Author: jmm-guest Date: 2005-04-22 10:05:01 +0000 (Fri, 22 Apr 2005) New Revision: 890 Modified: sarge-checks/CAN/list Log: CANified xine-lib and egroupware Lots of not-for-us. Modified: sarge-checks/CAN/list ==================================================================--- sarge-checks/CAN/list 2005-04-22 09:18:28 UTC (rev 889) +++ sarge-checks/CAN/list 2005-04-22 10:05:01 UTC (rev 890) @@ -1,24 +1,24 @@ -begin claimed by jmm CAN-2005-1204 (Desktop Rover 3.0, and possibly earlier versions, allows remote ...) - TODO: check + NOTE: not-for-us (Desktop Rover) CAN-2005-1203 (Multiple SQL injection vulnerabilities in index.php in eGroupware ...) - TODO: check + - egroupware 1.0.0.007-2.dfsg-1 CAN-2005-1202 (Multiple cross-site scripting (XSS) vulnerabilities in eGroupware ...) - TODO: check + - egroupware 1.0.0.007-2.dfsg-1 CAN-2005-1201 (Multiple directory traversal vulnerabilities in AZBB before 1.0.08 ...) - TODO: check + NOTE: not-for-us (AZbb) CAN-2005-1200 (PHP remote code injection vulnerability in main_index.php in AZ ...) - TODO: check + NOTE: not-for-us (AZbb) CAN-2005-1199 (SQL injection vulnerability in printthread.php in UBB.Threads allows ...) - TODO: check + NOTE: not-for-us (UBB.threads) CAN-2005-1198 (Directory traversal vulnerability in apexec.pl for Anaconda Foundation ...) - TODO: check + NOTE: not-for-us (Anaconda Foundation Directory) CAN-2005-1197 (SQL injection vulnerability in the ...) - TODO: check + NOTE: not-for-us (Oracle) CAN-2005-1196 (SQL injection vulnerability in kb.php in the Knowledge Base module for ...) - TODO: check + NOTE: not-for-us (PHPBB Knowledgebase Mod) CAN-2005-1195 (Multiple heap-based buffer overflows in the code used to handle (1) ...) - TODO: check + NOTE: The vulnerable code is present in xine-lib as well, MPlayer is not in Debian + - xine-lib (unfixed; bug #305343) CAN-2005-1194 NOTE: reserved CAN-2005-1193 @@ -26,143 +26,144 @@ CAN-2005-1192 NOTE: reserved CAN-2004-1776 (Cisco IOS 12.1(3) and 12.1(3)T allows remote attackers to read and ...) - TODO: check + NOTE: not-for-us (Cisco) CAN-2004-1775 (Cisco VACM (View-based Access Control MIB) for Catalyst Operating ...) - TODO: check + NOTE: not-for-us (Cisco) CAN-2003-1132 (The DNS server for Cisco Content Service Switch (CSS) 11000 and 11500, ...) - TODO: check + NOTE: not-for-us (Cisco) CAN-2001-1476 (SSH before 2.0, with RC4 encryption and the "disallow NULL passwords" ...) - TODO: check + NOTE: not-for-us (Commercial SSH) CAN-2001-1475 (SSH before 2.0, when using RC4 and password authentication, allows ...) - TODO: check + NOTE: not-for-us (Commercial SSH) CAN-2001-1474 (SSH before 2.0 disables host key checking when connecting to the ...) - TODO: check + NOTE: not-for-us (Commercial SSH) CAN-2001-1473 (The SSH-1 protocol allows remote servers conduct man-in-the-middle ...) - TODO: check + NOTE: SSH1 protocol design flaw issue, proper fix is to use the SSH2 protocol + TODO: check whether that''s properly documented CAN-2001-1472 (SQL injection vulnerability in prefs.php in phpBB 1.4.0 and 1.4.1 ...) TODO: check CAN-2001-1471 (prefs.php in phpBB 1.4.0 and earlier allows remote authenticated users ...) TODO: check CAN-2001-1470 (The IDEA cipher as implemented by SSH1 does not protect the final ...) + NOTE: SSH1 protocol design flaw issue, proper fix is to use the SSH2 protocol TODO: check CAN-2001-1469 (The RC4 stream cipher as used by SSH1 allows remote attackers to ...) + NOTE: SSH1 protocol design flaw issue, proper fix is to use the SSH2 protocol TODO: check CAN-2001-1468 (PHP remote code injection vulnerability in checklogin.php in ...) - TODO: check + NOTE: not-for-us (phpSecurePages) CAN-2001-1467 (mkpasswd in expect 5.2.8, as used by Red Hat Linux 6.2 through 7.0, ...) TODO: check CAN-2001-1466 (Buffer overflow in VanDyke SecureCRT before 3.4.2, when using the ...) - TODO: check + NOTE: not-for-us (VanDyke