Author: jmm-guest
Date: 2007-02-27 23:49:33 +0100 (Tue, 27 Feb 2007)
New Revision: 5491

Modified:
   data/CVE/list

Log:
etch fix for ikiwiki
amarok fixes
nexuiz issue doesn't affect etch
fetchmail issue doesn't affect sarge
amavis-ng only an issue if someone installs non-free code (in which case you're screwed anyway)
mt-daapd uses a not-so-well default, but it's not a direct vulnerability

Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-02-27 22:36:27 UTC (rev 5490) +++ data/CVE/list 2007-02-27 22:49:33 UTC (rev 5491) @@ -4,9 +4,12 @@ CVE-2007-XXXX [TYPO3 Security Bulletin TYPO3-20070221-1: Email header injection] - typo3-src 4.0.5+debian-1 CVE-2007-XXXX [mt-daapd remote access & default password] - - mt-daapd <unfixed> (bug #404640) + - mt-daapd <unfixed> (unimportant; bug #404640) + NOTE: User-unfriendly packaging flaw, but not a vulnerability per se CVE-2007-XXXX [amavids-new uses contrib/non-free packers without security support in default config] - - amavisd-new <unfixed> (bug #410588) + - amavisd-new <unfixed> (unimportant; bug #410588) + NOTE: Doesn''t affect a standard Debian installation, only users, which install + NOTE: proprietary apps, it should be fixed for sanity, but not a direct vulnerability CVE-2006-XXXX [pure-ftpd-mysql: any problems with a home dir will allow rw to the entire filesystem] - pure-ftpd <unfixed> (bug #350889) CVE-2007-XXXX [MediaWiki XSS based on Microsoft Internet Explorer''s UTF-7 charset autodetection] @@ -524,7 +527,8 @@ - php4 <unfixed> - php5 <unfixed> (bug #410561; bug #410995) CVE-2007-XXXX [ikiwiki allows web user to edit images and other non-page format files in the wiki] - - ikiwiki 1.42 + - ikiwiki 1.42 (low) + [etch] - ikiwiki 1.33.1 CVE-2007-0858 RESERVED CVE-2007-0857 (Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before ...) 
@@ -768,9 +772,9 @@ CVE-2006-6981 (3proxy 0.5 to 0.5.2, when NT-encoded passwords are being used, allows ...) NOT-FOR-US: 3proxy CVE-2006-6980 (The magnatune.com album browser in Amarok allows attackers to cause a ...) - - amarok 1.4.4-3 (bug #410850) + - amarok 1.4.4-3 (bug #410850; low) CVE-2006-6979 (The ruby handlers in Amarok do not properly quote text in certain ...) - - amarok <unfixed> (bug #410850; medium) + - amarok 1.4.4-1 (bug #410850; low) CVE-2006-6978 (Cross-site scripting (XSS) vulnerability in the "Basic Toolbar ...) NOT-FOR-US: FCKEditor CVE-2006-6977 (Cross-site scripting (XSS) vulnerability in the "Basic Toolbar ...) @@ -1036,6 +1040,7 @@ NOT-FOR-US: Drupal addon module "Textimage" CVE-2007-0657 (Unspecified vulnerability in Nexuiz 2.2.2 allows remote attackers to ...) - nexuiz 2.2.3-1 (medium) + [etch] - nexuiz <not-affected> (Vulnerable code not present, was introduced in 2.2.2) CVE-2007-0656 (PHP remote file inclusion vulnerability in includes/functions.php in ...) NOT-FOR-US: phpBB2-MODificat it is a module to phpbb2 CVE-2007-0655 @@ -4754,6 +4759,7 @@ NOT-FOR-US: BlogMe CVE-2006-5974 (fetchmail 6.3.5 and 6.3.6 before 6.3.6-rc4, when refusing a message ...) - fetchmail 6.3.6-1 (low) + [sarge] - fetchmail <not-affected> (Vulnerable code not present) CVE-2006-5973 (Off-by-one buffer overflow in Dovecot 1.0test53 through 1.0.rc14, and ...) - dovecot 1.0.rc15-1 [sarge] - dovecot <not-affected> (Vulnerable code not present)
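Review bot: In the first hunk (@@ -4,9 +4,12 @@) the mt-daapd NOTE does not say why a default password combined with remote access is only a packaging flaw; the title line itself reads "remote access & default password", so the NOTE should record what makes it non-exploitable on a default install (for instance whether the daemon is already listening on the network before the administrator has changed the password), otherwise the "unimportant" rating cannot be re-checked later. Smaller points in the same hunk: the amavisd-new NOTE should read "only users who install proprietary apps", the title line above it spells the package "amavids-new" while the entry below it says "amavisd-new", and the new lines put the severity before the bug reference ("(unimportant; bug #404640)") whereas the amarok lines in this same change put it after ("(bug #410850; low)").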
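Review bot: In the ikiwiki hunk (@@ -524,7 +527,8 @@) the entry gains a severity but carries no bug reference, unlike the mt-daapd, amavisd-new and php5 entries around it, and the new "[etch] - ikiwiki 1.33.1" line has no note saying where the etch fix came from; if a Debian bug or an upstream reference exists, add it in the usual "(low; bug #<number>)" form so the etch version can be traced.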
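Review bot: In the amarok hunk (@@ -768,9 +772,9 @@) the CVE-2006-6979 line changes both the fixed version (<unfixed> to 1.4.4-1) and the severity (medium to low) in a single edit, and neither the log message ("amarok fixes") nor a NOTE line explains the downgrade; add a NOTE giving the reason. The fixed version is also worth a second look: the sibling CVE-2006-6980, tracked under the same bug #410850, is recorded as fixed only in 1.4.4-3, two uploads later, so either the earlier fix for 6979 should be confirmed or both lines should agree.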
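Review bot: In the nexuiz hunk (@@ -1036,6 +1040,7 @@) the new [etch] line says the vulnerable code "was introduced in 2.2.2" but does not name the version that etch actually ships, so the <not-affected> claim cannot be checked from the entry alone; put the version into the note, e.g. "(Vulnerable code not present, introduced in 2.2.2; etch has <etch version>)".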
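Review bot: In the fetchmail hunk (@@ -4754,6 +4759,7 @@) the [sarge] <not-affected> note gives only "Vulnerable code not present"; the CVE text on the line above restricts the issue to 6.3.5 and 6.3.6 before 6.3.6-rc4, so the note should state that sarge's fetchmail predates 6.3.5 and name that version, matching the more specific wording used for nexuiz in this same change. The dovecot entry directly below uses the same bare wording, so this is existing practice, but recording the version is what lets the not-affected call be re-verified later.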