[Secure-testing-commits] r6453 - data/CVE

jmm-guest at alioth.debian.org
Fri Aug 31 15:28:26 UTC 2007


Author: jmm-guest
Date: 2007-08-31 15:28:25 +0000 (Fri, 31 Aug 2007)
New Revision: 6453

Modified:
   data/CVE/list
Log:
tcp-wrappers flaw doesn't affect Debian
fetchmail, nvidia no-dsa
bugzilla/sarge, asterisk, vim/sarge, asterisk/sarge not-affected
new kernel issue
record apache2 fixes planned for stable
rewrite php entry as non-issue
NFUs
don't enter pidgin marketing buzz until details available


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-08-31 12:51:23 UTC (rev 6452)
+++ data/CVE/list	2007-08-31 15:28:25 UTC (rev 6453)
@@ -98,6 +98,8 @@
 	TODO: check
 CVE-2007-4601 (A regression error in tcp-wrappers 7.6.dbs-10 and 7.6.dbs-11 does not ...)
 	- tcp-wrappers 7.6.dbs-12 (bug #405342; medium)
+	[etch] - tcp-wrappers <not-affected> (Vulnerability was introduced in -10)
+	[sarge] - tcp-wrappers <not-affected> (Vulnerability was introduced in -10)
 CVE-2007-4580 (Buffer underflow in redlight.sys in BufferZone 2.1 and 2.5 allows ...)
 	NOT-FOR-US: BufferZone (Windows)
 CVE-2007-4579 (Heap-based buffer overflow in Microsoft MSN Messenger 7.x and Live ...)
@@ -130,6 +132,8 @@
 	NOT-FOR-US: SIDVault
 CVE-2007-4565 (fetchmail before 6.3.9 allows context-dependent attackers to cause a ...)
 	- fetchmail 6.3.8-8 (bug #440006; low)
+	[etch] - fetchmail <no-dsa> (Hardly a security problem)
+	[sarge] - fetchmail <no-dsa> (Hardly a security problem)
 CVE-2007-4564 (Cosminexus Manager in Cosminexus Application Server 07-00 and later ...)
 	NOT-FOR-US: Hitachi Cosminexus
 CVE-2007-4563 (Cosminexus Manager in Cosminexus Application Server 06-50 and later ...)
@@ -175,7 +179,8 @@
 CVE-2007-4544 (Cross-site scripting (XSS) vulnerability in wp-newblog.php in ...)
 	NOT-FOR-US: WordPress multi-user (MU)
 CVE-2007-4543 (Cross-site scripting (XSS) vulnerability in enter_bug.cgi in Bugzilla ...)
-	- bugzilla <unfixed> (bug #440106)
+	- bugzilla <unfixed> (low; bug #440106)
+        [sarge] - bugzilla <not-affected> (Vulnerable code not present)
 CVE-2007-4542 (Multiple cross-site scripting (XSS) vulnerabilities in MapServer ...)
 	TODO: check
 CVE-2007-4541 (Multiple cross-site scripting (XSS) vulnerabilities in Olate Download ...)
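Review bot: the added `[sarge] - bugzilla <not-affected>` line under CVE-2007-4543 is indented with eight spaces, while every surrounding entry line uses a single tab; anything that parses this list by leading tab may not attach the line to the CVE. Replace the spaces with a tab. The rewritten unstable line also puts the urgency first, `(low; bug #440106)`, whereas the other entries visible here use the bug-first order, as in `(bug #440006; low)`; keeping one order makes the file easier to grep.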
@@ -222,6 +227,8 @@
 	NOT-FOR-US: Ripe Website Manager
 CVE-2007-4521 (Asterisk Open Source 1.4.5 through 1.4.11, when configured to use an ...)
 	- asterisk <not-affected> (The voicemail backend is not enabled in Debian)
+	[sarge] - asterisk <not-affected> (Only Asterisk 1.4.x is affected)
+	[etch] - asterisk <not-affected> (Only Asterisk 1.4.x is affected)
 	NOTE: Patch: http://lists.digium.com/pipermail/asterisk-commits/2007-August/015743.html
 	NOTE: the backend will be enabled in future uploads with a fixed package.
 CVE-2007-4520
@@ -811,11 +818,9 @@
 CVE-2007-4256 (Directory traversal vulnerability in showpage.cgi in YNP Portal System ...)
 	NOT-FOR-US: YNP Portal System
 CVE-2007-4255 (Buffer overflow in the mSQL extension in PHP 5.2.3 allows ...)
-	- php5 <unfixed>
-	- php4 <removed>
-	[etch] - php5 <no-dsa> (requires malicious script)
-	[etch] - php4 <no-dsa> (requires malicious script)
-	[sarge] - php4 <no-dsa> (requires malicious script)
+	- php5 <unfixed> (unimportant)
+	- php4 <removed> (unimportant)
+        NOTE: Only exploitable by malicious script
 CVE-2007-4254 (Stack-based buffer overflow in a certain ActiveX control in VDT70.DLL ...)
 	NOT-FOR-US: Microsoft
 CVE-2007-4253 (SQL injection vulnerability in the News module in modules.php in ...)
@@ -1703,7 +1708,6 @@
 CVE-2007-3842 (Cross-site scripting (XSS) vulnerability in the 8e6 R3000 Enterprise ...)
 	NOT-FOR-US: 8e6 R3000 Enterprise Filter
 CVE-2007-3841 (Unspecified vulnerability in Pidgin (formerly Gaim) 2.0.2 for Linux ...)
-	- pidgin 2.1.0-1 (medium)
 	NOTE: this information is based upon a vague advisory by a vulnerability
 	NOTE: information sales organization that does not coordinate with vendors or
 	NOTE: release actionable advisories. So maybe it is not fixed _but_ since it is
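Review bot: removing `- pidgin 2.1.0-1 (medium)` leaves CVE-2007-3841 with only NOTE lines in the visible context, so the entry carries neither a package status nor a TODO marker. If the intent is to wait for details, as the log says, an explicit `TODO: check` or a `- pidgin <unfixed>` line would keep the issue on the open list instead of relying on someone rereading the notes.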
@@ -2404,6 +2408,8 @@
 	NOT-FOR-US: 3Com
 CVE-2007-3532 (NVIDIA drivers (nvidia-drivers) before 1.0.7185, 1.0.9639, and ...)
 	- nvidia-kernel-common <unfixed> (bug #434398)
+	[sarge] - nvidia-kernel-common <no-dsa> (Contrib and non-free not supported)
+	[etch] - nvidia-kernel-common <no-dsa> (Contrib and non-free not supported)
 CVE-2007-3531 (The set_default_speeds function in backend/backend.c in NVidia NVClock ...)
 	TODO: check
 CVE-2007-3530 (PHPDirector 0.21 and earlier stores the admin account name and ...)
@@ -2802,7 +2808,7 @@
 	[sarge] - gdm <no-dsa> (Minor issue)
 	[etch] - gdm <no-dsa> (Minor issue)
 CVE-2007-3380 (The Distributed Lock Manager (DLM) in the cluster manager for Linux ...)
-	TODO: check
+	- linux-2.6 2.6.23-1
 CVE-2007-3379
 	RESERVED
 CVE-2007-3378 (The (1) session_save_path and (2) ini_set functions in PHP 4.4.7 and ...)
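Review bot: the new `- linux-2.6 2.6.23-1` line for CVE-2007-3380 has no urgency and no release-specific status, unlike neighbouring entries that spell out `[sarge]` and `[etch]`. Please add an urgency and state whether the stable kernels are affected, or keep a `TODO: check` for the stable releases so the open question stays visible.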
@@ -3000,7 +3006,7 @@
 	[etch] - apache <unfixed> (low)
 	[sarge] - apache <unfixed> (low)
 	- apache2 2.2.4-2 (low)
-	[etch] - apache2 <unfixed> (low)
+        [etch] - apache2 2.2.3-4+etch2
 	[sarge] - apache2 2.0.54-5sarge2 (low)
 CVE-2007-3303 (Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows ...)
 	- apache2 <unfixed> (unimportant)
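Review bot: the replacement line `[etch] - apache2 2.2.3-4+etch2` records a fixed version, but the log describes these as fixes "planned for stable". If 2.2.3-4+etch2 is not yet in the archive, etch will be reported as fixed before the update exists; consider leaving `<unfixed>` with a NOTE naming the planned version until it is released. The line also drops the `(low)` urgency that the line it replaces carried and is indented with spaces instead of a tab. The same `[etch]` line is added under CVE-2007-1863 and CVE-2006-5752 with the same indentation.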
@@ -4546,7 +4552,6 @@
 	- xfsdump 2.2.45-1 (bug #417894; low)
 CVE-2007-2653
 	REJECTED
-	NOT-FOR-US: This is bogus, the annoucement refers to the recently discovered modelines issues	
 CVE-2007-2652 (Multiple unspecified vulnerabilities in Free-SA before 1.2.2 allow ...)
 	NOT-FOR-US: Free-SA
 CVE-2007-2651 (Multiple off-by-one errors in VooDoo cIRCle before 1.1.beta27 allow ...)
@@ -5027,9 +5032,9 @@
 CVE-2007-2439 (Caucho Resin Professional 3.1.0 and Caucho Resin 3.1.0 and earlier for ...)
 	NOT-FOR-US: Caucho Resin Professional
 CVE-2007-2438 (The sandbox for vim allows dangerous functions such as (1) writefile, ...)
-	- vim 1:7.1-022+1 (bug #435401; medium)
-	TODO: File bug
-	NOTE: Exploitable through modelines.
+	- vim 1:7.1-022+1 (bug #435401; low)
+	[sarge] - vim <not-affected> (Vulnerable code not present)
+	NOTE: Exploitable through modelines, needs to be used with care in any case
 CVE-2007-2437 (The X render (Xrender) extension in X.org X Window System 7.0, 7.1, ...)
 	- xorg-server 2:1.3.0.0.dfsg-4 (unimportant; bug #422936)
 	NOTE: etch vulnerable (patch below applies)
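Review bot: after this change the CVE-2007-2438 entry has a `[sarge]` line but no `[etch]` line, so etch's status rests only on the comparison against `1:7.1-022+1`. If etch is affected and no update is planned, say so with an explicit `[etch] - vim <no-dsa>` line and a reason. The urgency also moves from medium to low with only "needs to be used with care in any case" as rationale; a short NOTE on why modeline exposure is rated low would help later triage.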
@@ -5040,7 +5045,6 @@
 	NOTE: just as well provide a binary which does more harm
 CVE-2007-2436
 	REJECTED
-	NOTE: duplicate of CVE-2007-1861
 CVE-2007-2435 (Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java ...)
 	- sun-java5 1.5.0-11-1 (medium; bug #423062)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
@@ -5502,7 +5506,7 @@
 	[etch] - bind9 <not-affected> (Only 9.4/9.5 branches affected)
 	[sarge] - bind9 <not-affected> (Only 9.4/9.5 branches affected)
 CVE-2007-2240 (The IBM Lenovo Access Support acpRunner ActiveX control, as ...)
-	TODO: check
+	NOT-FOR-US: IBM Lenovo Access Support acpRunner ActiveX control
 CVE-2007-2239 (Stack-based buffer overflow in the SaveBMP method in the AXIS Camera ...)
 	NOT-FOR-US: AXIS Camera Control
 CVE-2007-2238
@@ -6339,6 +6343,7 @@
 CVE-2007-1863 (cache_util.c in the mod_cache module in Apache HTTP Server (httpd), ...)
 	- apache2 2.2.4-1 (low)
 	[sarge] - apache2 2.0.54-5sarge2
+        [etch] - apache2 2.2.3-4+etch2
 	TODO: check apache 1
 	NOTE: see http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/cache/cache_util.c?view=markup&pathrev=551944
 CVE-2007-1862 (The recall_headers function in mod_mem_cache in Apache 2.2.4 does not ...)
@@ -6980,6 +6985,7 @@
 CVE-2007-1595 (The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk ...)
 	- asterisk 1:1.4.0~dfsg-1 (low)
 	[etch] - asterisk <not-affected> (Only affects 1.4.x)
+	[sarge] - asterisk <not-affected> (Only affects 1.4.x)
 CVE-2007-1593 (The administrative service in Symantec Veritas Volume Replicator (VVR) ...)
 	NOT-FOR-US: Symantec
 CVE-2007-1592 (net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 ...)
@@ -13938,6 +13944,7 @@
 CVE-2006-5752 (Cross-site scripting (XSS) vulnerability in mod_status.c in the ...)
 	- apache2 2.2.4-2 (low)
 	[sarge] - apache2 2.0.54-5sarge2
+        [etch] - apache2 2.2.3-4+etch2
 	- apache <removed> (low)
 CVE-2006-5751 (Integer overflow in the get_fdb_entries function in ...)
 	{DSA-1233}



