[Secure-testing-commits] r7472 - data/CVE

jmm-guest at alioth.debian.org
Sun Dec 2 18:43:07 UTC 2007


Author: jmm-guest
Date: 2007-12-02 18:43:06 +0000 (Sun, 02 Dec 2007)
New Revision: 7472

Modified:
   data/CVE/list
Log:
resolve older jffnms issue, incorrect CVE allocation
ekiga no-dsa
rewrite PHP non-issue
wordpress not unimportant, e.g. could be used as a stepstone
  in an adjacent vulnerability


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-12-02 17:57:49 UTC (rev 7471)
+++ data/CVE/list	2007-12-02 18:43:06 UTC (rev 7472)
@@ -310,9 +310,9 @@
 CVE-2007-6040 (The Belkin F5D7230-4 Wireless G Router allows remote attackers to ...)
 	NOT-FOR-US: Belkin F5D7230-4 Wireless G Router
 CVE-2007-6039 (PHP 5.2.5 and earlier allows context-dependent attackers to cause a ...)
-	- php5 <unfixed> (bug #453295)
-	[etch] - php5 <no-dsa> (requires negligent/malicious local user)
-	[etch] - php4 <not-affected> (detects memory exhaustion and quits)
+	- php5 <unfixed> (unimportant; bug #453295)
+	NOTE: Not a vulnerability per Debian PHP security policy, requires malicious
+	NOTE: script to trigger this issue
 CVE-2007-6077 (The session fixation protection mechanism in cgi_process.rb in Rails ...)
 	- rails 1.2.6-1 (low; bug #452748)
 CVE-2007-6111 (Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) ...)
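Review bot: the removed `[etch] - php4 <not-affected> (detects memory exhaustion and quits)` line carried a disposition and a reason that the new entry no longer records; after this hunk php4 is simply absent from CVE-2007-6039, so the tracker no longer says why php4 is excluded. If php4 in etch is genuinely not affected, keep that line (or fold its reason into the NOTE). Dropping the `[etch] - php5 <no-dsa>` line is consistent with the new `unimportant` rating, but the NOTE narrows the original reason from "negligent/malicious local user" to "malicious script"; if negligent use also triggers it, the old wording was more accurate.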
@@ -410,7 +410,7 @@
 CVE-2007-6014
 	RESERVED
 CVE-2007-6013 (Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash ...)
-	- wordpress <unfixed> (unimportant; bug #452251)
+	- wordpress <unfixed> (low; bug #452251)
 	NOTE: if untrusted people are allowed to read the database they could still
 	NOTE: crack the hash with more work, so maybe this is unimportant?
 CVE-2007-6012 (SQL injection vulnerability in SearchR.asp in DocuSafe 4.1.0 allows ...)
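Review bot: the severity on `- wordpress <unfixed> (low; bug #452251)` is raised from `unimportant` to `low`, but the two unchanged NOTE lines still end with "so maybe this is unimportant?", which now contradicts the rating. Replace or extend the NOTE with the reason given in the commit message (the weak MD5-based cookie could serve as a stepping stone when combined with a vulnerability that exposes the database), so the entry records why `low` was chosen.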
@@ -3859,6 +3859,7 @@
 	NOT-FOR-US: eWire Payment Client
 CVE-2007-4924 (The Open Phone Abstraction Library (opal), as used by (1) Ekiga before ...)
 	- ekiga 2.0.11-1 (low)
+	[etch] - ekiga <no-dsa> (Minor issue)
 CVE-2007-4923 (PHP remote file inclusion vulnerability in admin.joomlaradiov5.php in ...)
 	NOT-FOR-US: Joomla extension
 CVE-2007-4922 (SQL injection vulnerability in play.php in the jeuxflash 1.0 module ...)
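Review bot: style: the no-dsa reason on the added `[etch] - ekiga <no-dsa> (Minor issue)` line is capitalised, whereas the other parenthetical reasons in this file are lowercase phrases (`(requires negligent/malicious local user)`, `(detects memory exhaustion and quits)`); `(minor issue)` would match the surrounding convention, and a one-line NOTE stating why a low-severity opal issue does not warrant a DSA for etch would make the decision easier to audit later.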
@@ -3914,6 +3915,7 @@
 	NOT-FOR-US: Xwiki
 CVE-2007-4897 (pwlib, as used by Ekiga 2.0.5 and possibly other products, allows ...)
 	- ekiga 2.0.9-1 (low)
+	[etch] - ekiga <no-dsa> (Minor issue)
 CVE-2007-4896 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
 	NOT-FOR-US: Toms Gaestebuch
 CVE-2007-4895 (Directory traversal vulnerability in dwoprn.php in Sisfo Kampus 2006 ...)
@@ -7939,10 +7941,8 @@
 	- php5 <unfixed> (unimportant)
 	NOTE: That's by design
 CVE-2007-3204 (SQL injection vulnerability in auth.php in Just For Fun Network ...)
-	- jffnms 0.8.3dfsg.1-4 (high)
-	NOTE: 20_security.dpatch is addressing this bug however the maintainer didn't include
-	NOTE: a note about the CVE id.
-	NOTE: the fix for CVE-2007-3190 is incomplete (the 'pass' param can still contain an injection)
+	NOTE: This is an jffnms ID, which has been wrongly reported by an external party,
+	NOTE: The data is sufficiently sanitised with the Debian fix for CVE-2007-3192
 CVE-2007-3203 (Stack-based buffer overflow in smtpdll.dll in the SMTP service in ...)
 	NOT-FOR-US: 602Pro LAN SUITE
 CVE-2007-3202 (Cross-site scripting (XSS) vulnerability in the rich text editor in ...)
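Review bot: after this hunk CVE-2007-3204 has no package or disposition line at all, only two NOTE lines: the removed `- jffnms 0.8.3dfsg.1-4 (high)` is not replaced by a `<not-affected>`, fixed-version or `NOT-FOR-US` entry, so the tracker cannot tell whether jffnms is affected, fixed or out of scope. Add an explicit status line (e.g. `- jffnms <not-affected>` with the reason, or the fixed version if the sanitisation landed in a specific upload). The new NOTE also cites the Debian fix for CVE-2007-3192 while the removed NOTE spoke of CVE-2007-3190; please confirm which identifier is meant. Minor grammar: "an jffnms ID" should read "a jffnms ID", and the trailing comma before "The data" should be a full stop.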