Author: jmm-guest Date: 2006-07-26 20:33:48 +0000 (Wed, 26 Jul 2006) New Revision: 4457 Modified: data/CVE/list Log: removed amanda issue: according to Bdale the code doesn''t work, so it''s not exploitable removed metar issue: checked the diff; this is not exploitable crypt++el is actually fixed since long some no-dsa for minor issues Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-07-26 08:15:40 UTC (rev 4456) +++ data/CVE/list 2006-07-26 20:33:48 UTC (rev 4457) @@ -2953,6 +2953,7 @@ RESERVED CVE-2006-2480 (Format string vulnerability in Dia 0.94 allows user-complicit ...) - dia 0.95.0-4 (bug #368202; low) + [sarge] - dia <no-dsa> (Hardly exploitable, would require obviously malformed file names) CVE-2006-2479 (The Update functionality in Bitrix Site Manager 4.1.x does not verify ...) NOT-FOR-US: Bitrix CVE-2006-2478 (Bitrix Site Manager 4.1.x allows remote attackers to redirect users to ...) @@ -3009,6 +3010,7 @@ RESERVED CVE-2006-2453 (Multiple unspecified format string vulnerabilities in Dia have ...) - dia 0.95.0-4 (bug #368202; medium) + [sarge] - dia <no-dsa> (Hardly exploitable, would require obviously malformed file names) CVE-2006-2452 (GNOME GDM 2.8, 2.12, 2.14, and 2.15, when the "face browser" feature ...) - gdm <unfixed> (bug #375281; medium) [sarge] - gdm <not-affected> (Vulnerable code has only been introduced with 2.8) @@ -13227,9 +13229,6 @@ - isoqlog 2.2-0.1 (bug #254101; bug #202634) CVE-2002-XXXX [libnss-ldap: DoS through truncated DNS queries] - libnss-ldap 199-1 (bug #169793) -CVE-2004-XXXX [Insecure temp files in amanda''s chg-manual] - - amanda 1:2.4.5p1-1 (bug #226139; low) - NOTE: Woody and Sarge affected CVE-2005-3752 (Unspecified vulnerability in ldapdiff before 1.1.1 has unknown impact ...) - ldapdiff <not-affected> (The version in Debian doesn''t contain the vulnerable code, see #306878) CVE-2005-XXXX [apt-cache doesn''t differentiate sources which share several properties] @@ -13246,8 +13245,7 @@ - hdup <unfixed> (bug #302790; low) [sarge] - hdup <no-dsa> (Mostly a bug, very limited security implications) CVE-2001-XXXX [crypt++ passes passwords through the command line] - - crypt++el <unfixed> (bug #105562; low) - NOTE: Sarge and Woody are affected + - crypt++el 2.91-2.1 (bug #105562; low) CVE-2004-XXXX [Two vulnerabilities in sredird] - sredird 2.2.1-1.1 (bug #267098) CVE-2003-XXXX [fuzz: Insecure temp file usage] @@ -14019,7 +14017,8 @@ CVE-2005-2799 (Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and ...) NOT-FOR-US: Linksys routers CVE-2005-2798 (sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, ...) - - openssh 1:4.2p1-1 (bug #326065; medium) + - openssh 1:4.2p1-1 (bug #326065; unimportant) + NOTE: Not enabled in the binary build, see #326065 - openssh-krb5 <unfixed> (bug #327233; medium) CVE-2005-2797 (OpenSSH 4.0, and other versions before 4.2, does not properly handle ...) - openssh 1:4.2p1-1 (bug #326065; medium) @@ -15201,8 +15200,6 @@ - kernel-source-2.6.8 2.6.8-16sarge1 (bug #309308; low) NOTE: 2.6.12-1 contained a partially broken fix - linux-2.6 2.6.12-6 (bug #309308; low) -CVE-2005-XXXX [Unspecified buffer overflow in metar] - - metar 20050807.1-1 (unknown) CVE-2005-2489 (Web Content Management News System allows remote attackers to create ...) NOT-FOR-US: Web Content Management News System CVE-2005-2488 (Cross-site scripting (XSS) vulnerability in Web Content Management ...) @@ -15870,7 +15867,8 @@ CVE-2004-2266 (SQL injection vulnerability in Ansel 2.1 and earlier allows remote ...) NOT-FOR-US: Ansel CVE-2004-2265 (UUDeview 0.5.20 and earlier handles temporary files insecurely during ...) - - uudeview 0.5.20-2.1 (bug #320541; medium) + - uudeview 0.5.20-2.1 (bug #320541; low) + [sarge] - uudeview <no-dsa> (Hardly exploitable) NOTE: dnprogs apparetly not vulnerable, unsafe code is not called (#358500) CVE-2004-2264 (** DISPUTED ** ...) - less <not-affected> (less is not suid, explotability unlikely)