thr3ads.net - Secure testing commits - [Secure-testing-commits] r2139

If this information is useful, please help other people find it:
Share via:
Moritz Muehlenhoff
2005-Sep-23 22:37 UTC
[Secure-testing-commits] r2139 - data/CAN

Author: jmm-guest
Date: 2005-09-23 22:36:40 +0000 (Fri, 23 Sep 2005)
New Revision: 2139

Modified:
   data/CAN/list
Log:
convert the remaining outstanding security issues
to <unfixed>


Modified: data/CAN/list
==================================================================---
data/CAN/list	2005-09-23 22:28:31 UTC (rev 2138)
+++ data/CAN/list	2005-09-23 22:36:40 UTC (rev 2139)
@@ -1663,11 +1663,11 @@
 CAN-2005-XXXX [time delay of password check proves account existence to
attackers]
 	NOTE: unknown if really a bug; if it is it''s different than the
 	NOTE: previous ssh delay bugs
-	- ssh (unfixed; bug #314645; low)
+	- ssh <unfixed> (bug #314645; low)
 CAN-2005-2548 (vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to
cause a ...)
 	{DTSA-16-1}
 	NOTE: Will appear in next kernel DSA, fixed in 2.6 since 2.6.9-rc2
-	- kernel-image-2.6.8-i386 (unfixed; bug #309308; low)
+	- kernel-image-2.6.8-i386 <unfixed> (bug #309308; low)
 	NOTE: 2.6.12-1 contained a partially broken fix
 	- linux-2.6 2.6.12-6 (low)
 CAN-2005-XXXX [DoS by removal of default ACLs in ext2/ext3]
@@ -1705,7 +1705,7 @@
 CAN-2005-2476 (Cross-site scripting (XSS) vulnerability in lost_passowrd.php in
Naxtor ...)
 	NOTE: not-for-us (Naxtor Shopping Cart)
 CAN-2005-2475 (Race condition in Unzip 5.52 allows local users to modify
permissions ...)
-	- unzip (unfixed; bug #321927; low)
+	- unzip <unfixed> (bug #321927; low)
 CAN-2005-2474 (ChurchInfo allows remote attackers to execute obtain sensitive
...)
 	NOTE: not-for-us (ChurchInfo)
 CAN-2005-2473 (Multiple SQL injection vulnerabilities in ChurchInfo allow
remote ...)
@@ -1826,23 +1826,23 @@
 CAN-2001-1573 (Buffer overflow in smtpscan.dll for Trend Micro InterScan
VirusWall ...)
 	NOTE: not-for-us (Trend Micro InterScan VirusWall)
 CAN-2005-XXXX [wine: Unsafe use of temporary files in winelauncher]
-	- wine (unfixed; bug #321470; low)
+	- wine <unfixed> (bug #321470; low)
 CAN-2005-XXXX [inkscape: Unsafe temporary file handling in ps2epsi extension]
 	- inkscape 0.42 (bug #321501; low)
 CAN-2005-XXXX [DoS to users to prevent usage of showpartial through _hard_
links]
 	- metamail 2.7-48 (bug #321473; low)
 CAN-2005-XXXX [Insecure usage of temporary files in x11perfcomp and other
security issues]
-	- xfree86 (unfixed; bug #321447; low)
-	- xorg-x11 (unfixed; bug #321447; low)
+	- xfree86 <unfixed> (bug #321447; low)
+	- xorg-x11 <unfixed> (bug #321447; low)
 CAN-2005-XXXX [kdebase: startkde does not check lnusertemp''s result?]
 	NOTE: This hardly has security implications, lots of applications do not cope
 	NOTE: with a filled up /tmp dir.
-	- kdebase (unfixed; bug #292078; low)
+	- kdebase <unfixed> (bug #292078; low)
 CAN-2005-XXXX [gs-esp: Insecure usage of /tmp in source code]
-	- gs-esp (unfixed; bug #291452; low)
+	- gs-esp <unfixed> (bug #291452; low)
 CAN-2005-XXXX [Format string bug in sysklogd''s syslog_tst sources]
 	NOTE: binary not shipped
-	- sysklogd (unfixed; bug #281448; low)
+	- sysklogd <unfixed> (bug #281448; low)
 CAN-2005-XXXX [fftw3-dev: Insecure tempfile usage in fftw-wisdom-to-conf
script]
 	- fftw3 3.0.1-12 (low; bug #321566)
 CAN-2005-XXXX [clamav-getfile: Insecure use of temporary files]
@@ -2047,8 +2047,8 @@
 	NOTE: see ITP#276057 and #217571
 	TODO: track ITPs/work with mediawiki team (alioth)
 CAN-2005-2395 (Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge
with the ...)
