Author: stef-guest
Date: 2006-08-07 18:59:32 +0000 (Mon, 07 Aug 2006)
New Revision: 4517
Modified:
data/CVE/list
data/embedded-code-copies
Log:
- knowledgeroot includes FCKeditor. This may involve
CVE-2006-3362, CVE-2006-2529, CVE-2006-0921, CVE-2006-0658,
CVE-2005-4094, CVE-2005-4095, CVE-2005-0613
- TinyMCE is included in wordpress, moodle, knowledgeroot:
This might involve CVE-2005-4599, CVE-2005-4600, CVE-2006-3602
- CVE-2006-3011: new php safe mode issue
- CVE-2006-3336: new TWiki issue
- CVE-2006-3360: new phpsysinfo issue
- some NFUs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2006-08-07 15:00:41 UTC (rev 4516)
+++ data/CVE/list 2006-08-07 18:59:32 UTC (rev 4517)
@@ -867,7 +867,7 @@
CVE-2006-3603 (Cross-site scripting (XSS) vulnerability in index.php in
FlexWATCH ...)
NOT-FOR-US: FlexWATCH Network Camera
CVE-2006-3602 (Directory traversal vulnerability in ...)
- NOT-FOR-US: FarsiNews
+ TODO: check wordpress, moodle, knowledgeroot
CVE-2006-3601 (** UNVERIFIABLE ** ...)
NOT-FOR-US: DotNetNuke
CVE-2006-3600 (Multiple stack-based buffer overflows in the LookupTRM::lookup
...)
@@ -1374,19 +1374,21 @@
CVE-2006-3363 (PHP remote file inclusion vulnerability in index.php in the
Glossaire ...)
TODO: check
CVE-2006-3362 (connectors/php/connector.php in FCKeditor mcpuk file manager,
as used ...)
- TODO: check
+ - knowledgeroot <unfixed>
CVE-2006-3361 (PHP remote file inclusion vulnerability in Stud.IP 1.3.0-2 and
...)
- TODO: check
+ NOT-FOR-US: Stud.IP
CVE-2006-3360 (Directory traversal vulnerability in index.php in phpSysInfo
2.5.1 ...)
- TODO: check
+ - phpsysinfo <unfixed> (low)
+ - egroupware <unfixed> (low)
+ - phpgroupware <unfixed> (low)
CVE-2006-3359 (Multiple SQL injection vulnerabilities in index.php in NewsPHP
2006 ...)
- TODO: check
+ NOT-FOR-US: NewsPHP
CVE-2006-3358 (Multiple cross-site scripting (XSS) vulnerabilities in
index.php in ...)
- TODO: check
+ NOT-FOR-US: NewsPHP
CVE-2006-3357 (Heap-based buffer overflow in HTML Help ActiveX control
(hhctrl.ocx) ...)
- TODO: check
+ NOT-FOR-US: HTML Help ActiveX control
CVE-2006-3356 (The TIFFFetchAnyArray function in ImageIO in Apple OS X 10.4.7
and ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2006-3355 (Heap-based buffer overflow in httpdget.c in mpg123 before
0.59s-rll ...)
- mpg123 <unfixed> (bug #377264; medium)
CVE-2006-3354 (Microsoft Internet Explorer 6 allows remote attackers to cause
a ...)
@@ -1394,7 +1396,7 @@
CVE-2006-3353 (Opera 9 allows remote attackers to cause a denial of service
(crash) ...)
NOT-FOR-US: Opera
CVE-2006-3352 (** DISPUTED ** ...)
- TODO: check
+ NOTE: firefox, but invalid
CVE-2006-3351 (Buffer overflow in Windows Explorer (explorer.exe) on Windows
XP and ...)
NOT-FOR-US: Windows Explorer
CVE-2006-XXXX [trac: reStructuredText breach of privacy and denial of service]
@@ -1408,7 +1410,7 @@
{DSA-1116}
- gimp 2.2.11-3.1 (bug #377049; medium)
CVE-2006-3350 (Stack-based buffer overflow in AutoVue SolidModel Professional
Desktop ...)
