Author: nion Date: 2007-09-11 13:41:10 +0000 (Tue, 11 Sep 2007) New Revision: 6573 Modified: data/CVE/list Log: NFUs CVE-2007-4396 irssi-scripts affected (low) CVE-2007-3741 gimp fixed in 2.4.0~rc1-1 CVE-2005-4856 ezpublish not-affected CVE-2007-2958 sylpheed-claws affected (low), sylpheed fixed in 2.4.5-1 CVE-2007-1863 apache1 affected (low) Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-09-11 09:14:08 UTC (rev 6572) +++ data/CVE/list 2007-09-11 13:41:10 UTC (rev 6573) @@ -643,7 +643,7 @@ CVE-2007-4479 (Cross-site scripting (XSS) vulnerability in search.html in Search ...) NOT-FOR-US: Search Engine Builder CVE-2007-4478 (Cross-site scripting (XSS) vulnerability in Microsoft Internet ...) - TODO: check + NOT-FOR-US: Internet Explorer CVE-2007-4477 (The administration interface in the Planet VC-200M VDSL2 router allows ...) NOT-FOR-US: Planet VC-200M VDSL2 router CVE-2007-4476 (Buffer overflow in the safer_name_suffix function in GNU tar has ...) @@ -825,7 +825,8 @@ CVE-2007-4397 (Multiple CRLF injection vulnerabilities in (1) xmms-thing 1.0, (2) ...) NOT-FOR-US: various IRC now_playing scripts CVE-2007-4396 (Multiple CRLF injection vulnerabilities in (1) ixmmsa.pl 0.3, (2) ...) - TODO: check + - irssi-scripts <unfixed> (low) + NOTE: weechat-scripts does not include the mentioned scripts CVE-2007-4395 (Multiple unspecified vulnerabilities in the Role Based Access Control ...) NOT-FOR-US: Sun Solaris 8 CVE-2007-4394 (Unspecified vulnerability in a "core clean" cron job created by the ...) @@ -2270,7 +2271,9 @@ CVE-2007-3742 (WebKit in Apple Safari 3 Beta before Update 3.0.3, and iPhone before ...) NOT-FOR-US: Apple Safari CVE-2007-3741 (The (1) psp (aka .tub), (2) bmp, (3) pcx, and (4) psd plugins in gimp ...) - TODO: check + - gimp 2.4.0~rc1-1 (low) + NOTE: lenny is affected but there is a bugfix release for 2.2.16 + NOTE: http://developer.gimp.org/NEWS-2.2 CVE-2007-3740 RESERVED CVE-2007-3739 @@ -2792,7 +2795,7 @@ CVE-2005-4857 (eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and ...) - ezpublish <not-affected> (Debian''s version is too old) CVE-2005-4856 (The admin interface in eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, ...) - TODO: check + - ezpublish <not-affected> (Debian''s version is too old) CVE-2005-4855 (Unrestricted file upload vulnerability in eZ publish 3.5 before 3.5.5, ...) TODO: check CVE-2005-4854 (eZ publish 3.5 through 3.7 before 20050830 does not use a folder''s ...) @@ -4158,7 +4161,10 @@ CVE-2007-2959 (SQL injection vulnerability in manufacturer.php in cpCommerce before ...) NOT-FOR-US: cpCommerce CVE-2007-2958 (Format string vulnerability in the inc_put_error function in src/inc.c ...) - TODO: check + - sylpheed-claws <unfixed> (low; bug #441854) + - sylpheed 2.4.5-1 (low) + NOTE: the cvs referenced in redhat bugzilla is not available anymore however + NOTE: http://www.colino.net/claws-mail/getpatchset.php3?ver=2.10.0cvs153 fixes the bug CVE-2007-2957 RESERVED CVE-2007-2956 (Stack-based buffer overflow in the readRadianceHeader function in (1) ...) @@ -4217,13 +4223,13 @@ CVE-2007-2932 (Cross-site scripting (XSS) vulnerability in index.php in BoastMachine ...) NOT-FOR-US: BoastMachine CVE-2007-2931 (Heap-based buffer overflow in Microsoft MSN Messenger 7.x and Live ...) - TODO: check + NOT-FOR-US: MSN Messenger CVE-2007-2930 RESERVED CVE-2007-2929 (The IBM Lenovo Access Support acpRunner ActiveX control, as ...) - TODO: check + NOT-FOR-US: IBM Lenovo Access Support CVE-2007-2928 (Format string vulnerability in the IBM Lenovo Access Support acpRunner ...) - TODO: check + NOT-FOR-US: IBM Lenovo Access Support CVE-2007-2927 (Unspecified vulnerability