Author: fw
Date: 2005-10-09 16:53:38 +0000 (Sun, 09 Oct 2005)
New Revision: 2373
Modified:
data/CAN/list
Log:
Add a couple of fixed versions, based on old DSAs and bug logs.
Modified: data/CAN/list
==================================================================---
data/CAN/list 2005-10-09 15:12:03 UTC (rev 2372)
+++ data/CAN/list 2005-10-09 16:53:38 UTC (rev 2373)
@@ -10437,7 +10437,8 @@
NOTE: cyrus-sasl code seems too old for any of the problems to apply
CAN-2005-0372 (Directory traversal vulnerability in gftp 2.0.18 and earlier for
GTK+ ...)
{DSA-686-1}
- TODO: check
+ - gftp 2.0.18-1
+ NOTE: CVE entry claims that 2.0.18 is vulnerable, but this is wrong.
CAN-2005-0371 (Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0
and ...)
- armagetron <unfixed> (bug #296840; low)
CAN-2005-0370 (Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0
and ...)
@@ -11021,7 +11022,7 @@
REJECTED
CAN-2005-0227 (PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local
users ...)
{DSA-668-1}
- TODO: check
+ - postgresql 7.4.7-1
CAN-2005-0226 (Format string vulnerability in the Log_Resolver function in
log.c for ...)
NOT-FOR-US: ngIRCd
CAN-2005-0225 (firehol.sh in FireHOL before 1.224 creates temporary files with
...)
@@ -11052,7 +11053,7 @@
NOT-FOR-US: The Amp II engine as used by Gore: Ultimate Soldier
CAN-2005-0211 (Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows
...)
{DSA-667-1}
- TODO: check
+ - squid 2.5.7-6
CAN-2005-0210 (Netfilter in the Linux kernel 2.6.8.1 allows local users to
cause a ...)
NOTE: fixed in ubuntu kernels
NOTE: 2.6.11 is not affected, apparantly 2.6.10 is no longer relevant
@@ -11100,7 +11101,7 @@
NOT-FOR-US: Cisco
CAN-2005-0194 (Squid 2.5, when processing the configuration file, parses empty
Access ...)
{DSA-667-1}
- TODO: check
+ - squid 2.5.7-7
CAN-2005-0193 (Buffer overflow in the (1) -v and (2) -a switches in mRouter in
iSync ...)
NOT-FOR-US: mRouter in iSync in OS X
CAN-2005-0192 (Directory traversal vulnerability in the parsing of Skin file
names in ...)
@@ -11183,12 +11184,12 @@
- uw-imap 7:2002edebian1-6
CAN-2005-0175 (Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison
the ...)
{DSA-667-1}
- TODO: check
+ - squid 2.5.7-6
CAN-2005-0174 (Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison
the ...)
- squid 2.5.7-6
CAN-2005-0173 (squid_ldap_auth in Squid 2.5 and earlier allows remote
authenticated ...)
{DSA-667-1}
- TODO: check
+ - squid 2.5.7-4
CAN-2005-0172
RESERVED
CAN-2005-0171
@@ -11218,10 +11219,10 @@
- unace 1.2b-3
CAN-2005-0159 (The tpkg-* scripts in the toolchain-source 3.0.4 package on
Debian ...)
{DSA-679-1}
- TODO: check
+ - toolchain-source 3.4-5
CAN-2005-0158 (Format string vulnerability in bidwatcher before 1.3.17 allows
remote ...)
{DSA-687-1}
- TODO: check
+ - bidwatcher 1.3.17-1
CAN-2005-0157 (The confirm add-on in SmartList 3.15 and earlier allows
attackers to ...)
{DSA-720-1}
- smartlist 3.15-18
@@ -11348,12 +11349,12 @@
- libpam-radius-auth 1.3.16-3
CAN-2005-0107 (bsmtpd 2.3 and earlier does not properly sanitize e-mail
addresses, ...)
{DSA-690-1}
- TODO: check
+ - bsmtpd 2.3pl8b-16
CAN-2005-0106 (SSLeay.pm in libnet-ssleay-perl before 1.25 uses the
/tmp/entropy file ...)
