thr3ads.net - Secure testing commits - [Secure-testing-commits] r5572

If this information is useful, please help other people find it:
Share via:
Kees Cook
2007-Mar-21 23:07 UTC
[Secure-testing-commits] r5572 - data/CVE

Author: keescook-guest
Date: 2007-03-21 23:07:55 +0000 (Wed, 21 Mar 2007)
New Revision: 5572

Modified:
   data/CVE/list
Log:
NFUs: 66
unfixed: horde3 imp4 linux-2.6 netperf php4 php5 rhapsody tomcat5.5 webcalendar
xen-3.0
fixed: libwpd openafs


Modified: data/CVE/list
==================================================================---
data/CVE/list	2007-03-21 21:51:17 UTC (rev 5571)
+++ data/CVE/list	2007-03-21 23:07:55 UTC (rev 5572)
@@ -1,108 +1,108 @@
 CVE-2007-XXXX [Single-packet SIP INVITE DoS in asterisk]
 	- asterisk <unfixed> (bug #415466; medium)
 CVE-2007-1516 (PHP remote file inclusion vulnerability in functions/update.php
in ...)
-	TODO: check
+	NOT-FOR-US: CcMail
 CVE-2007-1515 (Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP
H3 ...)
-	TODO: check
+	- imp4 <unfixed> (medium)
 CVE-2007-1514 (PHP remote file inclusion vulnerability in index.php in ViperWeb
...)
-	TODO: check
+	NOT-FOR-US: ViperWeb Portal
 CVE-2007-1513 (PHP remote file inclusion vulnerability in comanda.php in GraFX
...)
-	TODO: check
+	NOT-FOR-US: WebSite Builder
 CVE-2007-1512 (Stack-based buffer overflow in the AfxOleSetEditMenu function in
the ...)
 	TODO: check
 CVE-2007-1511 (Buffer overflow in FrontBase Relational Database Server 4.2.7
and ...)
-	TODO: check
+	NOT-FOR-US: FrontBase Relational Database Server
 CVE-2007-1510 (SQL injection vulnerability in post.php in Particle Blogger
1.0.0 ...)
-	TODO: check
+	NOT-FOR-US: Particle Blogger
 CVE-2007-1509 (Directory traversal vulnerability in enkrypt.php in Sascha
Schroeder ...)
-	TODO: check
+	NOT-FOR-US: krypt
 CVE-2007-1508 (Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in
...)
-	TODO: check
+	NOT-FOR-US: DirectAdmin
 CVE-2007-1507 (The default configuration in OpenAFS 1.4.x before 1.4.4 and
1.5.x ...)
 	{DSA-1271-1}
-	TODO: check
+	- openafs 1.4.2-6 (medium)
 CVE-2007-1506 (Cross-site scripting (XSS) vulnerability in ...)
-	TODO: check
+	NOT-FOR-US: Oracle Portal
 CVE-2007-1505 (Fujistu FENCE-Pro before V5L01, and Systemwalker Desktop
Encryption ...)
-	TODO: check
+	NOT-FOR-US: Fujistu FENCE-Pro
 CVE-2007-1504 (Cross-site scripting (XSS) vulnerability in the Servlet Service
in ...)
-	TODO: check
+	NOT-FOR-US: Fujitsu Interstage Application Server
 CVE-2007-1503 (Multiple format string vulnerabilities in comm.c in Rhapsody IRC
0.28b ...)
-	TODO: check
+	- rhapsody <unfixed> (medium)
 CVE-2007-1502 (Multiple buffer overflows in Rhapsody IRC 0.28b allow remote
attackers ...)
-	TODO: check
+	- rhapsody <unfixed> (medium)
 CVE-2007-1501 (Stack-based buffer overflow in Avant Browser 11.0 build 26
allows ...)
-	TODO: check
+	NOT-FOR-US: Avant Browse
 CVE-2007-1500 (The Linux Security Auditing Tool (LSAT) allows local users to
...)
-	TODO: check
+	NOT-FOR-US: Linux Security Auditing Tool
 CVE-2007-1499 (Cross-site scripting (XSS) vulnerability in Microsoft Internet
...)
 	TODO: check
 CVE-2007-1498 (Multiple stack-based buffer overflows in the
SiteManager.SiteMgr.1 ...)
-	TODO: check
+	NOT-FOR-US: SiteManager.SiteMgr.1 ActiveX control
 CVE-2007-1497 (nf_conntrack in netfilter in the Linux kernel before 2.6.20.3
does not ...)
