[Secure-testing-commits] r26713 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sat Apr 26 11:15:31 UTC 2014


Author: carnil
Date: 2014-04-26 11:15:31 +0000 (Sat, 26 Apr 2014)
New Revision: 26713

Modified:
   data/CVE/list
Log:
Add fixed version from Wheezy 7.5 point release

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-04-26 10:51:28 UTC (rev 26712)
+++ data/CVE/list	2014-04-26 11:15:31 UTC (rev 26713)
@@ -782,6 +782,7 @@
 	NOTE: fixed in 1.0.51, pending in git http://anonscm.debian.org/gitweb/?p=printing/cups-filters.git;a=commitdiff;h=e7293d18836d90815277a7efb410275b9baa27c7
 CVE-2014-2706 (Race condition in the mac80211 subsystem in the Linux kernel before ...)
 	- linux 3.13.7-1 (low)
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed> (low)
 	NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1d147bfa64293b2723c4fec50922168658e613ba
 CVE-2014-2686
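Review bot: the added `[wheezy] - linux 3.2.57-1` line for CVE-2014-2706 carries no urgency, while the unstable line above it and the `linux-2.6` line below it are both tagged `(low)`. If the wheezy rating is the same, write it as `[wheezy] - linux 3.2.57-1 (low)` so the entry reads consistently. The CVE-2013-4483 hunk further down has the same gap.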
@@ -850,6 +851,7 @@
 	NOTE: http://framework.zend.com/security/advisory/ZF2014-01
 CVE-2014-2678 (The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel ...)
 	- linux 3.13.10-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed>
 	NOTE: https://lkml.org/lkml/2014/3/29/188
 CVE-2014-2673 (The arch_dup_task_struct function in the Transactional Memory (TM) ...)
@@ -860,6 +862,7 @@
 	NOTE: only affects powerpc architecture
 CVE-2014-2672 (Race condition in the ath_tx_aggr_sleep function in ...)
 	- linux 3.13.7-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed>
 	NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=21f8aaee0c62708654988ce092838aa7df4d25d8
 CVE-2014-2669 (Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL ...)
@@ -1296,6 +1299,7 @@
 CVE-2014-2523 (net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through ...)
 	{DSA-2906-1}
 	- linux 3.13.10-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed>
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/nf_conntrack_proto_dccp.c?id=b22f5126a24b3b2f15448c3f2a254fc10cbc2b92
 CVE-2014-2522 (curl and libcurl 7.27.0 through 7.35.0, when runnning on Windows and ...)
@@ -1726,6 +1730,7 @@
 CVE-2013-7339 (The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel ...)
 	{DSA-2906-1}
 	- linux 3.13-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed>
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2349758acf1874e4c2b93fe41d072336f1a31d0
 CVE-2013-7336 [libvirt: unprivileged user can crash libvirtd during spice migration]
@@ -1839,12 +1844,13 @@
 	RESERVED
 CVE-2014-2309 (The ip6_route_add function in net/ipv6/route.c in the Linux kernel ...)
 	- linux 3.13.6-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <not-affected> (Introduced in v3.0)
 	NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=957c665f37007de93ccbe45902a23143724170d0
 	NOTE: Fix: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=c88507fbad8055297c1d1e21e599f46960cbee39
 CVE-2014-2310 (The AgentX subagent in Net-SNMP before 5.4.4 allows remote attackers ...)
 	- net-snmp 5.7.2~dfsg-3 (bug #684388)
-	[wheezy] - net-snmp <no-dsa> (Minor issue)
+	[wheezy] - net-snmp 5.4.3~dfsg-2.8
 	[squeeze] - net-snmp <no-dsa> (Minor issue)
 	NOTE: http://sourceforge.net/p/net-snmp/patches/1113/
 CVE-2012-6639
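Review bot: in the CVE-2014-2310 entry the description gives the affected range as Net-SNMP before 5.4.4, yet the new wheezy line records `5.4.3~dfsg-2.8` as the fixed version. Anyone comparing against upstream version numbers will read that package as still vulnerable. A short NOTE stating that the fix was backported into the 5.4.3 package would document why the lower version is correct.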
@@ -2304,19 +2310,19 @@
 CVE-2014-2096 (Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0 ...)
 	- catfish 1.0.1-1 (low; bug #739958)
 	[squeeze] - catfish <no-dsa> (Minor issue)
-	[wheezy] - catfish <no-dsa> (Minor issue)
+	[wheezy] - catfish 0.3.2-2+deb7u1
 CVE-2014-2095 (Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0, ...)
 	- catfish 1.0.1-1 (low; bug #739958)
 	[squeeze] - catfish <no-dsa> (Minor issue)
-	[wheezy] - catfish <no-dsa> (Minor issue)
+	[wheezy] - catfish 0.3.2-2+deb7u1
 CVE-2014-2094 (Untrusted search path vulnerability in Catfish through 0.4.0.3, when a ...)
 	- catfish 1.0.1-1 (low; bug #739958)
 	[squeeze] - catfish <no-dsa> (Minor issue)
-	[wheezy] - catfish <no-dsa> (Minor issue)
+	[wheezy] - catfish 0.3.2-2+deb7u1
 CVE-2014-2093 (Untrusted search path vulnerability in Catfish through 0.4.0.3 allows ...)
 	- catfish 1.0.1-1 (low; bug #739958)
 	[squeeze] - catfish <no-dsa> (Minor issue)
-	[wheezy] - catfish <no-dsa> (Minor issue)
+	[wheezy] - catfish 0.3.2-2+deb7u1
 CVE-2014-2086
 	RESERVED
 CVE-2014-2085
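Review bot: the wheezy version `0.3.2-2+deb7u1` is recorded as the fix for all four Catfish entries, but the visible descriptions for CVE-2014-2096 and CVE-2014-2095 give the affected range as "0.6.0 through 1.0.0", which does not include 0.3.2. CVE-2014-2094 and CVE-2014-2093 ("through 0.4.0.3") do cover it. The descriptions are truncated here, so please confirm that the wheezy package really contained the code behind the first two CVEs. If it did not, `[wheezy] - catfish <not-affected>` with a reason is the more accurate state for those two than a fixed version.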
@@ -2425,7 +2431,7 @@
 	RESERVED
 	- owncloud 6.0.2+dfsg-1
 	- php-getid3 1.9.7-2
-	[wheezy] - php-getid3 <no-dsa> (Minor issue)
+	[wheezy] - php-getid3 1.9.3-1+deb7u1
 	[squeeze] - php-getid3 <not-affected> (Vulnerable code not present)
 	NOTE: owncloud advisory does not mention details for GetID3
 	NOTE: http://owncloud.org/about/security/advisories/oC-SA-2014-006/
@@ -2659,6 +2665,7 @@
 CVE-2014-2039 (arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the ...)
 	{DSA-2906-1}
 	- linux 3.13.5-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed>
 	NOTE: https://git.kernel.org/linus/8d7f6690cedb83456edd41c9bd583783f0703bf0
 CVE-2014-2037 [incomplete fix for CVE-2013-6466 DoS in openSwan]
@@ -3023,6 +3030,7 @@
 CVE-2014-1874 (The security_context_to_sid_core function in ...)
 	{DSA-2906-1}
 	- linux 3.13.4-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed>
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2172fa709ab32ca60e86179dc67d0857be8e2c98, first included in v3.14-rc2
 CVE-2014-1860 [PHP object insertion]
@@ -3036,7 +3044,7 @@
 CVE-2014-1831 [insecure use of /tmp]
 	RESERVED
 	- ruby-passenger 4.0.37-1 (low; bug #736958)
-	[wheezy] - ruby-passenger <no-dsa> (low; bug #736958)
+	[wheezy] - ruby-passenger 3.0.13debian-1+deb7u2 (low; bug #736958)
 	- passenger <removed>
 	[squeeze] - passenger <no-dsa> (minor issue)
 CVE-2001-1593 (The tempname_ensure function lib/routines.h in a2ps 4.14 and earlier, ...)
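Review bot: the replacement line for ruby-passenger keeps `(low; bug #736958)`, duplicating the annotation on the unstable line directly above it, whereas the other `<no-dsa>` replacements in this commit drop their parenthetical entirely. Pick one form for the whole change. `[wheezy] - ruby-passenger 3.0.13debian-1+deb7u2` on its own would match the rest.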
@@ -7735,6 +7743,7 @@
 	- 389-ds-base 1.3.2.9-1.1 (bug #741600)
 CVE-2014-0131 (Use-after-free vulnerability in the skb_segment function in ...)
 	- linux 3.13.6-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed>
 	NOTE: http://marc.info/?l=linux-netdev&m=139446896921968&w=2
 CVE-2014-0130
@@ -7830,6 +7839,7 @@
 CVE-2014-0101 (The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the ...)
 	{DSA-2906-1}
 	- linux 3.13.6-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed>
 	NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bbd0d59809f923ea2b540cbd781b32110e249f6e
 	NOTE: http://patchwork.ozlabs.org/patch/325898/
@@ -7912,6 +7922,7 @@
 	RESERVED
 CVE-2014-0077 (drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable ...)
 	- linux 3.13.10-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <not-affected> (Vulnerable code not present)
 	NOTE: seems introduced in https://github.com/torvalds/linux/commit/8dd014adfea6f173c1ef6378f7e5e7924866c923
 	NOTE: qemu is built with support for vhost_net, module loaded post-wheezy when linux < 3.4 but root:root 0600
@@ -7936,6 +7947,7 @@
 	REJECTED
 CVE-2014-0069 (The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel ...)
 	- linux 3.13.6-1 (bug #741958)
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <not-affected> (Only affects 2.6.38 and later)
 	NOTE: http://article.gmane.org/gmane.linux.kernel.cifs/9401
 	NOTE: upstream fix 5d81de8e8667da7135d3a32a964087c0faf5483f included in v3.14-rc4
@@ -8004,6 +8016,7 @@
 	- neutron 2013.2.2-4 (bug #742800)
 CVE-2014-0055 (The get_rx_bufs function in drivers/vhost/net.c in the vhost-net ...)
 	- linux 3.13.10-1
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <not-affected> (Vulnerable code not present)
 	NOTE: introduced in https://github.com/torvalds/linux/commit/8dd014adfea6f173c1ef6378f7e5e7924866c923
 	NOTE: qemu is built with support for vhost_net, module loaded post-wheezy when linux < 3.4 but root:root 0600
@@ -8077,7 +8090,7 @@
 CVE-2014-0032 (The get_resource function in repos.c in the mod_dav_svn module in ...)
 	- subversion 1.8.8-1 (low; bug #737815)
 	[squeeze] - subversion <no-dsa> (Minor issue)
-	[wheezy] - subversion <no-dsa> (Minor issue)
+	[wheezy] - subversion 1.6.17dfsg-4+deb7u5
 CVE-2014-0031 (The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache ...)
 	NOT-FOR-US: Apache CloudStack
 CVE-2014-0030
@@ -9432,7 +9445,7 @@
 	[squeeze] - samba <not-affected> (Only affects 4.x and later)
 	[wheezy] - samba <not-affected> (Only affects 4.x and later)
 	- samba4 <removed>
-	[wheezy] - samba4 <no-dsa> (Minor issue)
+	[wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1
 	NOTE: http://www.samba.org/samba/security/CVE-2013-6442
 CVE-2013-6441 (The lxc-sshd template (templates/lxc-sshd.in) in LXC before ...)
 	- lxc <unfixed> (unimportant)
@@ -9585,7 +9598,7 @@
 	REJECTED
 CVE-2013-6404 (Quassel core (server daemon) in Quassel IRC before 0.9.2 does not ...)
 	- quassel 0.9.2-1 (low)
-	[wheezy] - quassel <no-dsa> (Minor issue)
+	[wheezy] - quassel 0.8.0-1+deb7u1
 	[squeeze] - quassel <no-dsa> (Minor issue)
 	NOTE: https://github.com/quassel/quassel/commit/a1a24da
 CVE-2013-6403 (The admin page in ownCloud before 5.0.13 allows remote attackers to ...)
@@ -14324,10 +14337,10 @@
 	NOTE: https://github.com/openstack/nova/commit/5cced7a6dd32d231c606e25dbf762d199bf9cca7
 CVE-2013-4496 (Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 ...)
 	- samba 2:4.1.6+dfsg-1 (low)
-	[wheezy] - samba <no-dsa> (Minor issue)
+	[wheezy] - samba 2:3.6.6-6+deb7u3
 	[squeeze] - samba <no-dsa> (Minor issue)
 	- samba4 <removed>
-	[wheezy] - samba4 <no-dsa> (Minor issue)
+	[wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1
 	NOTE: http://www.samba.org/samba/security/CVE-2013-4496
 CVE-2013-4495 (The send_the_mail function in server/svr_mail.c in Terascale ...)
 	{DSA-2796-1}
@@ -14374,6 +14387,7 @@
 	NOTE: https://www.varnish-cache.org/trac/ticket/1367
 CVE-2013-4483 (The ipc_rcu_putref function in ipc/util.c in the Linux kernel before ...)
 	- linux 3.11.8-1 (low)
+	[wheezy] - linux 3.2.57-1
 	- linux-2.6 <removed> (low)
 	[squeeze] - linux-2.6 <no-dsa> (Minor issue, too intrusive to backport)
 	NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6062a8
@@ -14401,11 +14415,12 @@
 	[wheezy] - samba <not-affected> (Doesn't provide AD functionality)
 	[squeeze] - samba <not-affected> (Doesn't provide AD functionality)
 	- samba4 <removed> (low)
+	[wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1
 CVE-2013-4475 (Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, ...)
 	{DSA-2812-1}
 	- samba 2:4.0.11+dfsg-1 (low)
 	- samba4 <removed> (low)
-	[wheezy] - samba4 <no-dsa> (Minor issue)
+	[wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1
 CVE-2013-4474 (Format string vulnerability in the extractPages function in ...)
 	- poppler 0.18.4-9 (low; bug #729064)
 	[squeeze] - poppler <not-affected> (pdfseparate not yet present)
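Review bot: the first added line in this hunk is a new `[wheezy] - samba4` entry rather than a replacement of an existing `<no-dsa>` line, and the CVE header it belongs to lies above the hunk context. The only wheezy state visible for that entry is `[wheezy] - samba <not-affected> (Doesn't provide AD functionality)`, so nothing here shows that samba4 in wheezy was previously triaged as affected. Please confirm against the point-release changelog that `4.0.0~beta2+dfsg1-3.2+deb7u1` addresses this CVE before recording it as the fixed version. The CVE-2013-4475 change below it is a straightforward `<no-dsa>` replacement and looks fine.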
@@ -14625,6 +14640,7 @@
 	{DSA-2812-1}
 	- samba 2:4.0.13+dfsg-1
 	- samba4 <removed>
+	[wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1
 CVE-2013-4407 (HTTP::Body::Multipart in the HTTP-Body 1.08, 1.17, and earlier module ...)
 	{DSA-2801-1}
 	- libhttp-body-perl 1.17-2 (bug #721634)
@@ -15471,7 +15487,7 @@
 	[squeeze] - lcms <no-dsa> (Minor issue)
 	[wheezy] - lcms <no-dsa> (Minor issue)
 	- lcms2 2.2+git20110628-2.3 (bug #714529)
-	[wheezy] - lcms2 <no-dsa> (Minor issue)
+	[wheezy] - lcms2 2.2+git20110628-2.2+deb7u1
 	NOTE: https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9
 	NOTE: https://bugzilla.novell.com/show_bug.cgi?id=826097#c9
 CVE-2013-4159
@@ -15604,7 +15620,7 @@
 	[wheezy] - samba 2:3.6.6-6+deb7u1
 	[squeeze] - samba 2:3.5.6~dfsg-3squeeze10
 	- samba4 <unfixed> (low)
-	[wheezy] - samba4 <no-dsa> (Minor issue)
+	[wheezy] - samba4 4.0.0~beta2+dfsg1-3.2+deb7u1
 	NOTE: https://www.samba.org/samba/security/CVE-2013-4124
 	NOTE: samba as per 2:4.0.9+dfsg-2 is the first upload of the unified samba 4.x package to unstable.
 	NOTE: Issue also fixed in 4.0.8 upstream, thus the fix still contained in 4.x in unstable
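Review bot: after this change wheezy is marked fixed for samba4 while the unstable line above still reads `- samba4 <unfixed> (low)`. Every other samba4 entry touched in this commit uses `- samba4 <removed>`, and the NOTE lines here say the unified samba 4.x package in unstable already contains the fix. If the samba4 source package is gone from unstable, that line should become `- samba4 <removed> (low)` in the same commit, otherwise the tracker will show stable as fixed and unstable as open.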
@@ -27301,7 +27317,7 @@
 	NOTE: Upstream patch: http://sourceforge.net/p/net-snmp/code/ci/793d596838ff7cb48a73b675d62897c56c9e62df/
 CVE-2012-6150 (The winbind_name_list_to_sid_string_list function in ...)
 	- samba 2:4.0.13+dfsg-1 (low)
-	[wheezy] - samba <no-dsa> (Can be fixed along in a future DSA)
+	[wheezy] - samba 2:3.6.6-6+deb7u3
 	[squeeze] - samba <no-dsa> (Can be fixed along in a future DSA)
 	- samba4 <not-affected> (Samba 4 winbind does not implement this feature)
 	NOTE: introduced http://git.samba.org/?p=samba.git;a=commit;h=31f1a36901b5b8959dc51401c09c114829b50392
@@ -27558,7 +27574,7 @@
 	RESERVED
 	- freeciv 2.3.4-1 (low; bug #696306)
 	[squeeze] - freeciv <no-dsa> (Minor issue)
-	[wheezy] - freeciv <no-dsa> (Minor issue)
+	[wheezy] - freeciv 2.3.2-1+deb7u1
 CVE-2012-6082 (Cross-site scripting (XSS) vulnerability in the rsslink function in ...)
 	{DSA-2593-1}
 	- moin 1.9.5-2
@@ -28955,7 +28971,7 @@
 	RESERVED
 	- freeciv 2.3.4-1 (low; bug #696306)
 	[squeeze] - freeciv <no-dsa> (Minor issue)
-	[wheezy] - freeciv <no-dsa> (Minor issue)
+	[wheezy] - freeciv 2.3.2-1+deb7u1
 CVE-2012-5644 [(Complete) Information disclosure when moving user's home directory]
 	RESERVED
 	- libuser <unfixed> (low; bug #705690)
@@ -131638,7 +131654,7 @@
 	{DSA-1074-1}
 	- mpg123 0.59r-22 (bug #361863)
 	- mp3gain 1.5.2-r2-6 (low)
-	[wheezy] - mp3gain <no-dsa> (Minor issue)
+	[wheezy] - mp3gain 1.5.2-r2-2+deb7u1
 	[squeeze] - mp3gain <no-dsa> (Minor issue)
 CVE-2006-1654 (Directory traversal vulnerability in the HP Color LaserJet 2500 ...)
 	NOT-FOR-US: HP Colour LaserJet 2500 and 4600 Toolbox
@@ -152481,7 +152497,7 @@
 CVE-2004-0991 (Buffer overflow in mpg123 before 0.59s-r9 allows remote attackers to ...)
 	- mpg123 0.59r-19
 	- mp3gain 1.5.2-r2-6 (low)
-	[wheezy] - mp3gain <no-dsa> (Minor issue)
+	[wheezy] - mp3gain 1.5.2-r2-2+deb7u1
 	[squeeze] - mp3gain <no-dsa> (Minor issue)
 CVE-2004-0990 (Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and ...)
 	{DSA-602-1 DSA-601-1 DSA-591-1 DSA-589-1}
@@ -152967,7 +152983,7 @@
 	{DSA-564-1}
 	- mpg123 0.59r-16
 	- mp3gain 1.5.2-r2-6 (low)
-	[wheezy] - mp3gain <no-dsa> (Minor issue)
+	[wheezy] - mp3gain 1.5.2-r2-2+deb7u1
 	[squeeze] - mp3gain <no-dsa> (Minor issue)
 CVE-2004-0804 (Vulnerability in tif_dirread.c for libtiff allows remote attackers to ...)
 	{DSA-567-1}
@@ -155735,7 +155751,7 @@
 CVE-2003-0577 (mpg123 0.59r allows remote attackers to cause a denial of service and ...)
 	- mpg123 0.59r-1
 	- mp3gain 1.5.2-r2-6 (low)
-	[wheezy] - mp3gain <no-dsa> (Minor issue)
+	[wheezy] - mp3gain 1.5.2-r2-2+deb7u1
 	[squeeze] - mp3gain <no-dsa> (Minor issue)
 CVE-2003-0576 (Unknown vulnerability in the NFS daemon (nfsd) in SGI IRIX 6.5.19f and ...)
 	NOT-FOR-US: IRIX



