jmm-guest at alioth.debian.org
2007-Jul-03 21:16 UTC
[Secure-testing-commits] r6091 - in data: CVE DSA
Author: jmm-guest
Date: 2007-07-03 21:16:33 +0000 (Tue, 03 Jul 2007)
New Revision: 6091
Modified:
data/CVE/list
data/DSA/list
Log:
add two CVEs to previous icefoo DSAs, which were missed back then
remove hiki dupe
non-free no-dsa as usual
no-dsa for obscure, minor subversion issue
no-dsa for minor icefoo issue
NFUs
Modified: data/CVE/list
==================================================================---
data/CVE/list 2007-07-03 21:14:12 UTC (rev 6090)
+++ data/CVE/list 2007-07-03 21:16:33 UTC (rev 6091)
@@ -167,7 +167,7 @@
CVE-2007-3437 (AOL Instant Messenger (AIM) 6.1.32.1 on Windows XP allows remote
...)
TODO: check
CVE-2007-3436 (Microsoft MSN Messenger 4.7 on Windows XP allows remote
attackers to ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2007-3435 (Stack-based buffer overflow in the BeginPrint method in a
certain ...)
TODO: check
CVE-2007-3434 (index.php in Pharmacy System 2 and earlier allows remote
attackers to ...)
@@ -227,7 +227,7 @@
CVE-2007-3407 (Sergey Lyubka Simple HTTPD (shttpd) 1.38 allows remote attackers
to ...)
NOT-FOR-US: Simple HTTPD
CVE-2007-3406 (Multiple absolute path traversal vulnerabilities in Microsoft
Internet ...)
- TODO: check
+ NOT-FOR-US: Microsoft Internet Explorer
CVE-2007-3405 (Multiple cross-site scripting (XSS) vulnerabilities in
defter_yaz.asp ...)
NOT-FOR-US: Lebisoft zdefter
CVE-2007-3404 (Directory traversal vulnerability in ShowImage.php in SiteDepth
CMS ...)
@@ -250,8 +250,7 @@
NOT-FOR-US: KeyFocus
CVE-2007-3395
REJECTED
- - hiki 0.8.7-1 (bug #430691; medium)
- NOTE: Duplicate of CVE-2007-2836
+ NOTE: Duplicate of CVE-2007-2836 (hiki, bu# 430691)
CVE-2007-3394 (Multiple SQL injection vulnerabilities in eNdonesia 8.4 allow
remote ...)
NOT-FOR-US: eNdonesia
CVE-2007-3388
@@ -422,7 +421,7 @@
CVE-2006-7207 (Buffer overflow in ageet AGEphone before 1.4.0 might allow
remote ...)
NOT-FOR-US: AGEphone
CVE-2006-7206 (Microsoft Internet Explorer 6 on Windows XP SP2 allows remote
...)
- TODO: check
+ NOT-FOR-US: Microsoft Internet Explorer
CVE-2007-4168
REJECTED
CVE-2007-3322 (The Avaya 4602 SW IP Phone (Model 4602D02A) with 2.2.2 and
earlier SIP ...)
@@ -486,7 +485,7 @@
CVE-2007-3297 (Multiple PHP remote file inclusion vulnerabilities in Musoo 0.21
allow ...)
NOT-FOR-US: Musoo
CVE-2007-3296 (The ThunderServer.webThunder.1 ActiveX control in xunlei Web
...)
- TODO: check
+ NOT-FOR-US: Web Thunderbolt
CVE-2007-3295 (Directory traversal vulnerability in Yet another Bulletin Board
(YaBB) ...)
NOT-FOR-US: YaBB
CVE-2007-3294 (Multiple buffer overflows in the Tidy extension for PHP 5.2.3
allow ...)
@@ -518,7 +517,7 @@
CVE-2007-3283 (GNOME XScreenSaver in Sun Solaris 8 and 9 before 20070417, when
root ...)
