[Secure-testing-commits] r5480 - data/CVE

Wed Feb 21 23:18:13 UTC 2007

Author: stef-guest
Date: 2007-02-22 00:18:11 +0100 (Thu, 22 Feb 2007)
New Revision: 5480

Modified:
   data/CVE/list
Log:
- new mt-daapd, amavid-new, pure-ftpd issue
- bugnums


Modified: data/CVE/list
===================================================================

--- data/CVE/list	2007-02-21 22:54:21 UTC (rev 5479)
+++ data/CVE/list	2007-02-21 23:18:11 UTC (rev 5480)
@@ -1,3 +1,9 @@
+CVE-2007-XXXX [mt-daapd remote access & default password]
+	- mt-daapd <unfixed> (bug #404640)
+CVE-2007-XXXX [amavids-new uses contrib/non-free packers without security support in default config]
+	- amavisd-new <unfixed> (bug #410588)
+CVE-2006-XXXX [pure-ftpd-mysql: any problems with a home dir will allow rw to the entire filesystem]
+	- pure-ftpd <unfixed> (bug #350889)
 CVE-2007-XXXX [MediaWiki XSS based on Microsoft Internet Explorer's UTF-7 charset autodetection]
 	- mediawiki1.7 1.7.1-9 (low)
 CVE-2007-1049 [wordpress security issue related to code used to prevent XSS]
@@ -294,17 +300,17 @@
 CVE-2007-0912 (Cross-Site Request Forgery (CSRF) vulnerability in admin/admin.adm.php ...)
 	NOT-FOR-US: JPortal
 CVE-2007-0911 (Off-by-one error in the str_ireplace function in PHP 5.2.1 might allow ...)
-	- php5 <unfixed> (bug #410561; medium)
+	- php5 <unfixed> (bug #410561; bug #410995; medium)
 	NOTE: this is a regression in the 5.2.1 release which is not yet uploaded.
 	NOTE: so we should just make sure we patch 5.2.1.  Leaving open in the
 	NOTE: meantime, so we don't forget about it.
 CVE-2007-0910 (Unspecified vulnerability in PHP before 5.2.1 allows attackers to ...)
-	- php5 <unfixed> (bug #410561; medium)
+	- php5 <unfixed> (bug #410561; bug #410995; medium)
 	NOTE: fix is believed to be isolated, needs verification and backporting:
 	NOTE: see CVE-2007-0910_clobbering-superglobals.diff in
 	NOTE: http://people.debian.org/~seanius/security/php
 CVE-2007-0909 (Multiple format string vulnerabilities in PHP before 5.2.1 might allow ...)
-	- php5 <unfixed> (bug #410561; medium)
+	- php5 <unfixed> (bug #410561; bug #410995; medium)
 	NOTE: half of fix (odbc part) is found, still trying to dig out the
 	NOTE: problems related to *print functions.
 	NOTE: see CVE-2007-0910_clobbering-superglobals.diff in
@@ -316,7 +322,7 @@
 	NOT-FOR-US: PHP
 	NOTE: this extension is not enabled in the php packages
 CVE-2007-0907 (Buffer underflow in PHP before 5.2.1 allows attackers to cause a ...)
-	- php5 <unfixed> (bug #410561; medium)
+	- php5 <unfixed> (bug #410561; bug #410995; medium)
 	NOTE: fix found, needs testing/backporting.  see:
 	NOTE: CVE-2007-0907_sapi_header_op.diff in
 	NOTE: http://people.debian.org/~seanius/security/php
@@ -327,9 +333,9 @@
 	NOTE: available as CVE-2007-0906_N_description.diff at
 	NOTE: http://people.debian.org/~seanius/security/php/
 	NOTE: (4) is a non-issue, as we don't use the bundled sqlite
-	- php5 <unfixed> (bug #410561; medium)
+	- php5 <unfixed> (bug #410561; bug #410995; medium)
 CVE-2007-0905 (PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir ...)
-	- php5 <unfixed> (bug #410561; medium)
+	- php5 <unfixed> (bug #410561; bug #410995; medium)
 	NOTE: we normally don't spend much time on safe_mode and open_basedir
 	NOTE: issues, but the because the attack vectors are "unspecified", it
 	NOTE: might be harder for us to try and sort out the fixes for this
@@ -499,13 +505,13 @@
 	NOTE: might not affect Debian version because HTML mode is disabled. sf: pinged maintainer
 CVE-2007-XXXX [php: multiple issues fixed in php 5.2.1]
 	- php4 <unfixed>
-	- php5 <unfixed> (bug #410561)
+	- php5 <unfixed> (bug #410561; bug #410995)
 CVE-2007-XXXX [ikiwiki allows web user to edit images and other non-page format files in the wiki]
 	- ikiwiki 1.42
 CVE-2007-0858
 	RESERVED
 CVE-2007-0857 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before ...)
-	- moin <unfixed> (bug #410338; medium)
+	- moin <unfixed> (bug #410338; medium; bug #410552)
 CVE-2007-0856 (TmComm.sys 1.5.0.1052 in the Trend Micro Anti-Rootkit Common Module ...)
 	NOT-FOR-US: Trend Micro Anti-Rootkit Common Module
 CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR ...)


