[Secure-testing-commits] r7989 - data/CVE
jmm-guest at alioth.debian.org
Sun Jan 20 15:27:07 UTC 2008
Author: jmm-guest
Date: 2008-01-20 15:27:07 +0000 (Sun, 20 Jan 2008)
New Revision: 7989
Modified:
data/CVE/list
Log:
unhide vorbis entry, marking as unfixed for now
tomcat SSO CVEfied and marked
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2008-01-20 13:31:54 UTC (rev 7988)
+++ data/CVE/list 2008-01-20 15:27:07 UTC (rev 7989)
@@ -517,8 +517,14 @@
NOT-FOR-US: Instant Softwares Dating Site
CVE-2008-0129 (SQL injection vulnerability in starnet/addons/slideshow_full.php in ...)
NOT-FOR-US: Site at School
-CVE-2008-0128
+CVE-2008-0128 [Tomcat does not enforce HTTPS for SSO cookies]
RESERVED
+ - tomcat5 <removed> (unimportant)
+ NOTE: SSO cookies not working in 5.0, have only been fixed in 5.5.13, see #34724
+ - tomcat5.5 5.5.23-1 (low)
+ NOTE: SSO cookies sent over secure connections do not require
+ NOTE: secure connections, possibly defeating HTTPS encryption.
+ NOTE: See: http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
CVE-2008-0127 (The administration interface in McAfee E-Business Server 8.5.2 and ...)
NOT-FOR-US: McAfee E-Business Server
CVE-2008-0126
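Review bot: the two NOTE lines under tomcat5.5 read "SSO cookies sent over secure connections do not require secure connections", which is self-contradictory as written; the CVE title on the line above ("does not enforce HTTPS for SSO cookies") is the clearer statement, so consider rewording the NOTE to say that the SSO cookie issued over HTTPS is not marked as requiring a secure connection, which is what "possibly defeating HTTPS encryption" refers to. Also, the tomcat5 entry goes from the previous "<unfixed> (low)" to "<removed> (unimportant)" and the justification is "SSO cookies not working in 5.0, have only been fixed in 5.5.13, see #34724"; that sentence is hard to parse (fixed is the wrong verb for a feature that did not work), so state explicitly whether the 5.0 package's SSO is non-functional and therefore not affected, so the unimportant rating is traceable from the entry alone.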
@@ -7909,6 +7915,7 @@
CVE-2007-4067 (Absolute path traversal vulnerability in the clInetSuiteX6.clWebDav ...)
NOT-FOR-US: Clever Internet ActiveX Suite
CVE-2007-4066 (Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow ...)
+ - libvorbis <unfixed>
NOTE: svn revisionsions fixing this: https://bugzilla.redhat.com/show_bug.cgi?id=249780
CVE-2007-4065 (lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 ...)
- libvorbis <unfixed> (unimportant)
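Review bot: the new "- libvorbis <unfixed>" line for CVE-2007-4066 carries no severity tag, while the adjacent CVE-2007-4065 entry has "(unimportant)" and the commit log only says "marking as unfixed for now"; since the description is multiple buffer overflows, either set a severity here or add a NOTE saying the rating is pending and why, so the entry is not mistaken for an unrated one. The unchanged context line "svn revisionsions fixing this" contains a typo ("revisions") that could be corrected in the same commit.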
@@ -11886,12 +11893,6 @@
NOT-FOR-US: Hitachi Groupmax
CVE-2007-2420 (SQL injection vulnerability in bry.asp in Burak Yilmaz Blog 1.0 allows ...)
NOT-FOR-US: Burak Yilmaz Blog
-CVE-2007-XXXX [Tomcat does not enforce HTTPS for SSO cookies]
- - tomcat5 <unfixed> (low)
- - tomcat5.5 5.5.23-1 (low)
- NOTE: SSO cookies sent over secure connections do not require
- NOTE: secure connections, possibly defeating HTTPS encryption.
- NOTE: See: http://issues.apache.org/bugzilla/show_bug.cgi?id=41217
CVE-2007-2419 (Multiple buffer overflows in an ActiveX control (boisweb.dll) in ...)
NOT-FOR-US: Macrovision
CVE-2007-2418 (Heap-based buffer overflow in the Rendezvous / Extensible Messaging ...)
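Review bot: this hunk drops the placeholder CVE-2007-XXXX entry that is re-added as CVE-2008-0128 in the first hunk, but the move is not a pure rename: tomcat5 changes from "<unfixed> (low)" to "<removed> (unimportant)" and tomcat5.5 keeps "5.5.23-1 (low)". If the status and severity change for tomcat5 is intentional, the commit log ("tomcat SSO CVEfied and marked") should say so, because a reader comparing the two hunks will otherwise assume a copy error.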
@@ -17053,8 +17054,11 @@
{DSA-1257}
- samba 3.0.23d-5 (low)
CVE-2007-0450 (Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x ...)
- - tomcat5 <removed>
- - tomcat5.5 5.5.23-1
+ - tomcat5 <removed> (unimportant)
+ - tomcat5.5 5.5.23-1 (unimportant)
+ NOTE: This only adds an additional control settings for path delimiters, the
+ NOTE: necessary proxies still need to be secured or fixed individually (e.g.
+ NOTE: as done for mod_jk in a DSA
CVE-2007-0449 (Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve ...)
NOT-FOR-US: CA BrightStor
CVE-2007-0448 (The fopen function in PHP 5.2.0 does not properly handle invalid URI ...)
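Review bot: the added NOTE for CVE-2007-0450 is grammatically off and cut short: "adds an additional control settings" should be "adds an additional control setting", and the parenthetical "(e.g. as done for mod_jk in a DSA" is never closed and does not name the DSA. Suggest finishing the sentence with the DSA identifier and a closing parenthesis, e.g. "as done for mod_jk in DSA-<number>)", since the note is the only justification on record for lowering both tomcat entries to "(unimportant)" and it currently leaves the reader unable to locate the referenced advisory.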