thr3ads.net - Secure testing commits - [Secure-testing-commits] r8507

If this information is useful, please help other people find it:
Share via:
nion at alioth.debian.org
2008-Apr-10 19:57 UTC
[Secure-testing-commits] r8507 - data/CVE

Author: nion
Date: 2008-04-10 19:57:23 +0000 (Thu, 10 Apr 2008)
New Revision: 8507

Modified:
   data/CVE/list
Log:
NFUs
CVE-2008-1683 seems to be a dup of CVE-2008-0887
new suphp issue (CVE-2008-1614)
CVE-2008-1612 fixed in squid 2.6.18-1
CVE-2008-1532 -> perlbal itp
new low impact lighttpd issue (CVE-2008-1531)
CVE-2008-1374 does not affect cupsys in Debian, CVE-2008-1373 fixed in cupsys
1.3.7-1
otrs2 issue got CVE-2008-1515


Modified: data/CVE/list
==================================================================---
data/CVE/list	2008-04-10 18:50:52 UTC (rev 8506)
+++ data/CVE/list	2008-04-10 19:57:23 UTC (rev 8507)
@@ -48,6 +48,7 @@
 	NOT-FOR-US: Sun Solaris
 CVE-2008-1683 (xscreensaver on Fedora 8, when an NIS authentication server is
...)
 	- gnome-screensaver <unfixed> (low; bug #475154)
+	NOTE: dup of CVE-2008-0887
 	NOTE: the description seems wrong, this does not affect xscreensaver
 	NOTE: contacted mitre to update description
 CVE-2008-1682 (PHP remote file inclusion vulnerability in ...)
@@ -181,39 +182,39 @@
 CVE-2008-1619 (The ssm_i emulation in Xen 5.1 on IA64 architectures allows
attackers ...)
 	TODO: check
 CVE-2008-1618 (The PPTP VPN service in Watchguard Firebox before 10, when
performing ...)
-	TODO: check
+	NOT-FOR-US: Watchguard Firebox
 CVE-2008-1617 (Double free vulnerability in Web TransferCtrl Class 8,2,1,4 ...)
-	TODO: check
+	NOT-FOR-US: WorkSite Web
 CVE-2008-1616
 	RESERVED
 CVE-2008-1615
 	RESERVED
 CVE-2008-1614 (suPHP before 0.6.3 allows local users to gain privileges via (1)
a ...)
-	TODO: check
+	- suphp <unfixed> (low; bug #475431)
 CVE-2008-1613
 	RESERVED
 CVE-2008-1612 (The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17
allows ...)
-	TODO: check
+	- squid 2.6.18-1 (medium)
 CVE-2008-1611 (Stack-based buffer overflow in TFTP Server SP 1.4 for Windows
allows ...)
-	TODO: check
+	NOT-FOR-US: TFTP Server for Windows
 CVE-2008-1610 (Stack-based buffer overflow in TallSoft Quick TFTP Server Pro
2.1 ...)
-	TODO: check
+	NOT-FOR-US: TFTP Server Pro
 CVE-2008-1609 (Multiple PHP remote file inclusion vulnerabilities in just
another ...)
-	TODO: check
+	NOT-FOR-US: JAF CMS
 CVE-2008-1608 (SQL injection vulnerability in postview.php in Clever Copy 3.0
allows ...)
-	TODO: check
+	NOT-FOR-US: Clever Copy
 CVE-2008-1607 (SQL injection vulnerability in haberoku.php in Serbay Arslanhan
Bomba ...)
-	TODO: check
+	NOT-FOR-US: Serbay Arslanhan Bomba Haber
 CVE-2008-1606 (Multiple directory traversal vulnerabilities in Elastic Path
(EP) 4.1 ...)
-	TODO: check
+	NOT-FOR-US: Elastic Path
 CVE-2008-1605 (The (1) ltmmCaptureCtrl Class, (2) ltmmConvertCtrl Class, and
(3) ...)
-	TODO: check
+	NOT-FOR-US: LEADTOOLS
 CVE-2008-1604 (Cross-site scripting (XSS) vulnerability in PerlMailer before
3.02 ...)
-	TODO: check
+	NOT-FOR-US: PerlMailer
 CVE-2008-1603 (Cross-site scripting (XSS) vulnerability in GNB DesignForm
before 3.9 ...)
-	TODO: check
+	NOT-FOR-US: GNB DesignForm
 CVE-2008-1602 (Stack-based buffer overflow in Orbit downloader 2.6.3 and 2.6.4
allows ...)
-	TODO: check
+	NOT-FOR-US: Orbit downloader
