[Secure-testing-commits] r17935 - data/CVE
Nico Golde
nion at alioth.debian.org
Sat Dec 31 10:50:13 UTC 2011
Author: nion
Date: 2011-12-31 10:50:13 +0000 (Sat, 31 Dec 2011)
New Revision: 17935
Modified:
data/CVE/list
Log:
joining the tracker cleanup session: various fixed and removed versions
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2011-12-31 09:14:59 UTC (rev 17934)
+++ data/CVE/list 2011-12-31 10:50:13 UTC (rev 17935)
@@ -669,7 +669,7 @@
CVE-2011-4825 (Static code injection vulnerability in inc/function.base.php in Ajax ...)
NOT-FOR-US: Ajax File and Image Manager
CVE-2011-4824 (SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h ...)
- - cacti <unfixed> (high; bug #652371)
+ - cacti 0.8.7i-1 (high; bug #652371)
CVE-2011-4823 (Multiple SQL injection vulnerabilities in Vik Real Estate ...)
NOT-FOR-US: Joomla extension
CVE-2011-4822 (Multiple cross-site scripting (XSS) vulnerabilities in the user ...)
@@ -2734,7 +2734,7 @@
CVE-2011-4197
RESERVED
CVE-2011-XXXX [backuppc xss issue]
- - backuppc <unfixed> (bug #646865)
+ - backuppc 3.2.1-2 (bug #646865)
CVE-2011-XXXX [spip privilege escalation]
- spip 2.1.12-1 (bug #649113)
[squeeze] - spip 2.1.1-3squeeze2
@@ -4627,12 +4627,12 @@
CVE-2011-3562
RESERVED
CVE-2011-3561 (Unspecified vulnerability in the Java Runtime Environment component in ...)
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
CVE-2011-3560 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
@@ -4640,7 +4640,7 @@
CVE-2011-3559 (Unspecified vulnerability in Oracle Communications Server 2.0; ...)
NOT-FOR-US: Oracle Communications Server, GlassFish Enterprise Server, Sun Java System App Server
CVE-2011-3558 (Unspecified vulnerability in the Java Runtime Environment component in ...)
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
[lenny] - openjdk-6 <not-affected> (Hotspot version too old)
@@ -4649,83 +4649,83 @@
- openjdk-7 7~b147-2.0-1
CVE-2011-3557 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
- openjdk-7 7~b147-2.0-1
CVE-2011-3556 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
- openjdk-7 7~b147-2.0-1
CVE-2011-3555 (Unspecified vulnerability in the Java Runtime Environment component in ...)
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
CVE-2011-3554 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
- openjdk-7 7~b147-2.0-1
CVE-2011-3553 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
- openjdk-7 7~b147-2.0-1
CVE-2011-3552 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
- openjdk-7 7~b147-2.0-1
CVE-2011-3551 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
- openjdk-7 7~b147-2.0-1
CVE-2011-3550 (Unspecified vulnerability in the Java Runtime Environment component in ...)
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
CVE-2011-3549 (Unspecified vulnerability in the Java Runtime Environment component in ...)
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
CVE-2011-3548 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
- openjdk-7 7~b147-2.0-1
CVE-2011-3547 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
- openjdk-7 7~b147-2.0-1
CVE-2011-3546 (Unspecified vulnerability in the Java Runtime Environment component in ...)
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
CVE-2011-3545 (Unspecified vulnerability in the Java Runtime Environment component in ...)
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
CVE-2011-3544 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
@@ -4776,7 +4776,7 @@
NOT-FOR-US: SPARC T3, Netra SPARC T3, Sun Fire, and Sun Blade
CVE-2011-3521 (Unspecified vulnerability in the Java Runtime Environment component in ...)
{DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
- openjdk-6 6b23~pre11-1
@@ -5117,7 +5117,7 @@
[squeeze] - masqmail <no-dsa> (no security issue by itself)
CVE-2011-3389 (The SSL protocol, as used in certain configurations in Microsoft ...)
