Author: jmm-guest Date: 2005-11-30 23:00:57 +0000 (Wed, 30 Nov 2005) New Revision: 2906 Modified: data/CVE/list Log: adapt lots of entries to our new CVE syntax Modified: data/CVE/list ==================================================================--- data/CVE/list 2005-11-30 22:00:34 UTC (rev 2905) +++ data/CVE/list 2005-11-30 23:00:57 UTC (rev 2906) @@ -15,7 +15,7 @@ CVE-2005-3884 (Multiple SQL injection vulnerabilities in the search action in Zainu ...) NOT-FOR-US: Zaimu CVE-2005-3883 (CRLF injection vulnerability in the mb_send_mail function in PHP ...) - - php5 <unfixed> (bug filed; medium) + - php5 <unfixed> (bug #341368; medium) TODO: check php4 CVE-2005-3882 (SQL injection vulnerability in answer.php in FAQSystems FAQRing ...) NOT-FOR-US: FAQRing Knowledge Base @@ -286,7 +286,7 @@ CVE-2004-2573 (PHP remote file include vulnerability in tables_update.inc.php in ...) - phpgroupware 0.9.14.007 CVE-2005-XXXX [Multiple issues in webcalendar] - - webcalendar <unfixed> (bug filed; medium) + - webcalendar <unfixed> (bug #341208; medium) CVE-2005-3848 (Memory leak in the icmp_push_reply function in Linux 2.6 before ...) [sarge] - kernel-source-2.6.8 2.6.8-16sarge2 CVE-2005-3847 (The handle_stop_signal function in signal.c in Linux kernel before ...) @@ -6501,7 +6501,7 @@ CVE-2002-1827 (Sendmail 8.9.0 through 8.12.3 allows local users to cause a denial of ...) - sendmail 8.12-4 CVE-2002-1826 (grsecurity 1.9.4 for Linux kernel 2.4.18 allows local users to bypass ...) - NOTE: kernel 2.4.18 + - kernel-patch-2.4-grsecurity 1.9.6-1 CVE-2002-1825 (Format string vulnerability in PerlRTE_example1.pl in WASD 7.1, 7.2.0 ...) NOT-FOR-US: WASD CVE-2002-1824 (Microsoft Internet Explorer 6.0, when handling an expired CA-CERT in a ...) 
@@ -6525,7 +6525,7 @@ CVE-2002-1815 (Directory traversal vulnerability in source.php and source.cgi in ...) NOT-FOR-US: Aquonics CVE-2002-1814 (Buffer overflow in efstools in Bonobo, when installed setuid, allows ...) - NOTE: efstool not suid on debian + - efstool <not-affected> (efstool not suid on Debian) CVE-2002-1813 (Directory traversal vulnerability in AOL Instant Messenger (AIM) ...) NOT-FOR-US: AIM CVE-2002-1812 (Buffer overflow in gdam123 0.933 and 0.942 allows local users to ...) @@ -6655,8 +6655,7 @@ NOTE: varying and apparently innacurate info about what versions fix it - razor 2.720-1 (low) CVE-2005-2023 (The send_pinentry_environment function in asshelp.c in gpg2 on SUSE ...) - NOTE: insufficient info, possibly SuSE specific - NOT-FOR-US: only affects 1.9.14 of gpg2 + - gnupg2 1.9.15-1 CVE-2005-2022 (Unknown vulnerability in Webmail in iPlanet Messaging Server 5.2 Patch ...) NOT-FOR-US: iPlanet CVE-2005-2021 (Cross-site scripting (XSS) vulnerability in cPanel 9.1 and earlier ...) @@ -6861,7 +6860,7 @@ CVE-2002-1731 (The System Request menu in IBM AS/400 allows local users to list valid ...) NOT-FOR-US: IBM AS/400 CVE-2002-1730 (ASPjar Guestbook 1.00 allows remote attackers to delete arbitrary ...) - NOTE: not-fot-us (ASPjar Guestbook) + NOT-FOR-US: ASPjar Guestbook CVE-2002-1729 (Cross-site scripting vulnerability (XSS) in ASPjar Guestbook 1.00 ...) NOT-FOR-US: ASPjar Guestbook CVE-2002-1728 (askSam Web Publisher 1.0 and 4.0 allows remote attackers to determine ...) 
@@ -6879,8 +6878,7 @@ CVE-2002-1722 (Logitech iTouch keyboards allows attackers with physical access to the ...) NOT-FOR-US: microsoft CVE-2002-1721 (Off-by-one error in alterMIME 0.1.10 and 0.1.11 allows remote ...) - NOT-FOR-US: alterMIME - TODO: track RFP: #289546 + - altermime <itp> (bug #289546) CVE-2002-1720 (SQL injection vulnerability in Spooky Login 2.0 through 2.5 allows ...) NOT-FOR-US: Spooky Login CVE-2002-1719 (Unknown vulnerability in Bavo 0.3 allows remote attackers to modify ...) @@ -6956,7 +6954,7 @@ CVE-2002-1682 (NewsReactor 1.0 uses a weak encryption scheme, which could allow local ...) NOT-FOR-US: NewsReactor CVE-2002-1681 (Cross-site scripting (XSS) vulnerability in Slashcode CVS releases ...) - NOTE: Only present in intermediate CVS version, not released in Debian + - slash <not-affected> (Only present in intermediate CVS version, not released in Debian) CVE-2002-1680 (Cross-site scripting (XSS) vulnerability in CGI Online Worldweb ...) NOT-FOR-US: COWS CVE-2002-1679 (Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin 2.2.0 ...) @@ -6970,8 +6968,7 @@ CVE-2002-1675 (Format string vulnerability in the Cio_PrintF function of cio_main.c ...) NOT-FOR-US: Unreal IRCd CVE-2002-1674 (procfs on FreeBSD before 4.5 allows local users to cause a denial of ...) - NOTE: kfreebsd use a much more recent version of the freebsd kernel - NOT-FOR-US: FreeBSD + - kfreebsd-source <not-affected> (kfreebsd/Debian uses a much more recent kernel) CVE-2002-1673 (The web interface for Webmin 0.92 does not properly quote or filter ...) - webmin 0.93 (medium) CVE-2002-1672 (Webmin 0.92, when installed from an RPM, creates /var/webmin with ...) 
@@ -6986,8 +6983,7 @@ CVE-2002-1668 (HP-UX 11.11 and earlier allows local users to cause a denial of ...) NOT-FOR-US: HP-UX CVE-2002-1667 (The virtual memory management system in FreeBSD 4.5-RELEASE and ...) - NOTE: kfreebsd use a much more recent version of the freebsd kernel - NOT-FOR-US: FreeBSD + - kfreebsd-source <not-affected> (kfreebsd/Debian uses a much more recent kernel) CVE-2002-1666 (Unknown vulnerability in Oracle E-Business Suite 11i.1 through 11i.6 ...) NOT-FOR-US: Oracle CVE-2001-1506 (Unknown vulnerability in the file system protection subsystem in HP ...) @@ -7029,7 +7025,7 @@ CVE-2001-1488 (Open Projects Network Internet Relay Chat (IRC) daemon u2.10.05.18 ...) NOT-FOR-US: Open Projects ircd CVE-2001-1487 (popauth utility in Qualcomm Qpopper 4.0 and earlier allows local users ...) - NOTE: verified not present in 4.0.5-4sarge1 + - qpopper <not-affected> (Vulnerable code verified not present) CVE-2001-1484 (Alcatel ADSL modems allow remote attackers to access the Trivial File ...) NOT-FOR-US: Alcatel hardware issue CVE-2001-1483 (One-Time Passwords In Everything (a.k.a OPIE) 2.32 and 2.4 allows ...) @@ -7169,7 +7165,7 @@ - egroupware 1.0.0.007-3.dfsg-1 (bug #317263; high) - phpwiki 1.3.7-4 (bug #316714; high) - php4 4:4.3.10-16 (high; bug #316447) - NOTE: horde3 is not affected by this issue, they ship different XMLRPC code + - horde3 <not-affected> (horde3 ships different XMLRPC code) CVE-2005-1920 (The (1) Kate and (2) Kwrite applications in KDE KDE 3.2.x through ...) {DSA-804-2} - kdelibs 4:3.4.2-1 (bug #319016; medium) 
@@ -7178,8 +7174,7 @@ CVE-2005-1918 RESERVED CVE-2005-1917 (kpopper 1.0 and earlier allows local users to create and overwrite ...) - NOT-FOR-US: kpopper - NOTE: there is a kpopper in kerberos4kth-servers, but this is not the same one + NOT-FOR-US: kpopper, there is a kpopper in kerberos4kth-servers, but this is not the same one CVE-2005-1916 (linki.py in ekg 2005-06-05 and earlier allows local users to overwrite ...) {DSA-760-1 DTSA-4-1} - ekg 1:1.5+20050712+1.6rc2-1 (bug #318059; bug #317027; low) @@ -7321,6 +7316,7 @@ - gopher 3.0.8 (low) CVE-2005-1852 (Multiple integer overflows in libgadu, as used in Kopete in KDE 3.2.3 ...) {DSA-767-1 DTSA-4-1} + - kopete <unfixed> (bug #319443; unimportant) NOTE: Kopete embeds the vulnerable code, but it''s only used as a fallback when NOTE: no shared lib version is found. As the Debian package has a dependency on NOTE: it the maintainer does not intent to fix it, see # 319443 @@ -7383,8 +7379,7 @@ CVE-2005-1832 (Multiple cross-site scripting (XSS) vulnerabilities in MyBulletinBoard ...) NOT-FOR-US: MyBB CVE-2005-1831 (Sudo 1.6.8p7 on SuSE Linux 9.3, and possibly other Linux ...) - NOTE: Unreproducable by SuSE security team, sudo contains code to circumvent such - NOTE: behaviour, seems like a broken PAM setup on the submitter''s side + - sudo <not-affected> (Unreproducable, seems like a broken PAM setup on the submitter''s side) CVE-2005-1830 (The DbgMsg.sys driver in Compuware SoftICE DriverStudio 3.1 and 3.2 ...) NOT-FOR-US: SoftICE CVE-2005-1829 (Microsoft Internet Explorer 6 SP2 allows remote attackers to cause a ...) @@ -7426,7 +7421,6 @@ CVE-2005-1811 (Cross-site scripting (XSS) vulnerability in usercp.php for ...) NOT-FOR-US: MyBB CVE-2005-1810 (SQL injection vulnerability in template-functions-category.php in ...) - NOTE: Not in Sarge - wordpress 1.5.1.2-1 CVE-2005-1809 (Sony Ericsson P900 Beamer allows remote attackers to cause a denial of ...) NOT-FOR-US: Sony hardware issue 
@@ -7470,8 +7464,6 @@ CVE-2005-1790 (Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106 ...) - mozilla-firefox <unfixed> (bug #340283; low) - mozilla <unfixed> (bug #340282; low) - NOTE: Confirmed DoS against Firefox and Mozilla. - NOTE: Maybe this will receive a different name. CVE-2005-1789 (SQL injection vulnerability in SignIn.asp in India Software Solution ...) NOT-FOR-US: India Software Solution shopping cart CVE-2005-1788 (SQL injection vulnerability in resellerresources.asp in Hosting ...) @@ -7518,8 +7510,8 @@ CVE-2005-1768 (Race condition in the ia32 compatibility code for the execve system ...) - kernel-source-2.4.27 2.4.27-11 (medium; bug #319629) CVE-2005-1767 (traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment ...) - NOTE: linux-2.6 not affected (already fixed) - TODO: Add which revision was that fixed? + - linux-2.6 <not-affected> (Fixed before upload into archive) + TODO: Add which revision fixed this - kernel-source-2.4.27 2.4.27-11 (unknown) CVE-2005-1766 (Heap-based buffer overflow in rtffplin.cpp in RealPlayer 10.5 ...) {DSA-826-1} 
@@ -7528,28 +7520,24 @@ NOTE: <http://service.real.com/help/faq/security/050623_player/EN/> CVE-2005-1765 (syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, ...) {DTSA-16-1} - - kernel-source-2.6.8 2.6.8-17 - - kernel-source-2.6.8 2.6.8-16sarge1 + [sarge] - kernel-source-2.6.8 2.6.8-16sarge1 - linux-2.6 2.6.12-1 (medium) - NOTE: Fixed in the 2.6.11 stable series and merged into 2.6.12 - NOTE: 2.6 only, not in 2.4 + - kernel-source-2.4.27 <not-affected> CVE-2005-1764 (Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard ...) - NOTE: horms says not vulnerable in 2.4.27 or 2.6.8 as far as he can tell + - linux-2.6 <not-affected> (Fixed before upload into archive; 2.6.11) + - kernel-source-2.4.27 <not-affected> CVE-2005-1763 (Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures ...) - - kernel-source-2.6.8 2.6.8-17 - - linux-2.6 2.6.12-1 - NOTE: Commited to kernel git on 2005-05-17 (between .12-rc4 and .12-rc5) + [sarge] - kernel-source-2.6.8 2.6.8-17 + - linux-2.6 <not-affected> (Fixed before upload into archive; 2.6.12-rc5) CVE-2005-1762 (The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 ...) {DTSA-16-1} - - linux-2.6 2.6.12-1 (medium) - NOTE: Commited to kernel git on 2005-05-17 (between .12-rc4 and .12-rc5) - - kernel-source-2.6.8 2.6.8-17 + - linux-2.6 <not-affected> (Fixed before upload into archive; 2.6.12-rc5) + [sarge] - kernel-source-2.6.8 2.6.8-17 - kernel-source-2.4.27 2.4.27-11 CVE-2005-1761 (Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users ...) {DTSA-16-1} - linux-2.6 2.6.12-1 (medium) - - kernel-source-2.6.11 2.6.11-6 (medium) - - kernel-source-2.6.8 2.6.8-17 + [sarge] - kernel-source-2.6.8 2.6.8-17 - kernel-source-2.4.27 <unfixed> (low) CVE-2005-1760 (sysreport 1.3.15 and earlier includes contents of the up2date file in ...) NOT-FOR-US: sysreport 
@@ -7571,11 +7559,9 @@ - php4 4:4.3.10-16 (low) NOTE: the patch applied to NMU #311206 fixes both CVE-2005-1759 and CVE-2005-1751 CVE-2004-2136 (dm-crypt on Linux kernel 2.6.x, when used on certain file systems ...) - NOTE: This looks like a minor issue, the paper is from Feb 2004, check whether this still applies - TODO: check, whether this still applies + TODO: This looks like a minor issue, the paper is from Feb 2004, check whether this still applies CVE-2004-2135 (cryptoloop on Linux kernel 2.6.x, when used on certain file systems ...) - NOTE: This looks like a minor issue, the paper is from Feb 2004, check whether this still applies - TODO: check, whether this still applies + TODO: This looks like a minor issue, the paper is from Feb 2004, check whether this still applies CVE-2004-2134 (Oracle toplink mapping workBench uses a weak encryption algorithm for ...) NOT-FOR-US: Oracle CVE-2004-2133 (Certain third-party packages for CVSup 16.1h, such as SuSE Linux, ...)
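Review bot: For CVE-2002-1826 (hunk @@ -6501,7 +6501,7 @@) the new line asserts a fixed version, `- kernel-patch-2.4-grsecurity 1.9.6-1`, but nothing in the entry says where that version comes from; the line it replaces was only "NOTE: kernel 2.4.18". Add a NOTE stating how 1.9.6-1 was established as the first fixed upload, so the entry can be re-checked later.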
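Review bot: In the CVE-2005-2023 entry (hunk @@ -6655,8 +6655,7 @@) the fixed version in `- gnupg2 1.9.15-1` is inferred, not documented: the two removed lines said only "insufficient info, possibly SuSE specific" and "only affects 1.9.14 of gpg2". Keep a NOTE recording that the issue may be SuSE specific and that 1.9.15-1 follows from 1.9.14 being the only affected release, since the package line alone now reads as a confirmed fix.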
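Review bot: In the CVE-2002-1721 entry (hunk @@ -6879,8 +6878,7 @@) the removed TODO calls #289546 an RFP, while the replacement tags the package `<itp>`. If the bug is still a request for packaging and nobody has declared an intent to package, the new tag overstates its status; check the bug's current title, or keep a NOTE saying it is an RFP.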
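Review bot: The CVE-2001-1487 line (hunk @@ -7029,7 +7025,7 @@) loses the version that was actually checked: the old NOTE said "verified not present in 4.0.5-4sarge1", the new reason says only "Vulnerable code verified not present". Put the version back into the parenthetical, for example `- qpopper <not-affected> (Vulnerable code verified not present in 4.0.5-4sarge1)`, so the claim stays verifiable.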
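Review bot: In CVE-2005-1917 (hunk @@ -7178,8 +7174,7 @@) folding the NOTE into the tag gives `NOT-FOR-US: kpopper, there is a kpopper in kerberos4kth-servers, but this is not the same one`, whereas every other NOT-FOR-US line in this patch carries just a product name. Anything matching on the text after the colon will now see a sentence. Keep `NOT-FOR-US: kpopper` and leave the kerberos4kth-servers remark on its own NOTE line.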
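Review bot: In CVE-2005-1852 (hunk @@ -7321,6 +7316,7 @@) the added `- kopete <unfixed> (bug #319443; unimportant)` line now carries the bug number, but the NOTE lines directly below it still end with "see # 319443". Trim that trailing reference from the NOTE in the same commit so the bug is recorded once and in the `bug #NNN` form used everywhere else.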
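Review bot: The CVE-2005-1831 line (hunk @@ -7383,8 +7379,7 @@) drops who failed to reproduce the issue and why: the old NOTE attributed it to the SuSE security team and added that sudo contains code to circumvent such behaviour. The new reason keeps only "Unreproducable, seems like a broken PAM setup", which reads as our own finding. Keep the attribution in the parenthetical, and fix the spelling to "Unreproducible" while touching the line.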
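Review bot: The CVE-2005-1810 hunk (@@ -7426,7 +7421,6 @@) deletes "NOTE: Not in Sarge" with nothing replacing it, so the entry no longer says anything about sarge. If the new syntax can express this (the `[sarge] - ...` prefix appears elsewhere in this patch), convert the note; otherwise leave the NOTE in place.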
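Review bot: The CVE-2005-1790 hunk (@@ -7470,8 +7464,6 @@) removes the only explanation of why mozilla-firefox and mozilla are tracked under a CVE whose description names Microsoft Internet Explorer. Keep "NOTE: Confirmed DoS against Firefox and Mozilla."; the second NOTE about a possible rename can go if a new name is no longer expected.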
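Review bot: In the kernel hunk (@@ -7528,28 +7520,24 @@) CVE-2005-1764 no longer says anything about kernel-source-2.6.8: the removed NOTE covered "2.4.27 or 2.6.8" and was hedged with "as far as he can tell", while the new lines mark only linux-2.6 and kernel-source-2.4.27 as `<not-affected>` without the hedge. Add a kernel-source-2.6.8 line or keep the NOTE. The same hunk also removes `- kernel-source-2.6.11 2.6.11-6 (medium)` from CVE-2005-1761 and the `- kernel-source-2.6.8 2.6.8-17` line from CVE-2005-1765, and changes linux-2.6 in CVE-2005-1762 and CVE-2005-1763 from a fixed version to `<not-affected>`. Those are data changes, not syntax changes, so the log message should say so or they should go in a separate commit.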