[Secure-testing-commits] r3139 - in data: CVE DSA

Fri Dec 23 21:34:01 UTC 2005

Author: fw
Date: 2005-12-23 21:33:55 +0000 (Fri, 23 Dec 2005)
New Revision: 3139

Modified:
   data/CVE/list
   data/DSA/list
Log:
fix various latent vulnerabilities

CVE-2005-3535: published
CVE-2003-0388: looks like a non-issue (getlogin is safe according to libc)
DSA-705-1: do not copy vulnerability information to CVE-2003-0854


Modified: data/CVE/list
===================================================================

--- data/CVE/list	2005-12-23 21:14:20 UTC (rev 3138)
+++ data/CVE/list	2005-12-23 21:33:55 UTC (rev 3139)
@@ -2288,9 +2288,10 @@
 	RESERVED
 	{DSA-925-1}
 	- phpbb2 2.0.18-1 (bug #336582; medium)
-CVE-2005-3535
+CVE-2005-3535 [buffer overflow in ketm, leading to group games privileges]
 	RESERVED
 	{DSA-926-1}
+	- ketm 0.0.6-17sarge1 (low)
 CVE-2005-3534 [buffer overflow in the NBD server]
 	RESERVED
 	{DSA-924-1}
@@ -4427,6 +4428,7 @@
 	{DSA-868-1 DSA-866-1 DSA-837-1}
 	- mozilla-firefox 1.0.6-5 (bug #327452; bug #327802; bug #327366; medium)
 	- mozilla 2:1.7.12-1 (bug #327455; medium)
+	- mozilla-thunderbird 1.0.7-1
 	NOTE: epiphany-browser is apparently fixed fix the mozilla-browser
 	NOTE: upload; see bug #327366
 CVE-2005-2930 (Stack-based buffer overflow in the _chm_find_in_PMGL function in ...)
@@ -4782,30 +4784,37 @@
 	{DSA-868-1 DSA-866-1 DSA-838-1}
 	- mozilla-firefox 1.0.7-1 (bug #329778; medium)
 	- mozilla 2:1.7.12-1 (medium)
+	- mozilla-thunderbird 1.0.7-1
 CVE-2005-2706 (Firefox before 1.0.7 and Mozilla before Suite 1.7.12 allows remote ...)
 	{DSA-868-1 DSA-866-1 DSA-838-1}
 	- mozilla-firefox 1.0.7-1 (bug #329778; high)
 	- mozilla 2:1.7.12-1 (high)
+	- mozilla-thunderbird 1.0.7-1
 CVE-2005-2705 (Integer overflow in the JavaScript engine in Firefox before 1.0.7 and ...)
 	{DSA-868-1 DSA-866-1 DSA-838-1}
 	- mozilla-firefox 1.0.7-1 (bug #329778; high)
 	- mozilla 2:1.7.12-1 (high)
+	- mozilla-thunderbird 1.0.7-1
 CVE-2005-2704 (Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote ...)
 	{DSA-868-1 DSA-866-1 DSA-838-1}
 	- mozilla-firefox 1.0.7-1 (bug #329778; medium)
 	- mozilla 2:1.7.12-1 (medium)
+	- mozilla-thunderbird 1.0.7-1
 CVE-2005-2703 (Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote ...)
 	{DSA-868-1 DSA-866-1 DSA-838-1}
 	- mozilla-firefox 1.0.7-1 (bug #329778; medium)
 	- mozilla (medium)
+	- mozilla-thunderbird 1.0.7-1
 CVE-2005-2702 (Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote ...)
 	{DSA-868-1 DSA-866-1 DSA-838-1}
 	- mozilla-firefox 1.0.7-1 (bug #329778; high)
 	- mozilla 2:1.7.12-1 (high)
+	- mozilla-thunderbird 1.0.7-1
 CVE-2005-2701 (Heap-based buffer overflow in Firefox before 1.0.7 and Mozilla Suite ...)
