thr3ads.net - Secure testing commits - [Secure-testing-commits] r6023

If this information is useful, please help other people find it:
Share via:
jmm-guest at alioth.debian.org
2007-Jun-16 20:44 UTC
[Secure-testing-commits] r6023 - in data: CVE DSA

Author: jmm-guest
Date: 2007-06-16 20:44:18 +0000 (Sat, 16 Jun 2007)
New Revision: 6023

Modified:
   data/CVE/list
   data/DSA/list
Log:
add missing CVE ID to iceape
webpy not an issue
iceweasel issue false alarm
rhapsody has been yanked from the archive
apache and bind 8 are gone too
asterisk-chan-capi unimportant
fix some icefoo severities
sarge not affected by minor slocate information disclosure
linux-2.6 no-dsa


Modified: data/CVE/list
==================================================================---
data/CVE/list	2007-06-16 18:26:09 UTC (rev 6022)
+++ data/CVE/list	2007-06-16 20:44:18 UTC (rev 6023)
@@ -590,7 +590,10 @@
 CVE-2000-1243 (Privacy leak in Dansie Shopping Cart 3.04, and probably earlier
...)
 	TODO: check
 CVE-2007-XXXX [webpy HTTP response splitting vulnerability]
-	- webpy 0.210-1 (bug #427715)
+	- webpy 0.210-1 (bug #427715; unimportant)
+	NOTE: This is not a vulnerability, but an additional precaution function for
+	NOTE: a development framework. If someone wants to have this updated in Etch,
this
+	NOTE: needs to go through a point update
 CVE-2007-XXXX [dar choosing weak IV when encrypting]
 	- dar 2.3.3-1 (bug #425335; low)
 	[sarge] - dar <no-dsa> (minor issue)
@@ -2369,7 +2372,7 @@
 CVE-2007-2177 (Stack-based buffer overflow in the Microgaming Download Helper
ActiveX ...)
 	NOT-FOR-US: Microgaming Download Helper
 CVE-2007-2176 (Unspecified vulnerability in Mozilla Firefox allows remote
attackers ...)
-	- iceweasel <unfixed> (low)
+	NOT-FOR-US: Related to Apple QuickTime as well, no information about Mozilla
being affected is available
 CVE-2007-2175 (Apple QuickTime Java extensions (QTJava.dll), as used in Safari
and ...)
 	NOT-FOR-US: Apple QuickTime
 CVE-2007-2174 (The IOCTL handling in srescan.sys in the ZoneAlarm Spyware
Removal ...)
@@ -3941,11 +3944,9 @@
 CVE-2007-1504 (Cross-site scripting (XSS) vulnerability in the Servlet Service
in ...)
 	NOT-FOR-US: Fujitsu Interstage Application Server
 CVE-2007-1503 (Multiple format string vulnerabilities in comm.c in Rhapsody IRC
0.28b ...)
-	- rhapsody <unfixed> (medium)
-	NOTE: Removal from Etch requested
+	- rhapsody <removed> (medium)
 CVE-2007-1502 (Multiple buffer overflows in Rhapsody IRC 0.28b allow remote
attackers ...)
-	- rhapsody <unfixed> (medium)
-	NOTE: Removal from Etch requested
+	- rhapsody <removed> (medium)
 CVE-2007-1501 (Stack-based buffer overflow in Avant Browser 11.0 build 26
allows ...)
 	NOT-FOR-US: Avant Browse
 CVE-2007-1500 (The Linux Security Auditing Tool (LSAT) allows local users to
...)
@@ -4324,7 +4325,7 @@
 CVE-2007-1350 (Stack-based buffer overflow in webadmin.exe in Novell NetMail
3.5.2 ...)
 	NOT-FOR-US: Novell NetMail
 CVE-2007-1349 (PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm
in ...)
-	- apache <unfixed> (low)
+	- apache <removed> (low)
 	- libapache2-mod-perl2 <unfixed> (low)
 CVE-2007-1348
 	RESERVED
@@ -4742,7 +4743,7 @@
 CVE-2007-1217 (Buffer overflow in the bufprint function in capiutil.c in
libcapi, as ...)
 	- isdnutils 1:3.9.20060704-3 (bug #408530; low)
 	[sarge] - isdnutils <no-dsa> (Not exploitable over ISDN network)
-	- asterisk-chan-capi 0.7.1-1.1 (bug #411293)
+	- asterisk-chan-capi 0.7.1-1.1 (bug #411293; unimportant)
 	- linux-2.6 <unfixed> (bug #411294; unimportant)
 	NOTE: Not exploitable over ISDN network, only theoretically through a
dedicated CAPI server
 CVE-2007-1216 (Double-free vulnerability in the GSS-API library ...)
@@ -4994,12 +4995,11 @@