 CVE-2003-1557 (Off-by-one buffer overflow in spamc of SpamAssassin 2.40 through
2.43, ...)
 	TODO: check
 CVE-2003-1556 (Cross-site scripting (XSS) vulnerability in cc_guestbook.pl in
CGI ...)
@@ -351,10 +352,10 @@
 CVE-2008-1533 (Unspecified vulnerability in the XML-RPC Blogger API plugin in
Joomla! ...)
 	- joomla <itp> (bug #326398)
 CVE-2008-1532 (Perlbal before 1.70, when buffered upload is enabled, allows
remote ...)
-	TODO: check
+	- perlbal <itp> (bug #456534)
 CVE-2008-1531 (lighttpd 1.4.19 and earlier allows remote attackers to cause a
denial ...)
 	{DSA-1540-1}
-	TODO: check
+	- lighttpd <unfixed> (low; bug #475438)
 CVE-2005-4874 (The XMLHttpRequest object in Mozilla 1.7.8 supports the HTTP
TRACE ...)
 	TODO: check
 CVE-2003-1555 (ScozNet ScozBook 1.1 BETA allows remote attackers to obtain
sensitive ...)
@@ -418,7 +419,11 @@
 CVE-2008-1516
 	RESERVED
 CVE-2008-1515 (The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before
2.2.6 ...)
-	TODO: check
+	- otrs2 2.2.5-2
+	[etch] - otrs2 <not-affected> (Vulnerable code not present)
+	[etch] - otrs <not-affected> (Vulnerable code not present)
+	[sarge] - otrs <not-affected> (Vulnerable code not present)
+	NOTE: http://packages.qa.debian.org/o/otrs2/news/20080320T211729Z.html
 CVE-2008-1514 (ptrace in Linux kernel 2.6.9 on Fedora 7 and 8 allows local
users to ...)
 	TODO: check
 	NOTE: s390 specific issue, counterpart for x86 not reproducible with 2.6.24
here
@@ -677,14 +682,9 @@
 CVE-2008-1502 (The _bad_protocol_once function in
phpgwapi/inc/class.kses.inc.php in ...)
 	- egroupware 1.4.002.dfsg-2.1 (bug #471839)
 	- wordpress 2.5.0-1
-CVE-2008-XXXX [OTRS osa-2008-01]
-	- otrs2 2.2.5-2
-	[etch] - otrs2 <not-affected> (Vulnerable code not present)
-	[etch] - otrs <not-affected> (Vulnerable code not present)
-	[sarge] - otrs <not-affected> (Vulnerable code not present)
-	NOTE: http://packages.qa.debian.org/o/otrs2/news/20080320T211729Z.html
 CVE-2008-1391 (Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x
and 7.x, ...)
-	TODO: check
+	- kfreebsd-6 <unfixed>
+	- kfreebsd-7 <unfixed>
 CVE-2008-1390 (The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before
...)
 	- asterisk <unfixed> (low)
 	[etch] - asterisk <not-affected> (Only 1.4.x affected)
@@ -722,9 +722,9 @@
 CVE-2008-1375
 	RESERVED
 CVE-2008-1374 (Integer overflow in pdftops filter in CUPS in Red Hat Enterprise
Linux ...)
-	TODO: check
+	- cupsys <not-affected> (Redhat-specific incomplete patch, upstream
patch is complete)
 CVE-2008-1373 (Buffer overflow in the gif_read_lzw in CUPS 1.3.6 allows remote
...)
-	TODO: check
+	- cupsys 1.3.7-1 (medium)
 CVE-2008-1372 (bzlib.c in bzip2 before 1.0.5 allows user-assisted remote
attackers to ...)
 	- bzip2 1.0.5-0.1 (bug #471670)
 CVE-2008-1371 (Absolute path traversal vulnerability in install/index.php in
Drake ...)
@@ -816,7 +816,7 @@
 	{DSA-1525-1}
 	- asterisk 1:1.4.18.1~dfsg-1 (medium)
 CVE-2008-1331 (Unspecified vulnerability in OmniPCX Office with Internet Access
...)
-	TODO: check
+	NOT-FOR-US: OmniPCX Office
 CVE-2008-1330 (Unspecified vulnerability in the Windows client API in Novell
...)
 	NOT-FOR-US: Novell Groupwise
 CVE-2008-1329 (Unspecified vulnerability in the NetBackup service in CA
ARCserve ...)
@@ -1231,7 +1231,7 @@
 CVE-2008-1157 (Cisco CiscoWorks Internetwork Performance Monitor (IPM) 2.6
creates a ...)
