[Secure-testing-commits] r5161 - data/CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Sat Dec 23 12:21:45 CET 2006 

Author: jmm-guest
Date: 2006-12-23 12:21:43 +0100 (Sat, 23 Dec 2006)
New Revision: 5161

Modified:
   data/CVE/list
Log:
typo CVEfied
openoffice crash not a security problem
mplayer crash not a security problem
dsniff lack of escaping not a security problem
one new firefox issue doesn't affect 1.0.x
one mozilla issue doesn't affect icedove
one mozilla issue probably not an issue on GNU/Linux
one kernel issue fixed


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-12-22 17:53:32 UTC (rev 5160)
+++ data/CVE/list	2006-12-23 11:21:43 UTC (rev 5161)
@@ -13,7 +13,8 @@
 CVE-2006-6691 (Multiple PHP remote file inclusion vulnerabilities in Valdersoft ...)
 	NOT-FOR-US: Valdersoft Shopping Cart
 CVE-2006-6690 (rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php in Typo3 4.0.0 through ...)
-	TODO: check
+	- typo3 4.0.4+debian-1 (high; bug #403906)
+	NOTE: http://typo3.org/news-single-view/?tx_newsimporter_pi1%5BshowItem%5D=0&cHash=e4a40a11a9
 CVE-2006-6689 (Multiple PHP remote file inclusion vulnerabilities in Paristemi 0.8.3 ...)
 	NOT-FOR-US: Paristemi
 CVE-2006-6688 (Web Automated Perl Portal (WebAPP) 0.9.9.4, and 0.9.9.3.4 Network ...)
@@ -100,9 +101,6 @@
 	RESERVED
 CVE-2007-0001
 	RESERVED
-CVE-2006-XXXX [Typo3 Remote Command Execution via rtehtmlarea extension]
-	- typo3 4.0.4+debian-1 (high; bug #403906)
-	NOTE: http://typo3.org/news-single-view/?tx_newsimporter_pi1%5BshowItem%5D=0&cHash=e4a40a11a9
 CVE-2006-6659 (The Microsoft Office Outlook Recipient ActiveX control (ole32.dll) in ...)
 	NOT-FOR-US: Microsoft
 CVE-2006-6658 (Inktomi Search 4.1.4 allows remote attackers to obtain sensitive ...)
@@ -166,7 +164,8 @@
 CVE-2006-6629 (lib/WeBWorK/PG/Translator.pm in WeBWorK Program Generation (PG) ...)
 	NOT-FOR-US: WeBWorK
 CVE-2006-6628 (Integer overflow in OpenOffice.org (OOo) 2.1 allows user-assisted ...)
-	- openoffice.org <unfixed> (bug #404105)
+	- openoffice.org <unfixed> (unimportant; bug #404105)
+	NOTE: No code injection possible, just a crash
 CVE-2006-6627 (Integer overflow in the packed PE file parsing implementation in ...)
 	NOT-FOR-US: BitDefender
 CVE-2006-6626 (Cross-site scripting (XSS) vulnerability in an unspecified component ...)
@@ -287,16 +286,14 @@
 CVE-2006-XXXX [xmedcon segfault on some files]
 	- xmedcon 0.9.9.4-1 (low; bug #401529)
 	TODO: check security impact
-CVE-2006-XXXX [mplayer segfault on some files]
-	- mplayer 1.0~rc1-8 (bug #402922)
-	TODO: check security impact
 CVE-2006-XXXX [dsniff urlsnarf missing output sanitization]
-	- dsniff 2.4b1+debian-16 (low; bug #400624)
-	[sarge] - dsniff <no-dsa> (minor issue)
+	- dsniff 2.4b1+debian-16 (unimportant; bug #400624)
+	NOTE: While older terminals were vulnerable to some attacks involving terminal
+	NOTE: sequences, the lack of shell escaping is not a vulnerability in dsniff
 CVE-2006-XXXX [archivemail insecure temporary file issues]
 	- archivemail 0.6.2-2
 	[sarge] - archivemail <no-dsa> (minor issue)
-CVE-2006-XXXX [pythonpaste chroot esacpe]
+CVE-2006-XXXX [pythonpaste web root esacpe]
 	- paste 1.0.1-1
 	NOTE: http://pythonpaste.org/archives/message/20061218.050654.e8997561.en.html
 CVE-2006-XXXX [moodle unspecified security bug in the forum module (discuss.php)]
@@ -459,8 +456,7 @@
 	- xulrunner <unfixed> (high)
 	- iceape <unfixed> (high)
 	- firefox <removed> (high)
-	- mozilla <removed> (high)
-	- mozilla-firefox <removed> (high)
+	NOTE: Flaw was introduced in Firefox 1.5.0.4
 	- mozilla-thunderbird <removed> (high)
 	- icedove 1.5.0.9.dfsg1-1 (high)
 CVE-2006-6503 (Mozilla Firefox 2.x before 2.0.0.1, 1.5.x before 1.5.0.9, Thunderbird ...)
@@ -481,8 +477,9 @@
 	- firefox <removed> (high)
 	- mozilla <removed> (high)
 	- mozilla-firefox <removed> (high)
-	- mozilla-thunderbird <removed> (low)
-	- icedove 1.5.0.9.dfsg1-1 (low)
+	- mozilla-thunderbird <removed> (unimportant)
+	- icedove 1.5.0.9.dfsg1-1 (unimportant)
+	NOTE: Not exploitable in standard Icedove configuration
 CVE-2006-6501 (Unspecified vulnerability in Mozilla Firefox 2.x before 2.0.0.1, 1.5.x ...)
 	NOTE: MFSA-2006-70
 	- iceweasel <unfixed> (high)
@@ -513,6 +510,8 @@
 	- mozilla-firefox <removed> (high)
 	- mozilla-thunderbird <removed> (low)
 	- icedove 1.5.0.9.dfsg1-1 (low)
+	NOTE: Is it possible to reduce the floating point precision in Linux as a non-priv
+	NOTE: user? I don't think so
 CVE-2006-6498 (Multiple unspecified vulnerabilities in the JavaScript engine for ...)
 	NOTE: MFSA-2006-68
 	- iceweasel <unfixed> (high)
@@ -4681,7 +4680,7 @@
 	{DSA-1202-1}
 	- screen 4.0.3-0.1 (bug #395225; bug #395999; medium)
 CVE-2006-4572 (ip6_tables in netfilter in the Linux kernel before 2.6.16.31 allows ...)
-	- linux-2.6 <unfixed>
+	- linux-2.6 2.6.18-9
 CVE-2006-4571 (Multiple unspecified vulnerabilities in Firefox before 1.5.0.7, ...)
 	{DSA-1210 DSA-1192-1 DSA-1191-1}
 	NOTE: MFSA-2006-64

More information about the Secure-testing-commits mailing list