php4 adv; remove never released kdelibs adv

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@5915 e39458fd-73e7-0310-bf30-c45bca0a0e42

3 files changed, 59 insertions, 16 deletions

diff --git a/data/DTSA/advs/39-qemu.adv b/data/DTSA/advs/39-qemu.adv
index 8e349cc2fb..75f07af4be 100644
--- a/data/DTSA/advs/39-qemu.adv
+++ b/data/DTSA/advs/39-qemu.adv
@@ -1,4 +1,4 @@
-source: samba
+source: qemu
 date: May 24th, 2007
 author: Stefan Fritsch
 vuln-type: several vulnerabilities
diff --git a/data/DTSA/advs/40-php4.adv b/data/DTSA/advs/40-php4.adv
new file mode 100644
index 0000000000..1a269346ab
--- /dev/null
+++ b/data/DTSA/advs/40-php4.adv
@@ -0,0 +1,58 @@
+source: php4
+date: May 24th, 2007
+author: Stefan Fritsch
+vuln-type: several vulnerabilities
+problem-scope: remote
+debian-specifc: no
+cve: CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1583 CVE-2007-1718 CVE-2007-1777 CVE-2007-2509
+vendor-advisory: 
+testing-fix: 6:4.4.4-9lenny1
+sid-fix: 6:4.4.6-2
+upgrade: apt-get upgrade
+
+IMPORTANT NOTE: 
+    php4 will be removed from testing (lenny); thus you are strongly
+    advised to migrate to php5. If you cannot upgrade, you should
+    consider using the stable distribution (etch) instead.
+
+Several remote vulnerabilities have been discovered in PHP, a
+server-side, HTML-embedded scripting language, which may lead to the
+execution of arbitrary code. The Common Vulnerabilities and Exposures
+project identifies the following problems:
+
+CVE-2007-1286
+    Stefan Esser discovered an overflow in the object reference handling
+    code of the unserialize() function, which allows the execution of
+    arbitrary code if malformed input is passed from an application.
+
+CVE-2007-1380
+    Stefan Esser discovered that the session handler performs
+    insufficient validation of variable name length values, which allows
+    information disclosure through a heap information leak.
+
+CVE-2007-1521
+    Stefan Esser discovered a double free vulnerability in the
+    session_regenerate_id() function, which allows the execution of
+    arbitrary code. 
+
+CVE-2007-1538
+    Stefan Esser discovered that the mb_parse_str function sets the internal
+    register_globals flag and does not disable it in certain cases when a script
+    terminates, which allows remote attackers to invoke available PHP scripts with
+    register_globals functionality that is not detectable by these scripts
+
+CVE-2007-1718
+    Stefan Esser discovered that the mail() function performs
+    insufficient validation of folded mail headers, which allows mail
+    header injection.
+
+CVE-2007-1777
+    Stefan Esser discovered that the extension to handle ZIP archives
+    performs insufficient length checks, which allows the execution of
+    arbitrary code.
+
+CVE-2007-2509
+    It was discovered that the ftp extension of PHP, a server-side,
+    HTML-embedded scripting language performs insufficient input sanitising,
+    which permits an attacker to execute arbitrary FTP commands. This
+    requires the attacker to already have access to the FTP server.
diff --git a/data/DTSA/advs/44-kdelibs.adv b/data/DTSA/advs/44-kdelibs.adv
deleted file mode 100644
index e3fd2d3b7d..0000000000
--- a/data/DTSA/advs/44-kdelibs.adv
+++ /dev/null
@@ -1,15 +0,0 @@
-source: kdelibs
-date: September 13th, 2005
-author: Moritz Muehlenhoff
-vuln-type: insecure default permissions
-problem-scope: local
-debian-specifc: no
-cve: CVE-2005-1920
-vendor-advisory: 
-testing-fix: 4:3.3.2-6.1etch1
-sid-fix: 4:3.4.2-1
-upgrade: apt-get install kdelibs4
-
-kate always created backup files for edited files with default permissions,
-even if the original permissions were stricter. This could lead to information
-disclosure.
\ No newline at end of file