Secure testing commits - Sep 2005 - r2177 - data/CAN

Author: jmm-guest
Date: 2005-09-25 17:49:29 +0000 (Sun, 25 Sep 2005)
New Revision: 2177

Modified:
   data/CAN/list
Log:
adapt more older entries to the new syntax


Modified: data/CAN/list
==================================================================---
data/CAN/list	2005-09-25 17:44:41 UTC (rev 2176)
+++ data/CAN/list	2005-09-25 17:49:29 UTC (rev 2177)
@@ -510,8 +510,7 @@
 CAN-2005-2812 (man2web allows remote attackers to execute arbitrary commands
via -P ...)
 	NOT-FOR-US: man2web
 CAN-2005-2811 (Untrusted search path vulnerability in Net-SNMP 5.2.1.2 and
earlier, ...)
-	NOTE: This looks like a Portage-specific configuration flaw to mee, but please
double-check
-	NOTE: double-checked
+	- net-snmp <not-affected> (Gentoo Portage specific configuration flaw)
 CAN-2005-2810 (Multiple stack-based buffer overflows in urban before 1.5.3
allow ...)
 	NOT-FOR-US: urban game
 CAN-2005-2809 (silc daemon (silcd.c) in Secure Internet Live Conferencing
(SILC) 1.0 ...)
@@ -971,8 +970,7 @@
 CAN-2004-2474 (SQL injection vulnerability in PHPNews 1.2.3 allows remote
attackers ...)
 	NOT-FOR-US: PHPNews 
 CAN-2004-2473 (wmFrog weather monitor 0.1.6 allows local users to overwrite
arbitrary ...)
-	NOT-FOR-US: wmFrog 
-	NOTE: sent info to RFP #294352 
+	- wmfrog <itp> (bug #294352)
 CAN-2004-2472 (Agnitum Outpost Pro Firewall 2.1 allows remote attackers to
cause a ...)
 	NOT-FOR-US: Outpost Pro
 CAN-2004-2471 (SQL injection vulnerability in the sloth TCL script in
QuoteEngine ...)
@@ -1160,13 +1158,13 @@
 CAN-2003-1231 (Cross-site scripting (XSS) vulnerability in index.php in
ECW-Shop 5.5 ...)
 	NOT-FOR-US: ECW-Shop
 CAN-2003-1230 (The implementation of SYN cookies (syncookies) in FreeBSD 4.5
through ...)
-	NOTE: old freebsd
+	NOT-FOR-US: (FreeBSD)
+	NOTE: old freebsd, before it was introduced in Debian
 CAN-2003-1229 (X509TrustManager in (1) Java Secure Socket Extension (JSSE) in
SDK and ...)
 	NOT-FOR-US: Sun JSSE and JRE
 CAN-2005-2617 (The syscall32_setup_pages function in syscall32.c for Linux
kernel ...)
 	{DTSA-16-1}
-	NOTE: http://lists.debian.org/debian-kernel/2005/08/msg00991.html 
-	NOTE: amd64 specific DOS
+	NOTE: http://lists.debian.org/debian-kernel/2005/08/msg00991.html, amd64
specific DOS
 	- linux-2.6 2.6.12-6
 CAN-2005-2616 (Multiple PHP file include vulnerabilities in ezUpload 2.2 allow
remote ...)
 	NOT-FOR-US: ezUpload
@@ -1609,7 +1607,6 @@
 CAN-2005-2501 (Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2 allows
...)
 	NOT-FOR-US: Mac OS X
 CAN-2005-2500 (Buffer overflow in the xdr_xcode_array2 function in xdr.c in
Linux ...)
-	NOTE: Does not affect 2.6.8 or 2.4.27, fixed in current 2.6.12 kernels
 	- linux-2.6 2.6.12-1 (medium)
 CAN-2005-2499 (slocate before 2.7 does not properly process very long paths,
which ...)
