[Secure-testing-commits] r3731 - data/CVE
Author: jmm-guest Date: 2006-04-03 07:25:35 + (Mon, 03 Apr 2006) New Revision: 3731 Modified: data/CVE/list Log: two further rpath issues Modified: data/CVE/list === --- data/CVE/list 2006-04-02 20:02:36 UTC (rev 3730) +++ data/CVE/list 2006-04-03 07:25:35 UTC (rev 3731) @@ -126,6 +126,12 @@ CVE-2006- [gauche-config rpath set to user home] - gauche unfixed (bug #358139; low) [sarge] - gauche not-affected (gauche-config is a shell script in Sarge) +CVE-2006- [tcpquota rpath set to user home] + - tcpquota unfixed (bug #358369; low) + [sarge] - tcpquota no-dsa (Only exploitable with strange AFS cell name) +CVE-2006- [hamlib3-perl rpath set to user home] + - hamlib unfixed (bug #358166; low) + [sarge] - hamlib no-dsa (Only exploitable with strange user name) CVE-2006-1550 [dia buffer overflow in xfig import] - dia 0.94.0-18 CVE-2006-1498 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.5.8 and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
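Review bot: the two new [sarge] no-dsa reasons ("strange AFS cell name" for tcpquota, "strange user name" for hamlib) cannot be checked from the list, because neither entry records the rpath value that is actually embedded. A NOTE: line under each entry giving that path would document why it is only attacker-controllable under those conditions. The second header also names hamlib3-perl while the package line tracks hamlib; if hamlib is the source package, say so in the same note.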
[Secure-testing-commits] r3733 - data/CVE
Author: neilm Date: 2006-04-03 09:46:42 + (Mon, 03 Apr 2006) New Revision: 3733 Modified: data/CVE/list Log: bugzilla fixed Modified: data/CVE/list === --- data/CVE/list 2006-04-03 07:52:14 UTC (rev 3732) +++ data/CVE/list 2006-04-03 09:46:42 UTC (rev 3733) @@ -1389,19 +1389,19 @@ CVE-2006-0917 (Melange Chat Server (aka M-Chat), when accessed via a web browser, ...) NOT-FOR-US: Melange Chat Server CVE-2006-0916 (Bugzilla 2.19.3 through 2.20 does not properly handle quot;//quot; sequences ...) - - bugzilla unfixed (bug #354457) + - bugzilla 2.20.1-1 (bug #354457; high) [woody] - bugzilla not-affected (Only 2.17 and above are affected) [sarge] - bugzilla not-affected (Only 2.17 and above are affected) CVE-2006-0915 (Bugzilla 2.16.10 does not properly handle certain characters in the ...) - - bugzilla unfixed (bug #354457) + - bugzilla 2.20.1-1 (bug #354457; high) [woody] - bugzilla not-affected (Only 2.17 and above are affected) [sarge] - bugzilla not-affected (Only 2.17 and above are affected) CVE-2006-0914 (Bugzilla 2.16.10, 2.17 through 2.18.4, and 2.20 do not properly handle ...) - - bugzilla unfixed (bug #354457) + - bugzilla 2.20.1-1 (bug #354457; high) [woody] - bugzilla not-affected (Only 2.17 and above are affected) [sarge] - bugzilla not-affected (Only 2.17 and above are affected) CVE-2006-0913 (SQL injection vulnerability in whineatnews.pl in Bugzilla 2.17 through ...) - - bugzilla unfixed (bug #354457) + - bugzilla 2.20.1-1 (bug #354457; high) [woody] - bugzilla not-affected (Only 2.17 and above are affected) [sarge] - bugzilla not-affected (Only 2.17 and above are affected) CVE-2006-0912 (Oreka before 0.5 allows remote attackers to cause a denial of service ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
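Review bot: in the CVE-2006-0915 and CVE-2006-0914 entries the descriptions name Bugzilla 2.16.10 as affected, yet the unchanged [woody] and [sarge] lines directly under the new fixed-version line still read "Only 2.17 and above are affected". That rationale fits CVE-2006-0916 and CVE-2006-0913, whose descriptions start at 2.19.3 and 2.17, but contradicts the other two. With the urgency now set to high on all four, the not-affected notes should be rechecked per CVE rather than carried over unchanged.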
[Secure-testing-commits] r3734 - data/DSA
Author: jmm-guest Date: 2006-04-03 09:59:18 + (Mon, 03 Apr 2006) New Revision: 3734 Modified: data/DSA/list Log: fix typo Modified: data/DSA/list === --- data/DSA/list 2006-04-03 09:46:42 UTC (rev 3733) +++ data/DSA/list 2006-04-03 09:59:18 UTC (rev 3734) @@ -17,7 +17,7 @@ [23 Mar 2006] DSA-1016-1 evolution - format string vulnerabilities {CVE-2005-2549 CVE-2005-2550} [woody] - evolution 1.0.5-1woody3 - [woody] - evolution 2.0.4-2sarge1 + [sarge] - evolution 2.0.4-2sarge1 [23 Mar 2006] DSA-1015-1 sendmail - programming error {CVE-2006-0058} [woody] - sendmail 8.12.3-7.2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
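Review bot: the corrected tag is right, and the error it fixes was mechanically detectable: the removed line paired the [woody] tag with version 2.0.4-2sarge1, and the entry already had a [woody] line just above it. A check in the list parser for a repeated release tag within one DSA entry would catch this class of typo before commit.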
[Secure-testing-commits] r3735 - data/CVE
Author: jmm-guest Date: 2006-04-03 12:31:12 + (Mon, 03 Apr 2006) New Revision: 3735 Modified: data/CVE/list Log: new tcpick issue bugnums Modified: data/CVE/list === --- data/CVE/list 2006-04-03 09:59:18 UTC (rev 3734) +++ data/CVE/list 2006-04-03 12:31:12 UTC (rev 3735) @@ -1,9 +1,9 @@ CVE-2006-1548 [struts xss] - - libstruts1.2-java unfixed (bug filed) + - libstruts1.2-java unfixed (bug #360551) CVE-2006-1547 [struts dos] - - libstruts1.2-java unfixed (bug filed) + - libstruts1.2-java unfixed (bug #360551) CVE-2006-1546 [struts validation bypass] - - libstruts1.2-java unfixed (bug filed) + - libstruts1.2-java unfixed (bug #360551) CVE-2006-1545 (Direct static code injection vulnerability in admin/config.php in ...) TODO: check CVE-2006-1544 (Multiple cross-site scripting (XSS) vulnerabilities in news.php in ...) @@ -139,7 +139,7 @@ - hamlib unfixed (bug #358166; low) [sarge] - hamlib no-dsa (Only exploitable with strange user name) CVE-2006-1550 [dia buffer overflow in xfig import] - - dia 0.94.0-18 + - dia 0.94.0-18 (bug #360566) CVE-2006-1498 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.5.8 and ...) - mediawiki 1.4.15-1 - mediawiki1.5 1.5.8-1 @@ -3642,8 +3642,9 @@ CVE-2006-0049 (gpg in GnuPG before 1.4.2.2 does not properly verify non-detached ...) {DSA-993-2} - gnupg 1.4.2.2-1 (bug #356125; medium) -CVE-2006-0048 +CVE-2006-0048 [tcpick dos] RESERVED + - tcpick unfixed (bug #360571; medium) CVE-2006-0047 (packets.c in Freeciv 2.0 before 2.0.8 allows remote attackers to cause ...) {DSA-994-1} - freeciv 2.0.8-1 (medium; bug #355211) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
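Review bot: the three libstruts1.2-java lines in the first hunk and the dia line in the second get a bug number but still carry no urgency, while the tcpick line added in the last hunk is written as "(bug #360571; medium)". One bug (#360551) now covers an XSS, a DoS and a validation bypass, which may not all rate the same, so an urgency per entry would help triage. The field order also differs between entries in the visible context ("(bug #356125; medium)" against "(medium; bug #355211)"); picking one order for new lines keeps the list easier to grep.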
[Secure-testing-commits] Processing r3737 failed
The error message was: error: unknown package note 'unfixed' make: *** [all] Error 1
[Secure-testing-commits] Processing r3738 failed
The error message was: error: unknown package note 'unfixed' make: *** [all] Error 1
[Secure-testing-commits] r3739 - in data: CVE DSA
Author: jmm-guest Date: 2006-04-03 23:44:40 + (Mon, 03 Apr 2006) New Revision: 3739 Modified: data/CVE/list data/DSA/list Log: new dsa two rpath issues fixed fixed syntax of busybox entry Modified: data/CVE/list === --- data/CVE/list 2006-04-03 21:14:26 UTC (rev 3738) +++ data/CVE/list 2006-04-03 23:44:40 UTC (rev 3739) @@ -233,10 +233,10 @@ - subversion 1.3.0-5 (bug #359234; low) [sarge] - subversion not-affected (No rpaths set in Sarge) CVE-2006- [libtunepimp rpath set to /tmp] - - libtunepimp unfixed (bug #359241; low) + - libtunepimp 0.4.2-3 (bug #359241; low) [sarge] - libtunepimp not-affected (rpath not set to /tmp in Sarge) CVE-2006- [gpib rpath set to /tmp] - - gpib unfixed (bug #359239; low) + - gpib 3.2.06-3 (bug #359239; low) [sarge] - gpib not-affected (rpath not set to /tmp in Sarge) CVE-2006- [fftw rpath set to user home] - fftw unfixed (bug #358157; low) @@ -1204,7 +1204,7 @@ [sarge] - samba not-affected CVE-2006-1058 RESERVED - - busybox (unfixed; low; bug #360578) + - busybox unfixed low; bug #360578) CVE-2006-1057 RESERVED CVE-2006-1056 @@ -17692,6 +17692,7 @@ CVE-2004-1617 (Lynx allows remote attackers to cause a denial of service (infinite ...) NOTE: This is fixed in lynx-cur, maybe a fix can be extracted from there - lynx unfixed (bug #296340; low) + [sarge] - lynx no-dsa (Unimportant for a single-instance browser like Lynx) - lynx-cur 2.8.6-6 (low) CVE-2004-1616 (Links allows remote attackers to cause a denial of service (memory ...) - links 0.99+1.00pre12-1 (bug #296341; low) Modified: data/DSA/list === --- data/DSA/list 2006-04-03 21:14:26 UTC (rev 3738) +++ data/DSA/list 2006-04-03 23:44:40 UTC (rev 3739) 
@@ -1,3 +1,6 @@ +[04 Apr 2006] DSA-1022-1 storebackup - several + {CVE-2005-3146 CVE-2005-3147 CVE-2005-3148} + [sarge] - storebackup 1.18.4-2sarge1 [28 Mar 2006] DSA-1021-1 netpbm-free - insecure program execution {CVE-2005-2471} [woody] - netpbm-free 2:9.20-8.6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
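Review bot: the busybox line in the @@ -1204,7 hunk of data/CVE/list drops the opening parenthesis instead of moving it: "- busybox unfixed low; bug #360578)" has a closing parenthesis with no opener, so it is still not a valid package entry. It should read "- busybox unfixed (low; bug #360578)", with the status outside the parentheses and the urgency and bug inside, as in the libtunepimp and gpib lines of the same patch. The commit also mixes three unrelated changes (a new DSA, two rpath fixes, a syntax fix); splitting them would make a failed check easier to trace to its cause.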
[Secure-testing-commits] Processing r3739 failed
The error message was: data/CVE/list:1207: expected package entry, got: '- busybox unfixed low; bug #360578)' make: *** [all] Error 1
[Secure-testing-commits] r3740 - data/CVE
Author: jmm-guest Date: 2006-04-03 23:51:15 + (Mon, 03 Apr 2006) New Revision: 3740 Modified: data/CVE/list Log: three rpath issue CVEfied NFUs Modified: data/CVE/list === --- data/CVE/list 2006-04-03 23:44:40 UTC (rev 3739) +++ data/CVE/list 2006-04-03 23:51:15 UTC (rev 3740) @@ -39,11 +39,14 @@ CVE-2006-1567 (Cross-site scripting (XSS) vulnerability in searchresults.asp in ...) TODO: check CVE-2006-1566 (Untrusted search path vulnerability in libtunepimp-perl 0.4.2-1 in ...) - TODO: check + - libtunepimp 0.4.2-3 (bug #359241; low) + [sarge] - libtunepimp not-affected (rpath not set to /tmp in Sarge) CVE-2006-1565 (Untrusted search path vulnerability in libgpib-perl 3.2.06-2 in Debian ...) - TODO: check + - gpib 3.2.06-3 (bug #359239; low) + [sarge] - gpib not-affected (rpath not set to /tmp in Sarge) CVE-2006-1564 (Untrusted search path vulnerability in libapache2-svn 1.3.0-4 for ...) - TODO: check + - subversion 1.3.0-5 (bug #359234; low) + [sarge] - subversion not-affected (No rpaths set in Sarge) CVE-2006-1563 (Direct static code injection vulnerability in config.php in vscripts ...) TODO: check CVE-2006-1562 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...) 
@@ -73,43 +76,43 @@ CVE-2006-1549 RESERVED CVE-2005-4767 (BEA WebLogic Server and WebLogic Express 8.1 SP5 and earlier, and 7.0 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4766 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4765 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier and 7.0 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4764 (BEA WebLogic Server and WebLogic Express 9.0, 8.1, and 7.0 lock out ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4763 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4762 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP6 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4761 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP5 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4760 (BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4759 (BEA WebLogic Server and WebLogic Express 8.1 and 7.0, during a ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4758 (Unspecified vulnerability in the Administration server in BEA WebLogic ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4757 (BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier, and 7.0 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4756 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4755 (BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier (1) ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4754 (BEA WebLogic Server and WebLogic Express 8.1 SP3 and earlier allow ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4753 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) 
- TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4752 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, and 7.0 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4751 (Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4750 (BEA WebLogic Server and WebLogic Express 8.1 SP4 and earlier, 7.0 SP5 ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2005-4749 (HTTP request smuggling vulnerability in BEA WebLogic Server and ...) - TODO: check + NOT-FOR-US: BEA WebLogic CVE-2006-1548 (Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction ...) - libstruts1.2-java unfixed (bug #360551) CVE-2006-1547 (ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 ...) @@ -127,7 +130,7 @@ CVE-2006-1541 (SQL injection vulnerability in Default.asp in EzASPSite 2.0 RC3 and ...) TODO: check CVE-2006-1540 (Microsoft Office 2002 (aka Office XP) allows user-complicit attackers ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2006-1539 (Multiple buffer overflows in the checkscores function in scores.c in ...) TODO: check CVE-2006-1538 (The Enova X-Wall ASIC encrypts with a key obtained via Microwire from ...) @@ -185,9 +188,9 @@ CVE-2006-1512 RESERVED CVE-2006-1511 (Buffer overflow in the ILASM assembler in the Microsoft .NET 1.0 and
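Review bot: the first hunk copies the libtunepimp, gpib and subversion package lines under CVE-2006-1566, CVE-2006-1565 and CVE-2006-1564, but none of the hunks visible here removes the ID-less "CVE-2006-" placeholder entries that held the same lines, so each issue may now be tracked twice. The patch is cut off on this page, so confirm that a later hunk deletes the placeholders. In the @@ -127,7 hunk, "NOT-FOR-US: Microsoft" names a vendor where the WebLogic lines name the product; "Microsoft Office" would be consistent with them.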
[Secure-testing-commits] r3741 - data/CVE
Author: jmm-guest Date: 2006-04-03 23:52:19 + (Mon, 03 Apr 2006) New Revision: 3741 Modified: data/CVE/list Log: really fix syntax Modified: data/CVE/list === --- data/CVE/list 2006-04-03 23:51:15 UTC (rev 3740) +++ data/CVE/list 2006-04-03 23:52:19 UTC (rev 3741) @@ -1198,7 +1198,7 @@ [sarge] - samba not-affected CVE-2006-1058 RESERVED - - busybox unfixed low; bug #360578) + - busybox unfixed (low; bug #360578) CVE-2006-1057 RESERVED CVE-2006-1056 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
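Review bot: the corrected line "- busybox unfixed (low; bug #360578)" now has the status outside the parentheses, which is the shape the other package entries use; the only remaining difference is field order, since other entries in the list write the bug first, as in "(bug #359241; low)". The log "really fix syntax" follows a commit whose fix did not parse, so running the list check locally before committing would avoid another round trip through the failure mails.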
[Secure-testing-commits] Update the e-mail address in your online profile Chase Bank (SM)
Dear Chase Manhattan's Bank Customer, This is your official notification from Chase Manhattan Bank that the service(s) listed below will be deactivated and deleted if not renewed immediately. Previous notifications have been sent to the Billing Contact assigned to this account. As the Primary Contact, you must renew the service(s) listed below or it will be deactivated and deleted SERVICE: Chase Manhattan Bank Online Banking . SecureCode. EXPIRATION: April 02 2006 https://chaseonline.chase.com/chaseonline/home/sso_co_home.jsp Sincerely, Chase Manhattan Bank Account Review Department. IMPORTANT CUSTOMER SUPPORT INFORMATION Need help? Use "Site Helper" or call customer service at 1.800.788.7000. Please do not "Reply" to this Alert. .2006 Chase Manhattan Bank Financial Group. All rights reserved.