Author: nion
Date: 2008-03-19 14:08:36 +0000 (Wed, 19 Mar 2008)
New Revision: 8372
Modified: data/CVE/list

Log:
NFUs
new bzip2 issue (CVE-2008-1372)
CVE-2008-1367 fixed in kfreebsd and glibc, linux kernel and gcc still unfixed
new zabbix issue (CVE-2008-1353)

Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-03-19 09:14:11 UTC (rev 8371) +++ data/CVE/list 2008-03-19 14:08:36 UTC (rev 8372) @@ -15,7 +15,7 @@ CVE-2008-1384 RESERVED CVE-2008-1383 (The docert function in ssl-cert.eclass, when used by src_compile or ...) - TODO: check + NOT-FOR-US: Gentoo Linux Ebuilds CVE-2008-1382 RESERVED CVE-2008-1381 
@@ -37,21 +37,25 @@ CVE-2008-1373 RESERVED CVE-2008-1372 (bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to ...) - TODO: check + - bzip2 <unfixed> (bug #471670) CVE-2008-1371 (Absolute path traversal vulnerability in install/index.php in Drake ...) - TODO: check + NOT-FOR-US: Drake CMS CVE-2008-1370 (PHP remote file inclusion vulnerability in index.php in wildmary Yap ...) - TODO: check + NOT-FOR-US: wildmary Yap Blog CVE-2008-1369 (A certain incorrect Sun Solaris 10 image on SPARC Enterprise T5120 and ...) - TODO: check + NOT-FOR-US: Sun Solaris CVE-2008-1368 (CRLF injection vulnerability in Microsoft Internet Explorer 5 and 6 ...) - TODO: check + NOT-FOR-US: Microsoft Internet Explorer CVE-2008-1367 (gcc 4.3.x does not generate a cld instruction while compiling ...) - TODO: check + - linux-2.6 <unfixed> (bug #469058) + - kfreebsd-6 6.3-4 (bug #469564) + - kfreebsd-7 7.0-2 (bug #469565) + - gcc-4.3 <unfixed> (bug #469567) + - glibc 2.7-8 (bug #465583) CVE-2008-1366 (Trend Micro OfficeScan Corporate Edition 8.0 Patch 2 build 1189 and ...) - TODO: check + NOT-FOR-US: Trend Micro OfficeScan Corporate Edition CVE-2008-1365 (Stack-based buffer overflow in Trend Micro OfficeScan Corporate ...) - TODO: check + NOT-FOR-US: Trend Micro OfficeScan Corporate Edition CVE-2008-1364 RESERVED CVE-2008-1363 
@@ -61,53 +65,53 @@ CVE-2008-1361 RESERVED CVE-2008-1359 (Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB ...) - TODO: check + NOT-FOR-US: Invision Power Board CVE-2008-1358 (Sack-based buffer overflow in the IMAP server in Alt-N Technologies ...) - TODO: check + NOT-FOR-US: MDaemon CVE-2008-1357 (Format string vulnerability in the logDetail function of applib.dll in ...) - TODO: check + NOT-FOR-US: McAfee Common Management Agent CVE-2008-1356 (Unspecified vulnerability in xscreensaver in Sun Solaris 10 Java ...) - TODO: check + NOT-FOR-US: Sun Solaris CVE-2008-1355 (Cross-site scripting (XSS) vulnerability in index.php in Jeebles ...) - TODO: check + NOT-FOR-US: Jeebles Directory CVE-2008-1354 (SQL injection vulnerability in MyIssuesView.asp in Advanced Data ...) - TODO: check + NOT-FOR-US: VSO-XP CVE-2008-1353 (zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a ...) - TODO: check + - zabbix <unfixed> (low; bug #471678) CVE-2008-1352 (Directory traversal vulnerability in search.php in EdiorCMS (ecms) 3.0 ...) - TODO: check + NOT-FOR-US: EdiorCMS CVE-2008-1351 (SQL injection vulnerability in the Tutorials 2.1b module for XOOPS ...) - TODO: check + NOT-FOR-US: Tutorials module for XOOPS CVE-2008-1350 (SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) ...) - TODO: check + NOT-FOR-US: Fully Modded phpBB CVE-2008-1349 (SQL injection vulnerability in viewcat.php in the bamaGalerie (Bama ...) - TODO: check + NOT-FOR-US: bamaGalerie CVE-2008-1348 (Cross-site scripting (XSS) vulnerability in index.php in the eWebsite ...) - TODO: check + NOT-FOR-US: eWeather module for PHP-Nuke CVE-2008-1347 (Multiple cross-site scripting (XSS) vulnerabilities in ...) - TODO: check + NOT-FOR-US: MyioSoft EasyGallery CVE-2008-1346 (SQL injection vulnerability in staticpages/easygallery/index.php in ...) - TODO: check + NOT-FOR-US: MyioSoft EasyGallery CVE-2008-1345 (Cross-site scripting (XSS) vulnerability in ...) 
- TODO: check + NOT-FOR-US: MyioSoft EasyCalendar CVE-2008-1344 (Multiple SQL injection vulnerabilities in MyioSoft EasyCalendar 4.0tr ...) - TODO: check + NOT-FOR-US: MyioSoft EasyCalendar CVE-2008-1343 (Directory traversal vulnerability in pkgadd and pkgrm in SCO UnixWare ...) - TODO: check + NOT-FOR-US: SCO Unixware CVE-2008-1342 (Multiple cross-site scripting (XSS) vulnerabilities in the search ...) - TODO: check + NOT-FOR-US: Polymita BPM-Suite and CollagePortal CVE-2008-1341 (SQL injection vulnerability in SearchResults.aspx in LaGarde ...) - TODO: check + NOT-FOR-US: LaGarde StoreFront CVE-2008-1340 RESERVED CVE-2008-1339 RESERVED CVE-2008-1338 (The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and ...) - TODO: check + NOT-FOR-US: Perforce Server CVE-2008-1337 (The instant message service in Timbuktu Pro 8.6.5 RC 229 and earlier ...) - TODO: check + NOT-FOR-US: Timbuktu Pro for Windows CVE-2008-1336 (SQL injection vulnerability in Koobi CMS 4.2.3 through 4.3.0 allows ...) - TODO: check + NOT-FOR-US: Koobi CMS CVE-2008-1335 (The ipsec4_get_ulp function in the kernel in NetBSD 2.0 through 3.1 ...) TODO: check CVE-2008-1334 (cgi/b on the BT Home Hub router allows remote attackers to bypass ...) @@ -10220,7 +10224,10 @@ {DSA-1438-1} - tar 1.18-2 (medium; bug #439335) CVE-2007-4130 (The Linux kernel 2.6.9 before 2.6.9-67 in Red Hat Enterprise Linux ...) - TODO: check + - linux-2.6 2.6.12-1 (low) + NOTE: a fix is included in 2.6, see line 854 mempolicy.c + NOTE: it was maybe fixed earlier, 2.6.12 is the first version in git + NOTE: which I can see and ships the fix CVE-2007-4129 (CoolKey 1.1.0 allows local users to overwrite arbitrary files via a ...) - coolkey 1.1.0-3 CVE-2007-4128 (SQL injection vulnerability in index.php in the Firestorm Technologies ...)
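Review bot: in the second hunk (@@ -37,21 +37,25 @@) the new entry `- bzip2 <unfixed> (bug #471670)` carries no severity marker, while the zabbix entry added in the same commit (`- zabbix <unfixed> (low; bug #471678)`) and the existing tar entry (`medium; bug #439335`) do; the same applies to the `linux-2.6 <unfixed>` and `gcc-4.3 <unfixed>` lines under CVE-2008-1367. Since the bzip2 description says versions before 1.0.5 are affected, please assign a severity now so the unfixed entries sort correctly in the tracker, and note the upstream fixed version in a NOTE line for whoever prepares the upload.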
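Review bot: in the third hunk (@@ -61,53 +65,53 @@) the CVE-2008-1348 description reads "index.php in the eWebsite ..." but the new annotation is `NOT-FOR-US: eWeather module for PHP-Nuke`; one of the two product names looks wrong, so please check the full CVE text before resolving it. Two smaller points in the same hunk: the CVE-2008-1343 annotation spells the product `SCO Unixware` while the description has `SCO UnixWare`, and CVE-2008-1335 (NetBSD ipsec4_get_ulp) is the only entry in the run left as `TODO: check`; if it was skipped on purpose because NetBSD kernel code is not shipped in Debian, marking it NOT-FOR-US in this commit would keep the list consistent.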
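Review bot: in the last hunk (@@ -10220,7 +10224,10 @@) the NOTE lines for CVE-2007-4130 say 2.6.12 is merely the earliest version visible in git that ships the fix, so `- linux-2.6 2.6.12-1 (low)` records a lower bound as if it were the confirmed first-fixed version. Reword the notes to state the uncertainty plainly (e.g. "fixed in 2.6.12 or earlier") and replace the `line 854 mempolicy.c` reference with the upstream commit id of the mempolicy.c fix, since a line number will drift with the next kernel upload and cannot be used to verify the entry later.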