[Secure-testing-commits] r4457 - data/CVE

Moritz Muehlenhoff jmm-guest at costa.debian.org
Wed Jul 26 20:33:52 UTC 2006 

Author: jmm-guest
Date: 2006-07-26 20:33:48 +0000 (Wed, 26 Jul 2006)
New Revision: 4457

Modified:
   data/CVE/list
Log:
removed amanda issue: according to Bdale the code doesn't work, so
   it's not exploitable
removed metar issue: checked the diff; this is not exploitable
crypt++el is actually fixed since long
some no-dsa for minor issues


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-07-26 08:15:40 UTC (rev 4456)
+++ data/CVE/list	2006-07-26 20:33:48 UTC (rev 4457)
@@ -2953,6 +2953,7 @@
 	RESERVED
 CVE-2006-2480 (Format string vulnerability in Dia 0.94 allows user-complicit ...)
 	- dia 0.95.0-4 (bug #368202; low)
+	[sarge] - dia <no-dsa> (Hardly exploitable, would require obviously malformed file names)
 CVE-2006-2479 (The Update functionality in Bitrix Site Manager 4.1.x does not verify ...)
 	NOT-FOR-US: Bitrix
 CVE-2006-2478 (Bitrix Site Manager 4.1.x allows remote attackers to redirect users to ...)
@@ -3009,6 +3010,7 @@
 	RESERVED
 CVE-2006-2453 (Multiple unspecified format string vulnerabilities in Dia have ...)
 	- dia 0.95.0-4 (bug #368202; medium)
+	[sarge] - dia <no-dsa> (Hardly exploitable, would require obviously malformed file names)
 CVE-2006-2452 (GNOME GDM 2.8, 2.12, 2.14, and 2.15, when the &quot;face browser&quot; feature ...)
 	- gdm <unfixed> (bug #375281; medium)
 	[sarge] - gdm <not-affected> (Vulnerable code has only been introduced with 2.8)
@@ -13227,9 +13229,6 @@
 	- isoqlog 2.2-0.1 (bug #254101; bug #202634)
 CVE-2002-XXXX [libnss-ldap: DoS through truncated DNS queries]
 	- libnss-ldap 199-1 (bug #169793)
-CVE-2004-XXXX [Insecure temp files in amanda's chg-manual]
-	- amanda 1:2.4.5p1-1 (bug #226139; low)
-	NOTE: Woody and Sarge affected
 CVE-2005-3752 (Unspecified vulnerability in ldapdiff before 1.1.1 has unknown impact ...)
 	- ldapdiff <not-affected> (The version in Debian doesn't contain the vulnerable code, see #306878)
 CVE-2005-XXXX [apt-cache doesn't differentiate sources which share several properties]
@@ -13246,8 +13245,7 @@
 	- hdup <unfixed> (bug #302790; low)
 	[sarge] - hdup <no-dsa> (Mostly a bug, very limited security implications)
 CVE-2001-XXXX [crypt++ passes passwords through the command line]
-	- crypt++el <unfixed> (bug #105562; low)
-	NOTE: Sarge and Woody are affected
+	- crypt++el 2.91-2.1 (bug #105562; low)
 CVE-2004-XXXX [Two vulnerabilities in sredird]
 	- sredird 2.2.1-1.1 (bug #267098)
 CVE-2003-XXXX [fuzz: Insecure temp file usage]
@@ -14019,7 +14017,8 @@
 CVE-2005-2799 (Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and ...)
 	NOT-FOR-US: Linksys routers
 CVE-2005-2798 (sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, ...)
-	- openssh 1:4.2p1-1 (bug #326065; medium)
+	- openssh 1:4.2p1-1 (bug #326065; unimportant)
+	NOTE: Not enabled in the binary build, see #326065
 	- openssh-krb5 <unfixed> (bug #327233; medium)
 CVE-2005-2797 (OpenSSH 4.0, and other versions before 4.2, does not properly handle ...)
 	- openssh 1:4.2p1-1 (bug #326065; medium)
@@ -15201,8 +15200,6 @@
 	- kernel-source-2.6.8 2.6.8-16sarge1 (bug #309308; low)
 	NOTE: 2.6.12-1 contained a partially broken fix
 	- linux-2.6 2.6.12-6 (bug #309308; low)
-CVE-2005-XXXX [Unspecified buffer overflow in metar]
-	- metar 20050807.1-1 (unknown)
 CVE-2005-2489 (Web Content Management News System allows remote attackers to create ...)
 	NOT-FOR-US: Web Content Management News System
 CVE-2005-2488 (Cross-site scripting (XSS) vulnerability in Web Content Management ...)
@@ -15870,7 +15867,8 @@
 CVE-2004-2266 (SQL injection vulnerability in Ansel 2.1 and earlier allows remote ...)
 	NOT-FOR-US: Ansel
 CVE-2004-2265 (UUDeview 0.5.20 and earlier handles temporary files insecurely during ...)
-	- uudeview 0.5.20-2.1 (bug #320541; medium)
+	- uudeview 0.5.20-2.1 (bug #320541; low)
+	[sarge] - uudeview <no-dsa> (Hardly exploitable)
 	NOTE: dnprogs apparetly not vulnerable, unsafe code is not called (#358500)
 CVE-2004-2264 (** DISPUTED ** ...)
 	- less <not-affected> (less is not suid, explotability unlikely)

More information about the Secure-testing-commits mailing list