 	- slocate <unfixed> (bug #324951; low)
@@ -1618,7 +1615,8 @@
 	- drupal 4.5.5-1 (bug #323347; high)
 	- phpgroupware 0.9.16.008-1 (bug #323349; high)
 	- egroupware 1.0.0.009.dfsg-1 (bug #323350; high)
-	TODO: phpwiki has disabled the XMLRPC in the last upload, it orphaned as well,
should be fixed anyway
+	- phpwiki <unfixed> (unimportant)
+	NOTE: phpwiki has disabled the XMLRPC in the last upload, it orphaned as well,
should be fixed anyway
 	- php4 4.3.10-16etch1 (bug #323366; high)
 	TODO: check php5
 CAN-2005-2497
@@ -1638,8 +1636,9 @@
 CAN-2005-2491 (Integer overflow in pcre_compile.c in Perl Compatible Regular
...)
 	{DSA-800-1 DTSA-10-1}
 	- pcre3 6.3-0.1etch1 (bug #324531; medium)
-	NOTE: gnumeric/goffice includes one as well; according to upstream not
exploitable in gnumeric,
-	NOTE: new copy will be included any way
+	- gnumeric <unfixed> (unimportant)
+	- goffice <unfixed> (unimportant)
+	NOTE: gnumeric/goffice includes one as well; not exploitable as affected code
not used
 	- python2.1 2.1.3dfsg-3 (medium)
 	- python2.2 2.2.3dfsg-4 (medium)
 	- python2.3 2.3.5-8 (medium)
@@ -1661,8 +1660,7 @@
 CAN-2005-XXXX [Inconsistent escaping of user supplied data in dbauthpgsql.c]
 	- dbmail-pgsql <unfixed> (bug #290833; medium)
 CAN-2005-XXXX [time delay of password check proves account existence to
attackers]
-	NOTE: unknown if really a bug; if it is it''s different than the
-	NOTE: previous ssh delay bugs
+	NOTE: unknown if really a bug; if it is it''s different than the
previous ssh delay bugs
 	- ssh <unfixed> (bug #314645; low)
 CAN-2005-2548 (vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to
cause a ...)
 	{DTSA-16-1}
@@ -1671,8 +1669,7 @@
 	NOTE: 2.6.12-1 contained a partially broken fix
 	- linux-2.6 2.6.12-6 (low)
 CAN-2005-XXXX [DoS by removal of default ACLs in ext2/ext3]
-	NOTE: Fixed in SVN for kernel-source-2.4.27 and 2.6.8, will probably result
-	NOTE: in a kernel DSA with other issues
+	NOTE: Fixed in SVN for kernel-source-2.4.27 and 2.6.8
 	TODO: Check, whether this is fixed in linux-2.6 SVN as well
 CAN-2005-XXXX [Unspecified buffer overflow in metar]
 	- metar 20050807.1-1 (unknown)
@@ -1720,18 +1717,16 @@
 	RESERVED
 CAN-2005-2459 (The huft_build function in inflate.c in the zlib routines in the
Linux ...)
 	{DTSA-16-1}
-	NOTE: 2.6.8 will be handled in DSA, 2.6.8 will soon be removed from sid
 	- linux-2.6 2.6.12-3 (bug #323173)
 	- kernel-source-2.4.27 2.4.27-11 (medium)
 CAN-2005-2458 (inflate.c in the zlib routines in the Linux kernel before
2.6.12.5 ...)
 	{DTSA-16-1}
-	NOTE: 2.6.8 will be handled in DSA, 2.6.8 will soon be removed from sid
 	- linux-2.6 2.6.12-3 (bug #323173; medium)
 	- kernel-source-2.4.27 2.4.27-11 (medium)
 CAN-2004-2301 (Eudora before 6.1.1 allows remote attackers to cause a denial of
...)
 	NOT-FOR-US: Eudora
 CAN-2004-2300 (Buffer overflow in snmpd in ucd-snmp 4.2.6 and earlier, when
installed ...)
-	NOTE: snmpd is neither setuid nor setgid in Debian
+	- net-snmp <not-affected> (snmpd is neither setuid nor setgid in Debian)
 CAN-2004-2299 (Buffer overflow in Omnicron OmniHTTPd 3.0a and earlier allows
remote ...)
 	NOT-FOR-US: Omnicron
 CAN-2004-2298 (Novell Internet Messaging System (NIMS) 2.6 and 3.0, and NetMail
3.1 ...)
@@ -1751,7 +1746,7 @@
 CAN-2002-2116 (Netgear RM-356 and RT-338 series SOHO routers allow remote
attackers ...)
