Author: stef-guest Date: 2006-09-05 19:54:46 +0000 (Tue, 05 Sep 2006) New Revision: 4683 Modified: data/CVE/list Log: - CVE-2006-4305: maxdb arbitrary code execution (high) - CVE-2005-4809: unfixed in mozilla, fixed in recent firefox - CVE-2006-4455: disputed xchat issue might affect sarge - CVE-2006-4447: x.org setuid issue CVEified, probably affects sarge - some NFUs Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-09-04 23:31:42 UTC (rev 4682) +++ data/CVE/list 2006-09-05 19:54:46 UTC (rev 4683) @@ -30,7 +30,8 @@ CVE-2006-4508 (Unspecified vulnerability in Tor 0.1.0.x before 0.1.0.18 and 0.1.1.x ...) - tor 0.1.1.23-1 CVE-2006-4507 (Unspecified vulnerability in the TIFF viewer (possibly libTIFF) in the ...) - TODO: check + NOT-FOR-US: Sony + NOTE: According to the original advisory, this is just CVE-2006-3459 CVE-2006-4506 (idmlib.sh in nxdrv in Novell Identity Manager (IDM) 3.0.1 allows local ...) NOT-FOR-US: Novell Identity Manager CVE-2006-4505 (CRLF injection vulnerability in links.php in NX5Linx 1.0 allows remote ...) @@ -142,6 +143,8 @@ NOT-FOR-US: phpECard CVE-2006-4455 (** DISPUTED ** ...) TODO: check + NOTE: xchat, disputed because it does "not affect any recent version" + NOTE: sarge''s 2.4.1 is not recent by their definition :-| CVE-2006-4454 (Cross-site scripting (XSS) vulnerability in hlstats.php in HLstats ...) NOT-FOR-US: HLstats CVE-2006-4453 (Cross-site scripting (XSS) vulnerability in PmWiki before 2.1.18 ...) @@ -157,7 +160,13 @@ CVE-2006-4448 (Multiple PHP remote file inclusion vulnerabilities in interact 2.2, ...) NOT-FOR-US: interact CVE-2006-4447 (X.Org and XFree86, including libX11, xdm, xf86dga, xinit, xload, ...) - TODO: check + - xbase-clients 1:7.1.ds-2 + - xtrans 1.0.0-6 + - xorg-server 1:1.0.2-9 + - libx11 2:1.0.0-7 + - xdm 1:1.0.5-1 + - xterm <unfixed> + [sarge] - xfree86 <unfixed> CVE-2006-4446 (Heap-based buffer overflow in DirectAnimation.PathControl COM object ...) NOT-FOR-US: Microsoft CVE-2006-4445 (** DISPUTED ** ...) @@ -181,9 +190,12 @@ CVE-2005-4810 (Microsoft Internet Explorer 7.0 Beta3 and earlier allows remote ...) NOT-FOR-US: Microsoft CVE-2005-4809 (Mozilla Firefox 1.0.1 and possibly other versions, including Mozilla ...) - TODO: check + - mozilla <unfixed> (medium) + - firefox <not-affected> (at least 1.5.0.6 is not vulnerable) + - xulrunner <not-affected> + TODO: check mozilla-firefox from sarge CVE-2003-1305 (Microsoft Internet Explorer allows remote attackers to cause a denial ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2006-XXXX [tikiwiki security issue in jhot.php] - tikiwiki 1.9.4+dfsg2-3 CVE-2006-4436 (isakmpd in OpenBSD 3.8, 3.9, and possibly earlier versions, creates ...) @@ -463,7 +475,7 @@ CVE-2006-4306 (Unspecified vulnerability in Sun Solaris 8 and 9 before 20060821 ...) NOT-FOR-US: Solaris CVE-2006-4305 (Buffer overflow in SAP DB and MaxDB before 7.6.00.30 allows remote ...) - TODO: check + - maxdb-7.5.00 <unfixed> (high; bug filed) CVE-2006-4304 (Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1 and ...) NOT-FOR-US: FreeBSD NetBSD CVE-2006-4303 (Race condition in (1) libnsl and (2) TLI/XTI API routines in Sun ...) @@ -2693,12 +2705,6 @@ NOT-FOR-US: QaTraq CVE-2006-3311 RESERVED -CVE-2006-XXXX [several setuid privledge escalations] - - xbase-clients 1:7.1.ds-2 - - xtrans 1.0.0-6 - - xorg-server 1:1.0.2-9 - - libx11 2:1.0.0-7 - - xdm 1:1.0.5-1 CVE-2006-3310 RESERVED CVE-2006-3309 (SQL injection vulnerability in SPT--ForumTopics.php in Scout Portal ...)