Author: nion
Date: 2007-10-08 23:56:10 +0000 (Mon, 08 Oct 2007)
New Revision: 6870
Modified: data/CVE/list
Log:
NFUs
CVE-2007-5246, CVE-2007-5245 firebird2.0/firebird1.5 not-affected
CVE-2007-5232, CVE-2007-523[7-9], CVE-2007-5240 fixed in sun-java6 6-03-1 and sun-java5 1.5.0-13-1
CVE-2007-5236 sun-java6 and sun-java5 not-affected
CVE-2007-5228 drupal not-affected
new issue: CVE-2007-5226 dircproxy
CVE-2004-2714 wmaker not-affected
CVE-2004-2705 pvpgn not-affected
CVE-2004-2698 imwheel not-affected
CVE-2001-1585 openssh not-affected
new issue: CVE-2007-4974 ardour

Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-10-08 22:31:23 UTC (rev 6869) +++ data/CVE/list 2007-10-08 23:56:10 UTC (rev 6870) 
@@ -1,173 +1,184 @@ CVE-2007-5261 (Multiple SQL injection vulnerabilities in MultiCart 1.0 allow remote ...) - TODO: check + NOT-FOR-US: MultiCart CVE-2007-5260 (ASP-CMS 1.0 stores sensitive information under the web root with ...) - TODO: check + NOT-FOR-US: ASP-CMS CVE-2007-5259 (Cross-site request forgery (CSRF) vulnerability in Ilient SysAid ...) - TODO: check + NOT-FOR-US: SysAid CVE-2007-5258 (PHP remote file inclusion vulnerability in log.php in phpFreeLog alpha ...) - TODO: check + NOT-FOR-US: FreeLog CVE-2007-5257 (Stack-based buffer overflow in the EDraw.OfficeViewer ActiveX control ...) - TODO: check + NOT-FOR-US: EDraw Office Viewer CVE-2007-5256 (Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and ...) - TODO: check + NOT-FOR-US: FSD CVE-2007-5255 (Cross-site scripting (XSS) vulnerability in Google Mini Search ...) - TODO: check + NOT-FOR-US: Google Mini Search Appliance CVE-2007-5254 (VirusBlokAda Vba32 AntiVirus 3.12.2 uses weak permissions ...) - TODO: check + NOT-FOR-US: VirusBlokAda Vba32 AntiVirus CVE-2007-5253 (c32web.exe in McMurtrey/Whitaker Cart32 before 6.4 allows remote ...) - TODO: check + NOT-FOR-US: Cart32 CVE-2007-5252 (Buffer overflow in NetSupport Manager (NSM) Client 10.00 and 10.20, ...) - TODO: check + NOT-FOR-US: NetSupport Manager/School Student CVE-2007-5251 (Multiple cross-site scripting (XSS) vulnerabilities in Helm 3.2.16 ...) - TODO: check + NOT-FOR-US: Helm CVE-2007-5250 (The Windows dedicated server for the Unreal engine, as used by ...) - TODO: check + NOT-FOR-US: Americas Army CVE-2007-5249 (Multiple buffer overflows in the logging function in the Unreal ...) - TODO: check + NOT-FOR-US: Americas Army CVE-2007-5248 (Multiple format string vulnerabilities in the ID Software Doom 3 ...) - TODO: check + NOT-FOR-US: Doom 3 engine CVE-2007-5247 (Multiple format string vulnerabilities in the Monolith Lithtech ...) 
- TODO: check + NOT-FOR-US: Monolith engine CVE-2007-5246 (Multiple stack-based buffer overflows in Firebird LI 2.0.0.12748 and ...) - TODO: check + - firebird2.0 <not-affected> (current version in unstable/testing already has fix) + - firebird1.5 <not-affected> (current version in unstable/testing already has fix) CVE-2007-5245 (Multiple stack-based buffer overflows in Firebird LI 1.5.3.4870 and ...) - TODO: check + - firebird2.0 <not-affected> (current version in unstable/testing already has fix) + - firebird1.5 <not-affected> (current version in unstable/testing already has fix) CVE-2007-5244 (Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through ...) - TODO: check + NOT-FOR-US: Borland InterBase CVE-2007-5243 (Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 ...) - TODO: check + NOT-FOR-US: Borland InterBase CVE-2007-5242 (Unspecified vulnerability in (1) SYS$EI1000.EXE and (2) ...) - TODO: check + NOT-FOR-US: HP OpenVMS CVE-2007-5241 (Buffer overflow in NET$CSMACD.EXE in HP OpenVMS 8.3 and earlier allows ...) - TODO: check + NOT-FOR-US: HP OpenVMS CVE-2007-5240 (Visual truncation vulnerability in the Java Runtime Environment in Sun ...) - TODO: check + - sun-java6 6-03-1 (low) + - sun-java5 1.5.0-13-1 (low) CVE-2007-5239 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...) - TODO: check + - sun-java6 6-03-1 (low) + - sun-java5 1.5.0-13-1 (low) CVE-2007-5238 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...) - TODO: check + - sun-java6 6-03-1 (low) + - sun-java5 1.5.0-13-1 (low) CVE-2007-5237 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not ...) - TODO: check + - sun-java6 6-03-1 (medium) + - sun-java5 1.5.0-13-1 (medium) CVE-2007-5236 (Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK ...) 
- TODO: check + - sun-java6 <not-affected> (Windows only) + - sun-java5 <not-affected> (Windows only) CVE-2007-5235 (Cross-site scripting (XSS) vulnerability in index.php in Uebimiau ...) - TODO: check + NOT-FOR-US: Uebimiau CVE-2007-5234 (PHP remote file inclusion vulnerability in upload/common/footer.php in ...) - TODO: check + NOT-FOR-US: Ossigeno CMS CVE-2007-5233 (SQL injection vulnerability in index.php in Web Template Management ...) - TODO: check + NOT-FOR-US: Web Template Management System CVE-2007-5232 (Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and ...) - TODO: check + - sun-java6 6-03-1 (low) + - sun-java5 1.5.0-13-1 (low) CVE-2007-5231 (Unrestricted file upload vulnerability in admin/upload_files.php in ...) - TODO: check + NOT-FOR-US: Zomplog CVE-2007-5230 (admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for ...) - TODO: check + NOT-FOR-US: Zomplog CVE-2007-5229 (Cross-site request forgery (CSRF) vulnerability in the FeedBurner ...) - TODO: check + NOT-FOR-US: FeedBurner FeedSmith wordpress plugin CVE-2007-5228 (Cross-site scripting (XSS) vulnerability in the subscription ...) - TODO: check + - drupal <not-affected> (does not shipt this module) CVE-2007-5227 (Multiple cross-site scripting (XSS) vulnerabilities in ...) - TODO: check + NOT-FOR-US: BlackBoard Learning System CVE-2007-5226 (irc_server.c in dircproxy 1.2.0 and earlier allows remote attackers to ...) - TODO: check + - dircproxy <unfixed> (medium; bug #445883) + NOTE: the issue itself is of a very low impact but since this also means to lose data here + NOTE: I think it is medium CVE-2005-4871 (Certain XML functions in IBM DB2 8.1 run with the privileges of DB2 ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2005-4870 (Stack-based buffer overflows in the (1) xmlvarcharfromfile, (2) ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2005-4869 (The (1) to_char and (2) to_date function in IBM DB2 8.1 allows local ...) 
- TODO: check + NOT-FOR-US: IBM DB2 CVE-2005-4868 (Shared memory sections and events in IBM DB2 8.1 have default ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2005-4867 (Stack-based buffer overflow in the SATENCRYPT function in IBM DB2 8.1, ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2005-4866 (Stack-based buffer overflow in JDBC Applet Server in IBM DB2 8.1 ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2005-4865 (Stack-based buffer overflow in call in IBM DB2 7.x and 8.1 allows ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2005-4864 (Stack-based buffer overflow in libdb2.so in IBM DB2 7.x and 8.1 allows ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2005-4863 (Stack-based buffer overflow in db2fmp in IBM DB2 7.x and 8.1 allows ...) - TODO: check + NOT-FOR-US: IBM DB2 CVE-2004-2725 (Multiple cross-site scripting (XSS) vulnerabilities in Aztek Forum 4.0 ...) - TODO: check + NOT-FOR-US: Aztek Forum CVE-2004-2724 (LionMax Software Chat Anywhere 2.72a allows remote attackers to cause ...) - TODO: check + NOT-FOR-US: Chat Anywhere CVE-2004-2723 (NessusWX 1.4.4 stores account passwords in plaintext in .session ...) - TODO: check + NOT-FOR-US: NessusWXdd CVE-2004-2722 (** DISPUTED ** ...) - TODO: check + - nessus <unfixed> (unimportant) + NOTE: this is no security issue assuming correct permissions CVE-2004-2721 (The CheckGroup function in openSkat VTMF before 2.1 generates public ...) - TODO: check + NOT-FOR-US: openSkat CVE-2004-2720 (Cross-site scripting (XSS) vulnerability in register.asp in Snitz ...) - TODO: check + NOT-FOR-US: Snitz Forums CVE-2004-2719 (Buffer overflow in the UrlToLocal function in PunyLib.dll of Foxmail ...) - TODO: check + NOT-FOR-US: Foxmail CVE-2004-2718 (PHPMyChat 0.14.5 does not remove or protect setup.php3 after ...) - TODO: check + NOT-FOR-US: PHPMyChat CVE-2004-2717 (Multiple directory traversal vulnerabilities in admin.php3 in ...) 
- TODO: check + NOT-FOR-US: PHPMyChat CVE-2004-2716 (Multiple SQL injection vulnerabilities in usersL.php3 in PHPMyChat ...) - TODO: check + NOT-FOR-US: PHPMyChat CVE-2004-2715 (edituser.php3 in PHPMyChat 0.14.5 allow remote attackers to bypass ...) - TODO: check + NOT-FOR-US: PHPMyChat CVE-2004-2714 (Unspecified vulnerability in Window Maker 0.80.2 and earlier allows ...) - TODO: check + - wmaker <not-affected> (Was fixed in version 0.90 of window maker) CVE-2004-2713 (** DISPUTED ** ...) - TODO: check + NOT-FOR-US: ZoneAlarm CVE-2004-2712 (Buffer overflow in Gyach Enhanced (Gyach-E) before 1.0.0-SneakPeek-3 ...) - TODO: check + NOT-FOR-US: Gyach-E CVE-2004-2711 (Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.2 ...) - TODO: check + NOT-FOR-US: Gyach-E CVE-2004-2710 (Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.3 ...) - TODO: check + NOT-FOR-US: Gyach-E CVE-2004-2709 (Buffer overflow in the strip_html_tags method for Gyach Enhanced ...) - TODO: check + NOT-FOR-US: Gyach-E CVE-2004-2708 (Gyach Enhanced (Gyach-E) before 1.0.0 stores passwords in plaintext, ...) - TODO: check + NOT-FOR-US: Gyach-E CVE-2004-2707 (Multiple unspecified vulnerabilities in Gyach Enhanced (Gyach-E) ...) - TODO: check + NOT-FOR-US: Gyach-E CVE-2004-2706 (Unspecified vulnerability in Gyach Enhanced (Gyach-E) before 1.0.4 ...) - TODO: check + NOT-FOR-US: Gyach-E CVE-2004-2705 (Unspecified vulnerability in Player vs. Player Gaming Network (PvPGN) ...) - TODO: check + - pvpgn <not-affected> (was already fixed in 1.6.4+20040826-1) CVE-2004-2704 (Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier (development) ...) - TODO: check + NOT-FOR-US: Hastymail CVE-2004-2703 (Clearswift MIMEsweeper 5.0.5, when it has been upgraded from ...) - TODO: check + NOT-FOR-US: MIMEsweeper CVE-2004-2702 (Cross-site scripting (XSS) vulnerability in login_up.php3 in Plesk 7.0 ...) 
- TODO: check + NOT-FOR-US: Plesk CVE-2004-2701 (Cross-site scripting (XSS) vulnerability in signin.aspx for ...) - TODO: check + NOT-FOR-US: AspDotNetStorefront CVE-2004-2700 (Unrestricted file upload vulnerability in AspDotNetStorefront 3.3 ...) - TODO: check + NOT-FOR-US: AspDotNetStorefront CVE-2004-2699 (deleteicon.aspx in AspDotNetStorefront 3.3 allows remote attackers to ...) - TODO: check + NOT-FOR-US: AspDotNetStorefront CVE-2004-2698 (Race condition in IMWheel 1.0.0pre11 and earlier, when running with ...) - TODO: check + - imwheel <not-affected> (This was already fixed two years ago in 1.0.0pre12-1) CVE-2004-2697 (The Inventory Scout daemon (invscoutd) 1.3.0.0 and 2.0.2 for AIX 4.3.3 ...) - TODO: check + NOT-FOR-US: InvScoutd CVE-2004-2696 (BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2004-2695 (SQL injection vulnerability in the Authorize.net callback code ...) - TODO: check + NOT-FOR-US: vBulletin CVE-2004-2694 (Microsoft Outlook Express 6.0 allows remote attackers to bypass ...) - TODO: check + NOT-FOR-US: Outlook CVE-2004-2693 (HP-UX B.11.00 and B.11.11 with B6848AB GTK+ Support Libraries ...) - TODO: check + NOT-FOR-US: HP-UX CVE-2004-2692 (The exec_dir PHP patch (php-exec-dir) 4.3.2 through 4.3.7 with safe ...) - TODO: check + NOT-FOR-US: php-exec-dir patch CVE-2004-2691 (Unspecified vulnerability in 3Com SuperStack 3 4400 switches with ...) - TODO: check + NOT-FOR-US: 3Com firmware CVE-2004-2690 (Unrestricted file upload vulnerability in the Administration Panel for ...) - TODO: check + NOT-FOR-US: NewsPHP CVE-2004-2689 (NewsPHP allows remote attackers to gain unauthorized administrative ...) - TODO: check + NOT-FOR-US: NewsPHP CVE-2004-2688 (Cross-site scripting (XSS) vulnerability in index.php in NewsPHP ...) - TODO: check + NOT-FOR-US: NewsPHP CVE-2001-1585 (SSH protocol 2 (aka SSH-2) public key authentication in the ...) 
- TODO: check + - openssh <not-affected> (fixed in 2001) CVE-2001-1584 (CardBoard 2.4 greeting card CGI by Michael Barretto allows remote ...) - TODO: check + NOT-FOR-US: CardBoard CVE-2007-5225 (Integer signedness error in FIFO filesystems (named pipes) on Sun ...) NOT-FOR-US: Sun Solaris CVE-2007-5224 (inc/exif.inc.php in Original Photo Gallery 0.11.2 and earlier allows ...) @@ -727,6 +738,7 @@ NOT-FOR-US: b1gMail CVE-2007-4974 (Heap-based buffer overflow in libsndfile 1.0.17 and earlier might ...) - libsndfile 1.0.17-4 (bug #443386; medium) + - ardour <unfixed> (medium; bug #445889) CVE-2007-4973 RESERVED CVE-2007-4972 (RegMon 7.04 does not properly validate certain parameters to System ...)
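Review bot: In the first hunk (@@ -1,173 +1,184 @@), several entries are marked <not-affected> while their own comment says the package was fixed at some point: firebird2.0/firebird1.5 for CVE-2007-5246 and CVE-2007-5245 ("current version in unstable/testing already has fix"), wmaker ("Was fixed in version 0.90"), pvpgn ("was already fixed in 1.6.4+20040826-1"), imwheel ("fixed two years ago in 1.0.0pre12-1") and openssh ("fixed in 2001"). Where the fixed version is known, record it as the version field, the way the sun-java lines in this hunk do ("- sun-java6 6-03-1 (low)"), so that any release still carrying an older version is not silently treated as clean. For the firebird entries the comment only covers unstable/testing, so the fixing version should be looked up and stated. Two smaller points in the same hunk: "does not shipt this module" on the CVE-2007-5228 drupal line should read "ship", and "NOT-FOR-US: NessusWXdd" on CVE-2004-2723 has a stray "dd" after the product name the description gives as NessusWX.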
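Review bot: In the second hunk (@@ -727,6 +738,7 @@), the new "- ardour <unfixed> (medium; bug #445889)" line sits under CVE-2007-4974, whose description names libsndfile 1.0.17 and earlier, and nothing in the entry says why ardour is affected. Add a NOTE line stating the relation between ardour and the libsndfile code, as was done for the dircproxy severity reasoning in the first hunk, so a later reader can tell when the ardour entry can be closed. The annotation order also differs from the line directly above it ("(bug #443386; medium)" versus "(medium; bug #445889)"); pick one order for both.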