Author: jmm-guest Date: 2007-03-06 22:49:23 +0000 (Tue, 06 Mar 2007) New Revision: 5517 Modified: data/CVE/list Log: putty unimportant php5 just open_basedir/safe mode apply security policy for sql-ledger udev issue doesn''t affect sarge Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-03-06 14:17:55 UTC (rev 5516) +++ data/CVE/list 2007-03-06 22:49:23 UTC (rev 5517) @@ -335,8 +335,8 @@ CVE-2007-1218 (Off-by-one buffer overflow in the parse_elements function in the ...) - tcpdump 3.9.5-2 (bug #413430; medium) CVE-2007-XXXX [puttygen can create world-readable private keys] - - putty <unfixed> (bug #400804; low) - [sarge] - putty <no-dsa> (minor issue) + - putty <unfixed> (bug #400804; unimportant) + NOTE: Sensitive operations like key generation should only be done in private home CVE-2007-XXXX [asterisk remote SIP security hole] - asterisk 1:1.2.16~dfsg-1 CVE-2007-1160 (webSPELL 4.0, and possibly later versions, allows remote attackers to ...) @@ -467,7 +467,9 @@ NOT-FOR-US: Pickle CVE-2007-1099 (dbclient in Dropbear SSH client before 0.49 does not sufficiently warn ...) - dropbear 0.49-1 (unimportant; bug #412899) - NOTE: security feature enhancement, not a vulnerability per se + NOTE: That''s a lack of a security feature (strict hostkey checking in openssh + NOTE: termininoloy) and an awkward interface, but not a vulnerability per se + NOTE: Especially as dropbear is specifically labeled a stripped down SSH implementation [etch] - dropbear 0.48.1-2 CVE-2007-1098 (Multiple unspecified vulnerabilities in ScryMUD before 2.1.11 have ...) NOT-FOR-US: ScryMUD @@ -1113,7 +1115,7 @@ - php5 5.2.0-9 (bug #410561; bug #410995; medium) - php4 6:4.4.4-9 CVE-2007-0905 (PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir ...) - - php5 <unfixed> (bug #410561; bug #410995; medium) + - php5 <unfixed> (bug #410561; bug #410995; unimportant) NOTE: we normally don''t spend much time on safe_mode and open_basedir NOTE: issues, but the because the attack vectors are "unspecified", it NOTE: might be harder for us to try and sort out the fixes for this @@ -1772,6 +1774,7 @@ NOT-FOR-US: Sun Solaris. CVE-2007-0667 (The redirect function in Form.pm for (1) LedgerSMB before 1.1.5 and ...) - sql-ledger <unfixed> (bug #409703) + [etch] - sql-ledger <no-dsa> (Should only be used with trusted users) NOTE: sql-ledger 2.6.22-2 adds a note to README.Debian that sql-ledger NOTE: is not secure with untrusted users. CVE-2007-0666 (Ipswitch WS_FTP Server 5.04 allows FTP site administrators to execute ...) @@ -2888,6 +2891,7 @@ NOT-FOR-US: HP CVE-2007-XXXX [udev wrong permissions on raid devices] - udev 0.105-2 (bug #404927) + [sarge] - udev <not-affected> (Doesn''t affect Sarge) CVE-2007-XXXX [yacas insecure rpath] - yacas <unfixed> (bug #399226; bug #399227; low) CVE-2007-XXXX [TXT record parsing overflow with special characters]