Author: keescook-guest Date: 2007-02-22 01:38:54 +0100 (Thu, 22 Feb 2007) New Revision: 5481 Modified: data/CVE/list Log: NFUs, ekiga(high), gnucash(medium), slocate bug Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-02-21 23:18:11 UTC (rev 5480) +++ data/CVE/list 2007-02-22 00:38:54 UTC (rev 5481) @@ -9,9 +9,9 @@ CVE-2007-1049 [wordpress security issue related to code used to prevent XSS] - wordpress 2.1.1-1 (low) CVE-2007-1070 (Multiple stack-based buffer overflows in Trend Micro ServerProtect for ...) - TODO: check + NOT-FOR-US: Trend Micro ServerProtect CVE-2007-1036 (The default configuration of JBoss does not restrict access to the (1) ...) - TODO: check + NOT-FOR-US: JBoss CVE-2007-1035 (Unspecified vulnerability in certain demonstration scripts in getID3 ...) TODO: check CVE-2007-1034 (SQL injection vulnerability in modules.php in the Emporium 2.3.0 and ...) 
@@ -19,63 +19,63 @@ CVE-2007-1033 (Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and ...) TODO: check CVE-2007-1032 (Unspecified vulnerability in phpMyFAQ before 1.6.9, when ...) - TODO: check + NOT-FOR-US: phpMyFAQ CVE-2007-1031 (Directory traversal vulnerability in include/db_conn.php in SpoonLabs ...) - TODO: check + NOT-FOR-US: Vivvo Article Management CMS CVE-2007-1030 (Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a ...) TODO: check CVE-2007-1029 (Stack-based buffer overflow in the Connect method in the IMAP4 ...) - TODO: check + NOT-FOR-US: Quiksoft EasyMail Objects CVE-2007-1028 (Cross-site scripting (XSS) vulnerability in the Barry Jaspan Image ...) - TODO: check + NOT-FOR-US: Image Pager CVE-2007-1027 (Certain setuid DB2 binaries in IBM DB2 before 9 Fix Pack 2 for Linux ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2007-1026 (SQL injection vulnerability in view.php in XLAtunes 0.1 and earlier ...) - TODO: check + NOT-FOR-US: XLAtunes CVE-2007-1025 (PHP remote file inclusion vulnerability in inc/functions_inc.php in ...) - TODO: check + NOT-FOR-US: VS-Link-Partner CVE-2007-1024 (PHP remote file inclusion vulnerability in include.php in Meganoide''s ...) - TODO: check + NOT-FOR-US: Meganoide''s news CVE-2007-1023 (SQL injection vulnerability in pop_profile.asp in Snitz Forums 2000 ...) - TODO: check + NOT-FOR-US: Snitz Forums 2000 CVE-2007-1022 (SQL injection vulnerability in h_goster.asp in Turuncu Portal 1.0 ...) - TODO: check + NOT-FOR-US: Turuncu Portal CVE-2007-1021 (SQL injection vulnerability in inc_listnews.asp in CodeAvalanche News ...) - TODO: check + NOT-FOR-US: CodeAvalanche News CVE-2007-1020 (Cross-site scripting (XSS) vulnerability in index.php in CedStat 1.31 ...) - TODO: check + NOT-FOR-US: CedStat CVE-2007-1019 (SQL injection vulnerability in news.php in webSPELL 4.01.02, when ...) - TODO: check + NOT-FOR-US: webSPELL CVE-2007-1018 (PHP remote file inclusion vulnerability in tpl/header.php in ...) 
- TODO: check + NOT-FOR-US: VS-News-System CVE-2007-1017 (PHP remote file inclusion vulnerability in show_news_inc.php in ...) - TODO: check + NOT-FOR-US: VS-News-System CVE-2007-1016 (SQL injection vulnerability in Aktueldownload Haber script allows ...) - TODO: check + NOT-FOR-US: Aktueldownload Haber CVE-2007-1015 (SQL injection vulnerability in HaberDetay.asp in Aktueldownload Haber ...) - TODO: check + NOT-FOR-US: Aktueldownload Haber CVE-2007-1014 (Stack-based buffer overflow in VicFTPS before 5.0 allows remote ...) - TODO: check + NOT-FOR-US: VicFTPS CVE-2007-1013 (PHP remote file inclusion vulnerability in generate.php in ...) - TODO: check + NOT-FOR-US: VirtualSystem Htaccess Password Generator CVE-2007-1012 (Cross-site scripting (XSS) vulnerability in faq.php in DeskPRO 1.1.0 ...) - TODO: check + NOT-FOR-US: DeskPRO CVE-2007-1011 (PHP remote file inclusion vulnerability in functions_inc.php in ...) - TODO: check + NOT-FOR-US: VS-Gastebuch CVE-2007-1010 (Multiple PHP remote file inclusion vulnerabilities in ZebraFeeds 1.0, ...) - TODO: check + NOT-FOR-US: ZebraFeeds CVE-2007-1009 RESERVED CVE-2007-1008 (Apple iTunes 7.0.2 allows user-assisted remote attackers to cause a ...) - TODO: check + NOT-FOR-US: Apple iTunes CVE-2007-1007 (Format string vulnerability in GnomeMeeting 1.0.2 and earlier allows ...) - TODO: check + - gnomemeeting <unfixed> (high) CVE-2007-1006 (Multiple format string vulnerabilities in the ...) - TODO: check + - ekiga <unfixed> (bug #411944; high) CVE-2007-1005 RESERVED CVE-2007-1004 (Mozilla Firefox mmight allow remote attackers to condut spoofing and ...) - TODO: check + - iceweasel <unfixed> (low) CVE-2007-1003 RESERVED CVE-2007-1002 
@@ -109,17 +109,17 @@ CVE-2007-0988 (The zend_hash_init function in PHP, when running on a 64-bit platform, ...) TODO: check CVE-2007-0987 (Directory traversal vulnerability in index.php in Jupiter CMS 1.1.5 ...) - TODO: check + NOT-FOR-US: Jupiter CMS CVE-2007-0986 (PHP remote file inclusion vulnerability in index.php in Jupiter CMS ...) - TODO: check + NOT-FOR-US: Jupiter CMS CVE-2007-0985 (SQL injection vulnerability in nickpage.php in phpCC 4.2 beta and ...) - TODO: check + NOT-FOR-US: phpCC CVE-2007-0984 (SQL injection vulnerability in admin_poll.asp in PollMentor 2.0 allows ...) - TODO: check + NOT-FOR-US: PollMentor CVE-2007-0983 (PHP remote file inclusion vulnerability in _admin/nav.php in AT ...) - TODO: check + NOT-FOR-US: AT Contenator CVE-2007-0982 (Cross-site scripting (XSS) vulnerability in error.php in TaskFreak! ...) - TODO: check + NOT-FOR-US: TaskFreak! CVE-2007-XXXX [capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow] - isdnutils <unfixed> (bug #408530) - asterisk-chan-capi <unfixed> (bug #411293) @@ -1746,7 +1746,7 @@ CVE-2007-0326 RESERVED CVE-2007-0325 (Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment ...) - TODO: check + NOT-FOR-US: Trend Micro OfficeScan CVE-2007-0324 (Multiple buffer overflows in the LizardTech DjVu Browser Plug-in ...) NOT-FOR-US: LizardTech DjVu Browser Plug-in CVE-2007-0323 
@@ -1969,13 +1969,10 @@ CVE-2007-0228 (The DataCollector service in EIQ Networks Network Security Analyzer ...) NOT-FOR-US: EIQ Networks Network Security Analyzer CVE-2007-0227 (slocate 3.1 does not properly manage database entries that specify ...) - - slocate <unfixed> (unimportant) + - slocate <unfixed> (bug #411937; low) NOTE: slocate will allow users to find files in directories with the - NOTE: executable bit set but without the readable bit set - files the - NOTE: user can access if the user knows the exact path but couldn''t - NOTE: otherwise find. I''m not convinced this is an issue - the executable - NOTE: bit means "searchable" for directories - but the original argument - NOTE: is plausible. + NOTE: executable bit set but without the readable bit set. This is + NOTE: an information leak. CVE-2007-0226 (SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier ...) NOT-FOR-US: uniForum CVE-2007-0225 (Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in ...) @@ -3098,7 +3095,7 @@ CVE-2007-0008 RESERVED CVE-2007-0007 (gnucash 2.0.4 and earlier allows local users to overwrite arbitrary ...) - TODO: check + - gnucash <unfixed> (bug #411942; medium) CVE-2007-0006 (The key serial number collision avoidance code in the key_alloc_serial ...) - linux-2.6 <unfixed> CVE-2007-0005
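Review bot: In the `@@ -19,63 +19,63 @@` hunk, the new entries for CVE-2007-1007 (`- gnomemeeting <unfixed> (high)`) and CVE-2007-1004 (`- iceweasel <unfixed> (low)`) carry no bug reference, while the adjacent CVE-2007-1006 entry records `bug #411944` for ekiga. Both packages are marked unfixed, so without a bug number nothing ties the tracker entry to a report the maintainer can act on. Suggest filing the bugs and adding the numbers in the same form as the ekiga line. The log message also lists only ekiga, gnucash and slocate, so the gnomemeeting and iceweasel triage is not visible from the commit summary.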
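Review bot: In the `@@ -1969,13 +1969,10 @@` hunk for CVE-2007-0227, the rewritten NOTE leaves the rating change from `unimportant` to `low` without a recorded rationale. It now says only "This is an information leak", having dropped both the description of what is exposed (files the user can access only by knowing the exact path) and the earlier objection that the executable bit means "searchable" for directories. Suggest keeping one NOTE line that states what is leaked, namely the names of files under directories that are executable but not readable, so that the severity can be re-evaluated later against bug #411937.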