[Secure-testing-commits] r1378 - data/CAN

Thu, 14 Jul 2005 00:06:09 -0700 

Author: joeyh
Date: 2005-07-14 07:04:59 +0000 (Thu, 14 Jul 2005)
New Revision: 1378

Modified:
   data/CAN/list
Log:
canified ekg, but it has a second set of security holes which may get
another can and has a separate bug filed


Modified: data/CAN/list
===================================================================
--- data/CAN/list       2005-07-13 18:57:59 UTC (rev 1377)
+++ data/CAN/list       2005-07-14 07:04:59 UTC (rev 1378)
@@ -1,3 +1,4 @@
+
 CAN-2005-XXXX [base-config log should not be world readable]
        - base-config 2.68 (low)
 CAN-2005-2169 (Directory traversal vulnerability in source.php in Quick & 
Dirty ...)
@@ -113,7 +114,7 @@
 CAN-2004-2154 (CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf 
as ...)
        - cupsys 1.1.20final+rc1-1 (low)
 CAN-2005-XXXX [Insecure tempfile generation in ekg]
-       - ekg (unfixed; bug #317027; medium)
+       - ekg (unfixed; bug #318059; medium)
 CAN-2005-2116 (Unknown vulnerability in the third-party XML-RPC library in 
Drupal ...)
        NOTE: This will probably be re-organized by the CVE editor, but lets 
keep it for now,
        NOTE: as it's the same issue
@@ -170,11 +171,10 @@
        NOTE: We have to check whether zlib 1.1 is really not affected, 
sometimes the CVE
        NOTE: descriptions are flaky wrt affected versions, kernel, mozilla, 
rsync and oo
        NOTE: supposedly use 1.1
-       TODO: - kernel-source-2.6.11 (unfixed; medium)
-       TODO: - kernel-source-2.4.27 (unfixed; medium)
-       TODO: - mozilla (unfixed; medium)
-       TODO: - openoffice.org (unfixed; medium)
-       TODO: - rsync (unfixed; medium)
+       NOTE: Florian Weimer is doing a comprehensive audit using clamav
+       NOTE: to search for static zlib signatures in binaries in Debian
+       NOTE: Not all of the listed packages have been checked for actual
+       NOTE: exploitability using this hole.
        - dpkg (unfixed; bug #317967; medium)
        - zsync (unfixed; bug #317968; medium)
        - dump (unfixed; bug #317966; medium)
@@ -183,6 +183,14 @@
        - ia32-libs (unfixed; bug #317971; medium)
        - dar-static (unfixed; bug #317989; medium)
        - bacula-sd (unfixed; bug #318014; medium)
+       - sash (unfixed; bug #318069; medium)
+       - libphysfs-1.0-0 (unfixed; bug #318091; medium)
+       - mrtg (unfixed; bug #318096; medium)
+       - oops (unfixed; bug #318097; medium)
+       - lsb-rpm (unfixed; bug #318099; medium)
+       - rageircd (unfixed; bug #309196; medium)
+       - systemimager-ssh (unfixed; bug #318101; medium)
+       - texmacs (unfixed; bug #318100; medium)
 CAN-2005-2095
        NOTE: reserved
        - squirrelmail (unfixed; #317094; medium)
@@ -1319,7 +1327,7 @@
 CAN-2005-1917 (kpopper 1.0 and earlier allows local users to create and 
overwrite ...)
        TODO: check
 CAN-2005-1916 (linki.py in ekg 2005-06-05 and earlier allows local users to 
overwrite ...)
-       TODO: check
+       - ekg (unfixed; bug #317027; low)
 CAN-2005-1915
        NOTE: reserved
 CAN-2005-1914 [Insecure tempfile usage in centericq]


_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits

Reply via email to