[Secure-testing-commits] r26420 - in data: . CVE DSA
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Wed Apr 2 13:59:30 UTC 2014
Author: jmm
Date: 2014-04-02 13:59:30 +0000 (Wed, 02 Apr 2014)
New Revision: 26420
Modified:
data/CVE/list
data/DSA/list
data/dsa-needed.txt
Log:
address silly CVE split for spring
iceweasel fixed
jinja2, mojarra, liblivemedia no-dsa
dsa-needed: vbox, py26
one xen issue limited to xen 4.1 and 4.2, so mark 4.3 as fixed
fix one more mediawiki issue which is actually an NFU
mark mediawiki/oldstable as end-of-life
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-04-02 13:46:39 UTC (rev 26419)
+++ data/CVE/list 2014-04-02 13:59:30 UTC (rev 26420)
@@ -1,10 +1,9 @@
CVE-2014-5880
REJECTED
CVE-2014-2706
- - linux 3.13.7-1
- - linux-2.6 <removed>
+ - linux 3.13.7-1 (low)
+ - linux-2.6 <removed> (low)
NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1d147bfa64293b2723c4fec50922168658e613ba
- TODO: check when introduced
CVE-2014-2686
RESERVED
CVE-2014-2680
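Review bot: the `TODO: check when introduced` line for CVE-2014-2706 is dropped, but nothing records the outcome of that check; if the introduction point was established, add a `[squeeze]`/`[wheezy]` status line or a NOTE stating it, otherwise keep the TODO so the question stays visible. Lowering both linux entries to `(low)` is consistent between the two lines, which is fine.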
@@ -107,6 +106,7 @@
RESERVED
{DSA-2891-1}
- mediawiki 1:1.19.14+dfsg-1 (bug #742857)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=62497
NOTE: http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html
CVE-2014-2656 [arbitrary insertions of malicious data within cube parameter]
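Review bot: the first `[squeeze] - mediawiki <end-of-life>` entry carries no NOTE pointing to where the oldstable end-of-life decision was announced; since the same marker is repeated across many entries in this commit, a single reference on one of them (or in a NOTE next to this one) would let a reader verify the status later.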
@@ -1439,10 +1439,12 @@
NOTE: https://gerrit.wikimedia.org/r/#/q/Idf985e4e69c2f11778a8a90503914678441cb3fb,n,z
CVE-2014-2243 (includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x ...)
- mediawiki 1:1.19.12+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=61346
NOTE: https://gerrit.wikimedia.org/r/#/q/I2a9e89120f7092015495e638c6fa9f67adc9b84f,n,z
CVE-2014-2242 (includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and ...)
- mediawiki 1:1.19.12+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=60771
NOTE: https://gerrit.wikimedia.org/r/#/q/7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb,n,z
CVE-2014-2238 (SQL injection vulnerability in the manage configuration page ...)
@@ -2716,8 +2718,8 @@
CVE-2013-7316 (Cross-site scripting (XSS) vulnerability in GitLab 6.0 allows remote ...)
- gitlab <itp> (bug #651606)
CVE-2013-7315 (The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through ...)
- NOTE: this is split from CVE-2013-4152 due to different affected versions
- TODO: check
+ {DSA-2842-1}
+ - libspring-java 3.0.6.RELEASE-10 (low; bug #720902)
CVE-2013-7314 (The OSPF implementation on NEC IP38X, IX1000, IX2000, and IX3000 ...)
NOT-FOR-US: NEC routers
CVE-2013-7313 (The OSPF implementation in Juniper Junos through 13.x, JunosE, and ...)
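Review bot: removing `NOTE: this is split from CVE-2013-4152 due to different affected versions` loses the only explanation of why CVE-2013-7315 now points at DSA-2842-1, which originally listed just CVE-2013-4152; keep that NOTE (or restate it) alongside the new `{DSA-2842-1}` and `libspring-java 3.0.6.RELEASE-10 (low; bug #720902)` lines so the retroactive association is documented.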
@@ -2797,6 +2799,7 @@
CVE-2014-1610 (MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before ...)
{DSA-2891-1}
- mediawiki 1:1.19.11+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
CVE-2014-1609 (Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow ...)
- mantis <removed>
NOTE: https://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f
@@ -3918,7 +3921,9 @@
NOT-FOR-US: Conceptronic C54APM access point
CVE-2014-1402 [jinja2.bccache.FileSystemBytecodeCache: insecure default directory]
RESERVED
- - jinja2 2.7.2-1 (bug #734747)
+ - jinja2 2.7.2-1 (low; bug #734747)
+ [squeeze] - jinja2 <no-dsa> (Minor issue)
+ [wheezy] - jinja2 <no-dsa> (Minor issue)
NOTE: 2.7.2 does not create safely temporary files, new CVE-2014-0012 was assigned for this issue
CVE-2014-1401 (Multiple SQL injection vulnerabilities in AuraCMS 2.3 and earlier ...)
NOT-FOR-US: AuraCMS
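Review bot: the `[squeeze]`/`[wheezy] - jinja2 <no-dsa> (Minor issue)` lines do not say whether the decision also covers the incomplete-fix follow-up that the existing NOTE mentions (`new CVE-2014-0012 was assigned for this issue`); stating that in the no-dsa justification, or cross-referencing the CVE-2014-0012 entry, would avoid the two entries drifting apart.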
@@ -6324,6 +6329,7 @@
- mplayer2 <not-affected> (b-d's on liblivemedia but doesn't actually build the support for it)
CVE-2013-6933 (The parseRTSPRequestString function in Live Networks Live555 Streaming ...)
- liblivemedia 2014.01.13-1
+ [wheezy] - liblivemedia <no-dsa> (Minor issue)
[squeeze] - liblivemedia <not-affected> (vuln. code introduced in 2011.08.13)
- vlc 2.1.2-2+b1
[squeeze] - vlc <not-affected> (not built against vuln. liblivemedia)
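Review bot: `[wheezy] - liblivemedia <no-dsa> (Minor issue)` is added, but the `vlc 2.1.2-2+b1` entry below it only has a `[squeeze]` annotation; it would help to record whether wheezy's vlc is covered by the liblivemedia no-dsa decision (as the squeeze line does with `not built against vuln. liblivemedia`) so the suite status for vlc is complete.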
@@ -8369,6 +8375,7 @@
RESERVED
{DSA-2891-1}
- mediawiki 1:1.19.10+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58699
CVE-2013-6471
RESERVED
@@ -8429,26 +8436,29 @@
[squeeze] - libvirt <not-affected> (Vulnerable code not present, introduced in v1.0.1)
CVE-2013-6455
RESERVED
- - mediawiki <unfixed>
- NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=57081
+ NOT-FOR-US: Mediawiki CentralAuth extension
CVE-2013-6454
RESERVED
{DSA-2891-1}
- mediawiki 1:1.19.10+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58472
CVE-2013-6453
RESERVED
{DSA-2891-1}
- mediawiki 1:1.19.10+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58553
CVE-2013-6452
RESERVED
{DSA-2891-1}
- mediawiki 1:1.19.10+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=57550
CVE-2013-6451
RESERVED
- mediawiki 1:1.19.10+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58088
NOTE: Introduced by the fix for CVE-2013-4568
CVE-2013-6450 (The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l ...)
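Review bot: reclassifying CVE-2013-6455 as `NOT-FOR-US: Mediawiki CentralAuth extension` also deletes the `NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=57081` reference, which is the evidence for that decision; keep the NOTE line so the NOT-FOR-US call can be re-verified if the extension is ever packaged.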
@@ -9912,7 +9922,9 @@
NOT-FOR-US: Oracle Industry Applications
CVE-2013-5855
RESERVED
- - mojarra <unfixed> (bug #740586)
+ - mojarra <unfixed> (low; bug #740586)
+ [squeeze] - mojarra <no-dsa> (Minor issue)
+ [wheezy] - mojarra <no-dsa> (Minor issue)
NOTE: https://java.net/jira/browse/JAVASERVERFACES-3150
NOTE: https://java.net/projects/mojarra/sources/svn/revision/12793
CVE-2013-5854 (Unspecified vulnerability in Oracle Java SE 7u40 and earlier and ...)
@@ -10732,7 +10744,7 @@
- icedove <not-affected> (Only affects Firefox > 17)
- iceape <not-affected> (Only affects Firefox > 17)
CVE-2013-5592 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
- - iceweasel <unfixed>
+ - iceweasel 24.1.0esr-1
[wheezy] - iceweasel <not-affected> (Only affects Firefox >=24)
[squeeze] - iceweasel <end-of-life>
- icedove <not-affected> (Only affects Firefox >=24)
@@ -13025,6 +13037,7 @@
RESERVED
{DSA-2891-1}
- mediawiki 1:1.19.8+dfsg-2.2 (bug #729629)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=53032
CVE-2013-4571
RESERVED
@@ -13039,10 +13052,12 @@
CVE-2013-4568 (Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki ...)
{DSA-2891-1}
- mediawiki 1:1.19.8+dfsg-2.2 (bug #729629)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
CVE-2013-4567 (Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki ...)
{DSA-2891-1}
- mediawiki 1:1.19.8+dfsg-2.2 (bug #729629)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=55332
CVE-2013-4566 (mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the ...)
- libapache2-mod-nss 1.0.8-4 (low; bug #731627)
@@ -14009,6 +14024,7 @@
CVE-2013-4302 ((1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ...)
{DSA-2753-1}
- mediawiki 1:1.19.8+dfsg-1
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=49090
CVE-2013-4301 (includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x ...)
- mediawiki 1:1.19.8+dfsg-1 (unimportant)
@@ -20237,6 +20253,7 @@
CVE-2013-1951
RESERVED
- mediawiki 1:1.19.5-1
+ [squeeze] - mediawiki <end-of-life>
CVE-2013-1950 (The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows ...)
- libtirpc <not-affected> (regression code not present)
NOTE: Regression introduced with 82cc2e6129c872c8be09381055f2fb5641c5e6fe
@@ -20698,9 +20715,11 @@
CVE-2013-1817 [mediawiki information disclosure in unblock API]
RESERVED
- mediawiki 1:1.19.4-1 (bug #702305)
+ [squeeze] - mediawiki <end-of-life>
CVE-2013-1816 [mediawiki insecure curl usage]
RESERVED
- mediawiki 1:1.19.4-1
+ [squeeze] - mediawiki <end-of-life>
CVE-2013-1815 (PackStack 2012.2.3 in Red Hat OpenStack Essex and Folsom can create ...)
NOT-FOR-US: OpenStack PackStack
CVE-2013-1814 (The users/get program in the User RPC API in Apache Rave 0.11 through ...)
@@ -22104,7 +22123,7 @@
CVE-2013-1433
RESERVED
CVE-2013-1432 (Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not ...)
- - xen <unfixed>
+ - xen 4.3.0-1
NOTE: All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable
CVE-2013-1431 (The Wocky module in Telepathy Gabble before 0.16.6 and 0.17.x before ...)
{DSA-2702-1}
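Review bot: marking `xen 4.3.0-1` as the fixed version conflicts with the unchanged `NOTE: All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable`; update the NOTE to say the issue is limited to 4.1.x and 4.2.x (as the CVE description and the commit log state), or otherwise record why 4.3 is unaffected.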
@@ -29937,6 +29956,7 @@
NOT-FOR-US: WPS Office
CVE-2012-4885 (The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x ...)
- mediawiki 1:1.19.0-1 (low)
+ [squeeze] - mediawiki <end-of-life>
CVE-2012-4884 (Argument injection vulnerability in Request Tracker (RT) 3.8.x before ...)
{DSA-2567-1}
- request-tracker3.8 <removed>
@@ -31594,26 +31614,31 @@
CVE-2012-4382 [Info leak in user blocks]
RESERVED
- mediawiki 1:1.19.2-1 (bug #686330)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39823
NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6
CVE-2012-4381 [Passwords were stored in local DB even if auth systems like LDAP were used]
RESERVED
- mediawiki 1:1.19.2-1 (bug #686330)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39184
NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6
CVE-2012-4380 [Insufficient API for account creation block]
RESERVED
- mediawiki 1:1.19.2-1 (bug #686330)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39824
NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6
CVE-2012-4379 [CSRF]
RESERVED
- mediawiki 1:1.19.2-1 (bug #686330)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6
CVE-2012-4378 [DOM-based XSS]
RESERVED
- mediawiki 1:1.19.2-1 (bug #686330)
+ [squeeze] - mediawiki <end-of-life>
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=37587
NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6
CVE-2012-4377 [[mediawiki stored XSS]
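Review bot: unrelated to this change, but the trailing context line `CVE-2012-4377 [[mediawiki stored XSS]` has a doubled opening bracket; worth fixing in a follow-up so the entry parses like the other bracketed descriptions in this hunk.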
@@ -38757,8 +38782,10 @@
- linux-2.6 2.6.22-1
CVE-2012-1582 (Cross-site scripting (XSS) vulnerability in the wikitext parser in ...)
- mediawiki 1:1.15.5-9 (bug #666269)
+ [squeeze] - mediawiki <end-of-life>
CVE-2012-1581 (MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak ...)
- mediawiki 1:1.15.5-9 (bug #666269)
+ [squeeze] - mediawiki <end-of-life>
CVE-2012-1580 (Cross-site request forgery (CSRF) vulnerability in Special:Upload in ...)
- mediawiki <not-affected> (Vulnerable code not present, see bug #666269)
CVE-2012-1579 (The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x ...)
Modified: data/DSA/list
===================================================================
--- data/DSA/list 2014-04-02 13:46:39 UTC (rev 26419)
+++ data/DSA/list 2014-04-02 13:59:30 UTC (rev 26420)
@@ -183,7 +183,7 @@
[squeeze] - graphviz 2.26.3-5+squeeze2
[wheezy] - graphviz 2.26.3-14+deb7u1
[13 Jan 2014] DSA-2842-1 libspring-java - several
- {CVE-2013-4152}
+ {CVE-2013-4152 CVE-2013-7315}
[wheezy] - libspring-java 3.0.6.RELEASE-6+deb7u1
[11 Jan 2014] DSA-2841-1 movabletype-opensource - cross-site scripting
{CVE-2014-0977}
Modified: data/dsa-needed.txt
===================================================================
--- data/dsa-needed.txt 2014-04-02 13:46:39 UTC (rev 26419)
+++ data/dsa-needed.txt 2014-04-02 13:59:30 UTC (rev 26420)
@@ -63,6 +63,8 @@
--
php-openid (jmm)
--
+python2.6
+--
python-gnupg
--
qt4-x11/oldstable
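Review bot: the new `python2.6` entry has no suite qualifier, unlike neighbours such as `qt4-x11/oldstable`; since the commit log lists it as `py26` needing a DSA, recording the affected suite(s) here would tell the next person which update to prepare.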
@@ -73,6 +75,8 @@
--
tomcat7/stable (jmm)
--
+virtualbox
+--
vlc
--
xen
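Review bot: `virtualbox` is added without a suite qualifier or an assignee (compare `tomcat7/stable (jmm)` above); if it is being claimed, add the `(jmm)` marker, otherwise leave it unclaimed but note the suite so others can pick it up.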