Author: jmm-guest Date: 2006-09-06 22:08:42 +0000 (Wed, 06 Sep 2006) New Revision: 4694 Modified: data/CVE/list Log: two unimportant/no-dsa php issues Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-09-06 18:06:37 UTC (rev 4693) +++ data/CVE/list 2006-09-06 22:08:42 UTC (rev 4694) @@ -1101,10 +1101,17 @@ CVE-2006-4024 (The FESTAHES_Load function in pce/hes.c in Festalon 0.5.0 through ...) - festalon <not-affected> (vuln. code introduced in 0.5.0) CVE-2006-4023 (The ip2long function in PHP 5.1.4 and earlier may incorrectly validate ...) - - php5 <unfixed> (medium; bug #382257) - - php4 <unfixed> (medium; bug #382270) + - php5 <unfixed> (unimportant; bug #382257) + - php4 <unfixed> (unimportant; bug #382270) + NOTE: Not every lack of protection of programmer''s flaws is a vulnerability + NOTE: See notes by Sean for details + NOTE: > the entry states that this is more likely a bug in any + NOTE: > applications not performing further validation/sanitizing, + NOTE: > and i tend to agree based on the php.net documentation, which + NOTE: > states: "ip2long() should not be used as the sole form of IP + NOTE: > validation. Combine it with long2ip()". CVE-2006-4022 (Intel 2100 PRO/Wireless Network Connection driver PROSet before ...) - NOT-FOR-US: Intel + NOT-FOR-US: Intel Windows driver CVE-2006-4021 (The cryptographic module in ScatterChat 1.0.x allows attackers to ...) NOT-FOR-US: ScatterChat CVE-2006-4020 (scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows ...) @@ -4197,6 +4204,13 @@ - freetype 2.2.1-1 (medium) CVE-2006-2660 (Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 ...) - php4 4:4.4.4-1 (low) + [sarge] - php4 <no-dsa> (not worth an update, see NOTE by Sean) + NOTE: using a long enough path (>MAXPATHLEN) allows you to have + NOTE: tempnam create a file without the temp extension. sounds like + NOTE: another shoot yourself in the foot issue, since the local user + NOTE: could just as easily create the file manually, and if the + NOTE: tempnam function is taking unsanitized input, it''s an + NOTE: application error - php5 5.1.6-1 (low) CVE-2006-2658 RESERVED