[Secure-testing-team] [Secure-testing-commits] r12558 - in data: . CVE

Michael S. Gilbert michael.s.gilbert at gmail.com
Tue Aug 11 16:00:33 UTC 2009


On Tue, 11 Aug 2009 17:17:11 +0200, Moritz Muehlenhoff wrote:
> Hi Michael,
> 
> On Mon, Aug 10, 2009 at 11:59:52PM +0000, Michael Gilbert wrote:
> > Author: gilbert-guest
> > Date: 2009-08-10 23:59:52 +0000 (Mon, 10 Aug 2009)
> > New Revision: 12558
> > 
> > Modified:
> >    data/CVE/list
> >    data/embedded-code-copies
> > Log:
> > - fix typo
> > - apache issue doesn't warrant a dsa
> 
> 
> > 
> > Modified: data/CVE/list
> > ===================================================================
> > --- data/CVE/list	2009-08-10 23:56:52 UTC (rev 12557)
> > +++ data/CVE/list	2009-08-10 23:59:52 UTC (rev 12558)
> > @@ -1,5 +1,7 @@
> >  CVE-2009-XXXX [apache2: xml-based firewall bypass / port scanning]
> >  	- apache2 <unfixed> (low; bug #540862)
> > +	[etch] - apache2 <no-dsa> (minor issue)
> > +	[lenny] - apache2 <no-dsa> (minor issue)
> >  CVE-2009-XXXX [linux-2.6: parisc eisa underflow]
> >  	- linux-2.6 <unfixed> (low)
> >  	- linux-2.6.24 <removed>
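Review bot: The two added per-release lines under the apache2 entry, `[etch] - apache2 <no-dsa> (minor issue)` and `[lenny] - apache2 <no-dsa> (minor issue)`, give no rationale beyond "minor issue". The entry above them is still `apache2 <unfixed> (low; bug #540862)` and has no CVE id assigned yet. Put the concrete reason in the parenthesised text (for example, what limits the impact), or hold the release lines until it is confirmed that apache2 is the affected package, so the status does not have to be rewritten later. The log also combines "fix typo" with this triage decision in one revision; a separate commit for each would make the no-dsa decision easier to revisit or revert on its own.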
> 
> Stefan's followup indicates that Apache isn't affected at all,
> so this would rather be a <not-affected>?

i think that it would make more sense to continue tracking the issue
until someone has a chance to test whether the exploit actually works
or not.  also, i think that it should be reassigned to xerces, since the
flaw happens to be in xml parsing, rather than apache itself...

mike


