[Secure-testing-commits] r2038 - data/CAN

Sun, 18 Sep 2005 03:25:33 -0700 

Author: fw
Date: 2005-09-18 10:25:05 +0000 (Sun, 18 Sep 2005)
New Revision: 2038

Modified:
   data/CAN/list
Log:
Resolve a few TODOs, adding BTS xrefs where necessary.




Modified: data/CAN/list
===================================================================
--- data/CAN/list       2005-09-18 10:11:02 UTC (rev 2037)
+++ data/CAN/list       2005-09-18 10:25:05 UTC (rev 2038)
@@ -2266,8 +2266,9 @@
 CAN-2002-2039 (/bin/su in QNX realtime operating system (RTOS) 4.25 and 6.1.0 
allows ...)
        NOTE: not-for-us (QNX)
 CAN-2002-2038 (Next Generation POSIX Threading (NGPT) 1.9.0 uses a 
filesystem-based ...)
-       TODO: check, ISS says Linux: Linux Any version
+       NOTE: not-for-us (NGPT)
        NOTE: http://lists.debian.org/debian-user/2003/10/msg03627.html
+       NOTE: NPTL does not have this problem.
 CAN-2002-2037 (The Cisco Media Gateway Controller (MGC) in (1) SC2200 7.4 and 
...)
        NOTE: not-for-us (Cisco)
 CAN-2002-2036 (Sun Ray Server Software (SRSS) 1.3, when Non-Smartcard Mobility 
(NSCM) ...)
@@ -2440,7 +2441,11 @@
 CAN-2001-1541 (Buffer overflow in Unix-to-Unix Copy Protocol (UUCP) in BSDI 
BSD/OS ...)
        NOTE: not-for-us (BSDI UUCP)
 CAN-2001-1540 (IPRoute 0.973, 0.974 and 1.18 allows remote attackers to cause 
a ...)
-       TODO: try nmap exploit
+       NOTE: not-for-us (IPRoute router software)
+       NOTE: This is not for iproute/iproute2.
+       NOTE: From Chris Gragsone's message on BUGTRAQ:
+       NOTE: "IPRoute, by David F. Mischler, is PC-based router software
+       NOTE: "for networks running the Internet Protocol (IP)."
 CAN-2001-1539 (The JavaScript settimeout function in Internet Explorer allows 
remote ...)
        NOTE: not-for-us (MSIE)
 CAN-2001-1538 (SpeedXess HA-120 DSL router has a default administrative 
password of ...)
@@ -2451,12 +2456,12 @@
 CAN-2001-1536 (Autogalaxy stores usernames and passwords in cleartext in 
cookies, ...)
        NOTE: not-for-us (Autogalaxy)
 CAN-2001-1535 (Slashcode 2.0 creates new accounts with an 8-character random 
...)
-       NOTE: cannot find paper about this anymore
-       TODO: followup
+       - slash (bug #328927; unfixed; low)
 CAN-2001-1534 (mod_usertrack in Apache 1.3.11 through 1.3.20 generates session 
ID's ...)
-       NOTE: cannot find paper about this anymore
-       NOTE: only affects things misusing apache session IDs
-       TODO: followup
+       - apache (bug #328919; unimportant)
+       - apache2 (unfixed; unimportant)
+       NOTE: Cookies are only used for invading user privacy,
+       NOTE: not for authentication, so apache and apache2 should be fine.
 CAN-2001-1533 (** DISPUTED * ...)
        NOTE: not-for-us (Microsoft)
 CAN-2001-1532 (WebX stores authentication information in the HTTP_REFERER 
variable, ...)
@@ -3189,9 +3194,10 @@
 CAN-2002-1977 (Network Associates PGP 7.0.4 and 7.1 does not time out 
according to ...)
        NOTE: not-for-us (Proprietary PGP)
 CAN-2002-1976 (ifconfig, when used on the Linux kernel 2.2 and later, does not 
report ...)
-       NOTE: Kernel 2.2 introduced a different way to set promisc mode through 
setsockopt()
-       NOTE: instead through an ioctl() as before.
-       TODO: check, whether current ifconfig handles that correctly, I guess so
+       - net-tools (unfixed; unimportant)
+       NOTE: This seems to be a misunderstanding of what the PROMISC flag
+       NOTE: is about.  ifconfig reports properly when it is set using
+       NOTE: "ifconfig promisc".
 CAN-2002-1975 (Sharp Zaurus PDA SL-5000D and SL-5500 uses a salt of 
"A0" to encrypt ...)
        NOTE: not-for-us (Zaurus hardware)
 CAN-2002-1974 (The FTP service in Zaurus PDAs SL-5000D and SL-5500 does not 
require ...)
@@ -4029,7 +4035,7 @@
 CAN-2001-1484 (Alcatel ADSL modems allow remote attackers to access the 
Trivial File ...)
        NOTE: not-for-us (Alcatel hardware issue)
 CAN-2001-1483 (One-Time Passwords In Everything (a.k.a OPIE) 2.32 and 2.4 
allows ...)
-       TODO: check
+       - libpam-opie (unfixed; bug #112279; low)
 CAN-2001-1482 (SQL injection vulnerability in bb_memberlist.php for phpBB 
1.4.2 ...)
        NOTE: phpbb was initially uploaded as version 2 or phpbb has been 
removed now
 CAN-2001-1481 (Xitami 2.4 through 2.5 b4 stores the Administrator password in 
...)
@@ -9014,10 +9020,10 @@
 CAN-2003-1085 (The HTTP server in the Thomson TWC305, TWC315, and TCW690 cable 
modem ...)
        NOTE: not-for-us (Thomson cable modem)
 CAN-2005-0488 (Certain BSD-based Telnet clients, including those used on 
Solaris and ...)
-       NOTE: netkit-telnet not affected
-       TODO: check heimdal
+       TODO: check heimdal, netkit-telnet-ssl
        - krb4 (unfixed; low)
        - krb5 (unfixed; low)
+       - netkit-telnet not-affected (netkit-telnet is not affected)
 CAN-2004-1639 (Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913 
allows ...)
        NOTE: This is not a real security issue; it just describes the fact 
that the Gecko
        NOTE: engine of the Mozillae may be lead into a crash if you feed it 
with large chunks


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits

Reply via email to