[Secure-testing-commits] r3162 - data/CVE
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Mon Dec 26 13:35:38 UTC 2005
Author: jmm-guest
Date: 2005-12-26 13:35:33 +0000 (Mon, 26 Dec 2005)
New Revision: 3162
Modified:
data/CVE/list
Log:
more syntax updates and tracker polishing
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2005-12-26 01:26:44 UTC (rev 3161)
+++ data/CVE/list 2005-12-26 13:35:33 UTC (rev 3162)
@@ -20016,7 +20016,7 @@
CVE-2003-0331 (SQL injection vulnerability in ttForum allows remote attackers to ...)
NOT-FOR-US: ttForum
CVE-2003-0330 (Buffer overflow in unknown versions of Maelstrom allows local users to ...)
- NOTE: maelstrom in sarge tests not vulnerable to exploit. Unsure when fixed.
+ - maelstrom <not-affected> (Melstrom in Sarge tests not vulnerable to exploit. Unsure when fixed.)
CVE-2003-0329 (CesarFTP 0.99g stores user names and passwords in plaintext in the ...)
NOT-FOR-US: CesarFTP
CVE-2003-0328 (EPIC IRC Client (EPIC4) pre2.002, pre2.003, and possibly later ...)
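Review bot: The added CVE-2003-0330 entry spells the package "Melstrom" inside the parenthesised reason, while the package name on the same line and the CVE description both read Maelstrom. Suggest "(Maelstrom in sarge tests not vulnerable to exploit. Unsure when fixed.)" so a text search for the package name still finds the reason.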
@@ -20026,13 +20026,10 @@
CVE-2003-0327 (Sybase Adaptive Server Enterprise (ASE) 12.5 allows remote attackers ...)
NOT-FOR-US: Sybase Adaptive Server Enterprise
CVE-2003-0326 (Integer overflow in parse_decode_path() of slocate may allow attackers ...)
- NOTE: bug does exist in slocate.
- NOTE: only impacts security if kernel has been recompiled to allow
- NOTE: an absurd 536870912 bytes of command line arguments. This is
- NOTE: very unlikely, and if you do exploit it, you get only slocate
- NOTE: gid.
+ - slocate <not-affected> (Only an issue if kernel has been recompiled to allow 512 MB of command line arguments)
+ NOTE: Even if exploited, you get only slocate gid.
CVE-2003-0325 (Buffer overflow in Maelstrom 3.0.6, 3.0.5, and earlier allows local ...)
- NOTE: maelstrom in sarge tests not vulnerable to exploit. Unsure when fixed.
+ - maelstrom <not-affected> (Melstrom in Sarge tests not vulnerable to exploit. Unsure when fixed.)
CVE-2003-0324 (Buffer overflows in EPIC IRC Client (EPIC4) 1.0.1 allows remote ...)
{DSA-287}
- epic4 1:1.1.11.20030409-1
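Review bot: The new slocate entry for CVE-2003-0326 marks the package <not-affected>, but the removed first NOTE said "bug does exist in slocate", and that statement is no longer recorded anywhere. Suggest keeping a NOTE that the integer overflow is present in the code and that the status rests on the kernel argument-size limit, so the entry can be revisited if that limit changes. The CVE-2003-0325 line also repeats the "Melstrom" misspelling.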
@@ -20068,9 +20065,7 @@
CVE-2003-0311
RESERVED
CVE-2003-0310 (Cross-site scripting (XSS) vulnerability in articleview.php for eZ ...)
- NOTE: author apparently fixed hole by time vuln was reported,
- NOTE: and I guess that fix made it into new upstream versions,
- NOTE: but I did not check in detail
+ - ezpublish 2.2.8-1
CVE-2003-0309 (Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass ...)
NOT-FOR-US: MSIE
CVE-2003-0308 (The Sendmail 8.12.3 package in Debian GNU/Linux 3.0 does not securely ...)
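Review bot: The CVE-2003-0310 entry now states a concrete fixed version, "ezpublish 2.2.8-1", but the removed NOTE lines said the fix was only assumed to be in newer upstream versions and had not been checked in detail. Nothing in this hunk shows where 2.2.8-1 comes from. Suggest adding a NOTE with the basis for that version, or keeping a TODO until it has been verified.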
@@ -20091,18 +20086,16 @@
CVE-2003-0301 (The IMAP Client for Outlook Express 6.00.2800.1106 allows remote ...)
NOT-FOR-US: Microsort
CVE-2003-0300 (The IMAP Client for Sylpheed 0.8.11 allows remote malicious IMAP ...)
- NOTE: sylpheed and sylpheed-claws might still be vulnerable
- NOTE: but it's only a crasher
+ TODO: sylpheed and sylpheed-claws might still be vulnerable, but it's only a crasher
CVE-2003-0299 (The IMAP Client, as used in mutt 1.4.1 and Balsa 2.0.10, allows remote ...)
- NOTE: mutt and balsa might still be vulnerable
- NOTE: but it's only a crasher
+ TODO: mutt and balsa might still be vulnerable, but it's only a crasher
CVE-2003-0298 (The IMAP Client for Mozilla 1.3 and 1.4a allows remote malicious IMAP ...)
- mozilla 2:1.5-1
NOTE: May have been fixed in an earlier version. Not clear how
NOTE: Mozilla's a/b versions map to the Debian version.
CVE-2003-0297 (c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows ...)
- uw-imap 7:2002c
- NOTE: did not check pine
+ TODO: check pine
CVE-2003-0296 (The IMAP Client for Evolution 1.2.4 allows remote malicious IMAP ...)
- evolution 1.3.2
CVE-2003-0295 (Cross-site scripting (XSS) vulnerability in private.php for vBulletin ...)
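Review bot: The TODO lines for CVE-2003-0300 and CVE-2003-0299 each cover two packages in one sentence (sylpheed and sylpheed-claws, mutt and balsa), so neither package can be resolved on its own. Suggest one TODO per package. The "only a crasher" severity remark would read better as a separate NOTE, since it stays valid after the TODO is cleared.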
@@ -20135,9 +20128,7 @@
{DSA-344}
- unzip 5.50-3
CVE-2003-0281 (Buffer overflow in Firebird 1.0.2 and other versions before 1.5, and ...)
- - firebird2 1.5.1-1
- NOTE: firebird (1) in debian is very insecure and vulnerable, but
- NOTE: the server is not included, just the libraries. See bug #251458
+ - firebird2 1.5.1-1 (bug #251458)
CVE-2003-0280 (Multiple buffer overflows in the SMTP Service for ESMTP CMailServer ...)
NOT-FOR-US: SMTP Service for ESMTP CMailServer
CVE-2003-0279 (Multiple SQL injection vulnerabilities in the Web_Links module for ...)
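Review bot: In the CVE-2003-0281 entry, bug #251458 is now attached to the "firebird2 1.5.1-1" line, while the removed NOTE cited that bug in connection with firebird (1), which it described as vulnerable with only the libraries shipped. The statement about firebird (1) is dropped entirely. Suggest a separate entry or NOTE for firebird carrying the bug reference, so the tracker does not imply the bug was about firebird2.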
@@ -20153,7 +20144,7 @@
CVE-2003-0274 (Buffer overflow in catmail for ListProc 8.2.09 and earlier allows ...)
NOT-FOR-US: ListProc
CVE-2003-0273 (Cross-site scripting (XSS) vulnerability in the web interface for ...)
- NOTE: old version of Request Tracker not in debian.
+ - request-tracker3.4 <not-affected> (Affects older versions of Request Tracker not in Debian)
CVE-2003-0272 (admin.php in miniPortail allows remote attackers to gain ...)
NOT-FOR-US: miniPortail
CVE-2003-0271 (Buffer overflow in Personal FTP Server allows remote attackers to ...)
@@ -20209,12 +20200,15 @@
CVE-2003-0248 (The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU ...)
{DSA-442 DSA-336 DSA-332 DSA-312 DSA-311}
- kernel-source-2.4.27 <not-affected> (Fixed before initial upload; 2.4.22-pre10)
+ - linux-2.6 <not-affected>
CVE-2003-0247 (Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows ...)
{DSA-442 DSA-336 DSA-332 DSA-312 DSA-311}
- kernel-source-2.4.27 <not-affected> (Fixed before initial upload; 2.4.21-rc4)
+ - linux-2.6 <not-affected>
CVE-2003-0246 (The ioperm system call in Linux kernel 2.4.20 and earlier does not ...)
{DSA-442 DSA-336 DSA-332 DSA-312 DSA-311}
- kernel-source-2.4.27 <not-affected> (Fixed before initial upload; 2.4.21-rc4)
+ - linux-2.6 <not-affected>
CVE-2003-0245 (Vulnerability in the apr_psprintf function in the Apache Portable ...)
- apache2 2.0.46
CVE-2003-0244 (The route cache implementation in Linux 2.4, and the Netfilter IP ...)
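Review bot: The three added "linux-2.6 <not-affected>" lines carry no reason, unlike the kernel-source-2.4.27 lines directly above them, which state "Fixed before initial upload" and the fixing version. Suggest adding a short parenthesised reason, for example that the CVE descriptions refer to Linux kernel 2.4, so the basis for the status is visible in the list.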
@@ -20335,7 +20329,7 @@
{DSA-317}
- cupsys 1.1.19final-1
CVE-2003-0194 (tcpdump does not properly drop privileges to the pcap user when ...)
- NOTE: apparently a redhat specific compilation prolem of tcpdump
+ - tcpdump <not-affected> (Apparently a Red Hat specific compilation packaging flaw)
CVE-2003-0193 (msxlsview.sh in xlsview for catdoc 0.91 and earlier allows local users ...)
{DSA-575-1}
- catdoc 0.91.5-2
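Review bot: The reason on the new tcpdump line for CVE-2003-0194 reads "Red Hat specific compilation packaging flaw", which looks like two wordings merged. The vsftpd entry for CVE-2003-0135 later in this commit uses "Red Hat specific packaging flaw"; suggest the same phrase here for consistency.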
@@ -20349,7 +20343,7 @@
{DSA-304}
- lv 4.49.5-2
CVE-2003-0187 (The connection tracking core of Netfilter for Linux 2.4.20, with ...)
- NOTE: only affects kernel 2.4.19, 2.4.20.
+ - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive; 2.4.21)
CVE-2003-0186
RESERVED
CVE-2003-0185
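Review bot: The new CVE-2003-0187 line records only kernel-source-2.4.27, while the CVE-2003-0246 to CVE-2003-0248 entries changed earlier in this commit add a "linux-2.6 <not-affected>" line for 2.4-only issues. Suggest adding the same line here, or dropping it there, so 2.4-only kernel issues are recorded the same way. The removed NOTE's "only affects kernel 2.4.19, 2.4.20" is also more specific than "2.4.21" alone and could be kept in the reason.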
@@ -20380,7 +20374,7 @@
{DSA-283}
- xfsdump 2.2.8-1
CVE-2003-0172 (Buffer overflow in openlog function for PHP 4.3.1 on Windows operating ...)
- NOTE: not belived to be vulnerable (http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2)
+ - php4 <not-affected> (Non-issue; see http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2)
CVE-2003-0171 (DirectoryServices in MacOS X trusts the PATH environment variable to ...)
NOT-FOR-US: MacOS
CVE-2003-0170 (Unknown vulnerability in ftpd in IBM AIX 5.2, when configured to use ...)
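Review bot: The php4 line for CVE-2003-0172 changes the wording from "not belived to be vulnerable" to "Non-issue", which is a stronger claim than the removed NOTE made. If the linked bugtraq post is the only basis, suggest "Not believed to be vulnerable; see ..." so the tracker does not overstate the certainty.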
@@ -20394,13 +20388,13 @@
- balsa 2.0.10
- mutt 1.4.0
CVE-2003-0166 (Integer signedness error in emalloc() function for PHP before 4.3.2 ...)
- NOTE: not belived to be vulnerable (http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2)
+ - php4 <not-affected> (Non-issue; see http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2)
CVE-2003-0165 (Format string vulnerability in Eye Of Gnome (EOG) allows attackers to ...)
- eog 2.2.1
CVE-2003-0164
RESERVED
CVE-2003-0163 (decrypt_msg for the Gaim-Encryption GAIM plugin 1.15 and earlier does ...)
- NOTE: Gaim-Encryption Plugin not in debian
+ TODO: Check, gaim-encryption is now in Debian
CVE-2003-0162 (Ecartis 1.0.0 (formerly listar) before snapshot 20030227 allows remote ...)
{DSA-271}
- ecartis 1.0.0+cvs.20030321-1
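Review bot: The TODO for CVE-2003-0163 says gaim-encryption is now in Debian but does not record which version entered the archive, and the CVE description limits the issue to plugin 1.15 and earlier. Suggest noting the packaged version in the TODO so the check can be closed quickly. The php4 line for CVE-2003-0166 has the same "Non-issue" wording change as the CVE-2003-0172 entry.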
@@ -20473,7 +20467,7 @@
{DSA-285}
- lprng 3.8.20-4.
CVE-2003-0135 (vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP ...)
- NOTE: red-hat specific compilation problem of vsftpd
+ - vsftpd <not-affected> (Red Hat specific packaging flaw)
CVE-2003-0134 (Unknown vulnerability in filestat.c for Apache running on OS2, ...)
- apache2 2.0.46
CVE-2003-0133 (GtkHTML, as included in Evolution before 1.2.4, allows remote ...)
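Review bot: The unchanged context line "- lprng 3.8.20-4." at the top of this hunk ends with a period after the version number. Since this commit is about syntax updates, suggest dropping the trailing period there as well, as it is not part of a version string.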
@@ -20551,7 +20545,7 @@
{DSA-262}
- samba 2.2.8
CVE-2003-0084 (mod_auth_any package in Red Hat Enterprise Linux 2.1 and other ...)
- NOTE: mod_auth_any not in Debian
+ NOT-FOR-US: mod_auth_any not in Debian
CVE-2003-0083 (Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not ...)
- apache2 2.0.46
- apache 1.3.25
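Review bot: The new line "NOT-FOR-US: mod_auth_any not in Debian" repeats in words what the tag already means. Other entries in this list, and some added by this same commit ("NOT-FOR-US: dotproject", "NOT-FOR-US: Realplayer"), give only the product name. Suggest "NOT-FOR-US: mod_auth_any", and the same form for the other converted entries in this commit.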
@@ -20581,6 +20575,7 @@
CVE-2003-0049 (Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows ...)
NOT-FOR-US: MacOS
CVE-2003-0048 (PuTTY 0.53b and earlier does not clear logon credentials from memory, ...)
+ - putty 0.53-b-2003-01-04-1
NOTE: apparently fixed upstream 2002-11-12 changelog
CVE-2003-0047 (SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX ...)
NOT-FOR-US: commercial ssh clients
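Review bot: The added line gives "putty 0.53-b-2003-01-04-1" as the fixed version for CVE-2003-0048, while the description says PuTTY 0.53b and earlier is affected. A reader cannot tell from the entry why a 0.53-b package counts as fixed. Suggest extending the existing NOTE to say that this upload is a later snapshot that includes the upstream fix from the 2002-11-12 changelog, if that is the reasoning.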
@@ -20593,8 +20588,7 @@
{DSA-246}
- tomcat <removed>
CVE-2003-0041 (Kerberos FTP client allows remote FTP sites to execute arbitrary code ...)
- NOTE: verified sarge version of krb5-clients not vulnerable
- NOTE: nothing in changelogs
+ - krb5 <not-affected> (Verified sarge version of krb5-clients not vulnerable, nothing in changelogs)
CVE-2003-0038 (Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 ...)
{DSA-436}
- mailman 2.1.1-1
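Review bot: The krb5 line for CVE-2003-0041 has no release tag, so it reads as applying to every suite, yet its reason says only the sarge version was verified. The mailreader entry later in this commit uses a "[woody]" prefix for a release-specific status; suggest the same form here with a sarge tag, or a NOTE on what is known about other releases. The reason also names the binary package krb5-clients while the entry is for krb5, which is worth one clarifying word.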
@@ -20606,9 +20600,9 @@
CVE-2003-0035 (Buffer overflow in escputil, as included in the printer-drivers ...)
NOT-FOR-US: ml85p, as included in the printer-drivers package for Mandrake Linux
CVE-2003-0034 (Buffer overflow in the mtink status monitor, as included in the ...)
+ - mtink <not-affected> (Not installed setuid or setgid, so this is not exploitable)
NOTE: HOME overflow was fixed in mainSrc/rcfile.c, but not in
NOTE: chooser/mtinkc.c's version, which goes into mtinkc
- NOTE: it's not installed setuid or setgid, so this is not exploitable
CVE-2003-0031 (Multiple buffer overflows in libmcrypt before 2.5.5 allow attackers to ...)
{DSA-228}
- libmcrypt 2.5.5-1
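Review bot: The new "mtink <not-affected>" line for CVE-2003-0034 sits above two retained NOTE lines saying the HOME overflow was not fixed in chooser/mtinkc.c, so the entry reads as both unaffected and unfixed. Suggest wording the reason as "Overflow still present in mtinkc, but not installed setuid or setgid" so it is clear that the status depends on file permissions and not on a code fix.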
@@ -20648,8 +20642,8 @@
CVE-2002-1583 (Buffer overflow in sqllib/security/db2ckpw for IBM DB2 Universal ...)
NOT-FOR-US: IBM DB2
CVE-2002-1582 (compose.cgi in Mailreader.com 2.3.30 and 2.3.31, when using Sendmail ...)
- NOTE: mailreader. Affects 2.3.30 and 2.3.31.
- NOTE: Sarge uses 2.3.29.
+ [woody] - mailreader <not-affected> (Affects only 2.3.30-2.3.32)
+ - mailreader 2.3.33
CVE-2002-1581 (Directory traversal vulnerability in nph-mr.cgi in Mailreader.com ...)
{DSA-534}
- mailreader 2.3.29-9
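Review bot: The new CVE-2002-1582 lines change two facts from the removed NOTE without giving a source: the affected range goes from "2.3.30 and 2.3.31" to "2.3.30-2.3.32", and the release goes from sarge to "[woody]". The CVE description shown also names only 2.3.30 and 2.3.31. Suggest a NOTE citing where 2.3.32 and the fixed version 2.3.33 come from, and confirming which release ships 2.3.29.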
@@ -20729,7 +20723,7 @@
CVE-2002-1535 (Secure Webserver 1.1 in Raptor 6.5 and Symantec Enterprise Firewall ...)
NOT-FOR-US: Symantec
CVE-2002-1533 (Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine ...)
- NOTE: problem in jetty 4.1.0, Debian started with 4.2
+ - jetty <not-affected> (Fixed before upload into archive; 4.1 series)
CVE-2002-1527 (emumail.cgi in EMU Webmail 5.0 allows remote attackers to determine ...)
NOT-FOR-US: EMU Webmail
CVE-2002-1526 (Cross-site scripting (XSS) vulnerability in emumail.cgi for EMU ...)
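Review bot: The reason on the new jetty line, "(Fixed before upload into archive; 4.1 series)", is ambiguous: it can be read as the fix landing in the 4.1 series or as the 4.1 series being the affected one. The removed NOTE was explicit that the problem is in 4.1.0 and that Debian started with 4.2. Suggest "(Affects 4.1.0; Debian started with 4.2)".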
@@ -20750,11 +20744,11 @@
CVE-2002-1507 (Unreal Tournament 2003 (ut2003) clients and servers allow remote ...)
NOT-FOR-US: Unreal
CVE-2002-1506 (Buffer overflow in Linuxconf before 1.28r4 allows local users to ...)
- NOTE: linuxconf not in unstable or testing
+ - linuxconf <removed>
CVE-2002-1504 (Directory traversal vulnerability in WebServer 4 Everyone 1.22 allows ...)
NOT-FOR-US: webserver-4everyone
CVE-2002-1503 (Buffer overflow in Automatic File Distributor (AFD) 1.2.14 and earlier ...)
- NOTE: AFD not in debian
+ NOT-FOR-US: AFD not in debian
CVE-2002-1500 (Buffer overflow in (1) mrinfo, (2) mtrace, and (3) pppd in NetBSD ...)
NOT-FOR-US: NetBSD
CVE-2002-1499 (Multiple SQL injection vulnerabilities in FactoSystem CMS allows ...)
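Review bot: The new line "NOT-FOR-US: AFD not in debian" keeps the lowercase "debian" from the removed NOTE, while the other converted entries in this commit write "Debian". Suggest "NOT-FOR-US: AFD", which also drops the redundant "not in Debian" wording.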
@@ -20780,11 +20774,11 @@
CVE-2002-1483 (db4web_c and db4web_c.exe programs in DB4Web 3.4 and 3.6 allow remote ...)
NOT-FOR-US: db4web
CVE-2002-1482 (SQL injection vulnerability in login.php for phpGB 1.20 and earlier, ...)
- NOTE: phpGB not in Debian
+ NOT-FOR-US: phpGB not in Debian
CVE-2002-1481 (savesettings.php in phpGB 1.20 and earlier does not require ...)
- NOTE: phpGB not in Debian
+ NOT-FOR-US: phpGB not in Debian
CVE-2002-1480 (Cross-site scripting (XSS) vulnerability in phpGB before 1.20 allows ...)
- NOTE: phpGB not in Debian
+ NOT-FOR-US: phpGB not in Debian
CVE-2002-1475 (Unknown vulnerability in the ARP component for HP Tru64 UNIX 4.0f, ...)
NOT-FOR-US: HPUX
CVE-2002-1474 (Unknown vulnerability or vulnerabilities in TCP/IP component for HP ...)
@@ -20806,13 +20800,13 @@
CVE-2002-1461 (Web Shop Manager 1.1 allows remote attackers to execute arbitrary ...)
NOT-FOR-US: Webshop Manager
CVE-2002-1460 (L-Forum 2.40 and earlier does not properly verify whether a file was ...)
- NOTE: L-Forum not in Debian
+ NOT-FOR-US: L-Forum not in Debian
CVE-2002-1459 (Cross-site scripting vulnerability in L-Forum 2.40 and earlier, when ...)
- NOTE: L-Forum not in Debian
+ NOT-FOR-US: L-Forum not in Debian
CVE-2002-1458 (Cross-site scripting vulnerability in L-Forum 2.40 and earlier, when ...)
- NOTE: L-Forum not in Debian
+ NOT-FOR-US: L-Forum not in Debian
CVE-2002-1457 (SQL injection vulnerability in search.php for L-Forum 2.40 allows ...)
- NOTE: L-Forum not in Debian
+ NOT-FOR-US: L-Forum not in Debian
CVE-2002-1456 (Buffer overflow in mIRC 6.0.2 and earlier allows remote attackers to ...)
NOT-FOR-US: mIRC
CVE-2002-1455 (Multiple cross-site scripting (XSS) vulnerabilities in OmniHTTPd allow ...)
@@ -20824,13 +20818,13 @@
CVE-2002-1452 (Buffer overflow in the search capability for MyWebServer 1.0.2 allows ...)
NOT-FOR-US: MyWebServer
CVE-2002-1451 (Blazix before 1.2.2 allows remote attackers to read source code of JSP ...)
- NOTE: Blazix not in Debian
+ NOT-FOR-US: Blazix not in Debian
CVE-2002-1450 (IBM UniVerse with UV/ODBC allows attackers to cause a denial of ...)
NOT-FOR-US: IBM UniVerse
CVE-2002-1449 (eUpload 1.0 stores the password.txt password file in plaintext under ...)
- NOTE: eUpload not in Debian
+ NOT-FOR-US: eUpload not in Debian
CVE-2002-1445 (Cross-site scripting (XSS) vulnerability in CERN Proxy Server allows ...)
- NOTE: CERN HTTPD not in Debian
+ NOT-FOR-US: CERN HTTPD not in Debian
CVE-2002-1444 (The Google toolbar 1.1.60, when running on Internet Explorer 5.5 and ...)
NOT-FOR-US: Google Toolbar
CVE-2002-1442 (The Google toolbar 1.1.58 and earlier allows remote web sites to ...)
@@ -20852,20 +20846,18 @@
CVE-2002-1429 (Cross-site scripting vulnerability in board.php of endity.com ShoutBOX ...)
NOT-FOR-US: ShoutBox
CVE-2002-1428 (index.php in dotProject 0.2.1.5 allows remote attackers to bypass ...)
- NOTE: dotproject not in Debian
+ NOT-FOR-US: dotproject
CVE-2002-1427 (The print_html_to_file function in edit.cgi for Easy Homepage Creator ...)
- NOTE: Easy Homepage Creator not in Debian
+ NOT-FOR-US: Easy Homepage Creator
CVE-2002-1426 (HP ProCurve Switch 4000M C.07.23 allows remote attackers to cause a ...)
NOT-FOR-US: HP
CVE-2002-1423 (tmp_view.php in FUDforum before 2.2.0 allows remote attackers to read ...)
- NOTE: vuln in fudforum before 2.2.0. fudforum in phpgroupware-fudforum
- NOTE: is version 2.5.x
+ - phpgroupware <not-affected> (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x)
+ TODO: Check egroupware for this and CVE-2002-1422 and CVE-2004-1421
CVE-2002-1422 (admbrowse.php in FUDforum before 2.2.0 allows remote attackers to ...)
- NOTE: vuln in fudforum before 2.2.0. fudforum in phpgroupware-fudforum
- NOTE: is version 2.5.x
+ - phpgroupware <not-affected> (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x)
CVE-2002-1421 (SQL injection vulnerabilities in FUDforum before 2.2.0 allow remote ...)
- NOTE: vuln in fudforum before 2.2.0. fudforum in phpgroupware-fudforum
- NOTE: is version 2.5.x
+ - phpgroupware <not-affected> (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x)
CVE-2002-1416 (The POP3 service for WebEasyMail 3.4.2.2 and earlier generates ...)
NOT-FOR-US: Webeasymail
CVE-2002-1415 (Format string vulnerability in SMTP service for WebEasyMail 3.4.2.2 ...)
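Review bot: The TODO added under CVE-2002-1423 refers to "CVE-2004-1421", but the three FUDforum entries in this hunk are CVE-2002-1423, CVE-2002-1422 and CVE-2002-1421, so this looks like a typo for CVE-2002-1421. The three phpgroupware reasons also say "Issue in fudforum 2.2.0" where the descriptions and the removed NOTEs say "before 2.2.0"; suggest restoring "before".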
@@ -20930,20 +20922,20 @@
- openldap2 2.0.27-3
CVE-2002-1376 (libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to ...)
{DSA-212}
- NOTE: bug in mysql 3, sarge uses mysql 4
+ - mysql <removed>
CVE-2002-1370
REJECTED
CVE-2002-1368 (Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote ...)
{DSA-232}
- cupsys 1.1.18-1
CVE-2002-1360 (Multiple SSH2 servers and clients do not properly handle strings with ...)
- NOTE: Debian uses openssh, not vulnerable
+ - openssh <not-affected> (OpenSSH not vulnerable)
CVE-2002-1359 (Multiple SSH2 servers and clients do not properly handle large packets ...)
- NOTE: Debian uses openssh, not vulnerable
+ - openssh <not-affected> (OpenSSH not vulnerable)
CVE-2002-1358 (Multiple SSH2 servers and clients do not properly handle lists with ...)
- NOTE: Debian uses openssh, not vulnerable
+ - openssh <not-affected> (OpenSSH not vulnerable)
CVE-2002-1357 (Multiple SSH2 servers and clients do not properly handle packets or ...)
- NOTE: Debian uses openssh, not vulnerable
+ - openssh <not-affected> (OpenSSH not vulnerable)
CVE-2002-1356 (Ethereal 0.9.7 and earlier allows remote attackers to cause a denial ...)
- ethereal 0.9.8-1
CVE-2002-1355 (Multiple integer signedness errors in the BGP dissector in Ethereal ...)
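Review bot: The new "mysql <removed>" line for CVE-2002-1376 covers only the mysql 3 package, but the description says the libmysqlclient issue affects "MySQL 3.x to 3.23.54, and 4.x to ...". The removed NOTE relied on sarge using mysql 4 without saying whether the packaged 4.x version is past the affected range. Suggest adding an entry or a TODO for the MySQL 4 package so the 4.x half of the CVE is tracked.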
@@ -21006,7 +20998,7 @@
CVE-2002-1322 (Rational ClearCase 4.1, 2002.05, and possibly other versions allows ...)
NOT-FOR-US: ClearCase
CVE-2002-1321 (Multiple buffer overflows in RealOne and RealPlayer allow remote ...)
- NOTE: Realplayer not in Sarge
+ NOT-FOR-US: Realplayer
CVE-2002-1316 (importInfo in the Admin Server for iPlanet WebServer 4.x, up to SP11, ...)
NOT-FOR-US: iPlanet
CVE-2002-1315 (Cross-site scripting (XSS) vulnerability in the Admin Server for ...)
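Review bot: The CVE-2002-1321 entry changes from "Realplayer not in Sarge" to "NOT-FOR-US: Realplayer", which is a broader statement: the removed NOTE spoke only about sarge and said nothing about other releases. If RealPlayer was shipped in an older release, a release-specific entry would be more accurate; otherwise a short NOTE confirming it was never in the archive would justify the tag.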