[Secure-testing-commits] r4810 - data/CVE
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Thu Oct 5 16:10:45 UTC 2006
Author: jmm-guest
Date: 2006-10-05 16:10:44 +0000 (Thu, 05 Oct 2006)
New Revision: 4810
Modified:
data/CVE/list
Log:
openssl regression is covered under the regular ID per mitre
mono fixed
pike issue not relevant for sarge
ipcalc no-dsa
netpanzer no-dsas
tcpick no-dsa
apt-setup non-issue
phpsysinfo unimportant
bugnums
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2006-10-04 21:14:25 UTC (rev 4809)
+++ data/CVE/list 2006-10-05 16:10:44 UTC (rev 4810)
@@ -46,10 +46,6 @@
TODO: check
CVE-2006-5144 (Cross-site scripting (XSS) vulnerability in userupload.php in ...)
TODO: check
-CVE-2006-XXXX [openssl fix for CVE-2006-2940 introduced new security bug]
- - openssl097 0.9.7k-3
- - openssl 0.9.8c-3
- [sarge] - openssl 0.9.7e-3sarge4
CVE-2006-XXXX [unspecified libgsf security issue (IDEF1622)]
- libgsf 1.14.2-1
CVE-2006-5143
@@ -201,7 +197,7 @@
- moodle 1.6.2+20060930-1 (bug #390294)
CVE-2006-5072 [mono temp race]
RESERVED
- - mono <unfixed>
+ - mono 1.1.17.1-5
CVE-2006-5071 (Multiple cross-site scripting (XSS) vulnerabilities in eyeOS before ...)
NOT-FOR-US: eyeOS
CVE-2006-5070 (PHP remote file inclusion vulnerability in ...)
@@ -2475,7 +2471,10 @@
NOT-FOR-US: myWebland myBloggie
CVE-2006-4041 (SQL injection vulnerability in Pike before 7.6.86, when using a ...)
- pike7.6 7.6.86-1
- [sarge] - pike7.2 <unfixed> (bug #382607; bug #383766)
+ [sarge] - pike7.6 <unfixed> (unimportant; bug #382607; bug #383766)
+ [sarge] - pike7.2 <unfixed> (unimportant; bug #382607; bug #383766)
+ NOTE: No applications using pike+postgres in Sarge, fix provides
+ NOTE: new functions for proper quoting
CVE-2006-4040 (PHP remote file inclusion vulnerability in myevent.php in myWebland ...)
NOT-FOR-US: myWebland myEvent
CVE-2006-4039 (Multiple SQL injection vulnerabilities in eintragen.php in GaesteChaos ...)
@@ -2898,6 +2897,7 @@
NOT-FOR-US: Warzone
CVE-2006-3848 (Cross-site scripting (XSS) vulnerability in CGI wrapper for IP ...)
- ipcalc 0.41-1 (bug #381469; low)
+ [sarge] - ipcalc <no-dsa> (No exploit potential)
CVE-2006-3847 (PHP remote file inclusion vulnerability in (1) admin.php, and possibly ...)
NOT-FOR-US: MoSpray
CVE-2006-3846 (PHP remote file inclusion vulnerability in extadminmenus.class.php in ...)
@@ -3803,7 +3803,7 @@
NOT-FOR-US: Dell Openmanage CD
CVE-2006-3469 (Format string vulnerability in time.cc in MySQL Server 4.1 before ...)
{DSA-1112}
- - mysql-dfsg-5.0 5.0.22-1
+ - mysql-dfsg-5.0 5.0.22-1 (bug #375694)
CVE-2006-3468 (Linux kernel 2.6.x, when using both NFS and EXT3, allows remote ...)
- linux-2.6 2.6.17-6
CVE-2006-3467 (Integer overflow in FreeType before 2.2 allows remote attackers to ...)
@@ -4036,9 +4036,12 @@
CVE-2006-3361 (PHP remote file inclusion vulnerability in Stud.IP 1.3.0-2 and ...)
NOT-FOR-US: Stud.IP
CVE-2006-3360 (Directory traversal vulnerability in index.php in phpSysInfo 2.5.1 ...)
- - phpsysinfo <unfixed> (low)
- - egroupware <unfixed> (low)
- - phpgroupware <unfixed> (low)
+ - phpsysinfo <unfixed> (unimportant)
+ - egroupware <unfixed> (unimportant)
+ - phpgroupware <unfixed> (unimportant)
+ NOTE: Only the existence of files inside the WWW root is leaked. If this is
+ NOTE: a threat to your setup you most probably shouldn't install a script which
+ NOTE: exposes all your system data, either.
CVE-2006-3359 (Multiple SQL injection vulnerabilities in index.php in NewsPHP 2006 ...)
