[Secure-testing-commits] r3974 - data/CVE
Author: jmm-guest Date: 2006-05-19 06:22:43 + (Fri, 19 May 2006) New Revision: 3974 Modified: data/CVE/list Log: verified tin to be not vulnerable to off-by-one Modified: data/CVE/list === --- data/CVE/list 2006-05-19 05:40:27 UTC (rev 3973) +++ data/CVE/list 2006-05-19 06:22:43 UTC (rev 3974) @@ -3682,7 +3682,8 @@ CVE-2006-0805 (The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed ...) NOT-FOR-US: php-Nuke CVE-2006-0804 (Off-by-one error in TIN 1.8.0 and earlier might allow attackers to ...) - - tin 1:1.8.1 + - tin 1:1.8.2-1 + [sarge] - tin not-affected (Vulnerable code not present) CVE-2006-0803 (The signature verification functionality in the YaST Online Update ...) NOT-FOR-US: YaSt Online Update CVE-2006-0802 (Cross-site scripting (XSS) vulnerability in the NS-Languages module ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
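Review bot: the sid line for CVE-2006-0804 changes from `- tin 1:1.8.1` to `- tin 1:1.8.2-1` while the log says tin was verified not vulnerable; those two statements point in different directions, so either the sid annotation should become `- tin not-affected (Vulnerable code not present)` like the new sarge line, or a NOTE should record why 1:1.8.1 (the version matching the CVE's "1.8.0 and earlier" range) was not taken as the fixing upload. For the new `[sarge] - tin not-affected (Vulnerable code not present)` line, naming the sarge version that was inspected would let the claim be rechecked later.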
[Secure-testing-commits] Processing r3975 failed
The error message was: reference to unknown bug DSA-2006-2147 make: *** [all] Error 1
[Secure-testing-commits] r3978 - data/CVE
Author: alec-guest Date: 2006-05-19 13:55:35 + (Fri, 19 May 2006) New Revision: 3978 Modified: data/CVE/list Log: * found fixed versions of hamlib and mozilla-thunderbird * opened bug for twiki Modified: data/CVE/list === --- data/CVE/list 2006-05-19 09:28:16 UTC (rev 3977) +++ data/CVE/list 2006-05-19 13:55:35 UTC (rev 3978) @@ -2361,7 +2361,7 @@ - tcpquota unfixed (bug #358369; low) [sarge] - tcpquota no-dsa (Only exploitable with strange AFS cell name) CVE-2006- [hamlib3-perl rpath set to user home] - - hamlib unfixed (bug #358166; low) + - hamlib 1.2.5-3 (bug #358166; low) [sarge] - hamlib no-dsa (Only exploitable with strange user name) CVE-2006-1550 (Multiple buffer overflows in the xfig import code (xfig-import.c) in ...) {DSA-1025-1} @@ -2593,7 +2593,7 @@ CVE-2006-1388 (Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows ...) NOT-FOR-US: Internet Explorer CVE-2006-1387 (TWiki 4.0, 4.0.1, and 20010901 through 20040904 allows remote ...) - - twiki unfixed + - twiki unfixed (bug #367973) TODO: see if fw's patch secures this in Debian CVE-2006-1386 (The (1) rdiff and (2) preview scripts in TWiki 4.0 and 4.0.1 ignore ...) - twiki not-affected (only affects 4.0.0 - 4.1.0, version in Debian too young) @@ -5303,7 +5303,7 @@ CVE-2006-0237 (Cross-site scripting (XSS) vulnerability in index.php in GTP iCommerce ...) NOT-FOR-US: GTP iCommerce CVE-2006-0236 (GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, ...) - - mozilla-thunderbird unfixed (bug #349242; bug #363777; medium) + - mozilla-thunderbird 1.5.0.2-1 (bug #349242; bug #363777; medium) CVE-2006-0235 (SQL injection vulnerability in WhiteAlbum 2.5 allows remote attackers ...) NOT-FOR-US: WhiteAlbum CVE-2006-0234 (SQL injection vulnerability in index.php in microBlog 2.0 RC-10 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
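Review bot: `- twiki unfixed (bug #367973)` now carries a bug number, but the `TODO: see if fw's patch secures this in Debian` line beneath it is left untouched; if that patch question is what bug #367973 tracks, fold it into a NOTE pointing at the bug so an open TODO does not sit next to a filed bug indefinitely.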
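Review bot: `- mozilla-thunderbird 1.5.0.2-1 (bug #349242; bug #363777; medium)` records a fixed version for CVE-2006-0236 without saying where the fix was confirmed; with two bug numbers attached and the CVE text naming Thunderbird 1.0.2, a NOTE citing the changelog entry or upstream change would let the `medium` rating and the sid fix be re-verified, and both bugs closed with a version.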
[Secure-testing-commits] r3979 - data/CVE
Author: alec-guest Date: 2006-05-19 15:01:50 + (Fri, 19 May 2006) New Revision: 3979 Modified: data/CVE/list Log: found fixed versions for gnome-screensaver, dokuwiki, and cfengine2 vulns Modified: data/CVE/list === --- data/CVE/list 2006-05-19 13:55:35 UTC (rev 3978) +++ data/CVE/list 2006-05-19 15:01:50 UTC (rev 3979) @@ -2710,7 +2710,7 @@ CVE-2006-1336 (Cross-site scripting vulnerability in calendar.php in ExtCalendar 1.0 ...) NOT-FOR-US: ExtCalendar CVE-2006-1335 (gnome screensaver before 2.14, when running on an X server with ...) - - gnome-screensaver unfixed (bug #357885) + - gnome-screensaver 2.14.1-1 (bug #357885) CVE-2006-1334 (Multiple SQL injection vulnerabilities in Maian Weblog 2.0 allow ...) NOT-FOR-US: Maian Weblog CVE-2006-1333 (Multpile SQL injection vulnerabilities in BetaParticle Blog 6.0 and ...) @@ -3092,7 +3092,7 @@ CVE-2006-1167 RESERVED CVE-2006-1165 (Cross-site scripting (XSS) vulnerability in the mediamanager module in ...) - - dokuwiki unfixed (bug #357436) + - dokuwiki 0.0.20060309-3 (bug #357436) CVE-2006-1164 (Nodez 4.6.1.1 and earlier stores sensitive data in the list.gtdat file ...) NOT-FOR-US: Nodez CVE-2006-1163 (Cross-site scripting (XSS) vulnerability in Nodez 4.6.1.1 allows ...) @@ -10538,7 +10538,7 @@ CVE-2005-2960 (cfengine 1.6.5 and 2.1.16 allows local users to overwrite arbitrary ...) {DSA-836-1 DSA-835-1} - cfengine unfixed (bug #332433; low) - - cfengine2 unfixed (bug #332432; low) + - cfengine2 2.1.17-1 (bug #332432; low) NOTE: maintainer does not think it's a hole, script is unused/broken CVE-2005-2959 (Incomplete blacklist vulnerability in sudo 1.6.8 and earlier allows ...) {DSA-870-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
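Review bot: in the cfengine2 hunk the existing `NOTE: maintainer does not think it's a hole, script is unused/broken` now sits under an entry marked fixed in `2.1.17-1`, while `- cfengine unfixed (bug #332433; low)` directly above stays unfixed; say which package the NOTE applies to and what 2.1.17-1 actually changed (script removed, or the overwrite fixed), otherwise the fixed marker and the NOTE contradict each other for the same CVE.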
[Secure-testing-commits] r3980 - data/CVE
Author: alec-guest Date: 2006-05-19 15:23:35 + (Fri, 19 May 2006) New Revision: 3980 Modified: data/CVE/list Log: found fixed version of jetty, knowledgetree, and libextractor Modified: data/CVE/list === --- data/CVE/list 2006-05-19 15:01:50 UTC (rev 3979) +++ data/CVE/list 2006-05-19 15:23:35 UTC (rev 3980) @@ -1,5 +1,5 @@ CVE-2006-2458 (Multiple heap-based buffer overflows in Libextractor 0.5.13 and ...) - TODO: check + libextractor 0.5.14-1 CVE-2006-2457 RESERVED CVE-2006-2456 @@ -5456,7 +5456,7 @@ CVE-2003-1290 (BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, with RMI ...) NOT-FOR-US: BEA WebLogic Server CVE-2006-2443 (The Debian package of knowledgetree 2.0.7 creates environment.php with ...) - - knowledgetree unfixed (bug #348306; medium) + - knowledgetree 2.0.7-2 (bug #348306; medium) CVE-2006- [php5 response splitting] - php5 5.1.2-1 (bug #347894) - php4 not-affected (vulnerable code was introduced in PHP5) @@ -7946,7 +7946,7 @@ CVE-2005-3748 (SQL injection vulnerability in the Search module in Tru-Zone Nuke ET ...) NOT-FOR-US: Tru-Zone Nuke ET CVE-2005-3747 (Unspecified vulnerability in Jetty before 5.1.6 allows remote ...) - - jetty unfixed (bug #340582; medium) + - jetty 5.1.8-1 (bug #340582; medium) CVE-2005-3746 (SQL injection vulnerability in thread.php in APBoard allows remote ...) NOT-FOR-US: APBoard CVE-2005-3745 (Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
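Review bot: the libextractor hunk replaces `TODO: check` with `libextractor 0.5.14-1`, which lacks the `- ` prefix that every package annotation in this file carries (compare `- knowledgetree 2.0.7-2 (bug #348306; medium)` in the same commit); the list checker rejects such a line as not being a CVE annotation, so it should read `- libextractor 0.5.14-1`.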
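Review bot: `- jetty 5.1.8-1 (bug #340582; medium)` records 5.1.8-1 as the first fixed version although CVE-2005-3747 says "before 5.1.6"; if a 5.1.6 or 5.1.7 upload reached the archive earlier, that is the version the tracker should carry, so confirm against the package changelog before closing bug #340582.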
[Secure-testing-commits] Processing r3981 failed
The error message was: data/CVE/list:2: expected CVE annotation, got: 'libextractor 0.5.14-1' make: *** [all] Error 1
[Secure-testing-commits] Processing r3982 failed
The error message was: data/CVE/list:58: expected CVE annotation, got: clamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid) make: *** [all] Error 1
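The three failure mails in this thread (r3975, r3981, r3982) are the list checker rejecting hand edits: a `{DSA-...}` cross-reference that names no DSA in data/DSA/list, and package lines written without the leading `- `. The following is an added example, not the secure-testing tracker's own checker: a small validator whose grammar is reconstructed from the annotation lines visible in the diffs above (an assumption about the format, not its real parser), run over a constructed sample that reproduces all three mistakes.

```python
import re

# Added example (not the tracker's own checker): a validator for the two flat
# files seen in this thread, data/CVE/list and data/DSA/list.  The grammar below
# is reconstructed from the annotation lines visible in the diffs and is an
# assumption, not the secure-testing tracker's real parser.

# A CVE header: "CVE-YYYY-NNNN (description ...)"; placeholder entries such as
# "CVE-2006- [hamlib3-perl rpath set to user home]" have an empty number.
CVE_HEADER_RE = re.compile(r"^CVE-\d{4}-\d*(\s.*)?$")

# Annotation lines that may follow a CVE header.  A package line must start
# with "- " (optionally preceded by a "[release] " tag); forgetting the dash is
# exactly what broke r3981 and r3982 in this thread.
ANNOTATION_RES = [
    re.compile(r"^(\[[a-z]+\] )?- \S+ (unfixed|not-affected|no-dsa|[0-9][^ (]*)( \(.*\))?$"),
    re.compile(r"^\{(DSA-\d+-\d+)( DSA-\d+-\d+)*\}$"),   # DSA cross-references
    re.compile(r"^NOT-FOR-US: .*$"),
    re.compile(r"^(TODO|NOTE): .*$"),
    re.compile(r"^RESERVED$"),
]
DSA_REF_RE = re.compile(r"^\{([^}]*)\}$")

# data/DSA/list header: "[19 May 2006] DSA-1059-1 quagga - several vulnerabilities"
DSA_HEADER_RE = re.compile(r"^\[\d{1,2} \w+ \d{4}\] (DSA-\d+-\d+) ")


def known_dsas(dsa_text):
    """Collect the DSA identifiers declared in data/DSA/list."""
    ids = set()
    for line in dsa_text.splitlines():
        m = DSA_HEADER_RE.match(line)
        if m:
            ids.add(m.group(1))
    return ids


def validate(cve_text, dsas, path="data/CVE/list"):
    """Return error strings in the style of the failure mails above."""
    errors = []
    seen_header = False
    for lineno, raw in enumerate(cve_text.splitlines(), start=1):
        line = raw.strip()          # annotations are tab-indented in the real file
        if not line:
            continue
        if CVE_HEADER_RE.match(line):
            seen_header = True
            continue
        if not seen_header:
            errors.append(f"{path}:{lineno}: annotation before first CVE header: '{line}'")
            continue
        if not any(r.match(line) for r in ANNOTATION_RES):
            errors.append(f"{path}:{lineno}: expected CVE annotation, got: '{line}'")
            continue
        m = DSA_REF_RE.match(line)
        if m:                       # every referenced DSA must exist in data/DSA/list
            for ref in m.group(1).split():
                if ref not in dsas:
                    errors.append(f"{path}:{lineno}: reference to unknown bug {ref}")
    return errors


# Constructed sample input, assembled from entries quoted in this thread.  The
# libextractor and clamav lines reproduce the r3981/r3982 mistakes, and the
# resmgr entry reproduces the bad cross-reference that failed r3975.
SAMPLE_DSA_LIST = (
    "[19 May 2006] DSA-1059-1 quagga - several vulnerabilities\n"
    "\t{CVE-2006-2223 CVE-2006-2224 CVE-2006-2276}\n"
    "\t[sarge] - quagga 0.98.3-7.2\n"
    "[18 May 2006] DSA-1058-1 awstats - missing input sanitising\n"
    "\t{CVE-2006-2237}\n"
    "\t[woody] - awstats not-affected\n"
)

SAMPLE_CVE_LIST = (
    "CVE-2006-2458 (Multiple heap-based buffer overflows in Libextractor 0.5.13 and ...)\n"
    "\tlibextractor 0.5.14-1\n"
    "CVE-2006-2457\n"
    "\tRESERVED\n"
    "CVE-2006-2427 (freshclam in (1) Clam Antivirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h ...)\n"
    "\tclamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid)\n"
    "CVE-2006-2276 (bgpd in Quagga 0.98 and 0.99 before 20060504 allows local users to ...)\n"
    "\t{DSA-1059-1}\n"
    "\t- quagga 0.99.4-1 (bug #366980; low)\n"
    "CVE-2006-2147 (resmgrd in resmgr for SUSE Linux and other distributions does not ...)\n"
    "\t{DSA-2006-2147}\n"
    "\t- resmgr 1.0-4 (low)\n"
    "CVE-2006- [hamlib3-perl rpath set to user home]\n"
    "\t- hamlib 1.2.5-3 (bug #358166; low)\n"
    "\t[sarge] - hamlib no-dsa (Only exploitable with strange user name)\n"
)


def demo():
    """Validate the constructed sample against the constructed DSA list."""
    return validate(SAMPLE_CVE_LIST, known_dsas(SAMPLE_DSA_LIST))


if __name__ == "__main__":
    for err in demo():
        print(err)
```

Running it reports the two missing-dash lines and the unknown DSA reference, one per line, with the same wording the commit hook mailed back. Adding the `- ` prefix and replacing the reference with a DSA that exists in the sample DSA list makes the same input validate cleanly.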
[Secure-testing-commits] r3983 - data/CVE
Author: alec-guest Date: 2006-05-19 16:08:02 + (Fri, 19 May 2006) New Revision: 3983 Modified: data/CVE/list Log: typos, while I'm here mark bugzilla CVE-2006-2420 unimportant Modified: data/CVE/list === --- data/CVE/list 2006-05-19 15:59:43 UTC (rev 3982) +++ data/CVE/list 2006-05-19 16:08:02 UTC (rev 3983) @@ -55,7 +55,7 @@ CVE-2006-2428 (add.asp in DUware DUbanner 3.1 allows remote attackers to execute ...) NOT-FOR-US: Duware CVE-2006-2427 (freshclam in (1) Clam Antivirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h ...) - clamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid) + - clamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid) CVE-2006-2426 (Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 ...) TODO: check CVE-2006-2425 (Multiple cross-site scripting (XSS) vulnerabilities in PRV.php in ...) @@ -70,7 +70,7 @@ TODO: check CVE-2006-2420 (Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows ...) NOTE: this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it. - bugzilla unfixed (low) + - bugzilla unfixed (unimportant) CVE-2006-2419 (Cross-site scripting (XSS) vulnerability in index.php in Directory ...) TODO: check CVE-2006-2418 (Cross-site scripting (XSS) vulnerabilities in certain versions of ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
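Review bot: `- bugzilla unfixed (unimportant)` lowers CVE-2006-2420 from low to unimportant, but the only justification in the hunk is the existing NOTE quoting CVE that the issue "normally would not be included"; that explains why an id was assigned, not why the issue has no security impact for the Debian package, so add a one-line NOTE with the Debian-specific reason to make the downgrade reviewable.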
[Secure-testing-commits] r3984 - data/CVE
Author: alec-guest Date: 2006-05-19 18:23:58 + (Fri, 19 May 2006) New Revision: 3984 Modified: data/CVE/list Log: * two new phpMyAdmin CVEs * many NFUs Modified: data/CVE/list === --- data/CVE/list 2006-05-19 16:08:02 UTC (rev 3983) +++ data/CVE/list 2006-05-19 18:23:58 UTC (rev 3984) 
@@ -57,30 +57,30 @@ CVE-2006-2427 (freshclam in (1) Clam Antivirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h ...) - clamav not-affected (clamav-freshclam doesn't ship freshclam setuid or setgid) CVE-2006-2426 (Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 ...) - TODO: check + NOT-FOR-US: in non-free CVE-2006-2425 (Multiple cross-site scripting (XSS) vulnerabilities in PRV.php in ...) - TODO: check + NOT-FOR-US: phpRemoteView CVE-2006-2424 (PHP remote file inclusion vulnerability in ezUserManager 1.6 and ...) - TODO: check + NOT-FOR-US: ezUserManager CVE-2006-2423 (Cross-site scripting (XSS) vulnerability in ftplogin/index.php in ...) - TODO: check + NOT-FOR-US: Confixx CVE-2006-2422 (phpCOIN 1.2.3 and earlier stores messages based upon e-mail addresses, ...) - TODO: check + NOT-FOR-US: phpCOIN CVE-2006-2421 (Stack-based buffer overflow in Pragma FortressSSH 4.0.7.20 allows ...) - TODO: check + NOT-FOR-US: Pragma CVE-2006-2420 (Bugzilla 2.20rc1 through 2.20 and 2.21.1, when using RSS 1.0, allows ...) NOTE: this issue normally would not be included in CVE, it is being identified since the Bugzilla developers have addressed it. - bugzilla unfixed (unimportant) CVE-2006-2419 (Cross-site scripting (XSS) vulnerability in index.php in Directory ...) - TODO: check + NOT-FOR-US: Directory Listing Script CVE-2006-2418 (Cross-site scripting (XSS) vulnerabilities in certain versions of ...) - TODO: check + - phpmyadmin unfixed (medium) CVE-2006-2417 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before ...) - TODO: check + - phpmyadmin unfixed (medium) CVE-2006-2416 (SQL injection vulnerability in class2.php in e107 0.7.2 and earlier ...) - TODO: check + NOT-FOR-US: e107 CVE-2006-2415 (Multiple cross-site scripting (XSS) vulnerabilities in FlexChat 2.0 ...) - TODO: check + NOT-FOR-US: FlexChat CVE-2006-2414 (Directory traversal vulnerability in Dovecot 1.0 beta and 1.0 allows ...) 
TODO: check CVE-2006-2413 (GNUnet before SVN revision 2781 allows remote attackers to cause a ...)
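Review bot: `NOT-FOR-US: in non-free` for CVE-2006-2426 gives a reason where every other NOT-FOR-US line in this hunk names the upstream product (phpRemoteView, ezUserManager, Confixx, ...); if the Sun JRE is packaged in Debian's non-free archive it is a Debian package with a name, so either annotate that package or state in a NOTE that non-free is out of the tracker's scope, rather than hiding the decision in the product field.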
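Review bot: CVE-2006-2418 and CVE-2006-2417 are both set to `- phpmyadmin unfixed (medium)` with no bug reference, unlike the other unfixed entries in this thread (e.g. `- twiki unfixed (bug #367973)`); file a bug against phpmyadmin for the two XSS issues and record it as `(bug #NNNNNN; medium)` so the maintainer is notified and the status can be followed.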
[Secure-testing-commits] r3986 - data/DSA
Author: fw Date: 2006-05-19 20:41:39 + (Fri, 19 May 2006) New Revision: 3986 Modified: data/DSA/list Log: DSA-1059-1: quagga Modified: data/DSA/list === --- data/DSA/list 2006-05-19 19:11:04 UTC (rev 3985) +++ data/DSA/list 2006-05-19 20:41:39 UTC (rev 3986) @@ -1,3 +1,6 @@ +[19 May 2006] DSA-1059-1 quagga - several vulnerabilities +{CVE-2006-2223 CVE-2006-2224 CVE-2006-2276} +[sarge] - quagga 0.98.3-7.2 [18 May 2006] DSA-1058-1 awstats - missing input sanitising {CVE-2006-2237} [woody] - awstats not-affected
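Review bot: the new DSA-1059-1 entry binds CVE-2006-2223, CVE-2006-2224 and CVE-2006-2276 to `[sarge] - quagga 0.98.3-7.2`, but this commit does not add the matching `{DSA-1059-1}` lines under those CVEs in data/CVE/list, so the two files disagree until the cross-references are generated; that is fine if the automatic update is relied on for it, otherwise the CVE side should be updated in the same commit.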
[Secure-testing-commits] r3987 - data/CVE
Author: joeyh Date: 2006-05-19 21:14:26 + (Fri, 19 May 2006) New Revision: 3987 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2006-05-19 20:41:39 UTC (rev 3986) +++ data/CVE/list 2006-05-19 21:14:26 UTC (rev 3987) @@ -380,6 +380,7 @@ CVE-2006-2277 (Multiple Apple Mac OS X 10.4 applications might allow ...) NOT-FOR-US: Apple Mac OS X CVE-2006-2276 (bgpd in Quagga 0.98 and 0.99 before 20060504 allows local users to ...) + {DSA-1059-1} - quagga 0.99.4-1 (bug #366980; low) CVE-2006-2275 (Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a ...) - linux-2.6 unfixed @@ -490,8 +491,10 @@ CVE-2006-2225 (Buffer overflow in XM Easy Personal FTP Server 4.3 and earlier allows ...) NOT-FOR-US: Easy Personal FTP Server CVE-2006-2224 (RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly enforce ...) + {DSA-1059-1} - quagga 0.99.3-2 (bug #365940; medium) CVE-2006-2223 (RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly ...) + {DSA-1059-1} - quagga 0.99.3-2 (bug #365940; medium) CVE-2006- (Buffer overflow in zawhttpd 0.8.23, and possibly previous versions, ...) NOT-FOR-US: zawhttpd @@ -655,6 +658,7 @@ CVE-2006-2149 (PHP remote file inclusion vulnerability in sources/lostpw.php in ...) NOT-FOR-US: Aardvark Topsites CVE-2006-2147 (resmgrd in resmgr for SUSE Linux and other distributions does not ...) + {DSA-1047-1} - resmgr 1.0-4 (low) CVE-2006-2146 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in ...) TODO: check ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
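Review bot: the `{DSA-1047-1}` added under CVE-2006-2147 is the cross-reference that the failed r3975 apparently tried to add by hand as DSA-2006-2147 (the CVE number pasted where the DSA number belongs, which the checker rejected as an unknown bug); the generated form is correct, so DSA references are better left to this automatic update than typed into data/CVE/list manually.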