[Secure-testing-commits] r3974 - data/CVE
Author: jmm-guest Date: 2006-05-19 06:22:43 + (Fri, 19 May 2006) New Revision: 3974 Modified: data/CVE/list Log: verified tin to be not vulnerable to off-by-one Modified: data/CVE/list === --- data/CVE/list 2006-05-19 05:40:27 UTC (rev 3973) +++ data/CVE/list 2006-05-19 06:22:43 UTC (rev 3974) @@ -3682,7 +3682,8 @@ CVE-2006-0805 (The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed ...) NOT-FOR-US: php-Nuke CVE-2006-0804 (Off-by-one error in TIN 1.8.0 and earlier might allow attackers to ...) - - tin 1:1.8.1 + - tin 1:1.8.2-1 + [sarge] - tin not-affected (Vulnerable code not present) CVE-2006-0803 (The signature verification functionality in the YaST Online Update ...) NOT-FOR-US: YaSt Online Update CVE-2006-0802 (Cross-site scripting (XSS) vulnerability in the NS-Languages module ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] Processing r3975 failed
The error message was: reference to unknwown bug DSA-2006-2147 make: *** [all] Error 1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r3978 - data/CVE
Author: alec-guest
Date: 2006-05-19 13:55:35 + (Fri, 19 May 2006)
New Revision: 3978
Modified:
data/CVE/list
Log:
* found fixed versions of hamlib and mozilla-thunderbird
* opened bug for twiki
Modified: data/CVE/list
===
--- data/CVE/list 2006-05-19 09:28:16 UTC (rev 3977)
+++ data/CVE/list 2006-05-19 13:55:35 UTC (rev 3978)
@@ -2361,7 +2361,7 @@
- tcpquota unfixed (bug #358369; low)
[sarge] - tcpquota no-dsa (Only exploitable with strange AFS cell
name)
CVE-2006- [hamlib3-perl rpath set to user home]
- - hamlib unfixed (bug #358166; low)
+ - hamlib 1.2.5-3 (bug #358166; low)
[sarge] - hamlib no-dsa (Only exploitable with strange user name)
CVE-2006-1550 (Multiple buffer overflows in the xfig import code
(xfig-import.c) in ...)
{DSA-1025-1}
@@ -2593,7 +2593,7 @@
CVE-2006-1388 (Unspecified vulnerability in Microsoft Internet Explorer 6.0
allows ...)
NOT-FOR-US: Internet Explorer
CVE-2006-1387 (TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote
...)
- - twiki unfixed
+ - twiki unfixed (bug #367973)
TODO: see if fw's patch secures this in Debian
CVE-2006-1386 (The (1) rdiff and (2) preview scripts in TWiki 4.0 and 4.0.1
ignore ...)
- twiki not-affected (only affects 4.0.0 - 4.1.0, version in Debian
too young)
@@ -5303,7 +5303,7 @@
CVE-2006-0237 (Cross-site scripting (XSS) vulnerability in index.php in GTP
iCommerce ...)
NOT-FOR-US: GTP iCommerce
CVE-2006-0236 (GUI display truncation vulnerability in Mozilla Thunderbird
1.0.2, ...)
- - mozilla-thunderbird unfixed (bug #349242; bug #363777; medium)
+ - mozilla-thunderbird 1.5.0.2-1 (bug #349242; bug #363777; medium)
CVE-2006-0235 (SQL injection vulnerability in WhiteAlbum 2.5 allows remote
attackers ...)
NOT-FOR-US: WhiteAlbum
CVE-2006-0234 (SQL injection vulnerability in index.php in microBlog 2.0 RC-10
allows ...)
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r3979 - data/CVE
Author: alec-guest
Date: 2006-05-19 15:01:50 + (Fri, 19 May 2006)
New Revision: 3979
Modified:
data/CVE/list
Log:
found fixed versions for gnome-screensaver, dokuwiki, and cfengine2 vulns
Modified: data/CVE/list
===
--- data/CVE/list 2006-05-19 13:55:35 UTC (rev 3978)
+++ data/CVE/list 2006-05-19 15:01:50 UTC (rev 3979)
@@ -2710,7 +2710,7 @@
CVE-2006-1336 (Cross-site scripting vulnerability in calendar.php in
ExtCalendar 1.0 ...)
NOT-FOR-US: ExtCalendar
CVE-2006-1335 (gnome screensaver before 2.14, when running on an X server with
...)
- - gnome-screensaver unfixed (bug #357885)
+ - gnome-screensaver 2.14.1-1 (bug #357885)
CVE-2006-1334 (Multiple SQL injection vulnerabilities in Maian Weblog 2.0
allow ...)
NOT-FOR-US: Maian Weblog
CVE-2006-1333 (Multpile SQL injection vulnerabilities in BetaParticle Blog 6.0
and ...)
@@ -3092,7 +3092,7 @@
CVE-2006-1167
RESERVED
CVE-2006-1165 (Cross-site scripting (XSS) vulnerability in the mediamanager
module in ...)