-	- mozilla-firefox (unfixed; bug #320539; medium)
-	- mozilla (unfixed; bug #320538; medium)
+	- mozilla-firefox <unfixed> (bug #320539; medium)
+	- mozilla <unfixed> (bug #320538; medium)
 CAN-2005-2394 (show_news.php in CuteNews 1.3.6 allows remote attackers to
obtain the ...)
 	NOTE: not-for-us (CuteNews)
 CAN-2005-2393 (Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6
allows ...)
@@ -2205,7 +2205,7 @@
 CAN-2005-2312 (management.php in Realnode Emilda 1.2.2 and earlier allows
remote ...)
 	NOTE: not-for-us (Realnode Emilda)
 CAN-2005-2311 (SMS 1.9.2m and earlier allows local users to overwrite arbitrary
files ...)
-	- sms-pl (unfixed; bug #320540; unimportant)
+	- sms-pl <unfixed> (bug #320540; unimportant)
 	NOTE: vulnerable contrib file only in source package
 CAN-2005-2310 (Buffer overflow in Winamp 5.03a, 5.09 and 5.091 allows remote
...)
 	NOTE: not-for-us (Winamp)
@@ -2241,7 +2241,7 @@
 CAN-2005-2296 (YabbSE 1.5.5c allows remote attackers to obtain sensitive
information ...)
 	NOTE: not-for-us (YabbSE)
 CAN-2005-2295 (NetPanzer 0.8 and earlier allows remote attackers to cause a
denial of ...)
-	- netpanzer (unfixed; bug #318329; medium)
+	- netpanzer <unfixed> (bug #318329; medium)
 CAN-2005-2294 (Oracle Forms 4.5, 6.0, 6i, and 9i on Unix, when a large number
of ...)
 	NOTE: not-for-us (Oracle)
 CAN-2005-2293 (Oracle Formsbuilder 9.0.4 stores database usernames and
passwords in a ...)
@@ -2320,7 +2320,7 @@
 CAN-2004-2266 (SQL injection vulnerability in Ansel 2.1 and earlier allows
remote ...)
 	NOTE: not-for-us (Ansel)
 CAN-2004-2265 (UUDeview 0.5.20 and earlier handles temporary files insecurely
during ...)
-	- uudeview (unfixed; bug #320541; medium)
+	- uudeview <unfixed> (bug #320541; medium)
 	TODO: check libconvert-uulib-perl
 	NOTE: Florian Weimer is looking at libconvert-uulib-perl
 CAN-2004-2264 (** DISPUTED ** ...)
@@ -2374,7 +2374,7 @@
 CAN-2004-2240 (Multiple SQL injection vulnerabilities in Phorum 5.0.11 and
earlier ...)
 	NOTE: not-for-us (Phorum)
 CAN-2004-2239 (Buffer overflow in vsybase.c in vpopmail 5.4.2 and earlier might
allow ...)
-	- vpopmail (unfixed; bug #320608; low)
+	- vpopmail <unfixed> (bug #320608; low)
 CAN-2005-XXXX [SQL injecton vulnerabilities in vpopmail prior to 5.4.6]
 	NOTE: see http://archives.neohapsis.com/archives/bugtraq/2004-08/0286.html
 	NOTE: maintainer says does not apply to debian, see #320608
@@ -2439,7 +2439,7 @@
 	- ffmpeg 0.cvs20050811-1 (bug #320150; medium)
 CAN-2005-XXXX [Further minor security issues in phpbb]
 	NOTE: Maintainers already preparing packages of 2.0.17
-	- phpbb2 (unfixed; low)
+	- phpbb2 <unfixed> (low)
 CAN-2005-XXXX [xgalaga score file segfault]
 	- xgalaga 2.0.34-31 (low)
 CAN-2005-XXXX [xemeraldia games file overwrite]
@@ -2529,7 +2529,7 @@
 CAN-2002-2080 (Floositek FTGate PRO 1.05 allows remote attackers to cause a
denial of ...)
 	NOTE: not-for-us (FTGate)
 CAN-2002-2079 (mosix-protocol-stack in Multicomputer Operating System for UnIX
...)
-	- kernel-patch-openmosix (unfixed; bug #319621; low)
+	- kernel-patch-openmosix <unfixed> (bug #319621; low)
 	NOTE: filed bug with ftp.debian.org for removal (#319817)
 CAN-2002-2078 (Heap-based buffer overflow in Floositek (1) FTGate Pro 1.05 and
(2) ...)
 	NOTE: not-for-us (FTGate)
@@ -2810,7 +2810,7 @@
 	- slash (bug #328927; unfixed; low)
 CAN-2001-1534 (mod_usertrack in Apache 1.3.11 through 1.3.20 generates session
ID''s ...)
