Author: jmm-guest Date: 2006-09-30 14:12:37 +0000 (Sat, 30 Sep 2006) New Revision: 4785 Modified: data/CVE/list Log: no-dsa for overkill bind8 behaviour documented move old kernel issue into kernel tracker remove apt non-issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2006-09-30 14:08:54 UTC (rev 4784) +++ data/CVE/list 2006-09-30 14:12:37 UTC (rev 4785) @@ -4663,7 +4663,8 @@ CVE-2006-2972 (SQL injection vulnerability in vs_resource.php in Arantius Vice Stats ...) NOT-FOR-US: Arantius Vice Stats CVE-2006-2971 (Integer overflow in the recv_packet function in 0verkill 0.16 allows ...) - - overkill 0.16-9 (bug #373687; medium) + - overkill 0.16-9 (bug #373687; low) + [sarge] - overkill <no-dsa> (Only DoS against an obscure game, no code injection possible) CVE-2006-2970 (videoPage.php in L0j1k tinyMuw 0.1.0 allows remote attackers to obtain ...) NOT-FOR-US: tinyMuw CVE-2006-2969 (Cross-site scripting (XSS) vulnerability in L0j1k tinyMuw 0.1.0 allow ...) @@ -10556,10 +10557,11 @@ [sarge] - evolution <not-affected> (Vulnerability was apparantly introduced in 2.3.1) [woody] - evolution <not-affected> (Vulnerability was apparantly introduced in 2.3.1) CVE-2006-0527 (BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, ...) - - bind <unfixed> (medium) + - bind 1:8.4.7-1 (low) [sarge] - bind <no-dsa> (Architectual limitatiom, upgrade to BIND 9 as a a fix) NOTE: BIND 8 is unsuitable for forwarder use because of its NOTE: architecture. Upgrade to BIND 9 as a fix. + NOTE: This was fixed in sid by documenting it as an unfixable design limitation CVE-2006-0526 (The default configuration of the America Online (AOL) client software ...) NOT-FOR-US: AOL CVE-2006-0525 (Multiple Adobe products, including (1) Photoshop CS2, (2) Illustrator ...) @@ -16175,9 +16177,6 @@ CVE-2005-XXXX [tar''s rmt command may have undesired side effects] - tar <unfixed> (bug #290435; unimportant) [sarge] - tar <no-dsa> (Hardly exploitable) -CVE-2005-XXXX [smbmount doesn''t honor gid/uid with kernel 2.4] - - kernel-source-2.4.27 <unfixed> (bug #310982; low) - NOTE: probably already fixed in testing, wrote for confirmation CVE-2004-XXXX [Unspecified buffer overflow in libmng] - libmng 1.0.8-1 (bug #250106) CVE-2004-XXXX [Multiple buffer overflows in isoqlog] @@ -16186,12 +16185,6 @@ - libnss-ldap 199-1 (bug #169793) CVE-2005-3752 (Unspecified vulnerability in ldapdiff before 1.1.1 has unknown impact ...) - ldapdiff <not-affected> (The version in Debian doesn''t contain the vulnerable code, see #306878) -CVE-2005-XXXX [apt-cache doesn''t differentiate sources which share several properties] - - apt <unfixed> (bug #329814; low) - [sarge] - apt <no-dsa> (Unsupported use case) - NOTE: I tend to remove this completely, if you''re using apt sources which include vulnerable - NOTE: versions of Debian packages with higher version numbers you''re screwed anyway, no matter - NOTE: what apt display in this case CVE-2004-XXXX [asciijump: /var/games/asciijump world writable] - asciijump 0.0.6-1.2 (bug #269186) CVE-2004-XXXX [Barrendero spool world-readable]