NOT-FOR-US: NewsPHP
CVE-2006-3358 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...)
@@ -4631,7 +4634,7 @@
- krb5 1.4.3-9 (medium)
CVE-2006-3082 (parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions, ...)
{DSA-1115 DSA-1107}
- - gnupg 1.4.3-2 (bug #375052; low)
+ - gnupg 1.4.3-2 (bug #375052; bug #375473; low)
- gnupg2 1.9.20-1.1 (bug #375053; low)
CVE-2006-3081 (mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x ...)
{DSA-1112}
@@ -5262,7 +5265,7 @@
CVE-2006-XXXX [PHP injection vulnerability in dokuwiki via curly braces]
- dokuwiki <unfixed> (medium)
CVE-2006-XXXX [webalizer: symlink vulnerability]
- - webalizer 2.01.10-29
+ - webalizer 2.01.10-29 (bug #359745)
CVE-2006-2805 (SQL injection vulnerability in VBulletin 3.0.10 allows remote ...)
NOT-FOR-US: vBulletin
CVE-2006-2804 (Cross-site scripting (XSS) vulnerability in index.cfm in Goss ...)
@@ -5841,6 +5844,7 @@
NOT-FOR-US: Docebo
CVE-2006-2575 (The setFrame function in Lib/2D/Surface.hpp for NetPanzer 0.8 and ...)
- netpanzer 0.8+svn20060319-2 (bug #370146; low)
+ [sarge] - netpanzer <no-dsa> (Minor DoS against a game)
CVE-2006-2574 (Multiple unspecified vulnerabilities in Software Distributor in HP-UX ...)
NOT-FOR-US: Software Distributor in HP-UX
CVE-2006-2573 (SQL injection vulnerability in index.php in DGBook 1.0, with ...)
@@ -9059,7 +9063,7 @@
CVE-2006-1259 (Multiple SQL injection vulnerabilities in Maian Support 1.0 allow ...)
NOT-FOR-US: Maian Support
CVE-2006-1258 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows ...)
- - phpmyadmin 4:2.8.0.2-2
+ - phpmyadmin 4:2.8.0.2-2 (bug #382228)
[sarge] - phpmyadmin <not-affected> (Vulnerable code not present)
CVE-2006-1257 (The sample files in the authfiles directory in Microsoft Commerce ...)
NOT-FOR-US: Microsoft
@@ -12187,7 +12191,8 @@
- gnupg 1.4.2.2-1 (bug #356125; medium)
[sarge] - gnupg2 <not-affected> (Vulnerable code not activated)
CVE-2006-0048 (Francesco Stablum tcpick 0.2.1 allows remote attackers to cause a ...)
- - tcpick 0.2.1-3 (bug #360571; medium)
+ - tcpick 0.2.1-3 (bug #360571; low)
+ [sarge] - tcpick <no-dsa> (Minor issue)
CVE-2006-0047 (packets.c in Freeciv 2.0 before 2.0.8 allows remote attackers to cause ...)
{DSA-994-1}
- freeciv 2.0.8-1 (medium; bug #355211)
@@ -18958,7 +18963,8 @@
CVE-2005-2296 (YabbSE 1.5.5c allows remote attackers to obtain sensitive information ...)
NOT-FOR-US: YabbSE
CVE-2005-2295 (NetPanzer 0.8 and earlier allows remote attackers to cause a denial of ...)
- - netpanzer 0.8+svn20060319-1 (bug #318329; medium)
+ - netpanzer 0.8+svn20060319-1 (bug #318329; low)
+ [sarge] - netpanzer <no-dsa> (Minor DoS against a game)
CVE-2005-2294 (Oracle Forms 4.5, 6.0, 6i, and 9i on Unix, when a large number of ...)
NOT-FOR-US: Oracle
CVE-2005-2293 (Oracle Formsbuilder 9.0.4 stores database usernames and passwords in a ...)
@@ -19688,7 +19694,10 @@
CVE-2005-2215 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.x ...)
- mediawiki 1.4.9
CVE-2005-2214 (apt-setup in Debian GNU/Linux installs the apt.conf file with insecure ...)
- - apt-setup <unfixed> (bug #305142; low)
+ - apt-setup <unfixed> (bug #305142; unimportant)
+ NOTE: That's by design. We want to provide non-root users access to the source code,
+ NOTE: thus it needs to be world-readable. Also, the password can't be too sensitive
+ NOTE: as it'll be sent non-encrypted over the wire.
CVE-2005-2213 (Buffer overflow in the mms_interp_header function in mms.c in MMS ...)
NOT-FOR-US: MMS Ripper
CVE-2005-2212 (Backup Manager 0.5.8a creates an archive repository with world ...)
More information about the Secure-testing-commits
mailing list