Author: micah Date: 2006-01-19 02:53:50 +0000 (Thu, 19 Jan 2006) New Revision: 3319 Modified: data/CVE/list Log: Bug num for drupal vulns in sarge Sarge false positive checks up through ''d'' One false positive found Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-01-18 17:25:08 UTC (rev 3318) +++ data/CVE/list 2006-01-19 02:53:50 UTC (rev 3319) @@ -1901,12 +1901,13 @@ CVE-2005-3976 (SQL injection vulnerability in type.asp, as used in multiple DUware ...) NOT-FOR-US: Multipke DuWare products CVE-2005-3975 (Interpretation conflict in file.inc in Drupal 4.5.0 through 4.5.5 and ...) - - drupal 4.5.6-1 (medium) + - drupal 4.5.6-1 (bug #348811; medium) CVE-2005-3974 (Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on ...) - drupal 4.5.6-1 (low) [sarge] - drupal <not-affected> (Only vulnerable if running PHP 5) CVE-2005-3973 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal 4.5.0 ...) - - drupal 4.5.6-1 (medium) + - drupal 4.5.6-1 (bug #348811; medium) + NOTE: Sarge is affected CVE-2005-3972 (Cross-site scripting (XSS) vulnerability in extremesearch.php in ...) NOT-FOR-US: Extreme Search Corporate Edition CVE-2005-3971 (Cross-site scripting (XSS) vulnerability in the login form in Citrix ...) @@ -2792,6 +2793,7 @@ NOT-FOR-US: Dynix WebPac CVE-2004-2541 (Buffer overflow in Cscope 15.5, and possibly multiple overflows, ...) - cscope <unfixed> (bug #340177; medium) + NOTE: Sarge and Woody are affected CVE-2005-XXXX [unsafe file permissions in vpnc] - vpnc <unfixed> (bug #340105; medium) CVE-2005-XXXX [Insecure tempfiles in libjpeg] @@ -4735,6 +4737,7 @@ - hdup <unfixed> (bug #302790; low) CVE-2001-XXXX [crypt++ passes passwords through the command line] - crypt++el <unfixed> (bug #105562; low) + NOTE: Sarge and Woody are affected CVE-2004-XXXX [Two vulnerabilities in sredird] - sredird 2.2.1-1.1 (bug #267098) CVE-2003-XXXX [fuzz: Insecure temp file usage] @@ -4880,6 +4883,7 @@ CVE-2005-XXXX [Multiple security issues when using distcc without ssh auth] - distcc 2.18.3-3 (bug #298929; low) NOTE: Only affects distcc in a very non-standard setup + NOTE: Sarge affected CVE-2004-XXXX [phpwiki shares a cookie for all wikis on a host] - phpwiki <unfixed> (bug #282565; medium) CVE-2005-XXXX [Possibly incorrect virtualisation in php4] @@ -5884,6 +5888,8 @@ - egroupware <not-affected> (copy included is older and not vulnerable; bug #339583) CVE-2005-XXXX [cplay - still unsafe temporary file handling vulnerable to symlink attacks] - cplay 1.49-8 (bug #324913; low) + [woody] - cplay <not-affected> (CPLAY_TMP doesn''t exist in this version) + NOTE: Sarge is affected CVE-2005-XXXX [$servers[$i][''disable_anon_bind''] = true doesn''t prevent anonymous to access ldap directory] - phpldapadmin 0.9.6c-5 (bug #322423; low) CVE-2005-2672 (pwmconfig in LM_sensors before 2.9.1 creates temporary files ...) @@ -8398,6 +8404,7 @@ NOTE: oldstable (woody) had zlib 1.1, which is not affected [woody] - dpkg <not-affected> (Woody contains zlib 1.1, which is not affected) - dpkg 1.13.11 (bug #317967; medium) + NOTE: Sarge is affected - zsync 0.4.0-2 (bug #317968; medium) [woody] - dump <not-affected> (Woody contains zlib 1.1, which is not affected) - dump 0.4b40-1 (bug #317966; medium) @@ -8932,6 +8939,7 @@ NOT-FOR-US: Drupal CVE-2002-1805 (Cross-site scripting (XSS) vulnerability in DaCode 1.2.0 allows remote ...) - dacode <unfixed> (bug #322605; low) + NOTE: Sarge is affected (has same version as testing/unstable) CVE-2002-1804 (Cross-site scripting (XSS) vulnerability in NPDS 4.8 allows remote ...) NOT-FOR-US: NPDS CVE-2002-1803 (Cross-site scripting (XSS) vulnerability in PHP-Nuke 6.0 allows remote ...)