[Secure-testing-commits] r763 - sarge-checks/CAN

Moritz Muehlenhoff jmm-guest@costa.debian.org
Tue, 05 Apr 2005 21:46:25 +0000 

Author: jmm-guest
Date: 2005-04-05 21:46:22 +0000 (Tue, 05 Apr 2005)
New Revision: 763

Modified:
   sarge-checks/CAN/list
Log:
Checked all unfixed fixes, some additional comments,
one bug fixed, one more filed.


Modified: sarge-checks/CAN/list
===================================================================
--- sarge-checks/CAN/list	2005-04-05 20:07:10 UTC (rev 762)
+++ sarge-checks/CAN/list	2005-04-05 21:46:22 UTC (rev 763)
@@ -1,3 +1,6 @@
+CAN-2005-XXXX [Insecure tempfile handling in openwebmail CGI scripts]
+	NOTE: Not in testing, only sid
+	- openwebmail (unfixed; bug #291478)
 CAN-2005-XXXX [Linux kernel inproper shm_nopage() argument verification DoS]
 	- kernel-source-2.6.8 (unfixed; bug #303177)
 CAN-2005-XXXX [Cross Site Scripting in phpmyadmin's handling of the convcharsetparameter]
@@ -1625,6 +1628,7 @@
 CAN-2004-1618 (Vypress Tonecast 1.3 and earlier allows remote attackers to cause a ...)
 	NOTE: not-for-us (Tonecast)
 CAN-2004-1617 (Lynx allows remote attackers to cause a denial of service (infinite ...)
+	TODO: This is fixed in lynx-cur, maybe a fix can be extracted from there
 	- lynx (unfixed; bug #296340)
 CAN-2004-1616 (Links allows remote attackers to cause a denial of service (memory ...)
 	- links 0.99+1.00pre12-1
@@ -1972,6 +1976,7 @@
 	NOTE: not-for-us (Sami HTTP Server)
 CAN-2005-0449 (The netfilter/iptables module in Linux before 2.6.8.1 allows remote ...)
 	NOTE: According to Herbert Xu, 2.4 is not vulnerable : http://oss.sgi.com/archives/netdev/2005-01/msg01107.html
+	NOTE: Seems to be stuck with the ABI bump / debian-installer problem
 	- kernel-source-2.6.8 (unfixed; bug #295949)
 CAN-2005-0448 (Race condition in the rmtree function in File::Path.pm in Perl before ...)
 	{DSA-696-1}
@@ -1984,6 +1989,7 @@
 	{DSA-688-1}
 	- squid 2.5.8-3
 CAN-2005-0445 (Cross-site scripting (XSS) vulnerability in Open WebMail 2.x allows ...)
+	NOTE: Not in testing, only sid
 	- openwebmail (unfixed; bug #295756)
 CAN-2005-0444 (VMware before 4.5.2.8848-r5 searches for gdk-pixbuf shared libraries ...)
 	NOTE: not-for-us (VMware)
@@ -2075,9 +2081,8 @@
 	- mozilla-thunderbird 1.0.2-1
 CAN-2005-0400 [ext2 mkdir() directory entry random kernel memory leak]
 	NOTE: reserved
-	- kernel-source-2.4.27 (unfixed)
+	- kernel-source-2.4.27 (unfixed; bug #303294)
 	- kernel-source-2.6.8 2.6.8-16
-	NOTE: according to changelog, "Fix information leak in ext2."
 CAN-2005-0399 [GIF heap overflow parsing Netscape extension 2 in Mozilla]
 	- mozilla-firefox 1.0.2-1
 	- mozilla-thunderbird 1.0.2-1
@@ -3736,7 +3741,7 @@
 	NOTE: Response from Marcus Meissner <meissner@suse.de> saying the patch was integrated in upstream 2.6.8
 	NOTE: on further clarification he said that further fixes to this patch were made after 2.6.8 so only
 	NOTE: 2.6.10 is actually fixed, but 2.6.8 is not
-	- kernel-source-2.6.8 (unfixed; bug #300162)
+	- kernel-source-2.6.8-14
 CAN-2004-1189 (The add_to_history function in svr_principal.c in libkadm5srv for MIT ...)
 	{DSA-629-1}
 CAN-2004-1188 (The pnm_get_chunk function in xine 0.99.2 and earlier, and other ...)