{DSA-2368-1 DSA-2358-1 DSA-2356-1}
- - sun-java6 <unfixed> (bug #645881)
+ - sun-java6 <removed> (bug #645881)
- lighttpd 1.4.30-1
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
[squeeze] - sun-java6 <no-dsa> (Non-free not supported)
@@ -6463,7 +6463,7 @@
TODO: check
CVE-2011-2916
RESERVED
- - qtnx <unfixed> (bug #637439)
+ - qtnx <removed> (bug #637439)
CVE-2011-2915
RESERVED
- libmodplug 1:0.8.8.4-1
@@ -7088,7 +7088,7 @@
- drupal7 7.6-1
CVE-2011-2725 [ark directory traversal]
RESERVED
- - kdeutils <unfixed> (low; bug #635541)
+ - kdeutils 4:4.6.5-4 (low; bug #635541)
[squeeze] - kdeutils <no-dsa> (Minor issue)
[lenny] - kdeutils <no-dsa> (Minor issue)
CVE-2011-2724 (The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs ...)
@@ -7156,7 +7156,7 @@
CVE-2011-2706
RESERVED
CVE-2011-2705 (The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby ...)
- - ruby1.8 <unfixed> (low; bug #635878)
+ - ruby1.8 1.8.7.352-1 (low; bug #635878)
- ruby1.9 <unfixed> (low)
- ruby1.9.1 <unfixed> (low)
CVE-2011-2704 (Stack-based buffer overflow in MapServer before 4.10.7 and 5.x before ...)
@@ -7224,7 +7224,7 @@
- drupal7 7.4-1 (bug #633385)
- drupal6 <not-affected>
CVE-2011-2686 (Ruby before 1.8.7-p352 does not reset the random seed upon forking, ...)
- - ruby1.8 <unfixed> (low; bug #635878)
+ - ruby1.8 1.8.7.352-1 (low; bug #635878)
- ruby1.9 <unfixed> (low)
- ruby1.9.1 <unfixed> (low)
CVE-2011-2685 (Stack-based buffer overflow in the Lotus Word Pro import filter in ...)
@@ -8195,7 +8195,7 @@
CVE-2011-2333
RESERVED
CVE-2011-2329 (The rampart_timestamp_token_validate function in ...)
- - rampart <unfixed> (bug #631221)
+ - rampart <removed> (bug #631221)
CVE-2011-2327 (Unspecified vulnerability in the Oracle Communications Unified ...)
NOT-FOR-US: Oracle Sun Products Suite
CVE-2011-2326
@@ -11038,7 +11038,7 @@
CVE-2011-1306 (Unspecified vulnerability in the Scratchpad application in Google ...)
NOT-FOR-US: Google ChromeOS
CVE-2011-XXXX [gmime segfault]
- - gmime2.4 <unfixed> (bug #616366)
+ - gmime2.4 2.4.23-1 (bug #616366)
CVE-2011-1305 (Race condition in Google Chrome before 11.0.696.57 on Linux and Mac OS ...)
- chromium-browser 11.0.696.65~r84435-1
[squeeze] - chromium-browser <no-dsa> (minor issue)
@@ -14054,7 +14054,7 @@
NOTE: lenny10 includes a test for the bug. With lenny's toolchain
NOTE: and settings, the bug can't be reproduced.
CVE-2011-XXXX [Crash with long HOME environment variable]
- - toppler <unfixed> (unimportant; bug #608979)
+ - toppler 1.1.4-2 (unimportant; bug #608979)
NOTE: Negligable privilege escalation
CVE-2011-XXXX [Crash with long HOME environment variable]
- lbreakout2 <unfixed> (unimportant; bug #608980)
@@ -18544,7 +18544,7 @@
- torcs 1.3.1-5 (bug #598306)
[lenny] - torcs <no-dsa> (Minor issue)
CVE-2010-3383 (The (1) teamspeak and (2) teamspeak-server scripts in TeamSpeak 2.0.32 ...)
- - teamspeak-client <unfixed> (low; bug #598304)
+ - teamspeak-client 2.0.32-3.1 (low; bug #598304)
[lenny] - teamspeak-client <no-dsa> (Non-free not supported)
- teamspeak-server 2.0.24.1+debian-1.1 (low; bug #598305)
[lenny] - teamspeak-server <no-dsa> (Non-free not supported)
@@ -18567,7 +18567,7 @@
CVE-2010-3377 (The (1) runSalome, (2) runTestMedCorba, (3) runLightSalome, and (4) ...)
