Author: jmm-guest
Date: 2006-10-21 22:13:37 +0000 (Sat, 21 Oct 2006)
New Revision: 4868
Modified:
data/CVE/list
Log:
mark php openbasedir issues as unimportant
some linux-2.6 issues fixed in latest upload
egroupware not-affected per maintainer
slash not-affected per maintainer
old imp issue is a non-issue
Modified: data/CVE/list
==================================================================---
data/CVE/list 2006-10-20 20:06:54 UTC (rev 4867)
+++ data/CVE/list 2006-10-21 22:13:37 UTC (rev 4868)
@@ -416,9 +416,9 @@
CVE-2006-5179 (Intoto iGateway VPN and iGateway SSL-VPN allow context-dependent
...)
NOT-FOR-US: Intoto iGateway
CVE-2006-5178 (Race condition in the symlink function in PHP 5.1.6 and earlier
allows ...)
- - php5 <unfixed> (bug #391281; low)
- - php4 <unfixed> (bug #391282; low)
- [sarge] - php4 <no-dsa> (openbasedir not supported)
+ - php5 <unfixed> (bug #391281; unimportant)
+ - php4 <unfixed> (bug #391282; unimportant)
+ NOTE: open_basedir is not supported
CVE-2006-5177 (The NTLM authentication in MailEnable Professional 2.0 and
Enterprise ...)
NOT-FOR-US: MailEnable Professional
CVE-2006-5176 (Buffer overflow in NTLM authentication in MailEnable
Professional 2.0 ...)
@@ -426,7 +426,7 @@
CVE-2006-5175 (Cross-site request forgery (CSRF) vulnerability in the
administrative ...)
NOT-FOR-US: TeraStation HD-HTGL
CVE-2006-5174 (The copy_from_user function in the uaccess code in Linux kernel
2.6 ...)
- - linux-2.6 <unfixed> (low)
+ - linux-2.6 2.6.18-3
NOTE: s390 only
CVE-2006-5173 (Linux kernel does not properly save or restore EFLAGS during a
context ...)
TODO: check
@@ -1587,9 +1587,9 @@
CVE-2006-4626 (Heap-based buffer overflow in alwil avast! Anti-virus Engine
before ...)
NOT-FOR-US: avast! Anti-virus Engine
CVE-2006-4625 (PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to
bypass ...)
- - php4 <unfixed> (bug #391282; low)
- - php5 <unfixed> (bug #391281; low)
- [sarge] - php4 <no-dsa> (open_basedir violations not supported)
+ - php4 <unfixed> (bug #391282; unimportant)
+ - php5 <unfixed> (bug #391281; unimportant)
+ NOTE: open_basedir violations not supported in Debian''s PHP
CVE-2006-4624 (CRLF injection vulnerability in Utils.py in Mailman before
2.1.9rc1 ...)
{DSA-1188-1}
- mailman 1:2.1.8-3
@@ -3073,7 +3073,8 @@
CVE-2006-3991 (PHP remote file inclusion vulnerability in index.php in Vlad
Vostrykh ...)
NOT-FOR-US: Voodoo chat
CVE-2006-3990 (Multiple PHP remote file inclusion vulnerabilities in Paul M.
Jones ...)
- - egroupware <unfixed> (bug #382207; medium)
+ - egroupware <not-affected>
+ NOTE: According to upstream egroupware is not affected, see #382207
CVE-2006-3989 (PHP remote file inclusion vulnerability in index.php in
Knusperleicht ...)
NOT-FOR-US: Knusperleicht
CVE-2006-3988 (PHP remote file inclusion vulnerability in index.php in
Knusperleicht ...)
@@ -6614,7 +6615,9 @@
{DSA-1090-1}
- spamassassin 3.1.3-1 (medium)
CVE-2006-2446 (Race condition between the kfree_skb and __skb_unlink functions
in the ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 2.6.16-1
+ NOTE: I''m not sure at which point this was merged, but I checked
2.6.16 and the
+ NOTE: patch is included there
CVE-2006-2445 (Race condition in run_posix_cpu_timers in Linux kernel before
...)
