jmm-guest at alioth.debian.org
2008-Mar-24 20:41 UTC
[Secure-testing-commits] r8399 - data/CVE
Author: jmm-guest Date: 2008-03-24 20:41:07 +0000 (Mon, 24 Mar 2008) New Revision: 8399 Modified: data/CVE/list Log: firebird special case DSA some bug nums one older cups no longer exploitable since 1.2 Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-03-24 18:29:08 UTC (rev 8398) +++ data/CVE/list 2008-03-24 20:41:07 UTC (rev 8399) @@ -2110,6 +2110,7 @@ NOT-FOR-US: Flinx CVE-2008-0467 (Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x before ...) - firebird2 <removed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) - firebird2.0 2.0.3.12981.ds1-5 (medium; bug #463596) CVE-2008-0466 (Web Wiz RTE_file_browser.asp in, as used in Web Wiz Rich Text Editor ...) NOT-FOR-US: Web Wiz Rich Text Editor @@ -2332,7 +2333,7 @@ - firebird2.0 2.0.3.12981.ds1-4 (bug #460048) [lenny] - firebird2.0 2.0.3.12981.ds1-1+lenny1 - firebird2 <removed> - NOTE: firebird2 in etch is vulnerable + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) CVE-2008-0386 (Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to ...) - xdg-utils <not-affected> (Ships a patch that modifies the vulnerable code and uses sed secure) NOTE: xdg-open-generic replaces the vulnerable code and runs view-mailcap or sensible-browser @@ -4695,7 +4696,7 @@ CVE-2007-6040 (The Belkin F5D7230-4 Wireless G Router allows remote attackers to ...) NOT-FOR-US: Belkin F5D7230-4 Wireless G Router CVE-2007-6039 (PHP 5.2.5 and earlier allows context-dependent attackers to cause a ...) - - php5 <unfixed> (unimportant; bug #453295) + - php5 <unfixed> (unimportant; bug #453295; bug #453295) NOTE: Not a vulnerability per Debian PHP security policy, requires malicious NOTE: script to trigger this issue CVE-2007-6077 (The session fixation protection mechanism in cgi_process.rb in Rails ...) 
@@ -8977,27 +8978,27 @@ NOTE: This refers to an improved fix for MOPB 03-2007, which is CVE-2007-1285 and a non-issue CVE-2007-4669 (The Services API in Firebird before 2.0.2 allows remote authenticated ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 <unfixed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> CVE-2007-4668 (Unspecified vulnerability in the server in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 <unfixed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> CVE-2007-4667 (Unspecified vulnerability in the Services API in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 <unfixed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> CVE-2007-4666 (Unspecified vulnerability in the server in Firebird before 2.0.2, when ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 <unfixed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> CVE-2007-4665 (Unspecified vulnerability in the server in Firebird before 2.0.2 ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 <unfixed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> CVE-2007-4664 (Unspecified vulnerability in the (1) attach database and (2) create ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 <unfixed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> CVE-2007-4663 (Directory traversal vulnerability in PHP before 5.2.4 allows attackers ...) 
- php5 <unfixed> (unimportant) @@ -10455,7 +10456,8 @@ CVE-2007-4046 (SQL injection vulnerability in index.php in the Pony Gallery ...) NOT-FOR-US: Pony Gallery CVE-2007-4045 (The CUPS service, as used in SUSE Linux before 20070720 and other ...) - - cupsys <not-affected> (SuSE-specific regression) + - cupsys 1.2 + NOTE: Since 1.2 allocation has changed and this issue is no longer exploitable CVE-2007-4044 REJECTED CVE-2007-4043 (file.cgi in Secure Computing SecurityReporter (aka Network Security ...) @@ -10493,7 +10495,7 @@ RESERVED CVE-2007-4029 (libvorbis 1.1.2, and possibly other versions before 1.2.0, allows ...) {DSA-1471-1} - - libvorbis 1.2.0.dfsg-1 (medium) + - libvorbis 1.2.0.dfsg-1 (medium; bug #437916) NOTE: svn revisions fixing this https://bugzilla.redhat.com/show_bug.cgi?id=249780 CVE-2007-4028 (Absolute path traversal vulnerability in index.php in Webspell 4.01.02 ...) NOT-FOR-US: WebSPELL @@ -11673,7 +11675,7 @@ [sarge] - dar <no-dsa> (Minor issue) CVE-2007-3527 (Integer overflow in Firebird 2.0.0 allows remote authenticated users ...) - firebird2.0 2.0.3.12981.ds1-1 (bug #441405) - [etch] - firebird2 <unfixed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> CVE-2007-3526 (Multiple SQL injection vulnerabilities in Buddy Zone 1.5 and earlier ...) NOT-FOR-US: Buddy Zone 
@@ -11889,18 +11891,22 @@ CVE-2006-7214 (Multiple unspecified vulnerabilities in Firebird 1.5 allow remote ...) - firebird1.5 <removed> (bug #432753) - firebird2 <removed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) - firebird2.0 <not-affected> (fixed in 2.0) CVE-2006-7213 (Firebird 1.5 allows remote authenticated users without SYSDBA and ...) - firebird1.5 <removed> (bug #432753) - firebird2 <removed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) - firebird2.0 <not-affected> (fixed in 2.0) CVE-2006-7212 (Multiple buffer overflows in Firebird 1.5, one of which affects WNET, ...) - firebird1.5 <removed> (bug #432753) - firebird2 <removed> + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) - firebird2.0 <not-affected> (fixed in 2.0) CVE-2006-7211 (fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the ...) - firebird1.5 <not-affected> (fixed before rename to firebird1.5) - firebird2 1.5.3.4870-4 (low; bug #362001) + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) - firebird2.0 <not-affected> (fixed in 2.0) [sarge] - firebird2 <no-dsa> (Minor issue) CVE-2006-7210 (Microsoft Windows 2000, XP, and Server 2003 allows remote attackers to ...) @@ -12569,7 +12575,7 @@ NOT-FOR-US: Calendarix CVE-2007-3181 (Buffer overflow in fbserver.exe in Firebird SQL 2 before 2.0.1 allows ...) - firebird2.0 2.0.3.12981.ds1-1 (medium) - [etch] - firebird2 <unfixed> (medium) + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> (medium) NOTE: maybe fixed prior to 2.0.3.12981.ds1-1 (2.0.1) but couldn''t find any earlier source code NOTE: in the pool to check and since this version is in testing and unstable... 
@@ -12763,7 +12769,7 @@ NOT-FOR-US: Microsoft FrontPage CVE-2007-3108 (The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL ...) - openssl 0.9.8e-6 (bug #438142; low) - - openssl097 <removed> + - openssl097 <removed> (bug #438180) [sarge] - openssl <no-dsa> (Not exploitable in a real-world scenario) [etch] - openssl <no-dsa> (Not exploitable in a real-world scenario) [etch] - openssl097 <no-dsa> (Not exploitable in a real-world scenario) @@ -13613,7 +13619,7 @@ CVE-2007-2757 (Multiple cross-site scripting (XSS) vulnerabilities in Redoable 1.2 ...) NOT-FOR-US: Redoable CVE-2007-2756 (The gdPngReadData function in libgd 2.0.34 allows user-assisted ...) - - libgd2 2.0.35.dfsg-1 (bug #426100; low) + - libgd2 2.0.35.dfsg-1 (bug #426100; bug #426099; low) [etch] - libgd <no-dsa> (Minor issue) [sarge] - libgd <no-dsa> (Minor issue) [etch] - libgd2 <no-dsa> (Minor issue) @@ -13950,7 +13956,7 @@ NOT-FOR-US: LaVague CVE-2007-2606 (Multiple buffer overflows in Firebird 2.1 allow attackers to trigger ...) - firebird2.0 2.0.3.12981.ds1-1 (low; bug #444976) - [etch] - firebird2 <unfixed> (low) + [etch] - firebird2 <no-dsa> (Fixed packages have been released through backports.org, see #1529) [sarge] - firebird2 <unfixed> (low) NOTE: Minor issue, because conffile is restricted CVE-2007-2605 (Unspecified vulnerability in the GetPropertyById function in ...) @@ -17288,7 +17294,7 @@ - kdepim <unfixed> (unimportant) NOTE: this is a "feature request", since gnupg is fixed from CVE-2007-1263 CVE-2007-1264 (Enigmail 0.94.2 and earlier does not properly use the --status-fd ...) - - enigmail <unfixed> (unimportant) + - enigmail <unfixed> (unimportant; bug #415225) NOTE: this is a "feature request", since gnupg is fixed from CVE-2007-1263 CVE-2007-1263 (GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the ...) {DSA-1266-1}
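
Review bot: The reason string on the new `[etch] - firebird2 <no-dsa>` line in the CVE-2008-0467 hunk (@@ -2110,6 +2110,7 @@), repeated in every firebird hunk after it, ends with `see #1529` without saying which tracker that number belongs to. The other references in this patch are written `bug #NNNNNN` with six-digit numbers, so a reader cannot tell where to look this one up. Name the tracker or give a link in the reason text.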
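
Review bot: In the CVE-2007-6039 hunk (@@ -4695,7 +4696,7 @@) the new php5 line lists the same bug twice, `(unimportant; bug #453295; bug #453295)`, so it adds nothing over the line it replaces. Drop the duplicate, or put in the second bug number if a different one was intended.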
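
Review bot: In the CVE-2007-4045 hunk (@@ -10455,7 +10456,8 @@) the new `- cupsys 1.2` line records a fixed version but the entry gets no release-tagged lines, so any release still shipping a cupsys older than 1.2 goes from not-affected to affected with no triage recorded. Add a `[release] - cupsys ...` line for each such release, or say in the NOTE why none is needed. The `1.2` is also a bare upstream version, unlike the full package versions used in the other fixed-version fields of this patch (for example `1.2.0.dfsg-1`), and the previous "SuSE-specific regression" rationale is dropped rather than carried into the NOTE.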
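
Review bot: In the @@ -11889,18 +11891,22 @@ hunk the blanket `[etch] - firebird2 <no-dsa>` line is also added under CVE-2006-7211, where the entry already records a fix as `- firebird2 1.5.3.4870-4 (low; bug #362001)`. If the etch package is at or above that version, the new line marks an already fixed release as open, so check the etch version and drop the line for this CVE if that is the case. In all four entries of this hunk the release-tagged line is also inserted between the two untagged package lines, while the existing `[sarge]` line in the same entry sits after them; keep the ordering consistent.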