rhsa-2015_0197
Vulnerability from csaf_redhat
Published
2015-02-11 17:35
Modified
2024-11-05 18:46
Summary
Red Hat Security Advisory: rhevm-spice-client security and bug fix update
Notes
Topic
Updated rhevm-spice-client packages that fix two security issues and
several bugs are now available for Red Hat Enterprise Virtualization
Manager 3.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat Enterprise Virtualization Manager provides access to virtual
machines using SPICE. These SPICE client packages provide the SPICE client
and usbclerk service for both Windows 32-bit operating systems and Windows
64-bit operating systems.
A race condition was found in the way OpenSSL handled ServerHello messages
with an included Supported EC Point Format extension. A malicious server
could possibly use this flaw to cause a multi-threaded TLS/SSL client using
OpenSSL to write into freed memory, causing the client to crash or execute
arbitrary code. (CVE-2014-3509)
A flaw was found in the way OpenSSL handled fragmented handshake packets.
A man-in-the-middle attacker could use this flaw to force a TLS/SSL server
using OpenSSL to use TLS 1.0, even if both the client and the server
supported newer protocol versions. (CVE-2014-3511)
This update also fixes the following bugs:
* Previously, various clipboard managers, operating on the client or on the
guest, would occasionally lose synchronization, which resulted in clipboard
data loss and the SPICE console freezing. Now, spice-gtk have been patched,
such that clipboard synchronization does not freeze the SPICE console
anymore. (BZ#1083489)
* Prior to this update, when a SPICE console was launched from the Red Hat
Enterprise Virtualization User Portal with the 'Native Client' invocation
method and 'Open in Full Screen' selected, the displays of the guest
virtual machine were not always configured to match the client displays.
After this update, the SPICE console will show a full-screen guest display
for each client monitor. (BZ#1076243)
* A difference in behavior between Linux and Windows clients caused an
extra nul character to be sent when pasting text in a guest machine from a
Windows client. This invisible character was visible in some Java
applications. With this update, the extra nul character is removed from
text strings and no more extraneous character would appear. (BZ#1090122)
* Previously, If the clipboard is of type image/bmp, and the data is of 0
size, GTK+ will crash. With this update, the data size is checked first,
and GTK+ no longer crashes when clipboard is of type image/bmp, and the
data is of 0 size. (BZ#1090433)
* Modifier-only key combinations cannot be registered by users as hotkeys
so if a user tries to set a modifier-only key sequence (for example,
'ctrl+alt') as the hotkey for releasing the cursor, it will fail, and the
user will be able to release the cursor from the window. With this update,
when a modifier-only hotkey is attempted to be registered, it will fall
back to the default cursor-release sequence (which happens to be
'ctrl+alt'). (BZ#985319)
* Display configuration sometimes used outdated information about the
position of the remote-viewer windows in order to align and configure the
guest displays. Occasionally, this caused the guest displays to became
unexpectedly swapped when a window is resized. With this update,
remote-viewer will always use the current window locations to align
displays, rather than using a possibly outdated cached location
information. (BZ#1018182)
All rhevm-spice-client users are advised to upgrade to these updated
packages, which contain backported patches to correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated rhevm-spice-client packages that fix two security issues and\nseveral bugs are now available for Red Hat Enterprise Virtualization\nManager 3.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Enterprise Virtualization Manager provides access to virtual\nmachines using SPICE. These SPICE client packages provide the SPICE client\nand usbclerk service for both Windows 32-bit operating systems and Windows\n64-bit operating systems.\n\nA race condition was found in the way OpenSSL handled ServerHello messages\nwith an included Supported EC Point Format extension. A malicious server\ncould possibly use this flaw to cause a multi-threaded TLS/SSL client using\nOpenSSL to write into freed memory, causing the client to crash or execute\narbitrary code. (CVE-2014-3509)\n\nA flaw was found in the way OpenSSL handled fragmented handshake packets.\nA man-in-the-middle attacker could use this flaw to force a TLS/SSL server\nusing OpenSSL to use TLS 1.0, even if both the client and the server\nsupported newer protocol versions. (CVE-2014-3511)\n\nThis update also fixes the following bugs:\n\n* Previously, various clipboard managers, operating on the client or on the\nguest, would occasionally lose synchronization, which resulted in clipboard\ndata loss and the SPICE console freezing. Now, spice-gtk have been patched,\nsuch that clipboard synchronization does not freeze the SPICE console\nanymore. (BZ#1083489)\n\n* Prior to this update, when a SPICE console was launched from the Red Hat\nEnterprise Virtualization User Portal with the \u0027Native Client\u0027 invocation\nmethod and \u0027Open in Full Screen\u0027 selected, the displays of the guest\nvirtual machine were not always configured to match the client displays.