	- xulrunner 1.9.0.14-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-3073 (Unspecified vulnerability in the JavaScript engine in Mozilla Firefox ...)
	- xulrunner (Only affects Firefox 3.5.x)
	[lenny] - xulrunner (Only affects Firefox 3.5.x)
	[etch] - xulrunner (Only affects Firefox 3.5.x)
CVE-2009-3072 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-2025-1 DSA-1885-1}
	- xulrunner 1.9.0.14-1
	- icedove 3.0~rc2-2
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-3071 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-1885-1}
	- xulrunner 1.9.0.14-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-3070 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
	{DSA-1885-1}
	- xulrunner 1.9.0.14-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-3069 (Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5 ...)
	- xulrunner (Only affects Firefox 3.5.x)
	[lenny] - xulrunner (Only affects Firefox 3.5.x)
	[etch] - xulrunner (Only affects Firefox 3.5.x)
CVE-2009-3068 (Unrestricted file upload vulnerability in the RoboHelpServer Servlet ( ...)
	NOT-FOR-US: Adobe RoboHelp Server
CVE-2009-3067 (Cross-site scripting (XSS) vulnerability in index.php in Reservation M ...)
	NOT-FOR-US: Reservation Manager
CVE-2009-3066 (Multiple cross-site scripting (XSS) vulnerabilities in PropertyWatchSc ...)
	NOT-FOR-US: PropertyWatchScript.com Property Watch
CVE-2009-3065 (PHP remote file inclusion vulnerability in editor/edit_htmlarea.php in ...)
	NOT-FOR-US: Ve-EDIT
CVE-2009-3064 (Directory traversal vulnerability in debugger/debug_php.php in Ve-EDIT ...)
	NOT-FOR-US: Ve-EDIT
CVE-2009-3063 (SQL injection vulnerability in the Game Server (com_gameserver) compon ...)
	NOT-FOR-US: Joomla!
CVE-2009-3062 (SQL injection vulnerability in message_box.php in OSI Codes PHP Live! ...)
	NOT-FOR-US: OSI Codes PHP Live!
CVE-2009-3061 (SQL injection vulnerability in lesson.php in Alqatari Q R Script 1.0 a ...)
	NOT-FOR-US: Alqatari Q R Script
CVE-2009-3060 (Multiple cross-site scripting (XSS) vulnerabilities in Joker Board (ak ...)
	NOT-FOR-US: Joker Board
CVE-2009-3059 (Multiple SQL injection vulnerabilities in Joker Board (aka JBoard) 2.0 ...)
	NOT-FOR-US: Joker Board
CVE-2009-3058 (Stack-based buffer overflow in akPlayer 1.9.0 allows remote attackers ...)
	NOT-FOR-US: akPlayer
CVE-2009-3057 (Multiple cross-site scripting (XSS) vulnerabilities in AOM Software Be ...)
	NOT-FOR-US: AOM Software Beex
CVE-2009-3056 (PHP remote file inclusion vulnerability in include/engine/content/elem ...)
	NOT-FOR-US: KingCMS
CVE-2009-3055 (PHP remote file inclusion vulnerability in engine/api/api.class.php in ...)
	NOT-FOR-US: DataLife Engine
CVE-2009-3054 (SQL injection vulnerability in the Artetics.com Art Portal (com_artpor ...)
	NOT-FOR-US: Joomla!
CVE-2009-3053 (Directory traversal vulnerability in the Agora (com_agora) component 3 ...)
	NOT-FOR-US: Joomla!
CVE-2009-3052 (SQL injection vulnerability in root/includes/prime_quick_style.php in ...)
	NOT-FOR-US: Prime Quick Style addon
CVE-2009-3051 (Multiple format string vulnerabilities in lib/silcclient/client_entry. ...)
	{DSA-1879-1}
	- silc-toolkit 1.1.10-1 (medium)
	- silc-client 1.1-2 (medium)
	- silc-server 1.1.2-1 (medium)
	NOTE: silc-client/silc-server use libsilc from silc-toolkit since 1.1-2
CVE-2009-3050 (Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1 ...)
	- htmldoc 1.8.27-4.1 (low; bug #537637)
	[etch] - htmldoc (Minor issue)
	[lenny] - htmldoc (Minor issue)
CVE-2009-3049 (Opera before 10.00 does not properly display all characters in Interna ...)
	NOT-FOR-US: Opera
CVE-2009-3048 (Opera before 10.00 on Linux, Solaris, and FreeBSD does not properly im ...)
	NOT-FOR-US: Opera
CVE-2009-3047 (Opera before 10.00, when a collapsed address bar is used, does not pro ...)
	NOT-FOR-US: Opera
CVE-2009-3046 (Opera before 10.00 does not check all intermediate X.509 certificates ...)
	NOT-FOR-US: Opera
CVE-2009-3045 (Opera before 10.00 trusts root X.509 certificates signed with the MD2 ...)
	NOT-FOR-US: Opera
CVE-2009-3044 (Opera before 10.00 does not properly handle a (1) '\0' character or (2 ...)
	NOT-FOR-US: Opera
CVE-2009-3043 (The tty_ldisc_hangup function in drivers/char/tty_ldisc.c in the Linux ...)
	- linux-2.6 2.6.31-1 (medium)
	[etch] - linux-2.6 (vulnerable code introduced in 2.6.31)
	[lenny] - linux-2.6 (vulnerable code introduced in 2.6.31)
	- linux-2.6.24 (vulnerable code introduced in 2.6.31)
CVE-2009-3039
	RESERVED
CVE-2009-3038 (A certain ActiveX control in lnresobject.dll 7.1.1.119 in the Research ...)
	NOT-FOR-US: ActiveX
CVE-2009-3037 (Buffer overflow in xlssr.dll in the Autonomy KeyView XLS viewer (aka F ...)
	NOT-FOR-US: Autonomy KeyView XLS viewer
CVE-2009-3036 (Cross-site scripting (XSS) vulnerability in the console in Symantec IM ...)
	NOT-FOR-US: Symantec IM Manager
CVE-2009-3035 (The web console in Symantec Altiris Notification Server 6.0.x before 6 ...)
	NOT-FOR-US: Symantec Altiris Notification Server
CVE-2009-3034
	REJECTED
CVE-2009-3033 (Buffer overflow in the RunCmd method in the Altiris eXpress NS Console ...)
	NOT-FOR-US: ActiveX
CVE-2009-3032 (Integer overflow in kvolefio.dll 8.5.0.8339 and 10.5.0.0 in the Autono ...)
	NOT-FOR-US: Autonomy KeyView
CVE-2009-3031 (Stack-based buffer overflow in the BrowseAndSaveFile method in the Alt ...)
	NOT-FOR-US: Symantec Altiris Notification Server
CVE-2009-3030 (Cross-site scripting (XSS) vulnerability in Symantec SecurityExpressio ...)
	NOT-FOR-US: Symantec SecurityExpressions Audit and Compliance Server
CVE-2009-3029 (Cross-site scripting (XSS) vulnerability in the console in Symantec Se ...)
	NOT-FOR-US: Symantec SecurityExpressions Audit and Compliance Server
CVE-2009-3028 (The Altiris eXpress NS SC Download ActiveX control in AeXNSPkgDLLib.dl ...)
	NOT-FOR-US: Symantec
CVE-2009-3027 (VRTSweb.exe in VRTSweb in Symantec Backup Exec Continuous Protection S ...)
	NOT-FOR-US: Symantec Backup Exec Continuous Protection Server
CVE-2009-3025 (Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers to c ...)
	- pidgin 2.6.1-1 (low)
	[lenny] - pidgin (Vulnerable code introduced in 2.6.0)
	[etch] - pidgin (Vulnerable code introduced in 2.6.0)
CVE-2009-3024 (The verify_hostname_of_cert function in the certificate checking featu ...)
	- libio-socket-ssl-perl 1.30-1
	[lenny] - libio-socket-ssl-perl 1.16-1+lenny1
	[etch] - libio-socket-ssl-perl (Affected functionality introduced in 1.14)
CVE-2009-3023 (Buffer overflow in the FTP Service in Microsoft Internet Information S ...)
	NOT-FOR-US: Microsoft IIS
CVE-2009-3022 (Cross-site request forgery (CSRF) vulnerability in bingo!CMS 1.2 and e ...)
	NOT-FOR-US: bingo!CMS
CVE-2009-3021 (Cross-site scripting (XSS) vulnerability in Site Calendar 'mycaljp' pl ...)
	NOT-FOR-US: Site Calendar 'mycaljp' plugin
CVE-2009-3020 (win32k.sys in Microsoft Windows Server 2003 SP2 allows remote attacker ...)
	NOT-FOR-US: Microsoft Windows Server
CVE-2009-3019 (Microsoft Internet Explorer 6 on Windows XP SP2 and SP3, and Internet ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-3018 (Maxthon Browser 3.0.0.145 Alpha with Ultramode does not properly block ...)
	NOT-FOR-US: Maxthon Browser
CVE-2009-3017 (Orca Browser 1.2 build 5 does not properly block data: URIs in Refresh ...)
	NOT-FOR-US: Orca Browser
CVE-2009-3016 (Apple Safari 4.0.3 does not properly block javascript: and data: URIs ...)
	NOT-FOR-US: Apple Safari
CVE-2009-3015 (QtWeb 3.0 Builds 001 and 003 does not properly block javascript: and d ...)
	- qt4-x11 (unimportant)
	- kdelibs (unimportant)
	- kde4libs (unimportant)
	NOTE: This is a web site issue (open redirector), not a browser problem.
CVE-2009-3014 (Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; S ...)
	NOTE: This is a web site issue (open redirector), not a browser problem.
	- iceweasel (unimportant)
CVE-2009-3013 (Opera 9.52 and earlier, and 10.00 Beta 3 Build 1699, does not properly ...)
	NOT-FOR-US: Opera
CVE-2009-3012 (Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre do ...)
	NOTE: This is a web site issue (open redirector), not a browser problem.
CVE-2009-3011 (Google Chrome 1.0.154.48 and earlier, 2.0.172.28, 2.0.172.37, and 3.0. ...)
	NOT-FOR-US: Unclear, historic Chrome issue
CVE-2009-3010 (Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; S ...)
	NOTE: This is a web site issue (open redirector), not a browser problem.
	- iceweasel (unimportant)
CVE-2009-3009 (Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2 ...)
	{DSA-1887-1}
	- rails 2.2.3-1 (low; bug #545063)
	[etch] - rails (Unsupported)
CVE-2009-3008 (K-Meleon 1.5.3 allows context-dependent attackers to spoof the address ...)
	NOT-FOR-US: K-Meleon
CVE-2009-3007 (Mozilla Firefox 3.5.1 and SeaMonkey 1.1.17, and Flock 2.5.1, allow con ...)
	{DSA-1922-1}
	- xulrunner 1.9.1.3-3 (low)
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- iceape 2.0-1 (low)
	[etch] - iceape (Etch Packages no longer covered by security support)
	[lenny] - iceape (Iceape from Lenny only provides NSS libs)
	- webkit (proof-of-concept did not work)
CVE-2009-3006 (Maxthon Browser 2.5.3.80 UNICODE allows remote attackers to spoof the ...)
	NOT-FOR-US: Maxthon Browser
CVE-2009-3005 (Lunascape 5.1.3 and 5.1.4 allows remote attackers to spoof the address ...)
	NOT-FOR-US: Lunascape
CVE-2009-3004 (Avant Browser 11.7 Builds 35 and 36 allows remote attackers to spoof t ...)
	NOT-FOR-US: Avant Browser
CVE-2009-3003 (Microsoft Internet Explorer 6 through 8 allows remote attackers to spo ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-3002 (The Linux kernel before 2.6.31-rc7 does not initialize certain data st ...)
	{DSA-1929-1 DSA-1928-1 DSA-1915-1}
	- linux-2.6 2.6.30-7 (low)
	- linux-2.6.24
	NOTE: minor info leaks
CVE-2009-3001 (The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2. ...)
	{DSA-1929-1 DSA-1928-1 DSA-1915-1}
	- linux-2.6 2.6.30-7 (low)
	- linux-2.6.24
	NOTE: minor info leak
CVE-2009-3000 (The sockfs module in the kernel in Sun Solaris 10 and OpenSolaris snv_ ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2999 (The com.android.phone process in Android 1.5 CRBxx allows remote attac ...)
	NOT-FOR-US: Android
CVE-2009-XXXX [serveez: buffer overflow in header parser]
	- serveez (low)
	[lenny] - serveez 0.1.5-2.1+lenny1
	[etch] - serveez 0.1.5-2+etch1
CVE-2009-2998 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...)
	NOT-FOR-US: Adobe
CVE-2009-2997 (Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1. ...)
	NOT-FOR-US: Adobe
CVE-2009-2996 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...)
	NOT-FOR-US: Adobe
CVE-2009-2995 (Integer overflow in Adobe Acrobat 7.x before 7.1.4, 8.x before 8.1.7, ...)
	NOT-FOR-US: Adobe
CVE-2009-2994 (Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x befo ...)
	NOT-FOR-US: Adobe
CVE-2009-2993 (The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before ...)
	NOT-FOR-US: Adobe
CVE-2009-2992 (An unspecified ActiveX control in Adobe Reader and Acrobat 9.x before ...)
	NOT-FOR-US: Adobe
CVE-2009-2991 (Unspecified vulnerability in the Mozilla plug-in in Adobe Reader and A ...)
	NOT-FOR-US: Adobe
CVE-2009-2990 (Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x befo ...)
	NOT-FOR-US: Adobe
CVE-2009-2989 (Integer overflow in Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, an ...)
	NOT-FOR-US: Adobe
CVE-2009-2988 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...)
	NOT-FOR-US: Adobe
CVE-2009-2987 (Unspecified vulnerability in an ActiveX control in Adobe Reader and Ac ...)
	NOT-FOR-US: Adobe
CVE-2009-2986 (Multiple heap-based buffer overflows in Adobe Reader and Acrobat 7.x b ...)
	NOT-FOR-US: Adobe
CVE-2009-2985 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...)
	NOT-FOR-US: Adobe
CVE-2009-2984 (Unspecified vulnerability in the image decoder in Adobe Acrobat 9.x be ...)
	NOT-FOR-US: Adobe
CVE-2009-2983 (Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibl ...)
	NOT-FOR-US: Adobe
CVE-2009-2982 (An unspecified certificate in Adobe Reader and Acrobat 9.x before 9.2, ...)
	NOT-FOR-US: Adobe
CVE-2009-2981 (Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x b ...)
	NOT-FOR-US: Adobe
CVE-2009-2980 (Integer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x bef ...)
	NOT-FOR-US: Adobe
CVE-2009-2979 (Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibl ...)
	NOT-FOR-US: Adobe
CVE-2009-2978 (SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and ...)
	- sugarcrm-ce-5.0 (bug #457876)
CVE-2009-2977 (The Cisco Security Monitoring, Analysis and Response System (CS-MARS) ...)
	NOT-FOR-US: Cisco
CVE-2009-2976 (Cisco Aironet Lightweight Access Point (AP) devices send the contents ...)
	NOT-FOR-US: Cisco
CVE-2009-2975 (Mozilla Firefox 3.5.2 on Windows XP, in some situations possibly invol ...)
	- xulrunner (unimportant)
	NOTE: browser crashes not treated as security issues
	NOTE: not reproducible, probably only Firefox in Windows XP is affected
CVE-2009-2974 (Google Chrome 1.0.154.65, 1.0.154.48, and earlier allows remote attack ...)
	- chromium-browser (Only 1.x is affected)
	- webkit (doesn't support 'chromehtml' protocol)
CVE-2009-2973 (Google Chrome before 2.0.172.43 does not prevent SSL connections to a ...)
	- chromium-browser (Only 2.x is affected)
	- webkit (chrome-specific issue)
CVE-2009-2972 (in.lpd in the print service in Sun Solaris 8 and 9 allows remote attac ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2971
	RESERVED
CVE-2009-2970 (Stack-based buffer overflow in the GetUiDllVersion function in an Acti ...)
	NOT-FOR-US: UiTV UiPlayer
CVE-2009-2969
	RESERVED
CVE-2009-2968 (Directory traversal vulnerability in a support component in the web in ...)
	NOT-FOR-US: VMware Studio
CVE-2009-2967 (Multiple cross-site scripting (XSS) vulnerabilities in Buildbot 0.7.6 ...)
	- buildbot 0.7.11p3-1
	[lenny] - buildbot (Minor issue)
	[etch] - buildbot (According to the vendor 0.7.5 and earlier are not affected)
CVE-2009-2966 (avp.exe in Kaspersky Internet Security 9.0.0.459 and Anti-Virus 9.0.0. ...)
	NOT-FOR-US: Kaspersky Internet Security
CVE-2009-2965 (Cross-site scripting (XSS) vulnerability in entry/index.jsp in Radvisi ...)
	NOT-FOR-US: Radvision Scopia
CVE-2009-2964 (Multiple cross-site request forgery (CSRF) vulnerabilities in Squirrel ...)
	{DSA-2091-1}
	- squirrelmail 2:1.4.20~rc2-1 (low; bug #543818)
CVE-2009-2963 (Unspecified vulnerability in the update feature in Toolbar Uninstaller ...)
	NOT-FOR-US: Toolbar Uninstaller
CVE-2009-2961 (Stack-based buffer overflow in Thaddy de Konng KOL Player 1.0 allows r ...)
	NOT-FOR-US: Thaddy de Konng KOL Player
CVE-2009-2960 (CuteFlow 2.10.3 and 2.11.0_c does not properly restrict access to page ...)
	NOT-FOR-US: CuteFlow
CVE-2009-2959 (Cross-site scripting (XSS) vulnerability in the waterfall web status v ...)
	- buildbot 0.7.11p3-1 (low; bug #543822)
	[lenny] - buildbot (Minor issue)
	[etch] - buildbot (According to the vendor 0.7.5 and earlier are not affected)
CVE-2009-2958 (The tftp_request function in tftp.c in dnsmasq before 2.50, when --ena ...)
	{DSA-1876-1}
	- dnsmasq 2.50-1
	[etch] - dnsmasq
CVE-2009-2957 (Heap-based buffer overflow in the tftp_request function in tftp.c in d ...)
	{DSA-1876-1}
	- dnsmasq 2.50-1
	[etch] - dnsmasq
CVE-2009-2956 (The (1) Net.Commerce and (2) Net.Data components in IBM WebSphere Comm ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-2955 (Google Chrome 1.0.154.48 and earlier allows remote attackers to cause ...)
	- chromium-browser (Only 1.x is affected)
	NOTE: browser denial of services are not considered security-relevant
CVE-2009-2954 (Microsoft Internet Explorer 6.0.2900.2180 and earlier allows remote at ...)
	NOT-FOR-US: Microsoft
CVE-2009-2953 (Mozilla Firefox 3.0.6 through 3.0.13, and 3.5.x, allows remote attacke ...)
	- xulrunner (unimportant; bug #557753)
	NOTE: browser denial-of-services are considered unimportant
CVE-2009-2952 (Unspecified vulnerability in the pollwakeup function in Sun Solaris 10 ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2951 (Phenotype CMS before 2.9 does not use a random salt value for password ...)
	NOT-FOR-US: Phenotype CMS
CVE-2009-2950 (Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompress ...)
	{DSA-1995-1 DTSA-205-1}
	- openoffice.org 1:3.1.1-16
CVE-2009-2949 (Integer overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm ...)
	{DSA-1995-1 DTSA-205-1}
	- openoffice.org 1:3.1.1-16
CVE-2009-2948 (mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3 ...)
	{DSA-1908-1}
	- samba 2:3.4.2-1 (medium; bug #550423)
CVE-2009-2947 (Cross-site scripting (XSS) vulnerability in Xapian Omega before 1.0.16 ...)
	{DSA-1882-1}
	- xapian-omega 1.0.15-2
CVE-2009-2946 (Eval injection vulnerability in scripts/uscan.pl before Rev 1984 in de ...)
	{DSA-1878-2 DSA-1878-1}
	- devscripts 2.10.54
CVE-2009-2945 (weblogin/login.fcgi (aka the WebLogin login script) in Stanford Univer ...)
	- webauth 3.6.2-1 (low)
	[lenny] - webauth 3.6.0-1+lenny1
	[etch] - webauth (Vulnerable code not present)
CVE-2009-2944 (Incomplete blacklist vulnerability in the teximg plugin in ikiwiki bef ...)
	{DSA-1875-1}
	- ikiwiki 3.1415926
CVE-2009-2943 (The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL ...)
	{DSA-1909-1}
	- postgresql-ocaml 1.12.1-1 (low)
CVE-2009-2942 (The mysql-ocaml bindings 1.0.4 for MySQL do not properly support the m ...)
	{DSA-1910-1}
	- mysql-ocaml 1.0.4-7 (low)
CVE-2009-2941
	RESERVED
CVE-2009-2940 (The pygresql module 3.8.1 and 4.0 for Python does not properly support ...)
	{DSA-1911-1}
	- pygresql 1:4.0-1 (low)
CVE-2009-2939 (The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix ...)
	- postfix 2.6.5-3 (low)
	[lenny] - postfix 2.5.5-1.1+lenny1
	[etch] - postfix (Minor issue)
CVE-2009-2938
	RESERVED
CVE-2009-2937 (Cross-site scripting (XSS) vulnerability in Planet 2.0 and Planet Venu ...)
	- planet (low; bug #546178)
	[lenny] - planet (Minor issue)
	[etch] - planet (Minor issue)
	- planet-venus 0~bzr116-1 (low; bug #546179)
	[lenny] - planet-venus 0~bzr95-2+lenny1
	[etch] - planet-venus (Minor issue)
CVE-2009-2936 (** DISPUTED ** The Command Line Interface (aka Server CLI or administr ...)
	- varnish 2.1.0-2 (unimportant)
	NOTE: Only a security issue if used against best practices
CVE-2009-2935 (Google V8, as used in Google Chrome before 2.0.172.43, allows remote a ...)
	- chromium-browser (Only 2.x is affected)
	- libv8 1.3.11+dfsg-1
	- webkit (libv8 issue)
CVE-2009-2934 (Multiple stack-based buffer overflows in xaudio.dll in Programmed Inte ...)
	NOT-FOR-US: Programmed Integration PIPL
CVE-2009-2933 (SQL injection vulnerability in comments.php in Piwigo before 2.0.3 all ...)
	- piwigo (Fixed before initial upload to the archive)
CVE-2009-2932 (Cross-site scripting (XSS) vulnerability in uddiclient/process in the ...)
	NOT-FOR-US: SAP NetWeaver
CVE-2009-2931 (Directory traversal vulnerability in p.php in SlideShowPro Director 1. ...)
	NOT-FOR-US: SlideShowPro Director
CVE-2009-2930 (Cross-site scripting (XSS) vulnerability in the Search feature in elka ...)
	NOT-FOR-US: elka CMS (aka Elkapax)
CVE-2009-2929 (Multiple SQL injection vulnerabilities in TGS Content Management 0.x a ...)
	NOT-FOR-US: TGS Content Management
CVE-2009-2928 (Cross-site scripting (XSS) vulnerability in login.php in TGS Content M ...)
	NOT-FOR-US: TGS Content Management
CVE-2009-2927 (SQL injection vulnerability in DetailFile.php in DigitalSpinners DS CM ...)
	NOT-FOR-US: DigitalSpinners DS CMS
CVE-2009-2926 (Multiple SQL injection vulnerabilities in PHP Competition System BETA ...)
	NOT-FOR-US: PHP Competition System BETA
CVE-2009-3026 (protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly oth ...)
	- pidgin 2.6.1-1 (low; bug #542891)
	[lenny] - pidgin 2.4.3-4lenny4
	NOTE: gaim not affected, it never claimed to support TLS/SSL
	NOTE: http://developer.pidgin.im/ticket/8131
	NOTE: http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279
CVE-2009-2962
	REJECTED
CVE-2009-2925 (Directory traversal vulnerability in DJcalendar.cgi in DJCalendar allo ...)
	NOT-FOR-US: DJCalendar
CVE-2009-2924 (Multiple SQL injection vulnerabilities in Videos Broadcast Yourself 2 ...)
	NOT-FOR-US: Videos Broadcast Yourself 2
CVE-2009-2923 (Multiple directory traversal vulnerabilities in BitmixSoft PHP-Lance 1 ...)
	NOT-FOR-US: BitmixSoft PHP-Lance
CVE-2009-2922 (Absolute path traversal vulnerability in pixaria.image.php in Pixaria ...)
	NOT-FOR-US: Pixaria Gallery
CVE-2009-2921 (Multiple SQL injection vulnerabilities in login.php in MOC Designs PHP ...)
	NOT-FOR-US: MOC Designs PHP News
CVE-2009-2920 (Multiple cross-site scripting (XSS) vulnerabilities in Elvin 1.2.2 all ...)
	NOT-FOR-US: Elvin
CVE-2009-2919 (Cross-site scripting (XSS) vulnerability in Boonex Orca 2.0 and 2.0.2 ...)
	NOT-FOR-US: Boonex Orca
CVE-2009-2918 (The tgbvpn.sys driver in TheGreenBow IPSec VPN Client 4.61.003 allows ...)
	NOT-FOR-US: TheGreenBow IPSec VPN Client
CVE-2009-2917 (Stack-based buffer overflow in ImTOO MPEG Encoder 3.1.53 allows remote ...)
	NOT-FOR-US: ImTOO MPEG Encoder
CVE-2009-2916 (Format string vulnerability in the CNS_AddTxt function in logs.dll in ...)
	NOT-FOR-US: 2K Games Vietcong
CVE-2009-2915 (SQL injection vulnerability in 2fly_gift.php in 2FLY Gift Delivery Sys ...)
	NOT-FOR-US: 2FLY Gift Delivery System
CVE-2009-2914 (Cross-site scripting (XSS) vulnerability in index.php in XZero Communi ...)
	NOT-FOR-US: XZero Community Classified
CVE-2009-2913 (Cross-site scripting (XSS) vulnerability in index.php in XZero Communi ...)
	NOT-FOR-US: XZero Community Classified
CVE-2009-2912 (The (1) sendfile and (2) sendfilev functions in Sun Solaris 8 through ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2911 (SystemTap 1.0, when the --unprivileged option is used, does not proper ...)
	- systemtap 1.0-2 (bug #551918)
	[lenny] - systemtap (Affected functionality only added in 1.0)
CVE-2009-2910 (arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x ...)
	{DSA-1928-1 DSA-1915-1}
	- linux-2.6 2.6.31-1 (medium)
	- linux-2.6.24 (medium)
CVE-2009-2909 (Integer signedness error in the ax25_setsockopt function in net/ax25/a ...)
	{DSA-1929-1 DSA-1928-1 DSA-1915-1}
	- linux-2.6 2.6.31-1 (medium)
	- linux-2.6.24 (medium)
CVE-2009-2908 (The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the Linux ...)
	{DSA-1928-1 DSA-1915-1}
	- linux-2.6 2.6.31-1 (medium)
	[etch] - linux-2.6 (vulnerable code introduced in 2.6.19)
	- linux-2.6.24 (medium)
CVE-2009-2907 (Multiple cross-site scripting (XSS) vulnerabilities in SpringSource tc ...)
	NOT-FOR-US: SpringSource tc Server, Application Management Suite, Hyperic HQ Open Source, and Hyperic Enterprise
CVE-2009-2906 (smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, ...)
	{DSA-1908-1}
	- samba 2:3.4.2-1 (low; bug #550423)
CVE-2009-2905 (Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0. ...)
	{DSA-1894-1}
	- newt 0.52.10-4.1 (medium; bug #548198)
CVE-2009-2904 (A certain Red Hat modification to the ChrootDirectory feature in OpenS ...)
	- openssh (issue with homechroot patch specific to Red Hat)
CVE-2009-2903 (Memory leak in the appletalk subsystem in the Linux kernel 2.4.x throu ...)
	{DSA-1928-1 DSA-1915-1}
	- linux-2.6 2.6.31-1 (low)
	- linux-2.6.24 (low)
CVE-2009-2902 (Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.2 ...)
	{DSA-2207-1}
	- tomcat6 6.0.24-1 (low)
	[lenny] - tomcat6 (Only ships the servlet package)
	- tomcat5.5
CVE-2009-2901 (The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6 ...)
	- tomcat6 (Windows-only)
	- tomcat5.5 (Windows-only)
CVE-2009-2900
	RESERVED
CVE-2009-2899 (The monitor perl script in the Sybase database plug-in in SpringSource ...)
	NOT-FOR-US: SpringSource Hyperic HQ
CVE-2009-2898 (Cross-site scripting (XSS) vulnerability in the Alerts list feature in ...)
	NOT-FOR-US: SpringSource Hyperic HQ
CVE-2009-2897 (Multiple cross-site scripting (XSS) vulnerabilities in hq/web/common/G ...)
	NOT-FOR-US: SpringSource Hyperic HQ
CVE-2009-2896 (Buffer overflow in KMplayer 2.9.4.1433 and earlier allows remote attac ...)
	NOT-FOR-US: KMPlayer: http://www.kmplayer.com
CVE-2009-2895 (SQL injection vulnerability in rss.php in Ultimate Regnow Affiliate (U ...)
	NOT-FOR-US: Ultimate Regnow Affiliate
CVE-2009-2894 (Multiple SQL injection vulnerabilities in Ebay Clone 2009 allow remote ...)
	NOT-FOR-US: Ebay Clone 2009
CVE-2009-2893 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in XZ ...)
	NOT-FOR-US: XZero Community Classifieds
CVE-2009-2892 (Multiple SQL injection vulnerabilities in header.php in Scripteen Free ...)
	NOT-FOR-US: Scripteen Free Image Hosting Script
CVE-2009-2891 (SQL injection vulnerability in list.php in PHP Scripts Now Riddles all ...)
	NOT-FOR-US: PHP Scripts Now Riddles
CVE-2009-2890 (Cross-site scripting (XSS) vulnerability in results.php in PHP Scripts ...)
	NOT-FOR-US: PHP Scripts Now Riddles
CVE-2009-2889 (Cross-site scripting (XSS) vulnerability in index.php in PHP Scripts N ...)
	NOT-FOR-US: PHP Scripts Now Riddles
CVE-2009-2888 (SQL injection vulnerability in index.php in PHP Scripts Now Hangman al ...)
	NOT-FOR-US: PHP Scripts Now Hangman
CVE-2009-2887 (Cross-site scripting (XSS) vulnerability in bios.php in PHP Scripts No ...)
	NOT-FOR-US: PHP Scripts Now President Bios
CVE-2009-2886 (SQL injection vulnerability in bios.php in PHP Scripts Now President B ...)
	NOT-FOR-US: PHP Scripts Now President
CVE-2009-2885 (SQL injection vulnerability in bios.php in PHP Scripts Now World's Tal ...)
	NOT-FOR-US: PHP Scripts Now World's
CVE-2009-2884 (Cross-site scripting (XSS) vulnerability in bios.php in PHP Scripts No ...)
	NOT-FOR-US: PHP Scripts Now World's Tallest Buildings
CVE-2009-2883 (SQL injection vulnerability in admin/login.php in SaphpLesson 4.0, whe ...)
	NOT-FOR-US: SaphpLesson
CVE-2009-2882 (Multiple cross-site scripting (XSS) vulnerabilities in PG MatchMaking ...)
	NOT-FOR-US: PG MatchMaking
CVE-2009-2881 (Multiple SQL injection vulnerabilities in Basilic 1.5.13 allow remote ...)
	NOT-FOR-US: Basilic
CVE-2009-3369 (CgiUserConfigEdit in BackupPC 3.1.0, when SSH keys and Rsync are in us ...)
	- backuppc 3.1.0-8 (low; bug #542218)
	[etch] - backuppc (No configuration GUI)
	[lenny] - backuppc 3.1.0-4lenny2
CVE-2009-5043 (burn allows file names to escape via mishandled quotation marks ...)
	- burn 0.4.5-1 (low; bug #542329)
	[lenny] - burn 0.4.3-2.1+lenny1
	[etch] - burn (Minor issue)
CVE-2009-2880 (Buffer overflow in atrpui.dll in the Cisco WebEx WRF Player 26.x befor ...)
	NOT-FOR-US: Cisco WebEx WRF Player
CVE-2009-2879 (Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player ...)
	NOT-FOR-US: Cisco WebEx WRF Player
CVE-2009-2878 (Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player ...)
	NOT-FOR-US: Cisco WebEx WRF Player
CVE-2009-2877 (Stack-based buffer overflow in ataudio.dll in the Cisco WebEx WRF Play ...)
	NOT-FOR-US: Cisco WebEx WRF Player
CVE-2009-2876 (Heap-based buffer overflow in atas32.dll in the Cisco WebEx WRF Player ...)
	NOT-FOR-US: Cisco WebEx WRF Player
CVE-2009-2875 (Buffer overflow in atas32.dll in the Cisco WebEx WRF Player 26.x befor ...)
	NOT-FOR-US: Cisco WebEx WRF Player
CVE-2009-2874 (The TimesTenD process in Cisco Unified Presence 1.x, 6.x before 6.0(6) ...)
	NOT-FOR-US: Cisco Unified Presence
CVE-2009-2873 (Cisco IOS 12.0 through 12.4, when IP-based tunnels and the Cisco Expre ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2872 (Cisco IOS 12.0 through 12.4, when IP-based tunnels and the Cisco Expre ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2871 (Unspecified vulnerability in Cisco IOS 12.2 and 12.4, when SSLVPN sess ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2870 (Unspecified vulnerability in Cisco IOS 12.2 through 12.4, when the Cis ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2869 (Unspecified vulnerability in Cisco IOS 12.2XNA, 12.2XNB, 12.2XNC, 12.2 ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2868 (Unspecified vulnerability in Cisco IOS 12.2 through 12.4, when certifi ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2867 (Unspecified vulnerability in Cisco IOS 12.2XNA, 12.2XNB, 12.2XNC, 12.2 ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2866 (Unspecified vulnerability in Cisco IOS 12.2 through 12.4 allows remote ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2865 (Buffer overflow in the login implementation in the Extension Mobility ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2864 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...)
	NOT-FOR-US: Cisco
CVE-2009-2863 (Race condition in the Firewall Authentication Proxy feature in Cisco I ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-2862 (The Object Groups for Access Control Lists (ACLs) feature in Cisco IOS ...)
	NOT-FOR-US: Cisco
CVE-2009-2861 (The Over-the-Air Provisioning (OTAP) functionality on Cisco Aironet Li ...)
NOT-FOR-US: Cisco CVE-2009-2860 (Unspecified vulnerability in db2jds in IBM DB2 8.1 before FP18 allows ...) NOT-FOR-US: db2jds in IBM DB2 CVE-2009-2859 (IBM DB2 8.1 before FP18 allows attackers to obtain unspecified access ...) NOT-FOR-US: IBM DB2 CVE-2009-2858 (Memory leak in the Security component in IBM DB2 8.1 before FP18 on Un ...) NOT-FOR-US: IBM DB2 CVE-2009-2857 (The kernel in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_103 ...) NOT-FOR-US: kernel in Sun Solaris CVE-2009-2856 (Sun Virtual Desktop Infrastructure (VDI) 3.0, when anonymous binding i ...) NOT-FOR-US: Sun Virtual Desktop Infrastructure CVE-2009-2855 (The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allo ...) {DSA-1991-1} - squid 2.7.STABLE7-1 (low; bug #534982) - squid3 3.0.STABLE19-1 CVE-2009-2854 (Wordpress before 2.8.3 does not check capabilities for certain actions ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 CVE-2009-2853 (Wordpress before 2.8.3 allows remote attackers to gain privileges via ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 CVE-2009-2852 (WP-Syntax plugin 0.9.1 and earlier for Wordpress, with register_global ...) NOT-FOR-US: WP-Syntax plugin CVE-2009-2851 (Cross-site scripting (XSS) vulnerability in the administrator interfac ...) {DSA-1871-2 DSA-1871-1} - wordpress 2.8.3-1 (low) CVE-2009-2850 (Multiple buffer overflows in NASA Common Data Format (CDF) allow conte ...) NOT-FOR-US: NASA Common Data Format CVE-2009-2845 REJECTED CVE-2009-2849 (The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 mi ...) {DSA-1928-1 DSA-1872-1} - linux-2.6 2.6.30-4 (medium) - linux-2.6.24 [lenny] - linux-2.6 2.6.26-19 (medium) CVE-2009-2848 (The execve function in the Linux kernel, possibly 2.6.30-rc6 and earli ...) {DSA-1928-1 DSA-1872-1} - linux-2.6 2.6.30-7 (low) - linux-2.6.24 [lenny] - linux-2.6 2.6.26-19 (low) CVE-2009-2847 (The do_sigaltstack function in kernel/signal.c in Linux kernel 2.4 thr ...) 
{DSA-1928-1 DSA-1872-1} - linux-2.6 2.6.30-6 (low) - linux-2.6.24 [lenny] - linux-2.6 2.6.26-19 (low) CVE-2009-2846 (The eisa_eeprom_read function in the parisc isa-eeprom component (driv ...) {DSA-1928-1 DSA-1872-1} - linux-2.6 2.6.30-6 (low) - linux-2.6.24 [lenny] - linux-2.6 2.6.26-19 (low) CVE-2009-2844 (cfg80211 in net/wireless/scan.c in the Linux kernel 2.6.30-rc1 and oth ...) - linux-2.6 2.6.30-7 (medium) [etch] - linux-2.6 (vulnerability introduced in 2.6.30) [lenny] - linux-2.6 (vulnerability introduced in 2.6.30) - linux-2.6.24 (vulnerability introduced in 2.6.30) CVE-2009-2843 (Java for Mac OS X 10.5 before Update 6 and 10.6 before Update 1 accept ...) NOT-FOR-US: Mac OS X CVE-2009-2842 (Apple Safari before 4.0.4 does not properly implement certain (1) Open ...) NOT-FOR-US: Apple Safari CVE-2009-2841 (The HTMLMediaElement::loadResource function in html/HTMLMediaElement.c ...) - webkit 1.1.21-1 (medium; bug #559759) [lenny] - webkit (Unmaintained in Lenny, only affects fringe apps) NOTE: http://trac.webkit.org/changeset/49480 - qt4-x11 4:4.6.2-4 (medium; bug #561760) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against [lenny] - qt4-x11 (HTML video support introduced in version 4.5) [etch] - qt4-x11 (webkit support introduced in version 4.4) - kdelibs (No support for HTML5 video tags) CVE-2009-2840 (Spotlight in Apple Mac OS X 10.5.8 does not properly handle temporary ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2839 (Screen Sharing in Apple Mac OS X 10.5.8 allows remote VNC servers to e ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2838 (Integer overflow in QuickLook in Apple Mac OS X 10.5.8 allows remote a ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2837 (Heap-based buffer overflow in QuickDraw Manager in Apple Mac OS X befo ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2836 (Race condition in Login Window in Apple Mac OS X 10.6.x before 10.6.2, ...) 
NOT-FOR-US: Apple Mac OS X CVE-2009-2835 (The kernel in Apple Mac OS X before 10.6.2 does not properly handle ta ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2834 (IOKit in Apple Mac OS X before 10.6.2 allows local users to modify the ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2833 (Buffer overflow in the UCCompareTextDefault API in International Compo ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2832 (Buffer overflow in FTP Server in Apple Mac OS X before 10.6.2 allows r ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2831 (Dictionary in Apple Mac OS X 10.5.8 allows remote attackers to create ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2830 (Multiple buffer overflows in Christos Zoulas file before 5.03 in Apple ...) - file 5.03-1 [lenny] - file [etch] - file CVE-2009-2829 (Event Monitor in Apple Mac OS X 10.5.8 does not properly handle crafte ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2828 (The server in DirectoryService in Apple Mac OS X 10.5.8 allows remote ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2827 (Heap-based buffer overflow in Disk Images in Apple Mac OS X 10.5.8 all ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2826 (Multiple integer overflows in CoreGraphics in Apple Mac OS X 10.5.8 al ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2825 (Certificate Assistant in Apple Mac OS X before 10.6.2 does not properl ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2824 (Multiple buffer overflows in Apple Type Services (ATS) in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2823 (The Apache HTTP Server in Apple Mac OS X before 10.6.2 enables the HTT ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2822 (AirPort Utility before 5.5.1 for Apple AirPort Base Station does not p ...) NOT-FOR-US: AirPort Utility CVE-2009-2821 RESERVED CVE-2009-2820 (The web interface in CUPS before 1.4.2, as used on Apple Mac OS X befo ...) {DSA-1933-1} - cups 1.4.2-1 (low; bug #555666) - cupsys CVE-2009-2819 (AFP Client in Apple Mac OS X 10.5.8 allows remote AFP servers to execu ...) 
NOT-FOR-US: Apple Mac OS X CVE-2009-2818 (Adaptive Firewall in Apple Mac OS X before 10.6.2 does not properly ha ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2817 (Buffer overflow in Apple iTunes before 9.0.1 allows remote attackers t ...) NOT-FOR-US: Apple iTunes CVE-2009-2816 (The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, ...) - webkit 1.1.21-1 (low; bug #559759) [lenny] - webkit (vulnerable code not present) - kdelibs - kde4libs - qt4-x11 4:4.6.2-4 (low) NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against [lenny] - qt4-x11 (Vulnerable code not present) NOTE: http://trac.webkit.org/changeset/47494 CVE-2009-2815 (The Telephony component in Apple iPhone OS before 3.1 does not properl ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2814 (Cross-site scripting (XSS) vulnerability in the Wiki Server in Apple M ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2813 (Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.1 ...) {DSA-1908-1} - samba 2:3.4.2-1 (bug #550422) NOTE: requires an administrator to manually configure a user account without NOTE: a home dir, otherwise, this is ineffective CVE-2009-2812 (Launch Services in Apple Mac OS X 10.5.8 does not properly recognize a ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2811 (Incomplete blacklist vulnerability in Launch Services in Apple Mac OS ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2810 (Launch Services in Apple Mac OS X 10.6.x before 10.6.2 recursively cle ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2809 (ImageIO in Apple Mac OS X 10.4.11 and 10.5.8 allows remote attackers t ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2808 (Help Viewer in Apple Mac OS X before 10.6.2 does not use an HTTPS conn ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2807 (Heap-based buffer overflow in the USB backend in CUPS in Apple Mac OS ...) 
- cupsys (issue in darwin-specific code; bug #550150) - cups (issue in darwin-specific code; bug #550150) CVE-2009-2806 RESERVED CVE-2009-2805 (Integer overflow in CoreGraphics in Apple Mac OS X 10.4.11 and 10.5.8 ...) NOT-FOR-US: CoreGraphics in Apple Mac OS X CVE-2009-2804 (Integer overflow in ColorSync in Apple Mac OS X 10.4.11 and 10.5.8, an ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2803 (CarbonCore in Apple Mac OS X 10.4.11 and 10.5.8 allows attackers to ex ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2802 (MantisBT 1.2.x before 1.2.2 insecurely handles attachments and MIME ty ...) - mantis (Only affects 1.2.x) NOTE: http://www.mantisbt.org/bugs/view.php?id=11952 NOTE: http://www.mantisbt.org/blog/?p=113 CVE-2009-2801 (The Application Firewall in Apple Mac OS X 10.5.8 drops unspecified fi ...) NOT-FOR-US: Apple Application Firewall CVE-2009-2800 (Buffer overflow in Alias Manager in Apple Mac OS X 10.4.11 and 10.5.8 ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2799 (Heap-based buffer overflow in Apple QuickTime before 7.6.4 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-2798 (Heap-based buffer overflow in Apple QuickTime before 7.6.4 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-2797 (The WebKit component in Safari in Apple iPhone OS before 3.1, and iPho ...) - webkit 1.1.21-1 (low; bug #559759) [lenny] - webkit (Too intrusive to backport, risk of regression higher than impact at hand) - kdelibs - kde4libs NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against - qt4-x11 4:4.6.2-4 (low) [lenny] - qt4-x11 (Too intrusive to backport, risk of regression higher than impact at hand) NOTE: http://trac.webkit.org/changeset/42483 CVE-2009-2796 (The UIKit component in Apple iPhone OS 3.0, and iPhone OS 3.0.1 for iP ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2795 (Heap-based buffer overflow in the Recovery Mode component in Apple iPh ...)
NOT-FOR-US: Apple iPhone OS CVE-2009-2794 (The Exchange Support component in Apple iPhone OS before 3.1, and iPho ...) NOT-FOR-US: Apple iPhone OS CVE-2009-2793 (The kernel in NetBSD, probably 5.0.1 and earlier, on x86 platforms doe ...) NOT-FOR-US: NetBSD kernel CVE-2009-2792 (Directory traversal vulnerability in plugings/pagecontent.php in Reall ...) NOT-FOR-US: Really Simple CMS CVE-2009-2791 (PHP remote file inclusion vulnerability in pda_projects.php in WebDyna ...) NOT-FOR-US: WebDynamite ProjectButler CVE-2009-2790 (SQL injection vulnerability in cat_products.php in SoftBiz Dating Scri ...) NOT-FOR-US: SoftBiz Dating CVE-2009-2789 (SQL injection vulnerability in the Permis (com_groups) component 1.0 f ...) NOT-FOR-US: com_groups component for Joomla! CVE-2009-2788 (Multiple SQL injection vulnerabilities in Mobilelib GOLD 3 allow remot ...) NOT-FOR-US: Mobilelib GOLD CVE-2009-2787 (Directory traversal vulnerability in include/reputation/rep_profile.ph ...) NOT-FOR-US: Reputation plugin for PunBB CVE-2009-2786 (SQL injection vulnerability in reputation.php in the Reputation plugin ...) NOT-FOR-US: Reputation plugin for PunBB CVE-2009-2785 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Open Classi ...) NOT-FOR-US: PHP Open Classifieds Script CVE-2009-2784 (Multiple directory traversal vulnerabilities in dit.cms 1.3, when regi ...) NOT-FOR-US: dit.cms CVE-2009-2783 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.3.3 all ...) NOT-FOR-US: XOOPS CVE-2009-2782 (SQL injection vulnerability in the JFusion (com_jfusion) component for ...) NOT-FOR-US: com_jfusion component for Joomla! CVE-2009-2781 (SQL injection vulnerability in forum.php in Arab Portal 2.x, when magi ...) NOT-FOR-US: Arab Portal CVE-2009-2780 (Multiple cross-site scripting (XSS) vulnerabilities in 68 Classifieds ...) NOT-FOR-US: 68 Classifieds CVE-2009-2779 (SQL injection vulnerability in index.php in AJ Matrix DNA allows remot ...) 
NOT-FOR-US: AJ Matrix DNA CVE-2009-2778 (Cross-site scripting (XSS) vulnerability in visitor/view.php in Garage ...) NOT-FOR-US: GarageSales script CVE-2009-2777 (SQL injection vulnerability in visitor/view.php in GarageSales Script ...) NOT-FOR-US: GarageSales Script CVE-2009-2776 (SQL injection vulnerability in showresult.asp in Smart ASP Survey allo ...) NOT-FOR-US: Smart ASP Survey CVE-2009-2775 (SQL injection vulnerability in linkout.php in PHPArcadeScript (PHP Arc ...) NOT-FOR-US: PHPArcadeScript CVE-2009-2774 (SQL injection vulnerability in paidbanner.php in PHP Paid 4 Mail Scrip ...) NOT-FOR-US: PHP Paid 4 Mail CVE-2009-2773 (PHP remote file inclusion vulnerability in home.php in PHP Paid 4 Mail ...) NOT-FOR-US: PHP Paid 4 Mail CVE-2009-2772 (Multiple cross-site scripting (XSS) vulnerabilities in PG Roommate Fin ...) NOT-FOR-US: PG Roommate Finder Solution CVE-2009-2771 (Cross-site scripting (XSS) vulnerability in Free Arcade Script 1.3 all ...) NOT-FOR-US: Free Arcade Script CVE-2009-2770 (PowerUpload 2.4 allows remote attackers to bypass authentication and g ...) NOT-FOR-US: PowerUpload CVE-2009-2769 (PHP remote file inclusion vulnerability in include/timesheet.php in Ul ...) NOT-FOR-US: Ultrize TimeSheet CVE-2009-2768 (The load_flat_shared_library function in fs/binfmt_flat.c in the flat ...) - linux-2.6 2.6.30-6 (medium) [etch] - linux-2.6 (kernel/cred.c introduced in 2.6.29) [lenny] - linux-2.6 (kernel/cred.c introduced in 2.6.29) - linux-2.6.24 (kernel/cred.c introduced in 2.6.29) CVE-2009-2767 (The init_posix_timers function in kernel/posix-timers.c in the Linux k ...) - linux-2.6 2.6.30-6 (medium) [etch] - linux-2.6 (introduced in 2.6.28) [lenny] - linux-2.6 (introduced in 2.6.28) - linux-2.6.24 (introduced in 2.6.28) CVE-2009-2766 (httpd.c in httpd in the management GUI in DD-WRT 24 sp1 does not requi ...) NOT-FOR-US: DD-WRT CVE-2009-2765 (httpd.c in httpd in the management GUI in DD-WRT 24 sp1, and other ver ...) 
NOT-FOR-US: DD-WRT CVE-2009-2764 (Microsoft Internet Explorer 8.0.7100.0 on Windows 7 RC on the x64 plat ...) NOT-FOR-US: Microsoft CVE-2009-3040 (Multiple SQL injection vulnerabilities in Open Computer and Software ( ...) - ocsinventory-server 1.02.1-2 (unimportant; bug #541995) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2009-3042 (SQL injection vulnerability in machine.php in Open Computer and Softwa ...) - ocsinventory-server 1.02.1-2 (unimportant; bug #541995) NOTE: Authentication is needed, only supported in trusted environments, see debtags CVE-2009-2763 RESERVED CVE-2009-XXXX [logrotate race condition could lead to file disclosure] - logrotate 3.7.8-4 (low; bug #388608) [lenny] - logrotate (Minor issue) CVE-2009-XXXX [XSS in drupal printing module] - drupal6 (unimportant) NOTE: you need admin privs in order to exploit this NOTE: http://lampsecurity.org/drupal-print-module-vulnerabilities CVE-2009-2761 (Unquoted Windows search path vulnerability in the scheduler (sched.exe ...) NOT-FOR-US: Avira AntiVir CVE-2009-2760 RESERVED CVE-2009-2759 RESERVED CVE-2009-2758 RESERVED CVE-2009-2757 RESERVED CVE-2009-2756 RESERVED CVE-2009-2755 RESERVED CVE-2009-2754 (Integer signedness error in the authentication functionality in librpc ...) NOT-FOR-US: Informix Storage Manager CVE-2009-2753 (Multiple buffer overflows in the authentication functionality in librp ...) NOT-FOR-US: Informix Storage Manager CVE-2009-2752 (IBM WebSphere Commerce 7.0 does not properly encrypt data in a databas ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2009-2751 (IBM WebSphere Commerce 7.0 uses the same cryptographic key for session ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2009-2750 (IBM WebSphere Service Registry and Repository (WSRR) 6.3.0 before FP2 ...) NOT-FOR-US: IBM WebSphere Service Registry and Repository CVE-2009-2749 (Feature Pack for Communications Enabled Applications (CEA) before 1.0. ...)
NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2748 (Cross-site scripting (XSS) vulnerability in the Administration Console ...) NOT-FOR-US: IBM WebSphere CVE-2009-2747 (The Java Naming and Directory Interface (JNDI) implementation in IBM W ...) NOT-FOR-US: IBM WebSphere CVE-2009-2746 (Cross-site request forgery (CSRF) vulnerability in the administrative ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2745 RESERVED CVE-2009-2744 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6. ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2743 (IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.27, and 7.0 be ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2742 (Cross-site scripting (XSS) vulnerability in Eclipse Help in IBM WebSph ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2741 (Unspecified vulnerability in the wberuntimeear application in the test ...) NOT-FOR-US: IBM WebSphere Business Events CVE-2009-2740 (kmxIds.sys before 7.3.1.18 in CA Host-Based Intrusion Prevention Syste ...) NOT-FOR-US: CA Host-Based Intrusion Prevention System (HIPS) CVE-2009-2739 (Cross-site scripting (XSS) vulnerability in FreeNAS before 0.69.2 allo ...) NOT-FOR-US: FreeNAS CVE-2009-2738 (Cross-site request forgery (CSRF) vulnerability in the WebGUI in FreeN ...) NOT-FOR-US: FreeNAS CVE-2009-2737 (The EditCSVAction function in cgi/actions.py in Roundup 1.2 before 1.2 ...) {DSA-1754-1} - roundup 1.4.4-4+lenny1 (bug #518768) CVE-2009-2736 (Static code injection vulnerability in admin.php in sun-jester OpenNew ...) NOT-FOR-US: OpenNews CVE-2009-2735 (SQL injection vulnerability in admin.php in sun-jester OpenNews 1.0, w ...) NOT-FOR-US: OpenNews CVE-2009-2734 (SQL injection vulnerability in the get_employee function in classweekr ...) NOT-FOR-US: Achievo CVE-2009-2733 (Multiple cross-site scripting (XSS) vulnerabilities in Achievo before ...) 
NOT-FOR-US: Achievo CVE-2009-2732 (The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier al ...) - ntop 3:3.3-12 (low; bug #543312) [lenny] - ntop (Minor issue) [etch] - ntop (Minor issue) CVE-2009-2731 RESERVED CVE-2009-2730 (libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' chara ...) {DSA-1935-1} - gnutls26 2.8.3-1 (low; bug #541439) - gnutls13 CVE-2009-2729 RESERVED CVE-2009-2728 RESERVED CVE-2009-2727 (Stack-based buffer overflow in the _tt_internal_realpath function in t ...) NOT-FOR-US: IBM AIX CVE-2009-2726 (The SIP channel driver in Asterisk Open Source 1.2.x before 1.2.34, 1. ...) - asterisk 1:1.6.2.0~dfsg~rc1-1 (bug #541441) [squeeze] - asterisk (Doesn't permit SIP packets to exceed 1500 bytes total) [lenny] - asterisk (Doesn't permit SIP packets to exceed 1500 bytes total) [etch] - asterisk (Doesn't permit SIP packets to exceed 1500 bytes total) CVE-2009-2725 RESERVED CVE-2009-2724 (Race condition in the java.lang package in Sun Java SE 5.0 before Upda ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 NOTE: unknown impact and attack vectors CVE-2009-2723 (Unspecified vulnerability in deserialization in the Provider class in ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 NOTE: unknown impact and attack vectors CVE-2009-2722 (Multiple unspecified vulnerabilities in the Provider class in Sun Java ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 NOTE: unknown impact and attack vectors CVE-2009-2721 (Multiple unspecified vulnerabilities in the Provider class in Sun Java ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 NOTE: unknown impact and attack vectors CVE-2009-2720 (Unspecified vulnerability in the javax.swing.plaf.synth.SynthContext.i ...) 
- sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2719 (The Java Web Start implementation in Sun Java SE 6 before Update 15 al ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2718 (The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 befo ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2717 (The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 befo ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2716 (The plugin functionality in Sun Java SE 6 before Update 15 does not pr ...) - sun-java6 6-15-1 [etch] - sun-java6 (Non-free not supported) [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1 (medium; bug #560908) CVE-2009-2762 (wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to ...) - wordpress 2.8.3-2 (unimportant; bug #541102) [lenny] - wordpress (Vulnerable code not present) [etch] - wordpress (Vulnerable code not present) NOTE: not really a security issue in my opinion, just an annoying bug CVE-2009-2715 (Sun VirtualBox 2.2 through 3.0.2 r49928 allows guest OS users to cause ...) - virtualbox-ose 3.0.4-dfsg-1 (medium) [lenny] - virtualbox-ose (Doesn't affect 1.6.x) CVE-2009-2714 (Unspecified vulnerability in Sun VirtualBox 3.0.0 and 3.0.2 allows gue ...) - virtualbox-ose 3.0.4-dfsg-1 [lenny] - virtualbox-ose (Only 3.0.x affected per Sun advisory) CVE-2009-2713 (The CDCServlet component in Sun Java System Access Manager 7.0 2005Q4 ...) NOT-FOR-US: Sun Java System Access Manager CVE-2009-2712 (Sun Java System Access Manager 6.3 2005Q1, 7.0 2005Q4, and 7.1; and Op ...) 
NOT-FOR-US: Sun Java System Access Manager CVE-2009-2711 (XScreenSaver in Sun Solaris 9 and 10, OpenSolaris before snv_120, and ...) NOT-FOR-US: XScreenSaver in Sun Solaris CVE-2009-XXXX [mantis: information leak] - mantis 1.1.8+dfsg-2 (medium; bug #425010) [lenny] - mantis 1.1.6+dfsg-2lenny1 NOTE: cve id requested on oss-sec CVE-2009-3041 (SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper acc ...) - spip 2.0.9-1 (medium) CVE-2009-XXXX [rubygems: integrity violation] - libgems-ruby (Debian's version installs gems packages to /var/lib/gems, bug #540610) NOTE: so no opportunity to overwrite system files NOTE: CVE id already requested CVE-2009-XXXX [bugzilla: unauthorized bug modification] - bugzilla 3.2.4-1 (low) [etch] - bugzilla (minor issue) [lenny] - bugzilla (minor issue) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=495257 CVE-2009-5044 (contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows ...) - groff 1.20.1-5 (low; bug #538330) [etch] - groff (pdfroff not yet present) [lenny] - groff (pdfroff not yet present) NOTE: requested CVE ids CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution video devices] - xscreensaver 5.05-3+nmu1 (low; bug #539699) [etch] - xscreensaver (vulnerable code not present) [lenny] - xscreensaver 5.05-3+lenny1 CVE-2009-2626 (The zend_restore_ini_entry_cb function in zend_ini.c in PHP 5.3.0, 5.2 ...) {DSA-1940-1} - php5 5.2.11.dfsg.1-1 (low; bug #540605) [etch] - php5 (too risky to fix it there) NOTE: requires the script itself to set and then restore a config var CVE-2009-XXXX [php5: 'open_basedir' bypass] - php5 5.3.1-1 (unimportant; bug #540606) NOTE: only affects 5.3.0 in experimental, open_basedir unsupported CVE-2009-2710 REJECTED CVE-2009-2709 REJECTED CVE-2009-2708 REJECTED CVE-2009-2707 (Unspecified vulnerability in ia32el (aka the IA 32 emulation functiona ...) 
NOT-FOR-US: SUSE Linux CVE-2009-2706 REJECTED CVE-2009-2705 (CA SiteMinder allows remote attackers to bypass cross-site scripting ( ...) NOT-FOR-US: SiteMinder CVE-2009-2704 (CA SiteMinder allows remote attackers to bypass cross-site scripting ( ...) NOT-FOR-US: SiteMinder CVE-2009-2703 (libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple ...) - pidgin 2.6.2 (low) [lenny] - pidgin (Minor issue) [etch] - pidgin (Minor issue) [lenny] - gaim (Only a transitional package) - gaim NOTE: this is only a null ptr dereference and can only be triggered by a rogue irc server CVE-2009-2702 (KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a ' ...) {DSA-1916-1} - kdelibs 4:3.5.10.dfsg.1-2.1 (low; bug #546212) - kde4libs 4:4.3.2-1 (low; bug #546218) [lenny] - kde4libs (Minor issue) CVE-2009-2701 (Unspecified vulnerability in the Zope Enterprise Objects (ZEO) storage ...) - zodb 1:3.9.0-1 [etch] - zodb (The vulnerability was introduced in ZODB 3.8) [lenny] - zodb (The vulnerability was introduced in ZODB 3.8) CVE-2009-2700 (src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not ...) {DSA-1988-1} - qt4-x11 4:4.5.3-1 (medium; bug #545793) [etch] - qt4-x11 (QSsl* classes were introduced in Qt 4.3) CVE-2009-2699 (The Solaris pollset feature in the Event Port backend in poll/unix/por ...) - apr (does not affect Linux or kFreeBSD) CVE-2009-2698 (The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp ...) {DSA-1872-1} - linux-2.6 2.6.19-1 (high) - linux-2.6.24 (Fixed before initial upload, 2.6.19) CVE-2009-2697 (The Red Hat build script for the GNOME Display Manager (GDM) before 2. ...) - gdm (TCP Wrappers support enabled correctly) CVE-2009-2696 (Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the ca ...) 
NOT-FOR-US: Red-Hat-specific patching problem in Tomcat NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=616717 CVE-2009-2695 (The Linux kernel before 2.6.31-rc7 does not properly prevent mmap oper ...) {DSA-2005-1 DSA-1915-1} - linux-2.6 2.6.31-1 (medium) [etch] - linux-2.6 (2.6.18 does not have mmap_min_addr) - linux-2.6.24 (medium) CVE-2009-2694 (The msn_slplink_process_msg function in libpurple/protocols/msn/slplin ...) {DSA-1870-1} - pidgin 2.5.9-1 (medium; bug #542486) [lenny] - gaim (Only a transitional package) - gaim CVE-2009-2693 (Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.2 ...) {DSA-2207-1} - tomcat6 6.0.24-1 (low) [lenny] - tomcat6 (The package only ships the servlet packages) - tomcat5.5 CVE-2009-2692 (The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, d ...) {DSA-1864-1 DSA-1865-1 DSA-1862-1} - linux-2.6 2.6.30-6 (high; bug #541403) - linux-2.6.24 CVE-2009-2691 (The mm_for_maps function in fs/proc/base.c in the Linux kernel 2.6.30. ...) {DSA-2005-1} - linux-2.6 2.6.30-7 (low) [lenny] - linux-2.6 2.6.26-21 - linux-2.6.24 CVE-2009-2690 (The encoder in Sun Java SE 6 before Update 15, and OpenJDK, grants rea ...) - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2689 (JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 b ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2688 (Multiple integer overflows in glyphs-eimage.c in XEmacs 21.4.22, when ...) - xemacs21 21.4.22-3 (low; bug #540470) [etch] - xemacs21 (Minor issue, obscure attack vector) [lenny] - xemacs21 (Minor issue, obscure attack vector) CVE-2009-2686 (Unspecified vulnerability in HP NonStop G06.12.00 through G06.32.00, H ...) 
NOT-FOR-US: IBM WebSphere Application Server CVE-2009-2685 (Stack-based buffer overflow in the login form in the management web se ...) NOT-FOR-US: HP Power Manager CVE-2009-2684 (Multiple cross-site scripting (XSS) vulnerabilities in Jetdirect and t ...) NOT-FOR-US: Embedded Web Server in HP printers CVE-2009-2683 (Unspecified vulnerability in the Sender module in HP Remote Graphics S ...) NOT-FOR-US: HP Remote Graphics CVE-2009-2682 (Unspecified vulnerability in Role-Based Access Control (RBAC) in HP HP ...) NOT-FOR-US: HP-UX CVE-2009-2681 (Unspecified vulnerability in HP ProCurve Identity Driven Manager (IDM) ...) NOT-FOR-US: HP ProCurve Identity Driven Manager CVE-2009-2680 (Unspecified vulnerability in the Remote Management Interface (RMI) for ...) NOT-FOR-US: HP StorageWorks CVE-2009-2679 (Unspecified vulnerability in bootpd in HP HP-UX B.11.11, B.11.23, and ...) NOT-FOR-US: HP HP-UX CVE-2009-2678 (Unspecified vulnerability in Open System Services (OSS) Name Server on ...) NOT-FOR-US: Open System Services (OSS) Name Server on HP NonStop CVE-2009-2677 (Cross-site request forgery (CSRF) vulnerability in HP Insight Control ...) NOT-FOR-US: HP Insight Control Suite For Linux (aka ICE-LX) CVE-2009-2676 (Unspecified vulnerability in JNLPAppletlauncher in Sun Java SE, and SE ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (bug #566769) [wheezy] - openjdk-6 CVE-2009-2675 (Integer overflow in the unpack200 utility in Sun Java Runtime Environm ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 (bug #566769) [wheezy] - openjdk-6 CVE-2009-2674 (Integer overflow in javaws.exe in Sun Java Web Start in Sun Java Runti ...) 
- sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2673 (The proxy mechanism implementation in Sun Java Runtime Environment (JR ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2672 (The proxy mechanism implementation in Sun Java Runtime Environment (JR ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2671 (The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) i ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2670 (The audio system in Sun Java Runtime Environment (JRE) in JDK and JRE ...) - sun-java5 1.5.0-20-1 [etch] - sun-java5 (Non-free not supported) [lenny] - sun-java5 1.5.0-22-0lenny1 - sun-java6 6-15-1 [lenny] - sun-java6 6-20-0lenny1 - openjdk-6 6b16-1.6-1 (medium; bug #542210) CVE-2009-2669 (A certain debugging component in IBM AIX 5.3 and 6.1 does not properly ...) NOT-FOR-US: IBM AIX CVE-2009-2668 (Microsoft Internet Explorer 6 through 6.0.2900.2180 and 7 through 7.0. ...) NOT-FOR-US: Microsoft CVE-2009-2667 (Unspecified vulnerability in IBM Tivoli Key Lifecycle Manager (TKLM) 1 ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2009-2666 (socket.c in fetchmail before 6.3.11 does not properly handle a '\0' ch ...) {DSA-1852-1} - fetchmail 6.3.9~rc2-6 CVE-2009-2665 (The nsDocument::SetScriptGlobalObject function in content/base/src/nsD ...) 
- xulrunner 1.9.1.8-1 [lenny] - xulrunner (vulnerability introduced in firefox 3.5) [etch] - xulrunner (vulnerability introduced in firefox 3.5) CVE-2009-2664 (The js_watch_set function in js/src/jsdbgapi.cpp in the JavaScript eng ...) {DSA-1873-1} - xulrunner 1.9.0.13-1 [etch] - xulrunner (Mozilla packages from oldstable no longer covered by security support) CVE-2009-2663 (libvorbis before r16182, as used in Mozilla Firefox 3.5.x before 3.5.2 ...) {DSA-1939-1} - libvorbisidec 1.0.2+svn16259-2 (bug #669196) [squeeze] - libvorbisidec (Minor issue, no dev-deps) - libvorbis 1.2.0.dfsg-6 (medium; bug #540958) - xulrunner 1.9.1.2-1 (medium; bug #540961) [etch] - xulrunner (vulnerability introduced in 1.9.1.0) [lenny] - xulrunner (vulnerability introduced in 1.9.1.0) CVE-2009-2662 (The browser engine in Mozilla Firefox 3.5.x before 3.5.2 allows remote ...) {DSA-1873-1} - xulrunner 1.9.0.13-1 [etch] - xulrunner (Etch Packages no longer covered by security support) CVE-2009-2661 (The asn1_length function in strongSwan 2.8 before 2.8.11, 4.2 before 4 ...) {DSA-1899-1} - strongswan 4.3.2-1.1 (bug #540144) CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow context-depen ...) {DSA-1912-2 DSA-1912-1 DSA-1857-1} - camlimages 1:3.0.1-3 (low; bug #540146) - advi 1.6.0-15 (low; bug #551282) CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...) - nilfs2-tools (dh_fixperms removes the setuid and setgid bits from all files) CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...) NOT-FOR-US: Android CVE-2009-2655 (mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 al ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2654 (Mozilla Firefox before 3.0.13, and 3.5.x before 3.5.2, allows remote a ...) 
	{DSA-1873-1}
	- xulrunner 1.9.0.13-1 (low; bug #539891)
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2653
	NOT-FOR-US: Microsoft Windows
CVE-2009-2652 (Unspecified vulnerability in Solaris Trusted Extensions in Sun Solaris ...)
	NOT-FOR-US: Solaris Trusted Extensions
CVE-2009-3938 (Buffer overflow in the ABWOutputDev::endWord function in poppler/ABWOu ...)
	{DSA-1941-1}
	- poppler 0.12.2-2.1 (low; bug #534680)
	[etch] - poppler (Vulnerable code not present)
CVE-2009-2408 (Mozilla Network Security Services (NSS) before 3.12.3, Firefox before ...)
	{DSA-2025-1 DSA-1874-1}
	- nss 3.12.3-1 (medium; bug #539934)
	- icedove 2.0.0.24-1 (medium)
CVE-2009-2651 (main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote ...)
	- asterisk 1:1.6.2.0~dfsg~rc1-1 (low; bug #539473)
	[etch] - asterisk (Vulnerable code not present)
	[lenny] - asterisk (Vulnerable code not present)
	[squeeze] - asterisk (Vulnerable code not present)
	NOTE: AST-2009-004
CVE-2009-2650 (Heap-based buffer overflow in Sorcerer Software MultiMedia Jukebox 4.0 ...)
	NOT-FOR-US: Sorcerer Software MultiMedia Jukebox
CVE-2009-2649 (The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev ...)
	- kfreebsd-8 8.0-1 (bug #572811)
	- kfreebsd-7 7.3-1 (bug #572811)
	[lenny] - kfreebsd-7 (kFreeBSD not supported)
	- kfreebsd-6 (bug #572811)
	[lenny] - kfreebsd-6 (kFreeBSD not supported)
CVE-2009-2648 (FlashDen Guestbook allows remote attackers to obtain configuration inf ...)
	NOT-FOR-US: FlashDen Guestbook
CVE-2009-2647 (Unspecified vulnerability in Kaspersky Anti-Virus 2010 and Kaspersky I ...)
	NOT-FOR-US: Kaspersky Anti-Virus
CVE-2009-2646 (Multiple unspecified vulnerabilities in the PDF distiller in the Attac ...)
	NOT-FOR-US: Research In Motion (RIM) BlackBerry Enterprise Server (BES)
CVE-2009-2645
	REJECTED
CVE-2009-2644 (Race condition in the Solaris Auditing subsystem in Sun Solaris 9 and ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2659 (The Admin media handler in core/servers/basehttp.py in Django 1.0 and ...)
	- python-django 1.1-1 (low; bug #539134)
	[etch] - python-django (Minor issue)
	[lenny] - python-django 1.0.2-1+lenny1
CVE-2009-2643 (Multiple unspecified vulnerabilities in the PDF distiller in the Attac ...)
	NOT-FOR-US: BlackBerry Products
CVE-2009-XXXX [ser2net DoS]
	- ser2net 2.6-1 (low; bug #535159)
	[etch] - ser2net (Minor issue)
	[lenny] - ser2net (Minor issue)
CVE-2009-2642 (index.php in Desi Short URL Script 1.0 allows remote attackers to bypa ...)
	NOT-FOR-US: Desi Short URL
CVE-2009-2641 (PHP remote file inclusion vulnerability in app_and_readme/navigator/in ...)
	NOT-FOR-US: School Data Navigator
CVE-2009-2640 (Multiple SQL injection vulnerabilities in cgi/admin.cgi in Interlogy P ...)
	NOT-FOR-US: Interlogy Profile Manager Basic
CVE-2009-2639 (SQL injection vulnerability in admin.php in MRCGIGUY The Ticket System ...)
	NOT-FOR-US: MRCGIGUY
CVE-2009-2638 (SQL injection vulnerability in the AkoBook (com_akobook) component 2.3 ...)
	NOT-FOR-US: Joomla! component
CVE-2009-2637 (PHP remote file inclusion vulnerability in toolbar_ext.php in the Book ...)
	NOT-FOR-US: Joomla! component
CVE-2009-2636 (Cross-site scripting (XSS) vulnerability in the Integration page in th ...)
	NOT-FOR-US: WebMail component in Kerio MailServer
CVE-2009-2635 (PHP remote file inclusion vulnerability in toolbar_ext.php in the Real ...)
	NOT-FOR-US: Joomla! component
CVE-2009-2634 (PHP remote file inclusion vulnerability in toolbar_ext.php in the Medi ...)
	NOT-FOR-US: Joomla! component
CVE-2009-2633 (PHP remote file inclusion vulnerability in toolbar_ext.php in the Vehi ...)
	NOT-FOR-US: Joomla! component
CVE-2009-2632 (Buffer overflow in the SIEVE script component (sieve/script.c), as use ...)
	{DSA-1893-1 DSA-1892-1 DSA-1881-1}
	- cyrus-imapd-2.2 2.2.13-15 (medium)
	- kolab-cyrus-imapd 2.2.13-5.1 (medium; bug #547712)
	- dovecot 1:1.2.1-1 (medium; bug #546656)
CVE-2009-2631 (Multiple clientless SSL VPN products that run in web browsers, includi ...)
	NOT-FOR-US: Commercial SSL VPN products
CVE-2009-2630
	RESERVED
CVE-2009-2629 (Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0 ...)
	{DSA-1884-1}
	- nginx 0.7.61-3 (medium)
CVE-2009-2628 (The VMnc media codec in vmnc.dll in VMware Movie Decoder before 6.5.3 ...)
	NOT-FOR-US: VMware Movie Decoder
CVE-2009-2627 (Insecure method vulnerability in the Acer LunchApp (aka AcerCtrls.APlu ...)
	NOT-FOR-US: Acer LunchApp
CVE-2009-2625 (XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime En ...)
	{DSA-1984-1}
	- sun-java5 1.5.0-20-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
	- sun-java6 6-15-1
	[lenny] - sun-java6 6-20-0lenny1
	- openjdk-6 6b16-1.6-1 (medium; bug #542210)
	- libxerces2-java 2.9.1-4.1 (bug #548358)
CVE-2009-2624 (The huft_build function in inflate.c in gzip before 1.3.13 creates a h ...)
	{DSA-1974-1}
	- gzip 1.3.12-8 (medium; bug #507263)
CVE-2009-2623
	RESERVED
CVE-2009-2620 (src/remote/server.cpp in fbserver.exe in Firebird SQL 1.5 before 1.5.6 ...)
	- firebird2.0 2.0.5.13206-0.ds2-4 (low; bug #539477)
	[lenny] - firebird2.0 2.0.4.13130-1.ds1-4+lenny1
	- firebird2.1 2.1.2.18118-0.ds1-4 (low; bug #539478)
CVE-2009-2619 (SQL injection vulnerability in login.asp in DataCheck Solutions V-Spac ...)
	NOT-FOR-US: DataCheck Solutions V-SpacePal
CVE-2009-2618 (SQL injection vulnerability in the Surveys (aka NS-Polls) module in MD ...)
	NOT-FOR-US: MDPro module
CVE-2009-2617 (Stack-based buffer overflow in medialib.dll in BaoFeng Storm 3.9.62 al ...)
	NOT-FOR-US: BaoFeng Storm
CVE-2009-2616 (SQL injection vulnerability in z_admin_login.asp in DataCheck Solution ...)
	NOT-FOR-US: DataCheck Solutions
CVE-2009-2615 (Multiple cross-site scripting (XSS) vulnerabilities in DataCheck Solut ...)
	NOT-FOR-US: DataCheck Solutions
CVE-2009-2614 (SQL injection vulnerability in z_admin_login.asp in DataCheck Solution ...)
	NOT-FOR-US: DataCheck Solutions
CVE-2009-2613 (Multiple cross-site scripting (XSS) vulnerabilities in DataCheck Solut ...)
	NOT-FOR-US: DataCheck Solutions
CVE-2009-2612 (SQL injection vulnerability in login.aspx in ProSMDR allows remote att ...)
	NOT-FOR-US: ProSMDR
CVE-2009-2611 (Directory traversal vulnerability in infusions/last_seen_users_panel/l ...)
	NOT-FOR-US: MyFusion
CVE-2009-2610 (Cross-site scripting (XSS) vulnerability in the Links Related module i ...)
	NOT-FOR-US: Drupal module
CVE-2009-2609 (SQL injection vulnerability in the amoCourse (com_amocourse) component ...)
	NOT-FOR-US: Joomla! module
CVE-2009-2608 (Multiple SQL injection vulnerabilities in PHP Address Book 4.0.x allow ...)
	NOT-FOR-US: PHP Address Book
CVE-2009-2607 (SQL injection vulnerability in the com_pinboard component for Joomla! ...)
	NOT-FOR-US: Joomla! component
CVE-2009-2606 (ASP Football Pool 2.3 stores sensitive information under the web root ...)
	NOT-FOR-US: ASP Football Pool
CVE-2009-2605 (Multiple SQL injection vulnerabilities in adminquery.php in Traidnt Up ...)
	NOT-FOR-US: Traidnt Up
CVE-2009-2604 (Multiple SQL injection vulnerabilities in adminlogin.asp in Zen Help D ...)
	NOT-FOR-US: Zen Help Desk
CVE-2009-2603 (Multiple SQL injection vulnerabilities in index.php in Escon SupportPo ...)
	NOT-FOR-US: Escon SupportPortal Pro
CVE-2009-2602 (R2 Newsletter Lite, Pro, and Stats stores sensitive information under ...)
	NOT-FOR-US: R2 Newsletter Store
CVE-2009-2601 (SQL injection vulnerability in the Joomlaequipment (aka JUser or com_j ...)
	NOT-FOR-US: Joomla! component
CVE-2009-2600 (Multiple directory traversal vulnerabilities in view.php in Webboard 2 ...)
	NOT-FOR-US: Webboard
CVE-2009-2599 (SQL injection vulnerability in index.php in RadCLASSIFIEDS Gold 2.0 al ...)
	NOT-FOR-US: RadCLASSIFIEDS
CVE-2009-2598 (Multiple SQL injection vulnerabilities in Online Grades & Attendan ...)
	NOT-FOR-US: Online Grades & Attendance
CVE-2009-2597 (The Sun Java System (SJS) Access Manager Policy Agent module 2.2 for S ...)
	NOT-FOR-US: Sun Java System (SJS) Access Manager Policy Agent module 2.2 for SJS Web Proxy Server
CVE-2009-2596 (Unspecified vulnerability in the Solaris Auditing subsystem in Sun Sol ...)
	NOT-FOR-US: Solaris Auditing subsystem
CVE-2009-2622 (Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote ...)
	{DSA-1843-2 DSA-1843-1}
	- squid3 3.0.STABLE18-1 (medium; bug #538989)
	- squid (see NOTE)
	NOTE: squid 2.x not affected, according to
	NOTE: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
CVE-2009-2621 (Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not prope ...)
	{DSA-1843-2 DSA-1843-1}
	- squid3 3.0.STABLE18-1 (medium; bug #538989)
	- squid (see NOTE)
	NOTE: squid 2.x not affected, according to
	NOTE: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
CVE-2009-2595 (Cross-site scripting (XSS) vulnerability in productSearch.html in Cens ...)
	NOT-FOR-US: Censura
CVE-2009-2594 (Cross-site scripting (XSS) vulnerability in censura.php in Censura 1.1 ...)
	NOT-FOR-US: Censura
CVE-2009-2593 (SQL injection vulnerability in censura.php in Censura 1.16.04 allows r ...)
	NOT-FOR-US: Censura
CVE-2009-2592 (SQL injection vulnerability in guestbook.php in PHPJunkYard GBook 1.6 ...)
	NOT-FOR-US: PHPJunkYard
CVE-2009-2591 (SQL injection vulnerability in the MyAnnonces module for E-Xoopport 3. ...)
	NOT-FOR-US: MyAnnonces module for E-Xoopport
CVE-2009-2590 (SQL injection vulnerability in showcategory.php in Hutscripts PHP Webs ...)
	NOT-FOR-US: Hutscripts PHP
CVE-2009-2589 (Multiple cross-site scripting (XSS) vulnerabilities in Hutscripts PHP ...)
	NOT-FOR-US: Hutscripts PHP
CVE-2009-2588 (Multiple cross-site scripting (XSS) vulnerabilities in Hotscripts Type ...)
	NOT-FOR-US: Hotscripts Type PHP Clone Script
CVE-2009-2587 (Multiple cross-site scripting (XSS) vulnerabilities in DragDropCart al ...)
	NOT-FOR-US: DragDropCart
CVE-2009-2586 (Cross-site scripting (XSS) vulnerability in articles.php in EDGEPHP EZ ...)
	NOT-FOR-US: EZArticles
CVE-2009-2585 (SQL injection vulnerability in index.php in Mlffat 2.2 allows remote a ...)
	NOT-FOR-US: Mlffat
CVE-2009-XXXX [nilfs-tools privilege escalation]
	- nilfs2-tools (We don't install this with setuid)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=505374
CVE-2009-XXXX [XSS in drupal 6 calendar field]
	- drupal6 (unimportant)
	NOTE: you need to be able to create new calendar items, e.g. administrative
	NOTE: access, in order to exploit this
	NOTE: http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069849.html
CVE-2009-2584 (Off-by-one error in the options_write function in drivers/misc/sgi-gru ...)
	- linux-2.6 2.6.31-2 (high)
	[etch] - linux-2.6 (vulnerable code not present)
	[lenny] - linux-2.6 (vulnerable code not present)
	- linux-2.6.24 (vulnerable code not present)
	NOTE: exploit code exists
CVE-2009-2583 (Multiple session fixation vulnerabilities in IBM Tivoli Identity Manag ...)
	NOT-FOR-US: IBM Tivoli
CVE-2009-2582 (Stack-based buffer overflow in manager.exe in Akamai Download Manager ...)
	NOT-FOR-US: Akamai Download Manager
CVE-2009-2581 (Cross-site scripting (XSS) vulnerability in modifier.php in EditeurScr ...)
	NOT-FOR-US: EditeurScripts EsNews
CVE-2009-2580
	REJECTED
CVE-2009-2579 (SQL injection vulnerability in reward_points.post.php in the Reward po ...)
	NOT-FOR-US: CS-Cart
CVE-2009-2578 (Google Chrome 2.x through 2.0.172 allows remote attackers to cause a d ...)
	- chromium-browser (Only 2.x is affected)
	NOTE: browser denial of service not considered security-relevant
CVE-2009-2577 (Opera 9.52 and earlier allows remote attackers to cause a denial of se ...)
	NOT-FOR-US: Opera
CVE-2009-2576 (Microsoft Internet Explorer 6.0.2900.2180 and earlier allows remote at ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2575 (The Research In Motion (RIM) BlackBerry 8800 allows remote attackers t ...)
	NOT-FOR-US: BlackBerry
CVE-2009-2574 (index.php in MiniTwitter 0.2 beta allows remote authenticated users to ...)
	NOT-FOR-US: MiniTwitter
CVE-2009-2573 (Multiple SQL injection vulnerabilities in MiniTwitter 0.2 beta, when m ...)
	NOT-FOR-US: MiniTwitter
CVE-2009-2572 (Cross-site request forgery (CSRF) vulnerability in the Fivestar module ...)
	NOT-FOR-US: Drupal Module
CVE-2009-2571 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ve ...)
	NOT-FOR-US: VerliAdmin
CVE-2009-2570 (Stack-based buffer overflow in the Symantec.FaxViewerControl.1 ActiveX ...)
	NOT-FOR-US: Symantec WinFax Pro
CVE-2009-2569 (Multiple cross-site scripting (XSS) vulnerabilities in Verlihub Contro ...)
	NOT-FOR-US: vhcp
CVE-2009-2568 (Stack-based buffer overflow in Sorinara Streaming Audio Player (SAP) 0 ...)
	NOT-FOR-US: Sorinara Streaming Audio Player
CVE-2009-2567 (SQL injection vulnerability in the Almond Classifieds (com_aclassf) co ...)
	NOT-FOR-US: Joomla! component
CVE-2009-2566 (Stack-based buffer overflow in TFM MMPlayer 2.0, and possibly 2.0.0.30 ...)
	NOT-FOR-US: TFM MMPlayer
CVE-2009-2565 (Cross-site scripting (XSS) vulnerability in Perl CGI's By Mrs. Shiromu ...)
	NOT-FOR-US: Perl CGI's By Mrs. Shiromuku shiromuku
CVE-2009-2564 (NOS Microsystems getPlus Download Manager, as used in Adobe Reader 1.6 ...)
	NOT-FOR-US: Adobe
CVE-2009-2563 (Unspecified vulnerability in the Infiniband dissector in Wireshark 1.0 ...)
	- wireshark 1.2.1-1 (bug #538237)
	[etch] - wireshark (Only affects 1.0.6 to 1.2.0)
	[lenny] - wireshark (Only affects 1.0.6 to 1.2.0)
CVE-2009-2562 (Unspecified vulnerability in the AFS dissector in Wireshark 0.9.2 thro ...)
	{DSA-1942-1}
	- wireshark 1.2.1-1 (low; bug #538237)
	[lenny] - wireshark 1.0.2-3+lenny6
	[etch] - wireshark (Minor issue)
CVE-2009-2561 (Unspecified vulnerability in the sFlow dissector in Wireshark 1.2.0 al ...)
	- wireshark 1.2.1-1 (bug #538237)
	[etch] - wireshark (Only affects 1.2.0)
	[lenny] - wireshark (Only affects 1.2.0)
CVE-2009-2560 (Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote a ...)
	{DSA-1942-1}
	- wireshark 1.2.1-1 (bug #538237)
CVE-2009-2559 (Buffer overflow in the IPMI dissector in Wireshark 1.2.0 allows remote ...)
	- wireshark 1.2.1-1 (bug #538237)
	[etch] - wireshark (Only affects 1.2.0)
	[lenny] - wireshark (Only affects 1.2.0)
CVE-2009-2558 (system/message.php in Admin News Tools 2.5 does not properly restrict ...)
	NOT-FOR-US: Admin News Tools
CVE-2009-2557 (Directory traversal vulnerability in system/download.php in Admin News ...)
	NOT-FOR-US: Admin News Tools
CVE-2009-2556 (Google Chrome before 2.0.172.37 allows attackers to leverage renderer ...)
	- chromium-browser (Only 2.x is affected)
	- webkit (chrome-specific renderer issue)
CVE-2009-2555 (Heap-based buffer overflow in src/jsregexp.cc in Google V8 before 1.1. ...)
	- chromium-browser (Only 1.x and 2.x are affected)
	- libv8 1.3.11+dfsg-1
	- webkit (libv8 issue)
CVE-2009-2658 (Directory traversal vulnerability in ZNC before 0.072 allows remote at ...)
	{DSA-1848-1}
	- znc 0.074-1 (medium; bug #537977)
	NOTE: http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570
	NOTE: CVE id requested
CVE-2009-2554 (SQL injection vulnerability in the search method in jobline.class.php ...)
	NOT-FOR-US: Joomla!
CVE-2009-2553 (Multiple SQL injection vulnerabilities in comments.php in Super Simple ...)
	NOT-FOR-US: Super Simple Blog Script
CVE-2009-2552 (Multiple directory traversal vulnerabilities in comments.php in Super ...)
	NOT-FOR-US: Super Simple Blog Script
CVE-2009-2551 (Multiple cross-site scripting (XSS) vulnerabilities in ScriptsEz Easy ...)
	NOT-FOR-US: ScriptsEz Easy Image Downloader
CVE-2009-2550 (Stack-based buffer overflow in Hamster Audio Player 0.3a allows remote ...)
	NOT-FOR-US: Hamster Audio Player
CVE-2009-2549 (Armed Assault (aka ArmA) 1.14 and earlier, and 1.16 beta, and Armed As ...)
	NOT-FOR-US: Armed Assault
CVE-2009-2548 (Format string vulnerability in Armed Assault (aka ArmA) 1.14 and earli ...)
	NOT-FOR-US: Armed Assault
CVE-2009-2547 (Integer underflow in Armed Assault (aka ArmA) 1.14 and earlier, and 1. ...)
	NOT-FOR-US: Armed Assault
CVE-2009-2546 (Directory traversal vulnerability in Advanced Electron Forum (AEF) 1.x ...)
	NOT-FOR-US: Advanced Electron Forum
CVE-2009-2545 (SQL injection vulnerability in Advanced Electron Forum (AEF) 1.x, when ...)
	NOT-FOR-US: Advanced Electron Forum
CVE-2009-2544 (Directory traversal vulnerability in the Marcelo Costa FileServer comp ...)
	NOT-FOR-US: Marcelo Costa FileServer
CVE-2009-2543 (Multiple unspecified vulnerabilities in the IBM Proventia engine 4.9.0 ...)
	NOT-FOR-US: IBM Proventia engine
CVE-2009-2542 (Netscape 6 and 8 allows remote attackers to cause a denial of service ...)
	NOT-FOR-US: Netscape 6 and 8
CVE-2009-2541 (The web browser on the Sony PLAYSTATION 3 (PS3) allows remote attacker ...)
	NOT-FOR-US: Sony PLAYSTATION 3
CVE-2009-2540 (Opera, possibly 9.64 and earlier, allows remote attackers to cause a d ...)
	NOT-FOR-US: Opera
CVE-2009-2539 (The Aigo P8860 allows remote attackers to cause a denial of service (m ...)
	NOT-FOR-US: Aigo P8860
CVE-2009-2538 (The Nokia N95 running Symbian OS 9.2, N82, and N810 Internet Tablet al ...)
	NOT-FOR-US: Nokia N95
CVE-2009-2537 (KDE Konqueror allows remote attackers to cause a denial of service (me ...)
	- kdebase (unimportant; bug #537931)
CVE-2009-2536 (Microsoft Internet Explorer 5 through 8 allows remote attackers to cau ...)
	NOT-FOR-US: Microsoft Internet Explorer 5
CVE-2009-2535 (Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and T ...)
	- iceweasel 3.0.5-1 (unimportant)
	[etch] - iceweasel 2.0.0.19-0etch1 (unimportant)
CVE-2009-2534 (RealNetworks Helix Server and Helix Mobile Server before 13.0.0 allow ...)
	NOT-FOR-US: RealNetworks Helix Server and Helix Mobile Server
CVE-2009-2533 (rmserver in RealNetworks Helix Server and Helix Mobile Server before 1 ...)
	NOT-FOR-US: RealNetworks Helix Server and Helix Mobile Server
CVE-2009-2532 (Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold a ...)
	NOT-FOR-US: Microsoft Windows Vista
CVE-2009-2531 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handl ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2530 (Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handl ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2529 (Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prop ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2528 (GDI+ in Microsoft Office XP SP3 does not properly handle malformed obj ...)
	NOT-FOR-US: Microsoft Office XP
CVE-2009-2527 (Heap-based buffer overflow in Microsoft Windows Media Player 6.4 allow ...)
	NOT-FOR-US: Microsoft Windows Media Player
CVE-2009-2526 (Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP ...)
	NOT-FOR-US: Microsoft Windows Vista
CVE-2009-2525 (Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec ...)
	NOT-FOR-US: Microsoft Windows Media Runtime
CVE-2009-2524 (Integer underflow in the NTLM authentication feature in the Local Secu ...)
	NOT-FOR-US: Microsoft Windows XP
CVE-2009-2523 (The License Logging Server (llssrv.exe) in Microsoft Windows 2000 SP4 ...)
	NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2522
	REJECTED
CVE-2009-2521 (Stack consumption vulnerability in the FTP Service in Microsoft Intern ...)
	NOT-FOR-US: Microsoft Internet Information Server
CVE-2009-2520
	REJECTED
CVE-2009-2519 (The DHTML Editing Component ActiveX control in Microsoft Windows 2000 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-2518 (Integer overflow in GDI+ in Microsoft Office XP SP3 allows remote atta ...)
	NOT-FOR-US: Microsoft Office XP
CVE-2009-2517 (The kernel in Microsoft Windows Server 2003 SP2 does not properly hand ...)
	NOT-FOR-US: Microsoft Windows Server 2003
CVE-2009-2516 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...)
	NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2515 (Integer underflow in the kernel in Microsoft Windows 2000 SP4, XP SP2 ...)
	NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2514 (win32k.sys in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-2513 (The Graphics Device Interface (GDI) in win32k.sys in the kernel in Mic ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-2512 (The Web Services on Devices API (WSDAPI) in Windows Vista Gold, SP1, a ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-2511 (Integer overflow in the CryptoAPI component in Microsoft Windows 2000 ...)
	NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2510 (The CryptoAPI component in Microsoft Windows 2000 SP4, Windows XP SP2 ...)
	NOT-FOR-US: Microsoft Windows 2000
CVE-2009-2509 (Active Directory Federation Services (ADFS) in Microsoft Windows Serve ...)
	NOT-FOR-US: Microsoft Active Directory Federation Services
CVE-2009-2508 (The single sign-on implementation in Active Directory Federation Servi ...)
	NOT-FOR-US: Microsoft Active Directory Federation Services
CVE-2009-2507 (A certain ActiveX control in the Indexing Service in Microsoft Windows ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-2506 (Integer overflow in the text converters in Microsoft Office Word 2002 ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-2505 (The Internet Authentication Service (IAS) in Microsoft Windows Vista S ...)
	NOT-FOR-US: Microsoft Windows Vista
CVE-2009-2504 (Multiple integer overflows in unspecified APIs in GDI+ in Microsoft .N ...)
	NOT-FOR-US: Microsoft products
CVE-2009-2503 (GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Win ...)
	NOT-FOR-US: Microsoft products
CVE-2009-2502 (Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows ...)
	NOT-FOR-US: Microsoft products
CVE-2009-2501 (Heap-based buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP ...)
	NOT-FOR-US: Microsoft products
CVE-2009-2500 (Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows ...)
	NOT-FOR-US: Microsoft products
CVE-2009-2499 (Microsoft Windows Media Format Runtime 9.0, 9.5, and 11; and Microsoft ...)
	NOT-FOR-US: Microsoft Windows Media Format Runtime
CVE-2009-2498 (Microsoft Windows Media Format Runtime 9.0, 9.5, and 11 and Windows Me ...)
	NOT-FOR-US: Microsoft Windows Media Format Runtime
CVE-2009-2497 (The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0, 2.0 ...)
	NOT-FOR-US: Microsoft products
CVE-2009-2496 (Heap-based buffer overflow in the Office Web Components ActiveX Contro ...)
	NOT-FOR-US: Microsoft Office XP
CVE-2009-2495 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 ...)
	NOT-FOR-US: Microsoft Visual Studio .NET
CVE-2009-2494 (The Active Template Library (ATL) in Microsoft Windows 2000 SP4, XP SP ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-2493 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 ...)
	NOT-FOR-US: Microsoft Visual Studio .NET
CVE-2009-2492 (Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart ...)
	- movabletype-opensource 4.2.6.1-1 (low; bug #537935)
	[lenny] - movabletype-opensource 4.2.3-1+lenny1
CVE-2009-4589 (Cross-site scripting (XSS) vulnerability in the Special:Block implemen ...)
	- mediawiki 1:1.15.0-1.1 (low; bug #537634)
	- mediawiki1.7
	[etch] - mediawiki (metapackage)
	[etch] - mediawiki1.7 (vulnerable code introduced in 1.14.0)
	[lenny] - mediawiki (vulnerable code introduced in 1.14.0)
	NOTE: fixed in upstream 1.15.1
CVE-2009-XXXX [insecure tmp file vulnerability in slim]
	- slim (unimportant; bug #537604)
	NOTE: exploit scenario too contrived
	[lenny] - slim 1.3.0-1+lenny2
CVE-2009-2484 (Stack-based buffer overflow in the Win32AddConnection function in modu ...)
	- vlc (The vulnerability affects Windows builds only)
CVE-2009-2479 (Mozilla Firefox 3.0.x, 3.5, and 3.5.1 on Windows allows remote attacke ...)
	- xulrunner 1.9.1.1-1
	[etch] - xulrunner (only affects firefox 3.5)
	[lenny] - xulrunner (only affects firefox 3.5)
CVE-2009-2478 (Mozilla Firefox 3.5 allows remote attackers to cause a denial of servi ...)
	- xulrunner (unimportant)
	NOTE: browser crashes not treated as security issues
CVE-2009-2476 (The Java Management Extensions (JMX) implementation in Sun Java SE 6 b ...)
	- sun-java6 6-15-1
	[lenny] - sun-java6 6-20-0lenny1
	- openjdk-6 6b16-1.6-1 (medium; bug #542210)
CVE-2009-2475 (Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, ...)
	- sun-java5 1.5.0-20-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
	- sun-java6 6-15-1
	[lenny] - sun-java6 6-20-0lenny1
	- openjdk-6 6b16-1.6-1 (medium; bug #542210)
CVE-2009-2474 (neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly ...)
	- neon27 0.28.6-1 (low; bug #542926)
	[lenny] - neon27 (Minor issue)
	- neon26 0.26.4-3 (low; bug #542926)
	[lenny] - neon26 (Minor issue)
	- neon (low; bug #542926)
	[etch] - neon (Minor issue)
	- gnome-vfs2
	NOTE: affected neon code copy present in gnome-vfs2 [./imported/*]
	- litmus 0.13-1
	NOTE: affected neon code copy present in litmus [./libneon/*]
	NOTE: The newly reintroduced litmus package removes the embedded copy
CVE-2009-2473 (neon before 0.28.6, when expat is used, does not properly detect recur ...)
	- neon27 (neon27 is compiled to use libxml2 instead of expat)
	- neon26 (neon26 is compiled to use libxml2 instead of expat)
	- neon
	[etch] - neon (neon is compiled to use libxml2 instead of expat)
CVE-2009-2472 (Mozilla Firefox before 3.0.12 does not always use XPCCrossOriginWrappe ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2471 (The setTimeout function in Mozilla Firefox before 3.0.12 does not prop ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2470 (Mozilla Firefox before 3.0.12, and 3.5.x before 3.5.2, allows remote S ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2469 (Mozilla Firefox before 3.0.12 does not properly handle an SVG element ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2468 (Integer overflow in Apple CoreGraphics, as used in Safari before 4.0.3 ...)
	NOT-FOR-US: CoreGraphics in Apple Mac OS X
	NOTE: related issue to CVE-2009-1194
CVE-2009-2467 (Mozilla Firefox before 3.0.12 and 3.5 before 3.5.1 allows remote attac ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2466 (The JavaScript engine in Mozilla Firefox before 3.0.12 and Thunderbird ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2465 (Mozilla Firefox before 3.0.12 and Thunderbird allow remote attackers t ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2464 (The nsXULTemplateQueryProcessorRDF::CheckIsSeparator function in Mozil ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2463 (Multiple integer overflows in the (1) PL_Base64Decode and (2) PL_Base6 ...)
	{DSA-2025-1 DSA-1931-1}
	- nspr 4.8.2-1
	- icedove 3.0~rc2-2
	[etch] - nspr (Mozilla packages from oldstable no longer covered by security support)
CVE-2009-2462 (The browser engine in Mozilla Firefox before 3.0.12 and Thunderbird al ...)
	{DSA-1840-1}
	- xulrunner 1.9.0.12-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-2491 (The utaudiod daemon in Sun Ray Server Software (SRSS) 4.0, when Solari ...)
	NOT-FOR-US: Sun Ray Server Software
CVE-2009-2490 (Unspecified vulnerability in the utaudiod daemon in Sun Ray Server Sof ...)
	NOT-FOR-US: Sun Ray Server Software
CVE-2009-2489 (Unspecified vulnerability in the utdmsession program in Sun Ray Server ...)
	NOT-FOR-US: Sun Ray Server Software
CVE-2009-2488 (Unspecified vulnerability in the NFSv4 module in the kernel in Sun Sol ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2487 (Use-after-free vulnerability in the frpr_icmp function in the ipfilter ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2486 (Unspecified vulnerability in the SCTP implementation in Sun Solaris 10 ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2485 (Stack-based buffer overflow in HT-MP3Player 1.0 allows remote attacker ...)
	NOT-FOR-US: HT-MP3Player
CVE-2009-2483 (libprop/prop_object.c in proplib in NetBSD 4.0 and 4.0.1 allows local ...)
	NOT-FOR-US: NetBSD
CVE-2009-2482 (The pam_unix module in OpenPAM in NetBSD 4.0 before 4.0.2 and 5.0 befo ...)
	NOT-FOR-US: NetBSD OpenPAM
CVE-2009-2481 (mt-wizard.cgi in Six Apart Movable Type before 4.261, when global temp ...)
	NOT-FOR-US: Six Apart Movable Type
CVE-2009-2480 (Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart ...)
	NOT-FOR-US: Six Apart Movable Type
CVE-2009-2461 (mathtex.cgi in mathTeX, when downloaded before 20090713, does not secu ...)
	- mathtex 1.03-1 (low; bug #537253)
CVE-2009-2460 (Multiple stack-based buffer overflows in mathtex.cgi in mathTeX, when ...)
	- mathtex 1.03-1 (medium; bug #537253)
	NOTE: severity set to medium as this is used in several web applications for conversions
CVE-2009-2459 (Multiple unspecified vulnerabilities in mimeTeX, when downloaded befor ...)
	{DSA-1917-1}
	- mimetex 1.50-1.1 (medium; bug #537254)
	NOTE: set impact to medium as this is used in several web applications for conversions
CVE-2009-2458 (Unspecified vulnerability in Sun Fire V215 Server, when using XVR-100 ...)
	NOT-FOR-US: Sun Fire V215 Server
CVE-2009-2457 (The DS\NDSD component in Novell eDirectory 8.8 before SP5 allows remot ...)
	NOT-FOR-US: Novell eDirectory
CVE-2009-2456 (The DS\NDSD component in Novell eDirectory 8.8 before SP5 allows remot ...)
	NOT-FOR-US: Novell eDirectory
CVE-2009-2455 (Multiple cross-site scripting (XSS) vulnerabilities in webadmin/admin. ...)
	NOT-FOR-US: @mail
CVE-2009-2454 (Cross-site scripting (XSS) vulnerability in Citrix Web Interface 4.6, ...)
	NOT-FOR-US: Citrix Web Interface
CVE-2009-2453 (Citrix XenApp (formerly Presentation Server) 4.5 Hotfix Rollup Pack 3 ...)
	NOT-FOR-US: Citrix XenApp
CVE-2009-2452 (Multiple unspecified vulnerabilities in Citrix Licensing 11.5 have unk ...)
	NOT-FOR-US: Citrix Licensing
CVE-2009-2451 (Multiple SQL injection vulnerabilities in index.php in MIM:InfiniX 1.2 ...)
	NOT-FOR-US: MIM:InfiniX
CVE-2009-2477 (js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka ...)
	- xulrunner 1.9.1.2-1 (bug #537104)
	[lenny] - xulrunner (vulnerable code introduced in firefox 3.5)
	[etch] - xulrunner (vulnerable code introduced in firefox 3.5)
CVE-2009-2450 (The OAmon.sys kernel driver 3.1.0.0 and earlier in Tall Emu Online Arm ...)
	NOT-FOR-US: Tall Emu Online Armor Personal Firewall
CVE-2009-2449 (Directory traversal vulnerability in maillinglist/admin/change_config. ...)
	NOT-FOR-US: ADbNewsSender
CVE-2009-2448 (Cross-site scripting (XSS) vulnerability in ogp_show.php in Online Gue ...)
	NOT-FOR-US: Online Guestbook Pro
CVE-2009-2447 (Multiple cross-site scripting (XSS) vulnerabilities in ogp_show.php in ...)
	NOT-FOR-US: Online Guestbook Pro
CVE-2009-2445 (Oracle iPlanet Web Server (formerly Sun Java System Web Server or Sun ...)
	NOT-FOR-US: Sun ONE Web Server
CVE-2009-2444 (Directory traversal vulnerability in maillinglist/setup/step1.php.inc ...)
	NOT-FOR-US: ADbNewsSender
CVE-2009-2443 (Siteframe 3.2.3, and other 3.2.x versions, allows remote attackers to ...)
	NOT-FOR-US: Siteframe
CVE-2009-2442 (Cross-site scripting (XSS) vulnerability in public/index.php in Linea2 ...)
	NOT-FOR-US: Linea21
CVE-2009-2441 (Cross-site scripting (XSS) vulnerability in ogp_show.php in Online Gue ...)
	NOT-FOR-US: Online Guestbook Pro
CVE-2009-2440 (Cross-site scripting (XSS) vulnerability in index.php in JNM Guestbook ...)
	NOT-FOR-US: JNM Guestbook
CVE-2009-2439 (Multiple SQL injection vulnerabilities in Web Development House Alibab ...)
	NOT-FOR-US: Web Development House Alibaba
CVE-2009-2438 (Cross-site scripting (XSS) vulnerability in index.php in the search mo ...)
	NOT-FOR-US: ClanSphere
CVE-2009-2437 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Re ...)
	NOT-FOR-US: MyPHPDating
CVE-2009-2436 (SQL injection vulnerability in page.php in Online Dating Software MyPH ...)
	NOT-FOR-US: MyPHPDating
CVE-2009-2435 (The Sametime server in IBM Lotus Instant Messaging and Web Conferencin ...)
	NOT-FOR-US: IBM Lotus
CVE-2009-2434 (Buffer overflow in the syscall implementation in IBM AIX 5.3 allows lo ...)
	NOT-FOR-US: IBM AIX
CVE-2009-2433 (Stack-based buffer overflow in the AddFavorite method in Microsoft Int ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2432 (WordPress and WordPress MU before 2.8.1 allow remote attackers to obta ...)
	- wordpress 2.8.3-1 (unimportant; bug #537146)
	NOTE: Installation path is a known fact on a Debian package installation
CVE-2009-2431 (WordPress 2.7.1 places the username of a post's author in an HTML comm ...)
	- wordpress 2.8.3-1 (unimportant; bug #537146)
	NOTE: Minor information leak
CVE-2009-2430 (Unspecified vulnerability in auditconfig in Sun Solaris 8, 9, 10, and ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-2429 (SmartFilter Web Gateway Security 4.2.1.00 stores user credentials in c ...)
	NOT-FOR-US: SmartFilter Web Gateway Security
CVE-2009-2428 (Multiple SQL injection vulnerabilities in Tausch Ticket Script 3 allow ...)
	NOT-FOR-US: Tausch Ticket Script
CVE-2009-2427 (SQL injection vulnerability in co-profile.php in Jobbr 2.2.7 allows re ...)
	NOT-FOR-US: Jobbr
CVE-2009-2426 (The connection_edge_process_relay_cell_not_open function in src/or/rel ...)
	- tor 0.2.0.35-1 (low; bug #537148)
	[lenny] - tor 0.2.0.35-1~lenny1
CVE-2009-2425 (Tor before 0.2.0.35 allows remote attackers to cause a denial of servi ...)
	- tor 0.2.0.35-1 (low; bug #537148)
	[lenny] - tor 0.2.0.35-1~lenny1
CVE-2009-2424 (Cross-site scripting (XSS) vulnerability in search.php in Ebay Clone 2 ...)
	NOT-FOR-US: Ebay Clone 2009
CVE-2009-2423 (SQL injection vulnerability in category.php in Ebay Clone 2009 allows ...)
	NOT-FOR-US: Ebay Clone 2009
CVE-2009-2422 (The example code for the digest authentication functionality (http_aut ...)
	- rails 2.3.5-1 (bug #535896)
	[lenny] - rails (vulnerable code not present, introduced in 2.3.x)
CVE-2009-2446 (Multiple format string vulnerabilities in the dispatch_command functio ...)
	{DSA-1877-1}
	- mysql-dfsg-5.0 (low; bug #536726)
	[squeeze] - mysql-dfsg-5.0 5.0.51a-24+lenny2
CVE-2009-XXXX [libio-socket-ssl-perl: partial hostname matching vulnerability]
	- libio-socket-ssl-perl 1.26-1 (low; bug #535946)
	[lenny] - libio-socket-ssl-perl 1.16-1+lenny1
	NOTE: hostname validation is not implemented until 1.14, so etch
	NOTE: in a way is not affected, but in another sense it is
	NOTE: completely affected since no validation is done at all
CVE-2009-2421 (The CFCharacterSetInitInlineBuffer method in CoreFoundation.dll in App ...)
	NOT-FOR-US: Apple Safari
CVE-2009-2420 (Apple Safari 3.2.3 does not properly implement the file: protocol hand ...)
	NOT-FOR-US: Apple Safari
CVE-2009-2419 (Use-after-free vulnerability in the servePendingRequests function in W ...)
	- webkit 1.1.10-1
	[lenny] - webkit (Unmaintained in Lenny, only affects fringe apps)
CVE-2009-2418 REJECTED
CVE-2009-2417 (lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is u ...)
	{DSA-1869-1}
	- curl 7.19.5-1.1 (medium; bug #541991)
CVE-2009-2416 (Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6 ...)
	{DSA-1861-1 DSA-1859-1}
	- libxml2 2.7.3.dfsg-2.1 (low; bug #540865)
	- libxml
CVE-2009-2415 (Multiple integer overflows in memcached 1.1.12 and 1.2.2 allow remote ...)
	{DSA-1853-1}
	- memcached 1.4.1-1 (medium; bug #540379)
	- memcachedb 1.2.0-5 (medium; bug #540381)
	NOTE: the impact varies, on etch this runs as root and is not bound
	NOTE: to the loopback interface by default, memcached is even distributed
	NOTE: but fortunately not in a stable release.
CVE-2009-2414 (Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6 ...)
	{DSA-1861-1 DSA-1859-1}
	- libxml2 2.7.3.dfsg-2.1 (medium; bug #540865)
	- libxml
CVE-2009-2413 REJECTED
CVE-2009-2412 (Multiple integer overflows in the Apache Portable Runtime (APR) librar ...)
	{DSA-1854-1}
	- apr 1.3.8-1
	- apr-util 1.3.9+dfsg-1
CVE-2009-2411 (Multiple integer overflows in the libsvn_delta library in Subversion b ...)
	{DSA-1855-1}
	- subversion 1.6.4dfsg-1
CVE-2009-2410 (The local_handler_callback function in server/responder/pam/pam_LOCAL_ ...)
	- sssd (Fixed before initial upload to the archive)
CVE-2009-2409 (The Network Security Services (NSS) library before 3.12.3, as used in ...)
	{DSA-1935-1 DSA-1888-1 DSA-1874-1}
	- nss 3.12.3-1 (low; bug #539895)
	- openssl 0.9.8k-4 (low; bug #539899)
	[etch] - openssl 0.9.8c-4etch8
	- gnutls26 2.4.2-5 (low; bug #539901)
	- openjdk-6 6b17~pre3-1 (low)
	- gnutls13
	- sun-java6 6-17-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-2407 (Heap-based buffer overflow in the parse_tag_3_packet function in fs/ec ...)
	{DSA-1845-1 DSA-1844-1}
	- linux-2.6 2.6.30-5 (medium)
	[etch] - linux-2.6 (ecryptfs not yet present)
	- linux-2.6.24
CVE-2009-2406 (Stack-based buffer overflow in the parse_tag_11_packet function in fs/ ...)
	{DSA-1845-1 DSA-1844-1}
	- linux-2.6 2.6.30-5 (medium)
	[etch] - linux-2.6 (ecryptfs not yet present)
	- linux-2.6.24
CVE-2009-2405 (Multiple cross-site scripting (XSS) vulnerabilities in the Web Console ...)
	- jbossas4 4.2.2.GA-1 (bug #562000)
	[lenny] - jbossas4 (Contrib not supported)
CVE-2009-2404 (Heap-based buffer overflow in a regular-expression parser in Mozilla N ...)
	{DSA-2025-1 DSA-1874-1}
	- nss 3.12.3-1 (low; bug #539934)
	- icedove 2.0.0.24-1 (low)
CVE-2009-2403 (Heap-based buffer overflow in SCMPX 1.5.1 allows remote attackers to c ...)
	NOT-FOR-US: SCMPX
CVE-2009-2402 (SQL injection vulnerability in index.php in the forum module in PHPEch ...)
	NOT-FOR-US: PHPEcho
CVE-2009-2401 (Cross-site scripting (XSS) vulnerability in PHPEcho CMS 2.0-rc3 allows ...)
	NOT-FOR-US: PHPEcho
CVE-2009-2400 (SQL injection vulnerability in the PHP (com_php) component for Joomla! ...)
	NOT-FOR-US: Joomla!
CVE-2009-2399 (PHP remote file inclusion vulnerability in dm-albums/template/album.ph ...)
	NOT-FOR-US: DM FileManager
CVE-2009-2398 (Directory traversal vulnerability in test/index.php in PHP-Sugar 0.80 ...)
	NOT-FOR-US: PHP-Sugar
CVE-2009-2397 (Directory traversal vulnerability in download.php in Audio Article Dir ...)
	NOT-FOR-US: Audio Article Directory
CVE-2009-2396 (PHP remote file inclusion vulnerability in template/album.php in DM Al ...)
	NOT-FOR-US: DM Albums
CVE-2009-2395 (SQL injection vulnerability in the K2 (com_k2) component 1.0.1 Beta an ...)
	NOT-FOR-US: Joomla!
CVE-2009-2394 (SQL injection vulnerability in cat.php in SMSPages 1.0 in Mr.Saphp Ara ...)
	NOT-FOR-US: SMSPages
CVE-2009-2393 (admin/index.php in Virtuenetz Virtue Online Test Generator does not re ...)
	NOT-FOR-US: Virtuenetz Virtue Online Test Generator
CVE-2009-2392 (SQL injection vulnerability in text.php in Virtuenetz Virtue Online Te ...)
	NOT-FOR-US: Virtuenetz Virtue Online Test Generator
CVE-2009-2391 (Cross-site scripting (XSS) vulnerability in text.php in Virtuenetz Vir ...)
	NOT-FOR-US: Virtuenetz Virtue Online Test Generator
CVE-2009-2390 (SQL injection vulnerability in the BookFlip (com_bookflip) component 2 ...)
	NOT-FOR-US: Joomla!
CVE-2009-2389 (Multiple SQL injection vulnerabilities in newsscript.php in USOLVED NE ...)
	NOT-FOR-US: USOLVED NEWSolved
CVE-2009-2388 (SQL injection vulnerability in admin/index.php in Opial 1.0 allows rem ...)
	NOT-FOR-US: Opial
CVE-2009-2387 (Unspecified vulnerability in the proc filesystem in Sun OpenSolaris sn ...)
	NOT-FOR-US: Sun OpenSolaris
CVE-2009-2386 (Insecure method vulnerability in Awingsoft Awakening Winds3D Viewer pl ...)
	NOT-FOR-US: Awingsoft Awakening Winds3D Viewer plugin
CVE-2009-2369 (Integer overflow in the wxImage::Create function in src/common/image.c ...)
	{DSA-1890-1}
	- wxwidgets2.8 2.8.7.1-2 (medium; bug #537174)
	- wxwidgets2.6 2.6.3.2.2-3.1 (medium; bug #537175)
	- wxwindows2.4 (medium)
CVE-2009-2360 (Cross-site scripting (XSS) vulnerability in passwd/main.php in the Pas ...)
	{DSA-1829-1}
	- sork-passwd-h3 3.1-1.1 (low; bug #536554)
CVE-2009-2385 (SQL injection vulnerability in the awardsMembers function in Sources/P ...)
	NOT-FOR-US: Member Awards component for Simple Machines Forum
CVE-2009-2384 (Buffer overflow in amp.exe in Brothersoft PEamp 1.02b allows user-assi ...)
	NOT-FOR-US: Brothersoft PEamp
CVE-2009-2383 (SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites ...)
	NOT-FOR-US: Related Sites plugin for WordPress
CVE-2009-2382 (admin.php in phpMyBlockchecker 1.0.0055 allows remote attackers to byp ...)
	NOT-FOR-US: phpMyBlockchecker
CVE-2009-2381 (Gizmo 3.1.0.79 on Linux does not verify a server's SSL certificate, wh ...)
	NOT-FOR-US: Gizmo
CVE-2009-2380 (Cross-site scripting (XSS) vulnerability in includes/functions.php in ...)
	NOT-FOR-US: 4images
CVE-2009-2379 (Directory traversal vulnerability in public/index.php in BIGACE Web CM ...)
	NOT-FOR-US: BIGACE Web CMS
CVE-2009-2378 (PHP remote file inclusion vulnerability in formmailer.admin.inc.php in ...)
	NOT-FOR-US: Jax FormMailer
CVE-2009-2377 (Buffer overflow in the Avax Vector ActiveX control in avPreview.ocx in ...)
	NOT-FOR-US: AVAX-software Avax Vector ActiveX
CVE-2009-2376 (Cross-site scripting (XSS) vulnerability in the Html::textarea functio ...)
	NOT-FOR-US: TangoCMS
CVE-2009-2375 (Stack-based buffer overflow in Photo DVD Maker 8.02, and possibly earl ...)
	NOT-FOR-US: Photo DVD Maker
CVE-2009-2371 (Advanced Forum 6.x before 6.x-1.1, a module for Drupal, does not preve ...)
	NOT-FOR-US: Advanced Forum module for Drupal
CVE-2009-2370 (Cross-site scripting (XSS) vulnerability in Advanced Forum 5.x before ...)
	NOT-FOR-US: Advanced Forum module for Drupal
CVE-2009-2368 (Unspecified vulnerability in Socks Server 5 before 3.7.8-8 has unknown ...)
	NOT-FOR-US: Socks Server
CVE-2009-2367 (cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable ses ...)
	NOT-FOR-US: Iomega StorCenter Pro
CVE-2009-2366 (SQL injection vulnerability in login.asp in DataCheck Solutions ForumP ...)
	NOT-FOR-US: DataCheck Solutions ForumPal FE
CVE-2009-2365 (SQL injection vulnerability in login.asp in DataCheck Solutions Galler ...)
	NOT-FOR-US: DataCheck Solutions GalleryPal FE
CVE-2009-2364 (Stack-based buffer overflow in Mp3-Nator 2.0 allows remote attackers t ...)
	NOT-FOR-US: Mp3-Nator
CVE-2009-2363 (Stack-based buffer overflow in KUDRSOFT AudioPLUS 2.00.215 allows remo ...)
	NOT-FOR-US: KUDRSOFT AudioPLUS
CVE-2009-2362 (Stack-based buffer overflow in KUDRSOFT AudioPLUS 2.0.0.215 allows rem ...)
	NOT-FOR-US: KUDRSOFT AudioPLUS
CVE-2009-2361 (SQL injection vulnerability in include/class.staff.php in osTicket bef ...)
	NOT-FOR-US: osTicket
CVE-2009-2359 (Multiple SQL injection vulnerabilities in TekRADIUS 3.0 allow context- ...)
	NOT-FOR-US: TekRADIUS
CVE-2009-2358 (TekRADIUS 3.0 uses BUILTIN\Users:R permissions for the TekRADIUS.ini f ...)
	NOT-FOR-US: TekRADIUS
CVE-2009-2357 (The default configuration of TekRADIUS 3.0 uses the sa account to comm ...)
	NOT-FOR-US: TekRADIUS
CVE-2009-2356 (Multiple stack-based buffer overflows in the pgsqlQuery function in Nu ...)
	NOT-FOR-US: NullLogic Groupware
CVE-2009-2355 (The forum module in NullLogic Groupware 1.2.7 allows remote authentica ...)
	NOT-FOR-US: NullLogic Groupware
CVE-2009-2354 (SQL injection vulnerability in the auth_checkpass function in the logi ...)
	NOT-FOR-US: NullLogic Groupware
CVE-2009-2353 (encoder.php in eAccelerator allows remote attackers to execute arbitra ...)
	- eaccelerator-src (bug #460341)
CVE-2009-2352 (Google Chrome 1.0.154.48 and earlier does not block javascript: URIs i ...)
	- chromium-browser 5.0.375.70~r48679-2
	- webkit (doesn't have a 'view-source' handler)
	NOTE: poc didn't seem to work against 5.0.375.70~r48679-2
	NOTE: chromium security team doesn't consider this a valid security issue
	NOTE: http://crbug.com/40086
CVE-2009-2351 (Opera 9.52 and earlier does not block javascript: URIs in Refresh head ...)
	NOT-FOR-US: Opera
CVE-2009-2350 (Microsoft Internet Explorer 6.0.2900.2180 and earlier does not block j ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-2349 RESERVED
CVE-2009-2348 (Android 1.5 CRBxx allows local users to bypass the (1) Manifest.permis ...)
	NOT-FOR-US: Android
CVE-2009-2347 (Multiple integer overflows in inter-color spaces conversion tools in l ...)
	{DSA-1835-1}
	- tiff 3.8.2-13
	- tiff3 (fixed prior to initial upload)
CVE-2009-2346 (The IAX2 protocol implementation in Asterisk Open Source 1.2.x before ...)
	- asterisk 1:1.6.2.0~dfsg~beta3-1 (bug #539473)
	[etch] - asterisk (Etch Packages no longer covered by security support)
	[lenny] - asterisk (Intrusive protocol-level vulnerability, see http://downloads.asterisk.org/pub/security/IAX2-security.pdf)
CVE-2009-2345 (Multiple SQL injection vulnerabilities in ClanSphere before 2009.0.1 a ...)
	NOT-FOR-US: ClanSphere
CVE-2009-2344 (The web-based management interfaces in Sourcefire Defense Center (DC) ...)
	NOT-FOR-US: Sourcefire
CVE-2009-2342 (Cross-site scripting (XSS) vulnerability in admin.php (aka the login p ...)
	NOT-FOR-US: CMME
CVE-2009-2341 (SQL injection vulnerability in albumdetail.php in Opial 1.0 allows rem ...)
	NOT-FOR-US: Opial
CVE-2009-2340 (SQL injection vulnerability in admin/index.php in Opial 1.0 allows rem ...)
	NOT-FOR-US: Opial
CVE-2009-2339 (SQL injection vulnerability in index.php in Rentventory allows remote ...)
	NOT-FOR-US: Rentventory
CVE-2009-2338 (Directory traversal vulnerability in includes/startmodules.inc.php in ...)
	NOT-FOR-US: FreeWebshop.org
CVE-2009-2337 (SQL injection vulnerability in includes/module/book/index.inc.php in w ...)
	NOT-FOR-US: w3b|cms
CVE-2009-2336 (The forgotten mail interface in WordPress and WordPress MU before 2.8. ...)
	- wordpress 2.8.3-1 (unimportant; bug #536724)
	NOTE: Minor information leak
CVE-2009-2335 (WordPress and WordPress MU before 2.8.1 exhibit different behavior for ...)
	- wordpress 2.8.3-1 (unimportant; bug #536724)
	NOTE: Minor information leak
CVE-2009-2334 (wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not ...)
	{DSA-1871-2 DSA-1871-1}
	- wordpress 2.8.3-1 (low; bug #536724)
CVE-2009-2333 (Multiple directory traversal vulnerabilities in CMS Chainuk 1.2 and ea ...)
	NOT-FOR-US: CMS Chainuk
CVE-2009-2332 (CMS Chainuk 1.2 and earlier allows remote attackers to obtain sensitiv ...)
	NOT-FOR-US: CMS Chainuk
CVE-2009-2331 (Multiple static code injection vulnerabilities in CMS Chainuk 1.2 and ...)
	NOT-FOR-US: CMS Chainuk
CVE-2009-2330 (Cross-site scripting (XSS) vulnerability in admin/admin_menu.php in CM ...)
	NOT-FOR-US: CMS Chainuk
CVE-2009-2329 (KerviNet Forum 1.1 and earlier allows remote attackers to obtain sensi ...)
	NOT-FOR-US: KerviNet Forum
CVE-2009-2328 (admin/edit_user.php in KerviNet Forum 1.1 and earlier does not require ...)
	NOT-FOR-US: KerviNet Forum
CVE-2009-2327 (Cross-site scripting (XSS) vulnerability in add_voting.php in KerviNet ...)
	NOT-FOR-US: KerviNet Forum
CVE-2009-2326 (Multiple SQL injection vulnerabilities in KerviNet Forum 1.1 and earli ...)
	NOT-FOR-US: KerviNet Forum
CVE-2009-2325 (Directory traversal vulnerability in index.php in Clicknet CMS 2.1 all ...)
	NOT-FOR-US: Clicknet CMS
CVE-2009-2324 (Multiple cross-site scripting (XSS) vulnerabilities in FCKeditor befor ...)
	{DSA-1836-1}
	- fckeditor 1:2.6.4.1-1 (low; bug #536051)
	- moin 1.8.2-2
	NOTE: moin from 1.8.2-2 uses systemwide copy of fckeditor
	[lenny] - moin (unimportant; provides FCKeditor as example files in /usr/share/doc, but not executable in general case)
	[etch] - moin (doesn't provide FCKeditor sample files)
	- knowledgeroot 0.9.8.5-3
	NOTE: knowledgeroot from 0.9.8.5-3 uses systemwide copy of fckeditor
	[etch] - knowledgeroot (doesn't provide FCKeditor sample files)
	- karrigell
	[etch] - karrigell (doesn't provide FCKeditor sample files)
	- gforge 4.6.99+svn6225-1
	[etch] - gforge (doesn't contain FCKeditor)
	- egroupware (doesn't provide FCKeditor sample files)
	- request-tracker3.8 (doesn't provide FCKeditor sample files)
CVE-2009-2323 (The web interface on the Axesstel MV 410R redirects users back to the ...)
	NOT-FOR-US: Axesstel MV 410R
CVE-2009-2322 (Cross-site scripting (XSS) vulnerability in cgi-bin/sysconf.cgi on the ...)
	NOT-FOR-US: Axesstel MV 410R
CVE-2009-2321 (cgi-bin/sysconf.cgi on the Axesstel MV 410R allows remote attackers to ...)
	NOT-FOR-US: Axesstel MV 410R
CVE-2009-2320 (The web interface on the Axesstel MV 410R relies on client-side JavaSc ...)
	NOT-FOR-US: Axesstel MV 410R
CVE-2009-2319 (The default configuration of the Wi-Fi component on the Axesstel MV 41 ...)
	NOT-FOR-US: Axesstel MV 410R
CVE-2009-2318 (The Axesstel MV 410R allows remote attackers to cause a denial of serv ...)
	NOT-FOR-US: Axesstel MV 410R
CVE-2009-2317 (The Axesstel MV 410R has a certain default administrator password, and ...)
	NOT-FOR-US: Axesstel MV 410R
CVE-2009-2316 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Iden ...)
	NOT-FOR-US: IBM Tivoli
CVE-2009-2315 REJECTED
CVE-2009-2314 (Race condition in the Sun Lightweight Availability Collection Tool 3.0 ...)
	NOT-FOR-US: Lightweight Availability Collection Tool
CVE-2009-2687 (The exif_read_data function in the Exif module in PHP before 5.2.10 al ...)
	{DSA-1940-1}
	- php5 5.2.10.dfsg.1-2 (low; bug #535888)
	- php4 (low; bug #535897)
	NOTE: 5.3.0 (in experimental) is not affected
CVE-2009-XXXX [apache2: htaccess override]
	- apache2 2.2.9-1 (low; bug #535886)
	[etch] - apache2 2.2.3-4+etch8
	NOTE: fixed in etch in DSA-1816-1
CVE-2009-XXXX [xscreensaver: symlink attack enables local information disclosure]
	- xscreensaver (does not run setuid in debian)
	NOTE: http://bugs.debian.org/535870
CVE-2009-XXXX [libdkim: signature parsing is not thread-safe]
	- libdkim 1:1.0.19-4 (unimportant; bug #532740)
	NOTE: This is mostly a missing feature, it's unlikely that any threaded application
	NOTE: is using libdkim in the current state, so the practical impact is none
CVE-2009-XXXX [mimedecode: potential dos/crash due to invalid input]
	- mimedecode (low; bug #530430)
	[etch] - mimedecode (minor issue)
	[lenny] - mimedecode (minor issue)
CVE-2009-2313 (Directory traversal vulnerability in index.php in Jinzora Media Jukebo ...)
	NOT-FOR-US: Jinzora Media Jukebox
CVE-2009-2312 (SmartFilter Web Gateway Security 4.2.1.00 stores user credentials in c ...)
	NOT-FOR-US: Secure Computing SmartFilter
CVE-2009-2311 (SQL injection vulnerability in the rGallery plugin 1.2.3 for WoltLab B ...)
	NOT-FOR-US: rGallery plugin for WoltLab
CVE-2009-2310 (SQL injection vulnerability in include/get_read.php in Extensible-BioL ...)
	NOT-FOR-US: Extensible-BioLawCom CMS
CVE-2009-2309 (SQL injection vulnerability in index.php in Codice CMS 2 allows remote ...)
	NOT-FOR-US: Codice CMS 2
CVE-2009-2308 (Multiple SQL injection vulnerabilities in affiliates.php in the Affili ...)
	NOT-FOR-US: PunBB
CVE-2009-2307 (SQL injection vulnerability in the CWGuestBook module 2.1 and earlier ...)
	NOT-FOR-US: MDPro
CVE-2009-2306 (The ARD-9808 DVR card security camera stores sensitive information und ...)
	NOT-FOR-US: ARD-9808 DVR card security camera
CVE-2009-2305 (The ARD-9808 DVR card security camera allows remote attackers to cause ...)
	NOT-FOR-US: ARD-9808 DVR card security camera
CVE-2009-2304 (index.php in Aardvark Topsites PHP 5.2.0 and earlier allows remote att ...)
	NOT-FOR-US: Aardvark Topsites
CVE-2009-2303 (index.php in Aardvark Topsites PHP 5.2.1 and earlier allows remote att ...)
	NOT-FOR-US: Aardvark Topsites
CVE-2009-2302 (Cross-site scripting (XSS) vulnerability in index.php in Aardvark Tops ...)
	NOT-FOR-US: Aardvark Topsites
CVE-2009-2301 (The radware AppWall Web Application Firewall (WAF) 1.0.2.6, with Gatew ...)
	NOT-FOR-US: AppWall Web Application Firewall
CVE-2009-2300 (The management interface in the phion airlock Web Application Firewall ...)
	NOT-FOR-US: phion airlock Web Application Firewall
CVE-2009-2299 (The Artofdefence Hyperguard Web Application Firewall (WAF) module befo ...)
	NOT-FOR-US: Artofdefence Hyperguard Web Application Firewall
CVE-2009-2298 (Stack-based buffer overflow in rping in HP OpenView Network Node Manag ...)
	NOT-FOR-US: HP Network Node Manager rping
CVE-2009-2297 (Unspecified vulnerability in the udp subsystem in the kernel in Sun So ...)
	NOT-FOR-US: kernel in Sun Solaris
CVE-2009-2296 (The NFSv4 server kernel module in Sun Solaris 10, and OpenSolaris befo ...)
	NOT-FOR-US: kernel module in Sun Solaris
CVE-2009-2295 (Multiple integer overflows in CamlImages 2.2 and earlier might allow c ...)
	{DSA-1912-2 DSA-1832-1}
	- camlimages 1:3.0.1-2 (low; bug #535909)
	- advi 1.6.0-15 (low; bug #550440)
CVE-2009-2294 (Integer overflow in the Png_datainfo_callback function in Dillo 2.1 an ...)
	- dillo 3.0-1 (medium; bug #535788)
CVE-2009-2293 (Optimum Web Design Tutorial Share 3.5.0 and earlier allows remote atta ...)
	NOT-FOR-US: Optimum Web Design Tutorial Share
CVE-2009-2292 (Cross-site scripting (XSS) vulnerability in Appleple a-News 2.32 allow ...)
	NOT-FOR-US: Appleple a-News
CVE-2009-2291 (Unspecified vulnerability in LoginToboggan 6.x-1.x before 6.x-1.5, a m ...)
	NOT-FOR-US: LoginToboggan module for Drupal
CVE-2009-2290 (SQL injection vulnerability in the Boy Scout Advancement (com_bsadv) c ...)
	NOT-FOR-US: Joomla!
CVE-2009-2289 (Cross-site scripting (XSS) vulnerability in index.php in Arcade Trade ...)
	NOT-FOR-US: Arcade Trade Script
CVE-2009-2287 (The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel ...)
	{DSA-1846-1 DSA-1845-1}
	- linux-2.6 2.6.30-2 (low)
	- linux-2.6.24
	- kvm 88+dfsg-2 (low; bug #557737)
CVE-2009-2285 (Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allo ...)
	{DSA-1835-1}
	- tiff 3.8.2-12 (low; bug #534137)
	- tiff3 (fixed prior to initial upload)
	NOTE: this doesn't allow code execution, only a crash.
CVE-2009-2283 (Multiple cross-site scripting (XSS) vulnerabilities in the help jsp sc ...)
	NOT-FOR-US: Sun Java Web Console in Solaris
CVE-2009-2282 (The Virtual Network Terminal Server daemon (vntsd) for Logical Domains ...)
	NOT-FOR-US: LDoms in Sun Solaris
CVE-2009-2373 (Cross-site scripting (XSS) vulnerability in the Forum module in Drupal ...)
	{DSA-1930-1}
	- drupal6 6.12-1.1 (low; bug #535435)
	- drupal5 (Vulnerable code not present)
	NOTE: http://drupal.org/node/507572
	NOTE: requested CVE id
CVE-2009-2372 (Drupal 6.x before 6.13 does not prevent users from modifying user sign ...)
	{DSA-1930-1}
	- drupal6 6.12-1.1 (medium; bug #535435)
	- drupal5 (Vulnerable code not present)
	NOTE: http://drupal.org/node/507572
	NOTE: marked as medium as this might lead to code execution if the php filter is enabled
	NOTE: requested CVE id
CVE-2009-2374 (Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize ...)
	{DSA-1930-1}
	- drupal6 6.12-1.1 (low; bug #535435)
	- drupal5 5.18-1.1 (low; bug #535476)
	NOTE: http://drupal.org/node/507572
	NOTE: requested CVE id
CVE-2009-2284 (Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1 ...)
	- phpmyadmin 4:3.2.0.1-1 (medium; bug #535890)
	[etch] - phpmyadmin (Vulnerable code not present)
	[lenny] - phpmyadmin (Vulnerable code not present)
	NOTE: affects 3.x branch only
CVE-2009-2280 RESERVED
CVE-2009-2279 RESERVED
CVE-2009-2278 RESERVED
CVE-2009-2277 (Cross-site scripting (XSS) vulnerability in WebAccess in VMware Virtua ...)
	NOT-FOR-US: VMware
CVE-2009-2276 (SQL injection vulnerability in voteforus.php in the Vote For Us extens ...)
	NOT-FOR-US: voteforus.php extension for PunBB
CVE-2009-2275 (Directory traversal vulnerability in frontend/x3/stats/lastvisit.html ...)
	NOT-FOR-US: cPanel
CVE-2009-2274 (The Huawei D100 allows remote attackers to obtain sensitive informatio ...)
	NOT-FOR-US: Huawei D100
CVE-2009-2273 (The default configuration of the Wi-Fi component on the Huawei D100 do ...)
	NOT-FOR-US: Huawei D100
CVE-2009-2272 (The Huawei D100 stores the administrator's account name and password i ...)
	NOT-FOR-US: Huawei D100
CVE-2009-2271 (The Huawei D100 has (1) a certain default administrator password for t ...)
	NOT-FOR-US: Huawei D100
CVE-2009-2270 (Unrestricted file upload vulnerability in member/uploads_edit.php in d ...)
	NOT-FOR-US: dedecms
CVE-2009-2269 (SQL injection vulnerability in Empire CMS 5.1 allows remote attackers ...)
	NOT-FOR-US: Empire CMS
CVE-2009-2268 (Cross-site scripting (XSS) vulnerability in the Cross-Domain Controlle ...)
	NOT-FOR-US: Sun Java System Access Manager
CVE-2009-2267 (VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5. ...)
	- vmware-package
CVE-2009-2266 (OXID eShop 4.x before 4.1.4-21266, 3.x, and 2.x allows remote attacker ...)
	NOT-FOR-US: OXID eShop
CVE-2009-2281 (Multiple heap-based buffer underflows in the readPostBody function in ...)
	{DSA-1914-1}
	- mapserver 5.4.2-1 (medium; bug #535340)
	NOTE: https://www.openwall.com/lists/oss-security/2009/06/22/2
CVE-2009-2265 (Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4 ...)
	{DSA-1836-1}
	- fckeditor 1:2.6.4.1-1 (medium; bug #536051)
	NOTE: http://dev.fckeditor.net/changeset/3815/FCKeditor/trunk/editor/filemanager
	- moin 1.8.2-2
	NOTE: moin from 1.8.2-2 uses systemwide copy of fckeditor
	[lenny] - moin (unimportant)
	[etch] - moin (Vulnerable code not present)
	NOTE: moin in lenny provides FCKeditor as example files (/usr/share/doc)
	- request-tracker3.8 (Vulnerable code not present)
	- egroupware 1.6.002+dfsg-1 (low)
	[lenny] - egroupware 1.4.004-2.dfsg-4.2
	- gforge 4.6.99+svn6225-1
	[etch] - gforge (doesn't contain FCKeditor)
	- knowledgeroot 0.9.8.5-3 (medium; bug #538722)
	- karrigell
	[etch] - karrigell (Vulnerable code not present)
	NOTE: knowledgeroot from 0.9.8.5-3 uses systemwide copy of fckeditor
CVE-2009-2264 RESERVED
CVE-2009-2263 (Directory traversal vulnerability in index.php in Awesome PHP Mega Fil ...)
	NOT-FOR-US: Mega File Manager
CVE-2009-2262 (PHP remote file inclusion vulnerability in install/di.php in AjaxPorta ...)
	NOT-FOR-US: AjaxPortal
CVE-2009-2261 (PeaZIP 2.6.1, 2.5.1, and earlier on Windows allows user-assisted remot ...)
	NOT-FOR-US: PeaZIP
CVE-2009-2260 (stardict 3.0.1, when Enable Net Dict is configured, sends the contents ...)
	- stardict 3.0.1-5 (low; bug #534731)
	[etch] - stardict (netdict plugin not yet present)
	[lenny] - stardict 3.0.1-4+lenny1
CVE-2009-2259 REJECTED
CVE-2009-2258 (Directory traversal vulnerability in cgi-bin/webcm in the administrati ...)
	NOT-FOR-US: Netgear DG632
CVE-2009-2257 (The administrative web interface on the Netgear DG632 with firmware 3. ...)
	NOT-FOR-US: Netgear DG632
CVE-2009-2256 (The administrative web interface on the Netgear DG632 with firmware 3. ...)
	NOT-FOR-US: Netgear DG632
CVE-2009-2255 (Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative au ...)
	NOT-FOR-US: Zen Cart
CVE-2009-2254 (Zen Cart 1.3.8a, 1.3.8, and earlier does not require administrative au ...)
	NOT-FOR-US: Zen Cart
CVE-2009-2253 RESERVED
CVE-2009-2252 RESERVED
CVE-2009-2251 RESERVED
CVE-2009-2250 RESERVED
CVE-2009-2249 RESERVED
CVE-2009-2248 RESERVED
CVE-2009-2247 RESERVED
CVE-2009-2246 RESERVED
CVE-2009-2245 RESERVED
CVE-2009-2244 RESERVED
CVE-2009-2243 (SQL injection vulnerability in active_appointments.asp in ASP Inline C ...)
	NOT-FOR-US: ASP Inline Corporate Calendar
CVE-2009-2242 (SQL injection vulnerability in active_appointments.asp in ASP Inline C ...)
	NOT-FOR-US: ASP Inline Corporate Calendar
CVE-2009-2241 (Cross-site scripting (XSS) vulnerability in search.asp in ASP Inline C ...)
	NOT-FOR-US: ASP Inline Corporate Calendar
CVE-2009-2240 (Cross-site scripting (XSS) vulnerability in AD2000 free-sw leger (aka ...)
	NOT-FOR-US: Web Conference Room Free
CVE-2009-2239 (SQL injection vulnerability in the (1) casinobase (com_casinobase), (2 ...)
	NOT-FOR-US: Joomla! components
CVE-2009-2238 (Unrestricted file upload vulnerability in includes/shared_scripts/wysi ...)
	NOT-FOR-US: DMXReady Registration Manager
CVE-2009-2237 (Unspecified vulnerability in Views Bulk Operations 5.x-1.x before 5.x- ...)
	NOT-FOR-US: contributed Views Bulk Operations module for Drupal
CVE-2009-2236 (SQL injection vulnerability in yad-admin/login.php in Your Article Dir ...)
	NOT-FOR-US: Your Articles Directory
CVE-2009-2235 (SQL injection vulnerability in page.php in Your Articles Directory all ...)
	NOT-FOR-US: Your Articles Directory
CVE-2009-2234 (Multiple SQL injection vulnerabilities in admin.php in VICIDIAL Call C ...)
	NOT-FOR-US: VICIDIAL Call Center Suite
CVE-2009-2210 (Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow ...)
	{DSA-1830-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- iceape 1.1.17-1
	[squeeze] - iceape (only provides a stub for XPCOM)
	[lenny] - iceape (Only provides a stub for XPCOM)
	[etch] - iceape (Etch Packages no longer covered by security support)
	- kompozer (mail suite not compiled)
	NOTE: http://www.mozilla.org/security/announce/2009/mfsa2009-33.html
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=495057
CVE-2009-2343 (Cross-site scripting (XSS) vulnerability in people.php in Zoph before ...)
	- zoph 0.7.5-1 (low; bug #535188)
	[lenny] - zoph (Minor issue, fringe package)
	NOTE: http://sourceforge.net/tracker/?func=detail&aid=2815898&group_id=69353&atid=524249
	NOTE: http://sourceforge.net/project/shownotes.php?group_id=69353&release_id=694128
CVE-2009-XXXX [udev: creates aacraid devices that are rw by group floppy]
	- udev 0.141-1 (low; bug #530245; bug #462655; bug #404927)
	[lenny] - udev (Minor issue)
	[etch] - udev (minor issue)
CVE-2009-2288 (statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execut ...)
	{DSA-1825-1}
	- nagios3 3.0.6-5
	- nagios2
	NOTE: http://secunia.com/advisories/35543
CVE-2009-2286 (Buffer overflow in compface 1.5.2 and earlier allows user-assisted att ...)
	- libcompface 1:1.5.2-5 (unimportant; bug #534973)
CVE-2009-2233 (The admin interface in AWScripts.com Gallery Search Engine 1.5 allows ...)
	NOT-FOR-US: AWScripts.com Gallery Search Engine
CVE-2009-2232 (SQL injection vulnerability in image.php in Softbiz Banner Ad Manageme ...)
	NOT-FOR-US: Softbiz Banner Ad Management Script
CVE-2009-2231 (MIDAS 1.43 allows remote attackers to bypass authentication and obtain ...)
	NOT-FOR-US: MIDAS
CVE-2009-2230 (SQL injection vulnerability in inc/datahandlers/user.php in MyBB (aka ...)
	NOT-FOR-US: MyBB
CVE-2009-2229 (Directory traversal vulnerability in engine.php in Kasseler CMS 1.3.5 ...)
	NOT-FOR-US: Kasseler CMS
CVE-2009-2228 (Cross-site scripting (XSS) vulnerability in engine.php in Kasseler CMS ...)
	NOT-FOR-US: Kasseler CMS
CVE-2009-2227 (Stack-based buffer overflow in B Labs Bopup Communication Server 3.2.2 ...)
	NOT-FOR-US: Bopup Communication Server
CVE-2009-2226 (Cross-site scripting (XSS) vulnerability in Let's PHP! Tree BBS 2004/1 ...)
	NOT-FOR-US: Let's PHP! Tree BBS
CVE-2009-2225 (Stack-based buffer overflow in SureThing CD/DVD Labeler 5.1.616 trial ...)
	NOT-FOR-US: SureThing CD/DVD Labeler
CVE-2009-2224 (Directory traversal vulnerability in ang/shared/flags.php in AN Guestb ...)
	NOT-FOR-US: AN Guestbook
CVE-2009-2223 (Directory traversal vulnerability in locms/smarty.php in LightOpenCMS ...)
	NOT-FOR-US: LightOpenCMS
CVE-2009-2222 (Directory traversal vulnerability in PHP-I-BOARD 1.2 and earlier allow ...)
	NOT-FOR-US: PHP-I-BOARD
CVE-2009-2221 (Cross-site scripting (XSS) vulnerability in PHP-I-BOARD 1.2 and earlie ...)
	NOT-FOR-US: PHP-I-BOARD
CVE-2009-2220 (Multiple directory traversal vulnerabilities in Tribiq CMS 5.0.12c, wh ...)
	NOT-FOR-US: Tribiq CMS
CVE-2009-2219 (Multiple cross-site scripting (XSS) vulnerabilities in phpCollegeExcha ...)
	NOT-FOR-US: phpCollegeExchange
CVE-2009-2218 (Multiple PHP remote file inclusion vulnerabilities in phpCollegeExchan ...)
	NOT-FOR-US: phpCollegeExchange
CVE-2009-2217 (Cross-site scripting (XSS) vulnerability in NBBC before 1.4.2 allows r ...)
	NOT-FOR-US: NBBC
CVE-2009-2216 (Cross-site scripting (XSS) vulnerability in CMD_REDIRECT in DirectAdmi ...)
	NOT-FOR-US: DirectAdmin
CVE-2009-2215 (Multiple cross-site scripting (XSS) vulnerabilities in URD before 0.6. ...)
	NOT-FOR-US: URD
CVE-2009-2214 (The Secure Gateway service in Citrix Secure Gateway 3.1 and earlier al ...)
	NOT-FOR-US: Citrix Secure Gateway
CVE-2009-2213 (The default configuration of the Security global settings on the Citri ...)
	NOT-FOR-US: Citrix NetScaler Access Gateway
CVE-2009-2212 (The CQWeb server in IBM Rational ClearQuest 7.0.0 before 7.0.0.6 and 7 ...)
	NOT-FOR-US: IBM Rational ClearQuest
CVE-2009-2211 (Cross-site scripting (XSS) vulnerability in the CQWeb server in IBM Ra ...)
	NOT-FOR-US: IBM Rational ClearQuest
CVE-2009-2209 (SQL injection vulnerability in rscms_mod_newsview.php in RS-CMS 2.1 al ...)
	NOT-FOR-US: RS-CMS
CVE-2009-2208 (FreeBSD 6.3, 6.4, 7.1, and 7.2 does not enforce permissions on the SIO ...)
	- kfreebsd-6
	[lenny] - kfreebsd-6 (KFreebsd not supported)
	- kfreebsd-7 7.2-2
	[lenny] - kfreebsd-7 (KFreebsd not supported)
	NOTE: http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc
CVE-2009-2207 (The MobileMail component in Apple iPhone OS 3.0 and 3.0.1, and iPhone ...)
	NOT-FOR-US: Apple iPhone OS
CVE-2009-2206 (Multiple heap-based buffer overflows in the AudioCodecs library in the ...)
	NOT-FOR-US: Apple iPhone OS
CVE-2009-2205 (Stack-based buffer overflow in the Java Web Start command launcher in ...)
	NOT-FOR-US: Mac OS X
CVE-2009-2204 (Unspecified vulnerability in the CoreTelephony component in Apple iPho ...)
	NOT-FOR-US: Apple iPhone OS
CVE-2009-2203 (Buffer overflow in Apple QuickTime before 7.6.4 allows remote attacker ...)
	NOT-FOR-US: Apple QuickTime
CVE-2009-2202 (Apple QuickTime before 7.6.4 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2009-2201 (The screensharing feature in the Admin application in Apple Xsan befor ...)
	NOT-FOR-US: Admin application in Apple Xsan
CVE-2009-2200 (WebKit in Apple Safari before 4.0.3 does not properly restrict the URL ...)
	- kdelibs
	- webkit (gtk-based frame loader not affected)
	- qt4-x11
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=517273
	NOTE: http://trac.webkit.org/changeset/44905
	NOTE: http://trac.webkit.org/changeset/44909
CVE-2009-2199 (Incomplete blacklist vulnerability in WebKit in Apple Safari before 4. ...)
	- kdelibs
	- webkit (problem with look-alike character rendering with mac-specific fonts)
	- qt4-x11
CVE-2009-2198 (Apple GarageBand before 5.1 reconfigures Safari to accept all cookies ...)
NOT-FOR-US: Apple GarageBand CVE-2009-2197 (Apple Safari before 9.1 allows remote attackers to spoof the user inte ...) NOT-FOR-US: Apple Safari CVE-2009-2196 (Unspecified vulnerability in Apple Safari 4 before 4.0.3 allows remote ...) NOT-FOR-US: Apple Safari CVE-2009-2195 (Buffer overflow in WebKit in Apple Safari before 4.0.3 allows remote a ...) - webkit 1.1.12-1 (medium) [lenny] - webkit (Vulnerable code not present) - kdelibs - kde4libs - qt4-x11 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=517273 NOTE: http://trac.webkit.org/changeset/45696 CVE-2009-2194 (Apple Mac OS X 10.5 before 10.5.8 does not properly share file descrip ...) NOT-FOR-US: Apple Mac OS X CVE-2009-2193 (Buffer overflow in the kernel in Apple Mac OS X 10.5 before 10.5.8 all ...) NOT-FOR-US: kernel in Apple Mac OS X CVE-2009-2192 (MobileMe in Apple Mac OS X 10.5 before 10.5.8 does not properly delete ...) NOT-FOR-US: MobileMe in Apple Mac OS X CVE-2009-2191 (Format string vulnerability in Login Window in Apple Mac OS X 10.4.11 ...) NOT-FOR-US: Login Window in Apple Mac OS X CVE-2009-2190 (launchd in Apple Mac OS X 10.5 before 10.5.8 allows remote attackers t ...) NOT-FOR-US: launchd in Apple Mac OS X CVE-2009-2189 (The ICMPv6 implementation on the Apple Time Capsule, AirPort Extreme B ...) NOT-FOR-US: Apple CVE-2009-2188 (Buffer overflow in ImageIO in Apple Mac OS X 10.5 before 10.5.8, and S ...) NOT-FOR-US: ImageIO in Apple Mac OS X CVE-2009-2187 (Multiple memory leaks in the (1) IP and (2) IPv6 multicast implementat ...) NOT-FOR-US: Sun Solaris CVE-2009-2186 (Unspecified vulnerability in Adobe Shockwave Player before 11.0.0.465 ...) NOT-FOR-US: Adobe Shockwave Playe CVE-2009-2185 (The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongsw ...) {DSA-1899-1 DSA-1898-1} - strongswan 4.2.14-1.2 (bug #533837) - openswan 1:2.6.22+dfsg-1 CVE-2009-2184 (Absolute path traversal vulnerability in forcedownload.php in Gravy Me ...) 
NOT-FOR-US: Gravy Media Photo CVE-2009-2183 (Directory traversal vulnerability in admin-files/ad.php in Campsite 3. ...) NOT-FOR-US: Campsite CVE-2009-2182 (Multiple PHP remote file inclusion vulnerabilities in Campsite 3.3.0 R ...) NOT-FOR-US: Campsite CVE-2009-2181 (Cross-site scripting (XSS) vulnerability in admin-files/templates/list ...) NOT-FOR-US: Campsite CVE-2009-2180 (Multiple directory traversal vulnerabilities in upfiles/index.php in P ...) NOT-FOR-US: Pc4 Uploader CVE-2009-2179 (SQL injection vulnerability in search.php in phpDatingClub 3.7 allows ...) NOT-FOR-US: phpDatingClub CVE-2009-2178 (Cross-site scripting (XSS) vulnerability in website.php in phpDatingCl ...) NOT-FOR-US: phpDatingClub CVE-2009-2177 (code/display.php in fuzzylime (cms) 3.03a and earlier, when magic_quot ...) NOT-FOR-US: fuzzylime CVE-2009-2176 (Multiple directory traversal vulnerabilities in fuzzylime (cms) 3.03a ...) NOT-FOR-US: fuzzylime CVE-2009-2175 (Stack-based buffer overflow in the flattenIncrementally function in fl ...) - gnome-xcf-thumbnailer 1.0-1.1 (low; bug #601735) [lenny] - gnome-xcf-thumbnailer (Minor issue) - xcftools 1.0.7-1 (low; bug #533361) [etch] - xcftools 1.0.4-1+etch1 [lenny] - xcftools 1.0.4-1+lenny1 CVE-2009-2174 (GUPnP 0.12.7 allows remote attackers to cause a denial of service (cra ...) - gupnp 0.12.6-3.1 (low; bug #534594) [etch] - gupnp (Minor issue) [lenny] - gupnp (Minor issue) CVE-2009-2173 (The LAN game feature in Carom3D 5.06 allows remote authenticated users ...) NOT-FOR-US: Carom3D CVE-2009-2172 (Cross-site scripting (XSS) vulnerability in forum/radioandtv.php in th ...) NOT-FOR-US: Radio and TV Player addon for vBulletin CVE-2009-2169 (Insecure method vulnerability in the PDFVIEWER.PDFViewerCtrl.1 ActiveX ...) NOT-FOR-US: Edraw PDF Viewer CVE-2009-2168 (cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a ...) 
NOT-FOR-US: EgyPlus 7ammel (aka 7ml) CVE-2009-2167 (Multiple SQL injection vulnerabilities in cpanel/login.php in EgyPlus ...) NOT-FOR-US: EgyPlus 7ammel (aka 7ml) CVE-2009-2166 (Absolute path traversal vulnerability in cvs.php in OCS Inventory NG b ...) - ocsinventory-server 1.02.1-1 (unimportant; bug #531735) NOTE: README.Debian states Important: access to the reports server should be restricted CVE-2009-2165 (SerendipityNZ (aka SimpleBoxes) Serene Bach 2.20R and earlier, and 3.0 ...) NOT-FOR-US: SerendipityNZ (aka SimpleBoxes) Serene Bach CVE-2009-2164 (Multiple SQL injection vulnerabilities in Kjtechforce mailman beta1, w ...) NOT-FOR-US: kjtechforce CVE-2009-2163 (Cross-site scripting (XSS) vulnerability in login/default.aspx in Site ...) NOT-FOR-US: Sitecore CMS CVE-2009-2162 (Cross-site scripting (XSS) vulnerability in the XOOPS MANIAC PukiWikiM ...) NOT-FOR-US: XOOPS MANIAC PukiWikiMod module CVE-2009-2161 (Directory traversal vulnerability in backend/admin-functions.php in To ...) NOT-FOR-US: TorrentTrader CVE-2009-2160 (TorrentTrader Classic 1.09 allows remote attackers to (1) obtain confi ...) NOT-FOR-US: TorrentTrader CVE-2009-2159 (backup-database.php in TorrentTrader Classic 1.09 does not require adm ...) NOT-FOR-US: TorrentTrader CVE-2009-2158 (account-recover.php in TorrentTrader Classic 1.09 chooses random passw ...) NOT-FOR-US: TorrentTrader CVE-2009-2157 (Multiple SQL injection vulnerabilities in TorrentTrader Classic 1.09 a ...) NOT-FOR-US: TorrentTrader CVE-2009-2156 (Multiple cross-site scripting (XSS) vulnerabilities in TorrentTrader C ...) NOT-FOR-US: TorrentTrader CVE-2009-2155 (Cross-site scripting (XSS) vulnerability in report/ReportViewAction.do ...) NOT-FOR-US: WebNMS CVE-2009-2154 (SQL injection vulnerability in admin/login.php in Impleo Music Collect ...) NOT-FOR-US: Impleo Music Collection CVE-2009-2153 (Cross-site scripting (XSS) vulnerability in index.php in Impleo Music ...) 
NOT-FOR-US: Impleo Music Collection CVE-2009-2152 (SQL injection vulnerability in a_index.php in AdaptWeb 0.9.2 allows re ...) NOT-FOR-US: AdaptWeb CVE-2009-2151 (Directory traversal vulnerability in index.php in AdaptWeb 0.9.2 allow ...) NOT-FOR-US: AdaptWeb CVE-2009-2150 (Multiple cross-site request forgery (CSRF) vulnerabilities in Campus V ...) NOT-FOR-US: Campus Virtual-LMS CVE-2009-2149 (Multiple cross-site scripting (XSS) vulnerabilities in Campus Virtual- ...) NOT-FOR-US: Campus Virtual-LMS CVE-2009-2148 (SQL injection vulnerability in news/index.php in Campus Virtual-LMS al ...) NOT-FOR-US: Campus Virtual-LMS CVE-2009-2147 (SQL injection vulnerability in fdown.php in phpWebThings 1.5.2 and ear ...) NOT-FOR-US: phpWebThings CVE-2009-2146 (Unrestricted file upload vulnerability in the Compose Email feature in ...) - sugarcrm-ce-5.0 (bug #457876) CVE-2009-2145 (Multiple cross-site scripting (XSS) vulnerabilities in transLucid 1.75 ...) NOT-FOR-US: transLucid CVE-2009-2144 (SQL injection vulnerability in the FireStats plugin before 1.6.2-stabl ...) NOT-FOR-US: FireStats plugin for WordPress CVE-2009-2143 (PHP remote file inclusion vulnerability in firestats-wordpress.php in ...) NOT-FOR-US: FireStats plugin for WordPress CVE-2009-2142 (Multiple SQL injection vulnerabilities in admin/index.asp in Zip Store ...) NOT-FOR-US: Zip Store Chat CVE-2009-2141 (Multiple cross-site scripting (XSS) vulnerabilities in TBDev.NET 01-01 ...) NOT-FOR-US: TBDev.NET CVE-2009-2140 (Multiple heap-based buffer overflows in cppcanvas/source/mtfrenderer/e ...) - openoffice.org (bug introduced by a patch not applied to the deb) CVE-2009-2139 (Heap-based buffer overflow in svtools/source/filter.vcl/wmf/enhwmf.cxx ...) {DSA-1880-1} - openoffice.org 1:3.1.1~ooo310m15-1 CVE-2009-2138 (Multiple open redirect vulnerabilities in TBDev.NET 01-01-08 allow rem ...) NOT-FOR-US: TBDev.NET CVE-2009-2137 (Memory leak in the Ultra-SPARC T2 crypto provider device driver (aka n ...) 
NOT-FOR-US: Ultra-SPARC T2 crypto provider device driver in Sun Solaris 10 CVE-2009-2136 (Unspecified vulnerability in the TCP/IP networking stack in Sun Solari ...) NOT-FOR-US: Sun Solaris 10 CVE-2009-2135 (Multiple race conditions in the Solaris Event Port API in Sun Solaris ...) NOT-FOR-US: Sun Solaris 10 CVE-2009-2134 (pivot/tb.php in Pivot 1.40.4 and 1.40.7 allows remote attackers to obt ...) NOT-FOR-US: Pivot CVE-2009-2133 (Multiple cross-site scripting (XSS) vulnerabilities in Pivot 1.40.4 an ...) NOT-FOR-US: Pivot CVE-2009-2132 (Directory traversal vulnerability in global.php in 4images before 1.7. ...) NOT-FOR-US: 4images CVE-2009-2131 (Cross-site scripting (XSS) vulnerability in 4images 1.7.7 and earlier ...) NOT-FOR-US: 4images CVE-2009-2130 (Elvin 1.2.0 allows remote attackers to read the PHP source code of (1) ...) NOT-FOR-US: Elvin CVE-2009-2129 (Cross-site request forgery (CSRF) vulnerability in login.php in Elvin ...) NOT-FOR-US: Elvin CVE-2009-2128 (SQL injection vulnerability in close_bug.php in Elvin before 1.2.1 all ...) NOT-FOR-US: Elvin CVE-2009-2127 (Cross-site scripting (XSS) vulnerability in show_activity.php in Elvin ...) NOT-FOR-US: Elvin CVE-2009-2126 (Cross-site scripting (XSS) vulnerability in close_bug.php in Elvin bef ...) NOT-FOR-US: Elvin CVE-2009-2125 (delete_bug.php in Elvin before 1.2.1 does not require administrative p ...) NOT-FOR-US: Elvin CVE-2009-2124 (Directory traversal vulnerability in page.php in Elvin 1.2.0 allows re ...) NOT-FOR-US: Elvin CVE-2009-2123 (Multiple SQL injection vulnerabilities in Elvin 1.2.0 allow remote att ...) NOT-FOR-US: Elvin CVE-2009-2122 (SQL injection vulnerability in viewimg.php in the Paolo Palmonari Phot ...) NOT-FOR-US: Photoracer plugin for WordPress CVE-2009-2121 (Buffer overflow in the browser kernel in Google Chrome before 2.0.172. ...) 
- chromium-browser (Only 2.x is affected) - webkit (chrome-specific issue) CVE-2009-2170 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 befo ...) {DSA-1822-1} - mahara 1.1.5-1 (low) CVE-2009-2171 (Mahara 1.1 before 1.1.5 does not apply permission checks when saving a ...) - mahara 1.1.5-1 (low) [lenny] - mahara (vulnerable code introduced in 1.1) CVE-2009-2120 (Multiple SQL injection vulnerabilities in TekBase All-in-One 3.1 allow ...) NOT-FOR-US: TekBase CVE-2009-2119 (Cross-site scripting (XSS) vulnerability in the login interface (my.lo ...) NOT-FOR-US: FirePass CVE-2009-2118 (Integer overflow in IrfanView 4.23, when the resampling or screen fitt ...) NOT-FOR-US: IrfanView CVE-2009-2117 (uye_paneli.php in phPortal 1.0 allows remote attackers to bypass authe ...) NOT-FOR-US: phPortal CVE-2009-2116 (Directory traversal vulnerability in admin.php in SkyBlueCanvas 1.1 r2 ...) NOT-FOR-US: SkyBlueCanvas CVE-2009-2115 (admin.php in SkyBlueCanvas 1.1 r237 allows remote authenticated admini ...) NOT-FOR-US: SkyBlueCanvas CVE-2009-2114 (Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Sk ...) NOT-FOR-US: SkyBlueCanvas CVE-2009-2113 (Multiple SQL injection vulnerabilities in FretsWeb 1.2 allow remote at ...) NOT-FOR-US: FretsWeb CVE-2009-2112 (Directory traversal vulnerability in include/page_bottom.php in phpFK ...) NOT-FOR-US: phpFK CVE-2009-2111 (Static code injection vulnerability in add_reg.php in DB Top Sites 1.0 ...) NOT-FOR-US: DB Top Site CVE-2009-2110 (Multiple directory traversal vulnerabilities in DB Top Sites 1.0, when ...) NOT-FOR-US: DB Top Sites 1.0 CVE-2009-2109 (Multiple directory traversal vulnerabilities in FretsWeb 1.2 allow rem ...) NOT-FOR-US: FretsWeb CVE-2009-2108 (git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to cau ...) 
{DSA-1841-2 DSA-1841-1} - git-core 1:1.6.3.3-1 (medium; bug #532935) NOTE: http://git.kernel.org/?p=git/git.git;a=commitdiff;h=73bb33a9 CVE-2009-XXXX [moin: heirarchical ACL vulnerability] - moin 1.8.4-1 (unimportant; bug #533673) NOTE: Not a specific vulnerability, rather a security-related behaviour change, see bug [etch] - moin (vulnerable code not present in 1.5.3-1.2etch2) CVE-2009-XXXX [pcsc-lite: creates world-writable directory] - pcsc-lite 1.5.4-1 (low; bug #533670) [etch] - pcsc-lite (directory introduced in 1.5.0) [lenny] - pcsc-lite (directory introduced in 1.5.0) CVE-2009-XXXX ["slowloris" denial-of-service vulnerabilty in webservers] - squid - squid3 NOTE: http://www.squid-cache.org/bugs/show_bug.cgi?id=2694 - lighttpd CVE-2009-2107 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in We ...) NOT-FOR-US: Webmedia Explorer CVE-2009-XXXX [ShowConfigTab unintentionally grants rights intended for SuperUsers] - request-tracker3.6 3.6.8-1 (low; bug #532990) [lenny] - request-tracker3.6 3.6.7-5+lenny1 [etch] - request-tracker3.6 (flaw introduced in 3.6.2) - request-tracker3.4 (flaw introduced in 3.6.2; bug #534498) - request-tracker3.8 3.8.4-1 CVE-2009-2106 (SQL injection vulnerability in the Virtual Civil Services (civserv) ex ...) NOT-FOR-US: Virtual Civil Services extension for TYPO3 CVE-2009-2105 (SQL injection vulnerability in the References database (t3references) ...) NOT-FOR-US: References database extension for TYPO3 CVE-2009-2104 (Cross-site scripting (XSS) vulnerability in the Modern Guestbook / Com ...) NOT-FOR-US: Modern Guestbook extension for TYPO3 CVE-2009-2103 (SQL injection vulnerability in the Frontend MP3 Player (fe_mp3player) ...) NOT-FOR-US: Frontend MP3 Player extension for TYPO3 CVE-2009-2102 (SQL injection vulnerability in the Jumi (com_jumi) component 2.0.3 and ...) NOT-FOR-US: Jumi component for Joomla CVE-2009-2101 (Directory traversal vulnerability in archive.php in TorrentVolve 1.4, ...) 
NOT-FOR-US: TorrentVolve CVE-2009-2100 (Directory traversal vulnerability in the JoomlaPraise Projectfork (com ...) NOT-FOR-US: JoomlaPraise component for Joomla CVE-2009-2099 (SQL injection vulnerability in the iJoomla RSS Feeder (com_ijoomla_rss ...) NOT-FOR-US: iJoomla RSS Feeder component for Joomla CVE-2009-2098 (SQL injection vulnerability in topicler.php in phPortal 1.0 allows rem ...) NOT-FOR-US: phPortal CVE-2009-2097 (SQL injection vulnerability in system/application/controllers/catalog. ...) NOT-FOR-US: Zoki Catalog CVE-2009-2096 (SQL injection vulnerability in house/listing_view.php in phpCollegeExc ...) NOT-FOR-US: phpCollegeExchange CVE-2009-2095 (PHP remote file inclusion vulnerability in template/simpledefault/admi ...) NOT-FOR-US: Mundi Mail CVE-2009-2094 (Unspecified vulnerability in IBM WebSphere Commerce 6.0 Enterprise bef ...) NOT-FOR-US: IBM WebSphere Commerce CVE-2009-2093 (SQL injection vulnerability in the console in IBM WebSphere Partner Ga ...) NOT-FOR-US: IBM WebSphere CVE-2009-2092 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.5 does not pro ...) NOT-FOR-US: IBM WebSphere CVE-2009-2091 (The System Management/Repository component in IBM WebSphere Applicatio ...) NOT-FOR-US: IBM WebSphere CVE-2009-2090 (Unspecified vulnerability in wsadmin in the System Management/Reposito ...) NOT-FOR-US: IBM WebSphere CVE-2009-2089 (The Migration component in IBM WebSphere Application Server (WAS) 6.1 ...) NOT-FOR-US: IBM WebSphere CVE-2009-2088 (The Servlet Engine/Web Container component in IBM WebSphere Applicatio ...) NOT-FOR-US: IBM WebSphere CVE-2009-2087 (The Web Services functionality in IBM WebSphere Application Server (WA ...) NOT-FOR-US: IBM WebSphere CVE-2009-2086 REJECTED CVE-2009-2085 (The Security component in IBM WebSphere Application Server (WAS) 6.1 b ...) NOT-FOR-US: IBM WebSphere CVE-2009-2084 (Simple Linux Utility for Resource Management (SLURM) 1.2 and 1.3 befor ...) 
{DSA-1776-1} - slurm-llnl 1.3.15-1 (bug #524980) [lenny] - slurm-llnl 1.3.6-1lenny3 CVE-2009-2083 (Cross-site scripting (XSS) vulnerability in the term data detail page ...) NOT-FOR-US: Taxonomy CVE-2009-2082 (SQL injection vulnerability in insidepage.php in Creative Web Solution ...) NOT-FOR-US: Creative Web Solutions Multi-Level CMS CVE-2009-2081 (Directory traversal vulnerability in help.php in phpWebThings 1.5.2 an ...) NOT-FOR-US: phpWebThings CVE-2009-2080 (admin.php in MRCGIGUY The Ticket System 2.0 does not properly restrict ...) NOT-FOR-US: MRCGIGUY CVE-2009-2079 (Cross-site scripting (XSS) vulnerability in the administrative page in ...) NOT-FOR-US: Taxonomy CVE-2009-2078 (Multiple cross-site scripting (XSS) vulnerabilities in Booktree 5.x be ...) NOT-FOR-US: Booktree module for drupal CVE-2009-2077 (Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenti ...) - drupal6-mod-views (Fixed before initial upload) CVE-2009-2076 (Cross-site scripting (XSS) vulnerability in Views 6.x before 6.x-2.6, ...) - drupal6-mod-views (Fixed before initial upload) CVE-2009-2075 (Nodequeue 5.x before 5.x-2.7 and 6.x before 6.x-2.2, a module for Drup ...) NOT-FOR-US: Nodequeue module for Drupal CVE-2009-2074 (Cross-site scripting (XSS) vulnerability in Nodequeue 5.x before 5.x-2 ...) NOT-FOR-US: Nodequeue module for Drupal CVE-2009-XXXX [backuppc: web frontend installed insecurely by default] - backuppc 3.1.0-6 [lenny] - backuppc 3.1.0-4lenny1 CVE-2009-XXXX [clamav scanner bypass with archives] - clamav 0.95.2+dfsg-1 (low; bug #535881) [lenny] - clamav (Inherent to the concept of malware concept) [etch] - clamav (Support was discontinued) NOTE: http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html CVE-2009-2073 (Cross-site request forgery (CSRF) vulnerability in Linksys WRT160N wir ...) NOT-FOR-US: Linksys CVE-2009-2072 (Apple Safari does not require a cached certificate before displaying a ...) 
NOT-FOR-US: Apple Safari CVE-2009-2071 (Google Chrome before 1.0.154.53 displays a cached certificate for a (1 ...) - chromium-browser (Only 1.x is affected) - webkit (chrome-specific issue) CVE-2009-2070 (Opera displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT r ...) NOT-FOR-US: Opera CVE-2009-2069 (Microsoft Internet Explorer before 8 displays a cached certificate for ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2068 (Google Chrome detects http content in https web pages only when the to ...) - chromium-browser 5.0.342.9~r43360-1 CVE-2009-2067 (Opera detects http content in https web pages only when the top-level ...) NOT-FOR-US: Opera CVE-2009-2066 (Apple Safari detects http content in https web pages only when the top ...) NOT-FOR-US: Apple Safari CVE-2009-2065 (Mozilla Firefox 3.0.10, and possibly other versions, detects http cont ...) - xulrunner (bug #565521) [wheezy] - xulrunner (no detailed information available) CVE-2009-2064 (Microsoft Internet Explorer 8, and possibly other versions, detects ht ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2063 (Opera, possibly before 9.25, processes a 3xx HTTP CONNECT response bef ...) NOT-FOR-US: Opera CVE-2009-2062 (Apple Safari before 3.2.2 processes a 3xx HTTP CONNECT response before ...) NOT-FOR-US: Apple Safari CVE-2009-2061 (Mozilla Firefox before 3.0.10 processes a 3xx HTTP CONNECT response be ...) {DSA-1830-1 DSA-1820-1} - xulrunner 1.9.0.11-1 - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 CVE-2009-2060 (src/net/http/http_transaction_winhttp.cc in Google Chrome before 1.0.1 ...) - chromium-browser (Only 1.x is affected) - webkit (chrome-specific issue) CVE-2009-2059 (Opera, possibly before 9.25, uses the HTTP Host header to determine th ...) NOT-FOR-US: Opera CVE-2009-2058 (Apple Safari before 3.2.2 uses the HTTP Host header to determine the c ...) 
NOT-FOR-US: Apple Safari CVE-2009-2057 (Microsoft Internet Explorer before 8 uses the HTTP Host header to dete ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2056 (Cisco IOS XR 3.8.1 and earlier allows remote authenticated users to ca ...) NOT-FOR-US: Cisco CVE-2009-2055 (Cisco IOS XR 3.4.0 through 3.8.1 allows remote attackers to cause a de ...) NOT-FOR-US: Cisco IOS CVE-2009-2054 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2053 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2052 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2051 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE 2.5.x ...) NOT-FOR-US: Cisco CVE-2009-2050 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) ...) NOT-FOR-US: Cisco CVE-2009-2049 (Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0( ...) NOT-FOR-US: Cisco IOS CVE-2009-2048 (Cross-site scripting (XSS) vulnerability in the Administration interfa ...) NOT-FOR-US: Cisco CVE-2009-2047 (Directory traversal vulnerability in the Administration interface in C ...) NOT-FOR-US: Cisco CVE-2009-2046 (The embedded web server on the Cisco Video Surveillance 2500 Series IP ...) NOT-FOR-US: Cisco CVE-2009-2045 (The Cisco Video Surveillance Stream Manager firmware before 5.3, as us ...) NOT-FOR-US: Cisco CVE-2009-2044 (Mozilla Firefox 3.0.10 and earlier on Linux allows remote attackers to ...) - xulrunner (uses external cairo library) - cairo 1.8.8-2 (unimportant) NOTE: http://cgit.freedesktop.org/cairo/commit/?id=2cf82eaf0d08e68b787bb0792da97e73d8d4ce38 NOTE: Just a crasher CVE-2009-2043 (nsViewManager.cpp in Mozilla Firefox 3.0.2 through 3.0.10 allows remot ...) 
- xulrunner (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-2042 (libpng before 1.2.37 does not properly parse 1-bit interlaced images w ...) {DSA-2032-1} - libpng 1.2.37-1 (low; bug #533676) [etch] - libpng (Minor issue, only exploitable in rare setups) - xulrunner (xulrunner dynamically linked against libpng; embeded code copy not used) CVE-2009-2041 (Cross-site scripting (XSS) vulnerability in A51 D.O.O. activeCollab 0. ...) NOT-FOR-US: activeCollab CVE-2009-2040 (admin/options.php in Grestul 1.2 does not properly restrict access, wh ...) NOT-FOR-US: Grestul CVE-2009-2039 (Unspecified vulnerability in the Luottokunta module before 1.3 for osC ...) NOT-FOR-US: Luottokunta module for osCommerce CVE-2009-2038 (Unspecified vulnerability in the Finnish Bank Payment module 2.2 for o ...) NOT-FOR-US: Finnish Bank Payment module 2.2 for osCommerce CVE-2009-2037 (Multiple directory traversal vulnerabilities in Online Grades & At ...) NOT-FOR-US: Online Grades CVE-2009-2036 (SQL injection vulnerability in index.php in Open Biller 0.1 allows rem ...) NOT-FOR-US: Open Biller CVE-2009-2035 (Unspecified vulnerability in Services 6.x before 6.x-0.14, a module fo ...) NOT-FOR-US: Service module for Drupal CVE-2009-2034 (SQL injection vulnerability in writemessage.php in Yogurt 0.3, when re ...) NOT-FOR-US: Yogurt CVE-2009-2033 (Cross-site scripting (XSS) vulnerability in index.php in Yogurt 0.3 al ...) NOT-FOR-US: Yogurt CVE-2009-2032 (Cross-site scripting (XSS) vulnerability in search.asp in PDshopPro, w ...) NOT-FOR-US: PDshopPro CVE-2009-2031 (smbfs in Sun OpenSolaris snv_84 through snv_110, when default mount pe ...) NOT-FOR-US: OpenSolaris CVE-2009-2030 (Unspecified vulnerability in the XML Digital Signature verification fu ...) NOT-FOR-US: IBM OS/400 CVE-2009-2029 (Unspecified vulnerability in rpc.nisd in Sun Solaris 8 through 10, and ...) 
NOT-FOR-US: Sun Solaris CVE-2009-2028 (Multiple unspecified vulnerabilities in Adobe Reader 7 and Acrobat 7 b ...) NOT-FOR-US: Adobe CVE-2009-2027 (The Installer in Apple Safari before 4.0 on Windows allows local users ...) NOT-FOR-US: Apple Safari CVE-2009-2026 (Stack-based buffer overflow in a token searching function in the dtsco ...) NOT-FOR-US: CA Software Delivery CVE-2009-2025 (admin/login.php in DM FileManager 3.9.2 allows remote attackers to byp ...) NOT-FOR-US: DM FileManager CVE-2009-2024 (Vlad Titarenko ASP VT Auth 1.0 stores sensitive information under the ...) NOT-FOR-US: Vlad Titarenko ASP VT Auth CVE-2009-2023 (SQL injection vulnerability in index.php in Shop-Script Pro 2.12, when ...) NOT-FOR-US: Shop-Script CVE-2009-2022 (fipsCMS Light 2.1 stores sensitive information under the web root with ...) NOT-FOR-US: fipsCMS CVE-2009-2021 (SQL injection vulnerability in search.php in Virtue Classifieds allows ...) NOT-FOR-US: Virtue Classifieds allows CVE-2009-2020 (Cross-site scripting (XSS) vulnerability in news_detail.php in Virtue ...) NOT-FOR-US: News Manager CVE-2009-2019 (SQL injection vulnerability in news_detail.php in Virtue News Manager ...) NOT-FOR-US: Virtue News Manager CVE-2009-2018 (SQL injection vulnerability in admin/index.php in Jared Eckersley MyCa ...) NOT-FOR-US: Jared Eckersley MyCars CVE-2009-2017 (SQL injection vulnerability in products.php in Virtue Book Store allow ...) NOT-FOR-US: Virtue Book Store CVE-2009-2016 (SQL injection vulnerability in products.php in Virtue Shopping Mall al ...) NOT-FOR-US: Virtue Shopping Mall CVE-2009-2015 (Directory traversal vulnerability in includes/file_includer.php in the ...) NOT-FOR-US: com_moofaq for Joomla! CVE-2009-2014 (SQL injection vulnerability in the ComSchool (com_school) component 1. ...) NOT-FOR-US: com_school for Joomla! CVE-2009-2013 (SQL injection vulnerability in bin/aps_browse_sources.php in Frontis 3 ...) 
NOT-FOR-US: Frontis CVE-2009-2012 (Unspecified vulnerability in idmap in Sun OpenSolaris snv_88 through s ...) NOT-FOR-US: OpenSolaris CVE-2009-2011 (Worldweaver DX Studio Player 3.0.29.0, 3.0.22.0, 3.0.12.0, and probabl ...) NOT-FOR-US: Worldweaver DX Studio Player CVE-2009-2010 (Multiple SQL injection vulnerabilities in Haudenschilt Family Connecti ...) NOT-FOR-US: Haudenschilt Family Connections CMS CVE-2009-2009 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, a ...) NOT-FOR-US: Dokeos CVE-2009-2008 (Multiple SQL injection vulnerabilities in Dokeos 1.8.5, and possibly e ...) NOT-FOR-US: Dokeos CVE-2009-2007 (Multiple directory traversal vulnerabilities in Dokeos 1.8.5, and poss ...) NOT-FOR-US: Dokeos CVE-2009-2006 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.5, a ...) NOT-FOR-US: Dokeos CVE-2009-2005 (Cross-site request forgery (CSRF) vulnerability in Dokeos 1.8.5, and p ...) NOT-FOR-US: Dokeos CVE-2009-2004 (Multiple SQL injection vulnerabilities in main/mySpace/myStudents.php ...) NOT-FOR-US: Dokeos CVE-2009-2003 (Ascad Networks Password Protector SD 1.3.1 allows remote attackers to ...) NOT-FOR-US: Ascad Networks Password Protector CVE-2009-2002 (Unspecified vulnerability in the WebLogic Portal component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-2001 (Unspecified vulnerability in the PL/SQL component in Oracle Database 1 ...) NOT-FOR-US: Oracle Database CVE-2009-2000 (Unspecified vulnerability in the Authentication component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-1999 (Unspecified vulnerability in the Business Intelligence Enterprise Edit ...) NOT-FOR-US: Oracle Application Server CVE-2009-1998 (Unspecified vulnerability in the Oracle Communications Order and Servi ...) NOT-FOR-US: Oracle Industry Applications CVE-2009-1997 (Unspecified vulnerability in the Authentication component in Oracle Da ...) 
NOT-FOR-US: Oracle Database CVE-2009-1996 (Unspecified vulnerability in the Logical Standby component in Oracle D ...) NOT-FOR-US: Oracle Database CVE-2009-1995 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-1994 (Unspecified vulnerability in the Oracle Spatial component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-1993 (Unspecified vulnerability in the Application Express component in Orac ...) NOT-FOR-US: Oracle Database CVE-2009-1992 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database CVE-2009-1991 (Unspecified vulnerability in the Oracle Text component in Oracle Datab ...) NOT-FOR-US: Oracle Database CVE-2009-1990 (Unspecified vulnerability in the Business Intelligence Enterprise Edit ...) NOT-FOR-US: Oracle Application Server CVE-2009-1989 (Unspecified vulnerability in the PeopleSoft Enterprise FMS component i ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1988 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS eProfile M ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1987 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools - E ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1986 (Unspecified vulnerability in the Oracle Applications Manager component ...) NOT-FOR-US: Oracle Applications Manager CVE-2009-1985 (Unspecified vulnerability in the Network Authentication component in O ...) NOT-FOR-US: Oracle Database CVE-2009-1984 (Unspecified vulnerability in the Application Install component in Orac ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-1983 (Unspecified vulnerability in the Oracle iStore component in Oracle E-B ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-1982 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-1981 (Unspecified vulnerability in the Highly Interactive Client component i ...) 
NOT-FOR-US: Siebel Product Suite CVE-2009-1980 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-1979 (Unspecified vulnerability in the Network Authentication component in O ...) NOT-FOR-US: Oracle Database CVE-2009-1978 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle Secure Backup CVE-2009-1977 (Unspecified vulnerability in the Oracle Secure Backup component in Ora ...) NOT-FOR-US: Oracle Secure Backup CVE-2009-1976 (Unspecified vulnerability in the HTTP Server component in Oracle Appli ...) NOT-FOR-US: Oracle Application Server CVE-2009-1975 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic Server CVE-2009-1974 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA WebLogic CVE-2009-1973 (Unspecified vulnerability in the Virtual Private Database component in ...) NOT-FOR-US: Oracle Database CVE-2009-1972 (Unspecified vulnerability in the Auditing component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-1971 (Unspecified vulnerability in the Data Pump component in Oracle Databas ...) NOT-FOR-US: Oracle Database CVE-2009-1970 (Unspecified vulnerability in the Listener component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-1969 (Unspecified vulnerability in the Auditing component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-1968 (Unspecified vulnerability in the Secure Enterprise Search component in ...) NOT-FOR-US: Oracle Database CVE-2009-1967 (Unspecified vulnerability in the Config Management component in (1) Or ...) NOT-FOR-US: Oracle Database CVE-2009-1966 (Unspecified vulnerability in the Config Management component in (1) Or ...) NOT-FOR-US: Oracle Database CVE-2009-1965 (Unspecified vulnerability in the Net Foundation Layer component in Ora ...) 
NOT-FOR-US: Oracle Database CVE-2009-1964 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-1963 (Unspecified vulnerability in the Network Foundation component in Oracl ...) NOT-FOR-US: Oracle Database CVE-2009-XXXX [predictable random number generator used in web browsers] - webkit 1.2 (low; bug #532514) NOTE: The implementations for UNIX seems fine, might be fixed earlier [lenny] - webkit (Minor issue) - kdebase (unimportant; bug #532519) - w3m (unimportant; bug #532521) NOTE: w3m doesn't have Javascript support and the boundary issue is harmles - chromium-browser 26.0.1410.43-1 (bug #520324) [squeeze] - chromium-browser NOTE: chromium has provides window.crypto.getRandomValues as a strong random number generator NOTE: https://code.google.com/p/chromium/issues/detail?id=246054 - lynx 2.8.7rel.1-1 (unimportant; bug #532520) NOTE: lynx doesn't have Javascript and form-data support - dillo (bug #532522) NOTE: These issues can be fixed in more recent upstream versions, but the risk NOTE: of regression doesn't outweigh the issue at hand CVE-2009-1961 (The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2 ...) {DSA-1844-1} - linux-2.6 2.6.30-1 (low) [etch] - linux-2.6 (Affected code was introduced in 2.6.19) [lenny] - linux-2.6 2.6.26-16 - linux-2.6.24 NOTE: fixed in lenny 5.0.2 release CVE-2009-1959 (Off-by-one error in the event_wallops function in fe-common/irc/fe-eve ...) - irssi 0.8.13-2 (low; bug #532607; bug #531357) [lenny] - irssi 0.8.12-7 [etch] - irssi 0.8.10-3 NOTE: exploitability limited, DoS rather obscure attack scenario CVE-2009-1956 (Off-by-one error in the apr_brigade_vprintf function in Apache APR-uti ...) - apr-util 1.3.7+dfsg-1 (low) [lenny] - apr-util 1.2.12+dfsg-8+lenny3 CVE-2009-1955 (The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Ap ...) 
	{DSA-1812-1}
	- apr-util 1.3.7+dfsg-1 (medium)
CVE-2009-1954 (Unspecified vulnerability in portmapper (aka portmap) in IBM AIX 5.3 a ...)
	NOT-FOR-US: IBM AIX
CVE-2009-1953 (IBM FileNet Content Manager 4.0, 4.0.1, and 4.5, as used in IBM WebSph ...)
	NOT-FOR-US: IBM FileNet Content Manager
CVE-2009-1952 (Multiple SQL injection vulnerabilities in the administrative login fea ...)
	NOT-FOR-US: PropertyMax
CVE-2009-1951 (Cross-site scripting (XSS) vulnerability in index.php in PropertyMax P ...)
	NOT-FOR-US: PropertyMax
CVE-2009-1950 (SQL injection vulnerability in yorum.asp in WebEyes Guest Book 3 allow ...)
	NOT-FOR-US: WebEyes Guest Book
CVE-2009-1949 (import_wbb1.php in Unclassified NewsBoard (UNB) 1.6.4 allows remote at ...)
	NOT-FOR-US: Unclassified NewsBoard
CVE-2009-1948 (Multiple directory traversal vulnerabilities in forum.php in Unclassif ...)
	NOT-FOR-US: Unclassified NewsBoard
CVE-2009-1947 (SQL injection vulnerability in the UnbDbEncode function in unb_lib/dat ...)
	NOT-FOR-US: Unclassified NewsBoard
CVE-2009-1946 (PHP remote file inclusion vulnerability in latestposts.php in AdaptBB ...)
	NOT-FOR-US: AdaptBB
CVE-2009-1945 (SQL injection vulnerability in webCal3_detail.asp in WebCal 3.04 allow ...)
	NOT-FOR-US: cWebCal
CVE-2009-1944 (Stack-based buffer overflow in AIMP 2.51 build 330 allows remote attac ...)
	NOT-FOR-US: AIMP
CVE-2009-1943 (Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet ...)
	NOT-FOR-US: SafeNet SoftRemote
CVE-2009-1942 (Cross-site scripting (XSS) vulnerability in the Quiz module 5.x, 6.x-2 ...)
	NOT-FOR-US: Quiz module for Drupal
CVE-2009-1941 (PAD Site Scripts 3.6 stores sensitive information under the web docume ...)
	NOT-FOR-US: PAD Site Scripts
CVE-2009-1940 (Cross-site scripting (XSS) vulnerability in the administrator panel in ...)
	NOT-FOR-US: Joomla!
CVE-2009-1939 (Cross-site scripting (XSS) vulnerability in the JA_Purity template for ...)
	NOT-FOR-US: Joomla!
CVE-2009-1938 (Cross-site scripting (XSS) vulnerability in Joomla! 1.5.x through 1.5. ...)
	NOT-FOR-US: Joomla!
CVE-2009-1937 (Cross-site scripting (XSS) vulnerability in the comment posting featur ...)
	NOT-FOR-US: LightNEasy
CVE-2009-1936 (_functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a ...)
	NOT-FOR-US: cpCommerce
CVE-2009-1935 (Integer overflow in the pipe_build_write_buffer function (sys/kern/sys ...)
	- kfreebsd-6
	[lenny] - kfreebsd-6 (KFreebsd not supported)
	- kfreebsd-7 7.2-2
	[lenny] - kfreebsd-7 (KFreebsd not supported)
CVE-2009-1934 (Cross-site scripting (XSS) vulnerability in the Reverse Proxy Plug-in ...)
	NOT-FOR-US: Sun Java System Web Server
CVE-2009-1933 (Kerberos in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_117, ...)
	NOT-FOR-US: Solaris
CVE-2009-XXXX [pgp4pine off-by-one]
	- pgp4pine (bug #457947; medium)
	[etch] - pgp4pine (Contrib not supported)
	[lenny] - pgp4pine (Contrib not supported)
	NOTE: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0122.html
	NOTE: unlike the note states, this is not just an off-by-one but a classic stack-based buffer overflow
CVE-2009-1932 (Multiple integer overflows in the (1) user_info_callback, (2) user_end ...)
	{DSA-1839-1}
	- gst-plugins-good0.10 0.10.15-2 (medium; bug #531631; bug #532352)
CVE-2009-1931 RESERVED
CVE-2009-1930 (The Telnet service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Serv ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1929 (Heap-based buffer overflow in the Microsoft Terminal Services Client A ...)
	NOT-FOR-US: ActiveX
CVE-2009-1928 (Stack consumption vulnerability in the LDAP service in Active Director ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1927 REJECTED
CVE-2009-1926 (Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gol ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1925 (The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP ...)
	NOT-FOR-US: Microsoft Windows Vista Gold
CVE-2009-1924 (Integer overflow in the Windows Internet Name Service (WINS) component ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1923 (Heap-based buffer overflow in the Windows Internet Name Service (WINS) ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1922 (The Message Queuing (aka MSMQ) service for Microsoft Windows 2000 SP4, ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1921 REJECTED
CVE-2009-1920 (The JScript scripting engine 5.1, 5.6, 5.7, and 5.8 in JScript.dll in ...)
	NOT-FOR-US: Microsoft
CVE-2009-1919 (Microsoft Internet Explorer 5.01 SP4 and 6 SP1; Internet Explorer 6 fo ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-1918 (Microsoft Internet Explorer 5.01 SP4 and 6 SP1; Internet Explorer 6 fo ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-1917 (Microsoft Internet Explorer 6 SP1; Internet Explorer 6 for Windows XP ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-1916 (dig.php in GScripts.net DNS Tools allows remote attackers to execute a ...)
	NOT-FOR-US: GScripts.net DNS Tools
CVE-2009-1915 (Stack-based buffer overflow in the URL Search Hook (ICQToolBar.dll) in ...)
	NOT-FOR-US: ICQ
CVE-2009-1914 (The pci_register_iommu_region function in arch/sparc/kernel/pci_common ...)
	{DSA-1844-1}
	- linux-2.6 2.6.29-1 (low; bug #532722)
	[lenny] - linux-2.6 2.6.26-16
	- linux-2.6.24
	NOTE: updated in lenny 5.0.2 release
CVE-2009-1913 (SQL injection vulnerability in manager.php in LuxBum 0.5.5, when magic ...)
	NOT-FOR-US: LuxBum
CVE-2009-1912 (Directory traversal vulnerability in src/func/language.php in webSPELL ...)
	NOT-FOR-US: webSPELL
CVE-2009-1911 (Directory traversal vulnerability in .include/init.php (aka admin/_inc ...)
	NOT-FOR-US: QuiXplorer
CVE-2009-1910 (SQL injection vulnerability in index.php in RTWebalbum 1.0.462 allows ...)
	NOT-FOR-US: RTWebalbum
CVE-2009-1909 (SQL injection vulnerability in Skip 1.0.2 and earlier, and 1.1RC2 and ...)
	NOT-FOR-US: Skip
CVE-2009-1908 (Cross-site scripting (XSS) vulnerability in Skip 1.0.2 and earlier, an ...)
	NOT-FOR-US: Skip
CVE-2009-1907 (Cross-site scripting (XSS) vulnerability in claroline/linker/notfound. ...)
	NOT-FOR-US: Claroline
CVE-2009-1906 (The DRDA Services component in IBM DB2 9.1 before FP7 and 9.5 before F ...)
	NOT-FOR-US: IBM DB2
CVE-2009-1905 (The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 ...)
	NOT-FOR-US: IBM DB2
CVE-2009-1904 (The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 ...)
	{DSA-1860-1}
	- ruby1.8 1.8.7.173-1 (low; bug #532689)
	- ruby1.9 (bug #575778)
	NOTE: http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
CVE-2009-1903 (The PDF XSS protection feature in ModSecurity before 2.5.8 allows remo ...)
	- libapache-mod-security 2.5.9-1
CVE-2009-1902 (The multipart processor in ModSecurity before 2.5.9 allows remote atta ...)
	- libapache-mod-security 2.5.9-1
CVE-2009-1901 (The Security component in IBM WebSphere Application Server (WAS) 6.0.2 ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-1900 (The Configservice APIs in the Administrative Console component in IBM ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-1899 (Unspecified vulnerability in the Administrative Configservice API in t ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-1898 (The secure login page in the Administrative Console component in IBM W ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-1960 (inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, w ...)
	- dokuwiki 0.0.20090214b-1 (unimportant)
	NOTE: we don't support setups with register_globals enabled
CVE-2009-1897 (The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in ...)
	- linux-2.6 2.6.30-3 (high; bug #537409)
	[etch] - linux-2.6 (vulnerable code introduced in 2.6.29)
	[lenny] - linux-2.6 (vulnerable code introduced in 2.6.29)
	- linux-2.6.24 (vulnerable code introduced in 2.6.29)
	NOTE: http://seclists.org/fulldisclosure/2009/Jul/0241.html
CVE-2009-1896 (The Java Web Start framework in IcedTea in OpenJDK before 1.6.0.0-20.b ...)
	- openjdk-6 6b16-1.6-1 (bug #542210)
CVE-2009-1895 (The personality subsystem in the Linux kernel before 2.6.31-rc3 has a ...)
	{DSA-1845-1 DSA-1844-1}
	- linux-2.6 2.6.30-3 (low)
	[etch] - linux-2.6 (mmap_min_addr first introduced in 2.6.23)
	- linux-2.6.24
CVE-2009-1894 (Race condition in PulseAudio 0.9.9, 0.9.10, and 0.9.14 allows local us ...)
	{DSA-1838-1}
	- pulseaudio 0.9.15-4.1 (high; bug #537351)
	[etch] - pulseaudio (vulnerable code not present)
CVE-2009-1893 (The configtest function in the Red Hat dhcpd init script for DHCP 3.0. ...)
	NOT-FOR-US: Red Hat dhcpd init script for DHCP
CVE-2009-1892 (dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and ...)
	{DSA-1833-2}
	- isc-dhcp 3.1.2p1-2 (low; bug #539492)
	- dhcp3 3.1.2p1-2 (low; bug #549584)
	[etch] - dhcp3 (problematic assert is not present)
	[lenny] - dhcp3 3.1.1-6+lenny2
CVE-2009-1891 (The mod_deflate module in Apache httpd 2.2.11 and earlier compresses l ...)
	{DSA-1834-1}
	- apache2 2.2.11-7 (medium; bug #534712)
CVE-2009-1890 (The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy mo ...)
	{DSA-1834-1}
	- apache2 2.2.11-7 (medium; bug #536718)
	[etch] - apache2 (bug introduced in 2.2.5)
	[lenny] - apache2 2.2.9-10+lenny4
CVE-2009-1889 (The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets ...)
	- pidgin 2.5.8-1 (low; bug #535790)
	[lenny] - pidgin (Minor issue)
	NOTE: http://developer.pidgin.im/ticket/9483
	NOTE: http://developer.pidgin.im/viewmtn/revision/info/9bac0a540156fb1848eedd61c8630737dee752c7
CVE-2009-1888 (The acl_group_override function in smbd/posix_acls.c in smbd in Samba ...)
	{DSA-1823-1}
	- samba 2:3.3.6-1 (low)
	[etch] - samba (Vulnerable code not present)
	NOTE: Successful exploitation requires that "dos filemode" is set to "yes" in smb.conf.
CVE-2009-1887 (agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise Li ...)
	- net-snmp (Vulnerable code not present)
	NOTE: Red Hat incorrect fix for CVE-2008-4309. Checked code in oldstable and stable.
CVE-2009-1886 (Multiple format string vulnerabilities in client/client.c in smbclient ...)
	{DSA-1823-1}
	- samba 2:3.3.6-1
	[etch] - samba (Vulnerable code not present)
	NOTE: Only the 3.2.x branch was affected, so marking 3.3 as affected
CVE-2009-1885 (Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Ap ...)
	- xerces-c 3.0.1-2 (low; bug #540297)
	[etch] - xerces-c (Minor issue)
	[lenny] - xerces-c (Minor issue)
	- xerces-c2 2.8.0+deb1-2 (low; bug #541986)
	[lenny] - xerces-c2 2.8.0-3+lenny1
	- xerces27
	[etch] - xerces27 (Minor issue)
CVE-2009-1884 (Off-by-one error in the bzinflate function in Bzip2.xs in the Compress ...)
	- libcompress-raw-bzip2-perl 2.018-1 (medium; bug #542777)
	[lenny] - libcompress-raw-bzip2-perl 2.011-2lenny1
CVE-2009-1883 (The z90crypt_unlocked_ioctl function in the z90crypt driver in the Lin ...)
	{DSA-1929-1}
	- linux-2.6 2.6.19-1
	- linux-2.6.24 (problem was fixed before first upload, 2.6.19)
	NOTE: See Solar Designer's posting to oss-security
CVE-2009-1882 (Integer overflow in the XMakeImage function in magick/xwindow.c in Ima ...)
	{DSA-1903-1 DSA-1858-1}
	- imagemagick 7:6.5.1.0-1.1 (medium; bug #530838)
	- graphicsmagick 1.3.5-5.1 (medium; bug #530946)
CVE-2009-1881 (Cross-site scripting (XSS) vulnerability in MT312 IMG-BBS allows remot ...)
	NOT-FOR-US: MT312
CVE-2009-1880 (Cross-site scripting (XSS) vulnerability in MT312 REP-BBS allows remot ...)
	NOT-FOR-US: MT312
CVE-2009-XXXX [OCS Inventory NG SQL Injection Vulnerability]
	- ocsinventory-server 1.02.1-1 (unimportant; bug #531735)
	NOTE: README.Debian states Important: access to the reports server should be restricted
	NOTE: can be exploited only if magic_quotes is off
CVE-2009-3870 REJECTED
CVE-2009-1879 (Cross-site scripting (XSS) vulnerability in index.template.html in the ...)
	NOT-FOR-US: Adobe Flex
CVE-2009-1878 (Session fixation vulnerability in Adobe ColdFusion 8.0.1 and earlier a ...)
	NOT-FOR-US: Adobe ColdFusion
CVE-2009-1877 (Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 8.0.1 and ...)
	NOT-FOR-US: Adobe ColdFusion
CVE-2009-1876 (Adobe ColdFusion 8.0.1 and earlier might allow attackers to obtain sen ...)
	NOT-FOR-US: Adobe ColdFusion
CVE-2009-1875 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusio ...)
	NOT-FOR-US: Adobe ColdFusion
CVE-2009-1874 (Multiple cross-site scripting (XSS) vulnerabilities in the Management ...)
	NOT-FOR-US: Adobe JRun
CVE-2009-1873 (Directory traversal vulnerability in logging/logviewer.jsp in the Mana ...)
	NOT-FOR-US: Adobe JRun
CVE-2009-1872 (Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusio ...)
	NOT-FOR-US: Adobe ColdFusion Server
CVE-2009-1871 REJECTED
CVE-2009-1870 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Ad ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1869 (Integer overflow in the ActionScript Virtual Machine 2 (AVM2) abcFile ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1868 (Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1867 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Ad ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1866 (Stack-based buffer overflow in Adobe Flash Player before 9.0.246.0 and ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1865 (Adobe Flash Player before 9.0.246.0 and 10.x before 10.0.32.18, and Ad ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1864 (Heap-based buffer overflow in Adobe Flash Player before 9.0.246.0 and ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1863 (Unspecified vulnerability in Adobe Flash Player before 9.0.246.0 and 1 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1862 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.1. ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-1861 (Multiple heap-based buffer overflows in Adobe Reader 7 and Acrobat 7 b ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-1860 (Unspecified vulnerability in Adobe Shockwave Player before 11.5.0.600 ...)
	NOT-FOR-US: Adobe Shockwave Player
CVE-2009-1859 (Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-1858 (The JBIG2 filter in Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe R ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-1857 (Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe Reader 8 and Acrobat ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-1856 (Integer overflow in Adobe Reader 7 and Acrobat 7 before 7.1.3, Adobe R ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-1855 (Stack-based buffer overflow in Adobe Reader 7 and Acrobat 7 before 7.1 ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-1854 (Million Dollar Text Links 1.0 allows remote attackers to bypass authen ...)
	NOT-FOR-US: Million Dollar Text Links
CVE-2009-1853 (Multiple SQL injection vulnerabilities in index.php in Kensei Board 2. ...)
	NOT-FOR-US: Kensei Board
CVE-2009-1852 (Multiple SQL injection vulnerabilities in Graphiks MyForum 1.3 allow r ...)
	NOT-FOR-US: Graphiks MyForum
CVE-2009-1851 (SQL injection vulnerability in include.php in phpBugTracker 1.0.4 and ...)
	NOT-FOR-US: phpBugTracker
CVE-2009-1850 (SQL injection vulnerability in index.php in phpBugTracker 1.0.3 allows ...)
	NOT-FOR-US: phpBugTracker
CVE-2009-1849 (Cross-site scripting (XSS) vulnerability in the Monitor_Bandwidth func ...)
	NOT-FOR-US: PRTG Traffic Grapher
CVE-2009-1848 (SQL injection vulnerability in the JoomlaMe AgoraGroups (aka AG or com ...)
	NOT-FOR-US: JoomlaMe
CVE-2009-1847 (Directory traversal vulnerability in index.php in Easy PX 41 CMS 9.0 B ...)
	NOT-FOR-US: Easy PX 41 CMS
CVE-2009-1846 (Multiple directory traversal vulnerabilities in SiteX 0.7.4 Build 418 ...)
	NOT-FOR-US: SiteX
CVE-2009-1845 (Cross-site scripting (XSS) vulnerability in ajax/updatecheck.php in Lu ...)
	NOT-FOR-US: Lussumo Vanilla
CVE-2009-1844 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 5.x befo ...)
	{DSA-1808-1}
	- drupal5 5.17-1.1 (low; bug #529191)
	- drupal6 6.11-1.1 (low; bug #529190; bug #531386)
CVE-2009-1843 (Multiple SQL injection vulnerabilities in Flash Quiz Beta 2 allow remo ...)
	NOT-FOR-US: Flash Quiz
CVE-2009-1842 (SQL injection vulnerability in main/tracking/userLog.php in Francisco ...)
	NOT-FOR-US: PHP-Nuke
CVE-2009-1957 (charon/sa/ike_sa.c in the charon daemon in strongSWAN before 4.3.1 all ...)
	{DSA-1899-1}
	- strongswan 4.2.14-1.1 (medium; bug #531612)
	[etch] - strongswan (Vulnerable code not present, IKEv2 was introduced in 4.3)
CVE-2009-1958 (charon/sa/tasks/child_create.c in the charon daemon in strongSWAN befo ...)
	{DSA-1899-1}
	- strongswan 4.2.14-1.1 (medium; bug #531612)
	[etch] - strongswan (Vulnerable code not present, IKEv2 was introduced in 4.3)
CVE-2009-1841 (js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3 ...)
	{DSA-1830-1 DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
CVE-2009-1840 (Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check ...)
	{DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1839 (Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with ...)
	{DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1838 (The garbage-collection implementation in Mozilla Firefox before 3.0.11 ...)
	{DSA-1830-1 DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
CVE-2009-1837 (Race condition in the NPObjWrapper_NewResolve function in modules/plug ...)
	{DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Doesn't affect Gecko 1.8)
CVE-2009-1836 (Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMon ...)
	{DSA-1830-1 DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
CVE-2009-1835 (Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate lo ...)
	{DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1834 (Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in ...)
	{DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1833 (The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird be ...)
	{DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1832 (Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMon ...)
	{DSA-1830-1 DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
CVE-2009-1828 (Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of se ...)
	- xulrunner (unimportant)
	NOTE: Browser crashes not treated as security issues
CVE-2009-1827 (The SVG component in Mozilla Firefox 3.0.4 allows remote attackers to ...)
	- xulrunner (unimportant)
	NOTE: Browser crashes not treated as security issues
CVE-2009-1831 (The Nullsoft Modern Skins Support module (gen_ff.dll) in Nullsoft Wina ...)
	NOT-FOR-US: Nullsoft Winamp
CVE-2009-1830 (Stack-based buffer overflow in Soulseek 156 and 157 NS allows remote a ...)
	NOT-FOR-US: Soulseek
CVE-2009-1826 (modules/admuser.php in myGesuad 0.9.14 (aka 0.9) does not require admi ...)
	NOT-FOR-US: myGesuad
CVE-2009-1825 (modules/admuser.php in myColex 1.4.2 does not require administrative a ...)
	NOT-FOR-US: myColex
CVE-2009-1824 (The ps_drv.sys kernel driver in ArcaBit ArcaVir 2009 Antivirus Protect ...)
	NOT-FOR-US: ArcaBit ArcaVir
CVE-2009-1823 (Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e- ...)
	NOT-FOR-US: 3rd party Printer, e-mail and PDF module for Drupal
CVE-2009-1822 (Multiple PHP remote file inclusion vulnerabilities in the InterJoomla ...)
	NOT-FOR-US: Joomla!
CVE-2009-1821 (DMXReady Registration Manager 1.1 stores sensitive information under t ...)
	NOT-FOR-US: DMXReady Registration Manager
CVE-2009-1820 (Cross-site scripting (XSS) vulnerability in product.php in 2daybiz Cus ...)
	NOT-FOR-US: 2daybiz Custom T-shirt Design Script
CVE-2009-1819 (SQL injection vulnerability in product.php in 2daybiz Custom T-shirt D ...)
	NOT-FOR-US: 2daybiz Custom T-shirt Design Script
CVE-2009-1818 (SQL injection vulnerability in admin/admin_manager.asp in MaxCMS 2.0 a ...)
	NOT-FOR-US: MaxCMS
CVE-2009-1817 (Multiple buffer overflows in DigiMode Maya 1.0.2 allow remote attacker ...)
	NOT-FOR-US: DigiMode Maya
CVE-2009-1816 (SQL injection vulnerability in admin.php in My Game Script 2.0 allows ...)
	NOT-FOR-US: My Game Script
CVE-2009-1815 (Stack-based buffer overflow in Sonic Spot Audioactive Player 1.93b all ...)
	NOT-FOR-US: Sonic Spot Audioactive Player
CVE-2009-1814 (SQL injection vulnerability in mail.php in PHPenpals 1.1 and earlier a ...)
	NOT-FOR-US: PHPenpals
CVE-2009-1813 (Multiple SQL injection vulnerabilities in admin/index.php in Submitter ...)
	NOT-FOR-US: Submitter Script
CVE-2009-1812 (Multiple SQL injection vulnerabilities in myGesuad 0.9.14 (aka 0.9) al ...)
	NOT-FOR-US: myGesuad
CVE-2009-1811 (Multiple cross-site scripting (XSS) vulnerabilities in myGesuad 0.9.14 ...)
	NOT-FOR-US: myGesuad
CVE-2009-1810 (Multiple SQL injection vulnerabilities in myColex 1.4.2 allow remote a ...)
	NOT-FOR-US: myColex
CVE-2009-1809 (Multiple cross-site scripting (XSS) vulnerabilities in myColex 1.4.2 a ...)
	NOT-FOR-US: myColex
CVE-2009-1829 (Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 ...)
	{DSA-1942-1}
	- wireshark 1.0.8-1 (low; bug #533347)
	[lenny] - wireshark 1.0.2-3+lenny6
	[etch] - wireshark (Minor issue)
CVE-2009-1808 (Microsoft Windows XP SP3 allows local users to cause a denial of servi ...)
	NOT-FOR-US: Microsoft
CVE-2009-1807 (Unspecified vulnerability in Config.dll in Baofeng products 3.09.04.17 ...)
	NOT-FOR-US: Baofeng
CVE-2009-1806 (Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 r ...)
	NOT-FOR-US: IBM Hardware Management Console
CVE-2009-1805 (Unspecified vulnerability in the VMware Descheduled Time Accounting dr ...)
	NOT-FOR-US: VMware (experimental feature anyway)
CVE-2009-1804 (Multiple SQL injection vulnerabilities in admin/index.php in VideoScri ...)
	NOT-FOR-US: videoscript
CVE-2009-1803 (FreePBX 2.5.1, and other 2.4.x, 2.5.x, and pre-release 2.6.x versions, ...)
	NOT-FOR-US: FreePBX
CVE-2009-1802 (Multiple cross-site request forgery (CSRF) vulnerabilities in FreePBX ...)
	NOT-FOR-US: FreePBX
CVE-2009-1801 (Multiple cross-site scripting (XSS) vulnerabilities in FreePBX 2.5.1, ...)
	NOT-FOR-US: FreePBX
CVE-2009-1800 (Stack-based buffer overflow in the Chinagames CGAgent ActiveX control ...)
	NOT-FOR-US: Chinagames
CVE-2009-1799 (Multiple SQL injection vulnerabilities in the getGalleryImage function ...)
	NOT-FOR-US: ST-Gallery
CVE-2009-1798 (Multiple cross-site scripting (XSS) vulnerabilities on the Network Man ...)
	NOT-FOR-US: APC
CVE-2009-1797 (Multiple cross-site request forgery (CSRF) vulnerabilities on the Netw ...)
	NOT-FOR-US: APC
CVE-2009-1796 (Cross-site scripting (XSS) vulnerability in Sun Java System Portal Ser ...)
	NOT-FOR-US: Sun Java System Portal Server
CVE-2009-1795 RESERVED
CVE-2009-1794 RESERVED
CVE-2009-1793 RESERVED
CVE-2009-1792 (The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka ...)
	NOT-FOR-US: StoneTrip Ston3D StandalonePlayer
CVE-2009-1790 (Cross-site scripting (XSS) vulnerability in CGI RESCUE Trees before 2. ...)
	NOT-FOR-US: CGI Rescue Trees
CVE-2009-1787 (Multiple SQL injection vulnerabilities in PHP Dir Submit (aka WebsiteS ...)
	NOT-FOR-US: PHP Dir Submit
CVE-2009-1786 (The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users ...)
	NOT-FOR-US: IBM AIX libc
CVE-2009-1785 (Cross-site scripting (XSS) vulnerability in Ulteo Open Virtual Desktop ...)
	NOT-FOR-US: Ulteo Open Virtual Desktop
CVE-2009-1784 (The AVG parsing engine 8.5 323, as used in multiple AVG anti-virus pro ...)
	NOT-FOR-US: AVG anti-virus
CVE-2009-1783 (Multiple FRISK Software F-Prot anti-virus products, including Antiviru ...)
	NOT-FOR-US: FRISK Software F-Prot anti-virus
CVE-2009-1782 (Multiple F-Secure anti-virus products, including Anti-Virus for Micros ...)
	NOT-FOR-US: F-Secure anti-virus
CVE-2009-1781 (Static code injection vulnerability in admin.php in Frax.dk Php Recomm ...)
	NOT-FOR-US: Frax.dk Php Recommend
CVE-2009-1780 (admin.php in Frax.dk Php Recommend 1.3 and earlier does not require au ...)
	NOT-FOR-US: Frax.dk Php Recommend
CVE-2009-1779 (PHP remote file inclusion vulnerability in admin.php in Frax.dk Php Re ...)
	NOT-FOR-US: Frax.dk Php Recommend
CVE-2009-1778 (SQL injection vulnerability in the new user registration feature in Bi ...)
	NOT-FOR-US: BigACE CMS
CVE-2009-1777 (CRLF injection vulnerability in FormMail.pl in Matt Wright FormMail 1. ...)
	NOT-FOR-US: Matt Wright FormMail
CVE-2009-1776 (Multiple cross-site scripting (XSS) vulnerabilities in FormMail.pl in ...)
	NOT-FOR-US: Matt Wright FormMail
CVE-2009-1775 (Multiple cross-site scripting (XSS) vulnerabilities in Ulteo Open Virt ...)
	NOT-FOR-US: Ulteo Open Virtual Desktop
CVE-2009-1774 (Directory traversal vulnerability in plugins/ddb/foot.php in Strawberr ...)
	NOT-FOR-US: Strawberry
CVE-2009-1773 (activeCollab 2.1 Corporate allows remote attackers to obtain sensitive ...)
	NOT-FOR-US: activeCollab
CVE-2009-1772 (Cross-site scripting (XSS) vulnerability in activeCollab 2.1 Corporate ...)
	NOT-FOR-US: activeCollab
CVE-2009-1771 (index.php in Flyspeck CMS 6.8 does not require administrative authenti ...)
	NOT-FOR-US: Flyspeck CMS
CVE-2009-1770 (Directory traversal vulnerability in includes/database/examples/addres ...)
	NOT-FOR-US: Flyspeck CMS
CVE-2009-1769 (The web interface in Open Computer and Software Inventory Next Generat ...)
	- ocsinventory-server 1.02.1-1 (unimportant; bug #529344)
	NOTE: README.Debian states Important: access to the reports server should be restricted
CVE-2009-1768 (Directory traversal vulnerability in download.php in Rama Zaiten CMS 0 ...)
	NOT-FOR-US: Rama Zaiten CMS
CVE-2009-1767 (admin/edituser.php in 2daybiz Template Monster Clone does not require ...)
	NOT-FOR-US: 2daybiz Template Monster Clone
CVE-2009-1766 (SQL injection vulnerability in index.php in LightOpenCMS 0.1 allows re ...)
	NOT-FOR-US: LightOpenCMS
CVE-2009-1765 (Multiple directory traversal vulnerabilities in pluck 4.6.2, when regi ...)
	NOT-FOR-US: pluck CMS
CVE-2009-1764 (SQL injection vulnerability in inc/ajax.asp in MaxCMS 2.0 allows remot ...)
	NOT-FOR-US: MaxCMS
CVE-2009-1763 (Unspecified vulnerability in the Solaris Secure Digital slot driver (a ...)
	NOT-FOR-US: Solaris
CVE-2009-1762 (Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess l ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-XXXX [radare-common insecure temp files handling]
	- radare 1.4-1 (low)
CVE-2009-1761 (The message engine in CA ARCserve Backup r12.0 and r12.0 SP1 for Windo ...)
	NOT-FOR-US: CA ARCserve Backup
CVE-2009-1760 (Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar ...)
	{DSA-1815-1}
	- libtorrent-rasterbar 0.14.4-1 (medium)
CVE-2009-1759 (Stack-based buffer overflow in the btFiles::BuildFromMI function (trun ...)
	{DSA-1817-1}
	- ctorrent 1.3.4-dnh3.2-1.1 (medium; bug #530255)
CVE-2009-1758 (The hypervisor_callback function in Xen, possibly before 3.4.0, as app ...)
	{DSA-1809-1}
	- linux-2.6 2.6.28-1 (low; bug #536148)
	- linux-2.6.24
CVE-2009-1757 (Cross-site request forgery (CSRF) vulnerability in Transmission 1.5 be ...)
	- transmission 1.61-1 (low)
	[lenny] - transmission (Vulnerable code not present, the web interface was introduced in 1.30)
	[etch] - transmission (Vulnerable code not present, the web interface was introduced in 1.30)
CVE-2009-1754 (The PackageManagerService class in services/java/com/android/server/Pa ...)
	NOT-FOR-US: Android
CVE-2009-1752 (exJune Office Message System 1 does not properly restrict access to (1 ...)
	NOT-FOR-US: exJune Office Message System
CVE-2009-1751 (SQL injection vulnerability in list_list.php in Realty Webware Technol ...)
	NOT-FOR-US: Realty Web-Base
CVE-2009-1750 (Unrestricted file upload vulnerability in VidSharePro allows remote au ...)
	NOT-FOR-US: VidSharePro
CVE-2009-1749 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ca ...)
	NOT-FOR-US: Catviz
CVE-2009-1748 (Multiple directory traversal vulnerabilities in index.php in Catviz 0. ...)
	NOT-FOR-US: Catviz
CVE-2009-1747 (SQL injection vulnerability in index.php in 26th Avenue bSpeak 1.10 al ...)
	NOT-FOR-US: bSpeak
CVE-2009-1746 (SQL injection vulnerability in berita.php in Dian Gemilang DGNews 3.0 ...)
	NOT-FOR-US: Dian Gemilang DGNews
CVE-2009-1745 (Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x ...)
	NOT-FOR-US: Armorlogic Profense Web Application Firewall
CVE-2009-1744 (InstallHFZ.exe 6.5.201.0 in Pinnacle Hollywood Effects 6, a module in ...)
	NOT-FOR-US: Pinnacle
CVE-2009-1743 (Directory traversal vulnerability in InstallHFZ.exe 6.5.201.0 in Pinna ...)
	NOT-FOR-US: Pinnacle
CVE-2009-1742 (code.php in PC4Arb Pc4 Uploader 9.0 and earlier makes it easier for re ...)
	NOT-FOR-US: PC4Arb Pc4 Uploader
CVE-2009-1741 (Multiple SQL injection vulnerabilities in login.php in DM FileManager ...)
	NOT-FOR-US: DM FileManager
CVE-2009-1740 (Multiple heap-based buffer overflows in the D-Link MPEG4 Viewer Active ...)
	NOT-FOR-US: D-Link MPEG4 Viewer
CVE-2009-1739 (PAD Site Scripts 3.6 allows remote attackers to bypass authentication ...)
	NOT-FOR-US: PAD Site Scripts
CVE-2009-1738 (Cross-site scripting (XSS) vulnerability in Feed Block 6.x-1.x before ...)
	NOT-FOR-US: Feed Block
CVE-2009-1737 (Directory traversal vulnerability in bom.php in MyPic 2.1 allows remot ...)
	NOT-FOR-US: MyPic
CVE-2009-1736 (SQL injection vulnerability in the GridSupport (GS) Ticket System (com ...)
	NOT-FOR-US: GridSupport component for Joomla
CVE-2009-1735 (Cross-site scripting (XSS) vulnerability in search.php in VidSharePro ...)
	NOT-FOR-US: VidSharePro
CVE-2009-1734 (SQL injection vulnerability in listing_video.php in VidSharePro allows ...)
	NOT-FOR-US: VidSharePro
CVE-2009-1733 (Cross-site request forgery (CSRF) vulnerability in IPplan 4.91a allows ...)
	- ipplan 4.91a-1.1 (unimportant; bug #530271)
	NOTE: Only exploitable with admin rights
CVE-2009-1732 (Cross-site scripting (XSS) vulnerability in admin/usermanager in IPpla ...)
	{DSA-1827-1}
	- ipplan 4.91a-1.1 (low; bug #530271)
CVE-2009-1731 (SQL injection vulnerability in panel/index.php in MLFFAT 2.1 allows re ...)
	NOT-FOR-US: MLFFAT
CVE-2009-1730 (Multiple directory traversal vulnerabilities in NetMechanica NetDecisi ...)
	NOT-FOR-US: NetDecision TFTP Server
CVE-2009-1729 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...)
	NOT-FOR-US: Sun Java System Communications Express
CVE-2009-1728 (Stack-based buffer overflow in Image RAW in Apple Mac OS X 10.5 before ...)
	NOT-FOR-US: Image RAW in Apple Mac OS X
CVE-2009-1727 (Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X 10.5 ...)
	NOT-FOR-US: CoreTypes in Apple Mac OS X
CVE-2009-1726 (Heap-based buffer overflow in ColorSync in Apple Mac OS X 10.4.11 and ...)
	NOT-FOR-US: ColorSync in Apple Mac OS X
CVE-2009-1725 (WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, ...)
	{DSA-1988-1 DSA-1950-1}
	- webkit 1.1.13-1 (medium; bug #538346)
	- qt4-x11 4:4.5.2-2 (medium; bug #538347)
	[etch] - qt4-x11 (QTWebkit was introduced in 4.4)
	- kdelibs (medium; bug #538350)
	- kde4libs (medium; bug #538349)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=513813#c18
	NOTE: patch http://trac.webkit.org/changeset/44799/
	NOTE: PoC http://web.archive.org/web/20110813092643/https://cevans-app.appspot.com/static/webkitentityoffbyone.html
CVE-2009-1724 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...)
	- qt4-x11 (bug #538403)
	[etch] - qt4-x11 (webkit support introduced in version 4.4)
	- webkit 1.1.13-1 (low; bug #538402)
	[lenny] - webkit (Unmaintained in Lenny, only affects fringe apps)
	- kdelibs (unimportant)
	- kde4libs (unimportant)
	NOTE: http://www.thespanner.co.uk/2009/06/19/minor-safari-cross-domain-bug/
CVE-2009-1723 (CFNetwork in Apple Mac OS X 10.5 before 10.5.8 places an incorrect URL ...)
	NOT-FOR-US: CFNetwork in Apple Mac OS X
CVE-2009-1722 (Heap-based buffer overflow in the compression implementation in OpenEX ...)
	{DSA-1842-1}
	- openexr 1.6.1-1 (medium; bug #540424)
CVE-2009-1721 (The decompression implementation in the Imf::hufUncompress function in ...)
	{DSA-1842-1}
	- openexr 1.6.1-4.1 (medium; bug #540424)
CVE-2009-1720 (Multiple integer overflows in OpenEXR 1.2.2 and 1.6.1 allow context-de ...)
	{DSA-1842-1}
	- openexr 1.6.1-4.1 (medium; bug #540424)
CVE-2009-1719 (The Aqua Look and Feel for Java implementation in Java 1.5 on Mac OS X ...)
	NOT-FOR-US: Aqua Look and Feel for Java implementation in Java 1.5 on Mac OS X
CVE-2009-1718 (WebKit in Apple Safari before 4.0 allows user-assisted remote attacker ...)
	- webkit 1.1.12-1 (medium; bug #535793)
	[lenny] - webkit (Minor issue)
	- kdelibs (unimportant)
	- kde4libs (unimportant)
	- qt4-x11 4:4.6.2-4 (low; bug #561760)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/44010
CVE-2009-1717 (Integer overflow in Terminal in Apple Mac OS X 10.5 before 10.5.7 allo ...)
	NOT-FOR-US: Mac OS X
CVE-2009-1716 (CFNetwork in Apple Safari before 4.0 on Windows does not properly prot ...)
	NOT-FOR-US: CFNetwork in Apple
CVE-2009-1715 (Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in ...)
	- webkit 1.0.1-4 (medium; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (bug #561760)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/31890
CVE-2009-1714 (Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in ...)
	{DSA-1950-1}
	- webkit 1.1.12-1 (low; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.3-1 (low)
	[lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit)
	NOTE: http://trac.webkit.org/changeset/36359
CVE-2009-1713 (The XSLT functionality in WebKit in Apple Safari before 4.0 does not p ...)
	{DSA-1988-1}
	- webkit 1.0.1-4 (medium; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.5.2-2
	[etch] - qt4-x11 (QTWebkit was introduced in 4.4)
	NOTE: http://trac.webkit.org/changeset/34533
CVE-2009-1712 (WebKit in Apple Safari before 4.0 does not prevent remote loading of l ...)
	{DSA-1988-1 DSA-1950-1}
	- webkit 1.1.12-1 (medium; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.5.2-2
	[etch] - qt4-x11 (QTWebkit was introduced in 4.4)
	NOTE: http://trac.webkit.org/changeset/41568
CVE-2009-1711 (WebKit in Apple Safari before 4.0 does not properly initialize memory ...)
	{DSA-1988-1 DSA-1950-1}
	- webkit 1.1.12-1 (medium; bug #535793)
	NOTE: http://trac.webkit.org/changeset/36918
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.5.2-1
	[etch] - qt4-x11 (QTWebkit was introduced in 4.4)
CVE-2009-1710 (WebKit in Apple Safari before 4.0 allows remote attackers to spoof the ...)
	{DSA-1950-1}
	- webkit 1.1.12-1 (low; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (low; bug #561760)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/35157
CVE-2009-1709 (Use-after-free vulnerability in the garbage-collection implementation ...)
	{DSA-1866-1}
	- webkit 0~svn32442-1
	NOTE: fixed in upstream commit http://trac.webkit.org/changeset/32230
	- kdelibs (vulnerable code in kdegraphics)
	- kde4libs (Vulnerable code not present)
	- kdegraphics 4:4.0 (medium; bug #534951)
	NOTE: kdegraphics >4.0 not affected since ksvg is only in 3.5.x series
CVE-2009-1708 (Apple Safari before 4.0 does not prevent calls to the open-help-anchor ...)
	NOT-FOR-US: Apple Safari
CVE-2009-1707 (Race condition in the Reset Safari implementation in Apple Safari befo ...)
	NOT-FOR-US: Apple Safari
CVE-2009-1706 (The Private Browsing feature in Apple Safari before 4.0 on Windows doe ...)
	NOT-FOR-US: Apple Safari
CVE-2009-1705 (CoreGraphics in Apple Safari before 4.0 on Windows does not properly u ...)
	NOT-FOR-US: Apple Safari
CVE-2009-1704 (CFNetwork in Apple Safari before 4.0 misinterprets downloaded image fi ...)
	NOT-FOR-US: Apple Safari
CVE-2009-1703 (WebKit in Apple Safari before 4.0 does not prevent references to file: ...)
	- webkit 1.1.12-1 (low; bug #535793)
	[lenny] - webkit (Minor issue)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (medium; bug #561760)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	[lenny] - qt4-x11 (HTML video support introduced in version 4.5)
	NOTE: http://trac.webkit.org/changeset/42533
CVE-2009-1702 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...)
	- webkit 1.1.12-1 (low; bug #535793)
	[lenny] - webkit (Unmaintained in Lenny, only affects fringe apps)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (low)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/42216
CVE-2009-1701 (Use-after-free vulnerability in the JavaScript DOM implementation in W ...)
	- webkit 1.1.12-1 (medium; bug #535793)
	[lenny] - webkit (Unmaintained, only affects fringe apps)
	- kdelibs
	- qt4-x11 4:4.6.2-4
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: invasive patch to backport.
	NOTE: http://trac.webkit.org/changeset/40881
CVE-2009-1700 (The XSLT implementation in WebKit in Apple Safari before 4.0, iPhone O ...)
	- webkit 1.1.12-1 (low; bug #535793)
	[lenny] - webkit (Unmaintained in Lenny, only affects fringe apps)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (low)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/38065
CVE-2009-1699 (The XSL stylesheet implementation in WebKit in Apple Safari before 4.0 ...)
	{DSA-1988-1}
	- webkit 1.0.1-4 (medium; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.5.2-2
	[etch] - qt4-x11 (QTWebkit was introduced in 4.4)
CVE-2009-1698 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...)
	{DSA-1988-1 DSA-1950-1 DSA-1868-1 DSA-1867-1}
	- webkit 1.1.5-1 (medium; bug #534946)
	NOTE: http://trac.webkit.org/changeset/42081
	- qt4-x11 4:4.5.2-1
	[etch] - qt4-x11 (QTWebkit was introduced in 4.4)
	- kdelibs 4:3.5.10.dfsg.1-2.1 (medium; bug #534949)
	- kde4libs 4:4.3.0-1 (medium)
CVE-2009-1697 (CRLF injection vulnerability in WebKit in Apple Safari before 4.0, iPh ...)
	{DSA-1950-1}
	- webkit 1.1.15.2-1 (medium; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/41262
CVE-2009-1696 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...)
	- webkit 1.1.12-1 (medium; bug #535793)
	[lenny] - webkit (Vulnerable code not present)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4
	[lenny] - qt4-x11 (Vulnerable code not present)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/39510
	NOTE: http://trac.webkit.org/changeset/39553
CVE-2009-1695 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...)
	{DSA-1950-1}
	- webkit 1.1.12-1 (low; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (low)
	[lenny] - qt4-x11 (Vulnerable code not present)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/42223
CVE-2009-1694 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...)
	{DSA-1950-1}
	- webkit 1.1.12-1 (low; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (low)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/35935
CVE-2009-1693 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...)
	{DSA-1950-1}
	- webkit 1.1.12-1 (medium; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	[lenny] - qt4-x11 (Minor impact, no apps in Lenny which use qtwebkit)
	NOTE: http://trac.webkit.org/changeset/35928
CVE-2009-1692 (WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1, iP ...)
	{DSA-1950-1}
	- webkit 1.1.12-1 (low; bug #535793)
	- kdelibs (unimportant)
	- kde4libs (unimportant)
	- qt4-x11 4:4.6.2-4 (unimportant)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: upstream (undisclosed) bug report is https://bugs.webkit.org/show_bug.cgi?id=23319
	NOTE: http://trac.webkit.org/changeset/41741
CVE-2009-1691 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...)
	- webkit 1.1.12-1 (medium; bug #535793)
	[lenny] - webkit (Vulnerable code not present)
	NOTE: http://trac.webkit.org/changeset/32791
	- kdelibs
	- kde4libs
	- qt4-x11 4.4.3-1
	NOTE: QT4 might be fixed earlier, but only Lenny version was checked
CVE-2009-1690 (Use-after-free vulnerability in WebKit, as used in Apple Safari before ...)
	{DSA-1988-1 DSA-1950-1 DSA-1868-1 DSA-1867-1}
	- webkit 1.1.5-1 (medium; bug #534946)
	NOTE: http://trac.webkit.org/changeset/42532
	- kdelibs 4:3.5.10.dfsg.1-2.1 (medium; bug #534952)
	- kde4libs 4:4.3.0-1 (medium; bug #534949)
	NOTE: http://websvn.kde.org/?view=rev&revision=983316
	- qt4-x11 4:4.5.2-1 (medium; bug #534947)
	[etch] - qt4-x11 (QTWebkit was introduced in 4.4)
CVE-2009-1689 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...)
	- webkit 1.1.12-1 (low; bug #535793)
	[lenny] - webkit (Vulnerable code not present)
	- kdelibs
	- kde4libs
	- qt4-x11 4.4.3-1
	NOTE: QT4 might be fixed earlier, but only Lenny version was checked
	NOTE: http://trac.webkit.org/changeset/32791
CVE-2009-1688 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...)
	- webkit 1.1.12-1 (low; bug #535793)
	[lenny] - webkit (Vulnerable code not present)
	- kdelibs
	- kde4libs
	- qt4-x11 4.4.3-1
	NOTE: QT4 might be fixed earlier, but only Lenny version was checked
	NOTE: http://trac.webkit.org/changeset/32791
CVE-2009-1687 (The JavaScript garbage collector in WebKit in Apple Safari before 4.0, ...)
	{DSA-1988-1 DSA-1950-1 DSA-1868-1 DSA-1867-1}
	- webkit 1.1.5-1 (medium; bug #534946)
	- kdelibs 4:3.5.10.dfsg.1-2.1 (bug #534952)
	- kde4libs 4:4.3.0-1
	NOTE: http://trac.webkit.org/changeset/41854
	- qt4-x11 4:4.5.2-1 (medium; bug #534946)
	[etch] - qt4-x11 (QTWebkit was introduced in 4.4)
CVE-2009-1686 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...)
	- webkit 1.1.12-1 (medium; bug #535793)
	[lenny] - webkit (Vulnerable code not present)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/31431
CVE-2009-1685 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...)
	- webkit 1.0.1-4 (bug #535793)
	- kdelibs
	- qt4-x11 4:4.6.2-4 (low)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/34574
CVE-2009-1684 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari bef ...)
	{DSA-1950-1}
	- webkit 1.1.12-1 (low; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (low)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against
	NOTE: http://trac.webkit.org/changeset/42365
CVE-2009-1683 (The Telephony component in Apple iPhone OS 1.0 through 2.2.1 and iPhon ...)
	NOT-FOR-US: iPhone
CVE-2009-1682 (Apple Safari before 4.0 does not properly check for revoked Extended V ...)
	NOT-FOR-US: Apple Safari
CVE-2009-1681 (WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iP ...)
	{DSA-1950-1}
	- webkit 1.1.12-1 (low; bug #535793)
	- kdelibs
	- kde4libs
	- qt4-x11 4:4.6.2-4 (low)
	[lenny] - qt4-x11 (qtwebkit not supported security-wise)
	NOTE: QT4 might be fixed earlier, but only 4.6.2 was checked against, Lenny is affected
	NOTE: http://trac.webkit.org/changeset/42333
CVE-2009-1680 (Safari in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod tou ...)
	NOT-FOR-US: Safari in Apple iPhone OS
CVE-2009-1679 (The Profiles component in Apple iPhone OS 1.0 through 2.2.1 and iPhone ...)
	NOT-FOR-US: iPhone
CVE-2009-1756 (SLiM Simple Login Manager 1.3.0 places the X authority magic cookie (m ...)
	- slim 1.3.1-2 (low; bug #529306)
	[lenny] - slim 1.3.0-1+lenny2
CVE-2009-1755 (Off-by-one error in the packet_read_query_section function in packet.c ...)
	{DSA-1803-1}
	- nsd3 3.2.2-1 (medium; bug #529418)
	- nsd 2.3.7-3 (medium; bug #529420)
	NOTE: VU#710316
CVE-2009-1753 (Coccinelle 0.1.7 allows local users to overwrite arbitrary files via a ...)
	- coccinelle 0.1.7.deb-3 (low)
CVE-2009-1678 (Directory traversal vulnerability in the saveFeed function in rss/feed ...)
	NOT-FOR-US: Bitweaver
CVE-2009-1677 (Multiple static code injection vulnerabilities in the saveFeed functio ...)
	NOT-FOR-US: Bitweaver
CVE-2009-1676
	REJECTED
CVE-2009-1675 (Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows r ...)
	NOT-FOR-US: ElectraSoft 32bit FTP
CVE-2009-1674 (Stack-based buffer overflow in Microchip MPLAB IDE 8.30 allows user-as ...)
	NOT-FOR-US: Microchip MPLAB IDE
CVE-2009-1673 (The kernel in Sun Solaris 9 allows local users to cause a denial of se ...)
	NOT-FOR-US: SunOS
CVE-2009-1672 (The Deployment Toolkit ActiveX control in deploytk.dll 6.0.130.3 in Su ...)
	NOT-FOR-US: ActiveX
CVE-2009-1671 (Multiple buffer overflows in the Deployment Toolkit ActiveX control in ...)
	NOT-FOR-US: ActiveX
CVE-2009-1670 (user/index.php in TCPDB 3.8 does not require administrative authentica ...)
	NOT-FOR-US: TCPDB
CVE-2009-1669 (The smarty_function_math function in libs/plugins/function.math.php in ...)
	{DSA-1919-1}
	- smarty 2.6.26-0.1 (low; bug #529810)
	[etch] - smarty (Vulnerable code not present)
	[lenny] - smarty (Minor issue)
CVE-2009-1668 (TYPSoft FTP Server 1.11 allows remote attackers to cause a denial of s ...)
	NOT-FOR-US: TYPSoft
CVE-2009-1667 (Stack-based buffer overflow in Mini-stream CastRipper 2.50.70 allows r ...)
	NOT-FOR-US: CastRipper
CVE-2009-1666 (Multiple unspecified vulnerabilities in CycloMedia CycloScopeLite 2.50 ...)
	NOT-FOR-US: CycloMedia CycloScopeLite
CVE-2009-1665 (myaccount.php in Easy Scripts Answer and Question Script allows remote ...)
	NOT-FOR-US: Easy Scripts Answer and Question Script
CVE-2009-1664 (myaccount.php in Easy Scripts Answer and Question Script does not veri ...)
	NOT-FOR-US: Easy Scripts Answer and Question Script
CVE-2009-1663 (Unrestricted file upload vulnerability in myaccount.php in Easy Script ...)
	NOT-FOR-US: Easy Scripts Answer and Question Script
CVE-2009-1662 (Multiple SQL injection vulnerabilities in admin/login.php in Wright Wa ...)
	NOT-FOR-US: Wright Way Services Recipe Script
CVE-2009-1661 (SQL injection vulnerability in admin/utopic.php in uTopic 1.0, when ma ...)
	NOT-FOR-US: uTopic
CVE-2009-1660 (Stack-based buffer overflow in URUWorks ViPlay3 3.0 and earlier allows ...)
	NOT-FOR-US: ViPlay3
CVE-2009-1659 (Unrestricted file upload vulnerability in admin/uploadimage.php in eLi ...)
	NOT-FOR-US: eLitius
CVE-2009-1658 (Multiple SQL injection vulnerabilities in admin/admin.php in Realty We ...)
	NOT-FOR-US: Web-Base
CVE-2009-1657 (Multiple SQL injection vulnerabilities in the Starrating plugin before ...)
	NOT-FOR-US: Starrating plugin for b2evolution
CVE-2009-1656 (Xerox WorkCentre and WorkCentre Pro 232, 238, 245, 255, 265, 275; and ...)
	NOT-FOR-US: Xerox
CVE-2009-1655 (Multiple SQL injection vulnerabilities in myaccount.php in Easy Script ...)
	NOT-FOR-US: Easy Scripts Answer and Question Script
CVE-2009-1654 (Cross-site scripting (XSS) vulnerability in questiondetail.php in Easy ...)
	NOT-FOR-US: Easy Scripts Answer and Question Script
CVE-2009-1653 (Directory traversal vulnerability in examples/tbs_us_examples_0view.ph ...)
	NOT-FOR-US: TinyButStrong
CVE-2009-1652 (admin/adminaddeditdetails.php in Business Community Script does not pr ...)
	NOT-FOR-US: Business Community Script
CVE-2009-1651 (SQL injection vulnerability in admin/member_details.php in 2daybiz Bus ...)
	NOT-FOR-US: 2daybiz
CVE-2009-1650 (Multiple SQL injection vulnerabilities in photos.php in Shutter 0.1.1 ...)
	NOT-FOR-US: Shutter
CVE-2009-1649 (Directory traversal vulnerability in arch.php in beLive 0.2.3 allows r ...)
	NOT-FOR-US: beLive
CVE-2009-1648 (The YaST2 LDAP module in yast2-ldap-server on SUSE Linux Enterprise Se ...)
	NOT-FOR-US: yast2-ldap-server on SUSE
CVE-2009-1647 (Heap-based buffer overflow in popcorn.exe in Ultrafunk Popcorn 1.87 al ...)
	NOT-FOR-US: Ultrafunk Popcorn
CVE-2009-1646 (Stack-based buffer overflow in Mini-stream RM Downloader 3.0.0.9 allow ...)
	NOT-FOR-US: Mini-stream RM Downloader
CVE-2009-1645 (Multiple stack-based buffer overflows in Mini-stream Easy RM-MP3 Conve ...)
	NOT-FOR-US: Mini-stream Easy RM-MP Converter
CVE-2009-1644 (Stack-based buffer overflow in Sorinara Streaming Audio Player 0.9 all ...)
	NOT-FOR-US: Streaming Audio Player
CVE-2009-1643 (Stack-based buffer overflow in Sorinara Soritong MP3 Player 1.0 allows ...)
	NOT-FOR-US: Sorinara Soritong MP3 Player
CVE-2009-1642 (Multiple stack-based buffer overflows in Mini-stream ASX to MP3 Conver ...)
	NOT-FOR-US: Mini-stream ASX to MP3 Converter
CVE-2009-1641 (Multiple stack-based buffer overflows in Mini-stream Ripper 3.0.1.1 al ...)
	NOT-FOR-US: Mini-stream Ripper
CVE-2009-1640 (Stack-based buffer overflow in Nucleus Data Recovery Kernel Recovery f ...)
	NOT-FOR-US: Nucleus Data Recovery Kernel Recovery
CVE-2009-1639 (Stack-based buffer overflow in Nucleus Data Recovery Kernel Recovery f ...)
	NOT-FOR-US: Nucleus Data Recovery Kernel Recovery
CVE-2009-1638 (Techno Dreams Job Career Package 3.0 allows remote attackers to bypass ...)
	NOT-FOR-US: Techno Dreams Job Career Package
CVE-2009-1637 (profile.php in Simple Customer 1.3 does not require administrative aut ...)
	NOT-FOR-US: Simple Customer
CVE-2009-1788 (Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 thr ...)
	{DSA-1814-1 DTSA-202-1}
	- libsndfile 1.0.20-1 (low; bug #528650)
CVE-2009-1791 (Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 th ...)
	{DSA-1814-1 DTSA-202-1}
	- libsndfile 1.0.20-1 (low; bug #528650)
CVE-2009-1636 (Multiple buffer overflows in the Internet Agent (aka GWIA) component i ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-1635 (Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess c ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-1634 (The WebAccess component in Novell GroupWise 7.x before 7.03 HP3 and 8. ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-1633 (Multiple buffer overflows in the cifs subsystem in the Linux kernel be ...)
	{DSA-1865-1 DSA-1844-1 DSA-1809-1}
	- linux-2.6 2.6.30-1
	- linux-2.6.24
CVE-2009-1632 (Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attacke ...)
	{DSA-1804-1}
	- ipsec-tools 1:0.7.1-1.5 (medium; bug #528933)
CVE-2009-1631 (The Mailer component in Evolution 2.26.1 and earlier uses world-readab ...)
	- evolution 2.29.90-1 (unimportant; bug #526409)
	NOTE: Mostly a security enhancement, only for local users/mail and open homedirs
CVE-2009-1630 (The nfs_permission function in fs/nfs/dir.c in the NFS client implemen ...)
	{DSA-1865-1 DSA-1844-1 DSA-1809-1}
	- linux-2.6 2.6.30-1
	- linux-2.6.24
CVE-2009-1629 (ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with pr ...)
	{DSA-1994-1}
	- ajaxterm 0.10-5 (medium; bug #528938)
CVE-2009-1789 (mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and ea ...)
	{DSA-1826-1}
	- eggdrop 1.6.19-1.2 (medium; bug #528778)
CVE-2009-XXXX [cron: Incomplete fix for CVE-2006-2607 (setgid() and initgroups() not checked)]
	- cron 3.0pl1-106 (low; bug #528434)
	[lenny] - cron (Minor issue)
	[etch] - cron (Minor issue)
CVE-2009-1628 (Stack-based buffer overflow in mnet.exe in Unisys Business Information ...)
	NOT-FOR-US: Unisys Business Information Server
CVE-2009-1627 (Stack-based buffer overflow in Streaming Download Project (SDP) Downlo ...)
	NOT-FOR-US: Streaming Download Project (SDP)
CVE-2009-1626 (SQL injection vulnerability in public/specific.php in EZ-Blog before B ...)
	NOT-FOR-US: EZ-Blog
CVE-2009-1625 (Directory traversal vulnerability in index.php in Thickbox Gallery 2 a ...)
	NOT-FOR-US: Thickbox Gallery 2
CVE-2009-1624 (Directory traversal vulnerability in index.php in Dew-NewPHPLinks 2.0 ...)
	NOT-FOR-US: Dew-NewPHPLinks 2.0
CVE-2009-1623 (Cross-site scripting (XSS) vulnerability in index.php in Dew-NewPHPLin ...)
	NOT-FOR-US: Dew-NewPHPLinks 2.0
CVE-2009-1622 (SQL injection vulnerability in user.php in EcShop 2.5.0 allows remote ...)
	NOT-FOR-US: EcShop 2.5.0
CVE-2009-1621 (Directory traversal vulnerability in index.php in OpenCart 1.1.8 allow ...)
	NOT-FOR-US: OpenCart
CVE-2009-1620 (Multiple cross-site scripting (XSS) vulnerabilities in input.php in Ma ...)
	NOT-FOR-US: MataChat
CVE-2009-1619 (Teraway FileStream 1.0 allows remote attackers to bypass authenticatio ...)
	NOT-FOR-US: Teraway FileStream
CVE-2009-1618 (Teraway LiveHelp 2.0 allows remote attackers to bypass authentication ...)
	NOT-FOR-US: Teraway LiveHelp
CVE-2009-1617 (Teraway LinkTracker 1.0 allows remote attackers to bypass authenticati ...)
	NOT-FOR-US: Teraway LinkTracker
CVE-2009-1616 (Cross-site scripting (XSS) vulnerability in docs/showdoc.php in Copper ...)
	NOT-FOR-US: Coppermine Photo Gallery
CVE-2009-1615 (Unrestricted file upload vulnerability in Leap CMS 0.1.4 allows remote ...)
	NOT-FOR-US: Leap CMS
CVE-2009-1614 (Multiple cross-site scripting (XSS) vulnerabilities in Leap CMS 0.1.4 ...)
	NOT-FOR-US: Leap CMS
CVE-2009-1613 (Multiple SQL injection vulnerabilities in leap.php in Leap CMS 0.1.4, ...)
	NOT-FOR-US: Leap CMS
CVE-2009-1612 (Stack-based buffer overflow in the MPS.StormPlayer.1 ActiveX control i ...)
	NOT-FOR-US: ActiveX
CVE-2009-1611 (Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows r ...)
	NOT-FOR-US: ElectraSoft 32bit FTP
CVE-2009-1610 (admin/changepassword.php in Job Script Job Board Software 2.0 allows r ...)
	NOT-FOR-US: Job Script Job Board Software
CVE-2009-1609 (Unrestricted file upload vulnerability in admin/uploadform.asp in Batt ...)
	NOT-FOR-US: Battle Blog
CVE-2009-1608 (Multiple buffer overflows in Microchip MPLAB IDE 8.30 and possibly ear ...)
	NOT-FOR-US: Microchip MPLAB IDE
CVE-2009-1607 (Cross-site scripting (XSS) vulnerability in the administrator panel in ...)
	NOT-FOR-US: LinkBase
CVE-2009-1606 (Multiple stack-based and heap-based buffer overflows in Dafolo DafoloC ...)
	NOT-FOR-US: Dafolo DafoloControl ActiveX
CVE-2009-1605 (Heap-based buffer overflow in the loadexponentialfunc function in mupd ...)
	NOT-FOR-US: MuPDF
CVE-2009-1604 (Unspecified vulnerability in LimeSurvey before 1.82 allows remote atta ...)
	- limesurvey (bug #472802)
CVE-2009-1603 (src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used wit ...)
	- opensc 0.11.8 (high; bug #527640)
	[etch] - opensc (vulnerable code introduced in 0.11.7)
	[lenny] - opensc (vulnerable code introduced in 0.11.7)
	NOTE: checked code, public exponent set correctly in etch/lenny versions (CK_BYTE publicExponent[] = { 3 };)
CVE-2009-1602 (Pablo Software Solutions Quick 'n Easy Mail Server 3.3 allows remote a ...)
	NOT-FOR-US: Pablo Software
CVE-2009-1601 (The Ubuntu clamav-milter.init script in clamav-milter before 0.95.1+df ...)
	- clamav (Vulnerable code not present)
	NOTE: from what I see this code was never uploaded to the debian archive
CVE-2009-1600 (Apple Safari executes DOM calls in response to a javascript: URI in th ...)
	NOT-FOR-US: Apple Safari
CVE-2009-1599 (Opera executes DOM calls in response to a javascript: URI in the targe ...)
	NOT-FOR-US: Opera
CVE-2009-1598 (Google Chrome executes DOM calls in response to a javascript: URI in t ...)
	- chromium-browser (unimportant)
	- webkit (chrome-specific issue)
	NOTE: it sounds like a "researcher misconception bug" (as seemingly explained by Adobe) rather than a security issue
CVE-2009-1597 (Mozilla Firefox executes DOM calls in response to a javascript: URI in ...)
	- xulrunner (bug #565521)
	[wheezy] - xulrunner (no detailed information available)
CVE-2009-1596 (Ignite Realtime Openfire before 3.6.5 does not properly implement the ...)
	NOT-FOR-US: Openfire
CVE-2009-1595 (The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Real ...)
	NOT-FOR-US: Openfire
CVE-2009-XXXX [More file buffer overflows]
	- file 5.03-1 (bug #525820)
	[etch] - file (CDF code not yet present in 4.x)
	[lenny] - file (CDF code not yet present in 4.x)
CVE-2009-1594 (Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x ...)
	NOT-FOR-US: Armorlogic Profense Web Application Firewall
CVE-2009-1593 (Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x ...)
	NOT-FOR-US: Armorlogic Profense Web Application Firewall
CVE-2009-1592 (Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows r ...)
	NOT-FOR-US: ElectraSoft 32bit FTP
CVE-2009-1591 (CRLF injection vulnerability in CGI RESCUE Web Mailer before 1.04 allo ...)
	NOT-FOR-US: CGI RESCUE Web Mailer
CVE-2009-1590 (Unspecified vulnerability in CGI RESCUE FORM2MAIL before 1.42 allows r ...)
	NOT-FOR-US: CGI RESCUE FORM2MAIL
CVE-2009-1589 (Unspecified vulnerability in CGI RESCUE MiniBBS22 before 1.01 allows r ...)
	NOT-FOR-US: CGI RESCUE MiniBBS
CVE-2009-1588 (Cross-site scripting (XSS) vulnerability in CGI RESCUE MiniBBS 8t befo ...)
	NOT-FOR-US: CGI RESCUE MiniBBS
CVE-2009-XXXX [hex-a-hop: buffer overflow in loading save games]
	- hex-a-hop (unimportant; bug #528250)
	NOTE: That's a simple bug, it's silly to treat this as a security issue
CVE-2009-1587 (index.php in PHP Site Lock 2.0 allows remote attackers to bypass authe ...)
	NOT-FOR-US: PHP Site Lock
CVE-2009-1586 (Stack-based buffer overflow in the NZB importer feature in GrabIt 1.7. ...)
	NOT-FOR-US: GrabIt
CVE-2009-1585 (Multiple SQL injection vulnerabilities in TemaTres 1.031, when magic_q ...)
	NOT-FOR-US: TemaTres
CVE-2009-1584 (Multiple SQL injection vulnerabilities in TemaTres 1.0.3 and 1.031, wh ...)
	NOT-FOR-US: TemaTres
CVE-2009-1583 (Multiple cross-site scripting (XSS) vulnerabilities in TemaTres 1.0.3 ...)
	NOT-FOR-US: TemaTres
CVE-2009-1582 (Million Dollar Text Links 1.0 does not properly restrict administrator ...)
	NOT-FOR-US: Million Dollar Text Links
CVE-2009-1581 (functions/mime.php in SquirrelMail before 1.4.18 does not protect the ...)
	{DSA-1802-1}
	- squirrelmail 2:1.4.18-1 (low; bug #528528)
	NOTE: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13667
CVE-2009-1580 (Session fixation vulnerability in SquirrelMail before 1.4.18 allows re ...)
	{DSA-1802-1}
	- squirrelmail 2:1.4.18-1 (low; bug #528528)
	NOTE: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13676
CVE-2009-1579 (The map_yp_alias function in functions/imap_general.php in SquirrelMai ...)
	{DSA-1802-1}
	- squirrelmail 2:1.4.18-1 (medium; bug #528528)
	NOTE: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13674
	NOTE: doesn't affect every setup
CVE-2009-1578 (Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail be ...)
	{DSA-1802-1}
	- squirrelmail 2:1.4.18-1 (low; bug #528528)
	NOTE: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13670
CVE-2009-1577 (Multiple stack-based buffer overflows in the putstring function in fin ...)
	- cscope 15.6-1
CVE-2009-1576 (Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.1 ...)
	{DSA-1792-1}
	- drupal6 6.11-1 (bug #526378)
	- drupal5 5.17-1
CVE-2009-1575 (Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.17 and ...)
	{DSA-1792-1}
	- drupal6 6.11-1 (bug #526378)
	- drupal5 5.17-1
CVE-2009-1574 (racoon/isakmp_frag.c in ipsec-tools before 0.7.2 allows remote attacke ...)
	{DSA-1804-1}
	- ipsec-tools 1:0.7.1-1.4 (medium; bug #527634)
CVE-2009-1571 (Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0 ...)
	{DSA-1999-1}
	- xulrunner 1.9.1.8-1
	[etch] - xulrunner
	- iceape 2.0.3-1
	[lenny] - iceape (Lenny package only provides xpcom stubs)
	- icedove 3.0.2-1
CVE-2009-1570 (Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-re ...)
	- gimp 2.6.7-1.1 (medium; bug #555929)
CVE-2009-1569 (Multiple stack-based buffer overflows in Novell iPrint Client 4.38, 5. ...)
	NOT-FOR-US: Novell iPrint Client
CVE-2009-1568 (Stack-based buffer overflow in ienipp.ocx in Novell iPrint Client 5.30 ...)
	NOT-FOR-US: Novell iPrint Client
CVE-2009-1567 (Multiple stack-based buffer overflows in the Lateral Arts Photobox upl ...)
	NOT-FOR-US: ActiveX
CVE-2009-1566 (Integer overflow in Roxio Easy Media Creator 9.0.136, and Roxio Creato ...)
	NOT-FOR-US: Roxio Easy Media Creator
CVE-2009-1565 (vmnc.dll in the VMnc media codec in VMware Movie Decoder before 6.5.4 ...)
	NOT-FOR-US: VMware Movie Decoder
CVE-2009-1564 (Heap-based buffer overflow in vmnc.dll in the VMnc media codec in VMwa ...)
	NOT-FOR-US: VMware
CVE-2009-1563
	REJECTED
CVE-2009-1562
	RESERVED
CVE-2009-1561 (Cross-site request forgery (CSRF) vulnerability in administration.cgi ...)
	NOT-FOR-US: Cisco Linksys
CVE-2009-1560 (The Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 ...)
	NOT-FOR-US: Cisco Linksys
CVE-2009-1559 (Absolute path traversal vulnerability in adm/file.cgi on the Cisco Lin ...)
	NOT-FOR-US: Cisco Linksys
CVE-2009-1558 (Directory traversal vulnerability in adm/file.cgi on the Cisco Linksys ...)
	NOT-FOR-US: Cisco Linksys
CVE-2009-1557 (Multiple cross-site scripting (XSS) vulnerabilities on the Cisco Links ...)
	NOT-FOR-US: Cisco Linksys
CVE-2009-1556 (img/main.cgi on the Cisco Linksys WVC54GCA wireless video camera with ...)
	NOT-FOR-US: Cisco Linksys
CVE-2009-1555 (The Cisco Linksys WVC54GCA wireless video camera with firmware 1.00R22 ...)
	NOT-FOR-US: Cisco Linksys
CVE-2009-1554 (Cross-site scripting (XSS) vulnerability in ThemeServlet.java in Sun W ...)
	NOT-FOR-US: Sun Woodstock
CVE-2009-1553 (Multiple cross-site scripting (XSS) vulnerabilities in the Admin Conso ...)
	NOT-FOR-US: Sun GlassFish Enterprise Server
CVE-2009-1552 (Unspecified vulnerability in the IGMP driver in SCO Unixware Release 7 ...)
	NOT-FOR-US: SCO UnixWare
CVE-2009-1551 (Multiple PHP remote file inclusion vulnerabilities in Qt quickteam 2 a ...)
	NOT-FOR-US: Qt quickteam
CVE-2009-1550 (Zakkis Technology ABC Advertise 1.0 does not properly restrict access ...)
	NOT-FOR-US: Zakkis Technology ABC Advertise
CVE-2009-1549 (AGTC MyShop 3.2b allows remote attackers to bypass authentication and ...)
	NOT-FOR-US: AGTC MyShop
CVE-2009-1548 (SQL injection vulnerability in index.php in BluSky CMS allows remote a ...)
	NOT-FOR-US: BluSky CMS
CVE-2009-XXXX [prelude-manager: password world-readable]
	- prelude-manager (The postinst sets correct permissions, see bug #527344)
	NOTE: FEDORA-2009-3931 http://lwn.net/Articles/331612
CVE-2009-XXXX [bash-completion: does not properly quote characters]
	- bash-completion 200811xx~bzr1223 (bug #259987)
	NOTE: adding this reference to track the fact that this has already been addressed by debian security
	NOTE: fixed over a year ago in debian; but fedora finally got around to addressing the issue recently
	NOTE: FEDORA-2009-3639 http://lwn.net/Articles/331605
CVE-2009-1547 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-1546 (Integer overflow in Avifil32.dll in the Windows Media file handling fu ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1545 (Unspecified vulnerability in Avifil32.dll in the Windows Media file ha ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1544 (Double free vulnerability in the Workstation service in Microsoft Wind ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1543
	REJECTED
CVE-2009-1542 (The Virtual Machine Monitor (VMM) in Microsoft Virtual PC 2004 SP1, 20 ...)
	NOT-FOR-US: Microsoft
CVE-2009-1541
	REJECTED
CVE-2009-1540
	REJECTED
CVE-2009-1539 (The QuickTime Movie Parser Filter in quartz.dll in DirectShow in Micro ...)
	NOT-FOR-US: Microsoft DirectX
CVE-2009-1538 (The QuickTime Movie Parser Filter in quartz.dll in DirectShow in Micro ...)
	NOT-FOR-US: Microsoft DirectX
CVE-2009-1537 (Unspecified vulnerability in the QuickTime Movie Parser Filter in quar ...)
	NOT-FOR-US: Microsoft DirectX
CVE-2009-1536 (ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and S ...)
	NOT-FOR-US: Microsoft .NET Framework
CVE-2009-1535 (The WebDAV extension in Microsoft Internet Information Services (IIS) ...)
	NOT-FOR-US: IIS
CVE-2009-1534 (Buffer overflow in the Office Web Components ActiveX Control in Micros ...)
	NOT-FOR-US: Microsoft Office XP
CVE-2009-1533 (Buffer overflow in the Works for Windows document converters in Micros ...)
	NOT-FOR-US: Microsoft
CVE-2009-1532 (Microsoft Internet Explorer 8 for Windows XP SP2 and SP3; 8 for Server ...)
	NOT-FOR-US: Microsoft
CVE-2009-1531 (Microsoft Internet Explorer 7 for Windows XP SP2 and SP3; 7 for Server ...)
	NOT-FOR-US: Microsoft
CVE-2009-1530 (Use-after-free vulnerability in Microsoft Internet Explorer 7 for Wind ...)
	NOT-FOR-US: Microsoft
CVE-2009-1529 (Microsoft Internet Explorer 7 for Windows XP SP2 and SP3; 7 for Server ...)
	NOT-FOR-US: Microsoft
CVE-2009-1528 (Microsoft Internet Explorer 6 and 7 for Windows XP SP2 and SP3; 6 and ...)
	NOT-FOR-US: Microsoft
CVE-2009-1527 (Race condition in the ptrace_attach function in kernel/ptrace.c in the ...)
	- linux-2.6 2.6.29-5 (high)
	[etch] - linux-2.6 (vulnerable code introduced in 2.6.29)
	[lenny] - linux-2.6 (vulnerable code introduced in 2.6.29)
CVE-2009-1526 (JBMC Software DirectAdmin before 1.334 allows local users to create or ...)
	NOT-FOR-US: Directadmin
CVE-2009-1525 (CMD_DB in JBMC Software DirectAdmin before 1.334 allows remote authent ...)
	NOT-FOR-US: Directadmin
CVE-2009-1524 (Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1. ...)
	- jetty 6.1.19-1 (low; bug #527571)
CVE-2009-1523 (Directory traversal vulnerability in the HTTP server in Mort Bay Jetty ...)
	- jetty 6.1.19-1 (low; bug #528389)
CVE-2009-1522 (The IBM Tivoli Storage Manager (TSM) client 5.5.0.0 through 5.5.1.17 o ...)
	NOT-FOR-US: Tivoli
CVE-2009-1521 (Unspecified vulnerability in the Java GUI in the IBM Tivoli Storage Ma ...)
	NOT-FOR-US: Tivoli
CVE-2009-1520 (Buffer overflow in the Web GUI in the IBM Tivoli Storage Manager (TSM) ...)
	NOT-FOR-US: Tivoli
CVE-2009-XXXX [moin: XSS in AttachFile.py via attachments]
	- moin 1.8.3-1 (low; bug #526594)
	[lenny] - moin 1.7.1-3+lenny2
	[etch] - moin (Vulnerable code not present)
	NOTE: http://hg.moinmo.in/moin/1.8/rev/269a1fbc3ed7
	NOTE: CVE id requested
CVE-2009-1513 (Buffer overflow in the PATinst function in src/load_pat.cpp in libmodp ...)
	{DSA-1850-1}
	- libmodplug 1:0.8.7-1 (medium; bug #526084)
	- gst-plugins-bad0.10 (Vulnerable code not present; bug #527077)
	[etch] - libmodplug (Vulnerable code not present)
	NOTE: gst-plugins-bad0.10 in testing and unstable builds against an external libmodplug.
CVE-2009-1519 (Directory traversal vulnerability in index.php in Pecio CMS 1.1.5 allo ...)
	NOT-FOR-US: Pecio CMS
CVE-2009-1518 (Cross-site request forgery (CSRF) vulnerability in Beltane before 2.3. ...)
	NOT-FOR-US: Beltane
CVE-2009-1517 (Multiple insecure method vulnerabilities in the Symantec.EasySetup.1 A ...)
	NOT-FOR-US: ActiveX
CVE-2009-1516 (Stack-based buffer overflow in the IceWarpServer.APIObject ActiveX con ...)
	NOT-FOR-US: ActiveX
CVE-2009-1514 (Google Chrome 1.0.154.53 allows remote attackers to cause a denial of ...)
	- chromium-browser 5.0.375.38~r46659-1 (low)
	NOTE: the maximum impact of the proof of concept against WebKit is DoS only
CVE-2009-1573 (xvfb-run 1.6.1 in Debian GNU/Linux, Ubuntu, Fedora 10, and possibly ot ...)
	- xorg-server 2:1.6.1.901-3 (low; bug #526678)
	[etch] - xorg-server (minor issue)
	[lenny] - xorg-server (minor issue)
CVE-2009-1515 (Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c i ...)
	- file 5.02-1
	[lenny] - file (Vulnerable code not present)
	[etch] - file (Vulnerable code not present)
	NOTE: code introduced in 5.xx series
CVE-2009-1512 (Static code injection vulnerability in X-Forum 0.6.2 allows remote aut ...)
	NOT-FOR-US: X-Forum
CVE-2009-1511 (GDI+ in Microsoft Windows XP SP3 allows remote attackers to cause a de ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1510 (Multiple directory traversal vulnerabilities in KoschtIT Image Gallery ...)
	NOT-FOR-US: KoschtIT Image Gallery
CVE-2009-1509 (SQL injection vulnerability in ajaxp_backend.php in MyioSoft AjaxPorta ...)
	NOT-FOR-US: MyioSoft AjaxPortal
CVE-2009-1508 (SQL injection vulnerability in the xforum_validateUser function in Com ...)
	NOT-FOR-US: X-Forum
CVE-2009-1507 (The Node Access User Reference module 5.x before 5.x-2.0-beta4 and 6.x ...)
	NOT-FOR-US: Node Access User Reference module for Drupal
CVE-2009-1506 (SQL injection vulnerability in classes/Xp.php in eLitius 1.0 allows re ...)
	NOT-FOR-US: eLitius
CVE-2009-1505 (SQL injection vulnerability in the News Page module 5.x before 5.x-1.2 ...)
	NOT-FOR-US: News Page module for Drupal
CVE-2009-1504 (Absolute Form Processor XE 1.5 allows remote attackers to bypass authe ...)
	NOT-FOR-US: Absolute Form Processor XE
CVE-2009-1503 (Multiple SQL injection vulnerabilities in login.php in Tiger Document ...)
	NOT-FOR-US: Tiger Document Management System
CVE-2009-1502 (Directory traversal vulnerability in plugin.php in S-Cms 1.1 Stable an ...)
	NOT-FOR-US: S-Cms
CVE-2009-1501 (Cross-site scripting (XSS) vulnerability in the Exif module 5.x-1.x be ...)
	NOT-FOR-US: EXIF module for Drupal
CVE-2009-1500 (SQL injection vulnerability in index.php in ProjectCMS 1.0 Beta allows ...)
	NOT-FOR-US: ProjectCMS
CVE-2009-1499 (SQL injection vulnerability in the MailTo (aka com_mailto) component i ...)
	NOT-FOR-US: com_mailto component for Joomla!
CVE-2009-1498 (Directory traversal vulnerability in inc/profilemain.php in Game Maker ...)
	NOT-FOR-US: Game Maker 2k Internet Discussion Boards
CVE-2009-1497 (Stack-based buffer overflow in srt2smi.exe in Gretech Online Movie Pla ...)
	NOT-FOR-US: GOM Player
CVE-2009-1496 (Directory traversal vulnerability in the Cmi Marketplace (com_cmimarke ...)
	NOT-FOR-US: com_cmimarketplace component for Joomla!
CVE-2009-1495 (Web File Explorer 3.1 stores sensitive information under the web root ...)
	NOT-FOR-US: Web File Explorer
CVE-2009-1494 (The process_stat function in Memcached 1.2.8 discloses memory-allocati ...)
	- memcached 1.2.8-1 (low; bug #526554)
	[lenny] - memcached (Affected compile-time options not set)
	[etch] - memcached (Affected compile-time options not set)
CVE-2009-1493 (The customDictionaryOpen spell method in the JavaScript API in Adobe R ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-1492 (The getAnnots Doc method in the JavaScript API in Adobe Reader and Acr ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-1491 (McAfee GroupShield for Microsoft Exchange on Exchange Server 2000, and ...)
	NOT-FOR-US: McAfee GroupShield for Microsoft Exchange
CVE-2009-1490 (Heap-based buffer overflow in Sendmail before 8.13.2 allows remote att ...)
	- sendmail 8.13.2-0
CVE-2009-XXXX [samba: Account lockout doesn't work with an LDAP backend]
	- samba 2:3.2.6 (bug #514151)
	[lenny] - samba 2:3.2.5-4lenny1
	[etch] - samba (Bug not yet present in Etch's version)
CVE-2009-1572 (The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote atta ...)
	{DSA-1788-1}
	- quagga 0.99.11-2 (high; bug #526270)
	[lenny] - quagga 0.99.10-1lenny2
	[etch] - quagga (no AS4 code)
CVE-2009-1489 (includes/user.php in Fungamez RC1 allows remote attackers to bypass au ...)
	NOT-FOR-US: Fungamez
CVE-2009-1488 (Directory traversal vulnerability in admin/load.php in FunGamez RC1 al ...)
	NOT-FOR-US: Fungamez
CVE-2009-1487 (SQL injection vulnerability in pages/login.php in FunGamez RC1 allows ...)
	NOT-FOR-US: Fungamez
CVE-2009-1486 (Directory traversal vulnerability in pmscript.php in Flatchat 3.0 allo ...)
	NOT-FOR-US: Flatchat
CVE-2009-1485 (The logging feature in eMule Plus before 1.2e allows remote attackers ...)
	NOT-FOR-US: eMule Plus
CVE-2009-1484 (Cross-site scripting (XSS) vulnerability in the web mail interface fea ...)
	NOT-FOR-US: AXIGEN Mail Server
CVE-2009-1483 (Unrestricted file upload vulnerability in upload-file.php in Adam Patt ...)
	NOT-FOR-US: Adam Patterson Studio Lounge Address Book
CVE-2009-1482 (Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFi ...)
	{DSA-1791-1}
	- moin 1.8.3-1 (low; bug #526594)
	[etch] - moin (Not exploitable)
	NOTE: http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1
CVE-2009-1481 (SQL injection vulnerability in action.asp in PuterJam's Blog (PJBlog3) ...)
	NOT-FOR-US: PuterJam's Blog
CVE-2009-1480 (SQL injection vulnerability in index.php Pragyan CMS 2.6.4 allows remo ...)
	NOT-FOR-US: Pragyan CMS
CVE-2009-1479 (Directory traversal vulnerability in client/desktop/default.htm in Box ...)
	NOT-FOR-US: Boxalino
CVE-2009-1478 (Multiple unspecified vulnerabilities in the DTrace ioctl handlers in S ...)
	NOT-FOR-US: Solaris
CVE-2009-1477 (The https web interfaces on the ATEN KH1516i IP KVM switch with firmwa ...)
	NOT-FOR-US: ATEN IP KVM Switch
CVE-2009-1476 (Buffer overflow in lib/load_http.c in ippool in Darren Reed IPFilter ( ...)
	NOT-FOR-US: IPFilter
CVE-2009-1475
	RESERVED
CVE-2009-1474 (The ATEN KH1516i IP KVM switch with firmware 1.0.063 and the KN9116 IP ...)
	NOT-FOR-US: ATEN IP KVM Switch
CVE-2009-1473 (The (1) Windows and (2) Java client programs for the ATEN KH1516i IP K ...)
	NOT-FOR-US: ATEN IP KVM Switch
CVE-2009-1472 (The Java client program for the ATEN KH1516i IP KVM switch with firmwa ...)
	NOT-FOR-US: ATEN IP KVM Switch
CVE-2009-1471
	RESERVED
CVE-2009-1470
	RESERVED
CVE-2009-1469 (CRLF injection vulnerability in the Forgot Password implementation in ...)
	NOT-FOR-US: IceWarp
CVE-2009-1468 (Multiple SQL injection vulnerabilities in the search form in server/we ...)
	NOT-FOR-US: IceWarp
CVE-2009-1467 (Multiple cross-site scripting (XSS) vulnerabilities in IceWarp eMail S ...)
	NOT-FOR-US: IceWarp
CVE-2009-1466 (Application Access Server (A-A-S) 2.0.48 stores (1) passwords and (2) ...)
	NOT-FOR-US: Application Access Server (A-A-S)
CVE-2009-1465 (Application Access Server (A-A-S) 2.0.48 has "wildbat" as its default ...)
	NOT-FOR-US: Application Access Server (A-A-S)
CVE-2009-1464 (Multiple cross-site request forgery (CSRF) vulnerabilities in index.aa ...)
	NOT-FOR-US: Application Access Server (A-A-S)
CVE-2009-1463 (Static code injection vulnerability in razorCMS before 0.4 allows remo ...)
	NOT-FOR-US: razorCMS
CVE-2009-1462 (The Security Manager in razorCMS before 0.4 does not verify the permis ...)
	NOT-FOR-US: razorCMS
CVE-2009-1461 (Cross-site scripting (XSS) vulnerability in the Create New Page form i ...)
	NOT-FOR-US: razorCMS
CVE-2009-1460 (razorCMS before 0.4 uses weak permissions for (1) admin/core/admin_con ...)
	NOT-FOR-US: razorCMS
CVE-2009-1459 (Cross-site request forgery (CSRF) vulnerability in razorCMS before 0.4 ...)
	NOT-FOR-US: razorCMS
CVE-2009-1458 (Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php ...)
	NOT-FOR-US: razorCMS
CVE-2009-1457 (Cross-site scripting (XSS) vulnerability in player.php in Nuke Evoluti ...)
	NOT-FOR-US: Nuke Evolution Xtreme
CVE-2009-1456 (Directory traversal vulnerability in admin.php in Malleo 1.2.3 allows ...)
	NOT-FOR-US: Malleo
CVE-2009-1455 (Multiple cross-site request forgery (CSRF) vulnerabilities in WebColla ...)
	NOT-FOR-US: WebCollab
CVE-2009-1454 (Cross-site scripting (XSS) vulnerability in tasks.php in WebCollab bef ...)
	NOT-FOR-US: WebCollab
CVE-2009-1453 (SQL injection vulnerability in class.eport.php in Tiny Blogr 1.0.0 rc4 ...)
	NOT-FOR-US: Tiny Blogr
CVE-2009-1452 (Multiple PHP remote file inclusion vulnerabilities in theme/format.php ...)
	NOT-FOR-US: SMA-DB
CVE-2009-1451 (Cross-site scripting (XSS) vulnerability in startpage.php in SMA-DB 0. ...)
	NOT-FOR-US: SMA-DB
CVE-2009-1450 (PHP remote file inclusion vulnerability in format.php in SMA-DB 0.3.12 ...)
	NOT-FOR-US: SMA-DB
CVE-2009-1449 (Stack-based buffer overflow in PortableApps CoolPlayer Portable (aka C ...)
	NOT-FOR-US: CoolPlayer
CVE-2009-1448 (Cross-site scripting (XSS) vulnerability in apricot.php in LovPop.net ...)
	NOT-FOR-US: LovPop.net
CVE-2009-1447 (Unrestricted file upload vulnerability in admin/editor/image.php in e- ...)
	NOT-FOR-US: e-cart.biz Free Shopping Car
CVE-2009-1446 (Unrestricted file upload vulnerability in upload.php in Elkagroup Imag ...)
	NOT-FOR-US: Elkagroup Image Gallery
CVE-2009-1445 (Multiple directory traversal vulnerabilities in WebPortal CMS 0.8-beta ...)
	NOT-FOR-US: WebPortal CMS
CVE-2009-1444 (PHP remote file inclusion vulnerability in indexk.php in WebPortal CMS ...)
	NOT-FOR-US: WebPortal CMS
CVE-2009-1443 (Multiple unspecified vulnerabilities in the Server component in OCS In ...)
	- ocsinventory-server 1.02-1 (unimportant)
	NOTE: Only supported in trusted environments, see debtags
CVE-2009-1442 (Multiple integer overflows in Skia, as used in Google Chrome 1.x befor ...)
	NOT-FOR-US: skia
CVE-2009-1441 (Heap-based buffer overflow in the ParamTraits<SkBitmap>::Read fu ...)
	- chromium-browser (Only 1.x is affected)
	- webkit (chrome-specific issue)
CVE-2009-1439 (Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.2 ...)
	{DSA-1800-1 DSA-1794-1 DSA-1787-1}
	- linux-2.6 2.6.29-2 (bug #523365)
	- linux-2.6.24
CVE-2009-1438 (Integer overflow in the CSoundFile::ReadMed function (src/load_med.cpp ...)
	{DSA-1851-1 DSA-1850-1}
	- libmodplug 1:0.8.7-1 (low; bug #526657; bug #527076)
	- gst-plugins-bad0.10 0.10.10.2-1 (bug #527075)
	NOTE: gstreamer in unstable dynamically linked to external libmodplug
CVE-2009-1437 (Stack-based buffer overflow in PortableApps CoolPlayer Portable (aka C ...)
	NOT-FOR-US: CoolPlayer
CVE-2009-1436 (The db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PREREL ...)
	- kfreebsd-7 (Debian/kfreebsd uses glibc)
CVE-2009-1435 (NTRtScan.exe in Trend Micro OfficeScan Client 8.0 SP1 and 8.0 SP1 Patc ...)
	NOT-FOR-US: Trend Micro OfficeScan
CVE-2009-1434 (Cross-site request forgery (CSRF) vulnerability in Foswiki before 1.0. ...)
	- foswiki (bug #509864)
CVE-2009-1433 (SQL injection vulnerability in File::find (filesystem/File.php) in Sil ...)
	NOT-FOR-US: SilverStripe
CVE-2009-1432 (Symantec Reporting Server, as used in Symantec AntiVirus (SAV) Corpora ...)
	NOT-FOR-US: Symantec
CVE-2009-1431 (XFR.EXE in the Intel File Transfer service in the console in Symantec ...)
	NOT-FOR-US: Symantec
CVE-2009-1430 (Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Or ...)
	NOT-FOR-US: Symantec
CVE-2009-1429 (The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management ...)
	NOT-FOR-US: Symantec
CVE-2009-1428 (Multiple cross-site scripting (XSS) vulnerabilities in ccLgView.exe in ...)
	NOT-FOR-US: Symantec
CVE-2009-1427 (Unspecified vulnerability in HP-UX B.11.31 allows local users to cause ...)
	NOT-FOR-US: HP-UX
CVE-2009-1426 (Unspecified vulnerability on HP ProLiant DL and ML 100 Series G5, G5p, ...)
	NOT-FOR-US: HP ProLiant
CVE-2009-1425 (Unspecified vulnerability in HP ProCurve Threat Management Services zl ...)
	NOT-FOR-US: HP ProCurve
CVE-2009-1424 (Unspecified vulnerability in HP ProCurve Threat Management Services zl ...)
	NOT-FOR-US: HP ProCurve
CVE-2009-1423 (Unspecified vulnerability in HP ProCurve Threat Management Services zl ...)
	NOT-FOR-US: HP ProCurve
CVE-2009-1422 (Unspecified vulnerability in HP ProCurve Threat Management Services zl ...)
	NOT-FOR-US: HP ProCurve
CVE-2009-1421 (Unspecified vulnerability in NFS / ONCplus B.11.31_06 and B.11.31_07 o ...)
	NOT-FOR-US: ONCplus on HP HP-UX
CVE-2009-1420 (Stack-based buffer overflow in rping in HP OpenView Network Node Manag ...)
	NOT-FOR-US: HP OpenView Network Node Manager
CVE-2009-1419 (Unspecified vulnerability in HP Discovery & Dependency Mapping Inv ...)
	NOT-FOR-US: HP Discovery & Dependency Mapping Inventory
CVE-2009-1418 (Cross-site scripting (XSS) vulnerability in HP System Management Homep ...)
	NOT-FOR-US: HP System Management Homepage
CVE-2009-1417 (gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and e ...)
	- gnutls26 2.6.6-1 (low; bug #528281)
	[lenny] - gnutls26 (Minor issue, explicitly labeled as a test program)
	- gnutls13
	[etch] - gnutls13 (Minor issue, explicitly labeled as a test program)
CVE-2009-1416 (lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates R ...)
	- gnutls26 2.6.6-1 (medium)
	- gnutls13
	[lenny] - gnutls26 (Vulnerable code not present, only affects 2.6.x)
	[etch] - gnutls13 (Vulnerable code not present, only affects 2.6.x)
CVE-2009-1415 (lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not proper ...)
	- gnutls26 2.6.6-1 (medium)
	- gnutls13
	[lenny] - gnutls26 (Vulnerable code not present)
	[etch] - gnutls26 (Vulnerable code not present)
	[etch] - gnutls13 (Vulnerable code not present, only affects 2.6.x)
CVE-2009-1414 (Google Chrome 2.0.x lets modifications to the global object persist ac ...)
	- chromium-browser (Only 2.x is affected)
	- webkit (doesn't have a 'chromehtml' handler)
CVE-2009-1413 (Google Chrome 1.0.x does not cancel timeouts upon a page transition, w ...)
	- chromium-browser (Only 1.x is affected)
	- webkit (doesn't have a 'chromehtml' handler)
CVE-2009-1412 (Argument injection vulnerability in the chromehtml: protocol handler i ...)
	- chromium-browser (Only 1.x is affected)
	- webkit (doesn't have a 'chromehtml' handler)
CVE-2009-XXXX [iodine: DoS against iodined triggerable by authenticated users]
	- iodine 0.5.1 (low)
	[lenny] - iodine 0.4.2-2~lenny1
CVE-2009-XXXX [ntop: access.log permissions]
	- ntop (Fedora-specific configuration issue; Debian package not affected)
	NOTE: bug #524801 (http://bugs.debian.org/524801)
CVE-2009-1402
	RESERVED
CVE-2009-1401
	RESERVED
CVE-2009-1400
	RESERVED
CVE-2009-1399
	RESERVED
CVE-2009-1398
	RESERVED
CVE-2009-1397
	RESERVED
CVE-2009-1396
	RESERVED
CVE-2009-1395
	RESERVED
CVE-2009-1394 (Stack-based buffer overflow in Motorola Timbuktu Pro 8.6.5 on Windows ...)
	NOT-FOR-US: Motorola Timbuktu Pro
CVE-2009-1393
	RESERVED
CVE-2009-1392 (The browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird bef ...)
	{DSA-1830-1 DSA-1820-1}
	- xulrunner 1.9.0.11-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
CVE-2009-1391 (Off-by-one error in the inflate function in Zlib.xs in Compress::Raw:: ...)
	- perl 5.10.0-23 (low; bug #532736)
	[etch] - perl (Doesn't yet include Compress-Raw-Zlib)
	- libcompress-raw-zlib-perl 2.015-2 (low; bug #532738)
	[lenny] - libcompress-raw-zlib-perl 2.012-1lenny1
	[lenny] - perl 5.10.0-19lenny1
CVE-2009-1390 (Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTL ...)
	- mutt 1.5.20-1
	[lenny] - mutt (Affected code was introduced in 1.5.19)
	[etch] - mutt (Affected code was introduced in 1.5.19)
	[squeeze] - mutt (Affected code was introduced in 1.5.19)
CVE-2009-1389 (Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the ...)
	{DSA-1865-1 DSA-1844-1}
	- linux-2.6 2.6.26-16 (high; bug #532376)
	- linux-2.6.24
	NOTE: potential for kernel memory corruption by remote attacker
CVE-2009-1388 (The ptrace_start function in kernel/ptrace.c in the Linux kernel 2.6.1 ...)
	- linux-2.6 (problem in redhat-specific kernel patches)
	- linux-2.6.24 (problem in redhat-specific kernel patches)
CVE-2009-1387 (The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in Open ...)
	- openssl 0.9.8k-2 (low; bug #532037)
	[lenny] - openssl 0.9.8g-15+lenny3
	[etch] - openssl 0.9.8c-4etch9
	- openssl097 (DTLS support was introduced in 0.9.8)
CVE-2009-1386 (ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause ...)
	- openssl 0.9.8k-1 (low; bug #532037)
	[lenny] - openssl 0.9.8g-15+lenny3
	[etch] - openssl 0.9.8c-4etch9
	- openssl097 (DTLS support was introduced in 0.9.8)
CVE-2009-1385 (Integer underflow in the e1000_clean_rx_irq function in drivers/net/e1 ...)
	{DSA-1865-1 DSA-1844-1}
	- linux-2.6 2.6.26-16 (low; bug #532721)
	- linux-2.6.24
CVE-2009-1384 (pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RH ...)
	- libpam-krb5 (different code base than Debian's libpam-krb5)
CVE-2009-1383 (The getdirective function in mathtex.cgi in mathTeX, when downloaded b ...)
	- mathtex 1.03-1 (medium; bug #537258)
CVE-2009-1382 (Multiple stack-based buffer overflows in mimetex.cgi in mimeTeX, when ...)
	{DSA-1917-1}
	- mimetex 1.50-1.1 (medium; bug #537254)
CVE-2009-1381 (The map_yp_alias function in functions/imap_general.php in SquirrelMai ...)
	{DSA-1802-2}
	- squirrelmail 2:1.4.19-1
CVE-2009-1380 (Cross-site scripting (XSS) vulnerability in JMX-Console in JBossAs in ...)
	- jbossas4 4.2.2.GA-1 (bug #562000)
	[lenny] - jbossas4 (Contrib not supported)
CVE-2009-1379 (Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment f ...)
	- openssl 0.9.8k-1 (low; bug #530400)
	[lenny] - openssl 0.9.8g-15+lenny3
	[etch] - openssl 0.9.8c-4etch9
	- openssl097 (DTLS support was introduced in 0.9.8)
CVE-2009-1378 (Multiple memory leaks in the dtls1_process_out_of_seq_message function ...)
	- openssl 0.9.8k-1 (low; bug #530400)
	[lenny] - openssl 0.9.8g-15+lenny3
	[etch] - openssl 0.9.8c-4etch9
	- openssl097 (DTLS support was introduced in 0.9.8)
CVE-2009-1377 (The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and ...)
	- openssl 0.9.8k-1 (low; bug #530400)
	[lenny] - openssl 0.9.8g-15+lenny3
	[etch] - openssl 0.9.8c-4etch9
	- openssl097 (DTLS support was introduced in 0.9.8)
CVE-2009-1376 (Multiple integer overflows in the msn_slplink_process_msg functions in ...)
	{DSA-1805-1}
	- pidgin 2.5.6-1
	- gaim
	[lenny] - gaim (Only a transitional package)
CVE-2009-1375 (The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before 2 ...)
	{DSA-1805-1}
	- pidgin 2.5.6-1
	- gaim
	[lenny] - gaim (Only a transitional package)
CVE-2009-1374 (Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim) ...)
	- pidgin 2.5.6-1
	[lenny] - pidgin (QQ support not yet present)
	- gaim (QQ support not yet present)
CVE-2009-1373 (Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin (former ...)
	{DSA-1805-1}
	- pidgin 2.5.6-1
	- gaim
	[lenny] - gaim (Only a transitional package)
CVE-2009-1365 (Unspecified vulnerability in Adobe Flash Media Server (FMS) before 3.0 ...)
	NOT-FOR-US: Adobe Flash Media Server
CVE-2009-1364 (Use-after-free vulnerability in the embedded GD library in libwmf 0.2. ...)
	{DSA-1796-1}
	- libwmf 0.2.8.4-6.1 (low; bug #526434)
CVE-2009-1363
	RESERVED
CVE-2009-1360 (The __inet6_check_established function in net/ipv6/inet6_hashtables.c ...)
	- linux-2.6 2.6.29-1 (low; bug #529342)
	[etch] - linux-2.6 (Introduced in 2.6.27)
	[lenny] - linux-2.6 (Introduced in 2.6.27)
	- linux-2.6.24 (Introduced in 2.6.27)
CVE-2009-1411 (SQL injection vulnerability in events/inc/events.inc.php in the Events ...)
	NOT-FOR-US: Seditio CMS
CVE-2009-1410 (SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows ...)
	NOT-FOR-US: Quick.Cms.Lite
CVE-2009-1409 (SQL injection vulnerability in usersettings.php in e107 0.7.15 and ear ...)
	NOT-FOR-US: e107
CVE-2009-1408 (Cross-site scripting (XSS) vulnerability in webSPELL 4.2.0c allows rem ...)
	NOT-FOR-US: webSPELL
CVE-2009-1407 (Directory traversal vulnerability in config.php in NotFTP 1.3.1 allows ...)
	NOT-FOR-US: NotFTP
CVE-2009-1406 (Directory traversal vulnerability in cms_detect.php in TotalCalendar 2 ...)
	NOT-FOR-US: TotalCalendar
CVE-2009-1405 (Directory traversal vulnerability in index.php in PastelCMS 0.8.0, whe ...)
	NOT-FOR-US: PastelCMS
CVE-2009-1404 (SQL injection vulnerability in admin.php in PastelCMS 0.8.0, when magi ...)
	NOT-FOR-US: PastelCMS
CVE-2009-1403 (SQL injection vulnerability in product_info.php in CRE Loaded 6.2 allo ...)
	NOT-FOR-US: CRE Loaded
CVE-2009-1370 (Stack-based buffer overflow in ape_plugin.plg in Xilisoft Video Conver ...)
	NOT-FOR-US: Xilisoft Video Converter
CVE-2009-1369 (moziloCMS 1.11 allows remote attackers to obtain sensitive information ...)
	NOT-FOR-US: moziloCMS
CVE-2009-1368 (Directory traversal vulnerability in index.php in moziloCMS 1.11 allow ...)
	NOT-FOR-US: moziloCMS
CVE-2009-1367 (Cross-site scripting (XSS) vulnerability in index.php in moziloCMS 1.1 ...)
	NOT-FOR-US: moziloCMS
CVE-2009-1366 (Cross-site scripting (XSS) vulnerability in Website\admin\Sales\paypal ...)
	NOT-FOR-US: DotNetNuke
CVE-2009-1362 (SQL injection vulnerability in administration/index.php in chCounter 3 ...)
	NOT-FOR-US: chCounter
CVE-2009-1361 (dig.php in GScripts.net DNS Tools allows remote attackers to execute a ...)
	NOT-FOR-US: GScripts.net DNS Tools
CVE-2009-1359 (Unspecified vulnerability in the SCTP sockets implementation in Sun Op ...)
	NOT-FOR-US: Sun OpenSolaris
CVE-2009-1357 (CRLF injection vulnerability in da/DA/Login in Sun Java System Delegat ...)
	NOT-FOR-US: Sun Java System Delegated Administrator
CVE-2009-1356 (Stack-based buffer overflow in Elecard AVC HD Player allows remote att ...)
	NOT-FOR-US: Elecard AVC HD Player
CVE-2009-1355 (Stack-based buffer overflow in muxatmd in IBM AIX 5.2, 5.3, and 6.1 al ...)
	NOT-FOR-US: IBM AIX
CVE-2009-1354 (Directory traversal vulnerability in Mongoose 2.4 allows remote attack ...)
	NOT-FOR-US: Mongoose
CVE-2009-1353 (Buffer overflow in the http_parse_hex function in libz/misc.c in Zervi ...)
	NOT-FOR-US: Zervit Webserver
CVE-2009-1352 (Stack-based buffer overflow in Dawningsoft PowerCHM 5.7 allows remote ...)
	NOT-FOR-US: PowerCHM
CVE-2009-1351 (Heap-based buffer overflow in Apollo 37zz allows remote attackers to c ...)
	NOT-FOR-US: Apollo 37zz
CVE-2009-1350 (Unspecified vulnerability in xtagent.exe in Novell NetIdentity Client ...)
	NOT-FOR-US: Novell NetIdentity Client
CVE-2009-1349 (Cross-site scripting (XSS) vulnerability in C2Net Stronghold 2.3 allow ...)
	NOT-FOR-US: C2Net Stronghold
CVE-2009-1358 (apt-get in apt before 0.7.21 does not check for the correct error code ...)
	{DSA-1779-1 DTSA-199-1}
	- apt 0.7.21 (bug #433091)
CVE-2009-1440 (Incomplete blacklist vulnerability in DownloadListCtrl.cpp in amule 2. ...)
	{DSA-1821-1}
	- amule 2.2.5-1.1 (low; bug #525078)
	[etch] - amule (Doesn't support preview of complete files, which is the vulnerable part)
CVE-2009-1348 (The AV engine before DAT 5600 in McAfee VirusScan, Total Protection, I ...)
	NOT-FOR-US: Various AV junk
CVE-2009-1347 (Multiple SQL injection vulnerabilities in stats/index.php in chCounter ...)
	NOT-FOR-US: chCounter
CVE-2009-1346 (SQL injection vulnerability in publico/ficha.php in NetHoteles 3.0 all ...)
	NOT-FOR-US: NetHoteles
CVE-2009-1345 (SQL injection vulnerability in document.php in cpCommerce 1.2.8 allows ...)
	NOT-FOR-US: cpCommerce
CVE-2009-1344 (Cross-site scripting (XSS) vulnerability in the Localization client mo ...)
	NOT-FOR-US: Localization client for drupal
CVE-2009-1343 (Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e- ...)
	NOT-FOR-US: Print module for Drupal
CVE-2009-1342 (Cross-site scripting (XSS) vulnerability in the CCK comment reference ...)
	NOT-FOR-US: CCK comment module for Drupal
CVE-2009-XXXX [git-core in Debian has non-root-owned files under /usr]
	- git-core 1:1.6.2.1-1 (bug #516669)
	[lenny] - git-core 1:1.5.6.5-3+lenny3.2
	NOTE: fixed accidentally through spu
CVE-2009-1341 (Memory leak in the dequote_bytea function in quote.c in the DBD::Pg (a ...)
	{DSA-1780-1}
	- libdbd-pg-perl 2.1.3-1
CVE-2009-1340
	RESERVED
CVE-2009-1339 (Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.1 ...)
	- twiki (bug #526258)
	NOTE: We should probably request removal from unstable, replaced by foswiki
CVE-2009-1338 (The kill_something_info function in kernel/signal.c in the Linux kerne ...)
	{DSA-1800-1 DSA-1787-1}
	- linux-2.6 2.6.29-1
	[etch] - linux-2.6 (Vulnerable code not present)
CVE-2009-1337 (The exit_notify function in kernel/exit.c in the Linux kernel before 2 ...)
	{DSA-1800-1 DSA-1794-1 DSA-1787-1}
	- linux-2.6 2.6.29-5
	- linux-2.6.24
CVE-2009-1336 (fs/nfs/client.c in the Linux kernel before 2.6.23 does not properly in ...)
	{DSA-1794-1}
	- linux-2.6 2.6.23-1
	[etch] - linux-2.6 (Vulnerable code not present)
CVE-2009-1335 (Microsoft Internet Explorer 7 and 8 on Windows XP and Vista allows rem ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-1334 (Cross-site scripting (XSS) vulnerability in login/FilepathLogin.html i ...)
	NOT-FOR-US: IBM Tivoli Continuous Data Protection
CVE-2009-1333 (Cross-site scripting (XSS) vulnerability in refresh_rate.htm in the we ...)
	NOT-FOR-US: HP Deskjet
CVE-2009-1332 (The Online Help feature in Sun Java System Directory Server 5.2 and En ...)
	NOT-FOR-US: Sun Java System Directory Server
CVE-2009-1331 (Integer overflow in Microsoft Windows Media Player (WMP) 11.0.5721.526 ...)
	NOT-FOR-US: Windows Media Player
CVE-2009-XXXX [pptp-linux: unrestrictive pptpsetup permissions]
	- pptp-linux 1.7.2-3 (low; bug #523476)
	[lenny] - pptp-linux (Minor issue)
	[etch] - pptp-linux (Minor issue)
CVE-2009-1330 (Stack-based buffer overflow in Easy RM to MP3 Converter allows remote ...)
	NOT-FOR-US: Easy RM to MP3 Converter
CVE-2009-1329 (Stack-based buffer overflow in Mini-stream Shadow Stream Recorder 3.0. ...)
	NOT-FOR-US: Mini-stream
CVE-2009-1328 (Stack-based buffer overflow in Mini-stream RM-MP3 Converter 3.0.0.7 al ...)
	NOT-FOR-US: Mini-stream
CVE-2009-1327 (Stack-based buffer overflow in Mini-stream WM Downloader 3.0.0.9 allow ...)
	NOT-FOR-US: Mini-stream
CVE-2009-1326 (Stack-based buffer overflow in Mini-stream RM Downloader 3.0.0.9 allow ...)
	NOT-FOR-US: Mini-stream
CVE-2009-1325 (Stack-based buffer overflow in Mini-stream Ripper 3.0.1.1 allows remot ...)
	NOT-FOR-US: Mini-stream
CVE-2009-1324 (Stack-based buffer overflow in Mini-stream ASX to MP3 Converter 3.0.0. ...)
	NOT-FOR-US: Mini-stream
CVE-2009-1323 (SQL injection vulnerability in body.asp in Web File Explorer 3.1 allow ...)
	NOT-FOR-US: Web File Explorer
CVE-2009-1322 (ASP Product Catalog 1.0 stores sensitive information under the web roo ...)
	NOT-FOR-US: ASP Product Catalog
CVE-2009-1321 (Cross-site scripting (XSS) vulnerability in search.asp in ASP Product ...)
	NOT-FOR-US: ASP Product Catalog
CVE-2009-1320 (Multiple cross-site scripting (XSS) vulnerabilities in include/zstore. ...)
	NOT-FOR-US: Zazzle Store Builder
CVE-2009-1319 (Directory traversal vulnerability in includes/ini.inc.php in GuestCal ...)
	NOT-FOR-US: GuestCal
CVE-2009-1318 (Directory traversal vulnerability in index.php in Jamroom 3.1.2, 3.2.3 ...)
	NOT-FOR-US: Jamroom
CVE-2009-1317 (Multiple SQL injection vulnerabilities in Aqua CMS 1.1, when magic_quo ...)
	NOT-FOR-US: Aqua CMS
CVE-2009-1316 (Multiple SQL injection vulnerabilities in AbleSpace 1.0 allow remote a ...)
	NOT-FOR-US: AbleSpace
CVE-2009-1315 (Multiple cross-site scripting (XSS) vulnerabilities in AbleSpace 1.0 a ...)
	NOT-FOR-US: Ablespace
CVE-2009-1314 (body.asp in Web File Explorer 3.1 allows remote attackers to create ar ...)
	NOT-FOR-US: Web File Explorer
CVE-2009-1313 (The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameTh ...)
	- xulrunner 1.9.0.10-1 (low)
	[etch] - xulrunner (introduced in 1.9.0.9)
	[lenny] - xulrunner (introduced in 1.9.0.9)
CVE-2009-1312 (Mozilla Firefox before 3.0.9 and SeaMonkey 1.1.17 do not block javascr ...)
	{DSA-1797-1}
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- kompozer (unimportant)
	NOTE: kompozer shares the browser engine with Firefox, but JavaScript is not enabled
CVE-2009-1311 (Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-as ...)
	{DSA-1797-1}
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- kompozer 1:0.8~alpha2+dfsg+svn129-3
CVE-2009-1310 (Cross-site scripting (XSS) vulnerability in the MozSearch plugin imple ...)
	{DSA-1886-1}
	- iceweasel 3.0.9-1
	[etch] - iceweasel (Etch Packages no longer covered by security support)
CVE-2009-1309 (Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not proper ...)
	{DSA-1797-1}
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- kompozer (unimportant)
	NOTE: kompozer shares the browser engine with Firefox, but JavaScript is not enabled
CVE-2009-1308 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0 ...)
	{DSA-1797-1}
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1307 (The view-source: URI implementation in Mozilla Firefox before 3.0.9, T ...)
	{DSA-1830-1 DSA-1797-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1306 (The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbi ...)
	{DSA-1797-1}
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1305 (The JavaScript engine in Mozilla Firefox before 3.0.9, Thunderbird bef ...)
	{DSA-1797-1}
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- kompozer (unimportant)
	NOTE: kompozer shares the browser engine with Firefox, but JavaScript is not enabled
CVE-2009-1304 (The JavaScript engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird ...)
	{DSA-1797-1}
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1303 (The browser engine in Mozilla Firefox before 3.0.9, Thunderbird before ...)
	{DSA-1830-1 DSA-1797-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1302 (The browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird be ...)
	{DSA-1830-1 DSA-1797-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-1301 (Integer signedness error in the store_id3_text function in the ID3v2 c ...)
	- mpg123 1.7.2-1 (low)
	[etch] - mpg123 (Minor issue)
	[lenny] - mpg123 (Minor issue)
	NOTE: http://secunia.com/advisories/34587/3/
	NOTE: Unlike Secunia states, I can't see that this allows code execution; it is just an invalid read
	NOTE: crashing the application
CVE-2009-1300 (apt 0.7.20 does not check when the date command returns an "invalid da ...)
	{DSA-1779-1 DTSA-199-1}
	- apt 0.7.21 (bug #523213)
CVE-2009-1299 (The pa_make_secure_dir function in core-util.c in PulseAudio 0.9.10 an ...)
	{DSA-2017-1}
	- pulseaudio 0.9.21-1.1 (bug #573615)
CVE-2009-1298 (The ip_frag_reasm function in net/ipv4/ip_fragment.c in the Linux kern ...)
	{DTSA-204-1}
	- linux-2.6 2.6.32-1 (low)
	[etch] - linux-2.6 (introduced in 2.6.29)
	[lenny] - linux-2.6 (introduced in 2.6.29)
	- linux-2.6.24 (introduced in 2.6.29)
CVE-2009-1297 (iscsi_discovery in open-iscsi in SUSE openSUSE 10.3 through 11.1 and S ...)
	- open-iscsi 2.0.871-1 (low; bug #547011)
	[lenny] - open-iscsi 2.0.870~rc3-0.4.1
	[etch] - open-iscsi (Vulnerable script not yet present)
CVE-2009-1296 (The eCryptfs support utilities (ecryptfs-utils) 73-0ubuntu6.1 on Ubunt ...)
	- ecryptfs-utils 75-2 (unimportant; bug #532372)
	NOTE: this is a non-issue as the Debian installer doesn't support per-user
	NOTE: encrypted home directories with ecryptfs, so no passphrase is stored in the
	NOTE: installer logs on disk
CVE-2009-1295 (Apport before 0.108.4 on Ubuntu 8.04 LTS, before 0.119.2 on Ubuntu 8.1 ...)
	NOT-FOR-US: Apport
CVE-2009-1294 (Multiple cross-site scripting (XSS) vulnerabilities in web/guest/home ...)
	NOT-FOR-US: Novell Teaming
CVE-2009-1293 (The web login functionality (c/portal/login) in Novell Teaming 1.0 thr ...)
	NOT-FOR-US: Novell Teaming
CVE-2009-1292 (UCM-CQ in IBM Rational ClearCase 7.0.0.x before 7.0.0.5, 7.0.1.x befor ...)
	NOT-FOR-US: ClearCase
CVE-2009-1371 (The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95. ...)
	{DSA-1771-1}
	- clamav 0.95.1+dfsg-1
	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=1552
CVE-2009-1372 (Stack-based buffer overflow in the cli_url_canon function in libclamav ...)
	- clamav 0.95.1+dfsg-1
	[etch] - clamav (vulnerable code not present)
	[lenny] - clamav (vulnerable code not present)
	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=1552
CVE-2009-1291 (Stack-based buffer overflow in TIBCO SmartSockets before 6.8.2, SmartS ...)
	NOT-FOR-US: SmartSockets
CVE-2009-1290 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...)
	NOT-FOR-US: IBM BladeCenter
CVE-2009-1289 (private/login.ssi in the Advanced Management Module (AMM) on the IBM B ...)
	NOT-FOR-US: IBM BladeCenter
CVE-2009-1288 (Multiple cross-site scripting (XSS) vulnerabilities in the Advanced Ma ...)
	NOT-FOR-US: IBM BladeCenter
CVE-2009-1287 (Cross-site scripting (XSS) vulnerability in Cisco Subscriber Edge Serv ...)
	NOT-FOR-US: Cisco Subscriber Edge Services Manager
CVE-2009-1286 (The IMAP task in the server in IBM Lotus Domino 8.0.2 before FP1 IF1 a ...)
	NOT-FOR-US: IBM Lotus Domino
CVE-2009-1285 (Static code injection vulnerability in the getConfigFile function in s ...)
	- phpmyadmin 4:3.1.3.2-1 (unimportant; bug #524804)
	[etch] - phpmyadmin (Vulnerable code not present)
	[lenny] - phpmyadmin (Vulnerable code not present)
CVE-2009-1284 (Buffer overflow in BibTeX 0.99 allows context-dependent attackers to c ...)
	- texlive-bin 2009-1 (low; bug #520920)
	[etch] - texlive-bin (Minor issue)
	[lenny] - texlive-bin 2007.dfsg.2-4+lenny2
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=492136
CVE-2009-1283 (glFusion before 1.1.3 performs authentication with a user-provided pas ...)
	NOT-FOR-US: glFusion
CVE-2009-1282 (SQL injection vulnerability in private/system/lib-session.php in glFus ...)
	NOT-FOR-US: glFusion
CVE-2009-1281 (Cross-site scripting (XSS) vulnerability in glFusion before 1.1.3 allo ...)
	NOT-FOR-US: glFusion
CVE-2009-1280 (Multiple cross-site request forgery (CSRF) vulnerabilities in the com_ ...)
	NOT-FOR-US: Joomla!
CVE-2009-1279 (Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.5 thr ...)
	NOT-FOR-US: Joomla!
CVE-2009-1278 (Static code injection vulnerability in forms/ajax/configure.php in Gra ...)
	NOT-FOR-US: Gravity Board
CVE-2009-1277 (SQL injection vulnerability in index.php in Gravity Board X (GBX) 2.0 ...)
	NOT-FOR-US: Gravity Board
CVE-2009-1276 (XScreenSaver in Sun Solaris 10 and OpenSolaris before snv_109, and Sol ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-1275 (Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other prod ...)
	- tiles 2.2.0-1
CVE-2009-1273 (pam_ssh 1.92 and possibly other versions, as used when PAM is compiled ...)
	- libpam-ssh 1.92-7 (low; bug #535877)
	[etch] - libpam-ssh (Minor issue)
	[lenny] - libpam-ssh 1.91.0-9.3+lenny1
CVE-2009-1272 (The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x befo ...)
	{DTSA-188-1}
	- php5 5.2.6.dfsg.1-3
	[etch] - php5 (this is caused by the fix for CVE-2008-5658, which was not applied to php4)
	- php4 (this is caused by the fix for CVE-2008-5658, which was not applied to php4)
CVE-2009-1271 (The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before ...)
	{DSA-1789-1 DSA-1775-1}
	- php5 5.2.9.dfsg.1-1
	- php4 (the JSON extension was introduced in php5.2)
	- php-json-ext
CVE-2009-1269 (Unspecified vulnerability in Wireshark 0.99.6 through 1.0.6 allows rem ...)
	{DSA-1785-1}
	- wireshark 1.0.7-1 (low)
	[etch] - wireshark (Vulnerable code not present; introduced in 0.99.6)
CVE-2009-1268 (The Check Point High-Availability Protocol (CPHAP) dissector in Wiresh ...)
	{DSA-1785-1}
	- wireshark 1.0.7-1 (low)
	[etch] - wireshark 0.99.4-5.etch.4
CVE-2009-1267 (Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.2 th ...)
	- wireshark (Only affects Wireshark on Windows)
CVE-2009-1266 (Unspecified vulnerability in Wireshark before 1.0.7 has unknown impact ...)
	NOTE: Dupe of CVE-2009-1210
CVE-2009-1265 (Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kern ...)
	{DSA-1800-1 DSA-1794-1 DSA-1787-1}
	- linux-2.6 2.6.29-4
	- linux-2.6.24
CVE-2009-1264 (Frontend User Registration (sr_feuser_register) extension 2.5.20 and e ...)
	NOT-FOR-US: Frontend User Registration (sr_feuser_register) extension
CVE-2009-1263 (SQL injection vulnerability in sub_commententry.php in the BookJoomlas ...)
	NOT-FOR-US: Joomla!
CVE-2009-1262 (Format string vulnerability in Fortinet FortiClient 3.0.614, and possi ...)
	NOT-FOR-US: Fortinet FortiClient
CVE-2009-1261 (Multiple cross-site scripting (XSS) vulnerabilities in Web Help Desk 9 ...)
	NOT-FOR-US: Web Help Desk
CVE-2009-1260 (Multiple stack-based buffer overflows in UltraISO 9.3.3.2685 and earli ...)
	NOT-FOR-US: UltraISO
CVE-2009-1259 (SQL injection vulnerability in inc/bb/topic.php in Insane Visions Adap ...)
	NOT-FOR-US: Insane Visions AdaptBB
CVE-2009-1258 (SQL injection vulnerability in the RD-Autos (com_rdautos) component 1. ...)
	NOT-FOR-US: Joomla!
CVE-2009-1257 (Heap-based buffer overflow in Magic ISO Maker 5.5 build 0274 allows re ...)
	NOT-FOR-US: Magic ISO Maker
CVE-2009-1256 (SQL injection vulnerability in FlexCMS 2.5 allows remote attackers to ...)
	NOT-FOR-US: FlexCMS
CVE-2009-1255 (The process_stat function in (1) Memcached before 1.2.8 and (2) Memcac ...)
	- memcached 1.2.8-1 (low)
	[etch] - memcached (Minor issue)
	[lenny] - memcached (Minor issue)
	[squeeze] - memcached (Minor issue)
	- memcachedb 1.2.0-3 (low; bug #527330)
	[squeeze] - memcachedb (Minor issue)
	NOTE: Why are weaknesses in security hardening features like ASLR considered minor?
	NOTE: Even though this is not directly a vulnerability itself, part of this application's armor is now missing, making it easier for unknown vulnerabilities to be effective.
CVE-2009-1270 (libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cau ...)
	{DSA-1771-1}
	- clamav 0.95.1+dfsg-1 (medium; bug #523016)
CVE-2009-1254 (James Stone Tunapie 2.1 allows remote attackers to execute arbitrary c ...)
	{DSA-1764-1}
	- tunapie 2.1.17-1
CVE-2009-1253 (James Stone Tunapie 2.1 allows local users to overwrite arbitrary file ...)
	{DSA-1764-1}
	- tunapie 2.1.17-1
CVE-2009-1252 (Stack-based buffer overflow in the crypto_recv function in ntp_crypto. ...)
	{DSA-1801-1}
	- ntp 1:4.2.4p6+dfsg-2 (high; bug #525373)
	NOTE: VU#853097
CVE-2009-1251 (Heap-based buffer overflow in the cache manager in the client in OpenA ...)
	{DSA-1768-1}
	- openafs 1.4.10+dfsg1-1
CVE-2009-1250 (The cache manager in the client in OpenAFS 1.0 through 1.4.8 and 1.5.0 ...)
	{DSA-1768-1}
	- openafs 1.4.10+dfsg1-1
	[etch] - openafs 1.4.2-6etch3
CVE-2009-1249 (Cross-site scripting (XSS) vulnerability in Feed element mapper 5.x be ...)
	NOT-FOR-US: Feed element mapper for Drupal
CVE-2009-1248 (Multiple PHP remote file inclusion vulnerabilities in Acute Control Pa ...)
	NOT-FOR-US: Acute Control Panel
CVE-2009-1247 (SQL injection vulnerability in login.php in Acute Control Panel 1.0.0 ...)
	NOT-FOR-US: Acute Control Panel
CVE-2009-1246 (Multiple directory traversal vulnerabilities in Blogplus 1.0 allow rem ...)
	NOT-FOR-US: Blogplus
CVE-2009-1245 (Multiple SQL injection vulnerabilities in the insert_to_pastebin funct ...)
	NOT-FOR-US: CCCP Community Clan Portal Pastebin
CVE-2009-1244 (Unspecified vulnerability in the virtual machine display function in V ...)
	NOT-FOR-US: VMware
CVE-2009-1243 (net/ipv4/udp.c in the Linux kernel before 2.6.29.1 performs an unlocki ...)
	- linux-2.6 (Issue was introduced after 2.6.27 release)
	- linux-2.6.24 (Issue was introduced after 2.6.27 release)
CVE-2009-1242 (The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementati ...)
	{DSA-1800-1 DSA-1787-1}
	- linux-2.6 2.6.30-1
	[etch] - linux-2.6 (Doesn't include KVM yet)
	- linux-2.6.24
CVE-2009-1241 (Unspecified vulnerability in ClamAV before 0.95 allows remote attacker ...)
	- clamav 0.95+dfsg-1 (medium; bug #526042)
	[etch] - clamav (debian package does not use the rar code in clamav at the current time)
	[lenny] - clamav (debian package does not use the rar code in clamav at the current time)
CVE-2009-1240 (Unspecified vulnerability in the IBM Proventia engine 4.9.0.0.44 20081 ...)
	NOT-FOR-US: IBM Proventia
CVE-2009-1239 (IBM DB2 9.1 before FP7 returns incorrect query results in certain situ ...)
	NOT-FOR-US: IBM DB2
CVE-2009-1274 (Integer overflow in the qt_error parse_trak_atom function in demuxers/ ...)
	- xine-lib 1.1.16.3-1 (medium; bug #522811)
	- vlc (affected part of xine-lib code not present)
CVE-2009-1238 (Race condition in the HFS vfs sysctl interface in XNU 1228.8.20 and ea ...)
	NOT-FOR-US: Mac OS X
CVE-2009-1237 (Multiple memory leaks in XNU 1228.3.13 and earlier on Apple Mac OS X 1 ...)
	NOT-FOR-US: Mac OS X
CVE-2009-1236 (Heap-based buffer overflow in the AppleTalk networking stack in XNU 12 ...)
	NOT-FOR-US: Mac OS X
CVE-2009-1235 (XNU 1228.9.59 and earlier on Apple Mac OS X 10.5.6 and earlier does no ...)
	NOT-FOR-US: Mac OS X
CVE-2009-1234 (Opera 9.64 allows remote attackers to cause a denial of service (appli ...)
	NOT-FOR-US: Opera
CVE-2009-1233 (Apple Safari 3.2.2 and 4 Beta on Windows allows remote attackers to ca ...)
	NOT-FOR-US: Safari on Windows
CVE-2009-1232 (Mozilla Firefox 3.0.8 and earlier 3.0.x versions allows remote attacke ...)
	- xulrunner (unimportant)
	NOTE: Browser crashes not treated as security issues
CVE-2009-1231 (Unspecified vulnerability in the eClient in IBM DB2 Content Manager 8. ...)
	NOT-FOR-US: DB2
CVE-2009-1230 (Static code injection vulnerability in index.php in Podcast Generator ...)
	NOT-FOR-US: Podcast Generator
CVE-2009-1229 (SQL injection vulnerability in Arcadwy Arcade Script allows remote att ...)
	NOT-FOR-US: Arcadwy Arcade Script
CVE-2009-1228 (Cross-site scripting (XSS) vulnerability in register.php in Arcadwy Ar ...)
	NOT-FOR-US: Arcadwy Arcade Script
CVE-2009-1227
	NOT-FOR-US: Check Point
CVE-2009-1226 (core/admin/delete.php in Podcast Generator 1.1 and earlier does not pr ...)
	NOT-FOR-US: Podcast Generator
CVE-2009-1225 (Cross-site scripting (XSS) vulnerability in index.php in Turnkey Ebook ...)
	NOT-FOR-US: Turnkey Ebook Store
CVE-2009-1224 (SQL injection vulnerability in vsp-core/pub/themes/bismarck/gamestat.p ...)
	NOT-FOR-US: vsp stats processor
CVE-2009-1223 (aspWebCalendar Free Edition stores sensitive information under the web ...)
	NOT-FOR-US: aspWebCalendar Free Edition
CVE-2009-1222 (Directory traversal vulnerability in index.php in webEdition 6.0.0.4 a ...)
	NOT-FOR-US: webEdition
CVE-2009-1221
	RESERVED
CVE-2009-1220 (Cross-site scripting (XSS) vulnerability in +webvpn+/index.html in Web ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-1219 (Sun Calendar Express Web Server in Sun ONE Calendar Server 6.0 and Sun ...)
	NOT-FOR-US: Sun Calendar Express Web Server
CVE-2009-1218 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Calendar Ex ...)
	NOT-FOR-US: Sun Calendar Express Web Server
CVE-2009-1217 (Off-by-one error in the GpFont::SetData function in gdiplus.dll in Mic ...)
	NOT-FOR-US: Windows GDI+
CVE-2009-1216 (Multiple unspecified vulnerabilities in (1) unlzh.c and (2) unpack.c i ...)
	NOTE: Duplicate of CVE-2006-4335, confirmed by Microsoft. They're working on
	NOTE: getting it rejected
CVE-2009-1215 (Race condition in GNU screen 4.0.3 allows local users to create or ove ...)
	- screen 4.0.3-13 (low; bug #521123)
	[etch] - screen (etch version predates #433338)
	[lenny] - screen 4.0.3-11+lenny1
CVE-2009-1214 (GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with ...)
	- screen 4.0.3-13 (bug #521123)
	[lenny] - screen 4.0.3-11+lenny1
	NOTE: documented behaviour "or the public accessible screen-exchange", see man screen
CVE-2009-1213 (Cross-site request forgery (CSRF) vulnerability in attachment.cgi in B ...)
	- bugzilla 3.2.4.0-1 (low; bug #514143)
	[etch] - bugzilla (Minor issue)
	[lenny] - bugzilla (Minor issue)
	NOTE: should this really be considered minor? see fedora bug and FSA:
	NOTE: - https://bugzilla.redhat.com/show_bug.cgi?id=494398
	NOTE: - https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00191.html
CVE-2009-1212 (Multiple insecure method vulnerabilities in PRECIS~2.DLL in the Precis ...)
	NOT-FOR-US: PrecisionID Datamatrix ActiveX control
CVE-2009-1211 (Blue Coat ProxySG, when transparent interception mode is enabled, uses ...)
	NOT-FOR-US: Blue Coat ProxySG
CVE-2009-1210 (Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in ...)
	{DSA-1785-1}
	- wireshark 1.0.7-1 (low)
	[etch] - wireshark (Vulnerable code not present, introduced in 0.99.6)
CVE-2009-1209 (Stack-based buffer overflow in W3C Amaya Web Browser 11.1 allows remot ...)
	- amaya
CVE-2009-1208 (SQL injection vulnerability in auth2db 0.2.5, and possibly other versi ...)
	{DSA-1757-1}
	- auth2db 0.2.5-2+dfsg-1.1 (bug #521823; low)
CVE-2009-1207 (Race condition in the dircmp script in Sun Solaris 8 through 10, and O ...)
	NOT-FOR-US: Solaris
CVE-2009-1206 (Unspecified vulnerability in futomi's CGI Cafe Access Analyzer CGI Pro ...)
	NOT-FOR-US: Cafe Access Analyzer CGI Professional
CVE-2009-1205
	REJECTED
CVE-2009-1204 (Cross-site scripting (XSS) vulnerability in TikiWiki (Tiki) CMS/Groupw ...)
	- tikiwiki
CVE-2009-1203 (WebVPN on the Cisco Adaptive Security Appliances (ASA) device with sof ...)
	NOT-FOR-US: Cisco
CVE-2009-1202 (WebVPN on the Cisco Adaptive Security Appliances (ASA) device with sof ...)
	NOT-FOR-US: Cisco
CVE-2009-1201 (Eval injection vulnerability in the csco_wrap_js function in /+CSCOL+/ ...)
	NOT-FOR-US: Cisco
CVE-2009-1200
	RESERVED
CVE-2009-1199
	RESERVED
CVE-2009-1198 (Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 al ...)
	NOT-FOR-US: Apache jUDDI
CVE-2009-1197 (Apache jUDDI before 2.0 allows attackers to spoof entries in log files ...)
	NOT-FOR-US: Apache jUDDI
CVE-2009-1196 (The directory-services functionality in the scheduler in CUPS 1.1.17 a ...)
	- cups 1.1.99.b1.r4748-1
	- cupsys
	[etch] - cupsys 1.1.99.b1.r4748-1
CVE-2009-1195 (The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not proper ...)
	{DSA-1816-1}
	- apache2 2.2.11-6 (low; bug #530834)
CVE-2009-1194 (Integer overflow in the pango_glyph_string_set_size function in pango/ ...)
	{DSA-1798-1}
	- pango1.0 1.24.0-2 (medium; bug #527474)
CVE-2009-1193
	REJECTED
CVE-2009-1192 (The (1) agp_generic_alloc_page and (2) agp_generic_alloc_pages functio ...)
	{DSA-1800-1 DSA-1794-1 DSA-1787-1}
	- linux-2.6 2.6.29-4
	- linux-2.6.24
CVE-2009-1191 (mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server ...)
	- apache2 2.2.11-4 (low)
	[etch] - apache2 (introduced in 2.2.11)
	[lenny] - apache2 (introduced in 2.2.11)
CVE-2009-1190 (Algorithmic complexity vulnerability in the java.util.regex.Pattern.co ...)
	- libspring-2.5-java 2.5.6.SEC01-1
CVE-2009-1189 (The _dbus_validate_signature_with_reason function (dbus-marshal-valida ...)
	{DSA-1837-1}
	- dbus 1.2.14-1 (high; bug #532720)
	NOTE: remote signature spoofing possible, and this was supposed to be
	NOTE: originally fixed with the updates for CVE-2008-3834
CVE-2009-1188 (Integer overflow in the JBIG2 decoding feature in the SplashBitmap::Sp ...)
	{DSA-2050-1 DSA-2028-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[etch] - poppler (SplashBitmap code not present)
	[lenny] - poppler 0.8.7-3.1
	- xpdf 3.02-2 (bug #575779)
	- kdegraphics 4:4.0
	- swftools 0.9.2+ds1-2
CVE-2009-1187 (Integer overflow in the JBIG2 decoding feature in Poppler before 0.10. ...)
	{DSA-1941-1}
	- poppler 0.10.6-1 (medium; bug #524806)
CVE-2009-1186 (Buffer overflow in the util_path_encode function in udev/lib/libudev-u ...)
	{DSA-1772-1}
	- udev 0.141-1 (medium)
CVE-2009-1185 (udev before 1.4.1 does not verify whether a NETLINK message originates ...)
	{DSA-1772-1}
	- udev 0.141-1 (medium)
CVE-2009-1184 (The selinux_ip_postroute_iptables_compat function in security/selinux/ ...)
	{DSA-1809-1 DSA-1800-1}
	- linux-2.6 2.6.29-5
	[etch] - linux-2.6 (Issue was introduced after 2.6.24 release)
	- linux-2.6.24 (Issue was introduced after 2.6.24 release)
CVE-2009-1183 (The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earl ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-1182 (Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0-1 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-1181 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0-1 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-1180 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0-1 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-1179 (Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUP ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0-1 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-1178 (Unspecified vulnerability in the server in IBM Tivoli Storage Manager ...)
	NOT-FOR-US: Tivoli
CVE-2009-1177 (Multiple stack-based buffer overflows in maptemplate.c in mapserv in M ...)
	- mapserver 5.2.2-1 (medium; bug #523027)
	[lenny] - mapserver (Vulnerable code not present or covered by 02_CVE-2009-840-CVE-2009-2281.dpatch)
	[etch] - mapserver (Vulnerable code not present or covered by 02_CVE-2009-840-CVE-2009-2281.dpatch)
CVE-2009-1176 (mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2 ...)
	{DSA-1914-1}
	- mapserver 5.2.2-1 (low; bug #523027)
	NOTE: covered by 02_CVE-2009-840-CVE-2009-2281.dpatch as well
CVE-2009-1175 (Cross-site scripting (XSS) vulnerability in apps/web/vs_diag.cgi in th ...)
	- banshee (unimportant)
	NOTE: banshee is intended as a desktop music player with no serious
	NOTE: login credentials that an attacker could use remotely
CVE-2009-1174 (The Web Services Security component in IBM WebSphere Application Serve ...)
	NOT-FOR-US: WebSphere
CVE-2009-1173 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 uses weak pe ...)
	NOT-FOR-US: WebSphere
CVE-2009-1172 (The JAX-RPC WS-Security runtime in the Web Services Security component ...)
	NOT-FOR-US: WebSphere
CVE-2009-1171 (The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 bef ...)
	{DSA-1761-1}
	- moodle 1.8.2.dfsg-5 (medium; bug #522116)
	NOTE: this applies only to people who have a complete tex environment and
	NOTE: aren't just using mimetex to render the tex
CVE-2009-1170 (Unspecified vulnerability in Sun OpenSolaris snv_100 through snv_101 a ...)
	NOT-FOR-US: OpenSolaris
CVE-2009-1169 (The txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox ...)
	{DSA-1756-1}
	- xulrunner 1.9.0.8-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- kompozer 1:0.8~alpha2+dfsg+svn129-1
CVE-2009-1168 (Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0( ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-1167 (Unspecified vulnerability on the Cisco Wireless LAN Controller (WLC) p ...)
	NOT-FOR-US: Cisco Wireless LAN Controller
CVE-2009-1166 (The administrative web interface on the Cisco Wireless LAN Controller ...)
	NOT-FOR-US: Cisco Wireless LAN Controller
CVE-2009-1165 (Memory leak on the Cisco Wireless LAN Controller (WLC) platform 4.x be ...)
	NOT-FOR-US: Cisco Wireless LAN Controller
CVE-2009-1164 (The administrative web interface on the Cisco Wireless LAN Controller ...)
	NOT-FOR-US: Cisco Wireless LAN Controller
CVE-2009-1163 (Memory leak on the Cisco Physical Access Gateway with software before ...)
	NOT-FOR-US: Cisco
CVE-2009-1162 (Cross-site scripting (XSS) vulnerability in the Spam Quarantine login ...)
	NOT-FOR-US: Cisco IronPort AsyncOS
CVE-2009-1161 (Directory traversal vulnerability in the TFTP service in Cisco CiscoWo ...)
	NOT-FOR-US: CiscoWorks
CVE-2009-1160 (Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-1159 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-1158 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-1157 (Memory leak on Cisco Adaptive Security Appliances (ASA) 5500 Series an ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-1156 (Unspecified vulnerability on Cisco Adaptive Security Appliances (ASA) ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-1155 (Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security ...)
	NOT-FOR-US: Cisco Adaptive Security Appliances
CVE-2009-1154 (Cisco IOS XR 3.8.1 and earlier allows remote attackers to cause a deni ...)
	NOT-FOR-US: Cisco
CVE-2009-1153
	REJECTED
CVE-2009-1152 (Siemens Gigaset SE461 WiMAX router 1.5-BL024.9.6401, and possibly othe ...)
	NOT-FOR-US: Siemens router
CVE-2009-1151 (Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x ...)
	{DSA-1824-1}
	- phpmyadmin 4:3.1.3.1-1
CVE-2009-1150 (Multiple cross-site scripting (XSS) vulnerabilities in the export page ...)
	{DSA-1824-1}
	- phpmyadmin 4:3.1.3.1-1
CVE-2009-1149 (CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB s ...)
	- phpmyadmin 4:3.1.3.1-1
	[etch] - phpmyadmin (Vulnerable code not present)
	[lenny] - phpmyadmin (Vulnerable code not present)
CVE-2009-1148 (Directory traversal vulnerability in bs_disp_as_mime_type.php in the B ...)
	- phpmyadmin 4:3.1.3.1-1
	[etch] - phpmyadmin (Vulnerable code not present)
	[lenny] - phpmyadmin (Vulnerable code not present)
CVE-2009-1147 (Unspecified vulnerability in vmci.sys in the Virtual Machine Communica ...)
	NOT-FOR-US: VMware
CVE-2009-1146 (Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstati ...)
	NOT-FOR-US: VMware
CVE-2009-1145
	RESERVED
CVE-2009-1144 (Untrusted search path vulnerability in the Gentoo package of Xpdf befo ...)
	- xpdf (Gentoo specific vulnerability in building xpdf)
CVE-2009-1143
	RESERVED
CVE-2009-1142
	RESERVED
CVE-2009-1141 (Microsoft Internet Explorer 6 for Windows XP SP2 and SP3 and Server 20 ...)
	NOT-FOR-US: Microsoft
CVE-2009-1140 (Microsoft Internet Explorer 5.01 SP4; 6 SP1; 6 and 7 for Windows XP SP ...)
	NOT-FOR-US: Microsoft
CVE-2009-1139 (Memory leak in the LDAP service in Active Directory on Microsoft Windo ...)
	NOT-FOR-US: Microsoft
CVE-2009-1138 (The LDAP service in Active Directory on Microsoft Windows 2000 SP4 doe ...)
	NOT-FOR-US: Microsoft
CVE-2009-1137 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows re ...)
	NOT-FOR-US: Microsoft
CVE-2009-1136 (The Microsoft Office Web Components Spreadsheet ActiveX control (aka O ...)
	NOT-FOR-US: ActiveX
CVE-2009-1135 (Microsoft Internet Security and Acceleration (ISA) Server 2006 Gold an ...)
	NOT-FOR-US: Microsoft Internet Security and Acceleration (ISA) Server
CVE-2009-1134 (Excel in 2007 Microsoft Office System SP1 and SP2; Microsoft Office Ex ...)
	NOT-FOR-US: Microsoft
CVE-2009-1133 (Heap-based buffer overflow in Microsoft Remote Desktop Connection (for ...)
	NOT-FOR-US: Microsoft
CVE-2009-1132 (Heap-based buffer overflow in the Wireless LAN AutoConfig Service (aka ...)
	NOT-FOR-US: Microsoft Windows Vista Gold
CVE-2009-1131 (Multiple stack-based buffer overflows in Microsoft Office PowerPoint 2 ...)
	NOT-FOR-US: Microsoft
CVE-2009-1130 (Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and ...)
	NOT-FOR-US: Microsoft
CVE-2009-1129 (Multiple stack-based buffer overflows in the PowerPoint 95 importer (P ...)
	NOT-FOR-US: Microsoft
CVE-2009-1128 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows re ...)
	NOT-FOR-US: Microsoft
CVE-2009-1127 (win32k.sys in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3 ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-1126 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2 ...)
	NOT-FOR-US: Microsoft
CVE-2009-1125 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...)
	NOT-FOR-US: Microsoft
CVE-2009-1124 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...)
	NOT-FOR-US: Microsoft
CVE-2009-1123 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...)
	NOT-FOR-US: Microsoft
CVE-2009-1122 (The WebDAV extension in Microsoft Internet Information Services (IIS) ...)
	NOT-FOR-US: Microsoft
CVE-2009-1121
	RESERVED
CVE-2009-1120 (EMC RepliStor Server Service before ESA-09-003 has a DoASOCommand Remo ...)
	NOT-FOR-US: EMC
CVE-2009-1119 (Multiple heap-based buffer overflows in EMC RepliStor 6.2 before SP5 a ...)
	NOT-FOR-US: EMC RepliStor
CVE-2009-1118
	RESERVED
CVE-2009-1117
	RESERVED
CVE-2009-1116
	RESERVED
CVE-2009-1115
	RESERVED
CVE-2009-1114
	RESERVED
CVE-2009-1113
	RESERVED
CVE-2009-1112
	RESERVED
CVE-2009-1111
	RESERVED
CVE-2009-1110
	RESERVED
CVE-2009-1109
	RESERVED
CVE-2009-1108
	RESERVED
CVE-2009-1086 (Heap-based buffer overflow in the ldns_rr_new_frm_str_internal functio ...)
	{DSA-1795-1}
	- ldns 1.5.1-1
CVE-2009-1107 (The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Env ...)
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1106 (The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Env ...)
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1105 (The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Env ...)
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1104 (The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Env ...)
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1103 (Unspecified vulnerability in the Java Plug-in in Java SE Development K ...)
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1102 (Unspecified vulnerability in the Virtual Machine in Java SE Developmen ...)
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1101 (Unspecified vulnerability in the lightweight HTTP server implementatio ...)
	{DSA-1769-1}
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1100 (Multiple unspecified vulnerabilities in Java SE Development Kit (JDK) ...)
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-1099 (Integer signedness error in Java SE Development Kit (JDK) and Java Run ...)
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-1098 (Buffer overflow in Java SE Development Kit (JDK) and Java Runtime Envi ...)
	{DSA-1769-1}
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-1097 (Multiple buffer overflows in Java SE Development Kit (JDK) and Java Ru ...)
	{DSA-1769-1}
	- sun-java6 6-13-1
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-1096 (Buffer overflow in unpack200 in Java SE Development Kit (JDK) and Java ...)
	{DSA-1769-1}
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1095 (Integer overflow in unpack200 in Java SE Development Kit (JDK) and Jav ...)
	{DSA-1769-1}
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1094 (Unspecified vulnerability in the LDAP implementation in Java SE Develo ...)
	{DSA-1769-1}
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
	- sun-java5 1.5.0-18-1
	[etch] - sun-java5 (Non-free not supported)
	[lenny] - sun-java5 1.5.0-22-0lenny1
CVE-2009-1093 (LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java ...)
	{DSA-1769-1}
	- sun-java6 6-13-1 (bug #521414)
	[lenny] - sun-java6 6-20-0lenny1
CVE-2009-1962 (Xfig, possibly 3.2.5, allows local users to read and write arbitrary f ...)
	- xfig 1:3.2.5.a-1
	[etch] - xfig (Minor issue)
	[lenny] - xfig (Minor issue)
CVE-2009-1092 (Use-after-free vulnerability in the LIVEAUDIO.LiveAudioCtrl.1 ActiveX ...)
	NOT-FOR-US: LIVEAUDIO.LiveAudioCtrl.1 ActiveX
CVE-2009-1091 (Cross-site scripting (XSS) vulnerability in upload.php in Rapidleech r ...)
	NOT-FOR-US: Rapidleech
CVE-2009-1090 (Directory traversal vulnerability in upload.php in Rapidleech rev.36 a ...)
	NOT-FOR-US: Rapidleech
CVE-2009-1089 (Absolute path traversal vulnerability in upload.php in Rapidleech rev. ...)
	NOT-FOR-US: Rapidleech
CVE-2009-1088 (Hannon Hill Cascade Server 5.7 and other versions allows remote authen ...)
	NOT-FOR-US: Hannon Hill Cascade Server
CVE-2009-1087 (Multiple argument injection vulnerabilities in PPLive.exe in PPLive 1. ...)
	NOT-FOR-US: PPLive
CVE-2009-1085 (Piwik 0.2.32 and earlier stores sensitive information under the web ro ...)
	- piwik (bug #506933)
CVE-2009-1084 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not proper ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1083 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 on Linux, AIX, ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1082 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 allows remote a ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1081 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1080 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1079 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1078 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not enforc ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1077 (The Change My Password implementation in the admin interface in Sun Ja ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1076 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 responds differ ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1075 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 responds differ ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1074 (Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not use SS ...)
	NOT-FOR-US: Sun Java System Identity Manager
CVE-2009-1073 (nss-ldapd before 0.6.8 uses world-readable permissions for the /etc/ns ...)
{DSA-1758-1} - nss-ldapd 0.6.8 CVE-2009-1072 (nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD c ...) {DSA-1800-1} - linux-2.6 2.6.29-1 [etch] - linux-2.6 (Issue was introduced after 2.6.24 release) - linux-2.6.24 (Issue was introduced after 2.6.24 release) CVE-2009-0934 (Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4 allo ...) {DSA-1774-1} - ejabberd 2.0.5-1 (bug #520852) [etch] - ejabberd (Vulnerable expression not present) CVE-2009-1071 (Stack-based buffer overflow in Icarus 2.0 allows remote attackers to c ...) NOT-FOR-US: Icarus CVE-2009-1070 (Cross-site scripting (XSS) vulnerability in system/index.php in Expres ...) NOT-FOR-US: ExpressionEngine CVE-2009-1069 (Multiple cross-site scripting (XSS) vulnerabilities in the node edit f ...) NOT-FOR-US: Drupal module CVE-2009-1068 (Stack-based buffer overflow in BS.Player (bsplayer) 2.32 Build 975 Fre ...) NOT-FOR-US: BS.Player CVE-2009-1067 (Cross-site scripting (XSS) vulnerability in index.php in Pixie CMS 1.0 ...) NOT-FOR-US: Pixie CMS CVE-2009-1066 (SQL injection vulnerability in the referral function in admin/lib/lib_ ...) NOT-FOR-US: Pixie CMS CVE-2009-1065 (SQL injection vulnerability in index.php in Pixie CMS 1.01a allows rem ...) NOT-FOR-US: Pixie CMS CVE-2009-1064 (Argument injection vulnerability in orbitmxt.dll 2.1.0.2 in the Orbit ...) NOT-FOR-US: Orbit Downloader CVE-2009-1063 (Buffer overflow in eXeScope 6.50 allows user-assisted remote attackers ...) NOT-FOR-US: eXeScope CVE-2009-1062 (Adobe Acrobat Reader 9 before 9.1, 8 before 8.1.4, and 7 before 7.1.1 ...) NOT-FOR-US: Acrobat Reader CVE-2009-1061 (Unspecified vulnerability in Adobe Acrobat Reader 9 before 9.1, 8 befo ...) NOT-FOR-US: Acrobat Reader CVE-2009-1060 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5.6 allows re ...) NOT-FOR-US: Apple Safari CVE-2009-1059 (Stack-based buffer overflow in Trident PowerZip 7.2 might allow remote ...) 
NOT-FOR-US: Trident PowerZip CVE-2009-1058 (Stack-based buffer overflow in ZipGenius might allow remote attackers ...) NOT-FOR-US: ZipGenius CVE-2009-1057 (MicroSmarts Enterprise ZipItFast! 3.0 allows remote attackers to execu ...) NOT-FOR-US: MicroSmarts Enterprise ZipItFast! CVE-2009-1056 (IBM Rational AppScan Enterprise before 5.5 FP1 allows remote attackers ...) NOT-FOR-US: IBM Rational AppScan Enterprise CVE-2009-1055 (Unspecified vulnerability in the web service in Sitecore CMS 5.3.1 rev ...) NOT-FOR-US: Sitecore CMS CVE-2009-1054 (Unspecified vulnerability in JustSystems Ichitaro 13, 2004 through 200 ...) NOT-FOR-US: JustSystems Ichitaro CVE-2009-1053 (chaozzDB 1.2 and earlier stores sensitive information under the web ro ...) NOT-FOR-US: chaozzDB CVE-2009-1052 (FireAnt 1.3 and earlier stores sensitive information under the web roo ...) NOT-FOR-US: FireAnt CVE-2009-1051 (FubarForum 1.6 and earlier stores sensitive information under the web ...) NOT-FOR-US: FubarForum CVE-2009-1050 (Bloginator 1A allows remote attackers to bypass authentication and gai ...) NOT-FOR-US: Bloginator CVE-2009-1049 (SQL injection vulnerability in articleCall.php in Bloginator 1A allows ...) NOT-FOR-US: Bloginator CVE-2009-1048 (The web interface on the snom VoIP phones snom 300, snom 320, snom 360 ...) NOT-FOR-US: snom VoIP phones CVE-2009-1047 (Cross-site scripting (XSS) vulnerability in the Send by e-mail module ...) NOT-FOR-US: Send by e-mail module for Drupal CVE-2009-1046 (The console selection feature in the Linux kernel 2.6.28 before 2.6.28 ...) {DSA-1800-1 DSA-1787-1} - linux-2.6 2.6.29-1 - linux-2.6.24 [etch] - linux-2.6 (Introduced in 2.6.23-rc1) CVE-2009-1045 (requests/status.xml in VLC 0.9.8a allows remote attackers to cause a d ...) - vlc 0.9.9a-1 (unimportant; bug #522170) NOTE: access is limited to localhost CVE-2009-1044 (Mozilla Firefox 3.0.7 on Windows 7 allows remote attackers to execute ...) 
{DSA-1756-1} - xulrunner 1.9.0.8-1 [etch] - xulrunner (Etch Packages no longer covered by security support) - kompozer 1:0.8~alpha2+dfsg+svn129-3 CVE-2009-1043 (Unspecified vulnerability in Microsoft Internet Explorer 8 on Windows ...) NOT-FOR-US: Microsoft CVE-2009-1042 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5.6 allows re ...) NOT-FOR-US: Apple Safari CVE-2009-1041 (The ktimer feature (sys/kern/kern_time.c) in FreeBSD 7.0, 7.1, and 7.2 ...) - kfreebsd-7 7.1-3 [lenny] - kfreebsd-7 7.0-7lenny1 CVE-2009-1040 (Buffer overflow in WinAsm Studio 5.1.5.0 allows user-assisted remote a ...) NOT-FOR-US: WinAsm CVE-2009-1039 (Buffer overflow in CDex 1.70b2 allows remote attackers to execute arbi ...) NOT-FOR-US: CDex CVE-2009-1038 (Multiple SQL injection vulnerabilities in YAP Blog 1.1.1 allow remote ...) NOT-FOR-US: YAP Blog CVE-2009-1037 (Unspecified vulnerability in the Send by e-mail module in the "Printer ...) NOT-FOR-US: Send by e-mail module for Drupal CVE-2009-1036 (Cross-site request forgery (CSRF) vulnerability in the Plus 1 module b ...) NOT-FOR-US: Plus 1 module for Drupal CVE-2009-1035 (Cross-site scripting (XSS) vulnerability in the Tasklist module 5.x-1. ...) NOT-FOR-US: Tasklist module for Drupal CVE-2009-1034 (SQL injection vulnerability in the Tasklist module 5.x-1.x before 5.x- ...) NOT-FOR-US: Tasklist module for Drupal CVE-2009-1033 (SQL injection vulnerability in misc.php in DeluxeBB 1.3 and earlier al ...) NOT-FOR-US: DeluxeBB CVE-2009-1032 (SQL injection vulnerability in gallery_list.php in YABSoft Advanced Im ...) NOT-FOR-US: YABSoft Advanced Image Gallery CVE-2009-1031 (Directory traversal vulnerability in the FTP server in Rhino Software ...) NOT-FOR-US: FTP Rhino Software Serv-U CVE-2009-1030 (Cross-site scripting (XSS) vulnerability in the choose_primary_blog fu ...) - wordpress-mu 2.9.1-1 (bug #399756) CVE-2009-1029 (Stack-based buffer overflow in POP Peeper 3.4.0.0 and earlier allows r ...) 
NOT-FOR-US: POP Peeper CVE-2009-1028 (Stack-based buffer overflow in ediSys eZip Wizard 3.0 allows remote at ...) NOT-FOR-US: ediSys eZip Wizard CVE-2009-1027 (SQL injection vulnerability in OpenCart 1.1.8 allows remote attackers ...) NOT-FOR-US: OpenCart CVE-2009-1026 (Multiple SQL injection vulnerabilities in login.php in Kim Websites 1. ...) NOT-FOR-US: Kim Websites CVE-2009-1025 (PHP remote file inclusion vulnerability in linkadmin.php in Beerwin PH ...) NOT-FOR-US: Beerwin PHPLinkAdmin CVE-2009-1024 (Multiple SQL injection vulnerabilities in Beerwin PHPLinkAdmin 1.0 all ...) NOT-FOR-US: Beerwin PHPLinkAdmin CVE-2009-1023 (SQL injection vulnerability in index.php in phpComasy 0.9.1 allows rem ...) NOT-FOR-US: phpComasy CVE-2009-1022 (Heap-based buffer overflow in the Preview/ Set Segment function in Gre ...) NOT-FOR-US: Gretech GOMlab GOM Encoder CVE-2009-1021 (Unspecified vulnerability in the Advanced Replication component in Ora ...) NOT-FOR-US: Oracle Database CVE-2009-1020 (Unspecified vulnerability in the Network Foundation component in Oracl ...) NOT-FOR-US: Oracle Database CVE-2009-1019 (Unspecified vulnerability in the Network Authentication component in O ...) NOT-FOR-US: Oracle Database CVE-2009-1018 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-1017 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-1016 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-1015 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database CVE-2009-1014 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1013 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) 
NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-1012 (Unspecified vulnerability in the plug-ins for Apache and IIS web serve ...) NOT-FOR-US: BEA Product Suite CVE-2009-1011 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle Application Server CVE-2009-1010 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle Application Server CVE-2009-1009 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle Application Server CVE-2009-1008 (Unspecified vulnerability in the Outside In Technology component in Or ...) NOT-FOR-US: Oracle Application Server CVE-2009-1007 (Unspecified vulnerability in the Data Mining component in Oracle Datab ...) NOT-FOR-US: Oracle Database CVE-2009-1006 (Unspecified vulnerability in the JRockit component in BEA Product Suit ...) NOT-FOR-US: BEA Product Suite CVE-2009-1005 (Unspecified vulnerability in the Oracle Data Service Integrator (AquaL ...) NOT-FOR-US: BEA Product Suite CVE-2009-1004 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-1003 (Unspecified vulnerability in the WebLogic Server component in BEA Prod ...) NOT-FOR-US: BEA Product Suite CVE-2009-1002 (Unspecified vulnerability in Oracle BEA WebLogic Server 10.3, 10.0 Gol ...) NOT-FOR-US: BEA Product Suite CVE-2009-1001 (Unspecified vulnerability in Oracle BEA WebLogic Portal 8.1 Gold throu ...) NOT-FOR-US: BEA Product Suite CVE-2009-1000 (The Oracle Applications Framework component in Oracle E-Business Suite ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-0999 (Unspecified vulnerability in the Oracle Application Object Library com ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-0998 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS - eBenefit ...) NOT-FOR-US: PeopleSoft Enterprise HRMS CVE-2009-0997 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) 
NOT-FOR-US: Oracle Database CVE-2009-0996 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-0995 (Unspecified vulnerability in the Oracle Applications Framework compone ...) NOT-FOR-US: Oracle E-Business Suite CVE-2009-0994 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-0993 (Unspecified vulnerability in the OPMN component in Oracle Application ...) NOT-FOR-US: Oracle Application Server CVE-2009-0992 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0991 (Unspecified vulnerability in the Listener component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-0990 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-0989 (Unspecified vulnerability in the BI Publisher component in Oracle Appl ...) NOT-FOR-US: Oracle Application Server CVE-2009-0988 (Unspecified vulnerability in the Password Policy component in Oracle D ...) NOT-FOR-US: Oracle Database CVE-2009-0987 (Unspecified vulnerability in the Upgrade component in Oracle Database ...) NOT-FOR-US: Oracle Database CVE-2009-0986 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0985 (Unspecified vulnerability in the Core RDBMS component in Oracle Databa ...) NOT-FOR-US: Oracle Database CVE-2009-0984 (Unspecified vulnerability in the Database Vault component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-0983 (Unspecified vulnerability in the Portal component in Oracle Applicatio ...) NOT-FOR-US: Oracle Application Server CVE-2009-0982 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools com ...) NOT-FOR-US: Oracle PeopleSoft Enterprise CVE-2009-0981 (Unspecified vulnerability in the Application Express component in Orac ...) 
NOT-FOR-US: Oracle Database CVE-2009-0980 (Unspecified vulnerability in the SQLX Functions component in Oracle Da ...) NOT-FOR-US: Oracle Database CVE-2009-0979 (Unspecified vulnerability in the Resource Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0978 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0977 (Unspecified vulnerability in the Advanced Queuing component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0976 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0975 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0974 (Unspecified vulnerability in the Portal component in Oracle Applicatio ...) NOT-FOR-US: Oracle Application Server CVE-2009-0973 (Unspecified vulnerability in the Cluster Ready Services component in O ...) NOT-FOR-US: Oracle Database CVE-2009-0972 (Unspecified vulnerability in the Workspace Manager component in Oracle ...) NOT-FOR-US: Oracle Database CVE-2009-0971 (Cross-site scripting (XSS) vulnerability in futomi's CGI Cafe Access A ...) NOT-FOR-US: futomi's CGI Cafe Access Analyzer CGI Standard Version CVE-2009-0970 (PHP remote file inclusion vulnerability in includes/class_image.php in ...) NOT-FOR-US: PHP Pro Bid CVE-2009-0969 (Cross-site request forgery (CSRF) vulnerability in account/settings/ac ...) NOT-FOR-US: phpFoX CVE-2009-0968 (SQL injection vulnerability in fmoblog.php in the fMoblog plugin 2.1 f ...) NOT-FOR-US: fMoblog plugin for WordPress CVE-2009-0967 (The FTP server in Serv-U 7.0.0.1 through 7.4.0.1 allows remote authent ...) NOT-FOR-US: Serv-U CVE-2009-0966 (PHP remote file inclusion vulnerability in cross.php in YABSoft Mega F ...) NOT-FOR-US: YABSoft Mega File Hosting CVE-2009-0965 (SQL injection vulnerability in functions/browse.php in Ganesha Digital ...) 
NOT-FOR-US: Ganesha Digital Library CVE-2009-0964 (UserView_list.php in PHPRunner 4.2, and possibly earlier, stores passw ...) NOT-FOR-US: PHPRunner CVE-2009-0963 (Multiple SQL injection vulnerabilities in PHPRunner 4.2, and possibly ...) NOT-FOR-US: PHPRunner CVE-2009-0962 (Unspecified vulnerability in Futomi's CGI Cafe MP Form Mail CGI eComme ...) NOT-FOR-US: Futomi's CGI Cafe MP Form Mail CGI eCommerce CVE-2009-0961 (The Mail component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS ...) NOT-FOR-US: Apple iPhone CVE-2009-0960 (The Mail component in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS ...) NOT-FOR-US: Apple iPhone CVE-2009-0959 (The MPEG-4 video codec in Apple iPhone OS 1.0 through 2.2.1 and iPhone ...) NOT-FOR-US: Apple iPhone CVE-2009-0958 (Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 thr ...) NOT-FOR-US: Apple iPhone CVE-2009-0957 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-0956 (Apple QuickTime before 7.6.2 does not properly initialize memory befor ...) NOT-FOR-US: Apple QuickTime CVE-2009-0955 (Apple QuickTime before 7.6.2 allows remote attackers to execute arbitr ...) NOT-FOR-US: Apple QuickTime CVE-2009-0954 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 on Windows ...) NOT-FOR-US: Apple QuickTime CVE-2009-0953 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-0952 (Buffer overflow in Apple QuickTime before 7.6.2 allows remote attacker ...) NOT-FOR-US: Apple QuickTime CVE-2009-0951 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remo ...) NOT-FOR-US: Apple QuickTime CVE-2009-0950 (Stack-based buffer overflow in Apple iTunes before 8.2 allows remote a ...) NOT-FOR-US: Apple iTunes CVE-2009-0949 (The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 do ...) 
{DSA-1811-1} - cups 1.3.10-1 CVE-2009-0948 RESERVED - file 5.02-1 CVE-2009-0947 RESERVED - file 5.02-1 CVE-2009-0946 (Multiple integer overflows in FreeType 2.3.9 and earlier allow remote ...) {DSA-1784-1} - freetype 2.3.9-4.1 (medium; bug #524925) CVE-2009-0945 (Array index error in the insertItemBefore method in WebKit, as used in ...) {DSA-1988-1 DSA-1950-1 DSA-1866-1} - qt4-x11 4:4.5.2-1 (medium; bug #532718) [etch] - qt4-x11 (webkit support introduced in version 4.4) - webkit 1.1.5-1 (medium; bug #532724; bug #532725) NOTE: http://trac.webkit.org/changeset/43590 - kde4libs 4:4.3.0-1 (medium; bug #534917) [lenny] - kde4libs (khtml doesn't have SVG support) NOTE: http://websvn.kde.org/?view=rev&revision=983302 - kdegraphics 4:4.0 (medium; bug #534918) NOTE: kdegraphics >4.0 not affected since ksvg is only in 3.5.x series NOTE: http://websvn.kde.org/?view=rev&revision=983306 CVE-2009-0944 (The Microsoft Office Spotlight Importer in Spotlight in Apple Mac OS X ...) NOT-FOR-US: Microsoft Office Spotlight CVE-2009-0943 (Help Viewer in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not ...) NOT-FOR-US: Help Viewer in Apple Mac OS X CVE-2009-0942 (Help Viewer in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not ...) NOT-FOR-US: Help Viewer in Apple Mac OS X CVE-2009-0941 (The HP Embedded Web Server (EWS) on HP LaserJet Printers, Edgeline Pri ...) NOT-FOR-US: HP Embedded Web Server CVE-2009-0940 (Multiple cross-site request forgery (CSRF) vulnerabilities in the HP E ...) NOT-FOR-US: HP Embedded Web Server CVE-2009-0939 (Tor before 0.2.0.34 treats incomplete IPv4 addresses as valid, which h ...) - tor 0.2.0.34-1 CVE-2009-0938 (Unspecified vulnerability in Tor before 0.2.0.34 allows directory mirr ...) - tor 0.2.0.34-1 (bug #512728) CVE-2009-0937 (Unspecified vulnerability in Tor before 0.2.0.34 allows directory mirr ...) - tor 0.2.0.34-1 (bug #514580) CVE-2009-0936 (Unspecified vulnerability in Tor before 0.2.0.34 allows attackers to c ...) 
- tor 0.2.0.34-1 CVE-2009-0935 (The inotify_read function in the Linux kernel 2.6.27 to 2.6.27.13, 2.6 ...) - linux-2.6 2.6.30-1 (low) [etch] - linux-2.6 (Vulnerability was introduced in 2.6.27-rc9) [lenny] - linux-2.6 (Vulnerability was introduced in 2.6.27-rc9) - linux-2.6.24 (Vulnerability was introduced in 2.6.27-rc9) CVE-2009-0933 (Cross-site scripting (XSS) vulnerability in the administrative interfa ...) - dotclear (Fixed before initial upload to archive) CVE-2009-0932 (Directory traversal vulnerability in framework/Image/Image.php in Hord ...) {DSA-1765-1} - horde3 3.2.2+debian0-2 (bug #513265; medium) CVE-2009-0931 (Cross-site scripting (XSS) vulnerability in the tag cloud search scrip ...) - horde3 3.2.2+debian0-2 (bug #513265) [etch] - horde3 (Vulnerable code not present) CVE-2009-0930 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP befor ...) {DSA-1770-1} - imp4 4.2-4 (medium; bug #513266) CVE-2009-0929 (Directory traversal vulnerability in the media manager in Nucleus CMS ...) NOT-FOR-US: Nucleus CMS CVE-2009-0928 (Heap-based buffer overflow in Adobe Acrobat Reader and Acrobat Profess ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2009-0927 (Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before ...) NOT-FOR-US: Adobe Reader and Adobe Acrobat CVE-2009-0926 (Unspecified vulnerability in the UFS filesystem functionality in Sun O ...) NOT-FOR-US: Sun OpenSolaris CVE-2009-0925 (Unspecified vulnerability in Sun Solaris 10 on SPARC sun4v systems, an ...) NOT-FOR-US: Sun Solaris CVE-2009-0924 (Unspecified vulnerability in Sun OpenSolaris snv_39 through snv_45, wh ...) NOT-FOR-US: Sun OpenSolaris CVE-2009-0923 (Unspecified vulnerability in Kerberos Incremental Propagation in Solar ...) NOT-FOR-US: Solaris CVE-2009-0922 (PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows rem ...) 
- postgresql-8.3 8.3.7-1 (bug #517405) [lenny] - postgresql-8.3 8.3.7-0lenny1 - postgresql-8.1 - postgresql-7.4 [etch] - postgresql-8.1 8.1.17-0etch1 [etch] - postgresql-7.4 (Minor issue) CVE-2009-0921 (Multiple heap-based buffer overflows in OvCgi/Toolbar.exe in HP OpenVi ...) NOT-FOR-US: HP Openview CVE-2009-0920 (Stack-based buffer overflow in OvCgi/Toolbar.exe in HP OpenView Networ ...) NOT-FOR-US: HP Openview CVE-2009-0919 (XAMPP installs multiple packages with insecure default passwords, whic ...) NOT-FOR-US: DFLabs PTK CVE-2009-0918 (Multiple unspecified vulnerabilities in DFLabs PTK 1.0.0 through 1.0.4 ...) NOT-FOR-US: DFLabs PTK CVE-2009-0917 (Cross-site scripting (XSS) vulnerability in DFLabs PTK 1.0.0 through 1 ...) NOT-FOR-US: DFLabs PTK CVE-2009-0916 (Unspecified vulnerability in Opera before 9.64 has unknown impact and ...) NOT-FOR-US: Opera CVE-2009-0915 (Opera before 9.64 allows remote attackers to conduct cross-domain scri ...) NOT-FOR-US: Opera CVE-2009-0914 (Opera before 9.64 allows remote attackers to execute arbitrary code vi ...) NOT-FOR-US: Opera CVE-2009-0913 (Unspecified vulnerability in the keysock kernel module in Solaris 10 a ...) NOT-FOR-US: Solaris CVE-2009-0912 (perl-MDK-Common 1.1.11 and 1.1.24, 1.2.9 through 1.2.14, and possibly ...) NOT-FOR-US: perl-MDK-Common CVE-2009-0911 RESERVED CVE-2009-0910 (Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5 ...) NOT-FOR-US: VmWare CVE-2009-0909 (Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5 ...) NOT-FOR-US: VmWare CVE-2009-0908 (Unspecified vulnerability in the ACE shared folders implementation in ...) NOT-FOR-US: VmWare CVE-2009-0907 REJECTED CVE-2009-0906 (The Service Component Architecture (SCA) feature pack for IBM WebSpher ...) NOT-FOR-US: IBM WebSphere CVE-2009-0905 (IBM WebSphere MQ 6.0 before 6.0.2.8 and 7.0 before 7.0.1.0 does not pr ...) 
NOT-FOR-US: IBM WebSphere CVE-2009-0904 (The IBM Stax XMLStreamWriter in the Web Services component in IBM WebS ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-0903 (IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3, and the Fea ...) NOT-FOR-US: WebSphere CVE-2009-0902 RESERVED CVE-2009-0901 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 ...) NOT-FOR-US: Microsoft Visual Studio .NET CVE-2009-0900 (Heap-based buffer overflow in the client in IBM WebSphere MQ 6.0 befor ...) NOT-FOR-US: IBM WebSphere CVE-2009-0899 (IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.24 and 7.0 th ...) NOT-FOR-US: IBM WebSphere CVE-2009-0898 (Stack-based buffer overflow in HP OpenView Network Node Manager (OV NN ...) NOT-FOR-US: HP OpenView Network Node Manager CVE-2009-0897 (IBM WebSphere Partner Gateway (WPG) 6.1.0 before 6.1.0.1 and 6.1.1 bef ...) NOT-FOR-US: IBM WebSphere CVE-2009-0896 (Buffer overflow in the queue manager in IBM WebSphere MQ 6.x before 6. ...) NOT-FOR-US: IBM WebSphere CVE-2009-0895 (Integer overflow in Novell eDirectory 8.7.3.x before 8.7.3.10 ftf2 and ...) NOT-FOR-US: Novell eDirectory CVE-2009-0894 (Heap-based buffer overflow in the decoder_create function in the initi ...) - xvidcore (Fixed before initial release) CVE-2009-0893 (Multiple heap-based buffer overflows in xvidcore/src/decoder.c in the ...) - xvidcore (Fixed before initial release) CVE-2009-0892 (The administrative console in IBM WebSphere Application Server (WAS) 6 ...) NOT-FOR-US: IBM WebSphere CVE-2009-0891 (The Web Services Security component in IBM WebSphere Application Serve ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2009-0890 RESERVED CVE-2009-0889 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) NOT-FOR-US: Adobe Reader CVE-2009-0888 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...) 
NOT-FOR-US: Adobe Reader CVE-2009-0887 (Integer signedness error in the _pam_StrTok function in libpam/pam_mis ...) - pam 1.0.1-10 (low; bug #520115) [lenny] - pam 1.0.1-5+lenny1 [etch] - pam 0.79-5+etch1 CVE-2009-0886 (Directory traversal vulnerability in login.php in OneOrZero Helpdesk 1 ...) NOT-FOR-US: OneOrZero Helpdesk CVE-2009-0885 (Multiple heap-based buffer overflows in Media Commands 1.0 allow remot ...) NOT-FOR-US: Media Commands CVE-2009-0884 (Buffer overflow in FileZilla Server before 0.9.31 allows remote attack ...) NOT-FOR-US: FileZilla Server (only client packaged in debian) CVE-2009-0883 (SQL injection vulnerability in Blue Eye CMS 1.0.0 and earlier, when ma ...) NOT-FOR-US: Blue Eye CMS CVE-2009-0882 (Multiple SQL injection vulnerabilities in nForum 1.5 allow remote atta ...) NOT-FOR-US: nForum CVE-2009-0881 (SQL injection vulnerability in ejemplo/paises.php in isiAJAX 1 allows ...) NOT-FOR-US: isiAJAX CVE-2009-0880 (Directory traversal vulnerability in the CIM server in IBM Director be ...) NOT-FOR-US: Windows CVE-2009-0879 (The CIM server in IBM Director before 5.20.3 Service Update 2 on Windo ...) NOT-FOR-US: Windows CVE-2009-0878 (The read_game_map function in src/terrain_translation.cpp in Wesnoth b ...) {DSA-1737-1} - wesnoth 1:1.4.7-4 CVE-2009-0877 (Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System ...) NOT-FOR-US: Sun Java System Communications Express CVE-2009-0876 (Sun xVM VirtualBox 2.0.0, 2.0.2, 2.0.4, 2.0.6r39760, 2.1.0, 2.1.2, and ...) - virtualbox-ose (Vulnerable code not present, Debian version patches localconf) [lenny] - virtualbox-ose (lenny version doesn't install binaries with suid 0) CVE-2009-0875 (Race condition in the Doors subsystem in the kernel in Sun Solaris 8 t ...) NOT-FOR-US: Sun Solaris CVE-2009-0874 (Multiple unspecified vulnerabilities in the Doors subsystem in the ker ...) NOT-FOR-US: Sun Solaris CVE-2009-0873 (The NFS daemon (aka nfsd) in Sun Solaris 10 and OpenSolaris before snv ...) 
NOT-FOR-US: Solaris CVE-2009-0872 (The NFS server in Sun Solaris 10, and OpenSolaris before snv_111, does ...) NOT-FOR-US: Solaris CVE-2009-0871 (The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4 ...) - asterisk (Vulnerable code introduced in 1.4.22) CVE-2009-0870 (The NFSv4 Server module in the kernel in Sun Solaris 10, and OpenSolar ...) NOT-FOR-US: Solaris CVE-2009-0869 (Buffer overflow in the client in IBM Tivoli Storage Manager (TSM) HSM ...) NOT-FOR-US: IBM Tivoli Storage Manager CVE-2009-0868 (CRLF injection vulnerability in the WebLink template in Fujitsu Jasmin ...) NOT-FOR-US: Fujitsu Jasmine2000 Enterprise Edition CVE-2009-0867 (The HRM-S service in Fujitsu Enhanced Support Facility 3.0 and 3.0.1 a ...) NOT-FOR-US: Fujitsu Enhanced Support Facility CVE-2009-0866 (pHNews Alpha 1 stores sensitive information under the web root with in ...) NOT-FOR-US: pHNews CVE-2009-0865 (Directory traversal vulnerability in the SnapShotToFile method in the ...) NOT-FOR-US: GeoVision CVE-2009-0864 (S-Cms 1.1 Stable allows remote attackers to bypass authentication and ...) NOT-FOR-US: S-Cms CVE-2009-0863 (SQL injection vulnerability in admin/delete_page.php in S-Cms 1.1 Stab ...) NOT-FOR-US: S-Cms CVE-2009-0862 (Cross-site scripting (XSS) vulnerability in the hook_cntrlr_error_outp ...) NOT-FOR-US: TangoCMS CVE-2009-0861 (Cross-site scripting (XSS) vulnerability in phpDenora before 1.2.3 all ...) NOT-FOR-US: phpDenora CVE-2009-0860 (Cross-site scripting (XSS) vulnerability in the web user interface in ...) NOT-FOR-US: NetMRI CVE-2009-0859 (The shm_get_stat function in ipc/shm.c in the shm subsystem in the Lin ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-1 NOTE: All Debian kernels set CONFIG_SHMEM, so this is moot except NOTE: for locally modified configs and even for that I fail to NOTE: see why anyone would run a kernel w/o CONFIG_SHMEM? CVE-2009-0858 (The response_addname function in response.c in Daniel J. Bernstein djb ...) 
{DSA-1831-1} - djbdns 1:1.05-5 (low; bug #518169; bug #517631) CVE-2009-0857 (Cross-site scripting (XSS) vulnerability in /prm/reports in the Perfor ...) NOT-FOR-US: SunMC CVE-2009-0856 (Multiple cross-site scripting (XSS) vulnerabilities in sample applicat ...) NOT-FOR-US: IBM WebSphere CVE-2009-0855 (Cross-site scripting (XSS) vulnerability in the administrative console ...) NOT-FOR-US: IBM WebSphere CVE-2009-0853 (login.php in CelerBB 0.0.2, when magic_quotes_gpc is disabled, allows ...) NOT-FOR-US: CelerBB CVE-2009-0852 (showme.php in CelerBB 0.0.2 allows remote attackers to obtain "reserve ...) NOT-FOR-US: CelerBB CVE-2009-0851 (Multiple SQL injection vulnerabilities in CelerBB 0.0.2, when magic_qu ...) NOT-FOR-US: CelerBB CVE-2009-0850 (Cross-site scripting (XSS) vulnerability in BitDefender Internet Secur ...) NOT-FOR-US: BitDefender CVE-2009-0849 (Stack-based buffer overflow in the DtbClsLogin function in NovaStor No ...) NOT-FOR-US: NovaNET CVE-2009-0848 (Untrusted search path vulnerability in GTK2 in OpenSUSE 11.0 and 11.1 ...) - gtk+2.0 (suse specific patch) CVE-2009-0847 (The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka ...) {DSA-1766-1} - krb5 1.6.dfsg.4~beta1-13 [etch] - krb5 (Affected code present, but not exploitable before 1.6.3) CVE-2009-0846 (The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c i ...) {DSA-1766-1} - krb5 1.6.dfsg.4~beta1-13 CVE-2009-0845 (The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego ...) {DSA-1766-1} - krb5 1.6.dfsg.4~beta1-13 [etch] - krb5 (Vulnerable code was introduced in 1.5) CVE-2009-0844 (The get_input_token function in the SPNEGO implementation in MIT Kerbe ...) {DSA-1766-1} - krb5 1.6.dfsg.4~beta1-13 [etch] - krb5 (Vulnerable code was introduced in 1.5) CVE-2009-0843 (The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and ...) 
{DSA-1914-1} - mapserver 5.2.2-1 (bug #523027) NOTE: this can only probe for files that are not present, useless when not NOTE: in combination with another attack CVE-2009-0842 (mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows rem ...) {DSA-1914-1} - mapserver 5.2.2-1 (low; bug #523027) CVE-2009-0841 (Directory traversal vulnerability in mapserv.c in mapserv in MapServer ...) {DSA-1914-1} - mapserver 5.2.2-1 (bug #523027) NOTE: this doesn't work under linux as the root from the directory traversal needs to exist CVE-2009-0840 (Heap-based buffer underflow in the readPostBody function in cgiutil.c ...) {DSA-1914-1} - mapserver 5.4.2-1 (medium; bug #523027) NOTE: Initial fix was incomplete CVE-2009-0839 (Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x b ...) {DSA-1914-1} - mapserver 5.2.2-1 (medium; bug #523027) CVE-2009-0838 (The crypto pseudo device driver in Sun Solaris 10, and OpenSolaris snv ...) NOT-FOR-US: Solaris CVE-2009-0837 (Stack-based buffer overflow in Foxit Reader 3.0 before Build 1506, inc ...) NOT-FOR-US: Foxit Reader CVE-2009-0836 (Foxit Reader 2.3 before Build 3902 and 3.0 before Build 1506, includin ...) NOT-FOR-US: Foxit Reader CVE-2009-0854 (Untrusted search path vulnerability in dash 0.5.4, when used as a logi ...) - dash (Debian uses upstream's patch to implement -l) CVE-2009-0835 (The __secure_computing function in kernel/seccomp.c in the seccomp sub ...) {DSA-1800-1} - linux-2.6 2.6.30-1 (low) [etch] - linux-2.6 (Not enabled in 2.6.18) - linux-2.6.24 [etch] - linux-2.6.24 (unimportant) NOTE: CONFIG_SECCOMP has only been enabled in 2.6.26 CVE-2009-0834 (The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earl ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-1 (low) - linux-2.6.24 CVE-2009-0833 (Heap-based buffer overflow in gen_msn.dll in the gen_msn plugin 0.31 f ...) NOT-FOR-US: Winamp CVE-2009-0832 (SQL injection vulnerability in items.php in the E-Cart module 1.3 for ...) 
	NOT-FOR-US: PHP-Fusion
CVE-2009-0831 (SQL injection vulnerability in members.php in the Members CV (job) mod ...)
	NOT-FOR-US: PHP-Fusion
CVE-2009-0830 (Cross-site scripting (XSS) vulnerability in QuoteBook allows remote at ...)
	NOT-FOR-US: QuoteBook
CVE-2009-0829 (Multiple SQL injection vulnerabilities in QuoteBook allow remote attac ...)
	NOT-FOR-US: QuoteBook
CVE-2009-0828 (QuoteBook stores quotes.inc under the web root with insufficient acces ...)
	NOT-FOR-US: QuoteBook
CVE-2009-0827 (PollHelper stores poll.inc under the web root with insufficient access ...)
	NOT-FOR-US: PollHelper
CVE-2009-0826 (BlogHelper stores common_db.inc under the web root with insufficient a ...)
	NOT-FOR-US: BlogHelper
CVE-2009-0825 (SQL injection vulnerability in system/rss.php in TinX/cms 3.x before 3 ...)
	NOT-FOR-US: TinX/cms
CVE-2009-0824 (Elaborate Bytes ElbyCDIO.sys 6.0.2.0 and earlier, as distributed in Sl ...)
	NOT-FOR-US: Elaborate Bytes ElbyCDIO.sys
CVE-2009-0823
	RESERVED
CVE-2009-0822
	RESERVED
CVE-2009-0821 (Mozilla Firefox 2.0.0.20 and earlier allows remote attackers to cause ...)
	- iceweasel (unimportant)
	NOTE: Browser DoS not treated as security issues
CVE-2009-0820 (Multiple eval injection vulnerabilities in phpScheduleIt before 1.2.11 ...)
	NOT-FOR-US: phpScheduleIt
CVE-2009-0819 (sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 a ...)
	- mysql-dfsg-5.0 (Vulnerable code introduced in 5.1.5)
	- mysql-5.1 5.1.32-1
CVE-2009-0818 (Cross-site scripting (XSS) vulnerability in the taxonomy_theme_admin_t ...)
	NOT-FOR-US: Taxonomy Theme module for Drupal
CVE-2009-0817 (Cross-site scripting (XSS) vulnerability in the Protected Node module ...)
	NOT-FOR-US: Protected Node module for Drupal
CVE-2009-0816 (Multiple cross-site scripting (XSS) vulnerabilities in the backend use ...)
	{DTSA-193-1}
	- typo3-src 4.2.6-1 (low; bug #514713)
	[etch] - typo3-src 4.0.2+debian-8
CVE-2009-0815 (The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8 ...)
	{DTSA-193-1}
	- typo3-src 4.2.6-1 (medium; bug #514713)
	[etch] - typo3-src 4.0.2+debian-8
CVE-2009-0814 (Cross-site scripting (XSS) vulnerability in Widgets.aspx in Blogsa 1.0 ...)
	NOT-FOR-US: Blogsa
CVE-2009-0813 (Insecure method vulnerability in the ImeraIEPlugin ActiveX control (Im ...)
	NOT-FOR-US: ActiveX
CVE-2009-0812 (Stack-based buffer overflow in BreakPoint Software Hex Workshop 4.23, ...)
	NOT-FOR-US: BreakPoint Software Hex Workshop
CVE-2009-0811 (Insecure method vulnerability in the SopCast SopCore ActiveX control i ...)
	NOT-FOR-US: ActiveX
CVE-2009-0810 (SQL injection vulnerability in login.php in xGuestbook 2.0 allows remo ...)
	NOT-FOR-US: xGuestbook
CVE-2009-0809 (The Web Editor in Dassault Systemes ENOVIA SmarTeam V5 before Release ...)
	NOT-FOR-US: Dassault Systemes ENOVIA SmarTeam
CVE-2009-0808 (Multiple SQL injection vulnerabilities in SimpleCMMS before 0.1.0 allo ...)
	NOT-FOR-US: SimpleCMMS
CVE-2009-0807 (zFeeder 1.6 allows remote attackers to gain administrative access via ...)
	NOT-FOR-US: zFeeder
CVE-2009-0806 (Unspecified vulnerability in OpenGoo before 1.2.1 allows remote authen ...)
	NOT-FOR-US: OpenGoo
CVE-2009-0805 (Cross-site scripting (XSS) vulnerability in piCal 0.91h and earlier, a ...)
	NOT-FOR-US: piCal
CVE-2009-0804 (Ziproxy 2.6.0, when transparent interception mode is enabled, uses the ...)
	- ziproxy 2.7.2-1 (low; bug #521051)
	[lenny] - ziproxy (Minor issue)
CVE-2009-0803 (SmoothWall SmoothGuardian, as used in SmoothWall Firewall, NetworkGuar ...)
	NOT-FOR-US: SmoothWall
CVE-2009-0802 (Qbik WinGate, when transparent interception mode is enabled, uses the ...)
	NOT-FOR-US: Qbik WinGate
CVE-2009-0801 (Squid, when transparent interception mode is enabled, uses the HTTP Ho ...)
	- squid 4.1-1 (unimportant; bug #521053)
	- squid3 3.3.3-1 (unimportant; bug #521052)
	NOTE: This only affects HTTP connections and only in transparent mode
	NOTE: Also, same origin validations in the browsers still apply and keep this mostly harmless
	NOTE: http://marc.info/?l=squid-dev&m=123542836103750&w=4
CVE-2009-0800 (Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-0799 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-0798 (ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cau ...)
	{DSA-1786-1}
	- acpid 1.0.10-1 (medium)
CVE-2009-0797
	REJECTED
CVE-2009-0796 (Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Statu ...)
	- libapache2-mod-perl2 2.0.4-6 (low; bug #567635)
	[lenny] - libapache2-mod-perl2 2.0.4-5+lenny1
	- apache
	[etch] - apache (minor issue)
CVE-2009-0795
	REJECTED
CVE-2009-0794 (Integer overflow in the PulseAudioTargetDataL class in src/java/org/cl ...)
	- openjdk-6 6b16-1
	[lenny] - openjdk-6 (no PulseAudio support included)
CVE-2009-0793 (cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK ...)
	{DSA-1769-1}
	- openjdk-6 6b16-1
	- lcms 1.18.dfsg-1.1 (low; bug #530785)
	[lenny] - lcms (Minor issue)
	[etch] - lcms (Minor issue)
CVE-2009-0792 (Multiple integer overflows in icc.c in the International Color Consort ...)
	{DSA-2080-1 DTSA-198-1}
	- argyll 1.0.3-3 (medium; bug #523472; bug #524802)
	- ghostscript 8.64~dfsg-1.1 (medium; bug #524915)
	- gs-gpl (medium; bug #561717)
CVE-2009-0791 (Multiple integer overflows in Xpdf 2.x and 3.x and Poppler 0.x, as use ...)
	- cupsys (medium; bug #535488)
	- cups 1.3.10-1 (medium; bug #535489)
	[etch] - cupsys (pdftops source included, but not built)
	[lenny] - cups (pdftops source included, but not built)
CVE-2009-0790 (The pluto IKE daemon in Openswan and Strongswan IPsec 2.6 before 2.6.2 ...)
	{DSA-1760-1 DSA-1759-1}
	- openswan 1:2.6.21+dfsg-1 (medium; bug #521949)
	- strongswan 4.2.14-1 (medium; bug #521950)
CVE-2009-0789 (OpenSSL before 0.9.8k on WIN64 and certain other platforms does not pr ...)
	- openssl (only non-Debian architectures affected)
CVE-2009-0788 (Red Hat Network (RHN) Satellite Server 5.3 and 5.4 does not properly r ...)
	NOT-FOR-US: Red Hat Network Satellite Server
CVE-2009-0787 (The ecryptfs_write_metadata_to_contents function in the eCryptfs funct ...)
	- linux-2.6 2.6.29-1 (medium; bug #529326)
	[etch] - linux-2.6 (ecryptfs was merged in 2.6.19)
	[lenny] - linux-2.6 (vulnerable code introduced in 2.6.28)
	- linux-2.6.24 (vulnerable code introduced in 2.6.28)
CVE-2009-0786
	REJECTED
CVE-2009-0785
	RESERVED
CVE-2009-0784 (Race condition in the SystemTap stap tool 0.0.20080705 and 0.0.2009031 ...)
	{DSA-1755-1}
	- systemtap 0.0.20090314-2
	[etch] - systemtap (vulnerable code not present)
CVE-2009-0783 (Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 th ...)
	{DSA-2207-1}
	- tomcat5.5 (low; bug #532366)
	- tomcat6 6.0.20-1 (low; bug #532362)
	[lenny] - tomcat6 (Only ships the servlet package)
	- tomcat5 (low; bug #532363)
CVE-2009-0782
	REJECTED
CVE-2009-0781 (Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the ca ...)
	{DSA-2207-1}
	- tomcat5.5 (unimportant; bug #532366)
	- tomcat6 6.0.20-1 (unimportant; bug #532362)
	- tomcat5 (unimportant; bug #532363)
	NOTE: Just examples on how to use Tomcat, not for production
CVE-2009-0780 (The aspath_prepend function in rde_attr.c in bgpd in OpenBSD 4.3 and 4 ...)
	NOT-FOR-US: openbsd
CVE-2009-0779 (Buffer overflow in pppdial in IBM AIX 5.3 and 6.1 allows local users t ...)
	NOT-FOR-US: IBM AIX
CVE-2009-0778 (The icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2 ...)
	- linux-2.6 (Issue was introduced after 2.6.24 release and fixed before release of 2.6.25)
	- linux-2.6.24 (Issue was introduced after 2.6.24 release and fixed before release of 2.6.25)
CVE-2009-0777 (Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonk ...)
	- iceweasel 3.0.7-1 (low; bug #576466)
	[lenny] - iceweasel (minor issue)
	[etch] - iceweasel (Etch Packages no longer covered by security support)
CVE-2009-0776 (nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0. ...)
	{DSA-1830-1 DSA-1751-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- iceweasel 3.0
	[etch] - iceweasel (Etch Packages no longer covered by security support)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.7-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- kompozer 1:0.8~alpha2+dfsg+svn129-3
CVE-2009-0775 (Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird ...)
	{DSA-1751-1}
	- xulrunner 1.9.0.7-1
	[etch] - xulrunner (Vulnerable code not present)
CVE-2009-0774 (The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird ...)
	{DSA-1830-1 DSA-1751-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- iceweasel 3.0
	[etch] - iceweasel (Etch Packages no longer covered by security support)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.7-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-0773 (The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird bef ...)
	{DSA-1830-1 DSA-1751-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- xulrunner 1.9.0.7-1
	[etch] - xulrunner (Vulnerable code not present)
CVE-2009-0772 (The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird ...)
	{DSA-1830-1 DSA-1751-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- iceweasel 3.0
	[etch] - iceweasel (Etch Packages no longer covered by security support)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.7-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-0771 (The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before ...)
	{DSA-1830-1 DSA-1751-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- xulrunner 1.9.0.7-1
	[etch] - xulrunner (Vulnerable code not present)
	- kompozer 1:0.8~alpha2+dfsg+svn129-1
CVE-2009-0769 (QIP 2005 build 8082 allows remote attackers to cause a denial of servi ...)
	NOT-FOR-US: QIP
CVE-2009-0768 (SQL injection vulnerability in forumhop.php in YapBB 1.2 and earlier a ...)
	NOT-FOR-US: YapBB
CVE-2009-0767 (Kipper 2.01 stores sensitive information under the web root with insuf ...)
	NOT-FOR-US: Kipper
CVE-2009-0766 (Directory traversal vulnerability in default.php in Kipper 2.01 allows ...)
	NOT-FOR-US: Kipper
CVE-2009-0765 (Directory traversal vulnerability in index.php in Kipper 2.01 allows r ...)
	NOT-FOR-US: Kipper
CVE-2009-0764 (Multiple cross-site scripting (XSS) vulnerabilities in Kipper 2.01 all ...)
	NOT-FOR-US: Kipper
CVE-2009-0763 (Cross-site scripting (XSS) vulnerability in default.php in Kipper 2.01 ...)
	NOT-FOR-US: Kipper
CVE-2009-0762 (Cross-site scripting (XSS) vulnerability in ScriptsEz Ez PHP Comment a ...)
	NOT-FOR-US: ScriptsEz Ez PHP Comment
CVE-2009-0761 (Cross-site scripting (XSS) vulnerability in online.asp in Team Board 1 ...)
	NOT-FOR-US: Team Board
CVE-2009-0760 (Team Board 1.x and 2.x stores sensitive information under the web root ...)
	NOT-FOR-US: Team Board
CVE-2009-0759 (Multiple CRLF injection vulnerabilities in webadmin in ZNC before 0.06 ...)
	{DSA-1735-1}
	- znc 0.066-1 (bug #516950)
CVE-2009-0758 (The originates_from_local_legacy_unicast_socket function in avahi-core ...)
	{DSA-2086-1}
	- avahi 0.6.24-3 (low; bug #517683)
	[etch] - avahi (Minor issue)
	NOTE: reflector is off by default
CVE-2009-0757 (Multiple buffer overflows in GNU MPFR 2.4.0 allow context-dependent at ...)
	- mpfr 2.4.0-5 (low; bug #527475)
	[lenny] - mpfr (Vulnerable code not yet present)
	[etch] - mpfr (Vulnerable code not yet present)
CVE-2009-0756 (The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4 a ...)
	- poppler 0.10.6-1 (low; bug #518478)
	[lenny] - poppler 0.8.7-2
	[etch] - poppler (Application crash only, could be fixed with further issues)
	NOTE: poppler in lenny fixed in batch of CVEs pushed out in 5.0.2 release
CVE-2009-0755 (The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4 a ...)
	{DSA-1941-1}
	- poppler 0.10.6-1 (low; bug #518478)
	[lenny] - poppler (Application crash only, could be fixed with further issues)
	[etch] - poppler (vulnerable code not present; forms introduced after 0.4.5)
CVE-2009-0754 (PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows l ...)
	{DSA-1789-1}
	- php4 (low)
	- php5 5.2.9.dfsg.1-2 (low; bug #523049)
CVE-2009-0752 (Unspecified vulnerability in Movable Type Pro and Community Solution 4 ...)
	- movabletype-opensource (bug #518469)
	NOTE: http://www.sixapart.com/pipermail/mtos-dev/2009-March/002677.html
CVE-2009-0751 (Yaws before 1.80 allows remote attackers to cause a denial of service ...)
	{DSA-1740-1}
	- yaws 1.80-1
CVE-2009-0750 (SQL injection vulnerability in login.php in the smNews example script ...)
	NOT-FOR-US: txtSQL
CVE-2009-0748 (The ext4_fill_super function in fs/ext4/super.c in the Linux kernel 2. ...)
	{DSA-1749-1}
	- linux-2.6 2.6.29-1 (low)
	[etch] - linux-2.6 (ext4 not yet present)
	- linux-2.6.24 (low)
	NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this
CVE-2009-0747 (The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 b ...)
	{DSA-1749-1}
	- linux-2.6 2.6.28-2 (low)
	[etch] - linux-2.6 (ext4 not yet present)
	- linux-2.6.24 (low)
	NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this
CVE-2009-0746 (The make_indexed_dir function in fs/ext4/namei.c in the Linux kernel 2 ...)
	{DSA-1749-1}
	- linux-2.6 2.6.28-1 (low)
	[etch] - linux-2.6 (ext4 not yet present)
	- linux-2.6.24 (low)
	NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this
CVE-2009-0745 (The ext4_group_add function in fs/ext4/resize.c in the Linux kernel 2. ...)
	{DSA-1787-1 DSA-1749-1}
	- linux-2.6 2.6.29-1 (low)
	[etch] - linux-2.6 (ext4 not yet present)
	- linux-2.6.24 (low)
	NOTE: Since the feature is experimental until 2.6.27, I don't think we need to fix this
CVE-2009-0744 (Apple Safari 4 Beta build 528.16 allows remote attackers to cause a de ...)
	NOT-FOR-US: Apple Safari
CVE-2009-0743 (Cross-site scripting (XSS) vulnerability in the edit account page in t ...)
	NOT-FOR-US: Cisco Unified MeetingPlace Web Conferencing
CVE-2009-0742 (The username command in Cisco ACE Application Control Engine Module fo ...)
	NOT-FOR-US: Cisco
CVE-2009-0770 (dkim-milter 2.6.0 through 2.8.0 allows remote attackers to cause a den ...)
	{DSA-1728-1}
	- dkim-milter 2.6.0.dfsg-2 (low)
	[lenny] - dkim-milter 2.6.0.dfsg-1+lenny1
	NOTE: http://sourceforge.net/tracker/index.php?func=detail&aid=2508602&group_id=139420&atid=744358
CVE-2009-0749 (Use-after-free vulnerability in the GIFReadNextExtension function in l ...)
	- optipng 0.6.2.1-1 (low)
	[etch] - optipng 0.5.5-2
	[lenny] - optipng 0.6.1.1-2
CVE-2009-0741 (SQL injection vulnerability in Login.asp in Craft Silicon Banking@Home ...)
	NOT-FOR-US: Craft Silicon Banking@Home
CVE-2009-0740 (SQL injection vulnerability in login.php in BlueBird Prelease allows r ...)
	NOT-FOR-US: BlueBird Prelease
CVE-2009-0739 (SQL injection vulnerability in login.php in MyNews 0.10 allows remote ...)
	NOT-FOR-US: MyNews
CVE-2009-0738 (SQL injection vulnerability in login.php in Auth Php 1.0 allows remote ...)
	NOT-FOR-US: Auth Php
CVE-2009-0736 (Cross-site scripting (XSS) vulnerability in Pebble before 2.3.2 allows ...)
	NOT-FOR-US: Pebble
CVE-2009-0735 (Directory traversal vulnerability in lib/classes/message_class.php in ...)
	NOT-FOR-US: Papoo CMS
CVE-2009-0734 (Heap-based buffer overflow in MultimediaPlayer.exe 6.86.240.7 in Nokia ...)
	NOT-FOR-US: MultimediaPlayer.exe
CVE-2009-0733 (Multiple stack-based buffer overflows in the ReadSetOfCurves function ...)
	{DSA-1769-1 DSA-1745-1}
	- lcms 1.18.dfsg-1 (bug #522446)
	- openjdk-6 6b18-1.8.13-0+squeeze2
	NOTE: Marking the current oldstable version as fixed, but likely fixed way earlier
CVE-2009-0732 (Downloadcenter 2.1 stores common.h under the web root with insufficien ...)
	NOT-FOR-US: Downloadcenter
CVE-2009-0731 (Directory traversal vulnerability in pages/play.php in Free Arcade Scr ...)
	NOT-FOR-US: Free Arcade Script
CVE-2009-0730 (Multiple SQL injection vulnerabilities in the GigCalendar (com_gigcal) ...)
	NOT-FOR-US: GigCalendar
CVE-2009-0729 (Multiple directory traversal vulnerabilities in Page Engine CMS 2.0 Ba ...)
	NOT-FOR-US: Page Engine CMS
CVE-2009-0728 (SQL injection vulnerability in the My_eGallery module for MAXdev MDPro ...)
	NOT-FOR-US: MAXdev MDPro/Postnuke
CVE-2009-0727 (SQL injection vulnerability in jobdetails.php in taifajobs 1.0 and ear ...)
	NOT-FOR-US: taifajobs
CVE-2009-0726 (SQL injection vulnerability in the GigCalendar (com_gigcal) component ...)
	NOT-FOR-US: Joomla!
CVE-2009-0725
	RESERVED
CVE-2009-0724
	RESERVED
CVE-2009-0723 (Multiple integer overflows in LittleCMS (aka lcms or liblcms) before 1 ...)
	{DSA-1769-1 DSA-1745-1}
	- lcms 1.18.dfsg-1 (bug #522446)
	- openjdk-6 6b18-1.8.13-0+squeeze2
	NOTE: Marking the current oldstable version as fixed, but likely fixed way earlier
CVE-2009-0722 (Directory traversal vulnerability in admin.php in Potato News 1.0.0 al ...)
	NOT-FOR-US: Potato News
CVE-2009-0721 (Unspecified vulnerability in Easy Login in the Sender module in HP Rem ...)
	NOT-FOR-US: HP Remote Graphics
CVE-2009-0720 (Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) ...)
	NOT-FOR-US: HP OpenView Network Node Manager
CVE-2009-0719 (Unspecified vulnerability in useradd in HP HP-UX B.11.11, B.11.23, and ...)
	NOT-FOR-US: HP-UX
CVE-2009-0718 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 befor ...)
	NOT-FOR-US: HP StorageWorks Storage Mirroring
CVE-2009-0717 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 befor ...)
	NOT-FOR-US: HP StorageWorks Storage Mirroring
CVE-2009-0716 (Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 befor ...)
	NOT-FOR-US: HP StorageWorks Storage Mirroring
CVE-2009-0715 (Unspecified vulnerability in Secure NaviCLI in HP Storage Essentials 6 ...)
	NOT-FOR-US: HP Storage Essentials
CVE-2009-0714 (Unspecified vulnerability in the dpwinsup module (dpwinsup.dll) for dp ...)
	NOT-FOR-US: HP Data Protector Express
CVE-2009-0713 (Unspecified vulnerability in WMI Mapper for HP Systems Insight Manager ...)
	NOT-FOR-US: WMI Mapper
CVE-2009-0712 (Unspecified vulnerability in WMI Mapper for HP Systems Insight Manager ...)
	NOT-FOR-US: WMI Mapper
CVE-2009-0711 (filter.php in PHPFootball 1.6 and earlier allows remote attackers to r ...)
	NOT-FOR-US: PHPFootball
CVE-2009-0710 (Multiple cross-site scripting (XSS) vulnerabilities in PHPFootball 1.6 ...)
	NOT-FOR-US: PHPFootball
CVE-2009-0709 (SQL injection vulnerability in login.php in PHPFootball 1.6 allows rem ...)
	NOT-FOR-US: PHPFootball
CVE-2009-0708 (Multiple cross-site request forgery (CSRF) vulnerabilities in Semantic ...)
	NOT-FOR-US: SemanticScuttle
CVE-2009-0707 (SQL injection vulnerability in admin/index.php in PowerClan 1.14a allo ...)
	NOT-FOR-US: PowerClan
CVE-2009-0706 (SQL injection vulnerability in the Simple Review (com_simple_review) c ...)
	NOT-FOR-US: Joomla!
CVE-2009-0705 (SQL injection vulnerability in news.php in PowerScripts PowerNews 2.5. ...)
	NOT-FOR-US: PowerScripts PowerNews
CVE-2009-0704 (SQL injection vulnerability in search.php in WSN Guest 1.23 allows rem ...)
	NOT-FOR-US: WSN Guest
CVE-2009-0703 (SQL injection vulnerability in bview.asp in ASPThai.Net Webboard 6.0 a ...)
	NOT-FOR-US: ASPThai.Net Webboard
CVE-2009-0702 (SQL injection vulnerability in the Phoca Documentation (com_phocadocum ...)
	NOT-FOR-US: Joomla!
CVE-2009-0701 (Multiple PHP remote file inclusion vulnerabilities in index.php in Cyb ...)
	NOT-FOR-US: Cybershade
CVE-2009-0700 (Plunet BusinessManager 4.1 and earlier allows remote authenticated use ...)
	NOT-FOR-US: Plunet BusinessManager
CVE-2009-0699 (Cross-site scripting (XSS) vulnerability in pagesUTF8/auftrag_allgemei ...)
	NOT-FOR-US: Plunet BusinessManager
CVE-2009-0698 (Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib ...)
	- xine-lib 1.1.16.2-1 (bug #517792; bug #523475; medium)
	- vlc (affected part of xine-lib code not present)
CVE-2009-0697
	RESERVED
CVE-2009-0696 (The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 befo ...)
	{DSA-1847-1}
	- bind9 1:9.6.1.dfsg.P1-1 (bug #538975; high)
	NOTE: See also http://www.kb.cert.org/vuls/id/725188
CVE-2009-0695 (hagent.exe in Wyse Device Manager (WDM) 4.7.x does not require authent ...)
	NOT-FOR-US: Wyse Device Manager not in Debian
CVE-2009-0694
	RESERVED
CVE-2009-0693 (Multiple buffer overflows in Wyse Device Manager (WDM) 4.7.x allow rem ...)
	NOT-FOR-US: Wyse Device Manager not in Debian
CVE-2009-0692 (Stack-based buffer overflow in the script_write_params method in clien ...)
	{DSA-1833-2 DSA-1833-1}
	- dhcp3 3.1.2p1-1 (medium)
	NOTE: dhcp in etch is not affected.
CVE-2009-0691 (The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for Foxit ...)
	NOT-FOR-US: Foxit JPEG2000/JBIG2 Decoder add-on
CVE-2009-0690 (The Foxit JPEG2000/JBIG2 Decoder add-on before 2.0.2009.616 for Foxit ...)
	NOT-FOR-US: Foxit JPEG2000/JBIG2 Decoder add-on
CVE-2009-0689 (Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa. ...)
	{DSA-1998-1 DSA-1931-1 DLA-1564-1 DLA-376-1}
	- nspr 4.8-2
	[etch] - nspr (Mozilla packages from oldstable no longer covered by security support)
	- kdelibs 4:3.5.10.dfsg.1-3 (medium; bug #559265)
	- kde4libs 4:4.3.4-1 (medium; bug #559266)
	[lenny] - kde4libs (Only used by a few packages in Lenny, hardly any attack vector)
	- mono 4.2.1.102+dfsg2-4
	[wheezy] - mono (Minor issue)
	NOTE: http://www.mono-project.com/docs/about-mono/vulnerabilities/
	NOTE: https://gist.github.com/directhex/01e853567fd2cc74ed39
CVE-2009-0688 (Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 ...)
	{DSA-1807-1 DTSA-200-1 DTSA-201-1}
	- cyrus-sasl2 2.1.23.dfsg1-1 (bug #528749)
	- cyrus-sasl2-heimdal 2.1.23.dfsg1-1
	NOTE: VU#238019
CVE-2009-0687 (The pf_test_rule function in OpenBSD Packet Filter (PF), as used in Op ...)
	NOT-FOR-US: OpenBSD Packet Filter
CVE-2009-0686 (The TrendMicro Activity Monitor Module (tmactmon.sys) 2.52.0.1002 in T ...)
	NOT-FOR-US: Trend Micro Internet Pro
CVE-2009-0685
	RESERVED
CVE-2009-0684
	RESERVED
CVE-2009-0683
	RESERVED
CVE-2009-0682 (vetmonnt.sys in CA Internet Security Suite r3, vetmonnt.sys before 9.0 ...)
	NOT-FOR-US: CA Internet Security Suite
CVE-2009-0681 (PGP Desktop before 9.10 allows local users to (1) cause a denial of se ...)
	NOT-FOR-US: PGP Desktop
CVE-2009-0680 (cgi-bin/welcome/VPN_only in the web interface in Netgear SSL312 allows ...)
	NOT-FOR-US: Netgear
CVE-2009-0679 (Cross-site scripting (XSS) vulnerability in the Your Account module in ...)
	NOT-FOR-US: RavenNuke
CVE-2009-0678 (images/captcha.php in RavenNuke 2.30 allows remote attackers to obtain ...)
	NOT-FOR-US: RavenNuke
CVE-2009-0677 (avatarlist.php in the Your Account module, reached through modules.php ...)
	NOT-FOR-US: RavenNuke
CVE-2009-0676 (The sock_getsockopt function in net/core/sock.c in the Linux kernel be ...)
	{DSA-1794-1 DSA-1787-1 DSA-1749-1}
	- linux-2.6 2.6.29-1 (low)
	- linux-2.6.24 (low)
	NOTE: Original fix was incomplete/risky, see:
	NOTE:
	NOTE: Reproducer in
	NOTE: lacks initializer for len. Leak confirmed with fixed reproducer.
CVE-2009-0675 (The skfp_ioctl function in drivers/net/skfp/skfddi.c in the Linux kern ...)
	{DSA-1794-1 DSA-1787-1 DSA-1749-1}
	- linux-2.6 2.6.29-1 (low)
	- linux-2.6.24 (low)
CVE-2009-0674 (images/captcha.php in Raven Web Services RavenNuke 2.30, when register ...)
	NOT-FOR-US: RavenNuke
CVE-2009-0673 (Eval injection vulnerability in the Custom Fields feature in the Your ...)
	NOT-FOR-US: RavenNuke
CVE-2009-0672 (SQL injection vulnerability in the Resend_Email module in Raven Web Se ...)
	NOT-FOR-US: RavenNuke
CVE-2009-0671
	REJECTED
CVE-2009-0670
	RESERVED
CVE-2009-0669 (Zope Object Database (ZODB) before 3.8.2, when certain Zope Enterprise ...)
	{DSA-2234-1 DSA-1863-1}
	- zope3 (bug #540462)
	- zope2.11 2.11.4-1 (bug #540463)
	- zope2.10 2.10.9-1 (bug #540464)
	- zope2.9
	- zodb 1:3.8.2-1 (bug #540465)
CVE-2009-0668 (Unspecified vulnerability in Zope Object Database (ZODB) before 3.8.2, ...)
	{DSA-2234-1 DSA-1863-1}
	- zope3 (medium; bug #540462)
	- zope2.11 2.11.4-1 (medium; bug #540463)
	- zope2.10 2.10.9-1 (medium; bug #540464)
	- zope2.9
	- zodb 1:3.8.2-1 (medium; bug #540465)
CVE-2009-0667 (Untrusted search path vulnerability in Agent/Backend.pm in Ocsinventor ...)
	{DSA-1828-1}
	- ocsinventory-agent 1:0.0.9.2repack1-5 (medium; bug #506416)
CVE-2009-0666
	RESERVED
CVE-2009-0665
	RESERVED
CVE-2009-0664 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0.x be ...)
	{DSA-1778-1}
	- mahara 1.1.3-1 (low)
CVE-2009-0663 (Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-per ...)
	{DSA-1780-1}
	- libdbd-pg-perl 2.1.3-1
CVE-2009-0662 (The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product ...)
	- plone3 (medium; bug #525943)
CVE-2009-0661 (Wee Enhanced Environment for Chat (WeeChat) 0.2.6 allows remote attack ...)
	{DSA-1744-1}
	- weechat 0.2.6.1-1 (medium; bug #519940)
	[etch] - weechat (vulnerable code not present)
CVE-2009-0660 (Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 befo ...)
	{DSA-1736-1}
	- mahara 1.1.2-1 (low)
CVE-2009-0659 (Stack-based buffer overflow in the GetStatsFromLine function in TPTEST ...)
	NOT-FOR-US: TPTEST
CVE-2009-0658 (Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and e ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-0657 (Toshiba Face Recognition 2.0.2.32 allows physically proximate attacker ...)
	NOT-FOR-US: Toshiba Face Recognition
CVE-2009-0656 (Asus SmartLogon 1.0.0005 allows physically proximate attackers to bypa ...)
	NOT-FOR-US: Asus SmartLogon
CVE-2009-0655 (Lenovo Veriface III allows physically proximate attackers to login to ...)
	NOT-FOR-US: Lenovo Veriface
CVE-2009-0654 (Tor 0.2.0.28, and probably 0.2.0.34 and earlier, allows remote attacke ...)
	- tor (unimportant)
	NOTE: attacker already controls entry and exit node at this stage
CVE-2009-0653 (OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an ...)
	- openssl 0.9.8-1 (bug #517791)
CVE-2009-0652 (The Internationalized Domain Names (IDN) blacklist in Mozilla Firefox ...)
	{DSA-1830-1 DSA-1797-1}
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- xulrunner 1.9.0.9-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
CVE-2009-0651 (Unspecified vulnerability in the Veritas network daemon (aka vnetd) in ...)
	NOT-FOR-US: Veritas network daemon
CVE-2009-0650 (Stack-based buffer overflow in the GetStatsFromLine function in TPTEST ...)
	NOT-FOR-US: TPTEST
CVE-2009-0649 (The web browser in Symbian OS on the Nokia N95 cell phone allows remot ...)
	NOT-FOR-US: Symbian OS
CVE-2009-XXXX [thunar: potential exploits via application launchers]
	- thunar (bug #517020; unimportant)
	NOTE: Minor impact, any attack would still require a significant amount of social engineering
CVE-2009-XXXX [sysvinit: no-root option in expert installer exposes locally exploitable security flaw]
	- sysvinit (bug #517018; unimportant)
	NOTE: hardly a security issue, if an attacker has local access to the machine and you
	NOTE: don't use encryption or something similar you have lost anyway
	NOTE: - this ^ philosophy is flawed; it should not be trivial to get root just because you
	NOTE: have local access to the machine. it is worth it to make it as difficult as
	NOTE: possible without impacting authorized users. otherwise, why spend so much effort
	NOTE: to make sure xscreensaver, gdm, and login are rock solid?
	NOTE: - i would like to track as low, rather than unimportant
CVE-2009-0753 (Absolute path traversal vulnerability in MLDonkey 2.8.4 through 2.9.7 ...)
	{DSA-1739-1}
	- mldonkey 3.0.0-1 (bug #516829; medium)
	[etch] - mldonkey (vulnerable code not present)
	NOTE: daemon is run as non-root and can only be exploited via localhost
CVE-2009-0648 (Multiple cross-site request forgery (CSRF) vulnerabilities in the mana ...)
	NOT-FOR-US: Falt4 CMS
CVE-2009-0647 (msnmsgr.exe in Windows Live Messenger (WLM) 2009 build 14.0.8064.206, ...)
	NOT-FOR-US: Windows Live Messenger
CVE-2009-0646 (Multiple SQL injection vulnerabilities in 4Site CMS 2.6 and earlier al ...)
	NOT-FOR-US: 4Site CMS
CVE-2009-0645 (Directory traversal vulnerability in index.php in Jaws 0.8.8 allows re ...)
	NOT-FOR-US: Jaws
CVE-2009-0644 (The HTTP interface in Swann DVR4-SecuraNet has a certain default admin ...)
	NOT-FOR-US: Swann DVR4-SecuraNet
CVE-2009-0643 (Static code injection vulnerability in post.php in Simple PHP News 1.0 ...)
	NOT-FOR-US: Simple PHP News
CVE-2009-0642 (ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check th ...)
	{DSA-1860-1}
	- ruby1.9 1.9.0.5-1 (bug #513528)
	- ruby1.8 1.8.7.72-3.1 (medium; bug #517639; bug #522939)
CVE-2009-0641 (sys_term.c in telnetd in FreeBSD 7.0-RELEASE and other 7.x versions de ...)
	NOT-FOR-US: FreeBSD telnetd (apparently there's some common code base in netkit-telnet, but it's not affected)
CVE-2009-0640 (Directory traversal vulnerability in the administrative web server in ...)
	NOT-FOR-US: Swann DVR4-SecuraNet
CVE-2009-0639 (PHP remote file inclusion vulnerability in moduli/libri/index.php in p ...)
	NOT-FOR-US: phpyabs
CVE-2009-0638 (The Cisco Firewall Services Module (FWSM) 2.x, 3.1 before 3.1(16), 3.2 ...)
	NOT-FOR-US: Cisco Firewall Services Module
CVE-2009-0637 (The SCP server in Cisco IOS 12.2 through 12.4, when Role-Based CLI Acc ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0636 (Unspecified vulnerability in Cisco IOS 12.0 through 12.4, when SIP voi ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0635 (Memory leak in the Cisco Tunneling Control Protocol (cTCP) encapsulati ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0634 (Multiple unspecified vulnerabilities in the home agent (HA) implementa ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0633 (Multiple unspecified vulnerabilities in the (1) Mobile IP NAT Traversa ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0632 (The IP Phone Personal Address Book (PAB) Synchronizer feature in Cisco ...)
	NOT-FOR-US: Cisco Unified Communications Manager
CVE-2009-0631 (Unspecified vulnerability in Cisco IOS 12.0 through 12.4, when configu ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0630 (The (1) Cisco Unified Communications Manager Express; (2) SIP Gateway ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0629 (The (1) Airline Product Set (aka ALPS), (2) Serial Tunnel Code (aka ST ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0628 (Memory leak in the SSLVPN feature in Cisco IOS 12.3 through 12.4 allow ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0627 (Unspecified vulnerability in Cisco NX-OS before 4.0(1a)N2(1), when run ...)
	NOT-FOR-US: Cisco NX-OS
CVE-2009-0626 (The SSLVPN feature in Cisco IOS 12.3 through 12.4 allows remote attack ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0625 (Unspecified vulnerability in Cisco ACE Application Control Engine Modu ...)
	NOT-FOR-US: Cisco
CVE-2009-0624 (Unspecified vulnerability in the SNMPv2c implementation in Cisco ACE A ...)
	NOT-FOR-US: Cisco
CVE-2009-0623 (Unspecified vulnerability in Cisco ACE Application Control Engine Modu ...)
	NOT-FOR-US: Cisco
CVE-2009-0622 (Unspecified vulnerability in Cisco ACE Application Control Engine Modu ...)
	NOT-FOR-US: Cisco
CVE-2009-0621 (Cisco ACE 4710 Application Control Engine Appliance before A1(8a) uses ...)
	NOT-FOR-US: Cisco
CVE-2009-0620 (Cisco ACE Application Control Engine Module for Catalyst 6500 Switches ...)
	NOT-FOR-US: Cisco
CVE-2009-0619 (Unspecified vulnerability in the Session Border Controller (SBC) befor ...)
	NOT-FOR-US: Cisco
CVE-2009-0618 (Unspecified vulnerability in the Java agent in Cisco Application Netwo ...)
	NOT-FOR-US: Cisco
CVE-2009-0617 (Cisco Application Networking Manager (ANM) before 2.0 uses a default M ...)
	NOT-FOR-US: Cisco
CVE-2009-0616 (Cisco Application Networking Manager (ANM) before 2.0 uses default use ...)
	NOT-FOR-US: Cisco
CVE-2009-0615 (Directory traversal vulnerability in Cisco Application Networking Mana ...)
	NOT-FOR-US: Cisco
CVE-2009-0614 (Unspecified vulnerability in the Web Server in Cisco Unified MeetingPl ...)
	NOT-FOR-US: Cisco
CVE-2009-0613 (Trend Micro InterScan Web Security Suite (IWSS) 3.1 before build 1237 ...)
	NOT-FOR-US: Trend Micro
CVE-2009-0612 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 3.x and I ...)
	NOT-FOR-US: Trend Micro
CVE-2009-0611 (Multiple cross-site scripting (XSS) vulnerabilities in qfsearch/AdminS ...)
	NOT-FOR-US: Novell Open Enterprise Server
CVE-2009-0610 (Multiple static code injection vulnerabilities in post.php in Simple P ...)
	NOT-FOR-US: Simple PHP News
CVE-2009-0609 (Sun Java System Directory Proxy Server in Sun Java System Directory Se ...)
	NOT-FOR-US: Sun Java System Directory Server Enterprise Edition
CVE-2009-0608 (Integer overflow in the showLog function in fake_log_device.c in liblo ...)
	NOT-FOR-US: Android
CVE-2009-0607 (Multiple integer overflows in malloc_leak.c in Bionic in Open Handset ...)
	NOT-FOR-US: Android
CVE-2009-0606 (The link_image function in linker/linker.c in the dynamic linker in Bi ...)
	NOT-FOR-US: Android
CVE-2009-0605 (Stack consumption vulnerability in the do_page_fault function in arch/ ...)
	- linux-2.6 (CONFIG_KPROBES is not enabled)
	- linux-2.6.24 (CONFIG_KPROBES is not enabled)
CVE-2009-0604 (SQL injection vulnerability in index.php in PHP Director 0.21 and earl ...)
	NOT-FOR-US: PHP Director
CVE-2009-0603 (Cross-site scripting (XSS) vulnerability in index.php in the Link modu ...)
	NOT-FOR-US: Link drupal module
CVE-2009-0602 (Unrestricted file upload vulnerability in upload.php in WikkiTikkiTavi ...)
	NOT-FOR-US: WikkiTikkiTavi
CVE-2009-0601 (Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-W ...)
	- wireshark 1.0.6-1
	[etch] - wireshark (Vulnerable code not present, introduced in 0.99.8)
	[lenny] - wireshark 1.0.2-3+lenny4
CVE-2009-0600 (Wireshark 0.99.6 through 1.0.5 allows user-assisted remote attackers t ...)
	- wireshark 1.0.6-1
	[etch] - wireshark (Vulnerable code not present, introduced in 0.99.6)
	[lenny] - wireshark 1.0.2-3+lenny4
CVE-2009-0599 (Buffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through 1.0 ...)
	- wireshark 1.0.6-1
	[etch] - wireshark (Vulnerable code not present, introduced in 0.99.7)
	[lenny] - wireshark 1.0.2-3+lenny4
CVE-2009-0598 (SQL injection vulnerability in index.php in PhpMesFilms 1.0 and 1.8 al ...)
	NOT-FOR-US: PhpMesFilms
CVE-2009-0597 (SQL injection vulnerability in admin/index.php in w3b>cms (aka w3bl ...)
	NOT-FOR-US: w3b>cms
CVE-2009-0596 (Directory traversal vulnerability in skysilver/login.tpl.php in phpSke ...)
	NOT-FOR-US: phpSkelSite
CVE-2009-0595 (PHP remote file inclusion vulnerability in skysilver/login.tpl.php in ...)
	NOT-FOR-US: phpSkelSite
CVE-2009-0594 (Cross-site scripting (XSS) vulnerability in index.php in phpSkelSite 1 ...)
	NOT-FOR-US: phpSkelSite
CVE-2009-0593 (SQL injection vulnerability in members.php in plx Auto Reminder 3.7 al ...)
	NOT-FOR-US: plx Auto Reminder
CVE-2009-0592 (Multiple directory traversal vulnerabilities in PNphpBB2 1.2i and earl ...)
	NOT-FOR-US: PNphpBB2
CVE-2009-0591 (The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is ...)
	- openssl (vulnerable versions not uploaded to Debian)
CVE-2009-0590 (The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remo ...)
	{DSA-1763-1}
	- openssl 0.9.8g-16 (low; bug #522002)
CVE-2009-0589
	REJECTED
CVE-2009-0588 (agent/request/op.cgi in the Registration Authority (RA) component in R ...)
	NOT-FOR-US: Registration Authority (RA) component in Red Hat Certificate System (RHCS)
CVE-2009-0587 (Multiple integer overflows in Evolution Data Server (aka evolution-dat ...)
	{DSA-1813-1}
	- evolution-data-server 2.22.3-1 (medium)
	NOTE: this version doesn't fix the overflows but uses the glib functions for decoding instead
CVE-2009-0586 (Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs ...)
	- gst-plugins-base0.10 0.10.22-4
	[lenny] - gst-plugins-base0.10 (Vulnerable lib calls not present)
	[etch] - gst-plugins-base0.10 (Vulnerable lib calls not present)
CVE-2009-0585 (Integer overflow in the soup_base64_encode function in soup-misc.c in ...)
	{DSA-1748-1}
	- libsoup 2.2.105-4 (medium; bug #520039)
CVE-2009-0584 (icc.c in the International Color Consortium (ICC) Format library (aka ...)
	{DSA-1746-1 DTSA-198-1}
	- ghostscript 8.64~dfsg-1.1 (medium; bug #522416)
	- argyll 1.0.3-2 (bug #522448)
	- gs-gpl (medium)
	- gs-esp
CVE-2009-0583 (Multiple integer overflows in icc.c in the International Color Consort ...)
	{DSA-1746-1 DTSA-198-1}
	- ghostscript 8.64~dfsg-1.1 (medium; bug #522416)
	- argyll 1.0.3-2 (bug #522448)
	- gs-gpl (medium)
	- gs-esp
CVE-2009-0582 (The ntlm_challenge function in the NTLM SASL authentication mechanism ...)
	{DSA-1813-1}
	- evolution-data-server 2.26.1.1-1
CVE-2009-0581 (Memory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as us ...)
	{DSA-1769-1 DSA-1745-1}
	- lcms 1.18.dfsg-1 (bug #522446)
CVE-2009-0580 (Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 th ...)
	{DSA-2207-1}
	- tomcat6 6.0.20-1 (low; bug #532362)
	[lenny] - tomcat6 (Only ships the servlet package)
	- tomcat5 (low; bug #532363)
	- tomcat5.5 (low; bug #532366)
CVE-2009-0579 (Linux-PAM before 1.0.4 does not enforce the minimum password age (MIND ...)
	- pam 1.0.1-10 (unimportant; bug #514437)
	NOTE: the ability to change a password earlier than scheduled is not a security
	NOTE: vulnerability in itself (unless the user changes their password back to
	NOTE: their previous password; thus violating the security policy as defined by
	NOTE: the administrator)
CVE-2009-0578 (GNOME NetworkManager before 0.7.0.99 does not properly verify privileg ...)
	- network-manager-applet 0.7.0.99-1 (medium; bug #519801)
	[lenny] - network-manager-applet (Bug affected the 0.7.x series)
CVE-2009-0577 (Integer overflow in the WriteProlog function in texttops in CUPS 1.1.1 ...)
	NOT-FOR-US: RedHat specific, because they had a problem applying the fix for CVE-2008-3640
CVE-2009-0576 (Unspecified vulnerability in Sun Java System Directory Server 5.2 p6 a ...)
	NOT-FOR-US: Sun Java System Directory Server
CVE-2009-0575 (Cross-site scripting (XSS) vulnerability in the theme_views_bulk_opera ...)
	NOT-FOR-US: Views Bulk Operations
CVE-2009-0574 (SQL injection vulnerability in index.php in Easy CafeEngine allows rem ...)
	NOT-FOR-US: Easy CafeEngine
CVE-2009-0573 (Multiple cross-site scripting (XSS) vulnerabilities in FotoWeb 6.0 (Bu ...)
	NOT-FOR-US: FotoWeb
CVE-2009-0572 (PHP remote file inclusion vulnerability in include/flatnux.php in Flat ...)
	NOT-FOR-US: FlatnuX CMS
CVE-2009-0571 (admin.php in Ninja Designs Mailist 3.0 stores backup copies of maillis ...)
	NOT-FOR-US: Ninja Designs Mailist
CVE-2009-0570 (Directory traversal vulnerability in send.php in Ninja Designs Mailist ...)
	NOT-FOR-US: Ninja Designs Mailist
CVE-2009-0569 (Buffer overflow in Becky! Internet Mail 2.48.02 and earlier allows rem ...)
	NOT-FOR-US: Becky! Internet Mail
CVE-2009-0568 (The RPC Marshalling Engine (aka NDR) in Microsoft Windows 2000 SP4, XP ...)
	NOT-FOR-US: Microsoft
CVE-2009-0567
	REJECTED
CVE-2009-0566 (Microsoft Office Publisher 2007 SP1 does not properly calculate object ...)
	NOT-FOR-US: Microsoft Office Publisher
CVE-2009-0565 (Buffer overflow in Microsoft Office Word 2000 SP3, 2002 SP3, and 2007 ...)
	NOT-FOR-US: Microsoft
CVE-2009-0564
	RESERVED
CVE-2009-0563 (Stack-based buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP ...)
	NOT-FOR-US: Microsoft
CVE-2009-0562 (The Office Web Components ActiveX Control in Microsoft Office XP SP3, ...)
	NOT-FOR-US: ActiveX
CVE-2009-0561 (Integer overflow in Excel in Microsoft Office 2000 SP3, Office XP SP3, ...)
	NOT-FOR-US: Microsoft
CVE-2009-0560 (Excel in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, an ...)
	NOT-FOR-US: Microsoft
CVE-2009-0559 (Stack-based buffer overflow in Excel in Microsoft Office 2000 SP3 and ...)
	NOT-FOR-US: Microsoft
CVE-2009-0558 (Array index error in Excel in Microsoft Office 2000 SP3 and Office 200 ...)
	NOT-FOR-US: Microsoft
CVE-2009-0557 (Excel in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, an ...)
	NOT-FOR-US: Microsoft
CVE-2009-0556 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and Powe ...)
	NOT-FOR-US: Microsoft Office
CVE-2009-0555 (Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-0554 (Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-0553 (Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-0552 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6 S ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-0551 (Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-0550 (Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-0549 (Excel in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, an ...)
	NOT-FOR-US: Microsoft
CVE-2009-0548 (Cross-site scripting (XSS) vulnerability in the Additional Report Sett ...)
	NOT-FOR-US: Additional Report Settings interface in ESET Remote Administrator
CVE-2009-0547 (Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-ma ...)
	{DSA-1813-1}
	- evolution-data-server 2.24.5-2 (low; bug #508479)
CVE-2009-0546 (Stack-based buffer overflow in NewsGator FeedDemon 2.7 and earlier all ...)
	NOT-FOR-US: NewsGator FeedDemon
CVE-2009-0545 (cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote atta ...)
	NOT-FOR-US: ZeroShell
CVE-2009-0544 (Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote attack ...)
	{DSA-1726-1}
	- python-crypto 2.0.1+dfsg1-3 (bug #516660)
CVE-2009-0543 (ProFTPD Server 1.3.1, with NLS support enabled, allows remote attacker ...)
	{DSA-1730-1 DSA-1727-1}
	- proftpd-dfsg 1.3.2-1 (medium; bug #516388)
	[etch] - proftpd-dfsg (etch version not affected)
	[lenny] - proftpd-dfsg 1.3.1-17lenny2
CVE-2009-0542 (SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2 a ...)
	{DSA-1730-1 DSA-1727-1}
	- proftpd-dfsg 1.3.2-1 (medium; bug #516388)
	[etch] - proftpd-dfsg (etch version not affected)
	[lenny] - proftpd-dfsg 1.3.1-17lenny2
CVE-2009-0541 (Multiple cross-site scripting (XSS) vulnerabilities in Magento 1.2.0 a ...)
	NOT-FOR-US: Magento
CVE-2009-0540 (Cross-site scripting (XSS) vulnerability in Libero 5.3 SP5, and possib ...)
	NOT-FOR-US: Libero
CVE-2009-0539
	RESERVED
CVE-2009-0538 (Format string vulnerability in Symantec pcAnywhere before 12.5 SP1 all ...)
	NOT-FOR-US: Symantec pcAnywhere
CVE-2009-0537 (Integer overflow in the fts_build function in fts.c in libc in (1) Ope ...)
	- glibc (Vulnerable code not present)
	NOTE: glibc checks that the complete path length is not longer than USHRT_MAX
	NOTE: and closes the directory path and frees the structures in that case (io/fts.c line 727)
CVE-2009-0536 (at in bos.rte.cron on IBM AIX 5.2.0, 5.3.0 through 5.3.9, and 6.1.0 th ...)
	NOT-FOR-US: IBM AIX
CVE-2009-0535 (Directory traversal vulnerability in export.php in Thyme 1.3 and earli ...)
	NOT-FOR-US: Thyme
CVE-2009-0534 (SQL injection vulnerability in FlexCMS allows remote attackers to exec ...)
	NOT-FOR-US: FlexCMS
CVE-2009-0533 (Cross-site scripting (XSS) vulnerability in password.php in Scripts fo ...)
	NOT-FOR-US: Sites EZ Reminder
CVE-2009-0532 (Cross-site scripting (XSS) vulnerability in password.php in Scripts Fo ...)
	NOT-FOR-US: Scripts For Sites (SFS) EZ Baby
CVE-2009-0531 (SQL injection vulnerability in gallery/view.asp in A Better Member-Bas ...)
	NOT-FOR-US: A Better Member-Based ASP Photo Gallery
CVE-2009-0530 (Multiple PHP remote file inclusion vulnerabilities in SnippetMaster 2. ...)
	NOT-FOR-US: SnippetMaster
CVE-2009-0529 (Cross-site scripting (XSS) vulnerability in index.php in SnippetMaster ...)
	NOT-FOR-US: SnippetMaster
CVE-2009-0528 (SQL injection vulnerability in frame.php in Rhadrix If-CMS 2.07 and ea ...)
	NOT-FOR-US: Rhadrix If-CMS
CVE-2009-0527 (PHP remote file inclusion vulnerability in plugins/rss_importer_functi ...)
	NOT-FOR-US: AdaptCMS
CVE-2009-0526 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Ad ...)
	NOT-FOR-US: AdaptCMS
CVE-2009-0525 (Cross-site scripting (XSS) vulnerability in the sajax_get_common_js fu ...)
	NOT-FOR-US: Sajax
CVE-2009-XXXX [nautilus: potential exploits via application launchers]
	- nautilus 2.26.2-1 (low; bug #515104)
	[lenny] - nautilus (Minor issue)
	[etch] - nautilus (Minor issue)
	NOTE: need to submit a request for CVE id
CVE-2009-XXXX [konqueror: potential exploits via application launchers]
	- kdebase (unimportant; bug #515106)
	NOTE: Minor impact, any attack would still require a significant amount of social engineering
CVE-2009-0737 (Multiple cross-site scripting (XSS) vulnerabilities in the web-based i ...)
	{DSA-1901-1}
	- mediawiki 1:1.14.0-1 (low; bug #514547)
	- mediawiki1.7
	[lenny] - mediawiki 1:1.12.0-2lenny3
	[etch] - mediawiki (metapackage)
CVE-2009-0524 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 6 and 7, an ...)
	NOT-FOR-US: Adobe RoboHelp
CVE-2009-0523 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 an ...)
	NOT-FOR-US: Adobe RoboHelp
CVE-2009-0522 (Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 on ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-0521 (Untrusted search path vulnerability in Adobe Flash Player 9.x before 9 ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-0520 (Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 doe ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-0519 (Unspecified vulnerability in Adobe Flash Player 9.x before 9.0.159.0 a ...)
	NOT-FOR-US: Adobe Flash Player
CVE-2009-0518 (VI Client in VMware VirtualCenter before 2.5 Update 4, VMware ESXi 3.5 ...)
	NOT-FOR-US: VMware
CVE-2009-0517 (Eval injection vulnerability in index.php in phpSlash 0.8.1.1 and earl ...)
	NOT-FOR-US: phpSlash
CVE-2009-0516 (SQL injection vulnerability in the classified page (classified.php) in ...)
	NOT-FOR-US: BusinessSpace
CVE-2009-0515 (Directory traversal vulnerability in check_lang.php in Yet Another NOC ...)
	NOT-FOR-US: YANOCC
CVE-2009-0514 (Multiple directory traversal vulnerabilities in WebFrame 0.76 allow re ...)
	NOT-FOR-US: WebFrame
CVE-2009-0513 (Multiple PHP remote file inclusion vulnerabilities in WebFrame 0.76 al ...)
	NOT-FOR-US: WebFrame
CVE-2009-0512 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-0511 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-0510 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-0509 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-0508 (The Servlet Engine/Web Container and JSP components in IBM WebSphere A ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0507 (IBM WebSphere Process Server (WPS) 6.1.2 before 6.1.2.3 and 6.2 before ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0506 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5. ...)
	NOT-FOR-US: IBM WebSphere Application Server
CVE-2009-0505 (The CICS listener in IBM TXSeries for Multiplatforms 6.2 GA waits for ...)
	NOT-FOR-US: IBM TXSeries
CVE-2009-0504 (WSPolicy in the Web Services component in IBM WebSphere Application Se ...)
	NOT-FOR-US: IBM WebSphere Application Server
CVE-2009-0503 (IBM WebSphere Message Broker 6.1.x before 6.1.0.2 writes a database co ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0502 (Cross-site scripting (XSS) vulnerability in blocks/html/block_html.php ...)
	{DSA-1724-1}
	- moodle 1.8.2.dfsg-3 (low)
	NOTE: MSA-09-0004
CVE-2009-0501 (Unspecified vulnerability in the Calendar export feature in Moodle 1.8 ...)
	{DTSA-195-1}
	- moodle 1.8.2.dfsg-4 (low)
	[etch] - moodle (Vulnerable code not present)
CVE-2009-0500 (Cross-site scripting (XSS) vulnerability in course/lib.php in Moodle 1 ...)
	{DSA-1724-1 DTSA-195-1}
	- moodle 1.8.2.dfsg-3 (low)
CVE-2009-0499 (Cross-site request forgery (CSRF) vulnerability in the forum code in M ...)
	- moodle 1.8.2.dfsg-3 (low)
	[etch] - moodle (Vulnerable code not present)
CVE-2009-0498 (Virtual GuestBook (vgbook) 2.1 stores sensitive information under the ...)
	NOT-FOR-US: Virtual GuestBook
CVE-2009-0497 (Directory traversal vulnerability in log.jsp in Ignite Realtime Openfi ...)
	NOT-FOR-US: Openfire
CVE-2009-0496 (Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime ...)
	NOT-FOR-US: Openfire
CVE-2009-0495 (PHP remote file inclusion vulnerability in include/define.php in REALT ...)
	NOT-FOR-US: REALTOR
CVE-2009-0494 (SQL injection vulnerability in the Portfol (com_portfol) 1.2 component ...)
	NOT-FOR-US: Joomla!
CVE-2009-0493 (SQL injection vulnerability in login.php in IT!CMS 2.1a and earlier al ...)
	NOT-FOR-US: IT CMS
CVE-2009-0492 (Unspecified vulnerability in SimpleIrcBot before 1.0 Stable has unknow ...)
	NOT-FOR-US: SimpleIrcBot
CVE-2009-0491 (Stack-based buffer overflow in Elecard MPEG Player 5.5 build 15884.081 ...)
	NOT-FOR-US: Elecard MPEG Player
CVE-2009-0488 (Cross-site scripting (XSS) vulnerability in Phorum before 5.2.10 allow ...)
	NOT-FOR-US: Phorum
CVE-2009-0486 (Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl, calls t ...)
	- bugzilla 3.2.4.0-1 (bug #514143)
	[etch] - bugzilla (Versions before 3.2.1, 3.0.7, and 3.3.2 were not affected)
	[lenny] - bugzilla (Versions before 3.2.1, 3.0.7, and 3.3.2 were not affected)
CVE-2009-0485 (Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.17 to 2. ...)
	- bugzilla 3.2.4.0-1 (low; bug #514143)
	[etch] - bugzilla (Minor issue)
	[lenny] - bugzilla (Minor issue)
CVE-2009-0484 (Cross-site request forgery (CSRF) vulnerability in Bugzilla 3.0 before ...)
	- bugzilla 3.2.4.0-1 (low; bug #514143)
	[etch] - bugzilla (Minor issue)
	[lenny] - bugzilla (Minor issue)
CVE-2009-0483 (Cross-site request forgery (CSRF) vulnerability in Bugzilla 2.22 befor ...)
	- bugzilla 3.2.4.0-1 (low; bug #514143)
	[etch] - bugzilla (Minor issue)
	[lenny] - bugzilla (Minor issue)
CVE-2009-0482 (Cross-site request forgery (CSRF) vulnerability in Bugzilla before 3.2 ...)
	- bugzilla 3.2.4.0-1 (low; bug #514143)
	[etch] - bugzilla (Minor issue)
	[lenny] - bugzilla (Minor issue)
CVE-2009-0481 (Bugzilla 2.x before 2.22.7, 3.0 before 3.0.7, 3.2 before 3.2.1, and 3. ...)
	- bugzilla 3.2.4.0-1 (low; bug #514143)
	[etch] - bugzilla (Minor issue)
	[lenny] - bugzilla (Minor issue)
CVE-2009-0480 (The IP implementation in Sun Solaris 8 through 10, and OpenSolaris bef ...)
	NOT-FOR-US: Solaris
CVE-2009-0489 (The DBus configuration file for Wicd before 1.5.9 allows arbitrary use ...)
	- wicd 1.5.9-1
CVE-2009-0479 (Multiple SQL injection vulnerabilities in admin/admin_login.php in Onl ...)
	NOT-FOR-US: Online Grades
CVE-2009-0477 (Unspecified vulnerability in the process (aka proc) filesystem in Sun ...)
	NOT-FOR-US: OpenSolaris
CVE-2009-0476 (Stack-based buffer overflow in MultiMedia Soft AdjMmsEng.dll 7.11.1.0 ...)
	NOT-FOR-US: MultiMedia Soft audio components
CVE-2009-0475 (Integer underflow in the Huffman decoding functionality (pvmp3_huffman ...)
	NOT-FOR-US: OpenCORE
CVE-2009-0474 (The web interface in the Rockwell Automation ControlLogix 1756-ENBT/A ...)
	NOT-FOR-US: Rockwell EtherNet/IP Bridge Module
CVE-2009-0473 (Open redirect vulnerability in the web interface in the Rockwell Autom ...)
	NOT-FOR-US: Rockwell EtherNet/IP Bridge Module
CVE-2009-0472 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...)
	NOT-FOR-US: Rockwell EtherNet/IP Bridge Module
CVE-2009-0471 (Cross-site request forgery (CSRF) vulnerability in the HTTP server in ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0470 (Multiple cross-site scripting (XSS) vulnerabilities in the HTTP server ...)
	NOT-FOR-US: Cisco IOS
CVE-2009-0469 (Unspecified vulnerability in futomi's CGI Cafe Fulltext search CGI 1.1 ...)
	NOT-FOR-US: futomi's CGI Cafe
CVE-2009-0468 (Multiple cross-site request forgery (CSRF) vulnerabilities in ajax.htm ...)
	NOT-FOR-US: Profense Web Application Firewall
CVE-2009-0467 (Cross-site scripting (XSS) vulnerability in proxy.html in Profense Web ...)
	NOT-FOR-US: Profense Web Application Firewall
CVE-2009-0466 (Cross-site scripting (XSS) vulnerability in Vivvo CMS before 4.1.1 all ...)
	NOT-FOR-US: Vivvo CMS
CVE-2009-0465 (The SaveDoc method in the All_In_The_Box.AllBox ActiveX control in ALL ...)
	NOT-FOR-US: Synactis ALL In-The-Box ActiveX 3
CVE-2009-0464 (PHP remote file inclusion vulnerability in includes/header.php in Groo ...)
	NOT-FOR-US: Groone GBook
CVE-2009-0463 (PHP remote file inclusion vulnerability in includes/header.php in Groo ...)
	NOT-FOR-US: Groone GLinks
CVE-2009-0462 (Multiple SQL injection vulnerabilities in customer_login_check.asp in ...)
	NOT-FOR-US: ClickTech ClickCart
CVE-2009-0461 (Whole Hog Password Protect: Enhanced 1.x allows remote attackers to by ...)
	NOT-FOR-US: Whole Hog Password Protect
CVE-2009-0460 (Whole Hog Ware Support 1.x allows remote attackers to bypass authentic ...)
	NOT-FOR-US: Whole Hog Ware Support
CVE-2009-0459 (Multiple SQL injection vulnerabilities in admin/login_submit.php in Wh ...)
	NOT-FOR-US: Whole Hog Password Protect
CVE-2009-0458 (Multiple SQL injection vulnerabilities in admin/login_submit.php in Wh ...)
	NOT-FOR-US: Whole Hog Ware Support
CVE-2009-0457 (Multiple directory traversal vulnerabilities in AJA Portal 1.2 allow r ...)
	NOT-FOR-US: AJA Portal
CVE-2009-0456 (PHP remote file inclusion vulnerability in examples/example_clientside ...)
	NOT-FOR-US: patForms
CVE-2009-0455 (Cross-site scripting (XSS) vulnerability in the anonymous comments fea ...)
	NOT-FOR-US: glFusion
CVE-2009-0454 (Multiple SQL injection vulnerabilities in DMXReady Online Notebook Man ...)
	NOT-FOR-US: DMXReady Online Notebook Manager
CVE-2009-0453 (Online Grades 3.2.4 allows remote attackers to obtain configuration in ...)
	NOT-FOR-US: Online Grades
CVE-2009-0452 (Multiple SQL injection vulnerabilities in parents/login.php in Online ...)
	NOT-FOR-US: Online Grades
CVE-2009-0451 (SQL injection vulnerability in Skalfa SkaLinks 1.5 allows remote attac ...)
	NOT-FOR-US: Skalfa SkaLinks
CVE-2009-0450 (Stack-based buffer overflow in BlazeVideo HDTV Player 3.5 and earlier ...)
	NOT-FOR-US: BlazeVideo
CVE-2009-0449 (Buffer overflow in klim5.sys in Kaspersky Anti-Virus for Workstations ...)
	NOT-FOR-US: Kaspersky Anti-Virus
CVE-2009-0448 (Directory traversal vulnerability in admin/modules/aa/preview.php in S ...)
	NOT-FOR-US: Syntax Desktop
CVE-2009-0447 (Multiple SQL injection vulnerabilities in default.asp in MyDesign Saya ...)
	NOT-FOR-US: MyDesign Sayac
CVE-2009-0446 (SQL injection vulnerability in photo.php in WEBalbum 2.4b allows remot ...)
	NOT-FOR-US: WEBalbum
CVE-2009-0445 (SQL injection vulnerability in index.php in Dreampics Gallery Builder ...)
	NOT-FOR-US: Dreampics Gallery Builder
CVE-2009-0444 (Multiple PHP remote file inclusion vulnerabilities in GRBoard 1.8, whe ...)
	NOT-FOR-US: GRBoard
CVE-2009-0443 (Stack-based buffer overflow in Elecard AVC HD PLAYER 5.5.90116 allows ...)
	NOT-FOR-US: Elecard AVC HD PLAYER
CVE-2009-0442 (Directory traversal vulnerability in bbcode.php in PHPbbBook 1.3 and 1 ...)
	NOT-FOR-US: PHPbbBook
CVE-2009-0441 (PHP remote file inclusion vulnerability in skin_shop/standard/2_view_b ...)
	NOT-FOR-US: Technote
CVE-2009-0440 (IBM WebSphere Partner Gateway (WPG) 6.0.0 through 6.0.0.7 does not pro ...)
	NOT-FOR-US: IBM WebSphere Partner Gateway
CVE-2009-0439 (Unspecified vulnerability in the queue manager in IBM WebSphere MQ (WM ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0438 (IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows all ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0437 (The Installation Factory installation process for IBM WebSphere Applic ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0436 (The (1) mod_ibm_ssl and (2) mod_cgid modules in IBM HTTP Server 6.0.x ...)
	NOT-FOR-US: IBM HTTP Server
CVE-2009-0435 (Unspecified vulnerability in the IBM Asynchronous I/O (aka AIO or libi ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0434 (PerfServlet in the PMI/Performance Tools component in IBM WebSphere Ap ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0433 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5. ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0432 (The installation process for the File Transfer servlet in the System M ...)
	NOT-FOR-US: IBM WebSphere
CVE-2009-0431 (SQL injection vulnerability in Default.asp in LinksPro Standard Editio ...)
	NOT-FOR-US: LinksPro
CVE-2009-0430 (Multiple cross-site scripting (XSS) vulnerabilities in Active Bids all ...)
	NOT-FOR-US: Active Bids
CVE-2009-0429 (Multiple SQL injection vulnerabilities in Active Bids allow remote att ...)
	NOT-FOR-US: Active Bids
CVE-2009-0428 (SQL injection vulnerability in CategoryManager/upload_image_category.a ...)
	NOT-FOR-US: DMXReady Secure Document
CVE-2009-0427 (SQL injection vulnerability in CategoryManager/upload_image_category.a ...)
	NOT-FOR-US: DMXReady Secure Document
CVE-2009-0426 (SQL injection vulnerability in CategoryManager/upload_image_category.a ...)
	NOT-FOR-US: DMXReady Secure Document
CVE-2009-0425 (SQL injection vulnerability in index.php in Blue Eye CMS 1.0.0 and ear ...)
	NOT-FOR-US: Blue Eye CMS
CVE-2009-0424 (Cross-site scripting (XSS) vulnerability in sign1.php in AN Guestbook ...)
	NOT-FOR-US: AN Guestbook
CVE-2009-0423 (Directory traversal vulnerability in index.php in Php Photo Album (PHP ...)
	NOT-FOR-US: Php Photo Album
CVE-2009-0422 (Dynamic variable evaluation vulnerability in lists/admin.php in phpLis ...)
	- phplist (bug #612288)
CVE-2009-0421 (SQL injection vulnerability in the Eventing (com_eventing) 1.6.x compo ...)
	NOT-FOR-US: Joomla!
CVE-2009-0420 (SQL injection vulnerability in the RD-Autos (com_rdautos) 1.5.5 Stable ...)
	NOT-FOR-US: Joomla!
CVE-2009-0419 (Microsoft XML Core Services, as used in Microsoft Expression Web, Offi ...)
	NOT-FOR-US: Microsoft
CVE-2009-0418 (The IPv6 Neighbor Discovery Protocol (NDP) implementation in HP HP-UX ...)
	NOT-FOR-US: HP HP-UX
CVE-2009-0417 (Cross-site scripting (XSS) vulnerability in the AgaviWebRouting::gen(n ...)
	NOT-FOR-US: Agavi
CVE-2009-0416 (The SSL certificate setup program (genSslCert.sh) in Standards Based L ...)
	NOT-FOR-US: sblim-sfcb
CVE-2009-0415 (Untrusted search path vulnerability in trickle 1.07 allows local users ...)
	- trickle 1.07-6 (bug #513456; low)
	[etch] - trickle (Minor issue)
CVE-2009-0413 (Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcu ...)
	- roundcube 0.2~stable-1 (low; bug #514179)
	[lenny] - roundcube (Vulnerable code not present)
CVE-2009-0412 (The ProcessLogin function in class.auth.php in Interspire Shopping Car ...)
	NOT-FOR-US: Interspire Shopping Cart
CVE-2009-0411 (Google Chrome before 1.0.154.46 does not properly restrict access from ...)
	- chromium-browser (Only 1.x is affected)
	- webkit (chrome-specific issue)
CVE-2009-0410 (Off-by-one error in the SMTP daemon in GroupWise Internet Agent (GWIA) ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-0409 (SQL injection vulnerability in offline_auth.php in Max.Blog 1.0.6 and ...)
	NOT-FOR-US: Max.Blog
CVE-2009-0408 (Cross-site request forgery (CSRF) vulnerability in osCommerce 2.2 RC 2 ...)
	NOT-FOR-US: osCommerce
CVE-2009-0407 (SQL injection vulnerability in admin/login.php in PHP-CMS Project 1 al ...)
	NOT-FOR-US: PHP-CMS
CVE-2009-0406 (SQL injection vulnerability in index.php in Community CMS 0.4 and earl ...)
	NOT-FOR-US: Community CMS
CVE-2009-0405 (SQL injection vulnerability in articles.php in smartSite CMS 1.0 allow ...)
	NOT-FOR-US: smartSite CMS
CVE-2009-0404 (Multiple cross-site scripting (XSS) vulnerabilities in Bioinformatics ...)
	NOT-FOR-US: Bioinformatics htmLawed
CVE-2009-0403 (SQL injection vulnerability in admin/authenticate.php in Chipmunk Blog ...)
	NOT-FOR-US: Chipmunk Blogger Script
CVE-2009-0402 (SQL injection vulnerability in client/new_account.php in Domain Techno ...)
	NOT-FOR-US: Domain Technologie Control
CVE-2009-0401 (SQL injection vulnerability in browsecats.php in E-Php CMS allows remo ...)
	NOT-FOR-US: E-Php CMS
CVE-2009-0400 (SQL injection vulnerability in blog.php in SocialEngine 3.06 trial all ...)
	NOT-FOR-US: SocialEngine
CVE-2009-0399 (Chipmunk Blogger Script allows remote attackers to gain administrator ...)
	NOT-FOR-US: Chipmunk Blogger Script
CVE-2009-0398 (Array index error in the gst_qtp_trak_handler function in gst/qtdemux/ ...)
	- gst-plugins-good0.10 (Vulnerable code not present)
	- gst-plugins-bad0.10 (Vulnerable code not present)
CVE-2009-0397 (Heap-based buffer overflow in the qtdemux_parse_samples function in gs ...)
	{DSA-1729-1}
	- gst-plugins-good0.10 0.10.8-4.1 (bug #514177)
	[lenny] - gst-plugins-good0.10 0.10.8-4.1~lenny1
	[etch] - gst-plugins-good0.10 (plugin in other package)
	- gst-plugins-bad0.10 0.10.4-1
CVE-2009-0396 (The Sony Ericsson W910i, W660i, K618i, K610i, Z610i, K810i, K660i, W88 ...)
	NOT-FOR-US: Sony Ericsson
CVE-2009-0395 (SQL injection vulnerability in the login feature in NetArt Media Car P ...)
	NOT-FOR-US: NetArt Media Car Portal
CVE-2009-0394 (SQL injection vulnerability in login.php in Pre Lecture Exercises (PLE ...)
	NOT-FOR-US: Pre Lecture Exercises
CVE-2009-0393 (Cross-site scripting (XSS) vulnerability in sysconf.cgi in Motorola Wi ...)
	NOT-FOR-US: Motorola Wimax
CVE-2009-0392 (Directory traversal vulnerability in sysconf.cgi in Motorola Wimax mod ...)
	NOT-FOR-US: Motorola Wimax
CVE-2009-0391 (Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6. ...)
	NOT-FOR-US: IBM WebSphere Application Server
CVE-2009-0390 (Argument injection vulnerability in Enomaly Elastic Computing Platform ...)
	NOT-FOR-US: Enomaly Elastic Computing Platform
CVE-2009-0389 (Multiple insecure method vulnerabilities in the Web On Windows (WOW) A ...)
	NOT-FOR-US: ActiveX
CVE-2009-0388 (Multiple integer signedness errors in (1) UltraVNC 1.0.2 and 1.0.5 and ...)
	- tightvnc (bug in the windows-specific client connection code)
	NOTE: http://bugs.debian.org/528204
CVE-2009-0387 (Array index error in the qtdemux_parse_samples function in gst/qtdemux ...)
	{DSA-1729-1}
	- gst-plugins-good0.10 0.10.8-4.1 (bug #514177)
	[lenny] - gst-plugins-good0.10 0.10.8-4.1~lenny1
	[etch] - gst-plugins-good0.10 (plugin in other package)
	- gst-plugins-bad0.10 0.10.4-1
CVE-2009-0386 (Heap-based buffer overflow in the qtdemux_parse_samples function in gs ...)
	{DSA-1729-1}
	- gst-plugins-good0.10 0.10.8-4.1 (bug #514177)
	[lenny] - gst-plugins-good0.10 0.10.8-4.1~lenny1
	[etch] - gst-plugins-good0.10 (plugin in other package)
	- gst-plugins-bad0.10 0.10.4-1
CVE-2009-0384 (SQL injection vulnerability in autor.php in OwnRS CMS 1.2 allows remot ...)
	NOT-FOR-US: OwnRS CMS
CVE-2009-0383 (delete.php in Max.Blog 1.0.6 does not properly restrict access, which ...)
	NOT-FOR-US: Max.Blog
CVE-2009-0382 (Unspecified vulnerability in Internationalization (i18n) Translation 5 ...)
	- drupal5 (Translation module not packaged)
	- drupal6 (Issue only affects the 5.x branch)
CVE-2009-0381 (SQL injection vulnerability in the BazaarBuilder Ecommerce Shopping Ca ...)
	NOT-FOR-US: BazaarBuilder Ecommerce Shopping Cart
CVE-2009-0380
	NOT-FOR-US: Sigsiu Online Business Index
CVE-2009-0379 (SQL injection vulnerability in the Prince Clan Chess Club (com_pcchess ...)
	NOT-FOR-US: Prince Clan Chess Club
CVE-2009-0378 (Cross-site scripting (XSS) vulnerability in index.php in the beamospet ...)
	NOT-FOR-US: Joomla!
CVE-2009-0377 (SQL injection vulnerability in the beamospetition (com_beamospetition) ...)
	NOT-FOR-US: Joomla!
CVE-2009-0376 (Heap-based buffer overflow in a DLL file in RealNetworks RealPlayer 10 ...)
	NOT-FOR-US: RealPlayer
CVE-2009-0375 (Buffer overflow in a DLL file in RealNetworks RealPlayer 10, RealPlaye ...)
	NOT-FOR-US: RealPlayer
CVE-2009-0374
	- chromium-browser (unimportant)
	- webkit (poc doesn't work)
CVE-2009-0373 (SQL injection vulnerability in the ElearningForce Flash Magazine Delux ...)
	NOT-FOR-US: Joomla!
CVE-2009-0372 (Unrestricted file upload vulnerability in index.php in Miltenovik Mano ...)
	NOT-FOR-US: Miltenovik Manojlo MemHT Portal
CVE-2009-0371 (Directory traversal vulnerability in post.php in SiteXS CMS 0.1.1 and ...)
	NOT-FOR-US: SiteXS CMS
CVE-2009-0370 (Multiple unspecified vulnerabilities in IBM AIX 5.2.0 through 6.1.2 al ...)
	NOT-FOR-US: IBM AIX
CVE-2009-0369 (Microsoft Internet Explorer 7 allows remote attackers to trick a user ...)
	NOT-FOR-US: Microsoft Internet Explorer
CVE-2009-0487 (Cross-site scripting (XSS) vulnerability in Mahara before 1.0.9 allows ...)
	- mahara 1.0.9-1 (low)
	[lenny] - mahara 1.0.4-4
CVE-2009-0478 (Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allo ...)
	{DSA-1732-1}
	- squid 2.7.STABLE3-4.1 (medium; bug #514142)
	- squid3 3.0.STABLE8-3 (medium)
	[etch] - squid (Vulnerable code not present)
CVE-2009-XXXX [glpi sql injection]
	- glpi 0.71.5-1 (bug #513611; unimportant)
	NOTE: Only supported behind an authenticated HTTP zone
CVE-2009-0490 (Stack-based buffer overflow in the String_parse::get_nonspace_quoted f ...)
	{DTSA-192-1}
	- audacity 1.3.6-1 (bug #514138)
	[lenny] - audacity 1.3.5-2+lenny1
CVE-2009-0368 (OpenSC before 0.11.7 allows physically proximate attackers to bypass i ...)
	{DSA-1734-1}
	- opensc 0.11.7-1
	[etch] - opensc (vulnerable code not present)
CVE-2009-0367 (The Python AI module in Wesnoth 1.4.x and 1.5 before 1.5.11 allows rem ...)
	{DSA-1737-1}
	- wesnoth 1:1.4.7-4
CVE-2009-0366 (The uncompress_buffer function in src/server/simple_wml.cpp in Wesnoth ...)
	{DSA-1737-1}
	- wesnoth 1:1.4.7-4
CVE-2009-0365 (nm-applet.conf in GNOME NetworkManager before 0.7.0.99 contains an inc ...)
	{DSA-1955-1}
	- network-manager-applet 0.7.0.99-1 (medium; bug #519801)
	- network-manager 0.6.5-1 (medium)
	NOTE: network-manager in lenny not affected, because it is in network-manager-applet
CVE-2009-0364 (Format string vulnerability in the mini_calendar component in Citadel. ...)
	{DSA-1752-1}
	- webcit 7.38b-dfsg-2 (low)
CVE-2009-0363 (Multiple buffer overflows in (a) BarnOwl before 1.0.5 and (b) owl 2.1. ...)
	{DTSA-197-1}
	- barnowl 1.0.5-1
	[lenny] - barnowl 1.0.1-4
	- owl 2.2.2-1 (bug #515118)
	[lenny] - owl (Minor issue)
	[etch] - owl (Minor issue)
CVE-2009-0362 (filter.d/wuftpd.conf in Fail2ban 0.8.3 uses an incorrect regular expre ...)
	- fail2ban 0.8.3-2sid1 (low; bug #514163)
CVE-2009-0361 (Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in So ...)
	{DSA-1722-1 DSA-1721-1}
	- libpam-heimdal 3.10-2.1 (bug #516695)
	- libpam-krb5 3.13-2
	[lenny] - libpam-krb5 3.11-4
CVE-2009-0360 (Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, d ...)
	{DSA-1721-1}
	- libpam-krb5 3.13-2
	[lenny] - libpam-krb5 3.11-4
CVE-2009-0359 (Multiple cross-site scripting (XSS) vulnerabilities in Samizdat before ...)
	{DTSA-194-1}
	- samizdat 0.6.2-2
CVE-2009-0358 (Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) n ...)
	- iceweasel 3.0
	[etch] - iceweasel (Only affects Firefox 3.x)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.5-1
	[etch] - xulrunner (Only affects Xulrunner 1.9)
CVE-2009-0357 (Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not proper ...)
	- iceweasel 3.0
	[etch] - iceweasel (Etch Packages no longer covered by security support)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.5-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- iceape 1.1.14-1.1
	[etch] - iceape (Etch Packages no longer covered by security support)
	NOTE: Iceape in Lenny only provides XPCOM libs
	- kompozer 1:0.8~alpha2+dfsg+svn129-1
CVE-2009-0356 (Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the ( ...)
	- iceweasel 3.0
	[etch] - iceweasel (Etch Packages no longer covered by security support)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.5-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- iceape 1.1.14-1.1
	[etch] - iceape (Etch Packages no longer covered by security support)
	NOTE: Iceape in Lenny only provides XPCOM libs
	- kompozer (.desktop file support is not available)
CVE-2009-0355 (components/sessionstore/src/nsSessionStore.js in Mozilla Firefox befor ...)
	- iceweasel 3.0.6-1
	[etch] - iceweasel (Etch Packages no longer covered by security support)
CVE-2009-0354 (Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x ...)
	- iceweasel 3.0
	[etch] - iceweasel (Only affects Firefox 3.x)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.5-1
	[etch] - xulrunner (Only affects Xulrunner 1.9)
CVE-2009-0353 (Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunder ...)
	{DSA-1830-1}
	- iceweasel 3.0
	[etch] - iceweasel (Etch Packages no longer covered by security support)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.5-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- iceape 1.1.14-1.1
	[etch] - iceape (Etch Packages no longer covered by security support)
	NOTE: Iceape in Lenny only provides XPCOM libs
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
CVE-2009-0352 (Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0 ...)
	{DSA-1830-1}
	- iceweasel 3.0
	[etch] - iceweasel (Etch Packages no longer covered by security support)
	NOTE: Iceweasel in Lenny links against Xulrunner
	- xulrunner 1.9.0.5-1
	[etch] - xulrunner (Etch Packages no longer covered by security support)
	- iceape 1.1.14-1.1
	[etch] - iceape (Etch Packages no longer covered by security support)
	NOTE: Iceape in Lenny only provides XPCOM libs
	- icedove 2.0.0.22-1 (bug #535124)
	[squeeze] - icedove 2.0.0.22-0lenny1
	- kompozer 1:0.8~alpha2+dfsg+svn129-1
CVE-2009-0343 (Niels Provos Systrace 1.6f and earlier on the x86_64 Linux platform al ...)
	- systrace
CVE-2009-0342 (Niels Provos Systrace before 1.6f on the x86_64 Linux platform allows ...)
	- systrace
CVE-2009-0351 (Stack-based buffer overflow in WFTPSRV.exe in WinFTP 2.3.0 allows remo ...)
	NOT-FOR-US: WinFTP
CVE-2009-0350 (Stack-based buffer overflow in Merak Media Player 3.2 allows remote at ...)
	NOT-FOR-US: Merak Media Player
CVE-2009-0349 (Stack-based buffer overflow in FTPShell Server 4.3 allows user-assiste ...)
	NOT-FOR-US: FTPShell Server
CVE-2009-0348 (The login module in Sun Java System Access Manager 6 2005Q1 (aka 6.3), ...)
	NOT-FOR-US: Sun Java System Access Manager
CVE-2009-0347 (Open redirect vulnerability in cs.html in the Autonomy (formerly Verit ...)
	NOT-FOR-US: Autonomy (formerly Verity) Ultraseek search engine
CVE-2009-0346 (The IP-in-IP packet processing implementation in the IPsec and IP stac ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-0345 (Unspecified vulnerability in the Embedded Lights Out Manager (ELOM) on ...)
	NOT-FOR-US: Embedded Lights Out Manager (ELOM)
CVE-2009-0344 (Unspecified vulnerability in the Embedded Lights Out Manager (ELOM) on ...)
	NOT-FOR-US: Embedded Lights Out Manager (ELOM)
CVE-2009-0341 (The shell32 module in Microsoft Internet Explorer 7.0 on Windows XP SP ...)
	NOT-FOR-US: Microsoft
CVE-2009-0340 (Multiple directory traversal vulnerabilities in Simple PHP Newsletter ...)
	NOT-FOR-US: Simple PHP Newsletter
CVE-2009-0339 (SQL injection vulnerability in inc_webblogmanager.asp in DMXReady Blog ...)
	NOT-FOR-US: DMXReady Blog Manager
CVE-2009-0338 (Cross-site scripting (XSS) vulnerability in inc_webblogmanager.asp in ...)
	NOT-FOR-US: DMXReady Blog Manager
CVE-2009-0337 (SQL injection vulnerability in index.asp in Katy Whitton BlogIt! allow ...)
	NOT-FOR-US: Katy Whitton BlogIt!
CVE-2009-0336 (Katy Whitton BlogIt! stores sensitive information under the web root w ...)
	NOT-FOR-US: Katy Whitton BlogIt!
CVE-2009-0335 (Cross-site scripting (XSS) vulnerability in index.asp in Katy Whitton ...)
	NOT-FOR-US: Katy Whitton BlogIt!
CVE-2009-0334 (SQL injection vulnerability in index.asp in Katy Whitton BlogIt! allow ...)
	NOT-FOR-US: Katy Whitton BlogIt!
CVE-2009-0333 (SQL injection vulnerability in the WebAmoeba (WA) Ticket System (com_w ...)
	NOT-FOR-US: Joomla!
CVE-2009-0332 (Multiple SQL injection vulnerabilities in AV Book Library before 1.1 a ...)
	NOT-FOR-US: AV Book Library
CVE-2009-0331 (Directory traversal vulnerability in gallery/comment.php in Enhanced S ...)
	NOT-FOR-US: Enhanced Simple PHP Gallery (ESPG)
CVE-2009-0330 (Directory traversal vulnerability in index.php in Simple Content Manag ...)
	NOT-FOR-US: Simple Content Management System (SCMS)
CVE-2009-0329 (SQL injection vulnerability in the PcCookBook (com_pccookbook) compone ...)
	NOT-FOR-US: Joomla!
CVE-2009-0328 (ROBS-PROJECTS Digital Sales IPN (aka DS-IPN.NET or DS-IPN Paypal Shop) ...)
	NOT-FOR-US: ROBS-PROJECTS Digital Sales IPN
CVE-2009-0327 (SQL injection vulnerability in readbible.php in Free Bible Search PHP ...)
	NOT-FOR-US: Free Bible Search PHP Script
CVE-2009-0326 (SQL injection vulnerability in login.php in Dark Age CMS 0.2c beta all ...)
	NOT-FOR-US: Dark Age CMS
CVE-2009-0325 (Directory traversal vulnerability in entries/index.php in Ninja Blog 4 ...)
	NOT-FOR-US: Ninja Blog
CVE-2009-0324 (Multiple SQL injection vulnerabilities in BibCiter 1.4 allow remote at ...)
	NOT-FOR-US: BibCiter
CVE-2009-0322 (drivers/firmware/dell_rbu.c in the Linux kernel before 2.6.27.13, and ...)
	{DSA-1794-1 DSA-1787-1 DSA-1749-1}
	- linux-2.6 2.6.29-1 (low)
	- linux-2.6.24
CVE-2009-0321 (Apple Safari 3.2.1 (aka AppVer 3.525.27.1) on Windows allows remote at ...)
	NOT-FOR-US: Apple Safari on Windows
CVE-2009-0320 (Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O acti ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-0319 (Unspecified vulnerability in the autofs module in the kernel in Sun So ...)
	NOT-FOR-US: Solaris
CVE-2009-0385 (Integer signedness error in the fourxm_read_header function in libavfo ...)
	{DSA-1782-1 DSA-1781-1}
	- ffmpeg-debian 0.svn20080206-16 (medium; bug #524799)
	- ffmpeg 0.svn20080206-16
	- xmovie
	- mplayer 1.0~rc2-14 (medium; bug #524805)
	NOTE: MPlayer links against libavformat since 1.0~rc2-14, etch Mplayer still needs a fix
	NOTE: http://git.ffmpeg.org/?p=ffmpeg;a=commitdiff;h=72e715fb798f2cb79fd24a6d2eaeafb7c6eeda17
CVE-2009-0318 (Untrusted search path vulnerability in the GObject Python interpreter ...)
	{DTSA-190-1}
	- gnumeric 1.8.4-3 (low; bug #513418)
	[etch] - gnumeric 1.6.3-5.1+etch2
CVE-2009-0317 (Untrusted search path vulnerability in the Python language bindings fo ...)
	- nautilus-python 0.4.3-3.2 (low; bug #513419)
CVE-2009-0316 (Untrusted search path vulnerability in src/if_python.c in the Python i ...)
	- vim 2:7.2.025-2 (low; bug #493937)
	[lenny] - vim 1:7.1.314-3+lenny2
	[squeeze] - vim 1:7.1.314-3+lenny2
	[etch] - vim (Minor issue)
	NOTE: Not included in this round, could be fixed via next DSA with other issues
CVE-2009-0315 (Untrusted search path vulnerability in the Python module in xchat allo ...)
	- xchat 2.8.6-2.1 (low; bug #513509)
	[etch] - xchat (Minor issue)
CVE-2009-0314 (Untrusted search path vulnerability in the Python module in gedit allo ...)
	{DTSA-191-1}
	- gedit 2.22.3-2 (low; bug #513513)
	[etch] - gedit (Minor issue)
CVE-2009-0313 (winetricks before 20081223 allows local users to overwrite arbitrary f ...)
	NOT-FOR-US: winetricks
CVE-2009-0311 (The Backbone service (ftbackbone.exe) in EMC AutoStart before 5.3 SP2 ...)
	NOT-FOR-US: EMC AutoStart
CVE-2009-0310 (Buffer overflow in SUSE blinux (aka sbl) in SUSE openSUSE 10.3 through ...)
	NOT-FOR-US: SuSE blinux
CVE-2009-0309
	RESERVED
CVE-2009-0308
	RESERVED
CVE-2009-0307 (Cross-site scripting (XSS) vulnerability in the "Customize Statistics ...)
	NOT-FOR-US: Motion (RIM) BlackBerry Enterprise Server
CVE-2009-0306 (Buffer overflow in the IBM Lotus Notes Intellisync ActiveX control in ...)
	NOT-FOR-US: IBM Lotus Notes Intellisync ActiveX
CVE-2009-0305 (Multiple stack-based buffer overflows in the Research in Motion RIM Ax ...)
	NOT-FOR-US: ActiveX
CVE-2009-0304 (The kernel in Sun Solaris 10 and 11 snv_101b, and OpenSolaris before s ...)
	NOT-FOR-US: Solaris
CVE-2009-0303 (Cross-site scripting (XSS) vulnerability in Web Help Desk before 9.1.1 ...)
	NOT-FOR-US: Web Help Desk
CVE-2009-0302 (SQL injection vulnerability in the Downloads module for PHP-Nuke 8.0 8 ...)
	NOT-FOR-US: PHP-Nuke
CVE-2009-0301 (Multiple insecure method vulnerabilities in the FlexCell.Grid ActiveX ...)
	NOT-FOR-US: FlexCell Grid Control
CVE-2009-0300
	REJECTED
CVE-2009-0299 (SQL injection vulnerability in index.php in Groone GLinks 2.1 allows r ...)
	NOT-FOR-US: Groone GLinks
CVE-2009-0298 (Heap-based buffer overflow in MW6 Technologies Barcode ActiveX control ...)
	NOT-FOR-US: MW6 Technologies Barcode
CVE-2009-0297 (SQL injection vulnerability in login_check.asp in ClickAuction allows ...)
	NOT-FOR-US: ClickAuction
CVE-2009-0296 (SQL injection vulnerability in shop_display_products.php in Script Tok ...)
	NOT-FOR-US: Script Toko Online
CVE-2009-0295 (SQL injection vulnerability in index.php in Information Technology Lig ...)
	NOT-FOR-US: ITLPoll
CVE-2009-0294 (Multiple PHP remote file inclusion vulnerabilities in WB News 2.0.1, w ...)
	NOT-FOR-US: WB News
CVE-2009-0293 (SQL injection vulnerability in profile_view.php in Wazzum Dating Softw ...)
	NOT-FOR-US: Wazzum Dating Software
CVE-2009-0292 (SQL injection vulnerability in show_cat2.php in SHOP-INET 4 allows rem ...)
	NOT-FOR-US: SHOP-INET
CVE-2009-0291 (Directory traversal vulnerability in fc.php in OpenX 2.6.3 allows remo ...)
	- openx (bug #513771)
CVE-2009-0290 (Directory traversal vulnerability in common.php in SIR GNUBoard 4.31.0 ...)
	NOT-FOR-US: GNU Board
CVE-2009-0289 (k23productions TFTPUtil GUI 1.2.0 and 1.3.0 allows remote attackers to ...)
	NOT-FOR-US: k23productions TFTPUtil GUI
CVE-2009-0288 (Directory traversal vulnerability in k23productions TFTPUtil GUI 1.2.0 ...)
	NOT-FOR-US: k23productions TFTPUtil GUI
CVE-2009-0287 (SQL injection vulnerability in lib/patUser.php in KEEP Toolkit before ...)
	NOT-FOR-US: KEEP Toolkit
CVE-2009-0286 (Directory traversal vulnerability in upgrade/index.php in OpenGoo 1.1, ...)
	NOT-FOR-US: OpenGoo
CVE-2009-0285 (Cross-site scripting (XSS) vulnerability in error.asp in BBSXP 5.13 an ...)
	NOT-FOR-US: BBSXP
CVE-2009-0284 (SQL injection vulnerability in category.php in Flax Article Manager 1. ...)
	NOT-FOR-US: Flax Article Manager
CVE-2009-0283 (Cross-site scripting (XSS) vulnerability in err.asp in Oblog allows re ...)
	NOT-FOR-US: Oblog
CVE-2009-0281 (SQL injection vulnerability in login.aspx in WarHound Walking Club all ...)
	NOT-FOR-US: WarHound Walking Club
CVE-2009-0280 (Asp Project Management 1.0 allows remote attackers to bypass authentic ...)
	NOT-FOR-US: Asp Project Management
CVE-2009-0279 (SQL injection vulnerability in comentar.php in Pardal CMS 0.2.0 and ea ...)
	NOT-FOR-US: Pardal CMS
CVE-2009-0323 (Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 an ...)
	- amaya (medium; bug #507587)
	NOTE: http://www.coresecurity.com/content/amaya-buffer-overflows
CVE-2009-0282 (Integer overflow in Ralink Technology USB wireless adapter (RT73) 3.08 ...)
	{DSA-1714-1 DSA-1713-1 DSA-1712-1}
	- rt2400 1.2.2+cvs20080623-3 (bug #512999)
	- rt2500 1:1.1.0-b4+cvs20080623-3 (bug #513000)
	- rt2570 1.1.0+cvs20080623-2 (bug #513001)
	- rt73 1:1.0.3.6-cvs20080623-dfsg1-3 (bug #512995)
CVE-2009-0312 (Cross-site scripting (XSS) vulnerability in the antispam feature (secu ...)
	{DSA-1715-1 DTSA-187-1}
	- moin 1.8.1-1.1 (low)
	NOTE: http://hg.moinmo.in/moin/1.7/rev/89b91bf87dad
CVE-2009-0276 (Cross-domain vulnerability in the V8 JavaScript engine in Google Chrom ...)
	- chromium-browser (only 1.x is affected)
	- libv8 1.3.11+dfsg-1
	- webkit (libv8 issue)
CVE-2009-0274 (Unspecified vulnerability in WebAccess in Novell GroupWise 6.5, 7.0, 7 ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-0273 (Multiple cross-site scripting (XSS) vulnerabilities in Novell GroupWis ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-0272 (Cross-site request forgery (CSRF) vulnerability in Novell GroupWise We ...)
	NOT-FOR-US: Novell GroupWise
CVE-2009-0269 (fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel befo ...)
	{DSA-1787-1 DSA-1749-1}
	- linux-2.6 2.6.29-1
	[etch] - linux-2.6 (ecryptfs was merged in 2.6.19)
	- linux-2.6.24
CVE-2009-0265 (Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not prop ...)
	- bind9 (vulnerable code not present, introduced in 9.6.x)
CVE-2009-0278 (Sun Java System Application Server (AS) 8.1 and 8.2 allows remote atta ...)
	NOT-FOR-US: Sun Java System Application Server (AS)
CVE-2009-0277 (Unspecified vulnerability in the kernel in OpenSolaris snv_100 through ...)
	NOT-FOR-US: OpenSolaris
CVE-2009-0275 (Static code injection vulnerability in admin.php in Ryneezy phoSheezy ...)
	NOT-FOR-US: Ryneezy phoSheezy
CVE-2009-0271 (Directory traversal vulnerability in the TFTP service in Fujitsu Syste ...)
	NOT-FOR-US: Fujitsu SystemcastWizard Lite
CVE-2009-0270 (Stack-based buffer overflow in PXEService.exe in Fujitsu SystemcastWiz ...)
	NOT-FOR-US: Fujitsu SystemcastWizard Lite
CVE-2009-0268 (Race condition in the pseudo-terminal (aka pty) driver module in Sun S ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-0267 (libike in Sun Solaris 9 and 10, and OpenSolaris before snv_100, does n ...)
	NOT-FOR-US: Sun Solaris
CVE-2009-0266 (Stack-based buffer overflow in Triologic Media Player 8.0.0.0 allows u ...)
	NOT-FOR-US: Triologic Media Player
CVE-2009-0264 (Buffer overflow in the Registry Setting Tool in Fujitsu SystemcastWiza ...)
	NOT-FOR-US: Fujitsu SystemcastWizard Lite
CVE-2009-0263 (Multiple buffer overflows in Winamp 5.541 and earlier allow remote att ...)
	NOT-FOR-US: Winamp
CVE-2009-0262 (Stack-based buffer overflow in Triologic Media Player 7 and 8.0.0.0 al ...)
	NOT-FOR-US: Triologic Media Player
CVE-2009-0261 (Stack-based buffer overflow in EffectMatrix Total Video Player 1.31 al ...)
	NOT-FOR-US: EffectMatrix Total Video Player
CVE-2009-0260 (Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFi ...)
	{DSA-1715-1 DTSA-187-1}
	- moin 1.8.1-1.1 (bug #513158; low)
CVE-2009-0259 (The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows remote ...)
	- openoffice.org 2.0.4.dfsg.2-7
	NOTE: Checked with maintainer and issue was fixed long ago, marking etch version as fixed for now
CVE-2009-0254 (Stack-based buffer overflow in easyHDR PRO 1.60.2 allows user-assisted ...)
	NOT-FOR-US: easyHDR PRO
CVE-2009-0253 (Mozilla Firefox 3.0.5 allows remote attackers to trick a user into vis ...)
	NOTE: Mozilla #474967, upstream disputes this being a bug
CVE-2009-0252 (Multiple SQL injection vulnerabilities in default.asp in Enthrallweb e ...)
	NOT-FOR-US: Enthrallweb eReservations
CVE-2009-0251 (Static code injection vulnerability in admin.php in Ryneezy phoSheezy ...)
	NOT-FOR-US: Ryneezy phoSheezy
CVE-2009-0250 (Ryneezy phoSheezy 0.2 stores sensitive information under the web root ...)
	NOT-FOR-US: Ryneezy phoSheezy
CVE-2009-0249 (Katy Whitton RankEm stores sensitive information under the web root wi ...)
	NOT-FOR-US: Katy Whitton RankEm
CVE-2009-0248 (Cross-site scripting (XSS) vulnerability in rankup.asp in Katy Whitton ...)
	NOT-FOR-US: Katy Whitton RankEm
CVE-2009-0247 (The server for 53KF Web IM 2009 Home, Professional, and Enterprise edi ...)
	NOT-FOR-US: 53KF Web IM
CVE-2009-0246 (Stack-based buffer overflow in easyHDR PRO 1.60.2 allows user-assisted ...)
	NOT-FOR-US: easyHDR PRO
CVE-2009-0414 (Unspecified vulnerability in Tor before 0.2.0.33 has unspecified impac ...)
	- tor 0.2.0.33-1
CVE-2009-0245 (Cross-site scripting (XSS) vulnerability in Usagi Project MyNETS 1.2.0 ...)
	NOT-FOR-US: Usagi Project MyNETS
CVE-2009-0244 (Directory traversal vulnerability in the OBEX FTP Service in the Micro ...)
	NOT-FOR-US: Microsoft product
CVE-2009-0243 (Microsoft Windows does not properly enforce the Autorun and NoDriveTyp ...)
	NOT-FOR-US: Microsoft product
CVE-2009-0255 (The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 ...)
	{DSA-1711-1}
	- typo3-src 4.2.4-1
CVE-2009-0256 (Session fixation vulnerability in the authentication library in TYPO3 ...)
	{DSA-1711-1}
	- typo3-src 4.2.4-1
CVE-2009-0257 (Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.0.0 thr ...)
	{DSA-1711-1}
	- typo3-src 4.2.4-1
CVE-2009-0258 (The Indexed Search Engine (indexed_search) system extension in TYPO3 4 ...)
	{DSA-1711-1}
	- typo3-src 4.2.4-1
CVE-2009-0242
	REJECTED
CVE-2009-0241 (Stack-based buffer overflow in the process_path function in gmetad/ser ...)
	{DSA-1710-1}
	- ganglia-monitor-core 2.5.7-5 (medium; bug #512637)
CVE-2009-0240 (listing.php in WebSVN 2.0 and possibly 1.7 beta, when using an SVN aut ...)
	{DSA-1725-1}
	- websvn 2.0-4+lenny1 (bug #512191)
	[etch] - websvn (authentication doesn't exist in that version)
CVE-2009-0239 (Cross-site scripting (XSS) vulnerability in Windows Search 4.0 for Mic ...)
	NOT-FOR-US: Microsoft
CVE-2009-0238 (Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Exc ...)
	NOT-FOR-US: Microsoft
CVE-2009-0237 (Cross-site scripting (XSS) vulnerability in cookieauth.dll in the HTML ...)
	NOT-FOR-US: Microsoft Forefront Threat Management Gateway
CVE-2009-0236
	REJECTED
CVE-2009-0235 (Stack-based buffer overflow in the Word 97 text converter in WordPad i ...)
	NOT-FOR-US: Microsoft WordPad
CVE-2009-0234 (The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-0233 (The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-0232 (Integer overflow in the Embedded OpenType (EOT) Font Engine in Microso ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-0231 (The Embedded OpenType (EOT) Font Engine (T2EMBED.DLL) in Microsoft Win ...)
	NOT-FOR-US: Microsoft Windows
CVE-2009-0230 (The Windows Print Spooler in Microsoft Windows 2000 SP4, XP SP2 and SP ...)
	NOT-FOR-US: Microsoft
CVE-2009-0229 (The Windows Printing Service in Microsoft Windows 2000 SP4, XP SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2009-0228 (Stack-based buffer overflow in the EnumeratePrintShares function in Wi ...)
	NOT-FOR-US: Microsoft
CVE-2009-0227 (Stack-based buffer overflow in the PowerPoint 4.2 conversion filter (P ...)
	NOT-FOR-US: Microsoft
CVE-2009-0226 (Stack-based buffer overflow in the PowerPoint 4.2 conversion filter in ...)
	NOT-FOR-US: Microsoft
CVE-2009-0225 (Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execut ...)
	NOT-FOR-US: Microsoft
CVE-2009-0224 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1 ...)
	NOT-FOR-US: Microsoft
CVE-2009-0223 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows re ...)
	NOT-FOR-US: Microsoft
CVE-2009-0222 (Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows re ...)
	NOT-FOR-US: Microsoft
CVE-2009-0221 (Integer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 ...)
	NOT-FOR-US: Microsoft
CVE-2009-0220 (Multiple stack-based buffer overflows in the PowerPoint 4.0 importer ( ...)
	NOT-FOR-US: Microsoft
CVE-2009-0219 (The PDF distiller in the Attachment Service in Research in Motion (RIM ...)
	NOT-FOR-US: BlackBerry
CVE-2009-0218 (Insecure method vulnerability in Particle Software IntraLaunch Applica ...)
	NOT-FOR-US: IntraLaunch Application Launcher ActiveX control
CVE-2009-0217 (The design of the W3C XML Signature Syntax and Processing (XMLDsig) re ...)
	{DSA-1995-1 DSA-1849-1 DTSA-205-1}
	- xml-security-c 1.4.0-4
	- xmlsec1 1.2.12-1
	[lenny] - xmlsec1 (Minor issue)
	- mono 2.4.2.3+dfsg-1
	NOTE: http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
	NOTE: http://web.archive.org/web/20090124230233/http://anonsvn.mono-project.com:80/viewvc?view=rev
	NOTE: http://www.aleksey.com/xmlsec/download.html (1.2.12 has fix)
	- sun-java6 6-15-1
	[lenny] - sun-java6 6-20-0lenny1
	- openjdk-6 6b16-1.6-1 (medium; bug #542210)
	- openoffice.org 1:3.1.1-16
CVE-2009-0216 (GE Fanuc iFIX 5.0 and earlier relies on client-side authentication inv ...)
	NOT-FOR-US: GE Fanuc iFIX
CVE-2009-0215 (Stack-based buffer overflow in the GetXMLValue method in the IBM Acces ...)
	NOT-FOR-US: IBM Access Support ActiveX
CVE-2009-0214 (Unspecified vulnerability in the WebFGServer application in AREVA e-te ...)
	NOT-FOR-US: WebFGServer
CVE-2009-0213 (Unspecified vulnerability in the NETIO application in AREVA e-terrahab ...)
	NOT-FOR-US: AREVA e-terrahabitat
CVE-2009-0212 (Unspecified vulnerability in the WebFGServer application in AREVA e-te ...)
	NOT-FOR-US: AREVA e-terrahabitat
CVE-2009-0211 (Unspecified vulnerability in the WebFGServer application in AREVA e-te ...)
	NOT-FOR-US: AREVA e-terrahabitat
CVE-2009-0210 (Buffer overflow in the MLF application in AREVA e-terrahabitat 5.7 and ...)
	NOT-FOR-US: AREVA e-terrahabitat
CVE-2009-0209 (PI Server in OSIsoft PI System before 3.4.380.x does not properly use ...)
	NOT-FOR-US: OSIsoft PI System
CVE-2009-0208 (Unspecified vulnerability in HP Virtual Rooms Client before 7.0.1, whe ...)
	NOT-FOR-US: HP Virtual Rooms Client
CVE-2009-0207 (Unspecified vulnerability in HP-UX B.11.11 running VERITAS Oracle Disk ...)
	NOT-FOR-US: VERITAS Oracle Disk Manager
CVE-2009-0206 (Unspecified vulnerability in NFS in HP ONCplus B.11.31.05 and earlier ...)
	NOT-FOR-US: HP ONCplus
CVE-2009-0205
	RESERVED
CVE-2009-0204 (Cross-site scripting (XSS) vulnerability in HP Select Access 6.1 and 6 ...)
	NOT-FOR-US: HP Select Access
CVE-2009-0203
	RESERVED
CVE-2009-0202 (Array index error in FL21WIN.DLL in the PowerPoint Freelance Windows 2 ...)
	NOT-FOR-US: Microsoft
CVE-2009-0201 (Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 and St ...)
	{DSA-1880-1}
	- openoffice.org 1:3.1.1~ooo310m15-1
CVE-2009-0200 (Integer underflow in OpenOffice.org (OOo) before 3.1.1 and StarOffice/ ...)
	{DSA-1880-1}
	- openoffice.org 1:3.1.1~ooo310m15-1
CVE-2009-0199 (Heap-based buffer overflow in the VMnc media codec in vmnc.dll in VMwa ...)
	NOT-FOR-US: VMware Movie Decoder
CVE-2009-0198 (Heap-based buffer overflow in the JBIG2 filter in Adobe Reader 7 and A ...)
	NOT-FOR-US: Adobe Reader
CVE-2009-0197 (Integer overflow in the FORMATS Plugin before 4.23 for IrfanView allow ...)
	NOT-FOR-US: IrfanView
CVE-2009-0196 (Heap-based buffer overflow in the big2_decode_symbol_dict function (jb ...)
	{DSA-2080-1 DTSA-198-1}
	- ghostscript 8.64~dfsg-1.1 (medium; bug #524803)
	- gs-gpl (medium; bug #561717)
	- jbig2dec (already fixed in initial upload)
CVE-2009-0195 (Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9, an ...)
	{DSA-1790-1}
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
CVE-2009-0194 (The domain-locking implementation in the GARMINAXCONTROL.GarminAxContr ...)
	NOT-FOR-US: Garmin Communicator Plug-In
CVE-2009-0193 (Heap-based buffer overflow in Adobe Acrobat Reader 9 before 9.1, 8 bef ...)
	NOT-FOR-US: Adobe Acrobat Reader
CVE-2009-0192 (Off-by-one error in the iMonitor component in Novell eDirectory 8.8 SP ...)
	NOT-FOR-US: Novell eDirectory
CVE-2009-0191 (Foxit Reader 2.3 before Build 3902 and 3.0 before Build 1506, includin ...)
	NOT-FOR-US: Foxit Reader
CVE-2009-0190
	REJECTED
CVE-2009-0189
	REJECTED
CVE-2009-0188 (Apple QuickTime before 7.6.2 allows remote attackers to execute arbitr ...)
	NOT-FOR-US: Apple QuickTime
CVE-2009-0187 (Stack-based buffer overflow in Orbit Downloader 2.8.2 and 2.8.3, and p ...)
	NOT-FOR-US: Orbit Downloader
CVE-2009-0186 (Integer overflow in libsndfile 1.0.18, as used in Winamp and other pro ...)
	{DSA-1742-1 DTSA-202-1}
	- libsndfile 1.0.19-1 (medium)
CVE-2009-0185 (Heap-based buffer overflow in Apple QuickTime before 7.6.2 allows remo ...)
	NOT-FOR-US: Apple QuickTime
CVE-2009-0184 (Multiple buffer overflows in the torrent parsing implementation in Fre ...)
	NOT-FOR-US: Free Download Manager
CVE-2009-0183 (Stack-based buffer overflow in Remote Control Server in Free Download ...)
	NOT-FOR-US: Free Download Manager
CVE-2009-0182 (Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted atta ...)
	NOT-FOR-US: VUPlayer
CVE-2009-0181 (Buffer overflow in VUPlayer allows user-assisted attackers to have an ...)
	NOT-FOR-US: VUPlayer
CVE-2009-0180 (Certain Fedora build scripts for nfs-utils before 1.1.2-9.fc9 on Fedor ...)
	NOT-FOR-US: Fedora specific issue
CVE-2009-0179 (libmikmod 3.1.11 through 3.2.0, as used by MikMod and possibly other p ...)
	- libmikmod 3.1.11-6.1 (low; bug #476339)
	[etch] - libmikmod (Minor issue)
	[lenny] - libmikmod (Minor issue)
CVE-2009-0178 (Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 r ...)
	NOT-FOR-US: IBM Hardware Management Console
CVE-2009-0177 (vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd. ...)
	NOT-FOR-US: vmware-authd
CVE-2009-0176 (Multiple heap-based buffer overflows in the PDF distiller in the Attac ...)
	NOT-FOR-US: Attachment Service in Research in Motion
CVE-2009-0175 (Heap-based buffer overflow in Heathco Software MP3 TrackMaker 1.5 allo ...)
	NOT-FOR-US: Heathco Software MP3 TrackMaker
CVE-2009-0174 (Stack-based buffer overflow in VUPlayer 2.49 allows remote attackers t ...)
	NOT-FOR-US: VUPlayer
CVE-2009-0173 (Unspecified vulnerability in the server in IBM DB2 8 before FP17a, 9.1 ...)
	NOT-FOR-US: IBM DB2
CVE-2009-0172 (Unspecified vulnerability in IBM DB2 8 before FP17a, 9.1 before FP6a, ...)
	NOT-FOR-US: IBM DB2 9.1
CVE-2009-0171 (The Sun SPARC Enterprise M4000 and M5000 Server, within a certain rang ...)
	NOT-FOR-US: Sun SPARC Enterprise M4000 and M5000 Server
CVE-2009-0170 (Sun Java System Access Manager 6.3 2005Q1, 7 2005Q4, and 7.1 allows re ...)
	NOT-FOR-US: Sun Java System Access Manager
CVE-2009-0169 (Sun Java System Access Manager 7.1 allows remote authenticated sub-rea ...)
	NOT-FOR-US: Sun Java System Access Manager
CVE-2009-0168 (Unspecified vulnerability in ppdmgr in Sun Solaris 10 and OpenSolaris ...)
	NOT-FOR-US: ppdmgr in Sun Solaris 10 and OpenSolaris
CVE-2009-0167 (Unspecified vulnerability in lpadmin in Sun Solaris 10 and OpenSolaris ...)
	NOT-FOR-US: lpadmin in Sun Solaris 10 and OpenSolaris
CVE-2009-0166 (The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- cups (Uses poppler's pdftops)
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-0165 (Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as ...)
	{DSA-1793-1 DSA-1790-1}
	- xpdf 3.02-1.4+lenny1 (low; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0 (low; bug #528369)
CVE-2009-0164 (The web interface for CUPS before 1.3.10 does not validate the HTTP Ho ...)
	- cups 1.3.10-1 (low)
	[lenny] - cups (Minor issue, needs several prerequisites for attack)
	- cupsys
	[etch] - cupsys (Minor issue, needs several prerequisites for attack)
CVE-2009-0163 (Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and ...)
	{DSA-1773-1}
	- cups 1.3.10-1
	- cupsys
CVE-2009-0162 (Cross-site scripting (XSS) vulnerability in Safari before 3.2.3, and 4 ...)
	NOT-FOR-US: Safari
CVE-2009-0161 (The OpenSSL::OCSP module for Ruby in Apple Mac OS X 10.5 before 10.5.7 ...)
	NOT-FOR-US: Mac OS X
	NOTE: dupe of CVE-2009-0642
CVE-2009-0160 (QuickDraw Manager in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 all ...)
	NOT-FOR-US: QuickDraw Manager
CVE-2009-0159 (Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c ...)
	{DSA-1801-1}
	- ntp 1:4.2.4p6+dfsg-2 (low; bug #525373)
CVE-2009-0158 (Stack-based buffer overflow in telnet in Apple Mac OS X 10.4.11 and 10 ...)
	NOT-FOR-US: telnet in Apple Mac OS X
CVE-2009-0157 (Heap-based buffer overflow in CFNetwork in Apple Mac OS X 10.5 before ...)
	NOT-FOR-US: CFNetwork in Apple
CVE-2009-0156 (Launch Services in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allow ...)
	NOT-FOR-US: Launch Services in Apple Mac OS
CVE-2009-0155 (Integer underflow in CoreGraphics in Apple Mac OS X 10.5 before 10.5.7 ...)
	NOT-FOR-US: CoreGraphics in Apple Mac OS
CVE-2009-0154 (Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac O ...)
	NOT-FOR-US: Apple Type Services
CVE-2009-0153 (International Components for Unicode (ICU) 4.0, 3.6, and other 3.x ver ...)
	{DSA-1889-1}
	- icu 4.0.1-1 (low; bug #534590)
CVE-2009-0152 (iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instan ...)
	NOT-FOR-US: iChat in Apple Mac OS X
CVE-2009-0151 (The screen saver in Dock in Apple Mac OS X 10.5 before 10.5.8 does not ...)
	NOT-FOR-US: screen saver in Dock in Apple Mac OS X
CVE-2009-0150 (Stack-based buffer overflow in Apple Mac OS X 10.5 before 10.5.7 allow ...)
	NOT-FOR-US: Apple Mac OS X
CVE-2009-0149 (Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows local users to ga ...)
	NOT-FOR-US: Apple Mac OS X
CVE-2009-0148 (Multiple buffer overflows in Cscope before 15.7a allow remote attacker ...)
	{DSA-1806-1}
	- cscope 15.7a-1 (low; bug #528510)
CVE-2009-0147 (Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and ea ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (low; bug #524806)
	[lenny] - poppler 0.8.7-2
	- cups (Uses poppler's pdftops)
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-0146 (Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and ear ...)
	{DSA-1793-1 DSA-1790-1}
	- poppler 0.10.6-1 (medium; bug #524806)
	[lenny] - poppler 0.8.7-2
	- cups (Uses poppler's pdftops)
	- xpdf 3.02-1.4+lenny1 (medium; bug #524809)
	[squeeze] - xpdf 3.02-1.4+lenny1
	- kdegraphics 4:4.0 (medium; bug #524810)
	- swftools 0.9.2+ds1-2
CVE-2009-0145 (CoreGraphics in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7, iPhone ...)
	NOT-FOR-US: CoreGraphics in Apple Mac OS X
CVE-2009-0144 (CFNetwork in Apple Mac OS X 10.5 before 10.5.7 does not properly parse ...)
	NOT-FOR-US: CFNetwork in Apple Mac OS X
CVE-2009-0143 (Apple iTunes before 8.1 does not properly inform the user about the or ...)
	NOT-FOR-US: Apple iTunes
CVE-2009-0142 (Race condition in AFP Server in Apple Mac OS X 10.5.6 allows local use ...)
	NOT-FOR-US: Apple Mac OS X
CVE-2009-0141 (XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creat ...)
	NOT-FOR-US: XTerm in Apple Mac OS X
CVE-2009-0140 (Unspecified vulnerability in the SMB component in Apple Mac OS X 10.4. ...)
	NOT-FOR-US: Apple Mac OS X
CVE-2009-0139 (Integer overflow in the SMB component in Apple Mac OS X 10.5.6 allows ...)
	NOT-FOR-US: Apple Mac OS X
CVE-2009-0138 (servermgrd (Server Manager) in Apple Mac OS X 10.5.6 does not properly ...)
	NOT-FOR-US: Apple Mac OS X
CVE-2009-0137 (Multiple unspecified vulnerabilities in Safari RSS in Apple Mac OS X 1 ...)
	NOT-FOR-US: Apple Mac OS X
CVE-2009-0134 (Insecure method vulnerability in the EasyGrid.SGCtrl.32 ActiveX contro ...)
	NOT-FOR-US: EasyGrid.SGCtrl.32 ActiveX control
CVE-2009-0135 (Multiple integer overflows in the Audible::Tag::readTag function in me ...)
{DSA-1706-1} - amarok 1.4.10-2 (medium) CVE-2009-0136 (Multiple array index errors in the Audible::Tag::readTag function in m ...) {DSA-1706-1} - amarok 1.4.10-2 (medium) CVE-2009-0133 (Buffer overflow in Microsoft HTML Help Workshop 4.74 and earlier allow ...) NOT-FOR-US: Microsoft HTML Help Workshop CVE-2009-0132 (Integer overflow in the aio_suspend function in Sun Solaris 8 through ...) NOT-FOR-US: Solaris CVE-2009-0131 (The UFS implementation in the kernel in Sun OpenSolaris snv_29 through ...) NOT-FOR-US: UFS in OpenSolaris CVE-2009-0130 (** DISPUTED ** lib/crypto/c_src/crypto_drv.c in erlang does not proper ...) - erlang (unimportant; bug #511520) NOTE: the return value is passed to the caller (lib/crypto/src/crypto.erl) which NOTE: only return success in case of DSA_do_verify returning 1 and failure otherwise NOTE: this is likely to be rejected CVE-2009-0129 (libcrypt-openssl-dsa-perl does not properly check the return value fro ...) - libcrypt-openssl-dsa-perl 0.13-4 (bug #511519) CVE-2009-0128 (plugins/crypto/openssl/crypto_openssl.c in Simple Linux Utility for Re ...) {DTSA-185-1} - slurm-llnl 1.3.13-1 (bug #511511) CVE-2009-0127 (** DISPUTED ** M2Crypto does not properly check the return value from ...) - m2crypto (bug #511515; unimportant) NOTE: m2crypto provides a direct mapping of the OpenSSL functions, no incorrect NOTE: call sites are known, if such are found they should be fixed in the respective NOTE: applications CVE-2009-0126 (The decrypt_public function in lib/crypt.cpp in the client in Berkeley ...) {DSA-1718-1} - boinc 6.2.14-3 (bug #511521) CVE-2009-0125 - libnasl (unimportant; bug #511517) CVE-2009-0124 (The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radi ...) - tqsllib 2.0-8 (low; bug #511509) [etch] - tqsllib (Minor issue) CVE-2009-0123 (Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows ...) 
NOT-FOR-US: Apple Safari CVE-2009-0122 (hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 and 2.8. ...) - hplip (only a bug in ubuntus postinst script, we use our own postinst which is not vulnerable) CVE-2009-XXXX [unspecified multiple Drupal vulnerabilies, likely some overlap with the next temp entry] - drupal6 6.6-3 CVE-2009-XXXX [unspecified Drupal SQL injection] - drupal5 5.15-1 CVE-2009-0121 (SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 allow ...) NOT-FOR-US: Goople CMS CVE-2009-0120 (The IBM WebSphere DataPower XML Security Gateway XS40 with firmware 3. ...) NOT-FOR-US: Web Sphere CVE-2009-0119 (Buffer overflow in Microsoft Windows XP SP3 allows remote attackers to ...) NOT-FOR-US: Windows CVE-2009-0118 RESERVED CVE-2009-0117 RESERVED CVE-2009-0116 RESERVED CVE-2009-0115 (The Device Mapper multipathing driver (aka multipath-tools or device-m ...) {DSA-1767-1} - multipath-tools 0.4.8-15 (low; bug #522813) CVE-2009-XXXX [openslp: insecure cert validation through openssl api misuse] - openslp-dfsg (Debian's openslp doesn't build with SSL support) CVE-2009-0114 (Unspecified vulnerability in the Settings Manager in Adobe Flash Playe ...) NOT-FOR-US: Flash CVE-2009-0113 (Directory traversal vulnerability in attachmentlibrary.php in the XSta ...) NOT-FOR-US: Joomla! component CVE-2009-0112 (Cross-site request forgery (CSRF) vulnerability in admin/agent_edit.as ...) NOT-FOR-US: PollPro CVE-2009-0111 (SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 and e ...) NOT-FOR-US: Goople CMS CVE-2009-0110 (SQL injection vulnerability in read.php in RiotPix 0.61 and earlier al ...) NOT-FOR-US: RiotPix CVE-2009-0109 (SQL injection vulnerability in index.php in RiotPix 0.61 and earlier a ...) NOT-FOR-US: RiotPix CVE-2009-0108 (PHPAuctions (aka PHPAuctionSystem) allows remote attackers to bypass a ...) NOT-FOR-US: PHPAuctions CVE-2009-0107 (Cross-site scripting (XSS) vulnerability in profile.php in PHPAuctions ...) 
NOT-FOR-US: PHPAuctions CVE-2009-0106 (SQL injection vulnerability in profile.php in PHPAuctions (aka PHPAuct ...) NOT-FOR-US: PHPAuctions CVE-2009-0105 (Cross-site scripting (XSS) vulnerability in index.php in EZpack 4.2b2 ...) NOT-FOR-US: EZpack CVE-2009-0104 (SQL injection vulnerability in index.php in EZpack 4.2b2 allows remote ...) NOT-FOR-US: EZpack CVE-2009-0103 (Multiple PHP remote file inclusion vulnerabilities in playSMS 0.9.3 al ...) NOT-FOR-US: playSMS CVE-2009-0102 (Microsoft Project 2000 SR1 and 2002 SP1, and Office Project 2003 SP3, ...) NOT-FOR-US: Microsoft CVE-2009-0101 REJECTED CVE-2009-0100 (Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Exc ...) NOT-FOR-US: Microsoft Office Excel CVE-2009-0099 (The Electronic Messaging System Microsoft Data Base (EMSMDB32) provide ...) NOT-FOR-US: Microsoft CVE-2009-0098 (Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exch ...) NOT-FOR-US: Microsoft CVE-2009-0097 (Microsoft Office Visio 2002 SP2 and 2003 SP3 does not properly validat ...) NOT-FOR-US: Microsoft CVE-2009-0096 (Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 does not prope ...) NOT-FOR-US: Microsoft CVE-2009-0095 (Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 does not prope ...) NOT-FOR-US: Microsoft CVE-2009-0094 (The WINS server in Microsoft Windows 2000 SP4 and Server 2003 SP1 and ...) NOT-FOR-US: Microsoft Windows CVE-2009-0093 (Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and ...) NOT-FOR-US: Microsoft Windows CVE-2009-0092 REJECTED CVE-2009-0091 (Microsoft .NET Framework 2.0, 2.0 SP1, and 3.5 does not properly enfor ...) NOT-FOR-US: Microsoft .NET Framework CVE-2009-0090 (Microsoft .NET Framework 1.0 SP3, 1.1 SP1, and 2.0 SP1 does not proper ...) NOT-FOR-US: Microsoft .NET Framework CVE-2009-0089 (Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP ...) 
NOT-FOR-US: Microsoft Windows CVE-2009-0088 (The WordPerfect 6.x Converter (WPFT632.CNV, 1998.1.27.0) in Microsoft ...) NOT-FOR-US: Microsoft Office CVE-2009-0087 (Unspecified vulnerability in the Word 6 text converter in WordPad in M ...) NOT-FOR-US: Microsoft Word CVE-2009-0086 (Integer underflow in Windows HTTP Services (aka WinHTTP) in Microsoft ...) NOT-FOR-US: Microsoft Windows CVE-2009-0085 (The Secure Channel (aka SChannel) authentication component in Microsof ...) NOT-FOR-US: Microsoft Windows CVE-2009-0084 (Use-after-free vulnerability in DirectShow in Microsoft DirectX 8.1 an ...) NOT-FOR-US: DirectX CVE-2009-0083 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2 ...) NOT-FOR-US: Microsoft Windows CVE-2009-0082 (The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 ...) NOT-FOR-US: Microsoft Windows CVE-2009-0081 (The graphics device interface (GDI) implementation in the kernel in Mi ...) NOT-FOR-US: Microsoft Windows CVE-2009-0080 (The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, d ...) NOT-FOR-US: Windows Vista CVE-2009-0079 (The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 ...) NOT-FOR-US: Microsoft Windows XP CVE-2009-0078 (The Windows Management Instrumentation (WMI) provider in Microsoft Win ...) NOT-FOR-US: Microsoft Windows XP CVE-2009-0077 (The firewall engine in Microsoft Forefront Threat Management Gateway, ...) NOT-FOR-US: Microsoft Forefront Threat Management Gateway CVE-2009-0076 (Microsoft Internet Explorer 7, when XHTML strict mode is used, allows ...) NOT-FOR-US: Microsoft CVE-2009-0075 (Microsoft Internet Explorer 7 does not properly handle errors during a ...) NOT-FOR-US: Microsoft CVE-2009-0074 REJECTED CVE-2009-0073 REJECTED CVE-2009-0072 (Microsoft Internet Explorer 6.0 through 8.0 beta2 allows remote attack ...) NOT-FOR-US: Internet Explorer CVE-2009-0071 (Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is e ...) 
- iceweasel (unimportant) NOTE: Browser crashes not treated as security issues CVE-2009-0070 (Integer signedness error in Apple Safari allows remote attackers to re ...) NOT-FOR-US: Apple Safari CVE-2009-0069 (Unspecified vulnerability in the nfs4rename_persistent_fh function in ...) NOT-FOR-US: Solaris CVE-2009-0068 (Interaction error in xdg-open allows remote attackers to execute arbit ...) - xdg-utils (xdg-open is not added to mailcap) CVE-2009-0067 RESERVED CVE-2009-0066 (Multiple unspecified vulnerabilities in Intel system software for Trus ...) NOT-FOR-US: Intel system software for TXT CVE-2009-0065 (Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Trans ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 - linux-2.6.24 CVE-2009-0064 (Multiple unspecified vulnerabilities in the Control Center in Symantec ...) NOT-FOR-US: Symantec Brightmail Gateway Appliance CVE-2009-0063 (Cross-site scripting (XSS) vulnerability in the Control Center in Syma ...) NOT-FOR-US: Symantec Brightmail Gateway Appliance CVE-2009-0062 (Unspecified vulnerability in the Cisco Wireless LAN Controller (WLC), ...) NOT-FOR-US: Cisco CVE-2009-0061 (Unspecified vulnerability in the Wireless LAN Controller (WLC) TSEC dr ...) NOT-FOR-US: Cisco CVE-2009-0060 RESERVED CVE-2009-0059 (The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless ...) NOT-FOR-US: Cisco CVE-2009-0058 (The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless ...) NOT-FOR-US: Cisco CVE-2009-0057 (The Certificate Authority Proxy Function (CAPF) service in Cisco Unifi ...) NOT-FOR-US: Cisco CVE-2009-0056 (Cross-site request forgery (CSRF) vulnerability in the administration ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2009-0055 (Cross-site request forgery (CSRF) vulnerability in the administration ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2009-0054 (PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2 ...) 
NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2009-0053 (PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2 ...) NOT-FOR-US: Cisco IronPort Encryption Appliance CVE-2009-0052 (The Atheros wireless driver, as used in Netgear WNDAP330 Wi-Fi access ...) NOT-FOR-US: Netgear WNDAP330 Access Point CVE-2009-0051 (ZXID 0.29 and earlier does not properly check the return value from th ...) NOT-FOR-US: ZXID CVE-2009-0050 (Lasso 2.2.1 and earlier does not properly check the return value from ...) {DSA-1700-1} - lasso 2.2.1-2 (bug #511262) CVE-2009-0049 (Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly ch ...) {DSA-1946-1} - belpic 2.6.0-6 (bug #511261) CVE-2009-0048 (OpenEvidence 1.0.6 and earlier does not properly check the return valu ...) NOT-FOR-US: OpenEvidence CVE-2009-0047 (Gale 0.99 and earlier does not properly check the return value from th ...) NOT-FOR-US: Gale CVE-2009-0046 (Sun GridEngine 5.3 and earlier does not properly check the return valu ...) NOT-FOR-US: Sun GridEngine CVE-2009-0045 RESERVED CVE-2009-0044 RESERVED CVE-2009-0043 (The smmsnmpd service in CA Service Metric Analysis r11.0 through r11.1 ...) NOT-FOR-US: CA Service Metric Analysis r11.0 through r11.1 SP1 and Service CVE-2009-0042 (Multiple unspecified vulnerabilities in the Arclib library (arclib.dll ...) NOT-FOR-US: CA Anti-Virus CVE-2009-0041 (IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before 1.4.23- ...) {DSA-1952-1} - asterisk 1:1.6.1.0~dfsg~rc3-1 (low; bug #513413) [lenny] - asterisk (Minor issue) [etch] - asterisk (Etch Packages no longer covered by security support) CVE-2009-0040 (The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before ...) {DSA-1830-1 DSA-1750-1} - icedove 2.0.0.22-1 (bug #535124) [squeeze] - icedove 2.0.0.22-0lenny1 - libpng 1.2.35-1 (bug #516256) CVE-2009-0039 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) 
- geronimo (bug #481869) CVE-2009-0038 (Multiple cross-site scripting (XSS) vulnerabilities in the web adminis ...) - geronimo (bug #481869) CVE-2009-0037 (The redirect implementation in curl and libcurl 5.11 through 7.19.3, w ...) {DSA-1738-1} - curl 7.18.2-8.1 (bug #518423) CVE-2009-0036 (Buffer overflow in the proxyReadClientSocket function in proxy/libvirt ...) - libvirt 0.5.1-7 (unimportant) NOTE: not building libvirt proxy from libvirt source package CVE-2009-0035 (alsa-utils 1.0.19 and later versions allows local users to overwrite a ...) - alsa-driver 1.0.20-1 (unimportant) NOTE: alsainfo not built into source package CVE-2009-0034 (parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret ...) - sudo 1.6.9p17-2 (medium) [etch] - sudo (Vulnerable code not present) CVE-2009-0033 (Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 th ...) {DSA-2207-1} - tomcat6 6.0.28-1 [lenny] - tomcat6 (Only ships the servlet package) - tomcat5 (medium; bug #532363) - tomcat5.5 (medium; bug #532366) CVE-2009-0032 (CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3 ...) NOT-FOR-US: issue affects pdfdistiller CVE-2009-0031 (Memory leak in the keyctl_join_session_keyring function (security/keys ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (low) - linux-2.6.24 CVE-2009-0030 (A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID ...) - squirrelmail (RedHat-specific regression) CVE-2009-0029 (The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc ...) {DSA-1794-1 DSA-1787-1 DSA-1749-1} - linux-2.6 2.6.29-1 (medium; bug #536147) - linux-2.6.24 CVE-2009-0028 (The clone system call in the Linux kernel 2.6.28 and earlier allows lo ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} - linux-2.6 2.6.29-1 - linux-2.6.24 CVE-2009-0027 (The request handler in JBossWS in JBoss Enterprise Application Platfor ...) 
- jbossas4 4.2.2.GA-1 (bug #562000) [lenny] - jbossas4 (Contrib not supported) CVE-2009-0026 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabb ...) NOT-FOR-US: Apache Jackrabbit CVE-2009-0025 (BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check t ...) {DSA-1703-1} - bind9 1:9.5.1.dfsg.P1-1 (low; bug #511936) NOTE: unlike the advisory states it is DSA_do_verify not DSA_verify NOTE: low severity because it is believed hard to trigger and only NOTE: affects DNSSEC with DSA, which is supposedly rarely used. CVE-2009-0024 (The sys_remap_file_pages function in mm/fremap.c in the Linux kernel b ...) - linux-2.6 2.6.24-4 [etch] - linux-2.6 (Introduced in 2.6.23) NOTE: Fixed in 2.6.24 before initial upload CVE-2009-0023 (The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apa ...) {DSA-1812-1} - apr-util 1.3.7+dfsg-1 CVE-2009-0022 (Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows re ...) - samba 2:3.2.5-3 [etch] - samba (Only 3.2.x affected) CVE-2009-0021 (NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly ...) {DSA-1702-1} - ntp 1:4.2.4p4+dfsg-8 CVE-2009-0020 (Unspecified vulnerability in CarbonCore in Apple Mac OS X 10.4.11 and ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0019 (Remote Apple Events in Apple Mac OS X 10.4.11 and 10.5.6 allows remote ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0018 (The Remote Apple Events server in Apple Mac OS X 10.4.11 and 10.5.6 do ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0017 (csregprinter in the Printing component in Apple Mac OS X 10.4.11 and 1 ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0016 (Apple iTunes before 8.1 on Windows allows remote attackers to cause a ...) NOT-FOR-US: Apple iTunes CVE-2009-0015 (Unspecified vulnerability in fseventsd in the FSEvents framework in Ap ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0014 (Folder Manager in Apple Mac OS X 10.5.6 uses insecure default permissi ...) 
NOT-FOR-US: Apple Mac OS X CVE-2009-0013 (dscl in DS Tools in Apple Mac OS X 10.4.11 and 10.5.6 requires that pa ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0012 (Heap-based buffer overflow in CoreText in Apple Mac OS X 10.5.6 allows ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0011 (Certificate Assistant in Apple Mac OS X 10.5.6 allows local users to o ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0010 (Integer underflow in QuickDraw Manager in Apple Mac OS X 10.4.11 and 1 ...) NOT-FOR-US: QuickDraw Manager in Apple Mac OS X CVE-2009-0009 (Unspecified vulnerability in the Pixlet codec in Apple Mac OS X 10.4.1 ...) NOT-FOR-US: Apple Mac OS X CVE-2009-0008 (Unspecified vulnerability in Apple QuickTime MPEG-2 Playback Component ...) NOT-FOR-US: Apple QuickTime CVE-2009-0007 (Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2009-0006 (Integer signedness error in Apple QuickTime before 7.6 allows remote a ...) NOT-FOR-US: Apple QuickTime CVE-2009-0005 (Unspecified vulnerability in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2009-0004 (Buffer overflow in Apple QuickTime before 7.6 allows remote attackers ...) NOT-FOR-US: Apple QuickTime CVE-2009-0003 (Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2009-0002 (Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime CVE-2009-0001 (Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote ...) NOT-FOR-US: Apple QuickTime
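The entries for ntp (CVE-2009-0021), bind9 (CVE-2009-0025), lasso, belpic and the NOT-FOR-US items CVE-2009-0046 through CVE-2009-0051, together with tqsllib, boinc, slurm-llnl, libcrypt-openssl-dsa-perl and the disputed erlang and m2crypto entries (CVE-2009-0124 through CVE-2009-0130), all describe the same call-site bug: OpenSSL's DSA_do_verify()/DSA_verify()/EVP_VerifyFinal() return 1 for a valid signature, 0 for an invalid one and -1 on error (for example when the signature blob does not decode as a DER SEQUENCE of two INTEGERs), and a caller that tests `ret == 0` or `!ret` treats the -1 error path as success. The erlang NOTE above says exactly what a correct caller does: success only when the result is 1. The block below is an added example, not code from OpenSSL or from any of the affected packages: it models DSA_do_verify()'s return contract over a compact textbook DSA implementation in Python (generated 512-bit p / 160-bit q parameters, SHA-1 as DSA originally specified, a seeded RNG so the run is reproducible, and a constructed sample message) and shows the vulnerable `!= 0` call site accepting a non-DER garbage "signature" while the `== 1` call site rejects it.

```python
"""Model of the OpenSSL DSA_do_verify() return contract (1 / 0 / -1) and of
the vulnerable vs. fixed caller. Added example; the DSA arithmetic is a
textbook implementation so the file runs offline without OpenSSL."""
import hashlib
import random

_rng = random.Random(2009)  # seeded so the demonstration is reproducible


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (enough for a demonstration)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(qbits=160, pbits=512):
    """DSA domain parameters (p, q, g) with q | p-1 and g of order q mod p."""
    while True:
        q = _rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if _is_probable_prime(q):
            break
    while True:
        p = (_rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) * q + 1
        if _is_probable_prime(p):
            break
    while True:
        g = pow(_rng.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            return p, q, g


def keygen(params):
    p, q, g = params
    x = _rng.randrange(1, q)          # private key
    return x, pow(g, x, p)            # (x, y)


def _digest_int(msg, q):
    """SHA-1 as in the original DSA spec (fidelity, not a recommendation)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def _der_int(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # keeps a 0x00 pad if the top bit is set
    return b"\x02" + bytes([len(body)]) + body


def der_encode_sig(r, s):
    """DSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } (what d2i_DSA_SIG expects)."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def _der_read_int(buf, pos):
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length = buf[pos + 1]
    if length == 0 or length >= 0x80 or pos + 2 + length > len(buf):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(buf[pos + 2:pos + 2 + length], "big"), pos + 2 + length


def der_decode_sig(sig):
    """Strict short-form DER decoder; raises ValueError on anything malformed."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE")
    r, pos = _der_read_int(sig, 2)
    s, pos = _der_read_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing data")
    return r, s


def sign(params, x, msg):
    p, q, g = params
    z = _digest_int(msg, q)
    while True:
        k = _rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return der_encode_sig(r, s)


def dsa_do_verify(params, y, msg, sig):
    """Same contract as OpenSSL: 1 = valid, 0 = invalid, -1 = error (no verdict)."""
    p, q, g = params
    try:
        r, s = der_decode_sig(sig)
    except ValueError:
        return -1                              # d2i_DSA_SIG() failure path
    if not (0 < r < q and 0 < s < q):
        return 0                               # out-of-range r/s is "invalid"
    w = pow(s, -1, q)
    z = _digest_int(msg, q)
    v = (pow(g, z * w % q, p) * pow(y, r * w % q, p) % p) % q
    return 1 if v == r else 0


def accept_vulnerable(params, y, msg, sig):
    """The CVE-2009-0021..0130 pattern: only 0 is treated as failure, so -1 passes."""
    return dsa_do_verify(params, y, msg, sig) != 0


def accept_fixed(params, y, msg, sig):
    """Only the documented success value means success."""
    return dsa_do_verify(params, y, msg, sig) == 1


def demo():
    """Returns (raw return value, vulnerable verdict, fixed verdict) per case."""
    params = generate_params()
    x, y = keygen(params)
    msg = b"constructed sample message"         # constructed input
    good = sign(params, x, msg)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # flip one bit of s
    garbage = b"\xff" * 8                       # not DER at all
    cases = {"valid": good, "tampered": tampered, "garbage": garbage}
    return {name: (dsa_do_verify(params, y, msg, sig),
                   accept_vulnerable(params, y, msg, sig),
                   accept_fixed(params, y, msg, sig)) for name, sig in cases.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9s} ret={verdicts[0]:2d} vulnerable={verdicts[1]} fixed={verdicts[2]}")
```

The garbage case is the whole story: the verifier never reaches the math, reports -1, and the `!= 0` caller lets a signature through that was never checked. Fixes for the packages above all take the `== 1` form; the erlang and m2crypto entries were disputed precisely because their callers already did so.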