- TODO: check
+ NOT-FOR-US: AutoVue SolidModel Professional Desktop
CVE-2006-3349 (Multiple SQL injection vulnerabilities in SmS Script allow
remote ...)
NOT-FOR-US: SmS Script
CVE-2006-3348 (Multiple SQL injection vulnerabilities in HSPcomplete 3.2.2 and
3.3 ...)
@@ -1436,7 +1438,8 @@
CVE-2006-3337 (Cross-site scripting (XSS) vulnerability in ...)
NOT-FOR-US: cPanel (not the Chinese language tool in Debian)
CVE-2006-3336 (TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass
the ...)
- TODO: check
+ - twiki <unfixed> (low; bug #381907)
+ NOTE: only in some server configurations
CVE-2006-3335 (Unspecified vulnerability in mkdir in HP-UX B.11.00, B.11.04,
B.11.11, ...)
NOT-FOR-US: HP-UX
CVE-2006-3334 (Buffer overflow in the png_decompress_chunk function in
pngrutil.c in ...)
@@ -1850,7 +1853,7 @@
CVE-2006-3136 (** DISPUTED ** ...)
NOT-FOR-US: Nucleus
CVE-2006-3135 (Multiple SQL injection vulnerabilities in CMS Mundo 1.0 build
008, and ...)
- TODO: check
+ NOT-FOR-US: CMS Mundo
CVE-2006-3134 (Buffer overflow in GraceNote CDDBControl ActiveX Control, as
used by ...)
NOT-FOR-US: GraceNote ActiveX Control
CVE-2006-3133
@@ -2117,15 +2120,17 @@
CVE-2006-3012 (SQL injection vulnerability in phpBannerExchange before 2.0
Update 6 ...)
NOT-FOR-US: phpBannerExchange
CVE-2006-3011 (The error_log function in basic_functions.c in PHP 5.1.4 and
4.4.2 ...)
- TODO: check
+ - php4 <unfixed> (low)
+ - php5 <unfixed> (low)
+ NOTE: only safe mode bypass
CVE-2003-1303 (Buffer overflow in the imap_fetch_overview function in the IMAP
...)
NOT-FOR-US: Microsoft Internet Explore
CVE-2003-1302 (The IMAP functionality in PHP before 4.3.1 allows remote
attackers to ...)
- TODO: check
+ - php4 4:4.3.2+rc3-1
CVE-2002-2215 (The imap_header function in the IMAP functionality for PHP
before ...)
- TODO: check
+ - php4 4:4.3.2+rc3-1
CVE-2002-2214 (The php_if_imap_mime_header_decode function in the IMAP
functionality ...)
- TODO: check
+ - php4 4:4.3.2+rc3-1
CVE-1999-1589 (Unspecified vulnerability in crontab in IBM AIX 3.2 allows
local users ...)
NOT-FOR-US: IBM AIX
CVE-2006-XXXX [snarf: crash on invalid response to the PASV command]
@@ -3274,7 +3279,7 @@
CVE-2006-2530 (avatar_upload.asp in Avatar MOD 1.3 for Snitz Forums 3.4, and
possibly ...)
NOT-FOR-US: Snitz mod
CVE-2006-2529 (editor/filemanager/upload/php/upload.php in FCKeditor before
2.3 Beta, ...)
- NOT-FOR-US: FCKeditor
+ TODO: check knowledgeroot
CVE-2006-2528 (PHP remote file inclusion vulnerability in classified_right.php
in ...)
NOT-FOR-US: phpBazar
CVE-2006-2527 (Admin/admin.php in phpBazar 2.1.0 and earlier allows remote
attackers ...)
@@ -7149,7 +7154,7 @@
CVE-2006-0922 (CubeCart 3.0 through 3.6 does not properly check authorization
for an ...)
