[Secure-testing-commits] r1790 - in data: CAN DSA
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Sat Sep 3 10:13:17 UTC 2005
Author: jmm-guest
Date: 2005-09-03 10:13:13 +0000 (Sat, 03 Sep 2005)
New Revision: 1790
Modified:
data/CAN/list
data/DSA/list
Log:
new apache2 dos
lots of nfus
canified gallery xss
corrected cve ref for dsa-790
update on proftpd dsa
Modified: data/CAN/list
===================================================================
--- data/CAN/list 2005-09-03 09:41:57 UTC (rev 1789)
+++ data/CAN/list 2005-09-03 10:13:13 UTC (rev 1790)
@@ -1,8 +1,7 @@
-begin claimed by jmm
CAN-2005-2766 (Symantec AntiVirus Corporate Edition 9.0.1.x and 9.0.4.x, and possibly ...)
- TODO: check
+ NOTE: not-for-us (Symantec AntiVirus)
CAN-2005-2765 (The user interface in the Windows Firewall does not properly display ...)
- TODO: check
+ NOTE: not-for-us (Microsoft Windows)
CAN-2005-2764
NOTE: reserved
CAN-2005-2763
@@ -56,46 +55,48 @@
CAN-2005-2738
NOTE: reserved
CAN-2005-2737 (Cross-site scripting (XSS) vulnerability in PhotoPost PHP Pro 5.1 ...)
- TODO: check
+ NOTE: not-for-us (PhotoPost)
CAN-2005-2736 (Cross-site scripting (XSS) vulnerability in YaPig 0.95 and earlier ...)
- TODO: check
+ NOTE: not-for-us (YaPig)
CAN-2005-2735 (Cross-site scripting (XSS) vulnerability in phpGraphy 0.9.9a and ...)
- TODO: check
+ NOTE: not-for-us (phpGraphy)
CAN-2005-2734 (Cross-site scripting (XSS) vulnerability in Gallery 1.5.1-RC2 and ...)
- TODO: check
+ - gallery 1.5-2 (bug #325285; medium)
+ - gallery2 (unfixed; bug #325285; medium)
CAN-2005-2733 (upload_img_cgi.php in Simple PHP Blog (SPHPBlog) does not properly ...)
- TODO: check
+ NOTE: not-for-us (Simple PHP Blog)
CAN-2005-2732 (AWStats 6.4, and possibly earlier versions, allows remote attackers to ...)
TODO: check
CAN-2005-2731 (Directory traversal vulnerability in Astaro Security Linux 6.0, when ...)
- TODO: check
+ NOTE: not-for-us (Astato specific)
CAN-2005-2730 (The HTTP proxy in Astaro Security Linux 6.0 allows remote attackers to ...)
- TODO: check
+ NOTE: not-for-us (Astato specific)
CAN-2005-2729 (The HTTP proxy in Astaro Security Linux 6.0 does not properly filter ...)
- TODO: check
+ NOTE: not-for-us (Astato specific)
CAN-2005-2728 (The byte-range filter in Apache 2.0 before 2.0.54 allows remote ...)
- TODO: check
+ NOTE: The CVE description is wrong, this has been merged for 2.0.55
+ - apache2 (unfixed; bug filed; medium)
CAN-2005-2727 (Home Ftp Server 1.0.7 stores sensitive user information and server ...)
- TODO: check
+ NOTE: not-for-us (Home Ftp Server)
CAN-2005-2726 (Directory traversal vulnerability in Home Ftp Server 1.0.7 allows ...)
- TODO: check
+ NOTE: not-for-us (Home Ftp Server)
CAN-2005-2725 (The inputtrap utility in QNX RTOS 6.1.0, 6.3, and possibly earlier ...)
- TODO: check
+ NOTE: not-for-us (QNX)
CAN-2005-2723 (SQL injection vulnerability in auth.php in PaFileDB 3.1, when ...)
- TODO: check
+ NOTE: not-for-us (PaFileDB)
CAN-2005-2722 (Foojan PHP Weblog allows remote attackers to obtain sensitive ...)
- TODO: check
+ NOTE: not-for-us (Foojan PHP Weblog)
CAN-2005-2721 (Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php ...)
- TODO: check
+ NOTE: not-for-us (Foojan PHP Weblog)
CAN-2005-2720 (Stack-based buffer overflow in the ACE archive decompression library ...)
- TODO: check
+ NOTE: not-for-us (HAURI Antivirus)
CAN-2005-2719 (Ventrilo 2.1.2 through 2.3.0 allows remote attackers to cause a denial ...)
- TODO: check
+ NOTE: not-for-us (Ventrilo)
CAN-2005-2718 (Buffer overflow in ad_pcm.c in MPlayer 1.0pre7 and earlier allows ...)
- TODO: check
+ NOTE: not-for-us (MPlayer)
CAN-2005-2717 (PHP remote file inclusion vulnerability in WebCalendar before 1.0.1 ...)
{DSA-799-1}
- TODO: check
+ - webcalendar (unfixed; bug filed; medium)
CAN-2005-2715
NOTE: reserved
CAN-2005-2714
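Review bot: the three new not-for-us notes for CAN-2005-2731, CAN-2005-2730 and CAN-2005-2729 spell the vendor as "Astato", while the CVE descriptions on the same lines say Astaro Security Linux; they should read `NOTE: not-for-us (Astaro specific)`. The new apache2 (CAN-2005-2728) and webcalendar (CAN-2005-2717) lines also say only "bug filed" without a number, whereas the gallery entries in this same hunk record `bug #325285`; the BTS number should be filled in so the entries can be tracked to closure.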
@@ -129,24 +130,23 @@
CAN-2005-2700
NOTE: reserved
CAN-2005-2699 (admin/admin.php in PHPKit 1.6.1 allows remote authenticated ...)
- TODO: check
+ NOTE: not-for-us (PHPKit)
CAN-2005-2698 (Cross-site scripting (XSS) vulnerability in browse.php in Nephp ...)
- TODO: check
+ NOTE: not-for-us (Nephp Publisher Enterprise)
CAN-2005-2697 (SQL injection vulnerability in search.php for MyBulletinBoard (MyBB) ...)
- TODO: check
+ NOTE: not-for-us (MyBB)
CAN-2005-2696 (The Lotus Notes client does not properly restrict access to password ...)
- TODO: check
+ NOTE: not-for-us (Notes)
CAN-2005-2695 (Unspecified vulnerability in the SSL certificate checking ...)
- TODO: check
+ NOTE: not-for-us (Cisco)
CAN-2005-2694 (Buffer overflow in WinAce 2.6.0.5, and possibly earlier versions, ...)
- TODO: check
+ NOTE: not-for-us (WinAce)
CAN-1999-1586 (loadmodule in SunOS 4.1.x, as used by xnews, does not properly ...)
- TODO: check
+ NOTE: not-for-us (SunOS)
CAN-1999-1585 (The (1) rcS and (2) mountall programs in Sun Solaris 2.x, possibly ...)
- TODO: check
+ NOTE: not-for-us (Solaris)
CAN-1999-1584 (Unknown vulnerability in (1) loadmodule, and (2) modload if modload is ...)
- TODO: check
-end claimed by jmm
+ NOTE: not-for-us (SunOS)
CAN-2005-XXXX [osh buffer overflow in handlers.c]
NOTE: This is not the same as -13
- osh 1.7-14 (unfixed; bug #323424; medium)
@@ -177,9 +177,6 @@
- affix 2.1.2-3 (bug #325444; medium)
CAN-2005-XXXX [Insecure tempfile usage in tleds]
- tleds 1.05beta10-9 (bug# 276789; low)
-CAN-2005-XXXX [XSS in gallery's EXIF handling]
- - gallery 1.5-2 (bug #325285; medium)
- - gallery2 (unfixed; bug #325285; medium)
CAN-2005-2693 (cvsbug in CVS 1.12.12 and earlier creates temporary files insecurely, ...)
NOTE: cvs: not shipped in binary package
- cvs 1:1.12.9-15 (bug #325106; low)
@@ -263,7 +260,7 @@
{DSA-791-1 DTSA-11-1}
- maildrop 1.5.3-1.1etch1 (medium)
CAN-2005-2654 (phpldapadmin before 0.9.6c allows remote attackers to gain anonymous ...)
- TODO: check
+ - phpldapadmin 0.9.6c-5 (medium)
CAN-2005-XXXX [cplay - still unsafe temporary file handling vulnerable to symlink attacks]
- cplay 1.49-8 (bug #324913; low)
CAN-2005-XXXX [$servers[$i]['disable_anon_bind'] = true doesn't prevent anonymous to access ldap directory]
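Review bot: the new `- phpldapadmin 0.9.6c-5 (medium)` line under CAN-2005-2654 has no DSA cross-reference, while the neighbouring maildrop entry carries `{DSA-791-1 DTSA-11-1}` and CAN-2005-2717 gets `{DSA-799-1}` elsewhere in this commit; since data/DSA/list is being corrected in the same patch to point DSA-790-1 at CAN-2005-2654, a `{DSA-790-1}` line above the package line would keep the two files consistent.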
@@ -933,9 +930,9 @@
CAN-2005-2527
NOTE: reserved
CAN-2005-2526 (CUPS in Mac OS X 10.3.9 and 10.4.2 allows remote attackers to cause a ...)
- TODO: check
+ NOTE: not-for-us (MacOS X)
CAN-2005-2525 (CUPS in Mac OS X 10.3.9 and 10.4.2 does not properly close file ...)
- TODO: check
+ NOTE: not-for-us (MacOS X)
CAN-2005-2524
NOTE: reserved
CAN-2005-2523 (Multiple cross-site scripting (XSS) vulnerabilities in Weblog Server ...)
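Review bot: CAN-2005-2526 and CAN-2005-2525 are closed as `not-for-us (MacOS X)`, but both descriptions concern CUPS, which Debian ships as well; unless it has been confirmed that the flaws are in Apple's integration rather than in upstream CUPS code, leaving these as `TODO: check` against the Debian cups package is the safer choice.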
@@ -3377,7 +3374,7 @@
CAN-2005-2018
NOTE: reserved
CAN-2005-2017 (Symantec AntiVirus 9 Corporate Edition allows local users to gain ...)
- TODO: check
+ NOTE: not-for-us (Symantec AntiVirus)
CAN-2005-2016
NOTE: reserved
CAN-2005-2015
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2005-09-03 09:41:57 UTC (rev 1789)
+++ data/DSA/list 2005-09-03 10:13:13 UTC (rev 1790)
@@ -19,10 +19,11 @@
{CAN-2005-2716}
- affix 2.1.2-3 (medium)
NOTE: not fixed in testing at time of DSA (glibc transition, builds)
-[01 Sep 2005] DSA-795-1 proftpd - format string error
+[01 Sep 2005] DSA-795-2 proftpd - format string error
{CAN-2005-2390}
- proftpd 1.2.10-20 (medium)
NOTE: fixed in testing at time of DSA
+ NOTE: Initial -1 release had a build problem
[01 Sep 2005] DSA-794-1 polygen - programming error
{CAN-2005-2656}
- polygen 1.0.6-9 (low)
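Review bot: the entry is renamed from DSA-795-1 to DSA-795-2 but keeps the `[01 Sep 2005]` date; if the -2 revision was issued on a later day, the date should follow the revision now listed. The added `NOTE: Initial -1 release had a build problem` would be more useful if it recorded which architecture or package failed, so readers know whether any -1 binaries are usable.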
@@ -47,7 +48,7 @@
NOTE: not fixed in testing at time of DSA (glibc transition)
NOTE: but fixed in secure-testing repo
[30 Aug 2005] DSA-790-1 phpldapadmin - programming error
- {CAN-2005-1654}
+ {CAN-2005-2654}
- phpldapadmin 0.9.6c-5 (medium)
NOTE: fixed in testing at time of DSA
[29 Aug 2005] DSA-789-1 php4 - several