Author: jmm-guest
Date: 2006-12-10 13:06:58 +0100 (Sun, 10 Dec 2006)
New Revision: 5099
Modified:
data/CVE/list
Log:
no-dsas for non-free software
mark several "month of kernel bugs" issues as unimportant; these are
robustness bugs, but labeling them as security problems is too
far-fetched
Modified: data/CVE/list
==================================================================---
data/CVE/list 2006-12-09 20:14:19 UTC (rev 5098)
+++ data/CVE/list 2006-12-10 12:06:58 UTC (rev 5099)
@@ -76,6 +76,7 @@
CVE-2006-6332 [madwifi code injection]
RESERVED
- madwifi 1:0.9.2+r1842.20061207-1 (high)
+ [etch] - madwifi <no-dsa> (Non-free not supported)
CVE-2006-6331 (metaInfo.php in TorrentFlux 2.2, when
$cfg["enable_file_priority"] is ...)
TODO: check
CVE-2006-6330 (index.php for TorrentFlux 2.2 allows remote registered users to
...)
@@ -517,7 +518,8 @@
CVE-2006-6129 (Integer overflow in the fatfile_getarch2 in Apple Mac OS X
allows ...)
NOT-FOR-US: Apple Mac OS X
CVE-2006-6128 (The ReiserFS functionality in Linux kernel 2.6.18, and possibly
other ...)
- - linux-2.6 <unfixed> (low)
+ - linux-2.6 <unfixed> (unimportant)
+ NOTE: Mounting filesystem partitions should be limited to root
CVE-2006-6127 (Apple Mac OS X kernel allows local users to cause a denial of
service ...)
NOT-FOR-US: Apple Mac OS X
CVE-2006-6126 (Apple Mac OS X allows local users to cause a denial of service
(memory ...)
@@ -657,21 +659,27 @@
CVE-2006-6061 (com.apple.AppleDiskImageController in Apple Mac OS X 10.4.8, and
...)
NOT-FOR-US: Apple Mac OS X
CVE-2006-6060 (The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and
...)
- - linux-2.6 <unfixed>
+ - linux-2.6 <unfixed> (unimportant)
+ NOTE: Mounting filesystem partitions should be limited to root
CVE-2006-6059 (Buffer overflow in MA521nd5.SYS driver 5.148.724.2003 for
NetGear ...)
NOT-FOR-US: NetGear
CVE-2006-6058 (The minix filesystem code in Linux kernel 2.6.x up to 2.6.18,
and ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 <unfixed> (unimportant)
+ NOTE: Mounting filesystem partitions should be limited to root
CVE-2006-6057 (The Linux kernel 2.6.x up to 2.6.18, and possibly other
versions, on ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 <unfixed> (unimportant)
+ NOTE: Mounting filesystem partitions should be limited to root
CVE-2006-6056 (Linux kernel 2.6.x up to 2.6.18 and possibly other versions,
when ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 <unfixed> (unimportant)
+ NOTE: Mounting filesystem partitions should be limited to root
CVE-2006-6055 (Stack-based buffer overflow in A5AGU.SYS 1.0.1.41 for the D-Link
...)
NOT-FOR-US: D-Link
CVE-2006-6054 (The ext2 file system code in Linux kernel 2.6.x allows local
users to ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 <unfixed> (unimportant)
+ NOTE: Mounting filesystem partitions should be limited to root
CVE-2006-6053 (The ext3fs_dirhash function in Linux kernel 2.6.x allows local
users ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 <unfixed> (unimportant)
+ NOTE: Mounting filesystem partitions should be limited to root
CVE-2006-6052 (NetEpi Case Manager before 0.98 generates different error
messages ...)
NOT-FOR-US: NetEpi Case Manager
CVE-2006-6051 (PHP remote file inclusion vulnerability in reporter.logic.php in
the ...)
@@ -4435,11 +4443,13 @@
- gzip 1.3.5-15 (medium)
- lha <unfixed> (medium; bug #401301)
[sarge] - lha <no-dsa> (Non-free not supported)
+ [etch] - lha <no-dsa> (Non-free not supported)
CVE-2006-4337 (Buffer overflow in the make_table function in the LHZ component
in ...)
{DSA-1181-1}
- gzip 1.3.5-15 (high)
- lha <unfixed> (high; bug #401301)
[sarge] - lha <no-dsa> (Non-free not supported)
+ [etch] - lha <no-dsa> (Non-free not supported)
CVE-2006-4336 (Buffer underflow in the build_tree function in unpack.c in gzip
1.3.5 allows ...)
{DSA-1181-1}
- gzip 1.3.5-15 (high)
@@ -4448,6 +4458,7 @@
- gzip 1.3.5-15 (high)
- lha <unfixed> (high; bug #401301)
[sarge] - lha <no-dsa> (Non-free not supported)
+ [etch] - lha <no-dsa> (Non-free not supported)
CVE-2006-4334 (Unspecified vulnerability in gzip 1.3.5 allows context-dependent
...)
{DSA-1181-1}
- gzip 1.3.5-15 (high)
Florian Weimer
2006-Dec-10 17:33 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r5099 - data/CVE
* Moritz Muehlenhoff:> CVE-2006-6128 (The ReiserFS functionality in Linux kernel 2.6.18, and possibly other ...) > - - linux-2.6 <unfixed> (low) > + - linux-2.6 <unfixed> (unimportant) > + NOTE: Mounting filesystem partitions should be limited to rootBut it''s not in a default install, at least for VFAT USB sticks. Perhaps these bugs are relevant after all. We could declare that console users are trusted by definition, but this is a bit excessive.
Moritz Muehlenhoff
2006-Dec-10 23:58 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r5099 - data/CVE
On Sun, Dec 10, 2006 at 05:32:52PM +0100, Florian Weimer wrote:> * Moritz Muehlenhoff: > > > CVE-2006-6128 (The ReiserFS functionality in Linux kernel 2.6.18, and possibly other ...) > > - - linux-2.6 <unfixed> (low) > > + - linux-2.6 <unfixed> (unimportant) > > + NOTE: Mounting filesystem partitions should be limited to root > > But it''s not in a default install, at least for VFAT USB sticks. > Perhaps these bugs are relevant after all.I only added unimportant tags for "fixed system disk filesystems" and left e.g. the the ISO9660 issue at "low". Cheers, Moritz