Author: djoume-guest
Date: 2006-03-10 20:35:44 +0000 (Fri, 10 Mar 2006)
New Revision: 3588

Modified:
   data/CVE/list
Log:
* some NFUs
* flex issue, I'm looking for someone aware about the coordination with ubuntu about this issue.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2006-03-10 20:19:26 UTC (rev 3587)
+++ data/CVE/list	2006-03-10 20:35:44 UTC (rev 3588)
@@ -313,28 +313,32 @@ NOT-FOR-US: Jay Eckles CGI Calendar CVE-2006-0979 (Unspecified vulnerability in the local weblog publisher in Nidelven IT ...) NOT-FOR-US: Nidelven IT Issue Dealer -begin claimed by djoume CVE-2006-0978 (Multiple cross-site scripting (XSS) vulnerabilities in the View ...) - TODO: check + NOT-FOR-US: ArGoSoft Mail Server CVE-2006-0977 (Craig Morrison Mail Transport System Professional (aka MTS Pro) acts ...) - TODO: check + NOT-FOR-US: MTS Pro CVE-2006-0976 (Directory traversal vulnerability in scan_lang_insert.php in Boris ...) - TODO: check + NOT-FOR-US: SPiD CVE-2006-0975 (Multiple unspecified vulnerabilities in Will Estes and John Millaway ...) - TODO: check + - flex 2.5.33-1 + NOTE: There are other package affected by this vulnerability + NOTE: Martin Pitt has built a list for ubuntu and also mentionned that + NOTE: "Coordination with Debian has happened". + NOTE: Could someone aware about this please update this entry? + NOTE: See : https://launchpad.net/distros/ubuntu/+source/flex/+bug/30940 CVE-2006-0974 (Cross-site scripting (XSS) vulnerability in failure.asp in Battleaxe ...) - TODO: check + NOT-FOR-US: bttlxeForum 2.0 CVE-2006-0973 (SQL injection vulnerability in topics.php in Appalachian State ...) - TODO: check + NOT-FOR-US: phpWebSite CVE-2006-0972 (SQL injection vulnerability in news.php in Tony Baird Fantastic News ...) - TODO: check + NOT-FOR-US: Tony Baird Fantastic News CVE-2006-0971 (Directory traversal vulnerability in Lionel Reyero DirectContact 0.3b ...) - TODO: check + NOT-FOR-US: DirectContact CVE-2006-0970 (PHP remote file inclusion vulnerability in index.php in one or more ...) - TODO: check + NOT-FOR-US: ActiveCampaign products CVE-2006-0969 (PHP remote file inclusion vulnerability in index.php in Top sites de ...) - TODO: check -end claimed by djoume + NOT-FOR-US: PixelArtKingdom TopSites +begin claimed by djoume CVE-2006-0968 (The ncprwsnt service in NCP Network Communication Secure Client 8.11 ...) 
TODO: check CVE-2006-0967 (NCP Network Communication Secure Client 8.11 Build 146, and possibly ...) @@ -377,6 +381,7 @@ TODO: check CVE-2006-0948 RESERVED +end claimed by djoume CVE-2006-0947 (Thomson SpeedTouch modem running firmware 5.3.2.6.0 allows remote ...) TODO: check CVE-2006-0946 (Cross-site scripting (XSS) vulnerability in Thomson SpeedTouch modems ...)
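Review bot: in the first hunk (@@ -313,28 +313,32 @@), the NOTE lines added under CVE-2006-0975 put a request to the team ("Could someone aware about this please update this entry?") and an unspecified claim ("There are other package affected by this vulnerability") into the tracked data, where NOTE lines are meant to record facts about the issue; keep the request on the list (the commit log already carries it) and replace the placeholder with the affected source packages once the list from the Launchpad bug has been checked. Two typos in the same lines: "other package affected" should read "other packages affected", and "mentionned" should read "mentioned". Also, swapping "TODO: check" for "- flex 2.5.33-1" records a fixed version for the entry; confirm that this upload exists before the TODO is dropped, since the NOTE lines themselves say the entry still needs updating.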
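Review bot: in the second hunk (@@ -377,6 +381,7 @@), the added "+end claimed by djoume" after "CVE-2006-0948 RESERVED" pairs with the "+begin claimed by djoume" moved before CVE-2006-0968 in the first hunk, so the claim markers are balanced; note that the entries inside the new range still carrying "TODO: check" (CVE-2006-0968, CVE-2006-0967) remain open under this claim.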
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r3588 - data/CVE
SALVETTI Djoumé wrote:
> Author: djoume-guest
> Date: 2006-03-10 20:35:44 +0000 (Fri, 10 Mar 2006)
> New Revision: 3588
>
> Modified:
> data/CVE/list
> Log:
> * some NFUs
> * flex issue, I'm looking for someone aware about the
> coordination with ubuntu about this issue.
>
> CVE-2006-0975 (Multiple unspecified vulnerabilities in Will Estes and John Millaway ...)
> - TODO: check
> + - flex 2.5.33-1
> + NOTE: There are other package affected by this vulnerability
> + NOTE: Martin Pitt has built a list for ubuntu and also mentionned that
> + NOTE: "Coordination with Debian has happened".
> + NOTE: Could someone aware about this please update this entry?
> + NOTE: See : https://launchpad.net/distros/ubuntu/+source/flex/+bug/30940

Neil ran the detection script for Sarge and unstable on his private mirror. I've just committed the list of affected packages in SVN. Please help evaluate the affected source packages up to which extent they use the vulnerable and if there's an exploit vector. I've already started, but have been too busy to make further progress. Help is welcome.

A flex fix is already prepared, but failed with mysterious failures on sparc, ia64 and powerpc. For some reason the build system believes the included .l have been changed and tries to rebuild the .l files from source, which fails as flex doesn't build-depend on flex. I'll build them manually on porter machines later in the weekend. After that, affected flex-using packages will be rebuilt.

Cheers,
Moritz