[Secure-testing-commits] r2499 - data/CVE
Florian Weimer
fw at costa.debian.org
Thu Oct 20 11:18:29 UTC 2005
Author: fw
Date: 2005-10-20 11:18:17 +0000 (Thu, 20 Oct 2005)
New Revision: 2499
Modified:
data/CVE/list
Log:
Use sid versions in CVE/list where possible. etch versions are now
copied from DTSA/list, or can be given explicitly using [etch].
Also add a couple of fixed versions from past DSAs.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2005-10-20 11:07:43 UTC (rev 2498)
+++ data/CVE/list 2005-10-20 11:18:17 UTC (rev 2499)
@@ -793,12 +793,14 @@
- mod-auth-shadow 1.4-2 (bug #323789; medium)
CVE-2005-2962 (The post-installation script for ntlmaps before 0.9.9 sets ...)
{DSA-830-1}
+ - ntlmaps 0.9.9-4
CVE-2005-2961 (Buffer overflow in the get_string_ahref function for ProZilla 1.3.7.4 ...)
{DSA-834-1}
NOTE: prozilla is not in sarge or etch
CVE-2005-2960 (cfengine 1.6.5 and 2.1.16 allows local users to overwrite arbitrary ...)
{DSA-836-1 DSA-835-1}
- cfengine <unfixed>
+ - cfengine2 <unfixed>
CVE-2005-2959 [Sudo does not sanitize SHELLOPTS and PS4 shell env vars before starting sudoed apps]
RESERVED
- sudo 1.6.8p9-3 (medium)
@@ -1010,7 +1012,7 @@
NOTE: rejected, initially ipt_recent related
CVE-2005-2878 (Format string vulnerability in search.c in the imap4d server in GNU ...)
{DSA-841-1 DTSA-20-1}
- - mailutils 1:0.6.90-2.1etch1 (bug #327424; high)
+ - mailutils 1:0.6.90-3 (bug #327424; high)
CVE-2005-2870 (Unknown vulnerability in the net-svc script on Solaris 10 allows ...)
NOT-FOR-US: Solaris
CVE-2005-2869 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...)
@@ -1501,6 +1503,7 @@
- turqstat 2.2.4-1 (medium)
CVE-2005-2657 (Unknown vulnerability in common-lisp-controller 4.18 and earlier ...)
{DSA-811-1}
+ - common-lisp-controller 4.18 (bug #328633; medium)
CVE-2005-2656 (Polygen before 1.0.6 generates precompiled grammar objects with ...)
{DSA-794-1}
NOTE: Fix in -8 had problems
@@ -2260,6 +2263,7 @@
{DSA-801-1}
NOTE: I suspect DSA-801 is fixed by the non-root patches from Ubuntu??
- ntp 1:4.2.0a+stable-2sarge1 (medium)
+ [etch] - ntp 1:4.2.0a+stable-2sarge1 (medium)
CVE-2005-2495 (Multiple integer overflows in XFree86 before 4.3.0 allow ...)
{DSA-816-1}
- xorg-x11 6.8.2.dfsg.1-7 (medium)
@@ -3108,50 +3112,50 @@
NOT-FOR-US: iCab
CVE-2005-2270 (Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (high)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; high)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; high)
+ - mozilla-firefox 1.0.5-1 (high)
+ - mozilla 2:1.7.9-1 (high; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (high)
CVE-2005-2269 (Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (high)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; medium)
+ - mozilla-firefox 1.0.5-1 (high)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (medium; bug #318728)
CVE-2005-2268 (Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly ...)
{DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
CVE-2005-2267 (Firefox before 1.0.5 allows remote attackers to steal information and ...)
{DSA-779-2 DSA-779-1 DTSA-8-2}
- mozilla-firefox 1.0.4-2sarge3 (medium)
CVE-2005-2266 (Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; low)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (low; bug #318728)
CVE-2005-2265 (Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (high)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; medium)
+ - mozilla-firefox 1.0.5-1 (high)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (medium; bug #318728)
CVE-2005-2264 (Firefox before 1.0.5 allows remote attackers to steal sensitive ...)
{DSA-779-2 DSA-779-1 DTSA-8-2}
- mozilla-firefox 1.0.4-2sarge3 (medium)
CVE-2005-2263 (The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla ...)
{DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
CVE-2005-2262 (Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers ...)
{DSA-779-2 DSA-779-1 DTSA-8-2}
- mozilla-firefox 1.0.4-2sarge3 (medium)
CVE-2005-2261 (Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; medium)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (medium; bug #318728)
CVE-2005-2260 (The browser user interface in Firefox before 1.0.5, Mozilla before ...)
{DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
CVE-2002-2086 (Multiple cross-site scripting (XSS) vulnerabilities in magicHTML of ...)
NOT-FOR-US: magicHTML
CVE-2002-2085 (Directory traversal vulnerability in page.cgi of WWWeBBB Forum 3.82 ...)
@@ -3844,7 +3848,7 @@
NOT-FOR-US: MyGuestbook
CVE-2005-2161 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote ...)
{DSA-768-1}
- - phpbb2 2.0.13-6sarge1 (bug #317739; high)
+ - phpbb2 2.0.13+1-6sarge1 (bug #317739; high)
CVE-2005-2160 (IMail stores usernames and passwords in cleartext in a cookie, which ...)
NOT-FOR-US: IMail
CVE-2005-2159 (mshftp.dll in PlanetDNS PlanetFileServer 2.0.1.3 allows remote ...)
