[Secure-testing-commits] r8172 - data/CVE

thijs at alioth.debian.org thijs at alioth.debian.org
Sun Feb 17 11:36:21 UTC 2008


Author: thijs
Date: 2008-02-17 11:36:20 +0000 (Sun, 17 Feb 2008)
New Revision: 8172

Modified:
   data/CVE/list
Log:
incorporate versions from etch r3 release.
update sun-java5 entries to mark all issues fixed that were fixed upstream
between 1.5.0-10-3 as originally in etch and 1.5.0-14-1etch1 as in r3.


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2008-02-16 21:14:19 UTC (rev 8171)
+++ data/CVE/list	2008-02-17 11:36:20 UTC (rev 8172)
@@ -260,6 +260,7 @@
 	- sun-java6 6-02-1
 	- sun-java5 1.5.0-14-1
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2008-0656 (Unrestricted file upload vulnerability in dmclTrace.jsp in EMC ...)
 	NOT-FOR-US: Documentum Administrator and Webtop
 CVE-2008-0655 (Multiple unspecified vulnerabilities in Adobe Reader and Acrobat ...)
@@ -2134,7 +2135,7 @@
 CVE-2007-XXXX [unace unspecified security issue related to uninitialized variable]
 	- unace-nonfree 2.5-3
 	[etch] - unace-nonfree <no-dsa> (non-free not supported)
-	TODO: r3 release:	[etch] - unace-nonfree 2.5-1etch1
+	[etch] - unace-nonfree 2.5-1etch1
 CVE-2007-6507 (SpntSvc.exe daemon in Trend Micro ServerProtect 5.58 for Windows, ...)
 	NOT-FOR-US: Trend Micro ServerProtect
 CVE-2007-6506 (The HPRulesEngine.ContentCollection.1 ActiveX Control in ...)
@@ -2345,12 +2346,12 @@
 	- apache2 2.2.8-1 (low)
 	[etch] - apache2 <no-dsa> (minor issue)
 	[sarge] - apache2 <not-affected> (vulnerable code introduced in 2.2)
-	TODO: r3 [etch] - apache2 2.2.3-4+etch4 (low)
+	[etch] - apache2 2.2.3-4+etch4 (low)
 CVE-2007-6421 (Cross-site scripting (XSS) vulnerability in balancer-manager in ...)
 	- apache2 2.2.8-1 (low)
 	[etch] - apache2 <no-dsa> (minor issue)
 	[sarge] - apache2 <not-affected> (vulnerable code introduced in 2.2)
-	TODO: r3 [etch] - apache2 2.2.3-4+etch4 (low)
+	[etch] - apache2 2.2.3-4+etch4 (low)
 CVE-2007-6420 (Cross-site request forgery (CSRF) vulnerability in the ...)
 	- apache2 <unfixed> (low)
 	[etch] - apache2 <no-dsa> (minor issue)
@@ -2421,10 +2422,10 @@
 	- gnome-screensaver <unfixed> (low; bug #455484)
 	[etch] - gnome-screensaver <no-dsa> (Minor issue)
 CVE-2007-6388 (Cross-site scripting (XSS) vulnerability in mod_status in the Apache ...)
-	- apache <unfixed> (low)
+	- apache <removed> (low)
 	- apache2 2.2.8-1 (low)
 	[etch] - apache <no-dsa> (scheduled for next point release)
-	NOTE: pending for apache 1.3.34-4.1+etch1 / etch r3
+	[etch] - apache 1.3.34-4.1+etch1
 CVE-2007-6358 (pdftops.pl before 1.20 in alternate pdftops filter allows local users ...)
 	{DSA-1437-1}
 	- cupsys 1.3.5-1 (low; bug #456960)
@@ -2880,12 +2881,12 @@
 	- libxfont 1:1.3.1-2
 CVE-2008-0005 (mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before ...)
 	- apache2 2.2.8-1 (low)
-	- apache <unfixed> (low)
+	- apache <removed> (low)
 	[etch] - apache <no-dsa> (browser issue; low impact)
 	[sarge] - apache <no-dsa> (browser issue; low impact)
 	[sarge] - apache2 <no-dsa> (browser issue; low impact)
 	[etch] - apache2 <no-dsa> (browser issue; low impact)
-	TODO: r3 [etch] - apache2 2.2.3-4+etch4 (low)
+	[etch] - apache2 2.2.3-4+etch4 (low)
 CVE-2008-0004
 	RESERVED
 CVE-2008-0003 (Stack-based buffer overflow in the PAMBasicAuthenticator::PAMCallback ...)
