author Nico Golde <nion@debian.org> 2009-03-10 15:22:14 +0000
committer Nico Golde <nion@debian.org> 2009-03-10 15:22:14 +0000
commit 878ab451fe2f8d8b89c19730ccd60cd4665cdf47
tree 119afce9cfa43ca798070a4eb64cada3817eef10
parent f5edb8247ff778b7bb9e0c6815ed935737ddefdf
- add typo3 cve ids
- NFUs
- new squid issue (CVE-2009-0801)
- CVE-2008-6176 fixed in drupal5,6/5.12-1,6.6-1
- CVE-2008-6170 fixed in drupal6 6.9-1
- CVE-2009-{0578, 0365} fixed in network-manager-applet/network-manager 0.7.0.99-1

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@11369 e39458fd-73e7-0310-bf30-c45bca0a0e42
-rw-r--r-- data/CVE/list 32
-rw-r--r-- data/DTSA/list 1
2 files changed, 18 insertions, 15 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 6b96499a6e..455a0cf707 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -31,7 +31,7 @@ CVE-2008-6415 (Buffer overflow in YoungZSoft CCProxy 6.5 might allow remote atta
CVE-2008-6414 (SQL injection vulnerability in detail.php in AJ Auction Pro Platinum ...)
NOT-FOR-US: AJ Auction Pro Platinum
CVE-2008-6413 (Cross-site scripting (XSS) vulnerability in the Answers module ...)
- TODO: check
+ NOT-FOR-US: Answers module for Drupal
CVE-2008-6412 (Unspecified vulnerability in Vignette Content Management 7.3.0.5, ...)
NOT-FOR-US: Vignette Content Management
CVE-2008-6411 (Explay CMS 2.1 and earlier allows remote attackers to bypass ...)
@@ -67,13 +67,13 @@ CVE-2009-0820 (Multiple eval injection vulnerabilities in phpScheduleIt before 1
CVE-2009-0819 (sql/item_xmlfunc.cc in MySQL before 5.1.32 allows remote authenticated ...)
- mysql-dfsg-5.0 <not-affected> (Vulnerable code introduced in 5.1.5)
CVE-2009-0818 (Cross-site scripting (XSS) vulnerability in the ...)
- TODO: check
+ NOT-FOR-US: Taxonomy Theme module for Drupal
CVE-2009-0817 (Cross-site scripting (XSS) vulnerability in the Protected Node module ...)
- TODO: check
+ NOT-FOR-US: Protected Node module for Drupal
CVE-2009-0816 (Cross-site scripting (XSS) vulnerability in the backend user interface ...)
- TODO: check
+ - typo3-src 4.2.6-1 (low; bug #514713)
CVE-2009-0815 (The jumpUrl mechanism in class.tslib_fe.php in TYPO3 4.0 before ...)
- TODO: check
+ - typo3-src 4.2.6-1 (medium; bug #514713)
CVE-2009-0814 (Cross-site scripting (XSS) vulnerability in Widgets.aspx in Blogsa 1.0 ...)
NOT-FOR-US: Blogsa
CVE-2009-0813 (Insecure method vulnerability in the ImeraIEPlugin ActiveX control ...)
@@ -102,7 +102,9 @@ CVE-2009-0803 (SmoothWall SmoothGuardian, as used in SmoothWall Firewall, ...)
CVE-2009-0802 (Qbik WinGate, when transparent interception mode is enabled, uses the ...)
NOT-FOR-US: Qbik WinGate
CVE-2009-0801 (Squid, when transparent interception mode is enabled, uses the HTTP ...)
- TODO: check
+ - squid <unfixed> (low)
+ - squid3 <unfixed> (low)
+ TODO: report bug
CVE-2009-0800
RESERVED
CVE-2009-0799
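Review bot: the squid and squid3 lines added under CVE-2009-0801 are marked <unfixed> with no bug number, and the only follow-up is "TODO: report bug". Other entries in this commit carry a "bug #..." reference (typo3-src, drupal5, drupal6); file the bugs against both packages and add the references here so the TODO can be dropped and the open issue is traceable from the package side.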
@@ -910,7 +912,8 @@ CVE-2008-6178 (Unrestricted file upload vulnerability in ...)
CVE-2008-6177 (Multiple directory traversal vulnerabilities in LightBlog 9.8, when ...)
NOT-FOR-US: LightBlog
CVE-2008-6176 (bootstrap.inc in Drupal 5.x before 5.12 and 6.x before 6.6, when the ...)
- TODO: check
+ - drupal5 5.12-1 (low; bug #519114)
+ - drupal6 6.6-1 (low; bug #519115)
CVE-2008-6175 (SilverSHielD 1.0.2.34 allows remote attackers to cause a denial of ...)
NOT-FOR-US: SilverSHielD
CVE-2008-6174 (Cross-site scripting (XSS) vulnerability in admin/postlister/index.php ...)
@@ -920,9 +923,10 @@ CVE-2008-6173 (Cross-site scripting (XSS) vulnerability in fullscreen.php in ...
CVE-2008-6172 (Directory traversal vulnerability in captcha/captcha_image.php in the ...)
NOT-FOR-US: Joomla!
CVE-2008-6171 (Drupal 5.x before 5.12 and 6.x before 6.6, when the server is ...)
- TODO: check
+ TODO: check back with mitre
+ NOTE: looks like a dupe of CVE-2008-6176
CVE-2008-6170 (Cross-site scripting (XSS) vulnerability in Drupal 5.x before 5.12 and ...)
- TODO: check
+ - drupal6 6.9-1 (low)
CVE-2008-6169 (Cross-site request forgery (CSRF) vulnerability in the Localization ...)
NOT-FOR-US: Localization modules for Drupal
CVE-2008-6168 (Cross-site scripting (XSS) vulnerability in search.php in miniPortail ...)
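Review bot: the CVE-2008-6170 entry tracks only "drupal6 6.9-1 (low)" although its description names Drupal 5.x before 5.12 as well. Add a drupal5 line, either with the fixed version or as <not-affected> with the reason, so the status of the 5.x package is explicit. CVE-2008-6171 above it still has no package lines; if the duplicate of CVE-2008-6176 is not confirmed, it should get the same drupal5/drupal6 entries rather than staying as a bare TODO.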
@@ -1126,7 +1130,7 @@ CVE-2009-0580
CVE-2009-0579
RESERVED
CVE-2009-0578 (network-manager-applet in Ubuntu 8.10 does not properly verify ...)
- TODO: check
+ - network-manager-applet 0.7.0.99-1 (medium)
CVE-2009-0577 (Integer overflow in the WriteProlog function in texttops in CUPS ...)
NOT-FOR-US: RedHat specific, because they had a problem applying the fix for CVE-2008-3640
CVE-2009-0576 (Unspecified vulnerability in Sun Java System Directory Server 5.2 p6 ...)
@@ -1455,9 +1459,6 @@ CVE-2008-6091 (SQL injection vulnerability in plugins.php in BMForum 5.6, when .
NOT-FOR-US: BMForum
CVE-2009-0489 (The DBus configuration file for Wicd before 1.5.9 allows arbitrary ...)
- wicd 1.5.9-1
-CVE-2009-XXXX [typo3 information disclosure & xss]
- - typo3-src 4.2.6-1 (medium; bug #514713)
- [lenny] - typo3-src 4.2.5-1+lenny1
CVE-2009-0479 (Multiple SQL injection vulnerabilities in admin/admin_login.php in ...)
NOT-FOR-US: Online Grades
CVE-2009-0477 (Unspecified vulnerability in the process (aka proc) filesystem in Sun ...)
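Review bot: removing the CVE-2009-XXXX placeholder also drops its "[lenny] - typo3-src 4.2.5-1+lenny1" line, and the replacement entries for CVE-2009-0816 and CVE-2009-0815 earlier in this file list only "typo3-src 4.2.6-1". Unless the lenny status is meant to come solely from the DTSA-193-1 cross-reference added in data/DTSA/list, carry the [lenny] line over to both new entries so the fix in 4.2.5-1+lenny1 is not lost from this file.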
@@ -1906,7 +1907,8 @@ CVE-2009-0366 [wesnoth server memory exhaustion]
RESERVED
- wesnoth 1:1.4.7-4
CVE-2009-0365 (The dbus request handler in (1) network-manager-applet and (2) ...)
- TODO: check
+ - network-manager-applet 0.7.0.99-1 (medium)
+ - network-manager 0.7.0.99-1 (medium)
CVE-2009-0364
RESERVED
CVE-2009-0363 (Multiple buffer overflows in (a) BarnOwl before 1.0.5 and (b) owl ...)
@@ -2515,7 +2517,7 @@ CVE-2009-0188
CVE-2009-0187 (Stack-based buffer overflow in Orbit Downloader 2.8.2 and 2.8.3, and ...)
NOT-FOR-US: Orbit Downloader
CVE-2009-0186 (Integer overflow in libsndfile 1.0.18, as used in Winamp and other ...)
- TODO: check
+ - libsndfile 1.0.19-1 (medium)
CVE-2009-0185
RESERVED
CVE-2009-0184 (Multiple buffer overflows in the torrent parsing implementation in ...)
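Review bot: the CVE-2009-0186 change to "libsndfile 1.0.19-1 (medium)" is not listed in the commit message, which covers typo3, the NFUs, squid, drupal and network-manager only. Mention it in the message so the triage decision can be found from the log, and add a bug reference to the entry if one exists, as the typo3 and drupal lines in this commit do.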
diff --git a/data/DTSA/list b/data/DTSA/list
index 558ecdee57..24ca23bb9a 100644
--- a/data/DTSA/list
+++ b/data/DTSA/list
@@ -576,6 +576,7 @@
{CVE-2009-0490}
[lenny] - audacity 1.3.5-2+lenny1
[February 10th, 2009] DTSA-193-1 typo3 - several vulnerabilities
+ {CVE-2009-0816 CVE-2009-0815}
[lenny] - typo3-src 4.2.5-1+lenny1
[February 11th, 2009] DTSA-194-1 samizdat - cross-site scripting
{CVE-2009-0359}
