[Secure-testing-commits] r4512 - data/CVE

Stefan Fritsch stef-guest at costa.debian.org
Sun Aug 6 18:46:32 UTC 2006 

Author: stef-guest
Date: 2006-08-06 18:46:30 +0000 (Sun, 06 Aug 2006)
New Revision: 4512

Modified:
   data/CVE/list
Log:
- CVE-2005-1918: old tar issue was fixed before sarge
- CVE-2005-3757: warning about code execution from XSLTs has been
  added to saxon's readme
- CVE-2006-1862: linux issue seems to be redhat only
- CVE-2004-2658, CVE-2005-4788, CVE-2005-4789: Three resmgr issues
  with insufficient info. Might affect sarge.
- many NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-08-06 17:38:35 UTC (rev 4511)
+++ data/CVE/list	2006-08-06 18:46:30 UTC (rev 4512)
@@ -3371,7 +3371,7 @@
 CVE-2006-2482
 	RESERVED
 CVE-2006-2481 (VMware ESX Server 2.0.x before 2.0.2 and 2.x before 2.5.3 patch 4 ...)
-	TODO: check
+	NOT-FOR-US: VMware ESX 
 CVE-2006-2480 (Format string vulnerability in Dia 0.94 allows user-complicit ...)
 	- dia 0.95.0-4 (bug #368202; low)
 	[sarge] - dia <no-dsa> (Hardly exploitable, would require obviously malformed file names)
@@ -3562,9 +3562,9 @@
 CVE-2006-2390 (Cross-site scripting (XSS) vulnerability in OZJournals 1.2 allows ...)
 	NOT-FOR-US: OZJournals
 CVE-2006-2389 (Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-2388 (Microsoft Office Excel 2000 through 2004 allows user-complicit ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-2387
 	RESERVED
 CVE-2006-2386
@@ -3596,7 +3596,7 @@
 CVE-2006-2373 (The Server Message Block (SMB) driver (MRXSMB.SYS) in Microsoft ...)
 	NOT-FOR-US: Microsoft
 CVE-2006-2372 (Buffer overflow in the DHCP Client service for Microsoft Windows 2000 ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-2371 (Buffer overflow in the Remote Access Connection Manager service ...)
 	NOT-FOR-US: Microsoft
 CVE-2006-2370 (Buffer overflow in the Routing and Remote Access service (RRAS) in ...)
@@ -3754,9 +3754,9 @@
 CVE-2006-2312 (Unspecified vulnerability in the URI handler in Skype 2.0.*.104 and ...)
 	NOT-FOR-US: Skype
 CVE-2006-2311 (Cross-site scripting (XSS) vulnerability in BlueDragon Server and ...)
-	TODO: check
+	NOT-FOR-US: BlueDragon Server and Server JX 
 CVE-2006-2310 (BlueDragon Server and Server JX 6.2.1.286 for Windows allows remote ...)
-	TODO: check
+	NOT-FOR-US: BlueDragon Server and Server JX 
 CVE-2006-2309 (The HTTP service in EServ/3 3.25 allows remote attackers to obtain ...)
 	NOT-FOR-US: EServ
 CVE-2006-2308 (Directory traversal vulnerability in the IMAP service in EServ/3 3.25 ...)
@@ -4412,10 +4412,13 @@
 	NOT-FOR-US: SUSE-specific
 CVE-2005-4789 (resmgr in SUSE Linux 9.2 and 9.3, and possibly other distributions, ...)
 	TODO: check
+	NOTE: sf: pinged maintainer
 CVE-2005-4788 (resmgr in SUSE Linux 9.2 and 9.3, and possibly other distributions, ...)
 	TODO: check
+	NOTE: sf: pinged maintainer
 CVE-2004-2658 (resmgr in SUSE CORE 9 does not properly identify terminal names, which ...)
 	TODO: check
+	NOTE: sf: pinged maintainer
 CVE-2006-XXXX [librsvg2 crash on certain svg files]
 	- librsvg 2.14.3-2 (bug #361653; bug #361540; medium)
 CVE-2006-2018 (** DISPUTED ** ...)
@@ -4800,7 +4803,8 @@
 	{DSA-1103}
 	- linux-2.6 2.6.16-10
 CVE-2006-1862 (The virtual memory implementation in Linux kernel 2.6.x allows local ...)
-	TODO: check
+	- linux-2.6 <not-affected> (seems to be RedHat-specific)
+	- linux-2.6.16 <not-affected> (seems to be RedHat-specific)
 CVE-2006-1861 (Multiple integer overflows in FreeType before 2.2 allow remote ...)