 	NOT-FOR-US: Cisco IPM
 CVE-2008-1156 (Unspecified vulnerability in the Multicast Virtual Private
Network ...)
-	TODO: check
+	NOT-FOR-US: Cisco IOS
 CVE-2008-1155
 	RESERVED
 CVE-2008-1154 (The Disaster Recovery Framework (DRF) master server in Cisco
Unified ...)
@@ -1241,7 +1241,7 @@
 CVE-2008-1152 (The data-link switching (DLSw) component in Cisco IOS 12.0
through ...)
 	NOT-FOR-US: Cisco IOS
 CVE-2008-1151 (Memory leak in the virtual private dial-up network (VPDN)
component in ...)
-	TODO: check
+	NOT-FOR-US: Cisco IOS
 CVE-2008-1150 (The virtual private dial-up network (VPDN) component in Cisco
IOS ...)
 	NOT-FOR-US: Cisco IOS
 CVE-2008-1149 (phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some
parameters ...)
@@ -1581,27 +1581,27 @@
 CVE-2008-1024
 	RESERVED
 CVE-2008-1023 (Heap-based buffer overflow in Clip opcode parsing in Apple
QuickTime ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1022 (Stack-based buffer overflow in Apple QuickTime before 7.4.5
allows ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1021 (Heap-based buffer overflow in Animation codec content handling
in ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1020 (Heap-based buffer overflow in quickTime.qts in Apple QuickTime
before ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1019 (Heap-based buffer overflow in quickTime.qts in Apple QuickTime
before ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1018 (Heap-based buffer overflow in Apple QuickTime before 7.4.5
allows ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1017 (Heap-based buffer overflow in clipping region (aka crgn) atom
handling ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1016 (Apple QuickTime before 7.4.5 does not properly handle movie
media ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1015 (Buffer overflow in the data reference atom handling in Apple
QuickTime ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1014 (Apple QuickTime before 7.4.5 does not properly handle external
URLs in ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1013 (Apple QuickTime before 7.4.5 enables deserialization of QTJava
objects ...)
-	TODO: check
+	NOT-FOR-US: Apple QuickTime
 CVE-2008-1012 (Unspecified vulnerability in Apple AirPort Extreme Base Station
...)
 	NOT-FOR-US: Apple AirPort 
 CVE-2008-1011 (Cross-site scripting (XSS) vulnerability in WebKit, as used in
Apple ...)
@@ -1789,7 +1789,7 @@
 CVE-2008-0925
 	RESERVED
 CVE-2008-0924 (Stack-based buffer overflow in the DoLBURPRequest function in
libnldap ...)
-	TODO: check
+	NOT-FOR-US: Novell eDirectory
 CVE-2008-0923 (Directory traversal vulnerability in the Shared Folders feature
for ...)
 	- vmware-package <not-affected> (Only vulnerable on windows hosted
systems)
 CVE-2008-0922 (SQL injection vulnerability in the Manuales 0.1 module for
PHP-Nuke ...)
@@ -1864,7 +1864,10 @@
 	{DSA-1522-1}
 	- unzip 5.52-11
 CVE-2008-0887 (gnome-screensaver before 2.22.1, when a remote authentication
server ...)
-	TODO: check
+	- gnome-screensaver <unfixed> (low; bug #475154)
+	NOTE: dup of CVE-2008-1683
+	NOTE: the description seems wrong, this does not affect xscreensaver
+	NOTE: contacted mitre to update description
 CVE-2008-0886
 	REJECTED
 CVE-2008-0885
Secure testing commits - Apr 2008 - r8507 - data/CVE

[Secure-testing-commits] r8507 - data/CVE
