Author: jmm-guest Date: 2005-12-19 00:11:32 +0000 (Mon, 19 Dec 2005) New Revision: 3093 Modified: data/CVE/list data/embedded-code-copies Log: more syntax conversions Modified: data/CVE/list ==================================================================--- data/CVE/list 2005-12-18 22:47:53 UTC (rev 3092) +++ data/CVE/list 2005-12-19 00:11:32 UTC (rev 3093) @@ -17583,7 +17583,7 @@ CVE-2004-0174 (Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using ...) - apache 1.3.29.0.2-5 CVE-2004-0172 (Heap-based buffer overflow in the search_for_command function of ...) - NOT-FOR-US: ltrace; Debian (and no other distribution) installs this SUID root + - ltrace <not-affected> (Not setuid/setgid in Debian) CVE-2004-0170 RESERVED CVE-2004-0168 (Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related ...) @@ -17686,8 +17686,8 @@ - libxml2 2.6.6-1 CVE-2004-0109 (Buffer overflow in the ISO9660 file system component for Linux kernel ...) {DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479} - - kernel-source-2.4.27 2.4.27-1 - NOTE: fixed in 2.4.26-rc4 + - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive; 2.4.26-rc4) + TODO: Check 2.6 CVE-2004-0107 (The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier ...) - sysstat 5.0.2-1 CVE-2004-0106 (Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to ...) @@ -17743,7 +17743,7 @@ CVE-2004-0076 REJECTED CVE-2004-0074 (Multiple buffer overflows in xsok 1.02 allows local users to gain ...) - NOTE: turned out not to be vulnerable. See bug #278777 + - xsok <not-affected> (Not vulnerable. See bug #278777) CVE-2004-0073 (PHP remote code injection vulnerability in (1) config.php and (2) ...) NOT-FOR-US: EasyDynamicPages CVE-2004-0072 (Directory traversal vulnerability in Accipiter Direct Server 6.0 ...) @@ -17850,8 +17850,7 @@ RESERVED CVE-2004-0010 (Stack-based buffer overflow in the ncp_lookup function for ncpfs in ...) {DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479} - - kernel-source-2.4.27 2.4.27-1 - NOTE: fixed in 2.4.25-pre7 + - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive; 2.4.25-pre7) CVE-2004-0008 (Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before ...) {DSA-434} - gaim 1:0.75-2 @@ -17866,8 +17865,7 @@ - gaim 1:0.75-2 CVE-2004-0003 (Unknown vulnerability in Linux kernel before 2.4.22 allows local users ...) {DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479} - - kernel-source-2.4.27 2.4.27-1 - NOTE: fixed in 2.4.26-rc4 + - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive; 2.4.26-rc4) CVE-2004-0002 (The TCP MSS (maximum segment size) functionality in netinet allows ...) NOT-FOR-US: FreeBSD netinet CVE-2003-1565 @@ -17948,12 +17946,10 @@ - flashplugin-nonfree 7.0.25-1 CVE-2003-1016 (Multiple content security gateway and antivirus products allow remote ...) NOTE: Multiple vendor MIME quote bypass filtering - TODO: unchecked CVE-2003-1015 (Multiple content security gateway and antivirus products allow remote ...) - mime-tools 5.411-2 CVE-2003-1014 (Multiple content security gateway and antivirus products allow remote ...) NOTE: Multiple vendor MIME RFC822 comment bypass filtering - TODO: unchecked CVE-2003-1013 (The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows ...) {DSA-407} - ethereal 0.10.0-1 @@ -17984,7 +17980,6 @@ NOT-FOR-US: Cisco CVE-2003-1000 (xchat 2.0.6 allows remote attackers to cause a denial of service ...) - xchat 2.0.7 - NOTE: apparently only DOS CVE-2003-0999 (Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint ...) NOT-FOR-US: Solaris CVE-2003-0998 (Unknown "potential system security vulnerability" in Computer ...) @@ -18026,7 +18021,7 @@ CVE-2003-0976 (NFS Server (XNFS.NLM) for Novell NetWare 6.5 does not properly enforce ...) NOT-FOR-US: netware CVE-2003-0975 (Apple Safari 1.0 through 1.1 on Mac OS X 10.3.1 and Mac OS X 10.2.8 ...) - NOTE: nor-for-us (MacOS) + NOT-FOR-US: MacOS CVE-2003-0974 (Applied Watch Command Center allows remote attackers to conduct ...) NOT-FOR-US: Applied Watch Command Center CVE-2003-0973 (Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x ...) @@ -18041,8 +18036,8 @@ CVE-2003-0970 (The Network Management Port on Sun Fire B1600 systems allows remote ...) NOT-FOR-US: Sun Fire B1600 CVE-2003-0968 (Stack-based buffer overflow in SMB_Logon_Server of the rlm_smb ...) + - freeradius 1.0.1 (unimportant) NOTE: freeradius module in question is not built in debian package - NOTE: buffer overflow apparently fixed in freeradius 1.0.1 CVE-2003-0967 (rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to ...) - freeradius 0.9.2-4 CVE-2003-0996 (Unknown "System Security Vulnerability" in