[Secure-testing-commits] r3276 - data/CVE

Moritz Muehlenhoff jmm-guest at costa.debian.org
Thu Jan 12 11:12:09 UTC 2006


Author: jmm-guest
Date: 2006-01-12 11:12:03 +0000 (Thu, 12 Jan 2006)
New Revision: 3276

Modified:
   data/CVE/list
Log:
new sudo issue
new libapache-auth-ldap issue
lots of NFUS


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-01-12 09:14:20 UTC (rev 3275)
+++ data/CVE/list	2006-01-12 11:12:03 UTC (rev 3276)
@@ -69,70 +69,71 @@
 	NOTE: question, that makes it very clear that setuid root is only for single-user
 	NOTE: systems and xmame-sdl and xmess aren't setuid at all
 	[sarge] - xmame <no-dsa> (XMame is non-free software)
-begin claimed by jmm
 CVE-2006-0160 (SQL injection vulnerability in add_post.php3 in Venom Board 1.22 ...)
-	TODO: check
+	NOT-FOR-US: Venom Board
 CVE-2006-0159 (SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows ...)
-	TODO: check
+	NOT-FOR-US: Foro Domus
 CVE-2006-0158 (SQL injection vulnerability in index.php in CyberDoc SiteSuite CMS ...)
-	TODO: check
+	NOT-FOR-US: CyberDoc SiteSuite CMS
 CVE-2006-0157 (settings.php in Reamday Enterprises Magic News Plus 1.0.3 allows ...)
-	TODO: check
+	NOT-FOR-US: Reamday Enterprises Magic News Plus
 CVE-2006-0156 (Cross-site scripting (XSS) vulnerability in Foxrum 4.0.4f allows ...)
-	TODO: check
+	NOT-FOR-US: Foxforum
 CVE-2006-0155 (Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and ...)
-	TODO: check
+	NOT-FOR-US: 427BB
 CVE-2006-0154 (SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 ...)
-	TODO: check
+	NOT-FOR-US: 427BB
 CVE-2006-0153 (427BB 2.2 and 2.2.1 verifies authentication credentials based on the ...)
-	TODO: check
+	NOT-FOR-US: 427BB
 CVE-2006-0152 (Cross-site scripting (XSS) in search_result.php in phpChamber 1.2 and ...)
-	TODO: check
+	NOT-FOR-US: phpChamber
 CVE-2006-0151 (sudo 1.6.8 and other versions does not clear the PYTHONINSPECT ...)
-	TODO: check
+	- sudo <unfixed>
+	NOTE: The whole black list approach is flawed, for the DSA we'll switch to
+	NOTE: a white list approach of known to be safe env vars.
 CVE-2006-0150 (Multiple format string vulnerabilities in the auth_ldap_log_reason ...)
-	TODO: check
+	- libapache-auth-ldap <removed>
+	NOTE: DSA in preparation
 CVE-2006-0149 (Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with ...)
-	TODO: check
+	NOT-FOR-US: SimpBook
 CVE-2006-0148 (NetSarang Xlpd 2.1 allows remote attackers to cause a denial of ...)
-	TODO: check
+	NOT-FOR-US: NetSarang Xlpd
 CVE-2006-0147 (Dynamic code evaluation vulnerability in tests/tmssql.php test script ...)
-	TODO: check
+	NOT-FOR-US: ADOdb for PHP
 CVE-2006-0146 (The server.php test script in ADOdb for PHP before 4.70, as used in ...)
-	TODO: check
+	NOT-FOR-US: ADOdb for PHP
 CVE-2006-0145 (The lseek system call in kernfs in NetBSD 1.6 through 2.1 does not ...)
-	TODO: check
+	NOT-FOR-US: NetBSD
 CVE-2006-0144 (The proxy server feature in go-pear.php in PHP PEAR 0.2.2 allows ...)
-	TODO: check
+	TODO: check, whether this is included in the PEAR packages from PHP 4 oder 5
 CVE-2006-0143 (Microsoft Windows Graphics Rendering Engine (GRE) allows remote ...)
-	TODO: check
+	NOT-FOR-US: Windows
 CVE-2006-0142 (Cross-site scripting (XSS) vulnerability in andromeda.php in Andromeda ...)
-	TODO: check
+	NOT-FOR-US: Andromeda
 CVE-2006-0141 (Qualcomm Eudora Internet Mail Server (EIMS) before 3.2.8 allows remote ...)
-	TODO: check
+	NOT-FOR-US: Eudora
 CVE-2006-0140 (Cross-site scripting (XSS) vulnerability in post.php in NavBoard V16 ...)
-	TODO: check
+	NOT-FOR-US: Navboard
 CVE-2006-0139 (The send-private-message functionality (send-private-message.asp) in ...)
-	TODO: check
+	NOT-FOR-US: PD9 Software MegaBBS
 CVE-2005-4641 (SQL injection vulnerability in home.php in eazyCMS 2.0 allows remote ...)
-	TODO: check
+	NOT-FOR-US: eazyCMS
 CVE-2005-4640 (SQL injection vulnerability in index.php in class-1 Poll Software 0.4 ...)
-	TODO: check
+	NOT-FOR-US: class-1 Poll
 CVE-2005-4639 (Buffer overflow in the CA-driver (dst_ca.c) for TwinHan DST ...)
-	TODO: check
+	NOT-FOR-US: TwinHan DST
 CVE-2005-4638 (index.php in Kayako SupportSuite 3.00.26 and earlier allow remote ...)
-	TODO: check
+	NOT-FOR-US: Kayako SupportSuite
 CVE-2005-4637 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...)
-	TODO: check
+	NOT-FOR-US: Kayako SupportSuite
 CVE-2005-4636 (OpenOffice.org 2.0 and earlier, when hyperlinks has been disabled, ...)
 	- openoffice.org <unfixed> (unimportant)
 	NOTE: This is a non-issue IMO (neilm). OOo just launches a web browser. 
 	NOTE: If the admin doesn't web browsing, why is one installed/enabled?
 CVE-2004-2653 (Unspecified vulnerability in PD9 Software MegaBBS 2.0 and 2.1 allows ...)
-	TODO: check
+	NOT-FOR-US: PD9 Software MegaBBS
 CVE-2006-0162 (Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus ...)
 	- clamav 0.88-1
-end claimed by jmm
 CVE-2006-0138 (aMSN (aka Alvaro's Messenger) allows remote attackers to cause a ...)
 	NOT-FOR-US: Alvaro's Messenger
 CVE-2006-0137 (SQL injection vulnerability in linkcategory.php in Phanatic Softwares ...)
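Review bot: the NOT-FOR-US triage for CVE-2006-0146 and CVE-2006-0147 (ADOdb for PHP) deserves a second look before this is committed as final: the CVE text for CVE-2006-0146 itself reads "as used in ...", i.e. ADOdb is a library that ships embedded in other PHP applications, so a package search for bundled copies of tests/tmssql.php and server.php (and for a standalone ADOdb package) should precede marking it not-for-us. Two smaller points in the same hunk: the CVE-2006-0156 annotation says "NOT-FOR-US: Foxforum" while the CVE description names "Foxrum 4.0.4f", so the product name should match the description to keep the entry greppable; and the CVE-2006-0144 line "TODO: check, whether this is included in the PEAR packages from PHP 4 oder 5" has a German "oder" where "or" is meant. Finally, for CVE-2006-0150 the entry is "- libapache-auth-ldap <removed>" followed by "NOTE: DSA in preparation"; since a DSA targets the stable release, the stable state should be recorded explicitly on a "[sarge] - libapache-auth-ldap ..." line in the style used for xmame at the top of the hunk, otherwise the <removed> tag alone suggests nothing remains to fix.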
