[Secure-testing-commits] r5390 - data/CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Wed Jan 31 20:38:56 CET 2007


Author: jmm-guest
Date: 2007-01-31 20:38:54 +0100 (Wed, 31 Jan 2007)
New Revision: 5390

Modified:
   data/CVE/list
Log:
iceweasel unimportant
update bind fix
mplayer fixed
ffmpeg fixed
wget not a security problem
some NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-01-31 18:51:43 UTC (rev 5389)
+++ data/CVE/list	2007-01-31 19:38:54 UTC (rev 5390)
@@ -188,7 +188,8 @@
 CVE-2006-6955 (Opera allows remote attackers to cause a denial of service ...)
 	NOT-FOR-US: Opera
 CVE-2006-6954 (Flock beta 1 0.7 allows remote attackers to cause a denial of service ...)
-	TODO: check iceweasel
+	- iceweasel <unfixed> (unimportant)
+	NOTE: Browser crashes not treated as security problems
 	NOTE: Tested the proof of concept in iceweasel 2.0.0.1 and it crash.
 CVE-2006-6953 (The virtual keyboard implementation in GlobeTrotter Mobility Manager ...)
 	NOT-FOR-US: GlobeTrotter Mobility Manager
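Review bot: the new "Browser crashes not treated as security problems" NOTE reads as a blanket rule, but the only evidence recorded is the existing line that the proof of concept crashes iceweasel 2.0.0.1. Since the CVE text describes a remote denial of service, the NOTE should record why this particular crash was judged non-exploitable rather than the general policy alone, so that a later reader can tell a harmless abort from memory corruption that would warrant a higher severity than "unimportant".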
@@ -206,16 +207,18 @@
 	- chmlib 2:0.39-1 (bug #408603; medium)
 CVE-2007-0494 (ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 ...)
 	{DSA-1254-1}
-	- bind9 1:9.3.4-1
+	- bind9 1:9.3.4-2
 	- bind <not-affected>
 CVE-2007-0493 (Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to ...)
-	- bind9 1:9.3.4-1
+	- bind9 1:9.3.4-2
+	[sarge] - bind9 <not-affected> (Vulnerable code not present)
 	- bind <not-affected>
 CVE-2007-XXXX [gstreamer ffmpeg missing checks of packet sizes, chunk sizes, and fragment positions]
 	- gstreamer0.10-ffmpeg 0.10.1-6
 	- gst-ffmpeg 0.8.7-10
+	[etch] - ffmpeg 0.cvs20060823-5
 	- ffmpeg <unfixed>
-	TODO: check other ffmpeg related packages
+	- mplayer 1.0~rc1-12
 CVE-2007-0471 (sre/params.php in Check Point Connectra NGX R62 and earlier allows ...)
 	NOT-FOR-US: Check Point
 CVE-2007-0470 (Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and ...)
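Review bot: the placement of the new "[etch] - ffmpeg 0.cvs20060823-5" line is inconsistent with the rest of the diff: here it precedes "- ffmpeg <unfixed>", whereas the bind9 entry above and the second gstreamer-ffmpeg entry below put the release-specific "[sarge]"/"[etch]" line after the unstable line for the same package. Please move it below "- ffmpeg <unfixed>" for consistency, and double-check the combination of etch fixed at 0.cvs20060823-5 while unstable remains <unfixed>, which is only correct if unstable carries a different ffmpeg version that has not yet received the packet-size, chunk-size and fragment-position checks.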
@@ -233,9 +236,9 @@
 CVE-2007-0464
 	RESERVED
 CVE-2007-0463 (Format string vulnerability in Apple Software Update 2.0.5 on Mac OS X ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2007-0462 (The _GetSrcBits32ARGB function in Apple QuickDraw, as used by ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2007-0461 (Multiple memory leaks in the Dazuko anti-virus helper module before ...)
 	- dazuko-source <unfixed> (bug #408300)
 CVE-2007-0460 (Multiple buffer overflows in ulogd for SUSE Linux 9.3 up to 10.1, and ...)
@@ -471,7 +474,9 @@
 CVE-2007-XXXX [gstreamer-ffmpeg unspecified issue related to sps and pps ids]
 	- gstreamer0.10-ffmpeg 0.10.1-5
 	- gst-ffmpeg 0.8.7-9
-	TODO: check other ffmpeg related packages
+	- mplayer 1.0~rc1-12
+	[etch] - ffmpeg 0.cvs20060823-5
+	- ffmpeg <unfixed>
 CVE-2007-XXXX [netpbm heap corruption]
 	- netpbm-free 2:10.0-11 (bug #407605)
 CVE-2007-0363 (Cross-site scripting (XSS) vulnerability in admin-search.php in (1) ...)
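Review bot: this entry is given exactly the same mplayer 1.0~rc1-12 and "[etch] - ffmpeg 0.cvs20060823-5" lines as the other CVE-2007-XXXX gstreamer-ffmpeg entry (the packet/chunk/fragment size checks), even though the two entries were fixed in different gstreamer0.10-ffmpeg and gst-ffmpeg uploads (0.10.1-5/0.8.7-9 here versus 0.10.1-6/0.8.7-10 there). Please confirm that the single mplayer and ffmpeg uploads really address both the sps/pps id issue and the size-check issue; with placeholder IDs it is easy to attribute one fix to two entries.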
@@ -1125,7 +1130,6 @@
 	NOTE: of imagination. I suppose KDE Security only issued an update for it
 	NOTE: because the shared underlying code was part of the Month of Apple Bugs
 	NOTE: and they wanted to debunk claims of code injection.
-	TODO: Check the other usual suspects
 CVE-2007-0103 (The Adobe PDF specification 1.3, as implemented by Adobe Acrobat ...)
 	NOT-FOR-US: Acrobat Reader
 CVE-2007-0102 (The Adobe PDF specification 1.3, as implemented by Apple Mac OS X ...)
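Review bot: dropping "TODO: Check the other usual suspects" leaves no record of which packages sharing the underlying code mentioned in the NOTE were actually checked. Suggest replacing the TODO with a NOTE line naming the packages examined and the conclusion, so the entry documents the scope of the triage rather than silently closing it.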
@@ -1748,7 +1752,6 @@
 CVE-2006-6719 (The ftp_syst function in ftp-basic.c in Free Software Foundation (FSF) ...)
 	- wget <unfixed> (unimportant)
 	NOTE: An FTP server crashing a download utility is a bug, but not a DoS security issue
-	TODO: insufficient info, check, whether code injection is possible
 CVE-2006-6718 (The Allied Telesis AT-9000/24 Ethernet switch has a default password ...)
 	NOT-FOR-US: Allied Telesis
 CVE-2006-6717 (The Allied Telesis AT-9000/24 Ethernet switch accepts management ...)
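Review bot: the removed TODO asked whether code injection is possible in the ftp_syst function, but the remaining NOTE only addresses the denial-of-service angle ("An FTP server crashing a download utility is a bug, but not a DoS security issue"). Since the "unimportant" rating depends on the answer, add a NOTE recording the conclusion reached on the ftp-basic.c code path (for example that the crash involves no attacker-controlled write) instead of deleting the question without an answer.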
@@ -2370,7 +2373,7 @@
 CVE-2006-6490
 	RESERVED
 CVE-2006-6489 (The SISCO OSI stack, as used in SISCO MMS-EASE, ICCP Toolkit for ...)
-	TODO: check
+	NOT-FOR-US: SISCO OSI stack
 CVE-2006-6488 (Stack-based buffer overflow in the DoModal function in the Dialog Wrapper ...)
 	NOT-FOR-US: ICONICS
 CVE-2006-6487 (Cross-site scripting (XSS) vulnerability in index.php in DT Guestbook ...)