@@ -2912,7 +2913,7 @@
 	[etch] - apache2 <no-dsa> (minor issue)
 	- apache <not-affected> (vulnerable code not present)
 	NOTE: Might be exploitable with older flash plugins via HTTP Request Splitting
-	NOTE: pending for 2.2.3-4+etch4 / etch r3
+	[etch] - apache2 2.2.3-4+etch4
 CVE-2007-6208 (sylprint.pl in claws mail tools (claws-mail-tools) allows local users ...)
 	- claws-mail 3.1.0-2 (low; bug #454089)
 CVE-2007-6210 (zabbix_agentd 1.1.4 in ZABBIX before 1.4.3 runs &quot;UserParameter&quot; ...)
@@ -2924,7 +2925,7 @@
 	- sing 1.1-16 (low; bug #454167)
 	[etch] - sing <no-dsa> (Only exploitable in inherently broken setups)
 	[sarge] - sing <no-dsa> (Only exploitable in inherently broken setups)
-	TODO: r3	[etch] - sing 1.1-13etch1
+	[etch] - sing 1.1-13etch1
 	TODO: r8	[sarge] - sing 1.1-9sarge1
 CVE-2007-6209 (Util/difflog.pl in zsh 4.3.4 allows local users to overwrite arbitrary ...)
 	- zsh 4.3.4-dev-3-2 (low; bug #454073)
@@ -3216,6 +3217,7 @@
 CVE-2007-6062 (irc-channel.c in ngIRCd before 0.10.3 allows remote attackers to cause ...)
 	- ngircd 0.10.3-1 (bug #451875)
 	[etch] - ngircd <no-dsa> (Minor issue)
+	[etch] - ngircd 0.10.0-2etch1
 CVE-2007-6061 (Audacity 1.3.2 creates a temporary directory with a predictable name ...)
 	- audacity 1.3.4-1.1 (bug #453283; low)
 	[etch] - audacity <no-dsa> (Minor issue)
@@ -4342,6 +4344,7 @@
 	- sun-java6 6-03-1 (medium)
 	- sun-java5 1.5.0-13-1 (medium)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-5688 (Multiple SQL injection vulnerabilities in directory.php in the ...)
 	NOT-FOR-US: Multi Host Forum Pro
 CVE-2007-5687 (Multiple buffer overflows in the rich text processing functionality in ...)
@@ -5418,7 +5421,7 @@
 CVE-2007-5448 (Madwifi 0.9.3.2 and earlier allows remote attackers to cause a denial ...)
 	- madwifi 1:0.9.3.2-2 (medium; bug #446824)
 	[etch] - madwifi <no-dsa> (Non-free not supported)
-	TODO: r3 release: [etch] - madwifi 1:0.9.2+r1842.20061207-2etch2
+	[etch] - madwifi 1:0.9.2+r1842.20061207-2etch2
 CVE-2007-5447 (ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP ...)
 	NOT-FOR-US: ionCube
 CVE-2007-5446 (Absolute path traversal vulnerability in a certain ActiveX control in ...)
@@ -5722,6 +5725,7 @@
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-5374 (cp_memberedit.php in LightBlog 8.4.1.1 does not check for ...)
 	NOT-FOR-US: LightBlog
 CVE-2007-5373 (ldapscripts 1.4 and 1.7 sends a password as a command line argument ...)
@@ -5966,10 +5970,12 @@
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-5273 (Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and ...)
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-5272 (SQL injection vulnerability in kategori.asp in Furkan Tastan Blog ...)
 	NOT-FOR-US: Furkan Tastan Blog
 CVE-2007-5271 (Multiple PHP remote file inclusion vulnerabilities in Trionic Cite CMS ...)
@@ -6087,22 +6093,25 @@
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-5239 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...)
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-5238 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...)
 	- sun-java6 6-03-1 (unimportant)
 	- sun-java5 1.5.0-13-1 (unimportant)
+	[etch] - sun-java5 1.5.0-14-1etch1
 	NOTE: Leaked information hardly sensitive
 CVE-2007-5237 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not ...)
 	- sun-java6 6-03-1 (medium)
 	- sun-java5 1.5.0-13-1 (medium)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-5236 (Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK ...)
 	- sun-java6 <not-affected> (Windows only)
 	- sun-java5 <not-affected> (Windows only)
-	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5235 (Cross-site scripting (XSS) vulnerability in index.php in Uebimiau ...)
 	NOT-FOR-US: Uebimiau
 CVE-2007-5234 (PHP remote file inclusion vulnerability in upload/common/footer.php in ...)