Computer Associates (CA) ...) @@ -18087,9 +18082,9 @@ {DSA-405} - xsok 1.02-11 CVE-2003-0948 (Buffer overflow in iwconfig allows local users to execute arbitrary ...) - NOTE: not vulnerable, iwconfig not setuid/setgid in Debian. + - wireless-tools <not-affected> (iwconfig not setuid/setgid in Debian) CVE-2003-0947 (Buffer overflow in iwconfig, when installed setuid, allows local users ...) - NOTE: not vulnerable, iwconfig not setuid/setgid in Debian. + - wireless-tools <not-affected> (iwconfig not setuid/setgid in Debian) CVE-2003-0946 (Format string vulnerability in clamav-milter for Clam AntiVirus 0.60 ...) - clamav 0.65 CVE-2003-0945 (The Web Database Manager in web-tools for SAP DB before 7.4.03.30 ...) @@ -18272,6 +18267,7 @@ NOTE: php4, this bug appears not to have been fixed. NOTE: submitted to BTS on libapache-mod-php4 NOTE: developer claims there is no problem + TODO: Which bug is meant here? CVE-2003-0862 REJECTED CVE-2003-0861 (Integer overflows in (1) base64_encode and (2) the GD library for PHP ...) @@ -18279,6 +18275,7 @@ CVE-2003-0860 (Buffer overflows in PHP before 4.3.3 have unknown impact and unknown ...) - php4 4:4.3.3-1 CVE-2003-0859 (The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows ...) + TODO: When was this fixed? oldstable could be affected NOTE: affects glibc 2.2.4, Debian uses 2.3.2 CVE-2003-0858 (Zebra 0.93b and earlier, and quagga before 0.95, allows local users to ...) {DSA-415} @@ -18298,6 +18295,7 @@ CVE-2003-0852 (Format string vulnerability in send_message.c for Sylpheed-claws 0.9.4 ...) - sylpheed-claws 0.9.8claws-1 CVE-2003-0851 (OpenSSL 0.9.6k allows remote attackers to cause a denial of service ...) + TODO: Check, oldstable might be affected NOTE: affects openssl 0.9.6. Testing uses 0.9.7. CVE-2003-0850 (The TCP reassembly functionality in libnids before 1.18 allows remote ...) {DSA-410} @@ -18314,14 +18312,14 @@ CVE-2003-0845 (Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 ...) NOT-FOR-US: JBoss CVE-2003-0844 (mod_gzip 1.3.26.1a and earlier, and possibly later official versions, ...) - NOTE: libapache-mod-gzip, vulnerable only when compiled in debug mode - NOTE: Debian doesn''t enable MOD_GZIP_DEBUG1. + - libapache-mod-gzip <unfixed> (Debian doesn''t enable vulnerable debug mode) + TODO: Check, whether this is fixed already CVE-2003-0843 (Format string vulnerability in mod_gzip_printf for mod_gzip 1.3.26.1a ...) - NOTE: libapache-mod-gzip, vulnerable only when compiled in debug mode - NOTE: Debian doesn''t enable MOD_GZIP_DEBUG1. + - libapache-mod-gzip <unfixed> (Debian doesn''t enable vulnerable debug mode) + TODO: Check, whether this is fixed already CVE-2003-0842 (Stack-based buffer overflow in mod_gzip_printf for mod_gzip 1.3.26.1a ...) - NOTE: libapache-mod-gzip, vulnerable only when compiled in debug mode - NOTE: Debian doesn''t enable MOD_GZIP_DEBUG1. + - libapache-mod-gzip <unfixed> (Debian doesn''t enable vulnerable debug mode) + TODO: Check, whether this is fixed already CVE-2003-0841 (The grid option in PeopleSoft 8.42 stores temporary .xls files in ...) NOT-FOR-US: Peoplesoft CVE-2003-0840 (Buffer overflow in dtprintinfo on HP-UX 11.00, and possibly other ...) @@ -18335,7 +18333,7 @@ CVE-2003-0836 (Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 before ...) NOT-FOR-US: IBM DB2 CVE-2003-0835 (Multiple buffer overflows in asf_http_request of MPlayer before 0.92 ...) - NOT-FOR-US: mplayer + - mplayer <itp> (bug #113238) CVE-2003-0834 (Buffer overflow in CDE libDtHelp library allows local users to execute ...) NOT-FOR-US: CDE CVE-2003-0833 (Stack-based buffer overflow in webfs before 1.20 allows attackers to ...) Modified: data/embedded-code-copies ==================================================================--- data/embedded-code-copies 2005-12-18 22:47:53 UTC (rev 3092) +++ data/embedded-code-copies 2005-12-19 00:11:32 UTC (rev 3093) @@ -1,3 +1,4 @@ + This file collects cases, where a source package embeds code from other projects, without linking dynamically: @@ -146,3 +147,7 @@ curl: wget (code for NTLM authentication) + + +TODO evaluate: +gimp-gap \ No newline at end of file
Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r3093 - in data: . CVE
* Moritz Muehlenhoff:> CVE-2003-0844 (mod_gzip 1.3.26.1a and earlier, and possibly later official versions, ...) > - NOTE: libapache-mod-gzip, vulnerable only when compiled in debug mode > - NOTE: Debian doesn''t enable MOD_GZIP_DEBUG1. > + - libapache-mod-gzip <unfixed> (Debian doesn''t enable vulnerable debug mode) > + TODO: Check, whether this is fixed alreadyIs this <unfixed> or <not-affected>, or just unimportant