 	- apache (bug #328919; unimportant)
-	- apache2 (unfixed; unimportant)
+	- apache2 <unfixed> (unimportant)
 	NOTE: Cookies are only used for invading user privacy,
 	NOTE: not for authentication, so apache and apache2 should be fine.
 CAN-2001-1533 (** DISPUTED * ...)
@@ -2931,9 +2931,9 @@
 CAN-2005-2240 (xpvm.tcl in xpvm 1.2.5 allows local users to overwrite arbitrary
files ...)
 	- xpvm 1.2.5-8 (bug #318285; medium)
 CAN-2005-2239 (oftpd 0.3.7 allows remote attackers to cause a denial of service
via a ...)
-	- oftpd (unfixed; bug #318286; medium)
+	- oftpd <unfixed> (bug #318286; medium)
 CAN-2005-XXXX [oftpd port DOS]
-	- oftpd (unfixed; bug #307957; low)
+	- oftpd <unfixed> (bug #307957; low)
 	NOTE: CVE id requested from mitre
 CAN-2005-2238 (ftpd in IBM AIX 5.1, 5.2 and 5.3 allows remote authenticated
users to ...)
 	NOTE: not-for-us (AIX)
@@ -2953,7 +2953,7 @@
 	{DSA-761-2}
 	- heartbeat 1.2.3-12 (medium)
 CAN-2005-2230 (Electronic Mail Operator (elmo) 1.3.2-r1 and earlier creates the
...)
-	- elmo (unfixed; bug #318291; medium)
+	- elmo <unfixed> (bug #318291; medium)
 	NOTE: upload to unstable still hasn''t occurred (2005-09-18)
 CAN-2005-2229 (Blog Torrent 0.92 and earlier stores sensitive files under the
web ...)
 	NOTE: not-for-us (Blog Torrent)
@@ -2986,7 +2986,7 @@
 CAN-2005-2215 (Cross-site scripting (XSS) vulnerability in MediaWiki before
1.4.x ...)
 	NOTE: not-for-us (MediaWiki)
 CAN-2005-2214 (apt-setup in Debian GNU/Linux installs the apt.conf file with
insecure ...)
-	- base-config (unfixed; bug #305142; low)
+	- base-config <unfixed> (bug #305142; low)
 CAN-2005-2213 (Buffer overflow in the mms_interp_header function in mms.c in
MMS ...)
 	NOTE: not-for-us (MMS Ripper)
 CAN-2005-2212 (Backup Manager 0.5.8a creates an archive repository with world
...)
@@ -3353,19 +3353,19 @@
 CAN-2005-2099 (The Linux kernel before 2.6.12.5 does not properly destroy a
keyring ...)
 	{DTSA-16-1}
 	NOTE: 2.6.8 and 2.4.27 not affected
-	- linux-2.6 2.6.12-3 (unfixed; bug #323039; medium)
+	- linux-2.6 2.6.12-3 <unfixed> (bug #323039; medium)
 CAN-2005-2098 (The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel
before ...)
 	{DTSA-16-1}
 	NOTE: 2.6.8 and 2.4.27 not affected
-	- linux-2.6 2.6.12-3 (unfixed; bug #323039; medium)
+	- linux-2.6 2.6.12-3 <unfixed> (bug #323039; medium)
 CAN-2005-2097 (xpdf and kpdf do not properly validate the
&quot;loca&quot; table in PDF files, ...)
 	{DSA-780-1}
 	- kdegraphics 4:3.4.2-1 (bug #322458; low)
 	- xpdf 3.00-15 (bug #322462; low)
 	NOTE: tetex-bin not affected re bug #322467
-	- gpdf (unfixed; low)
+	- gpdf <unfixed> (low)
 	NOTE: only affects cupsys source package, not used in binary
-	- cupsys (unfixed; bug #324464; unimportant)
+	- cupsys <unfixed> (bug #324464; unimportant)
 	- poppler 0.4.0-1 (low)
 CAN-2005-2096 (Buffer overflow in zlib 1.2 and later versions allows remote
attackers ...)
 	{DSA-797-1 DSA-740-1}
@@ -3376,18 +3376,18 @@
 	NOTE: exploitability using this hole.
