Moritz Muehlenhoff
2006-May-15 15:12 UTC
[Secure-testing-commits] r3955 - in data: CVE DSA
Author: jmm-guest Date: 2006-05-15 15:10:10 +0000 (Mon, 15 May 2006) New Revision: 3955 Modified: data/CVE/list data/DSA/list Log: new webcalendar DSA one more issue fixed by mozilla DSA one more issue fixed by older curl DSA gcc-4.1 issue a non-issue no-dsa monopd quake2 no-dsa record fix for rssh, which came through s-p-u remove old wdm non-issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-05-15 09:14:23 UTC (rev 3954) +++ data/CVE/list 2006-05-15 15:10:10 UTC (rev 3955) @@ -1028,7 +1028,8 @@ CVE-2006-1903 (Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila ...) NOT-FOR-US: UserLand Manila CVE-2006-1902 (fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 ...) - - gcc-4.1 4.1.0-2 (bug #356896; low) + - gcc-4.1 4.1.0-2 (bug #356896; unimportant) + NOTE: Turned out to be a non-issue CVE-2006-1901 (Mozilla Camino 1.0 and earlier allow remote attackers to cause a ...) NOT-FOR-US: Mozilla Camino CVE-2006-1900 (Multiple buffer overflows in World Wide Web Consortium (W3C) Amaya ...) @@ -3134,7 +3135,8 @@ CVE-2006-1047 (Unspecified vulnerability in the "Remember Me login functionality" in ...) NOT-FOR-US: Joomla! CVE-2006-1046 (server.cpp in Monopd 0.9.3 allows remote attackers to cause a denial ...) - - monopd <unfixed> (bug #355797) + - monopd <unfixed> (bug #355797; low) + [sarge] - monopd <no-dsa> (Very minor security ramifications) CVE-2006-1045 (The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block ...) {DSA-1051-1 DSA-1046-1} - thunderbird 1.5.0.2-1 
@@ -7574,22 +7576,30 @@ NOT-FOR-US: Intel hardware CVE-2004-2599 (Multiple buffer overflows in Quake II server before R1Q2, as used in ...) - quake2 <unfixed> (bug #280573; low) + [sarge] - quake2 <no-dsa> (Documented to be insecure, contrib) NOTE: There is a big note in the quake2 package stating that it is not secure. NOTE: Otherwise severity would be high. CVE-2004-2598 (Quake II server before R1Q2, as used in multiple products, allows ...) - quake2 <unfixed> (bug #280573; low) + [sarge] - quake2 <no-dsa> (Documented to be insecure, contrib) CVE-2004-2597 (Quake II server before R1Q2, as used in multiple products, allows ...) - quake2 <unfixed> (bug #280573; low) + [sarge] - quake2 <no-dsa> (Documented to be insecure, contrib) CVE-2004-2596 (Quake II server before R1Q2, as used in multiple products, allows ...) - quake2 <unfixed> (bug #280573; low) + [sarge] - quake2 <no-dsa> (Documented to be insecure, contrib) CVE-2004-2595 (Absolute path traversal vulnerability in Quake II server before R1Q2 ...) - quake2 <unfixed> (bug #280573; low) + [sarge] - quake2 <no-dsa> (Documented to be insecure, contrib) CVE-2004-2594 (Absolute path traversal vulnerability in Quake II server before R1Q2 ...) - quake2 <unfixed> (bug #280573; low) + [sarge] - quake2 <no-dsa> (Documented to be insecure, contrib) CVE-2004-2593 (Buffer overflow in command-packet processing of Quake II server before ...) - quake2 <unfixed> (bug #280573; low) + [sarge] - quake2 <no-dsa> (Documented to be insecure, contrib) CVE-2004-2592 (Quake II server before R1Q2, as used in multiple products, allows ...) - quake2 <unfixed> (bug #280573; low) + [sarge] - quake2 <no-dsa> (Documented to be insecure, contrib) CVE-2004-2591 (The data-overwrite capability of ButtUglySoftware CleanCache 2.19 does ...) NOT-FOR-US: ButtUglySoftware CleanCache CVE-2004-2590 (Unspecified vulnerability in meindlSOFT Cute PHP Library (aka cphplib) ...) 
@@ -9063,6 +9073,8 @@ - osh 1.7-15 (bug #338312; bug #323424; bug #323482; bug #311369; medium) CVE-2005-3345 (rssh 2.0.0 through 2.2.3 allows local users to bypass access ...) - rssh 2.3.0-1 (bug #344395; bug #344424) + [sarge] - rssh 2.2.3-1.sarge.1 + NOTE: Update was introduced through s-p-u, not a DSA CVE-2005-3344 (The default installation of Horde 3.0.4 contains an administrative ...) {DSA-884-1} - horde3 3.0.5-2 (bug #332290; bug #332289; medium) @@ -9867,8 +9879,6 @@ CVE-2004-XXXX [Insecure temp files in amanda''s chg-manual] - amanda 1:2.4.5p1-1 (bug #226139; low) NOTE: Woody and Sarge affected -CVE-2004-XXXX [Buffer overflow in wdm''s login] - - wdm <unfixed> (bug #276218; low) CVE-2005-3752 (Unspecified vulnerability in ldapdiff before 1.1.1 has unknown impact ...) - ldapdiff <not-affected> (The version in Debian doesn''t contain the vulnerable code, see #306878) CVE-2005-XXXX [apt-cache doesn''t differentiate sources which share several properties] @@ -17192,8 +17202,6 @@ CVE-2005-XXXX [Multiple security problems in Quake 2] NOTE: this release added lots of warnings about the security problems - quake2 1:0.3-1.1 - - quake2 <unfixed> (bug #280573; low) - NOTE: CVE id requested from mitre CVE-2005-1245 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.2, ...) - mediawiki 1.4.9 (bug #276057) CVE-2005-1244 (** DISPUTED ** ...) Modified: data/DSA/list ==================================================================--- data/DSA/list 2006-05-15 09:14:23 UTC (rev 3954) +++ data/DSA/list 2006-05-15 15:10:10 UTC (rev 3955) @@ -1,3 +1,6 @@ +[15 May 2006] DSA-1056-1 webcalendar - verbose error message + {CVE-2006-2247} + [sarge] - webcalendar 0.9.45-4sarge4 [11 May 2006] DSA-1055-1 mozilla-firefox - programming error {CVE-2006-1993} [sarge] - mozilla-firefox 1.0.4-2sarge7 
@@ -28,7 +31,7 @@ [30 Apr 2006] DSA-1047-1 resmgr - programming error [sarge] - resmgr 1.0-2sarge2 [27 Apr 2006] DSA-1046-1 mozilla - several - {CVE-2005-2353 CVE-2005-4134 CVE-2006-0292 CVE-2006-0293 CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1045 CVE-2006-1529 CVE-2006-1530 CVE-2006-1531 CVE-2006-1723 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1736 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790} + {CVE-2006-1732 CVE-2005-2353 CVE-2005-4134 CVE-2006-0292 CVE-2006-0293 CVE-2006-0748 CVE-2006-0749 CVE-2006-0884 CVE-2006-1045 CVE-2006-1529 CVE-2006-1530 CVE-2006-1531 CVE-2006-1723 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1736 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790} [sarge] - mozilla 1.7.8-1sarge5 [27 Apr 2006] DSA-1045-1 openvpn - design error {CVE-2006-1629} @@ -583,7 +586,7 @@ [sarge] - ethereal 0.10.10-2sarge3 NOTE: not fixed in testing at time of DSA (unfixed in sid) [12 Dec 2005] DSA-919-2 curl - buffer overflow - {CVE-2005-4077} + {CVE-2005-4077 CVE-2005-3185} [woody] - curl 7.9.5-1woody2 [sarge] - curl 7.13.2-2sarge5 NOTE: partially fixed in testing at time of DSA
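Review bot: in the CVE-2006-1902 entry of data/CVE/list, the added `NOTE: Turned out to be a non-issue` gives no reason and no pointer. The urgency drops from low to unimportant on the strength of that note alone, so state the reason in the NOTE or refer to the discussion in bug #356896, so the downgrade can be checked later without searching the list archives.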
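Review bot: the data/CVE/list hunk at @@ -9867 deletes the `CVE-2004-XXXX [Buffer overflow in wdm''s login]` entry outright, which also drops the tracker's reference to bug #276218. The gcc-4.1 change in this same revision records a non-issue by keeping the entry, marking it unimportant and adding a NOTE; handling wdm the same way would keep the reasoning in the data file instead of only in the commit log.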
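Review bot: in the data/CVE/list hunk at @@ -17192, removing `- quake2 <unfixed> (bug #280573; low)` leaves the `CVE-2005-XXXX [Multiple security problems in Quake 2]` placeholder with only `- quake2 1:0.3-1.1`, so it now reads as fixed in that version while CVE-2004-2592 through CVE-2004-2599 list quake2 as `<unfixed>` for the same bug. Add a NOTE to the placeholder pointing at those eight ids, or drop the placeholder, so the two places do not disagree.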
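Review bot: the new DSA-1056-1 entry at the top of data/DSA/list names CVE-2006-2247, but no hunk in data/CVE/list touches that id in this revision. Entries there carry a back-reference, for example `{DSA-1051-1 DSA-1046-1}` under CVE-2006-1045, so unless a later step fills these in, check that CVE-2006-2247 has `{DSA-1056-1}` and a webcalendar line. The same check applies to the two ids added to existing DSAs here, CVE-2006-1732 and CVE-2005-3185.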
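Review bot: in the DSA-1046-1 hunk of data/DSA/list, CVE-2006-1732 is prepended to a list that is otherwise in ascending order, from CVE-2005-2353 through CVE-2006-1790. Placing it between CVE-2006-1731 and CVE-2006-1733 keeps the line sorted and makes the next diff of it easier to read. The DSA-919-2 hunk has the same ordering issue, with CVE-2005-3185 appended after CVE-2005-4077.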