Author: jmm-guest
Date: 2006-11-15 20:46:59 +0100 (Wed, 15 Nov 2006)
New Revision: 4966

Modified:
   data/CVE/list
Log:
multiple new chetcpasswd issues
trac CVEfied
one mozilla issue not-affected for sarge
remove xine-lib dupe
new pdns issues
bugnums


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2006-11-15 08:14:20 UTC (rev 4965)
+++ data/CVE/list       2006-11-15 19:46:59 UTC (rev 4966)
@@ -1,3 +1,7 @@
+CVE-2006-XXXX [chetcpasswd multiple vulnerabilities]
+       - chetcpasswd <unfixed> (bug #394454)
+       NOTE: I've filed a removal bug, this doesn't have a security perspective
+       NOTE: It's too buggy even for sid and was never part of stable or 
testing
 CVE-2006-5884 (Multiple unspecified vulnerabilities in DirectAnimation ActiveX 
...)
        TODO: check
 CVE-2006-5883 (Multiple cross-site scripting (XSS) vulnerabilities in cPanel 
10 allow ...)
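Review bot: The new chetcpasswd entry is marked `<unfixed>` with no urgency, while its own NOTE lines say a removal bug is filed and the package was never in stable or testing. Consider saying in a NOTE that the line should become `<removed>` once the removal is processed, and listing the individual issues from bug #394454 instead of the single "multiple vulnerabilities" title, so they can be matched to CVE ids when those are assigned.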
@@ -11,7 +15,7 @@
 CVE-2006-5879 (SQL injection vulnerability in default1.asp in ASPPortal 4.0.0 
beta ...)
        TODO: check
 CVE-2006-5878 (Cross-site Request Forgery (CSRF) vulnerability in Trac before 
0.10.1 ...)
-       TODO: check
+       - trac 0.10.1-1 (bug #397683)
 CVE-2006-5877
        RESERVED
 CVE-2006-5876
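Review bot: The trac line added under CVE-2006-5878 has a bug number but no urgency, unlike entries such as `- gv 1:3.6.2-2 (medium; bug #398292)` elsewhere in this diff. Add an urgency for the CSRF issue so the fixed entry is complete, e.g. `(urgency; bug #397683)`.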
@@ -130,8 +134,6 @@
        RESERVED
 CVE-2006-5864 (Stack-based buffer overflow in the ps_gettext function in ps.c 
for GNU ...)
        - gv 1:3.6.2-2 (medium; bug #398292)
-CVE-2006-XXXX [track CSRF vulnerability]
-       - trac 0.10.1-1
 CVE-2006-5818 (Multiple buffer overflows in tunekrnl in IBM Lotus Domino 6.x 
before ...)
        NOT-FOR-US: Lotus Domino 
 CVE-2006-5817 (prl_dhcpd in Parallels Desktop for Mac Build 1940 uses insecure 
...)
@@ -291,7 +293,7 @@
        - icedove <unfixed> (medium)
        - mozilla <unfixed> (medium)
        - xulrunner <unfixed> (high)
-       - mozilla-firefox <removed> (high)
+       [sarge] - mozilla-firefox <not-affected> (Vulnerable code not present)
        - mozilla-thunderbird <removed> (medium)
 CVE-2006-5746 (The console in AirMagnet Enterprise does not properly validate 
the ...)
        NOT-FOR-US: AirMagnet
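Review bot: Replacing the unqualified `- mozilla-firefox <removed> (high)` line with a `[sarge]` line leaves this CVE with no mozilla-firefox entry for unstable, whereas mozilla-thunderbird directly below keeps its `<removed>` line. If only the sarge status changed, keep the `<removed>` line and add the `[sarge] - mozilla-firefox <not-affected>` line beneath it.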
@@ -882,7 +884,7 @@
        - ruby1.8 <unfixed> (medium; bug #398457)
        - ruby1.9 <unfixed> (medium)
 CVE-2006-5466 (Heap-based buffer overflow in the showQueryPackage function in 
librpm ...)
-       - rpm 4.4.1-11 (low)
+       - rpm 4.4.1-11 (low; bug #397076)
        [sarge] - rpm <no-dsa> (You need to trust the RPMs you're installing)
        NOTE: Only hypothetical, far-fetched attacks feasible
 CVE-2006-5465 (Buffer overflow in PHP before 5.2.0 allows remote attackers to 
execute ...)
@@ -2322,10 +2324,10 @@
        NOT-FOR-US: Roxio Toast
 CVE-2006-4800 (Multiple buffer overflows in libavcodec in ffmpeg before ...)
        - ffmpeg 0.cvs20060329-1
-       NOTE: fixed in sid+etch according to jmm
+       NOTE: according to the changelog, libxine (starting from 1.1.2-4) links 
dynamically against ffmpeg
        TODO: check other packages embedding ffmpeg code
 CVE-2006-4799 (Buffer overflow in ffmpeg for xine-lib before 1.1.2 might allow 
...)
-       - xine-lib 1.1.2-1
+       - xine-lib 1.1.2-1 (bug #369876; medium)
        NOTE: according to the changelog, libxine (starting from 1.1.2-4) links 
dynamically against ffmpeg
        TODO: check ffmpeg
 CVE-2006-4798 (SQL-Ledger before 2.4.4 stores a password in a query string, 
which ...)
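Review bot: Under CVE-2006-4800, the NOTE recording that ffmpeg is fixed in sid and etch is replaced by the libxine dynamic-linking NOTE that already appears verbatim under CVE-2006-4799, so the ffmpeg entry loses its status remark and gains a note about a different package. Keep the status remark, or reword the new NOTE to say why the linking change matters for the ffmpeg entry. Also, `(bug #369876; medium)` reverses the urgency-then-bug order used elsewhere in this diff, e.g. `(low; bug #397076)`.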
@@ -3584,9 +3586,11 @@
        NOTE: On Sarge this is only a DoS, not code injection
        - thunderbird 1.5.0.7-1 (low)
 CVE-2006-4252 (PowerDNS Recursor 3.1.3 and earlier allows remote attackers to 
cause a ...)
-       TODO: check
+       - pdns-recursor 3.1.4-1 (bug #398559)
+       - pdns <not-affected> (Recursor module has been moved to pdns-recursor)
 CVE-2006-4251 (Buffer overflow in PowerDNS Recursor 3.1.3 and earlier might 
allow ...)
-       TODO: check
+       - pdns-recursor 3.1.4-1 (bug #398557; high)
+       - pdns <not-affected> (Recursor module has been moved to pdns-recursor)
 CVE-2006-4250
        RESERVED
 CVE-2006-4249 [plone group creation privilege escalation]
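Review bot: The pdns-recursor line for CVE-2006-4252 has a bug number but no urgency, while the CVE-2006-4251 line added just below it is marked high. Add an urgency for CVE-2006-4252 as well, and write both in the urgency-then-bug order used by entries such as `(medium; bug #398292)`.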
@@ -7264,8 +7268,6 @@
 CVE-2006-2644 (AWStats 6.5, and possibly other versions, allows remote 
authenticated ...)
        {DSA-1075-1}
        - awstats 6.5-2 (bug #365910)
-CVE-2006-XXXX [libxine1 overflow via a specially-crafted AVI file]
-       - xine-lib 1.1.1-2 (bug #369876; medium)
 CVE-2006-XXXX [specialy crafted WAV turns mkvmerge into a malloc bomb]
        - mkvtoolnix 1.7.0-2 (bug #370144; low)
 CVE-2006-XXXX ['Cache' shell injection vulnerability]
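Review bot: The removed duplicate records xine-lib 1.1.1-2 as the fixed version for bug #369876, but the CVE-2006-4799 entry that now carries that bug number says 1.1.2-1. Confirm which upload closed the bug before dropping this line, and record the result in a NOTE under CVE-2006-4799 if the earlier version turns out to be the right one.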
@@ -14068,7 +14070,7 @@
 CVE-2006-0041
        RESERVED
 CVE-2006-0040 (GNOME Evolution 2.4.2.1 and earlier allows remote attackers to 
cause a ...)
-       - evolution <unfixed>
+       - evolution <unfixed> (bug #398064)
        [sarge] - evolution <not-affected> (Not reproducable on Sarge)
 CVE-2006-0039 (Race condition in the do_add_counters function in netfilter for 
Linux ...)
        {DSA-1103 DSA-1097-1}


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
