Author: jmm-guest Date: 2005-04-05 21:46:22 +0000 (Tue, 05 Apr 2005) New Revision: 763 Modified: sarge-checks/CAN/list Log: Checked all unfixed fixes, some additional comments, one bug fixed, one more filed. Modified: sarge-checks/CAN/list ==================================================================--- sarge-checks/CAN/list 2005-04-05 20:07:10 UTC (rev 762) +++ sarge-checks/CAN/list 2005-04-05 21:46:22 UTC (rev 763) @@ -1,3 +1,6 @@ +CAN-2005-XXXX [Insecure tempfile handling in openwebmail CGI scripts] + NOTE: Not in testing, only sid + - openwebmail (unfixed; bug #291478) CAN-2005-XXXX [Linux kernel inproper shm_nopage() argument verification DoS] - kernel-source-2.6.8 (unfixed; bug #303177) CAN-2005-XXXX [Cross Site Scripting in phpmyadmin''s handling of the convcharsetparameter] @@ -1625,6 +1628,7 @@ CAN-2004-1618 (Vypress Tonecast 1.3 and earlier allows remote attackers to cause a ...) NOTE: not-for-us (Tonecast) CAN-2004-1617 (Lynx allows remote attackers to cause a denial of service (infinite ...) + TODO: This is fixed in lynx-cur, maybe a fix can be extracted from there - lynx (unfixed; bug #296340) CAN-2004-1616 (Links allows remote attackers to cause a denial of service (memory ...) - links 0.99+1.00pre12-1 @@ -1972,6 +1976,7 @@ NOTE: not-for-us (Sami HTTP Server) CAN-2005-0449 (The netfilter/iptables module in Linux before 2.6.8.1 allows remote ...) NOTE: According to Herbert Xu, 2.4 is not vulnerable : http://oss.sgi.com/archives/netdev/2005-01/msg01107.html + NOTE: Seems to be stuck with the ABI bump / debian-installer problem - kernel-source-2.6.8 (unfixed; bug #295949) CAN-2005-0448 (Race condition in the rmtree function in File::Path.pm in Perl before ...) {DSA-696-1} 
@@ -1984,6 +1989,7 @@ {DSA-688-1} - squid 2.5.8-3 CAN-2005-0445 (Cross-site scripting (XSS) vulnerability in Open WebMail 2.x allows ...) + NOTE: Not in testing, only sid - openwebmail (unfixed; bug #295756) CAN-2005-0444 (VMware before 4.5.2.8848-r5 searches for gdk-pixbuf shared libraries ...) NOTE: not-for-us (VMware) @@ -2075,9 +2081,8 @@ - mozilla-thunderbird 1.0.2-1 CAN-2005-0400 [ext2 mkdir() directory entry random kernel memory leak] NOTE: reserved - - kernel-source-2.4.27 (unfixed) + - kernel-source-2.4.27 (unfixed; bug #303294) - kernel-source-2.6.8 2.6.8-16 - NOTE: according to changelog, "Fix information leak in ext2." CAN-2005-0399 [GIF heap overflow parsing Netscape extension 2 in Mozilla] - mozilla-firefox 1.0.2-1 - mozilla-thunderbird 1.0.2-1 @@ -3736,7 +3741,7 @@ NOTE: Response from Marcus Meissner <meissner@suse.de> saying the patch was integrated in upstream 2.6.8 NOTE: on further clarification he said that further fixes to this patch were made after 2.6.8 so only NOTE: 2.6.10 is actually fixed, but 2.6.8 is not - - kernel-source-2.6.8 (unfixed; bug #300162) + - kernel-source-2.6.8-14 CAN-2004-1189 (The add_to_history function in svr_principal.c in libkadm5srv for MIT ...) {DSA-629-1} CAN-2004-1188 (The pnm_get_chunk function in xine 0.99.2 and earlier, and other ...)
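Review bot: In the @@ -1,3 +1,6 @@ hunk, the added "NOTE: Not in testing, only sid" is a point-in-time observation with no date, and the same line is repeated under CAN-2005-0445 in the @@ -1984,6 +1989,7 @@ hunk. If openwebmail later migrates to testing, both notes become silently wrong while the entries still read "unfixed". Suggest adding the date the check was made, or a TODO to recheck before release. The new entry also carries only the CAN-2005-XXXX placeholder, so bug #291478 is the only stable handle until an id is assigned.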
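Review bot: In the @@ -1625,6 +1628,7 @@ hunk, the TODO added under CAN-2004-1617 says the issue "is fixed in lynx-cur" without naming the lynx-cur version that carries the fix, so the claim cannot be checked from the list alone. Suggest recording the fixed lynx-cur version in the TODO, and noting whether the suggestion to extract the fix was passed on to bug #296340, since the lynx line stays "unfixed".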
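Review bot: In the @@ -1972,6 +1976,7 @@ hunk, the NOTE added under CAN-2005-0449 ("Seems to be stuck with the ABI bump / debian-installer problem") is hedged and has no reference, unlike the NOTE directly above it, which links its source. Suggest pointing to where the blocker is tracked (bug #295949 if that is where it was discussed) so a later reader can tell when the blocker is gone.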
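Review bot: In the @@ -2075,9 +2081,8 @@ hunk, deleting 'NOTE: according to changelog, "Fix information leak in ext2."' removes the only stated evidence for marking kernel-source-2.6.8 as fixed in 2.6.8-16 under CAN-2005-0400. The entry is still "reserved" with no public description, so that changelog quote is what ties the version to this issue. Suggest keeping the NOTE. Adding bug #303294 to the kernel-source-2.4.27 line is fine as is.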
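Review bot: In the @@ -3736,7 +3741,7 @@ hunk, the new line "- kernel-source-2.6.8-14" does not follow the "package version" form used elsewhere in the file (compare "- kernel-source-2.6.8 2.6.8-16"), so it reads as a package named kernel-source-2.6.8-14 with no version; "- kernel-source-2.6.8 2.6.8-14" was probably intended. The change also drops the reference to bug #300162 and leaves the three NOTE lines above it stating that 2.6.8 is not fixed and only 2.6.10 is, which now contradicts the entry. Suggest adding a NOTE that says what was backported in 2.6.8-14 and keeping the bug number for traceability.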