 	- dpkg 1.13.11 (bug #317967; medium)
 	- zsync 0.4.0-2 (medium)
-	- dump (unfixed; bug #317966; medium)
+	- dump <unfixed> (bug #317966; medium)
 	- aide 0.10-6.1.1 (bug #317523; medium)
-	- amd64-libs (unfixed; bug #317970; medium)
-	- ia32-libs (unfixed; bug #317971; medium)
+	- amd64-libs <unfixed> (bug #317970; medium)
+	- ia32-libs <unfixed> (bug #317971; medium)
 	NOTE: dar-static claimed not used on untrusted input by maintainer in #317989
 	- bacula 1.36.3-2 (medium)
 	- sash 3.7-6 (medium)
 	- libphysfs-1.0-0 1.0.0-5 (medium)
-	- oops (unfixed; bug #318097; medium)
+	- oops <unfixed> (bug #318097; medium)
 	- rpm 4.0.4-31.1 (bug #318099; medium)
 	- rageircd 2.0.0-3sid1 (medium)
-	- systemimager-ssh (unfixed; bug #318101; unimportant)
+	- systemimager-ssh <unfixed> (bug #318101; unimportant)
 	- texmacs 1:1.0.5-3 (bug #318100; medium)
 	- zlib 1:1.2.2-7 (medium)
 	NOTE: fixed in experimental in 1:1.0.5.6-1, not yet in sid
@@ -3545,7 +3545,7 @@
 CAN-2002-1977 (Network Associates PGP 7.0.4 and 7.1 does not time out according
to ...)
 	NOTE: not-for-us (Proprietary PGP)
 CAN-2002-1976 (ifconfig, when used on the Linux kernel 2.2 and later, does not
report ...)
-	- net-tools (unfixed; unimportant)
+	- net-tools <unfixed> (unimportant)
 	NOTE: This seems to be a misunderstanding of what the PROMISC flag
 	NOTE: is about.  ifconfig reports properly when it is set using
 	NOTE: "ifconfig promisc".
@@ -3896,7 +3896,7 @@
 CAN-2002-1806 (Cross-site scripting (XSS) vulnerability in Drupal 4.0.0 allows
remote ...)
 	NOTE: not-for-us (Drupal)
 CAN-2002-1805 (Cross-site scripting (XSS) vulnerability in DaCode 1.2.0 allows
remote ...)
-	- dacode (unfixed; bug #322605; low)
+	- dacode <unfixed> (bug #322605; low)
 CAN-2002-1804 (Cross-site scripting (XSS) vulnerability in NPDS 4.8 allows
remote ...)
 	NOTE: not-for-us (NPDS)
 CAN-2002-1803 (Cross-site scripting (XSS) vulnerability in PHP-Nuke 6.0 allows
remote ...)
@@ -4109,7 +4109,7 @@
 CAN-2005-1976
 	NOTE: reserved
 CAN-2002-1782 (The default configuration of University of Washington IMAP
daemon ...)
-	- uw-imapd (unfixed; bug #315499; low)
+	- uw-imapd <unfixed> (bug #315499; low)
 CAN-2002-1781 (Multiple buffer overflows in DeleGate 7.7.0 through 7.8.1 allow
remote ...)
 	NOTE: not-for-us (DeleGate)
 CAN-2002-1780 (BPM Studio Pro 4.2 by ALCATech GmbH includes a webserver that
allows a ...)
@@ -4386,7 +4386,7 @@
 CAN-2001-1484 (Alcatel ADSL modems allow remote attackers to access the Trivial
File ...)
 	NOTE: not-for-us (Alcatel hardware issue)
 CAN-2001-1483 (One-Time Passwords In Everything (a.k.a OPIE) 2.32 and 2.4
allows ...)
-	- libpam-opie (unfixed; bug #112279; low)
+	- libpam-opie <unfixed> (bug #112279; low)
 CAN-2001-1482 (SQL injection vulnerability in bb_memberlist.php for phpBB 1.4.2
...)
 	NOTE: phpbb was initially uploaded as version 2 or phpbb has been removed now
 CAN-2001-1481 (Xitami 2.4 through 2.5 b4 stores the Administrator password in
...)
@@ -4713,7 +4713,7 @@
 	- zoo 2.10-4 (low; bug #309594)
 CAN-2005-2350 [Cross Site Scripting in websieve]
 	NOTE: reserved
-	- websieve (unfixed; bug #311838; low)
+	- websieve <unfixed> (bug #311838; low)
 	NOTE: second half of bug suggets lack of escaping of user data
 	NOTE: could be used to compromise program somehow
 	NOTE: that is not covered by the CAN though due to vagueness
@@ -4871,7 +4871,7 @@
 	NOTE: linux-2.6 not affected (already fixed)
 	- kernel-source-2.4.27 2.4.27-11 (unknown)
 CAN-2005-1766 (Heap-based buffer overflow in rtffplin.cpp in RealPlayer 10.5
...)
