NFUs

CVE-2007-5246, CVE-2007-5245 firebird2.0/firebird1.5 not-affected
CVE-2007-5232, CVE-2007-523[7-9], CVE-2007-5240 fixed in sun-java6 6-03-1 and sun-java5 1.5.0-13-1
CVE-2007-5236 sun-java6 and sun-java5 not-affected
CVE-2007-5228 drupal not-affected
new issue: CVE-2007-5226 dircproxy
CVE-2004-2714 wmaker not-affected
CVE-2004-2705 pvpgn not-affected
CVE-2004-2698 imwheel not-affected
CVE-2001-1585 openssh not-affected
new issue: CVE-2007-4974 ardour


git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@6870 e39458fd-73e7-0310-bf30-c45bca0a0e42

4 files changed, 97 insertions, 85 deletions

diff --git a/data/CVE/2001.list b/data/CVE/2001.list
index ed1f6b464b..af330903cc 100644
--- a/data/CVE/2001.list
+++ b/data/CVE/2001.list
@@ -1,7 +1,7 @@
 CVE-2001-1585 (SSH protocol 2 (aka SSH-2) public key authentication in the ...)
-	TODO: check
+	- openssh <not-affected> (fixed in 2001)
 CVE-2001-1584 (CardBoard 2.4 greeting card CGI by Michael Barretto allows remote ...)
-	TODO: check
+	NOT-FOR-US: CardBoard
 CVE-2001-1583 (lpd daemon (in.lpd) in Solaris 8 and earlier allows remote attackers ...)
 	NOT-FOR-US: Solaris
 CVE-2001-1582 (Buffer overflow in the LDAP naming services library (libsldap) in Sun ...)
diff --git a/data/CVE/2004.list b/data/CVE/2004.list
index 75b2c370a1..3c582c7917 100644
--- a/data/CVE/2004.list
+++ b/data/CVE/2004.list
@@ -1,79 +1,80 @@
 CVE-2004-2725 (Multiple cross-site scripting (XSS) vulnerabilities in Aztek Forum 4.0 ...)
-	TODO: check
+	NOT-FOR-US: Aztek Forum
 CVE-2004-2724 (LionMax Software Chat Anywhere 2.72a allows remote attackers to cause ...)
-	TODO: check
+	NOT-FOR-US: Chat Anywhere
 CVE-2004-2723 (NessusWX 1.4.4 stores account passwords in plaintext in .session ...)
-	TODO: check
+	NOT-FOR-US: NessusWXdd
 CVE-2004-2722 (** DISPUTED ** ...)
-	TODO: check
+	- nessus <unfixed> (unimportant)
+	NOTE: this is no security issue assuming correct permissions
 CVE-2004-2721 (The CheckGroup function in openSkat VTMF before 2.1 generates public ...)
-	TODO: check
+	NOT-FOR-US: openSkat
 CVE-2004-2720 (Cross-site scripting (XSS) vulnerability in register.asp in Snitz ...)
-	TODO: check
+	NOT-FOR-US: Snitz Forums
 CVE-2004-2719 (Buffer overflow in the UrlToLocal function in PunyLib.dll of Foxmail ...)
-	TODO: check
+	NOT-FOR-US: Foxmail
 CVE-2004-2718 (PHPMyChat 0.14.5 does not remove or protect setup.php3 after ...)
-	TODO: check
+	NOT-FOR-US: PHPMyChat
 CVE-2004-2717 (Multiple directory traversal vulnerabilities in admin.php3 in ...)
-	TODO: check
+	NOT-FOR-US: PHPMyChat
 CVE-2004-2716 (Multiple SQL injection vulnerabilities in usersL.php3 in PHPMyChat ...)
-	TODO: check
+	NOT-FOR-US: PHPMyChat
 CVE-2004-2715 (edituser.php3 in PHPMyChat 0.14.5 allow remote attackers to bypass ...)
-	TODO: check
+	NOT-FOR-US: PHPMyChat
 CVE-2004-2714 (Unspecified vulnerability in Window Maker 0.80.2 and earlier allows ...)
-	TODO: check
+	- wmaker <not-affected> (Was fixed in version 0.90 of window maker)
 CVE-2004-2713 (** DISPUTED ** ...)
-	TODO: check
+	NOT-FOR-US: ZoneAlarm
 CVE-2004-2712 (Buffer overflow in Gyach Enhanced (Gyach-E) before 1.0.0-SneakPeek-3 ...)
-	TODO: check
+	NOT-FOR-US: Gyach-E
 CVE-2004-2711 (Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.2 ...)
