[Secure-testing-commits] r4569 - data/CVE

Sean Finney seanius at costa.debian.org
Tue Aug 15 17:46:14 UTC 2006 

Author: seanius
Date: 2006-08-15 17:46:11 +0000 (Tue, 15 Aug 2006)
New Revision: 4569

Modified:
   data/CVE/list
Log:
syncing status/notes of some of the php CVE's.
not mentioning status of CVE's that are for sure
fixed in the pending upload,  but mentioning the
disputed ones for now.


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-08-15 09:14:18 UTC (rev 4568)
+++ data/CVE/list	2006-08-15 17:46:11 UTC (rev 4569)
@@ -5887,6 +5887,7 @@
 CVE-2006-1549 (PHP 4.4.2 and 5.1.2 allows local users to cause a crash (segmentation ...)
 	- php4 <unfixed> (bug #361854)
 	- php5 5.1.4-0.1 (bug #361917)
+	NOTE: this is arguably not a security vulnerability.
 CVE-2005-4767 (BEA WebLogic Server and WebLogic Express 8.1 SP5 and earlier, and 7.0 ...)
 	NOT-FOR-US: BEA WebLogic
 CVE-2005-4766 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...)
@@ -7188,9 +7189,13 @@
 CVE-2006-1015 (Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x ...)
 	- php5 5.1.4-0.1 (bug #368595; low)
 	- php4 <unfixed> (bug #368592; low)
+	NOTE: is this really a vulnerability in php?  it seems it should be a bug
+	NOTE: in any application that doesn't check input before passing it along.
 CVE-2006-1014 (Argument injection vulnerability in certain PHP 4.x and 5.x ...)
 	- php5 5.1.4-0.1 (bug #368595; low)
 	- php4 <unfixed> (bug #368592; low)
+	NOTE: is this really a vulnerability in php?  it seems it should be a bug
+	NOTE: in any application that doesn't check input before passing it along.
 CVE-2006-1013 (PHP remote file include vulnerability in index.php in SMartBlog (aka ...)
 	NOT-FOR-US: SMartBlog
 CVE-2006-1012 (SQL injection vulnerability in WordPress 1.5.2, and possibly other ...)
@@ -7369,6 +7374,8 @@
 	- php5 <unfixed> (bug #368545; low)
 	[sarge] - php4 <unfixed> (bug #368545; low)
 	[woody] - php4 <unfixed> (bug #368545; low)
+	NOTE: is this really a vulnerability in pear?  it seems it should be a bug
+	NOTE: in any application not checking for such archives.
 CVE-2006-0930 (Directory traversal vulnerability in Webmail in ArGoSoft Mail Server ...)
 	NOT-FOR-US: ArgoSoft Mail Server
 CVE-2006-0929 (Directory traversal vulnerability in the IMAP server in ArGoSoft Mail ...)
@@ -13203,6 +13210,9 @@
 CVE-2005-3319 (The apache2handler SAPI (sapi_apache2.c) in the Apache module ...)
 	- php4 4:4.4.2-1 (bug #336004; bug #354684; low)
 	- php5 5.1.1-1 (bug #336005; low)
+	[sarge] - php4 <not-affected>
+	NOTE: can't reproduce, error may not be present in 4.3.  
+	NOTE: tentatively marking as not-affected in sarge.
 CVE-2005-3318 (Buffer overflow in the _chm_decompress_block function in CHM lib ...)
 	{DSA-886-1}
 	- chmlib 0.37-1 (bug #335931; medium)
@@ -17845,8 +17855,8 @@
 	NOTE: php function that displays the PHP logo and version information. In the bug
 	NOTE: log the developers seem unwilling to fix this, as it only affects a debug
 	NOTE: function.
-	NOTE: fixed in CVS, estimated release of PHP5.1 to fix this issue
-	- php4 <unfixed> (bug #349260; low)
+	NOTE: can not reproduce in any versions of php4 in the archive.
+	- php4 <not-affected> (bug #349260; low)
 	- php5 5.1.1-1 (bug #336654; low)
 CVE-2002-1953 (Heap-based buffer overflow in the goim handler of AOL Instant ...)
 	NOT-FOR-US: AIM
@@ -19158,7 +19168,7 @@
 	- shtool 2.0.1-2 (low)
 	- mysql-ocaml 1.0.3-6 (low)
 	- php4 4:4.4.0-1 (low)
-	NOTE: the patch applied to NMU #311206 fixes both CVE-2005-1759 and CVE-2005-1751
+	[sarge] - php4 4:4.3.10-16 (low)
 CVE-2005-1758 (Buffer overflow in the IMAP command continuation function in Novell ...)
 	NOT-FOR-US: Novell
 CVE-2005-1757 (Buffer overflow in the Modweb agent for Novell NetMail 3.52 before ...)
@@ -19170,7 +19180,7 @@
 	- shtool 2.0.1-2 (bug #311206; low)
 	- mysql-ocaml 1.0.3-6 (bug #314464; low)
 	- php4 4:4.3.10-16 (low)
-	NOTE: the patch applied to NMU #311206 fixes both CVE-2005-1759 and CVE-2005-1751
+	[sarge] - php4 4:4.3.10-16 (low)
 CVE-2004-2136 (dm-crypt on Linux kernel 2.6.x, when used on certain file systems ...)
 	TODO: This looks like a minor issue, the paper is from Feb 2004, check whether this still applies
 CVE-2004-2135 (cryptoloop on Linux kernel 2.6.x, when used on certain file systems ...)

More information about the Secure-testing-commits mailing list