[Secure-testing-commits] r4798 - in data: CVE DSA

Moritz Muehlenhoff jmm-guest at costa.debian.org
Sun Oct 1 21:30:21 UTC 2006 

Author: jmm-guest
Date: 2006-10-01 21:30:20 +0000 (Sun, 01 Oct 2006)
New Revision: 4798

Modified:
   data/CVE/list
   data/DSA/list
Log:
fix zope CVE ID
multiple bugnums


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-10-01 21:14:26 UTC (rev 4797)
+++ data/CVE/list	2006-10-01 21:30:20 UTC (rev 4798)
@@ -1830,7 +1830,8 @@
 	[sarge] - zope-cmfplone <not-affected> (Vulnerable code not present)
 	- zope-cmfplone <unfixed>
 CVE-2006-4246 (Usermin before 1.220 (20060629) allows remote attackers to read ...)
-	TODO: check
+	{DSA-1177-1}
+	- usermin <removed> (bug #374609)
 CVE-2006-4245
 	RESERVED
 CVE-2006-4244 (SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that ...)
@@ -1839,7 +1840,6 @@
 	RESERVED
 	- linux-2.6 2.6.17-9
 CVE-2006-4242 (PHP remote file inclusion vulnerability in install.jim.php in the JIM ...)
-	{DSA-1177-1}
 	NOT-FOR-US: JIM component for Joomla or Mambo
 CVE-2006-4241 (PHP remote file inclusion vulnerability in processor/reporter.sql.php ...)
 	NOT-FOR-US: Reporter Mambo component (com_reporter)
@@ -2158,11 +2158,11 @@
 CVE-2006-4096 (BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to ...)
 	{DSA-1172-1}
 	- bind <not-affected> (Not vulnerable according to CERT advisory)
-	- bind9 1:9.3.2-P1-1 (medium; bug #386245)
+	- bind9 1:9.3.2-P1-1 (medium; bug #386245; bug #386237)
 CVE-2006-4095 (BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers ...)
 	{DSA-1172-1}
 	- bind <not-affected> (Not vulnerable according to CERT advisory)
-	- bind9 1:9.3.2-P1-1 (medium; bug #386245)
+	- bind9 1:9.3.2-P1-1 (medium; bug #386245; bug #386237)
 CVE-2006-4094
 	RESERVED
 CVE-2006-4093 (Linux kernel 2.x.6 before 2.6.17.9 and 2.4.x before 2.4.33.1 on ...)
@@ -2279,7 +2279,7 @@
 	NOT-FOR-US: myWebland myBloggie
 CVE-2006-4041 (SQL injection vulnerability in Pike before 7.6.86, when using a ...)
 	- pike7.6 7.6.86-1
-	[sarge] - pike7.2 <unfixed> (bug #382607)
+	[sarge] - pike7.2 <unfixed> (bug #382607; bug #383766)
 CVE-2006-4040 (PHP remote file inclusion vulnerability in myevent.php in myWebland ...)
 	NOT-FOR-US: myWebland myEvent
 CVE-2006-4039 (Multiple SQL injection vulnerabilities in eintragen.php in GaesteChaos ...)
@@ -2338,12 +2338,12 @@
 CVE-2006-4021 (The cryptographic module in ScatterChat 1.0.x allows attackers to ...)
 	NOT-FOR-US: ScatterChat
 CVE-2006-4020 (scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows ...)
-	- php5 5.1.6-1 (unimportant; bug #382256)
+	- php5 5.1.6-1 (unimportant; bug #382256; bug #382262)
 	- php4 4:4.4.4-1 (unimportant; bug #382261)
 	NOTE: Only exploitable by malicious, local user
 CVE-2006-4019 (Dynamic variable evaluation vulnerability in compose.php in ...)
 	{DSA-1154}
-	- squirrelmail 2:1.4.8-1
+	- squirrelmail 2:1.4.8-1 (bug #382621)
 CVE-2006-4018 (Heap-based buffer overflow in the pefromupx function in ...)
 	{DSA-1153}
 	- clamav 0.88.4-1 (high; bug #382004; bug #382007)
@@ -2779,7 +2779,7 @@
 	- krusader <not-affected> (bug #380063; file in directory with 0700 permissions)
 CVE-2006-3815 (heartbeat.c in heartbeat before 2.0.6 sets insecure permissions in a ...)
 	{DSA-1128}