- xscreensaver <not-affected> (Not a security issue: works as
documented)
CVE-2007-3282 (Buffer overflow in the Microsoft Office MSODataSourceControl
ActiveX ...)
- TODO: check
+ NOT-FOR-US: Microsoft Office
CVE-2007-3281 (Cross-site scripting (XSS) vulnerability in index.php in Php
Hosting ...)
NOT-FOR-US: Php Hosting Biller
CVE-2007-3280 (The Database Link library (dblink) in PostgreSQL 8.1 implements
...)
@@ -877,7 +876,6 @@
- gimp <unfixed> (unimportant)
CVE-2007-3125
REJECTED
- NOTE: Duplicate of CVE-2006-6772
CVE-2007-3124 (Buffer overflow in backup/src/vmsbackup.c (aka the backup
utility) in ...)
NOT-FOR-US: FreeVMS
CVE-2007-3123 (unrar.c in libclamav in ClamAV before 0.90.3 and 0.91 before
0.91rc1 ...)
@@ -1011,8 +1009,7 @@
CVE-2007-3073 (Directory traversal vulnerability in Mozilla Firefox 2.0.0.4 and
...)
TODO: check
CVE-2007-3072 (Directory traversal vulnerability in Mozilla Firefox before
2.0.0.4 on ...)
- - iceweasel <not-affected>
- NOTE: Windows only
+ - iceweasel <not-affected> (Only affects Windows versions of Firefox)
CVE-2007-3071 (Buffer overflow in the GetWebStoreURL function in a certain
ActiveX ...)
NOT-FOR-US: eSellerate
CVE-2007-3070 (Cross-site scripting (XSS) vulnerability in index.php in
BDigital Web ...)
@@ -1148,11 +1145,11 @@
CVE-2007-3006 (Buffer overflow in Acoustica MP3 CD Burner 4.32 allows
user-assisted ...)
NOT-FOR-US: Acoustica MP3 CD Burner
CVE-2007-3005 (Unspecified vulnerability in the Sun Java Runtime Environment in
JDK ...)
- [etch] - sun-java <no-dsa> (Non-free not supported)
+ [etch] - sun-java5 <no-dsa> (Non-free not supported)
- sun-java5 1.5.0-11-1 (low)
- sun-java6 <unfixed> (low)
CVE-2007-3004 (Buffer overflow in the image parsing implementation in the Sun
Java ...)
- [etch] - sun-java <no-dsa> (Non-free not supported)
+ [etch] - sun-java5 <no-dsa> (Non-free not supported)
- sun-java5 1.5.0-11-1 (medium)
- sun-java6 <unfixed> (medium)
CVE-2007-3003 (Multiple SQL injection vulnerabilities in myBloggie 2.1.6 and
earlier ...)
@@ -1328,9 +1325,9 @@
CVE-2007-2925
RESERVED
CVE-2007-2924 (Multiple buffer overflows in RealNetworks GameHouse dldisplay
ActiveX ...)
- TODO: check
+ NOT-FOR-US: RealNetworks GameHouse
CVE-2007-2923 (The launch method in the LocalExec ActiveX control
(LocalExec.ocx) in ...)
- TODO: check
+ NOT-FOR-US: LocalExec ActiveX control
CVE-2007-2922
RESERVED
CVE-2007-2921 (Multiple buffer overflows in acgm.dll in the Corel / Micrografx
...)
@@ -1641,9 +1638,9 @@
- php4 <unfixed> (unimportant)
NOTE: open_basedir bypasses not supported
CVE-2003-1330 (Clearswift MAILsweeper for SMTP 4.3.6 SP1 does not execute
custom "on ...)
- TODO: check
+ NOT-FOR-US: MAILsweeper
CVE-2001-1581 (The File Blocker feature in Clearswift MAILsweeper for SMTP 4.2
allows ...)
