Author: jmm-guest Date: 2005-07-02 22:57:35 +0000 (Sat, 02 Jul 2005) New Revision: 1323 Modified: data/CAN/list Log: new drupal issues already fixed new mozillae dos not yet fixed new freebsd issue not yet fixed wordpress, apache, asterisk CANified lots of not-for-us lowered asterisk urgency, as it doesn''t run as root in Debian some older issues from 2004 already fixed Modified: data/CAN/list ==================================================================--- data/CAN/list 2005-07-02 22:10:35 UTC (rev 1322) +++ data/CAN/list 2005-07-02 22:57:35 UTC (rev 1323) @@ -1,30 +1,32 @@ CAN-2005-XXXX [cacti: Multiple further SQL injection, auth bypass and remote command execution issues] - cacti 0.8.6f-1 (high) -begin claimed by jmm CAN-2005-2116 (Unknown vulnerability in the third-party XML-RPC library in Drupal ...) - TODO: check + - drupal 4.5.4-1 CAN-2005-2115 (Soldier of Fortune II 1.02x and 1.03 allows remote attackers to cause ...) - TODO: check + NOTE: not-for-us (Soldier of Fortune) CAN-2005-2114 (Mozilla 1.7.8, Firefox 1.0.4 and Camino 0.8.4 allow remote attackers ...) - TODO: check + - mozilla-firefox (unfixed; low) + - mozilla (unfixed; low) +CAN-2005-XXXX [XSS, SQL injection and other issues in Wordpress] + - wordpress 1.5.1.3-1 CAN-2005-2113 (SQL injection vulnerability in the loginUser function in the XMLRPC ...) - TODO: check + NOTE: not-for-us (XOOPS) CAN-2005-2112 (Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 ...) - TODO: check + NOTE: not-for-us (XOOPS) CAN-2005-2111 (login.cgi in Community Link Pro Web Editor allows remote attackers to ...) - TODO: check + NOTE: not-for-us (Community Link Pro Web Editor) CAN-2005-2110 (WordPress 1.5.1.2 and earlier allows remote attackers to obtain ...) - TODO: check + - wordpress 1.5.1.3-1 CAN-2005-2109 (wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers ...) - TODO: check + - wordpress 1.5.1.3-1 CAN-2005-2108 (SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and ...) - TODO: check + - wordpress 1.5.1.3-1 CAN-2005-2107 (Multiple cross-site scripting (XSS) vulnerabilities in post.php in ...) - TODO: check + - wordpress 1.5.1.3-1 CAN-2005-2106 (Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 ...) - TODO: check + - drupal 4.5.4-1 CAN-2005-2105 (Cisco IOS 12.2T through 12.4 allows remote attackers to bypass ...) - TODO: check + NOTE: not-for-us (IOS) CAN-2005-2104 NOTE: reserved CAN-2005-2103 @@ -46,78 +48,77 @@ CAN-2005-2095 NOTE: reserved CAN-2005-2094 (Sun SunONE web server 6.1 SP1 allows remote attackers to poison the ...) - TODO: check + NOTE: not-for-us (Sun) CAN-2005-2093 (Oracle 9i Application Server (Oracle9iAS) 9.0.2 allows remote ...) - TODO: check + NOTE: not-for-us (Oracle) CAN-2005-2092 (BEA Systems WebLogic 8.1 SP1 allows remote attackers to poison the web ...) - TODO: check + NOTE: not-for-us (BEA WebLogic) CAN-2005-2091 (IBM WebSphere 5.1 and WebSphere 5.0 allows remote attackers to poison ...) - TODO: check + NOTE: not-for-us (Websphere) CAN-2005-2090 (Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) ...) TODO: check CAN-2005-2089 (Microsoft IIS 5.0 and 6.0 allows remote