- salome 5.1.3-11 (bug #598421)
CVE-2010-3376 (The (1) proofserv, (2) xrdcp, (3) xrdpwdadmin, and (4) xrd scripts in ...)
- - root-system <unfixed> (bug #598420; bug #598419)
+ - root-system <removed> (bug #598420; bug #598419)
[lenny] - root-system <no-dsa> (minor issue)
CVE-2010-3375
RESERVED
@@ -18616,7 +18616,7 @@
- gargoyle-free 2009-08-25-2
NOTE: http://groups.google.com/group/garglk-dev/browse_thread/thread/1c92ab6f24d5ebe6
CVE-2010-3358 (HenPlus JDBC SQL-Shell 0.9.7 places a zero-length directory name in ...)
- - henplus <unfixed> (bug #598290)
+ - henplus <removed> (bug #598290)
CVE-2010-3357 (gnome-subtitles 1.0 places a zero-length directory name in the ...)
- gnome-subtitles 1.0-2 (low; bug #598289)
[lenny] - gnome-subtitles <no-dsa> (Minor issue)
@@ -18735,7 +18735,7 @@
NOT-FOR-US: Free Simple CMS 1.0
CVE-2010-3305 [pixel CSRF]
RESERVED
- - pixelpost <unfixed> (bug #597224)
+ - pixelpost <removed> (bug #597224)
CVE-2010-3304 (The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to ...)
- dovecot 1.2.13-1
[lenny] - dovecot <not-affected> (only affects 1.2.x)
@@ -21098,7 +21098,7 @@
- bugzilla <not-affected> (Only affects 3.5 to 3.7)
CVE-2010-2476 [syscp open_basedir bypassing]
RESERVED
- - syscp <unfixed> (bug #587481)
+ - syscp <removed> (bug #587481)
CVE-2010-2469 (The Linear eMerge 50 and 5000 uses a default password of eMerge for ...)
NOT-FOR-US: Linear eMerge
CVE-2010-2468 (The S2 Security NetBox 2.x and 3.x, as used in the Linear eMerge 50 ...)
@@ -23702,7 +23702,7 @@
CVE-2010-1520 (Cross-site scripting (XSS) vulnerability in logout.php in TaskFreak! ...)
NOT-FOR-US: TaskFreak! Original multi user
CVE-2010-1519 (Multiple integer overflows in glpng.c in glpng 1.45 allow ...)
- - libglpng <unfixed> (low; bug #595171)
+ - libglpng <removed> (low; bug #595171)
[lenny] - libglpng <no-dsa> (Minor issue)
CVE-2010-1518 (Array index error in the SetDLInfo method in the GIGABYTE Dldrv2 ...)
NOT-FOR-US: GIGABYTE Dldrv2 ActiveX control
@@ -30610,27 +30610,27 @@
- xpdf <unfixed> (unimportant)
CVE-2009-5045 [multiple vulnerabilities in jetty]
RESERVED
- - jetty <unfixed> (unimportant; bug #553644)
+ - jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5046 [multiple vulnerabilities in jetty]
RESERVED
- - jetty <unfixed> (unimportant; bug #553644)
+ - jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5047 [multiple vulnerabilities in jetty]
RESERVED
- - jetty <unfixed> (unimportant; bug #553644)
+ - jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5048 [multiple vulnerabilities in jetty]
RESERVED
- - jetty <unfixed> (unimportant; bug #553644)
+ - jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-5049 [multiple vulnerabilities in jetty]
RESERVED
- - jetty <unfixed> (unimportant; bug #553644)
+ - jetty 6.1.22-1 (unimportant; bug #553644)
NOTE: http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
NOTE: The affected apps are not shipped in the package, see #553644
CVE-2009-XXXX [cherokee 0.5.4 DoS]
@@ -34469,7 +34469,7 @@
[etch] - php5 <no-dsa> (too risky to fix it there)
NOTE: requires the script itself to set and then restore a config var
CVE-2009-XXXX [php5: 'open_basedir' bypass]
- - php5 <unfixed> (unimportant; bug #540606)
+ - php5 5.3.1-1 (unimportant; bug #540606)
NOTE: only affects 5.3.0 in experimental, open_basedir unsupported
CVE-2009-2710
RESERVED
@@ -37219,7 +37219,7 @@
CVE-2009-1734 (SQL injection vulnerability in listing_video.php in VidSharePro allows ...)
