[Secure-testing-commits] r4785 - data/CVE
Moritz Muehlenhoff
jmm-guest at costa.debian.org
Sat Sep 30 14:12:38 UTC 2006
Author: jmm-guest
Date: 2006-09-30 14:12:37 +0000 (Sat, 30 Sep 2006)
New Revision: 4785
Modified:
data/CVE/list
Log:
no-dsa for overkill
bind8 behaviour documented
move old kernel issue into kernel tracker
remove apt non-issue
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2006-09-30 14:08:54 UTC (rev 4784)
+++ data/CVE/list 2006-09-30 14:12:37 UTC (rev 4785)
@@ -4663,7 +4663,8 @@
CVE-2006-2972 (SQL injection vulnerability in vs_resource.php in Arantius Vice Stats ...)
NOT-FOR-US: Arantius Vice Stats
CVE-2006-2971 (Integer overflow in the recv_packet function in 0verkill 0.16 allows ...)
- - overkill 0.16-9 (bug #373687; medium)
+ - overkill 0.16-9 (bug #373687; low)
+ [sarge] - overkill <no-dsa> (Only DoS against an obscure game, no code injection possible)
CVE-2006-2970 (videoPage.php in L0j1k tinyMuw 0.1.0 allows remote attackers to obtain ...)
NOT-FOR-US: tinyMuw
CVE-2006-2969 (Cross-site scripting (XSS) vulnerability in L0j1k tinyMuw 0.1.0 allow ...)
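Review bot: the no-dsa justification added for sarge ("Only DoS against an obscure game, no code injection possible") is a stronger claim than the severity downgrade to low needs, and nothing in the hunk shows what it rests on. The CVE text itself describes an integer overflow in recv_packet, i.e. in the network receive path, and integer overflows in that position are routinely exploitable for more than a crash unless the overflowed value is only ever used in a length comparison. Either reference the analysis that rules out a memory write (bug #373687 is cited, so a pointer such as "see #373687" would do) or soften the wording to "no known code execution path", so the next person touching this entry does not have to redo the reasoning.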
@@ -10556,10 +10557,11 @@
[sarge] - evolution <not-affected> (Vulnerability was apparantly introduced in 2.3.1)
[woody] - evolution <not-affected> (Vulnerability was apparantly introduced in 2.3.1)
CVE-2006-0527 (BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, ...)
- - bind <unfixed> (medium)
+ - bind 1:8.4.7-1 (low)
[sarge] - bind <no-dsa> (Architectual limitatiom, upgrade to BIND 9 as a a fix)
NOTE: BIND 8 is unsuitable for forwarder use because of its
NOTE: architecture. Upgrade to BIND 9 as a fix.
+ NOTE: This was fixed in sid by documenting it as an unfixable design limitation
CVE-2006-0526 (The default configuration of the America Online (AOL) client software ...)
NOT-FOR-US: AOL
CVE-2006-0525 (Multiple Adobe products, including (1) Photoshop CS2, (2) Illustrator ...)
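Review bot: changing "- bind <unfixed> (medium)" to "- bind 1:8.4.7-1 (low)" records a fixed version for sid although the added NOTE on the last line says the fix consists of documenting the behaviour as an unfixable design limitation, so the tracker will now report sid as not vulnerable while the forwarder behaviour is unchanged. If the decision is that BIND 8 cannot be fixed and users must move to BIND 9, the entry should say so with the tags this file already uses (keep <unfixed> or mark the package with a no-dsa/not-affected style annotation plus the NOTE) rather than a version number; if 1:8.4.7-1 really ships something (a NEWS or README entry warning against forwarder use), the NOTE should name it so the version claim is verifiable. Minor: the two NOTE lines above already state the architecture limitation, so the new NOTE largely duplicates them, and the unchanged sarge line still carries "Architectual limitatiom" and "as a a fix", which could be tidied in the same commit.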
@@ -16175,9 +16177,6 @@
CVE-2005-XXXX [tar's rmt command may have undesired side effects]
- tar <unfixed> (bug #290435; unimportant)
[sarge] - tar <no-dsa> (Hardly exploitable)
-CVE-2005-XXXX [smbmount doesn't honor gid/uid with kernel 2.4]
- - kernel-source-2.4.27 <unfixed> (bug #310982; low)
- NOTE: probably already fixed in testing, wrote for confirmation
CVE-2004-XXXX [Unspecified buffer overflow in libmng]
- libmng 1.0.8-1 (bug #250106)
CVE-2004-XXXX [Multiple buffer overflows in isoqlog]
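Review bot: the smbmount/kernel-source-2.4.27 entry is deleted here together with its bug reference (#310982) and the note "probably already fixed in testing, wrote for confirmation", but nothing in the diff records the confirmation or where the issue now lives. The commit log says it was moved into the kernel tracker; a replacement line in this file (or at least the kernel tracker path in the log) would keep the bug number traceable from data/CVE/list, which is where someone searching for it will look first.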
@@ -16186,12 +16185,6 @@
- libnss-ldap 199-1 (bug #169793)
CVE-2005-3752 (Unspecified vulnerability in ldapdiff before 1.1.1 has unknown impact ...)
- ldapdiff <not-affected> (The version in Debian doesn't contain the vulnerable code, see #306878)
-CVE-2005-XXXX [apt-cache doesn't differentiate sources which share several properties]
- - apt <unfixed> (bug #329814; low)
- [sarge] - apt <no-dsa> (Unsupported use case)
- NOTE: I tend to remove this completely, if you're using apt sources which include vulnerable
- NOTE: versions of Debian packages with higher version numbers you're screwed anyway, no matter
- NOTE: what apt display in this case
CVE-2004-XXXX [asciijump: /var/games/asciijump world writable]
- asciijump 0.0.6-1.2 (bug #269186)
CVE-2004-XXXX [Barrendero spool world-readable]
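Review bot: dropping the apt entry outright discards the triage result along with the bug reference (#329814) and the reasoning in the removed NOTE lines (an apt source that offers higher-versioned vulnerable packages compromises the system regardless of what apt-cache displays), so the same report can be filed and re-entered later with no trace that it was already rejected. The file's own convention for this case is visible a few lines up in the ldapdiff entry, "<not-affected> (... see #306878)"; keeping a one-line entry of that form, with the "not a security boundary" rationale, preserves the decision without re-listing it as open.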