Author: fw
Date: 2005-10-23 13:27:20 +0000 (Sun, 23 Oct 2005)
New Revision: 2535
Modified:
data/CVE/list
data/DSA/list
Log:
Reprocess some of the January 2005 DSAs (remaining DSAs will follow)
Modified: data/CVE/list
==================================================================---
data/CVE/list 2005-10-23 12:44:36 UTC (rev 2534)
+++ data/CVE/list 2005-10-23 13:27:20 UTC (rev 2535)
@@ -11670,13 +11670,13 @@
- mailman 2.1.5-5
CVE-2005-0079 (Buffer overflow in xtrlock 2.0 allows local users to cause a
denial of ...)
{DSA-649-1}
- TODO: check
+ - xtrlock 2.0-9
CVE-2005-0078 (The KDE screen saver in KDE before 3.0.5 does not properly check
the ...)
{DSA-660-1}
- TODO: check
+ - kdebase 4:3.0.5
CVE-2005-0077 (The DBI library (libdbi-perl) for Perl allows local users to
overwrite ...)
{DSA-658-1}
- TODO: check
+ - libdbi-perl 1.46-6
CVE-2005-0076 (Multiple buffer overflows in the XView library 3.2 may allow
local ...)
{DSA-672-1}
- xview 3.2p1.4-19
@@ -11690,13 +11690,13 @@
- sympa 4.1.2-2.1
CVE-2005-0072 (zhcon before 0.2 does not drop privileges before reading a user
...)
{DSA-655-1}
- TODO: check
+ - zhcon 1:0.2.3-8.1 (bug #292210)
CVE-2005-0071 (vdr before 1.2.6 does not securely create files, which allows
...)
{DSA-656-1}
- TODO: check
+ - vdr 1.2.6-6
CVE-2005-0070 (Synaesthesia 2.1 and earlier, and possibly other versions, when
...)
{DSA-681-1}
- TODO: check
+ NOTE: does not apply for sarge, program is not setuid anymore
CVE-2005-0069 (The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow
local ...)
- vim 1:6.3-058+1
CVE-2005-0068 (The original design of ICMP does not require authentication for
...)
@@ -11887,7 +11887,7 @@
TODO: check
CVE-2005-0020 (Buffer overflow in playmidi before 2.4 allows local users to
execute ...)
{DSA-641-1}
- TODO: check
+ - playmidi 2.4debian-3
CVE-2005-0019 (Unknown vulnerability in hztty 2.0 and earlier allows local
users to ...)
{DSA-675-1}
- hztty 2.0-6.1
@@ -11899,10 +11899,10 @@
- f2c 20020621-3.4 (bug #292792)
CVE-2005-0016 (Buffer overflow in the exported_display function in xatitv in
gatos ...)
{DSA-640-1}
- TODO: check
+ - gatos 0.0.5-15
CVE-2005-0015 (diatheke.pl in Sword 1.5.7a allows remote attackers to execute
...)
{DSA-650-1}
- TODO: check
+ - sword 1.5.7-7 (bug #291433)
CVE-2005-0014 (Buffer overflow in ncplogin in ncpfs before 2.2.6 allows remote
...)
- ncpfs 2.2.6-1
CVE-2005-0013 (nwclient.c in ncpfs before 2.2.6 does not drop root privileges
before ...)
@@ -12288,13 +12288,13 @@
- xine-lib 1-rc8-1
CVE-2004-1186 (Multiple buffer overflows in enscript 1.6.3 allow remote
attackers or ...)
{DSA-654-1}
- TODO: check
+ - enscript 1.6.4-6
CVE-2004-1185 (Enscript 1.6.3 does not sanitize filenames, which allows remote
...)
{DSA-654-1}
- TODO: check
+ - enscript 1.6.4-6
CVE-2004-1184 (The EPSF pipe support in enscript 1.6.3 allows remote attackers
or ...)
{DSA-654-1}
- TODO: check
+ - enscript 1.6.4-6
CVE-2004-1183 (Integer overflow in the tiffdump utility for libtiff 3.7.1 and
earlier ...)
{DSA-626-1}
- libtiff-tools 3.6.1-5
@@ -12317,13 +12317,19 @@
- mailman 2.1.5-5
CVE-2004-1176 (Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55
and ...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1175 (fish.c in midnight commander allows remote attackers execute
arbitrary ...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1174 (direntry.c in Midnight Commander (mc) 4.5.55 and earlier allows
...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1173 (Internet Explorer 6 allows remote attackers to bypass the popup
...)
