diff options
author | Moritz Muehlenhoff <jmm@debian.org> | 2006-08-23 20:45:52 +0000 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2006-08-23 20:45:52 +0000 |
commit | a654bba130ef3829355aca711a065a60704615b7 (patch) | |
tree | b8f3c142284cd0eaaaee0ad623e110412cc59888 /data/CVE | |
parent | 02b4a6a8ac0a96baf2f0c2e8b57fc9b6397123c8 (diff) |
spring cleanup:
syslog-ng not-affected
removed gjay, a bug, not a security problem
removed bogus python issue
libpam-opie unimportant
mutt unimportant
vipw not exploitable
no-dsa for several minor issues
kmail issue is an inherent design problem
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@4616 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data/CVE')
-rw-r--r-- | data/CVE/2001.list | 4 | ||||
-rw-r--r-- | data/CVE/2005.list | 24 | ||||
-rw-r--r-- | data/CVE/2006.list | 16 |
3 files changed, 24 insertions, 20 deletions
diff --git a/data/CVE/2001.list b/data/CVE/2001.list index 0b95421b24..b3155bc5e4 100644 --- a/data/CVE/2001.list +++ b/data/CVE/2001.list @@ -206,7 +206,9 @@ CVE-2001-1487 (popauth utility in Qualcomm Qpopper 4.0 and earlier allows local CVE-2001-1484 (Alcatel ADSL modems allow remote attackers to access the Trivial File ...) NOT-FOR-US: Alcatel hardware issue CVE-2001-1483 (One-Time Passwords In Everything (a.k.a OPIE) 2.32 and 2.4 allows ...) - - libpam-opie <unfixed> (bug #112279; low) + - libpam-opie <unfixed> (bug #112279; unimportant) + NOTE: This is documented and not really important. In contrast to passwords + NOTE: used by humans [sarge] - libpam-opie <no-dsa> (Documented shortcoming, minor impact) CVE-2001-1482 (SQL injection vulnerability in bb_memberlist.php for phpBB 1.4.2 ...) NOTE: phpbb was initially uploaded as version 2 or phpbb has been removed now diff --git a/data/CVE/2005.list b/data/CVE/2005.list index 3808e1418d..976daf8109 100644 --- a/data/CVE/2005.list +++ b/data/CVE/2005.list @@ -3940,7 +3940,7 @@ CVE-2005-XXXX [coreutils ignores umask when using -m in mkdir, mkfifo and mknod] [sarge] - coreutils <no-dsa> (Minor issue, hardly exploitable) [woody] - coreutils <no-dsa> (Minor issue, hardly exploitable) CVE-2005-XXXX [tar's rmt command may have undesired side effects] - - tar <unfixed> (bug #290435; low) + - tar <unfixed> (bug #290435; unimportant) [sarge] - tar <no-dsa> (Hardly exploitable) CVE-2005-XXXX [smbmount doesn't honor gid/uid with kernel 2.4] - kernel-source-2.4.27 <unfixed> (bug #310982; low) @@ -5561,10 +5561,11 @@ CVE-2005-XXXX [clamav-getfile: Insecure use of temporary files] CVE-2005-3254 (The CGIwrap program before 3.9 on Debian GNU/Linux uses an incorrect ...) {DTSA-6-1} - cgiwrap 3.9-3.1 (bug #316881; low) - NOTE: Sarge and Woody affected + [sarge] - cgiwrap <no-dsa> (Minor impact) CVE-2005-3255 (The (1) cgiwrap and (2) php-cgiwrap packages before 3.9 in Debian ...) {DTSA-6-1} - cgiwrap 3.9-3.1 (bug #316901; low) + [sarge] - cgiwrap <no-dsa> (Minor information disclosure, only debugging libs) CVE-2005-2550 (Format string vulnerability in Evolution 1.4 through 2.3.6.1 allows ...) {DSA-1016-1 DTSA-13-1} - evolution 2.2.3-3 (high; bug #322535) @@ -5985,8 +5986,10 @@ CVE-2005-XXXX [Integer overflow in ffmpeg's MPEG encoding] - ffmpeg 0.cvs20050811-1 (bug #320150; medium) CVE-2005-XXXX [xgalaga score file segfault] - xgalaga 2.0.34-31 (bug #319686; low) + [sarge] - xgalaga <no-dsa> (Minor issue) CVE-2005-XXXX [xemeraldia