[Secure-testing-commits] r2038 - data/CAN

Florian Weimer fw at costa.debian.org
Sun Sep 18 10:25:08 UTC 2005


Author: fw
Date: 2005-09-18 10:25:05 +0000 (Sun, 18 Sep 2005)
New Revision: 2038

Modified:
   data/CAN/list
Log:
Resolve a few TODOs, adding BTS xrefs where necessary.




Modified: data/CAN/list
===================================================================
--- data/CAN/list	2005-09-18 10:11:02 UTC (rev 2037)
+++ data/CAN/list	2005-09-18 10:25:05 UTC (rev 2038)
@@ -2266,8 +2266,9 @@
 CAN-2002-2039 (/bin/su in QNX realtime operating system (RTOS) 4.25 and 6.1.0 allows ...)
 	NOTE: not-for-us (QNX)
 CAN-2002-2038 (Next Generation POSIX Threading (NGPT) 1.9.0 uses a filesystem-based ...)
-	TODO: check, ISS says Linux: Linux Any version
+	NOTE: not-for-us (NGPT)
 	NOTE: http://lists.debian.org/debian-user/2003/10/msg03627.html
+	NOTE: NPTL does not have this problem.
 CAN-2002-2037 (The Cisco Media Gateway Controller (MGC) in (1) SC2200 7.4 and ...)
 	NOTE: not-for-us (Cisco)
 CAN-2002-2036 (Sun Ray Server Software (SRSS) 1.3, when Non-Smartcard Mobility (NSCM) ...)
@@ -2440,7 +2441,11 @@
 CAN-2001-1541 (Buffer overflow in Unix-to-Unix Copy Protocol (UUCP) in BSDI BSD/OS ...)
 	NOTE: not-for-us (BSDI UUCP)
 CAN-2001-1540 (IPRoute 0.973, 0.974 and 1.18 allows remote attackers to cause a ...)
-	TODO: try nmap exploit
+	NOTE: not-for-us (IPRoute router software)
+	NOTE: This is not for iproute/iproute2.
+	NOTE: From Chris Gragsone's message on BUGTRAQ:
+	NOTE: "IPRoute, by David F. Mischler, is PC-based router software
+	NOTE: "for networks running the Internet Protocol (IP)."
 CAN-2001-1539 (The JavaScript settimeout function in Internet Explorer allows remote ...)
 	NOTE: not-for-us (MSIE)
 CAN-2001-1538 (SpeedXess HA-120 DSL router has a default administrative password of ...)
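Review bot: The quotation in the CAN-2001-1540 notes is unbalanced: the second quoted line, NOTE: "for networks running the Internet Protocol (IP).", opens a new quote instead of continuing the one opened on the line before. Drop the leading quote on that line so the two NOTE lines read as one quoted sentence. The BUGTRAQ message is also cited by author name only; a URL or message date on its own NOTE line would let a later reader verify the not-for-us decision, as the CAN-2002-2038 entry does with its list archive link.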
@@ -2451,12 +2456,12 @@
 CAN-2001-1536 (Autogalaxy stores usernames and passwords in cleartext in cookies, ...)
 	NOTE: not-for-us (Autogalaxy)
 CAN-2001-1535 (Slashcode 2.0 creates new accounts with an 8-character random ...)
-	NOTE: cannot find paper about this anymore
-	TODO: followup
+	- slash (bug #328927; unfixed; low)
 CAN-2001-1534 (mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's ...)
-	NOTE: cannot find paper about this anymore
-	NOTE: only affects things misusing apache session IDs
-	TODO: followup
+	- apache (bug #328919; unimportant)
+	- apache2 (unfixed; unimportant)
+	NOTE: Cookies are only used for invading user privacy,
+	NOTE: not for authentication, so apache and apache2 should be fine.
 CAN-2001-1533 (** DISPUTED * ...)
 	NOTE: not-for-us (Microsoft)
 CAN-2001-1532 (WebX stores authentication information in the HTTP_REFERER variable, ...)
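Review bot: The two package lines under CAN-2001-1534 carry different fields: "- apache (bug #328919; unimportant)" has a bug number but no fix state, while "- apache2 (unfixed; unimportant)" has a fix state but no bug number. If both packages are in the same state, give both the same fields, or add a NOTE saying why apache2 has no BTS reference. The removed line "only affects things misusing apache session IDs" also stated the precondition more directly than the new NOTE does; consider keeping that wording alongside the statement that the cookies are not used for authentication.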
@@ -3189,9 +3194,10 @@
 CAN-2002-1977 (Network Associates PGP 7.0.4 and 7.1 does not time out according to ...)
 	NOTE: not-for-us (Proprietary PGP)
 CAN-2002-1976 (ifconfig, when used on the Linux kernel 2.2 and later, does not report ...)
-	NOTE: Kernel 2.2 introduced a different way to set promisc mode through setsockopt()
-	NOTE: instead through an ioctl() as before.
-	TODO: check, whether current ifconfig handles that correctly, I guess so
+	- net-tools (unfixed; unimportant)
+	NOTE: This seems to be a misunderstanding of what the PROMISC flag
+	NOTE: is about.  ifconfig reports properly when it is set using
+	NOTE: "ifconfig promisc".
 CAN-2002-1975 (Sharp Zaurus PDA SL-5000D and SL-5500 uses a salt of "A0" to encrypt ...)
 	NOTE: not-for-us (Zaurus hardware)
 CAN-2002-1974 (The FTP service in Zaurus PDAs SL-5000D and SL-5500 does not require ...)
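Review bot: The new CAN-2002-1976 notes only cover the case where the flag is set with "ifconfig promisc", and the removed notes about promiscuous mode being set through setsockopt() rather than ioctl() since kernel 2.2 are dropped without a replacement. That setsockopt() path is what the old TODO asked to check, so the entry no longer records what was concluded about it. Keep one NOTE line saying whether the setsockopt() case is expected to appear in the PROMISC flag, so the "unimportant" rating can be traced to a reason.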
@@ -4029,7 +4035,7 @@
 CAN-2001-1484 (Alcatel ADSL modems allow remote attackers to access the Trivial File ...)
 	NOTE: not-for-us (Alcatel hardware issue)
 CAN-2001-1483 (One-Time Passwords In Everything (a.k.a OPIE) 2.32 and 2.4 allows ...)
-	TODO: check
+	- libpam-opie (unfixed; bug #112279; low)
 CAN-2001-1482 (SQL injection vulnerability in bb_memberlist.php for phpBB 1.4.2 ...)
 	NOTE: phpbb was initially uploaded as version 2 or phpbb has been removed now
 CAN-2001-1481 (Xitami 2.4 through 2.5 b4 stores the Administrator password in ...)
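Review bot: The field order in "- libpam-opie (unfixed; bug #112279; low)" differs from the slash entry added in the same commit, "- slash (bug #328927; unfixed; low)". Pick one order for the bug reference and fix state and use it in both lines, so the list stays easy to grep and to parse. The replaced line was "TODO: check" and the new entry has no NOTE, so a short NOTE on what was checked would help the next person who reads it.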
@@ -9014,10 +9020,10 @@
 CAN-2003-1085 (The HTTP server in the Thomson TWC305, TWC315, and TCW690 cable modem ...)
 	NOTE: not-for-us (Thomson cable modem)
 CAN-2005-0488 (Certain BSD-based Telnet clients, including those used on Solaris and ...)
-	NOTE: netkit-telnet not affected
-	TODO: check heimdal
+	TODO: check heimdal, netkit-telnet-ssl
 	- krb4 (unfixed; low)
 	- krb5 (unfixed; low)
+	- netkit-telnet not-affected (netkit-telnet is not affected)
 CAN-2004-1639 (Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913 allows ...)
 	NOTE: This is not a real security issue; it just describes the fact that the Gecko
 	NOTE: engine of the Mozillae may be lead into a crash if you feed it with large chunks
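Review bot: The added line "- netkit-telnet not-affected (netkit-telnet is not affected)" under CAN-2005-0488 puts the status outside the parentheses, unlike the neighbouring "- krb4 (unfixed; low)" and "- krb5 (unfixed; low)", and the parenthetical only restates the status. Either match the form of the other package lines or use the parentheses for the reason netkit-telnet is not affected. The TODO now also names netkit-telnet-ssl; since that is a separate package from netkit-telnet, it is worth a NOTE saying the not-affected result has not been confirmed for it yet.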



