Author: stef-guest Date: 2006-06-06 08:51:01 +0000 (Tue, 06 Jun 2006) New Revision: 4153 Modified: data/CVE/list Log: many mozilla issues, some fixed in firefox new webalizer issue mysql issue CVEified and fixed in 5.0 python-pgsql fixed Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-06-06 07:45:18 UTC (rev 4152) +++ data/CVE/list 2006-06-06 08:51:01 UTC (rev 4153) @@ -2,6 +2,8 @@ - dokuwiki <unfixed> (medium) CVE-2006-XXXX [PHP injection vulnerability in dokuwiki via curly braces] - dokuwiki <unfixed> (medium) +CVE-2006-XXXX [webalizer: symlink vulnerability] + - webalizer 2.01.10-29 CVE-2006-2805 (SQL injection vulnerability in VBulletin 3.0.10 allows remote ...) NOT-FOR-US: vBulletin CVE-2006-2804 (Cross-site scripting (XSS) vulnerability in index.cfm in Goss iCM 7.0 ...) 
@@ -41,31 +43,99 @@ CVE-2006-2788 (Double-free vulnerability in the getRawDER function for nsIX509Cert in ...) TODO: check CVE-2006-2787 (EvalInSandbox in Mozilla Firefox and Thunderbird before 1.5.0.4 allows ...) - TODO: check + NOTE: MFSA-2006-31 + - firefox 1.5.dfsg+1.5.0.4-1 (medium) + [sarge] - mozilla-firefox <unfixed> (medium) + - thunderbird <unfixed> (medium) + [sarge] - mozilla-thunderbird <unfixed> (medium) + - mozilla <unfixed> (medium) + - xulruner <unfixed> (medium) CVE-2006-2786 (HTTP response smuggling vulnerability in Mozilla Firefox and ...) - TODO: check + NOTE: MFSA-2006-33 + - firefox 1.5.dfsg+1.5.0.4-1 (medium) + [sarge] - mozilla-firefox <unfixed> (medium) + - thunderbird <unfixed> (medium) + [sarge] - mozilla-thunderbird <unfixed> (medium) + - mozilla <unfixed> (medium) + - xulruner <unfixed> (medium) CVE-2006-2785 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before ...) - TODO: check + NOTE: MFSA-2006-34 + - firefox 1.5.dfsg+1.5.0.4-1 (medium) + [sarge] - mozilla-firefox <unfixed> (medium) + - mozilla <unfixed> (medium) + - xulruner <unfixed> (medium) CVE-2006-2784 (The PLUGINSPAGE functionality in Mozilla Firefox before 1.5.0.4 allows ...) - TODO: check + NOTE: MFSA-2006-36 + - firefox 1.5.dfsg+1.5.0.4-1 (medium) + [sarge] - mozilla-firefox <unfixed> (medium) + - mozilla <unfixed> (medium) + - xulruner <unfixed> (medium) CVE-2006-2783 (Mozilla Firefox and Thunderbird before 1.5.0.4 strips the Unicode ...) - TODO: check + NOTE: MFSA-2006-42 + - firefox 1.5.dfsg+1.5.0.4-1 (medium) + [sarge] - mozilla-firefox <unfixed> (medium) + - thunderbird <unfixed> (medium) + [sarge] - mozilla-thunderbird <unfixed> (medium) + - mozilla <unfixed> (medium) + - xulruner <unfixed> (medium) CVE-2006-2782 (Firefox 1.5.0.2 does not fix all test cases associated with ...) 
- TODO: check + NOTE: MFSA-2006-41 + - firefox 1.5.dfsg+1.5.0.4-1 (medium) + [sarge] - mozilla-thunderbird <unfixed> (medium) + - mozilla <unfixed> (medium) + - xulruner <unfixed> (medium) CVE-2006-2781 (Double-free vulnerability in Mozilla Thunderbird before 1.5.0.4 and ...) - TODO: check + NOTE: MFSA-2006-40 + - thunderbird <unfixed> (high) + [sarge] - mozilla-thunderbird <unfixed> (high) + - mozilla <unfixed> (high) + - xulruner <unfixed> (high) CVE-2006-2780 (Integer overflow in Mozilla Firefox and Thunderbird before 1.5.0.4 ...) - TODO: check + NOTE: MFSA-2006-32 + - firefox 1.5.dfsg+1.5.0.4-1 (high) + [sarge] - mozilla-firefox <unfixed> (high) + - thunderbird <unfixed> (high) + [sarge] - mozilla-thunderbird <unfixed> (high) + - mozilla <unfixed> (high) + - xulruner <unfixed> (high) CVE-2006-2779 (Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers ...) - TODO: check + NOTE: MFSA-2006-32 + - firefox 1.5.dfsg+1.5.0.4-1 (high) + [sarge] - mozilla-firefox <unfixed> (high) + - thunderbird <unfixed> (high) + [sarge] - mozilla-thunderbird <unfixed> (high) + - mozilla <unfixed> (high) + - xulruner <unfixed> (high) CVE-2006-2778 (The crypto.signText function in Mozilla Firefox and Thunderbird before ...) - TODO: check + NOTE: MFSA-2006-38 + - firefox 1.5.dfsg+1.5.0.4-1 (high) + [sarge] - mozilla-firefox <unfixed> (high) + - thunderbird <unfixed> (high) + [sarge] - mozilla-thunderbird <unfixed> (high) + - mozilla <unfixed> (high) + - xulruner <unfixed> (high) CVE-2006-2777 (Unspecified vulnerability in Mozilla Firefox before 1.5.0.4 and ...) - TODO: check + NOTE: MFSA-2006-43 + - firefox 1.5.dfsg+1.5.0.4-1 (high) + [sarge] - mozilla-firefox <unfixed> (high) + - mozilla <unfixed> (high) + - xulruner <unfixed> (high) CVE-2006-2776 (Certain privileged UI code in Mozilla Firefox and Thunderbird before ...) 
- TODO: check + NOTE: MFSA-2006-37 + - firefox 1.5.dfsg+1.5.0.4-1 (high) + [sarge] - mozilla-firefox <unfixed> (high) + - thunderbird <unfixed> (high) + [sarge] - mozilla-thunderbird <unfixed> (high) + - mozilla <unfixed> (high) + - xulruner <unfixed> (high) CVE-2006-2775 (Mozilla Firefox and Thunderbird before 1.5.0.4 associates XUL ...) - TODO: check + NOTE: MFSA-2006-35 + - firefox 1.5.dfsg+1.5.0.4-1 (high) + [sarge] - mozilla-firefox <unfixed> (high) + - thunderbird <unfixed> (high) + [sarge] - mozilla-thunderbird <unfixed> (high) + - mozilla <unfixed> (high) + - xulruner <unfixed> (high) CVE-2006-2774 (Cross-site scripting (XSS) vulnerability in search.php in QontentOne ...) TODO: check CVE-2006-2773 (admin/redigera/redigera2.asp in Hogstorps hogstorp Guestbook 2.0 does ...) @@ -108,8 +178,6 @@ TODO: check CVE-2006-2754 (Stack-based buffer overflow in st.c in slurpd for OpenLDAP before ...) TODO: check -CVE-2006-2753 (SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x ...) - TODO: check CVE-2006-2752 (The RedCarpet /etc/ximian/rcd.conf configuration file in Novell Linux ...) TODO: check CVE-2006-2751 (Cross-site scripting (XSS) vulnerability in Open Searchable Image ...) @@ -333,10 +401,10 @@ CVE-2006-XXXX [drupal: Execution of arbitrary files in certain Apache configurations] - drupal <unfixed> (bug #368835; medium) NOTE: Micah requested CVE, June 6, 2006 -CVE-2006-XXXX [mysql SQL-injection with multibyte encoding] +CVE-2006-2753 [mysql SQL-injection with multibyte encoding] - mysql-dfsg <removed> (bug #369741; bug #356751; medium) - mysql <unfixed> (bug #369754; medium) - - mysql-dfsg-5.0 <unfixed> (bug #369735; medium) + - mysql-dfsg-5.0 5.0.22-1 (bug #369735; medium) - mysql-dfsg-4.1 <unfixed> (medium) CVE-2006-2659 (libs/comverp.c in Courier MTA before 0.53.2 allows attackers to cause ...) - courier 0.53.2-1 (bug #368834) 
@@ -1068,7 +1136,7 @@ - postgresql-8.0 <removed> (medium) - postgresql-8.1 8.1.4-1 (medium) - psycopg 1.1.21-5 (bug #369230) - - python-pgsql <unfixed> (bug #369250) + - python-pgsql 2.4.0-8 (bug #369250) - pygresql 1:3.6.1-1 (bug #369239) [sarge] - pygresql <not-affected> (Already includes proper quoting) NOTE: Beginning with version 7.5.4, postgresql is a transition @@ -1910,9 +1978,13 @@ CVE-2006-1943 (Multiple cross-site scripting (XSS) vulnerabilities in Smarter Scripts ...) NOT-FOR-US: Smarter Scripts IntelliLink Pro CVE-2006-1942 (Mozilla Firefox 1.5.0.2 and possibly other versions before 1.5.0.4, ...) - TODO: check - NOTE: pkg-mozilla-maintainers are preparing a big security release, I''ve pinged them - NOTE: to ask about this issue + NOTE: MFSA-2006-39 + - firefox 1.5.dfsg+1.5.0.4-1 (low) + [sarge] - mozilla-firefox <unfixed> (low) + - thunderbird <unfixed> (low) + [sarge] - mozilla-thunderbird <unfixed> (low) + - mozilla <unfixed> (low) + - xulruner <unfixed> (low) CVE-2006-1941 (Neon Responder 5.4 for LANsurveyor allows remote attackers to cause a ...) NOT-FOR-US: Neon Responder CVE-2006-1940 (Unspecified vulnerability in Ethereal 0.10.4 up to 0.10.14 allows ...)
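Review bot: in the first hunk (@@ -2,6 +2,8 @@), the new `CVE-2006-XXXX [webalizer: symlink vulnerability]` entry carries no severity on its `- webalizer 2.01.10-29` line, unlike the neighbouring dokuwiki entries marked `(medium)`, and no `NOTE:` recording whether a CVE id has been requested, which the drupal placeholder further down does (`NOTE: Micah requested CVE, June 6, 2006`). Suggest adding a severity and a bug reference in the usual `(bug #NNNNNN; medium)` form so the placeholder can be tracked until the real id arrives.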
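Review bot: throughout the Mozilla hunk (@@ -41,31 +43,99 @@) the source package is spelled `xulruner` on every `- xulruner <unfixed>` line; the package is `xulrunner`, and a misspelled name will not match any real source package, so the tracker will never see a fixing upload for it. Also, the CVE-2006-2782 entry lists `[sarge] - mozilla-thunderbird <unfixed> (medium)` without the unstable `- thunderbird <unfixed>` line, and has a `firefox 1.5.dfsg+1.5.0.4-1` line without the `[sarge] - mozilla-firefox <unfixed>` counterpart that every other firefox entry in the hunk has; either complete that entry or drop the stray sarge thunderbird line, whichever MFSA-2006-41 supports.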
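Review bot: the deletion of the imported `CVE-2006-2753 (SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x ...)` stub and its `TODO: check` in the hunk at @@ -108,8 +178,6 @@ is only correct because the same id is assigned to the existing mysql entry in the later hunk; keeping both changes in one commit, as done here, is what prevents the CVE from going missing from the list, so please keep them together if this is ever split or reverted.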
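Review bot: in the mysql hunk (@@ -333,10 +401,10 @@) only `- mysql-dfsg-5.0 5.0.22-1` gets a fixed version, while `- mysql-dfsg-4.1 <unfixed> (medium)` and `- mysql <unfixed>` stay open although the CVE text covers 4.1.x before 4.1.20 as well; a `NOTE:` naming the upstream fixed versions (4.1.20 / 5.0.22) next to the renamed `CVE-2006-2753 [mysql SQL-injection with multibyte encoding]` line would make it clear what the 4.1 packages are waiting on.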
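Review bot: in the postgresql hunk (@@ -1068,7 +1136,7 @@) `- python-pgsql 2.4.0-8 (bug #369250)` records the unstable fix but nothing about sarge, whereas the neighbouring pygresql entry has `[sarge] - pygresql <not-affected> (Already includes proper quoting)`; add a `[sarge] - python-pgsql` line, either `<unfixed>` or `<not-affected>` with the reason, so the stable status is not left implicit.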
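Review bot: the CVE-2006-1942 hunk (@@ -1910,9 +1978,13 @@) repeats the `xulruner` misspelling on its `- xulruner <unfixed> (low)` line (should be `xulrunner`); it also drops the two `NOTE:` lines about pkg-mozilla-maintainers preparing a security release, which is fine now that `NOTE: MFSA-2006-39` and the `firefox 1.5.dfsg+1.5.0.4-1` version replace them, but the `[sarge] - mozilla-firefox <unfixed> (low)` and `[sarge] - mozilla-thunderbird <unfixed> (low)` lines still have no pointer to who is handling the sarge update.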