@@ -4024,7 +4028,7 @@
NOTE: fixed in experimental in 1:1.0.5.6-1, not yet in sid
CVE-2005-2095 (SquirrelMail 1.4.4 and earlier does not properly handle the $_POST ...)
{DSA-756-1}
- - squirrelmail 2:1.4.4-6 (bug #317094)
+ - squirrelmail 2:1.4.4-6sarge1 (bug #317094)
CVE-2005-2094 (Sun SunONE web server 6.1 SP1 allows remote attackers to poison the ...)
NOT-FOR-US: Sun
CVE-2005-2093 (Oracle 9i Application Server (Oracle9iAS) 9.0.2 allows remote ...)
@@ -5109,8 +5113,9 @@
REJECTED
CVE-2005-1937 (A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote ...)
{DSA-810-1 DSA-777-1 DSA-775-1 DTSA-7-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge1 (medium)
+ - mozilla-firefox 1.0.6-1 (medium)
+ - mozilla 2:1.7.10-1 (medium)
+ [woody] - mozilla <not-affected> (regression of a previous security fix)
CVE-2004-2137 (Outlook Express 6.0, when sending multipart e-mail messages using the ...)
NOT-FOR-US: Microsoft
CVE-2005-1936 (Unknown vulnerability in the web server for the ESS/ Network ...)
@@ -5287,7 +5292,7 @@
NOT-FOR-US: arshell
CVE-2005-1857 (Format string vulnerability in simpleproxy before 3.4 allows remote ...)
{DSA-786-1}
- TODO: check
+ - simpleproxy 3.2-4 (medium)
CVE-2005-1856 (The CD-burning feature in backup-manager 0.5.8 and earlier uses a ...)
{DSA-787-1}
- backup-manager 0.5.8-2 (bug #315582; low)
@@ -5296,7 +5301,7 @@
- backup-manager 0.5.8-2 (medium)
CVE-2005-1854 (Unknown vulnerability in apt-cacher in Debian 3.1, related to "missing ...)
{DSA-772-1}
- TODO: check
+ - apt-cacher 0.9.10 (high)
CVE-2005-1853 (gopher.c in the Gopher client 3.0.5 does not properly create temporary ...)
{DSA-770-1}
- gopher 3.0.8 (low)
@@ -5492,7 +5497,7 @@
NOT-FOR-US: Avast
CVE-2005-1769 (Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail ...)
{DSA-756-1}
- - squirrelmail 2:1.4.4-6 (bug #314374; medium)
+ - squirrelmail 2:1.4.4-6sarge1 (bug #314374; medium)
CVE-2005-1768 (Race condition in the ia32 compatibility code for the execve system ...)
- kernel-source-2.4.27 2.4.27-11 (medium; bug #319629)
CVE-2005-1767 (traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment ...)
@@ -5979,6 +5984,8 @@
CVE-2005-1636 (mysql_install_db in MySQL 4.1.x before 4.1.12 and 5.x up to 5.0.4 ...)
{DSA-783-1}
- mysql-dfsg 4.0.12-2 (bug #319526; low)
+ - mysql-dfsg-4.1 4.1.12 (medium; bug #319526)
+ - mysql-dfsg-5.0 5.0.11beta-3 (medium)
CVE-2005-1635 (JGS-XA JGS-Portal 3.0.2 and earlier allows remote attackers to obtain ...)
NOT-FOR-US: JGS-Portal
CVE-2005-1634 (Multiple cross-site scripting (XSS) vulnerabilities in JGS-XA ...)
@@ -6175,7 +6182,7 @@
NOT-FOR-US: Bakbone Netvault
CVE-2005-1546 (Buffer overflow in the PE parser in HT Editor before 0.8.0 allows ...)
{DSA-743-1}
- - ht 0.8.0-2 (bug #308587)
+ - ht 0.8.0-3 (bug #308587)
CVE-2005-1545 (Integer overflow in the ELF parser in HT Editor before 0.8.0 allows ...)
{DSA-743-1}
- ht 0.8.0-3 (bug #308587)
@@ -10546,10 +10553,10 @@
RESERVED
CVE-2005-0393 (The helper scripts for crip 3.5 do not properly use temporary files, ...)
{DSA-733-1}
- TODO: check
+ - crip 3.5-1sarge2 (low)
CVE-2005-0392 (ppxp does not drop root privileges before opening log files, which ...)
{DSA-725-2 DSA-725-1}
- TODO: check
+ - ppxp 0.2001080415-11
CVE-2005-0391 (geneweb 4.10 and earlier does not properly check file permissions and ...)
{DSA-712-1}
- geneweb 4.10-7 (bug #304405)
@@ -13354,8 +13361,8 @@
NOTE: upstream versions became vulnerable again, see
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=296850
NOTE: and were fixed again, it got CVE-2005-1937 for the reversion
- - mozilla 2:1.7.8-1sarge1 (medium)
- - mozilla-firefox 1.0.4-2sarge3 (medium)
+ - mozilla 2:1.7.10-1 (medium)
+ - mozilla-firefox 1.0.6-1 (medium)
CVE-2004-0717 (Opera 7.51 for Windows and 7.50 for Linux does not properly prevent a ...)
NOT-FOR-US: opera 7.50
CVE-2004-0716 (Buffer overflow in the DCE daemon (DCED) for the DCE endpoint mapper ...)
More information about the Secure-testing-commits
mailing list