 	{DSA-1095-1}
 	- freetype 2.2.1-1
@@ -4817,7 +4821,7 @@
 	{DSA-1103 DSA-1097-1}
 	- linux-2.6 2.6.16-14
 CVE-2006-1856 (Certain modifications to the Linux kernel 2.6.16 and earlier do not ...)
-	TODO: check
+	- linux-2.6 2.6.16-12
 CVE-2006-1855 (choose_new_parent in Linux kernel before 2.6.11.12 includes certain ...)
 	NOTE: probably fixed before, but this is the oldest linux-2.6 in the changelog
 	- linux-2.6 2.6.12-1
@@ -5548,7 +5552,7 @@
 CVE-2006-1587 (NetBSD 1.6 up to 3.0, when a user has &quot;set record&quot; in .mailrc with the ...)
 	NOT-FOR-US: NetBSD
 CVE-2002-2210 (The installation of OpenOffice 1.0.1 allows local users to overwrite ...)
-	TODO: check
+	- openoffice.org 1.0.2
 CVE-2006-1614 (Integer overflow in the cli_scanpe function in the PE header parser ...)
 	{DSA-1024-1}
 	- clamav 0.88.1-1
@@ -5904,16 +5908,16 @@
 CVE-2006-1472
 	RESERVED
 CVE-2006-1471 (Format string vulnerability in the CF_syslog function launchd in Apple ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2006-1470 (OpenLDAP in Apple Mac OS X 10.4 up to 10.4.6 allows remote attackers ...)
 	- openldap2 <not-affected> (Vulnerable code not present)
 	- openldap2.2 <unfixed> (medium)
 CVE-2006-1469 (Stack-based buffer overflow in ImageIO in Apple Mac OS X 10.4 up to ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2006-1468 (Unspecified vulnerability in Apple File Protocol (AFP) server in Apple ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2006-1467 (Integer overflow in the AAC file parsing code in Apple iTunes before ...)
-	TODO: check
+	NOT-FOR-US: Apple iTunes
 CVE-2006-1466 (Xcode Tools before 2.3 for Mac OS X 10.4, when running the WebObjects ...)
 	NOT-FOR-US: Apple
 CVE-2006-1465 (Buffer overflow in Apple QuickTime before 7.1 allows remote attackers ...)
@@ -6241,11 +6245,11 @@
 CVE-2006-1317
 	RESERVED
 CVE-2006-1316 (Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1315 (The Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1314 (Heap-based buffer overflow in the Server Service (SRV.SYS driver) in ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1313 (Microsoft JScript 5.1, 5.5, and 5.6 on Windows 2000 SP4, and 5.6 on ...)
 	NOT-FOR-US: Microsoft JScript
 CVE-2006-1312
@@ -6255,25 +6259,25 @@
 CVE-2006-1310
 	RESERVED
 CVE-2006-1309 (Microsoft Excel 2000 through 2004 allows user-complicit attackers to ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1308 (Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1307
 	RESERVED
 CVE-2006-1306 (Microsoft Excel 2000 through 2004 allows user-complicit attackers to ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1305
 	RESERVED
 CVE-2006-1304 (Buffer overflow in Microsoft Excel 2000 through 2003 allows ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1303 (Multiple unspecified vulnerabilities in Microsoft Internet Explorer ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1302 (Buffer overflow in Microsoft Excel 2000 through 2003 allows ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1301 (Microsoft Excel 2000 through 2004 allows user-complicit attackers to ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1300 (Microsoft .NET framework 2.0 (ASP.NET) in Microsoft Windows 2000 SP4, ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-1299
 	RESERVED
 CVE-2006-1298 (Format string vulnerability in the Job Engine service (bengine.exe) in ...)
@@ -6570,11 +6574,11 @@
 CVE-2006-1179
 	RESERVED
 CVE-2006-1178 (Tamarack MMSd before 7.992 allows remote attackers to cause a denial ...)
-	TODO: check
+	NOT-FOR-US: Tamarack MMSd
 CVE-2006-1177
 	RESERVED
 CVE-2006-1176 (Buffer overflow in eBay Enhanced Picture Services (aka EPUImageControl ...)
-	TODO: check
+	NOT-FOR-US: eBay Enhanced Picture Services
 CVE-2006-1175 (The WeOnlyDo! SFTP (wodSFTP) ActiveX control is marked as safe for ...)