-	- helix-player 1.0.5 (unfixed; bug #316276; high)
+	- helix-player 1.0.5 <unfixed> (bug #316276; high)
 	NOTE: Helix Player is affected according to:
 	NOTE: <http://service.real.com/help/faq/security/050623_player/EN/>
 CAN-2005-1765 (syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
platform, ...)
@@ -4899,7 +4899,7 @@
 	- linux-2.6 2.6.12-1 (medium)
 	- kernel-source-2.6.11 2.6.11-6 (medium)
 	- kernel-source-2.6.8 2.6.8-17
-	- kernel-source-2.4.27 (unfixed; low)
+	- kernel-source-2.4.27 <unfixed> (low)
 CAN-2005-1760 (sysreport 1.3.15 and earlier includes contents of the up2date
file in ...)
 	NOTE: not-for-us (sysreport)
 CAN-2005-1759 (Race condition in shtool 2.0.1 and earlier allows local users to
...)
@@ -5022,7 +5022,7 @@
 	- moodle 1.4.4.dfsg.1-3
 CAN-2005-2351 [Minor DoS condition in mutt due to preditable tempfiles]
 	NOTE: reserved
-	- mutt (unfixed; bug #311296; low)
+	- mutt <unfixed> (bug #311296; low)
 CAN-2005-XXXX [gforge arbitrary code execution through viewFile.php]
 	NOTE: viewFile.php has been removed along with other files in -26, so Debian
is
 	NOTE: no longer affected.
@@ -5121,7 +5121,7 @@
 CAN-2005-1707 (The fn_show_postinst function in Gentoo webapp-config before
1.10-r14 ...)
 	NOTE: not-for-us (Gentoo)
 CAN-2005-1706 (Unknown vulnerability in MailScanner 4.41.3 and earlier, related
to ...)
-	- mailscanner (unfixed; bug #310774; low)
+	- mailscanner <unfixed> (bug #310774; low)
 CAN-2005-1705 (gdb before 6.3 searches the current working directory to load
the ...)
 	- gdb 6.3-6
 CAN-2005-1704 (Integer overflow in the Binary File Descriptor (BFD) library for
gdb ...)
@@ -6463,7 +6463,7 @@
 	- maradns 1.0.27-1
 CAN-2005-2352 [Temp file races in gs-gpl addons scripts]
 	NOTE: reserved
-	- gs-gpl (unfixed; bug #291373; low)
+	- gs-gpl <unfixed> (bug #291373; low)
 CAN-2005-XXXX [Possible SQL injection in freeradius]
 	- freeradius 1.0.2-4
 CAN-2005-2353 (run-mozilla.sh in Thunderbird, with debugging enabled, allows
local ...)
@@ -6473,14 +6473,14 @@
 CAN-2005-XXXX [Logging bypassing through SIGHUP in syslog-ng]
 	- syslog-ng 1.6.5-2.1
 CAN-2005-XXXX [trackballs: Follows symlinks as gid games]
-	- trackballs (unfixed; bug #302454; medium)
+	- trackballs <unfixed> (bug #302454; medium)
 	NOTE: CVE request sent to mitre
 	TODO: check possibility of exploitation via scripting language,
 	TODO: as mentioned in the bug report as a separate issue
 CAN-2005-XXXX [Less secure default setting in pwgen or the lack documentation
about it]
 	- pwgen 2.04-1
 CAN-2005-XXXX [Insecure handling of gpg passphrases in gabber]
-	- gabber (unfixed; bug #177776; low)
+	- gabber <unfixed> (bug #177776; low)
 CAN-2005-1470 (Multiple unknown vulnerabilities in the (1) TZSP, (2) MGCP, (3)
ISUP, ...)
 	- ethereal 0.10.10-2sarge2
 CAN-2005-1469 (Unknown vulnerability in the GSM dissector in Ethereal before
0.10.11 ...)
@@ -6532,12 +6532,12 @@
 	NOTE: reserved
 	NOTE: have not checked to see which security holes are in it exactly
 	NOTE: Has been removed from Sarge
-	- nvu (unfixed; bug #306822; medium)
+	- nvu <unfixed> (bug #306822; medium)
 CAN-2005-XXXX [eskuel: arbitrary file retreiving]
 	- eskuel 1.0.5-3.1 (low)
 CAN-2005-2356 [eskuel: No authentication at all]
 	NOTE: reserved
-	- eskuel (unfixed; bug #163653; low)
+	- eskuel <unfixed> (bug #163653; low)
 CAN-2005-XXXX [Buffer overflow in elog''s header buffer]
 	- elog 2.5.7+r1558-3
 CAN-2005-XXXX [Unspeficied security issue in ipsec-tool''s single DES
support]
@@ -6998,7 +6998,7 @@
 CAN-2005-XXXX [Multiple security problems in Quake 2]
 	NOTE: this release added lots of warnings about the security problems
 	- quake2 1:0.3-1.1
-	- quake2 (unfixed; bug #280573; low)
+	- quake2 <unfixed> (bug #280573; low)
 	NOTE: CVE id requested from mitre
 CAN-2005-1245 (Cross-site scripting (XSS) vulnerability in MediaWiki before
1.4.2, ...)
