[Secure-testing-commits] r6879 - data/CVE

jmm-guest at alioth.debian.org
Tue Oct 9 20:44:05 UTC 2007


Author: jmm-guest
Date: 2007-10-09 20:44:04 +0000 (Tue, 09 Oct 2007)
New Revision: 6879

Modified:
   data/CVE/list
Log:
firebird entry doesn't match advisory, reverting to unfixed until clarified
non-free java not supported
rewrite some entries, old entries still need to be properly recorded
no-dsa for xfsdump and dircproxy


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-10-09 14:13:07 UTC (rev 6878)
+++ data/CVE/list	2007-10-09 20:44:04 UTC (rev 6879)
@@ -34,11 +34,9 @@
 CVE-2007-5247 (Multiple format string vulnerabilities in the Monolith Lithtech ...)
 	NOT-FOR-US: Monolith engine
 CVE-2007-5246 (Multiple stack-based buffer overflows in Firebird LI 2.0.0.12748 and ...)
-	- firebird2.0 <not-affected> (current version in unstable/testing already has fix)
-	- firebird1.5 <not-affected> (current version in unstable/testing already has fix)
+	TODO: check, previous commit contradicts to advisory
 CVE-2007-5245 (Multiple stack-based buffer overflows in Firebird LI 1.5.3.4870 and ...)
-	- firebird2.0 <not-affected> (current version in unstable/testing already has fix)
-	- firebird1.5 <not-affected> (current version in unstable/testing already has fix)
+	TODO: check, previous commit contradicts to advisory
 CVE-2007-5244 (Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through ...)
 	NOT-FOR-US: Borland InterBase
 CVE-2007-5243 (Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 ...)
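Review bot: the bare TODO that replaces the firebird2.0/firebird1.5 lines under CVE-2007-5246 and CVE-2007-5245 leaves both packages with no recorded state at all, while the commit log says the entries are "reverting to unfixed"; if that is the intent, keep package lines with an explicit `<unfixed>` state so the packages stay tracked while the question is open. The removed lines also misused `<not-affected>` for "current version in unstable/testing already has fix", which is a fixed-version statement; this same commit converts the identical wording for wmaker, pvpgn and imwheel into plain fixed versions (e.g. `- wmaker 0.90-1`). Once the version question against the advisory (which names Firebird LI 2.0.0.12748 and 1.5.3.4870) is settled, record the first fixed Debian versions in that form rather than restoring the not-affected lines.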
@@ -50,18 +48,23 @@
 CVE-2007-5240 (Visual truncation vulnerability in the Java Runtime Environment in Sun ...)
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
+	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5239 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...)
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
+	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5238 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...)
-	- sun-java6 6-03-1 (low)
-	- sun-java5 1.5.0-13-1 (low)
+	- sun-java6 6-03-1 (unimportant)
+	- sun-java5 1.5.0-13-1 (unimportant)
+	NOTE: Leaked information hardly sensitive
 CVE-2007-5237 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not ...)
 	- sun-java6 6-03-1 (medium)
 	- sun-java5 1.5.0-13-1 (medium)
+	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5236 (Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK ...)
 	- sun-java6 <not-affected> (Windows only)
 	- sun-java5 <not-affected> (Windows only)
+	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5235 (Cross-site scripting (XSS) vulnerability in index.php in Uebimiau ...)
 	NOT-FOR-US: Uebimiau
 CVE-2007-5234 (PHP remote file inclusion vulnerability in upload/common/footer.php in ...)
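Review bot: the `[etch] - sun-java5 <no-dsa> (Non-free not supported)` line added under CVE-2007-5236 contradicts the `- sun-java5 <not-affected> (Windows only)` line directly above it: a package marked not affected needs no no-dsa marker, and carrying both leaves it unclear whether etch's sun-java5 is considered affected. Drop the etch line there, or, if the etch build is in fact affected, drop the not-affected line instead. The remaining etch additions (CVE-2007-5240, -5239, -5237) are consistent with the lines they annotate.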
@@ -71,6 +74,7 @@
 CVE-2007-5232 (Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and ...)
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
+	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5231 (Unrestricted file upload vulnerability in admin/upload_files.php in ...)
 	NOT-FOR-US: Zomplog
 CVE-2007-5230 (admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for ...)
@@ -83,8 +87,8 @@
 	NOT-FOR-US: BlackBoard Learning System
 CVE-2007-5226 (irc_server.c in dircproxy 1.2.0 and earlier allows remote attackers to ...)
 	- dircproxy 1.0.5-5.1 (medium; bug #445883)
-	NOTE: the issue itself is of a very low impact but since this also means to lose data here
-	NOTE: I think it is medium
+	[sarge] - dircproxy <no-dsa> (Minor issue)
+	[etch] - dircproxy <no-dsa> (Minor issue)
 CVE-2005-4871 (Certain XML functions in IBM DB2 8.1 run with the privileges of DB2 ...)
 	NOT-FOR-US: IBM DB2
 CVE-2005-4870 (Stack-based buffer overflows in the (1) xmlvarcharfromfile, (2) ...)
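Review bot: the dircproxy entry keeps its `(medium; bug #445883)` rating while the two new no-dsa lines justify skipping an update with "Minor issue", and the removed NOTE lines were the only record of why the issue had been rated medium (the data-loss argument). Either lower the severity to match the no-dsa reasoning, or keep a one-line NOTE with the data-loss argument so the medium rating and the "Minor issue" justification don't read as contradicting each other.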
@@ -127,7 +131,7 @@
 CVE-2004-2715 (edituser.php3 in PHPMyChat 0.14.5 allow remote attackers to bypass ...)
 	NOT-FOR-US: PHPMyChat
 CVE-2004-2714 (Unspecified vulnerability in Window Maker 0.80.2 and earlier allows ...)
-	- wmaker <not-affected> (Was fixed in version 0.90 of window maker)
+	- wmaker 0.90-1
 CVE-2004-2713 (** DISPUTED ** ...)
 	NOT-FOR-US: ZoneAlarm
 CVE-2004-2712 (Buffer overflow in Gyach Enhanced (Gyach-E) before 1.0.0-SneakPeek-3 ...)
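Review bot: the new `- wmaker 0.90-1` fixed version is inferred from a removed note that only named upstream 0.90 ("Was fixed in version 0.90 of window maker"), unlike the pvpgn and imwheel conversions in this commit, whose notes already carried the exact Debian revision. Check the package changelog before relying on 0.90-1 as the first fixed Debian version; if the fix landed in a different upload, the entry would wrongly mark that upload as vulnerable.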
@@ -145,7 +149,7 @@
 CVE-2004-2706 (Unspecified vulnerability in Gyach Enhanced (Gyach-E) before 1.0.4 ...)
 	NOT-FOR-US: Gyach-E
 CVE-2004-2705 (Unspecified vulnerability in Player vs. Player Gaming Network (PvPGN) ...)
-	- pvpgn <not-affected> (was already fixed in 1.6.4+20040826-1)
+	- pvpgn 1.6.4+20040826-1
 CVE-2004-2704 (Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier (development) ...)
 	NOT-FOR-US: Hastymail
 CVE-2004-2703 (Clearswift MIMEsweeper 5.0.5, when it has been upgraded from ...)
@@ -159,7 +163,7 @@
 CVE-2004-2699 (deleteicon.aspx in AspDotNetStorefront 3.3 allows remote attackers to ...)
 	NOT-FOR-US: AspDotNetStorefront
 CVE-2004-2698 (Race condition in IMWheel 1.0.0pre11 and earlier, when running with ...)
-	- imwheel <not-affected> (This was already fixed two years ago in 1.0.0pre12-1)
+	- imwheel 1.0.0pre12-1
 CVE-2004-2697 (The Inventory Scout daemon (invscoutd) 1.3.0.0 and 2.0.2 for AIX 4.3.3 ...)
 	NOT-FOR-US: InvScoutd
 CVE-2004-2696 (BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using ...)
@@ -1532,7 +1536,8 @@
 CVE-2007-4632 (Cisco IOS 12.2E, 12.2F, and 12.2S places a &quot;no login&quot; line into the ...)
 	NOT-FOR-US: Cisco
 CVE-2007-4631 (The DataLoader::doStart function in dataloader.cpp in QGit 1.5.6 and ...)
-	- qgit 1.5.5-1.1 (bug #440950; medium)
+	- qgit 1.5.5-1.1 (bug #440950; low)
+	[etch] - qgit <no-dsa> (Minor issue)
 CVE-2007-XXXX [maradns DoS]
 	- maradns 1.2.12.08-1
 	NOTE: http://marc.info/?l=maradns-list&m=118842373527534&w=2
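Review bot: the qgit severity is lowered from medium to low on the same line that gains the etch no-dsa, but nothing in the entry says why; CVE-2007-5238 in this same commit shows the better pattern, pairing a downgrade with a NOTE. Add a NOTE giving the reason, since the no-dsa's "(Minor issue)" is the marker rather than the justification, so the severity change and the no-dsa decision can be audited separately.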
@@ -2639,7 +2644,7 @@
 CVE-2007-4132 (Unspecified vulnerability in Red Hat Network Satellite Server 5.0.0 ...)
 	NOT-FOR-US: Red Hat Satellite Server
 CVE-2007-4131 (Directory traversal vulnerability in the contains_dot_dot function in ...)
-	- tar 1.18-2 (high; bug #439335)
+	- tar 1.18-2 (medium; bug #439335)
 CVE-2007-4130
 	RESERVED
 CVE-2007-4129 [coolkey incorrect cache file handling]
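Review bot: the tar downgrade from high to medium under CVE-2007-4131 has no accompanying NOTE, and the commit log does not mention tar at all (it lists only the firebird revert, the java changes, "rewrite some entries", and no-dsa for xfsdump and dircproxy). A directory-traversal fix in `contains_dot_dot` is exactly the kind of entry others will cross-check, so record the reasoning in a NOTE line, as was done for CVE-2007-5238, and name the change in the log.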
@@ -6175,6 +6180,7 @@
 	NOT-FOR-US: NetWin
 CVE-2007-2654 (xfs_fsr in xfsdump creates a .fsr temporary directory with insecure ...)
 	- xfsdump 2.2.45-1 (bug #417894; low)
+	[etch] - xfsdump <no-dsa> (Minor issue)
 CVE-2007-2653
 	REJECTED
 CVE-2007-2652 (Multiple unspecified vulnerabilities in Free-SA before 1.2.2 allow ...)