-	TODO: check
+	- linux-2.6 <unfixed> (medium)
 CVE-2007-1496 (nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3
allows ...)
-	TODO: check
+	- linux-2.6 <unfixed> (medium)
 CVE-2007-1495 (The \Device\SymEvent driver in Symantec Norton Personal Firewall
2006 ...)
-	TODO: check
+	NOT-FOR-US: Symantec Norton Personal Firewall
 CVE-2007-1494 (Cross-site scripting (XSS) vulnerability in NukeSentinel before
2.5.06 ...)
-	TODO: check
+	NOT-FOR-US: NukeSentinel
 CVE-2007-1493 (nukesentinel.php in NukeSentinel 2.5.06 and earlier uses a
permissive ...)
-	TODO: check
+	NOT-FOR-US: NukeSentinel
 CVE-2007-1492 (winmm.dll in Microsoft Windows XP allows user-assisted remote
...)
 	TODO: check
 CVE-2007-1491 (Apache Tomcat in Avaya S87XX, S8500, and S8300 before CM 3.1.3,
and ...)
-	TODO: check
+	NOT-FOR-US: Avaya S87XX
 CVE-2007-1490 (Unspecified maintenance web pages in Avaya S87XX, S8500, and
S8300 ...)
-	TODO: check
+	NOT-FOR-US: Avaya S87XX
 CVE-2007-1489 (Unspecified vulnerability in WebAPP 0.9.9.6 before 20070312
allows ...)
-	TODO: check
+	NOT-FOR-US: WebAPP
 CVE-2007-1488 (Unspecified vulnerability in Sun Java System Web Server 6.0 and
6.1 ...)
-	TODO: check
+	NOT-FOR-US: Sun Java System Web Server
 CVE-2007-1487 (Directory traversal vulnerability in index.php in Sascha
Schroeder ...)
-	TODO: check
+	NOT-FOR-US: CyberTeddy WebLog
 CVE-2007-1486 (PHP remote file inclusion vulnerability in template.class.php in
...)
-	TODO: check
+	NOT-FOR-US: Carbonize Lazarus Guestbook
 CVE-2007-1485 (** DISPUTED ** ...)
-	TODO: check
+	NOT-FOR-US: LIBFtp
 CVE-2007-1484 (The array_user_key_compare function in PHP 4.4.6 and earlier,
and 5.x ...)
 	TODO: check
 CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in
WebCalendar ...)
-	TODO: check
+	- webcalendar <unfixed> (bug #404297; high)
 CVE-2007-1482 (Cross-site scripting (XSS) vulnerability in index.php in WBBlog
allows ...)
-	TODO: check
+	NOT-FOR-US: WBBlog
 CVE-2007-1481 (SQL injection vulnerability in index.php in WBBlog allows remote
...)
-	TODO: check
+	NOT-FOR-US: WBBlog
 CVE-2007-1480 (Creative Guestbook 1.0 allows remote attackers to add an ...)
-	TODO: check
+	NOT-FOR-US: Creative Guestbook
 CVE-2007-1479 (Cross-site scripting (XSS) vulnerability in Guestbook.php in
Creative ...)
-	TODO: check
+	NOT-FOR-US: Creative Guestbook
 CVE-2007-1478 (download.php in McGallery 0.5b allows remote attackers to read
...)
-	TODO: check
+	NOT-FOR-US: McGallery
 CVE-2007-1477 (Directory traversal vulnerability in index.php in PHP Point Of
Sale ...)
-	TODO: check
+	NOT-FOR-US: Point Of Sale for osCommerce
 CVE-2007-1476 (The SymTDI driver in Symantec Norton Personal Firewall 2006
9.1.1.7 ...)
-	TODO: check
+	NOT-FOR-US: Symantec Norton Personal Firewall
 CVE-2007-1475 (Multiple buffer overflows in the (1) ibase_connect and (2) ...)
-	TODO: check
+	- php4 <unfixed> (low)
 CVE-2007-1474 (Argument injection vulnerability in the cleanup cron script in
Horde ...)
-	TODO: check
+	- horde3 <unfixed> (medium)
 CVE-2007-1473 (Cross-site scripting (XSS) vulnerability in
framework/NLS/NLS.php in ...)
-	TODO: check
+	- horde3 <unfixed> (medium)
 CVE-2007-1472 (Variable overwrite vulnerability in
groupit/base/groupit.start.inc in ...)