\nAfter this update, the SPICE console will show a full-screen guest display\nfor each client monitor. (BZ#1076243)\n\n* A difference in behavior between Linux and Windows clients caused an\nextra nul character to be sent when pasting text in a guest machine from a\nWindows client. This invisible character was visible in some Java\napplications. With this update, the extra nul character is removed from\ntext strings and no more extraneous character would appear. (BZ#1090122)\n\n* Previously, If the clipboard is of type image/bmp, and the data is of 0\nsize, GTK+ will crash. With this update, the data size is checked first,\nand GTK+ no longer crashes when clipboard is of type image/bmp, and the\ndata is of 0 size. (BZ#1090433)\n\n* Modifier-only key combinations cannot be registered by users as hotkeys\nso if a user tries to set a modifier-only key sequence (for example,\n\u0027ctrl+alt\u0027) as the hotkey for releasing the cursor, it will fail, and the\nuser will be able to release the cursor from the window. With this update,\nwhen a modifier-only hotkey is attempted to be registered, it will fall\nback to the default cursor-release sequence (which happens to be\n\u0027ctrl+alt\u0027). (BZ#985319)\n\n* Display configuration sometimes used outdated information about the\nposition of the remote-viewer windows in order to align and configure the\nguest displays. Occasionally, this caused the guest displays to became\nunexpectedly swapped when a window is resized. With this update,\nremote-viewer will always use the current window locations to align\ndisplays, rather than using a possibly outdated cached location\ninformation. (BZ#1018182)\n\nAll rhevm-spice-client users are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2015:0197", "url": "https://access.redhat.com/errata/RHSA-2015:0197" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1018145", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1018145" }, { "category": "external", "summary": "1018182", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1018182" }, { "category": "external", "summary": "1076243", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076243" }, { "category": "external", "summary": "1083489", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1083489" }, { "category": "external", "summary": "1090122", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090122" }, { "category": "external", "summary": "1090433", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090433" }, { "category": "external", "summary": "1103366", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1103366" }, { "category": "external", "summary": "1105650", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1105650" }, { "category": "external", "summary": "1115445", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1115445" }, { "category": "external", "summary": "1127498", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1127498" }, { "category": "external", "summary": "1127504", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1127504" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0197.json" } ], "title": "Red Hat Security Advisory: rhevm-spice-client security and bug fix update", "tracking": { "current_release_date": "2024-11-05T18:46:23+00:00", "generator": { "date": "2024-11-05T18:46:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2015:0197", "initial_release_date": "2015-02-11T17:35:16+00:00", "revision_history": [ { "date": "2015-02-11T17:35:16+00:00", "number": "1", "summary": "Initial version" }, { "date": "2015-02-11T17:35:16+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T18:46:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEV-M 3.5", "product": { "name": "RHEV-M 3.5", "product_id": "6Server-RHEV-S-3.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhev_manager:3" } } } ], "category": "product_family", "name": "Red Hat Virtualization" }, { "branches": [ { "category": "product_version", "name": "rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "product": { "name": "rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "product_id": "rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhevm-spice-client-x64-cab@3.5-2.el6?arch=noarch" } } }, { "category": "product_version", "name": "rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "product": { "name": "rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "product_id": "rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhevm-spice-client-x64-msi@3.5-2.el6?arch=noarch" } } }, { "category": "product_version", "name": "rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch", "product": { "name": "rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch", "product_id": "rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhevm-spice-client-x86-msi@3.5-2.el6?arch=noarch" } } }, { "category": "product_version", "name": "rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "product": { "name": "rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "product_id": "rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhevm-spice-client-x86-cab@3.5-2.el6?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "rhevm-spice-client-0:3.5-2.el6.src", "product": { "name": "rhevm-spice-client-0:3.5-2.el6.src", "product_id": "rhevm-spice-client-0:3.5-2.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rhevm-spice-client@3.5-2.el6?