[Secure-testing-commits] r4868 - data/CVE

Moritz Muehlenhoff jmm-guest at costa.debian.org
Sat Oct 21 22:13:38 UTC 2006 

Author: jmm-guest
Date: 2006-10-21 22:13:37 +0000 (Sat, 21 Oct 2006)
New Revision: 4868

Modified:
   data/CVE/list
Log:
mark php openbasedir issues as unimportant
some linux-2.6 issues fixed in latest upload
egroupware not-affected per maintainer
slash not-affected per maintainer
old imp issue is a non-issue


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-10-20 20:06:54 UTC (rev 4867)
+++ data/CVE/list	2006-10-21 22:13:37 UTC (rev 4868)
@@ -416,9 +416,9 @@
 CVE-2006-5179 (Intoto iGateway VPN and iGateway SSL-VPN allow context-dependent ...)
 	NOT-FOR-US: Intoto iGateway
 CVE-2006-5178 (Race condition in the symlink function in PHP 5.1.6 and earlier allows ...)
-	- php5 <unfixed> (bug #391281; low)
-	- php4 <unfixed> (bug #391282; low)
-	[sarge] - php4 <no-dsa> (openbasedir not supported)
+	- php5 <unfixed> (bug #391281; unimportant)
+	- php4 <unfixed> (bug #391282; unimportant)
+	NOTE: open_basedir is not supported
 CVE-2006-5177 (The NTLM authentication in MailEnable Professional 2.0 and Enterprise ...)
 	NOT-FOR-US: MailEnable Professional
 CVE-2006-5176 (Buffer overflow in NTLM authentication in MailEnable Professional 2.0 ...)
@@ -426,7 +426,7 @@
 CVE-2006-5175 (Cross-site request forgery (CSRF) vulnerability in the administrative ...)
 	NOT-FOR-US: TeraStation HD-HTGL
 CVE-2006-5174 (The copy_from_user function in the uaccess code in Linux kernel 2.6 ...)
-	- linux-2.6 <unfixed> (low)
+	- linux-2.6 2.6.18-3
 	NOTE: s390 only
 CVE-2006-5173 (Linux kernel does not properly save or restore EFLAGS during a context ...)
 	TODO: check
@@ -1587,9 +1587,9 @@
 CVE-2006-4626 (Heap-based buffer overflow in alwil avast! Anti-virus Engine before ...)
 	NOT-FOR-US: avast! Anti-virus Engine
 CVE-2006-4625 (PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass ...)
-	- php4 <unfixed> (bug #391282; low)
-	- php5 <unfixed> (bug #391281; low)
-	[sarge] - php4 <no-dsa> (open_basedir violations not supported)
+	- php4 <unfixed> (bug #391282; unimportant)
+	- php5 <unfixed> (bug #391281; unimportant)
+	NOTE: open_basedir violations not supported in Debian's PHP
 CVE-2006-4624 (CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 ...)
 	{DSA-1188-1}
 	- mailman 1:2.1.8-3
@@ -3073,7 +3073,8 @@
 CVE-2006-3991 (PHP remote file inclusion vulnerability in index.php in Vlad Vostrykh ...)
 	NOT-FOR-US: Voodoo chat
 CVE-2006-3990 (Multiple PHP remote file inclusion vulnerabilities in Paul M. Jones ...)
-	- egroupware <unfixed> (bug #382207; medium)
+	- egroupware <not-affected>
+	NOTE: According to upstream egroupware is not affected, see #382207
 CVE-2006-3989 (PHP remote file inclusion vulnerability in index.php in Knusperleicht ...)
 	NOT-FOR-US: Knusperleicht
 CVE-2006-3988 (PHP remote file inclusion vulnerability in index.php in Knusperleicht ...)
@@ -6614,7 +6615,9 @@
 	{DSA-1090-1}
 	- spamassassin 3.1.3-1 (medium)
 CVE-2006-2446 (Race condition between the kfree_skb and __skb_unlink functions in the ...)
-	- linux-2.6 <unfixed>
+	- linux-2.6 2.6.16-1
+	NOTE: I'm not sure at which point this was merged, but I checked 2.6.16 and the
