[Secure-testing-commits] r3488 - data/CVE
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Wed Feb 15 09:37:11 UTC 2006
Author: jmm-guest
Date: 2006-02-15 09:37:06 +0000 (Wed, 15 Feb 2006)
New Revision: 3488
Modified:
data/CVE/list
Log:
updates on phpbb, as discussed with maintainer
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2006-02-15 09:14:32 UTC (rev 3487)
+++ data/CVE/list 2006-02-15 09:37:06 UTC (rev 3488)
@@ -116,7 +116,11 @@
CVE-2006-0633 (The make_password function in ipsclass.php in Invision Power Board ...)
NOT-FOR-US: Invision Power Board
CVE-2006-0632 (The gen_rand_string function in phpBB 2.0.19 uses insufficiently ...)
- NOTE: Sounds irrelevant, pinged phpbb maintainers
+ - phpbb2 <unfixed> (low)
+ NOTE: According to maintainers phpbb2 doesn't have useful countermeasures against
+ NOTE: brute-force password guessing and as password seeding is based on milliseconds
+ NOTE: NTP-timed attacks may even be in the area of a couple thousands attempts
+ NOTE: instead of a million
CVE-2006-0631 (CRLF injection vulnerability in Erik C. Thauvin mailback allows remote ...)
NOT-FOR-US: Erik C. Thauvin mailback
CVE-2006-0630 (RITLabs The Bat! before 3.0.0.15 displays certain important headers ...)
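Review bot: The four NOTE lines under CVE-2006-0632 read as an argument that the issue is more exploitable (seeding on milliseconds narrows the search to a couple thousand attempts instead of a million), yet the new entry rates it "(low)"; the note should state the actual reason for the low rating rather than leave the reader to infer it, and the maintainer discussion it relies on should be cited (bug number or list message) so the assessment can be rechecked later. Also, "a couple thousands attempts" should read "a couple thousand attempts".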
@@ -433,7 +437,7 @@
CVE-2006-0490 (SQL injection vulnerability in login.asp in ASPThai.Net ASPThai Forums ...)
NOT-FOR-US: ASPThai Forums
CVE-2006-0489 (** DISPUTED ** Buffer overflow in the font command of mIRC, probably ...)
- TODO: check
+ NOT-FOR-US: mIRC
CVE-2006-0488 (The VDM (Virtual DOS Machine) emulation environment for MS-DOS ...)
NOT-FOR-US: Microsoft
CVE-2006-0487 (Multiple unspecified vulnerabilities in Tumbleweed MailGate Email ...)
@@ -614,9 +618,11 @@
CVE-2006-0439 (Text Rider 2.4 stores sensitive data in the data directory under the ...)
NOT-FOR-US: Text Rider
CVE-2006-0438 (Cross-site request forgery (CSRF) vulnerability in phpBB 2.0.19, when ...)
- TODO: check
+ - phpbb2 <unfixed> (unimportant)
+ NOTE: No real world risk according to maintainer
CVE-2006-0437 (Cross-site scripting (XSS) vulnerability in admin_smilies.php in phpBB ...)
- TODO: check
+ - phpbb2 <unfixed> (unimportant)
+ NOTE: Intended behaviour according to maintainer
CVE-2006-0436 (Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 ...)
NOT-FOR-US: HP-UX
CVE-2006-0435 (Unspecified vulnerability in Oracle PL/SQL (PLSQL) allows attackers to ...)
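Review bot: Both phpbb2 entries in this hunk record the maintainer's conclusion ("No real world risk", "Intended behaviour") but not the reasoning behind it, and since "(unimportant)" entries are effectively closed, that reasoning is what a later reader will need; add a short NOTE giving the basis for each (what the CSRF in CVE-2006-0438 can and cannot trigger, why the admin_smilies.php behaviour in CVE-2006-0437 is considered intended) or a pointer to the maintainer discussion named in the log message.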