Author: jmm-guest
Date: 2007-02-09 00:55:41 +0100 (Fri, 09 Feb 2007)
New Revision: 5428
Modified:
data/CVE/list
Log:
ffmpeg fixed
snort,w3m,mozilla no-dsa
tdiary already fixed
old kronolith issue doesn't affect kronolith1
NFUify potential 2yo Helix issue
verified some older issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2007-02-08 20:36:06 UTC (rev 5427)
+++ data/CVE/list 2007-02-08 23:55:41 UTC (rev 5428)
@@ -674,7 +674,7 @@
- gstreamer0.10-ffmpeg 0.10.1-6
- gst-ffmpeg 0.8.7-10
[etch] - ffmpeg 0.cvs20060823-5
- - ffmpeg <unfixed>
+ - ffmpeg 0.cvs20060823-6
- mplayer 1.0~rc1-12
CVE-2007-0471 (sre/params.php in the Integrity Clientless Security (ICS)
component in ...)
NOT-FOR-US: Check Point
@@ -685,7 +685,7 @@
CVE-2007-0468 (Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual
C++ ...)
NOT-FOR-US: Visual C++
CVE-2007-0467 (crashdump in Apple Mac OS X 10.4.8 allows local users in the
admin ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2007-0466 (Telestream Flip4Mac Windows Media Components for Quicktime
2.1.0.33 ...)
NOT-FOR-US: Telestream
CVE-2007-0465 (Format string vulnerability in Apple Installer 2.1.5 on Mac OS
X ...)
@@ -930,7 +930,7 @@
- gst-ffmpeg 0.8.7-9
- mplayer 1.0~rc1-12
[etch] - ffmpeg 0.cvs20060823-5
- - ffmpeg <unfixed>
+ - ffmpeg 0.cvs20060823-6
CVE-2007-XXXX [netpbm heap corruption]
- netpbm-free 2:10.0-11 (bug #407605)
CVE-2007-0363 (Cross-site scripting (XSS) vulnerability in admin-search.php in
(1) ...)
@@ -1300,6 +1300,7 @@
CVE-2006-6931 (Algorithmic complexity vulnerability in Snort before 2.6.1,
during ...)
- snort <unfixed> (low; bug #407421)
[sarge] - snort <no-dsa> (Minor issue)
+ [etch] - snort <no-dsa> (Minor issue)
CVE-2006-6930 (SQL injection vulnerability in viewad.asp in Rapid Classified
3.1 ...)
NOT-FOR-US: Rapid Classified
CVE-2006-6929 (Multiple cross-site scripting (XSS) vulnerabilities in Rapid
...)
@@ -2084,7 +2085,7 @@
NOT-FOR-US: Fishyshoop
CVE-2006-6772 (Format string vulnerability in w3m 0.5.1, when run with the
dump or ...)
- w3m 0.5.1-5.1 (bug #404564; low)
- NOTE: Only exploitable in dump mode
+ [sarge] w3m <no-dsa> (Minor issue, only exploitable in dump mode)
TODO: Check w3mee, is this forked version still needed?
CVE-2006-6771 (Multiple PHP remote file inclusion vulnerabilities in Irokez
CMS 0.7.1 ...)
NOT-FOR-US: Irokez CMS
@@ -3151,7 +3152,7 @@
CVE-2006-6337 (Multiple SQL injection vulnerabilities in giris.asp in Aspee
and ...)
NOT-FOR-US: Aspee Ziyaretci Defteri
CVE-2006-6336 (Heap-based buffer overflow in the Mail Management Server
(MAILMA.exe) ...)
- TODO: check
+ NOT-FOR-US: Eudora WorldMail
CVE-2006-6335 (Multiple buffer overflows in Sophos Anti-Virus scanning engine
before ...)
NOT-FOR-US: Sophos Anti-Virus
CVE-2006-6334 (Heap-based buffer overflow in the SendChannelData function in
wfica.ocx in ...)
