[Secure-testing-commits] r1846 - data/CAN
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Thu Sep 8 09:53:23 UTC 2005
Author: jmm-guest
Date: 2005-09-08 09:53:19 +0000 (Thu, 08 Sep 2005)
New Revision: 1846
Modified:
data/CAN/list
Log:
new courier/webmail xss
new frox issue already fixed
several not-for-us
Modified: data/CAN/list
===================================================================
--- data/CAN/list 2005-09-08 08:39:04 UTC (rev 1845)
+++ data/CAN/list 2005-09-08 09:53:19 UTC (rev 1846)
@@ -1,14 +1,13 @@
-claimed by jmm
CAN-2005-2840 (Multiple unknown vulnerabilities in MAXdev MD-Pro 1.0.72 and earlier ...)
- TODO: check
+ NOTE: not-for-us (MAXdev)
CAN-2005-2839 (Multiple cross-site scripting (XSS) vulnerabilities in MAXdev MD-Pro ...)
- TODO: check
+ NOTE: not-for-us (MAXdev)
CAN-2005-2838 (SQL injection vulnerability in login.php in myBloggie 2.1.3-beta and ...)
- TODO: check
+ NOTE: not-for-us (myBloggie)
CAN-2005-2837 (Multiple eval injection vulnerabilities in PlainBlack Software WebGUI ...)
- TODO: check
+ NOTE: not-for-us (WebGUI)
CAN-2005-2836 (Multiple cross-site scripting (XSS) vulnerabilities in Phorum 5.0.17a ...)
- TODO: check
+ NOTE: not-for-us (Phorum)
CAN-2005-2835
NOTE: reserved
CAN-2005-2834
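Review bot: The not-for-us notes for CAN-2005-2840 and CAN-2005-2839 name the vendor, "(MAXdev)", while the other entries in this hunk name the product: "(myBloggie)", "(WebGUI)", "(Phorum)". Using "(MD-Pro)" there would keep the tag consistent, so a search on the product name from the CAN description finds both entries. The opening "claimed by jmm" marker removed at the top of this hunk is paired with the "end claimed by jmm" removal in the next hunk, so the claim block is released cleanly.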
@@ -40,40 +39,40 @@
CAN-2005-2821
NOTE: reserved
CAN-2005-2820 (Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows ...)
- TODO: check
+ - courier (unfixed; bug #327181; medium)
CAN-2005-2819 (Unknown vulnerability in DownFile 1.3 allows remote attackers to ...)
- TODO: check
+ NOTE: not-for-us (DownFile)
CAN-2005-2818 (Cross-site scripting (XSS) vulnerability in DownFile 1.3 allows remote ...)
- TODO: check
+ NOTE: not-for-us (DownFile)
CAN-2005-2817 (Simple Machines Forum (SMF) 1-0-5 and earlier supports the use of URLs ...)
- TODO: check
+ NOTE: not-for-us (Simple Machines Forum)
CAN-2005-2816 (Cross-site scripting (XSS) vulnerability in Greymatter allows remote ...)
- TODO: check
+ NOTE: not-for-us (Greymatter)
CAN-2005-2815 (print.php in FlatNuke 2.5.6 allows remote attackers to obtain ...)
- TODO: check
+ NOTE: not-for-us (FlatNuke)
CAN-2005-2814 (Cross-site scripting (XSS) vulnerability in FlatNuke 2.5.6 allows ...)
- TODO: check
+ NOTE: not-for-us (FlatNuke)
CAN-2005-2813 (Directory traversal vulnerability in FlatNuke 2.5.6 and possibly ...)
- TODO: check
+ NOTE: not-for-us (FlatNuke)
CAN-2005-2812 (man2web allows remote attackers to execute arbitrary commands via -P ...)
- TODO: check
+ NOTE: not-for-us (man2web)
CAN-2005-2811 (Untrusted search path vulnerability in Net-SNMP 5.2.1.2 and earlier, ...)
- TODO: check
+ NOTE: This looks like a Portage-specific configuration flaw to mee, but please double-check
+ TODO: double-check, whether this is Gentoo specific
CAN-2005-2810 (Multiple stack-based buffer overflows in urban before 1.5.3 allow ...)
- TODO: check
+ NOTE: not-for-us (urban game)
CAN-2005-2809 (silc daemon (silcd.c) in Secure Internet Live Conferencing (SILC) 1.0 ...)
- TODO: check
+ NOTE: not-for-us (silc daemon)
CAN-2005-2808 (frox 0.7.16 and 0.7.17 does not properly parse certain Deny ACLs, ...)
- TODO: check
+ - frox 0.7.18-1 (medium)
CAN-2005-2807 (frox 0.7.18, when running setuid root, does not properly drop ...)
- TODO: check
+ NOTE: not-affected (does not run setuid root in the Debian package)
CAN-2005-2806 (client.cpp in BNBT EasyTracker 7.7r3.2004.10.27 and earlier allows ...)
- TODO: check
+ NOTE: not-for-us (BNBT EasyTracker)
CAN-2005-2805 (forum_post.php in e107 0.6 allows remote attackers to post to ...)
- TODO: check
+ NOTE: not-for-us (e107)
CAN-2005-2804
NOTE: reserved
-end claimed by jmm
CAN-2005-2803 (Cross-site scripting (XSS) vulnerability in Hiki 0.8.1 to 0.8.2 allows ...)
TODO: check
CAN-2005-2800 (Memory leak in the seq_file implemenetation in the SCSI procfs ...)
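Review bot: The CAN-2005-2811 entry adds a NOTE and a TODO that say the same thing twice, and the NOTE contains the typo "mee". A single line such as "TODO: check whether this is Gentoo/Portage specific" would carry the same information and leave the entry clearly open. Separately, CAN-2005-2807 is recorded only as a free-form "NOTE: not-affected (...)" that never names the package, while the neighbouring CAN-2005-2808 uses a "- frox 0.7.18-1 (medium)" package line; naming frox in the 2807 note would make the entry findable per package. For CAN-2005-2820 the description says SqWebMail but the package line says courier, so a short note stating that SqWebMail ships as part of courier would save the next reader the lookup.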
@@ -326,7 +325,7 @@
{DSA-796-1}
- affix 2.1.2-3 (bug #325444; medium)
CAN-2005-XXXX [Insecure tempfile usage in tleds]
- - tleds 1.05beta10-9 (bug# 276789; low)
+ - tleds 1.05beta10-9 (bug #276789; low)
CAN-2005-2693 (cvsbug in CVS 1.12.12 and earlier creates temporary files insecurely, ...)
{DSA-802-1}
NOTE: cvs: not shipped in binary package
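Review bot: The "bug# 276789" to "bug #276789" correction on the tleds line is not mentioned in the log message, which only lists the courier, frox and not-for-us changes. It is a harmless format fix and matches the "bug #325444" style two lines above, but a word in the log (or a separate commit) would make it easier to see why this entry shows up in the revision history.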