[Secure-testing-commits] r5517 - data/CVE
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Tue Mar 6 23:49:27 CET 2007
Author: jmm-guest
Date: 2007-03-06 22:49:23 +0000 (Tue, 06 Mar 2007)
New Revision: 5517
Modified:
data/CVE/list
Log:
putty unimportant
php5 just open_basedir/safe mode
apply security policy for sql-ledger
udev issue doesn't affect sarge
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2007-03-06 14:17:55 UTC (rev 5516)
+++ data/CVE/list 2007-03-06 22:49:23 UTC (rev 5517)
@@ -335,8 +335,8 @@
CVE-2007-1218 (Off-by-one buffer overflow in the parse_elements function in the ...)
- tcpdump 3.9.5-2 (bug #413430; medium)
CVE-2007-XXXX [puttygen can create world-readable private keys]
- - putty <unfixed> (bug #400804; low)
- [sarge] - putty <no-dsa> (minor issue)
+ - putty <unfixed> (bug #400804; unimportant)
+ NOTE: Sensitive operations like key generation should only be done in private home
CVE-2007-XXXX [asterisk remote SIP security hole]
- asterisk 1:1.2.16~dfsg-1
CVE-2007-1160 (webSPELL 4.0, and possibly later versions, allows remote attackers to ...)
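Review bot: The NOTE added under the puttygen entry stops at "should only be done in private home" and reads as a sentence cut short; finish it on that line or continue it on a second NOTE line so the rationale for the downgrade is complete. The same hunk also drops the "[sarge] - putty <no-dsa> (minor issue)" line without a replacement. If the "unimportant" rating is meant to cover sarge as well, saying so in the NOTE would make that explicit for anyone reading the sarge status later.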
@@ -467,7 +467,9 @@
NOT-FOR-US: Pickle
CVE-2007-1099 (dbclient in Dropbear SSH client before 0.49 does not sufficiently warn ...)
- dropbear 0.49-1 (unimportant; bug #412899)
- NOTE: security feature enhancement, not a vulnerability per se
+ NOTE: That's a lack of a security feature (strict hostkey checking in openssh
+ NOTE: termininoloy) and an awkward interface, but not a vulnerability per se
+ NOTE: Especially as dropbear is specifically labeled a stripped down SSH implementation
[etch] - dropbear 0.48.1-2
CVE-2007-1098 (Multiple unspecified vulnerabilities in ScryMUD before 2.1.11 have ...)
NOT-FOR-US: ScryMUD
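Review bot: Spelling in the second added NOTE line of the dropbear entry: "termininoloy" should be "terminology". The parenthetical "(strict hostkey checking in openssh ... terminology)" is also split across two NOTE lines, so a line-based search for the phrase will miss it; consider rewrapping so the parenthetical stays on one line.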
@@ -1113,7 +1115,7 @@
- php5 5.2.0-9 (bug #410561; bug #410995; medium)
- php4 6:4.4.4-9
CVE-2007-0905 (PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir ...)
- - php5 <unfixed> (bug #410561; bug #410995; medium)
+ - php5 <unfixed> (bug #410561; bug #410995; unimportant)
NOTE: we normally don't spend much time on safe_mode and open_basedir
NOTE: issues, but the because the attack vectors are "unspecified", it
NOTE: might be harder for us to try and sort out the fixes for this
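Review bot: The php5 severity for CVE-2007-0905 changes from "medium" to "unimportant", but the NOTE lines kept as context still argue the opposite direction ("but the because the attack vectors are "unspecified", it might be harder for us to try and sort out the fixes"). Update the NOTE in the same change so it states why the entry is now unimportant (the log message gives "just open_basedir/safe mode"), and fix the "but the because" wording while touching it.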
@@ -1772,6 +1774,7 @@
NOT-FOR-US: Sun Solaris.
CVE-2007-0667 (The redirect function in Form.pm for (1) LedgerSMB before 1.1.5 and ...)
- sql-ledger <unfixed> (bug #409703)
+ [etch] - sql-ledger <no-dsa> (Should only be used with trusted users)
NOTE: sql-ledger 2.6.22-2 adds a note to README.Debian that sql-ledger
NOTE: is not secure with untrusted users.
CVE-2007-0666 (Ipswitch WS_FTP Server 5.04 allows FTP site administrators to execute ...)
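Review bot: The new "[etch] - sql-ledger <no-dsa> (Should only be used with trusted users)" line relies on a usage policy, while the NOTE below it says the README.Debian warning was added in sql-ledger 2.6.22-2. The entry does not say whether the etch package carries that warning; a NOTE stating this would show whether etch users are actually told about the restriction. The unversioned "- sql-ledger <unfixed> (bug #409703)" line also still has no severity, which could be set in the same pass.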
@@ -2888,6 +2891,7 @@
NOT-FOR-US: HP
CVE-2007-XXXX [udev wrong permissions on raid devices]
- udev 0.105-2 (bug #404927)
+ [sarge] - udev <not-affected> (Doesn't affect Sarge)
CVE-2007-XXXX [yacas insecure rpath]
- yacas <unfixed> (bug #399226; bug #399227; low)
CVE-2007-XXXX [TXT record parsing overflow with special characters]
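Review bot: The reason given on the added "[sarge] - udev <not-affected> (Doesn't affect Sarge)" line only restates the tag. Replace it with the actual reason sarge is unaffected (for example, that the affected rules or code are not present in the sarge version), so the decision can be rechecked without going back to bug #404927.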