jmm-guest at alioth.debian.org
2008-Jan-20 15:27 UTC
[Secure-testing-commits] r7989 - data/CVE
Author: jmm-guest
Date: 2008-01-20 15:27:07 +0000 (Sun, 20 Jan 2008)
New Revision: 7989

Modified:
   data/CVE/list
Log:
unhide vorbis entry, marking as unfixed for now
tomcat SSO CVEfied and marked

Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-01-20 13:31:54 UTC (rev 7988) +++ data/CVE/list 2008-01-20 15:27:07 UTC (rev 7989) @@ -517,8 +517,14 @@ NOT-FOR-US: Instant Softwares Dating Site CVE-2008-0129 (SQL injection vulnerability in starnet/addons/slideshow_full.php in ...) NOT-FOR-US: Site at School -CVE-2008-0128 +CVE-2008-0128 [Tomcat does not enforce HTTPS for SSO cookies] RESERVED + - tomcat5 <removed> (unimportant) + NOTE: SSO cookies not working in 5.0, have only been fixed in 5.5.13, see #34724 + - tomcat5.5 5.5.23-1 (low) + NOTE: SSO cookies sent over secure connections do not require + NOTE: secure connections, possibly defeating HTTPS encryption. + NOTE: See: http://issues.apache.org/bugzilla/show_bug.cgi?id=41217 CVE-2008-0127 (The administration interface in McAfee E-Business Server 8.5.2 and ...) NOT-FOR-US: McAfee E-Business Server CVE-2008-0126 @@ -7909,6 +7915,7 @@ CVE-2007-4067 (Absolute path traversal vulnerability in the clInetSuiteX6.clWebDav ...) NOT-FOR-US: Clever Internet ActiveX Suite CVE-2007-4066 (Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow ...) + - libvorbis <unfixed> NOTE: svn revisionsions fixing this: https://bugzilla.redhat.com/show_bug.cgi?id=249780 CVE-2007-4065 (lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 ...) - libvorbis <unfixed> (unimportant) 
@@ -11886,12 +11893,6 @@ NOT-FOR-US: Hitachi Groupmax CVE-2007-2420 (SQL injection vulnerability in bry.asp in Burak Yilmaz Blog 1.0 allows ...) NOT-FOR-US: Burak Yilmaz Blog -CVE-2007-XXXX [Tomcat does not enforce HTTPS for SSO cookies] - - tomcat5 <unfixed> (low) - - tomcat5.5 5.5.23-1 (low) - NOTE: SSO cookies sent over secure connections do not require - NOTE: secure connections, possibly defeating HTTPS encryption. - NOTE: See: http://issues.apache.org/bugzilla/show_bug.cgi?id=41217 CVE-2007-2419 (Multiple buffer overflows in an ActiveX control (boisweb.dll) in ...) NOT-FOR-US: Macrovision CVE-2007-2418 (Heap-based buffer overflow in the Rendezvous / Extensible Messaging ...) @@ -17053,8 +17054,11 @@ {DSA-1257} - samba 3.0.23d-5 (low) CVE-2007-0450 (Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x ...) - - tomcat5 <removed> - - tomcat5.5 5.5.23-1 + - tomcat5 <removed> (unimportant) + - tomcat5.5 5.5.23-1 (unimportant) + NOTE: This only adds an additional control settings for path delimiters, the + NOTE: necessary proxies still need to be secured or fixed individually (e.g. + NOTE: as done for mod_jk in a DSA CVE-2007-0449 (Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve ...) NOT-FOR-US: CA BrightStor CVE-2007-0448 (The fopen function in PHP 5.2.0 does not properly handle invalid URI ...)
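Review bot: in the new CVE-2008-0128 entry (hunk @@ -517), the line "NOTE: SSO cookies not working in 5.0, have only been fixed in 5.5.13, see #34724" does not say which tracker #34724 belongs to, while the neighbouring NOTE cites Apache bugzilla 41217 by full URL; since this note is what justifies changing tomcat5 from "<unfixed> (low)" in the removed CVE-2007-XXXX placeholder to "<removed> (unimportant)" here, spell the reference out (Debian bug URL or "Apache bug #34724") so the downgrade can be checked.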
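Review bot: the added "- libvorbis <unfixed>" line for CVE-2007-4066 (hunk @@ -7909) carries no severity, unlike "- libvorbis <unfixed> (unimportant)" on CVE-2007-4065 directly below and every other package line touched in this commit; if the "for now" in the log means triage is still pending, say so in a NOTE, otherwise add the intended severity. While in this entry, the existing NOTE reads "svn revisionsions fixing this" for "svn revisions fixing this".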
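Review bot: the new NOTE on CVE-2007-0450 (hunk @@ -17053) stops mid-sentence with an unclosed parenthesis, "(e.g. as done for mod_jk in a DSA", and never names the advisory, so the reference cannot be followed; close it and give the number, e.g. "NOTE: as done for mod_jk in DSA-NNNN)" with the real DSA id filled in. The first line also has "an additional control settings"; make it "an additional control setting" or "additional control settings".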