games file overwrite] - xemeraldia 0.4-1 (bug #319661; low) + [sarge] -xemeraldia <no-dsa> (Very minor issue) CVE-2005-2335 (Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows ...) {DSA-774-1} NOTE: previous fix in -15 was broken @@ -6464,6 +6467,7 @@ CVE-2005-2096 (zlib 1.2 and later versions allows remote attackers to cause a de NOTE: see dannf's first bug comment; systemimager-ssh doesn't use compression [woody] - texmacs <not-affected> (Woody contains zlib 1.1, which is not affected) - texmacs 1:1.0.5-3 (bug #318100; medium) + [sarge] - texmacs <no-dsa> (Hardly exploitable) - zlib 1:1.2.2-7 (bug #317133; medium) - pvpgn 1.7.8-2 (bug #332236; unknown) - mysql-dfsg-4.1 (bug #319858; unimportant) @@ -7257,8 +7261,9 @@ CVE-2005-XXXX [Unspecified issue in moodle's admin/delete.php] - moodle 1.4.4.dfsg.1-3 CVE-2005-2351 [Minor DoS condition in mutt due to preditable tempfiles] RESERVED - - mutt <unfixed> (bug #311296; low) + - mutt <unfixed> (bug #311296; unimportant) [sarge] - mutt <no-dsa> (Minor annoyance, not a real DoS) + NOTE: An "attacker" could achieve the same by simply filling up /tmp CVE-2005-XXXX [gforge arbitrary code execution through viewFile.php] NOTE: viewFile.php has been removed along with other files in -26, so Debian is NOTE: no longer affected. @@ -8151,8 +8156,6 @@ CVE-2005-XXXX [Insecure mailbox generation in passwd's useradd] - shadow 4.0.8 [sarge] - shadow <not-affected> (was introduced after version 4.0.3) [woody] - shadow <not-affected> (was introduced after version 4.0.3) -CVE-2005-XXXX [Insecure tempfile generation in shadow's vipw] - - shadow 1:4.0.3-33 CVE-2005-1364 (Multiple SQL injection vulnerabilities in MetaBid Auctions allow ...) NOT-FOR-US: MetaBid Auctions CVE-2005-1363 (Multiple SQL injection vulnerabilities in MetaCart 2.0 for PayFlow ...) @@ -10309,15 +10312,12 @@ CVE-2005-0406 (A design flaw in image processing software that modifies JPEG ima CVE-2005-0405 RESERVED CVE-2005-0404 (KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email ...) - NOTE: see http://mail.kde.org/pipermail/kmail-devel/2005-February/015490.html NOTE: see http://bugs.kde.org/show_bug.cgi?id=96020 - NOTE: see http://www.securiteam.com/unixfocus/5GP0B0AFFE.html - NOTE: see http://secunia.com/advisories/14925 - NOTE: kde maintainers informed of it by security team - - kdepim <unfixed> (bug #305601; low) + - kdepim 3.4-1 (bug #305601; low) [sarge] - kdepim <no-dsa> (Hardly exploitable) - NOTE: On woody, kmail is part of kdenetwork, but there is no GnuPG - NOTE: support, so this issue is not very important. + NOTE: According to the KDE bug the URL bar in 3.4 cannot be manipulated. Kmail also + NOTE: warns that HTML mails introduce the risk of phishing. This could as well + NOTE: be unimportant CVE-2005-0403 (init_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat ...) - glibc <not-affected> (Specific to the NPTL backport for RHEL 3) CVE-2005-0402 (Firefox before 1.0.2 allows remote attackers to execute arbitrary code ...) diff --git a/data/CVE/2006.list b/data/CVE/2006.list index f11f68e54e..2474e98fd2 100644 --- a/data/CVE/2006.list +++ b/data/CVE/2006.list @@ -931,7 +931,8 @@ CVE-2006-3839 CVE-2006-3838 (Multiple stack-based buffer overflows in eIQnetworks Enterprise ...) NOT-FOR-US: eIQnetworks Enterprise CVE-2006-XXXX [syslog-ng dos] - - syslog-ng 2.0rc1-2 + - syslog-ng 2.0rc1-2 (low) + [sarge] - syslog-ng <not-affected> (Vulnerable code not present) CVE-2006-XXXX [courier-authdaemon: wrong socket permissions may lead to password disclosure] - courier-authlib 0.58-3.1 (bug #378571; medium) [sarge] - courier-authlib <not-affected> (bug #378571; medium) @@ -939,8 +940,6 @@ CVE-2006-4046 (Multiple stack-based buffer overflows in Open Cubic Player 2.6.0p - ocp 0.1.10rc6-1 (medium; bug #381098) CVE-2006-XXXX [uqwk buffer overflow] - uqwk 2.21-13 (bug #376577; medium) -CVE-2006-XXXX [gjay buffer overrun] - - gjay 0.2.8.3-5 (bug #361056) CVE-2006-XXXX [Webalizer buffer overflows] - webalizer <unfixed> (unknown) NOTE: 11_various_buffer_overflows should be reviewed for exploitability @@ -3376,6 +3375,7 @@ CVE-2006-2770 (Directory traversal vulnerability in randompic.php in pppBLOG 0.3 NOT-FOR-US: pppBLOG CVE-2006-2769 (The HTTP Inspect preprocessor (http_inspect) in Snort 2.4.0 through ...) - snort 2.3.3-8 (low; bug #381726) + [sarge] - snort <no-dsa> (Minor impact) CVE-2006-2768 (PHP remote file inclusion vulnerability in METAjour 2.1, when ...) NOT-FOR-US: METAjour CVE-2006-2767 (PHP remote file inclusion vulnerability in Ottoman 1.1.2, when ...) @@ -6186,14 +6186,15 @@ CVE-2006-1544 (Multiple cross-site scripting (XSS) vulnerabilities in news.php i CVE-2006-1543 (Multiple SQL injection vulnerabilities in vscripts (aka Kuba ...) NOT-FOR-US: VNews CVE-2006-1542 (Stack-based buffer overflow in Python 2.4.2 and earlier, running on ...) - - python2.3 <unfixed> - - python2.4 <unfixed> + NOT-FOR-US: Bogus issue, this doesn't trigger any local overflow + NOTE: Should be rejected CVE-2006-1541 (SQL injection vulnerability in Default.asp in EzASPSite 2.0 RC3 and ...) NOT-FOR-US: EzASPSite CVE-2006-1540 (MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 ...) NOT-FOR-US: Microsoft CVE-2006-1539 (Multiple buffer overflows in the checkscores function in scores.c in ...) - bsdgames 2.17-6 (bug #361160) + [sarge] - bsdgames <no-dsa> (Minor impact) CVE-2006-1538 (The Enova X-Wall ASIC encrypts with a key obtained via Microwire from ...) NOT-FOR-US: Enova X-Wall ASIC CVE-2006-1537 (Craig Knudsen WebCalendar 1.1.0-CVS allows remote attackers to obtain ...) @@ -7062,6 +7063,7 @@ CVE-2006-1151 (Cross-site scripting vulnerability in index.php in M-Phorum 0.2 a NOT-FOR-US: M-Phorum CVE-2006-1150 (Buffer overflow in Tenes Empanadas Graciela (TEG) 0.11.1, ...) - teg 0.11.1-3 (bug #357645; low) + [sarge] - teg <no-dsa> (Only DoS against exotic, mostly single player game) CVE-2006-1149 (PHP remote file inclusion vulnerability in lib/OWL_API.php in OWL ...) NOT-FOR-US: OWL Intranet Engine CVE-2006-1148 (Multiple stack-based buffer overflows in the procConnectArgs function ...) @@ -8218,8 +8220,8 @@ CVE-2006-0637 (Buffer overflow in cram.dll in QUALCOMM Eudora WorldMail 3.0 allo CVE-2006-0636 (desktop.php in eyeOS 0.8.9 and earlier tests for the existence of the ...) NOT-FOR-US: eyeOS CVE-2006-0635 (Tiny C Compiler (TCC) 0.9.23 (aka TinyCC) evaluates the ...) - - tcc <unfixed> (bug #352202; medium) - NOTE: Sarge status not yet analysed + - tcc <unfixed> (bug #352202; low) + [sarge] - tcc <no-dsa> (Only incorrect code gen, hardly any production use) CVE-2006-0634 (Borland C++Builder 6 (BCB6) with Update Pack 4 Enterprise edition ...) NOT-FOR-US: Borland C++Builder CVE-2006-0633 (The make_password function in ipsclass.php in Invision Power Board ...) |