[Secure-testing-commits] r4988 - data/CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Tue Nov 21 19:14:33 CET 2006
Author: jmm-guest
Date: 2006-11-21 19:14:31 +0100 (Tue, 21 Nov 2006)
New Revision: 4988
Modified:
data/CVE/list
Log:
new dovecot issue (already fixed)
firefox-sage issue doesn't affect Debian
new linux-2.6 issue
texinfo maintainer pinged
some NFUs
older tetex issues don't affect sarge
remove some old, resolved TODOs
popilo and elmo no-dsa
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2006-11-21 17:28:56 UTC (rev 4987)
+++ data/CVE/list 2006-11-21 18:14:31 UTC (rev 4988)
@@ -1,7 +1,11 @@
+CVE-2006-XXXX [dovecot off-by-one]
+ - dovecot 1.0.rc15-1
+ [sarge] - dovecot <not-affected> (Vulnerable code not present)
CVE-2006-XXXX [TorrentFlux Arbitrary Command Execution and Directory Traversal]
- torrentflux <unfixed> (medium; bug #399169)
CVE-2006-XXXX [Firefox Sage Extension Feed Script Insertion Vulnerability]
- - firefox-sage <unfixed> (medium; bug #399170)
+ - firefox-sage <not-affected> (medium; bug #399170)
+ NOTE: Debian's version has HTML disabled
CVE-2006-5972 (Stack-based buffer overflow in WG111v2.SYS in NetGear WG111v2 wireless ...)
NOT-FOR-US: NetGear
CVE-2006-5971 (Absolute path traversal vulnerability in admin/logfile.txt in Verity ...)
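Review bot: The changed firefox-sage line keeps the `(medium; bug #399170)` annotation after switching the status to `<not-affected>`, so the entry now carries an urgency for a package it says is not affected, and the actual reason sits in a separate NOTE. The dovecot line added in the same hunk puts the reason in the parentheses (`(Vulnerable code not present)`); doing the same here, for example `- firefox-sage <not-affected> (Debian's version has HTML disabled; bug #399170)`, would keep the two entries consistent and make the NOTE unnecessary.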
@@ -574,7 +578,7 @@
CVE-2006-5702 (Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information ...)
- tikiwiki 1.9.6+dfsg-1 (medium)
CVE-2006-5701 (Double free vulnerability in squashfs module in the Linux kernel ...)
- TODO: check
+ - linux-2.6 <unfixed> (low)
CVE-2006-5700
RESERVED
CVE-2006-5699
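Review bot: The new `- linux-2.6 <unfixed> (low)` line for CVE-2006-5701 replaces `TODO: check` without a bug reference or a NOTE saying why a double free in the squashfs module is rated low. A one-line NOTE with the reasoning behind the urgency would let the next person triaging the kernel entries see what the check concluded.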
@@ -1023,7 +1027,7 @@
CVE-2006-5488 (SQL injection vulnerability in XchangeBoard 1.70, and possibly ...)
NOT-FOR-US: XchangeBoard
CVE-2006-5487 (Directory traversal vulnerability in Marshal MailMarshal SMTP 5.x, ...)
- TODO: check
+ NOT-FOR-US: Marshal MailMarshal SMTP
CVE-2006-5486 (Cross-site scripting (XSS) vulnerability in Webmail in Sun Java System ...)
NOT-FOR-US: Sun Java System Messaging Server
CVE-2006-5485 (Multiple PHP remote file inclusion vulnerabilities in SpeedBerg ...)
@@ -1388,7 +1392,7 @@
- flashplugin-nonfree <unfixed> (medium)
[sarge] - flashplugin-nonfree <no-dsa> (Contrib not supported, only installer package)
[etch] - flashplugin-nonfree <no-dsa> (Contrib not supported, only installer package)
- TODO: file bug when upstream fix is released
+ TODO: file bug, fixed in 9.0.28.0
CVE-2006-5329
RESERVED
CVE-2006-5328 (OpenBase SQL 10.0 and earlier, as used in Apple Xcode 2.2 2.2 and ...)
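Review bot: The rewritten TODO, `TODO: file bug, fixed in 9.0.28.0`, now holds the upstream fixed version while the package line above it still reads `<unfixed>`. Once the bug is filed and the TODO is dropped, the version goes with it. Consider recording it separately, for example `NOTE: fixed upstream in 9.0.28.0`, and keeping the TODO as just `TODO: file bug`.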
@@ -1754,8 +1758,7 @@
CVE-2006-5160 (** DISPUTED ** ...)
- firefox <not-affected> (no real issues)
CVE-2006-5159 (** DISPUTED ** ...)
- TODO: check again later
- NOTE: might or might not be a real firefox issue, probably low impact
+ NOT-FOR-US: Bogus Firefox issue
CVE-2006-5158 (The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel ...)
- linux-2.6 2.6.16
CVE-2006-5157 (Format string vulnerability in the ActiveX control (ATXCONSOLE.OCX) in ...)
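Review bot: `NOT-FOR-US: Bogus Firefox issue` on CVE-2006-5159 is inconsistent with the entry directly above it: CVE-2006-5160 is also marked DISPUTED and is tracked as `- firefox <not-affected> (no real issues)`. NOT-FOR-US is the marker for software that is not packaged, which does not fit a package this same file tracks one line earlier. Using `- firefox <not-affected> (...)` with the reason from the removed NOTE would match the neighbouring entry and keep the CVE attached to the firefox package.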
@@ -2492,7 +2495,6 @@
- qt4-x11 4.2.1-1 (bug #394192)
CVE-2006-4810 (Buffer overflow in the readline function in util/texindex.c, as used ...)
- texinfo <unfixed>
- TODO: File bug
CVE-2006-4809 (Stack-based buffer overflow in loader_pnm.c in imlib2 before 1.2.1, ...)
- imlib2 1.3.0.0debian1-3 (medium; bug #397371)
CVE-2006-4808 (Heap-based buffer overflow in loader_tga.c in imlib2 before 1.2.1, and ...)
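Review bot: Removing `TODO: File bug` leaves CVE-2006-4810 as a bare `- texinfo <unfixed>` with no bug number and no urgency. The commit log says the texinfo maintainer was pinged, but nothing in the entry records that. A line such as `NOTE: maintainer contacted` (or the bug number, if one exists) would stop someone else from repeating the step or assuming nothing has been done.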
@@ -3409,7 +3411,7 @@
CVE-2006-4414
RESERVED
CVE-2006-4413 (Apple Remote Desktop before 3.1 uses insecure permissions for certain ...)
- TODO: check
+ NOT-FOR-US: Apple Remote Desktop
CVE-2006-4412
RESERVED
CVE-2006-4411
@@ -5645,7 +5647,7 @@
CVE-2006-3446
RESERVED
CVE-2006-3445 (Microsoft Agent on Microsoft Windows 2000 SP4, XP SP2, and Server 2003 ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2006-3444 (Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, ...)
NOT-FOR-US: Microsoft
CVE-2006-3443 (Untrusted search path vulnerability in Winlogon in Microsoft Windows ...)
@@ -10588,7 +10590,6 @@
NOT-FOR-US: Internet Explorer
CVE-2006-1387 (TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote ...)
- twiki 1:4.0.4-3 (bug #367973)
- TODO: see if fw's patch secures this in Debian
CVE-2006-1386 (The (1) rdiff and (2) preview scripts in TWiki 4.0 and 4.0.1 ignore ...)
- twiki <not-affected> (only affects 4.0.0 - 4.1.0, version in Debian too young)
CVE-2006-1385 (Stack-based buffer overflow in the parseTaggedData function in ...)
@@ -13199,6 +13200,7 @@
{DSA-1019-1 DSA-998-1 DSA-984-1 DSA-983-1 DSA-982-1 DSA-979-1 DSA-974-1 DSA-972-1 DSA-971-1}
- poppler 0.4.5-1 (medium)
- tetex-bin 3.0-12 (medium)
+ [sarge] - tetex-bin <not-affected> (tetex2 uses an older version, which is not affected)
- kdegraphics 4:3.5.1-2 (medium)
- gpdf 2.10.0-3 (medium)
- xpdf 3.01-6 (bug #350785; bug #350783; medium)
@@ -14344,7 +14346,6 @@
NOT-FOR-US: HP-UX
CVE-2005-4450 (Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.7.0 ...)
NOTE: According to the description possibly a dupe of the non-issue CVE-2005-4349
- TODO: check back with Secunia, they're the only source for this issue
CVE-2005-4449 (verify.php in FlatNuke 2.5.6 allows remote authenticated ...)
NOT-FOR-US: FlatNuke
CVE-2005-4448 (FlatNuke 2.5.6 verifies authentication credentials based on an MD5 ...)
@@ -15202,7 +15203,7 @@
{DSA-1005-1 DSA-1004-1 DSA-992-1}
- ffmpeg 0.cvs20050918-5.1 (bug #342207; medium)
- xine-lib 1.0.1-1.5 (bug #342208; medium)
- TODO: check mplayer
+ - mplayer <not-affected> (Fixed before initial upload)
- gst-ffmpeg 0.8.7-5 (bug #343503; medium)
- vlc 0.8.4.debian-2 (medium)
NOTE: kino, smilutils, motion and vlc link statically against libavcodec, need a recompile once ffmpeg is fixed
@@ -15846,7 +15847,6 @@
NOT-FOR-US: Belkin hardware
CVE-2005-3801 (CounterPane PasswordSafe 1.x and 2.x allows local users to test ...)
NOT-FOR-US: PasswordSafe
- TODO: the problem might affect mypasswordsafe
CVE-2005-3800 (Macromedia Contribute Publishing Server (CPS) before 1.11 uses a weak ...)
NOT-FOR-US: Macromedia Contribute Publishing Server
CVE-2005-3799 (phpBB 2.0.18 allows remote attackers to obtain sensitive information ...)
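Review bot: The removed line `TODO: the problem might affect mypasswordsafe` under CVE-2005-3801 was the only mention of mypasswordsafe in this entry, and nothing replaces it. If the package was checked, record the result, for example `- mypasswordsafe <not-affected> (reason)`; if it was not checked, the TODO should stay, because the remaining `NOT-FOR-US: PasswordSafe` line says nothing about the related package.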
@@ -16813,7 +16813,7 @@
CVE-2003-1266 (The (1) FTP, (2) POP3, (3) SMTP, and (4) NNTP servers in EServer 2.92 ...)
NOT-FOR-US: EServer
CVE-2003-1265 (Netscape 7.0 and Mozilla 5.0 do not immediately delete messages in the ...)
- TODO: There is no Mozilla 5.0, but it should be tested on a current Mozilla
+ NOT-FOR-US: Ancient Mozilla issue
CVE-2003-1264 (TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B, ...)
NOT-FOR-US: Longshine hardware
CVE-2003-1263 (ICAL.EXE in iCal 3.7 allows remote attackers to cause a denial of ...)
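Review bot: `NOT-FOR-US: Ancient Mozilla issue` on CVE-2003-1265 gives the age of the report as the reason, while the removed TODO asked for the behaviour to be tested on a current Mozilla. The new line does not say whether that test was done. If it was, a NOTE with the result (or a `<not-affected>` line with the reason) would document the decision; if it was not, the age of the CVE alone does not show that current versions delete messages correctly.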
@@ -16888,7 +16888,6 @@
NOTE: which in debian requires a manual and non-documented
NOTE: initialization of the rpm database which is not configured in
NOTE: the package
- TODO: file bug?
CVE-2002-2203 (Unknown vulnerability in the System Serial Console terminal in Solaris ...)
NOT-FOR-US: Solaris
CVE-2002-2202 (Outlook Express 6.0 does not delete messages from dbx files, even when ...)
@@ -17624,7 +17623,6 @@
NOT-FOR-US: Inweb Mail Server
CVE-2004-2502 (im-switch before 11.4-46.1 in Fedora Core 2 allows local users to ...)
- im-switch <not-affected> (Debian's version is somehow derived from RH, but not affected)
- TODO: Please double-check
CVE-2004-2501 (Buffer overflow in the IMAP service of MailEnable Professional Edition ...)
NOT-FOR-US: MailEnable Professional
CVE-2004-2500 (Unknown vulnerability in IlohaMail before 0.8.14-rc1 has unknown ...)
@@ -18064,7 +18062,8 @@
CVE-2005-3164 (Hitachi Cosminexus Application Server does not properly handle when a ...)
NOT-FOR-US: Hitachi Cosminexus Application Server
CVE-2005-3163 (Unspecified vulnerability in Polipo 0.9.8 and earlier allows attackers ...)
- - polipo 0.9.9-1 (bug #332411; medium)
+ - polipo 0.9.9-1 (bug #332411; low)
+ [sarge] - polipo <no-dsa> (Minor issue)
CVE-2005-3162
REJECTED
CVE-2005-3161 (Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 ...)
@@ -21472,6 +21471,7 @@
- heartbeat 1.2.3-12 (bug #318287; medium)
CVE-2005-2230 (Electronic Mail Operator (elmo) 1.3.2-r1 and earlier creates the ...)
- elmo 1.3.0-1.1 (bug #318291; low)
+ [sarge] - elmo <no-dsa> (Minor issue)
CVE-2005-2229 (Blog Torrent 0.92 and earlier stores sensitive files under the web ...)
NOT-FOR-US: Blog Torrent
CVE-2005-2228 (Web Wiz Forums 7.9 and 8.0 allows remote attackers to view message ...)
@@ -21891,7 +21891,7 @@
[woody] - tetex-bin <not-affected> (pdftex doesn't include or use the vulnerable code)
- tetex-bin 3.0-12
NOTE: tetex links to poppler since 3.0-12
- TODO: Check, when sid was fixed for this
+ [sarge] - tetex-bin <not-affected> (tetex2 uses an older version, which is not affected)
- gpdf 2.10.0-4 (bug #334454; low)
NOTE: Cups switched to xpdf-utils
- cupsys 1.1.22-7 (bug #324464)