- - dokuwiki unfixed (bug #357436)
+ - dokuwiki 0.0.20060309-3 (bug #357436)
CVE-2006-1164 (Nodez 4.6.1.1 and earlier stores sensitive data in the
list.gtdat file ...)
NOT-FOR-US: Nodez
CVE-2006-1163 (Cross-site scripting (XSS) vulnerability in Nodez 4.6.1.1
allows ...)
@@ -10538,7 +10538,7 @@
CVE-2005-2960 (cfengine 1.6.5 and 2.1.16 allows local users to overwrite
arbitrary ...)
{DSA-836-1 DSA-835-1}
- cfengine unfixed (bug #332433; low)
- - cfengine2 unfixed (bug #332432; low)
+ - cfengine2 2.1.17-1 (bug #332432; low)
NOTE: maintainer does not think it's a hole, script is unused/broken
CVE-2005-2959 (Incomplete blacklist vulnerability in sudo 1.6.8 and earlier
allows ...)
{DSA-870-1}
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r3980 - data/CVE
Author: alec-guest Date: 2006-05-19 15:23:35 + (Fri, 19 May 2006) New Revision: 3980 Modified: data/CVE/list Log: found fixed version of jetty, knowledgetree, and libextractor Modified: data/CVE/list === --- data/CVE/list 2006-05-19 15:01:50 UTC (rev 3979) +++ data/CVE/list 2006-05-19 15:23:35 UTC (rev 3980) @@ -1,5 +1,5 @@ CVE-2006-2458 (Multiple heap-based buffer overflows in Libextractor 0.5.13 and ...) - TODO: check + libextractor 0.5.14-1 CVE-2006-2457 RESERVED CVE-2006-2456 @@ -5456,7 +5456,7 @@ CVE-2003-1290 (BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, with RMI ...) NOT-FOR-US: BEA WebLogic Server CVE-2006-2443 (The Debian package of knowledgetree 2.0.7 creates environment.php with ...) - - knowledgetree unfixed (bug #348306; medium) + - knowledgetree 2.0.7-2 (bug #348306; medium) CVE-2006- [php5 response splitting] - php5 5.1.2-1 (bug #347894) - php4 not-affected (vulnerable code was introduced in PHP5) @@ -7946,7 +7946,7 @@ CVE-2005-3748 (SQL injection vulnerability in the Search module in Tru-Zone Nuke ET ...) NOT-FOR-US: Tru-Zone Nuke ET CVE-2005-3747 (Unspecified vulnerability in Jetty before 5.1.6 allows remote ...) - - jetty unfixed (bug #340582; medium) + - jetty 5.1.8-1 (bug #340582; medium) CVE-2005-3746 (SQL injection vulnerability in thread.php in APBoard allows remote ...) NOT-FOR-US: APBoard CVE-2005-3745 (Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] Processing r3981 failed
The error message was: data/CVE/list:2: expected CVE annotation, got: 'libextractor 0.5.14-1' make: *** [all] Error 1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] Processing r3982 failed
The error message was: data/CVE/list:58: expected CVE annotation, got: clamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid) make: *** [all] Error 1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r3983 - data/CVE
Author: alec-guest Date: 2006-05-19 16:08:02 + (Fri, 19 May 2006) New Revision: 3983 Modified: data/CVE/list Log: typos, while I'm here mark bugzilla CVE-2006-2420 unimportant Modified: data/CVE/list === --- data/CVE/list 2006-05-19 15:59:43 UTC (rev 3982) +++ data/CVE/list 2006-05-19 16:08:02 UTC (rev 3983) @@ -55,7 +55,7 @@ CVE-2006-2428 (add.asp in DUware DUbanner 3.1 allows remote attackers to execute ...) NOT-FOR-US: Duware CVE-2006-2427 (freshclam in (1) Clam Antivirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h ...) - clamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid) + - clamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid) CVE-2006-2426 (Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 ...) TODO: check CVE-2006-2425 (Multiple cross-site scripting (XSS) vulnerabilities in PRV.php in ...) @@ -70,7 +70,7 @@ TODO: check CVE-2006-2420 (Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows ...) NOTE: this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it. - bugzilla unfixed (low) + - bugzilla unfixed (unimportant) CVE-2006-2419 (Cross-site scripting (XSS) vulnerability in index.php in Directory ...) TODO: check CVE-2006-2418 (Cross-site scripting (XSS) vulnerabilities in certain versions of ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r3984 - data/CVE