-	- heartbeat 1.2.4-13 (bug #379904)
+	- heartbeat 1.2.4-13 (bug #379904; bug #380289)
 CVE-2006-3814 (Buffer overflow in the Loader_XM::load_instrument_internal function in ...)
 	{DSA-1166}
 	- cheesetracker 0.9.9-6 (bug #380364; low)
@@ -3637,7 +3637,7 @@
 	{DSA-1137-1}
 	- tiff 3.8.2-6
 CVE-2006-3486 (** DISPUTED ** ...)
-	- mysql-dfsg-5.0 5.0.22-4 (unimportant)
+	- mysql-dfsg-5.0 5.0.22-4 (unimportant; bug #378102)
 	[sarge] - mysql-dfsg-4.1 <not-affected> (Vulnerable code not present)
 	[sarge] - mysql-dfsg <not-affected> (Vulnerable code not present)
 	NOTE: Only DoS possible, only root can trigger this -> non-issue
@@ -3802,7 +3802,7 @@
 	- hiki 0.8.6-1 (bug #378059; low)
 CVE-2006-3378 (passwd command in shadow in Ubuntu 5.04 through 6.06 LTS, when called ...)
 	{DSA-1150-1}
-	- shadow 1:4.0.14-1
+	- shadow 1:4.0.14-1 (bug #379174)
 CVE-2006-3377 (Cross-site scripting (XSS) vulnerability in JMB Software AutoRank PHP ...)
 	NOT-FOR-US: JMB Software AutoRank PHP
 CVE-2006-3376 (Integer overflow in player.c in libwmf 0.2.8.4, as used in multiple ...)
@@ -4077,7 +4077,7 @@
 	NOT-FOR-US: Algorithmic Research PrivateWire VPN
 CVE-2006-3251 (Heap-based buffer overflow in the array_push function in hashcash.c ...)
 	{DSA-1114}
-	- hashcash 1.21
+	- hashcash 1.21 (bug #376444)
 CVE-2006-3250 (Heap-based buffer overflow in Windows Live Messenger 8.0 allows ...)
 	NOT-FOR-US: Windows Live Messenger
 CVE-2006-3249 (** DISPUTED ** ...)
@@ -5841,8 +5841,8 @@
 	NOT-FOR-US: Mobotix
 CVE-2006-2489 (Integer overflow in CGI scripts in Nagios 1.x before 1.4.1 and 2.x ...)
 	{DSA-1072-1}
-	- nagios 2:1.4-1 (bug #366682; bug #366803; high)
-	- nagios2 2.3-1 (bug #366683; high)
+	- nagios 2:1.4-1 (bug #366682; bug #366803; bug #368193; high)
+	- nagios2 2.3-1 (bug #366683; bug #368199; high)
 CVE-2006-2488 (Multiple cross-site scripting (XSS) vulnerabilities in Spymac WebOS ...)
 	NOT-FOR-US: Spymac 
 CVE-2006-2487 (Multiple PHP remote file inclusion vulnerabilities in ScozNews 1.2.1 ...)
@@ -6412,7 +6412,7 @@
 	NOT-FOR-US: Big Webmaster Guestbook Script
 CVE-2006-2230 (Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine ...)
 	{DSA-1093-1}
-	- xine-ui 0.99.4-2 (medium; bug #363370)
+	- xine-ui 0.99.4-2 (medium; bug #363370; bug #372172)
 CVE-2006-2229 (OpenVPN 2.0.7 and earlier, when configured to use the --management ...)
 	- openvpn <unfixed> (unimportant)
 	NOTE: One needs to explicitly set the IP to something else than 127.0.0.1
@@ -7142,7 +7142,7 @@
 CVE-2006-1931 (The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, ...)
 	{DSA-1157}
 	NOTE: the redhat bugzilla entry says this is fixed in 1.8.3
-	- ruby1.8 1.8.3
+	- ruby1.8 1.8.3 (bug #365520)
 CVE-2006-1930 (** DISPUTED ** ...)
 	NOT-FOR-US: Green Minute
 CVE-2006-1929 (PHP remote file inclusion vulnerability in include/common.php in ...)
@@ -7489,7 +7489,8 @@
 CVE-2006-1776 (PHP remote file inclusion vulnerability in doc/index.php in Jeremy ...)
 	NOT-FOR-US: Simplog
 CVE-2006-1775 (Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 ...)
-	- phpbb2 <unfixed> (medium)
+	- phpbb2 <unfixed> (unimportant)
+	NOTE: Only exploitable by authenticated admin users
 CVE-2006-1774 (HP System Management Homepage (SMH) 2.1.3.132, when running on ...)
