[Secure-testing-commits] r6882 - data/CVE

nion at alioth.debian.org nion at alioth.debian.org
Tue Oct 9 22:09:23 UTC 2007 

Author: nion
Date: 2007-10-09 22:09:23 +0000 (Tue, 09 Oct 2007)
New Revision: 6882

Modified:
   data/CVE/list
Log:
NFUs
CVE-2007-5270 drupal not-affected
CVE-2007-526[6-9] libpng not-affected


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2007-10-09 21:53:27 UTC (rev 6881)
+++ data/CVE/list	2007-10-09 22:09:23 UTC (rev 6882)
@@ -38,49 +38,55 @@
 CVE-2007-5272 (SQL injection vulnerability in kategori.asp in Furkan Tastan Blog ...)
 	NOT-FOR-US: Furkan Tastan Blog
 CVE-2007-5271 (Multiple PHP remote file inclusion vulnerabilities in Trionic Cite CMS ...)
-	TODO: check
+	NOT-FOR-US: Trionic Cite CMS
 CVE-2007-5270 (Unspecified vulnerability in the Boost module before 4.7.x-1.0, and ...)
-	TODO: check
+	- drupal <not-affected> (does not ship this module)
 CVE-2007-5269 (Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 ...)
-	TODO: check
+	- libpng <not-affected> (vulnerable code not present in Debian version)
 CVE-2007-5268 (pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) ...)
-	TODO: check
+	- libpng <not-affected> (vulnerable code not present in Debian version)
 CVE-2007-5267 (Off-by-one error in ICC profile chunk handling in the png_set_iCCP ...)
-	TODO: check
+	- libpng <not-affected> (vulnerable code not present)
+	NOTE: the version in Debian does not use strncpy to copy the buffer so this off-by-one
+	NOTE: is not present in this old version. Instead it allocates space for strlen(name)+1
+	NOTE: and uses strcpy(new_iccp_name, name) which is not nice but safe
 CVE-2007-5266 (Off-by-one error in ICC profile chunk handling in the png_set_iCCP ...)
-	TODO: check
+	- libpng <not-affected> (vulnerable code not present)
+	NOTE: the version in Debian does not use strncpy to copy the buffer so this off-by-one
+	NOTE: is not present in this old version. Instead it allocates space for strlen(name)+1
+	NOTE: and uses strcpy(new_iccp_name, name) which is not nice but safe
 CVE-2007-5265 (Multiple format string vulnerabilities in websrv.cpp in Dawn of Time ...)
-	TODO: check
+	NOT-FOR-US: Dawn of Time
 CVE-2007-5264 (Battlefront Dropteam 1.3.3 and earlier sends the client's online ...)
-	TODO: check
+	NOT-FOR-US: Battlefront
 CVE-2007-5263 (Multiple buffer overflows in Battlefront Dropteam 1.3.3 and earlier ...)
-	TODO: check
+	NOT-FOR-US: Battlefront
 CVE-2007-5262 (Multiple format string vulnerabilities in Battlefront Dropteam 1.3.3 ...)
-	TODO: check
+	NOT-FOR-US: Battlefront
 CVE-2004-2744 (Unspecified vulnerability in Tincan Limited PHPlist before 2.8.12 has ...)
-	TODO: check
+	NOT-FOR-US: Tincan Limited PHPlist
 CVE-2004-2743 (upload.cgi in Mega Upload Progress Bar before 1.45 allows remote ...)
-	TODO: check
+	NOT-FOR-US: Mega Upload Progress Bar
 CVE-2004-2742 (Cross-site scripting (XSS) vulnerability in the report viewer in ...)
-	TODO: check
+	NOT-FOR-US: Crystal Enterprise
 CVE-2004-2741 (Cross-site scripting (XSS) vulnerability in the &quot;help window&quot; ...)
-	TODO: check
+	- horde2 <removed>
 CVE-2004-2740 (PHP remote file inclusion vulnerability in authform.inc.php in ...)
-	TODO: check
+	NOT-FOR-US: PHProjekt
 CVE-2004-2739 (The setup routine (setup.php) in PHProjekt 4.2.1 and earlier allows ...)
-	TODO: check
+	NOT-FOR-US: PHProjekt
 CVE-2004-2738 (Cross-site scripting (XSS) vulnerability in check_user_id.php in ...)
-	TODO: check
+	NOT-FOR-US: Zero board
 CVE-2004-2737 (SQL injection vulnerability in problist.asp in NetSupport DNA HelpDesk ...)
-	TODO: check
+	NOT-FOR-US: NetSupport DNA HelpDesk
 CVE-2004-2736 (Polar HelpDesk 3.0 allows remote attackers to bypass authentication by ...)
-	TODO: check
+	NOT-FOR-US: Polar HelpDesk
 CVE-2004-2735 (Cross-site scripting (XSS) vulnerability in P4DB 2.01 and earlier ...)
-	TODO: check
+	NOT-FOR-US: P4DB
 CVE-2004-2734 (webadmin-apache.conf in Novell Web Manager of Novell NetWare 6.5 uses ...)
-	TODO: check
+	NOT-FOR-US: Novell NetWare
 CVE-2004-2733 (Web Wiz Forums 7.7a uses invalid logic to determine user privileges, ...)
-	TODO: check
+	NOT-FOR-US: Web Wiz Forums
 CVE-2004-2732 (nbmember.cgi in Netbilling 2.0 allows remote attackers to obtain ...)
 	TODO: check
 CVE-2004-2731 (Multiple integer overflows in Sbus PROM driver ...)
@@ -95,11 +101,6 @@
 	TODO: check
 CVE-2004-2726 (HTTPMail service in MailEnable Professional 1.18 does not properly ...)
 	TODO: check
-CVE-2007-XXXX
-	- libpng <not-affected> (vulnerable code not present)
-	NOTE: the version in Debian does not use strncpy to copy the buffer so this off-by-one
-	NOTE: is not present in this old version. Instead it allocates space for strlen(name)+1
-	NOTE: and uses strcpy(new_iccp_name, name) which is not nice but safe
 CVE-2007-5261 (Multiple SQL injection vulnerabilities in MultiCart 1.0 allow remote ...)
 	NOT-FOR-US: MultiCart
 CVE-2007-5260 (ASP-CMS 1.0 stores sensitive information under the web root with ...)

More information about the Secure-testing-commits mailing list