stef-guest at alioth.debian.org
2007-Dec-23 21:19 UTC
[Secure-testing-commits] r7705 - data/CVE
Author: stef-guest Date: 2007-12-23 21:19:30 +0000 (Sun, 23 Dec 2007) New Revision: 7705 Modified: data/CVE/list Log: - new apache issue - add info about apache2 stable updates - add info to autofs* issues Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-12-23 21:14:11 UTC (rev 7704) +++ data/CVE/list 2007-12-23 21:19:30 UTC (rev 7705) @@ -1,3 +1,6 @@ +CVE-2007-6514 [apache script source disclosure when docroot is on smbfs] + - apache <unfixed> + - apache2 <unfixed> CVE-2007-XXXX [venkman preinst symlink dos] - venkman 0.9.87.2-1 (bug #456520) [sarge] - venkman <not-affected> (Vulnerable code not present) @@ -515,7 +518,9 @@ CVE-2007-6286 RESERVED CVE-2007-6285 (The default configuration for autofs 5 (autofs5) on Red Hat Enterprise ...) - TODO: check + TODO: file bug (autofs5 is in experimental) + - autofs <not-affected> (-hosts feature not present, auto.net has nosuid,nodev) + - autofs5 <unfixed> CVE-2007-6284 RESERVED CVE-2007-6283 (Red Hat Enterprise Linux 5 and Fedora install the Bind /etc/rndc.key ...) @@ -714,6 +719,7 @@ [sarge] - apache2 <no-dsa> (minor issue) [etch] - apache2 <no-dsa> (minor issue) NOTE: Might be exploitable with older flash plugins via HTTP Request Splitting + NOTE: pending for 2.2.3-4+etch4 / etch r3 NOTE: apache 1.3 is not vulnerable CVE-2007-6208 (sylprint.pl in claws mail tools (claws-mail-tools) allows local users ...) - claws-mail 3.1.0-2 (low; bug #454089) @@ -1293,6 +1299,8 @@ RESERVED CVE-2007-5964 (The default configuration of autofs 5 in Red Hat Enterprise Linux ...) - autofs 3.1.4-8 (medium) + - autofs5 <unfixed> + TODO: file bug (autofs5 in experimental) CVE-2007-5963 (Unspecified vulnerability in kdebase allows local users to cause a ...) - kdebase <unfixed> (unimportant) NOTE: This has only theoretical security impact @@ -4500,6 +4508,7 @@ [etch] - apache <no-dsa> (minor issue) - apache2 <unfixed> (low) - apache <unfixed> (low) + NOTE: pending for 2.2.3-4+etch4 / etch r3 CVE-2007-4999 (libpurple in Pidgin 2.1.0 through 2.2.1, when using HTML logging, ...) - pidgin 2.2.2-1 (medium) CVE-2007-4998 @@ -5759,7 +5768,7 @@ CVE-2003-1334 (Cross-site scripting (XSS) vulnerability in Kai Blankenhorn Bitfolge ...) NOT-FOR-US: snif CVE-2007-4465 (Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the ...) - - apache <unfixed> (low) + - apache <removed> (low) - apache2 2.2.6-1 (bug #453783) [sarge] - apache <no-dsa> (browser issue, low impact) [etch] - apache <no-dsa> (browser issue, low impact) @@ -5768,6 +5777,8 @@ NOTE: This is really a browser bug, see CVE-2006-5152. But still unfixed in MSIE. NOTE: Etch''s default configuration not vulnerable due to AddDefaultCharset, NOTE: but many users change this. + NOTE: pending for 2.2.3-4+etch4 / etch r3 + NOTE: The apache2 fix is actually a workaround. It will not be applied to apache 1.3. CVE-2007-4464 (CRLF injection vulnerability in the Fileinfo 2.0.9 plugin for Total ...) NOT-FOR-US: Total Commander CVE-2007-4463 (The Fileinfo 2.0.9 plugin for Total Commander allows user-assisted ...)