Author: fw
Date: 2005-12-23 22:07:15 +0000 (Fri, 23 Dec 2005)
New Revision: 3142

Modified: data/CVE/list
Log:
Add a couple of missing fixed versions, to close latent vulnerabilities.

The tcpdump issues (CVE-2004-0057, CVE-2004-0055, CVE-2003-1029) are all resolved in upstream version 3.8.3 (I looked at the source code).

Modified: data/CVE/list ==================================================================--- data/CVE/list 2005-12-23 21:43:29 UTC (rev 3141) +++ data/CVE/list 2005-12-23 22:07:15 UTC (rev 3142) @@ -12661,10 +12661,10 @@ NOT-FOR-US: Ipswitch Collaboration Suite CVE-2005-0706 (Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a ...) [sarge] - gnome-vfs2 <not-affected> (does not install the module with the vulnerable code) - NOTE: fixed in gnome-vfs2 2.10 long ago too. - grip 3.2.0-4 (low) - libcdaudio 0.99.9-2.1 (bug #304799; low) - gnome-vfs 1.0.5-5.1 (bug #305163; low) + - gnome-vfs2 2.10.1-3 CVE-2005-0705 (The GPRS-LLC dissector in Ethereal 0.10.7 through 0.10.9, with the ...) - ethereal 0.10.10-1 CVE-2005-0704 (Buffer overflow in the Etheric dissector in Ethereal 0.10.7 through ...) @@ -14831,6 +14831,7 @@ RESERVED CVE-2005-0152 (PHP remote code injection vulnerability in Squirrelmail 1.2.6 allows ...) {DSA-662-1} + - squirrelmail 1:1.2.7-1 NOTE: This bug exists only in version 1.2.6. CVE-2005-0151 (Unknown vulnerability in the installation of Adobe License Management ...) NOT-FOR-US: Adobe License Management Software @@ -17612,7 +17613,7 @@ RESERVED CVE-2004-0405 (CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot ...) {DSA-486} - - cvs 1:1.12.5-4 + - cvs 1:1.12.5-4 (medium) CVE-2004-0404 (logcheck before 1.1.1 allows local users to overwrite arbitrary files ...) {DSA-488} - logcheck 1.1.1-13.2 
@@ -18052,7 +18053,7 @@ NOTE: fixed in 2.4.26-pre5 CVE-2004-0180 (The client for CVS before 1.11 allows a remote malicious CVS server to ...) {DSA-486} - TODO: Check for the sid fix + - cvs 1:1.12.5-4 (medium) CVE-2004-0179 (Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, ...) {DSA-487} - neon 0.24.5-1 @@ -18264,16 +18265,14 @@ NOT-FOR-US: Antivir CVE-2004-0057 (The rawprint function in the ISAKMP decoding routines (print-isakmp.c) ...) {DSA-425} - TODO: No idea if this is fixed, we have a new upstream version - TODO: that came out after these advisories, but neither the debian nor - TODO: the upstream changelog seem to mention them. + - tcpdump 3.8.3-1 + NOTE: Upstream version 3.8.3 is fixed; may have been fixed earlier. CVE-2004-0056 (Multiple vulnerabilities in the H.323 protocol implementation for ...) NOT-FOR-US: Nortel Networks products CVE-2004-0055 (The print_attr_string function in print-radius.c for tcpdump 3.8.1 and ...) {DSA-425} - TODO: No idea if this is fixed, we have a new upstream version - TODO: that came out after these advisories, but neither the debian nor - TODO: the upstream changelog seem to mention them. + - tcpdump 3.8.3-1 + NOTE: Upstream version 3.8.3 is fixed; may have been fixed earlier. CVE-2004-0054 (Multiple vulnerabilities in the H.323 protocol implementation for ...) NOT-FOR-US: Cisco IOS CVE-2004-0053 (Multiple content security gateway and antivirus products allow remote ...) 
@@ -18410,9 +18409,8 @@ NOT-FOR-US: Dameware CVE-2003-1029 (The L2TP protocol parser in tcpdump 3.8.1 and earlier allows remote ...) {DSA-425} - TODO: No idea if this is fixed, we have a new upstream version - TODO: that came out after these advisories, but neither the debian nor - TODO: the upstream changelog seem to mention them. + - tcpdump 3.8.3-1 + NOTE: Upstream version 3.8.3 is fixed; may have been fixed earlier. CVE-2003-1028 (The download function of Internet Explorer 6 SP1 allows remote ...) NOT-FOR-US: microsoft CVE-2003-1027 (Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct ...) @@ -19134,14 +19132,14 @@ CVE-2003-0695 (Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow ...) {DSA-383 DSA-382} - openssh 1:3.7.1 - TODO: openssh-krb5: Screwy changelog does not make sense. Filed bug. + TODO: openssh-krb5: Screwy changelog does not make sense (bug #264717). CVE-2003-0694 (The prescan function in Sendmail 8.12.9 allows remote attackers to ...) {DSA-384} - sendmail 8.12.10-1 CVE-2003-0693 (A "buffer management error" in buffer_append_space of buffer.c for ...) {DSA-383 DSA-382} - openssh 1:3.6.1p2-6.0 - TODO: openssh-krb5: Screwy changelog does not make sense. Filed bug. + TODO: openssh-krb5: Screwy changelog does not make sense (bug #264717). CVE-2003-0692 (KDM in KDE 3.1.3 and earlier uses a weak session cookie generation ...) {DSA-388} - kdebase 4:3.2 @@ -19170,7 +19168,7 @@ CVE-2003-0682 ("Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a ...) {DSA-383 DSA-382} - openssh 1:3.6.1p2-9 - TODO: ssh-krb5: Screwy changelog does not make sense. Filed bug. + TODO: openssh-krb5: Screwy changelog does not make sense (bug #264717). CVE-2003-0681 (A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, ...) {DSA-384} - sendmail 8.12.10-1 
@@ -19767,6 +19765,7 @@ - ethereal 0.9.13-1 CVE-2003-0428 (Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal ...) {DSA-324} + - ethereal 0.9.13-1 CVE-2003-0427 (Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to ...) {DSA-320} - mikmod 3.1.6-6 @@ -22110,6 +22109,7 @@ - tomcat 3.3.1a-1 CVE-2003-0040 (SQL injection vulnerability in the PostgreSQL auth module for courier ...) {DSA-247} + - courier 0.40.2-3 - courier-ssl 0.40.2-3 CVE-2003-0039 (ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other ...) {DSA-245} @@ -22714,6 +22714,7 @@ NOT-FOR-US: W3C Jigsaw Proxy Server CVE-2002-1051 (Format string vulnerability in TrACESroute 6.0 GOLD (aka NANOG ...) {DSA-254} + - traceroute-nanog 6.3.0-1 CVE-2002-1050 (Buffer overflow in HylaFAX faxgetty before 4.1.3 allows remote ...) {DSA-148} - hylafax 4.1.2-2.1
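Review bot: In the CVE-2005-0706 hunk, the added "- gnome-vfs2 2.10.1-3" entry has no urgency, while the grip, libcdaudio and gnome-vfs entries just above it are all marked low. It also replaces a NOTE that said only "fixed in gnome-vfs2 2.10", so the reason for pinning 2.10.1-3 is no longer recorded. Suggest adding the urgency, keeping a short NOTE on how 2.10.1-3 was chosen, and placing the entry next to the "[sarge] - gnome-vfs2 <not-affected>" line so both gnome-vfs2 records sit together.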
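Review bot: In the CVE-2005-0152 hunk, the new "- squirrelmail 1:1.2.7-1" entry sits directly above a NOTE saying the bug exists only in version 1.2.6, and the two together leave it unclear whether a vulnerable 1.2.6 package was ever in the archive. If it was not, a not-affected marking with that explanation would describe the situation more accurately than a fixed version; if it was, the NOTE could say so.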
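Review bot: The CVE-2004-0405 and CVE-2004-0180 hunks both end up with "- cvs 1:1.12.5-4 (medium)", but the log message mentions neither the new urgency nor how the cvs version was checked; it only explains the tcpdump verification. Both descriptions say the flaw is in CVS before 1.11, so 1:1.12.5-4 is an upper bound copied from the existing entry rather than a confirmed first fixed upload. A NOTE to that effect, like the one added for tcpdump, would make this clear to later editors.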
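Review bot: The three tcpdump hunks (CVE-2004-0057, CVE-2004-0055, CVE-2003-1029) replace the TODO with "- tcpdump 3.8.3-1" and a NOTE that the fix may be earlier, but the NOTE does not say what was inspected in the 3.8.3 source. Naming the reviewed code in each NOTE (rawprint in print-isakmp.c, print_attr_string in print-radius.c, the L2TP parser) would let someone narrow the fixed version later without repeating the review. The entries also carry no urgency, unlike the cvs entries touched in the same commit.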
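Review bot: In the CVE-2003-0682 hunk, the TODO line changes the package name from ssh-krb5 to openssh-krb5 in addition to adding the bug reference, and the log message does not mention the rename; please confirm which source package name is correct. In all three openssh hunks (CVE-2003-0695, CVE-2003-0693, CVE-2003-0682) the line is still a TODO, so openssh-krb5 has no fixed-version entry for these CVEs. Consider tying the TODO explicitly to the outcome of bug #264717.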