[Secure-testing-commits] r4951 - in data: CVE DSA

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Sat Nov 11 12:04:42 CET 2006


Author: jmm-guest
Date: 2006-11-11 12:04:41 +0100 (Sat, 11 Nov 2006)
New Revision: 4951

Modified:
   data/CVE/list
   data/DSA/list
Log:
one issue already fixed in previous DSA
no-dsa for two minor xfree issues
two courier issues not an issue; one not exploitable/ one missing sec feature
not-affected/no-dsa issues for bugzilla and phpmyadmin


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-11-11 10:50:50 UTC (rev 4950)
+++ data/CVE/list	2006-11-11 11:04:41 UTC (rev 4951)
@@ -753,8 +753,10 @@
 	- imagemagick 7:6.2.4.5.dfsg1-0.11 (bug #393025)
 CVE-2006-5455 (Cross-site request forgery (CSRF) vulnerability in editversions.cgi in ...)
 	- bugzilla 2.22.1-1 (bug #395094; low)
+	[sarge] - bugzilla (CSRF infrastructure not present, too intrusive to backport)
 CVE-2006-5454 (Bugzilla 2.18.x before 2.18.6, 2.20.x before 2.20.3, 2.22.x before ...)
 	- bugzilla 2.22.1-1 (bug #395094; low)
+	[sarge] - bugzilla <not-affected> (Vulnerable code not present)
 CVE-2006-5453 (Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.18.x ...)
 	- bugzilla 2.22.1-1 (bug #395094; low)
 CVE-2006-5452 (Buffer overflow in dtmail on HP Tru64 UNIX 4.0F through 5.1B and HP-UX ...)
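Review bot: the added sarge line for CVE-2006-5455 is missing its state marker. Every other sarge annotation in this patch carries one (`<not-affected>` two lines below it, `<no-dsa>` for the xfree86 and phpmyadmin entries), and the commit log describes this as a no-dsa entry, so the line should probably read `[sarge] - bugzilla <no-dsa> (CSRF infrastructure not present, too intrusive to backport)`; without the tag the tracker has no way to tell a deliberate no-dsa decision from an unfinished line.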
@@ -1255,11 +1257,11 @@
 	- shttpd <itp> (bug #341284)
 CVE-2006-5215 (The Xsession script, as used by X Display Manager (xdm) in NetBSD ...)
 	- xdm 1:1.0.5-1 (low)
-	[sarge] - xfree86 <unfixed> (low)
+	[sarge] - xfree86 <no-dsa> (Minor issue)
 	NOTE: probably fixed earlier than 1:1.0.5
 CVE-2006-5214 (Race condition in the Xsession script, as used by X Display Manager ...)
 	- xdm 1:1.0.5-1 (low)
-	[sarge] - xfree86 <no-dsa> (low)
+	[sarge] - xfree86 <no-dsa> (Minor issue)
 	NOTE: probably fixed earlier than 1:1.0.5
 CVE-2006-5213 (Sun Solaris 10 before 20061006 uses &quot;incorrect and insufficient ...)
 	NOT-FOR-US: Solaris
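Review bot: both xfree86 sarge entries now say only "(Minor issue)", while the xdm lines above them still carry the "(low)" severity and the NOTE "probably fixed earlier than 1:1.0.5" is left standing unchanged for both CVEs. If the xdm fix version is still unconfirmed, the NOTE should say what was checked, or the entries should keep a version range that can be verified later; a no-dsa for sarge on a "probably fixed" upstream version is a weaker record than the `<unfixed>` it replaces for CVE-2006-5215.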
@@ -9042,8 +9044,10 @@
 	NOT-FOR-US: PowerClan
 CVE-2006-1804 (SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows ...)
 	- phpmyadmin 4:2.8.1-1 (bug #363519; low)
+	[sarge] - phpmyadmin <not-affected>
 CVE-2006-1803 (Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin ...)
 	- phpmyadmin 4:2.8.1-1 (bug #363519; low)
+	[sarge] - phpmyadmin <no-dsa> (CSRF code not present in Sarge, too intrusive to backport)
 CVE-2006-1802 (Cross-site scripting (XSS) vulnerability in index.php in ...)
 	NOT-FOR-US: TinyWebGallery
 CVE-2006-1801 (Cross-site scripting (XSS) vulnerability in planetsearchplus.php in ...)
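Review bot: the reason given for the CVE-2006-1803 no-dsa does not match the issue. The description line for that CVE is a cross-site scripting bug in sql.php, but the added annotation says "CSRF code not present in Sarge, too intrusive to backport", which reads like the bugzilla rationale from earlier in this commit copied over; the note should state why the XSS fix is unsuitable for sarge. The new `[sarge] - phpmyadmin <not-affected>` line for CVE-2006-1804 should also carry a short reason in parentheses, as the bugzilla not-affected line in this same commit does ("Vulnerable code not present"), so the conclusion can be re-checked later.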
@@ -19573,9 +19577,8 @@
 CVE-2004-2314 (The Telnet listener for Novell iChain Server before 2.2 Field Patch 3b ...)
 	NOT-FOR-US: Novell iChain Server
 CVE-2004-2313 (Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error ...)
-	- courier <unfixed>
-	NOTE: Did not find reference to fix in upstream changelog or any other hint that it is fixed
-	NOTE: pinged Maintainer, no response
+	- courier <unfixed> (unimportant)
+	NOTE: This is a lack of a security feature, but not a direct vulnerability
 CVE-2004-2312 (Buffer overflow in GNU make for IBM AIX 4.3.3, when installed setgid, ...)
 	NOT-FOR-US: AIX only
 CVE-2004-2311 (Directory traversal vulnerability in webadmin.nsf in Lotus Domino R6 ...)
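Review bot: the two removed NOTE lines for CVE-2004-2313 are the investigation trail (no upstream fix found in the changelog, maintainer pinged without response) and nothing in the new NOTE supersedes them. Downgrading to "(unimportant)" does not make the issue fixed, and the package stays `<unfixed>`, so keep those two lines alongside the new "lack of a security feature" NOTE rather than dropping them; a later triager otherwise repeats the same search and the same ping.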
@@ -25021,9 +25024,7 @@
 CVE-2005-1309 (Cross-site scripting (XSS) vulnerability in bBlog 0.7.4 allows remote ...)
 	NOT-FOR-US: bBlog
 CVE-2005-1308 (SqWebMail allows remote attackers to inject arbitrary web script or ...)
-	- courier <unfixed> (bug #307575; medium)
-	NOTE: Upstream explanation looks wrong, not all code paths perform escaping.
-	NOTE: Sarge and Woody are affected
+	- courier <unfixed> (bug #307575; unimportant)
 CVE-2005-1307 (The (1) stopserver.sh and (2) startserver.sh scripts in Adobe Version ...)
 	NOT-FOR-US: Adobe Version Cue
 CVE-2005-1306 (The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 ...)
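Review bot: CVE-2005-1308 goes from "medium" to "unimportant" with no NOTE explaining why the earlier analysis ("Upstream explanation looks wrong, not all code paths perform escaping") no longer holds. The commit log says one of the courier issues is "not exploitable", but that reasoning is only in the log message, not in the tracker data; add a NOTE line stating what makes the XSS unexploitable so the removed analysis is explicitly overruled instead of silently deleted. The dropped "Sarge and Woody are affected" line also carried release information that the remaining `<unfixed>` entry no longer records.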

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2006-11-11 10:50:50 UTC (rev 4950)
+++ data/DSA/list	2006-11-11 11:04:41 UTC (rev 4951)
@@ -403,7 +403,7 @@
         [woody] - lynx 2.8.4.1b-3.4
         [sarge] - lynx 2.8.5-2sarge2
 [26 May 2006] DSA-1075-1 awstats - programming error
-        {CVE-2006-2644}
+        {CVE-2006-2644 CVE-2006-1945}
         [sarge] - awstats 6.4-1sarge3 (bug #365910)
 [24 May 2006] DSA-1074-1 mpg123 - buffer overflow
         {CVE-2006-1655}
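Review bot: CVE-2006-1945 is added to the already-published DSA-1075-1 record here, but none of the data/CVE/list hunks in this commit touch the CVE-2006-1945 entry. For the two files to agree, that CVE entry needs the matching `[sarge] - awstats 6.4-1sarge3` line (or an equivalent fixed-version reference); otherwise the DSA side claims the fix while the CVE side may still show the issue open for sarge.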