in Atheros 802.11 a/b/g wireless adapter ...) NOT-FOR-US: Windows Atheros drivers CVE-2007-2926 (ISC BIND 9 through 9.5.0a5 uses a weak random number generator during ...) @@ -5451,21 +5457,21 @@ CVE-2007-2411 (** DISPUTED ** ...) NOT-FOR-US: Sphider CVE-2007-2410 (WebCore on Apple Mac OS X 10.3.9 and 10.4.10 retains properties of ...) - TODO: check + NOT-FOR-US: Mac OS X CVE-2007-2409 (Cross-domain vulnerability in WebCore on Apple Mac OS X 10.3.9 and ...) - TODO: check + NOT-FOR-US: Mac OS X CVE-2007-2408 (WebKit in Apple Safari 3 Beta before Update 3.0.3 does not properly ...) NOT-FOR-US: Apple Safari CVE-2007-2407 (The Samba server on Apple Mac OS X 10.3.9 and 10.4.10, when Windows ...) - samba <not-affected> (MacOS/Apple-specific vulnerability) CVE-2007-2406 (Quartz Composer on Apple Mac OS X 10.4.10 does not initialize a ...) - TODO: check + NOT-FOR-US: Mac OS X CVE-2007-2405 (Integer underflow in Preview in PDFKit on Apple Mac OS X 10.4.10 ...) - TODO: check + NOT-FOR-US: Mac OS X CVE-2007-2404 (CRLF injection vulnerability in CFNetwork on Apple Mac OS X 10.3.9 and ...) - TODO: check + NOT-FOR-US: Mac OS X CVE-2007-2403 (CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 does not properly ...) - TODO: check + NOT-FOR-US: Mac OS X CVE-2007-2402 (QuickTime for Java in Apple Quicktime before 7.2 does not perform ...) NOT-FOR-US: Apple Quicktime CVE-2007-2401 (CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, ...) @@ -6693,10 +6699,12 @@ - php5 5.2.2-1 CVE-2007-1863 (cache_util.c in the mod_cache module in Apache HTTP Server (httpd), ...) - apache2 2.2.4-1 (low) + - apache <unfixed> (low) [sarge] - apache2 2.0.54-5sarge2 [etch] - apache2 2.2.3-4+etch2 - TODO: check apache 1 NOTE: see http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/cache/cache_util.c?view=markup&pathrev=551944 + NOTE: see http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/cache/cache_util.c?r1=463503&r2=551944&pathrev=551944 + NOTE: vulnerable code in src/modules/proxy/proxy_cache.c starting in line 1132 CVE-2007-1862 (The recall_headers function in mod_mem_cache in Apache 2.2.4 does not ...) - apache2 <not-affected> (Only Apache 2.2.4 was affected, and all versions of 2.2.4 in Debian are fixed) CVE-2007-1861 (The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel ...) @@ -6983,7 +6991,7 @@ CVE-2007-1750 (Unspecified vulnerability in Microsoft Internet Explorer 6 allows ...) NOT-FOR-US: Microsoft CVE-2007-1749 (Integer underflow in the CDownloadSink class code in the Vector Markup ...) - TODO: check + NOT-FOR-US: Vector Markup Language CVE-2007-1748 (Stack-based buffer overflow in the RPC interface in the Domain Name ...) NOT-FOR-US: Microsoft Windows CVE-2007-1747 (Unspecified vulnerability in MSO.dll in Microsoft Office 2000 SP3, ...) @@ -10856,13 +10864,13 @@ CVE-2007-0323 (Buffer overflow in the SetLanguage function in Research In Motion ...) NOT-FOR-US: Research In Motion (RIM) TeamOn Import Object ActiveX control CVE-2007-0322 (Multiple stack-based buffer overflows in the Intuit QuickBooks Online ...) - TODO: check + NOT-FOR-US: Intuit QuickBooks CVE-2007-0321 (Buffer overflow in the Update Service Agent ActiveX Control in ...) NOT-FOR-US: FLEXnet Connect CVE-2007-0320 (Multiple buffer overflows in (a) an ActiveX control (iftw.dll) and (b) ...) NOT-FOR-US: InstallFromTheWeb CVE-2007-0319 (Multiple stack-based buffer overflows in the Motive ...) - TODO: check + NOT-FOR-US: Motive ActiveEmailTest CVE-2007-0318 (The do_hfs_truncate function in Mac OS X 10.4.8 allows ...) NOT-FOR-US: Apple Mac OS CVE-2007-0317 (Format string vulnerability in the LogMessage function in FileZilla ...)