Author: jmm-guest Date: 2007-05-05 10:32:18 +0000 (Sat, 05 May 2007) New Revision: 5786 Modified: data/CVE/list Log: mark one kernel dupe as such no-dsa for minor openssh information leak no-dsa for kfreebsd clamav issue doesn''t affect clamd, not treating as security issue webcalendar fixed in sarge xine-ui isn''t <not-affected>, it was vulnerable in the past Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-05-05 08:58:05 UTC (rev 5785) +++ data/CVE/list 2007-05-05 10:32:18 UTC (rev 5786) @@ -90,7 +90,7 @@ CVE-2007-2437 (The X render (Xrender) extension in X.org X Window System 7.0, 7.1, ...) TODO: check CVE-2007-2436 (The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel ...) - TODO: check + NOT-FOR-US: Duplicate of CVE-2007-1861 CVE-2007-2435 (Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java ...) TODO: check CVE-2007-2434 (Buffer overflow in asnsp.dll in Aventail Connect 4.1.2.13 allows ...) @@ -505,10 +505,12 @@ NOT-FOR-US: Adobe Photoshop CVE-2007-2243 (OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is ...) - openssh <unfixed> (low) + [etch] - openssh <no-dsa> (Minor issue) [sarge] - openssh <no-dsa> (Minor issue) CVE-2007-2242 (The IPv6 protocol allows remote attackers to cause a denial of service ...) - linux-2.6 <unfixed> (low; bug #421595) - kfreebsd-5 <unfixed> (low) + [etch] - kfreebsd-5 <no-dsa> (No security support for KFreeBSD) NOTE: This should be off by default, tweakable by a simple knob. NOTE: (FreeBSD has it turned on for hosts, too.) CVE-2007-2241 (Unspecified vulnerability in query.c in ISC BIND 9.4.0, and 9.5.0a1 ...) @@ -787,9 +789,9 @@ [etch] - mixmaster 3.0b2-4.etch1 [sarge] - mixmaster <not-affected> (Code generation in Sarge pads over this) CVE-2007-XXXX [unspecified vulnerability in Clamav''s PDF parser] - - clamav 0.90.2-1 (unknown; bug #418849) - NOTE: closed report: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=459 - NOTE: Commit r3021 looks as if it''s just a null pointer dereference. + - clamav 0.90.2-1 (unimportant; bug #418849) + NOTE: closed report: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=459 + NOTE: Commit r3021 looks as if it''s just a null pointer dereference. CVE-2007-XXXX [heap-based buffer overflow in git-blame with long file names] - git-core 1.5.1.2-1 (low) NOTE: http://git.kernel.org/?p=git/git.git;a=commit;h=1bb88be99e4fdedcd5cc5292c11b566a00028deb @@ -2228,6 +2230,9 @@ NOTE: local malicious scripts only CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar ...) - webcalendar 1.0.5-1 (high) + [sarge] - webcalendar 0.9.45-4sarge7 + NOTE: This was fixed in Sarge as a side-effect of an earlier fix, marking current + NOTE: Sarge version as fixed version CVE-2007-1482 (Cross-site scripting (XSS) vulnerability in index.php in WBBlog allows ...) NOT-FOR-US: WBBlog CVE-2007-1481 (SQL injection vulnerability in index.php in WBBlog allows remote ...) @@ -5539,10 +5544,7 @@ CVE-2007-0255 (XINE 0.99.4 allows user-assisted remote attackers to cause a denial of ...) - xine-ui <unfixed> (low) CVE-2007-0254 (Format string vulnerability in the errors_create_window function in ...) - - xine-ui 0.99.4+dfsg+cvs20061111-2 (unimportant; bug #407369) - NOTE: My understanding is that this CVE is bogus. - NOTE: I failed to see where the format string vulnerability is, I have report - NOTE: a bug in case I have missed something. + - xine-ui 0.99.4+dfsg+cvs20061111-2 (low; bug #407369) CVE-2007-0253 (** DISPUTED ** ...) - kernel-patch-grsecurity2 <unfixed> (unimportant; bug #407350) NOTE: See CVE-2007-0257