-	TODO: check
+	NOT-FOR-US: Gyach-E
 CVE-2004-2710 (Multiple buffer overflows in Gyach Enhanced (Gyach-E) before 1.0.3 ...)
-	TODO: check
+	NOT-FOR-US: Gyach-E
 CVE-2004-2709 (Buffer overflow in the strip_html_tags method for Gyach Enhanced ...)
-	TODO: check
+	NOT-FOR-US: Gyach-E
 CVE-2004-2708 (Gyach Enhanced (Gyach-E) before 1.0.0 stores passwords in plaintext, ...)
-	TODO: check
+	NOT-FOR-US: Gyach-E
 CVE-2004-2707 (Multiple unspecified vulnerabilities in Gyach Enhanced (Gyach-E) ...)
-	TODO: check
+	NOT-FOR-US: Gyach-E
 CVE-2004-2706 (Unspecified vulnerability in Gyach Enhanced (Gyach-E) before 1.0.4 ...)
-	TODO: check
+	NOT-FOR-US: Gyach-E
 CVE-2004-2705 (Unspecified vulnerability in Player vs. Player Gaming Network (PvPGN) ...)
-	TODO: check
+	- pvpgn <not-affected> (was already fixed in 1.6.4+20040826-1)
 CVE-2004-2704 (Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier (development) ...)
-	TODO: check
+	NOT-FOR-US: Hastymail
 CVE-2004-2703 (Clearswift MIMEsweeper 5.0.5, when it has been upgraded from ...)
-	TODO: check
+	NOT-FOR-US: MIMEsweeper
 CVE-2004-2702 (Cross-site scripting (XSS) vulnerability in login_up.php3 in Plesk 7.0 ...)
-	TODO: check
+	NOT-FOR-US: Plesk
 CVE-2004-2701 (Cross-site scripting (XSS) vulnerability in signin.aspx for ...)
-	TODO: check
+	NOT-FOR-US: AspDotNetStorefront
 CVE-2004-2700 (Unrestricted file upload vulnerability in AspDotNetStorefront 3.3 ...)
-	TODO: check
+	NOT-FOR-US: AspDotNetStorefront
 CVE-2004-2699 (deleteicon.aspx in AspDotNetStorefront 3.3 allows remote attackers to ...)
-	TODO: check
+	NOT-FOR-US: AspDotNetStorefront
 CVE-2004-2698 (Race condition in IMWheel 1.0.0pre11 and earlier, when running with ...)
-	TODO: check
+	- imwheel <not-affected> (This was already fixed two years ago in 1.0.0pre12-1)
 CVE-2004-2697 (The Inventory Scout daemon (invscoutd) 1.3.0.0 and 2.0.2 for AIX 4.3.3 ...)
-	TODO: check
+	NOT-FOR-US: InvScoutd
 CVE-2004-2696 (BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, when using ...)
-	TODO: check
+	NOT-FOR-US: BEA WebLogic
 CVE-2004-2695 (SQL injection vulnerability in the Authorize.net callback code ...)
-	TODO: check
+	NOT-FOR-US: vBulletin
 CVE-2004-2694 (Microsoft Outlook Express 6.0 allows remote attackers to bypass ...)
-	TODO: check
+	NOT-FOR-US: Outlook
 CVE-2004-2693 (HP-UX B.11.00 and B.11.11 with B6848AB GTK+ Support Libraries ...)
-	TODO: check
+	NOT-FOR-US: HP-UX
 CVE-2004-2692 (The exec_dir PHP patch (php-exec-dir) 4.3.2 through 4.3.7 with safe ...)
-	TODO: check
+	NOT-FOR-US: php-exec-dir patch
 CVE-2004-2691 (Unspecified vulnerability in 3Com SuperStack 3 4400 switches with ...)
-	TODO: check
+	NOT-FOR-US: 3Com firmware
 CVE-2004-2690 (Unrestricted file upload vulnerability in the Administration Panel for ...)
-	TODO: check
+	NOT-FOR-US: NewsPHP
 CVE-2004-2689 (NewsPHP allows remote attackers to gain unauthorized administrative ...)
-	TODO: check
+	NOT-FOR-US: NewsPHP
 CVE-2004-2688 (Cross-site scripting (XSS) vulnerability in index.php in NewsPHP ...)
-	TODO: check
+	NOT-FOR-US: NewsPHP
 CVE-2004-2687 (distcc 2.x, as used in XCode 1.5 and others, when not configured to ...)