+	NOTE: patch is included there
 CVE-2006-2445 (Race condition in run_posix_cpu_timers in Linux kernel before ...)
 	- linux-2.6 2.6.16-15
 CVE-2006-2444 (The snmp_trap_decode function in the SNMP NAT helper for Linux kernel ...)
@@ -8438,7 +8441,7 @@
 CVE-2005-4773 (The configuration of VMware ESX Server 2.x, 2.0.x, 2.1.x, and 2.5.x ...)
 	NOT-FOR-US: VMware
 CVE-2004-2656 (Multiple cross-site scripting (XSS) vulnerabilities in Slashdot Like ...)
-	- slash <unfixed> (medium; bug #390469)
+	- slash <not-affected> (Vulnerable code introduced in 2002, while Debian's is older!)
 CVE-2006-XXXX [firebird local DoS]
 	- firebird2 1.5.3.4870-4 (bug #362001)
 	[sarge] - firebird2 <no-dsa> (Minor issue)
@@ -10122,13 +10125,13 @@
 CVE-2006-1016 (Buffer overflow in the IsComponentInstalled method in Internet ...)
 	NOT-FOR-US: Windows
 CVE-2006-1015 (Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x ...)
-	- php5 5.1.4-0.1 (bug #368595; low)
-	- php4 <unfixed> (bug #368592; low)
-	[sarge] - php4 <no-dsa> (Application's job to sanitize input)
+	- php5 5.1.4-0.1 (bug #368595; unimportant)
+	- php4 <unfixed> (bug #368592; unimportant)
+	NOTE: It's the application's job to sanitize input passed to a function
 CVE-2006-1014 (Argument injection vulnerability in certain PHP 4.x and 5.x ...)
-	- php5 5.1.4-0.1 (bug #368595; low)
-	- php4 <unfixed> (bug #368592; low)
-	[sarge] - php4 <no-dsa> (Application's job to sanitize input)
+	- php5 5.1.4-0.1 (bug #368595; unimportant)
+	- php4 <unfixed> (bug #368592; unimportant)
+	NOTE: It's the application's job to sanitize input passed to a function
 CVE-2006-1013 (PHP remote file include vulnerability in index.php in SMartBlog (aka ...)
 	NOT-FOR-US: SMartBlog
 CVE-2006-1012 (SQL injection vulnerability in WordPress 1.5.2, and possibly other ...)
@@ -13220,9 +13223,9 @@
 CVE-2005-4353 (SQL injection vulnerability in index.php in toendaCMS 0.6.2.1, when ...)
 	NOT-FOR-US: toendaCMS
 CVE-2005-4352 (The securelevels implementation in NetBSD 2.1 and earlier, and Linux ...)
-	- linux-2.6 <unfixed>
+	- linux-2.6 2.6.18-3
 CVE-2005-4351 (The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up ...)
-	- linux-2.6 <unfixed>
+	- linux-2.6 2.6.18-3
 CVE-2005-4350 (Unspecified vulnerability in WBEM Services A.01.x before A.01.05.12 ...)
 	NOT-FOR-US: WBEM Services
 CVE-2005-4349 (** DISPUTED ** ...)
@@ -13809,8 +13812,8 @@
 CVE-2005-4081 (Multiple SQL injection vulnerabilities in Alisveristr E-commerce allow ...)
 	NOT-FOR-US: Alisveristr E-commerce
 CVE-2005-4080 (Horde IMP 4.0.4 and earlier does not sanitize strings containing UTF16 ...)
-	- imp4 <unfixed> (bug #342654; low)
-	[sarge] - imp4 <no-dsa> (Internet Explorer bug, needs to be fixed there)
+	- imp4 <unfixed> (bug #342654; unimportant)
+	NOTE: Internet Explorer bug, most definitely fixed since long, didn't check though
 CVE-2005-4079 (The register_globals emulation in phpMyAdmin 2.7.0 rc1 allows remote ...)
 	- phpmyadmin <not-affected> (Affects only 2.7.0)
 CVE-2005-4078 (Multiple cross-site scripting (XSS) vulnerabilities in Ideal BB.NET ...)

More information about the Secure-testing-commits mailing list