Moritz Muehlenhoff
2006-Sep-10 12:42 UTC
[Secure-testing-commits] r4711 - in data: CVE DSA
Author: jmm-guest Date: 2006-09-10 12:42:28 +0000 (Sun, 10 Sep 2006) New Revision: 4711 Modified: data/CVE/list data/DSA/list Log: - new openssl and bind DSAs - add missing CVE ID to old gpdf DSA - remove two thunderbird entries for sarge that overlapped the DSA reference - older thunderbird and firefox issues are non-issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-09-10 12:37:29 UTC (rev 4710) +++ data/CVE/list 2006-09-10 12:42:28 UTC (rev 4711) @@ -4091,7 +4091,6 @@ NOTE: MFSA-2006-31 - firefox 1.5.dfsg+1.5.0.4-1 (medium) - thunderbird 1.5.0.4-1 (medium) - [sarge] - mozilla-thunderbird <unfixed> (medium) - mozilla 2:1.7.13-0.3 (medium) - xulrunner 1.8.0.4-1 (medium) CVE-2006-2786 (HTTP response smuggling vulnerability in Mozilla Firefox and ...) @@ -4099,7 +4098,6 @@ NOTE: MFSA-2006-33 - firefox 1.5.dfsg+1.5.0.4-1 (medium) - thunderbird 1.5.0.4-1 (medium) - [sarge] - mozilla-thunderbird <unfixed> (medium) - mozilla 2:1.7.13-0.3 (medium) - xulrunner 1.8.0.4-1 (medium) CVE-2006-2785 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before ...) @@ -8162,8 +8160,9 @@ - namazu2 <not-affected> (Windows-specific issue) CVE-2006-1166 (Monotone 0.25 and earlier, when a user creates a file in a directory ...) - monotone 0.26pre1-0.1 (low) - NOTE: Needs a case-insensitive file system (e.g. VFAT or Samba) on - NOTE: the client. + [sarge] - monotone <no-dsa> (Only exploitable in very far-fetched situation) + NOTE: Needs a case-insensitive file system (e.g. VFAT or Samba) on the client + NOTE: and massive social engineering CVE-2006-1128 (Directory traversal vulnerability in the session handling class ...) - gallery2 2.0.3 CVE-2006-1127 (Cross-site scripting (XSS) vulnerability in Gallery 2 up to 2.0.2 ...) 
@@ -14223,8 +14222,11 @@ CVE-2005-3403 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.1 ...) NOT-FOR-US: ATutor CVE-2005-3402 (The SMTP client in Mozilla Thunderbird 1.0.5 BETA, 1.0.7, and possibly ...) - - thunderbird <unfixed> (bug #363714; low) - [sarge] - mozilla-thunderbird <unfixed> (bug #363714; low) + - thunderbird <unfixed> (bug #363714; unimportant) + [sarge] - mozilla-thunderbird <unfixed> (bug #363714; unimportant) + NOTE: That''s a non-issue; only a feature request for an improvement in a corner case. + NOTE: If someone wants to use security-sensitive communication a TLS-secured server + NOTE: should be used. CVE-2005-3401 (Multiple interpretation error in TheHacker 5.8.4.128 allows remote ...) NOT-FOR-US: TheHacker CVE-2005-3400 (Multiple interpretation error in Fortinet 2.48.0.0 allows remote ...) 
@@ -17528,10 +17530,12 @@ CVE-2005-2396 (Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and ...) - mediawiki 1.4.9 (bug #276057) CVE-2005-2395 (Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the ...) - - firefox <unfixed> (bug #320539; low) - NOTE: as of version 1.4.99+1.5rc3.dfsg-2, mozilla-firefox is now an empty transitional package - - mozilla-firefox 1.4.99+1.5rc3.dfsg-2 (bug #320539; low) - - mozilla <unfixed> (bug #320538; low) + - firefox <unfixed> (bug #320539; unimportant) + - mozilla-firefox 1.4.99+1.5rc3.dfsg-2 (bug #320539; unimportant) + - mozilla <unfixed> (bug #320538; unimportant) + NOTE: Firefox and Mozilla follow RFC behaviour. This is more a lack of security + NOTE: feature (client-side preference for stronger methods) and not a vulnerabilit + NOTE: This also seems like a rare setup. CVE-2005-2394 (show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the ...) NOT-FOR-US: CuteNews CVE-2005-2393 (Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows ...) Modified: data/DSA/list ==================================================================--- data/DSA/list 2006-09-10 12:37:29 UTC (rev 4710) +++ data/DSA/list 2006-09-10 12:42:28 UTC (rev 4711) @@ -1,3 +1,9 @@ +[10 Sep 2006] DSA-1773-1 openssl - cryptographic weakness + {CVE-2006-4339} + [sarge] - openssl 0.9.7e-3sarge2 +[09 Sep 2006] DSA-1772-1 bind9 - programming error + {CVE-2006-4095 CVE-2006-4096} + [sarge] - bind9 9.2.4-1sarge1 [07 Sep 2006] DSA-1171 ethereal - several {CVE-2006-4333 CVE-2005-3241 CVE-2005-3242 CVE-2005-3243 CVE-2005-3244 CVE-2005-3246 CVE-2005-3248} [sarge] - ethereal 0.10.10-2sarge8 
@@ -646,7 +652,7 @@ [sarge] - pdftohtml 0.36-11sarge2 NOTE: sid is not affected, just a revamp of previous patches [27 Feb 2006] DSA-982-1 gpdf - several - {CVE-2005-2097 CVE-2005-3191 CVE-2005-3193 CVE-2006-0301} + {CVE-2005-2097 CVE-2005-3191 CVE-2005-3193 CVE-2006-0301 CVE-2006-1244} [sarge] - gpdf 2.8.2-1.2sarge4 NOTE: sid is not affected, just a revamp of previous patches [26 Feb 2006] DSA-981-1 bmv - integer overflow
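Review bot: In the data/DSA/list hunk at @@ -1,3 +1,9 @@, the two new entries are numbered DSA-1773-1 (openssl) and DSA-1772-1 (bind9), but the entry directly below them is DSA-1171, dated 07 Sep 2006. A jump of about 600 advisory numbers in two or three days looks like a digit slip. Please check both ids against the published advisories before this lands, since a wrong id breaks the cross-reference between the advisory and CVE-2006-4339, CVE-2006-4095 and CVE-2006-4096.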
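Review bot: In the data/CVE/list hunk at @@ -17528,10 +17530,12 @@ (CVE-2005-2395), the second added NOTE ends in "and not a vulnerabilit", missing the final "y" and the full stop. The hunk also removes the NOTE saying mozilla-firefox is an empty transitional package as of 1.4.99+1.5rc3.dfsg-2 while keeping the mozilla-firefox line with that version. Consider keeping that NOTE, because it is the only explanation of why that entry carries a version while firefox and mozilla stay <unfixed>.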
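Review bot: In the data/CVE/list hunk at @@ -14223,8 +14222,11 @@ (CVE-2005-3402), the first added NOTE reads "That''s" with a doubled apostrophe and should be "That's". The following two NOTE lines would also read more clearly with a comma after "communication", as in "security-sensitive communication, a TLS-secured server should be used".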