[Secure-testing-commits] r3701 - in data: . CVE DSA

Mon Mar 27 23:25:17 UTC 2006

Author: jmm-guest
Date: 2006-03-27 23:25:11 +0000 (Mon, 27 Mar 2006)
New Revision: 3701

Modified:
   data/CVE/list
   data/DSA/list
   data/ID_pending
Log:
new flex DSA
another CVE ID for older bugzilla issue
one real issue didn't affect helix after all
remove non-issue


Modified: data/CVE/list
===================================================================

--- data/CVE/list	2006-03-27 16:30:14 UTC (rev 3700)
+++ data/CVE/list	2006-03-27 23:25:11 UTC (rev 3701)
@@ -259,6 +259,7 @@
 	NOT-FOR-US: Inprotect
 CVE-2006-1269 (Buffer overflow in the parse function in parse.c in zoo 2.10 might ...)
 	- zoo <unfixed> (low)
+	[sarge] - zoo <no-dsa> (Attack vector very far-fetched, hardly exploitable)
 CVE-2006-1268 (The Internet Key Exchange implementation in Funkwerk X2300 7.2.1 ...)
 	NOT-FOR-US: Funkwerk X2300
 CVE-2006-1267 (Invision Power Board 2.1.4 allows remote attackers to hijack sessions ...)
@@ -1058,7 +1059,9 @@
 	[woody] - bugzilla <not-affected> (Only 2.17 and above are affected)
 	[sarge] - bugzilla <not-affected> (Only 2.17 and above are affected)
 CVE-2006-0913 (SQL injection vulnerability in whineatnews.pl in Bugzilla 2.17 through ...)
-	TODO: check
+	- bugzilla <unfixed> (bug #354457)
+	[woody] - bugzilla <not-affected> (Only 2.17 and above are affected)
+	[sarge] - bugzilla <not-affected> (Only 2.17 and above are affected)
 CVE-2006-0912 (Oreka before 0.5 allows remote attackers to cause a denial of service ...)
 	TODO: check
 CVE-2006-0911 (NmService.exe in Ipswitch WhatsUp Professional 2006 allows remote ...)
@@ -2461,7 +2464,7 @@
 CVE-2006-0324 (SQL injection vulnerability in WebspotBlogging 3.0 allows remote ...)
 	NOT-FOR-US: WebspotBlogging
 CVE-2006-0323 (Buffer overflow in multiple RealNetworks products and versions ...)
-	- helix-player <unfixed> (bug #358754; medium)
+	NOT-FOR-US: Real Player (initial advisory claimed Helix affected, which is incorrect
 CVE-2006-0322 (Unspecified vulnerability the edit comment formatting functionality in ...)
 	- mediawiki <unfixed> (low)
 CVE-2005-4666 (Cross-site scripting (XSS) vulnerability in PHlyMail before 3.3 Beta1 ...)
@@ -10199,8 +10202,6 @@
 	NOT-FOR-US: AppWeb HTTP server
 CVE-2004-2213 (Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to ...)
 	NOT-FOR-US: AppWeb HTTP server
-CVE-2005-XXXX [strobe reads file from unsafe directory]
-	- netdiag 0.7-7.1 (bug #206905; low)
 CVE-2005-XXXX [Integer overflow in ffmpeg's MPEG encoding]
 	- ffmpeg 0.cvs20050811-1 (bug #320150; medium)
 CVE-2005-XXXX [xgalaga score file segfault]

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2006-03-27 16:30:14 UTC (rev 3700)
+++ data/DSA/list	2006-03-27 23:25:11 UTC (rev 3701)
@@ -1,3 +1,6 @@
+[28 Mar 2006] DSA-1020-1 flex - buffer overflow
+	{CVE-2006-0459}
+	[sarge] - flex 2.5.31-31sarge1
 [24 Mar 2006] DSA-1019-1 koffice - several
 	{CVE-2006-1244}
 	[sarge] - koffice 1.3.5-4.sarge.3

Modified: data/ID_pending
===================================================================
--- data/ID_pending	2006-03-27 16:30:14 UTC (rev 3700)
+++ data/ID_pending	2006-03-27 23:25:11 UTC (rev 3701)
@@ -147,8 +147,6 @@
 CVE-2005-XXXX [microcode.ctl downloads microcode w/o user confirmation]
 	- microcode.ctl <unfixed> (bug #282583; unimportant)
 	NOTE: The validity of the microcode is ensure inside the CPU
-CVE-2005-XXXX [Unsafe user of snprintf() in icebreaker's highscore list]
-	- icebreaker 1.21-9.1 (bug #297644; low)
 CVE-2001-XXXX [gnupg: inproper flagging of signatures as being local]
 	- gnupg 1.0.7-1 (bug #107374)
 CVE-2003-XXXX [Insecure temp files in lilo]


