[Secure-testing-commits] r4859 - data/CVE

Moritz Muehlenhoff jmm-guest at costa.debian.org
Wed Oct 18 19:11:45 UTC 2006


Author: jmm-guest
Date: 2006-10-18 19:11:44 +0000 (Wed, 18 Oct 2006)
New Revision: 4859

Modified:
   data/CVE/list
Log:
dokuwiki fixed
removed CVEfied dokuwiki issues
plone fixed


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-10-18 09:14:22 UTC (rev 4858)
+++ data/CVE/list	2006-10-18 19:11:44 UTC (rev 4859)
@@ -303,8 +303,9 @@
 CVE-2006-5295 (Unspecified vulnerability in ClamAV before 0.88.5 allows remote ...)
 	- clamav 0.88.5-1 (high; bug #393445)
 CVE-2006-5229 (OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and ...)
-	TODO: check
-	NOTE: Not reproducible with standard etch setup
+	NOTE: This issues depends on the stack of selected authentication modules, while
+	NOTE: some are resilient against such timing attacks, some aren't
+	NOTE: This is inside responsibility of an admin
 CVE-2006-5228 (Multiple SQL injection vulnerabilities in the Google Gadget login.php ...)
 	NOT-FOR-US: ackerTodo
 CVE-2006-5227 (Cross-site scripting (XSS) vulnerability in admin.php in TorrentFlux ...)
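Review bot: The CVE-2006-5229 entry now carries only NOTE lines and no package status line, so the tracker still cannot tell whether openssh is considered unfixed, not-affected or unimportant; add an explicit `- openssh <status>` line reflecting the "admin responsibility" decision (the bind9 entry later in this commit uses `(unimportant)` for the same kind of reasoning). Also fix the grammar in the first NOTE: "This issue depends on the stack of selected authentication modules".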
@@ -583,9 +584,9 @@
 CVE-2006-5100 (PHP remote file inclusion vulnerability in parse/parser.php in ...)
 	NOT-FOR-US: WEB//NEWS (aka webnews)
 CVE-2006-5099 (lib/exec/fetch.php in DokuWiki before 2006-03-09e, when ...)
-	- dokuwiki <unfixed> (bug #391291; medium)
+	- dokuwiki 0.0.20060309-5.2 (bug #391291; medium)
 CVE-2006-5098 (lib/exec/fetch.php in DokuWiki before 2006-03-09e allows remote ...)
-	- dokuwiki <unfixed> (bug #391291; medium)
+	- dokuwiki 0.0.20060309-5.2 (bug #391291; medium)
 CVE-2006-5097 (** DISPUTED ** ...)
 	NOT-FOR-US: net2ftp
 CVE-2006-5096 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...)
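Review bot: Both DokuWiki entries switch to the same fixed version 0.0.20060309-5.2 and the same bug #391291, which is consistent, but neither carries a `[sarge]` line, so stable's status for these two fetch.php issues is left implicit; add one (`<not-affected>`, `<no-dsa>` or a fixed version) so the release status is recorded in the same way as the other entries in this file.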
@@ -831,9 +832,10 @@
 CVE-2006-4981 (Symantec Sygate NAC allows physically proximate attackers to bypass ...)
 	NOT-FOR-US: Symantec
 CVE-2006-4980 (Buffer overflow in the repr function in Python 2.3 through 2.6 before ...)
-	- python2.4 2.4.3-9
+	- python2.5 2.5-1 (bug #391589)
+	- python2.4 2.4.3-9 (bug #391589)
 	- python2.3 <unfixed> (bug #393053)
-	- python2.5 2.5-1
+	- python2.2 <not-affected> (Compiled without UCS-4 support)
 CVE-2006-4979 (Direct static code injection vulnerability in cfgphpquiz/install.php ...)
 	NOT-FOR-US: PhpQuiz
 CVE-2006-4978 (Multiple SQL injection vulnerabilities in Walter Beschmout PhpQuiz 1.2 ...)
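Review bot: The python2.2 `<not-affected>` rationale "Compiled without UCS-4 support" is a property of the Debian build rather than of the upstream source, so it holds only as long as the package keeps that build configuration; phrase it as "Debian build compiled without UCS-4 support" and note the check that was done. Note also that python2.3 stays `<unfixed>` under a different bug (#393053) while 2.4 and 2.5 cite #391589; confirm the two bugs are intentionally separate.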
@@ -1185,7 +1187,7 @@
 	TODO: check
 CVE-2006-4812 (Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote ...)
 	- php4 <not-affected>
-	- php5 <unfixed>
+	- php5 <unfixed> (bug #391586)
 CVE-2006-4811
 	RESERVED
 CVE-2006-4810
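Review bot: The php5 line gains bug #391586 but still has no severity tag, unlike most other open entries in this file (e.g. `(bug #391291; medium)`); add one so the unfixed integer overflow is prioritised consistently with the rest of the list.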
@@ -2480,7 +2482,7 @@
 	RESERVED
 CVE-2006-4247 (Unspecified vulnerability in the Password Reset Tool before 0.4.1 on ...)
 	[sarge] - zope-cmfplone <not-affected> (Vulnerable code not present)
-	- zope-cmfplone <unfixed>
+	- zope-cmfplone 2.5.1-1
 CVE-2006-4246 (Usermin before 1.220 (20060629) allows remote attackers to read ...)
 	{DSA-1177-1}
 	- usermin <removed> (bug #374609)
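Review bot: zope-cmfplone moves to fixed version 2.5.1-1 without a bug reference, whereas the other fixed entries in this commit cite one (e.g. `(bug #391291; medium)`); add the bug number or a NOTE saying the fix landed via a plain upstream update so the fixed version can be traced.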
@@ -2563,7 +2565,9 @@
 CVE-2006-4209 (PHP remote file inclusion vulnerability in install3.php in WEBInsta ...)
 	NOT-FOR-US: WEBInsta Mailing List Manager
 CVE-2006-4208 (Directory traversal vulnerability in wp-db-backup.php in Skippy ...)
-	- wordpress <unfixed> (low; bug #384800)
+	- wordpress <unfixed> (unimportant; bug #384800)
+	NOTE: Only exploitable by admin users, someone with the privilege to backup
+	NOTE: your data must be trustworthy
 CVE-2006-4207 (Multiple PHP remote file inclusion vulnerabilities in Bob Jewell ...)
 	NOT-FOR-US: Discloser
 CVE-2006-4206 (Cross-site scripting (XSS) vulnerability in calendar.asp in ...)
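Review bot: The downgrade to `unimportant` rests entirely on the NOTE's assumption that a WordPress admin is trusted with the web server's filesystem, so state that assumption explicitly rather than "someone with the privilege to backup your data must be trustworthy"; suggested wording: "Only exploitable by admin users; anyone with the privilege to back up the site is already trusted with its data". Also "backup" as a verb should be "back up".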
@@ -5411,7 +5415,9 @@
 CVE-2006-2942 (TWiki 4.0.0, 4.0.1, and 4.0.2 allows remote attackers to gain Twiki ...)
 	- twiki <not-affected> (Debian's version is old and does not include affected file)
 CVE-2006-2941 (Mailman before 2.1.9rc1 allows remote attackers to cause a denial of ...)
-	- mailman 1:2.1.8-3
+	- mailman <not-affected>
+	NOTE: Mailman uses the system version of the affected Python lib
+	TODO: Check affected Python versions
 CVE-2006-2940 (OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions ...)
 	{DSA-1195-1 DSA-1185-2}
 	- openssl 0.9.8c-2 (bug #389940)
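Review bot: Marking mailman `<not-affected>` while leaving "TODO: Check affected Python versions" is contradictory: if the affected code lives in the system Python library, the status of mailman is settled only once that check is done. Either keep the entry pending until the TODO resolves, or keep `<not-affected>` and replace the TODO with a NOTE pointing at the Python entry that tracks the library fix.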
@@ -5727,10 +5733,6 @@
 CVE-2006-2842 (** DISPUTED ** ...)
 	- squirrelmail 2:1.4.7-1 (unimportant; bug #373731)
 	NOTE: Only exploitable with register_globals enabled
-CVE-2006-XXXX [XSS vulnerability in dokuwikis's "Fullname" and "E-Mail" fields]
-	- dokuwiki <unfixed> (medium)
-CVE-2006-XXXX [PHP injection vulnerability in dokuwiki via curly braces]
-	- dokuwiki <unfixed> (medium)
 CVE-2006-XXXX [webalizer: symlink vulnerability]
 	- webalizer 2.01.10-29 (bug #359745)
 CVE-2006-2805 (SQL injection vulnerability in VBulletin 3.0.10 allows remote ...)
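Review bot: The two removed `CVE-2006-XXXX` DokuWiki placeholders are dropped without recording which real CVE ids they were folded into; the log only says "removed CVEfied dokuwiki issues". Name the assigned ids in the log (or in a NOTE on the receiving entries) so that anyone following the history of the "Fullname"/"E-Mail" XSS and the curly-brace PHP injection can find where they are now tracked.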
@@ -10175,10 +10177,10 @@
 CVE-2006-0988 (The default configuration of the DNS Server service on Windows Server ...)
 	NOT-FOR-US: MS Windows issue
 CVE-2006-0987 (The default configuration of ISC BIND, when configured as a caching ...)
-	- bind <unfixed> (bug #355787; low)
-	[sarge] - bind <no-dsa> (Affected sites can configure AllowRecursion)
-	- bind9 <unfixed> (bug #356266; low)
-	[sarge] - bind9 <no-dsa> (Affected sites can configure AllowRecursion)
+	- bind <unfixed> (bug #355787; unimportant)
+	- bind9 <unfixed> (bug #356266; unimportant)
+	NOTE: This is within the responsibilities of a local admin, especially when
+	NOTE: operating a DNS server, affected sites can configure AllowRecursion
 CVE-2006-0986 (WordPress 2.0.1 and earlier allows remote attackers to obtain ...)
 	- wordpress 2.0.2-1 (bug #355055; unimportant)
 CVE-2006-0985 (Multiple cross-site scripting (XSS) vulnerabilities in the &quot;post ...)
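Review bot: Dropping the two `[sarge] - bind/bind9 <no-dsa>` lines leaves stable with no explicit status even though the unstable entries are only downgraded to `unimportant`; keep a `[sarge]` line (or state in the NOTE that `unimportant` applies to all releases). The option is spelled `allow-recursion` in named.conf, so "AllowRecursion" in the NOTE will mislead an admin searching the BIND documentation.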
@@ -12918,8 +12920,6 @@
 CVE-2005-4534 (The shadow database feature (syncshadowdb) in Bugzilla 2.9 through ...)
 	- bugzilla 2.18 (bug #329387; low)
 	NOTE: The vulnerable script has been removed in the 2.18 upstream release
-	[woody] - bugzilla <unfixed> (low)
-	[sarge] - bugzilla <unfixed> (low)
 CVE-2005-XXXX [Insecure tempfile in libjpeg6b's exifautotran]
 	- libjpeg6b 6b-11 (bug #340079; low)
 	[woody] - libjpeg6b <not-affected> (Does not include exifautotran)
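Review bot: Removing the `[woody]` and `[sarge]` bugzilla `<unfixed>` lines deletes the per-release status instead of updating it; the NOTE above only says the vulnerable script was removed upstream in 2.18, which does not establish that the stable and oldstable packages are unaffected. Replace the two lines with `<no-dsa>` or `<not-affected>` plus a reason, as the libjpeg6b entry directly below does.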