jmm-guest at alioth.debian.org
2007-Sep-19 16:06 UTC
[Secure-testing-commits] r6642 - data/CVE
Author: jmm-guest
Date: 2007-09-19 16:06:38 +0000 (Wed, 19 Sep 2007)
New Revision: 6642

Modified: data/CVE/list

Log:
- The Sarge kernels don't need to be tracked inside CVE/list any more, this has been moved to the kernel-sec repo
- merge several kernel entries from this repo and reflect the TODOs accordingly
- mark basedir violation as unimportant to remain consistent with previous entries
- QT4 not affected by recent buffer overflow
- new kernel issue, mark one issue only for 2.4
- bind 8 issue documented broken
- remove some historic TODOs

Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-09-19 15:49:11 UTC (rev 6641) +++ data/CVE/list 2007-09-19 16:06:38 UTC (rev 6642) @@ -171,7 +171,6 @@ RESERVED CVE-2007-4849 (JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly ...) - linux-2.6 <unfixed> (bug #442245; low) - TODO: check 2.4 kernel CVE-2007-4848 (Microsoft Internet Explorer 4.0 through 7 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2007-4847 (Google Picasa allows remote attackers to read image files stored by ...) @@ -230,9 +229,8 @@ NOTE: Upstream says that this can only be exploited by configured peers. CVE-2007-4825 (Directory traversal vulnerability in PHP 5.2.4 and earlier allows ...) - php5 <unfixed> (unimportant) - [etch] - php5 <no-dsa> (open_basedir not supported) - php4 <not-affected> (error message "Allowed memory size of 8388608 bytes exhausted...") - NOTE: php5 PoC can be reproduced + NOTE: php5 PoC can be reproduced, basedir violations not treated as security problems CVE-2007-4824 (Multiple cross-application scripting (XAS) vulnerabilities in Google ...) NOT-FOR-US: Google Picasa CVE-2007-4823 (Multiple buffer overflows in Google Picasa have unspecified attack ...) 
@@ -682,9 +680,6 @@ NOTE: http://marc.info/?l=maradns-list&m=118842373527534&w=2 CVE-2007-XXXX [Unsafe "svn", "svnserve" passthrough in scponly] - scponly <unfixed> (high; bug #437148) -CVE-2007-XXXX [backup-manager discloses FTP passwords] - - backup-manager 0.7.6-3 (bug #439392) - NOTE: similar to CVE-2007-2766, but for FTP CVE-2007-4630 (Cross-site scripting (XSS) vulnerability in xlaapmview.asp in Absolute ...) NOT-FOR-US: Absolute Poll Manager CVE-2007-4629 (Buffer overflow in the processLine funtion in maptemplate.c in ...) @@ -1762,13 +1757,11 @@ CVE-2007-4137 [buffer overflow in QUtf8Decoder] RESERVED - qt-x11-free 3:3.3.7-8 (medium; bug #442780) - - qt4-x11 <unfixed> - NOTE: probably not exploitable in qt4 + - qt4-x11 <not-affected> (Not exploitable according to upstream) CVE-2007-4136 RESERVED CVE-2007-4135 (Unspecified vulnerability in the NFSv4 ID mapper (nfsidmap) on SUSE ...) - libnfsidmap <unfixed> (low; bug #442935) - TODO: report bug NOTE: the patch fixing this is included in http://ftp.opensuse.org/pub/opensuse/distribution/SL-10.1/inst-source/suse/src/nfsidmap-0.12-16.src.rpm (libnfsidmap-0.12-nouser.patch) CVE-2007-4134 (Directory traversal vulnerability in extract.c in star before 1.5a84 ...) - star 1.5a67-1.1 (bug #440100; low) @@ -2698,7 +2691,7 @@ CVE-2007-3732 RESERVED CVE-2007-3731 (The Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid ...) - TODO: check + - linux-2.6 <unfixed> CVE-2007-3730 (The default configuration of the POP server in TCP/IP Services 5.6 for ...) NOT-FOR-US: HP OpenVMS CVE-2007-3729 (The default configuration of the POP server in TCP/IP Services 5.6 for ...) 
@@ -2730,7 +2723,7 @@ - kfreebsd-5 <unfixed> (low) [etch] - kfreebsd-5 <no-dsa> (kfreebsd not supported) CVE-2007-3720 (The process scheduler in the Linux kernel 2.4 performs scheduling ...) - TODO: check + - linux-2.6 <not-affected> (There''s a separate ID for 2.6, see CVE-2007-3719) CVE-2007-3719 (The process scheduler in the Linux kernel 2.6.16 gives preference to ...) - linux-2.6 <unfixed> CVE-2007-3718 (Multiple unspecified vulnerabilities in the SVG parsing engine in ...) @@ -2863,7 +2856,7 @@ CVE-2007-3658 (Unspecified vulnerability in Microsoft Register Server (REGSVR) allows ...) NOT-FOR-US: Microsoft CVE-2007-3657 (** DISPUTED ** ...) - TODO: check + NOTE: Disputed Firefox issue, browser crashes not treated as security problems anyway CVE-2007-3656 (Mozilla Firefox before 1.8.0.13 and 1.8.1.x before 1.8.1.5 does not ...) {DSA-1339-1 DSA-1338-1 DSA-1337-1 DTSA-45-1 DTSA-47-1 DTSA-51-1} - iceweasel 2.0.0.5-1 (high) @@ -2874,7 +2867,7 @@ [etch] - sun-java5 <no-dsa> (Non-free not supported) - sun-java6 6-02-1 CVE-2007-3654 (The display driver allocattr functions in NetBSD 3.0 through ...) - TODO: check + NOT-FOR-US: NetBSD CVE-2007-3653 RESERVED CVE-2007-3652 @@ -3100,7 +3093,6 @@ NOT-FOR-US: Warzone CVE-2007-3544 (Unrestricted file upload vulnerability in (1) wp-app.php and (2) ...) - wordpress 2.2.2-1 - TODO: check whether this is fixed in 2.2.2, file bug if not CVE-2007-3543 (Unrestricted file upload vulnerability in WordPress before 2.2.1 and ...) - wordpress 2.2.1-1 CVE-2007-3542 (Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml ...) 
@@ -4618,6 +4610,8 @@ NOT-FOR-US: MSN Messenger CVE-2007-2930 (The (1) NSID_SHUFFLE_ONLY and (2) NSID_USE_POOL PRNG algorithms in ISC ...) - bind <removed> (bug #442910) + [etch] - bind <no-dsa> (It''s documented in README.Debian that Bind 8 has architectual limitations and should not be used unless you know what you''re doing) + [sarge] - bind <no-dsa> (It''s documented in README.Debian that Bind 8 has architectual limitations and should not be used unless you know what you''re doing) CVE-2007-2929 (The IBM Lenovo Access Support acpRunner ActiveX control, as ...) NOT-FOR-US: IBM Lenovo Access Support CVE-2007-2928 (Format string vulnerability in the IBM Lenovo Access Support acpRunner ...) @@ -4864,8 +4858,9 @@ CVE-2007-2835 (Multiple stack-based buffer overflows in (1) CCE_pinyin.c and (2) ...) {DSA-1328-1} - unicon 3.0.4-12 (bug #431336) -CVE-2007-2834 +CVE-2007-2834 [OO TIFF heap overflow] RESERVED + - openoffice.org 2.2.1-9 (medium) CVE-2007-2833 (Emacs 21 allows user-assisted attackers to cause a denial of service ...) {DSA-1316-1} - emacs21 21.4a+1-5.1 (bug #408929; low) @@ -28689,11 +28684,9 @@ - openldap2 <not-affected> (Gentoo-specific packaging flaw) - openldap2.2 <not-affected> (Gentoo-specific packaging flaw) CVE-2005-4441 (The PVLAN protocol allows remote attackers to bypass network ...) - TODO: check, whether this has ramifications on the kernel''s VLAN implementation - TODO: or whether it''s a generic unfixable protocol flaw + NOT-FOR-US: VLAN protocol flaws, likely fixed in current kernels CVE-2005-4440 (The 802.1q VLAN protocol allows remote attackers to bypass network ...) - TODO: check, whether this has ramifications on the kernel''s VLAN implementation - TODO: or whether it''s a generic unfixable protocol flaw + NOT-FOR-US: VLAN protocol flaws, likely fixed in current kernels CVE-2005-4439 (Buffer overflow in ELOG elogd 2.6.0-beta4 allows remote attackers to ...) {DSA-967-1} - elog 2.6.1+r1642-1 (bug #349528; high) 
@@ -39835,7 +39828,7 @@ - spamassassin 3.0.4-1 (bug #314447; medium) CVE-2005-1265 (The mmap function in the Linux Kernel 2.6.10 can be used to create ...) {DSA-922-1} - TODO: check + - linux-2.6 2.6.12-1 CVE-2005-1264 (Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong ...) - linux-2.6 <not-affected> (Fixed before upload into archive; 2.6.11.10) [sarge] - kernel-source-2.6.8 2.6.8-16 @@ -43579,7 +43572,6 @@ - linux-2.6 <not-affected> (Fixed before upload into archive; 2.6.8.1) [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2005-0176 (The shmctl function in Linux 2.6.9 and earlier allows local users to ...) - TODO: Check 2.6.8 and 2.4 and check, when this was fixed - linux-2.6 <not-affected> (Fixed before upload into archive) CVE-2004-1392 (PHP 4.0 with cURL functions allows remote attackers to bypass the ...) - php4 4:4.3.10-3 @@ -44142,7 +44134,6 @@ CVE-2005-0001 (Race condition in the page fault handler (fault.c) for Linux kernel ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} NOTE: i386 and smp specific - TODO: Check, when this was fixed upstream - linux-2.6 <not-affected> (Fixed before upload into archive) - kernel-source-2.4.27 2.4.27-8 [sarge] - kernel-source-2.6.8 2.6.8-13 @@ -44151,9 +44142,8 @@ CVE-2004-1338 (The triggers in Oracle 9i and 10g allow local users to gain privileges ...) NOT-FOR-US: oracle CVE-2004-1337 (The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 ...) - - linux-2.6 <not-affected> (Fixed before upload into archive) + - linux-2.6 <not-affected> (Fixed before upload into archive, 2.6.11) [sarge] - kernel-source-2.6.8 2.6.8-14 - TODO: Check, when this was fixed CVE-2004-1336 (The xdvizilla script in tetex-bin 2.0.2 creates temporary files with ...) - tetex-bin 2.0.2-25 CVE-2004-1335 (Memory leak in the ip_options_get function in the Linux kernel before ...) 
@@ -44376,7 +44366,6 @@ CVE-2004-1235 (Race condition in the (1) load_elf_library and (2) binfmt_aout ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, when this was fixed - kernel-source-2.4.27 2.4.27-8 (bug #289202; bug #289708; bug #291053; high) CVE-2004-1234 (load_elf_binary in Linux before 2.4.26 allows local users to cause a ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} @@ -44614,7 +44603,6 @@ - vim 1:6.3-046+0sarge1 CVE-2004-1137 (Multiple vulnerabilities in the IGMP functionality for Linux kernel ...) - linux-2.6 <not-affected> (Fixed before upload into the archive) - TODO: Check, when this was fixed - kernel-source-2.4.27 2.4.27-7 CVE-2004-1136 (Buffer overflow in CuteFTP Professional 6.0, and possibly other ...) NOT-FOR-US: CuteFTP 
@@ -44760,33 +44748,27 @@ - zope-zwiki 0.37.0-1 CVE-2004-1074 (The binfmt functionality in the Linux kernel, when "memory overcommit" ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, which version fixed this + - linux-2.6 <not-affected> (Fixed before upload into archive; 2.6.10) [sarge] - kernel-source-2.6.8 2.6.8-11 - kernel-source-2.4.27 2.4.27-7 CVE-2004-1073 (The open_exec function in the execve functionality (exec.c) in Linux ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, which version fixed this - kernel-source-2.4.27 2.4.27-6 CVE-2004-1072 (The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, which version fixed this - kernel-source-2.4.27 2.4.27-6 CVE-2004-1071 (The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, which version fixed this - kernel-source-2.4.27 2.4.27-6 CVE-2004-1070 (The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, which version fixed this - kernel-source-2.4.27 2.4.27-6 CVE-2004-1069 (Race condition in SELinux 2.6.x through 2.6.9 allows local users to ...) - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, which version fixed this - kernel-source-2.4.27 <not-affected> (2.6 only issue) [sarge] - kernel-source-2.6.8 2.6.8-11 CVE-2004-1068 (A "missing serialization" error in the unix_dgram_recvmsg function in ...) 
@@ -44818,11 +44800,9 @@ [sarge] - kernel-source-2.6.8 2.6.8-14 CVE-2004-1057 (Multiple drivers in Linux kernel 2.4.19 and earlier do not properly ...) - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: previous fix in -9 has regressions - kernel-source-2.4.27 2.4.27-10 CVE-2004-1056 (Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not ...) - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, which version fixed this - kernel-source-2.4.27 2.4.27-8 [sarge] - kernel-source-2.6.8 2.6.8-11 CVE-2004-1055 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...) @@ -45269,7 +45249,6 @@ REJECTED CVE-2004-0889 (Multiple integer overflows in xpdf 3.0, and other packages that use ...) - xpdf 3.00-10 (medium) - TODO: check xpdf embedders CVE-2004-0888 (Multiple integer overflows in xpdf 2.0 and 3.0, and other packages ...) {DSA-599-1 DSA-581-1 DSA-573-1} - koffice 1:1.3.4-1 @@ -45299,8 +45278,7 @@ - cyrus-sasl2 2.1.19-1.3 (bug #275431; bug #276865; bug #275432; bug #275553) CVE-2004-0883 (Multiple vulnerabilities in the samba filesystem (smbfs) in Linux ...) {DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1} - - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, when this was fixed + - linux-2.6 <not-affected> (Fixed before upload into archive, 2.6.10) - kernel-source-2.4.27 2.4.27-6 [sarge] - kernel-source-2.6.8 2.6.8-13 CVE-2004-0882 (Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x ...) 
@@ -45333,13 +45311,11 @@ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=252342 NOTE: http://www.securitytracker.com/alerts/2004/Sep/1011331.html NOTE: fix doesn''t look likely any time soon - TODO: followup CVE-2004-0870 (KDE Konqueror does not prevent cookies that are sent over an insecure ...) NOTE: upstream knows about the problem, no fix expected NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=252342 NOTE: http://www.securitytracker.com/alerts/2004/Sep/1011331.html NOTE: fix doesn''t look likely any time soon - TODO: followup CVE-2004-0869 (Internet Explorer does not prevent cookies that are sent over an ...) NOT-FOR-US: MSIE CVE-2004-0868 @@ -45464,14 +45440,11 @@ [sarge] - kernel-source-2.6.8 2.6.8-8 - kernel-source-2.4.27 2.4.27-7 CVE-2004-0813 (Unknown vulnerability in the SG_IO functionality in ide-cd allows ...) - - linux-2.6 <not-affected> (Fixed before upload into archive) - - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive) - TODO: Check, when this was fixed in 2.4 - TODO: Check, when this was fixed in 2.6 + - linux-2.6 <not-affected> (Fixed before upload into archive, 2.6.10) + - kernel-source-2.4.27 <not-affected> (Only an issue with botched permissions) CVE-2004-0812 (Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD ...) - - linux-2.6 <not-affected> - - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive) - TODO: Check, when this was fixed in 2.4 + - linux-2.6 <not-affected> (Fixed before upload into archive, 2.6.0-test10) + - kernel-source-2.4.27 <not-affected> (2.4 not support for amd64) CVE-2004-0811 (Unknown vulnerability in Apache 2.0.51 prevents "the merging of the ...) - apache2 2.0.52 CVE-2004-0810 (Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to ...) 
@@ -45621,7 +45594,6 @@ {DSA-537} - ruby1.8 1.8.1+1.8.2pre1-4 - ruby <removed> - TODO: is ruby1.6 vulnerable? CVE-2004-0754 (Integer overflow in Gaim before 0.82 allows remote attackers to cause ...) - gaim 1:0.82.1-1 CVE-2004-0753 (The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 ...) @@ -45989,7 +45961,6 @@ NOT-FOR-US: Infoblox DNS One CVE-2004-0605 (Non-registered IRC users using (1) ircd-hybrid 7.0.1 and earlier, (2) ...) NOTE: Dossibly fixed in ircd-hybrid 7.0.2: "fixed flood limit bug". - TODO: Check: Does not match posted patch. Mailed Debian maintainer. CVE-2004-0604 (The HTTP client and server in giFT-FastTrack 0.8.6 and earlier allows ...) NOT-FOR-US: giFT-FastTrack not in debian CVE-2004-0603 (gzexe in gzip 1.3.3 and earlier will execute an argument when the ...) @@ -46014,7 +45985,6 @@ - libpng3 1.2.5.0-7 CVE-2004-0596 (The Equalizer Load-balancer for serial network interfaces (eql.c) in ...) - linux-2.6 <not-affected> (Fixed before upload into archive) - TODO: Check, which version fixed this CVE-2004-0595 (The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to ...) {DSA-669-1 DSA-531} - php3 3:3.0.18-27 @@ -46252,8 +46222,6 @@ - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive; 2.4.27-rc1) CVE-2004-0494 (Multiple extfs backend scripts for GNOME virtual file system (VFS) ...) - gnome-vfs 1.0.1 - TODO: Fedora fixed this in a recent mc advisory, we should double-check whether - TODO: this applies to Debian''s mc package CVE-2004-0493 (The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows ...) - apache2 2.0.50-1 CVE-2004-0492 (Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache ...) 
@@ -46289,7 +46257,6 @@ NOT-FOR-US: Microsoft CVE-2004-0478 (Unknown versions of Mozilla allow remote attackers to cause a denial ...) NOTE: only a Mozilla DOS - TODO: not even fixed upstream CVE-2004-0477 (Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router ...) NOT-FOR-US: 3Com OfficeConnect Remote 812 ADSL Router CVE-2004-0476 (Buffer overflow in 3Com OfficeConnect Remote 812 ADSL Router 1.1.9.4 ...) @@ -48213,7 +48180,6 @@ NOT-FOR-US: WiTango Application Server and Tango 2000 CVE-2003-0594 (Mozilla allows remote attackers to bypass intended cookie access ...) NOTE: cannot find reference to it being fixed. - TODO: check CVE-2003-0593 (Opera allows remote attackers to bypass intended cookie access ...) NOT-FOR-US: opera CVE-2003-0592 (Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers ...) @@ -48274,12 +48240,10 @@ RESERVED CVE-2003-0565 (Multiple vulnerabilities in multiple vendor implementations of the ...) NOTE: affects many implementations of the X.400 protocol - TODO: see if anything in debian uses X.400 and is vulnerable. CVE-2003-0564 (Multiple vulnerabilities in multiple vendor implementations of the ...) NOTE: affects multiple S/MIME implementations NOTE: checked current mozilla, which contains safe NSS 3.9.1 - mozilla 2:1.7.3 - TODO: see if anything else in debian uses S/MIME and is vulnerable, mutt has S/MIME unknown if its vulnerable CVE-2003-0563 RESERVED CVE-2003-0562 (Buffer overflow in the CGI2PERL.NLM PERL handler in Novell Netware 5.1 ...) 
@@ -48904,9 +48868,9 @@ CVE-2003-0301 (The IMAP Client for Outlook Express 6.00.2800.1106 allows remote ...) NOT-FOR-US: Microsort CVE-2003-0300 (The IMAP Client for Sylpheed 0.8.11 allows remote malicious IMAP ...) - TODO: sylpheed and sylpheed-claws might still be vulnerable, but it''s only a crasher + NOT-FOR-US: Historic Sylpheed issues, only a crasher anyway CVE-2003-0299 (The IMAP Client, as used in mutt 1.4.1 and Balsa 2.0.10, allows remote ...) - TODO: mutt and balsa might still be vulnerable, but it''s only a crasher + NOT-FOR-US: Historic mutt and Balsa issues, only a crasher anyway CVE-2003-0298 (The IMAP Client for Mozilla 1.3 and 1.4a allows remote malicious IMAP ...) - mozilla 2:1.5-1 NOTE: May have been fixed in an earlier version. Not clear how @@ -49246,7 +49210,7 @@ CVE-2003-0151 (BEA WebLogic Server and Express 6.0 through 7.0 does not properly ...) NOT-FOR-US: BEA WebLogic Server CVE-2003-0150 (MySQL 3.23.55 and earlier creates world-writeable files and allows ...) - TODO: not sure if this is fixed + NOT-FOR-US: Historic MySQL issue CVE-2003-0149 (Heap-based buffer overflow in ePO agent for McAfee ePolicy ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2003-0148 (The default installation of MSDE via McAfee ePolicy Orchestrator 2.0 ...) @@ -50483,7 +50447,7 @@ CVE-2002-0771 (Cross-site scripting vulnerability in viewcvs.cgi for ViewCVS 0.9.2 ...) - viewcvs 0.9.2-5 CVE-2002-0770 (Quake 2 (Q2) server 3.20 and 3.21 allows remote attackers to obtain ...) - TODO: Check quake2 + NOT-FOR-US: Historic Quake2 issue CVE-2002-0769 (The web-based configuration interface for the Cisco ATA 186 Analog ...) NOT-FOR-US: Cisco CVE-2002-0767 (simpleinit on Linux systems does not close a read/write FIFO file ...) 
@@ -50792,8 +50756,6 @@ NOT-FOR-US: openca, not in debian CVE-2004-0001 (Unknown vulnerability in the eflags checking in the 32-bit ptrace ...) - kernel-image-2.6.8-9-amd64-generic - TODO: what version? - TODO: test? CVE-2003-1328 (The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and ...) NOT-FOR-US: windows CVE-2003-1326 (Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers ...)
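
Review bot: The deletion of the backup-manager entry in the @@ -682,9 +680,6 @@ hunk is not covered by any item in the log message. The removed lines carried a fixed version (0.7.6-3) and bug #439392; if the issue now lives under an assigned CVE id, name that id in the log, otherwise keep the CVE-2007-XXXX entry so the fix stays tracked.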
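
Review bot: Both added bind lines in the @@ -4618,6 +4610,8 @@ hunk (CVE-2007-2930) misspell "architectural" as "architectual", and the same long reason is repeated verbatim for etch and sarge. A short reason that points at README.Debian would be easier to read in the tracker output and removes the duplicated sentence.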
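
Review bot: NOT-FOR-US with the reason "likely fixed in current kernels" in the @@ -28689,11 +28684,9 @@ hunk (CVE-2005-4441, CVE-2005-4440) contradicts itself: the tag says nothing in the archive is concerned, while the reason refers to the kernel, which is. The two removed TODOs asked exactly that question, and "likely" leaves it open. Either record a linux-2.6 line with a status and reason, or keep a NOTE stating that this is treated as a protocol-level flaw with nothing to fix in a package.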
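
Review bot: The added reason for CVE-2004-1337 in the @@ -44151,9 +44142,8 @@ hunk uses a comma before the version ("Fixed before upload into archive, 2.6.11"), while the surrounding entries and the CVE-2004-1074 line added in this same commit use a semicolon ("Fixed before upload into archive; 2.6.10"). The comma form also appears in the CVE-2004-0883 change. Settle on the semicolon form so the fixed-in version can be picked out of the reason consistently.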
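
Review bot: The new kernel-source-2.4.27 reason for CVE-2004-0812 in the @@ -45464,14 +45440,11 @@ hunk, "2.4 not support for amd64", is ungrammatical and sits oddly next to the CVE description on the line above, which places the issue in kernels before 2.4.23. A version-based reason in the style used elsewhere in the file (fixed before upload into archive, with the upstream version) would be verifiable from the entry alone. In the same hunk, "Only an issue with botched permissions" for CVE-2004-0813 does not say which permissions are meant; name the device or file.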
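
Review bot: The NOT-FOR-US tags added for CVE-2003-0300 and CVE-2003-0299 in the @@ -48904,9 +48868,9 @@ hunk replace TODOs that said sylpheed, sylpheed-claws, mutt and balsa "might still be vulnerable". Elsewhere in this file the tag marks products outside the archive ("giFT-FastTrack not in debian", "openca, not in debian"), so using it here hides packages that are shipped. If the crash is considered a non-issue, a package line marked (unimportant), as done for php5 under CVE-2007-4825 in this commit, keeps the decision visible per package. The same applies to the MySQL and Quake2 entries changed further down.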
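
Review bot: Removing "TODO: what version?" and "TODO: test?" from CVE-2004-0001 in the @@ -50792,8 +50756,6 @@ hunk leaves "- kernel-image-2.6.8-9-amd64-generic" as the only line of the entry, with no fixed version and no status tag, so the question the TODO raised is dropped rather than answered. Add the fixed version or a status with a reason, or keep the TODO until one is known.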