Moritz Muehlenhoff
2005-Nov-20 10:25 UTC
[Secure-testing-commits] r2789 - in data: CVE DSA
Author: jmm-guest Date: 2005-11-20 10:24:32 +0000 (Sun, 20 Nov 2005) New Revision: 2789 Modified: data/CVE/list data/DSA/list Log: convert another three months of DSAs Modified: data/CVE/list ==================================================================--- data/CVE/list 2005-11-19 21:14:16 UTC (rev 2788) +++ data/CVE/list 2005-11-20 10:24:32 UTC (rev 2789) @@ -16247,10 +16247,16 @@ NOT-FOR-US: Antivir CVE-2004-0057 (The rawprint function in the ISAKMP decoding routines (print-isakmp.c) ...) {DSA-425} + TODO: No idea if this is fixed, we have a new upstream version + TODO: that came out after these advisories, but neither the debian nor + TODO: the upstream changelog seem to mention them. CVE-2004-0056 (Multiple vulnerabilities in the H.323 protocol implementation for ...) NOT-FOR-US: Nortel Networks products CVE-2004-0055 (The print_attr_string function in print-radius.c for tcpdump 3.8.1 and ...) {DSA-425} + TODO: No idea if this is fixed, we have a new upstream version + TODO: that came out after these advisories, but neither the debian nor + TODO: the upstream changelog seem to mention them. CVE-2004-0054 (Multiple vulnerabilities in the H.323 protocol implementation for ...) NOT-FOR-US: Cisco IOS CVE-2004-0053 (Multiple content security gateway and antivirus products allow remote ...) @@ -16311,8 +16317,10 @@ RESERVED CVE-2004-0017 (Multiple SQL injection vulnerabilities in the (1) calendar and (2) ...) {DSA-419} + - phpgroupware 0.9.14.007-4 CVE-2004-0014 (Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier ...) {DSA-412} + - nd 0.8.2-1 CVE-2004-0012 RESERVED CVE-2004-0010 (Stack-based buffer overflow in the ncp_lookup function for ncpfs in ...) 
@@ -16387,6 +16395,9 @@ NOT-FOR-US: Dameware CVE-2003-1029 (The L2TP protocol parser in tcpdump 3.8.1 and earlier allows remote ...) {DSA-425} + TODO: No idea if this is fixed, we have a new upstream version + TODO: that came out after these advisories, but neither the debian nor + TODO: the upstream changelog seem to mention them. CVE-2003-1028 (The download function of Internet Explorer 6 SP1 allows remote ...) NOT-FOR-US: microsoft CVE-2003-1027 (Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct ...) @@ -16516,9 +16527,10 @@ CVE-2003-0964 REJECTED CVE-2003-0963 (Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for ...) - - lftp 2.6.10 + - lftp 2.6.10-1 CVE-2003-0962 (Heap-based buffer overflow in rsync before 2.5.7, when running in ...) {DSA-404} + - rsync 2.5.6-1.1 CVE-2003-0961 (Integer overflow in the do_brk function for the brk system call in ...) {DSA-475 DSA-470 DSA-450 DSA-442 DSA-440 DSA-439 DSA-433 DSA-423 DSA-417 DSA-403} - kernel-source-2.4.27 <not-affected> (Fixed before initial upload; 2.4.23-pre7) @@ -16546,6 +16558,7 @@ NOT-FOR-US: PeopleSoft PeopleTools CVE-2003-0949 (xsok 1.02 does not properly drop privileges before finding and ...) {DSA-405} + - xsok 1.02-11 CVE-2003-0948 (Buffer overflow in iwconfig allows local users to execute arbitrary ...) NOTE: not vulnerable, iwconfig not setuid/setgid in Debian. CVE-2003-0947 (Buffer overflow in iwconfig, when installed setuid, allows local users ...) @@ -16578,8 +16591,10 @@ NOT-FOR-US: Symbol Access Portable Data Terminal CVE-2003-0933 (Buffer overflow in conquest 7.2 and earlier may allow a local user to ...) {DSA-398} + - conquest 7.2-5 CVE-2003-0932 (Buffer overflow in omega-rpg 0.90 allows local users to execute ...) {DSA-400} + - omega-rpg 1:0.90-pa9-11 CVE-2003-0931 (Sygate Enforcer 4.0 earlier allows remote attackers to cause a denial ...) NOT-FOR-US: Sygate Enforcer CVE-2003-0930 (Clearswift MAILsweeper before 4.3.15 does not properly detect ...) 
@@ -16617,6 +16632,7 @@ RESERVED CVE-2003-0914 (ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote ...) {DSA-409} + - bind 1:8.4.3-1 CVE-2003-0913 (Unknown vulnerability in the Terminal application for Mac OS X 10.3 ...) NOT-FOR-US: MacOS CVE-2003-0912 @@ -16637,8 +16653,11 @@ NOT-FOR-US: Windows CVE-2003-0902 (Unknown vulnerability in minimalist mailing list manager 2.4, 2.2, and ...) {DSA-402} + - minimalist 2.4-1 CVE-2003-0901 (Buffer overflow in to_ascii for PostgreSQL 7.2.x, and 7.3.x before ...) {DSA-397} + - postgresql <not-affected> (Not affected, per DSA-397 + TODO: Previous entry said 7.3.4 fixed this, what is correct? CVE-2003-0900 (Perl 5.8.1 on Fedora Core does not properly initialize the random ...) - perl 5.8.2 CVE-2003-0899 (Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 ...) @@ -16669,6 +16688,7 @@ TODO: check CVE-2003-0886 (Format string vulnerability in hfaxd for Hylafax 4.1.7 and earlier ...) {DSA-401} + - hylafax 1:4.1.8-1 CVE-2003-0885 RESERVED CVE-2003-0884 @@ -16732,6 +16752,7 @@ NOTE: affects glibc 2.2.4, Debian uses 2.3.2 CVE-2003-0858 (Zebra 0.93b and earlier, and quagga before 0.95, allows local users to ...) {DSA-415} + - quagga 0.96.4x-4 CVE-2003-0857 RESERVED CVE-2003-0856 (iproute 2.4.7 and earlier allows local users to cause a denial of ...) @@ -16869,6 +16890,7 @@ NOT-FOR-US: SGI IRIX CVE-2003-0795 (The vty layer in Quagga before 0.96.4, and Zebra 0.93b and earlier, ...) {DSA-415} + - quagga 0.96.4x-4 CVE-2003-0794 (GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not limit ...) - gdm 2.4.4.4 CVE-2003-0793 (GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not ...) 
@@ -17841,6 +17863,7 @@ NOT-FOR-US: CesarFTP CVE-2003-0328 (EPIC IRC Client (EPIC4) pre2.002, pre2.003, and possibly later ...) {DSA-399 DSA-306} + - epic4 1:1.1.11.20030409-2 CVE-2003-0327 (Sybase Adaptive Server Enterprise (ASE) 12.5 allows remote attackers ...) NOT-FOR-US: Sybase Adaptive Server Enterprise CVE-2003-0326 (Integer overflow in parse_decode_path() of slocate may allow attackers ...) @@ -19675,12 +19698,16 @@ - jitterbug 1.6.2-4.5 CVE-2004-0016 (The calendar module for phpgroupware 0.9.14 does not enforce the "save ...) {DSA-419} + - phpgroupware 0.9.14.007-4 CVE-2004-0015 (vbox3 0.1.8 and earlier does not properly drop privileges before ...) {DSA-418} + - vbox3 0.1.8 CVE-2004-0013 (jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly ...) {DSA-414} + - jabber 1.4.3-1 CVE-2004-0011 (Buffer overflow in fsp before 2.81.b18 allows remote users to execute ...) {DSA-416} + - fsp 2.81.b18-1 CVE-2004-0009 (Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 ...) - apache-ssl 1.3.31 TODO: test Modified: data/DSA/list ==================================================================--- data/DSA/list 2005-11-19 21:14:16 UTC (rev 2788) +++ data/DSA/list 2005-11-20 10:24:32 UTC (rev 2789) @@ -1896,10 +1896,7 @@ [woody] - netpbm-free 2:9.20-8.4 [16 Jan 2004] DSA-425 tcpdump - multiple vulnerabilities {CVE-2003-1029 CVE-2003-0989 CVE-2004-0055 CVE-2004-0057} - TODO: No idea if this is fixed, we have a new upstream version - TODO: that came out after these advisories, but neither the debian nor - TODO: the upstream changelog seem to mention them. - NOTE: Mailed maintainer. + [woody] - tcpdump 3.6.2-2.7 [16 Jan 2004] DSA-424 mc - buffer overflow {CVE-2003-1023} [woody] - mc 4.5.55-1.2woody2 
@@ -1916,72 +1913,77 @@ [woody] - jitterbug 1.6.2-4.2woody2 [09 Jan 2004] DSA-419 phpgroupware - missing filename sanitising, SQL injection {CVE-2004-0016 CVE-2004-0017} - - phpgroupware 0.9.14.007-4 + [woody] - phpgroupware 0.9.14-0.RC3.2.woody3 [07 Jan 2004] DSA-418 vbox3 - privilege leak {CVE-2004-0015} - - vbox3 0.1.8 + [woody] - vbox3 0.1.7.1 [07 Jan 2004] DSA-417 linux-kernel-2.4.18-powerpc+alpha - missing boundary check {CVE-2003-0961 CVE-2003-0985} - NOTE: 2.4.18 not present. Did not check newer kernels. + [woody] - kernel-patch-2.4.18-powerpc 2.4.18-1woody3 + [woody] - kernel-image-2.4.18-1-alpha 2.4.18-12 [06 Jan 2004] DSA-416 fsp - buffer overflow, directory traversal {CVE-2003-1022 CVE-2004-0011} - - fsp 2.81.b18-1 + [woody] - fsp 2.81.b3-3.1woody1 [06 Jan 2004] DSA-415 zebra - denial of service {CVE-2003-0795 CVE-2003-0858} - - quagga 0.96.4x-4 + [woody] - zebra 0.92a-5woody2 [06 Jan 2004] DSA-414 jabber - denial of service {CVE-2004-0013} - - jabber 1.4.3-1 + [woody] - jabber 1.4.2a-1.1woody1 [06 Jan 2004] DSA-413 linux-kernel-2.4.18 - missing boundary check {CVE-2003-0985} - NOTE: 2.4.18 not present. Did not check newer kernels. 
+ [woody] - kernel-source-2.4.18 2.4.18-14.1 + [woody] - kernel-image-2.4.18-1-i386 2.4.18-12.1 [05 Jan 2004] DSA-412 nd - buffer overflows {CVE-2004-0014} - - nd 0.8.2-1 + [woody] - nd 0.5.0-1woody1 [05 Jan 2004] DSA-411 mpg321 - format string vulnerability {CVE-2003-0969} - - mpg321 0.2.10.3 + [woody] - mpg321 0.2.10.2 [05 Jan 2004] DSA-410 libnids - buffer overflow {CVE-2003-0850} - - libnids 1.18-1 + [woody] - libnids 1.16-3woody1 [05 Jan 2004] DSA-409 bind - denial of service {CVE-2003-0914} - - bind 1:8.4.3-1 + [woody] - bind 1:8.3.3-2.0woody2 [05 Jan 2004] DSA-408 screen - integer overflow {CVE-2003-0972} - - screen 4.0.2-0.1 + [woody] - screen 3.9.11-5woody1 [05 Jan 2004] DSA-407 ethereal - buffer overflows {CVE-2003-0925 CVE-2003-0926 CVE-2003-0927 CVE-2003-1012 CVE-2003-1013} - - ethereal 0.10.0-1 + [woody] - ethereal 0.9.4-1woody6 [05 Jan 2004] DSA-406 lftp - buffer overflow - - lftp 2.6.10-1 + {CVE-2003-0963} + [woody] - lftp 2.4.9-1woody2 [30 Dec 2003] DSA-405 xsok - missing privilege release {CVE-2003-0949} - - xsok 1.02-11 + [woody] - xsok 1.02-9woody2 [04 Dec 2003] DSA-404 rsync - heap overflow {CVE-2003-0962} - - rsync 2.5.6-1.1 + [woody] - rsync 2.5.5-0.2 [01 Dec 2003] DSA-403 kernel-image-2.4.18-1-alpha, kernel-image-2.4.18-1-i386, kernel-source-2.4.18 - local root exploit {CVE-2003-0961} - NOTE: 2.4.18 not present in sarge, did not check newer kernels. 
+ [woody] - kernel-image-2.4.18-1-alpha 2.4.18-11 + [woody] - kernel-image-2.4.18-1-i386 2.4.18-12 + [woody] - kernel-source-2.4.18 2.4.18-14 [17 Nov 2003] DSA-402 minimalist - unsanitised input {CVE-2003-0902} - - minimalist 2.4-1 + [woody] - minimalist 2.2-4 [17 Nov 2003] DSA-401 hylafax - format strings {CVE-2003-0886} - - hylafax 1:4.1.8-1 + [woody] - hylafax 4.1.1-1.3 [11 Nov 2003] DSA-400 omega-rpg - buffer overflow {CVE-2003-0932} - - omega-rpg 1:0.90-pa9-11 + [woody] - omega-rpg 0.90-pa9-7woody1 [10 Nov 2003] DSA-399 epic4 - buffer overflow {CVE-2003-0328} - - epic4 1:1.1.11.20030409-2 + [woody] - epic4 1.1.2.20020219-2.2 [10 Nov 2003] DSA-398 conquest - buffer overflow {CVE-2003-0933} - - conquest 7.2-5 + [woody] - conquest 7.1.1-6woody1 [07 Nov 2003] DSA-397 postgresql - buffer overflow {CVE-2003-0901} - - postgresql 7.3.4 + [woody] - postgresql 7.2.1-2woody4 [29 Oct 2003] DSA-396 thttpd - missing input sanitizing, wrong calculation {CVE-2002-1562 CVE-2003-0899} - thttpd 2.23beta1-2.3 (bug #216677)
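Review bot: In the data/CVE/list hunk at @@ -16637,8 +16653,11 @@, the added line `- postgresql <not-affected> (Not affected, per DSA-397` never closes its parenthesis, which may break whatever parses the list. It also disagrees with the data/DSA/list side of this commit, where DSA-397 now records `[woody] - postgresql 7.2.1-2woody4` as a fixed version and the removed line named 7.3.4. Suggest closing the parenthesis and settling the TODO before the entry is marked not-affected.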
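Review bot: In the data/CVE/list hunk at @@ -19675,12 +19698,16 @@, `- vbox3 0.1.8` is recorded as the fixed version for CVE-2004-0015, whose description on the line above says vbox3 0.1.8 and earlier is affected. The version has no Debian revision, so it does not say which upload carries the fix. The lftp entry in this same commit is changed from 2.6.10 to 2.6.10-1; suggest giving vbox3 the full version of the fixed upload in the same way.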
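Review bot: The DSA-425 hunk in data/DSA/list (@@ -1896,10 +1896,7 @@) removes `NOTE: Mailed maintainer.` along with the three TODO lines, but only the TODO text reappears in data/CVE/list, and only under CVE-2004-0057, CVE-2004-0055 and CVE-2003-1029. DSA-425 also lists CVE-2003-0989, and no hunk in this diff touches that entry. Suggest carrying the note over and checking that CVE-2003-0989 gets the same TODO, so the open question stays attached to all four CVEs.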
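Review bot: In the large data/DSA/list hunk (@@ -1916,72 +1913,77 @@), the notes under DSA-417, DSA-413 and DSA-403 saying that newer kernels were not checked are replaced by woody versions only, and nothing in this diff records that open question under CVE-2003-0985 in data/CVE/list. Suggest adding a TODO there. The same hunk removes the unstable versions `- mpg321 0.2.10.3`, `- libnids 1.18-1`, `- screen 4.0.2-0.1` and `- ethereal 0.10.0-1` without a matching addition in data/CVE/list in this commit, so please confirm the corresponding CVE entries already carry them.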