[Secure-testing-commits] r4825 - in data: CVE DSA

Moritz Muehlenhoff jmm-guest at costa.debian.org
Fri Oct 6 15:27:39 UTC 2006 

Author: jmm-guest
Date: 2006-10-06 15:27:38 +0000 (Fri, 06 Oct 2006)
New Revision: 4825

Modified:
   data/CVE/list
   data/DSA/list
Log:
new mozilla DSA
add a missing CVE to previous mozilla DSAs
new php issue
maxdb fixed
xine-ui format string flaws unimportant
no-dsa for minor libwww dos
bugnums
pam brute-force issue not terribly important


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-10-06 09:14:26 UTC (rev 4824)
+++ data/CVE/list	2006-10-06 15:27:38 UTC (rev 4825)
@@ -733,8 +733,10 @@
 	RESERVED
 CVE-2006-4813
 	RESERVED
-CVE-2006-4812
+CVE-2006-4812 [php unserialize integer overflow]
 	RESERVED
+	- php4 <not-affected>
+	- php5 <unfixed>
 CVE-2006-4811
 	RESERVED
 CVE-2006-4810
@@ -1903,7 +1905,7 @@
 	NOT-FOR-US: Solaris
 CVE-2006-4305 (Buffer overflow in SAP DB and MaxDB before 7.6.00.30 allows remote ...)
 	{DSA-1190-1}
-	- maxdb-7.5.00 <unfixed> (high; bug #386182)
+	- maxdb-7.5.00 7.5.00.34-5 (high; bug #386182)
 CVE-2006-4304 (Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD ...)
 	- kfreebsd-5 <unfixed> (bug #391289)
 CVE-2006-4303 (Race condition in (1) libnsl and (2) TLI/XTI API routines in Sun ...)
@@ -6727,7 +6729,7 @@
 	- ppp 2.4.4rel-1 (medium)
 CVE-2006-2193 (Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff ...)
 	{DSA-1091-1}
-	- tiff 3.8.2-4 (bug #371064; medium)
+	- tiff 3.8.2-4 (bug #371064; bug #370355; medium)
 CVE-2006-2191 (** DISPUTED ** ...)
 	- mailman <unfixed> (unimportant)
 	NOTE: not exploitable
@@ -7416,7 +7418,9 @@
 CVE-2006-1906 (Cross-site scripting (XSS) vulnerability in index.php in jjgan852 ...)
 	NOT-FOR-US: phpLister
 CVE-2006-1905 (Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine ...)
-	- xine-ui 0.99.4-1 (bug #363370; medium)
+	- xine-ui 0.99.4-1 (bug #363370; unimportant)
+	NOTE: This is a non-issue: An attacker would need to trick the user into opening
+	NOTE: an MP3 file with a very obviously manipulated filename containing the shellcode
 CVE-2006-1904 (Cross-site scripting (XSS) vulnerability in index.php in AnimeGenesis ...)
 	NOT-FOR-US: AnimeGenesis Gallery
 CVE-2006-1903 (Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila ...)
@@ -16197,6 +16201,7 @@
 	NOTE: Sarge is vulnerable
 CVE-2005-3183 (The HTBoundary_put_block function in HTBound.c for W3C libwww ...)
 	- w3c-libwww 5.4.0-11 (bug #334443; low)
+	[sarge] - w3c-libwww <no-dsa> (Minor DoS)
 CVE-2005-3182 (Buffer overflow in the HTTP management interface for GFI MailSecurity ...)
 	NOT-FOR-US: GFI MailSecurity
 CVE-2005-XXXX [xscreensaver does not maintain screen locks during upgrade]
@@ -16782,7 +16787,7 @@
 	{DSA-878-1}
 	- netpbm-free 2:10.0-10
 CVE-2005-2977 (The SELinux version of PAM before 0.78 r3 allows local users to ...)
-	- pam <unfixed> (bug #336344; medium)
+	- pam <unfixed> (bug #336344; low)
 	[sarge] - pam <not-affected> (Does not contain SELinux support)
 	[woody] - pam <not-affected> (Does not contain SELinux support)
 CVE-2005-2976 (Integer overflow in io-xpm.c in gdk-pixbuf 0.22.0 in GTK+ before 2.8.7 ...)

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2006-10-06 09:14:26 UTC (rev 4824)
+++ data/DSA/list	2006-10-06 15:27:38 UTC (rev 4825)
@@ -1,3 +1,6 @@
+[06 Oct 2006] DSA-1192-1 mozilla
+	{CVE-2006-2788 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566 CVE-2006-4568 CVE-2006-4570 CVE-2006-4571}
+	[sarge] - mozilla 1.7.8-1sarge7.3.1
 [05 Oct 2006] DSA-1191-1 mozilla-thunderbird
 	{CVE-2006-2788 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566 CVE-2006-4568 CVE-2006-4570 CVE-2006-4571}
 	[sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8c.1
@@ -88,10 +91,10 @@
 	{CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3811}
 	[sarge] - mozilla-firefox 1.0.4-2sarge11
 [29 Aug 2006] DSA-1160 mozilla - several
-        {CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809}
+        {CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3811}
         [sarge] - mozilla 2:1.7.8-1sarge7.2.2
 [28 Aug 2006] DSA-1159 mozilla-thunderbird - several
-        {CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810}
+        {CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811}
         [sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8b.1
 [27 Aug 2006] DSA-1158 streamripper
         {CVE-2006-3124}

More information about the Secure-testing-commits mailing list