 	NOTE: not-for-us (MediaWiki)
@@ -7034,7 +7034,7 @@
 CAN-2005-1230 (Directory traversal vulnerability in Yawcam 0.2.5 allows remote
...)
 	NOTE: not-for-us (Yawcan)
 CAN-2005-1229 (Directory traversal vulnerability in cpio 2.6 and earlier allows
...)
-	- cpio (unfixed; bug #306693; medium)
+	- cpio <unfixed> (bug #306693; medium)
 CAN-2005-1228 (Directory traversal vulnerability in gunzip -N in gzip 1.2.4
through ...)
 	{DSA-752-1}
 	- gzip 1.3.5-10
@@ -7407,7 +7407,7 @@
 	NOTE: not-for-us (Free BSD)
 CAN-2005-1125 (Race condition in libsafe 2.0.16 and earlier, when running in
...)
 	NOTE: Has been removed from Sarge
-	- libsafe (unfixed; bug #305070; medium)
+	- libsafe <unfixed> (bug #305070; medium)
 CAN-2005-1124 (Unknown vulnerability in the libgss Generic Security Services
Library ...)
 	NOTE: not-for-us (Solaris)
 CAN-2005-1123 (Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to
cause ...)
@@ -7417,11 +7417,11 @@
 CAN-2005-1121 (Format string vulnerability in the my_xlog function in lib.c for
Oops! ...)
 	{DSA-726-1}
 	NOTE: Not part of Sarge due to FTBFS on ia64 and alpha
-	- oops (unfixed; bug #307360; high)
+	- oops <unfixed> (bug #307360; high)
 CAN-2005-1120 (Multiple cross-site scripting (XSS) vulnerabilities in IlohaMail
...)
-	- ilohamail (unfixed; bug #304525; medium)
+	- ilohamail <unfixed> (bug #304525; medium)
 CAN-2005-1119 (Sudo VISudo 1.6.8 and earlier allows local users to corrupt
arbitrary ...)
-	- sudo (unfixed; bug #283161; low)
+	- sudo <unfixed> (bug #283161; low)
 CAN-2005-1118 (Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in
the ...)
 	NOTE: not-for-us (RSA authentication agent)
 CAN-2005-1117 (PHP remote code injection vulnerability in index.php in ...)
@@ -7437,7 +7437,7 @@
 CAN-2005-1112 (IBM WebSphere Application Server 6.0 and earlier, when sharing
the ...)
 	NOTE: not-for-us (IBM Websphere)
 CAN-2005-1111 (Race condition in cpio 2.6 and earlier allows local users to
modify ...)
-	- cpio (unfixed; bug #305372; low)
+	- cpio <unfixed> (bug #305372; low)
 CAN-2005-1110 (Stack-based buffer overflow in the RespondeHTTPPendiente
function in ...)
 	NOTE: not-for-us (Sumus web server)
 CAN-2005-1109 (The filtering of URLs in JunkBuster before 2.0.2-r3 allows
remote ...)
@@ -7458,7 +7458,7 @@
 	NOTE: not-for-us (Windows)
 CAN-2005-1105 (Directory traversal vulnerability in the
MimeBodyPart.getFileName ...)
 	NOTE: api vulnerablity
-	- libgnumail-java (unfixed; bug #304712; low)
+	- libgnumail-java <unfixed> (bug #304712; low)
 CAN-2005-1104 (Multiple cross-site scripting (XSS) vulnerabilities in Centra 7
...)
 	NOTE: not-for-us (Centra)
 CAN-2005-1103 (Sygate Security Agent (SSA) in Sygate Secure Enterprise 3.5
through ...)
@@ -7597,7 +7597,7 @@
 CAN-2005-1040 (Multiple unknown vulnerabilities in netapplet in Novell Linux
Desktop ...)
 	NOTE: Debian is not affected; see bug # 310833
 CAN-2005-1039 (Race condition in Core Utilities (coreutils) 5.2.1, when (1)
mkdir, ...)
-	- coreutils (unfixed; bug #304556; low)
+	- coreutils <unfixed> (bug #304556; low)
 CAN-2005-1038 (crontab in Vixie cron 4.1, when running with the -e option,
allows ...)
