[Secure-testing-commits] r4976 - data/CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Sun Nov 19 10:54:22 CET 2006 

Author: jmm-guest
Date: 2006-11-19 10:54:20 +0100 (Sun, 19 Nov 2006)
New Revision: 4976

Modified:
   data/CVE/list
Log:
several no-dsas
some moodle issues unimportant
ffmpeg issues affects xine-lib as well
older pam-mysql issues don't affect Sarge
gradm2 not affected by RBAC issue
sympa unimportant


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-11-18 12:04:01 UTC (rev 4975)
+++ data/CVE/list	2006-11-19 09:54:20 UTC (rev 4976)
@@ -1861,7 +1861,8 @@
 CVE-2006-5112 (Buffer overflow in InterVations NaviCOPA Web Server 2.01 allows remote ...)
 	NOT-FOR-US: NaviCOPA Web Server
 CVE-2006-5111 (The libksba library 0.9.12 and possibly other versions, as used by ...)
-	- libksba 0.9.14-1 (bug #391278)
+	- libksba 0.9.14-1 (low; bug #391278)
+	[sarge] - libksba <no-dsa> (Minor issue)
 CVE-2006-5110 (Cross-site scripting (XSS) vulnerability in home.php in PHP Invoice ...)
 	NOT-FOR-US: PHP Invoice
 CVE-2006-5109 (Devellion CubeCart 2.0.x allows remote attackers to obtain sensitive ...)
@@ -2224,9 +2225,11 @@
 	- moodle 1.6.2-1
 	[sarge] - moodle <not-affected> (Function not present)
 CVE-2006-4939 (backup/backup_scheduled.php in Moodle before 1.6.2 generates trace ...)
-	- moodle 1.6.2-1
+	- moodle 1.6.2-1 (unimportant)
+	NOTE: Path disclosure
 CVE-2006-4938 (help.php in Moodle before 1.6.2 does not check the existence of ...)
-	- moodle 1.6.2-1
+	- moodle 1.6.2-1 (unimportant)
+	NOTE: Path disclosure
 CVE-2006-4937 (lib/setup.php in Moodle before 1.6.2 sets the error reporting level to ...)
 	- moodle 1.6.2-1
 CVE-2006-4936 (Moodle before 1.6.2 does not properly validate the module instance id ...)
@@ -2516,8 +2519,8 @@
 	NOT-FOR-US: Roxio Toast
 CVE-2006-4800 (Multiple buffer overflows in libavcodec in ffmpeg before ...)
 	- ffmpeg 0.cvs20060329-1
+	- xine-lib 1.1.2-1
 	NOTE: according to the changelog, libxine (starting from 1.1.2-4) links dynamically against ffmpeg
-	TODO: check other packages embedding ffmpeg code
 CVE-2006-4799 (Buffer overflow in ffmpeg for xine-lib before 1.1.2 might allow ...)
 	- xine-lib 1.1.2-1 (bug #369876; medium)
 	NOTE: according to the changelog, libxine (starting from 1.1.2-4) links dynamically against ffmpeg
@@ -8094,7 +8097,8 @@
 CVE-2006-2363 (SQL injection vulnerability in the weblinks option (weblinks.html.php) ...)
 	NOT-FOR-US: Limbo
 CVE-2006-2362 (Buffer overflow in getsym in tekhex.c in libbfd in Free Software ...)
-	- binutils 2.17-1 (bug #368237)
+	- binutils 2.17-1 (low; bug #368237)
+	[sarge] - binutils <no-dsa> (Very minor issue)
 CVE-2006-2361 (PHP remote file inclusion vulnerability in pafiledb_constants.php in ...)
 	NOT-FOR-US: phpbb mod
 CVE-2006-2360 (SQL injection vulnerability in charts.php in the Chart mod for phpBB ...)
@@ -12313,7 +12317,8 @@
 CVE-2005-4714 (Format string vulnerability in the vmps_log function in OpenVMPS (VLAN ...)