NOT-FOR-US: MSIE
CVE-2004-1172 (Stack-based buffer overflow in the Agent Browser in Veritas
Backup ...)
@@ -12505,16 +12511,24 @@
NOT-FOR-US: RealPlayer
CVE-2004-1093 (Midnight commander (mc) 4.5.55 and earlier allows remote
attackers to ...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1092 (Midnight commander (mc) 4.5.55 and earlier allows remote
attackers to ...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1091 (Midnight commander (mc) 4.5.55 and earlier allows remote
attackers to ...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1090 (Midnight commander (mc) 4.5.55 and earlier allows remote
attackers to ...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1089 (Unknown vulnerability in Apple Mac OS X 10.3.6 server, when
using ...)
NOT-FOR-US: Apple MacOS
CVE-2004-1088 (Postfix server for Apple Mac OS X 10.3.6, when using CRAM-MD5,
allows ...)
@@ -12716,7 +12730,9 @@
- zip 2.30-8
CVE-2004-1009 (Midnight commander (mc) 4.5.55 and earlier allows remote
attackers to ...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1008 (Integer signedness error in the ssh2_rdpkt function in PuTTY
before ...)
- putty 0.56-1
CVE-2004-1007 (The quoted-printable decoder in bogofilter 0.17.4 to 0.92.7
allows ...)
@@ -12726,10 +12742,14 @@
- dhcp 2.0pl5-19.1
CVE-2004-1005 (Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and
...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1004 (Multiple format string vulnerabilities in Midnight Commander
(mc) ...)
{DSA-639-1}
- TODO: check
+ NOTE: unstable not vulnerable according to DSA
+ NOTE: DSA was wrong..
+ - mc 1:4.6.0-4.6.1-pre3-1
CVE-2004-1003 (Trend ScanMail allows remote attackers to obtain potentially
sensitive ...)
NOT-FOR-US: Trend ScanMail
CVE-2004-1002 (Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote
...)
@@ -13786,7 +13806,7 @@
RESERVED
CVE-2004-0555 (Buffer overflow in (1) queue.c and (2) queued.c in queue before
1.30.1 ...)
{DSA-643-1}
- TODO: check
+ - queue 1.30.1-5
CVE-2004-0554 (Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause
a ...)
NOTE: this was a big deal and is fixed in all current kernels
CVE-2004-0553
Modified: data/DSA/list
==================================================================---
data/DSA/list 2005-10-23 12:44:36 UTC (rev 2534)
+++ data/DSA/list 2005-10-23 13:27:20 UTC (rev 2535)
@@ -946,94 +946,95 @@
NOTE: not fixed in testing at time of DSA
[26 Jan 2005] DSA-660-1 kdebase - missing return value check
{CVE-2005-0078}
- - kdebase 4:3.0.5
+ [woody] - kdebase 4:2.2.2-14.9
NOTE: fixed in testing at time of DSA
[26 Jan 2005] DSA-659-1 libpam-radius-auth - information leak, integer
underflow
{CVE-2004-1340 CVE-2005-0108}
- - libpam-radius-auth 1.3.16-3
+ [woody] - libpam-radius-auth 1.3.14-1.3
NOTE: 1/2 fixed in testing at time of DSA
[25 Jan 2005] DSA-658-1 libdbi-perl - insecure temporary file
{CVE-2005-0077}
- - libdbi-perl 1.46-6
+ [woody] - libdbi-perl 1.21-2woody2
NOTE: not fixed in testing at time of DSA
[25 Jan 2005] DSA-657-1 xine-lib - buffer overflow
{CVE-2004-1379}
- - xine-lib 1-rc6a-1
+ [woody] - xine-lib 0.9.8-2woody2
NOTE: fixed in testing at time of DSA
[25 Jan 2005] DSA-656-1 vdr - insecure file access
{CVE-2005-0071}
- - vdr 1.2.6-6