-	TODO: check
+	NOT-FOR-US: Groupit
 CVE-2007-1471 (admin/default.asp in Orion-Blog 2.0 allows remote attackers to
bypass ...)
-	TODO: check
+	NOT-FOR-US: Orion-Blog
 CVE-2007-1470 (Multiple buffer overflows in LIBFtp 5.0 allow user-assisted
remote ...)
-	TODO: check
+	NOT-FOR-US: LIBFtp
 CVE-2007-1469 (SQL injection vulnerability in gallery.asp in Absolute Image
Gallery ...)
-	TODO: check
+	NOT-FOR-US: Absolute Image Gallery
 CVE-2007-1468 (Cross-site scripting (XSS) vulnerability in IBM Rational
ClearQuest ...)
-	TODO: check
+	NOT-FOR-US: IBM Rational ClearQuest
 CVE-2007-1467 (Multiple cross-site scripting (XSS) vulnerabilities in (1) ...)
-	TODO: check
+	NOT-FOR-US: Cisco Secure Access Control Server
 CVE-2007-1466 (Integer overflow in the the WP6GeneralTextPacket::_readContents
...)
-	TODO: check
+	- libwpd 0.8.9-1 (medium)
 CVE-2007-1465
 	RESERVED
 CVE-2007-1464
@@ -110,21 +110,23 @@
 CVE-2007-1463
 	RESERVED
 CVE-2007-1462 (The luci server component in conga preserves the password
between page ...)
-	TODO: check
+	NOT-FOR-US: conga
 CVE-2007-1461 (The compress.bzip2:// URL wrapper provided by the bz2 extension
in PHP ...)
-	TODO: check
+	- php5 <unfixed> (low)
+	NOTE: Safemode and open_basedir bypasses not supported
 CVE-2007-1460 (The zip:// URL wrapper provided by the PECL zip extension in PHP
5.2.0 ...)
-	TODO: check
+	- php5 <unfixed> (low)
+	NOTE: Safemode and open_basedir bypasses not supported
 CVE-2007-1459 (Multiple PHP remote file inclusion vulnerabilities in WebCreator
...)
-	TODO: check
+	NOT-FOR-US: WebCreator
 CVE-2007-1458 (Multiple PHP remote file inclusion vulnerabilities in CARE2X 1.1
allow ...)
-	TODO: check
+	NOT-FOR-US: CARE2X
 CVE-2007-1457 (Buffer overflow in the urarlib_get function in Christian
Scheurer ...)
-	TODO: check
+	NOT-FOR-US: UniquE RAR File Library
 CVE-2007-1456 (** DISPUTED ** ...)
-	TODO: check
+	NOT-FOR-US: PHP Photo Album
 CVE-2007-1455 (Multiple absolute path traversal vulnerabilities in Fantastico,
as ...)
-	TODO: check
+	NOT-FOR-US: Fantastico
 CVE-2007-1454 (ext/filter in PHP 5.2.0, when FILTER_SANITIZE_STRING is used
with the ...)
 	TODO: check
 CVE-2007-1453 (Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the
filtering ...)
@@ -132,53 +134,53 @@
 CVE-2007-1452 (The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not
implement ...)
 	TODO: check
 CVE-2007-1451 (GuppY 4.0 allows remote attackers to delete arbitrary files via
a ...)
-	TODO: check
+	NOT-FOR-US: GuppY
 CVE-2007-1450 (SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and
...)
-	TODO: check
+	NOT-FOR-US: PHP-Nuke
 CVE-2007-1449 (Directory traversal vulnerability in mainfile.php in PHP-Nuke
8.0 and ...)
-	TODO: check
+	NOT-FOR-US: PHP-Nuke
 CVE-2007-1448 (The Tape Engine in CA (formerly Computer Associates) BrightStor
...)
-	TODO: check
+	NOT-FOR-US: BrightStor ARCserve Backup
 CVE-2007-1447 (The Tape Engine in CA (formerly Computer Associates) BrightStor
...)
-	TODO: check
+	NOT-FOR-US: BrightStor ARCserve Backup
 CVE-2007-1446 (Multiple PHP remote file inclusion vulnerabilities in Open
Education ...)
-	TODO: check
+	NOT-FOR-US: Open Education System
 CVE-2007-1445 (SQL injection vulnerability in the heme preview feature for ...)
-	TODO: check
+	NOT-FOR-US: BP Blog
 CVE-2007-1444 (netserver in netperf 2.4.3 allows local users to overwrite
arbitrary ...)
