[Secure-testing-commits] r28289 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Fri Aug 15 06:14:32 UTC 2014
Author: carnil
Date: 2014-08-15 06:14:31 +0000 (Fri, 15 Aug 2014)
New Revision: 28289
Modified:
data/CVE/list
Log:
Collect all the not yet assigned CVE requests from last two weeks up to the list
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2014-08-14 21:14:10 UTC (rev 28288)
+++ data/CVE/list 2014-08-15 06:14:31 UTC (rev 28289)
@@ -1,3 +1,54 @@
+CVE-2014-XXXX [cacti remote code execution]
+ - cacti <unfixed>
+ NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7454
+ NOTE: CVE id requested via oss-sec, maintainer in the loop
+CVE-2014-XXXX [unspecific error when handling MyISAM temporary files can be exploited to execute arbitrary code]
+ - mariadb-5.5 5.5.39-1
+ - mysql-5.5 <undetermined>
+ - mysql-5.1 <removed>
+ - percona-xtradb-cluster-5.5 <undetermined>
+ TODO: check details unknown, relates to Secunia Advisory SA60599 (Debian maintainers contacted)
+CVE-2014-XXXX [side-channel attack on Elgamal encryption subkeys]
+ - libgcrypt11 1.5.4-1
+ - libgcrypt20 1.6.0-2
+ NOTE: http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
+CVE-2014-XXXX [XML entity expansion attack related to xmlrpc.php]
+ - wordpress 3.9.2+dfsg-1 (bug #757312)
+ NOTE: https://core.trac.wordpress.org/changeset/29405/branches/3.9
+ - drupal7 7.31-1
+ - drupal6 <removed>
+ NOTE: https://www.drupal.org/SA-CORE-2014-004
+CVE-2014-XXXX [vulnerabilities in Keystone revocation events]
+ - keystone <unfixed>
+ [wheezy] - keystone <not-affected> (Affects 2014.1 versions up to 2014.1.1)
+CVE-2014-XXXX [missing field list terminator in vmstate_xhci_event]
+ - qemu 2.1+dfsg-1
+ [wheezy] - qemu <not-affected> (Vulnerable code introduced in v1.6.0)
+ [squeeze] - qemu <not-affected> (Vulnerable code introduced in v1.6.0)
+ - qemu-kvm <not-affected> (Vulnerable code not present)
+ NOTE: patch http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56
+CVE-2014-XXXX [bypass of file access restriction / information disclosure]
+ - libplack-perl 1.0031-1
+ NOTE: https://github.com/plack/Plack/issues/405
+CVE-2014-XXXX [Insecure use of temporary files]
+ - xcfa <unfixed> (low; bug #756600)
+ [wheezy] - xcfa <no-dsa> (Minor issue)
+CVE-2014-XXXX [Enforce use of HTTPS for MathJax in IPython]
+ - ipython 0.12-1
+ [wheezy] - ipython <no-dsa> (Minor issue)
+ [squeeze] - ipython <not-affected> (Affects versions <= 2.1 and >= 0.12)
+ NOTE: https://github.com/ipython/ipython/issues/6246
+ NOTE: patch: https://github.com/ipython/ipython/commit/f58dabb277d0cdfb603d46cd01fcf29819ae7613
+ NOTE: in Debian patch to use mathjax from system was added right away in version 0.12
+CVE-2014-XXXX [Insecure use of temporary files]
+ - libxml-dt-perl 0.65-1 (bug #756566)
+ [wheezy] - libxml-dt-perl <no-dsa> (Minor issue)
+ [squeeze] - libxml-dt-perl <not-affected> (Vulnerable code introduced later)
+CVE-2014-XXXX [dhcpcd DoS attack]
+ - dhcpcd5 <unfixed> (low)
+ [wheezy] - dhcpcd5 <no-dsa> (Minor issue)
+ - dhcpcd <not-affected> (Affects dhcpcd 4.0.0 to 6.4.2)
+ NOTE: http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
CVE-2014-5243 [Copy prevent-clickjacking between OutputPage and ParserOutput]
- mediawiki <unfixed>
[squeeze] - mediawiki <end-of-life>
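Review bot: In the ipython entry, `- ipython 0.12-1` and `[wheezy] - ipython <no-dsa> (Minor issue)` contradict each other. The squeeze line says the issue starts with 0.12, and the last NOTE says the Debian patch to use the system MathJax went in right away in 0.12. A wheezy version at or above 0.12-1 is therefore already covered by the fixed version, and one below 0.12 would be <not-affected> like squeeze. Either drop the wheezy line or, if the system-MathJax patch does not fully address the issue, change the unstable line and say so in the NOTE.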
@@ -146,25 +197,11 @@
- linux-2.6 <not-affected> (User namespaces only usable in later kernels)
NOTE: https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=db181ce011e3c033328608299cd6fac06ea50130
NOTE: Thread starting at http://www.openwall.com/lists/oss-security/2014/08/12/6
-CVE-2014-XXXX [cacti remote code execution]
- - cacti <unfixed>
- NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7454
- NOTE: CVE id requested via oss-sec, maintainer in the loop
CVE-2014-5247 [insecure archive permission]
- ganeti 2.11.5-1
[wheezy] - ganeti <not-affected> (Vulnerable code not present)
[squeeze] - ganeti <not-affected> (Vulnerable code not present)
NOTE: http://www.ocert.org/advisories/ocert-2014-006.html
-CVE-2014-XXXX [unspecific error when handling MyISAM temporary files can be exploited to execute arbitrary code]
- - mariadb-5.5 5.5.39-1
- - mysql-5.5 <undetermined>
- - mysql-5.1 <removed>
- - percona-xtradb-cluster-5.5 <undetermined>
- TODO: check details unknown, relates to Secunia Advisory SA60599 (Debian maintainers contacted)
-CVE-2014-XXXX [side-channel attack on Elgamal encryption subkeys]
- - libgcrypt11 1.5.4-1
- - libgcrypt20 1.6.0-2
- NOTE: http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
CVE-2014-5240 [cross-site scripting]
{DSA-3001-1}
- wordpress 3.9.2+dfsg-1 (bug #757312)
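Review bot: The MyISAM entry in this hunk carries a TODO that names Secunia Advisory SA60599 but gives no URL, and it leaves mysql-5.5 and percona-xtradb-cluster-5.5 at <undetermined>. Since the entry is being moved in this commit anyway, add a NOTE with the advisory link next to the TODO so whoever resolves the two undetermined packages has a starting point. "unspecific error" in the description would also read better as "unspecified error".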
@@ -185,40 +222,12 @@
[wheezy] - wordpress <not-affected> (Vulnerable code not present)
[squeeze] - wordpress <not-affected> (Vulnerable code not present)
NOTE: https://core.trac.wordpress.org/changeset/29389
-CVE-2014-XXXX [XML entity expansion attack related to xmlrpc.php]
- - wordpress 3.9.2+dfsg-1 (bug #757312)
- NOTE: https://core.trac.wordpress.org/changeset/29405/branches/3.9
- - drupal7 7.31-1
- - drupal6 <removed>
- NOTE: https://www.drupal.org/SA-CORE-2014-004
-CVE-2014-XXXX [vulnerabilities in Keystone revocation events]
- - keystone <unfixed>
- [wheezy] - keystone <not-affected> (Affects 2014.1 versions up to 2014.1.1)
-CVE-2014-XXXX [missing field list terminator in vmstate_xhci_event]
- - qemu 2.1+dfsg-1
- [wheezy] - qemu <not-affected> (Vulnerable code introduced in v1.6.0)
- [squeeze] - qemu <not-affected> (Vulnerable code introduced in v1.6.0)
- - qemu-kvm <not-affected> (Vulnerable code not present)
- NOTE: patch http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56
-CVE-2014-XXXX [bypass of file access restriction / information disclosure]
- - libplack-perl 1.0031-1
- NOTE: https://github.com/plack/Plack/issues/405
-CVE-2014-XXXX [Insecure use of temporary files]
- - xcfa <unfixed> (low; bug #756600)
- [wheezy] - xcfa <no-dsa> (Minor issue)
CVE-2014-3528 [MD5 collision authentication leak]
RESERVED
- subversion 1.8.10-1 (low)
[squeeze] - subversion <no-dsa> (Minor issue)
[wheezy] - subversion <no-dsa> (Minor issue)
NOTE: http://mail-archives.apache.org/mod_mbox/subversion-dev/201407.mbox/%3C53DAB4A7.8030004%40reser.org%3E
-CVE-2014-XXXX [Enforce use of HTTPS for MathJax in IPython]
- - ipython 0.12-1
- [wheezy] - ipython <no-dsa> (Minor issue)
- [squeeze] - ipython <not-affected> (Affects versions <= 2.1 and >= 0.12)
- NOTE: https://github.com/ipython/ipython/issues/6246
- NOTE: patch: https://github.com/ipython/ipython/commit/f58dabb277d0cdfb603d46cd01fcf29819ae7613
- NOTE: in Debian patch to use mathjax from system was added right away in version 0.12
CVE-2014-5179 (The freelinking module for Drupal, as used in the Freelinking for Case ...)
NOT-FOR-US: drupal6-freelinking module
CVE-2014-5177 (libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access ...)
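Review bot: The Keystone entry in this hunk has no NOTE at all: no upstream advisory, no bug number and no pointer to the CVE request. That will make "[vulnerabilities in Keystone revocation events]" hard to match once ids are assigned. The plural in the description also suggests more than one issue under a single CVE-2014-XXXX placeholder. Add a reference NOTE, and split the entry if the request covers several distinct flaws. The same matching concern applies to the xmlrpc.php entry, which lists wordpress and drupal7 under one placeholder.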
@@ -489,15 +498,6 @@
RESERVED
CVE-2014-5046
RESERVED
-CVE-2014-XXXX [Insecure use of temporary files]
- - libxml-dt-perl 0.65-1 (bug #756566)
- [wheezy] - libxml-dt-perl <no-dsa> (Minor issue)
- [squeeze] - libxml-dt-perl <not-affected> (Vulnerable code introduced later)
-CVE-2014-XXXX [dhcpcd DoS attack]
- - dhcpcd5 <unfixed> (low)
- [wheezy] - dhcpcd5 <no-dsa> (Minor issue)
- - dhcpcd <not-affected> (Affects dhcpcd 4.0.0 to 6.4.2)
- NOTE: http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
CVE-2014-5118
RESERVED
NOT-FOR-US: tboot
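Review bot: In the dhcpcd entry, `- dhcpcd <not-affected> (Affects dhcpcd 4.0.0 to 6.4.2)` gives the upstream affected range but not why the dhcpcd source package falls outside it. State the reason directly, for example that the packaged version predates 4.0.0 if that is the case, in the same style as the "(Vulnerable code introduced later)" remark on the libxml-dt-perl entry just above it.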