NOT-FOR-US: CubeCart
CVE-2006-0921 (Multiple directory traversal vulnerabilities in connector.php
in ...)
- NOT-FOR-US: FCKeditor
+ TODO: check knowledgeroot
CVE-2006-0920 (Oi! Email Marketing System 3.0 (aka Oi! 3) stores the server's
FTP ...)
NOT-FOR-US: Oi! Email Marketing System
CVE-2006-0919 (SQL injection vulnerability in index.php (aka the login page)
in Oi! ...)
@@ -7770,7 +7775,7 @@
CVE-2006-0659 (Multiple PHP remote file include vulnerabilities in RunCMS 1.2
and ...)
NOT-FOR-US: Runcms
CVE-2006-0658 (Incomplete blacklist vulnerability in connector.php in
FCKeditor 2.0 ...)
- NOT-FOR-US: FCKeditor
+ TODO: check knowledgeroot
CVE-2006-0657 (Cross-site scripting (XSS) vulnerability in Softcomplex PHP
Event ...)
NOT-FOR-US: Softcomplex
CVE-2006-0656 (Directory traversal vulnerability in HP Systems Insight Manager
4.2 ...)
@@ -9420,9 +9425,9 @@
CVE-2005-4602 (SQL injection vulnerability in inc/function_upload.php in MyBB
before ...)
NOT-FOR-US: MyBB
CVE-2005-4600 (tiny_mce_gzip.php in TinyMCE Compressor PHP before 1.06 allows
remote ...)
- NOT-FOR-US: TineMCE Compressor
+ TODO: check wordpress, moodle, knowledgeroot
CVE-2005-4599 (Cross-site scripting (XSS) vulnerability in tiny_mce_gzip.php
in ...)
- NOT-FOR-US: TineMCE Compressor
+ TODO: check wordpress, moodle, knowledgeroot
CVE-2005-4598 (Cross-site scripting (XSS) vulnerability in home.php in OoApp
...)
NOT-FOR-US: OoApp Guestbook
CVE-2005-4597 (Cross-site scripting (XSS) vulnerability in index.php in iPei
...)
@@ -10578,8 +10583,10 @@
NOT-FOR-US: Apache James
CVE-2005-4095 (Directory traversal vulnerability in connector.php in the ...)
NOT-FOR-US: DoceboLMS
+ TODO: check knowledgeroot
CVE-2005-4094 (connector.php in the fckeditor2rc2 addon in DoceboLMS 2.0.4
allows ...)
NOT-FOR-US: DoceboLMS
+ TODO: check knowledgeroot
CVE-2005-4093 (Check Point VPN-1 SecureClient NG with Application Intelligence
R56, ...)
NOT-FOR-US: Check Point
CVE-2005-4092 (Multiple heap-based buffer overflows in QuickTime.qts in Apple
...)
@@ -22867,6 +22874,7 @@
- phpbb2 2.0.13-1
CVE-2005-0613 (Unknown vulnerability in FCKeditor 2.0 RC2, when used with
PHP-Nuke, ...)
NOT-FOR-US: FCKeditor
+ TODO: check knowledgeroot
CVE-2005-0612 (Cisco IP/VC Videoconferencing System 3510, 3520, 3525 and 3530
contain ...)
NOT-FOR-US: Cisco
CVE-2005-0611 (Heap-based buffer overflow in RealNetworks RealPlayer 10.5 ...)
Modified: data/embedded-code-copies
===================================================================
--- data/embedded-code-copies 2006-08-07 15:00:41 UTC (rev 4516)
+++ data/embedded-code-copies 2006-08-07 18:59:32 UTC (rev 4517)
@@ -174,3 +174,13 @@
libmms:
xine-lib
mimms
+
+FCKeditor:
+knowledgeroot
+
+TinyMCE:
+wordpress
+moodle
+knowledgeroot
+joomla (ITP)
+
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