@@ -6113,6 +6122,7 @@
 	- sun-java6 6-03-1 (low)
 	- sun-java5 1.5.0-13-1 (low)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-5231 (Unrestricted file upload vulnerability in admin/upload_files.php in ...)
 	NOT-FOR-US: Zomplog
 CVE-2007-5230 (admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for ...)
@@ -6127,7 +6137,7 @@
 	- dircproxy 1.0.5-5.1 (low; bug #445883)
 	[sarge] - dircproxy <no-dsa> (Minor issue)
 	[etch] - dircproxy <no-dsa> (Minor issue)
-	TODO: r3 release	[etch] - dircproxy 1.0.5-5etch1
+	[etch] - dircproxy 1.0.5-5etch1
 CVE-2005-4871 (Certain XML functions in IBM DB2 8.1 run with the privileges of DB2 ...)
 	NOT-FOR-US: IBM DB2
 CVE-2005-4870 (Stack-based buffer overflows in the (1) xmlvarcharfromfile, (2) ...)
@@ -6759,8 +6769,8 @@
 	[etch] - apache <no-dsa> (minor issue)
 	- apache2 2.2.8-1 (low)
 	- apache <unfixed> (low)
-	NOTE: pending for apache2 2.2.3-4+etch4 / etch r3
-	NOTE: pending for apache 1.3.34-4.1+etch1 / etch r3
+	[etch] - apache2 2.2.3-4+etch4
+	[etch] - apache 1.3.34-4.1+etch1
 CVE-2007-4999 (libpurple in Pidgin 2.1.0 through 2.2.1, when using HTML logging, ...)
 	- pidgin 2.2.2-1 (medium)
 CVE-2007-4998 (cp, when running with an option to preserve symlinks on multiple OSes, ...)
@@ -8057,8 +8067,8 @@
 	NOTE: This is really a browser bug, see CVE-2006-5152. But still unfixed in MSIE.
 	NOTE: Etch's default configuration not vulnerable due to AddDefaultCharset,
 	NOTE: but many users change this.
-	NOTE: pending for 2.2.3-4+etch4 / etch r3
 	NOTE: The apache2 fix is actually a workaround. It will not be applied to apache 1.3.
+	[etch] - apache2 2.2.3-4+etch4
 CVE-2007-4464 (CRLF injection vulnerability in the Fileinfo 2.0.9 plugin for Total ...)
 	NOT-FOR-US: Total Commander
 CVE-2007-4463 (The Fileinfo 2.0.9 plugin for Total Commander allows user-assisted ...)
@@ -9290,6 +9300,7 @@
 CVE-2007-3922 (Unspecified vulnerability in the Java Runtime Environment (JRE) Applet ...)
 	- sun-java5 1.5.0-12-2
 	[etch] - sun-java5 <no-dsa> (non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 	- sun-java6 6-02-1
 CVE-2007-3921 (gforge 3.1 and 4.5.14 allows local users to truncate arbitrary files ...)
 	{DSA-1402-1}
@@ -9863,6 +9874,7 @@
 	- sun-java5 1.5.0-12-1
 	- sun-java6 6-02-1
 	[etch] - sun-java5 <no-dsa> (non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 CVE-2007-3697 (PHP remote file inclusion vulnerability in phpbb/sendmsg.php in ...)
 	NOT-FOR-US: FlashBB
 CVE-2007-3696 (CA ERwin Data Model Validator (formerly AllFusion Data Model ...)
@@ -9958,6 +9970,7 @@
 CVE-2007-3655 (Stack-based buffer overflow in javaws.exe in Sun Java Web Start in JRE ...)
 	- sun-java5 1.5.0-12-1
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
+	[etch] - sun-java5 1.5.0-14-1etch1
 	- sun-java6 6-02-1
 CVE-2007-3654 (The display driver allocattr functions in NetBSD 3.0 through ...)
 	NOT-FOR-US: NetBSD
@@ -10330,6 +10343,7 @@
 	NOTE: Sun Alert ID 102957 says issue is Windows only
 CVE-2007-3503 (The Javadoc tool in Sun JDK 6 and JDK 5.0 Update 11 can generate HTML ...)
 	[etch] - sun-java5 <no-dsa> (non-free)
+	[etch] - sun-java5 1.5.0-14-1etch1
 	- sun-java5 1.5.0-12-1
 	[etch] - sun-java6 <no-dsa> (non-free)
 	- sun-java6 6-01-1 (bug #432006)
@@ -10830,7 +10844,7 @@
 	[etch] - apache2 2.2.3-4+etch2
 	[sarge] - apache2 2.0.54-5sarge2 (low)
 	[etch] - apache <no-dsa> (scheduled for next point release)
-	NOTE: pending for apache 1.3.34-4.1+etch1 / etch r3
+	[etch] - apache 1.3.34-4.1+etch1
 CVE-2007-3303 (Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows ...)
 	- apache2 <unfixed> (unimportant)
 	NOTE: If you can execute arbitrary code, a DoS is not a problem.
@@ -12087,10 +12101,12 @@
 	NOT-FOR-US: VP-ASP Shopping Cart
 CVE-2007-2789 (The BMP image parser in Sun Java Development Kit (JDK) before ...)
 	- sun-java5 1.5.0-11-1 (medium)
+	[etch] - sun-java5 1.5.0-14-1etch1
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 	- sun-java6 6-01-1 (bug #422403)
 CVE-2007-2788 (Integer overflow in the embedded ICC profile image parser in Sun Java ...)
 	- sun-java5 1.5.0-11-1 (medium)
+	[etch] - sun-java5 1.5.0-14-1etch1
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 	- sun-java6 6-01-1 (bug #422403)
 CVE-2007-2787 (Stack-based buffer overflow in the BrowseDir function in the (1) ...)
@@ -12908,6 +12924,7 @@
 	REJECTED
 CVE-2007-2435 (Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java ...)
 	- sun-java5 1.5.0-11-1 (medium; bug #423062)
+	[etch] - sun-java5 1.5.0-14-1etch1
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-2434 (Buffer overflow in asnsp.dll in Aventail Connect 4.1.2.13 allows ...)
 	NOT-FOR-US: Aventail Connect
@@ -15516,7 +15533,7 @@
 	- libapache2-mod-perl2 2.0.2-5 (low; bug #433549)
 	[etch] - libapache2-mod-perl2 <no-dsa> (Minor issue)
 	[etch] - apache <no-dsa> (scheduled for stable point release)
-	NOTE: pending for apache 1.3.34-4.1+etch1 / etch r3
+	[etch] - apache 1.3.34-4.1+etch1
 CVE-2007-1348
 	RESERVED
 CVE-2007-1347 (Microsoft Windows Explorer on Windows 2000 SP4 FR and XP SP2 FR, and ...)
@@ -17083,7 +17100,7 @@
 	[sarge]	- unrar-nonfree <no-dsa> (Non-free not supported)
 	[etch] - unrar-nonfree <no-dsa> (Non-free not supported)
 	TODO: r8 release        [sarge] - unrar-nonfree 1:3.5.2-0.2
-	TODO: r3 release	[etch] - unrar-nonfree 1:3.5.4-1.1
+	[etch] - unrar-nonfree 1:3.5.4-1.1
 	NOTE: amavid-new automatically uses "rar -p-" or "unrar -p-",
 	NOTE: which probably turns this into remote code execution
 	NOTE: clamav can also call unrar -p-, but AFAICS not in default configuration
@@ -21861,7 +21878,7 @@
 	[etch] - apache2 2.2.3-4+etch2
 	- apache <removed> (low)
 	[etch] - apache <no-dsa> (scheduled for stable point release)
-	NOTE: pending for apache 1.3.34-4.1+etch1 / etch r3
+	[etch] - apache 1.3.34-4.1+etch1
 CVE-2006-5751 (Integer overflow in the get_fdb_entries function in ...)
 	{DSA-1233}
 	- linux-2.6 2.6.18-8 (medium)
@@ -23076,7 +23093,6 @@
 	NOT-FOR-US: Linksys
 CVE-2006-5201 (Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and ...)
 	- sun-java5 1.5.0-10-1 (bug #393042)
-	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 	NOTE: this is similar to CVE-2006-4339
 CVE-2006-5200 (Unspecified vulnerability in Adobe Breeze 5 Licensed Server and Breeze ...)
 	NOT-FOR-US: Adobe
@@ -29418,7 +29434,6 @@
 	- clamav <not-affected> (clamav-freshclam doesn't ship freshclam setuid or setgid)
 CVE-2006-2426 (Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 ...)
 	- sun-java5 1.5.0-10-1 (bug #384734)
-	[etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2006-2425 (Multiple cross-site scripting (XSS) vulnerabilities in PRV.php in ...)
 	NOT-FOR-US: phpRemoteView
 CVE-2006-2424 (PHP remote file inclusion vulnerability in ezUserManager 1.6 and ...)




More information about the Secure-testing-commits mailing list