[Secure-testing-commits] r4810 - data/CVE

Moritz Muehlenhoff jmm-guest at costa.debian.org
Thu Oct 5 16:10:45 UTC 2006 

Author: jmm-guest
Date: 2006-10-05 16:10:44 +0000 (Thu, 05 Oct 2006)
New Revision: 4810

Modified:
   data/CVE/list
Log:
openssl regression is covered under the regular ID per mitre
mono fixed
pike issue not relevant for sarge
ipcalc no-dsa
netpanzer no-dsas
tcpick no-dsa
apt-setup non-issue
phpsysinfo unimportant
bugnums


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-10-04 21:14:25 UTC (rev 4809)
+++ data/CVE/list	2006-10-05 16:10:44 UTC (rev 4810)
@@ -46,10 +46,6 @@
 	TODO: check
 CVE-2006-5144 (Cross-site scripting (XSS) vulnerability in userupload.php in ...)
 	TODO: check
-CVE-2006-XXXX [openssl fix for CVE-2006-2940 introduced new security bug]
-	- openssl097 0.9.7k-3
-	- openssl 0.9.8c-3
-	[sarge] - openssl 0.9.7e-3sarge4
 CVE-2006-XXXX [unspecified libgsf security issue (IDEF1622)]
 	- libgsf 1.14.2-1
 CVE-2006-5143
@@ -201,7 +197,7 @@
 	- moodle 1.6.2+20060930-1 (bug #390294)
 CVE-2006-5072 [mono temp race]
 	RESERVED
-	- mono <unfixed> 
+	- mono 1.1.17.1-5
 CVE-2006-5071 (Multiple cross-site scripting (XSS) vulnerabilities in eyeOS before ...)
 	NOT-FOR-US: eyeOS
 CVE-2006-5070 (PHP remote file inclusion vulnerability in ...)
@@ -2475,7 +2471,10 @@
 	NOT-FOR-US: myWebland myBloggie
 CVE-2006-4041 (SQL injection vulnerability in Pike before 7.6.86, when using a ...)
 	- pike7.6 7.6.86-1
-	[sarge] - pike7.2 <unfixed> (bug #382607; bug #383766)
+	[sarge] - pike7.6 <unfixed> (unimportant; bug #382607; bug #383766)
+	[sarge] - pike7.2 <unfixed> (unimportant; bug #382607; bug #383766)
+	NOTE: No applications using pike+postgres in Sarge, fix provides
+	NOTE: new functions for proper quoting
 CVE-2006-4040 (PHP remote file inclusion vulnerability in myevent.php in myWebland ...)
 	NOT-FOR-US: myWebland myEvent
 CVE-2006-4039 (Multiple SQL injection vulnerabilities in eintragen.php in GaesteChaos ...)
@@ -2898,6 +2897,7 @@
 	NOT-FOR-US: Warzone
 CVE-2006-3848 (Cross-site scripting (XSS) vulnerability in CGI wrapper for IP ...)
 	- ipcalc 0.41-1 (bug #381469; low)
+	[sarge] - ipcalc <no-dsa> (No exploit potential)
 CVE-2006-3847 (PHP remote file inclusion vulnerability in (1) admin.php, and possibly ...)
 	NOT-FOR-US: MoSpray
 CVE-2006-3846 (PHP remote file inclusion vulnerability in extadminmenus.class.php in ...)
@@ -3803,7 +3803,7 @@
 	NOT-FOR-US: Dell Openmanage CD
 CVE-2006-3469 (Format string vulnerability in time.cc in MySQL Server 4.1 before ...)
 	{DSA-1112}
-	- mysql-dfsg-5.0 5.0.22-1
+	- mysql-dfsg-5.0 5.0.22-1 (bug #375694)
 CVE-2006-3468 (Linux kernel 2.6.x, when using both NFS and EXT3, allows remote ...)
 	- linux-2.6 2.6.17-6
 CVE-2006-3467 (Integer overflow in FreeType before 2.2 allows remote attackers to ...)
@@ -4036,9 +4036,12 @@
 CVE-2006-3361 (PHP remote file inclusion vulnerability in Stud.IP 1.3.0-2 and ...)
 	NOT-FOR-US: Stud.IP
 CVE-2006-3360 (Directory traversal vulnerability in index.php in phpSysInfo 2.5.1 ...)
-	- phpsysinfo <unfixed> (low)
-	- egroupware <unfixed> (low)
-	- phpgroupware <unfixed> (low)
+	- phpsysinfo <unfixed> (unimportant)
+	- egroupware <unfixed> (unimportant)
+	- phpgroupware <unfixed> (unimportant)
+	NOTE: Only the existence of files inside the WWW root is leaked. If this is
+	NOTE: a threat to your setup you most probably shouldn't install a script which
+	NOTE: exposes all your system data, either.
 CVE-2006-3359 (Multiple SQL injection vulnerabilities in index.php in NewsPHP 2006 ...)
 	NOT-FOR-US: NewsPHP
 CVE-2006-3358 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...)