 	NOT-FOR-US: OpenVMPS
 CVE-2005-4713 (Unspecified vulnerability in the SQL logging facility in PAM-MySQL ...)
-	- libpam-mysql 0.6.2-1 (bug #353589; high)
+	- libpam-mysql 0.6.2-1 (bug #353589; low)
+	[sarge] - libpam-mysql <not-affected> (Vulnerable code not present)
 CVE-2005-4712 (CRLF injection vulnerability in process_signup.php in PHP Handicapper ...)
 	NOT-FOR-US: Handicapper
 CVE-2006-XXXX [dpkg-sig: insecure temp file bug]
@@ -13385,7 +13390,6 @@
 CVE-2006-0228 (The RBAC functionality in grsecurity before 2.1.8 does not properly ...)
 	- kernel-patch-grsecurity2 2.1.8-1 (bug #349246; medium)
 	- kernel-patch-2.4-grsecurity <removed> (bug #349247; medium)
-	- gradm2 2.1.8-1 (medium)
 CVE-2006-0227 (Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, ...)
 	NOT-FOR-US: lpsched in Sun Solaris
 CVE-2006-0226 (Integer overflow in IEEE 802.11 network subsystem (ieee80211_ioctl.c) ...)
@@ -13920,7 +13924,8 @@
 CVE-2006-0057 (Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers ...)
 	NOT-FOR-US: Windows
 CVE-2006-0056 (Double-free vulnerability in the authentication and authentication ...)
-	- libpam-mysql 0.6.2-1 (bug #353589; high)
+	- libpam-mysql 0.6.2-1 (bug #353589; medium)
+	[sarge] - libpam-mysql <not-affected> (Vulnerable code not present)
 CVE-2006-0055 (The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable ...)
 	- ee 1:1.4.2-5 (bug #348322)
 CVE-2006-0054 (The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to ...)
@@ -22452,6 +22457,7 @@
 	NOT-FOR-US: Drupal
 CVE-2002-1805 (Cross-site scripting (XSS) vulnerability in DaCode 1.2.0 allows remote ...)
 	- dacode <removed> (bug #322605; low)
+	[sarge] - dacode <no-dsa> (Minor issue; attacker would need to bypass moderator review/approval)
 	NOTE: Sarge is affected (has same version as testing/unstable)
 CVE-2002-1804 (Cross-site scripting (XSS) vulnerability in NPDS 4.8 allows remote ...)
 	NOT-FOR-US: NPDS
@@ -23467,7 +23473,7 @@
 	- shtool 2.0.1-2 (low)
 	[sarge] - shtool <no-dsa> (Minor issue)
 	- mysql-ocaml 1.0.3-6 (unimportant)
-	- php4 4:4.4.0-1 (low)
+	- php4 4:4.4.0-1 (unimportant)
 CVE-2005-1758 (Buffer overflow in the IMAP command continuation function in Novell ...)
 	NOT-FOR-US: Novell
 CVE-2005-1757 (Buffer overflow in the Modweb agent for Novell NetMail 3.52 before ...)
@@ -27598,7 +27604,8 @@
 CVE-2004-1736 (Cacti 0.8.5a allows remote attackers to gain sensitive information via ...)
 	- cacti 0.8.5a-5
 CVE-2004-1735 (Cross-site scripting (XSS) vulnerability in the create list option in ...)
-	- sympa 4.1.5-4 (bug #298105; low)
+	- sympa 4.1.5-4 (bug #298105; unimportant)
+	NOTE: A user with the privilege to create new mailing lists needs to be trustworthy
 CVE-2004-1734 (PHP remote file inclusion vulnerability in Mantis 0.19.0a allows ...)
 	- mantis 0.19.2-1
 CVE-2004-1733 (Directory traversal vulnerability in MyDMS 1.4.2 and other versions ...)

More information about the Secure-testing-commits mailing list