[Secure-testing-commits] r24071 - data/CVE
Yves-Alexis Perez
corsac at alioth.debian.org
Sat Oct 19 06:23:45 UTC 2013
Author: corsac
Date: 2013-10-19 06:23:44 +0000 (Sat, 19 Oct 2013)
New Revision: 24071
Modified:
data/CVE/list
Log:
revert r24069
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2013-10-18 21:14:25 UTC (rev 24070)
+++ data/CVE/list 2013-10-19 06:23:44 UTC (rev 24071)
@@ -1,3 +1,21 @@
+CVE-2013-XXXX [echoping buffer overflows]
+ - echoping 6.0.2-4 (bug #606808)
+ NOTE: Upstream fix http://sourceforge.net/p/echoping/bugs/55/
+ NOTE: https://bugs.gentoo.org/show_bug.cgi?id=349569
+ NOTE: http://xforce.iss.net/xforce/xfdb/64141
+ NOTE: http://secunia.com/advisories/42619/
+CVE-2013-XXXX [slapd segfaults on certain queries with rwm overlay enabled]
+ - openldap <unfixed>
+ TODO: check
+ NOTE: http://www.openldap.org/its/index.cgi/Incoming?id=7723
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1019490
+CVE-2013-6167
+ - iceweasel <unfixed> (low)
+ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215
+CVE-2013-6166
+ - chromium-browser <unfixed> (low)
+ [squeeze] - chromium-browser <end-of-life>
+ NOTE: https://code.google.com/p/chromium/issues/detail?id=238041
CVE-2013-6063
RESERVED
CVE-2013-6062
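Review bot: the second placeholder entry in this hunk records "- openldap <unfixed>" while its own "TODO: check" says the slapd/rwm crash has not been triaged yet; until ITS#7723 is confirmed to affect the Debian package, leaving the package line out or using "<undetermined>" (the status this file already uses for polarssl in the last hunk) would avoid publishing an unverified "unfixed" state. Both CVE-2013-XXXX placeholders will also need their real identifiers filled in once MITRE assigns them.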
@@ -159,6 +177,7 @@
RESERVED
CVE-2013-5984
RESERVED
+ NOT-FOR-US: Microweber
CVE-2013-5983
RESERVED
CVE-2013-5982
@@ -185,8 +204,10 @@
RESERVED
CVE-2013-5971
RESERVED
+ NOT-FOR-US: VMware vSphere
CVE-2013-5970
RESERVED
+ NOT-FOR-US: VMware ESXi and ESX
CVE-2013-5969
RESERVED
CVE-2013-5968
@@ -443,6 +464,8 @@
- openjdk-7 <unfixed>
CVE-2013-5850
RESERVED
+ - openjdk-6 <unfixed>
+ - openjdk-7 <unfixed>
CVE-2013-5849
RESERVED
- openjdk-6 <unfixed>
@@ -453,14 +476,18 @@
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2013-5847
RESERVED
+ NOT-FOR-US: Oracle PeopleSoft Products
CVE-2013-5846
RESERVED
- openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
- openjdk-7 <not-affected> (JavaFX not part of OpenJDK)
CVE-2013-5845
RESERVED
+ NOT-FOR-US: Oracle iLearning
CVE-2013-5844
RESERVED
+ - openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
+ - openjdk-7 <not-affected> (JavaFX not part of OpenJDK)
CVE-2013-5843
RESERVED
TODO: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check
@@ -470,6 +497,7 @@
- openjdk-7 <unfixed>
CVE-2013-5841
RESERVED
+ NOT-FOR-US: Oracle PeopleSoft Products
CVE-2013-5840
RESERVED
- openjdk-6 <unfixed>
@@ -486,8 +514,10 @@
NOT-FOR-US: Solaris
CVE-2013-5836
RESERVED
+ NOT-FOR-US: Oracle PeopleSoft Products
CVE-2013-5835
RESERVED
+ NOT-FOR-US: Oracle Siebel CRM
CVE-2013-5834
RESERVED
CVE-2013-5833
@@ -509,10 +539,13 @@
- openjdk-7 <unfixed>
CVE-2013-5828
RESERVED
+ NOT-FOR-US: Oracle Enterprise Manager Grid Control
CVE-2013-5827
RESERVED
+ NOT-FOR-US: Oracle Enterprise Manager Grid Control
CVE-2013-5826
RESERVED
+ NOT-FOR-US: Oracle Supply Chain Products Suite
CVE-2013-5825
RESERVED
- openjdk-6 <unfixed>
@@ -526,6 +559,7 @@
TODO: This issue was fixed in Oracle Java, but not in OpenJDK. Likely not-affected, but needs further check
CVE-2013-5822
RESERVED
+ NOT-FOR-US: Oracle iLearning
CVE-2013-5821
RESERVED
CVE-2013-5820
@@ -546,20 +580,24 @@
- openjdk-7 <unfixed>
CVE-2013-5816
RESERVED
+ NOT-FOR-US: Oracle Fusion Middleware
CVE-2013-5815
RESERVED
+ NOT-FOR-US: Oracle Fusion Middleware Oracle Identity Analytics
CVE-2013-5814
RESERVED
- openjdk-6 <unfixed>
- openjdk-7 <unfixed>
CVE-2013-5813
RESERVED
+ NOT-FOR-US: Oracle Fusion Middleware
CVE-2013-5812
RESERVED
- openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
- openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2013-5811
RESERVED
+ NOT-FOR-US: Oracle Industry Applications
CVE-2013-5810
RESERVED
- openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
@@ -604,18 +642,22 @@
- openjdk-7 <unfixed>
CVE-2013-5799
RESERVED
+ NOT-FOR-US: Oracle Supply Chain Products Suite
CVE-2013-5798
RESERVED
+ NOT-FOR-US: Oracle Fusion Middleware
CVE-2013-5797
RESERVED
- openjdk-6 <unfixed>
- openjdk-7 <unfixed>
CVE-2013-5796
RESERVED
+ NOT-FOR-US: Oracle Siebel CRM
CVE-2013-5795
RESERVED
CVE-2013-5794
RESERVED
+ NOT-FOR-US: Oracle PeopleSoft Products
CVE-2013-5793
RESERVED
- mysql-5.5 <not-affected> (Only affects Mysql 5.6)
@@ -776,7 +818,7 @@
CVE-2013-5741
RESERVED
CVE-2013-5745 (The vino_server_client_data_pending function in vino-server.c in GNOME ...)
- - vino <unfixed> (low; bug #724545)
+ - vino 3.10.1-1 (low; bug #724545)
[wheezy] - vino <no-dsa> (Minor issue)
[squeeze] - vino <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2013/Sep/105
@@ -3762,8 +3804,10 @@
CVE-2013-4420 [tar_extract_glob and tar_extract_all path prefix directory traversal]
RESERVED
- libtar <unfixed>
-CVE-2013-4419
+CVE-2013-4419 [insecure temporary directory handling for guestfish's network socket]
RESERVED
+ - libguestfs 1:1.22.7-1
+ [wheezy] - libguestfs <no-dsa> (Minor issue)
CVE-2013-4418
RESERVED
CVE-2013-4417
@@ -3863,7 +3907,11 @@
RESERVED
CVE-2013-4389
RESERVED
+ - rails-4.0 <not-affected> (Only affects 3.x)
- ruby-actionmailer-3.2 <unfixed> (bug #726576)
+ - ruby-actionmailer-2.3 <not-affected> (Only affects 3.x)
+ - rails <not-affected> (Only affects 3.x)
+ NOTE: Starting with 2.3.14.1 rails is a transition package
CVE-2013-4388 [buffer overflow in the mp4a packetizer]
RESERVED
- vlc <unfixed> (bug #726528)
@@ -4069,10 +4117,13 @@
NOT-FOR-US: Drupal module
CVE-2013-4335
RESERVED
+ NOT-FOR-US: opOpenSocialPlugin
CVE-2013-4334
RESERVED
+ NOT-FOR-US: opWebAPIPlugin
CVE-2013-4333
RESERVED
+ NOT-FOR-US: OpenPNE
CVE-2013-4332 (Multiple integer overflows in malloc/malloc.c in the GNU C Library ...)
- eglibc 2.17-93 (bug #722536)
CVE-2013-4331 [incorrect .Xauthority permissions]
@@ -4174,8 +4225,11 @@
- linux <unfixed>
[wheezy] - linux <not-affected> (Not exploitable by unprivileged users in 3.2)
- linux-2.6 <not-affected> (Not exploitable by unprivileged users in 2.6.32)
-CVE-2013-4299
+CVE-2013-4299 [dm: dm-snapshot data leak]
RESERVED
+ - linux-2.6 <removed>
+ - linux <unfixed>
+ NOTE: upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c6a182649f4259db704ae15a91ac820e63b0ca
CVE-2013-4297 (The virFileNBDDeviceAssociate function in util/virfile.c in libvirt ...)
- libvirt 1.1.2-2
[jessie] - libvirt <not-affected> (Introduced with 8aabd597b379db5ae1655e36dff4f10d5622830a)
@@ -4245,7 +4299,7 @@
[wheezy] - nova <not-affected> (Affected code not present)
NOTE: incomplete fix for CVE-2013-2256
CVE-2013-4277 (Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through ...)
- - subversion <unfixed> (low; bug #721542)
+ - subversion 1.7.13-1 (low; bug #721542)
[squeeze] - subversion <no-dsa> (Minor issue, PID file not created by default)
[wheezy] - subversion <no-dsa> (Minor issue, PID file not created by default)
NOTE: http://subversion.apache.org/security/CVE-2013-4277-advisory.txt
@@ -4256,10 +4310,12 @@
- lcms2 <not-affected> (Vulnerable code not present)
CVE-2013-4275
RESERVED
+ NOT-FOR-US: Drupal contributed module Zen
CVE-2013-4274 (Cross-site scripting (XSS) vulnerability in the ...)
NOT-FOR-US: Drupal addon
CVE-2013-4273
RESERVED
+ NOT-FOR-US: Drupal contributed module Entity API
CVE-2013-4272 (The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x ...)
NOT-FOR-US: Drupal addon
CVE-2013-4271 (The default configuration of the ObjectRepresentation class in Restlet ...)
@@ -4740,7 +4796,7 @@
NOTE: https://projects.kde.org/projects/kde/kde-workspace/repository/revisions/45b7f137fbc0b942fd2c9b4e8d8c1f0293e64ba7
NOTE: only relevant with eglibc >= 2.17.
CVE-2013-4131 (The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through ...)
- - subversion <unfixed> (bug #717794)
+ - subversion 1.7.13-1 (bug #717794)
[squeeze] - subversion <not-affected> (Only affects >= 1.7)
[wheezy] - subversion <not-affected> (Only affects >= 1.7)
CVE-2013-4130 (The (1) red_channel_pipes_add_type and (2) ...)
@@ -7491,58 +7547,79 @@
CVE-2013-2928
RESERVED
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2927
RESERVED
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2926
RESERVED
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2925
RESERVED
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2924 (Use-after-free vulnerability in International Components for Unicode ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
- icu <unfixed> (bug #726477)
CVE-2013-2923 (Multiple unspecified vulnerabilities in Google Chrome before ...)
TODO: check
CVE-2013-2922 (Use-after-free vulnerability in core/html/HTMLTemplateElement.cpp in ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2921 (Double free vulnerability in the ResourceFetcher::didLoadResource ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2920 (The DoResolveRelativeHost function in url/url_canon_relative.cc in ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2919 (Google V8, as used in Google Chrome before 30.0.1599.66, allows remote ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
- libv8 <unfixed>
- libv8-3.14 <unfixed>
CVE-2013-2918 (Use-after-free vulnerability in the ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2917 (The ReverbConvolverStage::ReverbConvolverStage function in ...)
- chromium-browser <unfixed>
CVE-2013-2916 (Blink, as used in Google Chrome before 30.0.1599.66, allows remote ...)
+ [squeeze] - chromium-browser <end-of-life>
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2915 (Google Chrome before 30.0.1599.66 preserves pending NavigationEntry ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2914 (Use-after-free vulnerability in the color-chooser dialog in Google ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2913 (Use-after-free vulnerability in the XMLDocumentParser::append function ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
TODO: Might affect libxml2
CVE-2013-2912 (Use-after-free vulnerability in the PepperInProcessRouter::SendToHost ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2911 (Use-after-free vulnerability in the XSLStyleSheet::compileStyleSheet ...)
- chromium-browser <unfixed>
TODO: Might affect libxslt
CVE-2013-2910 (Use-after-free vulnerability in ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2909 (Use-after-free vulnerability in Blink, as used in Google Chrome before ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2908 (Google Chrome before 30.0.1599.66 uses incorrect function calls to ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2907 (The Window.prototype object implementation in Google Chrome before ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2906 (Multiple race conditions in the Web Audio implementation in Blink, as ...)
- chromium-browser <unfixed>
+ [squeeze] - chromium-browser <end-of-life>
CVE-2013-2905 (The SharedMemory::Create function in memory/shared_memory_posix.cc in ...)
{DSA-2741-1}
- chromium-browser 29.0.1547.57-1
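Review bot: the "[squeeze] - chromium-browser <end-of-life>" line is applied unevenly in this hunk: CVE-2013-2916 gets it twice (once above and once below its "- chromium-browser <unfixed>" line), while CVE-2013-2917 and CVE-2013-2911 get none. The stray line above the CVE-2013-2916 package line looks like the one intended for CVE-2013-2917; moving it there and adding the same line under CVE-2013-2911 keeps the squeeze status consistent with the other chromium entries.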
@@ -9549,6 +9626,7 @@
RESERVED
CVE-2013-2186
RESERVED
+ - libcommons-fileupload-java <unfixed> (bug #726601)
CVE-2013-2185 [tomcat: arbitrary file upload via deserialization]
RESERVED
NOT-FOR-US: Red Hat JBoss Enterprise Application Platform
@@ -9847,6 +9925,7 @@
RESERVED
CVE-2013-2102
RESERVED
+ NOT-FOR-US: GateIn Portal
CVE-2013-2101
RESERVED
CVE-2013-2100
@@ -11061,10 +11140,17 @@
RESERVED
CVE-2013-1744
RESERVED
-CVE-2013-1743
+CVE-2013-1743 [Cross-Site Scripting]
RESERVED
-CVE-2013-1742
+ - bugzilla <not-affected> (Only affects 4.1 to 4.4)
+ - bugzilla4 <itp> (bug #669643)
+ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=924932
+CVE-2013-1742 [Cross-Site Scripting]
RESERVED
+ - bugzilla <removed> (low)
+ [squeeze] - bugzilla <no-dsa> (Minor issue)
+ - bugzilla4 <itp> (bug #669643)
+ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=924802
CVE-2013-1741
RESERVED
CVE-2013-1740
@@ -11103,10 +11189,17 @@
[squeeze] - icedove <end-of-life>
- iceape <unfixed>
[squeeze] - iceape <end-of-life>
-CVE-2013-1734
+CVE-2013-1734 [Cross-Site Request Forgery]
RESERVED
-CVE-2013-1733
+ - bugzilla <removed> (low)
+ [squeeze] - bugzilla <no-dsa> (Minor issue)
+ - bugzilla4 <itp> (bug #669643)
+ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=913904
+CVE-2013-1733 [Cross-Site Request Forgery]
RESERVED
+ - bugzilla <not-affected> (Only affects 4.4)
+ - bugzilla4 <itp> (bug #669643)
+ NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=911593
CVE-2013-1732 (Buffer overflow in the nsFloatManager::GetFlowArea function in Mozilla ...)
{DSA-2762-1 DSA-2759-1}
- iceweasel 24.0-1
@@ -12112,8 +12205,9 @@
RESERVED
CVE-2013-1446
RESERVED
-CVE-2013-1445 [python-crypto PRNG not correctly reseeded in some situation]
+CVE-2013-1445 [PRNG not correctly reseeded in some situations]
RESERVED
+ RESERVED
{DSA-2781-1}
- python-crypto 2.6.1-1
CVE-2013-1444 (A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, ...)
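Review bot: the CVE-2013-1445 entry ends up with two "RESERVED" lines after this hunk, one existing and one added; the added one is a duplicate and should be dropped so the entry reads identifier, RESERVED, DSA reference, package line.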
@@ -13017,6 +13111,7 @@
RESERVED
CVE-2013-1056
RESERVED
+ - xorg-server <not-affected> (Ubuntu-specific patch, see http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1056.html)
CVE-2013-1055
RESERVED
CVE-2013-1054
@@ -22406,8 +22501,10 @@
RESERVED
CVE-2012-4113
RESERVED
+ NOT-FOR-US: Cisco
CVE-2012-4112
RESERVED
+ NOT-FOR-US: Cisco
CVE-2012-4111 (The create certreq command in the fabric-interconnect component in ...)
NOT-FOR-US: Cisco
CVE-2012-4110 (run-script in the fabric-interconnect component in Cisco Unified ...)
@@ -50054,11 +50151,13 @@
- webkit 1.2.6-1
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- chromium-browser 29.0.1547.57-1
+ [squeeze] - chromium-browser <end-of-life>
NOTE: fixed much earlier in chromium, but this was the version checked
CVE-2010-3812 (Integer overflow in the Text::wholeText method in dom/Text.cpp in ...)
- webkit 1.2.6-1
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
- chromium-browser 29.0.1547.57-1
+ [squeeze] - chromium-browser <end-of-life>
NOTE: fixed much earlier in chromium, but this was the version checked
NOTE: http://www.zerodayinitiative.com/advisories/ZDI-10-257
CVE-2010-3811 (Use-after-free vulnerability in WebKit in Apple Safari before 5.0.3 on ...)
@@ -64144,7 +64243,7 @@
- tomcat-native 1.1.18-1
[lenny] - tomcat-native <no-dsa> (Minor issue)
- gnutls26 <not-affected> (safely handles renegotiation; however support for RFC 5746 would be useful)
- - polarssl <undetermined> (bug #704946)
+ - polarssl 1.3.1-1 (bug #704946)
- classpath <removed>
- zorp 3.9.2-1
[squeeze] - zorp <no-dsa> (Minor issue)