[Secure-testing-commits] r5786 - data/CVE

Moritz Muehlenhoff jmm-guest at alioth.debian.org
Sat May 5 10:32:23 UTC 2007


Author: jmm-guest
Date: 2007-05-05 10:32:18 +0000 (Sat, 05 May 2007)
New Revision: 5786

Modified:
   data/CVE/list
Log:
mark one kernel dupe as such
no-dsa for minor openssh information leak
no-dsa for kfreebsd
clamav issue doesn't affect clamd, not treating as security issue
webcalendar fixed in sarge
xine-ui isn't <not-affected>, it was vulnerable in the past


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-05-05 08:58:05 UTC (rev 5785)
+++ data/CVE/list	2007-05-05 10:32:18 UTC (rev 5786)
@@ -90,7 +90,7 @@
 CVE-2007-2437 (The X render (Xrender) extension in X.org X Window System 7.0, 7.1, ...)
 	TODO: check
 CVE-2007-2436 (The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel ...)
-	TODO: check
+	NOT-FOR-US: Duplicate of CVE-2007-1861
 CVE-2007-2435 (Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java ...)
 	TODO: check
 CVE-2007-2434 (Buffer overflow in asnsp.dll in Aventail Connect 4.1.2.13 allows ...)
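Review bot: Replacing the CVE-2007-2436 TODO with a NOT-FOR-US duplicate marker drops any package tracking from this entry, so the nl_fib_lookup kernel issue is now tracked only under CVE-2007-1861; please confirm that entry actually carries the linux-2.6 status and fixed version, otherwise the issue falls out of the tracker entirely. Wording the marker as "NOT-FOR-US: Duplicate of CVE-2007-1861" is consistent with how other duplicates in this file are handled, so no change needed there.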
@@ -505,10 +505,12 @@
 	NOT-FOR-US: Adobe Photoshop
 CVE-2007-2243 (OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is ...)
 	- openssh <unfixed> (low)
+	[etch] - openssh <no-dsa> (Minor issue)
 	[sarge] - openssh <no-dsa> (Minor issue)
 CVE-2007-2242 (The IPv6 protocol allows remote attackers to cause a denial of service ...)
 	- linux-2.6 <unfixed> (low; bug #421595)
 	- kfreebsd-5 <unfixed> (low)
+	[etch] - kfreebsd-5 <no-dsa> (No security support for KFreeBSD)
 	NOTE: This should be off by default, tweakable by a simple knob.
 	NOTE: (FreeBSD has it turned on for hosts, too.)
 CVE-2007-2241 (Unspecified vulnerability in query.c in ISC BIND 9.4.0, and 9.5.0a1 ...)
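Review bot: The new "[etch] - kfreebsd-5 <no-dsa> (No security support for KFreeBSD)" line gives a blanket reason while the two NOTE lines below it argue the issue is off by default and tweakable by a knob; if the no-dsa decision also rests on the default being safe, say so in the parenthetical so the two rationales do not read as contradictory. Separately, the openssh line "- openssh <unfixed> (low)" still has no bug reference even though both etch and sarge are now marked no-dsa; consider adding the "bug #NNNNNN" reference that the neighbouring linux-2.6 entry uses so the unfixed state in unstable stays visible.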
@@ -787,9 +789,9 @@
 	[etch] - mixmaster 3.0b2-4.etch1
 	[sarge] - mixmaster <not-affected> (Code generation in Sarge pads over this)
 CVE-2007-XXXX [unspecified vulnerability in Clamav's PDF parser]
-	- clamav 0.90.2-1 (unknown; bug #418849)
-	NOTE: closed report: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=459
-	NOTE: Commit r3021 looks as if it's just a null pointer dereference.
+       - clamav 0.90.2-1 (unimportant; bug #418849)
+       NOTE: closed report: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=459
+       NOTE: Commit r3021 looks as if it's just a null pointer dereference.
 CVE-2007-XXXX [heap-based buffer overflow in git-blame with long file names]
 	- git-core 1.5.1.2-1 (low)
 	NOTE: http://git.kernel.org/?p=git/git.git;a=commit;h=1bb88be99e4fdedcd5cc5292c11b566a00028deb
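Review bot: The three replaced clamav lines switch from a leading tab to seven spaces, so the two NOTE lines and the package line are now indented differently from every other entry in this file even though only the severity word changed ("unknown" to "unimportant"); please restore the tab so the entry parses like its neighbours. The log message says the issue does not affect clamd, but that reasoning is not recorded in the entry itself; a NOTE line stating it would make the "unimportant" rating traceable without consulting the commit history.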
@@ -2228,6 +2230,9 @@
 	NOTE: local malicious scripts only
 CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar ...)
 	- webcalendar 1.0.5-1 (high)
+	[sarge] - webcalendar 0.9.45-4sarge7
+	NOTE: This was fixed in Sarge as a side-effect of an earlier fix, marking current
+	NOTE: Sarge version as fixed version
 CVE-2007-1482 (Cross-site scripting (XSS) vulnerability in index.php in WBBlog allows ...)
 	NOT-FOR-US: WBBlog
 CVE-2007-1481 (SQL injection vulnerability in index.php in WBBlog allows remote ...)
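Review bot: The new sarge line "[sarge] - webcalendar 0.9.45-4sarge7" is justified only by "fixed in Sarge as a side-effect of an earlier fix", without naming which earlier fix or CVE that was; please reference the DSA or the CVE entry whose fix covered this, so the claim that 0.9.45-4sarge7 closes the remote file inclusion issue can be verified later. As a style point, the NOTE continuation splits "marking current / Sarge version as fixed version" across two NOTE lines; keeping the sentence on one line, or ending the first line at a sentence boundary, reads better.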
@@ -5539,10 +5544,7 @@
 CVE-2007-0255 (XINE 0.99.4 allows user-assisted remote attackers to cause a denial of ...)
 	- xine-ui <unfixed> (low)
 CVE-2007-0254 (Format string vulnerability in the errors_create_window function in ...)
-	- xine-ui 0.99.4+dfsg+cvs20061111-2 (unimportant; bug #407369)
-	NOTE: My understanding is that this CVE is bogus.
-	NOTE: I failed to see where the format string vulnerability is, I have report
-	NOTE: a bug in case I have missed something.
+	- xine-ui 0.99.4+dfsg+cvs20061111-2 (low; bug #407369)
 CVE-2007-0253 (** DISPUTED ** ...)
 	- kernel-patch-grsecurity2 <unfixed> (unimportant; bug #407350)
 	NOTE: See CVE-2007-0257
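Review bot: Dropping all three NOTE lines for CVE-2007-0254 removes the only recorded reasoning about this entry, and the replacement only raises the severity from "unimportant" to "low" while keeping the same fixed version 0.99.4+dfsg+cvs20061111-2; the log message says xine-ui was vulnerable in the past, so please add a NOTE stating where the format string issue in errors_create_window actually was and which upstream change fixed it, otherwise the next reader has less information than before. Note also that the removed line was marked "unimportant", not "<not-affected>" as the log message says, so the log slightly misdescribes what was changed.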