- TODO: check
+ NOT-FOR-US: MAILsweeper
CVE-2007-XXXX [mantis multiple issues fixed in 1.0.7]
- mantis 1.0.7+dfsg-1
NOTE: "email notifications bypass security on custom fields" and
"XSS vulnerabilities"
@@ -2411,6 +2408,8 @@
- tomcat5.5 <unfixed> (low)
CVE-2007-2448 (Subversion 1.4.3 and earlier does not properly implement the
"partial ...)
- subversion 1.4.4dfsg1-1 (bug #428194; low)
+ [etch] - subversion <no-dsa> (Minor issue)
+ [sarge] - subversion <no-dsa> (Minor issue)
CVE-2007-2447 (The MS-RPC functionality in smbd in Samba 3.0.0 through
3.0.25rc3 ...)
{DSA-1291-2 DTSA-41-1}
- samba 3.0.25-1 (high)
@@ -3875,7 +3874,7 @@
CVE-2007-1805 (SQL injection vulnerability in genre.php in the debaser 0.92 and
...)
NOT-FOR-US: debaser module for Xoops
CVE-2007-1804 (PulseAudio 0.9.5 allows remote attackers to cause a denial of
service ...)
- - pulseaudio 0.9.6-1 (medium)
+ - pulseaudio 0.9.6-1 (low)
CVE-2007-1803 (Unspecified vulnerability in MailDwarf 3.01 and earlier allows
remote ...)
NOT-FOR-US: MailDwarf
CVE-2007-1802 (Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and
earlier ...)
@@ -5721,7 +5720,7 @@
CVE-2007-1096 (Cross-site scripting (XSS) vulnerability in ps_cart.php in
VirtueMart ...)
NOT-FOR-US: VirtueMart
CVE-2007-1095 (Mozilla Firefox does not properly implement JavaScript onUnload
...)
- - iceweasel <unfixed> (medium)
+ - iceweasel <unfixed> (low)
CVE-2007-1094 (Microsoft Internet Explorer 7 allows remote attackers to cause a
...)
NOT-FOR-US: Microsoft IE
CVE-2007-1093 (Multiple unspecified vulnerabilities in JP1/Cm2/Network Node
Manager ...)
@@ -6090,7 +6089,9 @@
- iceweasel <unfixed> (low)
[etch] - iceweasel <no-dsa> (Minor issue)
- iceape <unfixed> (low)
+ [etch] - iceape <no-dsa> (Minor issue)
- xulrunner <unfixed> (low)
+ [etch] - xulrunner <no-dsa> (Minor issue)
NOTE: maintainer notes that this may affect browsers based on xulrunner
CVE-2007-1003 (Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList
...)
{DSA-1294-1}
Modified: data/DSA/list
==================================================================---
data/DSA/list 2007-07-03 21:14:12 UTC (rev 6090)
+++ data/DSA/list 2007-07-03 21:16:33 UTC (rev 6091)
@@ -67,14 +67,14 @@
{CVE-2007-2138}
[etch] - postgresql-8.1 8.1.9-0etch1
[14 Jun 2007] DSA-1308-1 iceweasel - several vulnerabilities
- {CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870
CVE-2007-2871}
+ {CVE-2007-1116 CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869
CVE-2007-2870 CVE-2007-2871}
[etch] - iceweasel 2.0.0.4-0etch1
[12 Jun 2007] DSA-1307-1 openoffice.org - heap overflow
{CVE-2007-0245}
[sarge] - openoffice.org 1.1.3-9sarge7
[etch] - openoffice.org 2.0.4.dfsg.2-7etch1
[12 Jun 2007] DSA-1306-1 xulrunner
- {CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870
CVE-2007-2871}
+ {CVE-2007-1116 CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869
CVE-2007-2870 CVE-2007-2871}
[etch] - xulrunner 1.8.0.12-0etch1
[13 Jun 2007] DSA-1305-1 icedove - several vulnerabilities
{CVE-2007-1558 CVE-2007-2867 CVE-2007-2868}