 CVE-2007-1117 (Unspecified vulnerability in Publisher 2007 in Microsoft Office
2007 ...)
 	NOT-FOR-US: Microsoft Office
 CVE-2007-1116 (The CheckLoadURI function in Mozilla Firefox 1.8 lists the
about: URI ...)
-	- iceweasel <unfixed> (medium)
-	- iceape <unfixed> (medium)
-	- xulrunner 1.8.1.4-1 (bug #415919; bug #415944; bug #415945; medium)
+	- iceweasel 2.0.0.4-1 (low)
+	- iceape 1.1.2-1 (low)
+	- xulrunner 1.8.1.4-1 (bug #415919; bug #415944; bug #415945; low)
 	NOTE: according to a blog comment at
http://www.gnucitizen.org/projects/hscan-redux/,
 	NOTE: older mozillas are not vulnerable
-	TODO: this should be checked
 CVE-2007-1115 (The child frames in Opera 9 before 9.20 inherit the default
charset ...)
 	NOT-FOR-US: Opera
 CVE-2007-1114 (The child frames in Microsoft Internet Explorer 7 inherit the
default ...)
@@ -5067,9 +5067,9 @@
 CVE-2007-1085 (Cross-site scripting (XSS) vulnerability in Google Desktop
allows ...)
 	NOT-FOR-US: Google Desktop
 CVE-2007-1084 (Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
...)
-	- iceweasel <unfixed> (medium)
-	- iceape <unfixed> (medium)
-	NOTE: xulrunner by itself is not affecte, but other browsers based on
xulrunner may be affected
+	- iceweasel <unfixed> (low)
+	- iceape <unfixed> (low)
+	NOTE: xulrunner by itself is not affeced, but other browsers based on
xulrunner may be affected
 	TODO: check epiphany, galeon and kazehakase
 CVE-2007-1083 (Buffer overflow in the Configuration Checker (ConfigChk) ActiveX
...)
 	NOT-FOR-US: ConfigChk ActiveX control
@@ -5248,7 +5248,8 @@
 CVE-2006-7052 (Multiple PHP remote file inclusion vulnerabilities in DotWidget
For ...)
 	NOT-FOR-US: DotWidget
 CVE-2006-7051 (The sys_timer_create function in posix-timers.c for Linux kernel
2.6.x ...)
-	- linux-2.6 <unfixed> (medium)
+	- linux-2.6 <unfixed> (low)
+	[etch] - linux-2.6 <no-dsa> (Design limitation, use resource limits if
it poses a problem)
 CVE-2006-7050 (Cross-site scripting (XSS) vulnerability in WikkaWiki (Wikka
Wiki) ...)
 	NOT-FOR-US: WikkaWiki
 CVE-2006-7049 (The Method method in WikkaWiki (Wikka Wiki) before 1.1.6.2 calls
the ...)
@@ -7401,6 +7402,7 @@
 	NOT-FOR-US: EIQ Networks Network Security Analyzer
 CVE-2007-0227 (slocate 3.1 does not properly manage database entries that
specify ...)
 	- slocate <unfixed> (bug #411937; low)
+	[sarge] - slocate <not-affected> (Performs correct access checks)
 	NOTE: slocate will allow users to find files in directories with the
 	NOTE: executable bit set but without the readable bit set.  This is
 	NOTE: an information leak.
@@ -17879,7 +17881,7 @@
 CVE-2002-2212 (The DNS resolver in unspecified versions of Fujitsu UXP/V, when
...)
 	NOT-FOR-US: Fujitsu UXP/V
 CVE-2002-2211 (BIND 4 and BIND 8, when resolving recursive DNS queries for
arbitrary ...)
-	- bind <unfixed> (unimportant)
+	- bind <removed> (unimportant)
 	- bind9 <not-affected> (does not send parallel queries)
 	NOTE: Disabling recursion does not close all attack vectors.
 	NOTE: Browser reflection attacks will still work.

Modified: data/DSA/list
==================================================================---
data/DSA/list	2007-06-16 18:26:09 UTC (rev 6022)
+++ data/DSA/list	2007-06-16 20:44:18 UTC (rev 6023)
@@ -22,7 +22,7 @@
 	[sarge] - gimp 2.2.6-1sarge2
 	[etch] - gimp 2.2.13-1etch1
 [07 Jun 2007] DSA-1300-1 iceape
-	{CVE-2007-1362 CVE-2007-1558 CVE-2007-2867 CVE-2007-2868 CVE-2007-2870
CVE-2007-2871}
+	{CVE-2007-1116 CVE-2007-1362 CVE-2007-1558 CVE-2007-2867 CVE-2007-2868
CVE-2007-2870 CVE-2007-2871}
 	[etch] - iceape 1.0.9-0etch1
 [07 Jun 2007] DSA-1299-1 ipsec-tools
 	{CVE-2007-1841}
Secure testing commits - Jun 2007 - r6023 - in data: CVE DSA

[Secure-testing-commits] r6023 - in data: CVE DSA
