Bug 26973 - need help triaging deluge of webkit-related security issues
Summary: need help triaging deluge of webkit-related security issues
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Other Linux
Importance: P2 Major
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-04 22:42 PDT by Michael Gilbert
Modified: 2010-01-08 04:52 PST (History)
Description Michael Gilbert 2009-07-04 22:42:25 PDT
hello,

the debian project (and likely other webkit downstreams) is in desperate need of assistance triaging the deluge of 30+ webkit security bugs that came through apple recently [1].  the problem, of course, is that the apple announcements are effectively useless since there is no information about patches and bug reports for the problems.  hence, it makes it very difficult to determine which webkit versions are affected; and also to find the patches needed to address the problems.

do you track CVEs?  if so, are the CVE numbers coupled to bug reports/patches?  if possible, can you help me track down the bug reports and patches for the following CVEs?

| WebKit
| CVE-ID:  CVE-2006-2783
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to a cross-
| site scripting attack
| Description:  WebKit ignores Unicode byte order mark sequences when
| parsing web pages. Certain websites and web content filters attempt
| to sanitize input by blocking specific HTML tags. This approach to
| filtering may be bypassed and lead to cross-site scripting when
| encountering maliciously-crafted HTML tags containing byte order mark
| sequences. This update addresses the issue through improved handling
| of byte order mark sequences. Credit to Chris Weber of Casaba
| Security, LLC for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-1588
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Unicode ideographic spaces may be used to spoof a website
| Description:  When Safari displays the current URL in the address
| bar, Unicode ideographic spaces are rendered. This allows a
| maliciously crafted website to direct the user to a spoofed site that
| visually appears to be a legitimate domain. This update addresses the
| issue by not rendering Unicode ideographic spaces in the address bar.
|
| WebKit
| CVE-ID:  CVE-2008-2320
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A memory corruption issue exists in WebKit's handling
| of invalid color strings in CSS. Visiting a maliciously crafted
| website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved handling of color strings. Credit to Thomas Raffetseder of
| the International Secure Systems Lab for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-3632
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A use-after-free issue exists in WebKit's handling of
| '@import' statements within Cascading Style Sheets. Visiting a
| maliciously crafted website may lead to an unexpected application
| termination or arbitrary code execution. This update addresses the
| issue through improved handling of style sheets. Credit to Dean
| McNamee of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2008-4231
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  An uninitialized memory access issue exists in WebKit's
| handling of HTML tables. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through proper
| initialization of the internal representation of HTML tables. Credit
| to Haifei Li of Fortinet's FortiGuard Global Security Research Team
| for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1681
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Interacting with a maliciously crafted website may result in
| unexpected actions on other sites
| Description:  A design issue exists in the same-origin policy
| mechanism used to limit interactions between websites. This policy
| allows websites to load pages from third-party websites into a
| subframe. This frame may be positioned to entice the user to click a
| particular element within the frame, an attack referred to as
| "clickjacking". A maliciously crafted website may be able to
| manipulate a user into taking an unexpected action, such as
| initiating a purchase. This update addresses the issue through
| adoption of the industry-standard 'X-Frame-Options' extension header,
| that allows individual web pages to opt out of being displayed within
| a subframe.
|
| WebKit
| CVE-ID:  CVE-2009-1684
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in cross-
| site scripting
| Description:  A cross-site scripting issue exists in the separation
| of JavaScript contexts. A maliciously crafted web page may use an
| event handler to execute a script in the security context of the next
| web page that is loaded in its window or frame. This update addresses
| the issue by ensuring that event handlers are not able to directly
| affect an in-progress page transition. Credit to Michal Zalewski of
| Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1685
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in cross-
| site scripting
| Description:  A cross-site scripting issue exists in the separation
| of JavaScript contexts. By enticing a user to visit a maliciously
| crafted web page, the attacker may overwrite the
| 'document.implementation' of an embedded or parent document served
| from a different security zone. This update addresses the issue by
| ensuring that changes to 'document.implementation' do not affect
| other documents. Credit to Dean McNamee of Google Inc. for reporting
| this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1686
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to arbitrary
| code execution
| Description:  A type conversion issue exists in WebKit's JavaScript
| exception handling. When an attempt is made to assign the exception
| to a variable that is declared as a constant, an object is cast to an
| invalid type, causing memory corruption. Visiting a maliciously
| crafted website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue by ensuring
| that assignment in a const declaration writes to the variable object.
| Credit to Jesse Ruderman of Mozilla Corporation for reporting this
| issue.
|
| WebKit
| CVE-ID:  CVE-2009-1687
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A memory corruption issue exists in WebKit's JavaScript
| garbage collector. If an allocation fails, a memory write to an
| offset of a NULL pointer may result, leading to an unexpected
| application termination or arbitrary code execution. This update
| addresses the issue by checking for allocation failure. Credit to
| SkyLined of Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1688
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in cross-
| site scripting
| Description:  WebKit does not use the HTML 5 standard method to
| determine the security context associated with a given script. An
| implementation issue in WebKit's method may result in a cross-site
| scripting attack under certain conditions. This update addresses the
| issue by using the standards-compliant method to determine the
| security context associated with a script. Credit to Adam Barth of UC
| Berkeley, and Collin Jackson of Stanford University for reporting
| this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1689
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description:  A cross-site scripting issue exists in WebKit. A
| maliciously crafted website containing a form submitted to
| 'about:blank' may synchronously replace the document's security
| context, allowing currently-executing scripts to run in the new
| security context. This update addresses the issue through improved
| handling of cross-site interaction with form submission. Credit to
| Adam Barth of UC Berkeley, and Collin Jackson of Stanford University
| for reporting this issue.
|
| Webkit
| CVE-ID:  CVE-2009-1690
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in an
| unexpected application termination or arbitrary code execution
| Description:  A memory corruption issue exists in WebKit's handling
| of recursion in certain DOM event handlers. Visiting a maliciously
| crafted website may lead to an unexpected application termination or
| arbitrary code execution. This update addresses the issue through
| improved memory management. Credit to SkyLined of Google Inc, and
| wushi & ling of team509 working with Verisign iDefense VCP for
| reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1691
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to cross-
| site scripting
| Description:  A cross-site scripting issue in Safari allows a
| maliciously crafted website to alter standard JavaScript prototypes
| of websites served from a different domain. By enticing a user to
| visit a maliciously crafted web page, an attacker may be able to
| alter the execution of JavaScript served from other websites. This
| update addresses the issue through improved access controls on these
| prototypes.
|
| WebKit
| CVE-ID:  CVE-2009-1693
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may disclose images
| from other sites
| Description:  A cross-site image capture issue exists in WebKit. By
| using a canvas with an SVG image, a maliciously crafted website may
| load and capture an image from another website. This update addresses
| the issue by restricting the reading of canvases that have images
| loaded from other websites. Credit to Chris Evans of Google Inc. for
| reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1694
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may disclose images
| from other sites
| Description:  A cross-site image capture issue exists in WebKit. By
| using a canvas and a redirect, a maliciously crafted website may load
| and capture an image from another website. This update addresses the
| issue through improved handling of redirects. Credit to Chris Evans
| of for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1695
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description:  An issue in WebKit allows the contents of a frame to be
| accessed by an HTML document after a page transition has taken place.
| This may allow a maliciously crafted website to perform a cross-site
| scripting attack. This update addresses the issue through an improved
| domain check. Credit to Feng Qian of Google Inc. for reporting this
| issue.
|
| WebKit
| CVE-ID:  CVE-2009-1696
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Websites may surreptitiously track users
| Description:  Safari generates random numbers for JavaScript
| applications using a predictable algorithm. This could allow a
| website to track a particular Safari session without using cookies,
| hidden form elements, IP addresses, or other techniques. This update
| addresses the issue by using a better random number generator. Credit
| to Amit Klein of Trusteer for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1697
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in a
| cross-site scripting attack
| Description:  A CRLF injection issue exists in the handling of
| XMLHttpRequest headers in WebKit. This may allow a maliciously
| crafted website to bypass the same-origin policy by issuing an
| XMLHttpRequest that does not contain a Host header. XMLHttpRequests
| without a Host header may reach other websites on the same server,
| and allow attacker-supplied JavaScript to interact with those sites.
| This update addresses the issue through improved handling of
| XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting
| this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1698
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Viewing a maliciously crafted web page may lead to an
| unexpected application termination or arbitrary code execution
| Description:  An uninitialized pointer issue exists in the handling
| of the CSS 'attr' function. Viewing a maliciously crafted web page
| may lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through additional
| validation of CSS elements. Credit to Thierry Zoller working with
| TippingPoint's Zero Day Initiative, and Robert Swiecki of the Google
| Security Team for reporting this as a security issue.
|
| WebKit
| CVE-ID:  CVE-2009-1699
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in an
| information disclosure
| Description:  An XML External Entity issue exists in WebKit's
| handling of XML. A maliciously crafted website may be able to read
| files from the user's system. This update addresses the issue by not
| loading external entities across origins. Credit to Chris Evans of
| Google Inc. for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1700
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in the
| disclosure of sensitive information
| Description:  WebKit does not properly handle redirects when
| processing Extensible Stylesheet Language Transformations (XSLT).
| This allows a maliciously crafted website to retrieve XML content
| from pages on other websites, which could result in the disclosure of
| sensitive information. This update addresses the issue by ensuring
| that documents referenced in transformations are downloaded from the
| same domain as the transformation itself. Credit to Chris Evans of
| Google for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1701
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A use-after-free issue exists in WebKit's handling of
| the JavaScript DOM. Visiting a maliciously crafted website may lead
| to an unexpected application termination or arbitrary code execution.
| This update addresses the issue through improved handling of document
| elements. Credit to wushi & ling of team509 working with
| TippingPoint's Zero Day Initiative for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1702
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to a cross-
| site scripting attack
| Description:  An issue in WebKit's handling of Location and History
| objects may result in a cross-site scripting attack when visiting a
| maliciously crafted website. This update addresses the issue through
| improved handling of Location and History objects. Credit to Adam
| Barth and Joel Weinberger of UC Berkeley for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1703
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to
| information disclosure
| Description:  WebKit's handling of audio and video HTML elements
| allows a remote website to reference local "file:" URLs. A
| maliciously crafted website could perform file existence checking,
| which may lead to information disclosure. This update addresses the
| issue through improved handling of audio and video elements. Credit
| to Dino Dai Zovi for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1709
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A use-after-free issue exists in WebKit's handling of
| SVG animation elements. Visiting a maliciously crafted website may
| lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through improved handling
| of caches. Credit to an anonymous researcher working with
| TippingPoint's Zero Day Initiative for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1710
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  A maliciously crafted website may spoof browser UI elements
| Description:  By specifying a large and mostly transparent custom
| cursor, and adjusting the CSS3 hotspot property, a maliciously
| crafted website may spoof browser UI elements, such as the host name
| and security indicators. This update addresses the issue through
| additional restriction on custom cursors. Credit to Dean McNamee of
| Google for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1711
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  An uninitialized memory access issue exists in WebKit's
| handling of Attr DOM objects. Visiting a maliciously crafted website
| may lead to an unexpected application termination or arbitrary code
| execution. This update addresses the issue through improved
| validation of DOM objects. Credit to Feng Qian of Google Inc. for
| reporting this issue.
|
| Webkit
| CVE-ID:  CVE-2009-1712
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to
| information disclosure or arbitrary code execution
| Description:  WebKit allows remote websites to load Java applets from
| the local system. Local applets may not expect to be loaded remotely
| and may allow the remote site to execute arbitrary code or otherwise
| grant unexpected privileges to the remote site. This update addresses
| the issue by preventing remote websites from loading local applets.
|
| WebKit
| CVE-ID:  CVE-2009-1713
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may result in an
| information disclosure
| Description:  An information disclosure issue exists in WebKit's
| implementation of the document() function used in XSLT documents. A
| maliciously crafted website may be able to read files from other
| security zones, including the user's system. This update addresses
| the issue by preventing the loading of resources across origins.
| Credit to Chris Evans of Google for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1714
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Using Web Inspector on a maliciously crafted website may
| result in cross-site scripting
| Description:  An issue in Web Inspector allows a page being inspected
| to run injected script with elevated privileges, including the
| ability to read the user's file system. This update addresses the
| issue by proper escaping of HTML attributes. Credit to Pengsu Cheng
| of Wuhan University for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1715
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Using Web Inspector on a maliciously crafted website may
| result in cross-site scripting
| Description:  An issue in Web Inspector allows a page being inspected
| to run injected script with elevated privileges, including the
| ability to read the user's file system. This update addresses the
| issue by executing scripts with the privileges of the web page being
| inspected. Credit to Collin Jackson of Stanford University, and Adam
| Barth of UC Berkeley for reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1718
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
| Impact:  Dragging content over a maliciously crafted web page may
| lead to information disclosure
| Description:  An issue exists in WebKit's handling of drag events.
| This may lead to the disclosure of sensitive information when content
| is dragged over a maliciously crafted web page. This update addresses
| the issue through improved handling of drag events. Credit to Eric
| Seidel of Google, Inc. for reporting this issue.

thank you for any help that you can provide.

[1] http://bugs.debian.org/535793
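Added example (not part of this bug report, and not WebKit or Debian tooling): a parser for advisory entries in the '| '-quoted layout above that turns each one into a per-CVE record, rejoins wrapped field lines (including the "cross-" / "site" hyphen break), pulls out the credit line, and orders the entries by impact class so that a downstream works through the memory-corruption ones first. The two-entry sample is constructed from entries in the report above; the bucket names and keyword rules are this example's own.

```python
# Added example (not WebKit or Debian tooling): parse advisory entries in the
# '| '-quoted layout above into per-CVE records and rank them by impact class.
import re
from collections import namedtuple

# Constructed two-entry sample in the same layout as the quoted advisory.
SAMPLE = """\
| WebKit
| CVE-ID:  CVE-2008-3632
| Available for:  Mac OS X v10.4.11, Mac OS X Server v10.4.11,
| Mac OS X v10.5.7, Windows XP or Vista
| Impact:  Visiting a maliciously crafted website may lead to an
| unexpected application termination or arbitrary code execution
| Description:  A use-after-free issue exists in WebKit's handling of
| '@import' statements. Credit to Dean McNamee of Google Inc. for
| reporting this issue.
|
| WebKit
| CVE-ID:  CVE-2009-1697
| Impact:  Visiting a maliciously crafted website may result in a cross-
| site scripting attack
| Description:  A CRLF injection issue exists in the handling of
| XMLHttpRequest headers. Credit to Per von Zweigbergk for reporting this issue.
"""

Advisory = namedtuple("Advisory", "component cve available_for impact description credit")
FIELD_RE = re.compile(r"^(CVE-ID|Available for|Impact|Description):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CREDIT_RE = re.compile(r"Credit to (.+?) for reporting")
# Impact classes in the order a downstream would work through them.
BUCKETS = [("code-execution", "arbitrary code execution"),
           ("cross-site-scripting", "cross-site scripting"),
           ("information-disclosure", "disclos"), ("spoofing", "spoof")]
PRIORITY = {name: i for i, (name, _) in enumerate(BUCKETS)}

def unquote(text):
    """Strip the '| ' quote prefix and trailing whitespace from each line."""
    return [re.sub(r"^\s*\|? ?", "", raw).rstrip() for raw in text.splitlines()]

def parse_advisories(text):
    entries, current = [], []
    for line in unquote(text) + [""]:   # sentinel flushes the last entry
        if line:
            current.append(line)
        elif current:                   # blank line ends an entry
            entries.append(current)
            current = []
    result = []
    for entry in entries:
        fields, key = {}, None
        for line in entry[1:]:          # entry[0] is the component name
            m = FIELD_RE.match(line)
            if m:
                key, fields[key] = m.group(1), m.group(2)
            elif key:
                # Continuation: no space after a hyphen break ("cross-"/"site").
                fields[key] += ("" if fields[key].endswith("-") else " ") + line
        cve = CVE_RE.search(fields.get("CVE-ID", ""))
        if not cve:
            continue                    # malformed entry: never invent an ID
        credit = CREDIT_RE.search(fields.get("Description", ""))
        result.append(Advisory(entry[0], cve.group(0), fields.get("Available for", ""),
                               fields.get("Impact", ""), fields.get("Description", ""),
                               credit.group(1) if credit else ""))
    return result

def triage_bucket(adv):
    impact = adv.impact.lower()
    return next((name for name, needle in BUCKETS if needle in impact), "other")

def triage_table(text):
    """(cve, bucket, credit) rows, most severe impact class first."""
    rows = [(a.cve, triage_bucket(a), a.credit) for a in parse_advisories(text)]
    return sorted(rows, key=lambda r: (PRIORITY.get(r[1], len(BUCKETS)), r[0]))
```

Feeding the full quoted list from the report to `triage_table` gives one row per CVE, which is the skeleton of the "CVE, upstream bug, patch" table the reporter is asking for; the bug and patch columns still have to be filled by hand.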
Comment 1 Alexey Proskuryakov 2009-07-08 07:03:44 PDT
This is a perfectly valid request that I think should be discussed via webkit-security mailing list. Please see <http://webkit.org/security/> for how to join it, and for other aspects of our security policy.