[Secure-testing-commits] r4647 - in data: CVE DSA

Moritz Muehlenhoff jmm-guest at costa.debian.org
Mon Aug 28 18:35:28 UTC 2006 

Author: jmm-guest
Date: 2006-08-28 18:35:24 +0000 (Mon, 28 Aug 2006)
New Revision: 4647

Modified:
   data/CVE/list
   data/DSA/list
Log:
fix streamripper syntax
webalizer fixed
remove provisional php entries
no-dsa for non-free mpg123
zope-zms unimportant
bind no-dsa
remove stray ruby entry
libjpeg/tmp no-dsa


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-08-28 07:15:27 UTC (rev 4646)
+++ data/CVE/list	2006-08-28 18:35:24 UTC (rev 4647)
@@ -301,9 +301,6 @@
 	NOT-FOR-US: 04WebServer
 CVE-2002-2216 (Soft3304 04WebServer before 1.20 does not properly process URL ...)
 	NOT-FOR-US: 04WebServer
-CVE-2006-XXXX [multiple issues fixed by php 4.4.4 and 5.1.5]
-	- php4 <unfixed> (medium)
-	- php5 <unfixed> (medium)
 CVE-2006-XXXX [gallery2 session ID disclosure]
 	- gallery2 2.1.2-1
 CVE-2006-XXXX [insecure filehandling in mysql_upgrade]
@@ -1069,7 +1066,7 @@
 CVE-2006-XXXX [uqwk buffer overflow]
 	- uqwk 2.21-13 (bug #376577; medium)
 CVE-2006-XXXX [Webalizer buffer overflows]
-	- webalizer <unfixed> (unknown)
+	- webalizer 2.01.10-30 (unknown)
 	NOTE: 11_various_buffer_overflows should be reviewed for exploitability
 CVE-2006-3837 (delcookie.php in Professional Home Page Tools Guestbook changes the ...)
 	NOT-FOR-US: Professional Home Page Tools Guestbook
@@ -2172,6 +2169,7 @@
 	NOT-FOR-US: Apple
 CVE-2006-3355 (Heap-based buffer overflow in httpdget.c in mpg123 before 0.59s-rll ...)
 	- mpg123 <unfixed> (bug #377264; medium)
+	[sarge] - mpg123 <no-dsa> (Non-free not supported)
 CVE-2006-3354 (Microsoft Internet Explorer 6 allows remote attackers to cause a ...)
 	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2006-3353 (Opera 9 allows remote attackers to cause a denial of service (crash) ...)
@@ -2956,8 +2954,9 @@
 CVE-2006-2998 (PHP remote file inclusion vulnerability in board/post.php in free ...)
 	NOT-FOR-US: not packaged for Debian
 CVE-2006-2997 (Cross-site scripting (XSS) vulnerability in ZMS 2.9 and earlier, when ...)
-	- zope-zms <unfixed> (bug #373667; low)
+	- zope-zms <unfixed> (bug #373667; unimportant)
 	[sarge] - zope-zms <no-dsa> (Only exploitable with register_globals)
+	NOTE: register_globals is an unsupported mode of operation in Debian
 CVE-2006-2996 (PHP remote file inclusion vulnerability in inc/design.inc.php in ...)
 	NOT-FOR-US: aePartner
 CVE-2006-2995 (Multiple PHP remote file inclusion vulnerabilities in WebprojectDB ...)
@@ -4025,6 +4024,7 @@
 	NOT-FOR-US: Fujitsu UXP/V
 CVE-2002-2211 (BIND 4 and BIND 8, when resolving recursive DNS queries for arbitrary ...)
 	- bind <unfixed> (medium)
+	[sarge] - bind <no-dsa> (Upgrade to BIND 9 as a fix)
 	- bind9 <not-affected> (does not send parallel queries)
 	NOTE: Disabling recursion does not close all attack vectors.
 	NOTE: Browser reflection attacks will still work.
@@ -5465,9 +5465,7 @@
 CVE-2006-1931 (The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, ...)
 	{DSA-1157}
 	NOTE: the redhat bugzilla entry says this is fixed in 1.8.3
-	NOTE: the fix is definitely not in 1.8.2-7sarge2	
 	- ruby1.8 1.8.3
-	[sarge] - ruby1.8 <unfixed> (bug #365520)
 CVE-2006-1930 (** DISPUTED ** ...)
 	NOT-FOR-US: Green Minute
 CVE-2006-1929 (PHP remote file inclusion vulnerability in include/common.php in ...)
@@ -8898,6 +8896,7 @@
 	[woody] - evolution <not-affected> (Vulnerability was apparantly introduced in 2.3.1)
 CVE-2006-0527 (BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, ...)
 	- bind <unfixed> (medium)
+	[sarge] - bind <no-dsa> (Architectual limitatiom, upgrade to BIND 9 as a a fix)
 	NOTE: BIND 8 is unsuitable for forwarder use because of its
 	NOTE: architecture.  Upgrade to BIND 9 as a fix.
 CVE-2006-0526 (The default configuration of the America Online (AOL) client software ...)
@@ -10559,6 +10558,7 @@
 CVE-2005-XXXX [Insecure tempfile in libjpeg6b's exifautotran]
 	- libjpeg6b 6b-11 (bug #340079; low)
 	[woody] - libjpeg6b <not-affected> (Does not include exifautotran)
+	[sarge] - libjpeg6b <no-dsa> (Creates tempfile in cwd, only very far-fetched attack vectors applicable)
 CVE-2006-0043 (Buffer overflow in the realpath function in nfs-server rpc.mountd, as ...)
 	{DSA-975-1}
 	- nfs-user-server 2.2beta47-22 (high; bug #350020)

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2006-08-28 07:15:27 UTC (rev 4646)
+++ data/DSA/list	2006-08-28 18:35:24 UTC (rev 4647)
@@ -1,6 +1,6 @@
 [27 Aug 2006] DSA-1158 streamripper
         {CVE-2006-3124}
-        [sarge] - streamripper1.61.7-1sarge1
+        [sarge] - streamripper 1.61.7-1sarge1
 [27 Aug 2006] DSA-1157 ruby1.8
         {CVE-2006-3694 CVE-2006-1931}
         [sarge] - ruby1.8 1.8.2-7sarge4

More information about the Secure-testing-commits mailing list