+ [woody] - vdr 1.0.0-1woody2
NOTE: not fixed in testing at time of DSA
[25 Jan 2005] DSA-655-1 zhcon - missing privilege release
{CVE-2005-0072}
- - zhcon 1:0.2.3-8.1 (bug #292210)
+ [woody] - zhcon 1:0.2-4woody3
NOTE: not fixed in testing at time of DSA
[21 Jan 2005] DSA-654-1 enscript - several
{CVE-2004-1184 CVE-2004-1185 CVE-2004-1186}
- - enscript 1.6.4-6
+ [woody] - enscript 1.6.3-1.3
NOTE: not fixed in testing at time of DSA
[21 Jan 2005] DSA-653-1 ethereal - buffer overflow
{CVE-2005-0084}
- - ethereal 0.10.9-1
+ [woody] - ethereal 0.9.4-1woody11
NOTE: not fixed in testing at time of DSA
[21 Jan 2005] DSA-652-1 unarj
{CVE-2004-0947 CVE-2004-1027}
- NOTE: not-for-us (unarj)
+ [woody] - unarj 2.43-3woody1
+ NOTE: package was in non-free, different code base
[20 Jan 2005] DSA-651-1 squid - buffer overflow, integer overflow
{CVE-2005-0094 CVE-2005-0095}
- - squid 2.5.7-4
+ [woody] - squid 2.4.6-2woody5
NOTE: not fixed in testing at time of DSA
[20 Jan 2005] DSA-650-1 sword - missing input sanitising
{CVE-2005-0015}
- - sword 1.5.7-7
+ [woody] - sword 1.5.3-3woody2
NOTE: not fixed in testing at time of DSA
[20 Jan 2005] DSA-649-1 xtrlock - buffer overflow
{CVE-2005-0079}
- - xtrlock 2.0-9
+ [woody] - xtrlock 2.0-6woody2
NOTE: fixed in testing at time of DSA
[19 Jan 2005] DSA-648-1 xpdf - buffer overflow
{CVE-2005-0064}
- - xpdf 3.00-12
+ [woody] - xpdf 1.00-3.4
NOTE: not fixed in testing at time of DSA
[19 Jan 2005] DSA-647-1 mysql - insecure temporary files
{CVE-2005-0004}
- - mysql-dfsg 4.0.23-3
- - mysql-dfsg-4.1 4.1.8a-6
+ [woody] - mysql 3.23.49-8.9
NOTE: not fixed in testing at time of DSA
[19 Jan 2005] DSA-646-1 imagemagick - buffer overflow
{CVE-2005-0005}
- - imagemagick 6:6.0.6.2-2
+ [woody] - imagemagick 4:5.4.4.5-1woody5
NOTE: not fixed in testing at time of DSA
[19 Jan 2005] DSA-645-1 cupsys - buffer overflow
{CVE-2005-0064}
NOTE: cupsys not affected in sarge, though other programs are vulnerable
NOTE: see CVE/list
+ [woody] - cupsys 1.1.14-5woody12
NOTE: not fixed in testing at time of DSA
[18 Jan 2005] DSA-644-1 chbg - buffer overflow
{CVE-2004-1264}
- - chbg 1.5-4
+ [woody] - chbg 1.5-1woody1
NOTE: fixed in testing at time of DSA
[18 Jan 2005] DSA-643-1 queue - buffer overflows
{CVE-2004-0555}
- - queue 1.30.1-5
+ [woody] - queue 1.30.1-4woody2
NOTE: not fixed in testing at time of DSA
[17 Jan 2005] DSA-642-1 gallery - several
{CVE-2004-1106}
- - gallery 1.4.4-pl4-1
+ [woody] - gallery 1.2.5-8woody3
NOTE: fixed in testing at time of DSA
[17 Jan 2005] DSA-641-1 playmidi - buffer overflow
{CVE-2005-0020}
- - playmidi 2.4debian-3
+ [woody] - playmidi 2.4-4woody1
NOTE: not fixed in testing at time of DSA
[17 Jan 2005] DSA-640-1 gatos - buffer overflow
{CVE-2005-0016}
- - gatos 0.0.5-15
+ [woody] - gatos 0.0.5-6woody3
NOTE: not fixed in testing at time of DSA
[14 Jan 2005] DSA-639-1 mc - several
{CVE-2004-1004 CVE-2004-1005 CVE-2004-1009 CVE-2004-1090 CVE-2004-1091
CVE-2004-1092 CVE-2004-1093 CVE-2004-1174 CVE-2004-1175 CVE-2004-1176}
NOTE: unstable not vulnerable according to DSA
NOTE: DSA was wrong..
- - mc 1:4.6.0-4.6.1-pre3-1
+ [woody] - mc 4.5.55-1.2woody5
NOTE: not fixed in testing at time of DSA
[13 Jan 2005] DSA-638-1 gopher - several
{CVE-2004-0560 CVE-2004-0561}