-	TODO: check
+	- netperf <unfixed> (bug #413658; medium)
 CVE-2007-1443 (Multiple cross-site scripting (XSS) vulnerabilities in
register.php in ...)
-	TODO: check
+	NOT-FOR-US: Woltlab Burning Board
 CVE-2007-1442 (Oracle Database 10g uses a NULL pDacl parameter when calling the
...)
-	TODO: check
+	NOT-FOR-US: Oracle Database
 CVE-2007-1441 (The 4thPass browser on the RIM BlackBerry 8100 (Pearl) before
4.2.1 ...)
-	TODO: check
+	NOT-FOR-US: BlackBerry 8100
 CVE-2007-1440 (SQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1
allows ...)
-	TODO: check
+	NOT-FOR-US: JGBBS
 CVE-2007-1439 (PHP remote file inclusion vulnerability in ressourcen/dbopen.php
in ...)
-	TODO: check
+	NOT-FOR-US: MySQL Commander
 CVE-2007-1438 (SQL injection vulnerability in devami.asp in X-Ice News System
1.0 ...)
-	TODO: check
+	NOT-FOR-US: X-Ice News System
 CVE-2006-7171 (product_review.php in Koan Software Mega Mall allows remote
attackers ...)
-	TODO: check
+	NOT-FOR-US: Mega Mall
 CVE-2006-7170 (Multiple SQL injection vulnerabilities in Koan Software Mega
Mall ...)
-	TODO: check
+	NOT-FOR-US: Mega Mall
 CVE-2006-7169 (PHP remote file inclusion vulnerability in
includes/header_simple.php ...)
-	TODO: check
+	NOT-FOR-US: Ultimate PHP Board
 CVE-2006-7168 (PHP remote file inclusion vulnerability in includes/not_mem.php
in the ...)
-	TODO: check
+	NOT-FOR-US: phpBB module Add Name
 CVE-2006-7167 (Unspecified vulnerability in ProRat Server 1.9 Fix2 allows
remote ...)
-	TODO: check
+	NOT-FOR-US: ProRat Server
 CVE-2006-7166 (IBM WebSphere Application Server (WAS) 5.1.1.9 and earlier
allows ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2006-7165 (IBM WebSphere Application Server (WAS) 5.0 through 5.1.1.0
allows ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2006-7164 (SimpleFileServlet in IBM WebSphere Application Server 5.0.1
through ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2005-4834 (IBM WebSphere Application Server (WAS) 5.0.2.5 through 5.1.1.3
allows ...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2005-4833 (IBM WebSphere Application Server (WAS) 6.0 before 20050201, when
...)
-	TODO: check
+	NOT-FOR-US: IBM WebSphere Application Server
 CVE-2003-1321 (Buffer overflow in Avant Browser 8.02 allows remote attackers to
cause ...)
 	TODO: check
 CVE-2007-1437 (Unspecified vulnerability in LedgerSMB before 1.1.5 and
SQL-Ledger ...)
@@ -422,7 +424,7 @@
 CVE-2007-1320
 	RESERVED
 CVE-2007-1319 (Unspecified vulnerability in the OPCDA interface in Takebishi
Electric ...)
-	TODO: check
+	NOT-FOR-US: DeviceXPlorer OLE
 CVE-2007-1318
 	RESERVED
 CVE-2007-1317
@@ -1425,7 +1427,7 @@
 CVE-2007-0999 (Format string vulnerability in Ekiga 2.0.3, and probably other
...)
 	- ekiga 2.0.3-5 (bug #414069; high)
 CVE-2007-0998 (The VNC server implementation in QEMU allows local users of a
guest ...)
-	TODO: check
+	- xen-3.0 <unfixed> (medium)
 CVE-2007-0997
 	RESERVED
 CVE-2007-0996 (The child frames in Mozilla Firefox before 1.5.0.10 and 2.x
before ...)
@@ -2878,7 +2880,7 @@
 	{DSA-1257}
 	- samba 3.0.23d-5 (low)
 CVE-2007-0450 (Directory traversal vulnerability in Apache HTTP Server and
Tomcat 5.x ...)
-	TODO: check
+	- tomcat5.5 <unfixed> (medium)
 CVE-2007-0449 (Multiple buffer overflows in LGSERVER.EXE in CA BrightStor
ARCserve ...)
 	NOT-FOR-US: CA BrightStor
 CVE-2007-0448
Secure testing commits - Mar 2007 - r5572 - data/CVE

[Secure-testing-commits] r5572 - data/CVE
