thr3ads.net - Secure testing commits - [Secure-testing-commits] r5820

If this information is useful, please help other people find it:
Share via:
Moritz Muehlenhoff
2007-May-11 15:24 UTC
[Secure-testing-commits] r5820 - data/CVE

Author: jmm-guest
Date: 2007-05-11 15:24:18 +0000 (Fri, 11 May 2007)
New Revision: 5820

Modified:
   data/CVE/list
Log:
rewrite register_globals issues in squirrelmail as non-issues
kernel issue doesn''t affect Debian
add some qemu entries for unstable
NFUs
lower severity of bugzilla issue
NOTEs like foo not in sarge are no longer necessary, as we have distribution-
  specific views
pdns/xmedcon issues not security-relevant


Modified: data/CVE/list
==================================================================---
data/CVE/list	2007-05-10 20:32:28 UTC (rev 5819)
+++ data/CVE/list	2007-05-11 15:24:18 UTC (rev 5820)
@@ -10,7 +10,6 @@
 	TODO: check
 CVE-2007-2583 (MySQL 5.x before 5.0.40 allows context-dependent attackers to
cause a ...)
 	- mysql-dfsg-5.0 <unfixed> (low)
-	NOTE: mysql-dfsg-5.0 not in sarge
 	NOTE: http://bugs.mysql.com/bug.php?id=27513
 CVE-2007-2582 (Unspecified vulnerability in the DB2 JDBC Applet Server (DB2JDS)
...)
 	TODO: check
@@ -750,7 +749,7 @@
 CVE-2007-2240
 	RESERVED
 CVE-2007-2239 (Stack-based buffer overflow in the SaveBMP method in the AXIS
Camera ...)
-	TODO: check
+	NOT-FOR-US: AXIS Camera Control
 CVE-2007-2238
 	RESERVED
 CVE-2007-2237
@@ -787,7 +786,7 @@
 CVE-2007-2222
 	RESERVED
 CVE-2007-2221 (Unspecified vulnerability in the mdsauth.dll COM object in
Microsoft ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2007-2220
 	RESERVED
 CVE-2007-2219
@@ -1838,7 +1837,7 @@
 CVE-2007-1748 (Stack-based buffer overflow in the RPC interface in the Domain
Name ...)
 	NOT-FOR-US: Microsoft Windows
 CVE-2007-1747 (Unspecified vulnerability in MSO.dll in Microsoft Office 2000
SP3, ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Office
 CVE-2007-1746
 	RESERVED
 CVE-2007-1745 (The chm_decompress_stream function in libclamav/chmunpack.c in
Clam ...)
@@ -2013,13 +2012,13 @@
 CVE-2007-1673 (unzoo.c allows remote attackers to cause a denial of service
(infinite ...)
 	TODO: check
 CVE-2007-1672 (avast! antivirus before 4.7.981 allows remote attackers to cause
a ...)
-	TODO: check
+	NOT-FOR-US: avast
 CVE-2007-1671 (avpack32.dll before 7.3.0.6 in Avira AntiVir allows remote
attackers ...)
-	TODO: check
+	NOT-FOR-US: Avira
 CVE-2007-1670 (Panda Software Antivirus before 20070402 allows remote attackers
to ...)
-	TODO: check
+	NOT-FOR-US: Panda
 CVE-2007-1669 (Barracuda Spam Firewall 3.4 and later with virusdef before
2.0.6399, ...)
-	TODO: check
+	NOT-FOR-US: Barracuda
 CVE-2007-1668
 	RESERVED
 CVE-2007-1666 (The processor_request function in the debugger server for
DataRescue ...)
@@ -2756,7 +2755,7 @@
 	NOT-FOR-US: Avaya Communications Manager
 CVE-2007-1366 (QEMU 0.8.2 allows local users to crash a virtual machine via the
...)
 	{DSA-1284-1}
-	TODO: check
+	- qemu <unfixed>
 CVE-2007-1365 (Buffer overflow in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0
allows ...)
 	NOT-FOR-US: OpenBSD Kernel
 CVE-2007-1364 (DropAFew before 0.2.1 does not require authorization for certain
...)
@@ -2854,13 +2853,14 @@
 	{DSA-1284-1}
 CVE-2007-1322 (QEMU 0.8.2 allows local users to halt a virtual machine by
executing ...)
 	{DSA-1284-1}
-	TODO: check
+	- qemu <unfixed>
 CVE-2007-1321
 	RESERVED
 	{DSA-1284-1}
+	- qemu <unfixed>
 CVE-2007-1320 (Multiple heap-based buffer overflows in the
cirrus_invalidate_region ...)
 	{DSA-1284-1}
-	TODO: check
+	- qemu <unfixed>
 CVE-2007-1319 (Unspecified vulnerability in the IOPCServer::RemoveGroup
function in ...)
 	NOT-FOR-US: DeviceXPlorer OLE
 CVE-2007-1318
@@ -3009,7 +3009,7 @@
 CVE-2007-1281 (Kaspersky AntiVirus Engine 6.0.1.411 for Windows and 5.5-10 for