SecureCRT) CAN-2001-1465 (SurfControl SuperScout only filters packets containing both an HTTP ...) - TODO: check + NOTE: not-for-us (SurfControl SuperScout) CAN-2001-1464 (Crystal Reports, when displaying data for a password protected ...) - TODO: check + NOTE: not-for-us (Crystal Reports) CAN-2001-1463 (The remote admimnistration client for RhinoSoft Serv-U 3.0 sends the ...) - TODO: check + NOTE: not-for-us (RhinoSoft Serv-U) CAN-2001-1462 (WebID in RSA Security SecurID 5.0 as used by ACE/Agent for Windows, ...) - TODO: check + NOTE: not-for-us (RSA Security SecurID) CAN-2001-1461 (Directory traversal vulnerability in WebID in RSA Security SecurID 5.0 ...) - TODO: check + NOTE: not-for-us (RSA Security SecurID) CAN-2001-1460 (SQL injection vulnerability in article.php in PostNuke 0.62 through ...) - TODO: check + NOTE: not-for-us (PostNuke) CAN-2001-1459 (OpenSSH 2.9 and earlier does not initiate a Pluggable Authentication ...) - TODO: check + - openssh 3.0.1p1-1 CAN-2001-1458 (Directory traversal vulnerability in Novell GroupWise 5.5 and 6.0 ...) - TODO: check + NOTE: not-for-us (Novell Groupwise) CAN-2001-1457 (Buffer overflow in CrazyWWWBoard 2000p4 and 2000LEp5 allows remote ...) - TODO: check + NOTE: not-for-us (CrazyWWWBoard) CAN-2001-1456 (Buffer overflow in the (1) smap/smapd and (2) CSMAP daemons for ...) - TODO: check + NOTE: not-for-us (Gauntlet Firewall) CAN-2001-1455 (Netegrity SiteMinder 3.6 through 4.5.1 allows remote attackers to ...) - TODO: check + NOTE: not-for-us (Netegrity SiteMinder) CAN-2001-1454 (Buffer overflow in MySQL before 3.23.33 allows remote attackers to ...) - TODO: check + - mysql-dfsg 3.23.33-1 CAN-2001-1453 (Buffer overflow in libmysqlclient.so in MySQL 3.23.33 and earlier ...) - TODO: check + - mysql-dfsg 3.23.33-1 CAN-2001-1452 (By default, DNS servers on Windows NT 4.0 and Windows 2000 Server ...) - TODO: check + NOTE: not-for-us (Windows) CAN-2001-1451 (Memory leak in the SNMP LAN Manager (LANMAN) MIB extension for ...) - TODO: check + NOTE: not-for-us (Windows) CAN-2001-1450 (Microsoft Internet Explorer 5.0 through 6.0 allows attackers to cause ...) - TODO: check + NOTE: not-for-us (Windows) CAN-2001-1449 (The default installation of Apache before 1.3.19 on Mandrake Linux 7.1 ...) - TODO: check + NOTE: not-for-us (Mandrake specific packaging flaw) CAN-2001-1448 (Magic eDeveloper Enterprise Edition 8.30-5 and earlier allows local ...) - TODO: check + NOTE: not-for-us (Magic eDeveloper) CAN-2001-1447 (NetInfo Manager for Mac OS X 10.0 through 10.1 allows local users to ...) - TODO: check + NOTE: not-for-us (Windows) CAN-2001-1446 (Find-By-Content in Mac OS X 10.0 through 10.0.4 creates world-readable ...) - TODO: check + NOTE: not-for-us (MacOS X) CAN-2001-1445 (Unknown vulnerability in the SMTP server in Lotus Domino 5.0 through ...) - TODO: check + NOTE: not-for-us (Lotus Domino) CAN-2001-1444 (The Kerberos Telnet protocol, as implemented by KTH Kerberos IV and ...) TODO: check CAN-2001-1443 (KTH Kerberos IV and Kerberos V (Heimdal) for Telnet clients do not ...) TODO: check CAN-2001-1442 (Buffer overflow in innfeed for ISC InterNetNews (INN) before 2.3.0 ...) - TODO: check + - inn2 2.3.3+20020922-1 + TODO: Verify whether this applies to inn as well CAN-2001-1441 (Cross-site scripting (XSS) vulnerability in VisualAge for Java 3.5 ...) - TODO: check + NOTE: not-for-us (VisualAge for Java) CAN-2001-1440 (Unknown vulnerability in login for AIX 5.1L, when using loadable ...) - TODO: check + NOTE: not-for-us (AIX) CAN-2001-1439 (Buffer overflow in the text editor functionality in HP-UX 10.01 ...) - TODO: check + NOTE: not-for-us (HP-UX) CAN-2001-1438 (Handspring Visor 1.0 and 1.0.1 with the VisorPhone Springboard module ...) - TODO: check + NOTE: not-for-us (Handspring Visor) CAN-2001-1437 (easyScripts easyNews 1.5 allows remote attackers to obtain the full ...) - TODO: check + NOTE: not-for-us (easyScripts easyNews) CAN-2001-1436 (Dallas Semiconductor iButton DS1991 returns predictable values when ...) - TODO: check + NOTE: not-for-us (Dallas Semiconductor iButton DS1991) CAN-2001-1435 (inetd in Compaq Tru64 UNIX 5.1 allows attackers to cause a denial of ...) - TODO: check + NOTE: not-for-us (Tru64 UNIX) CAN-2001-1434 (Cisco IOS 12.0(5)XU through 12.1(2) allows remote attackers to read ...) - TODO: check + NOTE: not-for-us (IOS) CAN-2000-1223 (quikstore.cgi in Quikstore Shopping Cart allows remote attackers to ...) - TODO: check + NOTE: not-for-us (Quikstore Shopping Cart) CAN-2000-1222 (AIX sysback before 4.2.1.13 uses a relative path to find and execute ...) - TODO: check + NOTE: not-for-us (AIX) CAN-2000-1221 (The line printer daemon (lpd) in the lpr package in multiple Linux ...) TODO: check CAN-2000-1220 (The line printer daemon (lpd) in the lpr package in multiple Linux ...) TODO: check CAN-2000-1219 (The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not ...) - TODO: check + - gcc-3.3 3.3.4-1 CAN-2000-1218 (The default configuration for the domain name resolver for Microsoft ...) - TODO: check + NOTE: not-for-us (Windows) CAN-2000-1217 (Microsoft Windows 2000 before Service Pack 2 (SP2), when running in a ...) - TODO: check + NOTE: not-for-us (Windows) CAN-2000-1216 (Buffer overflow in portmir for AIX 4.3.0 allows local users to corrupt ...) - TODO: check + NOTE: not-for-us (AIX) CAN-2000-1215 (The default configuration of Lotus Domino server 5.0.8 includes system ...) - TODO: check + NOTE: not-for-us (Lotus Domino) CAN-1999-1583 (Buffer overflow in nslookup for AIX 4.3 allows local users to execute ...) - TODO: check + NOTE: not-for-us (AIX) CAN-1999-1582 (By design, the "established" command on the Cisco PIX firewall allows ...) - TODO: check + NOTE: not-for-us (Cisco PIX) CAN-1999-1581 (Memory leak in Simple Network Management Protocol (SNMP) agent ...) - TODO: check + NOTE: not-for-us (Windows) CAN-1999-1580 (SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding ...) - TODO: check + NOTE: not-for-us (Sun''s sendmail) CAN-1999-1579 (The Cenroll ActiveX control (xenroll.dll) for Terminal Server Editions ...) - TODO: check + NOTE: not-for-us (Windows) CAN-1999-1578 (Buffer overflow in Registration Wizard ActiveX control (regwizc.dll, ...) - TODO: check + NOTE: not-for-us (Windows) CAN-1999-1577 (Buffer overflow in HHOpen ActiveX control (hhopen.ocx) 1.0.0.1 for ...) - TODO: check + NOTE: not-for-us (Windows) CAN-1999-1576 (Buffer overflow in Adobe Acrobat ActiveX control (pdf.ocx, ...) - TODO: check + NOTE: not-for-us (Acrobat Reader) CAN-1999-1575 (The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation ...) - TODO: check + NOTE: not-for-us (Kodak/Wang tools for IE) CAN-1999-1574 (Buffer overflow in the lex routines of nslookup for AIX 4.3 may allow ...) - TODO: check + NOTE: not-for-us (AIX) CAN-1999-1573 (Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) ...) - TODO: check -end claimed by jmm + NOTE: not-for-us (HP-UX) CAN-2005-XXXX [Minor directory traversal bugs in cpio and gzip] - gzip (unfixed; bug #305255) - cpio (unfixed) -CAN-2005-XXXX [Multiple security issues in egroupware] - - egroupware 1.0.0.007-2.dfsg-1 CAN-2005-1191 (The Web View DLL (webvw.dll), as used in Windows Explorer on Windows ...) NOTE: not-for-us (Windows) CAN-2005-1190 (WebcamXP PRO v2.16.468 and earlier allows remote attackers to cause a ...) @@ -202,8 +203,6 @@ NOTE: reserved CAN-2004-1774 (Buffer overflow in the SDO_CODE_SIZE peocedure of the MD2 package ...) NOTE: not-for-us (Oracle) -CAN-2005-XXXX [Heap overflow in xine-lib''s RTSP streaming code] - - xine-lib (unfixed; bug #305343) CAN-2005-1173 (Buffer overflow in PMSoftware Simple Web Server 1.0 allows remote ...) NOTE: not-for-us (PMSoftware Simple Web Server) CAN-2005-1172 (Cross-site scripting (XSS) vulnerability in init.inc.php in Coppermine ...)