 	NOT-FOR-US: Netgear RM-356 and RT-338 series SOHO routers
 CAN-2002-2115 (Cross-site scripting (XSS) vulnerability in Hyper NIKKI System
(HNS) ...)
-	NOTE: nor-for-us (Hyper NIKKI System (HNS) Lite)
+	NOT-FOR-US: Hyper NIKKI System (HNS) Lite
 CAN-2002-2114 (Artekopia Netjuke before 1.0 b7 allows remote attackers to
execute ...)
 	- netjuke 1.0b7
 CAN-2002-2113 (search.cgi in AGH HTMLsearch 1.0 allows remote attackers to
execute ...)
@@ -1784,7 +1779,7 @@
 CAN-2002-2100 (Microsoft Outlook 2002 allows remote attackers to embed bypass
the ...)
 	NOT-FOR-US: Microsoft
 CAN-2002-2099 (Buffer overflow in the GNU DataDisplay Debugger (DDD) 3.3.1
allows ...)
-	NOTE: ddd is not setuid/gid so not exploitable
+	- ddd <not-affected> (ddd is not setuid/gid so not exploitable)
 CAN-2002-2098 (Buffer overflow in axspawn.c in Axspawn-pam before 0.2.1a allows
...)
 	NOT-FOR-US: Axspawn-pam
 CAN-2002-2097 (The compression code in MaraDNS before 0.9.01 allows remote
attackers ...)
@@ -1930,7 +1925,6 @@
 CAN-2005-2432 (SQL injection vulnerability in PhpList allows remote attackers
to ...)
 	NOT-FOR-US: PhpList
 CAN-2005-2431 (The (1) lost password and (2) account pending features in GForge
4.5 ...)
-	NOTE: maintainer lacks time for backport/investigation for GForge 3.1 in
Debian
 	- gforge (bug #328224; unimportant)
 	NOTE: Direct flooding is possible as well in most circumstances.
 	NOTE: maintainer lacks time for backport/investigation for GForge 3.1 in
Debian
@@ -2085,7 +2079,7 @@
 CAN-2005-2378 (Oracle Reports allows remote attackers to read arbitrary files
via an ...)
 	NOT-FOR-US: Oracle Reports
 CAN-2005-2377 (nss_ldap 181 to versions before 213, as used in Mandrake
Corporate ...)
-	NOTE: appears to be Mandrake specfic
+	- libnss-ldap <not-affected> (Mandrake specfic vulnerability)
 CAN-2005-2376 (Buffer overflow in Race Driver 1.20 and earlier allows remote
...)
 	NOT-FOR-US: Race Driver
 CAN-2005-2375 (Format string vulnerability in Race Driver 1.20 and earlier
allows ...)
@@ -2234,7 +2228,7 @@
 CAN-2005-2299 (Multiple cross-site scripting (XSS) vulnerabilities in Simple
Message ...)
 	NOT-FOR-US: Simple Message Board
 CAN-2005-2298 (BitDefender Engine 1.6.1 and earlier does not properly scan all
...)
-	NOTE: BitDefender can be used by AMaViS but is not shipped in Debian
+	NOT-FOR-US: BitDefender can be used by AMaViS but is not shipped in Debian
 CAN-2005-2297 (Stack-based buffer overflow in TreeAction.do in Sybase EAServer
4.2.5 ...)
 	NOT-FOR-US: Sybase EAServer
 CAN-2005-2296 (YabbSE 1.5.5c allows remote attackers to obtain sensitive
information ...)
@@ -2320,8 +2314,7 @@
 	NOT-FOR-US: Ansel
 CAN-2004-2265 (UUDeview 0.5.20 and earlier handles temporary files insecurely
during ...)
 	- uudeview <unfixed> (bug #320541; medium)
-	TODO: check libconvert-uulib-perl
-	NOTE: Florian Weimer is looking at libconvert-uulib-perl
+	TODO: check libconvert-uulib-perl, Florian Weimer is looking at
libconvert-uulib-perl
 CAN-2004-2264 (** DISPUTED ** ...)
 	NOTE: less is not suid, explotability unlikely
 CAN-2004-2263 (SQL injection vulnerability in the valid function in fr_left.php
in ...)