Linux ...)
 	NOT-FOR-US: Kaspersky AntiVirus Engine
 CVE-2007-1280 (Cross-site scripting (XSS) vulnerability in Adobe RoboHelp X5,
6, and ...)
-	TODO: check
+	NOT-FOR-US: Adobe
 CVE-2007-1279 (Unspecified vulnerability in the installer for Adobe Bridge
1.0.3 ...)
 	NOT-FOR-US: Adobe
 CVE-2007-1278 (Unspecified vulnerability in the IIS connector in Adobe JRun 4.0
...)
@@ -3214,7 +3214,7 @@
 CVE-2007-1215 (Buffer overflow in the Graphics Device Interface (GDI) in
Microsoft ...)
 	NOT-FOR-US: Microsoft GDI
 CVE-2007-1214 (Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, and
2004 ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Excel
 CVE-2007-1213 (The TrueType Fonts rasterizer in Microsoft Windows 2000 SP4
allows ...)
 	NOT-FOR-US: Microsoft Windows
 CVE-2007-1212 (Buffer overflow in the Graphics Device Interface (GDI) in
Microsoft ...)
@@ -3236,9 +3236,9 @@
 CVE-2007-1204 (Stack-based buffer overflow in the Universal Plug and Play
(UPnP) ...)
 	NOT-FOR-US: Microsoft Windows
 CVE-2007-1203 (Unspecified vulnerability in Microsoft Excel 2000 SP3, 2002 SP3,
2003 ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Excel
 CVE-2007-1202 (Microsoft Word 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, 2004
for ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Word
 CVE-2007-1201
 	RESERVED
 CVE-2007-1200
@@ -4011,21 +4011,21 @@
 CVE-2007-0948
 	RESERVED
 CVE-2007-0947 (Use-after-free vulnerability in Microsoft Internet Explorer 7 on
...)
-	TODO: check
+	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2007-0946 (Unspecified vulnerability in Microsoft Internet Explorer 7 on
Windows ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2007-0945 (Microsoft Internet Explorer 6 SP1 on Windows 2000 SP4; 6 and 7
on ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2007-0944 (Unspecified vulnerability in the CTableCol::OnPropertyChange
method in ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2007-0943
 	RESERVED
 CVE-2007-0942 (Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1
on ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2007-0941
 	RESERVED
 CVE-2007-0940 (Unspecified vulnerability in the Cryptographic API Component
Object ...)
-	TODO: check
+	NOT-FOR-US: Microsoft CAPICOM
 CVE-2007-0939 (Cross-site scripting (XSS) vulnerability in Microsoft Content
...)
 	NOT-FOR-US: Microsoft Content Management Server
 CVE-2007-0938 (Microsoft Content Management Server (MCMS) 2001 SP1 and 2002 SP2
does ...)
@@ -4474,7 +4474,7 @@
 CVE-2007-0792 (The mod_perl initialization script in Bugzilla 2.23.3 does not
set the ...)
 	- bugzilla <not-affected> (Only development version 2.23.3 is affected)
 CVE-2007-0791 (Cross-site scripting (XSS) vulnerability in Atom feeds in
Bugzilla ...)
-	- bugzilla <unfixed> (bug #409824; medium)
+	- bugzilla <unfixed> (bug #409824; low)
 	[sarge] - bugzilla <not-affected> (Vulnerable code not present)
 CVE-2007-0790 (Heap-based buffer overflow in SmartFTP 2.0.1002 allows remote
FTP ...)
 	NOT-FOR-US: SmartFTP
@@ -4553,7 +4553,7 @@
 CVE-2007-0772 (The Linux kernel 2.6.13 and other versions before 2.6.20.1
allows ...)
 	- linux-2.6 2.6.18.dfsg.1-11
 CVE-2007-0771 (Unspecified vulnerability in the utrace support for Linux kernel
...)
-	- linux-2.6 <unfixed> (medium)
+	- linux-2.6 <not-affected> (RHEL-specific backport, only present in -mm
tree)
 CVE-2007-0770 (Buffer overflow in GraphicsMagick and ImageMagick allows
user-assisted ...)
 	{DSA-1260}
 	- graphicsmagick 1.1.7-12
@@ -5756,7 +5756,7 @@
 CVE-2007-0268 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5,
...)
 	NOT-FOR-US: Oracle
 CVE-2007-0267 (The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1
kernels ...)
-	TODO: Check if Debian UFS filesystem was affected
+	NOT-FOR-US: UFS filesystem on MacOS/FreeBSD
