[Secure-testing-commits] r7410 - data/CVE

jmm-guest at alioth.debian.org jmm-guest at alioth.debian.org
Tue Nov 27 21:25:19 UTC 2007


Author: jmm-guest
Date: 2007-11-27 21:25:19 +0000 (Tue, 27 Nov 2007)
New Revision: 7410

Modified:
   data/CVE/list
Log:
- ngircd issue has been duped
- fix syntax
- python/tar not treated as a security problem


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-11-27 21:14:10 UTC (rev 7409)
+++ data/CVE/list	2007-11-27 21:25:19 UTC (rev 7410)
@@ -115,7 +115,8 @@
 CVE-2007-6063 (Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux ...)
 	TODO: check
 CVE-2007-6062 (irc-channel.c in ngIRCd before 0.10.3 allows remote attackers to cause ...)
-	TODO: check
+	- ngircd 0.10.3-1
+	[etch] - ngircd <no-dsa> (Minor issue)
 CVE-2007-6061 (Audacity 1.3.2 creates a temporary directory with a predictable name ...)
 	TODO: check
 CVE-2007-6060 (AhnLab Antivirus 3 Internet Security 2008 Platinum appends data to a ...)
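Review bot: The new `- ngircd 0.10.3-1` and `[etch] - ngircd <no-dsa> (Minor issue)` lines record no trace of where this state came from, although the log says the issue was duped out of another entry; add a line such as `NOTE: previously tracked under CVE-2007-6034 (REJECTED)` so the history survives in the list itself. The fixed version 0.10.3-1 is consistent with the description's "ngIRCd before 0.10.3", and replacing the `TODO: check` marker is correct once a fixed version is known.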
@@ -217,8 +218,6 @@
 	NOT-FOR-US: LIVE555 Media Server
 CVE-2007-6034
 	REJECTED
-	- ngircd 0.10.3-1
-	[etch] - ngircd <no-dsa> (Minor issue)
 CVE-2007-6033 (Invensys Wonderware InTouch 8.0 creates a NetDDE share with insecure ...)
 	NOT-FOR-US: Invensys Wonderware InTouch
 CVE-2007-6032 (SQL injection vulnerability in calendar/page.asp in Aleris Web ...)
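Review bot: Dropping the package and etch lines from under CVE-2007-6034 is the right call, since a `REJECTED` entry should carry no package or version state and the log's "ngircd issue has been duped" explains the move; consider leaving a one-line NOTE pointing at CVE-2007-6062 so a reader landing on the rejected entry can find where the tracking went.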
@@ -532,10 +531,6 @@
 	NOT-FOR-US: IBM Lotus Notes, Symantec Mail Security, and others
 CVE-2007-5908
 	REJECTED
-	NOTE: there is a list of possible clocksource names which consits of short enough names
-	NOTE: this is a bug in the kernel but not a security issue, there is no way for a user to
-	NOTE: exploit this, they can only chose an item from the list
-	NOTE: Issue about to be rejected by MITRE
 CVE-2007-5907 (Xen 3.1.1 does not prevent modification of the CR4 TSC from ...)
 	- xen-3 3.1.2-1 (medium; bug #451626)
 	- xen-3.0 <unfixed>
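Review bot: The log line "fix syntax" does not match what happens here, which is removing the four NOTE lines under CVE-2007-5908 outright rather than correcting them; since the entry is `REJECTED` the rationale is obsolete and the deletion is fine, but the log should say the notes were dropped as obsolete. If any of the rationale is kept, correct "consits" to "consists" and "chose" to "choose".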
@@ -4560,9 +4555,17 @@
 	{DSA-1366-1}
 	- clamav 0.91.2-1~volatile1 (high)
 CVE-2007-4559 (Directory traversal vulnerability in the (1) extract and (2) ...)
-	- python2.3 <removed>
-	- python2.4 <unfixed> (bug #440097)
-	- python2.5 <unfixed> (bug #440099)
+	- python2.3 <removed> (unimportant)
+	- python2.4 <unfixed> (unimportant; bug #440097)
+	- python2.5 <unfixed> (unimportant; bug #440099)
+	NOTE: According to upstream this is the intended behaviour for the module.
+	NOTE: Since this is a library interface to embed Tar functionality into applications
+	NOTE: it is in order to not provide the full security safety belts one might
+	NOTE: expect from an enduser application like tar(1). Plus, addressing this would
+	NOTE: mean to diverge from upstream permanently and could break the behaviour
+	NOTE: of external apps. Anyone who wants to see this "fixed" should rather file
+	NOTE: a PEP on an improved tar interface with additional security guarantees
+	NOTE: provided by design.
 CVE-2007-4558
 	REJECTED
 CVE-2007-4557 (Cross-site scripting (XSS) vulnerability in the webacc servlet in ...)
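Review bot: Rating CVE-2007-4559 `unimportant` on the grounds that upstream treats traversal in the extraction functions as intended behaviour moves the responsibility onto every application that extracts untrusted archives, yet none of the NOTE lines says so explicitly; add a line such as `NOTE: applications extracting untrusted archives must validate member names (absolute paths, ".." components) before extracting` so maintainers of dependent packages know where the mitigation belongs. The wording could also be tightened: "it is in order to not provide" reads awkwardly (for example "it is acceptable not to provide"), and "enduser" should be "end-user".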