NOT-FOR-US: VidSharePro
CVE-2009-1733 (Cross-site request forgery (CSRF) vulnerability in IPplan 4.91a allows ...)
- - ipplan <unfixed> (unimportant; bug #530271)
+ - ipplan 4.91a-1.1 (unimportant; bug #530271)
NOTE: Only exploitable with admin rights
CVE-2009-1732 (Cross-site scripting (XSS) vulnerability in admin/usermanager in ...)
{DSA-1827-1}
@@ -37664,7 +37664,7 @@
{DSA-1804-1}
- ipsec-tools 1:0.7.1-1.5 (medium; bug #528933)
CVE-2009-1631 (The Mailer component in Evolution 2.26.1 and earlier uses ...)
- - evolution <unfixed> (unimportant; bug #526409)
+ - evolution 2.29.90-1 (unimportant; bug #526409)
NOTE: Mostly a security enhancement, only for local users/mail and open homedirs
CVE-2009-1630 (The nfs_permission function in fs/nfs/dir.c in the NFS client ...)
{DSA-1865-1 DSA-1844-1 DSA-1809-1}
@@ -45143,7 +45143,7 @@
CVE-2008-5624 (PHP 5 before 5.2.7 does not properly initialize the page_uid and ...)
{DSA-1789-1 DTSA-188-1}
- php5 5.2.6.dfsg.1-1 (medium; bug #508021)
- - php4 <unfixed> (medium; bug #559787)
+ - php4 <removed> (medium; bug #559787)
CVE-2008-5660 (Format string vulnerability in the vinagre_utils_show_error function ...)
- vinagre 0.5.1-2
CVE-2008-5360 (Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and ...)
@@ -45330,7 +45330,7 @@
CVE-2008-5658 (Directory traversal vulnerability in the ZipArchive::extractTo ...)
{DSA-1789-1 DTSA-188-1}
- php5 5.2.6.dfsg.1-3 (bug #507857)
- - php4 <unfixed>
+ - php4 <removed>
CVE-2008-5323 (Cross-site scripting (XSS) vulnerability in index.php in Wysi Wiki Wyg ...)
NOT-FOR-US: Wysi Wiki Wyg
CVE-2008-5322 (Wysi Wiki Wyg 1.0 allows remote attackers to obtain system information ...)
@@ -53172,7 +53172,7 @@
NOT-FOR-US: Softbiz Web Host Directory Script
CVE-2008-2086 (Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and ...)
- openjdk-6 <not-affected> (browser plugin is different code base)
- - sun-java5 <unfixed>
+ - sun-java5 <removed>
[etch] - sun-java5 <no-dsa> (Non-free not supported)
[lenny] - sun-java5 <no-dsa> (Non-free not supported)
- sun-java6 6-10-1
@@ -63210,8 +63210,8 @@
[etch] - mp <no-dsa> (Minor issue)
NOTE: Can be fixed in a point update
CVE-2007-5019 (Buffer overflow in the Sun Java Web Start ActiveX control in Java ...)
- - sun-java6 <unfixed> (unimportant)
- - sun-java5 <unfixed> (unimportant)
+ - sun-java6 <removed> (unimportant)
+ - sun-java5 <removed> (unimportant)
- openjdk-6 <unfixed> (unimportant)
NOTE: exploiting this would not work under Linux
CVE-2007-5018 (Stack-based buffer overflow in IMAPD in Mercury/32 4.52 allows remote ...)
@@ -66122,7 +66122,7 @@
NOTE: fix sneaked into php 5.2.3 sans-mention:
NOTE: http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.417.2.8.2.36&r2=1.417.2.8.2.37&pathrev=PHP_5_2
NOTE: fixed in php4/etch, php5/etch, php4/sarge svn
- - php4 <unfixed> (low)
+ - php4 <removed> (low)
- php5 5.2.4-1 (low; bug #441433)
CVE-2007-3798 (Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 ...)
