[Secure-testing-commits] r7776 - data/CVE
Author: stef-guest Date: 2008-01-01 11:11:33 + (Tue, 01 Jan 2008) New Revision: 7776 Modified: data/CVE/list Log: new mozilla/konqueror issues NFUs Modified: data/CVE/list === --- data/CVE/list 2007-12-31 21:14:29 UTC (rev 7775) +++ data/CVE/list 2008-01-01 11:11:33 UTC (rev 7776) 
@@ -1,63 +1,68 @@ CVE-2007-6594 (IBM Lotus Notes 8 for Linux before 8.0.1 uses (1) unspecified weak ...) - TODO: check + NOT-FOR-US: Lotus Notes CVE-2007-6593 (Multiple stack-based buffer overflows in l123sr.dll in Autonomy ...) - TODO: check + NOT-FOR-US: IBM Lotus Notes CVE-2007-6592 (Apple Safari 2, when a user accepts an SSL server certificate on the ...) - TODO: check + NOT-FOR-US: Safari CVE-2007-6591 (KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server ...) - TODO: check + - konqueror unfixed (medium) + NOTE: filed http://bugs.kde.org/show_bug.cgi?id=154921 CVE-2007-6590 (Mozilla 1.9 M8 and earlier, Mozilla Firefox 2, SeaMonkey 1.1.5, ...) - TODO: check + - iceape unfixed (medium) + - iceweasel unfixed (medium) + TODO: check mozilla derivatives/xulrunner CVE-2007-6589 (The jar protocol handler in Mozilla Firefox before 2.0.0.10 and ...) - TODO: check + - iceape 1.1.7-1 (medium) + - iceweasel 2.0.0.10-1 (medium) + TODO: check mozilla derivatives/xulrunner CVE-2007-6588 (Cross-site scripting (XSS) vulnerability in PHCDownload 1.10 allows ...) - TODO: check + NOT-FOR-US: PHCDownload CVE-2007-6587 (SQL injection vulnerability in plog-rss.php in Plogger 1.0 Beta 3.0 ...) - TODO: check + NOT-FOR-US: Plogger CVE-2007-6586 (SQL injection vulnerability in sezione_news.php in nicLOR-CMS allows ...) - TODO: check + NOT-FOR-US: nicLOR-CMS CVE-2007-6585 (PHP remote file inclusion vulnerability in confirmUnsubscription.php ...) - TODO: check + NOT-FOR-US: NmnNewsletter CVE-2007-6584 (Multiple directory traversal vulnerabilities in 1024 CMS 1.3.1 allow ...) - TODO: check + NOT-FOR-US: 1024 CMS CVE-2007-6583 (SQL injection vulnerability in admin/ops/findip/ajax/search.php in ...) - TODO: check + NOT-FOR-US: 1024 CMS CVE-2007-6582 (Directory traversal vulnerability in index.php in mBlog 1.2 allows ...) - TODO: check + NOT-FOR-US: mBlog CVE-2007-6581 (Multiple directory traversal vulnerabilities in Social Engine 2.0 ...) 
- TODO: check + NOT-FOR-US: Social Engine CVE-2007-6580 (Multiple SQL injection vulnerabilities in Wallpaper Site 1.0.09 allow ...) - TODO: check + NOT-FOR-US: Wallpaper Site CVE-2007-6579 (Multiple SQL injection vulnerabilities in Ip Reg 0.3 allow remote ...) - TODO: check + NOT-FOR-US: Ip Reg CVE-2007-6578 (SQL injection vulnerability in go.php in PHP ZLink 0.3 allows remote ...) - TODO: check + NOT-FOR-US: PHP ZLink CVE-2007-6577 (Multiple SQL injection vulnerabilities in index.php in zBlog 1.2 allow ...) - TODO: check + NOT-FOR-US: zBlog CVE-2007-6576 (Multiple SQL injection vulnerabilities in Adult Script 1.6.5 and ...) - TODO: check + NOT-FOR-US: Adult Script CVE-2007-6575 (SQL injection vulnerability in default.php in MMSLamp allows remote ...) - TODO: check + NOT-FOR-US: MMSLamp CVE-2007-6574 (Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 ...) - TODO: check + NOT-FOR-US: Dokeos CVE-2007-6573 (QK SMTP Server 3 allows remote attackers to cause a denial of service ...) - TODO: check + NOT-FOR-US: QK SMTP CVE-2007-6572 (Cross-site scripting (XSS) vulnerability in Sun Java System Web Server ...) - TODO: check + NOT-FOR-US: Sun Java System Web Server CVE-2007-6571 (Cross-site scripting (XSS) vulnerability in Sun Java System Web Proxy ...) - TODO: check + NOT-FOR-US: Sun Java System Web Proxy CVE-2007-6570 (Cross-site scripting (XSS) vulnerability in the View URL Database ...) - TODO: check + NOT-FOR-US: Sun Java System Web Proxy Server CVE-2007-6569 (Cross-site scripting (XSS) vulnerability in the View Error Log ...) - TODO: check + NOT-FOR-US: Sun Java System Web Proxy Server CVE-2007-6568 (PHP remote file inclusion vulnerability in config.inc.php in XZero ...) - TODO: check + NOT-FOR-US: XZero Community Classifieds CVE-2007-6567 (Directory traversal vulnerability in index.php in XZero Community ...) 
- TODO: check + NOT-FOR-US: XZero Community Classifieds CVE-2007-6566 (SQL injection vulnerability in post.php in XZero Community Classifieds ...) - TODO: check + NOT-FOR-US: XZero Community Classifieds CVE-2007-6565 (Multiple SQL injection vulnerabilities in Blakord Portal 1.3.A Beta ...) - TODO: check + NOT-FOR-US: Blakord Portal CVE-2007- [XSS via file
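Review bot: the CVE-2007-6593 entry's description names Autonomy's l123sr.dll while its annotation reads `NOT-FOR-US: IBM Lotus Notes`, and the neighbouring CVE-2007-6594 uses `NOT-FOR-US: Lotus Notes`; one consistent product name would let the two be grepped together. The CVE-2007-6591 konqueror entry is marked `unfixed (medium)` with only the upstream report (http://bugs.kde.org/show_bug.cgi?id=154921) recorded; a Debian bug reference on that line, as the vlc entry in r7778 carries, would make it actionable for the package maintainers. The iceape/iceweasel entries for CVE-2007-6590 and CVE-2007-6589 keep a `TODO: check mozilla derivatives/xulrunner` line; that is fine as a placeholder, but xulrunner will need its own package line once checked, otherwise it will never show up in the unfixed list.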
[Secure-testing-commits] r7777 - data/CVE
Author: stef-guest Date: 2008-01-01 11:26:34 + (Tue, 01 Jan 2008) New Revision: Modified: data/CVE/list Log: CVE id requested Modified: data/CVE/list === --- data/CVE/list 2008-01-01 11:11:33 UTC (rev 7776) +++ data/CVE/list 2008-01-01 11:26:34 UTC (rev ) @@ -89,6 +89,7 @@ NOTE: Only terminates a single connection, no security impact, fixed in 1.0.10 CVE-2007- [mongrel remote arbitrary file disclosure] - mongrel 1.1.3-1 (medium) + NOTE: CVE id requested CVE-2007-6564 (Cross-site scripting (XSS) vulnerability in admin.php in Limbo CMS ...) NOT-FOR-US: Limbo CMS CVE-2007-6563 (Heap-based buffer overflow in WinAce 2.65 and earlier, and possibly ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
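Review bot: `NOTE: CVE id requested` records the state but not where or when the request was made; adding the date and venue of the request to the note lets the next editor confirm whether an id has since been assigned to the mongrel entry. Separately, this notification has an empty `New Revision:` field and `(rev )` in the diff header, so the commit number is lost from the mail itself.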
[Secure-testing-commits] www.debt-free.com.ar
Please see this site in Subject
[Secure-testing-commits] r7778 - data/CVE
Author: jmm-guest Date: 2008-01-01 16:28:15 + (Tue, 01 Jan 2008) New Revision: 7778 Modified: data/CVE/list Log: dovecot CVEfied Modified: data/CVE/list === --- data/CVE/list 2008-01-01 11:26:34 UTC (rev ) +++ data/CVE/list 2008-01-01 16:28:15 UTC (rev 7778) @@ -74,7 +74,7 @@ CVE-2007- [vlc buffer overflow in subtitle handling] - vlc unfixed (low; bug #458318) NOTE: see http://www.securityfocus.com/archive/1/485488/30/0/threaded -CVE-2007- [dovecot LDAP auth may authenticate as wrong user] +CVE-2007-6598 [dovecot LDAP auth may authenticate as wrong user] - dovecot 1:1.0.10-1 (low; bug #458315) [sarge] - dovecot not-affected (Vulnerable code not present) NOTE: http://dovecot.org/list/dovecot-news/2007-December/57.html
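Review bot: assigning CVE-2007-6598 here is right, but the entry directly above in the context (`CVE-2007- [vlc buffer overflow in subtitle handling]`) still carries a bare placeholder with no `NOTE: CVE id requested` line of the kind the mongrel entry received in r7777; recording whether an id was requested for vlc keeps the remaining placeholders distinguishable. For `[sarge] - dovecot not-affected (Vulnerable code not present)`, naming which LDAP auth code path is absent from sarge's version would make that claim checkable later without re-reading the upstream announcement.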
[Secure-testing-commits] r7779 - in data: . CVE
Author: jmm-guest Date: 2008-01-01 17:34:15 + (Tue, 01 Jan 2008) New Revision: 7779 Modified: data/CVE/list data/spu-candidates.txt Log: updates on minor issues Modified: data/CVE/list === --- data/CVE/list 2008-01-01 16:28:15 UTC (rev 7778) +++ data/CVE/list 2008-01-01 17:34:15 UTC (rev 7779) @@ -5655,8 +5655,12 @@ NOT-FOR-US: ABC eStore CVE-2007-4626 (Unspecified vulnerability in Polipo before 1.0.2 allows remote ...) - polipo 1.0.2-1 (low) + [sarge] - polipo no-dsa (Minor issue) + [etch] - polipo no-dsa (Minor issue) CVE-2007-4625 (Polipo before 1.0.2 allows remote HTTP servers to cause a denial of ...) - - polipo 1.0.2-1 + - polipo 1.0.2-1 (low) + [sarge] - polipo no-dsa (Minor issue) + [etch] - polipo no-dsa (Minor issue) CVE-2007-4624 (Cross-site scripting (XSS) vulnerability in pframe.php in AbleDesign ...) NOT-FOR-US: AbleDesign Dynamic Picture Frame CVE-2007-4623 (Stack-based buffer overflow in the sendrmt function in bellmail in IBM ...) @@ -10400,9 +10404,9 @@ CVE-2007-2631 (Cross-site request forgery (CSRF) vulnerability in SquirrelMail ...) NOTE: Duplicate of CVE-2007-2589 CVE-2007-2630 (Incomplete blacklist vulnerability in ...) - - moin 1.5.8-4.1 + - moin 1.5.8-4.1 (unimportant) - karrigell not-affected (Vulnerable php code not present) - - knowledgeroot 0.9.8.2-2 + - knowledgeroot 0.9.8.2-2 (unimportant) CVE-2007-2629 (Bradford CampusManager Network Control Application Server 3.1(6) ...) NOT-FOR-US: Bradford CVE-2007-2628 (PHP remote file inclusion vulnerability in include/logout.php in ...) 
@@ -11476,7 +11480,9 @@ NOT-FOR-US: OpenSurveyPilot CVE-2007-2165 (The Auth API in ProFTPD before 20070417, when multiple simultaneous ...) - proftpd 1.3.0-24 (low) + [sarge] - proftpd no-dsa (Minor issue) - proftpd-dfsg 1.3.0-24 (low) + [etch] - proftpd-dfsg no-dsa (Minor issue) CVE-2007-2164 (Konqueror 3.5.5 release 45.4 allows remote attackers to cause a denial ...) - kdelibs unfixed (unimportant) NOTE: Browser crashes are not treated as security problems Modified: data/spu-candidates.txt === --- data/spu-candidates.txt 2008-01-01 16:28:15 UTC (rev 7778) +++ data/spu-candidates.txt 2008-01-01 17:34:15 UTC (rev 7779) @@ -22,6 +22,10 @@ -- +proftpd (CVE-2007-2165) + +-- + python2.4, python2.5 (CVE-2007-4965) http://bugs.python.org/issue1179 notified maintainer
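Review bot: the spu-candidates hunk adds `proftpd (CVE-2007-2165)`, but the CVE list hunk marks `[sarge] - proftpd no-dsa` and `[etch] - proftpd-dfsg no-dsa`, so the etch candidate package is proftpd-dfsg and the candidates entry should name it as well (`proftpd-dfsg, proftpd`). In the CVE-2007-2630 hunk, moin and knowledgeroot are downgraded to `(unimportant)` with no NOTE giving the reason, unlike the adjacent `- karrigell not-affected (Vulnerable php code not present)` and the `NOTE: Browser crashes are not treated as security problems` pattern used for CVE-2007-2164; a one-line rationale makes the severity revisable if the blacklist issue turns out to matter for those packages.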
[Secure-testing-commits] r7780 - data/CVE
Author: jmm-guest Date: 2008-01-01 18:14:17 + (Tue, 01 Jan 2008) New Revision: 7780 Modified: data/CVE/list Log: - rewrite non-free fixes pending for r3 as no-dsa again, otherwise they show up in the list of unfixed issues, they can be fixed on time of r3 release - one rsync issue unimportant - python, skktools, pulseaudio no-dsa - fix flashplugin issue Modified: data/CVE/list === --- data/CVE/list 2008-01-01 17:34:15 UTC (rev 7779) +++ data/CVE/list 2008-01-01 18:14:17 UTC (rev 7780) @@ -219,7 +219,8 @@ CVE-2007- [unace unspecified security issue related to uninitialized variable] - unace-nonfree 2.5-3 [sarge] - unace-nonfree no-dsa (non-free not supported) - [etch] - unace-nonfree 2.5-1etch1 + [etch] - unace-nonfree no-dsa (non-free not supported) + TODO: r3 release: [etch] - unace-nonfree 2.5-1etch1 CVE-2007-6507 (SpntSvc.exe daemon in Trend Micro ServerProtect 5.58 for Windows, ...) NOT-FOR-US: Trend Micro ServerProtect CVE-2007-6506 (The HPRulesEngine.ContentCollection.1 ActiveX Control in ...) @@ -980,7 +981,8 @@ CVE-2007-6200 (Unspecified vulnerability in rsync before 3.0.0pre6, when running a ...) - rsync 2.6.9-6 (low; bug #453652) CVE-2007-6199 (rsync before 3.0.0pre6, when running a writable rsync daemon that is ...) - - rsync 2.6.9-6 (low; bug #453652) + - rsync 2.6.9-6 (unimportant; bug #453652) + NOTE: Security feature enhancement, not really a security problem CVE-2007-6198 (portal/server.pt in the Plumtree portal in BEA AquaLogic Interaction ...) NOT-FOR-US: Plumtree CVE-2007-6197 (The Plumtree portal in BEA AquaLogic Interaction 5.0.2 through 5.0.4 ...) 
@@ -3429,8 +3431,8 @@ NOT-FOR-US: Softbiz Recipes Portal Script CVE-2007-5448 (Madwifi 0.9.3.2 and earlier allows remote attackers to cause a denial ...) - madwifi 1:0.9.3.2-2 (medium; bug #446824) - [etch] - madwifi 1:0.9.2+r1842.20061207-2etch2 - NOTE: this results in a kernel panic + [etch] - madwifi no-dsa (Non-free not supported) + TODO: r3 release: [etch] - madwifi 1:0.9.2+r1842.20061207-2etch2 CVE-2007-5447 (ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP ...) NOT-FOR-US: ionCube CVE-2007-5446 (Absolute path traversal vulnerability in a certain ActiveX control in ...) @@ -4853,7 +4855,10 @@ NOTE: Duplicate of CVE-2007-3913 CVE-2007-4965 (Multiple integer overflows in the imageop module in Python 2.5.1 and ...) - python2.5 unfixed (low; bug #44) + [etch] - python2.5 no-dsa (Minor issue) + [sarge] - python2.5 no-dsa (Minor issue) - python2.4 unfixed (low; bug #443335) + [etch] - python2.4 no-dsa (Minor issue) CVE-2007-4964 (WinImage 8.10 and earlier allows remote attackers to cause a denial of ...) NOT-FOR-US: WinImage CVE-2007-4963 (Visual truncation vulnerability in WinImage 8.10 and earlier allows ...) @@ -6378,9 +6383,9 @@ CVE-2007-4325 (PHP remote file inclusion vulnerability in index.php in Gaestebuch 1.5 ...) NOT-FOR-US: Gaestebuch CVE-2007-4324 (ActionScript 3 (AS3) in Adobe Flash Player 9.0.47.0, and other ...) - - flashplugin-nonfree not-affected (This package just downloads the plugin from adobe.com which has an updated version) - [etch] - flashplugin-nonfree no-dsa (non-free not supported) - [sarge] - flashplugin-nonfree no-dsa (non-free not supported) + - flashplugin-nonfree 9.0.115.0.1 + [etch] - flashplugin-nonfree 9.0.115.0.1~etch1 + [sarge] - flashplugin-nonfree no-dsa (Non-free not supported) CVE-2007-4323 (DenyHosts 2.6 does not properly parse sshd log files, which allows ...) - denyhosts 2.6-2.1 (bug #438162; medium) CVE-2007-4322 (BlockHosts before 2.0.4 does not properly parse (1) sshd and (2) ...) 
@@ -7284,7 +7289,9 @@ {DSA-1386-1} - wesnoth 1.2.7-1 CVE-2007-3916 (The main function in skkdic-expr.c in SKK Tools 1.2 allows local users ...) - - skktools 1.2+0.20061004-3 + - skktools 1.2+0.20061004-3 (low) + [sarge] - skktools no-dsa (Minor issue) + [etch] - skktools no-dsa (Minor issue) CVE-2007-3915 RESERVED CVE-2007-3914 @@ -12313,6 +12320,7 @@ CVE-2007-1804 (PulseAudio 0.9.5 allows remote attackers to cause a denial of service ...) {DTSA-44-1} - pulseaudio 0.9.6-1 (low) + [etch] - pulseaudio no-dsa (Minor issue) CVE-2007-1803 (Unspecified vulnerability in MailDwarf 3.01 and earlier allows remote ...) NOT-FOR-US: MailDwarf CVE-2007-1802 (Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and earlier ...) @@ -15039,7 +15047,8 @@ [etch] - rar no-dsa (Non-free) - unrar-nonfree 1:3.7.3-1 (high; bug #410580) [sarge] - unrar-nonfree 1:3.5.2-0.2 - [etch] - unrar-nonfree 1:3.5.4-1.1 + [etch] - unrar-nonfree
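Review bot: the madwifi hunk drops `NOTE: this results in a kernel panic` while rewriting the etch line to `no-dsa (Non-free not supported)`; the impact note is independent of the support decision and is what justifies the `medium` severity, so it should stay. The python2.5 context line reads `(low; bug #44)` next to python2.4's `(bug #443335)`, which looks like a truncated bug number worth re-checking in the same pass that added the no-dsa lines. The `TODO: r3 release:` lines for unace-nonfree and madwifi keep the pending etch versions in free text that the tooling will not parse; that matches the log's intent of keeping them out of the unfixed list, but it means someone has to grep for `TODO: r3 release` at r3 time. The reason string is spelled `non-free not supported` for unace and `Non-free not supported` for madwifi and flashplugin-nonfree within this one commit; one spelling would help anyone filtering on it.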
[Secure-testing-commits] r7781 - data
Author: nion Date: 2008-01-01 18:17:17 + (Tue, 01 Jan 2008) New Revision: 7781 Modified: data/spu-candidates.txt Log: notified maintainer for proftpd update Modified: data/spu-candidates.txt === --- data/spu-candidates.txt 2008-01-01 18:14:17 UTC (rev 7780) +++ data/spu-candidates.txt 2008-01-01 18:17:17 UTC (rev 7781) @@ -22,7 +22,8 @@ -- -proftpd (CVE-2007-2165) +proftpd-dfsg, proftpd (CVE-2007-2165) +notified maintainer --
[Secure-testing-commits] r7782 - data/CVE
Author: stef-guest Date: 2008-01-01 21:15:38 + (Tue, 01 Jan 2008) New Revision: 7782 Modified: data/CVE/list Log: new minor apache2 issue Modified: data/CVE/list === --- data/CVE/list 2008-01-01 18:17:17 UTC (rev 7781) +++ data/CVE/list 2008-01-01 21:15:38 UTC (rev 7782) @@ -426,8 +426,11 @@ NOT-FOR-US: Fonality Trixbox CVE-2007-6423 RESERVED -CVE-2007-6422 +CVE-2007-6422 [apache 2.2 mod_proxy_balance balancer manager DoS] RESERVED + - apache2 unfixed (low) + [etch] - apache2 no-dsa (minor issue) + [sarge] - apache2 not-affected (vulnerable code introduced later) CVE-2007-6421 RESERVED CVE-2007-6420
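Review bot: the CVE-2007-6422 entry now carries a description and package lines but keeps the `RESERVED` line beneath them; if the list tooling treats `RESERVED` as a placeholder marker, that line should be removed, otherwise the entry shows both states at once. The bracketed description says `mod_proxy_balance`; the Apache module is `mod_proxy_balancer`, so correcting the name helps later searches. The reason `(minor issue)` is lower-case where the rest of the file uses `(Minor issue)` (see the polipo and proftpd lines in r7779).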
[Secure-testing-commits] www.rich-dad.com.ar
Please see this site in Subject