Author: jmm-guest
Date: 2006-11-21 19:14:31 +0100 (Tue, 21 Nov 2006)
New Revision: 4988

Modified: data/CVE/list

Log:
new dovecot issue (already fixed)
firefox-sage issue doesn't affect Debian
new linux-2.6 issue
texinfo maintainer pinged
some NFUs
older tetex issues don't affect sarge
remove some old, resolved TODOs
polipo and elmo no-dsa

Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-11-21 17:28:56 UTC (rev 4987) +++ data/CVE/list 2006-11-21 18:14:31 UTC (rev 4988) @@ -1,7 +1,11 @@ +CVE-2006-XXXX [dovecot off-by-one] + - dovecot 1.0.rc15-1 + [sarge] - dovecot <not-affected> (Vulnerable code not present) CVE-2006-XXXX [TorrentFlux Arbitrary Command Execution and Directory Traversal] - torrentflux <unfixed> (medium; bug #399169) CVE-2006-XXXX [Firefox Sage Extension Feed Script Insertion Vulnerability] - - firefox-sage <unfixed> (medium; bug #399170) + - firefox-sage <not-affected> (medium; bug #399170) + NOTE: Debian''s version has HTML disabled CVE-2006-5972 (Stack-based buffer overflow in WG111v2.SYS in NetGear WG111v2 wireless ...) NOT-FOR-US: NetGear CVE-2006-5971 (Absolute path traversal vulnerability in admin/logfile.txt in Verity ...) @@ -574,7 +578,7 @@ CVE-2006-5702 (Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information ...) - tikiwiki 1.9.6+dfsg-1 (medium) CVE-2006-5701 (Double free vulnerability in squashfs module in the Linux kernel ...) - TODO: check + - linux-2.6 <unfixed> (low) CVE-2006-5700 RESERVED CVE-2006-5699 
@@ -1023,7 +1027,7 @@ CVE-2006-5488 (SQL injection vulnerability in XchangeBoard 1.70, and possibly ...) NOT-FOR-US: XchangeBoard CVE-2006-5487 (Directory traversal vulnerability in Marshal MailMarshal SMTP 5.x, ...) - TODO: check + NOT-FOR-US: Marshal MailMarshal SMTP CVE-2006-5486 (Cross-site scripting (XSS) vulnerability in Webmail in Sun Java System ...) NOT-FOR-US: Sun Java System Messaging Server CVE-2006-5485 (Multiple PHP remote file inclusion vulnerabilities in SpeedBerg ...) @@ -1388,7 +1392,7 @@ - flashplugin-nonfree <unfixed> (medium) [sarge] - flashplugin-nonfree <no-dsa> (Contrib not supported, only installer package) [etch] - flashplugin-nonfree <no-dsa> (Contrib not supported, only installer package) - TODO: file bug when upstream fix is released + TODO: file bug, fixed in 9.0.28.0 CVE-2006-5329 RESERVED CVE-2006-5328 (OpenBase SQL 10.0 and earlier, as used in Apple Xcode 2.2 2.2 and ...) @@ -1754,8 +1758,7 @@ CVE-2006-5160 (** DISPUTED ** ...) - firefox <not-affected> (no real issues) CVE-2006-5159 (** DISPUTED ** ...) - TODO: check again later - NOTE: might or might not be a real firefox issue, probably low impact + NOT-FOR-US: Bogus Firefox issue CVE-2006-5158 (The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel ...) - linux-2.6 2.6.16 CVE-2006-5157 (Format string vulnerability in the ActiveX control (ATXCONSOLE.OCX) in ...) @@ -2492,7 +2495,6 @@ - qt4-x11 4.2.1-1 (bug #394192) CVE-2006-4810 (Buffer overflow in the readline function in util/texindex.c, as used ...) - texinfo <unfixed> - TODO: File bug CVE-2006-4809 (Stack-based buffer overflow in loader_pnm.c in imlib2 before 1.2.1, ...) - imlib2 1.3.0.0debian1-3 (medium; bug #397371) CVE-2006-4808 (Heap-based buffer overflow in loader_tga.c in imlib2 before 1.2.1, and ...) 
@@ -3409,7 +3411,7 @@ CVE-2006-4414 RESERVED CVE-2006-4413 (Apple Remote Desktop before 3.1 uses insecure permissions for certain ...) - TODO: check + NOT-FOR-US: Apple Remote Desktop CVE-2006-4412 RESERVED CVE-2006-4411 @@ -5645,7 +5647,7 @@ CVE-2006-3446 RESERVED CVE-2006-3445 (Microsoft Agent on Microsoft Windows 2000 SP4, XP SP2, and Server 2003 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2006-3444 (Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, ...) NOT-FOR-US: Microsoft CVE-2006-3443 (Untrusted search path vulnerability in Winlogon in Microsoft Windows ...) @@ -10588,7 +10590,6 @@ NOT-FOR-US: Internet Explorer CVE-2006-1387 (TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote ...) - twiki 1:4.0.4-3 (bug #367973) - TODO: see if fw''s patch secures this in Debian CVE-2006-1386 (The (1) rdiff and (2) preview scripts in TWiki 4.0 and 4.0.1 ignore ...) - twiki <not-affected> (only affects 4.0.0 - 4.1.0, version in Debian too young) CVE-2006-1385 (Stack-based buffer overflow in the parseTaggedData function in ...) @@ -13199,6 +13200,7 @@ {DSA-1019-1 DSA-998-1 DSA-984-1 DSA-983-1 DSA-982-1 DSA-979-1 DSA-974-1 DSA-972-1 DSA-971-1} - poppler 0.4.5-1 (medium) - tetex-bin 3.0-12 (medium) + [sarge] - tetex-bin <not-affected> (tetex2 uses an older version, which is not affected) - kdegraphics 4:3.5.1-2 (medium) - gpdf 2.10.0-3 (medium) - xpdf 3.01-6 (bug #350785; bug #350783; medium) @@ -14344,7 +14346,6 @@ NOT-FOR-US: HP-UX CVE-2005-4450 (Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.7.0 ...) NOTE: According to the description possibly a dupe of the non-issue CVE-2005-4349 - TODO: check back with Secunia, they''re the only source for this issue CVE-2005-4449 (verify.php in FlatNuke 2.5.6 allows remote authenticated ...) NOT-FOR-US: FlatNuke CVE-2005-4448 (FlatNuke 2.5.6 verifies authentication credentials based on an MD5 ...) 
@@ -15202,7 +15203,7 @@ {DSA-1005-1 DSA-1004-1 DSA-992-1} - ffmpeg 0.cvs20050918-5.1 (bug #342207; medium) - xine-lib 1.0.1-1.5 (bug #342208; medium) - TODO: check mplayer + - mplayer <not-affected> (Fixed before initial upload) - gst-ffmpeg 0.8.7-5 (bug #343503; medium) - vlc 0.8.4.debian-2 (medium) NOTE: kino, smilutils, motion and vlc link statically against libavcodec, need a recompile once ffmpeg is fixed @@ -15846,7 +15847,6 @@ NOT-FOR-US: Belkin hardware CVE-2005-3801 (CounterPane PasswordSafe 1.x and 2.x allows local users to test ...) NOT-FOR-US: PasswordSafe - TODO: the problem might affect mypasswordsafe CVE-2005-3800 (Macromedia Contribute Publishing Server (CPS) before 1.11 uses a weak ...) NOT-FOR-US: Macromedia Contribute Publishing Server CVE-2005-3799 (phpBB 2.0.18 allows remote attackers to obtain sensitive information ...) @@ -16813,7 +16813,7 @@ CVE-2003-1266 (The (1) FTP, (2) POP3, (3) SMTP, and (4) NNTP servers in EServer 2.92 ...) NOT-FOR-US: EServer CVE-2003-1265 (Netscape 7.0 and Mozilla 5.0 do not immediately delete messages in the ...) - TODO: There is no Mozilla 5.0, but it should be tested on a current Mozilla + NOT-FOR-US: Ancient Mozilla issue CVE-2003-1264 (TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B, ...) NOT-FOR-US: Longshine hardware CVE-2003-1263 (ICAL.EXE in iCal 3.7 allows remote attackers to cause a denial of ...) @@ -16888,7 +16888,6 @@ NOTE: which in debian requires a manual and non-documented NOTE: initialization of the rpm database which is not configured in NOTE: the package - TODO: file bug? CVE-2002-2203 (Unknown vulnerability in the System Serial Console terminal in Solaris ...) NOT-FOR-US: Solaris CVE-2002-2202 (Outlook Express 6.0 does not delete messages from dbx files, even when ...) 
@@ -17624,7 +17623,6 @@ NOT-FOR-US: Inweb Mail Server CVE-2004-2502 (im-switch before 11.4-46.1 in Fedora Core 2 allows local users to ...) - im-switch <not-affected> (Debian''s version is somehow derived from RH, but not affected) - TODO: Please double-check CVE-2004-2501 (Buffer overflow in the IMAP service of MailEnable Professional Edition ...) NOT-FOR-US: MailEnable Professional CVE-2004-2500 (Unknown vulnerability in IlohaMail before 0.8.14-rc1 has unknown ...) @@ -18064,7 +18062,8 @@ CVE-2005-3164 (Hitachi Cosminexus Application Server does not properly handle when a ...) NOT-FOR-US: Hitachi Cosminexus Application Server CVE-2005-3163 (Unspecified vulnerability in Polipo 0.9.8 and earlier allows attackers ...) - - polipo 0.9.9-1 (bug #332411; medium) + - polipo 0.9.9-1 (bug #332411; low) + [sarge] - polipo <no-dsa> (Minor issue) CVE-2005-3162 REJECTED CVE-2005-3161 (Multiple SQL injection vulnerabilities in PHP-Fusion before 6.00.110 ...) @@ -21472,6 +21471,7 @@ - heartbeat 1.2.3-12 (bug #318287; medium) CVE-2005-2230 (Electronic Mail Operator (elmo) 1.3.2-r1 and earlier creates the ...) - elmo 1.3.0-1.1 (bug #318291; low) + [sarge] - elmo <no-dsa> (Minor issue) CVE-2005-2229 (Blog Torrent 0.92 and earlier stores sensitive files under the web ...) NOT-FOR-US: Blog Torrent CVE-2005-2228 (Web Wiz Forums 7.9 and 8.0 allows remote attackers to view message ...) @@ -21891,7 +21891,7 @@ [woody] - tetex-bin <not-affected> (pdftex doesn''t include or use the vulnerable code) - tetex-bin 3.0-12 NOTE: tetex links to poppler since 3.0-12 - TODO: Check, when sid was fixed for this + [sarge] - tetex-bin <not-affected> (tetex2 uses an older version, which is not affected) - gpdf 2.10.0-4 (bug #334454; low) NOTE: Cups switched to xpdf-utils - cupsys 1.1.22-7 (bug #324464)
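
Review bot: in the first hunk (@@ -1,7 +1,11 @@) the firefox-sage entry becomes "<not-affected>" but keeps "(medium; bug #399170)", so a package recorded as not affected still carries a severity, and the actual reason sits in a separate NOTE. The dovecot line added in the same hunk puts the reason inside the parentheses ("<not-affected> (Vulnerable code not present)"); the same form here, for example "- firefox-sage <not-affected> (Debian's version has HTML disabled; bug #399170)", would keep the entry consistent and drop the stale severity.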
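
Review bot: the @@ -2492,7 +2495,6 @@ hunk removes "TODO: File bug" from CVE-2006-4810, but "- texinfo <unfixed>" is left with no bug number and no severity, unlike the imlib2 entries directly below it. The log says the texinfo maintainer was pinged; a NOTE recording that (or the bug number once one exists) would keep the next reader from having to ask whether the report was ever made.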
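
Review bot: in the @@ -1754,8 +1758,7 @@ hunk CVE-2006-5159 is closed as "NOT-FOR-US: Bogus Firefox issue", yet every other NOT-FOR-US in this diff names a product that is not a Debian package (NetGear, Apple Remote Desktop, Microsoft), and firefox is tracked as a package in the entry just above ("- firefox <not-affected> (no real issues)"). Using that same form for CVE-2006-5159 would keep the firefox history searchable by package. The removed NOTE said the issue "might or might not be a real firefox issue", so the reason it is now considered bogus is worth stating in the parentheses.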
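
Review bot: in the @@ -15846,7 +15847,6 @@ hunk the TODO "the problem might affect mypasswordsafe" is deleted from CVE-2005-3801 with nothing put in its place. If mypasswordsafe was checked, a line such as "- mypasswordsafe <not-affected> (reason)" would record the result; as committed, the entry reads as though only PasswordSafe itself was ever considered and the question is lost.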
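
Review bot: in the @@ -16813,7 +16813,7 @@ hunk the removed TODO for CVE-2003-1265 asked for a test on a current Mozilla, and its replacement "NOT-FOR-US: Ancient Mozilla issue" does not say whether that test was done. If current versions were checked, a "<not-affected>" entry for the package with the reason would document it; otherwise the TODO is being dropped rather than resolved, and the line should say so.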
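
Review bot: the @@ -18064,7 +18062,8 @@ hunk lowers the polipo urgency for CVE-2005-3163 from medium to low in the same change that adds "[sarge] - polipo <no-dsa> (Minor issue)", while the log mentions only the no-dsa decision. The CVE text describes the flaw as unspecified, so a short NOTE giving the basis for the downgrade would make the two changes reviewable on their own.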