{DSA-1353-1}
@@ -67199,7 +67199,7 @@
CVE-2007-3379 (Unspecified vulnerability in the kernel in Red Hat Enterprise Linux ...)
- linux-2.6 <not-affected> (Red Hat-specific vulnerability)
CVE-2007-3378 (The (1) session_save_path, (2) ini_set, and (3) error_log functions in ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 5.2.4-1 (unimportant)
CVE-2007-3377 (Header.pm in Net::DNS before 0.60, a Perl module, (1) generates ...)
{DSA-1515-1}
@@ -67630,7 +67630,7 @@
CVE-2007-3206
RESERVED
CVE-2007-3205 (The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Subhosin, ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 <unfixed> (unimportant)
NOTE: That's by design
CVE-2007-3204 (SQL injection vulnerability in auth.php in Just For Fun Network ...)
@@ -68624,11 +68624,11 @@
{DSA-1323-1}
- krb5 1.6.dfsg.1-5 (high; bug #430785)
CVE-2006-7205 (The array_fill function in ext/standard/array.c in PHP 4.4.2 and 5.1.2 ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 <unfixed> (unimportant)
NOTE: local DoS when Apache memory limit is set high
CVE-2006-7204 (The imap_body function in PHP before 4.4.4 does not implement safemode ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
NOTE: open_basedir bypasses not supported
CVE-2003-1330 (Clearswift MAILsweeper for SMTP 4.3.6 SP1 does not execute custom "on ...)
NOT-FOR-US: MAILsweeper
@@ -70790,7 +70790,7 @@
CVE-2007-1891 (Stack-based buffer overflow in the GetPrivateProfileSectionW function ...)
NOT-FOR-US: Akamai
CVE-2007-1890 (Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 <unfixed> (unimportant)
NOTE: local code execution only, possibly only on FreeBSD
CVE-2007-1889 (Integer signedness error in the _zend_mm_alloc_int function in the ...)
@@ -70813,7 +70813,7 @@
CVE-2007-1884 (Multiple integer signedness errors in the printf function family in ...)
NOTE: Dupe of CVE-2007-0909; Fixed in DSA-1264, php5 5.2.0-9, php4 6:4.4.4-9
CVE-2007-1883 (PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 <unfixed> (unimportant)
NOTE: Only triggerable by malicious script
CVE-2007-1882 (qcbin/servlet/tdservlet/TDAPI_GeneralWebTreatment in HP Mercury ...)
@@ -70856,7 +70856,7 @@
NOT-FOR-US: not a bug
CVE-2007-1864 (Buffer overflow in the bundled libxmlrpc library in PHP before 4.4.7, ...)
{DSA-1331-1 DSA-1330-1}
- - php4 <unfixed>
+ - php4 <removed>
- php5 5.2.2-1
CVE-2007-1863 (cache_util.c in the mod_cache module in Apache HTTP Server (httpd), ...)
- apache2 2.2.4-1 (low)
@@ -70939,7 +70939,7 @@
CVE-2007-1836 (The command line administration interface in Data Domain OS before ...)
NOT-FOR-US: Data Domain OS
CVE-2007-1835 (PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 <unfixed> (unimportant)
NOTE: open_basedir bypasses not supported
CVE-2007-1834 (Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco ...)
@@ -71226,7 +71226,7 @@
NOT-FOR-US: mcweject
CVE-2007-1718 (CRLF injection vulnerability in the mail function in PHP 4.0.0 through ...)
{DSA-1283-1 DSA-1282-1 DTSA-39-1 DTSA-40-1}
- - php4 <unfixed> (medium)
+ - php4 <removed> (medium)
[sarge] - php4 <not-affected> (Vulnerable code not present)
- php5 5.2.0-11 (medium)
CVE-2007-1717 (The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 ...)
@@ -71249,7 +71249,7 @@
- php5 5.2.0-9
NOTE: register_globals not supported
CVE-2007-1710 (The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 <unfixed> (unimportant)
NOTE: Safe mode violations not supported, insufficient measure
CVE-2007-1709 (Buffer overflow in the confirm_phpdoc_compiled function in the phpDOC ...)
