Author: jmm-guest Date: 2005-04-18 12:02:45 +0000 (Mon, 18 Apr 2005) New Revision: 844 Modified: sarge-checks/CAN/list Log: egroupware, gcor and libsafe CANified. New vulns: oops, ilohamail and sudo Several not-for-us (not complete yet) Modified: sarge-checks/CAN/list ==================================================================--- sarge-checks/CAN/list 2005-04-18 11:45:34 UTC (rev 843) +++ sarge-checks/CAN/list 2005-04-18 12:02:45 UTC (rev 844) @@ -1,6 +1,6 @@ begin claimed by jmm CAN-2005-1150 (Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and ...) - TODO: check + NOTE: not-for-us (Sun Java) CAN-2005-1149 (SQL injection vulnerability in admin/login.asp in aspclick.it ACNews ...) TODO: check CAN-2005-1148 (calendar.pl in CalendarScript 3.21 allows remote attackers to obtain ...) @@ -16,59 +16,61 @@ CAN-2005-1143 (Cross-site scripting (XSS) vulnerability in index.php in ...) TODO: check CAN-2005-1142 (Heap-based buffer overflow in the readpgm function in pnm.c for GOCR ...) - TODO: check + - gocr (unfixed; bug #305068) CAN-2005-1141 (Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when ...) - TODO: check + - gocr (unfixed; bug #305068) CAN-2005-1140 (Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows ...) - TODO: check + NOTE: not-for-us (MyBloggie) CAN-2005-1139 (Opera 8 Beta 3, when using first-generation vetted digital ...) TODO: check CAN-2005-1138 (Unknown vulnerability in WebMail in Kerio MailServer before 6.0.9 ...) - TODO: check + NOTE: not-for-us (Kerio) CAN-2005-1137 (Simple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to obtain ...) - TODO: check + NOTE: not-for-us (sphpBlog) CAN-2005-1136 (Simple PHP Blog (sphpBlog) 0.4.0 stores the (1) password.txt and (2) ...) - TODO: check + NOTE: not-for-us (sphpBlog) CAN-2005-1135 (Cross-site scripting (XSS) vulnerability in search.php for Simple PHP ...) TODO: check CAN-2005-1134 (SQL injection vulnerability in exit.php for Serendipity 0.8 and ...) TODO: check CAN-2005-1133 (The POP3 server in IBM iSeries AS/400 returns different error messages ...) - TODO: check + NOTE: not-for-us (AS/400 system software) CAN-2005-1132 (LG U8120 modile phone allows remote attackers to cause a denial of ...) - TODO: check + NOTE: not-for-us (LG mobile phone) CAN-2005-1131 (Unknown vulnerability in Veritas i3 Focalpoint Server 7.1 and earlier ...) - TODO: check + NOTE: not-for-us (Veritas Focalpoint Server) CAN-2005-1130 (Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart ...) - TODO: check + NOTE: not-for-us (PinnacleCart) CAN-2005-1129 (eGroupWare 1.0.6 and earlier, when an e-mail is composed with an ...) - TODO: check + - egroupware (unfixed; bug #304496) CAN-2005-1128 (Multiple SQL injection vulnerabilities in VHCS 2.4 and earlier allow ...) TODO: check CAN-2005-1127 (Format string vulnerability in the log function in Net::Server 0.87 ...) - TODO: check + NOTE: not-for-us (Free BSD) CAN-2005-1126 (The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 ...) TODO: check CAN-2005-1125 (Race condition in libsafe 2.0.16 and earlier, when running in ...) - TODO: check + - libsafe (unfixed; bug #305070) CAN-2005-1124 (Unknown vulnerability in the libgss Generic Security Services Library ...) TODO: check CAN-2005-1123 (Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause ...) - TODO: check + NOTE: not-for-us (monkeyd) CAN-2005-1122 (Format string vulnerability in cgi.c for Monkey daemon (monkeyd) ...) - TODO: check + NOTE: not-for-us (monkeyd) CAN-2005-1121 (Format string vulnerability in Oops! Proxy Server 1.5.53 and earlier ...) - TODO: check + - oops (unfixed) CAN-2005-1120 (Multiple cross-site scripting (XSS) vulnerabilities in IlohaMail ...) - TODO: check + TODO: file bug + - ilohamail (unfixed) CAN-2005-1119 (Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary ...) - TODO: check + TODO: Somehow related bug 283161, but file a proper one + - sudo (unfixed) CAN-2005-1118 (Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in the ...) - TODO: check + NOTE: not-for-us (RSA authentication agent) CAN-2005-1117 (PHP remote code injection vulnerability in index.php in ...) - TODO: check + NOTE: not-for-us (All4WWW Homepage creator) CAN-2005-1116 (Cross-site scripting (XSS) vulnerability in the Calendar module for ...) - TODO: check + TODO: check whether this is part of standard phpbb or an addon end claimed by jmm CAN-2005-1115 (Multiple cross-site scripting (XSS) vulnerabilities in Photo Album ...) TODO: check @@ -92,10 +94,7 @@ NOTE: Mozilla suite is not affected by all of these issues - mozilla-firefox 1.0.3-1 - mozilla (unfixed) -CAN-2005-XXXX [Integer and heap overflow in PNM processing of gocr] - - gocr (unfixed; bug #305068) CAN-2005-XXXX [libsafe security check bypass in multi threaded environments] - - libsafe (unfixed; bug #305070) CAN-2005-XXXX [Remote DoS vulnerabilities in postgrey] - postgrey 1.21-1 CAN-2005-1106 (PictureViewer in QuickTime for Windows 6.5.2 allows remote attackers ...) @@ -282,8 +281,6 @@ NOTE: not-for-us (Aeon) CAN-2005-1018 (Buffer overflow in the UniversalAgent for Computer Associates (CA) ...) NOTE: not-for-us (CA ArcServe Backup) -CAN-2005-XXXX [eGroupware: Inproper handling of canceled emails may disclose personal information] - - egroupware (unfixed; bug #304496) CAN-2005-XXXX [Some security issues in mod_security] NOTE: I don''t understand mod_security fully, so I''m not entirely sure which of NOTE: the changelog entries matches the security criteria, but the changelog