@@ -4631,7 +4634,7 @@
 	- krb5 1.4.3-9 (medium)
 CVE-2006-3082 (parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions, ...)
 	{DSA-1115 DSA-1107}
-	- gnupg 1.4.3-2 (bug #375052; low)
+	- gnupg 1.4.3-2 (bug #375052; bug #375473; low)
 	- gnupg2 1.9.20-1.1 (bug #375053; low)
 CVE-2006-3081 (mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x ...)
 	{DSA-1112}
@@ -5262,7 +5265,7 @@
 CVE-2006-XXXX [PHP injection vulnerability in dokuwiki via curly braces]
 	- dokuwiki <unfixed> (medium)
 CVE-2006-XXXX [webalizer: symlink vulnerability]
-	- webalizer 2.01.10-29
+	- webalizer 2.01.10-29 (bug #359745)
 CVE-2006-2805 (SQL injection vulnerability in VBulletin 3.0.10 allows remote ...)
 	NOT-FOR-US: vBulletin
 CVE-2006-2804 (Cross-site scripting (XSS) vulnerability in index.cfm in Goss ...)
@@ -5841,6 +5844,7 @@
 	NOT-FOR-US: Docebo
 CVE-2006-2575 (The setFrame function in Lib/2D/Surface.hpp for NetPanzer 0.8 and ...)
 	- netpanzer 0.8+svn20060319-2 (bug #370146; low)
+	[sarge] - netpanzer <no-dsa> (Minor DoS against a game)
 CVE-2006-2574 (Multiple unspecified vulnerabilities in Software Distributor in HP-UX ...)
 	NOT-FOR-US: Software Distributor in HP-UX
 CVE-2006-2573 (SQL injection vulnerability in index.php in DGBook 1.0, with ...)
@@ -9059,7 +9063,7 @@
 CVE-2006-1259 (Multiple SQL injection vulnerabilities in Maian Support 1.0 allow ...)
 	NOT-FOR-US: Maian Support
 CVE-2006-1258 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows ...)
-	- phpmyadmin 4:2.8.0.2-2	
+	- phpmyadmin 4:2.8.0.2-2 (bug #382228)
 	[sarge] - phpmyadmin <not-affected> (Vulnerable code not present)
 CVE-2006-1257 (The sample files in the authfiles directory in Microsoft Commerce ...)
 	NOT-FOR-US: Microsoft
@@ -12187,7 +12191,8 @@
 	- gnupg 1.4.2.2-1 (bug #356125; medium)
 	[sarge] - gnupg2 <not-affected> (Vulnerable code not activated)
 CVE-2006-0048 (Francesco Stablum tcpick 0.2.1 allows remote attackers to cause a ...)
-	- tcpick 0.2.1-3 (bug #360571; medium)
+	- tcpick 0.2.1-3 (bug #360571; low)
+	[sarge] - tcpick <no-dsa> (Minor issue)
 CVE-2006-0047 (packets.c in Freeciv 2.0 before 2.0.8 allows remote attackers to cause ...)
 	{DSA-994-1}
 	- freeciv 2.0.8-1 (medium; bug #355211)
@@ -18958,7 +18963,8 @@
 CVE-2005-2296 (YabbSE 1.5.5c allows remote attackers to obtain sensitive information ...)
 	NOT-FOR-US: YabbSE
 CVE-2005-2295 (NetPanzer 0.8 and earlier allows remote attackers to cause a denial of ...)
-	- netpanzer 0.8+svn20060319-1 (bug #318329; medium)
+	- netpanzer 0.8+svn20060319-1 (bug #318329; low)
+	[sarge] - netpanzer <no-dsa> (Minor DoS against a game)
 CVE-2005-2294 (Oracle Forms 4.5, 6.0, 6i, and 9i on Unix, when a large number of ...)
 	NOT-FOR-US: Oracle
 CVE-2005-2293 (Oracle Formsbuilder 9.0.4 stores database usernames and passwords in a ...)
@@ -19688,7 +19694,10 @@
 CVE-2005-2215 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.x ...)
 	- mediawiki 1.4.9
 CVE-2005-2214 (apt-setup in Debian GNU/Linux installs the apt.conf file with insecure ...)
-	- apt-setup <unfixed> (bug #305142; low)
+	- apt-setup <unfixed> (bug #305142; unimportant)
+	NOTE: That's by design. We want to provide non-root users access to the source code,
+	NOTE: thus it needs to be world-readable. Also, the password can't be too sensitive
+	NOTE: as it'll be sent non-encrypted over the wire.
 CVE-2005-2213 (Buffer overflow in the mms_interp_header function in mms.c in MMS ...)
 	NOT-FOR-US: MMS Ripper
 CVE-2005-2212 (Backup Manager 0.5.8a creates an archive repository with world ...)

More information about the Secure-testing-commits mailing list