@@ -71583,10 +71583,10 @@
CVE-2007-1583 (The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through ...)
{DSA-1283-1 DSA-1282-1 DTSA-39-1 DTSA-40-1}
- php5 5.2.0-11 (medium)
- - php4 <unfixed> (medium)
+ - php4 <removed> (medium)
CVE-2007-1582 (The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 ...)
- php5 <unfixed> (unimportant)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
NOTE: Only triggerable by malicious script
CVE-2007-1581 (The resource system in PHP 5.0.0 through 5.2.1 allows ...)
- php5 <unfixed> (unimportant)
@@ -71827,7 +71827,7 @@
CVE-2007-1485 (** DISPUTED ** ...)
NOT-FOR-US: LIBFtp
CVE-2007-1484 (The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 5.2.2-1 (unimportant)
NOTE: local malicious scripts only
CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar ...)
@@ -71850,7 +71850,7 @@
CVE-2007-1476 (The SymTDI device driver (SYMTDI.SYS) in Symantec Norton Personal ...)
NOT-FOR-US: Symantec Norton Personal Firewall
CVE-2007-1475 (Multiple buffer overflows in the (1) ibase_connect and (2) ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
NOTE: Can only be triggered by malicious script
CVE-2007-1474 (Argument injection vulnerability in the cleanup cron script in Horde ...)
{DSA-1406-1}
@@ -72020,7 +72020,7 @@
CVE-2007-1414 (Multiple PHP remote file inclusion vulnerabilities in Coppermine Photo ...)
NOT-FOR-US: Coppermine Photo Gallery
CVE-2007-1413 (Buffer overflow in the snmpget function in the snmp extension in PHP ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
- php5 <unfixed> (unimportant)
NOTE: Only triggerable by malicious script
CVE-2007-1412 (The cpdf_open function in the ClibPDF (cpdf) extension in PHP 4.4.6 ...)
@@ -72096,7 +72096,7 @@
CVE-2007-1384 (Directory traversal vulnerability in torrent.cpp in KTorrent before ...)
- ktorrent 2.0.3+dfsg1-2.1 (bug #414832; medium)
CVE-2007-1383 (Integer overflow in the 16 bit variable reference counter in PHP 4 ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
NOTE: Only triggerable by malicious PHP scripts, PHP5 not "affected"
CVE-2007-1382 (The PHP COM extensions for PHP on Windows systems allow ...)
NOT-FOR-US: Windows PHP COM extensions
@@ -72115,7 +72115,7 @@
NOT-FOR-US: Adobe Reader
CVE-2007-1376 (The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x ...)
{DSA-1283-1 DTSA-39-1}
- - php4 <unfixed>
+ - php4 <removed>
- php5 5.2.0-11
NOTE: Only triggerable by malicious script
CVE-2007-1375 (Integer overflow in the substr_compare function in PHP 5.2.1 and ...)
@@ -72398,7 +72398,7 @@
- lintian 1.23.28 (low)
[sarge] - lintian <not-affected> (Vulnerable code not present)
CVE-2007-1287 (A regression error in the phpinfo function in PHP 4.4.3 to 4.4.6, and ...)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
[sarge] - php4 <not-affected> (Regression introduced in 4.4.3)
NOTE: Non-issue, explicit debug feature
CVE-2007-1286 (Integer overflow in PHP 4.4.4 and earlier allows remote ...)
@@ -72407,7 +72407,7 @@
- php5 5.2.0-11 (low)
CVE-2007-1285 (The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows ...)
- php5 5.2.2-1 (unimportant)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
NOTE: Needs to be sanisited within apps, only crashes the current instance anyway
CVE-2007-1284
RESERVED
@@ -76047,8 +76047,8 @@
CVE-2007-0013
RESERVED
CVE-2007-0012 (Sun JRE 5.0 before update 14 allows remote attackers to cause a denial ...)
- - sun-java5 <unfixed> (unimportant)
- - sun-java6 <unfixed> (unimportant)
+ - sun-java5 <removed> (unimportant)
+ - sun-java6 <removed> (unimportant)
- openjdk-6 <unfixed> (unimportant)
NOTE: not a security issue, browser dos treated as regular bugs, also likely Windows-specific
CVE-2007-0011 (The web portal interface in Citrix Access Gateway (aka Citrix Advanced ...)
