[Secure-testing-commits] r844 - sarge-checks/CAN
Moritz Muehlenhoff
jmm-guest@costa.debian.org
Mon, 18 Apr 2005 12:02:48 +0000
Author: jmm-guest
Date: 2005-04-18 12:02:45 +0000 (Mon, 18 Apr 2005)
New Revision: 844
Modified:
sarge-checks/CAN/list
Log:
egroupware, gocr and libsafe CANified.
New vulns: oops, ilohamail and sudo
Several not-for-us (not complete yet)
Modified: sarge-checks/CAN/list
===================================================================
--- sarge-checks/CAN/list 2005-04-18 11:45:34 UTC (rev 843)
+++ sarge-checks/CAN/list 2005-04-18 12:02:45 UTC (rev 844)
@@ -1,6 +1,6 @@
begin claimed by jmm
CAN-2005-1150 (Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and ...)
- TODO: check
+ NOTE: not-for-us (Sun Java)
CAN-2005-1149 (SQL injection vulnerability in admin/login.asp in aspclick.it ACNews ...)
TODO: check
CAN-2005-1148 (calendar.pl in CalendarScript 3.21 allows remote attackers to obtain ...)
@@ -16,59 +16,61 @@
CAN-2005-1143 (Cross-site scripting (XSS) vulnerability in index.php in ...)
TODO: check
CAN-2005-1142 (Heap-based buffer overflow in the readpgm function in pnm.c for GOCR ...)
- TODO: check
+ - gocr (unfixed; bug #305068)
CAN-2005-1141 (Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when ...)
- TODO: check
+ - gocr (unfixed; bug #305068)
CAN-2005-1140 (Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows ...)
- TODO: check
+ NOTE: not-for-us (MyBloggie)
CAN-2005-1139 (Opera 8 Beta 3, when using first-generation vetted digital ...)
TODO: check
CAN-2005-1138 (Unknown vulnerability in WebMail in Kerio MailServer before 6.0.9 ...)
- TODO: check
+ NOTE: not-for-us (Kerio)
CAN-2005-1137 (Simple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to obtain ...)
- TODO: check
+ NOTE: not-for-us (sphpBlog)
CAN-2005-1136 (Simple PHP Blog (sphpBlog) 0.4.0 stores the (1) password.txt and (2) ...)
- TODO: check
+ NOTE: not-for-us (sphpBlog)
CAN-2005-1135 (Cross-site scripting (XSS) vulnerability in search.php for Simple PHP ...)
TODO: check
CAN-2005-1134 (SQL injection vulnerability in exit.php for Serendipity 0.8 and ...)
TODO: check
CAN-2005-1133 (The POP3 server in IBM iSeries AS/400 returns different error messages ...)
- TODO: check
+ NOTE: not-for-us (AS/400 system software)
CAN-2005-1132 (LG U8120 modile phone allows remote attackers to cause a denial of ...)
- TODO: check
+ NOTE: not-for-us (LG mobile phone)
CAN-2005-1131 (Unknown vulnerability in Veritas i3 Focalpoint Server 7.1 and earlier ...)
- TODO: check
+ NOTE: not-for-us (Veritas Focalpoint Server)
CAN-2005-1130 (Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart ...)
- TODO: check
+ NOTE: not-for-us (PinnacleCart)
CAN-2005-1129 (eGroupWare 1.0.6 and earlier, when an e-mail is composed with an ...)
- TODO: check
+ - egroupware (unfixed; bug #304496)
CAN-2005-1128 (Multiple SQL injection vulnerabilities in VHCS 2.4 and earlier allow ...)
TODO: check
CAN-2005-1127 (Format string vulnerability in the log function in Net::Server 0.87 ...)
- TODO: check
+ NOTE: not-for-us (Free BSD)
CAN-2005-1126 (The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 ...)
TODO: check
CAN-2005-1125 (Race condition in libsafe 2.0.16 and earlier, when running in ...)
- TODO: check
+ - libsafe (unfixed; bug #305070)
CAN-2005-1124 (Unknown vulnerability in the libgss Generic Security Services Library ...)
TODO: check
CAN-2005-1123 (Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause ...)
- TODO: check
+ NOTE: not-for-us (monkeyd)
CAN-2005-1122 (Format string vulnerability in cgi.c for Monkey daemon (monkeyd) ...)
- TODO: check
+ NOTE: not-for-us (monkeyd)
CAN-2005-1121 (Format string vulnerability in Oops! Proxy Server 1.5.53 and earlier ...)
- TODO: check
+ - oops (unfixed)
CAN-2005-1120 (Multiple cross-site scripting (XSS) vulnerabilities in IlohaMail ...)
- TODO: check
+ TODO: file bug
+ - ilohamail (unfixed)
CAN-2005-1119 (Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary ...)
- TODO: check
+ TODO: Somehow related bug 283161, but file a proper one
+ - sudo (unfixed)
CAN-2005-1118 (Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in the ...)
- TODO: check
+ NOTE: not-for-us (RSA authentication agent)
CAN-2005-1117 (PHP remote code injection vulnerability in index.php in ...)
- TODO: check
+ NOTE: not-for-us (All4WWW Homepage creator)
CAN-2005-1116 (Cross-site scripting (XSS) vulnerability in the Calendar module for ...)
- TODO: check
+ TODO: check whether this is part of standard phpbb or an addon
end claimed by jmm
CAN-2005-1115 (Multiple cross-site scripting (XSS) vulnerabilities in Photo Album ...)
TODO: check
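Review bot: the "NOTE: not-for-us (Free BSD)" under CAN-2005-1127 looks misplaced: CAN-2005-1127 is the format string bug in the log function of Net::Server, a Perl module, while the FreeBSD issue is the following entry, CAN-2005-1126 (SIOCGIFCONF ioctl in FreeBSD 4.x), which this hunk leaves at "TODO: check". Swap the two: move "NOTE: not-for-us (Free BSD)" to CAN-2005-1126 and keep "TODO: check" on CAN-2005-1127 until it has been established whether Net::Server is shipped as a Debian package. Also, the new "- oops (unfixed)" line carries neither a bug number nor a "TODO: file bug" marker, unlike the ilohamail and sudo entries added in the same hunk; add one so the unfixed entries are tracked consistently.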
@@ -92,10 +94,7 @@
NOTE: Mozilla suite is not affected by all of these issues
- mozilla-firefox 1.0.3-1
- mozilla (unfixed)
-CAN-2005-XXXX [Integer and heap overflow in PNM processing of gocr]
- - gocr (unfixed; bug #305068)
CAN-2005-XXXX [libsafe security check bypass in multi threaded environments]
- - libsafe (unfixed; bug #305070)
CAN-2005-XXXX [Remote DoS vulnerabilities in postgrey]
- postgrey 1.21-1
CAN-2005-1106 (PictureViewer in QuickTime for Windows 6.5.2 allows remote attackers ...)
@@ -282,8 +281,6 @@
NOTE: not-for-us (Aeon)
CAN-2005-1018 (Buffer overflow in the UniversalAgent for Computer Associates (CA) ...)
NOTE: not-for-us (CA ArcServe Backup)
-CAN-2005-XXXX [eGroupware: Inproper handling of canceled emails may disclose personal information]
- - egroupware (unfixed; bug #304496)
CAN-2005-XXXX [Some security issues in mod_security]
NOTE: I don't understand mod_security fully, so I'm not entirely sure which of
NOTE: the changelog entries matches the security criteria, but the changelog