 	NOTE: long fixed in Debian''s cron
 CAN-2005-1037 (Unknown vulnerability in AIX 5.3.0, when configured as an NIS
client, ...)
@@ -7925,7 +7925,7 @@
 CAN-2005-0894 (OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow
local ...)
 	- openmosixview 1.5-7
 CAN-2005-0893 (modes.c in smail 3.2.0.120 implements signal handlers with
certain ...)
-	- smail (unfixed; bug #301428; medium)
+	- smail <unfixed> (bug #301428; medium)
 	NOTE: no patch known at this time.
 CAN-2005-0892 (Buffer overflow in smail 3.2.0.120 allows remote attackers or
local ...)
 	{DSA-722-1}
@@ -7958,7 +7958,7 @@
 CAN-2002-1648 (Cross-site request forgery (CSRF) vulnerability in compose.php
in ...)
 	- squirrelmail 1:1.2.3
 CAN-2002-1647 (The quick login feature in Slash Slashcode does not redirect the
user ...)
-	- slash (unfixed; bug #160579; low)
+	- slash <unfixed> (bug #160579; low)
 CAN-2002-1646 (SSH Secure Shell for Servers 3.0.0 to 3.1.1 allows remote
attackers to ...)
 	NOTE: not-for-us (commercial ssh)
 CAN-2002-1645 (Buffer overflow in the URL catcher feature for SSH Secure Shell
for ...)
@@ -8163,9 +8163,9 @@
 CAN-2005-0839 (Linux kernel 2.6 before 2.6.11 does not restrict access to the
N_MOUSE ...)
 	- kernel-source-2.6.8 2.6.8-16
 CAN-2005-0838 (Multiple buffer overflows in the XSL parser for IceCast 2.20 may
allow ...)
-	- icecast2 (unfixed; bug #301368; low)
+	- icecast2 <unfixed> (bug #301368; low)
 CAN-2005-0837 (IceCast 2.20 allows remote attackers to bypass the XSL parser
and ...)
-	- icecast2 (unfixed; bug #301368; low)
+	- icecast2 <unfixed> (bug #301368; low)
 CAN-2005-0836 (Argument injection vulnerability in Java Web Start for J2SE
1.4.2 up ...)
 	NOTE: not-for-us (Java Web Start for proprietary Sun Java)
 CAN-2005-0835 (The SNMP service in the Belkin 54G (F5D7130) wireless router
allows ...)
@@ -9374,8 +9374,8 @@
 	NOTE: not-for-us (Thomson cable modem)
 CAN-2005-0488 (Certain BSD-based Telnet clients, including those used on
Solaris and ...)
 	TODO: check heimdal, netkit-telnet-ssl
-	- krb4 (unfixed; low)
-	- krb5 (unfixed; low)
+	- krb4 <unfixed> (low)
+	- krb5 <unfixed> (low)
 	- netkit-telnet not-affected (netkit-telnet is not affected)
 CAN-2004-1639 (Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913
allows ...)
 	NOTE: This is not a real security issue; it just describes the fact that the
Gecko
@@ -9431,7 +9431,7 @@
 	NOTE: not-for-us (Tonecast)
 CAN-2004-1617 (Lynx allows remote attackers to cause a denial of service
(infinite ...)
 	NOTE: This is fixed in lynx-cur, maybe a fix can be extracted from there
-	- lynx (unfixed; bug #296340; low)
+	- lynx <unfixed> (bug #296340; low)
 CAN-2004-1616 (Links allows remote attackers to cause a denial of service
(memory ...)
 	- links 0.99+1.00pre12-1
 CAN-2004-1615 (Opera allows remote attackers to cause a denial of service
(invalid ...)
@@ -9783,7 +9783,7 @@
 	NOTE: The vulnerable code has been removed from the kernel in favor of a
better
 	NOTE: fix between 2.6.11 and 2.6.12, see
 	NOTE:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563d82"
-	- kernel-source-2.6.8 (unfixed; bug #295949; high)
+	- kernel-source-2.6.8 <unfixed> (bug #295949; high)
 	- linux-2.6 not-affected 
 CAN-2005-0448 (Race condition in the rmtree function in File::Path.pm in Perl
before ...)
 	{DSA-696-1}
@@ -9874,7 +9874,7 @@
 	NOTE: not-for-us (Openconf)
 CAN-2005-0406 (A design flaw in image processing software that modifies JPEG
images ...)
 	TODO: check all softwares that modifies JPEG images in Debian...
-	- imagemagick (unfixed; bug #298051; low)
+	- imagemagick <unfixed> (bug #298051; low)
 CAN-2005-0405
 	NOTE: reserved
 CAN-2005-0404 (KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email
...)