@@ -3492,9 +3493,9 @@
NOT-FOR-US: Blogn
CVE-2006-6175 (Directory traversal vulnerability in lib/FBView.php in Horde
Kronolith ...)
- kronolith2 2.1.4-1 (bug #400899; bug #401061)
- TODO: check kronolith 1.x
+ - kronolith <not-affected> (Vulnerable code not present)
CVE-2006-6174 (Cross-site scripting (XSS) vulnerability in tDiary before 2.0.3
and ...)
- - tdiary 2.1.4-4 (bug #400447; bug #400650)
+ - tdiary 2.0.2+20060303-4.1 (bug #400447; bug #400650)
CVE-2006-6173 (Buffer overflow in the shared_region_make_private_np function
in ...)
NOT-FOR-US: Mac OS X
CVE-2006-6172 (Buffer overflow in the asmrp_eval function for Real Media input
plugin ...)
@@ -4806,7 +4807,7 @@
CVE-2006-5575
RESERVED
CVE-2006-5574 (Unspecified vulnerability in the Brazilian Portuguese Grammar
Checker ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2006-5573
RESERVED
CVE-2006-5572
@@ -6404,6 +6405,7 @@
CVE-2006-4842 (The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as
used in ...)
- xulrunner 1.8.0.9-1 (low; bug #405062)
[sarge] - mozilla <unfixed> (low)
+ [sarge] - mozilla <no-dsa> (Minor issue)
NOTE: could not find setuid binary in sid, but evolution-data-server
has a setgid mail binary
NOTE: see https://bugzilla.mozilla.org/show_bug.cgi?id=351470
TODO: check whether sarge has a setuid/setgid binary linking against
libnspr
@@ -19046,7 +19048,7 @@
CVE-2005-4131 (Unspecified vulnerability in Microsoft Excel 2000, 2002, and
2003, in ...)
NOT-FOR-US: Excel
CVE-2005-4130 (** UNVERIFIABLE, PRERELEASE ** ...)
- TODO: Once dislosed, check, whether this affects Helix
+ NOT-FOR-US: Pre-Notification for RealMedia vulnerability, which never
appeared
CVE-2005-4129
REJECTED
CVE-2005-4128
@@ -19056,7 +19058,7 @@
REJECTED
NOT-FOR-US: iTunes
CVE-2005-4126 (** UNVERIFIABLE, PRERELEASE ** ...)
- TODO: Once dislosed, check, whether this affects Helix
+ NOT-FOR-US: Pre-Notification for RealMedia vulnerability, which never
appeared
CVE-2005-4125
RESERVED
CVE-2005-4124
@@ -21848,8 +21850,6 @@
NOTE: Sarge is vulnerable
CVE-2005-3245 (Unspecified vulnerability in the ONC RPC dissector in Ethereal
0.10.3 ...)
- ethereal 0.10.13-1 (bug #334880; medium)
- NOTE: This affects Woody and Sarge
- TODO: This is disabled by default, if this is a compile-time option
change to "unimportant"
CVE-2005-3244 (The BER dissector in Ethereal 0.10.3 to 0.10.12 allows remote
...)
{DSA-1171}
[woody] - ethereal <not-affected> (This only affects Ethereal 0.10.3 to
0.10.12)
@@ -26567,7 +26567,6 @@
NOT-FOR-US: ViRobot
CVE-2005-2040 (Multiple buffer overflows in the getterminaltype function in
telnetd ...)
{DSA-758-1}
- TODO: Check telnetd from netkit, krb4, krb5, as they all seem to be
derived from the same BSD code base
- heimdal 0.6.3-11 (bug #315065; bug #315086; high)
CVE-2005-2039 (Unknown vulnerability in "various plugins" for
NanoBlogger 3.2.1 and ...)
- nanoblogger <not-affected> (3.1 version in Debian was not affected by
this vulnerability, see #315492)
_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
