Author: stef-guest Date: 2006-10-01 15:03:44 +0000 (Sun, 01 Oct 2006) New Revision: 4795 Modified: data/CVE/list Log: - new graphicsmagick issue fixed - new moodle issue fixed - new elog issue fixed - openssh fixed - phpbb2 fixed - dokuwiki fixed - mpg123 fixed Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-10-01 12:06:33 UTC (rev 4794) +++ data/CVE/list 2006-10-01 15:03:44 UTC (rev 4795) @@ -1,3 +1,10 @@ +CVE-2006-XXXX [elog XSS] + - elog 2.6.2+r1719-1 (bug #389361) +CVE-2006-XXXX [graphicsmagic buffer overflows] + - graphicsmagick 1.1.7-9 + TODO: check for security relevance and CVE-ids. Maybe imagemagick is affected, too +CVE-2006-XXXX [moodle SQL injection] + - moodle 1.6.2+20060930-1 (bug #390294) CVE-2006-5072 RESERVED CVE-2006-5071 (Multiple cross-site scripting (XSS) vulnerabilities in eyeOS before ...) @@ -42,7 +49,7 @@ TODO: check NOTE: This may be a dupe of CVE-2006-4925 CVE-2006-5051 (Signal handler race condition in OpenSSH before 4.4 allows remote ...) - - openssh <unfixed> (unimportant) + - openssh 1:4.3p2-4 (unimportant) - openssh-krb5 <unfixed> (high) NOTE: From my analysis only openssh with Kerberos support should be vulnerable NOTE: However, we''ll fix openssh as well just to make sure @@ -307,7 +314,7 @@ [sarge] - openssh <not-affected> [sarge] - openssh-krb5 <not-affected> CVE-2006-4924 (sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, ...) - - openssh <unfixed> (low; bug #389995) + - openssh 1:4.3p2-4 (low; bug #389995) - openssh-krb5 <unfixed> (low) CVE-2006-4923 (Cross-site scripting (XSS) vulnerability in search.php in eSyndiCat ...) NOT-FOR-US: eSyndiCat Portal System @@ -649,7 +656,7 @@ CVE-2006-4759 (PunBB 1.2.12 does not properly handle an avatar directory pathname ...) NOT-FOR-US: PunBB CVE-2006-4758 (phpBB 2.0.21 does not properly handle pathnames ending in %00, which ...) - - phpbb2 <unfixed> (bug #388120; unimportant) + - phpbb2 2.0.21-4 (bug #388120; unimportant) NOTE: Only exploitable by admins, which you''d need to trust CVE-2006-4757 (Multiple SQL injection vulnerabilities in the admin section in e107 ...) NOT-FOR-US: e107 @@ -814,7 +821,7 @@ CVE-2006-4680 (The Remote UI in Canon imageRUNNER includes usernames and passwords ...) NOT-FOR-US: Canon imageRUNNER CVE-2006-4679 (DokuWiki before 2006-03-09c enables the debug feature by default, ...) - - dokuwiki <unfixed> (low; bug #388082) + - dokuwiki 0.0.20060309-5.1 (low; bug #388082) CVE-2006-4678 (PHP remote file inclusion vulnerability in News Evolution 3.0.3 allows ...) NOT-FOR-US: News Evolution CVE-2006-4677 (** DISPUTED ** ...) @@ -822,9 +829,9 @@ CVE-2006-4676 (TIBCO RendezVous 7.4.11 and earlier logs base64-encoded usernames and ...) NOT-FOR-US: TIBCO RendezVous CVE-2006-4675 (Unrestricted file upload vulnerability in lib/exe/media.php in ...) - - dokuwiki <unfixed> (medium; bug #388082) + - dokuwiki 0.0.20060309-5.1 (medium; bug #388082) CVE-2006-4674 (Direct static code injection vulnerability in doku.php in DokuWiki ...) - - dokuwiki <unfixed> (medium; bug #388082) + - dokuwiki 0.0.20060309-5.1 (medium; bug #388082) CVE-2006-4673 (Global variable overwrite vulnerability in maincore.php in PHP-Fusion ...) NOT-FOR-US: PHP-Fusion CVE-2006-4672 (PHP remote file inclusion vulnerability in profitCode ppalCart 2.5 EE, ...) @@ -3844,7 +3851,7 @@ CVE-2006-3356 (The TIFFFetchAnyArray function in ImageIO in Apple OS X 10.4.7 and ...) NOT-FOR-US: Apple CVE-2006-3355 (Heap-based buffer overflow in httpdget.c in mpg123 before 0.59s-rll ...) - - mpg123 <unfixed> (bug #377264; medium) + - mpg123 0.60-1 (bug #377264; medium) [sarge] - mpg123 <no-dsa> (Non-free not supported) CVE-2006-3354 (Microsoft Internet Explorer 6 allows remote attackers to cause a ...) NOT-FOR-US: Microsoft Internet Explorer