- linux-2.6 2.6.16-15
CVE-2006-2444 (The snmp_trap_decode function in the SNMP NAT helper for Linux
kernel ...)
@@ -8438,7 +8441,7 @@
CVE-2005-4773 (The configuration of VMware ESX Server 2.x, 2.0.x, 2.1.x, and
2.5.x ...)
NOT-FOR-US: VMware
CVE-2004-2656 (Multiple cross-site scripting (XSS) vulnerabilities in Slashdot
Like ...)
- - slash <unfixed> (medium; bug #390469)
+ - slash <not-affected> (Vulnerable code introduced in 2002, while
Debian''s is older!)
CVE-2006-XXXX [firebird local DoS]
- firebird2 1.5.3.4870-4 (bug #362001)
[sarge] - firebird2 <no-dsa> (Minor issue)
@@ -10122,13 +10125,13 @@
CVE-2006-1016 (Buffer overflow in the IsComponentInstalled method in Internet
...)
NOT-FOR-US: Windows
CVE-2006-1015 (Argument injection vulnerability in certain PHP 3.x, 4.x, and
5.x ...)
- - php5 5.1.4-0.1 (bug #368595; low)
- - php4 <unfixed> (bug #368592; low)
- [sarge] - php4 <no-dsa> (Application''s job to sanitize input)
+ - php5 5.1.4-0.1 (bug #368595; unimportant)
+ - php4 <unfixed> (bug #368592; unimportant)
+ NOTE: It''s the application''s job to sanitize input passed to
a function
CVE-2006-1014 (Argument injection vulnerability in certain PHP 4.x and 5.x ...)
- - php5 5.1.4-0.1 (bug #368595; low)
- - php4 <unfixed> (bug #368592; low)
- [sarge] - php4 <no-dsa> (Application''s job to sanitize input)
+ - php5 5.1.4-0.1 (bug #368595; unimportant)
+ - php4 <unfixed> (bug #368592; unimportant)
+ NOTE: It''s the application''s job to sanitize input passed to
a function
CVE-2006-1013 (PHP remote file include vulnerability in index.php in SMartBlog
(aka ...)
NOT-FOR-US: SMartBlog
CVE-2006-1012 (SQL injection vulnerability in WordPress 1.5.2, and possibly
other ...)
@@ -13220,9 +13223,9 @@
CVE-2005-4353 (SQL injection vulnerability in index.php in toendaCMS 0.6.2.1,
when ...)
NOT-FOR-US: toendaCMS
CVE-2005-4352 (The securelevels implementation in NetBSD 2.1 and earlier, and
Linux ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 2.6.18-3
CVE-2005-4351 (The securelevels implementation in FreeBSD 7.0 and earlier,
OpenBSD up ...)
- - linux-2.6 <unfixed>
+ - linux-2.6 2.6.18-3
CVE-2005-4350 (Unspecified vulnerability in WBEM Services A.01.x before
A.01.05.12 ...)
NOT-FOR-US: WBEM Services
CVE-2005-4349 (** DISPUTED ** ...)
@@ -13809,8 +13812,8 @@
CVE-2005-4081 (Multiple SQL injection vulnerabilities in Alisveristr E-commerce
allow ...)
NOT-FOR-US: Alisveristr E-commerce
CVE-2005-4080 (Horde IMP 4.0.4 and earlier does not sanitize strings containing
UTF16 ...)
- - imp4 <unfixed> (bug #342654; low)
- [sarge] - imp4 <no-dsa> (Internet Explorer bug, needs to be fixed there)
+ - imp4 <unfixed> (bug #342654; unimportant)
+ NOTE: Internet Explorer bug, most definitely fixed since long, didn''t
check though
CVE-2005-4079 (The register_globals emulation in phpMyAdmin 2.7.0 rc1 allows
remote ...)
- phpmyadmin <not-affected> (Affects only 2.7.0)
CVE-2005-4078 (Multiple cross-site scripting (XSS) vulnerabilities in Ideal
BB.NET ...)