@@ -77172,7 +77172,7 @@
NOT-FOR-US: abitwhizzy.php
CVE-2006-6383 (PHP 5.2.0 and 4.4 allows local users to bypass safe_mode and ...)
- php5 <unfixed> (unimportant)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
NOTE: safe-mode and basedir violations not treated as security issues
CVE-2006-6382 (The control panel for Positive Software H-Sphere before 2.5.0 RC3 ...)
NOT-FOR-US: Positive Software H-Sphere
@@ -78662,7 +78662,7 @@
NOT-FOR-US: PHPEasyData
CVE-2006-5706 (Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local ...)
- php5 5.2.0-1 (unimportant)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
NOTE: lack of basedir restrictions are not security-relevant by Debian PHP security policy
CVE-2006-5705 (Multiple directory traversal vulnerabilities in ...)
- wordpress 2.0.5-0.1
@@ -82444,7 +82444,7 @@
- festalon <not-affected> (vuln. code introduced in 0.5.0)
CVE-2006-4023 (The ip2long function in PHP 5.1.4 and earlier may incorrectly validate ...)
- php5 <unfixed> (unimportant; bug #382257)
- - php4 <unfixed> (unimportant; bug #382270)
+ - php4 <removed> (unimportant; bug #382270)
NOTE: Not every lack of protection of programmer's flaws is a vulnerability
NOTE: See notes by Sean for details
NOTE: > the entry states that this is more likely a bug in any
@@ -84713,7 +84713,7 @@
NOT-FOR-US: phpCMS
CVE-2006-3018 (Unspecified vulnerability in the session extension functionality in ...)
- php5 5.1.4-0.1 (unimportant)
- - php4 <unfixed> (unimportant)
+ - php4 <removed> (unimportant)
NOTE: Sanitising is the application's responsibilitys
CVE-2006-3017 (zend_hash_del_key_or_index in zend_hash.c in PHP before 4.4.3 and 5.x ...)
{DSA-1206-1}
@@ -88315,7 +88315,7 @@
CVE-2006-1551 (Eval injection vulnerability in pajax_call_dispatcher.php in PAJAX ...)
NOT-FOR-US: PAJAX
CVE-2006-1549 (PHP 4.4.2 and 5.1.2 allows local users to cause a crash (segmentation ...)
- - php4 <unfixed> (bug #361854; unimportant)
+ - php4 <removed> (bug #361854; unimportant)
- php5 5.1.4-0.1 (bug #361917; unimportant)
[sarge] - php4 <no-dsa> (there are easier ways to segfault your own program)
CVE-2005-4767 (BEA WebLogic Server and WebLogic Express 8.1 SP5 and earlier, and 7.0 ...)
@@ -89630,11 +89630,11 @@
NOT-FOR-US: Windows
CVE-2006-1015 (Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x ...)
- php5 5.1.4-0.1 (bug #368595; unimportant)
- - php4 <unfixed> (bug #368592; unimportant)
+ - php4 <removed> (bug #368592; unimportant)
NOTE: It's the application's job to sanitize input passed to a function
CVE-2006-1014 (Argument injection vulnerability in certain PHP 4.x and 5.x ...)
- php5 5.1.4-0.1 (bug #368595; unimportant)
- - php4 <unfixed> (bug #368592; unimportant)
+ - php4 <removed> (bug #368592; unimportant)
NOTE: It's the application's job to sanitize input passed to a function
CVE-2006-1013 (PHP remote file include vulnerability in index.php in SMartBlog (aka ...)
NOT-FOR-US: SMartBlog
@@ -89814,7 +89814,7 @@
NOT-FOR-US: zip.lib.php
CVE-2006-0931 (Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other ...)
- php5 <unfixed> (bug #368545; unimportant)
- - php4 <unfixed> (bug #368545; unimportant)
+ - php4 <removed> (bug #368545; unimportant)
NOTE: is this really a vulnerability in pear? it seems it should be a bug
NOTE: in any application not checking for such archives.
NOTE: Lack of a security feature is not a vulnerability
More information about the Secure-testing-commits
mailing list