[Secure-testing-commits] r1712 - in data: . CAN

2005-08-29 Thread Moritz Muehlenhoff
Author: jmm-guest
Date: 2005-08-29 07:40:19 + (Mon, 29 Aug 2005)
New Revision: 1712

Modified:
   data/CAN/list
   data/embedded-code-copies
Log:
poppler embeds xpdf code as well


Modified: data/CAN/list
===
--- data/CAN/list   2005-08-28 21:14:17 UTC (rev 1711)
+++ data/CAN/list   2005-08-29 07:40:19 UTC (rev 1712)
@@ -2543,6 +2543,7 @@
- gpdf (unfixed; low)
NOTE: only affects source package, not used in binary
- cupsys (unfixed; bug #324464; low)
+   - poppler 0.4.0-1 (low)
 CAN-2005-2096 (Buffer overflow in zlib 1.2 and later versions allows remote 
attackers ...)
{DSA-740-1}
NOTE: Several packages ship embedded copies of zlib, there are a lot 
probably more
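Review bot: the new poppler line records 0.4.0-1 as the fixed version but gives no bug number and no NOTE about the embedded xpdf copy, while the neighbouring gpdf entry explains its status ("only affects source package, not used in binary"); a similar NOTE stating whether poppler 0.4.0-1 actually carries the xpdf fix would make the entry verifiable from the file alone.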

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2005-08-28 21:14:17 UTC (rev 1711)
+++ data/embedded-code-copies   2005-08-29 07:40:19 UTC (rev 1712)
@@ -6,9 +6,9 @@
 pdftohtml
 kdegraphics/kpdf
 tetex-bin
-cupsys (only older releases, recent ones use xpdf-utils)
+cupsys (only older releases, recent ones use xpdf-utils, it's still present in 
the src, though)
+poppler
 
-
 zlib code: (separate between 1.2 and 1.1)
 dpkg
 rsync
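Review bot: the amended cupsys line now says the xpdf code is "still present in the src, though", which is the same source-only situation the gpdf entry in data/CAN/list describes; if source-only copies are meant to be listed, saying so once at the head of the xpdf section would be clearer than qualifying each package. The new "poppler" line has no such qualifier, so a reader cannot tell whether its copy is built into the binaries.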


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r1713 - in data: CAN DSA

2005-08-29 Thread Moritz Muehlenhoff
Author: jmm-guest
Date: 2005-08-29 14:26:03 + (Mon, 29 Aug 2005)
New Revision: 1713

Modified:
   data/CAN/list
   data/DSA/list
Log:
drupal fixed
new kismet dsa


Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 07:40:19 UTC (rev 1712)
+++ data/CAN/list   2005-08-29 14:26:03 UTC (rev 1713)
@@ -813,7 +813,7 @@
 CAN-2005-2499 (slocate before 2.7 does not properly process very long paths, 
which ...)
- slocate (unfixed; bug #324951; low)
 CAN-2005-2498 (Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier 
(PEAR ...)
-   - drupal (unfixed; bug #323347; high)
+   - drupal 4.5.5-1 (bug #323347; high)
- phpgroupware (unfixed; bug #323349; high)
- egroupware (unfixed; bug #323350; high)
TODO: phpwiki has disabled the XMLRPC in the last upload, it orphaned 
as well, should be fixed anyway
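Review bot: drupal is changed from "unfixed" to fixed in 4.5.5-1 while the entry keeps "bug #323347" with no indication that the bug was closed; from this line alone a reviewer cannot tell whether 4.5.5-1 actually addresses CAN-2005-2498 (the later r1716 log on this page asks exactly that: "Bug is still open"). Citing the closing changelog entry or adding a NOTE would settle it.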

Modified: data/DSA/list
===
--- data/DSA/list   2005-08-29 07:40:19 UTC (rev 1712)
+++ data/DSA/list   2005-08-29 14:26:03 UTC (rev 1713)
@@ -1,3 +1,7 @@
+[29 Aug 2005] DSA-788-1 kismet - several
+   {CAN-2005-2626 CAN-2005-2627}
+   - kismet 2005.08.R1-1 (medium)
+   NOTE: not fixed in testing at time of DSA (glibc transition)
 [26 Aug 2005] DSA-787-1 backup-manager - insecure permissions and tempfile
{CAN-2005-1855 CAN-2005-1856}
- backup-manager 0.5.8-2 (medium)
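Review bot: the new DSA-788-1 entry lists CAN-2005-2626 and CAN-2005-2627, but data/CAN/list is not updated in this commit to carry {DSA-788-1} on those two entries (the cross-reference only appears in the later automatic update, r1723); adding both sides of the reference in one commit keeps the two lists consistent between updates.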





[Secure-testing-commits] r1714 - data/CAN

2005-08-29 Thread Micah Anderson
Author: micah
Date: 2005-08-29 15:07:42 + (Mon, 29 Aug 2005)
New Revision: 1714

Modified:
   data/CAN/list
Log:
Added openvpn fix


Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 14:26:03 UTC (rev 1713)
+++ data/CAN/list   2005-08-29 15:07:42 UTC (rev 1714)
@@ -740,13 +740,13 @@
 CAN-2005-2535 (Buffer overflow in the Discovery Service in BrightStor ARCserve 
Backup ...)
NOTE: not-for-us (ARCserve Backup)
 CAN-2005-2534 (Race condition in OpenVPN before 2.0.1, when --duplicate-cn is 
not ...)
-   NOTE: openvpn (unfixed; bug #324167; high)
+   - openvpn 2.0.2-1 (bug #324167; high)
 CAN-2005-2533 (OpenVPN before 2.0.1, when running in quot;dev tapquot; 
Ethernet bridging ...)
-   NOTE: openvpn (unfixed; bug #324167; high)
+   - openvpn 2.0.2-1 (bug #324167; high)
 CAN-2005-2532 (OpenVPN before 2.0.1 does not properly flush the OpenSSL error 
queue ...)
-   NOTE: openvpn (unfixed; bug #324167; high)
+   - openvpn 2.0.2-1 (bug #324167; high)
 CAN-2005-2531 (OpenVPN before 2.0.1, when running with quot;verb 0quot; and 
without TLS ...)
-   NOTE: openvpn (unfixed; bug #324167; high)
+   - openvpn 2.0.2-1 (bug #324167; high)
 CAN-2005-2530
NOTE: reserved
 CAN-2005-2529
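Review bot: converting the four "NOTE: openvpn (unfixed; ...)" lines to proper package lines ("- openvpn 2.0.2-1 (bug #324167; high)") is the right fix, since a NOTE line does not record a package status. Separately, the context lines read "quot;dev tapquot;" and "quot;verb 0quot;" where the CVE descriptions contain quoted strings; the "&" of the "&quot;" entities appears to have been dropped on import, which is worth fixing at the import step rather than per entry.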




[Secure-testing-commits] r1715 - data/CAN

2005-08-29 Thread Joey Hess
Author: joeyh
Date: 2005-08-29 18:41:49 + (Mon, 29 Aug 2005)
New Revision: 1715

Modified:
   data/CAN/list
Log:
maildrop hole


Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 15:07:42 UTC (rev 1714)
+++ data/CAN/list   2005-08-29 18:41:49 UTC (rev 1715)
@@ -85,6 +85,7 @@
NOTE: reserved
 CAN-2005-2655
NOTE: reserved
+   - maildrop 1.5.3-2 (medium)
 CAN-2005-2654
NOTE: reserved
 CAN-2005- [cplay - still unsafe temporary file handling vulnerable to 
symlink attacks]
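Review bot: the maildrop line is added under CAN-2005-2655, which still carries only "NOTE: reserved" and no bracketed description, so the entry says nothing about what 1.5.3-2 fixes; the log calls it a "maildrop hole", and a "[...]" summary on the CAN line, as the unassigned entries above it have, would make the record usable.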
@@ -596,7 +597,7 @@
 CAN-2004-2344 (Unknown vulnerability in the ASN.1/H.323/H.225 stack of 
VocalTec ...)
NOTE: not-for-us (VocalTec)
 CAN-2004-2343 (** DISPUTED ** ...)
-   TODO: check
+   NOTE: apache disputes this and I agree -- joeyh
 CAN-2004-2342 (ChatterBox 2.0 allows remote attackers to cause a denial of 
service ...)
NOTE: not-for-us (ChatterBox)
 CAN-2004-2341 (PHP file include injection vulnerability in isearch.inc.php for 
...)
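Review bot: replacing "TODO: check" with "NOTE: apache disputes this and I agree -- joeyh" closes the TODO, but leaves CAN-2004-2343 with no status marker, unlike the surrounding entries that use "NOTE: not-for-us (...)" or a package line; stating which apache package was checked and recording the entry as not affected would make the resolution visible without reading the note.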




[Secure-testing-commits] r1716 - data/DSA

2005-08-29 Thread Joey Hess
Author: joeyh
Date: 2005-08-29 19:55:58 + (Mon, 29 Aug 2005)
New Revision: 1716

Modified:
   data/DSA/list
Log:
dsa update 

Is CAN-2005-2498 really fixed in unstable? Bug is still open.

Also, for CAN-2005-1751 and, php4 is still marked as vulnerable in CAN/list, so
it or this DSA is wrong.


Modified: data/DSA/list
===
--- data/DSA/list   2005-08-29 18:41:49 UTC (rev 1715)
+++ data/DSA/list   2005-08-29 19:55:58 UTC (rev 1716)
@@ -1,3 +1,7 @@
+[29 Aug 2005] DSA-789-1 php4 - several
+   {CAN-2005-1751 CAN-2005-1921 CAN-2005-2498}
+   - php4 4.4.0-2 (high)
+   NOTE: not fixed in testing at time of DSA (glibc transition)
 [29 Aug 2005] DSA-788-1 kismet - several
{CAN-2005-2626 CAN-2005-2627}
- kismet 2005.08.R1-1 (medium)
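Review bot: the php4 version "4.4.0-2" is missing the package's epoch; data/CAN/list writes php4 versions as "4:4.4.0-1", and version comparisons against the archive fail without it. The commit log itself also questions whether CAN-2005-2498 is fixed in unstable, yet the DSA entry as written asserts it is; that doubt belongs in a NOTE on the entry.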
@@ -2,2 +6,3 @@
NOTE: not fixed in testing at time of DSA (glibc transition)
+   NOTE: but fixed in secure-testing repo
 [26 Aug 2005] DSA-787-1 backup-manager - insecure permissions and tempfile
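Review bot: "NOTE: not fixed in testing at time of DSA (glibc transition)" followed by "NOTE: but fixed in secure-testing repo" reads as two half-notes; merging them into one line (for example "NOTE: not fixed in testing at time of DSA (glibc transition), fixed in secure-testing repo") is clearer. The hunk header "@@ -2,2 +6,3 @@" also overlaps the first hunk's range (old lines 1-3), which is unusual and worth a look at the committed file.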




[Secure-testing-commits] r1717 - data/CAN

2005-08-29 Thread Joey Hess
Author: joeyh
Date: 2005-08-29 20:01:48 + (Mon, 29 Aug 2005)
New Revision: 1717

Modified:
   data/CAN/list
Log:
shtool bugs don't affect unstable php4; it no longer copies the files


Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 19:55:58 UTC (rev 1716)
+++ data/CAN/list   2005-08-29 20:01:48 UTC (rev 1717)
@@ -4083,7 +4083,7 @@
 CAN-2005-1759 (Race condition in shtool 2.0.1 and earlier allows local users 
to ...)
- shtool 2.0.1-2 (low)
- mysql-ocaml 1.0.3-6 (low)
-   - php4 (unfixed; low)
+   - php4 4:4.4.0-1 (low)
NOTE: the patch applied to NMU #311206 fixes both CAN-2005-1759 and 
CAN-2005-1751
 CAN-2005-1758 (Buffer overflow in the IMAP command continuation function in 
Novell ...)
NOTE: not-for-us (Novell)
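Review bot: php4 is now marked fixed in 4:4.4.0-1, but the NOTE that follows still attributes the fix to "the patch applied to NMU #311206", whereas the log says the current php4 simply no longer copies the shtool files; updating the NOTE to whichever reason applies avoids leaving two explanations for one entry.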
@@ -4094,7 +4094,7 @@
 CAN-2005-1751 (Race condition in shtool 2.0.1 and earlier allows local users 
to ...)
- shtool 2.0.1-2 (low)
- mysql-ocaml 1.0.3-6 (low)
-   - php4 (unfixed; low)
+   - php4 4:4.4.0-1 (low)
NOTE: the patch applied to NMU #311206 fixes both CAN-2005-1759 and 
CAN-2005-1751
 CAN-2004-2136 (dm-crypt on Linux kernel 2.6.x, when used on certain file 
systems ...)
NOTE: This looks like a minor issue, the paper is from Feb 2004, check 
whether this still applies
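Review bot: for CAN-2005-1751 this records php4 as fixed in 4:4.4.0-1, while DSA-789-1 in data/DSA/list (r1716, epoch added in r1718) lists the same CAN as fixed in 4:4.4.0-2; one of the two versions is wrong, or a NOTE should say that 4:4.4.0-1 already covered the shtool issue and the DSA bundles it with CAN-2005-1921 and CAN-2005-2498.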




[Secure-testing-commits] r1718 - data/DSA

2005-08-29 Thread Joey Hess
Author: joeyh
Date: 2005-08-29 20:02:40 + (Mon, 29 Aug 2005)
New Revision: 1718

Modified:
   data/DSA/list
Log:
ah, it's a not uploaded version that fixes this DSA


Modified: data/DSA/list
===
--- data/DSA/list   2005-08-29 20:01:48 UTC (rev 1717)
+++ data/DSA/list   2005-08-29 20:02:40 UTC (rev 1718)
@@ -1,6 +1,6 @@
 [29 Aug 2005] DSA-789-1 php4 - several
{CAN-2005-1751 CAN-2005-1921 CAN-2005-2498}
-   - php4 4.4.0-2 (high)
+   - php4 4:4.4.0-2 (high)
NOTE: not fixed in testing at time of DSA (glibc transition)
 [29 Aug 2005] DSA-788-1 kismet - several
{CAN-2005-2626 CAN-2005-2627}
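Review bot: adding the epoch ("4:4.4.0-2") fixes the version string, but the NOTE on the next line still gives "glibc transition" as the reason the fix is not in testing, while the log says the fixing version has not been uploaded at all; the NOTE should say so (the follow-up r1719 does), since "not uploaded" and "stuck in a transition" call for different follow-up.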




[Secure-testing-commits] r1719 - data/DSA

2005-08-29 Thread Joey Hess
Author: joeyh
Date: 2005-08-29 20:03:04 + (Mon, 29 Aug 2005)
New Revision: 1719

Modified:
   data/DSA/list
Log:
one more correction


Modified: data/DSA/list
===
--- data/DSA/list   2005-08-29 20:02:40 UTC (rev 1718)
+++ data/DSA/list   2005-08-29 20:03:04 UTC (rev 1719)
@@ -1,7 +1,7 @@
 [29 Aug 2005] DSA-789-1 php4 - several
{CAN-2005-1751 CAN-2005-1921 CAN-2005-2498}
- php4 4:4.4.0-2 (high)
-   NOTE: not fixed in testing at time of DSA (glibc transition)
+   NOTE: not fixed in testing at time of DSA (not uploaded yet)
 [29 Aug 2005] DSA-788-1 kismet - several
{CAN-2005-2626 CAN-2005-2627}
- kismet 2005.08.R1-1 (medium)




[Secure-testing-commits] r1720 - in data/DTSA: . advs

2005-08-29 Thread Joey Hess
Author: joeyh
Date: 2005-08-29 20:20:17 + (Mon, 29 Aug 2005)
New Revision: 1720

Added:
   data/DTSA/DTSA-10-1
   data/DTSA/advs/10-pcre.adv
Modified:
   data/DTSA/list
Log:
dtsa for pcre3


Added: data/DTSA/DTSA-10-1
===
--- data/DTSA/DTSA-10-1 2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/DTSA-10-1 2005-08-29 20:20:17 UTC (rev 1720)
@@ -0,0 +1,51 @@
+--
+Debian Testing Security Advisory DTSA-10-1http://secure-testing.debian.net
[EMAIL PROTECTED]  Joey Hess
+August 29th, 2005
+--
+
+Package: pcre3
+Vulnerability  : buffer overflow
+Problem-Scope  : remote
+Debian-specific: No
+CVE ID : CAN-2005-2491 
+
+An integer overflow in pcre_compile.c in Perl Compatible Regular Expressions
+(PCRE) allows attackers to execute arbitrary code via quantifier values in
+regular expressions, which leads to a heap-based buffer overflow.
+
+For the testing distribution (etch) this is fixed in version
+6.3-0.1etch1
+
+For the unstable distribution (sid) this is fixed in version
+6.3-1
+
+This upgrade is recommended if you use pcre3.
+
+The Debian testing security team does not track security issues for then
+stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
+the Debian security team will make an announcement once a fix is ready.
+
+Upgrade Instructions
+
+
+To use the Debian testing security archive, add the following lines to
+your /etc/apt/sources.list:
+
+deb http://secure-testing.debian.net/debian-security-updates 
etch-proposed-updates/security-updates main contrib non-free
+deb-src http://secure-testing.debian.net/debian-security-updates 
etch-proposed-updates/security-updates main contrib non-free
+
+The archive signing key can be downloaded from
+http://secure-testing.debian.net/ziyi-2005-7.asc
+
+To install the update, run this command as root:
+
+apt-get update  apt-get install libpcre3
+
+Note that after the upgrade, any daemons (exim, apache) that use libpcre3
+will remain running with the old vulnerable version. Either reboot your
+system after the upgrade or use the command lsof /usr/lib/libpcre.so.3 to
+list programs using libpcre3, and manually restart them.
+
+For further information about the Debian testing security team, please refer
+to http://secure-testing.debian.net/
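Review bot: three points in the advisory text: "does not track security issues for then stable" should read "for the stable"; the install command reads "apt-get update  apt-get install libpcre3" with the "&&" between the two commands missing (it looks like an entity was stripped), so as printed it is not a working one-liner; and the "Upgrade Instructions" heading is followed by an empty line where its underline presumably was. "[EMAIL PROTECTED]" in the header block appears to be the list archive's address redaction rather than the committed text.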

Added: data/DTSA/advs/10-pcre.adv
===
--- data/DTSA/advs/10-pcre.adv  2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/advs/10-pcre.adv  2005-08-29 20:20:17 UTC (rev 1720)
@@ -0,0 +1,14 @@
+dtsa: DTSA-10-1
+source: pcre3
+date: August 29th, 2005
+author: Joey Hess
+vuln-type: buffer overflow
+problem-scope: remote
+debian-specific: no
+cve: CAN-2005-2491
+testing-fix: 6.3-0.1etch1
+sid-fix: 6.3-1
+
+An integer overflow in pcre_compile.c in Perl Compatible Regular Expressions
+(PCRE) allows attackers to execute arbitrary code via quantifier values in
+regular expressions, which leads to a heap-based buffer overflow.

Modified: data/DTSA/list
===
--- data/DTSA/list  2005-08-29 20:03:04 UTC (rev 1719)
+++ data/DTSA/list  2005-08-29 20:20:17 UTC (rev 1720)
@@ -1,10 +1,14 @@
+[01 Jan 1969] DTSA-10-1 pcre3 - buffer overflow
+   - pcre3 6.3-0.1etch1 (high)
+   NOTE: joeyh working on it
 [28 Aug 2005] DTSA-9-1 mozilla-thunderbird - several vulnerabilities
-   - mozilla-thunderbird 1.0.2-3etch1
+   - mozilla-thunderbird 1.0.2-3etch1 (high)
NOTE: joeyh working on it
+   NOTE: stalled by build failure
 [28 Aug 2005] DTSA-8-1 mozilla-firefox - several vulnerabilities
-   - mozilla-firefox 1.0.4-2sarge2
+   - mozilla-firefox 1.0.4-2sarge2 (high)
 [28 Aug 2005] DTSA-7-1 mozilla - frame injection spoofing
-   - mozilla 2:1.7.8-1sarge1
+   - mozilla 2:1.7.8-1sarge1 (high)
 [28 Aug 2005] DTSA-6-1 cgiwrap - multiple vulnerabilities
- cgiwrap 3.9-3.0etch1 (low)
NOTE: waiting for builds (neilm)
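Review bot: the new list entry is dated "[01 Jan 1969]" although the advisory text says August 29th, 2005; this looks like a placeholder or a zero timestamp and should be "[29 Aug 2005]" to match the other entries. "NOTE: joeyh working on it" also just repeats the thunderbird note; with the pcre3 sync line commented out in r1722, a NOTE saying what the update is waiting on (build, upload) would be more useful to the next person.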




[Secure-testing-commits] r1722 - data/DTSA/hints doc

2005-08-29 Thread Joey Hess
Author: joeyh
Date: 2005-08-29 20:40:32 + (Mon, 29 Aug 2005)
New Revision: 1722

Modified:
   data/DTSA/hints/joeyh
   doc/announce.2
Log:
some misc updates


Modified: data/DTSA/hints/joeyh
===
--- data/DTSA/hints/joeyh   2005-08-29 20:38:38 UTC (rev 1721)
+++ data/DTSA/hints/joeyh   2005-08-29 20:40:32 UTC (rev 1722)
@@ -1,3 +1,5 @@
+#sync pcre3/6.3-0.1etch1
+
 sync mozilla-firefox/1.0.4-2sarge2
 sync mozilla/2:1.7.8-1sarge1
 sync centericq/4.20.0-8etch1
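Review bot: "#sync pcre3/6.3-0.1etch1" is committed commented out with no explanation; a trailing comment (waiting for builds, not yet uploaded) would tell whoever processes the hints file whether and when to uncomment it, the way the DTSA list entries carry a NOTE.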

Modified: doc/announce.2
===
--- doc/announce.2  2005-08-29 20:38:38 UTC (rev 1721)
+++ doc/announce.2  2005-08-29 20:40:32 UTC (rev 1722)
@@ -35,9 +35,17 @@
 DTSA-1-1 kismet -
 XX complete
 
-Currently, security updates are only built for the alpha, i386, ia64,
-mipsel, powerpc and sparc architectures.
+Note that while all of Debian's architectures are supported, we may release
+an advisory before fixed packages have built for all supported
+architectures. If so the missing builds will become available as they
+complete.
 
+We are not currently issueing advisories for security fixes that reach
+testing through normal propigation from unstable, but only for security
+fixes that are made available through our repository. So users of testing
+should continue to upgrade their systems on a regular basis to get such
+security fixes.
+
 Note that this announcement does not mean that testing is suitable for
 production use. Several security issues are present in unstable, and an
 even larger number are present in testing. Our beginning of security
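Review bot: two spelling errors in the added paragraph: "issueing" should be "issuing" and "propigation" should be "propagation"; "If so the missing builds" wants a comma after "If so". The content itself is a useful clarification, since users could otherwise read the absence of an advisory as the absence of a fix.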
@@ -47,6 +55,10 @@
 open, and users should use this information to make their own decisions
 about whether testing is secure enough for them.
 
+Finally, we are still in the process of working out how best to serve users
+of testing and keep your systems secure, and we welcome comments and
+feedback about ways to do better.
+
 For more information about the testing security team, see our web site.
 http://secure-testing.alioth.debian.org/.
 




[Secure-testing-commits] r1723 - data/CAN

2005-08-29 Thread Joey Hess
Author: joeyh
Date: 2005-08-29 21:14:17 + (Mon, 29 Aug 2005)
New Revision: 1723

Modified:
   data/CAN/list
Log:
automatic CAN database update

Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 20:40:32 UTC (rev 1722)
+++ data/CAN/list   2005-08-29 21:14:17 UTC (rev 1723)
@@ -85,6 +85,7 @@
NOTE: reserved
 CAN-2005-2655
NOTE: reserved
+   {DTSA-11-1}
- maildrop 1.5.3-2 (medium)
 CAN-2005-2654
NOTE: reserved
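Review bot: "{DTSA-11-1}" is inserted after "NOTE: reserved", whereas every other entry on this page puts the {DSA/DTSA} reference line directly after the CAN line and before the package lines (compare CAN-2005-2627 below); the automatic update should place it there, and the stale "NOTE: reserved" should go now that the entry has both a package line and an advisory.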
@@ -165,10 +166,10 @@
 CAN-2005-2628
NOTE: reserved
 CAN-2005-2627 (Multiple integer underflows in Kismet before 2005-08-R1 allow 
remote ...)
-   {DTSA-1-1}
+   {DSA-788-1 DTSA-1-1}
- kismet 2005.08.R1-1 (bug #323386; high)
 CAN-2005-2626 (Unspecified vulnerability in Kismet before 2005-08-R1 allows 
remote ...)
-   {DTSA-1-1}
+   {DSA-788-1 DTSA-1-1}
- kismet 2005.08.R1-1 (bug #323386; high)
 CAN-2004-2476 (Microsoft Internet Explorer 6.0 allows remote attackers to 
cause a ...)
NOTE: not-for-us (MS IE)
@@ -814,6 +815,7 @@
 CAN-2005-2499 (slocate before 2.7 does not properly process very long paths, 
which ...)
- slocate (unfixed; bug #324951; low)
 CAN-2005-2498 (Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier 
(PEAR ...)
+   {DSA-789-1}
- drupal 4.5.5-1 (bug #323347; high)
- phpgroupware (unfixed; bug #323349; high)
- egroupware (unfixed; bug #323350; high)
@@ -3694,7 +3696,7 @@
{DSA-737-1 DTSA-3-1}
- clamav 0.86.1-1 (low)
 CAN-2005-1921 (Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier 
(aka ...)
-   {DSA-746-1 DSA-747-1 DSA-745-1}
+   {DSA-789-1 DSA-746-1 DSA-747-1 DSA-745-1}
NOTE: ITP #312413 - submitter contacted, she has already addressed this
NOTE: This will probably be re-organized by the CVE editor, but lets 
keep it for now,
NOTE: as it's the same issue
@@ -4092,6 +4094,7 @@
 CAN-2005-1756 (Cross-site scripting (XSS) vulnerability in the ModWeb agent 
for ...)
NOTE: not-for-us (Novell)
 CAN-2005-1751 (Race condition in shtool 2.0.1 and earlier allows local users 
to ...)
+   {DSA-789-1}
- shtool 2.0.1-2 (low)
- mysql-ocaml 1.0.3-6 (low)
- php4 4:4.4.0-1 (low)




[Secure-testing-commits] r1724 - data/CAN

2005-08-29 Thread Stefan Fritsch
Author: stef-guest
Date: 2005-08-29 21:33:50 + (Mon, 29 Aug 2005)
New Revision: 1724

Modified:
   data/CAN/list
Log:
CAN-2005-1268 affects only apache2

Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 21:14:17 UTC (rev 1723)
+++ data/CAN/list   2005-08-29 21:33:50 UTC (rev 1724)
@@ -6118,8 +6118,6 @@
 CAN-2005-1268 (Off-by-one error in the mod_ssl Certificate Revocation List 
(CRL) ...)
NOTE: This is from latest Trustix advisory, exploitation would require 
to trick
NOTE: someone into using a maliciously crafted certificate revocation 
list
-   TODO: check libapache-mod-ssl: AFAIK it is not affected, file bug if it 
is
-   - libapache-mod-ssl (unfixed; low)
- apache2 (unfixed; bug #320048; low)
 CAN-2005-1267 (The bgp_update_print function in tcpdump 3.x does not properly 
handle ...)
- tcpdump 3.9.0.cvs.20050614-1 (medium)
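Review bot: dropping the "libapache-mod-ssl (unfixed; low)" line together with its TODO removes the record without stating the conclusion; the log says CAN-2005-1268 affects only apache2, so a NOTE line recording that libapache-mod-ssl was checked and is not affected would keep that finding in the file for the next person who sees the Trustix advisory and wonders about the same package.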




[Secure-testing-commits] r1725 - data/CAN

2005-08-29 Thread Moritz Muehlenhoff
Author: jmm-guest
Date: 2005-08-29 23:23:30 + (Mon, 29 Aug 2005)
New Revision: 1725

Modified:
   data/CAN/list
Log:
phpgroupware fixed


Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 21:33:50 UTC (rev 1724)
+++ data/CAN/list   2005-08-29 23:23:30 UTC (rev 1725)
@@ -1,3 +1,5 @@
+CAN-2005- [Unspecified XSS in phpgroupware's phpgwapi]
+   - phpgroupware 0.9.16.008-1 (unknown)
 CAN-2005- [Insecure usage of popen() in Affix]
- affix (unfixed; bug filed; medium)
 CAN-2005- [Insecure tempfile usage in tleds]
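Review bot: the new phpgwapi XSS entry has severity "(unknown)" and no bug number or reference, unlike the affix entry directly below it ("bug filed"); a pointer to where the XSS was reported would let someone else verify that 0.9.16.008-1 fixes it and assign a real severity.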
@@ -409,7 +411,7 @@
NOTE: not-fur-us (MidiCart)
 CAN-2005-2600 (FUDForum 2.6.15 with quot;Tree Viewquot; enabled allows 
remote attackers to ...)
- egroupware-fudforum (unfixed; bug #323928; medium)
-   - phpgroupware-fudforum (unfixed; bug #323929; medium)
+   - phpgroupware 0.9.16.008-1 (bug #323929; medium)
 CAN-2005-2599 (Hummingbird FTP for Connectivity 10.0 uses weak encryption 
(trivial ...)
NOTE: not-for-us (Hummingbird FTP for Connectivity)
 CAN-2005-2598 (Multiple directory traversal vulnerabilities in Dokeos 
(formerly ...)
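Review bot: folding the phpgroupware-fudforum line into the phpgroupware source package is correct, but the context line just above reads "NOTE: not-fur-us (MidiCart)", a typo for "not-for-us" that anything matching on that marker will miss; worth fixing while editing this region.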
@@ -817,7 +819,7 @@
 CAN-2005-2498 (Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier 
(PEAR ...)
{DSA-789-1}
- drupal 4.5.5-1 (bug #323347; high)
-   - phpgroupware (unfixed; bug #323349; high)
+   - phpgroupware 0.9.16.008-1 (unfixed; bug #323349; high)
- egroupware (unfixed; bug #323350; high)
TODO: phpwiki has disabled the XMLRPC in the last upload, it orphaned 
as well, should be fixed anyway
- php4 (unfixed; bug #323366; high)
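Review bot: "- phpgroupware 0.9.16.008-1 (unfixed; bug #323349; high)" is self-contradictory, giving a fixed version and "unfixed" on the same line; either drop "unfixed" (as the other phpgroupware lines in this commit do) or keep "unfixed" without the version if 0.9.16.008-1 does not address CAN-2005-2498.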




[Secure-testing-commits] r1726 - data/CAN

2005-08-29 Thread Moritz Muehlenhoff
Author: jmm-guest
Date: 2005-08-29 23:25:20 + (Mon, 29 Aug 2005)
New Revision: 1726

Modified:
   data/CAN/list
Log:
affix fixed


Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 23:23:30 UTC (rev 1725)
+++ data/CAN/list   2005-08-29 23:25:20 UTC (rev 1726)
@@ -1,7 +1,7 @@
 CAN-2005- [Unspecified XSS in phpgroupware's phpgwapi]
- phpgroupware 0.9.16.008-1 (unknown)
 CAN-2005- [Insecure usage of popen() in Affix]
-   - affix (unfixed; bug filed; medium)
+   - affix 2.1.2-3 (bug #325444; medium)
 CAN-2005- [Insecure tempfile usage in tleds]
- tleds 1.05beta10-9 (bug# 276789; low)
 CAN-2005- [XSS in gallery's EXIF handling]
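Review bot: affix now carries a fixed version and "bug #325444", matching the format used elsewhere; the context line for tleds writes "bug# 276789" with the space on the wrong side of "#", which differs from "bug #" in every other entry on this page and is worth normalising while here.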
@@ -85,7 +85,7 @@
NOTE: reserved
 CAN-2005-2656
NOTE: reserved
-CAN-2005-2655
+CAN-2005-2655 [Privilege escalation due to insufficient privilege drop in 
maildrop's lockmail]
NOTE: reserved
{DTSA-11-1}
- maildrop 1.5.3-2 (medium)
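Review bot: with the bracketed description added to CAN-2005-2655, the "NOTE: reserved" line that follows is now stale (the entry has a description, a {DTSA-11-1} reference and a package line) and should be removed so the entry is not read as an unassigned placeholder.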




[Secure-testing-commits] r1727 - data/CAN

2005-08-29 Thread Moritz Muehlenhoff
Author: jmm-guest
Date: 2005-08-29 23:29:44 + (Mon, 29 Aug 2005)
New Revision: 1727

Modified:
   data/CAN/list
Log:
new minor polygen issue


Modified: data/CAN/list
===
--- data/CAN/list   2005-08-29 23:25:20 UTC (rev 1726)
+++ data/CAN/list   2005-08-29 23:29:44 UTC (rev 1727)
@@ -1,3 +1,5 @@
+CAN-2005- [polygen doesn't honor umask when creating grm.o files]
+   - polygen 1.0.6-8 (low)
 CAN-2005- [Unspecified XSS in phpgroupware's phpgwapi]
- phpgroupware 0.9.16.008-1 (unknown)
 CAN-2005- [Insecure usage of popen() in Affix]
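Review bot: the polygen entry records a fixed version 1.0.6-8 but no bug number; the neighbouring affix and tleds entries cite their bug reports, and an umask issue with "grm.o" files is the kind of fix someone will later want to trace to a changelog entry.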

