Author: jmm-guest Date: 2006-11-19 10:54:20 +0100 (Sun, 19 Nov 2006) New Revision: 4976 Modified: data/CVE/list Log: several no-dsas some moodle issues unimportant ffmpeg issues affects xine-lib as well older pam-mysql issues don''t affect Sarge gradm2 not affected by RBAC issue sympa unimportant Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-11-18 12:04:01 UTC (rev 4975) +++ data/CVE/list 2006-11-19 09:54:20 UTC (rev 4976) @@ -1861,7 +1861,8 @@ CVE-2006-5112 (Buffer overflow in InterVations NaviCOPA Web Server 2.01 allows remote ...) NOT-FOR-US: NaviCOPA Web Server CVE-2006-5111 (The libksba library 0.9.12 and possibly other versions, as used by ...) - - libksba 0.9.14-1 (bug #391278) + - libksba 0.9.14-1 (low; bug #391278) + [sarge] - libksba <no-dsa> (Minor issue) CVE-2006-5110 (Cross-site scripting (XSS) vulnerability in home.php in PHP Invoice ...) NOT-FOR-US: PHP Invoice CVE-2006-5109 (Devellion CubeCart 2.0.x allows remote attackers to obtain sensitive ...) @@ -2224,9 +2225,11 @@ - moodle 1.6.2-1 [sarge] - moodle <not-affected> (Function not present) CVE-2006-4939 (backup/backup_scheduled.php in Moodle before 1.6.2 generates trace ...) - - moodle 1.6.2-1 + - moodle 1.6.2-1 (unimportant) + NOTE: Path disclosure CVE-2006-4938 (help.php in Moodle before 1.6.2 does not check the existence of ...) - - moodle 1.6.2-1 + - moodle 1.6.2-1 (unimportant) + NOTE: Path disclosure CVE-2006-4937 (lib/setup.php in Moodle before 1.6.2 sets the error reporting level to ...) - moodle 1.6.2-1 CVE-2006-4936 (Moodle before 1.6.2 does not properly validate the module instance id ...) @@ -2516,8 +2519,8 @@ NOT-FOR-US: Roxio Toast CVE-2006-4800 (Multiple buffer overflows in libavcodec in ffmpeg before ...) - ffmpeg 0.cvs20060329-1 + - xine-lib 1.1.2-1 NOTE: according to the changelog, libxine (starting from 1.1.2-4) links dynamically against ffmpeg - TODO: check other packages embedding ffmpeg code CVE-2006-4799 (Buffer overflow in ffmpeg for xine-lib before 1.1.2 might allow ...) - xine-lib 1.1.2-1 (bug #369876; medium) NOTE: according to the changelog, libxine (starting from 1.1.2-4) links dynamically against ffmpeg @@ -8094,7 +8097,8 @@ CVE-2006-2363 (SQL injection vulnerability in the weblinks option (weblinks.html.php) ...) NOT-FOR-US: Limbo CVE-2006-2362 (Buffer overflow in getsym in tekhex.c in libbfd in Free Software ...) - - binutils 2.17-1 (bug #368237) + - binutils 2.17-1 (low; bug #368237) + [sarge] - binutils <no-dsa> (Very minor issue) CVE-2006-2361 (PHP remote file inclusion vulnerability in pafiledb_constants.php in ...) NOT-FOR-US: phpbb mod CVE-2006-2360 (SQL injection vulnerability in charts.php in the Chart mod for phpBB ...) @@ -12313,7 +12317,8 @@ CVE-2005-4714 (Format string vulnerability in the vmps_log function in OpenVMPS (VLAN ...) NOT-FOR-US: OpenVMPS CVE-2005-4713 (Unspecified vulnerability in the SQL logging facility in PAM-MySQL ...) - - libpam-mysql 0.6.2-1 (bug #353589; high) + - libpam-mysql 0.6.2-1 (bug #353589; low) + [sarge] - libpam-mysql <not-affected> (Vulnerable code not present) CVE-2005-4712 (CRLF injection vulnerability in process_signup.php in PHP Handicapper ...) NOT-FOR-US: Handicapper CVE-2006-XXXX [dpkg-sig: insecure temp file bug] @@ -13385,7 +13390,6 @@ CVE-2006-0228 (The RBAC functionality in grsecurity before 2.1.8 does not properly ...) - kernel-patch-grsecurity2 2.1.8-1 (bug #349246; medium) - kernel-patch-2.4-grsecurity <removed> (bug #349247; medium) - - gradm2 2.1.8-1 (medium) CVE-2006-0227 (Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, ...) NOT-FOR-US: lpsched in Sun Solaris CVE-2006-0226 (Integer overflow in IEEE 802.11 network subsystem (ieee80211_ioctl.c) ...) @@ -13920,7 +13924,8 @@ CVE-2006-0057 (Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers ...) NOT-FOR-US: Windows CVE-2006-0056 (Double-free vulnerability in the authentication and authentication ...) - - libpam-mysql 0.6.2-1 (bug #353589; high) + - libpam-mysql 0.6.2-1 (bug #353589; medium) + [sarge] - libpam-mysql <not-affected> (Vulnerable code not present) CVE-2006-0055 (The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable ...) - ee 1:1.4.2-5 (bug #348322) CVE-2006-0054 (The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to ...) @@ -22452,6 +22457,7 @@ NOT-FOR-US: Drupal CVE-2002-1805 (Cross-site scripting (XSS) vulnerability in DaCode 1.2.0 allows remote ...) - dacode <removed> (bug #322605; low) + [sarge] - dacode <no-dsa> (Minor issue; attacker would need to bypass moderator review/approval) NOTE: Sarge is affected (has same version as testing/unstable) CVE-2002-1804 (Cross-site scripting (XSS) vulnerability in NPDS 4.8 allows remote ...) NOT-FOR-US: NPDS @@ -23467,7 +23473,7 @@ - shtool 2.0.1-2 (low) [sarge] - shtool <no-dsa> (Minor issue) - mysql-ocaml 1.0.3-6 (unimportant) - - php4 4:4.4.0-1 (low) + - php4 4:4.4.0-1 (unimportant) CVE-2005-1758 (Buffer overflow in the IMAP command continuation function in Novell ...) NOT-FOR-US: Novell CVE-2005-1757 (Buffer overflow in the Modweb agent for Novell NetMail 3.52 before ...) @@ -27598,7 +27604,8 @@ CVE-2004-1736 (Cacti 0.8.5a allows remote attackers to gain sensitive information via ...) - cacti 0.8.5a-5 CVE-2004-1735 (Cross-site scripting (XSS) vulnerability in the create list option in ...) - - sympa 4.1.5-4 (bug #298105; low) + - sympa 4.1.5-4 (bug #298105; unimportant) + NOTE: A user with the privilege to create new mailing lists needs to be trustworthy CVE-2004-1734 (PHP remote file inclusion vulnerability in Mantis 0.19.0a allows ...) - mantis 0.19.2-1 CVE-2004-1733 (Directory traversal vulnerability in MyDMS 1.4.2 and other versions ...)