Author: stef-guest Date: 2007-03-04 13:32:17 +0000 (Sun, 04 Mar 2007) New Revision: 5504 Modified: data/CVE/list Log: - new asterisk issue fixed - php4+php5 fixed Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-03-03 20:14:14 UTC (rev 5503) +++ data/CVE/list 2007-03-04 13:32:17 UTC (rev 5504) @@ -1,3 +1,5 @@ +CCVE-2007-XXXX [asterisk remote SIP security hole] + - asterisk 1:1.2.16~dfsg-1 CVE-2007-1160 (webSPELL 4.0, and possibly later versions, allows remote attackers to ...) NOT-FOR-US: webSPELL CVE-2007-1159 (Cross-site scripting (XSS) vulnerability in modules/out.php in ...) @@ -531,8 +533,8 @@ CVE-2007-0989 RESERVED CVE-2007-0988 (The zend_hash_init function in PHP, when running on a 64-bit platform, ...) - - php4 <unfixed> - - php5 <unfixed> + - php4 6:4.4.4-9 + - php5 5.2.0-9 CVE-2007-0987 (Directory traversal vulnerability in index.php in Jupiter CMS 1.1.5 ...) NOT-FOR-US: Jupiter CMS CVE-2007-0986 (PHP remote file inclusion vulnerability in index.php in Jupiter CMS ...) @@ -732,12 +734,14 @@ NOTE: so we should just make sure we patch 5.2.1. Leaving open in the NOTE: meantime, so we don''t forget about it. CVE-2007-0910 (Unspecified vulnerability in PHP before 5.2.1 allows attackers to ...) - - php5 <unfixed> (bug #410561; bug #410995; medium) + - php5 5.2.0-9 (bug #410561; bug #410995; medium) + - php4 6:4.4.4-9 NOTE: fix is believed to be isolated, needs verification and backporting: NOTE: see CVE-2007-0910_clobbering-superglobals.diff in NOTE: http://people.debian.org/~seanius/security/php CVE-2007-0909 (Multiple format string vulnerabilities in PHP before 5.2.1 might allow ...) - - php5 <unfixed> (bug #410561; bug #410995; medium) + - php5 5.2.0-9 (bug #410561; bug #410995; medium) + - php4 6:4.4.4-9 NOTE: half of fix (odbc part) is found, still trying to dig out the NOTE: problems related to *print functions. NOTE: see CVE-2007-0910_clobbering-superglobals.diff in @@ -746,10 +750,12 @@ NOTE: CHECKME-formattedprint-maybecve.diff and NOTE: CHECKME-main.c-precision-maybecve.diff in the same place. CVE-2007-0908 (The wddx extension in PHP before 5.2.1 allows remote attackers to ...) - NOT-FOR-US: PHP + - php5 5.2.0-9 (unimportant) + - php4 6:4.4.4-9 (unimportant) NOTE: this extension is not enabled in the php packages CVE-2007-0907 (Buffer underflow in PHP before 5.2.1 allows attackers to cause a ...) - - php5 <unfixed> (bug #410561; bug #410995; medium) + - php5 5.2.0-9 (bug #410561; bug #410995; medium) + - php4 6:4.4.4-9 NOTE: fix found, needs testing/backporting. see: NOTE: CVE-2007-0907_sapi_header_op.diff in NOTE: http://people.debian.org/~seanius/security/php @@ -760,7 +766,8 @@ NOTE: available as CVE-2007-0906_N_description.diff at NOTE: http://people.debian.org/~seanius/security/php/ NOTE: (4) is a non-issue, as we don''t use the bundled sqlite - - php5 <unfixed> (bug #410561; bug #410995; medium) + - php5 5.2.0-9 (bug #410561; bug #410995; medium) + - php4 6:4.4.4-9 CVE-2007-0905 (PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir ...) - php5 <unfixed> (bug #410561; bug #410995; medium) NOTE: we normally don''t spend much time on safe_mode and open_basedir @@ -931,9 +938,6 @@ NOT-FOR-US: GreenBrowser CVE-2006-6983 (Cross-domain vulnerability in MYweb4net Browser 3.8.8.0 allows remote ...) NOT-FOR-US: MYweb4net Browser -CVE-2007-XXXX [php: multiple issues fixed in php 5.2.1] - - php4 <unfixed> - - php5 <unfixed> (bug #410561; bug #410995) CVE-2007-XXXX [ikiwiki allows web user to edit images and other non-page format files in the wiki] - ikiwiki 1.42 (low) [etch] - ikiwiki 1.33.1