Author: jmm-guest Date: 2005-08-10 09:53:51 +0000 (Wed, 10 Aug 2005) New Revision: 1551 Modified: data/CAN/list Log: new kernel issues tar not an issue pstotext CANified lots of nfus Modified: data/CAN/list ==================================================================--- data/CAN/list 2005-08-10 09:31:18 UTC (rev 1550) +++ data/CAN/list 2005-08-10 09:53:51 UTC (rev 1551) @@ -1,28 +1,28 @@ -begin claimed by jmm CAN-2005-2546 (Arab Portal 2.0 allows remote attackers to obtain sensitive ...) - TODO: check + NOTE: not-for-us (Arab Portal) CAN-2005-2545 (Multiple cross-site scripting (XSS) vulnerabilities in PHPOpenChat ...) - TODO: check + NOTE: not-for-us (PHPOpenChat) CAN-2005-2544 (PHP remote file inclusion vulnerability in config.php in Comdev ...) - TODO: check + NOTE: not-for-us (Comdev eCommerce) CAN-2005-2543 (Directory traversal vulnerability in wce.download.php in Comdev ...) - TODO: check + NOTE: not-for-us (Comdev eCommerce) CAN-2005-2542 (Invision Power Board (IPB) 1.0.3 allows remote attackers to inject ...) - TODO: check + NOTE: not-for-us (Invision Power Board) CAN-2005-2541 (Tar 1.15.1 does not properly warn the user when extracting setuid or ...) - TODO: check + NOTE: This is intended behaviour, after all tar is an archiving tool and you + NOTE: need to give -p as a command line flag CAN-2005-2540 (CRLF injection vulnerability in FlatNuke 2.5.5 and possibly earlier ...) - TODO: check + NOTE: not-for-us (FlatNuke) CAN-2005-2539 (Multiple cross-site scripting (XSS) vulnerabilities in FlatNuke 2.5.5 ...) - TODO: check + NOTE: not-for-us (FlatNuke) CAN-2005-2538 (FlatNuke 2.5.5 and possibly earlier versions allows remote attackers ...) - TODO: check + NOTE: not-for-us (FlatNuke) CAN-2005-2537 (FlatNuke 2.5.5 and possibly earlier versions allows remote attackers ...) - TODO: check + NOTE: not-for-us (FlatNuke) CAN-2005-2536 (pstotext before 1.8g does not properly use the "-dSAFER" option when ...) - TODO: check + - pstotext 1.9-2 (medium) CAN-2005-2535 (Buffer overflow in the Discovery Service in BrightStor ARCserve Backup ...) - TODO: check + NOTE: not-for-us (ARCserve Backup) CAN-2005-2534 NOTE: reserved CAN-2005-2533 @@ -92,7 +92,7 @@ CAN-2005-2501 NOTE: reserved CAN-2005-2500 (Buffer overflow in the xdr_xcode_array2 function in xdr.c in Linux ...) - TODO: check + TODO: Might be affected, pinged Horms, wait for reply CAN-2005-2499 NOTE: reserved CAN-2005-2498 @@ -114,8 +114,8 @@ CAN-2005-2490 NOTE: reserved CAN-2004-2302 (Race condition in the sysfs_read_file and sysfs_write_file functions ...) - TODO: check -end claimed by jmm + - kernel-source-2.6.8 (unfixed; bug filed; medium) + NOTE: Already fixed in 2.6.12, AFAIK 2.4 doesn''t use sysfs CAN-2005-XXXX [Buffer overflow in Description parsing] - bidwatcher (unfixed; bug #319489; high) CAN-2005-XXXX [Does not do escaping in mysql version - both a worrying flaw and stops adduser working] @@ -468,8 +468,6 @@ - rsync 2.6.6-1 (low) CAN-2005-XXXX [Unspecified XSS in hiki] - hiki 0.8.2-1 -CAN-2005-XXXX [pstotext allows malicious post script code] - - pstotext 1.9-2 (medium) CAN-2005-2404 (SQL injection vulnerability in sendcard.php in Sendcard 3.2.3 allows ...) NOTE: not-for-us (Sendcard) CAN-2005-2403 (The login protocol in RealChat 3.5.1b does not use authentication, ...)