attackers to poison the web ...) - TODO: check + NOTE: not-for-us (Microsoft) CAN-2005-2088 (Apache 2.0.45 and 1.3.29 allows remote attackers to poison the web ...) - TODO: check + - apache (unfixed; bug #316173; medium) CAN-2005-2087 (Internet Explorer 6.0.2900.2180 on Windows XP allows remote attackers ...) - TODO: check + NOTE: not-for-us (Microsoft) CAN-2005-2086 (PHP remote file inclusion vulnerability in viewtopic.php in phpBB ...) - TODO: check + NOTE: phpbb versions in Debian not affected CAN-2005-2085 (Buffer overflow in Inframail Advantage Server Edition 6.0 through 6.7 ...) - TODO: check + NOTE: not-for-us (Inframail) CAN-2005-2084 (Cross-site scripting (XSS) vulnerability in SearchResults.aspx in ...) - TODO: check + NOTE: not-for-us (Community Forum) CAN-2005-2083 (Format string vulnerability in IMAP4 in IA eMailServer Corporate ...) - TODO: check + NOTE: not-for-us (IA eMailServer) CAN-2005-2082 (im_trbbs.cgi in imTRSET 1.02 and earlier allows remote attackers to ...) - TODO: check + NOTE: not-for-us (imTRSET) CAN-2005-2081 (Stack-based buffer overflow in the function that parses commands in ...) - TODO: check + - asterisk (unfixed; bug #315532; medium) CAN-2005-2080 (Unknown vulnerability in Remote Agent for Windows Servers (RAWS) in ...) - TODO: check + NOTE: not-for-us (Veritas Backup) CAN-2005-2079 (Heap-based buffer overflow in the Admin Plus Pack Option for VERITAS ...) - TODO: check + NOTE: not-for-us (Veritas Backup) CAN-2005-1932 (Lpanel 1.59 and earlier, and other versions before 1.597, allows ...) - TODO: check + NOTE: not-for-us (Lpanel) CAN-2005-1931 (GoodTech SMTP Server 5.14 allows remote attackers to cause a denial of ...) - TODO: check + NOTE: not-for-us (GoodTech SMTP Server) CAN-2004-2153 (Multiple unknown vulnerabilities in Real Estate Management Software ...) - TODO: check + NOTE: not-for-us (Real Estate Management Software) CAN-2004-2152 (Cross-site scripting (XSS) vulnerability in ''raw'' page output mode for ...) - TODO: check + NOTE: not-for-us (Mediawiki not yet in Debian) + TODO: track ITP: #217571, check CAN-2005-1245, CAN-2005-0536, CAN-2005-0535, CAN-2005-0534, CAN-2004-1405 CAN-2004-2151 (Chatman 1.1.1 RCL and earlier allows remote attackers to cause a ...) - TODO: check + NOTE: not-for-us (Chatman) CAN-2004-2150 (Nettica Corporation INTELLIPEER Email Server 1.01 displays different ...) - TODO: check + NOTE: not-for-us (INTELLIPEER Email Server) CAN-2004-2149 (Buffer overflow in the prepared statements API in libmysqlclient for ...) - TODO: check + - mysql-dfsg-4.1 4.1.5-1 CAN-2004-2148 (Unknown local vulnerability in the "change user" feature of Slava ...) - TODO: check + - fprobe-ng 1.1-1 + TODO: Check, whether fprobe is affected as well CAN-2004-2147 (Unknown versions of Symantec Norton AntiVirus and Microsoft Outlook ...) - TODO: check + NOTE: not-for-us (Symantec Antivirus) CAN-2004-2146 (CRLF injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows ...) - TODO: check + NOTE: not-for-us (MegaBBS) CAN-2004-2145 (SQL injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows ...) - TODO: check + NOTE: not-for-us (MegaBBS) CAN-2004-2144 (Baal Smart Forms before 3.2 allows remote attackers to bypass ...) - TODO: check + NOTE: not-for-us (Baal Smart Forms) CAN-2004-2143 (SQL injection vulnerability in the ReMOSitory module in Mambo Portal ...) - TODO: check + NOTE: not-for-us (Mambo Portal) CAN-2004-2142 (Unknown vulnerability in the remote tape support (remote.c) in the RMT ...) - TODO: check + - sdd 1.52-1 CAN-2004-2141 (Cross-site scripting (XSS) vulnerability in YaBBC.pl in YaBB 1 Gold ...) - TODO: check + NOTE: not-for-us (YaBB) CAN-2004-2140 (CRLF injection vulnerability in YaBB 1 Gold before 1.3.2 allows remote ...) - TODO: check + NOTE: not-for-us (YaBB) CAN-2004-2139 (Unknown vulnerability in Adminedit.pl YaBB 1 Gold before 1.3.2 allows ...) - TODO: check + NOTE: not-for-us (YaBB) CAN-2004-2138 (Cross-site scripting (XSS) vulnerability in AWSguest.php in ...) - TODO: check -end claimed by jmm + NOTE: not-for-us (MySQLGuest) CAN-2005-XXXX [proftpd: format string vulnerability in mod_sql''s SQLShowInfo] - proftpd 1.2.10-20 (medium) -CAN-2005-XXXX [XSS, SQL injection and other issues in Wordpress] - - wordpress 1.5.1.3-1 CAN-2005-XXXX [proftpd format string vulnerability in ftpshut] - proftpd 1.2.10-19 (medium) CAN-2005-2078 (BisonFTP Server V4R1 allows remote authenticated users to cause a ...) @@ -141,7 +142,7 @@ CAN-2005-2069 (pam_ldap and OpenLDAP, when connecting to a slave using TLS, does not ...) TODO: check CAN-2005-2068 (FreeBSD 4.x through 4.11 and 5.x through 5.4 allows remote attackers ...) - TODO: check + - kfreebsd-source (unfixed) CAN-2005-2067 (SQL injection vulnerability in article.asp in unknown versions of ...) NOTE: not-for-us (ASP Nuke) CAN-2005-2066 (SQL injection vulnerability in comment_post.asp in ASP Nuke 0.80 ...) @@ -586,8 +587,6 @@ TODO: check CAN-2000-1227 (Windows NT 4.0 and Windows 2000 hosts allow remote attackers to cause ...) TODO: check -CAN-2005-XXXX [HTTP request smuggling/spooing in apache2''s HTTP proxy mode] - - apache (unfixed; bug #316173; medium) CAN-2005-XXXX [Unspecified DoS vulnerability in dhcpcd] - dhcpcd 1:1.3.22pl4-22 (medium) CAN-2005-2053 (Just another flat file (JAF) CMS before 3.0 Final allows remote ...) @@ -610,8 +609,6 @@ NOTE: not-for-us (Duware) CAN-2005-XXXX [Insecure handling of tempfile for burning the backup in backup-manager] - backup-manager 0.5.8-2 (low) -CAN-2005-XXXX [Buffer overflow in Asterisk''s command parser] - - asterisk (unfixed; bug #315532; high) CAN-2005-2044 (Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 ...) NOTE: not-for-us (ATutor) CAN-2005-2043 (Directory traversal vulnerability in XAMPP before 1.4.14 allows remote ...) @@ -1229,7 +1226,6 @@ NOTE: not-for-us (Sun ONE) CAN-2005-1888 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 ...) NOTE: not-for-us (MediaWiki not yet in Debian) - TODO: track ITP: #217571, check CAN-2005-1245, CAN-2005-0536, CAN-2005-0535, CAN-2005-0534, CAN-2004-1405 CAN-2005-1887 (Unknown vulnerability in the Sun Solaris C library (libc and ...) NOTE: not-for-us (Solaris) CAN-2005-1886 (Cross-site scripting (XSS) vulnerability in view.php in YaPiG 0.92b, ...)