 	- distcc 2.18.1-1 (low)
 	NOTE: since 2.18.1-1 there is the --allow switch to control network access
diff --git a/data/CVE/2005.list b/data/CVE/2005.list
index 80f0bd245c..4052008fb9 100644
--- a/data/CVE/2005.list
+++ b/data/CVE/2005.list
@@ -1,21 +1,21 @@
 CVE-2005-4871 (Certain XML functions in IBM DB2 8.1 run with the privileges of DB2 ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4870 (Stack-based buffer overflows in the (1) xmlvarcharfromfile, (2) ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4869 (The (1) to_char and (2) to_date function in IBM DB2 8.1 allows local ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4868 (Shared memory sections and events in IBM DB2 8.1 have default ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4867 (Stack-based buffer overflow in the SATENCRYPT function in IBM DB2 8.1, ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4866 (Stack-based buffer overflow in JDBC Applet Server in IBM DB2 8.1 ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4865 (Stack-based buffer overflow in call in IBM DB2 7.x and 8.1 allows ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4864 (Stack-based buffer overflow in libdb2.so in IBM DB2 7.x and 8.1 allows ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4863 (Stack-based buffer overflow in db2fmp in IBM DB2 7.x and 8.1 allows ...)
-	TODO: check
+	NOT-FOR-US: IBM DB2
 CVE-2005-4862 (The search functionality in XWiki 0.9.793 indexes cleartext user ...)
 	NOT-FOR-US: Xwiki
 CVE-2005-4861 (functions.php in Ragnarok Online Control Panel (ROCP) 4.3.4a allows ...)
diff --git a/data/CVE/2007.list b/data/CVE/2007.list
index 146fc7734c..311e34fad0 100644
--- a/data/CVE/2007.list
+++ b/data/CVE/2007.list
@@ -1,75 +1,85 @@
 CVE-2007-5261 (Multiple SQL injection vulnerabilities in MultiCart 1.0 allow remote ...)
-	TODO: check
+	NOT-FOR-US: MultiCart
 CVE-2007-5260 (ASP-CMS 1.0 stores sensitive information under the web root with ...)
-	TODO: check
+	NOT-FOR-US: ASP-CMS
 CVE-2007-5259 (Cross-site request forgery (CSRF) vulnerability in Ilient SysAid ...)
-	TODO: check
+	NOT-FOR-US: SysAid
 CVE-2007-5258 (PHP remote file inclusion vulnerability in log.php in phpFreeLog alpha ...)
-	TODO: check
+	NOT-FOR-US: FreeLog
 CVE-2007-5257 (Stack-based buffer overflow in the EDraw.OfficeViewer ActiveX control ...)
-	TODO: check
+	NOT-FOR-US: EDraw Office Viewer
 CVE-2007-5256 (Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and ...)
-	TODO: check
+	NOT-FOR-US: FSD
 CVE-2007-5255 (Cross-site scripting (XSS) vulnerability in Google Mini Search ...)
-	TODO: check
+	NOT-FOR-US: Google Mini Search Appliance
 CVE-2007-5254 (VirusBlokAda Vba32 AntiVirus 3.12.2 uses weak permissions ...)
-	TODO: check
+	NOT-FOR-US: VirusBlokAda Vba32 AntiVirus
 CVE-2007-5253 (c32web.exe in McMurtrey/Whitaker Cart32 before 6.4 allows remote ...)
-	TODO: check
+	NOT-FOR-US: Cart32
 CVE-2007-5252 (Buffer overflow in NetSupport Manager (NSM) Client 10.00 and 10.20, ...)
-	TODO: check
+	NOT-FOR-US: NetSupport Manager/School Student
 CVE-2007-5251 (Multiple cross-site scripting (XSS) vulnerabilities in Helm 3.2.16 ...)
-	TODO: check
+	NOT-FOR-US: Helm
 CVE-2007-5250 (The Windows dedicated server for the Unreal engine, as used by ...)
-	TODO: check
+	NOT-FOR-US: Americas Army
 CVE-2007-5249 (Multiple buffer overflows in the logging function in the Unreal ...)
-	TODO: check
+	NOT-FOR-US: Americas Army
 CVE-2007-5248 (Multiple format string vulnerabilities in the ID Software Doom 3 ...)
-	TODO: check
+	NOT-FOR-US: Doom 3 engine
 CVE-2007-5247 (Multiple format string vulnerabilities in the Monolith Lithtech ...)
-	TODO: check
+	NOT-FOR-US: Monolith engine
 CVE-2007-5246 (Multiple stack-based buffer overflows in Firebird LI 2.0.0.12748 and ...)
