Author: jmm-guest Date: 2005-09-29 09:34:29 +0000 (Thu, 29 Sep 2005) New Revision: 2220 Modified: data/CAN/list Log: qpopper CANified, new mantis issues, nfus Modified: data/CAN/list ==================================================================--- data/CAN/list 2005-09-29 09:18:04 UTC (rev 2219) +++ data/CAN/list 2005-09-29 09:34:29 UTC (rev 2220) 
@@ -1,39 +1,38 @@ -begin claimed by jmm CAN-2005-3104 (mt-comments.cgi in Movable Type before 3.2 allows attackers to ...) - TODO: check + NOT-FOR-US: Movable Type CAN-2005-3103 (Cross-site scripting (XSS) vulnerability in Movable Type before 3.2 ...) - TODO: check + NOT-FOR-US: Movable Type CAN-2005-3102 (The administrative interface in Movable Type allows attackers to ...) - TODO: check + NOT-FOR-US: Movable Type CAN-2005-3101 (The password reset feature in Movable Type before 3.2 generates ...) - TODO: check + NOT-FOR-US: Movable Type CAN-2005-3100 (Unspecified "PPTP Remote DoS Vulnerability" in Astaro Security Linux ...) - TODO: check + NOT-FOR-US: Astato Security Linux CAN-2005-3099 (Unspecified vulnerability in the (1) Xsun and (2) Xprt commands in ...) - TODO: check + NOT-FOR-US: Solaris CAN-2005-3098 (poppassd in Qualcomm qpopper 4.0.8 allows local users to modify ...) - TODO: check + - qpopper <unfixed> (bug #330123; unimportant) + NOTE: Vulnerable code does not seem to be shipped in the binary package CAN-2005-3097 (Directory traversal vulnerability in Avi Alkalay contribute.cgi (aka ...) - TODO: check + NOT-FOR-US: Avi Alkalay CAN-2005-3096 (Avi Alkalay nslookup.cgi program, dated 16 June 2002, allows remote ...) - TODO: check + NOT-FOR-US: Avi Alkalay CAN-2005-3095 (Avi Alkalay notify program, dated 19 Aug 2001, allows remote attackers ...) - TODO: check + NOT-FOR-US: Avi Alkalay CAN-2005-3094 (Avi Alkalay man-cgi script allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Avi Alkalay CAN-2005-3093 (Nokia 7610 and 3210 phones allows attackers to cause a denial of ...) - TODO: check + NOT-FOR-US: Nokia cell phones CAN-2005-3092 (Heap-based buffer overflow in Image-Line Software FL Studio 5.0.1 ...) - TODO: check + NOT-FOR-US: Image-Line Software FL Studio CAN-2005-3091 (Cross-site scripting (XSS) vulnerability in Mantis before 1.0.0rc1 ...) 
- TODO: check + - mantis <unfixed> (bug filed; unknown) CAN-2005-3090 (Cross-site scripting (XSS) vulnerability in bug_actiongroup_page.php ...) - TODO: check + - mantis <unfixed> (bug filed; unknown) CAN-2005-3089 (Firefox 1.0.6 allows attackers to cause a denial of service (crash) ...) - TODO: check + TODO: file a bug, it''s not really clear, whether this has security implications CAN-2005-3088 - NOTE: reserved -end claimed by jmm + RESERVED CAN-2005-XXXX [backupninja insecure temp file] - backupninja 0.8-2 (medium) CAN-2005-XXXX [microcode.ctl downloads microcode w/o user confirmation] @@ -165,8 +164,6 @@ CAN-2005-XXXX [imview: Possible buffer overflow with FITS images] - imview <unfixed> (bug #326971; unknown) TODO: Needs further evaluation -CAN-2005-XXXX [Potential unspecified qpopper local root exploit] - - qpopper <unfixed> (bug #330123; medium) CAN-2005-XXXX [ Chroot escape in vserver kernel patch] - kernel-patch-vserver <unfixed> (bug #329087; medium) CAN-2005-XXXX [Local kernel DoS through incorrect boundary checks in cipher processors]
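Review bot: In the first hunk (@@ -1,39 +1,38 @@), the line added for CAN-2005-3100 reads "NOT-FOR-US: Astato Security Linux", while the entry's own description spells the product "Astaro Security Linux"; correct the name so that searching the list by product finds it. In the same hunk, the TODO added under CAN-2005-3089 carries a doubled apostrophe ("it''s"), and the two mantis lines say "(bug filed; unknown)" with no bug number, unlike the qpopper line's "bug #330123"; adding the number would keep those entries traceable.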
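Review bot: In the second hunk (@@ -165,8 +164,6 @@), the removed CAN-2005-XXXX qpopper entry rated bug #330123 as "medium", but the entry that replaces it under CAN-2005-3098 rates the same bug "unimportant", resting on a NOTE that only says the vulnerable code "does not seem to be shipped" in the binary package. The commit log mentions just "qpopper CANified", so the severity change is undocumented; confirm the binary package contents and state the downgrade in the log, or keep "medium" until that is verified.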