[Secure-testing-commits] r28345 - data/CVE

Joey Hess joeyh at moszumanska.debian.org
Mon Aug 18 21:14:11 UTC 2014


Author: joeyh
Date: 2014-08-18 21:14:11 +0000 (Mon, 18 Aug 2014)
New Revision: 28345

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-08-18 20:45:36 UTC (rev 28344)
+++ data/CVE/list	2014-08-18 21:14:11 UTC (rev 28345)
@@ -1,32 +1,148 @@
+CVE-2014-5312
+	RESERVED
+CVE-2014-5311
+	RESERVED
+CVE-2014-5310
+	RESERVED
+CVE-2014-5309
+	RESERVED
+CVE-2014-5308
+	RESERVED
+CVE-2014-5307
+	RESERVED
+CVE-2014-5306
+	RESERVED
+CVE-2014-5305
+	RESERVED
+CVE-2014-5304
+	RESERVED
+CVE-2014-5303
+	RESERVED
+CVE-2014-5302
+	RESERVED
+CVE-2014-5301
+	RESERVED
+CVE-2014-5300
+	RESERVED
+CVE-2014-5299
+	RESERVED
+CVE-2014-5298
+	RESERVED
+CVE-2014-5297
+	RESERVED
+CVE-2014-5296
+	RESERVED
+CVE-2014-5295
+	RESERVED
+CVE-2014-5294
+	RESERVED
+CVE-2014-5293
+	RESERVED
+CVE-2014-5292
+	RESERVED
+CVE-2014-5291
+	RESERVED
+CVE-2014-5290
+	RESERVED
+CVE-2014-5289
+	RESERVED
+CVE-2014-5288
+	RESERVED
+CVE-2014-5287
+	RESERVED
+CVE-2014-5286
+	RESERVED
+CVE-2014-5285
+	RESERVED
+CVE-2014-5284
+	RESERVED
+CVE-2014-5283
+	RESERVED
+CVE-2014-5282
+	RESERVED
+CVE-2014-5281
+	RESERVED
+CVE-2014-5280
+	RESERVED
+CVE-2014-5279
+	RESERVED
+CVE-2014-5278
+	RESERVED
+CVE-2014-5277
+	RESERVED
+CVE-2014-5276
+	RESERVED
+CVE-2014-5275
+	RESERVED
+CVE-2014-5264
+	RESERVED
+CVE-2014-5259
+	RESERVED
+CVE-2014-5258
+	RESERVED
+CVE-2014-5257
+	RESERVED
+CVE-2014-5256
+	RESERVED
+CVE-2014-5248 (Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows ...)
+	TODO: check
+CVE-2014-5246
+	RESERVED
+CVE-2014-5245
+	RESERVED
+CVE-2014-5244
+	RESERVED
+CVE-2014-5239 (The Microsoft Outlook.com application before 7.8.2.12.49.7090 for ...)
+	TODO: check
+CVE-2014-5238
+	RESERVED
+CVE-2014-5237
+	RESERVED
+CVE-2014-5236
+	RESERVED
+CVE-2014-5235
+	RESERVED
+CVE-2014-5234
+	RESERVED
+CVE-2012-6654 (Multiple SQL injection vulnerabilities in ZPanel 10.0.1 and earlier ...)
+	TODO: check
 CVE-2014-5274 [XSS in view operations page]
+	RESERVED
 	- phpmyadmin <unfixed> (bug #758536)
 	NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-9.php
 CVE-2014-5273 [Multiple XSS vulnerabilities in browse table, ENUM editor, monitor, query charts and table relations pages]
+	RESERVED
 	- phpmyadmin <unfixed> (bug #758536)
 	NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php
 CVE-2014-5268
+	RESERVED
 	NOT-FOR-US: Drupal addon
-CVE-2014-5250
+CVE-2014-5250 (Unspecified vulnerability in the AJAX autocompletion callback in the ...)
 	NOT-FOR-US: Drupal addon
-CVE-2014-5249
+CVE-2014-5249 (SQL injection vulnerability in the "Biblio self autocomplete" ...)
 	NOT-FOR-US: Drupal addon
 CVE-2012-6655 [passes (encrypted) passwords as commandline arguments]
+	RESERVED
 	- accountsservice <unfixed> (low; bug #757912)
 	[wheezy] - accountsservice <no-dsa> (Minor issue)
 	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=55000
 CVE-2014-5272 [out of array access]
+	RESERVED
 	- ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
 	- libav <unfixed>
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3539d6c63a16e1b2874bb037a86f317449c58770
 CVE-2014-5271 [buffer overflow]
+	RESERVED
 	- ffmpeg <not-affected> (Vulnerable code not present)
 	- libav <unfixed>
 	[wheezy] - libav <not-affected> (Vulnerable code not present)
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=52b81ff4635c077b2bc8b8d3637d933b6629d803
 CVE-2014-5262 [SQL injection]
+	RESERVED
 	- cacti 0.8.8b+dfsg-8
 	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7454
 CVE-2014-5261 [cacti remote code execution]
+	RESERVED
 	- cacti 0.8.8b+dfsg-8
 	NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7454
 CVE-2014-XXXX [unspecific error when handling MyISAM temporary files can be exploited to execute arbitrary code]
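Review bot: The three entries that arrive with a description (CVE-2014-5248 for MyBB, CVE-2014-5239 for the Microsoft Outlook.com application, CVE-2012-6654 for ZPanel) carry only "TODO: check", so they are still untriaged after this commit. Each needs a follow-up that replaces the TODO with either a "NOT-FOR-US:" line, as the Drupal addon entries in this same hunk have, or a package line with a status.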
@@ -36,20 +152,22 @@
 	- percona-xtradb-cluster-5.5 <undetermined>
 	TODO: check details unknown, relates to Secunia Advisory SA60599 (Debian maintainers contacted)
 CVE-2014-5270 [side-channel attack on Elgamal encryption subkeys]
+	RESERVED
 	- libgcrypt11 1.5.4-1
 	- libgcrypt20 1.6.0-2
 	NOTE: http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
 CVE-2014-5267 [ code change to reject any XRDS document with a /<!DOCTYPE/i match]
+	RESERVED
 	{DSA-2999-1}
 	- drupal7 7.31-1
-CVE-2014-5266 [XML entity expansion attack related to xmlrpc.php]
+CVE-2014-5266 (The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 ...)
 	{DSA-3001-1 DSA-2999-1}
 	- wordpress 3.9.2+dfsg-1 (bug #757312)
 	NOTE: https://core.trac.wordpress.org/changeset/29405/branches/3.9
 	- drupal7 7.31-1
 	- drupal6 <removed>
 	NOTE: https://www.drupal.org/SA-CORE-2014-004
-CVE-2014-5265 [XML entity expansion attack related to xmlrpc.php]
+CVE-2014-5265 (The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 ...)
 	{DSA-3001-1 DSA-2999-1}
 	- wordpress 3.9.2+dfsg-1 (bug #757312)
 	NOTE: https://core.trac.wordpress.org/changeset/29405/branches/3.9
@@ -57,33 +175,40 @@
 	- drupal6 <removed>
 	NOTE: https://www.drupal.org/SA-CORE-2014-004
 CVE-2014-5253 [vulnerabilities in Keystone revocation events]
+	RESERVED
 	- keystone 2014.1.2.1-1
 	[wheezy] - keystone <not-affected> (Affects 2014.1 versions up to 2014.1.1)
 	NOTE: https://launchpad.net/bugs/1349597
 	NOTE: https://git.openstack.org/cgit/openstack/keystone/commit/?id=317f9d34b4da20c21edd5b851889298b67c843e1
 CVE-2014-5252 [vulnerabilities in Keystone revocation events]
+	RESERVED
 	- keystone 2014.1.2.1-1
 	[wheezy] - keystone <not-affected> (Affects 2014.1 versions up to 2014.1.1)
 	NOTE: https://launchpad.net/bugs/1348820
 	NOTE: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae
 CVE-2014-5251 [vulnerabilities in Keystone revocation events]
+	RESERVED
 	- keystone 2014.1.2.1-1
 	[wheezy] - keystone <not-affected> (Affects 2014.1 versions up to 2014.1.1)
 	NOTE:  https://launchpad.net/bugs/1347961
 	NOTE: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6cbf835542d62e6e5db4b4aef7141b1731cad9dc
 CVE-2014-5263 [missing field list terminator in vmstate_xhci_event]
+	RESERVED
 	- qemu 2.1+dfsg-1
 	[wheezy] - qemu <not-affected> (Vulnerable code introduced in v1.6.0)
 	[squeeze] - qemu <not-affected> (Vulnerable code introduced in v1.6.0)
 	- qemu-kvm <not-affected> (Vulnerable code not present)
 	NOTE: patch http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56
 CVE-2014-5269 [bypass of file access restriction / information disclosure]
+	RESERVED
 	- libplack-perl 1.0031-1
 	NOTE: https://github.com/plack/Plack/issues/405
 CVE-2014-5255 [Insecure use of temporary file related to the /tmp/get_infos_dvd.sh]
+	RESERVED
 	- xcfa <unfixed> (low; bug #756600)
 	[wheezy] - xcfa <no-dsa> (Minor issue)
 CVE-2014-5254 [Symlink following issues]
+	RESERVED
 	- xcfa <unfixed> (low; bug #756600)
 	[wheezy] - xcfa <no-dsa> (Minor issue)
 CVE-2014-XXXX [Enforce use of HTTPS for MathJax in IPython]
@@ -93,7 +218,7 @@
 	NOTE: https://github.com/ipython/ipython/issues/6246
 	NOTE: patch: https://github.com/ipython/ipython/commit/f58dabb277d0cdfb603d46cd01fcf29819ae7613
 	NOTE: in Debian patch to use mathjax from system was added right away in version 0.12
-CVE-2014-5260 [Insecure use of temporary files]
+CVE-2014-5260 (The (1) mkxmltype and (2) mkdtskel scripts in XML-DT before 0.64 allow ...)
 	- libxml-dt-perl 0.66-1 (bug #756566)
 	[wheezy] - libxml-dt-perl <no-dsa> (Minor issue)
 	[squeeze] - libxml-dt-perl <not-affected> (Vulnerable code introduced later)
@@ -103,14 +228,17 @@
 	- dhcpcd <not-affected> (Affects dhcpcd 4.0.0 to 6.4.2)
 	NOTE: http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
 CVE-2014-5243 [Copy prevent-clickjacking between OutputPage and ParserOutput]
+	RESERVED
 	- mediawiki <unfixed> (bug #758510)
 	[squeeze] - mediawiki <end-of-life>
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=65778
 CVE-2014-5242 [XSS]
+	RESERVED
 	- mediawiki <not-affected> (Vulnerable code not present)
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=66608
 	NOTE: Introduced in 1.22wmf14, https://bugzilla.wikimedia.org/show_bug.cgi?id=66608#c18
 CVE-2014-5241 [Prepend jsonp callback with comment]
+	RESERVED
 	- mediawiki <unfixed> (bug #758510)
 	[squeeze] - mediawiki <end-of-life>
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=68187
@@ -178,7 +306,7 @@
 	NOT-FOR-US: Splunk
 CVE-2014-5197 (Directory traversal vulnerability in (1) Splunk Web or the (2) Splunkd ...)
 	NOT-FOR-US: Splunk
-CVE-2014-5196 (Cross-site scripting (XSS) vulnerability in ...)
+CVE-2014-5196 (Cross-site request forgery (CSRF) vulnerability in ...)
 	NOT-FOR-US: WordPress plugin improved-user-search-in-backend
 CVE-2014-5195 (Unity before 7.2.3 and 7.3.x before 7.3.1, as used in Ubuntu, does not ...)
 	- unity <itp> (bug #609278)
@@ -236,41 +364,37 @@
 	NOT-FOR-US: WordPress plugin all-video-gallery
 CVE-2007-6756 (ZOLL Defibrillator / Monitor M Series, E Series, and R Series have a ...)
 	NOT-FOR-US: ZOLL Defibrillator / Monitor M Series, E Series, and R Series
-CVE-2014-5207 [ro bind mount bypass using user namespaces]
-	RESERVED
+CVE-2014-5207 (fs/namespace.c in the Linux kernel through 3.16.1 does not properly ...)
 	- linux <unfixed>
 	[wheezy] - linux <not-affected> (User namespaces only usable in later kernels)
 	- linux-2.6 <not-affected> (User namespaces only usable in later kernels)
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=9566d6742852c527bf5af38af5cbb878dad75705
 	NOTE: Thread starting at http://www.openwall.com/lists/oss-security/2014/08/12/6
-CVE-2014-5206 [ro bind mount bypass using user namespaces]
-	RESERVED
+CVE-2014-5206 (The do_remount function in fs/namespace.c in the Linux kernel through ...)
 	- linux <unfixed>
 	[wheezy] - linux <not-affected> (User namespaces only usable in later kernels)
 	- linux-2.6 <not-affected> (User namespaces only usable in later kernels)
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=db181ce011e3c033328608299cd6fac06ea50130
 	NOTE: Thread starting at http://www.openwall.com/lists/oss-security/2014/08/12/6
 CVE-2014-5247 [insecure archive permission]
+	RESERVED
 	- ganeti 2.11.5-1
 	[wheezy] - ganeti <not-affected> (Vulnerable code not present)
 	[squeeze] - ganeti <not-affected> (Vulnerable code not present)
 	NOTE: http://www.ocert.org/advisories/ocert-2014-006.html
-CVE-2014-5240 [cross-site scripting]
+CVE-2014-5240 (Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php ...)
 	{DSA-3001-1}
 	- wordpress 3.9.2+dfsg-1 (bug #757312)
 	NOTE: https://core.trac.wordpress.org/changeset/29398
-CVE-2014-5205 [protections against brute attacks against CSRF tokens]
-	RESERVED
+CVE-2014-5205 (wp-includes/pluggable.php in WordPress before 3.9.2 does not use ...)
 	{DSA-3001-1}
 	- wordpress 3.9.2+dfsg-1 (bug #757312)
 	NOTE: https://core.trac.wordpress.org/changeset/29408
-CVE-2014-5204 [protections against brute attacks against CSRF tokens]
-	RESERVED
+CVE-2014-5204 (wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid ...)
 	{DSA-3001-1}
 	- wordpress 3.9.2+dfsg-1 (bug #757312)
 	NOTE: https://core.trac.wordpress.org/changeset/29384
-CVE-2014-5203 [unsafe serialization vulnerability]
-	RESERVED
+CVE-2014-5203 (wp-includes/class-wp-customize-widgets.php in the widget ...)
 	- wordpress 3.9.2+dfsg-1 (bug #757312)
 	[wheezy] - wordpress <not-affected> (Vulnerable code not present)
 	[squeeze] - wordpress <not-affected> (Vulnerable code not present)
@@ -326,7 +450,7 @@
 CVE-2014-5158
 	RESERVED
 CVE-2014-5157
-	RESERVED
+	REJECTED
 CVE-2014-5156
 	RESERVED
 CVE-2014-5155
@@ -373,8 +497,7 @@
 	RESERVED
 CVE-2014-5140
 	RESERVED
-CVE-2014-5139 [Crash with SRP ciphersuite in Server Hello message]
-	RESERVED
+CVE-2014-5139 (The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
 	[squeeze] - openssl <not-affected> (vulnerable code not present)
@@ -497,8 +620,8 @@
 CVE-2014-5075 [MitM vulnerability]
 	RESERVED
 	- libsmack-java <itp> (bug #640873)
-CVE-2014-5074
-	RESERVED
+CVE-2014-5074 (Siemens SIMATIC S7-1500 CPU devices with firmware before 1.6 allow ...)
+	TODO: check
 CVE-2014-5073
 	RESERVED
 CVE-2014-5072
@@ -571,7 +694,7 @@
 	- linux-2.6 <removed>
 	NOTE: upstream fix: http://patchwork.ozlabs.org/patch/372475/
 CVE-2014-5043 ["System Utilities - View User Log" XSS issue]
-	RESERVED
+	REJECTED
 	- cacti 0.8.8b+dfsg-7
 	NOTE: this CVE might be rejected, check reply from MITRE
 CVE-2014-5042
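Review bot: CVE-2014-5043 is now REJECTED, yet the entry keeps "- cacti 0.8.8b+dfsg-7" and the note "this CVE might be rejected, check reply from MITRE", which no longer matches the status line. Suggest rewording the note to record that the rejection happened and, if the "View User Log" XSS is tracked under a different identifier, naming it so the cacti fix stays attributable.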
@@ -1208,8 +1331,8 @@
 	RESERVED
 CVE-2014-4776
 	RESERVED
-CVE-2014-4775
-	RESERVED
+CVE-2014-4775 (IBM InfoSphere Master Data Management - Collaborative Edition 10.x ...)
+	TODO: check
 CVE-2014-4774
 	RESERVED
 CVE-2014-4773
@@ -2232,21 +2355,18 @@
 	NOT-FOR-US: Citrix NetScaler Application Delivery Controller
 CVE-2014-4346 (Cross-site scripting (XSS) vulnerability in administration user ...)
 	NOT-FOR-US: Citrix NetScaler Application Delivery Controller
-CVE-2014-4345 [buffer overrun in kadmind]
-	RESERVED
+CVE-2014-4345 (Off-by-one error in the krb5_encode_krbsecretkey function in ...)
 	{DSA-3000-1}
 	- krb5 1.12.1+dfsg-7 (bug #757416)
 	[squeeze] - krb5 1.8.3+dfsg-4squeeze8
 	NOTE: https://github.com/krb5/krb5/commit/81c332e29f10887c6b9deb065f81ba259f4c7e03
 	NOTE: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2014-001.txt
-CVE-2014-4344 [NULL dereference in GSSAPI servers]
-	RESERVED
+CVE-2014-4344 (The acc_ctx_cont function in the SPNEGO acceptor in ...)
 	{DSA-3000-1}
 	- krb5 1.12.1+dfsg-5 (bug #755521)
 	[squeeze] - krb5 1.8.3+dfsg-4squeeze8
 	NOTE: https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b
-CVE-2014-4343 [double-free in SPNEGO initiators]
-	RESERVED
+CVE-2014-4343 (Double free vulnerability in the init_ctx_reselect function in the ...)
 	{DSA-3000-1}
 	- krb5 1.12.1+dfsg-5 (bug #755520)
 	[squeeze] - krb5 1.8.3+dfsg-4squeeze8
@@ -3003,6 +3123,7 @@
 CVE-2014-4040 (snap in powerpc-utils 1.2.20 produces an archive with fstab and ...)
 	- ppc64-diag <itp> (bug #740179)
 CVE-2014-4021 (Xen 3.2.x through 4.4.x does not properly clean memory pages recovered ...)
+	{DSA-3006-1}
 	- xen <unfixed> (bug #751894)
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2014-4020 (The dissect_frame function in epan/dissectors/packet-frame.c in the ...)
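Review bot: "{DSA-3006-1}" is attached to CVE-2014-4021 while the line directly below still reads "- xen <unfixed> (bug #751894)". Now that an advisory references this CVE, check bug #751894 to confirm that unstable really is still open, and replace "<unfixed>" with the fixed version if it is not.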
@@ -3275,22 +3396,22 @@
 	RESERVED
 CVE-2014-3906
 	RESERVED
-CVE-2014-3905
-	RESERVED
-CVE-2014-3904
-	RESERVED
+CVE-2014-3905 (Cross-site scripting (XSS) vulnerability in tenfourzero Shutter 0.1.4 ...)
+	TODO: check
+CVE-2014-3904 (SQL injection vulnerability in lib/admin.php in tenfourzero Shutter ...)
+	TODO: check
 CVE-2014-3903
 	RESERVED
-CVE-2014-3902
-	RESERVED
+CVE-2014-3902 (The CyberAgent Ameba application 3.x and 4.x before 4.5.0 for Android ...)
+	TODO: check
 CVE-2014-3901 (Raritan Japan Dominion KX2-101 switches before 2 allow remote ...)
 	NOT-FOR-US: Raritan Japan Dominion KX2-101 switches
-CVE-2014-3900
-	RESERVED
+CVE-2014-3900 (Cross-site scripting (XSS) vulnerability in admin/picture_modify.php ...)
+	TODO: check
 CVE-2014-3899 (Gretech GOM Player 2.2.51.5149 and earlier allows remote attackers to ...)
 	NOT-FOR-US: Gretech GOM Player
-CVE-2014-3898
-	RESERVED
+CVE-2014-3898 (Cross-site scripting (XSS) vulnerability in Fujitsu ServerView ...)
+	TODO: check
 CVE-2014-3897 (Cross-site scripting (XSS) vulnerability in Homepage Decorator ...)
 	NOT-FOR-US: Homepage Decorator PerlMailer
 CVE-2014-3896 (Multiple cross-site request forgery (CSRF) vulnerabilities in CGI ...)
@@ -3547,7 +3668,7 @@
 CVE-2014-3802 (msdia.dll in Microsoft Debug Interface Access (DIA) SDK, as ...)
 	NOT-FOR-US: Microsoft Visual Studio
 CVE-2014-3799
-	RESERVED
+	REJECTED
 CVE-2014-3798
 	RESERVED
 CVE-2014-3797
@@ -4177,46 +4298,38 @@
 	TODO: needs to check the others rails versions
 CVE-2014-3513
 	RESERVED
-CVE-2014-3512 [SRP buffer overrun]
-	RESERVED
+CVE-2014-3512 (Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
 	[squeeze] - openssl <not-affected> (vulnerable code not present)
-CVE-2014-3511 [TLS protocol downgrade attack]
-	RESERVED
+CVE-2014-3511 (The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
 	[squeeze] - openssl <not-affected> (Doesn't support TLS higher than 1.0)
-CVE-2014-3510 [DTLS anonymous (EC)DH denial of service]
-	RESERVED
+CVE-2014-3510 (The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
-CVE-2014-3509 [Race condition in ssl_parse_serverhello_tlsext]
-	RESERVED
+CVE-2014-3509 (Race condition in the ssl_parse_serverhello_tlsext function in ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
 	[squeeze] - openssl <not-affected> (vulnerable code not present)
-CVE-2014-3508 [Information leak in pretty printing functions]
-	RESERVED
+CVE-2014-3508 (The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
-CVE-2014-3507 [DTLS memory leak from zero-length fragments]
-	RESERVED
+CVE-2014-3507 (Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
-CVE-2014-3506 [DTLS memory exhaustion]
-	RESERVED
+CVE-2014-3506 (d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
-CVE-2014-3505 [Double Free when processing DTLS packets]
-	RESERVED
+CVE-2014-3505 (Double free vulnerability in d1_both.c in the DTLS implementation in ...)
 	{DSA-2998-1}
 	- openssl 1.0.1i-1
 CVE-2014-3504 [failure to properly handle a NUL character in the CommonName or SubjectAltNames fields]
 	RESERVED
 	- serf 1.3.7-1 (bug #757965)
- 	[wheezy] - serf <no-dsa> (Minor issue)
- 	[squeeze] - serf <no-dsa> (Minor issue)
+	[wheezy] - serf <no-dsa> (Minor issue)
+	[squeeze] - serf <no-dsa> (Minor issue)
 CVE-2014-3503 (Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate ...)
 	NOT-FOR-US: Apache Syncope
 CVE-2014-3502
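Review bot: The "[wheezy]" and "[squeeze]" serf lines under CVE-2014-3504 change only in leading whitespace (the space before the tab is dropped), which is unrelated to the description updates in the rest of this hunk. The cleanup is fine, but it makes the automatic update harder to audit. A syntax check on data/CVE/list at commit time would stop a space-plus-tab indent from getting in at all.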
@@ -5292,6 +5405,7 @@
 CVE-2014-3125 (Xen 4.4.x, when running on an ARM system, does not properly context ...)
 	- xen <not-affected> (Only 32- and 64-bit ARM systems are affected from Xen 4.4 onwards)
 CVE-2014-3124 (The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local ...)
+	{DSA-3006-1}
 	- xen <unfixed> (bug #757724)
 	[squeeze] - xen <not-affected> (Xen versions from 4.1 onwards are vulnerable)
 CVE-2014-3123 (Cross-site scripting (XSS) vulnerability in admin/manage-images.php in ...)
@@ -5364,22 +5478,22 @@
 	RESERVED
 CVE-2014-3088 (stconf.nsf in IBM Sametime Meeting Server 8.5.1 relies on the client ...)
 	NOT-FOR-US: IBM Sametime
-CVE-2014-3087
-	RESERVED
+CVE-2014-3087 (callService.do in IBM Business Process Manager (BPM) 7.5 through 8.5.5 ...)
+	TODO: check
 CVE-2014-3086 (Unspecified vulnerability in the IBM Java Virtual Machine, as used in ...)
 	TODO: check
-CVE-2014-3085
-	RESERVED
+CVE-2014-3085 (systest.php on IBM GCM16 and GCM32 Global Console Manager switches ...)
+	TODO: check
 CVE-2014-3084
 	RESERVED
 CVE-2014-3083
 	RESERVED
 CVE-2014-3082
 	RESERVED
-CVE-2014-3081
-	RESERVED
-CVE-2014-3080
-	RESERVED
+CVE-2014-3081 (prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches ...)
+	TODO: check
+CVE-2014-3080 (Multiple cross-site scripting (XSS) vulnerabilities on IBM GCM16 and ...)
+	TODO: check
 CVE-2014-3079
 	RESERVED
 CVE-2014-3078
@@ -5412,8 +5526,8 @@
 	RESERVED
 CVE-2014-3064 (The GDS component in IBM InfoSphere Master Data Management - ...)
 	NOT-FOR-US: IBM
-CVE-2014-3063
-	RESERVED
+CVE-2014-3063 (IBM InfoSphere Master Data Management - Collaborative Edition 10.x ...)
+	TODO: check
 CVE-2014-3062
 	RESERVED
 CVE-2014-3061
@@ -5655,8 +5769,8 @@
 	NOT-FOR-US: Resin Pro
 CVE-2014-2965 (Cross-site scripting (XSS) vulnerability in auth-settings-x.php in ...)
 	NOT-FOR-US: SpamTitan
-CVE-2014-2964
-	RESERVED
+CVE-2014-2964 (Cobham Aviator 700D and 700E satellite terminals have hardcoded ...)
+	TODO: check
 CVE-2014-2963 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
 	NOT-FOR-US: Liferay Portal
 CVE-2014-2962 (Absolute path traversal vulnerability in the webproc cgi module on the ...)
@@ -5702,14 +5816,14 @@
 	RESERVED
 CVE-2014-2944
 	RESERVED
-CVE-2014-2943
-	RESERVED
+CVE-2014-2943 (Cobham Aviator 700D and 700E satellite terminals use an improper ...)
+	TODO: check
 CVE-2014-2942
 	RESERVED
-CVE-2014-2941
-	RESERVED
-CVE-2014-2940
-	RESERVED
+CVE-2014-2941 (** DISPUTED ** Cobham Sailor 6000 satellite terminals have hardcoded ...)
+	TODO: check
+CVE-2014-2940 (Cobham Sailor 900 and 6000 satellite terminals with firmware 1.08 MFHF ...)
+	TODO: check
 CVE-2014-2939 (Multiple cross-site scripting (XSS) vulnerabilities in Alfresco ...)
 	NOT-FOR-US: Alfresco
 CVE-2014-2938 (Hanvon FaceID before 1.007.110 does not require authentication, which ...)
@@ -6863,6 +6977,7 @@
 CVE-2009-5139
 	RESERVED
 CVE-2014-2599 (The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for ...)
+	{DSA-3006-1}
 	- xen <unfixed> (bug #757724)
 	[squeeze] - xen <not-affected> (Only affects 4.1 and later)
 CVE-2014-2585 (ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external ...)
@@ -7252,8 +7367,8 @@
 	RESERVED
 CVE-2014-2389 (Stack-based buffer overflow in a certain decryption function in ...)
 	NOT-FOR-US: BlackBerry Z 10
-CVE-2014-2388
-	RESERVED
+CVE-2014-2388 (The Storage and Access service in BlackBerry OS 10.x before ...)
+	TODO: check
 CVE-2014-2385 (Multiple cross-site scripting (XSS) vulnerabilities in the web UI in ...)
 	NOT-FOR-US: Sophos Antivirus
 CVE-2014-2384 (vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player ...)
@@ -8257,8 +8372,8 @@
 	NOT-FOR-US: Allied Telesis AT-RG634A ADSL Broadband router
 CVE-2014-1981
 	RESERVED
-CVE-2014-1980
-	RESERVED
+CVE-2014-1980 (Cross-site scripting (XSS) vulnerability in ...)
+	TODO: check
 CVE-2014-1979 (The NTT DOCOMO sp mode mail application 5900 through 6300 for Android ...)
 	NOT-FOR-US: NTT DOCOMO mail app
 CVE-2014-1978 (The application link interface in the NTT DOCOMO sp mode mail ...)
@@ -8412,6 +8527,7 @@
 	[squeeze] - phpbb3 <no-dsa> (Minor issue)
 	NOTE: http://seclists.org/bugtraq/2014/Feb/33
 CVE-2014-1950 (Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen ...)
+	{DSA-3006-1}
 	- xen 4.4.0-1
 	[squeeze] - xen <not-affected> (Xen 4.1 onwards affected)
 CVE-2014-1949 [cinnamon-screensaver lock bypass]
@@ -9626,8 +9742,7 @@
 	- icedove 31.0-1
 	[squeeze] - icedove <end-of-life>
 	NOTE: http://www.mozilla.org/security/announce/2014/mfsa2014-56.html
-CVE-2014-1546
-	RESERVED
+CVE-2014-1546 (The response function in the JSONP endpoint in ...)
 	- bugzilla4 <itp> (bug #669643)
 	- bugzilla <removed>
 	NOTE: bugzilla part for Adobe Flash's CVE-2014-4671.
@@ -10042,9 +10157,9 @@
 	- otrs2 3.3.4-1 (low)
 	NOTE: https://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
 CVE-2014-1470
-	RESERVED
-CVE-2014-1469
-	RESERVED
+	REJECTED
+CVE-2014-1469 (BlackBerry Enterprise Server 5.x before 5.0.4 MR7 and Enterprise ...)
+	TODO: check
 CVE-2014-1468
 	RESERVED
 CVE-2014-1467 (BlackBerry Enterprise Service 10 before 10.2.1, Universal Device ...)
@@ -10250,20 +10365,20 @@
 	RESERVED
 CVE-2014-1391
 	RESERVED
-CVE-2014-1390
-	RESERVED
-CVE-2014-1389
-	RESERVED
-CVE-2014-1388
-	RESERVED
-CVE-2014-1387
-	RESERVED
-CVE-2014-1386
-	RESERVED
-CVE-2014-1385
-	RESERVED
-CVE-2014-1384
-	RESERVED
+CVE-2014-1390 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, ...)
+	TODO: check
+CVE-2014-1389 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, ...)
+	TODO: check
+CVE-2014-1388 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, ...)
+	TODO: check
+CVE-2014-1387 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, ...)
+	TODO: check
+CVE-2014-1386 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, ...)
+	TODO: check
+CVE-2014-1385 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, ...)
+	TODO: check
+CVE-2014-1384 (WebKit, as used in Apple Safari before 6.1.6 and 7.x before 7.0.6, ...)
+	TODO: check
 CVE-2014-1383 (Apple TV before 6.1.2 allows remote authenticated users to bypass an ...)
 	NOT-FOR-US: Apple TV
 CVE-2014-1382 (WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 ...)
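Review bot: The seven new entries CVE-2014-1384 through CVE-2014-1390 name WebKit as the affected component and Safari only as the consumer, so the "TODO: check" on each cannot be closed as NOT-FOR-US from the description alone. The context entry CVE-2014-1382 just below has the same "WebKit, as used in Apple ..." shape, so its triage lines are the natural template for resolving all seven consistently.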
@@ -10786,14 +10901,14 @@
 	RESERVED
 CVE-2014-0970 (The GDS component in IBM InfoSphere Master Data Management - ...)
 	NOT-FOR-US: IBM InfoSphere
-CVE-2014-0969
-	RESERVED
+CVE-2014-0969 (Cross-site request forgery (CSRF) vulnerability in the GDS component ...)
+	TODO: check
 CVE-2014-0968 (Cross-site scripting (XSS) vulnerability in the GDS component in IBM ...)
 	NOT-FOR-US: IBM InfoSphere
 CVE-2014-0967 (Cross-site scripting (XSS) vulnerability in the GDS component in IBM ...)
 	NOT-FOR-US: IBM InfoSphere
-CVE-2014-0966
-	RESERVED
+CVE-2014-0966 (SQL injection vulnerability in the GDS component in IBM InfoSphere ...)
+	TODO: check
 CVE-2014-0965
 	RESERVED
 CVE-2014-0964 (IBM WebSphere Application Server (WAS) 6.1.0.0 through 6.1.0.47 and ...)
@@ -10914,8 +11029,8 @@
 	NOT-FOR-US: IBM DB2
 CVE-2014-0906 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...)
 	NOT-FOR-US: IBM Sametime
-CVE-2014-0905
-	RESERVED
+CVE-2014-0905 (IBM InfoSphere BigInsights 2.0 through 2.1.2 does not set the secure ...)
+	TODO: check
 CVE-2014-0904 (The update process in IBM Security AppScan Standard 7.9 through 8.8 ...)
 	NOT-FOR-US: IBM Security AppScan Standard
 CVE-2014-0903
@@ -10972,8 +11087,8 @@
 	NOT-FOR-US: IBM JDK
 CVE-2014-0877
 	RESERVED
-CVE-2014-0876
-	RESERVED
+CVE-2014-0876 (Buffer overflow in the Java GUI Configuration Wizard and Preferences ...)
+	TODO: check
 CVE-2014-0875 (Active Cloud Engine (ACE) in IBM Storwize V7000 Unified 1.3.0.0 ...)
 	NOT-FOR-US: IBM Storwize V7000 Unified
 CVE-2014-0874 (Cross-site scripting (XSS) vulnerability in IBM Content Navigator 2.x ...)
@@ -11020,8 +11135,8 @@
 	NOT-FOR-US: IBM Cognos Business Intelligence
 CVE-2014-0853 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) ...)
 	NOT-FOR-US: IBM Rational Requirements Composer
-CVE-2014-0852
-	RESERVED
+CVE-2014-0852 (IBM WebSphere DataPower SOA appliances through 4.0.2.15, 5.x through ...)
+	TODO: check
 CVE-2014-0851
 	RESERVED
 CVE-2014-0850 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data ...)
@@ -11627,8 +11742,8 @@
 	RESERVED
 CVE-2014-0610
 	RESERVED
-CVE-2014-0609
-	RESERVED
+CVE-2014-0609 (Unspecified vulnerability in Novell Open Enterprise Server (OES) 11 ...)
+	TODO: check
 CVE-2014-0608
 	RESERVED
 CVE-2014-0607 (Unrestricted file upload vulnerability in Attachmate Verastream ...)
@@ -12077,8 +12192,8 @@
 	NOT-FOR-US: Fortinet FortiOS
 CVE-2013-7181 (Cross-site scripting (XSS) vulnerability in user/ldap_user/add in ...)
 	NOT-FOR-US: FortiWeb
-CVE-2013-7180
-	RESERVED
+CVE-2013-7180 (Cobham SAILOR 900 VSAT; SAILOR FleetBroadBand 150, 250, and 500; ...)
+	TODO: check
 CVE-2013-7179 (The ping functionality in cgi-bin/diagnostic.cgi on Seowon Intech ...)
 	NOT-FOR-US: Seowon Intech SWC-9100 routers
 CVE-2013-7178
@@ -12519,8 +12634,8 @@
 	RESERVED
 CVE-2013-7145
 	RESERVED
-CVE-2013-7144
-	RESERVED
+CVE-2013-7144 (LINE 3.2.1.83 and earlier on Windows and 3.2.1 and earlier on OS X ...)
+	TODO: check
 CVE-2013-7143 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...)
 	- open-xchange <itp> (bug #269329)
 CVE-2013-7142 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...)
@@ -12932,12 +13047,12 @@
 	NOT-FOR-US: Dell KACE K1000 management appliance
 CVE-2014-0329 (The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded ...)
 	NOT-FOR-US: TELNET service on the ZTE ZXV10 W300 router
-CVE-2014-0328
-	RESERVED
-CVE-2014-0327
-	RESERVED
-CVE-2014-0326
-	RESERVED
+CVE-2014-0328 (The thraneLINK protocol implementation on Cobham devices does not ...)
+	TODO: check
+CVE-2014-0327 (The Terminal Upgrade Tool in the Pilot Below Deck Equipment (BDE) and ...)
+	TODO: check
+CVE-2014-0326 (The Pilot Below Deck Equipment (BDE) and OpenPort implementations on ...)
+	TODO: check
 CVE-2013-7041 (The pam_userdb module for Pam uses a case-insensitive method to ...)
 	- pam <unfixed> (low; bug #731368)
 	[squeeze] - pam <no-dsa> (Minor issue)
@@ -20211,6 +20326,7 @@
 CVE-2013-4554 (Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), ...)
 	- xen <not-affected> (Doesn't affect Linux)
 CVE-2013-4553 (The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x ...)
+	{DSA-3006-1}
 	- xen 4.4.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-4552 (lib/Auth/Source/External.php in the drupalauth module before 1.2.2 for ...)
@@ -20507,6 +20623,7 @@
 	{DSA-2796-1}
 	- torque 2.4.16+dfsg-1.3 (bug #729333)
 CVE-2013-4494 (Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock ...)
+	{DSA-3006-1}
 	- xen 4.4.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-4493
@@ -20936,6 +21053,7 @@
 	[wheezy] - xen <not-affected> (Vulnerable code only present from 4.2 onwards)
 	[squeeze] - xen <not-affected> (Vulnerable code only present from 4.2 onwards)
 CVE-2013-4368 (The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and ...)
+	{DSA-3006-1}
 	- xen 4.4.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-4367
@@ -20960,6 +21078,7 @@
 	- davfs2 1.4.7-3 (bug #723034)
 	NOTE: http://savannah.nongnu.org/bugs/?40034
 CVE-2013-4361 (The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use ...)
+	{DSA-3006-1}
 	- xen 4.4.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-4360
@@ -20981,6 +21100,7 @@
 	[wheezy] - xen <not-affected> (Only affects 4.3+)
 	[squeeze] - xen <not-affected> (Only affects 4.3+)
 CVE-2013-4355 (Xen 4.3.x and earlier does not properly handle certain errors, which ...)
+	{DSA-3006-1}
 	- xen 4.4.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-4354 (The API before 2.1 in OpenStack Image Registry and Delivery Service ...)
@@ -21087,6 +21207,7 @@
 CVE-2013-4330 (Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, ...)
 	NOT-FOR-US: Apache Camel
 CVE-2013-4329 (The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is ...)
+	{DSA-3006-1}
 	- xen 4.3.0-1
 	[squeeze] - xen <not-affected> (libxl not packaged in squeeze)
 	NOTE: http://lists.xen.org/archives/html/xen-announce/2013-09/msg00001.html
@@ -26519,6 +26640,7 @@
 	NOTE: Hardware design flaw, no software solution
 	NOTE: http://xenbits.xen.org/xsa/advisory-60.html
 CVE-2013-2211 (The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and ...)
+	{DSA-3006-1}
 	- xen 4.3.0-1
 	[squeeze] - xen <not-affected> (libxl not packaged in squeeze)
 CVE-2013-2210 (Heap-based buffer overflow in the XML Signature Reference ...)
@@ -26567,12 +26689,15 @@
 CVE-2013-2197 (The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before ...)
 	NOT-FOR-US: Login Security Drupal contributed module 
 CVE-2013-2196 (Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen ...)
+	{DSA-3006-1}
 	- xen 4.3.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-2195 (The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest ...)
+	{DSA-3006-1}
 	- xen 4.3.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-2194 (Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and ...)
+	{DSA-3006-1}
 	- xen 4.3.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-2193 (Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the ...)
@@ -26973,14 +27098,17 @@
 	- moodle <not-affected> (Only affects 2.3 and later)
 	NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443
 CVE-2013-2078 (Xen 4.0.2 through 4.0.4, 4.1.x, and 4.2.x allows local PV guest users ...)
+	{DSA-3006-1}
 	- xen 4.2.2-1
 	[squeeze] - xen <not-affected> (No PVSAVE support in squeeze)
 	NOTE: http://lists.xen.org/archives/html/xen-announce/2013-06/msg00000.html
 CVE-2013-2077 (Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of ...)
+	{DSA-3006-1}
 	- xen 4.2.2-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 	NOTE: http://lists.xen.org/archives/html/xen-announce/2013-06/msg00001.html
 CVE-2013-2076 (Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only ...)
+	{DSA-3006-1}
 	- xen 4.2.2-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 	NOTE: http://lists.xen.org/archives/html/xen-announce/2013-06/msg00002.html
@@ -27115,6 +27243,7 @@
 CVE-2013-2033 (Cross-site scripting (XSS) vulnerability in CloudBees Jenkins before ...)
 	- jenkins 1.509.2+dfsg-1 (bug #706725)
 CVE-2013-2032 (MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow ...)
+	{DSA-2891-1}
 	- mediawiki 1:1.19.6-1 (low; bug #706601)
 	[squeeze] - mediawiki <end-of-life>
 	NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=46590
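Review bot: "{DSA-2891-1}" on CVE-2013-2032 is the only advisory cross-reference added in this patch that is not DSA-3006-1, and it is a much lower advisory number than the others. Since the commit is an automatic update, confirm that the advisory's CVE list was amended on purpose and that 1:1.19.6-1 in the package line is consistent with what that advisory shipped.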
@@ -29206,6 +29335,7 @@
 	{DSA-2758-1}
 	- python-django 1.5.4-1 (bug #723043)
 CVE-2013-1442 (Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not ...)
+	{DSA-3006-1}
 	- xen 4.4.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 	NOTE: advisory say: In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is disabled by default
@@ -29267,6 +29397,7 @@
 CVE-2013-1433
 	RESERVED
 CVE-2013-1432 (Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not ...)
+	{DSA-3006-1}
 	- xen 4.3.0-1
 	[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 	NOTE: All Xen versions having the XSA-45/CVE-2013-1918 fixes applied are vulnerable
@@ -34966,12 +35097,12 @@
 	NOT-FOR-US: TP-LINK TL-WR841N router
 CVE-2012-5686
 	RESERVED
-CVE-2012-5685
-	RESERVED
-CVE-2012-5684
-	RESERVED
-CVE-2012-5683
-	RESERVED
+CVE-2012-5685 (SQL injection vulnerability in ZPanel 10.0.1 and earlier allows remote ...)
+	TODO: check
+CVE-2012-5684 (Cross-site scripting (XSS) vulnerability in ZPanel 10.0.1 and earlier ...)
+	TODO: check
+CVE-2012-5683 (Multiple cross-site request forgery (CSRF) vulnerabilities in ZPanel ...)
+	TODO: check
 CVE-2012-5682
 	RESERVED
 CVE-2012-5681
@@ -40252,8 +40383,8 @@
 	RESERVED
 CVE-2012-3821
 	RESERVED
-CVE-2012-3820
-	RESERVED
+CVE-2012-3820 (Multiple SQL injection vulnerabilities in Campaign11.exe in Arial ...)
+	TODO: check
 CVE-2012-3819 (Stack consumption vulnerability in dartwebserver.dll 1.9 and earlier, ...)
 	NOT-FOR-US: dartwebserver.dll
 CVE-2012-3818 (The fpm exporter in Revelation 0.4.13-2 and earlier encrypts the ...)
@@ -47444,10 +47575,10 @@
 	RESERVED
 CVE-2012-0940
 	RESERVED
-CVE-2012-0939
-	RESERVED
-CVE-2012-0938
-	RESERVED
+CVE-2012-0939 (Multiple SQL injection vulnerabilities in TestLink 1.8.5b and earlier ...)
+	TODO: check
+CVE-2012-0938 (Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and ...)
+	TODO: check
 CVE-2012-0937 (** DISPUTED ** wp-admin/setup-config.php in the installation component ...)
 	- wordpress <unfixed> (unimportant)
 CVE-2012-0936 (Cross-site scripting (XSS) vulnerability in ...)



