[Secure-testing-commits] r24420 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Mon Nov 25 06:28:43 UTC 2013
Author: carnil
Date: 2013-11-25 06:28:43 +0000 (Mon, 25 Nov 2013)
New Revision: 24420
Modified:
data/CVE/list
Log:
Simulate an automatic update (cronjobs still disabled on alioth)
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2013-11-25 06:04:06 UTC (rev 24419)
+++ data/CVE/list 2013-11-25 06:28:43 UTC (rev 24420)
@@ -1,26 +1,128 @@
-CVE-2013-6869
+CVE-2013-6857
+ RESERVED
+CVE-2013-6856
+ RESERVED
+CVE-2013-6855
+ RESERVED
+CVE-2013-6854
+ RESERVED
+CVE-2013-6853
+ RESERVED
+CVE-2013-6852 (Cross-site request forgery (CSRF) vulnerability in html/json.html on ...)
+ TODO: check
+CVE-2013-6851
+ RESERVED
+CVE-2013-6850
+ RESERVED
+CVE-2013-6849
+ RESERVED
+CVE-2013-6848
+ RESERVED
+CVE-2013-6847
+ RESERVED
+CVE-2013-6846
+ RESERVED
+CVE-2013-6845
+ RESERVED
+CVE-2013-6844
+ RESERVED
+CVE-2013-6843
+ RESERVED
+CVE-2013-6842
+ RESERVED
+CVE-2013-6841
+ RESERVED
+CVE-2013-6840
+ RESERVED
+CVE-2013-6839
+ RESERVED
+CVE-2013-6838
+ RESERVED
+CVE-2013-6837
+ RESERVED
+CVE-2013-6836
+ RESERVED
+CVE-2013-6835
+ RESERVED
+CVE-2013-6834 (The ql_eioctl function in sys/dev/qlxgbe/ql_ioctl.c in the kernel in ...)
+ TODO: check
+CVE-2013-6833 (The qls_eioctl function in sys/dev/qlxge/qls_ioctl.c in the kernel in ...)
+ TODO: check
+CVE-2013-6832 (The nand_ioctl function in sys/dev/nand/nand_geom.c in the nand driver ...)
+ TODO: check
+CVE-2013-6831 (PineApp Mail-SeCure 3.70 and earlier on 5099SK and earlier platforms ...)
+ TODO: check
+CVE-2013-6830 (admin/confnetworking.html in PineApp Mail-SeCure 3.70 and earlier on ...)
+ TODO: check
+CVE-2013-6829 (admin/confnetworking.html in PineApp Mail-SeCure allows remote ...)
+ TODO: check
+CVE-2013-6828 (admin/management.html in PineApp Mail-SeCure allows remote attackers ...)
+ TODO: check
+CVE-2013-6827 (Absolute path traversal vulnerability in admin/viewmsg.php in PineApp ...)
+ TODO: check
+CVE-2013-6826 (cgi-bin/module//sysmanager/admin/SYSAdminUserDialog in Fortinet ...)
+ TODO: check
+CVE-2013-6825
+ RESERVED
+CVE-2013-6824
+ RESERVED
+CVE-2013-6823 (GRMGApp in SAP NetWeaver allows remote attackers to bypass intended ...)
+ TODO: check
+CVE-2013-6822 (GRMGApp in SAP NetWeaver allows remote attackers to have unspecified ...)
+ TODO: check
+CVE-2013-6821 (Directory traversal vulnerability in the Exportability Check Service ...)
+ TODO: check
+CVE-2013-6820 (Unrestricted file upload vulnerability in the SAP NetWeaver ...)
+ TODO: check
+CVE-2013-6819 (Cross-site scripting (XSS) vulnerability in Performance Provider in ...)
+ TODO: check
+CVE-2013-6818 (SAP NetWeaver Logviewer 6.30, when running on Windows, allows remote ...)
+ TODO: check
+CVE-2013-6817 (Heap-based buffer overflow in SAP Network Interface Router (SAProuter) ...)
+ TODO: check
+CVE-2013-6816 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) ...)
+ TODO: check
+CVE-2013-6815 (The SHSTI_UPLOAD_XML function in the Application Server for ABAP (AS ...)
+ TODO: check
+CVE-2013-6814 (The J2EE Engine in SAP NetWeaver 6.40, 7.02, and earlier allows remote ...)
+ TODO: check
+CVE-2013-6813
+ RESERVED
+CVE-2013-6812
+ RESERVED
+CVE-2013-6811
+ RESERVED
+CVE-2013-6810
+ RESERVED
+CVE-2013-6809
+ RESERVED
+CVE-2013-6808
+ RESERVED
+CVE-2012-6607 (The transform_save function in transform_save in Augeas before 1.0.0 ...)
+ TODO: check
+CVE-2013-6869 (SQL injection vulnerability in the SRTT_GET_COUNT_BEFORE_KEY_RFC ...)
NOT-FOR-US: Sap NetWeaver
-CVE-2013-6868
+CVE-2013-6868 (SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6867
+CVE-2013-6867 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6866
+CVE-2013-6866 (SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3, ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6865
+CVE-2013-6865 (SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6864
+CVE-2013-6864 (Directory traversal vulnerability in SAP Sybase Adaptive Server ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6863
+CVE-2013-6863 (SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6862
+CVE-2013-6862 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6861
+CVE-2013-6861 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6860
+CVE-2013-6860 (Unspecified vulnerability in SAP Sybase Adaptive Server Enterprise ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6859
+CVE-2013-6859 (SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3. ...)
NOT-FOR-US: SAP Sybase Adaptive Server Enterprise
-CVE-2013-6858
+CVE-2013-6858 (Multiple cross-site scripting (XSS) vulnerabilities in OpenStack ...)
TODO: check
CVE-2013-6807
RESERVED
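Review bot: CVE-2012-6607, added at the end of the new block, carries the same visible description as CVE-2012-0786 further down the file ("The transform_save function in transform_save in Augeas before 1.0.0 ..."), which is already tracked as "- augeas 1.0.0-1 (low)". Its "TODO: check" should be resolved against that augeas entry rather than left as an unknown. The entry also belongs with the 2012 ids: as committed, it and the CVE-2013-6857 to CVE-2013-6808 block sit above CVE-2013-6869 in a list that otherwise descends by id. Separately, the new entries whose description names SAP NetWeaver could take the NOT-FOR-US marking already used for CVE-2013-6869 instead of "TODO: check".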
@@ -238,22 +340,22 @@
RESERVED
CVE-2013-6700
RESERVED
-CVE-2013-6699
- RESERVED
-CVE-2013-6698
- RESERVED
+CVE-2013-6699 (The Control and Provisioning of Wireless Access Points (CAPWAP) ...)
+ TODO: check
+CVE-2013-6698 (The web interface on Cisco Wireless LAN Controller (WLC) devices does ...)
+ TODO: check
CVE-2013-6697
RESERVED
CVE-2013-6696
RESERVED
CVE-2013-6695
RESERVED
-CVE-2013-6694
- RESERVED
-CVE-2013-6693
- RESERVED
-CVE-2013-6692
- RESERVED
+CVE-2013-6694 (The IPSec implementation in Cisco IOS allows remote attackers to cause ...)
+ TODO: check
+CVE-2013-6693 (The MLDP implementation in Cisco IOS 15.3(3)S and earlier on 7600 ...)
+ TODO: check
+CVE-2013-6692 (Cisco IOS XE 3.8S(.2) and earlier does not properly use a DHCP pool ...)
+ TODO: check
CVE-2013-6691
RESERVED
CVE-2013-6690
@@ -933,8 +1035,7 @@
- drupal6 <removed>
- drupal7 7.24-1
NOTE: https://drupal.org/SA-CORE-2013-003
-CVE-2013-6384 [Ceilometer log contains DB password in plain text]
- RESERVED
+CVE-2013-6384 ((1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 ...)
- ceilometer <unfixed> (bug #730227)
CVE-2013-6383
RESERVED
@@ -972,11 +1073,10 @@
NOTE: http://git.kernel.org/linus/a497e47d4aec37aaf8f13509f3ef3d1f6a717d88
TODO: check
CVE-2013-6377
- RESERVED
+ REJECTED
CVE-2013-6376
RESERVED
-CVE-2013-6375 [XSA-78 Insufficient TLB flushing in VT-d (iommu) code]
- RESERVED
+CVE-2013-6375 (Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does ...)
- xen <unfixed> (bug #730254)
[squeeze] - xen <not-affected> (Only affects >= 4.2)
[wheezy] - xen <not-affected> (Only affects >= 4.2)
@@ -1039,8 +1139,8 @@
NOT-FOR-US: Novell ZENworks Configuration Management
CVE-2013-6343
RESERVED
-CVE-2013-6342
- RESERVED
+CVE-2013-6342 (Cross-site scripting (XSS) vulnerability in the Tweet Blender plugin ...)
+ TODO: check
CVE-2013-6341
RESERVED
CVE-2004-XXXX [base-passwd: sets valid shells for system services]
@@ -1124,8 +1224,8 @@
RESERVED
CVE-2013-6313
RESERVED
-CVE-2013-6312
- RESERVED
+CVE-2013-6312 (Unspecified vulnerability in IBM Rational Service Tester 8.3.x and ...)
+ TODO: check
CVE-2013-6311
RESERVED
CVE-2013-6310
@@ -1179,8 +1279,7 @@
CVE-2013-6283 (VideoLAN VLC Media Player 2.0.8 and earlier allows remote attackers to ...)
- vlc <unfixed>
TODO: check, seems not to affect 2.1.0-2
-CVE-2013-6282 [missing access checks for put_user/get_user on ARM v6k/v7]
- RESERVED
+CVE-2013-6282 (The (1) get_user and (2) put_user API functions in the Linux kernel ...)
- linux 3.6.4-1~experimental.1
- linux-2.6 <removed>
NOTE: issue present in wheezy and squeeze
@@ -1403,20 +1502,15 @@
RESERVED
CVE-2013-6178
RESERVED
-CVE-2013-6177
- RESERVED
+CVE-2013-6177 (Directory traversal vulnerability in EMC Document Sciences xPression ...)
NOT-FOR-US: EMC
-CVE-2013-6176
- RESERVED
+CVE-2013-6176 (Multiple SQL injection vulnerabilities in EMC Document Sciences ...)
NOT-FOR-US: EMC
-CVE-2013-6175
- RESERVED
+CVE-2013-6175 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Document ...)
NOT-FOR-US: EMC
-CVE-2013-6174
- RESERVED
+CVE-2013-6174 (Multiple open redirect vulnerabilities in xAdmin in EMC Document ...)
NOT-FOR-US: EMC
-CVE-2013-6173
- RESERVED
+CVE-2013-6173 (Multiple cross-site request forgery (CSRF) vulnerabilities in EMC ...)
NOT-FOR-US: EMC
CVE-2013-6172 (steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x ...)
{DSA-2787-1}
@@ -1618,8 +1712,7 @@
CVE-2013-6075 (The compare_dn function in utils/identification.c in strongSwan 4.3.3 ...)
{DSA-2789-1}
- strongswan 5.1.0-3
-CVE-2013-6074
- RESERVED
+CVE-2013-6074 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...)
- open-xchange <itp> (bug #269329)
CVE-2013-6073
RESERVED
@@ -1792,24 +1885,24 @@
RESERVED
CVE-2013-6000
RESERVED
-CVE-2013-5999
- RESERVED
-CVE-2013-5998
- RESERVED
-CVE-2013-5997
- RESERVED
-CVE-2013-5996
- RESERVED
-CVE-2013-5995
- RESERVED
-CVE-2013-5994
- RESERVED
-CVE-2013-5993
- RESERVED
-CVE-2013-5992
- RESERVED
-CVE-2013-5991
- RESERVED
+CVE-2013-5999 (Kingsoft KDrive Personal before 1.21.0.1880 on Windows does not verify ...)
+ TODO: check
+CVE-2013-5998 (Unspecified vulnerability in the Web manager implementation on D-Link ...)
+ TODO: check
+CVE-2013-5997 (Unspecified vulnerability in the SSH implementation on D-Link Japan ...)
+ TODO: check
+CVE-2013-5996 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
+ TODO: check
+CVE-2013-5995 (data/class/helper/SC_Helper_Address.php in the front-features ...)
+ TODO: check
+CVE-2013-5994 (data/class/pages/mypage/LC_Page_Mypage_DeliveryAddr.php in LOCKON ...)
+ TODO: check
+CVE-2013-5993 (Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE ...)
+ TODO: check
+CVE-2013-5992 (Cross-site scripting (XSS) vulnerability in the displaySystemError ...)
+ TODO: check
+CVE-2013-5991 (The displaySystemError function in html/handle_error.php in LOCKON ...)
+ TODO: check
CVE-2013-5990 (Unspecified vulnerability in JustSystems Ichitaro 2006 through 2011; ...)
TODO: check
CVE-2013-5989
@@ -1860,8 +1953,7 @@
NOT-FOR-US: CA SiteMinder
CVE-2013-5967 (Multiple SQL injection vulnerabilities in AlienVault Open Source ...)
NOT-FOR-US: AlienVault Open Source Security Information Management
-CVE-2013-5966
- RESERVED
+CVE-2013-5966 (Cross-site scripting (XSS) vulnerability in ZK Framework before 5.0.13 ...)
NOT-FOR-US: ZK Framework
CVE-2013-5965 (The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal ...)
NOT-FOR-US: Drupal addon
@@ -2413,8 +2505,8 @@
RESERVED
CVE-2013-5731
RESERVED
-CVE-2013-5730
- RESERVED
+CVE-2013-5730 (Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link ...)
+ TODO: check
CVE-2013-5729
RESERVED
CVE-2013-5728
@@ -2742,8 +2834,7 @@
RESERVED
CVE-2013-5608
RESERVED
-CVE-2013-5607
- RESERVED
+CVE-2013-5607 (Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape ...)
- nspr 2:4.10.2-1
CVE-2013-5606 (The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla ...)
- nss 2:3.15.3-1
@@ -3635,8 +3726,7 @@
RESERVED
CVE-2013-5216 (Directory traversal vulnerability in logreader/uploadreader.jsp in ...)
NOT-FOR-US: Performance Guard
-CVE-2013-5215
- RESERVED
+CVE-2013-5215 (Cross-site scripting (XSS) vulnerability in the web interface "WiFi ...)
NOT-FOR-US: FOSCAM Wireless IP Camera
CVE-2013-5214
RESERVED
@@ -5045,12 +5135,10 @@
CVE-2013-4593
RESERVED
- ruby-omniauth-facebook <itp> (bug #705766)
-CVE-2013-4592 [kvm: memory leak when memory slot is moved with assigned device]
- RESERVED
+CVE-2013-4592 (Memory leak in the __kvm_set_memory_region function in ...)
- linux 3.8-1
- linux-2.6 <removed>
-CVE-2013-4591
- RESERVED
+CVE-2013-4591 (Buffer overflow in the __nfs4_get_acl_uncached function in ...)
- linux 3.8-1
[wheezy] - linux <not-affected> (Introduced in 3.6)
- linux-2.6 <not-affected> (Introduced in 3.6)
@@ -5058,13 +5146,11 @@
NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e40f193f5bb022e927a57a4f5d5194e4f12ddb74
CVE-2013-4590
RESERVED
-CVE-2013-4589
- RESERVED
+CVE-2013-4589 (The ExportAlphaQuantumType function in export.c in GraphicsMagick ...)
- graphicsmagick <unfixed> (low; bug #729661)
[squeeze] - graphicsmagick <no-dsa> (Minor issue)
[wheezy] - graphicsmagick <no-dsa> (Minor issue)
-CVE-2013-4588 [net: ipvs stack buffer overflow]
- RESERVED
+CVE-2013-4588 (Multiple stack-based buffer overflows in ...)
- linux <not-affected> (fixed in 2.6.33)
- linux-2.6 2.6.37-1
NOTE: 2.6.37-1 first version including 2.6.33 in unstable for linux-2.6
@@ -5093,8 +5179,7 @@
CVE-2013-4580 [Unauthenticated API access to GitLab when using MySQL]
RESERVED
- gitlab <itp> (bug #651606)
-CVE-2013-4579 [ath9k_htc improperly updates MAC address]
- RESERVED
+CVE-2013-4579 (The ath9k_htc_set_bssid_mask function in ...)
- linux-2.6 <removed>
- linux <unfixed> (bug #729573)
NOTE: http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html
@@ -5140,8 +5225,7 @@
CVE-2013-4564
RESERVED
NOT-FOR-US: libreswan
-CVE-2013-4563 [net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic]
- RESERVED
+CVE-2013-4563 (The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux ...)
- linux-2.6 <not-affected> (Introduced in v3.10-rc5)
- linux <unfixed>
[wheezy] - linux <not-affected> (Introduced in v3.10-rc5)
@@ -5154,12 +5238,10 @@
CVE-2013-4561
RESERVED
NOT-FOR-US: OpenShift
-CVE-2013-4560 [use-after-free in fam]
- RESERVED
+CVE-2013-4560 (Use-after-free vulnerability in lighttpd before 1.4.33 allows remote ...)
{DSA-2795-1}
- lighttpd 1.4.33-1+nmu1 (bug #729453)
-CVE-2013-4559 [setuid privilege escalation issue]
- RESERVED
+CVE-2013-4559 (lighttpd before 1.4.33 does not check the return value of the (1) ...)
{DSA-2795-1}
- lighttpd 1.4.33-1+nmu1 (bug #729453)
CVE-2013-4558
@@ -5197,16 +5279,14 @@
- openssh 1:6.4p1-1 (bug #729029)
[wheezy] - openssh <not-affected> (AES-GCM support introduced in 6.2)
[squeeze] - openssh <not-affected> (AES-GCM support introduced in 6.2)
-CVE-2013-4547 [security restrictions bypass]
- RESERVED
+CVE-2013-4547 (nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote ...)
{DSA-2802-1}
- nginx 1.4.4-1 (bug #730012)
[squeeze] - nginx <not-affected> (Only applies to 0.8.41 - 1.5.6)
CVE-2013-4546 [remote command execution]
RESERVED
- gitlab <itp> (bug #651606)
-CVE-2013-4545
- RESERVED
+CVE-2013-4545 (cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, ...)
{DSA-2798-1}
- curl 7.33.0-1
CVE-2013-4544
@@ -5301,8 +5381,7 @@
{DSA-2791-1}
- tryton-client 2.8.4-1
NOTE: https://bugs.tryton.org/issue3446
-CVE-2013-4509 [showing passwords during password input]
- RESERVED
+CVE-2013-4509 (The default configuration of IBUS 1.5.4, and possibly 1.5.2 and ...)
- ibus <unfixed> (low; bug #729065)
NOTE: http://www.openwall.com/lists/oss-security/2013/11/04/2
NOTE: This is rather a bug in the various IBus engines not in ibus itself, asked maintainers to investigate affected engines,
@@ -5313,8 +5392,7 @@
- lighttpd 1.4.33-1+nmu1 (bug #729453)
NOTE: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
NOTE: http://redmine.lighttpd.net/issues/2525
-CVE-2013-4507 [XSS]
- RESERVED
+CVE-2013-4507 (Cross-site scripting (XSS) vulnerability in CollectiveAccess ...)
NOT-FOR-US: CollectiveAccess
CVE-2013-4506
RESERVED
@@ -5349,8 +5427,7 @@
NOTE: https://github.com/openstack/nova/commit/5cced7a6dd32d231c606e25dbf762d199bf9cca7
CVE-2013-4496
RESERVED
-CVE-2013-4495 [remote command execution]
- RESERVED
+CVE-2013-4495 (The send_the_mail function in server/svr_mail.c in Terascale ...)
{DSA-2796-1}
- torque 2.4.16+dfsg-1.3 (bug #729333)
CVE-2013-4494 (Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock ...)
@@ -5371,15 +5448,13 @@
RESERVED
- libgadu <unfixed> (unimportant)
NOTE: Intentional design decision
-CVE-2013-4487
- RESERVED
+CVE-2013-4487 (Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in ...)
- gnutls28 <not-affected> (libdane is not built; original patch for CVE-2013-4466 not applied)
- gnutls26 <not-affected> (only 3.1.x and 3.2.x)
NOTE: off-by one issue in original fix for CVE-2013-4466
CVE-2013-4486
RESERVED
-CVE-2013-4485 [DoS due to improper handling of ger attr searches]
- RESERVED
+CVE-2013-4485 (389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before ...)
- 389-ds-base <unfixed> (bug #730115)
CVE-2013-4484 (Varnish before 3.0.5 allows remote attackers to cause a denial of ...)
- varnish <unfixed> (medium; bug #728989)
@@ -5388,11 +5463,10 @@
- linux <unfixed> (low)
- linux-2.6 <removed> (low)
NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6062a8
-CVE-2013-4482
- RESERVED
+CVE-2013-4482 (Untrusted search path vulnerability in python-paste-script (aka ...)
TODO: check
-CVE-2013-4481
- RESERVED
+CVE-2013-4481 (Race condition in Luci 0.26.0 creates /var/lib/luci/etc/luci.ini with ...)
+ TODO: check
CVE-2013-4480 (Red Hat Satellite 5.6 and earlier does not disable the web interface ...)
NOT-FOR-US: Red Hat Satellite
CVE-2013-4479 [prevent remote command injection in content_type]
@@ -5418,13 +5492,11 @@
[squeeze] - samba <no-dsa> (Minor issue)
- samba4 <removed> (low)
[wheezy] - samba4 <no-dsa> (Minor issue)
-CVE-2013-4474 [User controlled format string]
- RESERVED
+CVE-2013-4474 (Format string vulnerability in the extractPages function in ...)
- poppler 0.18.4-9 (low; bug #729064)
[squeeze] - poppler <not-affected> (pdfseparate not yet present)
[wheezy] - poppler <no-dsa> (Minor issue, cli tool)
-CVE-2013-4473 [Stack based buffer overflow]
- RESERVED
+CVE-2013-4473 (Stack-based buffer overflow in the extractPages function in ...)
- poppler 0.18.4-9 (low; bug #729064)
[squeeze] - poppler <not-affected> (pdfseparate not yet present)
[wheezy] - poppler <no-dsa> (Minor issue, cli tool)
@@ -5450,8 +5522,7 @@
CVE-2013-4467
RESERVED
NOT-FOR-US: VICIDIAL
-CVE-2013-4466 [gnutls/libdane buffer overflow]
- RESERVED
+CVE-2013-4466 (Buffer overflow in the dane_query_tlsa function in the DANE library ...)
- gnutls26 <not-affected> (only 3.1.x and 3.2.x)
- gnutls28 <not-affected> (libdane is not built)
NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
@@ -5474,8 +5545,7 @@
[squeeze] - mantis <no-dsa> (Minor issue)
[wheezy] - mantis <no-dsa> (Minor issue)
NOTE: http://www.mantisbt.org/bugs/view.php?id=16513
-CVE-2013-4459 [no longer confines guest profile with AppArmor]
- RESERVED
+CVE-2013-4459 (LightDM 1.7.5 through 1.8.3 and 1.9.x before 1.9.2 does not apply the ...)
- lightdm <not-affected> (Only in combination with guest profile, apparmor and 1.8.x branch)
CVE-2013-4458 [Stack (frame) overflow in getaddrinfo() when called with AF_INET6]
RESERVED
@@ -5641,8 +5711,7 @@
NOTE: Fix: https://github.com/djblets/djblets/commit/36cd15763742652ca990f913b44e91c69c707269
CVE-2013-4408
RESERVED
-CVE-2013-4407 [remote command-injection]
- RESERVED
+CVE-2013-4407 (HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module ...)
{DSA-2801-1}
- libhttp-body-perl 1.17-2 (bug #721634)
[squeeze] - libhttp-body-perl <not-affected> (Vulnerable code introduced in 1.08)
@@ -5719,8 +5788,7 @@
CVE-2013-4387 (net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not ...)
- linux-2.6 <removed>
- linux 3.11.5-1
-CVE-2013-4386 [host and host group parameter SQL injection]
- RESERVED
+CVE-2013-4386 (Multiple SQL injection vulnerabilities in ...)
- foreman <itp> (bug #663101)
CVE-2013-4385 (Buffer overflow in the "read-string!" procedure in the "extras" unit ...)
- chicken <unfixed> (bug #724740; low)
@@ -5830,8 +5898,7 @@
[squeeze] - xen <not-affected> (Only affects 4.3+)
CVE-2013-4355 (Xen 4.3.x and earlier does not properly handle certain errors, which ...)
- xen <unfixed>
-CVE-2013-4354 [Glance image creation in other tenant accounts]
- RESERVED
+CVE-2013-4354 (The API before 2.1 in OpenStack Image Registry and Delivery Service ...)
- glance <unfixed>
NOTE: https://bugs.launchpad.net/glance/+bug/1226078
CVE-2013-4353
@@ -6125,18 +6192,15 @@
- ajaxplorer <itp> (bug #668381)
CVE-2013-4266
REJECTED
-CVE-2013-4265 [av_reallocp_array]
- RESERVED
+CVE-2013-4265 (The av_reallocp_array function in libavutil/mem.c in FFmpeg before ...)
- ffmpeg <not-affected> (Affected function codec not present in 0.5 ffmpeg)
- libav <not-affected> (Affected function not present in libav)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/c94f9e854228e0ea00e1de8769d8d3f7cab84a55
-CVE-2013-4264 [g2meet out of array write]
- RESERVED
+CVE-2013-4264 (The kempf_decode_tile function in libavcodec/g2meet.c in FFmpeg before ...)
- ffmpeg <not-affected> (g2meet codec not present in 0.5 ffmpeg)
- libav <not-affected> (g2meet codec not present in libav)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/2960576378d17d71cc8dccc926352ce568b5eec1
-CVE-2013-4263 [libavfilter out of array writes]
- RESERVED
+CVE-2013-4263 (libavfilter in FFmpeg before 2.0.1 allows has unspecified impact and ...)
- ffmpeg <not-affected> (Affected video filters not present in ffmpeg 0.5)
- libav <unfixed>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/e43a0a232dbf6d3c161823c2e07c52e76227a1bc
@@ -6313,8 +6377,7 @@
RESERVED
- nagios-plugins <unfixed> (unimportant)
NOTE: vulnerable code present, but check_ipxping not build and installed
-CVE-2013-4214 [insecure temporary file usage]
- RESERVED
+CVE-2013-4214 (rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when ...)
- nagios3 <unfixed> (low; bug #719056)
[wheezy] - nagios3 <no-dsa> (Minor issue)
[squeeze] - nagios3 <not-affected> (html/rss-newsfeed.php not present)
@@ -6468,8 +6531,7 @@
CVE-2013-4165 (The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 ...)
- bitcoin 0.8.4-1 (bug #717828)
NOTE: https://github.com/bitcoin/bitcoin/issues/2838
-CVE-2013-4164 [Heap Overflow in Floating Point Parsing]
- RESERVED
+CVE-2013-4164 (Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 ...)
- ruby1.8 <unfixed> (bug #730189)
- ruby1.9.1 <unfixed> (bug #730178)
- ruby2.0 <unfixed> (bug #730190)
@@ -8527,8 +8589,7 @@
RESERVED
CVE-2013-3289
RESERVED
-CVE-2013-3288
- RESERVED
+CVE-2013-3288 (Cross-site scripting (XSS) vulnerability on the EMC RSA Data ...)
NOT-FOR-US: EMC
CVE-2013-3287 (EMC Unisphere for VMAX before 1.6.1.6, when using an unspecified level ...)
NOT-FOR-US: EMC Unisphere for VMAX
@@ -8977,8 +9038,8 @@
RESERVED
CVE-2013-3096
RESERVED
-CVE-2013-3095
- RESERVED
+CVE-2013-3095 (Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link ...)
+ TODO: check
CVE-2013-3094
RESERVED
CVE-2013-3093
@@ -9712,8 +9773,8 @@
RESERVED
CVE-2013-2824
RESERVED
-CVE-2013-2823
- RESERVED
+CVE-2013-2823 (The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE ...)
+ TODO: check
CVE-2013-2822
RESERVED
CVE-2013-2821
@@ -9736,8 +9797,8 @@
RESERVED
CVE-2013-2812
RESERVED
-CVE-2013-2811
- RESERVED
+CVE-2013-2811 (The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE ...)
+ TODO: check
CVE-2013-2810
RESERVED
CVE-2013-2809
@@ -10347,8 +10408,7 @@
CVE-2013-2562
RESERVED
NOT-FOR-US: Mambo CMS
-CVE-2013-2561 [improper use of files in /tmp]
- RESERVED
+CVE-2013-2561 (OpenFabrics ibutils 1.5.7 allows local users to overwrite arbitrary ...)
- ibutils <unfixed> (low; bug #704063)
[squeeze] - ibutils <no-dsa> (Minor issue)
[wheezy] - ibutils <no-dsa> (Minor issue)
@@ -11972,8 +12032,7 @@
RESERVED
- nova <not-affected> (Option not present in nova/2012.1.1)
NOTE: http://lists.openstack.org/pipermail/openstack-announce/2013-May/000098.html
-CVE-2013-2029
- RESERVED
+CVE-2013-2029 (nagios.upgrade_to_v3.sh, as distributed by Red Hat and possibly others ...)
- nagios <not-affected> (Affected file nagios.upgrade_to_v3.sh not in Debian)
NOTE: http://www.openwall.com/lists/oss-security/2013/04/30/8
CVE-2013-2028 (The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx ...)
@@ -12439,7 +12498,7 @@
[squeeze] - python-bcrypt <not-affected> (thread support only introduced after 0.1 release)
NOTE: https://code.google.com/p/py-bcrypt/source/detail?r=b03cc5246ea21a839fd027da5616d8d470247558
CVE-2013-1894
- RESERVED
+ REJECTED
CVE-2013-1893
RESERVED
- owncloud <not-affected> (only affecting 5.0 branch)
@@ -12722,8 +12781,7 @@
NOT-FOR-US: OpenStack PackStack
CVE-2013-1814 (The users/get program in the User RPC API in Apache Rave 0.11 through ...)
NOT-FOR-US: Apache Rave
-CVE-2013-1813 [busybox insecure subdir creation under /dev]
- RESERVED
+CVE-2013-1813 (util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for ...)
- busybox 1:1.20.0-8 (low; bug #701965)
[wheezy] - busybox <no-dsa> (Minor issue)
[squeeze] - busybox <no-dsa> (Minor issue)
@@ -14091,8 +14149,7 @@
[wheezy] - krb5 <no-dsa> (Minor issue)
NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757
NOTE: https://github.com/krb5/krb5/commit/5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf
-CVE-2013-1417 [KDC null deref due to referrals]
- RESERVED
+CVE-2013-1417 (do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 ...)
- krb5 <unfixed> (low; bug #730085)
[squeeze] - krb5 <not-affected> (Vulnerable code only present in 1.11.x)
[wheezy] - krb5 <not-affected> (Vulnerable code only present in 1.11.x)
@@ -14894,8 +14951,7 @@
- linux 3.10.1-1 (low)
- linux-2.6 <removed> (low)
[squeeze] - linux-2.6 <not-affected> (CEPH was introduced in 2.6.34)
-CVE-2013-1058
- RESERVED
+CVE-2013-1058 (maas-import-pxe-files in MAAS before 13.10 does not verify the ...)
NOT-FOR-US: Ubuntu MAAS
CVE-2013-1057 (Untrusted search path vulnerability in maas-import-pxe-files in MAAS ...)
NOT-FOR-US: Ubuntu MAAS
@@ -15313,35 +15369,28 @@
CVE-2013-0879 (Google Chrome before 25.0.1364.97 on Windows and Linux, and before ...)
- chromium-browser 25.0.1364.97-1
[squeeze] - chromium-browser <end-of-life>
-CVE-2013-0878 [libavcodec/targa.c out of array accesses: 796012af6c780b5b13ebca39a491f215515a18fe]
- RESERVED
+CVE-2013-0878 (The advance_line function in libavcodec/targa.c in FFmpeg before 1.1.3 ...)
- ffmpeg <not-affected> (Affected code not present in 0.5 ffmpeg)
- libav <not-affected> (Affected code not present in libav)
-CVE-2013-0877 [libavcodec/sanm.c out of array accesses: 365270aec5c2b9284230abc702b11168818f14cf]
- RESERVED
+CVE-2013-0877 (The old_codec37 function in libavcodec/sanm.c in FFmpeg before 1.1.3 ...)
- ffmpeg <not-affected> (Smush codec not present in 0.5 ffmpeg)
- libav <not-affected> (Smush codec not present in libav)
-CVE-2013-0876 [libavcodec/sanm.c integer overflow and out of array accesses: 5260edee7e5bd975837696c8c8c1a80eb2fbd7c1]
- RESERVED
+CVE-2013-0876 (Multiple integer overflows in the (1) old_codec37 and (2) old_codec47 ...)
- ffmpeg <not-affected> (Smush codec not present in 0.5 ffmpeg)
- libav <not-affected> (Smush codec not present in libav)
-CVE-2013-0875 [libavcodec/pngdec.c dont access out array elements: 1ac0fa50eff30d413206cffa5f47f7fe6d4849b1]
- RESERVED
+CVE-2013-0875 (The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in ...)
- ffmpeg <not-affected> (Affected code not present in 0.5 ffmpeg)
- libav <not-affected> (Affected code not present in libav)
-CVE-2013-0874 [libavcodec/tiff.c out of array accesses: e1219cdaf9fb4bc8cea410e1caf802373c1bfe51]
- RESERVED
+CVE-2013-0874 (The (1) doubles2str and (2) shorts2str functions in libavcodec/tiff.c ...)
- ffmpeg <not-affected> (Affected code not present in 0.5 ffmpeg)
- libav <not-affected> (Affected code not present in libav)
-CVE-2013-0873 [libavcodec/shorten.c freeing invalid addresses]
- RESERVED
+CVE-2013-0873 (The read_header function in libavcodec/shorten.c in FFmpeg before ...)
- ffmpeg <removed>
- libav 6:0.8.6-1 (bug #717009)
NOTE: Commit in libav trunk http://git.libav.org/?p=libav.git;a=commit;h=c10da30d8426a1f681d99a780b6e311f7fb4e5c5
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4f1279154ee9baf2078241bf5619774970d18b25
NOTE: Fix needed for ffmpeg 0.5
-CVE-2013-0872 [libswresample/swresample.c out of array accesses: 21cd905cd44a4bbafe8631bbaa6021d328413ce5]
- RESERVED
+CVE-2013-0872 (The swr_init function in libswresample/swresample.c in FFmpeg before ...)
- ffmpeg <not-affected> (libswresample not yet present in ffmpeg/0.5)
- libav <not-affected> (libswresample not present in libav, linavresamle not affected)
CVE-2013-0871 (Race condition in the ptrace functionality in the Linux kernel before ...)
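Review bot: The bracketed descriptions removed for CVE-2013-0878, CVE-2013-0877, CVE-2013-0876, CVE-2013-0875, CVE-2013-0874 and CVE-2013-0872 each held an upstream commit id (for example 796012af6c780b5b13ebca39a491f215515a18fe for libavcodec/targa.c), and none of these entries has a NOTE: line that preserves it. Once the description is overwritten the fix reference is gone from the tracker, so the id should be moved into a NOTE: line under each entry before the update is applied. The same applies to CVE-2013-0864, CVE-2013-0863 and CVE-2013-0862 in the following hunk, whereas CVE-2013-0873 already keeps its references in NOTE: lines.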
@@ -15352,56 +15401,46 @@
RESERVED
- ffmpeg <not-affected> (No threading support in vp3 from ffmpeg 0.5)
- libav <not-affected> (Vulnerable code added in ffmpeg post-merge)
-CVE-2013-0869 [libavcodec/h264.c out of array accesses]
- RESERVED
+CVE-2013-0869 (The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2 ...)
- ffmpeg <removed>
- libav 6:0.8.5-1
NOTE: libav fix: http://git.libav.org/?p=libav.git;a=commit;h=706acb558a38eba633056773280155d66c2f4b24
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=695af8eed642ff0104834495652d1ee784a4c14d
NOTE: Fix needed in ffmpeg 0.5
-CVE-2013-0868 [libavcodec/huffyuvdec.c out of array writes]
- RESERVED
+CVE-2013-0868 (libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers ...)
- ffmpeg <removed>
- libav <unfixed>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f67a0d115254461649470452058fa3c28c0df294
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0dfc01c2bbf4b71bb56201bc4a393321e15d1b31
-CVE-2013-0867 [libavcodec/h264.c out of array accesses]
- RESERVED
+CVE-2013-0867 (The decode_slice_header function in libavcodec/h264.c in FFmpeg before ...)
- ffmpeg <removed>
- libav <not-affected> (Code in libav is different/not affect as per libav h264 maintainer)
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=11c99c78bafa77f679a1a3ba06ad00984b9a4cae
-CVE-2013-0866 [libavcodec/aacdec.c out of array accesses]
- RESERVED
+CVE-2013-0866 (The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before ...)
{DSA-2793-1}
- ffmpeg <not-affected> (Code in 0.5 is different/not affected)
- libav 6:0.8.7-1 (bug #717009)
NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=96f452ac647dae33c53c242ef3266b65a9beafb6
NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a943a132f36f4df8fe2f749744677b71984abce7
-CVE-2013-0865 [libavcodec/vqavideo.c out of array writes]
- RESERVED
+CVE-2013-0865 (The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg ...)
- ffmpeg <removed>
- libav 6:9.8-1 (bug #717009)
NOTE: libav commit: http://git.libav.org/?p=libav.git;a=commit;h=f7d18deb73d1dd1b27b2c7062c9a10d168a6c62a
-CVE-2013-0864 [libavcodec/gifdec.c out of array accesses: c10350358da58600884292c08a8690289b81de29]
- RESERVED
+CVE-2013-0864 (The gif_copy_img_rect function in libavcodec/gifdec.c in FFmpeg before ...)
- ffmpeg <not-affected> (These changes are specific to current ffmpeg and don't affect ffmpeg 0.5)
- libav <not-affected> ((These changes are specific to ffmpeg and don't affect libav)
-CVE-2013-0863 [libavcodec/sanm.c buffer overflow: 7357ca900efcf829de4cce4cec6ddc286526d417]
- RESERVED
+CVE-2013-0863 (Buffer overflow in the rle_decode function in libavcodec/sanm.c in ...)
- ffmpeg <not-affected> (Smush codec not present in 0.5 ffmpeg)
- libav <not-affected> (Smush codec not present in libav)
-CVE-2013-0862 [libavcodec/sanm.c integer overflows and out of array accesses: 49b729d3af8464de431362e6c5b3027102bc2f88]
- RESERVED
+CVE-2013-0862 (Multiple integer overflows in the process_frame_obj function in ...)
- ffmpeg <not-affected> (Smush codec not present in 0.5 ffmpeg)
- libav <not-affected> (Smush codec not present in libav)
-CVE-2013-0861 [libavcodec/utils.c memory corruption]
- RESERVED
+CVE-2013-0861 (The avcodec_decode_audio4 function in libavcodec/utils.c in FFmpeg ...)
- ffmpeg <not-affected> (These changes are specific to current ffmpeg and don't affect ffmpeg 0.5)
- libav <not-affected> (Affected code not present in libav 0.8.x)
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d270c3202539e8364c46410e15f7570800e33343
NOTE: Affects the libav version in experimental
-CVE-2013-0860 [libavcodec/error_resilience.c state inconsistency and null pointer deref]
- RESERVED
+CVE-2013-0860 (The ff_er_frame_end function in libavcodec/error_resilience.c in ...)
- ffmpeg <removed>
- libav <unfixed>
NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=23318a57358358e7a4dc551e830e4503f0638cfe
@@ -17370,8 +17409,7 @@
RESERVED
CVE-2013-0282 (OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, ...)
- keystone 2012.1.1-13 (bug #700947)
-CVE-2013-0281 [DoS when remote CIB management enabled]
- RESERVED
+CVE-2013-0281 (Pacemaker 1.1.10, when remote Cluster Information Base (CIB) ...)
- pacemaker 1.1.10-1 (low; bug #700923)
[squeeze] - pacemaker <no-dsa> (Minor issue)
[wheezy] - pacemaker <no-dsa> (Minor issue)
@@ -17569,16 +17607,13 @@
NOT-FOR-US: Drupal addon
CVE-2013-0224 (The Video module 7.x-2.x before 7.x-2.9 for Drupal, when using the ...)
NOT-FOR-US: Drupal addon
-CVE-2013-0223
- RESERVED
+CVE-2013-0223 (The SUSE coreutils-i18n.patch for GNU coreutils allows ...)
- coreutils <not-affected> (Affected patch not added to Debian package)
NOTE: http://www.openwall.com/lists/oss-security/2013/01/21/14
-CVE-2013-0222
- RESERVED
+CVE-2013-0222 (The SUSE coreutils-i18n.patch for GNU coreutils allows ...)
- coreutils <not-affected> (Affected patch not added to Debian package)
NOTE: http://www.openwall.com/lists/oss-security/2013/01/21/14
-CVE-2013-0221
- RESERVED
+CVE-2013-0221 (The SUSE coreutils-i18n.patch for GNU coreutils allows ...)
- coreutils <not-affected> (Affected patch not added to Debian package)
NOTE: http://www.openwall.com/lists/oss-security/2013/01/21/14
CVE-2013-0220 (The (1) sss_autofs_cmd_getautomntent and (2) ...)
@@ -32687,13 +32722,11 @@
CVE-2012-0788 (The PDORow implementation in PHP before 5.3.9 does not properly ...)
{DSA-2408-1}
- php5 5.3.9-1
-CVE-2012-0787 [mountpoint attack]
- RESERVED
+CVE-2012-0787 (The clone_file function in transfer.c in Augeas before 1.0.0, when ...)
- augeas 1.0.0-1 (low)
[squeeze] - augeas <no-dsa> (Minor issue)
[wheezy] - augeas <no-dsa> (Minor issue)
-CVE-2012-0786 [symlink attack]
- RESERVED
+CVE-2012-0786 (The transform_save function in transform_save in Augeas before 1.0.0 ...)
- augeas 1.0.0-1 (low)
[squeeze] - augeas <no-dsa> (Minor issue)
[wheezy] - augeas <no-dsa> (Minor issue)
@@ -52987,8 +53020,7 @@
CVE-2010-3444 (Buffer overflow in the log2vis_utf8 function in pyfribidi.c in GNU ...)
- pyfribidi 0.10.0-2 (bug #570068)
[lenny] - pyfribidi <not-affected> (fribidi 0.19.1 or higher needs to be installed to trigger this)
-CVE-2010-3443 [quassel CTCP DoS]
- RESERVED
+CVE-2010-3443 (ctcphandler.cpp in Quassel before 0.6.3 and 0.7.x before 0.7.1 allows ...)
- quassel 0.7.1-1 (bug #597853)
[squeeze] - quassel 0.6.3-1
NOTE: https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/629774