@@ -9883,7 +9883,7 @@
 	NOTE: see http://www.securiteam.com/unixfocus/5GP0B0AFFE.html
 	NOTE: see http://secunia.com/advisories/14925
 	NOTE: kde maintainers informed of it by security team
-	- kdepim (unfixed; bug #305601; medium)
+	- kdepim <unfixed> (bug #305601; medium)
 	NOTE: On woody, kmail is part of kdenetwork, but there is no GnuPG
 	NOTE: support, so this issue is not very important.
 CAN-2005-0403 (init_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat
...)
@@ -9967,7 +9967,7 @@
 CAN-2005-0372 (Directory traversal vulnerability in gftp 2.0.18 and earlier for
GTK+ ...)
 	{DSA-686-1}
 CAN-2005-0371 (Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0
and ...)
-	- armagetron (unfixed; bug #296840; low)
+	- armagetron <unfixed> (bug #296840; low)
 CAN-2005-0370 (Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0
and ...)
 	- armagetron 0.2.7.0-1
 CAN-2005-0369 (Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0
earlier ...)
@@ -10017,7 +10017,7 @@
 	NOTE: checked inetutils 2:1.4.2+20040207-4; not vulnerable and its tftpd is
not shipped
 	NOTE: atftp checks h_length
 	NOTE: netkit-tftp not vulnerable
-	- tftpd-hpa (unfixed; bug #295297; unimportant)
+	- tftpd-hpa <unfixed> (bug #295297; unimportant)
 	NOTE: The address length comes from libc, not the network.
 CAN-2004-1484 (Format string vulnerability in the _msg function in error.c in
socat ...)
 	- socat 1.4.0.3-1
@@ -10985,7 +10985,7 @@
 	- kdegraphics 3.3.2-2
 	- tetex-bin 2.0.2-26
 	NOTE: only affects source package, not used in binary
-	- cupsys (unfixed; bug #324459; unimportant)
+	- cupsys <unfixed> (bug #324459; unimportant)
 CAN-2005-0063 (The document processing application used by the Windows Shell in
...)
 	NOTE: not-for-us (Microsoft)
 CAN-2005-0062
@@ -11312,7 +11312,7 @@
 	NOTE: uml_net is only executable by users in group uml-net in Debian
 	NOTE: uml-utilities-20040406 does not seem to be vulnerable, tried exploit
 CAN-2004-1294 (The mget function in cmds.c for tnftp 20030825 allows remote FTP
...)
-	- tnftp (unfixed; bug #285902; medium)
+	- tnftp <unfixed> (bug #285902; medium)
 CAN-2004-1293 (Buffer overflow in the ReadFontTbl function in reader.c for ...)
 	NOTE: not-for-us (rtf2latex2e)
 CAN-2004-1292 (Buffer overflow in the parse_emelody function in parse_emelody.c
for ...)
@@ -12083,7 +12083,7 @@
 	NOTE: lvmcreate_initrd not in debian
 CAN-2004-0971 (The krb5-send-pr script in the kerberos5 (krb5) package in
Trustix ...)
 	NOTE: not shipped in deb
-	- krb5 (unfixed; bug #278271; low)
+	- krb5 <unfixed> (bug #278271; low)
 	- arla 0.36.2-11
 CAN-2004-0970 (The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip
package, as ...)
 	{DSA-588-1}
@@ -12095,7 +12095,7 @@
 	- libc6 2.3.2.ds1-19
 CAN-2004-0967 (The (1) pj-gs.sh, (2) ps2epsi , (3) pv.sh, and (4) sysvlp.sh
scripts ...)
 	- gs-common 0.3.6-0.1
-	- gs-gpl (unfixed; bug #291373; low)
+	- gs-gpl <unfixed> (bug #291373; low)
 	NOTE: ps2epsi hole present in gs-gpl, but not shipped in binary
 CAN-2004-0966 (The (1) autopoint and (2) gettextize scripts in the GNU gettext
...)
 	- gettext 0.14.1-6
@@ -12296,7 +12296,7 @@
 	{DSA-599-1 DSA-581-1 DSA-573-1}
 	- koffice 1:1.3.4-1
 	NOTE: only affects source package, not used in binary
-	- cupsys (unfixed; bug #324460; unimportant)
+	- cupsys <unfixed> (bug #324460; unimportant)
 CAN-2004-0887 (SUSE Linux Enterprise Server 9 on the S/390 platform does not
properly ...)
 	NOTE: waldi provided this info
 	- linux-kernel-image-2.6.8-s390 2.6.8-3
Secure testing commits - Sep 2005 - r2139 - data/CAN

[Secure-testing-commits] r2139 - data/CAN
