jmm-guest at alioth.debian.org
2007-Aug-01 17:28 UTC
[Secure-testing-commits] r6206 - data/CVE
Author: jmm-guest Date: 2007-08-01 17:28:27 +0000 (Wed, 01 Aug 2007) New Revision: 6206 Modified: data/CVE/list Log: asterisk updates new icefoo issues xpdf TODOs Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-07-31 21:51:21 UTC (rev 6205) +++ data/CVE/list 2007-08-01 17:28:27 UTC (rev 6206) @@ -26,6 +26,9 @@ NOT-FOR-US: WP-FeedStats plugin for WordPress CVE-2007-4103 (The IAX2 channel driver (chan_iax2) in Asterisk Open 1.2.x before ...) - asterisk 1:1.4.9~dfsg-1 + [sarge] - asterisk <not-affected> (1.0 not affected) + NOTE: Etch status needs to be checked, according to http://ftp.digium.com/pub/asa/ASA-2007-018.html + NOTE: 1.2.20, 1.2.21, 1.2.21.1, 1.2.22 are affected. 1.2.13 from Etch isn''t mentioned CVE-2007-4102 (Cross-site scripting (XSS) vulnerability in search.php for sBlog 0.7.3 ...) NOT-FOR-US: sBlog CVE-2007-4101 (Multiple PHP remote file inclusion vulnerabilities in Madoa Poll 1.1 ...) @@ -554,10 +557,18 @@ RESERVED CVE-2007-3846 RESERVED -CVE-2007-3845 +CVE-2007-3845 [firefox external URI handler escaping vulnerability] RESERVED -CVE-2007-3844 + - iceweasel <unfixed> (medium) + - xulrunner <unfixed> (medium) + - iceape <unfixed> (medium) + - icedove <unfixed> (medium) +CVE-2007-3844 [firefox about:blank regression] RESERVED + - iceweasel <unfixed> (medium) + - xulrunner <unfixed> (medium) + - iceape <unfixed> (medium) + - icedove <unfixed> (medium) CVE-2007-3843 RESERVED CVE-2007-3842 (Cross-site scripting (XSS) vulnerability in the 8e6 R3000 Enterprise ...) @@ -716,16 +727,21 @@ RESERVED CVE-2007-3765 (The STUN implementation in Asterisk 1.4.x before 1.4.8, AsteriskNOW ...) - asterisk 1:1.4.8~dfsg-1 (bug #433681) - NOTE: ASA-2007-017 + [sarge] - asterisk <not-affected> (1.0.x not affected) + [etch] - asterisk <not-affected> (1.2.x not affected) + NOTE: http://ftp.digium.com/pub/asa/ASA-2007-017.html CVE-2007-3764 (The Skinny channel driver (chan_skinny) in Asterisk before 1.2.22 and ...) - asterisk 1:1.4.8~dfsg-1 - NOTE: ASA-2007-016 + NOTE: Etch and Sarge affected + NOTE: http://ftp.digium.com/pub/asa/ASA-2007-016.html CVE-2007-3763 (The IAX2 channel driver (chan_iax2) in Asterisk before 1.2.22 and ...) - asterisk 1:1.4.8~dfsg-1 - NOTE: ASA-2007-015 + NOTE: Etch and Sarge affected + NOTE: http://ftp.digium.com/pub/asa/ASA-2007-015.html CVE-2007-3762 (Stack-based buffer overflow in the IAX2 channel driver (chan_iax2) in ...) - asterisk 1:1.4.8~dfsg-1 (high) - NOTE: ASA-2007-014 + NOTE: Etch and Sarge affected + NOTE: http://ftp.digium.com/pub/asa/ASA-2007-014.html CVE-2007-XXXX [konqueror data: URL address bar spoofing] - kdebase <unfixed> (bug #433072; low) [sarge] - kdebase <no-dsa> (Minor issue) @@ -1588,7 +1604,11 @@ - xpdf <unfixed> (bug #435462) - kdegraphics <unfixed> - koffice <unfixed> - TODO: check usual suspects, especially in sarge + TODO: check pdftohtml/sarge (current poppler source package has a ported version, replaced in Etch) + TODO: check tetex-bin/sarge (links to poppler since 3.0-12) + TODO: check libextractor/sarge (uses internal pdf decoder since 0.5.12-1) + TODO: check pdfkit.framework/sarge (links to poppler since 0.8-4) + TODO: check ipe (only small parts, but with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp) CVE-2007-3386 RESERVED CVE-2007-3385 @@ -3699,7 +3719,9 @@ [etch] - schroot <not-affected> (Only exploitable in unstable) CVE-2007-2488 (The IAX2 channel driver (chan_iax2) in Asterisk before 20070504 does ...) - asterisk 1:1.4.5~dfsg-1 (low) - NOTE: ASA-2007-013 + NOTE: no-dsa / unimportant candidate, the opposite side of the telephone line + NOTE: could just as well hang-up + NOTE: http://ftp.digium.com/pub/asa/ASA-2007-013.html CVE-2007-2480 (The _udp_lib_get_port function in net/ipv4/udp.c in Linux kernel ...) - linux-2.6 <unfixed> (medium) CVE-2007-2479 (Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers ...) @@ -4142,12 +4164,14 @@ NOT-FOR-US: Apple QuickTime CVE-2007-2294 (The Manager Interface in Asterisk before 1.2.18 and 1.4.x before 1.4.3 ...) - asterisk 1:1.4.3~dfsg-1 (low) + NOTE: Etch and Sarge affected + NOTE: http://ftp.digium.com/pub/asa/ASA-2007-012.html CVE-2007-2293 (Multiple stack-based buffer overflows in the process_sdp function in ...) - asterisk 1:1.4.3~dfsg-1 (high) - [sarge] - asterisk <not-affected> (vulnerable code not present) - [etch] - asterisk <not-affected> (vulnerable code not present) + [sarge] - asterisk <not-affected> (1.0.x not affected) + [etch] - asterisk <not-affected> (1.2.x not affected) [lenny] - asterisk <not-affected> (vulnerable code not present) - NOTE: only in 1.4.x + NOTE: http://ftp.digium.com/pub/asa/ASA-2007-010.html CVE-2007-2292 (CRLF injection vulnerability in the Digest Authentication support for ...) - iceweasel <unfixed> (low) [etch] - iceweasel <no-dsa> (Minor issue) @@ -5963,6 +5987,8 @@ CVE-2007-1594 (The handle_response function in chan_sip.c in Asterisk before 1.2.17 ...) - asterisk 1:1.4.2~dfsg-1 (medium; bug #419820) [sarge] - asterisk <not-affected> (correctly logs a warning) + NOTE: Etch affected + NOTE: http://ftp.digium.com/pub/asa/ASA-2007-011.html NOTE: http://bugs.digium.com/view.php?id=9313 CVE-2007-1516 (PHP remote file inclusion vulnerability in functions/update.php in ...) NOT-FOR-US: CcMail