jmm-guest at alioth.debian.org
2007-Nov-27 21:25 UTC
[Secure-testing-commits] r7410 - data/CVE
Author: jmm-guest Date: 2007-11-27 21:25:19 +0000 (Tue, 27 Nov 2007) New Revision: 7410 Modified: data/CVE/list Log: - ngircd issue has been duped - fix syntax - python/tar not treated as a security problem Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-11-27 21:14:10 UTC (rev 7409) +++ data/CVE/list 2007-11-27 21:25:19 UTC (rev 7410) @@ -115,7 +115,8 @@ CVE-2007-6063 (Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux ...) TODO: check CVE-2007-6062 (irc-channel.c in ngIRCd before 0.10.3 allows remote attackers to cause ...) - TODO: check + - ngircd 0.10.3-1 + [etch] - ngircd <no-dsa> (Minor issue) CVE-2007-6061 (Audacity 1.3.2 creates a temporary directory with a predictable name ...) TODO: check CVE-2007-6060 (AhnLab Antivirus 3 Internet Security 2008 Platinum appends data to a ...) @@ -217,8 +218,6 @@ NOT-FOR-US: LIVE555 Media Server CVE-2007-6034 REJECTED - - ngircd 0.10.3-1 - [etch] - ngircd <no-dsa> (Minor issue) CVE-2007-6033 (Invensys Wonderware InTouch 8.0 creates a NetDDE share with insecure ...) NOT-FOR-US: Invensys Wonderware InTouch CVE-2007-6032 (SQL injection vulnerability in calendar/page.asp in Aleris Web ...) @@ -532,10 +531,6 @@ NOT-FOR-US: IBM Lotus Notes, Symantec Mail Security, and others CVE-2007-5908 REJECTED - NOTE: there is a list of possible clocksource names which consits of short enough names - NOTE: this is a bug in the kernel but not a security issue, there is no way for a user to - NOTE: exploit this, they can only chose an item from the list - NOTE: Issue about to be rejected by MITRE CVE-2007-5907 (Xen 3.1.1 does not prevent modification of the CR4 TSC from ...) - xen-3 3.1.2-1 (medium; bug #451626) - xen-3.0 <unfixed> 
@@ -4560,9 +4555,17 @@ {DSA-1366-1} - clamav 0.91.2-1~volatile1 (high) CVE-2007-4559 (Directory traversal vulnerability in the (1) extract and (2) ...) - - python2.3 <removed> - - python2.4 <unfixed> (bug #440097) - - python2.5 <unfixed> (bug #440099) + - python2.3 <removed> (unimportant) + - python2.4 <unfixed> (unimportant; bug #440097) + - python2.5 <unfixed> (unimportant; bug #440099) + NOTE: According to upstream this is the intended behaviour for the module. + NOTE: Since this is a library interface to embed Tar functionality into applications + NOTE: it is in order to not provide the full security safety belts one might + NOTE: expect from an enduser application like tar(1). Plus, addressing this would + NOTE: mean to diverge from upstream permanently and could break the behaviour + NOTE: of external apps. Anyone who wants to see this "fixed" should rather file + NOTE: a PEP on an improved tar interface with additional security guarantees + NOTE: provided by design. CVE-2007-4558 REJECTED CVE-2007-4557 (Cross-site scripting (XSS) vulnerability in the webacc servlet in ...)
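Review bot: in the @@ -115,7 +115,8 @@ hunk the added line `[etch] - ngircd <no-dsa> (Minor issue)` under CVE-2007-6062 records the rating but not the reason for it, whereas the CVE-2007-4559 block in the same commit documents its rationale in NOTE lines; a single `NOTE:` line stating why the ngIRCd issue is considered minor for etch would let later triagers see the reasoning without consulting the svn history. Also worth confirming that `- ngircd 0.10.3-1` was carried over unchanged from the CVE-2007-6034 block so the fixed-version claim survives the move.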
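Review bot: in the @@ -532,10 +531,6 @@ hunk removing the four NOTE lines under `CVE-2007-5908 REJECTED` drops the only recorded rationale for that entry (the clocksource name is chosen from a fixed list, so a user cannot exploit it, and MITRE was about to reject the id); the removal is consistent with the entry already being marked REJECTED, but if the list syntax allows NOTE lines after REJECTED, keeping one line such as `NOTE: kernel bug, not a security issue; rejected by MITRE` would preserve the reasoning for anyone who later sees the CVE id referenced elsewhere.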
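Review bot: in the @@ -4560,9 +4555,17 @@ hunk the `(unimportant)` rating on the three python lines and the NOTE block explain why the tarfile module itself is not being changed, but say nothing about where the traversal is to be tracked instead; since the NOTE argues that tarfile is a library interface, any package that calls the extract functions on untrusted archives inherits the issue, so a line such as `NOTE: applications extracting untrusted archives must validate member names themselves` would give packagers of those applications the guidance the rating otherwise hides. Minor wording in the new NOTE lines: `enduser` should be `end-user`, and `it is in order to not provide` reads better as `it is acceptable not to provide`.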