 	NOT-FOR-US: HP System Management Homepage
 CVE-2006-1773 (SQL injection vulnerability in include.php in PHPKIT 1.6.1 Release 2 ...)
@@ -7755,7 +7756,7 @@
 CVE-2005-4773 (The configuration of VMware ESX Server 2.x, 2.0.x, 2.1.x, and 2.5.x ...)
 	NOT-FOR-US: VMware
 CVE-2004-2656 (Multiple cross-site scripting (XSS) vulnerabilities in Slashdot Like ...)
-	- slash <unfixed> (medium)
+	- slash <unfixed> (medium; bug #390469)
 CVE-2006-XXXX [firebird local DoS]
 	- firebird2 1.5.3.4870-4 (bug #362001)
 	[sarge] - firebird2 <no-dsa> (Minor issue)
@@ -7860,8 +7861,7 @@
 CVE-2006-1665 (Multiple cross-site scripting (XSS) vulnerabilities in Arab Portal ...)
 	NOT-FOR-US: Arab Portal
 CVE-2006-1664 (Buffer overflow in xine_list_delete_current in libxine 1.14 and ...)
-	- libxine1 <not-affected> (not reproducible with Debian version)
-	NOTE: see bug #363127
+	- libxine1 <not-affected> (Not reproducible with Debian version, see bug #363127)
 CVE-2006-1663
 	REJECTED
 CVE-2006-1662 (The frontpage option in Limbo CMS 1.0.4.2 and 1.0.4.1 allows remote ...)
@@ -9084,7 +9084,7 @@
 	[sarge] - shadow <not-affected> (Vulnerable code was introduced later)
 CVE-2006-1173 (Sendmail before 8.13.7 allows remote attackers to cause a denial of ...)
 	{DSA-1155}
-	- sendmail 8.13.7-1 (low)
+	- sendmail 8.13.7-1 (low; bug #373801)
 CVE-2006-1172 (Stack-based buffer overflow in the createPKCS10 function in ...)
 	NOT-FOR-US: ActiveX control
 CVE-2006-1171
@@ -10056,7 +10056,7 @@
 	NOTE: Only affected the 3.3.2 KDE backport
 CVE-2006-0745 (X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 ...)
 	- xorg-x11 6.9.0.dfsg.1-5 (bug #360388; medium)
-	- xorg-server 1:1.0.2-1
+	- xorg-server 1:1.0.2-1 (bug #378465; medium)
 	- xfree86 <not-affected>
 CVE-2006-0744 (Linux kernel before 2.6.16.5 does not properly handle uncanonical ...)
 	{DSA-1103}
@@ -25982,7 +25982,7 @@
 	NOT-FOR-US: Tonecast
 CVE-2004-1617 (Lynx and lynx-ssl allow remote attackers to cause a denial of service ...)
 	{DSA-1077-1 DSA-1076-1}
-	- lynx 2.8.5-2sarge1.2 (bug #296340; low)
+	- lynx 2.8.5-2sarge1.2 (bug #296340; bug #384725; low)
 	- lynx-cur 2.8.6-6 (low)
 	- lynx-ssl <removed>
 CVE-2004-1616 (Links allows remote attackers to cause a denial of service (memory ...)
@@ -29606,7 +29606,7 @@
 CVE-2004-0627 (The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, ...)
 	- mysql <not-affected> (Apparently 3.2 not exploitable, see #330164)
 	- mysql-dfsg <not-affected> (Apparently 4.0 not exploitable, see #330164)
-	- mysql-dfsg-4.1 4.1.11a-1 (bug #330164; medium)
+	- mysql-dfsg-4.1 4.1.11a-1 (bug #330164; bug #380507; medium)
 	- mysql-dfsg-5.0 <not-affected> (Was fixed before MySQL 5.0 was uploaded into the archive)
 CVE-2004-0626 (The tcp_find_option function of the netfilter subsystem in Linux ...)
 	[sarge] - kernel-source-2.6.8 2.6.8-1

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2006-10-01 21:14:26 UTC (rev 4797)
+++ data/DSA/list	2006-10-01 21:30:20 UTC (rev 4798)
@@ -23,7 +23,7 @@
 	{CVE-2006-3467}
 	[sarge] - freetype 2.1.7-6
 [15 Sep 2006] DSA-1177-1 usermin
-	{CVE-2006-4242}
+	{CVE-2006-4246}
 	[sarge] - usermin 1.110-3.1
 [13 Sep 2006] DSA-1176-1 zope2.7
 	{CVE-2006-4684}

More information about the Secure-testing-commits mailing list