Author: fw
Date: 2005-10-20 11:18:17 +0000 (Thu, 20 Oct 2005)
New Revision: 2499
Modified:
data/CVE/list
Log:
Use sid versions in CVE/list where possible. etch versions are now
copied from DTSA/list, or can be given explicitly using [etch].
Also add a couple of fixed versions from past DSAs.
Modified: data/CVE/list
==================================================================
--- data/CVE/list 2005-10-20 11:07:43 UTC (rev 2498)
+++ data/CVE/list 2005-10-20 11:18:17 UTC (rev 2499)
@@ -793,12 +793,14 @@
- mod-auth-shadow 1.4-2 (bug #323789; medium)
CVE-2005-2962 (The post-installation script for ntlmaps before 0.9.9 sets ...)
{DSA-830-1}
+ - ntlmaps 0.9.9-4
CVE-2005-2961 (Buffer overflow in the get_string_ahref function for ProZilla
1.3.7.4 ...)
{DSA-834-1}
NOTE: prozilla is not in sarge or etch
CVE-2005-2960 (cfengine 1.6.5 and 2.1.16 allows local users to overwrite
arbitrary ...)
{DSA-836-1 DSA-835-1}
- cfengine <unfixed>
+ - cfengine2 <unfixed>
CVE-2005-2959 [Sudo does not sanitize SHELLOPTS and PS4 shell env vars before
starting sudoed apps]
RESERVED
- sudo 1.6.8p9-3 (medium)
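Review bot: the added `- ntlmaps 0.9.9-4` line under CVE-2005-2962 carries no urgency, while neighbouring entries do (for example `(bug #323789; medium)` and `(medium)`). Add an urgency in parentheses so the entry is rated like the others. The new `- cfengine2 <unfixed>` line sits under an entry that references DSA-836-1 and DSA-835-1; a NOTE saying what is still unfixed would help readers reconcile the two.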
@@ -1010,7 +1012,7 @@
NOTE: rejected, initially ipt_recent related
CVE-2005-2878 (Format string vulnerability in search.c in the imap4d server in
GNU ...)
{DSA-841-1 DTSA-20-1}
- - mailutils 1:0.6.90-2.1etch1 (bug #327424; high)
+ - mailutils 1:0.6.90-3 (bug #327424; high)
CVE-2005-2870 (Unknown vulnerability in the net-svc script on Solaris 10 allows
...)
NOT-FOR-US: Solaris
CVE-2005-2869 (Multiple cross-site scripting (XSS) vulnerabilities in
phpMyAdmin ...)
@@ -1501,6 +1503,7 @@
- turqstat 2.2.4-1 (medium)
CVE-2005-2657 (Unknown vulnerability in common-lisp-controller 4.18 and earlier
...)
{DSA-811-1}
+ - common-lisp-controller 4.18 (bug #328633; medium)
CVE-2005-2656 (Polygen before 1.0.6 generates precompiled grammar objects with
...)
{DSA-794-1}
NOTE: Fix in -8 had problems
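Review bot: the fixed version `4.18` added for common-lisp-controller under CVE-2005-2657 is the same version the description names as affected ("4.18 and earlier"). Check the version against DSA-811-1 or bug #328633, then either correct it or add a NOTE explaining why 4.18 counts as fixed.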
@@ -2260,6 +2263,7 @@
{DSA-801-1}
NOTE: I suspect DSA-801 is fixed by the non-root patches from Ubuntu??
- ntp 1:4.2.0a+stable-2sarge1 (medium)
+ [etch] - ntp 1:4.2.0a+stable-2sarge1 (medium)
CVE-2005-2495 (Multiple integer overflows in XFree86 before 4.3.0 allow ...)
{DSA-816-1}
- xorg-x11 6.8.2.dfsg.1-7 (medium)
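Review bot: the new `[etch]` line under the DSA-801-1 entry repeats the exact version of the unqualified line above it (`1:4.2.0a+stable-2sarge1`), so the unqualified entry still carries a sarge version although the log message says sid versions are used where possible. If the sid version is known, put it on the unqualified line; if it is not, extend the existing NOTE to say the sid version is unconfirmed.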
@@ -3108,50 +3112,50 @@
NOT-FOR-US: iCab
CVE-2005-2270 (Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly
clone ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (high)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; high)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; high)
+ - mozilla-firefox 1.0.5-1 (high)
+ - mozilla 2:1.7.9-1 (high; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (high)
CVE-2005-2269 (Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2
does ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (high)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; medium)
+ - mozilla-firefox 1.0.5-1 (high)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (medium; bug #318728)
CVE-2005-2268 (Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly
...)
{DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
CVE-2005-2267 (Firefox before 1.0.5 allows remote attackers to steal
information and ...)
{DSA-779-2 DSA-779-1 DTSA-8-2}
- mozilla-firefox 1.0.4-2sarge3 (medium)
CVE-2005-2266 (Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child
frame to ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; low)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (low; bug #318728)
CVE-2005-2265 (Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2
and 7.2 ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (high)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; medium)
+ - mozilla-firefox 1.0.5-1 (high)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (medium; bug #318728)
CVE-2005-2264 (Firefox before 1.0.5 allows remote attackers to steal sensitive
...)
{DSA-779-2 DSA-779-1 DTSA-8-2}
- mozilla-firefox 1.0.4-2sarge3 (medium)
CVE-2005-2263 (The InstallTrigger.install method in Firefox before 1.0.5 and
Mozilla ...)
{DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
CVE-2005-2262 (Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote
attackers ...)
{DSA-779-2 DSA-779-1 DTSA-8-2}
- mozilla-firefox 1.0.4-2sarge3 (medium)
CVE-2005-2261 (Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before
1.7.9, ...)
{DSA-810-1 DSA-779-2 DSA-781-1 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
- - mozilla-thunderbird 1.0.6-1 (bug #318728; medium)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
+ - mozilla-thunderbird 1.0.6-1 (medium; bug #318728)
CVE-2005-2260 (The browser user interface in Firefox before 1.0.5, Mozilla
before ...)
{DSA-810-1 DSA-779-2 DSA-779-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge2 (bug #318062; medium)
+ - mozilla-firefox 1.0.5-1 (medium)
+ - mozilla 2:1.7.9-1 (medium; bug #318062)
CVE-2002-2086 (Multiple cross-site scripting (XSS) vulnerabilities in magicHTML
of ...)
NOT-FOR-US: magicHTML
CVE-2002-2085 (Directory traversal vulnerability in page.cgi of WWWeBBB Forum
3.82 ...)
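Review bot: CVE-2005-2267, CVE-2005-2264 and CVE-2005-2262 keep `- mozilla-firefox 1.0.4-2sarge3` as unchanged context while every other Firefox line in this hunk moves to `1.0.5-1`; update them as well or add a NOTE on why they differ. The thunderbird line under CVE-2005-2270 also loses its `bug #318728` reference, which the other entries keep, and the rewritten lines use `(urgency; bug)` order while untouched lines elsewhere in the file use `(bug; urgency)`, so settle on one order.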
@@ -3844,7 +3848,7 @@
NOT-FOR-US: MyGuestbook
CVE-2005-2161 (Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows
remote ...)
{DSA-768-1}
- - phpbb2 2.0.13-6sarge1 (bug #317739; high)
+ - phpbb2 2.0.13+1-6sarge1 (bug #317739; high)
CVE-2005-2160 (IMail stores usernames and passwords in cleartext in a cookie,
which ...)
NOT-FOR-US: IMail
CVE-2005-2159 (mshftp.dll in PlanetDNS PlanetFileServer 2.0.1.3 allows remote
...)
@@ -4024,7 +4028,7 @@
NOTE: fixed in experimental in 1:1.0.5.6-1, not yet in sid
CVE-2005-2095 (SquirrelMail 1.4.4 and earlier does not properly handle the
$_POST ...)
{DSA-756-1}
- - squirrelmail 2:1.4.4-6 (bug #317094)
+ - squirrelmail 2:1.4.4-6sarge1 (bug #317094)
CVE-2005-2094 (Sun SunONE web server 6.1 SP1 allows remote attackers to poison
the ...)
NOT-FOR-US: Sun
CVE-2005-2093 (Oracle 9i Application Server (Oracle9iAS) 9.0.2 allows remote
...)
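Review bot: the squirrelmail version under CVE-2005-2095 changes from `2:1.4.4-6` to `2:1.4.4-6sarge1`, which runs against the log message's "Use sid versions in CVE/list where possible". If `6sarge1` is meant as one of the fixed versions from DSA-756-1, say so in a NOTE and keep a sid version on the unqualified line. The line also has no urgency, and the same version change is repeated under CVE-2005-1769 further down, so both should be settled together.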
@@ -5109,8 +5113,9 @@
REJECTED
CVE-2005-1937 (A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows
remote ...)
{DSA-810-1 DSA-777-1 DSA-775-1 DTSA-7-1 DTSA-8-2 DTSA-14-1}
- - mozilla-firefox 1.0.4-2sarge3 (medium)
- - mozilla 2:1.7.8-1sarge1 (medium)
+ - mozilla-firefox 1.0.6-1 (medium)
+ - mozilla 2:1.7.10-1 (medium)
+ [woody] - mozilla <not-affected> (regression of a previous security fix)
CVE-2004-2137 (Outlook Express 6.0, when sending multipart e-mail messages
using the ...)
NOT-FOR-US: Microsoft
CVE-2005-1936 (Unknown vulnerability in the web server for the ESS/ Network
...)
@@ -5287,7 +5292,7 @@
NOT-FOR-US: arshell
CVE-2005-1857 (Format string vulnerability in simpleproxy before 3.4 allows
remote ...)
{DSA-786-1}
- TODO: check
+ - simpleproxy 3.2-4 (medium)
CVE-2005-1856 (The CD-burning feature in backup-manager 0.5.8 and earlier uses
a ...)
{DSA-787-1}
- backup-manager 0.5.8-2 (bug #315582; low)
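Review bot: the version filled in for simpleproxy under CVE-2005-1857, `3.2-4`, is lower than the upstream release the description gives as fixed ("before 3.4"), so the entry only holds if the fix was backported into the Debian package. Add a NOTE or a bug reference stating that, so the line is not later mistaken for a typo.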
@@ -5296,7 +5301,7 @@
- backup-manager 0.5.8-2 (medium)
CVE-2005-1854 (Unknown vulnerability in apt-cacher in Debian 3.1, related to
"missing ...)
{DSA-772-1}
- TODO: check
+ - apt-cacher 0.9.10 (high)
CVE-2005-1853 (gopher.c in the Gopher client 3.0.5 does not properly create
temporary ...)
{DSA-770-1}
- gopher 3.0.8 (low)
@@ -5492,7 +5497,7 @@
NOT-FOR-US: Avast
CVE-2005-1769 (Multiple cross-site scripting (XSS) vulnerabilities in
SquirrelMail ...)
{DSA-756-1}
- - squirrelmail 2:1.4.4-6 (bug #314374; medium)
+ - squirrelmail 2:1.4.4-6sarge1 (bug #314374; medium)
CVE-2005-1768 (Race condition in the ia32 compatibility code for the execve
system ...)
- kernel-source-2.4.27 2.4.27-11 (medium; bug #319629)
CVE-2005-1767 (traps.c in the Linux kernel 2.6.x and 2.4.x executes stack
segment ...)
@@ -5979,6 +5984,8 @@
CVE-2005-1636 (mysql_install_db in MySQL 4.1.x before 4.1.12 and 5.x up to
5.0.4 ...)
{DSA-783-1}
- mysql-dfsg 4.0.12-2 (bug #319526; low)
+ - mysql-dfsg-4.1 4.1.12 (medium; bug #319526)
+ - mysql-dfsg-5.0 5.0.11beta-3 (medium)
CVE-2005-1635 (JGS-XA JGS-Portal 3.0.2 and earlier allows remote attackers to
obtain ...)
NOT-FOR-US: JGS-Portal
CVE-2005-1634 (Multiple cross-site scripting (XSS) vulnerabilities in JGS-XA
...)
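Review bot: the two added lines rate CVE-2005-1636 `medium`, while the existing `- mysql-dfsg 4.0.12-2` line for the same CVE is rated `low`. Align the urgencies across the three packages or add a NOTE on why they differ. The description names only 4.1.x and 5.x as affected, so it is also worth checking whether the `mysql-dfsg` 4.0 line belongs here as a fixed version.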
@@ -6175,7 +6182,7 @@
NOT-FOR-US: Bakbone Netvault
CVE-2005-1546 (Buffer overflow in the PE parser in HT Editor before 0.8.0
allows ...)
{DSA-743-1}
- - ht 0.8.0-2 (bug #308587)
+ - ht 0.8.0-3 (bug #308587)
CVE-2005-1545 (Integer overflow in the ELF parser in HT Editor before 0.8.0
allows ...)
{DSA-743-1}
- ht 0.8.0-3 (bug #308587)
@@ -10546,10 +10553,10 @@
RESERVED
CVE-2005-0393 (The helper scripts for crip 3.5 do not properly use temporary
files, ...)
{DSA-733-1}
- TODO: check
+ - crip 3.5-1sarge2 (low)
CVE-2005-0392 (ppxp does not drop root privileges before opening log files,
which ...)
{DSA-725-2 DSA-725-1}
- TODO: check
+ - ppxp 0.2001080415-11
CVE-2005-0391 (geneweb 4.10 and earlier does not properly check file
permissions and ...)
{DSA-712-1}
- geneweb 4.10-7 (bug #304405)
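Review bot: the added `- ppxp 0.2001080415-11` line under CVE-2005-0392 has no urgency, although the description concerns a failure to drop root privileges; add one as on the `crip` line above it. `crip 3.5-1sarge2` is a sarge version on an unqualified line, so either replace it with the sid version or add a NOTE that no separate sid upload exists.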
@@ -13354,8 +13361,8 @@
NOTE: upstream versions became vulnerable again, see
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=296850
NOTE: and were fixed again, it got CVE-2005-1937 for the reversion
- - mozilla 2:1.7.8-1sarge1 (medium)
- - mozilla-firefox 1.0.4-2sarge3 (medium)
+ - mozilla 2:1.7.10-1 (medium)
+ - mozilla-firefox 1.0.6-1 (medium)
CVE-2004-0717 (Opera 7.51 for Windows and 7.50 for Linux does not properly
prevent a ...)
NOT-FOR-US: opera 7.50
CVE-2004-0716 (Buffer overflow in the DCE daemon (DCED) for the DCE endpoint
mapper ...)