Author: jmm-guest Date: 2005-12-26 13:35:33 +0000 (Mon, 26 Dec 2005) New Revision: 3162 Modified: data/CVE/list Log: more syntax updates and tracker polishing Modified: data/CVE/list ==================================================================--- data/CVE/list 2005-12-26 01:26:44 UTC (rev 3161) +++ data/CVE/list 2005-12-26 13:35:33 UTC (rev 3162) @@ -20016,7 +20016,7 @@ CVE-2003-0331 (SQL injection vulnerability in ttForum allows remote attackers to ...) NOT-FOR-US: ttForum CVE-2003-0330 (Buffer overflow in unknown versions of Maelstrom allows local users to ...) - NOTE: maelstrom in sarge tests not vulnerable to exploit. Unsure when fixed. + - maelstrom <not-affected> (Melstrom in Sarge tests not vulnerable to exploit. Unsure when fixed.) CVE-2003-0329 (CesarFTP 0.99g stores user names and passwords in plaintext in the ...) NOT-FOR-US: CesarFTP CVE-2003-0328 (EPIC IRC Client (EPIC4) pre2.002, pre2.003, and possibly later ...) 
@@ -20026,13 +20026,10 @@ CVE-2003-0327 (Sybase Adaptive Server Enterprise (ASE) 12.5 allows remote attackers ...) NOT-FOR-US: Sybase Adaptive Server Enterprise CVE-2003-0326 (Integer overflow in parse_decode_path() of slocate may allow attackers ...) - NOTE: bug does exist in slocate. - NOTE: only impacts security if kernel has been recompiled to allow - NOTE: an absurd 536870912 bytes of command line arguments. This is - NOTE: very unlikely, and if you do exploit it, you get only slocate - NOTE: gid. + - slocate <not-affected> (Only an issue if kernel has been recompiled to allow 512 MB of command line arguments) + NOTE: Even if exploited, you get only slocate gid. CVE-2003-0325 (Buffer overflow in Maelstrom 3.0.6, 3.0.5, and earlier allows local ...) - NOTE: maelstrom in sarge tests not vulnerable to exploit. Unsure when fixed. + - maelstrom <not-affected> (Melstrom in Sarge tests not vulnerable to exploit. Unsure when fixed.) CVE-2003-0324 (Buffer overflows in EPIC IRC Client (EPIC4) 1.0.1 allows remote ...) {DSA-287} - epic4 1:1.1.11.20030409-1 @@ -20068,9 +20065,7 @@ CVE-2003-0311 RESERVED CVE-2003-0310 (Cross-site scripting (XSS) vulnerability in articleview.php for eZ ...) - NOTE: author apparently fixed hole by time vuln was reported, - NOTE: and I guess that fix made it into new upstream versions, - NOTE: but I did not check in detail + - ezpublish 2.2.8-1 CVE-2003-0309 (Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass ...) NOT-FOR-US: MSIE CVE-2003-0308 (The Sendmail 8.12.3 package in Debian GNU/Linux 3.0 does not securely ...) 
@@ -20091,18 +20086,16 @@ CVE-2003-0301 (The IMAP Client for Outlook Express 6.00.2800.1106 allows remote ...) NOT-FOR-US: Microsort CVE-2003-0300 (The IMAP Client for Sylpheed 0.8.11 allows remote malicious IMAP ...) - NOTE: sylpheed and sylpheed-claws might still be vulnerable - NOTE: but it''s only a crasher + TODO: sylpheed and sylpheed-claws might still be vulnerable, but it''s only a crasher CVE-2003-0299 (The IMAP Client, as used in mutt 1.4.1 and Balsa 2.0.10, allows remote ...) - NOTE: mutt and balsa might still be vulnerable - NOTE: but it''s only a crasher + TODO: mutt and balsa might still be vulnerable, but it''s only a crasher CVE-2003-0298 (The IMAP Client for Mozilla 1.3 and 1.4a allows remote malicious IMAP ...) - mozilla 2:1.5-1 NOTE: May have been fixed in an earlier version. Not clear how NOTE: Mozilla''s a/b versions map to the Debian version. CVE-2003-0297 (c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows ...) - uw-imap 7:2002c - NOTE: did not check pine + TODO: check pine CVE-2003-0296 (The IMAP Client for Evolution 1.2.4 allows remote malicious IMAP ...) - evolution 1.3.2 CVE-2003-0295 (Cross-site scripting (XSS) vulnerability in private.php for vBulletin ...) @@ -20135,9 +20128,7 @@ {DSA-344} - unzip 5.50-3 CVE-2003-0281 (Buffer overflow in Firebird 1.0.2 and other versions before 1.5, and ...) - - firebird2 1.5.1-1 - NOTE: firebird (1) in debian is very insecure and vulnerable, but - NOTE: the server is not included, just the libraries. See bug #251458 + - firebird2 1.5.1-1 (bug #251458) CVE-2003-0280 (Multiple buffer overflows in the SMTP Service for ESMTP CMailServer ...) NOT-FOR-US: SMTP Service for ESMTP CMailServer CVE-2003-0279 (Multiple SQL injection vulnerabilities in the Web_Links module for ...) 
@@ -20153,7 +20144,7 @@ CVE-2003-0274 (Buffer overflow in catmail for ListProc 8.2.09 and earlier allows ...) NOT-FOR-US: ListProc CVE-2003-0273 (Cross-site scripting (XSS) vulnerability in the web interface for ...) - NOTE: old version of Request Tracker not in debian. + - request-tracker3.4 <not-affected> (Affects older versions of Request Tracker not in Debian) CVE-2003-0272 (admin.php in miniPortail allows remote attackers to gain ...) NOT-FOR-US: miniPortail CVE-2003-0271 (Buffer overflow in Personal FTP Server allows remote attackers to ...) @@ -20209,12 +20200,15 @@ CVE-2003-0248 (The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU ...) {DSA-442 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.4.27 <not-affected> (Fixed before initial upload; 2.4.22-pre10) + - linux-2.6 <not-affected> CVE-2003-0247 (Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows ...) {DSA-442 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.4.27 <not-affected> (Fixed before initial upload; 2.4.21-rc4) + - linux-2.6 <not-affected> CVE-2003-0246 (The ioperm system call in Linux kernel 2.4.20 and earlier does not ...) {DSA-442 DSA-336 DSA-332 DSA-312 DSA-311} - kernel-source-2.4.27 <not-affected> (Fixed before initial upload; 2.4.21-rc4) + - linux-2.6 <not-affected> CVE-2003-0245 (Vulnerability in the apr_psprintf function in the Apache Portable ...) - apache2 2.0.46 CVE-2003-0244 (The route cache implementation in Linux 2.4, and the Netfilter IP ...) @@ -20335,7 +20329,7 @@ {DSA-317} - cupsys 1.1.19final-1 CVE-2003-0194 (tcpdump does not properly drop privileges to the pcap user when ...) - NOTE: apparently a redhat specific compilation prolem of tcpdump + - tcpdump <not-affected> (Apparently a Red Hat specific compilation packaging flaw) CVE-2003-0193 (msxlsview.sh in xlsview for catdoc 0.91 and earlier allows local users ...) {DSA-575-1} - catdoc 0.91.5-2 
@@ -20349,7 +20343,7 @@ {DSA-304} - lv 4.49.5-2 CVE-2003-0187 (The connection tracking core of Netfilter for Linux 2.4.20, with ...) - NOTE: only affects kernel 2.4.19, 2.4.20. + - kernel-source-2.4.27 <not-affected> (Fixed before upload into archive; 2.4.21) CVE-2003-0186 RESERVED CVE-2003-0185 @@ -20380,7 +20374,7 @@ {DSA-283} - xfsdump 2.2.8-1 CVE-2003-0172 (Buffer overflow in openlog function for PHP 4.3.1 on Windows operating ...) - NOTE: not belived to be vulnerable (http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2) + - php4 <not-affected> (Non-issue; see http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2) CVE-2003-0171 (DirectoryServices in MacOS X trusts the PATH environment variable to ...) NOT-FOR-US: MacOS CVE-2003-0170 (Unknown vulnerability in ftpd in IBM AIX 5.2, when configured to use ...) @@ -20394,13 +20388,13 @@ - balsa 2.0.10 - mutt 1.4.0 CVE-2003-0166 (Integer signedness error in emalloc() function for PHP before 4.3.2 ...) - NOTE: not belived to be vulnerable (http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2) + - php4 <not-affected> (Non-issue; see http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2) CVE-2003-0165 (Format string vulnerability in Eye Of Gnome (EOG) allows attackers to ...) - eog 2.2.1 CVE-2003-0164 RESERVED CVE-2003-0163 (decrypt_msg for the Gaim-Encryption GAIM plugin 1.15 and earlier does ...) - NOTE: Gaim-Encryption Plugin not in debian + TODO: Check, gaim-encryption is now in Debian CVE-2003-0162 (Ecartis 1.0.0 (formerly listar) before snapshot 20030227 allows remote ...) {DSA-271} - ecartis 1.0.0+cvs.20030321-1 
@@ -20473,7 +20467,7 @@ {DSA-285} - lprng 3.8.20-4. CVE-2003-0135 (vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP ...) - NOTE: red-hat specific compilation problem of vsftpd + - vsftpd <not-affected> (Red Hat specific packaging flaw) CVE-2003-0134 (Unknown vulnerability in filestat.c for Apache running on OS2, ...) - apache2 2.0.46 CVE-2003-0133 (GtkHTML, as included in Evolution before 1.2.4, allows remote ...) @@ -20551,7 +20545,7 @@ {DSA-262} - samba 2.2.8 CVE-2003-0084 (mod_auth_any package in Red Hat Enterprise Linux 2.1 and other ...) - NOTE: mod_auth_any not in Debian + NOT-FOR-US: mod_auth_any not in Debian CVE-2003-0083 (Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not ...) - apache2 2.0.46 - apache 1.3.25 @@ -20581,6 +20575,7 @@ CVE-2003-0049 (Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows ...) NOT-FOR-US: MacOS CVE-2003-0048 (PuTTY 0.53b and earlier does not clear logon credentials from memory, ...) + - putty 0.53-b-2003-01-04-1 NOTE: apparently fixed upstream 2002-11-12 changelog CVE-2003-0047 (SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX ...) NOT-FOR-US: commercial ssh clients @@ -20593,8 +20588,7 @@ {DSA-246} - tomcat <removed> CVE-2003-0041 (Kerberos FTP client allows remote FTP sites to execute arbitrary code ...) - NOTE: verified sarge version of krb5-clients not vulnerable - NOTE: nothing in changelogs + - krb5 <not-affected> (Verified sarge version of krb5-clients not vulnerable, nothing in changelogs) CVE-2003-0038 (Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 ...) {DSA-436} - mailman 2.1.1-1 
@@ -20606,9 +20600,9 @@ CVE-2003-0035 (Buffer overflow in escputil, as included in the printer-drivers ...) NOT-FOR-US: ml85p, as included in the printer-drivers package for Mandrake Linux CVE-2003-0034 (Buffer overflow in the mtink status monitor, as included in the ...) + - mtink <not-affected> (Not installed setuid or setgid, so this is not exploitable) NOTE: HOME overflow was fixed in mainSrc/rcfile.c, but not in NOTE: chooser/mtinkc.c''s version, which goes into mtinkc - NOTE: it''s not installed setuid or setgid, so this is not exploitable CVE-2003-0031 (Multiple buffer overflows in libmcrypt before 2.5.5 allow attackers to ...) {DSA-228} - libmcrypt 2.5.5-1 @@ -20648,8 +20642,8 @@ CVE-2002-1583 (Buffer overflow in sqllib/security/db2ckpw for IBM DB2 Universal ...) NOT-FOR-US: IBM DB2 CVE-2002-1582 (compose.cgi in Mailreader.com 2.3.30 and 2.3.31, when using Sendmail ...) - NOTE: mailreader. Affects 2.3.30 and 2.3.31. - NOTE: Sarge uses 2.3.29. + [woody] - mailreader <not-affected> (Affects only 2.3.30-2.3.32) + - mailreader 2.3.33 CVE-2002-1581 (Directory traversal vulnerability in nph-mr.cgi in Mailreader.com ...) {DSA-534} - mailreader 2.3.29-9 @@ -20729,7 +20723,7 @@ CVE-2002-1535 (Secure Webserver 1.1 in Raptor 6.5 and Symantec Enterprise Firewall ...) NOT-FOR-US: Symantec CVE-2002-1533 (Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine ...) - NOTE: problem in jetty 4.1.0, Debian started with 4.2 + - jetty <not-affected> (Fixed before upload into archive; 4.1 series) CVE-2002-1527 (emumail.cgi in EMU Webmail 5.0 allows remote attackers to determine ...) NOT-FOR-US: EMU Webmail CVE-2002-1526 (Cross-site scripting (XSS) vulnerability in emumail.cgi for EMU ...) 
@@ -20750,11 +20744,11 @@ CVE-2002-1507 (Unreal Tournament 2003 (ut2003) clients and servers allow remote ...) NOT-FOR-US: Unreal CVE-2002-1506 (Buffer overflow in Linuxconf before 1.28r4 allows local users to ...) - NOTE: linuxconf not in unstable or testing + - linuxconf <removed> CVE-2002-1504 (Directory traversal vulnerability in WebServer 4 Everyone 1.22 allows ...) NOT-FOR-US: webserver-4everyone CVE-2002-1503 (Buffer overflow in Automatic File Distributor (AFD) 1.2.14 and earlier ...) - NOTE: AFD not in debian + NOT-FOR-US: AFD not in debian CVE-2002-1500 (Buffer overflow in (1) mrinfo, (2) mtrace, and (3) pppd in NetBSD ...) NOT-FOR-US: NetBSD CVE-2002-1499 (Multiple SQL injection vulnerabilities in FactoSystem CMS allows ...) @@ -20780,11 +20774,11 @@ CVE-2002-1483 (db4web_c and db4web_c.exe programs in DB4Web 3.4 and 3.6 allow remote ...) NOT-FOR-US: db4web CVE-2002-1482 (SQL injection vulnerability in login.php for phpGB 1.20 and earlier, ...) - NOTE: phpGB not in Debian + NOT-FOR-US: phpGB not in Debian CVE-2002-1481 (savesettings.php in phpGB 1.20 and earlier does not require ...) - NOTE: phpGB not in Debian + NOT-FOR-US: phpGB not in Debian CVE-2002-1480 (Cross-site scripting (XSS) vulnerability in phpGB before 1.20 allows ...) - NOTE: phpGB not in Debian + NOT-FOR-US: phpGB not in Debian CVE-2002-1475 (Unknown vulnerability in the ARP component for HP Tru64 UNIX 4.0f, ...) NOT-FOR-US: HPUX CVE-2002-1474 (Unknown vulnerability or vulnerabilities in TCP/IP component for HP ...) 
@@ -20806,13 +20800,13 @@ CVE-2002-1461 (Web Shop Manager 1.1 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Webshop Manager CVE-2002-1460 (L-Forum 2.40 and earlier does not properly verify whether a file was ...) - NOTE: L-Forum not in Debian + NOT-FOR-US: L-Forum not in Debian CVE-2002-1459 (Cross-site scripting vulnerability in L-Forum 2.40 and earlier, when ...) - NOTE: L-Forum not in Debian + NOT-FOR-US: L-Forum not in Debian CVE-2002-1458 (Cross-site scripting vulnerability in L-Forum 2.40 and earlier, when ...) - NOTE: L-Forum not in Debian + NOT-FOR-US: L-Forum not in Debian CVE-2002-1457 (SQL injection vulnerability in search.php for L-Forum 2.40 allows ...) - NOTE: L-Forum not in Debian + NOT-FOR-US: L-Forum not in Debian CVE-2002-1456 (Buffer overflow in mIRC 6.0.2 and earlier allows remote attackers to ...) NOT-FOR-US: mIRC CVE-2002-1455 (Multiple cross-site scripting (XSS) vulnerabilities in OmniHTTPd allow ...) @@ -20824,13 +20818,13 @@ CVE-2002-1452 (Buffer overflow in the search capability for MyWebServer 1.0.2 allows ...) NOT-FOR-US: MyWebServer CVE-2002-1451 (Blazix before 1.2.2 allows remote attackers to read source code of JSP ...) - NOTE: Blazix not in Debian + NOT-FOR-US: Blazix not in Debian CVE-2002-1450 (IBM UniVerse with UV/ODBC allows attackers to cause a denial of ...) NOT-FOR-US: IBM UniVerse CVE-2002-1449 (eUpload 1.0 stores the password.txt password file in plaintext under ...) - NOTE: eUpload not in Debian + NOT-FOR-US: eUpload not in Debian CVE-2002-1445 (Cross-site scripting (XSS) vulnerability in CERN Proxy Server allows ...) - NOTE: CERN HTTPD not in Debian + NOT-FOR-US: CERN HTTPD not in Debian CVE-2002-1444 (The Google toolbar 1.1.60, when running on Internet Explorer 5.5 and ...) NOT-FOR-US: Google Toolbar CVE-2002-1442 (The Google toolbar 1.1.58 and earlier allows remote web sites to ...) 
@@ -20852,20 +20846,18 @@ CVE-2002-1429 (Cross-site scripting vulnerability in board.php of endity.com ShoutBOX ...) NOT-FOR-US: ShoutBox CVE-2002-1428 (index.php in dotProject 0.2.1.5 allows remote attackers to bypass ...) - NOTE: dotproject not in Debian + NOT-FOR-US: dotproject CVE-2002-1427 (The print_html_to_file function in edit.cgi for Easy Homepage Creator ...) - NOTE: Easy Homepage Creator not in Debian + NOT-FOR-US: Easy Homepage Creator CVE-2002-1426 (HP ProCurve Switch 4000M C.07.23 allows remote attackers to cause a ...) NOT-FOR-US: HP CVE-2002-1423 (tmp_view.php in FUDforum before 2.2.0 allows remote attackers to read ...) - NOTE: vuln in fudforum before 2.2.0. fudforum in phpgroupware-fudforum - NOTE: is version 2.5.x + - phpgroupware <not-affected> (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x) + TODO: Check egroupware for this and CVE-2002-1422 and CVE-2004-1421 CVE-2002-1422 (admbrowse.php in FUDforum before 2.2.0 allows remote attackers to ...) - NOTE: vuln in fudforum before 2.2.0. fudforum in phpgroupware-fudforum - NOTE: is version 2.5.x + - phpgroupware <not-affected> (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x) CVE-2002-1421 (SQL injection vulnerabilities in FUDforum before 2.2.0 allow remote ...) - NOTE: vuln in fudforum before 2.2.0. fudforum in phpgroupware-fudforum - NOTE: is version 2.5.x + - phpgroupware <not-affected> (Issue in fudforum 2.2.0. fudforum in phpgroupware-fudforum is 2.5.x) CVE-2002-1416 (The POP3 service for WebEasyMail 3.4.2.2 and earlier generates ...) NOT-FOR-US: Webeasymail CVE-2002-1415 (Format string vulnerability in SMTP service for WebEasyMail 3.4.2.2 ...) 
@@ -20930,20 +20922,20 @@ - openldap2 2.0.27-3 CVE-2002-1376 (libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to ...) {DSA-212} - NOTE: bug in mysql 3, sarge uses mysql 4 + - mysql <removed> CVE-2002-1370 REJECTED CVE-2002-1368 (Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote ...) {DSA-232} - cupsys 1.1.18-1 CVE-2002-1360 (Multiple SSH2 servers and clients do not properly handle strings with ...) - NOTE: Debian uses openssh, not vulnerable + - openssh <not-affected> (OpenSSH not vulnerable) CVE-2002-1359 (Multiple SSH2 servers and clients do not properly handle large packets ...) - NOTE: Debian uses openssh, not vulnerable + - openssh <not-affected> (OpenSSH not vulnerable) CVE-2002-1358 (Multiple SSH2 servers and clients do not properly handle lists with ...) - NOTE: Debian uses openssh, not vulnerable + - openssh <not-affected> (OpenSSH not vulnerable) CVE-2002-1357 (Multiple SSH2 servers and clients do not properly handle packets or ...) - NOTE: Debian uses openssh, not vulnerable + - openssh <not-affected> (OpenSSH not vulnerable) CVE-2002-1356 (Ethereal 0.9.7 and earlier allows remote attackers to cause a denial ...) - ethereal 0.9.8-1 CVE-2002-1355 (Multiple integer signedness errors in the BGP dissector in Ethereal ...) @@ -21006,7 +20998,7 @@ CVE-2002-1322 (Rational ClearCase 4.1, 2002.05, and possibly other versions allows ...) NOT-FOR-US: ClearCase CVE-2002-1321 (Multiple buffer overflows in RealOne and RealPlayer allow remote ...) - NOTE: Realplayer not in Sarge + NOT-FOR-US: Realplayer CVE-2002-1316 (importInfo in the Admin Server for iPlanet WebServer 4.x, up to SP11, ...) NOT-FOR-US: iPlanet CVE-2002-1315 (Cross-site scripting (XSS) vulnerability in the Admin Server for ...)
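Review bot: "Melstrom" is a misspelling of Maelstrom in the added line for CVE-2003-0330 (hunk @@ -20016,7) and again for CVE-2003-0325 in the following hunk. The package name on the same line is spelled correctly, so only the parenthetical needs fixing: "(Maelstrom in Sarge tests not vulnerable to exploit. Unsure when fixed.)".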
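Review bot: the CVE-2003-0326 change (hunk @@ -20026,13) drops the removed statement "bug does exist in slocate" while tagging the package <not-affected>. A reader now sees only that the package is not affected, although the flawed code is present and merely hard to reach. Suggest keeping that fact in the remaining NOTE, for example "NOTE: Bug does exist in slocate; even if exploited, you get only slocate gid."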
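Review bot: the new CVE-2003-0310 entry "- ezpublish 2.2.8-1" (hunk @@ -20068,9) states a definite fixed version, but the three NOTE lines it replaces said the fix was only assumed to be in newer upstream versions and had not been checked in detail. Either record how 2.2.8-1 was established in a NOTE, or keep a TODO to verify it, so the uncertainty is not silently lost.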
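Review bot: in the CVE-2003-0281 hunk (@@ -20135,9) the bug reference is moved onto the firebird2 line, and the information that the separate firebird (1) package is vulnerable but ships only the libraries is deleted. As written, "(bug #251458)" reads as the bug that tracked the firebird2 fix. Suggest keeping a NOTE about the firebird package, with the bug number attached to it, so its status is still recorded.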
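Review bot: CVE-2003-0187 (hunk @@ -20349,7) gets only a kernel-source-2.4.27 entry, while the 2.4-only kernel issues CVE-2003-0248, CVE-2003-0247 and CVE-2003-0246 in hunk @@ -20209,12 each also gain "- linux-2.6 <not-affected>". The removed note said this issue only affects 2.4.19 and 2.4.20, so the same linux-2.6 line looks to be missing here.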
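Review bot: the version in the added line "- putty 0.53-b-2003-01-04-1" for CVE-2003-0048 (hunk @@ -20581,6) is spelled "0.53-b", while the description on the line above names the affected upstream release as "0.53b and earlier". Please confirm the string matches the version actually uploaded to the archive, since version comparison depends on the exact spelling. The retained NOTE dates the upstream fix to 2002-11-12 and could say which upload first contained it.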
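Review bot: the new CVE-2002-1582 lines (hunk @@ -20648,8) disagree with what they replace in two places. The affected range becomes "2.3.30-2.3.32" although both the description and the removed note say 2.3.30 and 2.3.31, and the release tag is [woody] although the removed note said Sarge uses 2.3.29. If both changes are intended, a NOTE giving the source for 2.3.32 and for the fixed version 2.3.33 would make this checkable.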
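Review bot: in the CVE-2002-1533 line (hunk @@ -20729,7) the text "(Fixed before upload into archive; 4.1 series)" puts the affected series where the other entries in this patch put the fixed version, for example "(Fixed before upload into archive; 2.4.21)". The removed note said the problem is in jetty 4.1.0 and Debian started with 4.2, so wording such as "(Affects 4.1.0; Debian started with 4.2)" would avoid reading 4.1 as the fix.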
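Review bot: the NOT-FOR-US conversions are inconsistent about the trailing text. Hunk @@ -20780,11 writes "NOT-FOR-US: phpGB not in Debian" (likewise mod_auth_any, AFD, L-Forum, Blazix, eUpload and CERN HTTPD in neighbouring hunks), while hunk @@ -20852,20 writes "NOT-FOR-US: dotproject" and the untouched context lines carry only the product name. Since NOT-FOR-US already implies the software is not in Debian, dropping "not in Debian" everywhere would match the existing entries.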
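Review bot: two problems in the FUDforum entries (hunk @@ -20852,20). The parenthetical "Issue in fudforum 2.2.0" loses the word "before" that both the descriptions and the removed notes have ("before 2.2.0"), which changes the affected range to a single version. The TODO under CVE-2002-1423 refers to "CVE-2004-1421", whereas the related entries directly below are CVE-2002-1422 and CVE-2002-1421, so the year looks like a typo.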