- libnet-ssleay-perl 1.25-1.1
CAN-2005-0105 (Unknown vulnerability in typespeed 0.4.1 and earlier allows
local ...)
{DSA-684-1}
- TODO: check
+ - typespeed 0.4.4-8
CAN-2005-0104 (Cross-site scripting (XSS) vulnerability in webmail.php in ...)
{DSA-662-1}
TODO: check
@@ -11370,10 +11371,10 @@
- xemacs21 21.4.16-2
CAN-2005-0099 (The SDL port of abuse (abuse-SDL) before 2.00 does not properly
drop ...)
{DSA-691-1}
- TODO: check
+ NOTE: abuse is only in woody.
CAN-2005-0098 (Multiple buffer overflows in the SDL port of abuse (abuse-SDL)
before ...)
{DSA-691-1}
- TODO: check
+ NOTE: abuse is only in woody.
CAN-2005-0097 (The NTLM component in Squid 2.5.STABLE7 and earlier allows
remote ...)
- squid 2.5.7-4
CAN-2005-0096 (Memory leak in the NTLM fakeauth_auth helper for Squid
2.5.STABLE7 and ...)
@@ -11398,6 +11399,7 @@
CAN-2005-0088 (The publisher handler for mod_python 2.7.8 and earlier allows
remote ...)
{DSA-689-1}
- libapache2-mod-python 3.1.3-3
+ - libapache-mod-python 2:2.7.10-4
CAN-2005-0087 (The alsa-lib package in Red Hat Linux 4 disables stack
protection for ...)
NOTE: debian does not have stack protection, but it''s fixed anyway
since 1.0.9
- alsa-lib 1.0.9-1
@@ -11440,15 +11442,15 @@
TODO: check
CAN-2005-0076 (Multiple buffer overflows in the XView library 3.2 may allow
local ...)
{DSA-672-1}
- TODO: check
+ - xview 3.2p1.4-19
CAN-2005-0075 (prefs.php in SquirrelMail before 1.4.4, with register_globals
enabled, ...)
- squirrelmail 2:1.4.4-1
CAN-2005-0074 (Buffer overflow in pcdsvgaview in xpcd 2.08 allows local users
to ...)
{DSA-676-1}
- TODO: check
+ - xpcd 2.08-11.1
CAN-2005-0073 (Buffer overflow in queue.c in a support script for sympa 3.3.3,
when ...)
{DSA-677-1}
- TODO: check
+ - sympa 4.1.2-2.1
CAN-2005-0072 (zhcon before 0.2 does not drop privileges before reading a user
...)
{DSA-655-1}
TODO: check
@@ -11651,7 +11653,7 @@
TODO: check
CAN-2005-0019 (Unknown vulnerability in hztty 2.0 and earlier allows local
users to ...)
{DSA-675-1}
- TODO: check
+ - hztty 2.0-6.1
CAN-2005-0018 (The f2 shell script in the f2c package 3.1 allows local users to
read ...)
{DSA-661-2}
- f2c 20020621-3.4 (bug #292792)
@@ -12067,7 +12069,7 @@
NOTE: htmlheadline not in unstable
CAN-2004-1180 (Unknown vulnerability in the rwho daemon (rwhod) before 0.17, on
...)
{DSA-678-1}
- TODO: check
+ - netkit-rwho 0.17-8
CAN-2004-1179 (The debstd script in debmake 3.6.x before 3.6.10 and 3.7.x
before ...)
{DSA-615-1}
CAN-2004-1178
@@ -13444,8 +13446,11 @@
NOTE: Fixed in upstream ( <= 2.6.7)
CAN-2004-0595 (The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to
...)
{DSA-669-1 DSA-531}
+ - php3 3:3.0.18-27
CAN-2004-0594 (The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x
up to ...)
{DSA-669-1 DSA-531}
+ NOTE: DSA claims PHP3 is vulnerable, but this is not mentioned
+ NOTE: in the changelog.
CAN-2004-0593 (Sygate Enforcer 3.5MR1 and earlier passes broadcast traffic
before ...)
NOT-FOR-US: Sygate Enforcer
CAN-2004-0592