jmm-guest at alioth.debian.org
2007-Dec-02 18:43 UTC
[Secure-testing-commits] r7472 - data/CVE
Author: jmm-guest Date: 2007-12-02 18:43:06 +0000 (Sun, 02 Dec 2007) New Revision: 7472 Modified: data/CVE/list Log: resolve older jffnms issue, incorrect CVE allocation ekiga no-dsa rewrite PHP non-issue wordpress not unimportant, e.g. could be used as a stepstone in an adjacent vulnerability Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-12-02 17:57:49 UTC (rev 7471) +++ data/CVE/list 2007-12-02 18:43:06 UTC (rev 7472) @@ -310,9 +310,9 @@ CVE-2007-6040 (The Belkin F5D7230-4 Wireless G Router allows remote attackers to ...) NOT-FOR-US: Belkin F5D7230-4 Wireless G Router CVE-2007-6039 (PHP 5.2.5 and earlier allows context-dependent attackers to cause a ...) - - php5 <unfixed> (bug #453295) - [etch] - php5 <no-dsa> (requires negligent/malicious local user) - [etch] - php4 <not-affected> (detects memory exhaustion and quits) + - php5 <unfixed> (unimportant; bug #453295) + NOTE: Not a vulnerability per Debian PHP security policy, requires malicious + NOTE: script to trigger this issue CVE-2007-6077 (The session fixation protection mechanism in cgi_process.rb in Rails ...) - rails 1.2.6-1 (low; bug #452748) CVE-2007-6111 (Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) ...) @@ -410,7 +410,7 @@ CVE-2007-6014 RESERVED CVE-2007-6013 (Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash ...) - - wordpress <unfixed> (unimportant; bug #452251) + - wordpress <unfixed> (low; bug #452251) NOTE: if untrusted people are allowed to read the database they could still NOTE: crack the hash with more work, so maybe this is unimportant? CVE-2007-6012 (SQL injection vulnerability in SearchR.asp in DocuSafe 4.1.0 allows ...) 
@@ -3859,6 +3859,7 @@ NOT-FOR-US: eWire Payment Client CVE-2007-4924 (The Open Phone Abstraction Library (opal), as used by (1) Ekiga before ...) - ekiga 2.0.11-1 (low) + [etch] - ekiga <no-dsa> (Minor issue) CVE-2007-4923 (PHP remote file inclusion vulnerability in admin.joomlaradiov5.php in ...) NOT-FOR-US: Joomla extension CVE-2007-4922 (SQL injection vulnerability in play.php in the jeuxflash 1.0 module ...) @@ -3914,6 +3915,7 @@ NOT-FOR-US: Xwiki CVE-2007-4897 (pwlib, as used by Ekiga 2.0.5 and possibly other products, allows ...) - ekiga 2.0.9-1 (low) + [etch] - ekiga <no-dsa> (Minor issue) CVE-2007-4896 (Multiple cross-site scripting (XSS) vulnerabilities in ...) NOT-FOR-US: Toms Gaestebuch CVE-2007-4895 (Directory traversal vulnerability in dwoprn.php in Sisfo Kampus 2006 ...) @@ -7939,10 +7941,8 @@ - php5 <unfixed> (unimportant) NOTE: That''s by design CVE-2007-3204 (SQL injection vulnerability in auth.php in Just For Fun Network ...) - - jffnms 0.8.3dfsg.1-4 (high) - NOTE: 20_security.dpatch is addressing this bug however the maintainer didn''t include - NOTE: a note about the CVE id. - NOTE: the fix for CVE-2007-3190 is incomplete (the ''pass'' param can still contain an injection) + NOTE: This is an jffnms ID, which has been wrongly reported by an external party, + NOTE: The data is sufficiently sanitised with the Debian fix for CVE-2007-3192 CVE-2007-3203 (Stack-based buffer overflow in smtpdll.dll in the SMTP service in ...) NOT-FOR-US: 602Pro LAN SUITE CVE-2007-3202 (Cross-site scripting (XSS) vulnerability in the rich text editor in ...)
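Review bot: in the CVE-2007-6039 hunk, dropping the `[etch] - php4 <not-affected> (detects memory exhaustion and quits)` line discards the only record that php4 was examined and why it is unaffected; keep that line (or carry its reason into a NOTE) next to the new `- php5 <unfixed> (unimportant; bug #453295)` so the php4 analysis is not lost when someone revisits the entry.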
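Review bot: in the CVE-2007-6013 hunk the wordpress rating goes from unimportant to low, but the two unchanged NOTE lines still argue the opposite ("so maybe this is unimportant?"); update the NOTE with the reasoning given in the log message (a predictable cookie value can serve as a stepping stone for an adjacent vulnerability even when the attacker must already be able to read the database) so the entry does not contradict its own severity.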
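Review bot: in the CVE-2007-3204 hunk, removing `- jffnms 0.8.3dfsg.1-4 (high)` leaves the entry with NOTE lines only and no package state, so there is nothing for the tracker to resolve against; if the conclusion is that the Debian fix already sanitises the data, record it as a package line such as `- jffnms <not-affected> (covered by the fix for CVE-2007-3192)`, the way the first hunk's php4 line uses `<not-affected>`. Two smaller points: the removed NOTE referred to CVE-2007-3190 while the new one cites CVE-2007-3192, so please confirm which ID the Debian patch actually addresses given that the log message says the allocation was incorrect; and "This is an jffnms ID, which ... party, The data" should read "This is a jffnms ID, which ... party. The data".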