[Secure-testing-commits] r22189 - data/CVE

Moritz Muehlenhoff jmm at alioth.debian.org
Tue May 7 04:57:52 UTC 2013


Author: jmm
Date: 2013-05-07 04:57:51 +0000 (Tue, 07 May 2013)
New Revision: 22189

Modified:
   data/CVE/list
Log:
no-dsa cleanup for wheezy: x3270, freeciv, busybox, privoxy, gambas, xmp, chicken, libnet-server-perl, lcgdm, glusterfs, isc-dhcp, libuser, nfs-utils, qemu, open-vm-tools, boinc
jboss not-affected


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2013-05-06 21:14:44 UTC (rev 22188)
+++ data/CVE/list	2013-05-07 04:57:51 UTC (rev 22189)
@@ -187,7 +187,9 @@
 CVE-2013-3237 (The vsock_stream_sendmsg function in net/vmw_vsock/af_vsock.c in the ...)
 	- linux-2.6 <not-affected> ((net/vmw_vsock/af_vsock.c not present)
 	- linux <not-affected> (net/vmw_vsock/af_vsock.c not present)
-	- open-vm-tools <unfixed> (bug #706557)
+	- open-vm-tools <unfixed> (low; bug #706557)
+	[wheezy] - open-vm-tools <no-dsa> (Minor information leak)
+	[squeeze] - open-vm-tools <no-dsa> (Contrib not supported, minor information leak)
 	NOTE: open-vm-tools fixed in experimental with 2:9.2.2-893683-8 (update entry when unstable has the fix)
 CVE-2013-3236 (The vmci_transport_dgram_dequeue function in ...)
 	- linux-2.6 <not-affected> (VM Sockets only introduced in 3.9-rc1)
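Review bot: the unchanged linux-2.6 line in this entry has an unbalanced parenthesis, `((net/vmw_vsock/af_vsock.c not present)`; since the entry is being edited anyway, drop the stray `(` so it matches the linux line directly below. The new [wheezy] and [squeeze] lines read fine: the (low) tag on the unstable line matches the "Minor information leak" justification, and the squeeze line records both that contrib is unsupported and why the issue is minor.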
@@ -1760,6 +1762,7 @@
 	RESERVED
 CVE-2013-2503 (Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and ...)
 	- privoxy <unfixed> (low; bug #702896)
+	[wheezy] - privoxy <no-dsa> (Minor issue)
 	[squeeze] - privoxy <no-dsa> (Minor issue)
 	NOTE: http://blog.c22.cc/2013/03/11/privoxy-proxy-authentication-credential-exposure-cve-2013-2503/
 	NOTE: http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup
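Review bot: "Minor issue" is a thin justification for the new [wheezy] line when the linked blog post describes the bug as a proxy-authentication credential exposure; record in the reason why it is considered minor (the open-vm-tools and boinc entries in this same commit do this), so the no-dsa decision can be re-evaluated later without re-reading the references.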
@@ -1783,6 +1786,7 @@
 	- ffmpeg <removed>
 CVE-2013-2494 (libdns in ISC DHCP 4.2.x before 4.2.5-P1 allows remote name servers to ...)
 	- isc-dhcp 4.2.4-6 (low; bug #704426)
+	[wheezy] - isc-dhcp <no-dsa> (Minor issue)
 	[squeeze] - isc-dhcp <not-affected> (Only affects 4.2.x)
 CVE-2013-2493 (The Hook_Terminate function in chrome_frame/protocol_sink_wrap.cc in ...)
 	NOT-FOR-US: Google Chrome Frame plugin for Internet Explorer
@@ -2284,7 +2288,9 @@
 	RESERVED
 CVE-2013-2298
 	RESERVED
-	- boinc 7.0.65+dfsg-1
+	- boinc 7.0.65+dfsg-1 (low)
+	[wheezy] - boinc <no-dsa> (Minor issue, only exploitable by a rogue BOINC server)
+	[squeeze] - boinc <no-dsa> (Minor issue, only exploitable by a rogue BOINC server)
 	NOTE: http://boinc.berkeley.edu/gitweb/?p=boinc-v2.git;a=commitdiff;h=2fea03824925cbcb976f4191f4d8321e41a4d95b
 CVE-2013-2297
 	RESERVED
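Review bot: the entry is still RESERVED with no bracketed description, so "only exploitable by a rogue BOINC server" in the new [wheezy]/[squeeze] lines is the only hint of what the bug is; add a short bracketed title after the CVE id, as CVE-2013-1922 and CVE-2013-1813 have, summarizing the upstream commit linked in the NOTE.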
@@ -3004,7 +3010,9 @@
 	RESERVED
 CVE-2013-1980
 	RESERVED
-	- xmp <unfixed> (bug #706667)
+	- xmp <unfixed> (low; bug #706667)
+	[wheezy] - xmp <no-dsa> (Minor issue)
+	[squeeze] - xmp <no-dsa> (Minor issue)
 CVE-2013-1979 (The scm_set_cred function in include/net/scm.h in the Linux kernel ...)
 	- linux 3.8.11-1
 	- linux-2.6 <not-affected> (Introduced in 2.6.36)
@@ -3183,12 +3191,16 @@
 	NOT-FOR-US: Commerce Skrill Drupal module
 CVE-2013-1923
 	RESERVED
-	- nfs-utils <unfixed>
-	TODO: check
+	- nfs-utils <unfixed> (low)
+	[squeeze] - nfs-utils <no-dsa> (Minor issue)
+	[wheezy] - nfs-utils <no-dsa> (Minor issue)
+	TODO: file bug
 CVE-2013-1922 [qemu-nbd format-guessing due to missing format specification]
 	RESERVED
 	- xen <not-affected> (qemu-nbd-xen built, but not installed into the binary packages)
-	- qemu <unfixed> (bug #705544)
+	- qemu <unfixed> (low; bug #705544)
+	[squeeze] - qemu <no-dsa> (Minor issue)
+	[wheezy] - qemu <no-dsa> (Minor issue)
 	- xen-qemu-dm-4.0 <not-affected> (qemu-nbd not installed by the binary package)
 CVE-2013-1921
 	RESERVED
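Review bot: for nfs-utils the severity is set to (low) and both [squeeze] and [wheezy] get no-dsa while the replacement `TODO: file bug` shows no Debian bug exists yet and the entry is RESERVED with no description, so nothing on record explains the "Minor issue" verdict; file the bug first and record it as `(low; bug #...)` the way the qemu entry directly below does. Minor style point: the nfs-utils and qemu entries list [squeeze] before [wheezy], the reverse of every other entry in this commit.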
@@ -3462,6 +3474,7 @@
 CVE-2013-1841 [Reverse lookup issue in Net::Server]
 	RESERVED
 	- libnet-server-perl <unfixed> (low; bug #702914)
+	[wheezy] - libnet-server-perl <no-dsa> (Minor issue)
 	[squeeze] - libnet-server-perl <no-dsa> (Minor issue)
 	NOTE: https://rt.cpan.org/Ticket/Display.html?id=83909
 CVE-2013-1840 (The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and ...)
@@ -3551,6 +3564,7 @@
 CVE-2013-1813 [busybox insecure subdir creation under /dev]
 	RESERVED
 	- busybox 1:1.20.0-8 (low; bug #701965)
+	[wheezy] - busybox <no-dsa> (Minor issue)
 	[squeeze] - busybox <no-dsa> (Minor issue)
 CVE-2013-1812
 	RESERVED
@@ -3568,6 +3582,7 @@
 	RESERVED
 	- gambas3 <unfixed> (low; bug #702184)
 	- gambas2 <removed> 
+	[wheezy] - gambas3 <no-dsa> (Minor issue)
 	[squeeze] - gambas2 <no-dsa> (Minor issue)
 	NOTE: https://code.google.com/p/gambas/issues/detail?id=365
 CVE-2013-1808 (Cross-site scripting (XSS) vulnerability in ZeroClipboard.swf and ...)
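Review bot: the context line `- gambas2 <removed> ` carries trailing whitespace; trim it while this entry is being touched. The new [wheezy] line covers gambas3 only, which is consistent with gambas2 being marked <removed> in unstable and the [squeeze] line covering gambas2.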
@@ -8516,18 +8531,22 @@
 CVE-2012-6125
 	RESERVED
 	- chicken 4.8.0-1 (low; bug #702410)
+	[wheezy] - chicken <no-dsa> (Minor issue)
 	[squeeze] - chicken <no-dsa> (Minor issue)
 CVE-2012-6124
 	RESERVED
 	- chicken 4.8.0-1 (low; bug #702410)
+	[wheezy] - chicken <no-dsa> (Minor issue)
 	[squeeze] - chicken <no-dsa> (Minor issue)
 CVE-2012-6123
 	RESERVED
 	- chicken 4.8.0-1 (low; bug #702410)
+	[wheezy] - chicken <no-dsa> (Minor issue)
 	[squeeze] - chicken <no-dsa> (Minor issue)
 CVE-2012-6122
 	RESERVED
 	- chicken <unfixed> (low; bug #702410)
+	[wheezy] - chicken <no-dsa> (Minor issue)
 	[squeeze] - chicken <no-dsa> (Minor issue)
 CVE-2012-6121 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail before ...)
 	- roundcube <not-affected> (vulnerable code not in stable or testing)
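Review bot: CVE-2012-6122 is still `<unfixed>` in unstable while the three sibling CVEs sharing bug #702410 are fixed in 4.8.0-1; before the new [wheezy] no-dsa line is committed, confirm whether 4.8.0-1 really leaves this one open or the `<unfixed>` is stale, and if it is genuinely open, say in the [wheezy] reason why it is minor when the other three in the same bug were fixed.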
@@ -8676,6 +8695,7 @@
 	RESERVED
 	- freeciv <unfixed> (low; bug #696306)
 	[squeeze] - freeciv <no-dsa> (Minor issue)
+	[wheezy] - freeciv <no-dsa> (Minor issue)
 CVE-2012-6082 (Cross-site scripting (XSS) vulnerability in the rsslink function in ...)
 	{DSA-2593-1}
 	- moin 1.9.5-2
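Review bot: the new [wheezy] line is placed after [squeeze], the reverse of the ordering used elsewhere in this commit; also, this freeciv entry and the one at CVE-2012-5645 below cite the same bug #696306 and the same no-dsa reasons, so keep both in sync if either justification is later expanded.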
@@ -10005,6 +10025,7 @@
 CVE-2012-5662
 	RESERVED
 	- ibm-3270 <unfixed> (bug #706547)
+	[wheezy] - ibm-3270 <no-dsa> (Non-free not supported)
 	[squeeze] - ibm-3270 <no-dsa> (Non-free not supported)
 CVE-2012-5661
 	REJECTED
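Review bot: the unstable line `- ibm-3270 <unfixed> (bug #706547)` is the only package in this commit left without a severity tag; add one (the other entries here get `(low; bug #...)`). Note also that the commit log names x3270 while the source package edited is ibm-3270 (x3270 is one of its binaries), which will confuse anyone searching the commit history by source package name.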
@@ -10054,9 +10075,12 @@
 	RESERVED
 	- freeciv <unfixed> (low; bug #696306)
 	[squeeze] - freeciv <no-dsa> (Minor issue)
+	[wheezy] - freeciv <no-dsa> (Minor issue)
 CVE-2012-5644 [(Complete) Information disclosure when moving user's home directory]
 	RESERVED
-	- libuser <unfixed> (bug #705690)
+	- libuser <unfixed> (low; bug #705690)
+	[wheezy] - libuser <no-dsa> (Minor issue)
+	[squeeze] - libuser <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=885724#c7
 CVE-2012-5643 (Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid ...)
 	{DSA-2631-1}
@@ -10102,7 +10126,9 @@
 	NOT-FOR-US: FreeIPA
 CVE-2012-5630 [TOCTOU race conditions by copying and removing directory trees]
 	RESERVED
-	- libuser <unfixed> (bug #705690)
+	- libuser <unfixed> (low; bug #705690)
+	[wheezy] - libuser <no-dsa> (Minor issue)
+	[squeeze] - libuser <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=884685#c31
 CVE-2012-5629 (The default configuration of the (1) LdapLoginModule and (2) ...)
 	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
@@ -10283,7 +10309,6 @@
 CVE-2012-5572 [Dancer::Cookie: Cookie name CRLF injection]
 	RESERVED
 	- libdancer-perl <unfixed> (low; bug #694279)
-	[wheezy] - libdancer-perl <unfixed> (low; bug #694279)
 	NOTE: https://github.com/PerlDancer/Dancer/issues/859
 	TODO: check if libdancer2-perl also affected?
 CVE-2012-5571 (OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not ...)
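Review bot: dropping the `[wheezy] - libdancer-perl <unfixed> (low; bug #694279)` line leaves wheezy with no explicit status for CVE-2012-5572, so it falls back to the unstable `<unfixed>`; if the line was merely redundant that is fine, but if wheezy is meant to get the same treatment as the other low-severity packages in this commit, replace it with `[wheezy] - libdancer-perl <no-dsa> (Minor issue)` rather than removing it. The commit log does not mention libdancer-perl at all, so the intent should be stated either way.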
@@ -13495,6 +13520,7 @@
 	NOT-FOR-US: We only provide Axis 1(Java) and the C-version of Axis
 CVE-2012-4417 (GlusterFS 3.3.0, as used in Red Hat Storage server 2.0, allows local ...)
 	- glusterfs 3.2.7-5 (low; bug #693112)
+	[wheezy] - glusterfs <no-dsa> (Minor issue)
 	[squeeze] - glusterfs <no-dsa> (Minor issue)
 CVE-2012-4416 (Unspecified vulnerability in the Java Runtime Environment (JRE) ...)
 	- openjdk-7 7u3-2.1.3-1 (bug #690774)
@@ -15697,8 +15723,7 @@
 CVE-2012-3533 (The python SDK before 3.1.0.6 and CLI before 3.1.0.8 for oVirt 3.1 ...)
 	NOT-FOR-US: ovirt
 CVE-2012-3532 (Cross-site request forgery (CSRF) vulnerability in the GateIn Portal ...)
-	- jbossas4 <unfixed>
-	TODO: check
+	- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
 CVE-2012-3531 (Cross-site scripting (XSS) vulnerability in the Install Tool in TYPO3 ...)
 	{DSA-2537-1}
 	- typo3-src 4.5.19+dfsg1-1 (bug #685011)
@@ -24236,7 +24261,8 @@
 	- memcached <unfixed> (bug #706426)
 CVE-2011-4970 [Multiple SQL Injection vulnerabilities in Disk Pool Manager (DPM)]
 	RESERVED
-	- lcgdm 1.8.6-1 (bug #702895)
+	- lcgdm 1.8.6-1 (low; bug #702895)
+	[wheezy] - lcgdm <no-dsa> (Minor issue)
 	- dpm <removed>
 CVE-2011-4969 (Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when ...)
 	- jquery 1.6.4-1 (bug #699482)
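Review bot: "Minor issue" for multiple SQL injections in DPM needs a concrete reason in the new [wheezy] line (for example, whether the injection requires authenticated access), and no [squeeze] line is added for either lcgdm or the `<removed>` dpm package, so squeeze's status for CVE-2011-4970 stays unrecorded; add one if either package shipped in squeeze.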