 CVE-2007-0266 (SQL injection vulnerability in boxx/ShowAppendix.asp in Ezboxx
Portal ...)
 	NOT-FOR-US: Ezboxx Portal
 CVE-2007-0265 (Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx
Portal ...)
@@ -5850,7 +5850,7 @@
 CVE-2007-0230 (** DISPUTED ** PHP remote file inclusion vulnerability in
install.php ...)
 	NOT-FOR-US: CS-Cart
 CVE-2007-0229 (Integer overflow in the ffs_mountfs function in Mac OS X 10.4.8
and ...)
-	TODO: check kfreebsd
+	NOT-FOR-US: MacOS X
 CVE-2007-0228 (The DataCollector service in EIQ Networks Network Security
Analyzer ...)
 	NOT-FOR-US: EIQ Networks Network Security Analyzer
 CVE-2007-0227 (slocate 3.1 does not properly manage database entries that
specify ...)
@@ -5881,7 +5881,7 @@
 CVE-2007-0216
 	RESERVED
 CVE-2007-0215 (Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002
SP3, ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Excel
 CVE-2007-0214 (The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows
2000 ...)
 	NOT-FOR-US: Microsoft
 CVE-2007-0213 (Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007
does ...)
@@ -5947,8 +5947,6 @@
 	[sarge] - udev <not-affected> (Doesn''t affect Sarge)
 CVE-2007-XXXX [yacas insecure rpath]
 	- yacas 1.0.57-3 (bug #399226; bug #399227; low)
-CVE-2007-XXXX [TXT record parsing overflow with special characters]
-	- pdns <unfixed> (bug #406465)
 CVE-2007-0248 (The aclMatchExternal function in Squid before 2.6.STABLE7 allows
...)
 	- squid 2.6.5-4 (low; bug #407202)
 	[sarge] - squid <not-affected> (Vulnerable code not present)
@@ -6480,7 +6478,7 @@
 CVE-2007-0036
 	RESERVED
 CVE-2007-0035 (Microsoft Word 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, 2004
for ...)
-	TODO: check
+	NOT-FOR-US: Microsoft Word
 CVE-2007-0034 (Buffer overflow in the Advanced Search (Finder.exe) feature of
...)
 	NOT-FOR-US: Microsoft Outlook
 CVE-2007-0033 (Microsoft Outlook 2002 and 2003 allows user-assisted remote
attackers to ...)
@@ -7208,9 +7206,6 @@
 CVE-2006-XXXX [gaim crash when receiving an invalid UPnP response]
 	- gaim 1:2.0.0+beta5-9 (low)
 	[sarge] - gaim <no-dsa> (minor issue)
-CVE-2006-XXXX [xmedcon segfault on some files]
-	- xmedcon 0.9.9.4-1 (unknown; bug #401529)
-	TODO: check security impact
 CVE-2006-XXXX [dsniff urlsnarf missing output sanitization]
 	- dsniff 2.4b1+debian-16 (unimportant; bug #400624)
 	NOTE: While older terminals were vulnerable to some attacks involving terminal
@@ -13819,8 +13814,8 @@
 CVE-2006-3666 (SQL injection vulnerability in AjaxPortal 3.0, with
magic_quotes_gpc ...)
 	NOT-FOR-US: AjaxPortal
 CVE-2006-3665 (SquirrelMail 1.4.6 and earlier, with register_globals enabled,
allows ...)
-	- squirrelmail 2:1.4.7-1 (low)
-	[sarge] - squirrelmail <no-dsa> (Operation with registers_globals not
supported)
+	- squirrelmail 2:1.4.7-1 (unimportant)
+	NOTE: Operation with registers_globals not supported
 CVE-2006-3664 (Unspecified vulnerability in NIS server on Sun Solaris 8, 9, and
10 ...)
 	NOT-FOR-US: Sun Solaris
 CVE-2006-3663 (Finjan Vital Security Appliance 5100/8100 NG 8.3.5 stores
passwords in ...)
@@ -14870,8 +14865,8 @@
 CVE-2006-3175 (Multiple PHP remote file inclusion vulnerabilities in
mcGuestbook 1.3 ...)
 	NOT-FOR-US: mcGuestbook
 CVE-2006-3174 (Cross-site scripting (XSS) vulnerability in search.php in
SquirrelMail ...)
-	- squirrelmail 2:1.4.7-1 (bug #375782; low)
-	[sarge] - squirrelmail <no-dsa> (Operation with registers_globals not
supported)
+	- squirrelmail 2:1.4.7-1 (bug #375782; unimportant)
+	NOTE: Operation with registers_globals not supported
 CVE-2006-3173 (Multiple PHP remote file inclusion vulnerabilities in
Content*Builder ...)
 	NOT-FOR-US: Content*Builder
 CVE-2006-3172 (Multiple PHP remote file inclusion vulnerabilities in
Content*Builder ...)
Secure testing commits - May 2007 - r5820 - data/CVE

[Secure-testing-commits] r5820 - data/CVE
