Author: seanius Date: 2006-08-15 17:46:11 +0000 (Tue, 15 Aug 2006) New Revision: 4569 Modified: data/CVE/list Log: syncing status/notes of some of the php CVE''s. not mentioning status of CVE''s that are for sure fixed in the pending upload, but mentioning the disputed ones for now. Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-08-15 09:14:18 UTC (rev 4568) +++ data/CVE/list 2006-08-15 17:46:11 UTC (rev 4569) @@ -5887,6 +5887,7 @@ CVE-2006-1549 (PHP 4.4.2 and 5.1.2 allows local users to cause a crash (segmentation ...) - php4 <unfixed> (bug #361854) - php5 5.1.4-0.1 (bug #361917) + NOTE: this is arguably not a security vulnerability. CVE-2005-4767 (BEA WebLogic Server and WebLogic Express 8.1 SP5 and earlier, and 7.0 ...) NOT-FOR-US: BEA WebLogic CVE-2005-4766 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) @@ -7188,9 +7189,13 @@ CVE-2006-1015 (Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x ...) - php5 5.1.4-0.1 (bug #368595; low) - php4 <unfixed> (bug #368592; low) + NOTE: is this really a vulnerability in php? it seems it should be a bug + NOTE: in any application that doesn''t check input before passing it along. CVE-2006-1014 (Argument injection vulnerability in certain PHP 4.x and 5.x ...) - php5 5.1.4-0.1 (bug #368595; low) - php4 <unfixed> (bug #368592; low) + NOTE: is this really a vulnerability in php? it seems it should be a bug + NOTE: in any application that doesn''t check input before passing it along. CVE-2006-1013 (PHP remote file include vulnerability in index.php in SMartBlog (aka ...) NOT-FOR-US: SMartBlog CVE-2006-1012 (SQL injection vulnerability in WordPress 1.5.2, and possibly other ...) 
@@ -7369,6 +7374,8 @@ - php5 <unfixed> (bug #368545; low) [sarge] - php4 <unfixed> (bug #368545; low) [woody] - php4 <unfixed> (bug #368545; low) + NOTE: is this really a vulnerability in pear? it seems it should be a bug + NOTE: in any application not checking for such archives. CVE-2006-0930 (Directory traversal vulnerability in Webmail in ArGoSoft Mail Server ...) NOT-FOR-US: ArgoSoft Mail Server CVE-2006-0929 (Directory traversal vulnerability in the IMAP server in ArGoSoft Mail ...) @@ -13203,6 +13210,9 @@ CVE-2005-3319 (The apache2handler SAPI (sapi_apache2.c) in the Apache module ...) - php4 4:4.4.2-1 (bug #336004; bug #354684; low) - php5 5.1.1-1 (bug #336005; low) + [sarge] - php4 <not-affected> + NOTE: can''t reproduce, error may not be present in 4.3. + NOTE: tentatively marking as not-affected in sarge. CVE-2005-3318 (Buffer overflow in the _chm_decompress_block function in CHM lib ...) {DSA-886-1} - chmlib 0.37-1 (bug #335931; medium) @@ -17845,8 +17855,8 @@ NOTE: php function that displays the PHP logo and version information. In the bug NOTE: log the developers seem unwilling to fix this, as it only affects a debug NOTE: function. - NOTE: fixed in CVS, estimated release of PHP5.1 to fix this issue - - php4 <unfixed> (bug #349260; low) + NOTE: can not reproduce in any versions of php4 in the archive. + - php4 <not-affected> (bug #349260; low) - php5 5.1.1-1 (bug #336654; low) CVE-2002-1953 (Heap-based buffer overflow in the goim handler of AOL Instant ...) NOT-FOR-US: AIM @@ -19158,7 +19168,7 @@ - shtool 2.0.1-2 (low) - mysql-ocaml 1.0.3-6 (low) - php4 4:4.4.0-1 (low) - NOTE: the patch applied to NMU #311206 fixes both CVE-2005-1759 and CVE-2005-1751 + [sarge] - php4 4:4.3.10-16 (low) CVE-2005-1758 (Buffer overflow in the IMAP command continuation function in Novell ...) NOT-FOR-US: Novell CVE-2005-1757 (Buffer overflow in the Modweb agent for Novell NetMail 3.52 before ...) 
@@ -19170,7 +19180,7 @@ - shtool 2.0.1-2 (bug #311206; low) - mysql-ocaml 1.0.3-6 (bug #314464; low) - php4 4:4.3.10-16 (low) - NOTE: the patch applied to NMU #311206 fixes both CVE-2005-1759 and CVE-2005-1751 + [sarge] - php4 4:4.3.10-16 (low) CVE-2004-2136 (dm-crypt on Linux kernel 2.6.x, when used on certain file systems ...) TODO: This looks like a minor issue, the paper is from Feb 2004, check whether this still applies CVE-2004-2135 (cryptoloop on Linux kernel 2.6.x, when used on certain file systems ...)
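Review bot: In the @@ -5887 hunk (CVE-2006-1549), the added `NOTE: this is arguably not a security vulnerability.` gives no reason, while the description on the same entry says local users can cause a crash and both bug references stay in place. State why it is disputed, or point at the bug where that is argued, so whoever next triages the php4 `<unfixed>` line does not have to redo the analysis.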
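Review bot: In the @@ -7188 hunk, the two-line NOTE added under CVE-2006-1015 and CVE-2006-1014 is worded as a question ("is this really a vulnerability in php?") and does not say who disputes it or what was checked. Both entries remain `<unfixed>` at low urgency, so the tracker status is unchanged and the NOTE is the only record of the dispute. Reword it as a statement with its basis. The same applies to the pear NOTE added in the @@ -7369 hunk.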
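Review bot: In the @@ -13203 hunk (CVE-2005-3319), `[sarge] - php4 <not-affected>` rests on a failed reproduction and a guess that the error "may not be present in 4.3", and the second NOTE itself calls the marking tentative. A not-affected entry drops out of the open list for sarge, so a tentative one should stay visible: consider adding a `TODO:` line asking for a check of the 4.3 source, in the form this file already uses under CVE-2004-2136.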
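Review bot: In the @@ -17845 hunk, the new `- php4 <not-affected> (bug #349260; low)` keeps a bug number and urgency on a not-affected line, unlike `[sarge] - php4 <not-affected>` added in the @@ -13203 hunk. Pick one form and use it in both places. The hunk also deletes `NOTE: fixed in CVS, estimated release of PHP5.1 to fix this issue`, which was the only line explaining the php5 5.1.1-1 fixed version. That note is about php5 and is independent of the php4 reproduction result, so it is worth keeping.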
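Review bot: In the @@ -19158 and @@ -19170 hunks, the removed `NOTE: the patch applied to NMU #311206 fixes both CVE-2005-1759 and CVE-2005-1751` was the only cross-reference between the two entries, and the added `[sarge]` line does not replace that information. Keep the NOTE alongside the new line. Also, in the @@ -19170 hunk the added `[sarge] - php4 4:4.3.10-16 (low)` repeats exactly the version on the unqualified `- php4 4:4.3.10-16 (low)` line above it, while the matching line in the @@ -19158 hunk reads `4:4.4.0-1`. Confirm which unqualified version is intended so the two entries agree.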