authorKees Cook <kees@outflux.net>2007-06-28 23:18:08 +0000
committerKees Cook <kees@outflux.net>2007-06-28 23:18:08 +0000
commitf8ba502facf13ce7daf29010612e66c01db26523 (patch)
tree5f5658aef5298c575628892dcd4b917eac937b0a
parent59adf4d4e06b6dc662ac0c88b7297417c48dc899 (diff)
NFUs: 109
unfixed: firebird2 iceape iceweasel ircii-pana kvirc redhat-cluster sun-java6 tomcat5 tomcat5.5 websvn wordpress xulrunner
fixed: awffull hiki squirrelmail sun-java5
not-affected: iceweasel sudo xscreensaver
removed: firefox mozilla tomcat4
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@6074 e39458fd-73e7-0310-bf30-c45bca0a0e42
-rw-r--r--data/CVE/2007.list289
1 files changed, 157 insertions, 132 deletions
diff --git a/data/CVE/2007.list b/data/CVE/2007.list
index 687abd14f8..e691cbf33b 100644
--- a/data/CVE/2007.list
+++ b/data/CVE/2007.list
@@ -1,39 +1,39 @@
CVE-2007-3455 (cgiChkMasterPwd.exe before 8.0.0.142 in Trend Micro OfficeScan ...)
- TODO: check
+ NOT-FOR-US: Trend Micro OfficeScan Corporate Edition
CVE-2007-3454 (Buffer overflow in CGIOCommon.dll before 8.0.0.1042 in Trend Micro ...)
- TODO: check
+ NOT-FOR-US: Trend Micro OfficeScan Corporate Edition
CVE-2007-3453 (SQL injection vulnerability in Papoo 3.6, and possibly earlier, allows ...)
- TODO: check
+ NOT-FOR-US: Papoo
CVE-2007-3452 (SQL injection vulnerability in essentials/minutes/doc.php in eDocStore ...)
- TODO: check
+ NOT-FOR-US: eDocStore
CVE-2007-3451 (PHP remote file inclusion vulnerability in admin/index.php in 6ALBlog ...)
- TODO: check
+ NOT-FOR-US: 6ALBlog
CVE-2007-3450 (SQL injection vulnerability in member.php in 6ALBlog allows remote ...)
- TODO: check
+ NOT-FOR-US: 6ALBlog
CVE-2007-3449 (SQL injection vulnerability in member.php in 6ALBlog allows remote ...)
- TODO: check
+ NOT-FOR-US: 6ALBlog
CVE-2007-3448 (Cross-site scripting (XSS) vulnerability in index.php in BugMall ...)
- TODO: check
+ NOT-FOR-US: BugMall Shopping Cart
CVE-2007-3447 (SQL injection vulnerability in BugMall Shopping Cart 2.5 and earlier ...)
- TODO: check
+ NOT-FOR-US: BugMall Shopping Cart
CVE-2007-3446 (BugMall Shopping Cart 2.5 and earlier has a default username &quot;demo&quot; ...)
- TODO: check
+ NOT-FOR-US: BugMall Shopping Cart
CVE-2007-3445 (Buffer overflow in SJ Labs SJphone 1.60.303c, running under Windows ...)
- TODO: check
+ NOT-FOR-US: SJphone
CVE-2007-3444 (The Research in Motion BlackBerry 7270 with 4.0 SP1 Bundle 83 allows ...)
- TODO: check
+ NOT-FOR-US: BlackBerry 7270
CVE-2007-3443 (The Research in Motion BlackBerry 7270 before 4.0 SP1 Bundle 108 does ...)
- TODO: check
+ NOT-FOR-US: BlackBerry 7270
CVE-2007-3442 (Format string vulnerability on the Research in Motion BlackBerry 7270 ...)
- TODO: check
+ NOT-FOR-US: BlackBerry 7270
CVE-2007-3441 (Format string vulnerability in the Aastra 9112i SIP Phone with ...)
- TODO: check
+ NOT-FOR-US: Aastra 9112i SIP Phone
CVE-2007-3440 (The Snom 320 SIP Phone, running snom320 linux 3.25, snom320-SIP 6.2.3, ...)
- TODO: check
+ NOT-FOR-US: Snom 320 SIP Phone
CVE-2007-3439 (The Snom 320 SIP Phone, running snom320 linux 3.25, snom320-SIP 6.2.3, ...)
- TODO: check
+ NOT-FOR-US: Snom 320 SIP Phone
CVE-2007-3438 (Buffer overflow in the SIP header parsing module in the Nortel PC ...)
- TODO: check
+ NOT-FOR-US: Nortel PC Client SIP Soft Phone
CVE-2007-3437 (AOL Instant Messenger (AIM) 6.1.32.1 on Windows XP allows remote ...)
TODO: check
CVE-2007-3436 (Microsoft MSN Messenger 4.7 on Windows XP allows remote attackers to ...)
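Review bot: CVE-2007-3437 (AOL Instant Messenger 6.1.32.1 on Windows XP) is left at `TODO: check` in this hunk, while the same product is triaged as `NOT-FOR-US: AIM` elsewhere in this patch (CVE-2007-3350); unless a Debian package is involved it should get the same tag, and CVE-2007-3436 (MSN Messenger 4.7 on Windows XP) looks like the same case.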
@@ -41,53 +41,53 @@ CVE-2007-3436 (Microsoft MSN Messenger 4.7 on Windows XP allows remote attackers
CVE-2007-3435 (Stack-based buffer overflow in the BeginPrint method in a certain ...)
TODO: check
CVE-2007-3434 (index.php in Pharmacy System 2 and earlier allows remote attackers to ...)
- TODO: check
+ NOT-FOR-US: Pharmacy System
CVE-2007-3433 (SQL injection vulnerability in index.php in Pharmacy System 2 and ...)
- TODO: check
+ NOT-FOR-US: Pharmacy System
CVE-2007-3432 (Unrestricted file upload vulnerability in admin/images.php in Pluxml ...)
- TODO: check
+ NOT-FOR-US: Pluxml
CVE-2007-3431 (PHP remote file inclusion vulnerability in cal.func.php in Valerio ...)
- TODO: check
+ NOT-FOR-US: Dagger
CVE-2007-3430 (SQL injection vulnerability in index.php in Simple Invoices 2007 05 25 ...)
- TODO: check
+ NOT-FOR-US: Simple Invoices
CVE-2007-3429 (Unrestricted file upload vulnerability in signup.php in e107 0.7.8 and ...)
- TODO: check
+ NOT-FOR-US: e107
CVE-2007-3428 (Multiple unspecified vulnerabilities in phpTrafficA before 1.4.2 allow ...)
- TODO: check
+ NOT-FOR-US: phpTrafficA
CVE-2007-3427 (SQL injection vulnerability in index.php in phpTrafficA 1.4.2 and ...)
- TODO: check
+ NOT-FOR-US: phpTrafficA
CVE-2007-3426 (Cross-site scripting (XSS) vulnerability in index.php in phpTrafficA ...)
- TODO: check
+ NOT-FOR-US: phpTrafficA
CVE-2007-3425 (Directory traversal vulnerability in index.php in phpTrafficA 1.4.2 ...)
- TODO: check
+ NOT-FOR-US: phpTrafficA
CVE-2007-3424 (The moveim function in cgi-bin/cgi-lib/instantmessage.pl in ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3423 (cgi-bin/cgi-lib/instantmessage.pl in web-app.org WebAPP before 0.9.9.7 ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3422 (The getcgi function in cgi-bin/cgi-lib/subs.pl in web-app.org WebAPP ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3421 (The (1) login, (2) admin profile edit, (3) reminder, (4) edit profile, ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3420 (The Random Cookie Password functionality in the loaduser function in ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3419 (The editprofile3 function in cgi-bin/cgi-lib/user.pl in web-app.org ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3418 (The displaypost function in cgi-bin/cgi-lib/forum_display.pl in ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3417 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3416 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
- TODO: check
+ NOT-FOR-US: WebAPP
CVE-2007-3415 (Multiple SQL injection vulnerabilities in index.php in phpRaider 1.0.0 ...)
- TODO: check
+ NOT-FOR-US: phpRaider
CVE-2007-3414 (Multiple cross-site scripting (XSS) vulnerabilities in access2asp 4.5 ...)
- TODO: check
+ NOT-FOR-US: access2asp
CVE-2007-3413 (Multiple cross-site scripting (XSS) vulnerabilities in bosDataGrid ...)
- TODO: check
+ NOT-FOR-US: bosDataGrid
CVE-2007-3412 (Cross-site scripting (XSS) vulnerability in edit_image.asp in ...)
- TODO: check
+ NOT-FOR-US: ClickGallery Server
CVE-2007-3411 (SQL injection vulnerability in edit_image.asp in ClickGallery Server ...)
- TODO: check
+ NOT-FOR-US: ClickGallery Server
CVE-2007-3410 (Buffer overflow in the wallclock functionality ...)
- helix-player <not-affected> (Debian versions of Helix player not affected according to maintainer)
CVE-2007-3409 (Net::DNS before 0.60, a Perl module, allows remote attackers to cause ...)
@@ -95,33 +95,34 @@ CVE-2007-3409 (Net::DNS before 0.60, a Perl module, allows remote attackers to c
CVE-2007-3408 (Multiple unspecified vulnerabilities in Dia before 0.96.1-6 have ...)
TODO: check
CVE-2007-3407 (Sergey Lyubka Simple HTTPD (shttpd) 1.38 allows remote attackers to ...)
- TODO: check
+ NOT-FOR-US: Simple HTTPD
CVE-2007-3406 (Multiple absolute path traversal vulnerabilities in Microsoft Internet ...)
TODO: check
CVE-2007-3405 (Multiple cross-site scripting (XSS) vulnerabilities in defter_yaz.asp ...)
- TODO: check
+ NOT-FOR-US: Lebisoft zdefter
CVE-2007-3404 (Directory traversal vulnerability in ShowImage.php in SiteDepth CMS ...)
- TODO: check
+ NOT-FOR-US: SiteDepth CMS
CVE-2007-3403 (Unrestricted file upload vulnerability in upload.php in dreamLog (aka ...)
- TODO: check
+ NOT-FOR-US: dreamLog
CVE-2007-3402 (SQL injection vulnerability in index.php in pagetool 1.07 allows ...)
- TODO: check
+ NOT-FOR-US: pagetool
CVE-2007-3401 (PHP remote file inclusion vulnerability in footer.inc.php in B1G b1gBB ...)
- TODO: check
+ NOT-FOR-US: B1GBB
CVE-2007-3400 (The NCTAudioEditor2 ActiveX control in NCTWMAFile2.dll 2.6.2.157 ...)
TODO: check
CVE-2007-3399 (SQL injection vulnerability in include/get_userdata.php in Power ...)
- TODO: check
+ NOT-FOR-US: Power Phlogger
CVE-2007-3398 (LiteWEB 2.7 allows remote attackers to cause a denial of service ...)
- TODO: check
+ NOT-FOR-US: LiveWEB
CVE-2007-3397 (The web container in IBM WebSphere Application Server (WAS) before ...)
- TODO: check
+ NOT-FOR-US: IBM WebSphere Application Server
CVE-2007-3396 (Cross-site scripting (XSS) vulnerability in index.wkf in KeyFocus (KF) ...)
- TODO: check
+ NOT-FOR-US: KeyFocus
CVE-2007-3395 (Directory traversal vulnerability in session.rb in Hiki 0.8.0 through ...)
- TODO: check
+ - hiki 0.8.7-1 (bug #430691; medium)
+ NOTE: Duplicate of CVE-2007-2836
CVE-2007-3394 (Multiple SQL injection vulnerabilities in eNdonesia 8.4 allow remote ...)
- TODO: check
+ NOT-FOR-US: eNdonesia
CVE-2007-3388
RESERVED
CVE-2007-3387
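Review bot: the NOT-FOR-US tag for CVE-2007-3398 misspells the product: the description reads "LiteWEB 2.7" but the tag says `NOT-FOR-US: LiveWEB`; suggest `NOT-FOR-US: LiteWEB` so that searches on the product name match.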
@@ -151,11 +152,11 @@ CVE-2007-3377 (Header.pm in Net::DNS before 0.60, a Perl module, (1) generates .
CVE-2007-3376 (Buffer overflow in Apple Safari 3.0.2 on Windows XP SP2 allows ...)
TODO: check
CVE-2007-3375 (Stack-based buffer overflow in Lhaca File Archiver allows ...)
- TODO: check
+ NOT-FOR-US: Lhaca
CVE-2007-3374 (Buffer overflow in cluster/cman/daemon/daemon.c in cman ...)
- TODO: check
+ - redhat-cluster <unfixed> (medium)
CVE-2007-3373 (daemon.c in cman (redhat-cluster-suite) before 20070622 does not clear ...)
- TODO: check
+ - redhat-cluster <unfixed> (low)
CVE-2007-3389 (Wireshark before 0.99.6 allows remote attackers to cause a denial of ...)
- wireshark 0.99.6pre1-1
[etch] - wireshark <not-affected> (Only affected 0.99.5)
@@ -182,9 +183,9 @@ CVE-2007-3372 (The Avahi daemon in Avahi before 0.6.20 allows attackers to cause
- avahi <unfixed> (low)
[etch] - avahi <no-dsa> (Minor issue, only affects local users)
CVE-2007-3371 (PHP remote file inclusion vulnerability in ...)
- TODO: check
+ NOT-FOR-US: Powl
CVE-2007-3370 (Multiple PHP remote file inclusion vulnerabilities in Sun Board ...)
- TODO: check
+ NOT-FOR-US: Sun Board
CVE-2007-3369 (Buffer overflow in the Polycom SoundPoint IP 601 SIP phone with ...)
NOT-FOR-US: Polycom SoundPoint IP 601 SIP phone
CVE-2007-3368 (Buffer overflow in the HTTP server on the Polycom SoundPoint IP 601 ...)
@@ -204,7 +205,7 @@ CVE-2007-3362 (ageet AGEphone before 1.6.2, running on Windows Mobile 5 on the H
CVE-2007-3361 (The Nortel PC Client SIP Soft Phone 4.1 3.5.208[20051015] allows ...)
NOT-FOR-US: Nortel PC Client SIP Soft Phone
CVE-2007-3360 (hook.c in BitchX 1.1-final allows remote IRC servers to execute ...)
- TODO: check
+ - ircii-pana <unfixed> (low)
CVE-2007-3359 (Multiple PHP remote file inclusion vulnerabilities in SerWeb 0.9.6 and ...)
NOT-FOR-US: SerWeb
CVE-2007-3358 (PHP remote file inclusion vulnerability in html/load_lang.php in ...)
@@ -218,11 +219,11 @@ CVE-2007-3355 (Multiple cross-site scripting (XSS) vulnerabilities in NetClassif
CVE-2007-3354 (Multiple SQL injection vulnerabilities in NetClassifieds Premium ...)
NOT-FOR-US: NetClassifieds Premium Edition
CVE-2007-3353 (** DISPUTED ** ...)
- TODO: check
+ NOT-FOR-US: MyEvent
CVE-2007-3352 (Cross-site scripting (XSS) vulnerability in the preview form in ...)
NOT-FOR-US: Stephen Ostermiller Contact Form
CVE-2007-3351 (The SJPhone SIP soft phone 1.60.303c, when installed on the Dell Axim ...)
- TODO: check
+ NOT-FOR-US: SJPhone SIP
CVE-2007-3350 (AOL Instant Messenger (AIM) 6.1.32.1 on Windows XP allows remote ...)
NOT-FOR-US: AIM
CVE-2007-3349 (The Aastra 9112i SIP Phone with firmware 1.4.0.1048 and boot version ...)
@@ -240,11 +241,11 @@ CVE-2007-3344 (Multiple cross-site scripting (XSS) vulnerabilities in netjukebox
CVE-2007-3343 (Cross-site scripting (XSS) vulnerability in RaidenHTTPD before 2.0.14 ...)
NOT-FOR-US: RaidenHTTPD
CVE-2007-3342 (Multiple cross-site scripting (XSS) vulnerabilities in Movable Type ...)
- TODO: check
+ NOT-FOR-US: Movable Type
CVE-2007-3341 (Unspecified vulnerability in the FTP implementation in Microsoft ...)
NOT-FOR-US: Microsoft
CVE-2007-3340 (HTTP SERVER 1.6.2 allows remote attackers to cause a denial of service ...)
- TODO: check
+ NOT-FOR-US: HTTP Server 1.6.2
CVE-2007-3339 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
NOT-FOR-US: ColdFusion
CVE-2007-3338 (Multiple buffer stack-based overflows in Ingres database server 2006 ...)
@@ -260,7 +261,7 @@ CVE-2007-3334 (Multiple heap-based buffer overflows in the (1) Communications Se
CVE-2007-3333
RESERVED
CVE-2007-3332 (Directory traversal vulnerability in Satellite.php in Satel Lite for ...)
- TODO: check
+ NOT-FOR-US: Satel Lite for PhpNuke
CVE-2007-3331 (Cross-site request forgery (CSRF) vulnerability in STphp EasyNews PRO ...)
NOT-FOR-US: STphp EasyNews PRO
CVE-2007-3330 (Cross-site scripting (XSS) vulnerability in STphp EasyNews PRO 4.0 ...)
@@ -268,13 +269,13 @@ CVE-2007-3330 (Cross-site scripting (XSS) vulnerability in STphp EasyNews PRO 4.
CVE-2007-3329 (Multiple array index errors in the (1) get_intra_block, (2) ...)
TODO: check
CVE-2007-3328 (Multiple cross-site scripting (XSS) vulnerabilities in Interact 2.4 ...)
- TODO: check
+ NOT-FOR-US: Interact
CVE-2007-3327 (httpsv.exe in HTTP Server 1.6.2 allows remote attackers to obtain ...)
- TODO: check
+ NOT-FOR-US: HTTP Server 1.6.2
CVE-2007-3326 (Multiple directory traversal vulnerabilities in vBulletin 3.x.x allow ...)
NOT-FOR-US: vBulletin
CVE-2007-3325 (PHP remote file inclusion vulnerability in lib/language.php in LAN ...)
- TODO: check
+ NOT-FOR-US: LAN Management System
CVE-2007-3324 (Multiple cross-site scripting (XSS) vulnerabilities in Comersus Cart ...)
NOT-FOR-US: Comersus Cart
CVE-2007-3323 (SQL injection vulnerability in comersus_optReviewReadExec.asp in ...)
@@ -334,9 +335,9 @@ CVE-2007-3302
CVE-2007-3301 (SQL injection vulnerability in forum/include/error/autherror.cfm in ...)
NOT-FOR-US: FuseTalk
CVE-2007-3300 (Multiple F-Secure anti-virus products for Microsoft Windows and Linux ...)
- TODO: check
+ NOT-FOR-US: F-Secure
CVE-2007-3299 (Cross-site scripting (XSS) vulnerability in AWFFull before 3.7.4, when ...)
- TODO: check
+ - awffull 3.7.4final-1 (low)
CVE-2007-3298 (SQL injection vulnerability in Spey before 0.4.1 allows remote ...)
NOT-FOR-US: Spey
CVE-2007-3297 (Multiple PHP remote file inclusion vulnerabilities in Musoo 0.21 allow ...)
@@ -344,35 +345,39 @@ CVE-2007-3297 (Multiple PHP remote file inclusion vulnerabilities in Musoo 0.21
CVE-2007-3296 (The ThunderServer.webThunder.1 ActiveX control in xunlei Web ...)
TODO: check
CVE-2007-3295 (Directory traversal vulnerability in Yet another Bulletin Board (YaBB) ...)
- TODO: check
+ NOT-FOR-US: YaBB
CVE-2007-3294 (Multiple buffer overflows in the Tidy extension for PHP 5.2.3 allow ...)
TODO: check
CVE-2007-3293 (SQL injection vulnerability in categoria.php in LiveCMS 3.4 and ...)
- TODO: check
+ NOT-FOR-US: LiveCMS
CVE-2007-3292 (Unrestricted file upload vulnerability in LiveCMS 3.4 and earlier ...)
- TODO: check
+ NOT-FOR-US: LiveCMS
CVE-2007-3291 (Cross-site scripting (XSS) vulnerability in LiveCMS 3.4 and earlier ...)
- TODO: check
+ NOT-FOR-US: LiveCMS
CVE-2007-3290 (categoria.php in LiveCMS 3.4 and earlier allows remote attackers to ...)
- TODO: check
+ NOT-FOR-US: LiveCMS
CVE-2007-3289 (PHP remote file inclusion vulnerability in spaw/spaw_control.class.php ...)
- TODO: check
+ NOT-FOR-US: WiwiMod for XOOPS
CVE-2007-3288 (Cross-site scripting (XSS) vulnerability in the skeltoac stats ...)
- TODO: check
+ NOT-FOR-US: skeltoac stats plugin for WordPress
CVE-2007-3287
RESERVED
CVE-2007-3286
RESERVED
CVE-2007-3285 (Mozilla Firefox allows remote attackers to bypass file type checks via ...)
- TODO: check
+ - iceweasel <unfixed> (medium)
+ - iceape <unfixed> (medium)
+ - firefox <removed> (medium)
+ - mozilla <removed> (medium)
+ - xulrunner <unfixed> (medium)
CVE-2007-3284 (corefoundation.dll in Apple Safari 3.0.1 (552.12.2) for Windows allows ...)
- TODO: check
+ NOT-FOR-US: Apple Safari
CVE-2007-3283 (GNOME XScreenSaver in Sun Solaris 8 and 9 before 20070417, when root ...)
- TODO: check
+ - xscreensaver <not-affected> (Not a security issue: works as documented)
CVE-2007-3282 (Buffer overflow in the Microsoft Office MSODataSourceControl ActiveX ...)
TODO: check
CVE-2007-3281 (Cross-site scripting (XSS) vulnerability in index.php in Php Hosting ...)
- TODO: check
+ NOT-FOR-US: Php Hosting Biller
CVE-2007-3280 (The Database Link library (dblink) in PostgreSQL 8.1 implements ...)
TODO: check
CVE-2007-3279 (PostgreSQL 8.1 and probably later versions, when the PL/pgSQL ...)
@@ -380,43 +385,43 @@ CVE-2007-3279 (PostgreSQL 8.1 and probably later versions, when the PL/pgSQL ...
CVE-2007-3278 (PostgreSQL 8.1 and probably later versions, when local trust ...)
TODO: check
CVE-2007-3277 (Unspecified vulnerability in the localization before 1.2 module for ...)
- TODO: check
+ NOT-FOR-US: localization module for WIKINDX
CVE-2007-3276 (Cross-site scripting (XSS) vulnerability in index.php in Site@School ...)
- TODO: check
+ NOT-FOR-US: Site
CVE-2007-3275 (MailWasher Server before 2.2.1, when used with LDAP or Active ...)
- TODO: check
+ NOT-FOR-US: MailWasher Server
CVE-2007-3274 (Apple Safari 3.0 and 3.0.1 on Windows XP SP2 allows attackers to cause ...)
TODO: check
CVE-2007-3273 (SQL injection vulnerability in index.cfm in FuseTalk 2.0 allows remote ...)
- TODO: check
+ NOT-FOR-US: FuseTalk
CVE-2007-3272 (Directory traversal vulnerability in index.php in MiniBB 2.0.5 allows ...)
- TODO: check
+ NOT-FOR-US: MiniBB
CVE-2007-3271 (PHP remote file inclusion vulnerability in ...)
- TODO: check
+ NOT-FOR-US: YourFreeScreamer
CVE-2007-3270 (PHP remote file inclusion vulnerability in Includes/global.inc.php in ...)
- TODO: check
+ NOT-FOR-US: phpMyInventory
CVE-2007-3269 (Multiple cross-site scripting (XSS) vulnerabilities in Papoo Light 3.6 ...)
- TODO: check
+ NOT-FOR-US: Papoo Light
CVE-2007-3268
RESERVED
CVE-2007-3267 (Cross-site scripting (XSS) vulnerability in low.php in Fuzzylime Forum ...)
- TODO: check
+ NOT-FOR-US: Fuzzylime Forum
CVE-2007-3266 (Directory traversal vulnerability in webif.cgi in ifnet WEBIF allows ...)
- TODO: check
+ NOT-FOR-US: WEBIF
CVE-2007-3265 (Cross-site scripting (XSS) vulnerability in the Samples component in ...)
- TODO: check
+ NOT-FOR-US: IBM WebSphere Application Server
CVE-2007-3264 (Unspecified vulnerability in the PD tools component in IBM WebSphere ...)
- TODO: check
+ NOT-FOR-US: IBM WebSphere Application Server
CVE-2007-3263 (Unspecified vulnerability in the Default Messaging Component in IBM ...)
- TODO: check
+ NOT-FOR-US: IBM WebSphere Application Server
CVE-2007-3262 (Unspecified vulnerability in the Default Messaging Component in IBM ...)
- TODO: check
+ NOT-FOR-US: IBM WebSphere Application Server
CVE-2007-3261 (Cross-site scripting (XSS) vulnerability in widgets/widget_search.php ...)
- TODO: check
+ NOT-FOR-US: dKret
CVE-2007-3260 (HP System Management Homepage (SMH) before 2.1.9 for Linux, when used ...)
- TODO: check
+ NOT-FOR-US: HP System Management Homepage
CVE-2007-3259 (Calendarix 0.7.20070307 allows remote attackers to obtain sensitive ...)
- TODO: check
+ NOT-FOR-US: Calendarix
CVE-2007-3258
RESERVED
CVE-2007-3257 (Camel (camel-imap-folder.c) in the mailer component for Evolution Data ...)
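Review bot: the NOT-FOR-US tag for CVE-2007-3276 is truncated to `NOT-FOR-US: Site`, while the description names the product Site@School; the `@` was probably dropped, so write `NOT-FOR-US: Site@School` (or confirm that the list parser accepts an `@` in that field).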
@@ -430,23 +435,23 @@ CVE-2007-3255
CVE-2007-3254
RESERVED
CVE-2007-3253 (Multiple unspecified vulnerabilities in Astaro Security Gateway (ASG) ...)
- TODO: check
+ NOT-FOR-US: Astaro Security Gateway
CVE-2007-3252 (PortalApp stores sensitive information under the web root with ...)
- TODO: check
+ NOT-FOR-US: PortalApp
CVE-2007-3251 (Multiple directory traversal vulnerabilities in e-Vision CMS 2.02 and ...)
- TODO: check
+ NOT-FOR-US: e-Vision CMS
CVE-2007-3250 (SQL injection vulnerability in mod_banners.php in Elxis CMS before ...)
- TODO: check
+ NOT-FOR-US: Elxis CMS
CVE-2007-3249 (Cross-site scripting (XSS) vulnerability in mod_lettermansubscribe.php ...)
- TODO: check
+ NOT-FOR-US: Letterman Subscriber
CVE-2007-3248 (Unspecified vulnerability in Sun Solaris 10 before 20070614, when IPv6 ...)
- TODO: check
+ NOT-FOR-US: Sun Solaris
CVE-2007-3247 (SQL injection vulnerability in VirtueMart before 1.0.11 allows remote ...)
- TODO: check
+ NOT-FOR-US: VirtueMart
CVE-2007-3246 (The do_set_password function in modules/chanserv/set.c in IRC Services ...)
- TODO: check
+ NOT-FOR-US: IRC Services
CVE-2007-3245 (IRC Services before 5.0.62, and 5.1 before 5.1pre3, allows remote ...)
- TODO: check
+ NOT-FOR-US: IRC Services
CVE-2007-3244 (SQL injection vulnerability in bb-includes/formatting-functions.php in ...)
NOT-FOR-US: bbPress
CVE-2007-3243 (Cross-site scripting (XSS) vulnerability in bb-login.php in bbPress ...)
@@ -460,7 +465,7 @@ CVE-2007-3240 (Cross-site scripting (XSS) vulnerability in 404.php in the ...)
CVE-2007-3239 (Cross-site scripting (XSS) vulnerability in searchform.php in the ...)
NOT-FOR-US: AndyBlue theme for WordPress
CVE-2007-3238 (Cross-site scripting (XSS) vulnerability in functions.php in the ...)
- TODO: check
+ - wordpress <unfixed> (low)
CVE-2007-3237 (PHP remote file inclusion vulnerability in ...)
NOT-FOR-US: XOOPS
CVE-2007-3236 (PHP remote file inclusion vulnerability in footer.php in the Horoscope ...)
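Review bot: CVE-2007-3238 is assigned to the wordpress package, but its description is truncated to "functions.php in the ..." and the adjacent CVE-2007-3239 and CVE-2007-3240 are WordPress theme issues marked NOT-FOR-US; confirm the affected functions.php is in WordPress core rather than a theme before keeping `- wordpress <unfixed> (low)`.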
@@ -537,7 +542,7 @@ CVE-2007-3209 (Mail Notification 4.0, when WITH_SSL is set to 0 at compile time,
CVE-2007-3208 (CRLF injection vulnerability in Yet another Bulletin Board (YaBB) 2.1 ...)
NOT-FOR-US: YaBB
CVE-2007-3207 (Buffer overflow in the NFS mount daemon (XNFS.NLM) in Novell NetWare ...)
- TODO: check
+ NOT-FOR-US: Novell NetWare
CVE-2007-3206
RESERVED
CVE-2007-3205 (The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Subhosin, ...)
@@ -587,11 +592,11 @@ CVE-2007-3185 (Apple Safari Beta 3.0.1 for Windows public beta allows remote ...
CVE-2007-3184 (Cisco Trust Agent (CTA) before 2.1.104.0, when running on MacOS X, ...)
NOT-FOR-US: Cisco
CVE-2007-3183 (Multiple SQL injection vulnerabilities in Calendarix 0.7.20070307, ...)
- TODO: check
+ NOT-FOR-US: Calendarix
CVE-2007-3182 (Multiple cross-site scripting (XSS) vulnerabilities in Calendarix ...)
- TODO: check
+ NOT-FOR-US: Calendarix
CVE-2007-3181 (Buffer overflow in fbserver.exe in Firebird SQL 2 before 2.0.1 allows ...)
- TODO: check
+ - firebird2 <unfixed> (medium)
CVE-2007-3180 (Buffer overflow in Help and Support Center before 4.4 C on HP Windows ...)
NOT-FOR-US: HP
CVE-2007-3179 (Multiple SQL injection vulnerabilities in archives.php in Particle ...)
@@ -660,7 +665,7 @@ CVE-2007-3151 (rpttop.htm in the web management interface in Packeteer PacketSha
CVE-2007-3150 (Google Desktop allows user-assisted remote attackers to execute ...)
NOT-FOR-US: Google Desktop
CVE-2007-3149 (sudo, when linked with MIT Kerberos 5 (krb5), does not properly check ...)
- TODO: check
+ - sudo <not-affected> (Not linked with krb5)
CVE-2007-3148 (Buffer overflow in the Yahoo! Webcam Viewer ActiveX control in ...)
NOT-FOR-US: Yahoo! Webcam Viewer
CVE-2007-3147 (Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ...)
@@ -704,11 +709,11 @@ CVE-2007-3131 (Cross-site scripting (XSS) vulnerability in add_comment.php in Li
CVE-2007-3130 (Multiple PHP remote file inclusion vulnerabilities in the OpenWiki ...)
NOT-FOR-US: OpenWiki
CVE-2007-3129 (Cross-site scripting (XSS) vulnerability in login.php in Utopia News ...)
- TODO: check
+ NOT-FOR-US: Utopia News Pro
CVE-2007-3128 (SQL injection vulnerability in content.php in WSPortal 1.0, when ...)
- TODO: check
+ NOT-FOR-US: WSPortal
CVE-2007-3127 (content.php in WSPortal 1.0, when magic_quotes_gpc is disabled, allows ...)
- TODO: check
+ NOT-FOR-US: WSPortal
CVE-2007-3126 (Gimp 2.3.14 allows context-dependent attackers to cause a denial of ...)
- gimp <unfixed> (unimportant)
CVE-2007-3125
@@ -773,7 +778,7 @@ CVE-2007-3103
CVE-2007-3102
RESERVED
CVE-2007-3101 (Multiple cross-site scripting (XSS) vulnerabilities in certain JSF ...)
- TODO: check
+ NOT-FOR-US: Apache MyFaces Tomahawk
CVE-2007-3100 (usr/log.c in iscsid in open-iscsi (iscsi-initiator-utils) before ...)
{DSA-1314-1}
- open-iscsi 2.0.865-1 (low; bug #429225)
@@ -797,9 +802,17 @@ CVE-2007-3092 (Microsoft Internet Explorer 6 allows remote attackers to spoof th
CVE-2007-3091 (Race condition in Microsoft Internet Explorer 6 and 7 allows remote ...)
NOT-FOR-US: Microsoft Internet Explorer
CVE-2007-3090 (Mozilla Firefox does not properly manage a delay timer used in ...)
- TODO: check
+ - iceweasel <unfixed> (medium)
+ - iceape <unfixed> (medium)
+ - firefox <removed> (medium)
+ - mozilla <removed> (medium)
+ - xulrunner <unfixed> (medium)
CVE-2007-3089 (Mozilla Firefox does not prevent use of document.write to replace an ...)
- TODO: check
+ - iceweasel <unfixed> (low)
+ - iceape <unfixed> (low)
+ - firefox <removed> (low)
+ - mozilla <removed> (low)
+ - xulrunner <unfixed> (low)
CVE-2007-3088 (SQL injection vulnerability in index.php in Comicsense allows remote ...)
NOT-FOR-US: Comicsense
CVE-2007-3087 (Peercast places a cleartext password in a query string, which might ...)
@@ -829,11 +842,16 @@ CVE-2007-3076 (A certain ActiveX control in sasatl.dll in Zenturi ProgramChecker
CVE-2007-3075 (Directory traversal vulnerability in Microsoft Internet Explorer ...)
NOT-FOR-US: Microsoft Internet Explorer
CVE-2007-3074 (Mozilla Firefox 2.0.0.4 and earlier allows remote attackers to read ...)
- TODO: check
+ - iceweasel <unfixed> (low)
+ - iceape <unfixed> (low)
+ - firefox <removed> (low)
+ - mozilla <removed> (low)
+ - xulrunner <unfixed> (low)
CVE-2007-3073 (Directory traversal vulnerability in Mozilla Firefox 2.0.0.4 and ...)
TODO: check
CVE-2007-3072 (Directory traversal vulnerability in Mozilla Firefox before 2.0.0.4 on ...)
- TODO: check
+ - iceweasel <not-affected>
+ NOTE: Windows only
CVE-2007-3071 (Buffer overflow in the GetWebStoreURL function in a certain ActiveX ...)
NOT-FOR-US: eSellerate
CVE-2007-3070 (Cross-site scripting (XSS) vulnerability in index.php in BDigital Web ...)
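Review bot: CVE-2007-3072 lists only `iceweasel <not-affected>` with `NOTE: Windows only`, whereas the other Firefox entries in this patch (CVE-2007-3074, CVE-2007-3089, CVE-2007-3090, CVE-2007-3285) also list iceape, firefox, mozilla and xulrunner; if the issue is Windows-only those packages should carry the same not-affected marking. CVE-2007-3073 (directory traversal in Mozilla Firefox 2.0.0.4, right between them) is left at `TODO: check` and likely needs the same triage.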
@@ -865,7 +883,7 @@ CVE-2007-3058 (Multiple PHP remote file inclusion vulnerabilities in Madirish We
CVE-2007-3057 (PHP remote file inclusion vulnerability in ...)
NOT-FOR-US: XOOPS
CVE-2007-3056 (Cross-site scripting (XSS) vulnerability in filedetails.php in WebSVN ...)
- TODO: check
+ - websvn <unfixed> (low)
CVE-2007-3055 (Cross-site scripting (XSS) vulnerability in index.php in Codelib ...)
NOT-FOR-US: Codelib Linker
CVE-2007-3054 (Cross-site scripting (XSS) vulnerability in search.php in Codelib ...)
@@ -969,9 +987,11 @@ CVE-2007-3007 (PHP 5 before 5.2.3 does not enforce the open_basedir or safe_mode
CVE-2007-3006 (Buffer overflow in Acoustica MP3 CD Burner 4.32 allows user-assisted ...)
NOT-FOR-US: Acoustica MP3 CD Burner
CVE-2007-3005 (Unspecified vulnerability in the Sun Java Runtime Environment in JDK ...)
- TODO: check
+ - sun-java5 1.5.0-11-1 (low)
+ - sun-java6 <unfixed> (low)
CVE-2007-3004 (Buffer overflow in the image parsing implementation in the Sun Java ...)
- TODO: check
+ - sun-java5 1.5.0-11-1 (medium)
+ - sun-java6 <unfixed> (medium)
CVE-2007-3003 (Multiple SQL injection vulnerabilities in myBloggie 2.1.6 and earlier ...)
NOT-FOR-US: myBloggie
CVE-2007-3002 (PHP JackKnife (PHPJK) allows remote attackers to obtain sensitive ...)
@@ -1084,7 +1104,7 @@ CVE-2007-2953
CVE-2007-2952
RESERVED
CVE-2007-2951 (The parseIrcUrl function in src/kvirc/kernel/kvi_ircurl.cpp in KVIrc ...)
- TODO: check
+ - kvirc <unfixed> (medium)
CVE-2007-2950
RESERVED
CVE-2007-2949
@@ -1355,7 +1375,7 @@ CVE-2007-2838
RESERVED
CVE-2007-2837
RESERVED
-CVE-2007-2836 [hiki file delition vulnerability]
+CVE-2007-2836 [hiki file deletion vulnerability]
RESERVED
- hiki 0.8.7-1 (bug #430691; medium)
CVE-2007-2835
@@ -1809,7 +1829,8 @@ CVE-2007-2633 (Directory traversal vulnerability in H-Sphere SiteStudio 1.6 allo
CVE-2007-2632 (Multiple cross-site scripting (XSS) vulnerabilities in PHP Multi User ...)
NOT-FOR-US: phpMUR
CVE-2007-2631 (Cross-site request forgery (CSRF) vulnerability in SquirrelMail ...)
- TODO: check
+ - squirrelmail 2:1.4.10a-1 (low)
+ NOTE: this is likely a duplicate of CVE-2007-2589
CVE-2007-2630 (Incomplete blacklist vulnerability in ...)
NOT-FOR-US: ActiveCampaign products
CVE-2007-2629 (Bradford CampusManager Network Control Application Server 3.1(6) ...)
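Review bot: the NOTE on CVE-2007-2631 ("this is likely a duplicate of CVE-2007-2589") uses different wording from the duplicate note added for CVE-2007-3395 in this patch (`NOTE: Duplicate of CVE-2007-2836`); using the same form keeps duplicate entries easy to grep for, and if the duplication is confirmed the fixed version should match the CVE-2007-2589 entry.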
@@ -1859,7 +1880,7 @@ CVE-2007-2608 (PHP remote file inclusion vulnerability in ...)
CVE-2007-2607 (PHP remote file inclusion vulnerability in views/print/printbar.php in ...)
NOT-FOR-US: LaVague
CVE-2007-2606 (Multiple buffer overflows in Firebird 2.1 allow attackers to trigger ...)
- TODO: check
+ - firebird2 <unfixed> (low)
CVE-2007-2605 (Unspecified vulnerability in the GetPropertyById function in ...)
NOT-FOR-US: Brujula Toolbar
CVE-2007-2604 (Unspecified vulnerability in the FlexLabel ActiveX control allows ...)
@@ -2034,7 +2055,7 @@ CVE-2007-2522 (Stack-based buffer overflow in the inoweb Console Server in CA ..
CVE-2007-2521 (PHP remote file inclusion vulnerability in common.php in E-GADS! 2.2.6 ...)
NOT-FOR-US: E-GADS!
CVE-2007-2520 (SQL injection vulnerability in admin.php in MyNews 0.10, when ...)
- TODO: check
+ NOT-FOR-US: MyNews
CVE-2007-2519 (Directory traversal vulnerability in the installer in PEAR 1.0 through ...)
TODO: check
CVE-2007-2518
@@ -2188,9 +2209,13 @@ CVE-2007-2451 (Unspecified vulnerability in drivers/crypto/geode-aes.c in GEODE-
- linux-2.6 2.6.21-3
[etch] - linux-2.6 <not-affected> (Vulnerable code not present, introduced in 2.6.20)
CVE-2007-2450 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager ...)
- TODO: check
+ - tomcat4 <removed> (low)
+ - tomcat5 <unfixed> (low)
+ - tomcat5.5 <unfixed> (low)
CVE-2007-2449 (Multiple cross-site scripting (XSS) vulnerabilities in certain JSP ...)
- TODO: check
+ - tomcat4 <removed> (low)
+ - tomcat5 <unfixed> (low)
+ - tomcat5.5 <unfixed> (low)
CVE-2007-2448 (Subversion 1.4.3 and earlier does not properly implement the &quot;partial ...)
- subversion 1.4.4dfsg1-1 (bug #428194; low)
CVE-2007-2447 (The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 ...)
@@ -2312,7 +2337,7 @@ CVE-2007-2400 (Race condition in Apple Safari 3 Beta before 3.0.2 on Mac OS X, .
CVE-2007-2399 (WebKit in Apple Mac OS X 10.3.9, and 10.4.9 and later performs an ...)
TODO: check
CVE-2007-2398 (Apple Safari 3.0.1 beta (522.12.12) on Windows allows remote attackers ...)
- TODO: check
+ NOT-FOR-US: Apple Safari
CVE-2007-2397
RESERVED
CVE-2007-2396