Author: jmm-guest
Date: 2007-10-09 20:44:04 +0000 (Tue, 09 Oct 2007)
New Revision: 6879

Modified:
   data/CVE/list
Log:
firebird entry doesn't match advisory, reverting to unfixed until clarified
non-free java not supported
rewrite some entries, old entries still need to be properly recorded
no-dsa for xfsdump and dircproxy


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2007-10-09 14:13:07 UTC (rev 6878)
+++ data/CVE/list       2007-10-09 20:44:04 UTC (rev 6879)
@@ -34,11 +34,9 @@
 CVE-2007-5247 (Multiple format string vulnerabilities in the Monolith Lithtech 
...)
        NOT-FOR-US: Monolith engine
 CVE-2007-5246 (Multiple stack-based buffer overflows in Firebird LI 
2.0.0.12748 and ...)
-       - firebird2.0 <not-affected> (current version in unstable/testing 
already has fix)
-       - firebird1.5 <not-affected> (current version in unstable/testing 
already has fix)
+       TODO: check, previous commit contradicts to advisory
 CVE-2007-5245 (Multiple stack-based buffer overflows in Firebird LI 1.5.3.4870 
and ...)
-       - firebird2.0 <not-affected> (current version in unstable/testing 
already has fix)
-       - firebird1.5 <not-affected> (current version in unstable/testing 
already has fix)
+       TODO: check, previous commit contradicts to advisory
 CVE-2007-5244 (Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 
through ...)
        NOT-FOR-US: Borland InterBase
 CVE-2007-5243 (Multiple stack-based buffer overflows in Borland InterBase LI 
8.0.0.53 ...)
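Review bot: Replacing both firebird package lines with a bare TODO drops the record that firebird1.5 and firebird2.0 are the affected source packages, so nothing in the entry now marks them as open. Since the log says the intent is to revert to unfixed until the advisory is clarified, keep the package lines with an explicit open status, e.g. `- firebird2.0 <unfixed>` and `- firebird1.5 <unfixed>`, and carry the question in a `TODO:` line beneath them; the same applies to the CVE-2007-5245 block. Minor: "contradicts to advisory" should read "contradicts the advisory".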
@@ -50,18 +48,23 @@
 CVE-2007-5240 (Visual truncation vulnerability in the Java Runtime Environment 
in Sun ...)
        - sun-java6 6-03-1 (low)
        - sun-java5 1.5.0-13-1 (low)
+       [etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5239 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK 
and JRE ...)
        - sun-java6 6-03-1 (low)
        - sun-java5 1.5.0-13-1 (low)
+       [etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5238 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK 
and JRE ...)
-       - sun-java6 6-03-1 (low)
-       - sun-java5 1.5.0-13-1 (low)
+       - sun-java6 6-03-1 (unimportant)
+       - sun-java5 1.5.0-13-1 (unimportant)
+       NOTE: Leaked information hardly sensitive
 CVE-2007-5237 (Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does 
not ...)
        - sun-java6 6-03-1 (medium)
        - sun-java5 1.5.0-13-1 (medium)
+       [etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5236 (Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, 
and SDK ...)
        - sun-java6 <not-affected> (Windows only)
        - sun-java5 <not-affected> (Windows only)
+       [etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5235 (Cross-site scripting (XSS) vulnerability in index.php in 
Uebimiau ...)
        NOT-FOR-US: Uebimiau
 CVE-2007-5234 (PHP remote file inclusion vulnerability in 
upload/common/footer.php in ...)
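Review bot: The `[etch] - sun-java5 <no-dsa> (Non-free not supported)` line added to CVE-2007-5236 sits directly under `- sun-java5 <not-affected> (Windows only)`, which is contradictory: if the package is not affected, there is no etch update to decline. Drop the etch line there, or change the package line if etch's sun-java5 is in fact affected. For CVE-2007-5238 the downgrade to `(unimportant)` comes with a NOTE, which is good, but the wording "Leaked information hardly sensitive" would be clearer as "leaked information is not sensitive"; the other entries in this hunk are consistent with the log message.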
@@ -71,6 +74,7 @@
 CVE-2007-5232 (Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 
and ...)
        - sun-java6 6-03-1 (low)
        - sun-java5 1.5.0-13-1 (low)
+       [etch] - sun-java5 <no-dsa> (Non-free not supported)
 CVE-2007-5231 (Unrestricted file upload vulnerability in 
admin/upload_files.php in ...)
        NOT-FOR-US: Zomplog
 CVE-2007-5230 (admin/upload_files.php in Zomplog 3.8.1 and earlier does not 
check for ...)
@@ -83,8 +87,8 @@
        NOT-FOR-US: BlackBoard Learning System
 CVE-2007-5226 (irc_server.c in dircproxy 1.2.0 and earlier allows remote 
attackers to ...)
        - dircproxy 1.0.5-5.1 (medium; bug #445883)
-       NOTE: the issue itself is of a very low impact but since this also 
means to lose data here
-       NOTE: I think it is medium
+       [sarge] - dircproxy <no-dsa> (Minor issue)
+       [etch] - dircproxy <no-dsa> (Minor issue)
 CVE-2005-4871 (Certain XML functions in IBM DB2 8.1 run with the privileges of 
DB2 ...)
        NOT-FOR-US: IBM DB2
 CVE-2005-4870 (Stack-based buffer overflows in the (1) xmlvarcharfromfile, (2) 
...)
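Review bot: The dircproxy package line keeps `(medium; bug #445883)` while the new sarge and etch lines call it a `Minor issue`, and the two NOTE lines that explained the medium rating (the data-loss aspect) are removed, so the rationale is lost. Either lower the severity on the package line to match the no-dsa justification, or keep one NOTE summarising why medium was chosen, so a later reader can reconcile the two.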
@@ -127,7 +131,7 @@
 CVE-2004-2715 (edituser.php3 in PHPMyChat 0.14.5 allow remote attackers to 
bypass ...)
        NOT-FOR-US: PHPMyChat
 CVE-2004-2714 (Unspecified vulnerability in Window Maker 0.80.2 and earlier 
allows ...)
-       - wmaker <not-affected> (Was fixed in version 0.90 of window maker)
+       - wmaker 0.90-1
 CVE-2004-2713 (** DISPUTED ** ...)
        NOT-FOR-US: ZoneAlarm
 CVE-2004-2712 (Buffer overflow in Gyach Enhanced (Gyach-E) before 
1.0.0-SneakPeek-3 ...)
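Review bot: The old wmaker line only named upstream version 0.90; the replacement `- wmaker 0.90-1` commits to a specific Debian package version as the fixing upload. Confirm from the package changelog that 0.90-1 is the first Debian revision carrying the fix before recording it, since the tracker will treat anything older as vulnerable. The pvpgn and imwheel rewrites later in this patch are fine by contrast, as their removed notes already named the exact Debian versions.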
@@ -145,7 +149,7 @@
 CVE-2004-2706 (Unspecified vulnerability in Gyach Enhanced (Gyach-E) before 
1.0.4 ...)
        NOT-FOR-US: Gyach-E
 CVE-2004-2705 (Unspecified vulnerability in Player vs. Player Gaming Network 
(PvPGN) ...)
-       - pvpgn <not-affected> (was already fixed in 1.6.4+20040826-1)
+       - pvpgn 1.6.4+20040826-1
 CVE-2004-2704 (Hastymail 1.0.1 and earlier (stable) and 1.1 and earlier 
(development) ...)
        NOT-FOR-US: Hastymail
 CVE-2004-2703 (Clearswift MIMEsweeper 5.0.5, when it has been upgraded from 
...)
@@ -159,7 +163,7 @@
 CVE-2004-2699 (deleteicon.aspx in AspDotNetStorefront 3.3 allows remote 
attackers to ...)
        NOT-FOR-US: AspDotNetStorefront
 CVE-2004-2698 (Race condition in IMWheel 1.0.0pre11 and earlier, when running 
with ...)
-       - imwheel <not-affected> (This was already fixed two years ago in 
1.0.0pre12-1)
+       - imwheel 1.0.0pre12-1
 CVE-2004-2697 (The Inventory Scout daemon (invscoutd) 1.3.0.0 and 2.0.2 for 
AIX 4.3.3 ...)
        NOT-FOR-US: InvScoutd
 CVE-2004-2696 (BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, 
when using ...)
@@ -1532,7 +1536,8 @@
 CVE-2007-4632 (Cisco IOS 12.2E, 12.2F, and 12.2S places a &quot;no login&quot; 
line into the ...)
        NOT-FOR-US: Cisco
 CVE-2007-4631 (The DataLoader::doStart function in dataloader.cpp in QGit 
1.5.6 and ...)
-       - qgit 1.5.5-1.1 (bug #440950; medium)
+       - qgit 1.5.5-1.1 (bug #440950; low)
+       [etch] - qgit <no-dsa> (Minor issue)
 CVE-2007-XXXX [maradns DoS]
        - maradns 1.2.12.08-1
        NOTE: http://marc.info/?l=maradns-list&m=118842373527534&w=2
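Review bot: The qgit severity is lowered from medium to low and an `[etch] - qgit <no-dsa> (Minor issue)` line is added without a NOTE giving the reason, and the log message does not mention qgit at all. Add a one-line NOTE explaining the downgrade (as was done for CVE-2007-5238 earlier in this patch), and mention the change in the log so the severity history is traceable.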
@@ -2639,7 +2644,7 @@
 CVE-2007-4132 (Unspecified vulnerability in Red Hat Network Satellite Server 
5.0.0 ...)
        NOT-FOR-US: Red Hat Satellite Server
 CVE-2007-4131 (Directory traversal vulnerability in the contains_dot_dot 
function in ...)
-       - tar 1.18-2 (high; bug #439335)
+       - tar 1.18-2 (medium; bug #439335)
 CVE-2007-4130
        RESERVED
 CVE-2007-4129 [coolkey incorrect cache file handling]
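Review bot: The tar CVE-2007-4131 severity drops from high to medium with no accompanying NOTE and no mention in the log message. A directory traversal in an archive extractor is a case where reviewers will want the reasoning written down, so add a `NOTE:` line stating why medium is appropriate (for example, what condition limits the impact) rather than changing the rating silently.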
@@ -6175,6 +6180,7 @@
        NOT-FOR-US: NetWin
 CVE-2007-2654 (xfs_fsr in xfsdump creates a .fsr temporary directory with 
insecure ...)
        - xfsdump 2.2.45-1 (bug #417894; low)
+       [etch] - xfsdump <no-dsa> (Minor issue)
 CVE-2007-2653
        REJECTED
 CVE-2007-2652 (Multiple unspecified vulnerabilities in Free-SA before 1.2.2 
allow ...)


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits