Author: jmm-guest Date: 2006-01-12 11:12:03 +0000 (Thu, 12 Jan 2006) New Revision: 3276 Modified: data/CVE/list Log: new sudo issue new libapache-auth-ldap issue lots of NFUS Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-01-12 09:14:20 UTC (rev 3275) +++ data/CVE/list 2006-01-12 11:12:03 UTC (rev 3276) @@ -69,70 +69,71 @@ NOTE: question, that makes it very clear that setuid root is only for single-user NOTE: systems and xmame-sdl and xmess aren''t setuid at all [sarge] - xmame <no-dsa> (XMame is non-free software) -begin claimed by jmm CVE-2006-0160 (SQL injection vulnerability in add_post.php3 in Venom Board 1.22 ...) - TODO: check + NOT-FOR-US: Venom Board CVE-2006-0159 (SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows ...) - TODO: check + NOT-FOR-US: Foro Domus CVE-2006-0158 (SQL injection vulnerability in index.php in CyberDoc SiteSuite CMS ...) - TODO: check + NOT-FOR-US: CyberDoc SiteSuite CMS CVE-2006-0157 (settings.php in Reamday Enterprises Magic News Plus 1.0.3 allows ...) - TODO: check + NOT-FOR-US: Reamday Enterprises Magic News Plus CVE-2006-0156 (Cross-site scripting (XSS) vulnerability in Foxrum 4.0.4f allows ...) - TODO: check + NOT-FOR-US: Foxforum CVE-2006-0155 (Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and ...) - TODO: check + NOT-FOR-US: 427BB CVE-2006-0154 (SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 ...) - TODO: check + NOT-FOR-US: 427BB CVE-2006-0153 (427BB 2.2 and 2.2.1 verifies authentication credentials based on the ...) - TODO: check + NOT-FOR-US: 427BB CVE-2006-0152 (Cross-site scripting (XSS) in search_result.php in phpChamber 1.2 and ...) - TODO: check + NOT-FOR-US: phpChamber CVE-2006-0151 (sudo 1.6.8 and other versions does not clear the PYTHONINSPECT ...) - TODO: check + - sudo <unfixed> + NOTE: The whole black list approach is flawed, for the DSA we''ll switch to + NOTE: a white list approach of known to be safe env vars. CVE-2006-0150 (Multiple format string vulnerabilities in the auth_ldap_log_reason ...) - TODO: check + - libapache-auth-ldap <removed> + NOTE: DSA in preparation CVE-2006-0149 (Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with ...) - TODO: check + NOT-FOR-US: SimpBook CVE-2006-0148 (NetSarang Xlpd 2.1 allows remote attackers to cause a denial of ...) - TODO: check + NOT-FOR-US: NetSarang Xlpd CVE-2006-0147 (Dynamic code evaluation vulnerability in tests/tmssql.php test script ...) - TODO: check + NOT-FOR-US: ADOdb for PHP CVE-2006-0146 (The server.php test script in ADOdb for PHP before 4.70, as used in ...) - TODO: check + NOT-FOR-US: ADOdb for PHP CVE-2006-0145 (The lseek system call in kernfs in NetBSD 1.6 through 2.1 does not ...) - TODO: check + NOT-FOR-US: NetBSD CVE-2006-0144 (The proxy server feature in go-pear.php in PHP PEAR 0.2.2 allows ...) - TODO: check + TODO: check, whether this is included in the PEAR packages from PHP 4 oder 5 CVE-2006-0143 (Microsoft Windows Graphics Rendering Engine (GRE) allows remote ...) - TODO: check + NOT-FOR-US: Windows CVE-2006-0142 (Cross-site scripting (XSS) vulnerability in andromeda.php in Andromeda ...) - TODO: check + NOT-FOR-US: Andromeda CVE-2006-0141 (Qualcomm Eudora Internet Mail Server (EIMS) before 3.2.8 allows remote ...) - TODO: check + NOT-FOR-US: Eudora CVE-2006-0140 (Cross-site scripting (XSS) vulnerability in post.php in NavBoard V16 ...) - TODO: check + NOT-FOR-US: Navboard CVE-2006-0139 (The send-private-message functionality (send-private-message.asp) in ...) - TODO: check + NOT-FOR-US: PD9 Software MegaBBS CVE-2005-4641 (SQL injection vulnerability in home.php in eazyCMS 2.0 allows remote ...) - TODO: check + NOT-FOR-US: eazyCMS CVE-2005-4640 (SQL injection vulnerability in index.php in class-1 Poll Software 0.4 ...) - TODO: check + NOT-FOR-US: class-1 Poll CVE-2005-4639 (Buffer overflow in the CA-driver (dst_ca.c) for TwinHan DST ...) - TODO: check + NOT-FOR-US: TwinHan DST CVE-2005-4638 (index.php in Kayako SupportSuite 3.00.26 and earlier allow remote ...) - TODO: check + NOT-FOR-US: Kayako SupportSuite CVE-2005-4637 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...) - TODO: check + NOT-FOR-US: Kayako SupportSuite CVE-2005-4636 (OpenOffice.org 2.0 and earlier, when hyperlinks has been disabled, ...) - openoffice.org <unfixed> (unimportant) NOTE: This is a non-issue IMO (neilm). OOo just launches a web browser. NOTE: If the admin doesn''t web browsing, why is one installed/enabled? CVE-2004-2653 (Unspecified vulnerability in PD9 Software MegaBBS 2.0 and 2.1 allows ...) - TODO: check + NOT-FOR-US: PD9 Software MegaBBS CVE-2006-0162 (Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus ...) - clamav 0.88-1 -end claimed by jmm CVE-2006-0138 (aMSN (aka Alvaro''s Messenger) allows remote attackers to cause a ...) NOT-FOR-US: Alvaro''s Messenger CVE-2006-0137 (SQL injection vulnerability in linkcategory.php in Phanatic Softwares ...)