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rhevm-spice-client-0:3.5-2.el6.src as a component of RHEV-M 3.5", "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-2.el6.src" }, "product_reference": "rhevm-spice-client-0:3.5-2.el6.src", "relates_to_product_reference": "6Server-RHEV-S-3.5" }, { "category": "default_component_of", "full_product_name": { "name": "rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch as a component of RHEV-M 3.5", "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch" }, "product_reference": "rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "relates_to_product_reference": "6Server-RHEV-S-3.5" }, { "category": "default_component_of", "full_product_name": { "name": "rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch as a component of RHEV-M 3.5", "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch" }, "product_reference": "rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "relates_to_product_reference": "6Server-RHEV-S-3.5" }, { "category": "default_component_of", "full_product_name": { "name": "rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch as a component of RHEV-M 3.5", "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch" }, "product_reference": "rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "relates_to_product_reference": "6Server-RHEV-S-3.5" }, { "category": "default_component_of", "full_product_name": { "name": "rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch as a component of RHEV-M 3.5", "product_id": "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch" }, "product_reference": "rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch", "relates_to_product_reference": "6Server-RHEV-S-3.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2014-3509", "cwe": { "id": "CWE-362", "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)" }, "discovery_date": "2014-08-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1127498" } ], "notes": [ { "category": "description", "text": "A race condition was found in the way OpenSSL handled ServerHello messages with an included Supported EC Point Format extension. A malicious server could possibly use this flaw to cause a multi-threaded TLS/SSL client using OpenSSL to write into freed memory, causing the client to crash or execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "openssl: race condition in ssl_parse_serverhello_tlsext", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-2.el6.src", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-3509" }, { "category": "external", "summary": "RHBZ#1127498", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1127498" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3509", "url": "https://www.cve.org/CVERecord?id=CVE-2014-3509" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3509", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3509" }, { "category": "external", "summary": "https://www.openssl.org/news/secadv_20140806.txt", "url": "https://www.openssl.org/news/secadv_20140806.txt" } ], "release_date": "2014-08-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-02-11T17:35:16+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-2.el6.src", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:0197" } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-2.el6.src", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openssl: race condition in ssl_parse_serverhello_tlsext" }, { "cve": "CVE-2014-3511", "cwe": { "id": "CWE-390", "name": "Detection of Error Condition Without Action" }, "discovery_date": "2014-08-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1127504" } ], "notes": [ { "category": "description", "text": "A flaw was found in the way OpenSSL handled fragmented handshake packets. A man-in-the-middle attacker could use this flaw to force a TLS/SSL server using OpenSSL to use TLS 1.0, even if both the client and the server supported newer protocol versions.", "title": "Vulnerability description" }, { "category": "summary", "text": "openssl: TLS protocol downgrade attack", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-2.el6.src", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-3511" }, { "category": "external", "summary": "RHBZ#1127504", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1127504" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3511", "url": "https://www.cve.org/CVERecord?id=CVE-2014-3511" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3511", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3511" }, { "category": "external", "summary": "https://www.openssl.org/news/secadv_20140806.txt", "url": "https://www.openssl.org/news/secadv_20140806.txt" } ], "release_date": "2014-08-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2015-02-11T17:35:16+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-2.el6.src", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2015:0197" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "6Server-RHEV-S-3.5:rhevm-spice-client-0:3.5-2.el6.src", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x64-msi-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-cab-0:3.5-2.el6.noarch", "6Server-RHEV-S-3.5:rhevm-spice-client-x86-msi-0:3.5-2.el6.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "openssl: TLS protocol downgrade attack" } ] }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.