 	{DSA-868-1 DSA-866-1 DSA-838-1}
 	- mozilla-firefox 1.0.7-1 (bug #329778; medium)
 	- mozilla 2:1.7.12-1 (bug #329778; medium)
+	- mozilla-thunderbird 1.0.7-1
 CVE-2005-2700 (ssl_engine_kernel.c in mod_ssl before 2.8.24, when using ...)
 	{DSA-807-1 DSA-805-1}
 	- libapache-mod-ssl 2.8.24-1 (medium)
@@ -12385,6 +12394,7 @@
 	- rxvt-unicode 5.3-1
 CVE-2005-0763 (Buffer overflow in Midnight Commander (mc) 4.5.55 and earlier may ...)
 	{DSA-698-1}
+	- mc 1:4.6.0-4.6.1-pre3-1
 	NOTE: Sarge-specific regression correcting a previous DSA.
 CVE-2005-0762 (Heap-based buffer overflow in the SGI parser in ImageMagick before 6.0 ...)
 	{DSA-702-1}
@@ -17186,6 +17196,7 @@
 CVE-2004-0582 (Unknown vulnerability in Webmin 1.140 allows remote attackers to ...)
 	{DSA-526}
 	- usermin 1.090-1
+	- webmin 1.150-1
 CVE-2004-0581 (ksymoops-gznm script in Mandrake Linux 9.1 through 10.0, and Corporate ...)
 	NOT-FOR-US: Mandrake script
 CVE-2004-0580 (DHCP on Linksys BEFSR11, BEFSR41, BEFSR81, and BEFSRU31 Cable/DSL ...)
@@ -19835,8 +19846,10 @@
 CVE-2003-0389 (Cross-site scripting (XSS) vulnerability in the secure redirect ...)
 	NOT-FOR-US: RSA ACE/Agent
 CVE-2003-0388 (pam_wheel in Linux-PAM 0.78, with the trust option enabled and the ...)
-	[sarge] - pam <not-affected> (pam is not vulnerable at all in sarge, according to maintainer)
-	TODO: Check Woody and sid
+	- pam <not-affected> (pam is not vulnerable at all in sarge, according to maintainer)
+	NOTE: From the libc documentation:
+	NOTE: "The user cannot do anything to fool these functions."
+	NOTE: This means that this is not a bug in getlogin.
 CVE-2003-0387
 	RESERVED
 CVE-2003-0386 (OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP ...)
@@ -19907,6 +19920,7 @@
 	{DSA-316}
 	- nethack 3.4.1-1
 	- jnethack 1.1.5-15
+	- slashem 0.0.6E4F8-6
 CVE-2003-0358 (Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye ...)
 	{DSA-350 DSA-316}
 	- falconseye 1.9.3-9
@@ -20403,6 +20417,7 @@
 	- netpbm-free 2:9.20-9
 CVE-2003-0144 (Buffer overflow in the lprm command in the lprold lpr package on SuSE ...)
 	{DSA-275 DSA-267}
+	- lpr 1:2000.05.07-4.20
 	- lpr-ppd 1:0.72-3
 CVE-2003-0142 (Adobe Acrobat Reader (acroread) 6, under certain circumstances when ...)
 	NOT-FOR-US: acroread

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2005-12-23 21:14:20 UTC (rev 3138)
+++ data/DSA/list	2005-12-23 21:33:55 UTC (rev 3139)
@@ -1041,7 +1041,6 @@
 	NOTE: fixed in testing at time of DSA
 [04 Apr 2005] DSA-705-1 wu-ftpd - missing input sanitising
 	{CVE-2005-0256}
-	{CVE-2003-0854}
 	[woody] - wu-ftpd 2.6.2-3woody5
 	NOTE: DSA mentions CVE-2003-0854 as fixed, but this update only 
 	NOTE: contains a workaround.


