Author: jmm-guest Date: 2005-04-25 10:01:57 +0000 (Mon, 25 Apr 2005) New Revision: 906 Modified: sarge-checks/CAN/list Log: CANified cpio and gzip vulns. Lots of not-for-us. Modified: sarge-checks/CAN/list ==================================================================--- sarge-checks/CAN/list 2005-04-25 09:25:23 UTC (rev 905) +++ sarge-checks/CAN/list 2005-04-25 10:01:57 UTC (rev 906) 
@@ -1,56 +1,56 @@ -begin claimed by jmm CAN-2005-1245 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.2, ...) - TODO: check + NOTE: not-for-us (MediaWiki not yet in Debian) + TODO: track ITP: #217571 CAN-2005-1244 (Directory traversal vulnerability in the third party tool from NetIQ, ...) - TODO: check + NOTE: not-for-us (AS/400 FTP server addon) CAN-2005-1243 (Directory traversal vulnerability in the third party tool from ...) - TODO: check + NOTE: not-for-us (AS/400 FTP server addon) CAN-2005-1242 (Directory traversal vulnerability in the third party tool from Bsafe, ...) - TODO: check + NOTE: not-for-us (AS/400 FTP server addon) CAN-2005-1241 (Directory traversal vulnerability in the third party tool from ...) - TODO: check + NOTE: not-for-us (AS/400 FTP server addon) CAN-2005-1240 (Directory traversal vulnerability in the third party tool from ...) - TODO: check + NOTE: not-for-us (AS/400 FTP server addon) CAN-2005-1239 (Directory traversal vulnerability in the third party tool from ...) - TODO: check + NOTE: not-for-us (AS/400 FTP server addon) CAN-2005-1238 (By design, the built-in FTP server for iSeries AS/400 systems does not ...) - TODO: check + NOTE: not-for-us (AS/400 FTP server) CAN-2005-1237 (SQL injection vulnerability in news.php in FlexPHPNews 0.0.3 allows ...) - TODO: check + NOTE: not-for-us (FlexPHPNews) CAN-2005-1236 (Multiple SQL injection vulnerabilities in DUware DUportal 3.1.2 and ...) - TODO: check + NOTE: not-for-us (DUPortal) CAN-2005-1235 (auction_my_auctions.php in phpbb-Auction 1.2m and earlier allows ...) - TODO: check + NOTE: not-for-us (phpbb-Auction) CAN-2005-1234 (Multiple SQL injection vulnerabilities in phpbb-Auction allow remote ...) - TODO: check + NOTE: not-for-us (phpbb-Auction) CAN-2005-1233 (Cross-site scripting (XSS) vulnerability in index.php in PHP Labs ...) - TODO: check + NOTE: not-for-us (PHP Labs proFile) CAN-2005-1232 (Buffer overflow in Sun Java System Web Proxy Server (aka Sun ONE Proxy ...) 
- TODO: check + NOTE: not-for-us (Sun ONE Proxy Server) CAN-2005-1231 (Cross-site scripting (XSS) vulnerability in the NewTerm function in ...) - TODO: check + NOTE: not-for-us (JAWS) CAN-2005-1230 (Directory traversal vulnerability in Yawcam 0.2.5 allows remote ...) - TODO: check + NOTE: not-for-us (Yawcan) CAN-2005-1229 (Directory traversal vulnerability in cpio 2.6 and earlier allows ...) - TODO: check + - cpio (unfixed) CAN-2005-1228 (Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through ...) - TODO: check + - gzip (unfixed; bug #305255) CAN-2005-1227 (Cross-site scripting (XSS) vulnerability in PHProjekt 4.2 and earlier ...) - TODO: check + NOTE: not-for-us (PHPProjekt) CAN-2005-1226 (Coppermine Photo Gallery 1.3.2 stores passwords in plaintext, which ...) - TODO: check + NOTE: not-for-us (Coppermine Photo Gallery) CAN-2005-1225 (SQL injection vulnerability in Coppermine Photo Gallery 1.3.2 allows ...) - TODO: check + NOTE: not-for-us (Coppermine Photo Gallery) CAN-2005-1224 (Multiple SQL injection vulnerabilities in DUportal Pro 3.4 allow ...) - TODO: check + NOTE: not-for-us (DUPortal) CAN-2005-1223 (Multiple SQL injection vulnerabilities in Ocean12 Calendar manager ...) - TODO: check + NOTE: not-for-us (Ocean12 Calender manager) CAN-2005-1222 (cat_for_gen.php in Annuaire Netref 4.2 allows remote attackers to ...) - TODO: check + NOTE: not-for-us (Annuaire Netref) CAN-2005-1221 (SQL injection vulnerability in login.asp for Ecommerce-Carts EcommPro ...) - TODO: check + NOTE: not-for-us (ECommPro) CAN-2005-1220 (Shoutbox SCRIPT 3.0.2 and earlier allows remote attackers to obtain ...) - TODO: check + NOTE: not-for-us (Shoutbox) CAN-2005-1219 NOTE: reserved CAN-2005-1218 
@@ -83,7 +83,6 @@ NOTE: reserved CAN-2002-1657 (PostgreSQL uses the username for a salt when generating passwords, ...) TODO: check -end claimed by jmm CAN-2005-XXXX [libpam-ssh: Inproper caching of pwd data with potential security implications] - libpam-ssh 1.91.0-9 CAN-2005-1204 (Desktop Rover 3.0, and possibly earlier versions, allows remote ...) @@ -249,9 +248,6 @@ NOTE: not-for-us (AIX) CAN-1999-1573 (Multiple unknown vulnerabilities in the "r-cmnds" (1) remshd, (2) ...) NOTE: not-for-us (HP-UX) -CAN-2005-XXXX [Minor directory traversal bugs in cpio and gzip] - - gzip (unfixed; bug #305255) - - cpio (unfixed) CAN-2005-1191 (The Web View DLL (webvw.dll), as used in Windows Explorer on Windows ...) NOTE: not-for-us (Windows) CAN-2005-1190 (WebcamXP PRO v2.16.468 and earlier allows remote attackers to cause a ...)
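Review bot: in the first hunk (@@ -1,56 +1,56 @@) several of the new "NOTE: not-for-us (...)" annotations misspell the product named in the CAN description they sit under, which defeats grepping the list by product name later: CAN-2005-1230 gets "Yawcan" but the description says "Yawcam", CAN-2005-1227 gets "PHPProjekt" for "PHProjekt", CAN-2005-1223 gets "Calender manager" for "Calendar manager", and CAN-2005-1236/CAN-2005-1224 get "DUPortal" where the descriptions read "DUportal". Copy the spelling from the description text, e.g. "+ NOTE: not-for-us (Yawcam)". Separately, the two entries that are for us are tracked unevenly: "+ - gzip (unfixed; bug #305255)" carries a BTS reference while "+ - cpio (unfixed)" has none, so a bug number (or an explicit note that none has been filed yet) should be added to the cpio line so the state can be followed up.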
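Review bot: in the second hunk (@@ -83,7 +83,6 @@) dropping "-end claimed by jmm" is consistent with the "-begin claimed by jmm" removal in the first hunk, but the "CAN-2005-XXXX [libpam-ssh: Inproper caching of pwd data ...]" entry that immediately follows in context is still an unnumbered placeholder, and "CAN-2002-1657 ... TODO: check" just above it is still open, so closing the claim range here leaves those two without an owner; either keep the claim open until they are resolved or add a NOTE saying who is tracking them.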
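Review bot: in the third hunk (@@ -249,9 +248,6 @@) the removed placeholder "CAN-2005-XXXX [Minor directory traversal bugs in cpio and gzip]" carried the qualifier "Minor", and that assessment is lost: the replacement entries CAN-2005-1229 and CAN-2005-1228 in the first hunk consist only of "- cpio (unfixed)" and "- gzip (unfixed; bug #305255)" with no severity note. Carry it over as a NOTE line on both new entries (e.g. "NOTE: minor, directory traversal on extraction") so the triage outcome survives the CANification rather than having to be redone from the bug log.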