Author: alec-guest Date: 2006-05-19 18:23:58 + (Fri, 19 May 2006) New Revision: 3984 Modified: data/CVE/list Log: * two new phpMyAdmin CVEs * many NFUs Modified: data/CVE/list === --- data/CVE/list 2006-05-19 16:08:02 UTC (rev 3983) +++ data/CVE/list 2006-05-19 18:23:58 UTC (rev 3984) @@ -57,30 +57,30 @@ CVE-2006-2427 (freshclam in (1) Clam Antivirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h ...) - clamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid) CVE-2006-2426 (Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 ...) - TODO: check + NOT-FOR-US: in non-free CVE-2006-2425 (Multiple cross-site scripting (XSS) vulnerabilities in PRV.php in ...) - TODO: check + NOT-FOR-US: phpRemoteView CVE-2006-2424 (PHP remote file inclusion vulnerability in ezUserManager 1.6 and ...) - TODO: check + NOT-FOR-US: ezUserManager CVE-2006-2423 (Cross-site scripting (XSS) vulnerability in ftplogin/index.php in ...) - TODO: check + NOT-FOR-US: Confixx CVE-2006-2422 (phpCOIN 1.2.3 and earlier stores messages based upon e-mail addresses, ...) - TODO: check + NOT-FOR-US: phpCOIN CVE-2006-2421 (Stack-based buffer overflow in Pragma FortressSSH 4.0.7.20 allows ...) - TODO: check + NOT-FOR-US: Pragma CVE-2006-2420 (Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows ...) NOTE: this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it. - bugzilla unfixed (unimportant) CVE-2006-2419 (Cross-site scripting (XSS) vulnerability in index.php in Directory ...) - TODO: check + NOT-FOR-US: Directory Listing Script CVE-2006-2418 (Cross-site scripting (XSS) vulnerabilities in certain versions of ...) - TODO: check + - phpmyadmin unfixed (medium) CVE-2006-2417 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before ...) - TODO: check + - phpmyadmin unfixed (medium) CVE-2006-2416 (SQL injection vulnerability in class2.php in e107 0.7.2 and earlier ...) - TODO: check + NOT-FOR-US: e107 CVE-2006-2415 (Multiple cross-site scripting (XSS) vulnerabilities in FlexChat 2.0 ...) - TODO: check + NOT-FOR-US: FlexChat CVE-2006-2414 (Directory traversal vulnerability in Dovecot 1.0 beta and 1.0 allows ...) TODO: check CVE-2006-2413 (GNUnet before SVN revision 2781 allows remote attackers to cause a ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r3986 - data/DSA
Author: fw
Date: 2006-05-19 20:41:39 + (Fri, 19 May 2006)
New Revision: 3986
Modified:
data/DSA/list
Log:
DSA-1059-1: quagga
Modified: data/DSA/list
===
--- data/DSA/list 2006-05-19 19:11:04 UTC (rev 3985)
+++ data/DSA/list 2006-05-19 20:41:39 UTC (rev 3986)
@@ -1,3 +1,6 @@
+[19 May 2006] DSA-1059-1 quagga - several vulnerabilities
+{CVE-2006-2223 CVE-2006-2224 CVE-2006-2276}
+[sarge] - quagga 0.98.3-7.2
[18 May 2006] DSA-1058-1 awstats - missing input sanitising
{CVE-2006-2237}
[woody] - awstats not-affected
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r3987 - data/CVE
Author: joeyh
Date: 2006-05-19 21:14:26 + (Fri, 19 May 2006)
New Revision: 3987
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===
--- data/CVE/list 2006-05-19 20:41:39 UTC (rev 3986)
+++ data/CVE/list 2006-05-19 21:14:26 UTC (rev 3987)
@@ -380,6 +380,7 @@
CVE-2006-2277 (Multiple Apple Mac OS X 10.4 applications might allow ...)
NOT-FOR-US: Apple Mac OS X
CVE-2006-2276 (bgpd in Quagga 0.98 and 0.99 before 20060504 allows local users
to ...)
+ {DSA-1059-1}
- quagga 0.99.4-1 (bug #366980; low)
CVE-2006-2275 (Linux SCTP (lksctp) before 2.6.17 allows remote attackers to
cause a ...)
- linux-2.6 unfixed
@@ -490,8 +491,10 @@
CVE-2006-2225 (Buffer overflow in XM Easy Personal FTP Server 4.3 and earlier
allows ...)
NOT-FOR-US: Easy Personal FTP Server
CVE-2006-2224 (RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly
enforce ...)
+ {DSA-1059-1}
- quagga 0.99.3-2 (bug #365940; medium)
CVE-2006-2223 (RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly
...)
+ {DSA-1059-1}
- quagga 0.99.3-2 (bug #365940; medium)
CVE-2006- (Buffer overflow in zawhttpd 0.8.23, and possibly previous
versions, ...)
NOT-FOR-US: zawhttpd
@@ -655,6 +658,7 @@
CVE-2006-2149 (PHP remote file inclusion vulnerability in sources/lostpw.php
in ...)
NOT-FOR-US: Aardvark Topsites
CVE-2006-2147 (resmgrd in resmgr for SUSE Linux and other distributions does
not ...)
+ {DSA-1047-1}
- resmgr 1.0-4 (low)
CVE-2006-2146 (Multiple cross-site scripting (XSS) vulnerabilities in
index.php in ...)
TODO: check
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