-	TODO: check
+	- firebird2.0 <not-affected> (current version in unstable/testing already has fix)
+	- firebird1.5 <not-affected> (current version in unstable/testing already has fix)
 CVE-2007-5245 (Multiple stack-based buffer overflows in Firebird LI 1.5.3.4870 and ...)
-	TODO: check
+	- firebird2.0 <not-affected> (current version in unstable/testing already has fix)
+	- firebird1.5 <not-affected> (current version in unstable/testing already has fix)
 CVE-2007-5244 (Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through ...)
-	TODO: check
+	NOT-FOR-US: Borland InterBase
 CVE-2007-5243 (Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 ...)
-	TODO: check
+	NOT-FOR-US: Borland InterBase
 CVE-2007-5242 (Unspecified vulnerability in (1) SYS$EI1000.EXE and (2) ...)
-	TODO: check
+	NOT-FOR-US: HP OpenVMS
 CVE-2007-5241 (Buffer overflow in NET$CSMACD.EXE in HP OpenVMS 8.3 and earlier allows ...)
-	TODO: check
+	NOT-FOR-US: HP OpenVMS
 CVE-2007-5240 (Visual truncation vulnerability in the Java Runtime Environment in Sun ...)
-	TODO: check
+	- sun-java6 6-03-1 (low)
+	- sun-java5 1.5.0-13-1 (low)
 CVE-2007-5239 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...)
-	TODO: check
+	- sun-java6 6-03-1 (low)
+	- sun-java5 1.5.0-13-1 (low)
 CVE-2007-5238 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE ...)
-	TODO: check
+	- sun-java6 6-03-1 (low)
+	- sun-java5 1.5.0-13-1 (low)
 CVE-2007-5237 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not ...)
-	TODO: check
+	- sun-java6 6-03-1 (medium)
+	- sun-java5 1.5.0-13-1 (medium)
 CVE-2007-5236 (Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK ...)
-	TODO: check
+	- sun-java6 <not-affected> (Windows only)
+	- sun-java5 <not-affected> (Windows only)
 CVE-2007-5235 (Cross-site scripting (XSS) vulnerability in index.php in Uebimiau ...)
-	TODO: check
+	NOT-FOR-US: Uebimiau
 CVE-2007-5234 (PHP remote file inclusion vulnerability in upload/common/footer.php in ...)
-	TODO: check
+	NOT-FOR-US: Ossigeno CMS
 CVE-2007-5233 (SQL injection vulnerability in index.php in Web Template Management ...)
-	TODO: check
+	NOT-FOR-US: Web Template Management System
 CVE-2007-5232 (Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and ...)
-	TODO: check
+	- sun-java6 6-03-1 (low)
+	- sun-java5 1.5.0-13-1 (low)
 CVE-2007-5231 (Unrestricted file upload vulnerability in admin/upload_files.php in ...)
-	TODO: check
+	NOT-FOR-US: Zomplog
 CVE-2007-5230 (admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for ...)
-	TODO: check
+	NOT-FOR-US: Zomplog
 CVE-2007-5229 (Cross-site request forgery (CSRF) vulnerability in the FeedBurner ...)
-	TODO: check
+	NOT-FOR-US: FeedBurner FeedSmith wordpress plugin
 CVE-2007-5228 (Cross-site scripting (XSS) vulnerability in the subscription ...)
-	TODO: check
+	- drupal <not-affected> (does not shipt this module)
 CVE-2007-5227 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
-	TODO: check
+	NOT-FOR-US: BlackBoard Learning System
 CVE-2007-5226 (irc_server.c in dircproxy 1.2.0 and earlier allows remote attackers to ...)
-	TODO: check
+	- dircproxy <unfixed> (medium; bug #445883)
+	NOTE: the issue itself is of a very low impact but since this also means to lose data here
+	NOTE: I think it is medium
 CVE-2007-5225 (Integer signedness error in FIFO filesystems (named pipes) on Sun ...)
 	NOT-FOR-US: Sun Solaris
 CVE-2007-5224 (inc/exif.inc.php in Original Photo Gallery 0.11.2 and earlier allows ...)
@@ -606,6 +616,7 @@ CVE-2007-4975 (Cross-site scripting (XSS) vulnerability in hilfe.php in b1gMail
 	NOT-FOR-US: b1gMail
 CVE-2007-4974 (Heap-based buffer overflow in libsndfile 1.0.17 and earlier might ...)
 	- libsndfile 1.0.17-4 (bug #443386; medium)
+	- ardour <unfixed> (medium; bug #445889)
 CVE-2007-4973
 	RESERVED
 CVE-2007-4972 (RegMon 7.04 does not properly validate certain parameters to System ...)