[Secure-testing-commits] r22373 - data/CVE
Moritz Muehlenhoff
jmm at alioth.debian.org
Mon May 27 16:33:07 UTC 2013
Author: jmm
Date: 2013-05-27 16:33:07 +0000 (Mon, 27 May 2013)
New Revision: 22373
Modified:
data/CVE/list
Log:
fixup python/ssl CVE ID assignment mess, no-dsa
gallery not-affected
sort out mysql IDs: one already fixed, the other three no-dsa until fixed in Oracle MySQL CPUs
wordpress, pyrad, mediawiki, openjdk no-dsa
one java issue unimportant
jquery-jplayer fixed
NFU
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2013-05-27 08:24:35 UTC (rev 22372)
+++ data/CVE/list 2013-05-27 16:33:07 UTC (rev 22373)
@@ -3513,7 +3513,11 @@
[squeeze] - linkchecker <no-dsa> (Minor issue)
[wheezy] - linkchecker <no-dsa> (Minor issue)
- python3.2 <unfixed> (low; bug #708530)
+ [wheezy] - python3.2 <no-dsa> (Minor issue)
- python3.3 <unfixed> (low; bug #708530)
+ - python2.6 <not-affected> (Introduced in Python 3.2)
+ - python2.5 <not-affected> (Introduced in Python 3.2)
+ - python3.1 <not-affected> (Introduced in Python 3.2)
- bzr 2.6.0~bzr6574-1 (low; bug #709068)
[squeeze] - bzr <no-dsa> (Minor issue)
[wheezy] - bzr <no-dsa> (Minor issue)
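Review bot: the python2.7 `<not-affected>` annotation is dropped rather than moved. The CVE-2013-2098 hunk below removes `- python2.7 <not-affected> (Introduced in Python 3.2)` together with the 2.6, 2.5 and 3.1 lines, but only those three are re-added here; if python2.7 is unaffected for the same reason, add the matching line next to the other not-affected entries so the tracker does not show it as lacking a status.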
@@ -3528,13 +3532,7 @@
CVE-2013-2098
RESERVED
NOTE: http://www.openwall.com/lists/oss-security/2013/05/16/5
- - python2.7 <not-affected> (Introduced in Python 3.2)
- - python2.6 <not-affected> (Introduced in Python 3.2)
- - python2.5 <not-affected> (Introduced in Python 3.2)
- - python3.1 <not-affected> (Introduced in Python 3.2)
- - python3.2 <unfixed> (low)
- - python3.3 <unfixed> (low)
- TODO: is python-backports-ssl_match_hostname packaged/included somewhere?
+ NOTE: This ID is solely for the backport, CVE-2013-2099 is for standard Python
CVE-2013-2097 [zPanel themes remote command execution as root]
RESERVED
NOT-FOR-US: zPanel
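Review bot: CVE-2013-2098 is left with no package status line at all. Every `- python*` entry and the TODO `is python-backports-ssl_match_hostname packaged/included somewhere?` are removed and replaced only by a NOTE that the ID covers the backport, so the question the TODO asked is discarded rather than answered. Either add a status line for the backport package (or `NOT-FOR-US:` if it is not packaged in Debian) or keep the TODO until that is settled.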
@@ -3567,8 +3565,7 @@
RESERVED
CVE-2013-2087 [gallery: multiple xss]
RESERVED
- - gallery <unfixed>
- TODO: check if affects 1.5.10.dfsg-1.1 and report bug
+ - gallery <not-affected> (Vulnerable code not present)
CVE-2013-2086 [owncloud: oC-SA-2013-027]
RESERVED
- owncloud <not-affected> (Only owncloud 5.0.x)
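Review bot: the `<not-affected> (Vulnerable code not present)` verdict for gallery replaces the TODO `check if affects 1.5.10.dfsg-1.1 and report bug` without recording how it was checked. A NOTE pointing at the upstream change or the affected file and version range would let the next triager verify the conclusion instead of redoing the check.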
@@ -3635,7 +3632,7 @@
[squeeze] - nginx <not-affected> (Vulnerable code not present)
CVE-2013-2069
RESERVED
- TODO: check
+ NOT-FOR-US: Red Hat livecd-tools
NOTE: http://www.openwall.com/lists/oss-security/2013/05/23/2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=964299
CVE-2013-2068
@@ -3757,11 +3754,15 @@
- jenkins <unfixed> (bug #706725)
CVE-2013-2032 [Extensions can't fully block password changes]
RESERVED
- - mediawiki 1:1.19.6-1 (bug #706601)
+ - mediawiki 1:1.19.6-1 (low; bug #706601)
+ [wheezy] - mediawiki <no-dsa> (Minor issue)
+ [squeeze] - mediawiki <no-dsa> (Minor issue)
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=46590
CVE-2013-2031 [SVG JavaScript detection bypass]
RESERVED
- mediawiki 1:1.19.6-1 (bug #706601)
+ [wheezy] - mediawiki <no-dsa> (Minor issue)
+ [squeeze] - mediawiki <no-dsa> (Minor issue)
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=47304
CVE-2013-2030 [Nova uses insecure keystone middleware tmpdir by default]
RESERVED
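Review bot: severity is updated inconsistently between the two mediawiki entries. CVE-2013-2032 changes its package line to `- mediawiki 1:1.19.6-1 (low; bug #706601)` to match the new `<no-dsa> (Minor issue)` lines, but CVE-2013-2031 keeps `- mediawiki 1:1.19.6-1 (bug #706601)` with no severity while receiving the same no-dsa lines; add `low` there too so the rationale is recorded the same way for both.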
@@ -3787,10 +3788,9 @@
NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg00000.html
CVE-2013-2023
RESERVED
- - jquery-jplayer 2.3.0-1
+ - jquery-jplayer 2.1.0-2
NOTE: used for jPlayer 2.2.23 XSS
NOTE: http://www.openwall.com/lists/oss-security/2013/05/05/3
- TODO: check if 2.1.0-2 already fixed this issue
CVE-2013-2022
RESERVED
- jquery-jplayer 2.1.0-2
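Review bot: the fixed version for CVE-2013-2023 is changed from 2.3.0-1 to 2.1.0-2, which resolves the removed TODO, but the surviving NOTE `used for jPlayer 2.2.23 XSS` now sits next to a Debian version numbered lower than the upstream release it names, and nothing records why 2.1.0-2 is considered fixed (a backported patch, for instance). A NOTE citing the changelog entry or patch would make the version ordering self-explanatory; the same fixed version is used for CVE-2013-2022 directly below, so one reference would serve both entries.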
@@ -4351,9 +4351,9 @@
- apache2 <unfixed> (unimportant)
NOTE: Such injection issues are not treated as security issues
CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, ...)
- - mysql-5.5 <unfixed> (bug #706715)
- - mysql-5.1 <removed>
- [squeeze] - mysql-5.1 <unfixed> (bug #706715)
+ - mysql-5.5 <unfixed> (low; bug #706715)
+ [wheezy] - mysql-5.5 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.5.x)
+ - mysql-5.1 <removed> (low; bug #706715)
NOTE: https://mariadb.atlassian.net/browse/MDEV-4252
CVE-2013-1860 (Heap-based buffer overflow in the wdm_in_callback function in ...)
{DSA-2668-1}
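Review bot: the squeeze status for mysql-5.1 disappears from CVE-2013-1861. The line `[squeeze] - mysql-5.1 <unfixed> (bug #706715)` is removed and only `- mysql-5.1 <removed> (low; bug #706715)` remains, while mysql-5.5 gains an explicit `[wheezy] - mysql-5.5 <no-dsa> (...)` line. Since the log says the unfixed MySQL IDs are no-dsa until Oracle ships a fix, add a matching `[squeeze] - mysql-5.1 <no-dsa> (Minor issue, ...)` line so the squeeze status is not left to be inferred from a package that is removed from unstable.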
@@ -5280,7 +5280,7 @@
CVE-2013-1524 (Unspecified vulnerability in the Oracle Application Object Library ...)
NOT-FOR-US: Oracle E-Business Suite
CVE-2013-1523 (Unspecified vulnerability in Oracle MySQL 5.5.29 and earlier and ...)
- - mysql-5.5 <unfixed>
+ - mysql-5.5 5.5.30+dfsg-1
- mysql-5.1 <not-affected> (Only affects MySQL 5.5 and 5.6)
CVE-2013-1522 (Unspecified vulnerability in the Oracle WebCenter Content component in ...)
NOT-FOR-US: Oracle Fusion Middleware
@@ -8396,7 +8396,9 @@
- linux-2.6 <removed> (low)
CVE-2013-0342 [CreateID() creates serialized packet IDs for RADIUS]
RESERVED
- - pyrad <unfixed> (bug #701151)
+ - pyrad <unfixed> (low; bug #701151)
+ [wheezy] - pyrad <no-dsa> (Minor issue)
+ [squeeze] - pyrad <no-dsa> (Minor issue)
NOTE: this is initially related to #700669
CVE-2013-0341
RESERVED
@@ -10491,7 +10493,9 @@
CVE-2012-5869
RESERVED
CVE-2012-5868 (WordPress 3.4.2 does not invalidate a wordpress_sec session cookie ...)
- - wordpress <unfixed> (bug #696868)
+ - wordpress <unfixed> (low; bug #696868)
+ [squeeze] - wordpress <no-dsa> (Minor issue)
+ [wheezy] - wordpress <no-dsa> (Minor issue)
CVE-2012-5867
RESERVED
CVE-2012-5866
@@ -11158,6 +11162,7 @@
RESERVED
- mysql-5.1 <unfixed> (low)
- mysql-5.5 <unfixed> (low)
+ [wheezy] - mysql-5.5 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.5.x)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=883719
CVE-2012-5626
RESERVED
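Review bot: only the wheezy side of the MySQL no-dsa decision is recorded here. `[wheezy] - mysql-5.5 <no-dsa> (...)` is added, but `- mysql-5.1 <unfixed> (low)` gets no `[squeeze]` annotation even though the log treats the remaining MySQL IDs the same way; the same omission recurs in the CVE-2012-5615 hunk below. Add the corresponding `[squeeze] - mysql-5.1 <no-dsa> (Minor issue, ...)` lines so both suites carry the decision.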
@@ -11195,6 +11200,7 @@
CVE-2012-5615 (MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a, 5.3.11, ...)
- mysql-5.1 <unfixed> (low; bug #695001)
- mysql-5.5 <unfixed> (low; bug #695001)
+ [wheezy] - mysql-5.5 <no-dsa> (Minor issue, currently not fixed in MySQL, can be included once fixed in 5.5.x)
NOTE: https://mariadb.atlassian.net/browse/MDEV-3909
NOTE: http://seclists.org/fulldisclosure/2012/Dec/9
CVE-2012-5614 (Oracle MySQL 5.1.67 and earlier and 5.5.29 and earlier, and MariaDB ...)
@@ -11813,8 +11819,10 @@
- linux-2.6 <unfixed> (unimportant)
NOTE: btrfs support in Squeeze/Wheezy is not ready for production use
CVE-2012-5373 (Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash ...)
- - openjdk-6 <unfixed>
- - openjdk-7 <unfixed>
+ - openjdk-6 <unfixed> (low)
+ [squeeze] - openjdk-6 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
+ [wheezy] - openjdk-6 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
+ - openjdk-7 <unfixed> (low)
CVE-2012-5372 (Rubinius computes hash values without properly restricting the ability ...)
- rubinius <itp> (bug #591817)
CVE-2012-5371 (Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes ...)
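Review bot: openjdk-7 is left without a suite annotation. openjdk-6 gets `(low)` plus `<no-dsa> (Minor issue, no icedtea fix, too complex to backport)` for both squeeze and wheezy, whereas openjdk-7 only gets `(low)`; with no `[wheezy] - openjdk-7 <no-dsa>` line the tracker will still list CVE-2012-5373 as open for openjdk-7 in wheezy, which does not match `openjdk no-dsa` in the log. Add the wheezy line, or note why openjdk-7 is handled differently.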
@@ -18797,8 +18805,9 @@
CVE-2012-2740 (SQL injection vulnerability in public_html/lists/admin in phpList ...)
NOT-FOR-US: phplist
CVE-2012-2739 (Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 ...)
- - openjdk-6 <unfixed>
+ - openjdk-6 <unfixed> (unimportant)
- openjdk-7 <unfixed>
+ NOTE: Upstream disputes this and states it needs to be fixed in Java apps itself
NOTE: http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html
NOTE: http://armoredbarista.blogspot.de/2012/02/investigating-hashdos-issue.html
NOTE: http://www.openwall.com/lists/oss-security/2012/06/15/12
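Review bot: the `unimportant` downgrade is applied to only one of the two affected packages. `- openjdk-6 <unfixed> (unimportant)` is justified by the new NOTE that upstream disputes the issue and expects applications to fix it, but that reasoning applies equally to `- openjdk-7 <unfixed>`, which keeps no severity; mark openjdk-7 unimportant as well, or record why it is rated differently. Minor: the NOTE reads better as `needs to be fixed in the Java apps themselves`.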