 	NOT-FOR-US: WeOnlyDo! SFTP
 CVE-2006-1174 (useradd in shadow-utils before 4.0.3, and possibly other versions ...)
@@ -7371,9 +7375,9 @@
 CVE-2006-0819 (Dwarf HTTP Server 1.3.2 allows remote attackers to obtain the source ...)
 	NOT-FOR-US: Dwarf HTTP Server
 CVE-2006-0818 (Absolute path directory traversal vulnerability in (1) MERAK Mail Server for ...)
-	TODO: check
+	NOT-FOR-US: MERAK Mail Server and VisNetic MailServer
 CVE-2006-0817 (Absolute path directory traversal vulnerability in (a) MERAK Mail ...)
-	TODO: check
+	NOT-FOR-US: MERAK Mail Server and VisNetic MailServer
 CVE-2006-0816 (Orion Application Server before 2.0.7, when running on Windows, allows ...)
 	NOT-FOR-US: Orion Application Server
 CVE-2006-0815 (NetworkActiv Web Server 3.5.15 allows remote attackers to read script ...)
@@ -10942,7 +10946,7 @@
 CVE-2006-0034 (Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext ...)
 	NOT-FOR-US: Microsoft
 CVE-2006-0033 (Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-0032
 	RESERVED
 CVE-2006-0031 (Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, ...)
@@ -10956,7 +10960,7 @@
 CVE-2006-0027 (Unspecified vulnerability in Microsoft Exchange allows remote ...)
 	NOT-FOR-US: Microsoft
 CVE-2006-0026 (Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-0025 (Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 ...)
 	NOT-FOR-US: Microsoft Windows Media Player
 CVE-2006-0024 (Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 ...)
@@ -11484,7 +11488,7 @@
 CVE-2005-3757 (The Saxon XSLT parser in Google Mini Search Appliance, and possibly ...)
 	NOTE: XSLTs can call arbitrary java methods in libsaxon-java. This behaviour
 	NOTE: is well documented and can be switched off. Let's hope that all users
-	NOTE: of saxon are aware of this. Filed a whishlist bug to add a warning.
+	NOTE: of saxon are aware of this. A warning has been added to the readme.
 	NOTE: Current rdependencies:
 	- ooo2dbk <not-affected> (uses it's own xslt unless overridden by command line arg)
 	TODO: check zope-zms (stef-guest: pinged maintainers)
@@ -11756,7 +11760,7 @@
 CVE-2006-0008 (The ShellAbout API call in Korean Input Method Editor (IME) in Korean ...)
 	NOT-FOR-US: Microsoft
 CVE-2006-0007 (Buffer overflow in GIFIMP32.FLT, as used in Microsoft Office 2003 SP1 ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2006-0006 (Heap-based buffer overflow in the bitmap processing routine in ...)
 	NOT-FOR-US: Microsoft
 CVE-2006-0005 (Buffer overflow in the plug-in for Microsoft Windows Media Player ...)
@@ -11942,11 +11946,11 @@
 CVE-2005-3622 (phpMyAdmin 2.7.0-beta1 and earlier allows remote attackers to obtain ...)
 	- phpmyadmin <unfixed> (unimportant)
 CVE-2005-3620 (The management interface for VMware ESX Server 2.0.x before 2.0.2 ...)
-	TODO: check
+	NOT-FOR-US: VMware ESX
 CVE-2005-3619 (Cross-site scripting (XSS) vulnerability in the management interface ...)
 	NOT-FOR-US: VMware ESX
 CVE-2005-3618 (Cross-site request forgery (CSRF) vulnerability in the management ...)
-	TODO: check
+	NOT-FOR-US: VMWare ESX
 CVE-2005-3617
 	RESERVED
 CVE-2005-3616
@@ -18531,7 +18535,8 @@
 CVE-2005-1919
 	REJECTED
 CVE-2005-1918 (The original patch for a GNU tar directory traversal vulnerability ...)
-	TODO: check
+	- tar 1.14-2.2 
+	NOTE: 1.14-2.2 is ok, maybe Debian was not-affected anyway
 CVE-2005-1917 (kpopper 1.0 and earlier allows local users to create and overwrite ...)
 	NOT-FOR-US: kpopper, there is a kpopper in kerberos4kth-servers, but this is not the same one
 CVE-2005-1916 (linki.py in ekg 2005-06-05 and earlier allows local users to overwrite ...)

More information about the Secure-testing-commits mailing list