[Secure-testing-commits] r31964 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Wed Feb 4 18:55:43 UTC 2015


Author: jmm
Date: 2015-02-04 18:55:43 +0000 (Wed, 04 Feb 2015)
New Revision: 31964

Modified:
   data/CVE/list
Log:
rsync n/a
no-dsa: squid3, rabbitmq
remove old bogus TEMP PHP issues, safe_mode/basedir bypasses are not security issues, so no need to track them


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-02-04 18:52:08 UTC (rev 31963)
+++ data/CVE/list	2015-02-04 18:55:43 UTC (rev 31964)
@@ -59,7 +59,7 @@
 	[squeeze] - xymon <not-affected> (Vulnerable code not present)
 	[wheezy] - xymon <not-affected> (Vulnerable code not present)
 	NOTE: Upstream patch: http://sourceforge.net/p/xymon/code/7483/
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/30/17
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/30/17
 CVE-2015-1425
 	RESERVED
 CVE-2015-1424 (Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and ...)
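Review bot: Dropping the "CVE Request:" label leaves a bare URL on the NOTE line, while the neighbouring "NOTE: Upstream patch:" line keeps its qualifier, so a reader can no longer tell from the list alone that this oss-security link is the CVE request rather than an advisory or fix. The same relabelling is applied to every oss-security link in this revision; if the intent is to stop distinguishing request threads from other references, a short label such as "NOTE: oss-security:" would keep that information without the old wording.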
@@ -218,7 +218,7 @@
 	RESERVED
 	- glibc 2.19-4
 	- eglibc 2.17-2
-	NOTE: CVE Request: http://seclists.org/oss-sec/2015/q1/306
+	NOTE: http://seclists.org/oss-sec/2015/q1/306
 	NOTE: Upstream fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7
 	NOTE: 2.19-4 first version after the eglibc -> glibc rename which was in unstable
 CVE-2015-1421 [net: sctp: slab corruption from use after free on INIT collisions]
@@ -251,6 +251,8 @@
 CVE-2014-XXXX [Digest authentification never replay Ldap requests]
 	- squid <undetermined>
 	- squid3 3.4.8-6 (bug #776464)
+	[wheezy] - squid3 <no-dsa> (Minor issue)
+	[squeeze] - squid3 <no-dsa> (Minor issue)
 	NOTE: http://bugs.squid-cache.org/show_bug.cgi?id=4066
 	NOTE: Upstream patch for Squid 3.4: http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211
 CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js ...)
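Review bot: The new [wheezy]/[squeeze] no-dsa lines cover only squid3, but the entry also carries "- squid <undetermined>", so the status of the squid (2.x) package in the stable suites stays open after this change; either resolve that line too or leave a TODO so the undetermined state is not mistaken for "handled". The entry is still a CVE-2014-XXXX placeholder, so it will also need revisiting once an identifier is assigned.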
@@ -373,7 +375,7 @@
 	- socat <unfixed> (bug #776234)
 	[wheezy] - socat <no-dsa> (Minor issue)
 	[squeeze] - socat <no-dsa> (Minor issue)
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/24/6
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/6
 	NOTE: Upstream advisory: http://www.dest-unreach.org/socat/contrib/socat-secadv6.txt
 CVE-2015-1378 [Issues with sourcing cmdlineopts.clp from current working directory]
 	RESERVED
@@ -389,7 +391,7 @@
 	[wheezy] - patch <not-affected> (Support for git-style patches added in 2.7)
 	[squeeze] - patch <not-affected> (Support for git-style patches added in 2.7)
 	NOTE: Upstream report: https://savannah.gnu.org/bugs/?44059
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/24/2
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/2
 CVE-2015-1370 (Incomplete blacklist vulnerability in marked 0.3.2 and earlier for ...)
 	- node-marked <unfixed> (unimportant)
 	NOTE: https://nodesecurity.io/advisories/marked_vbscript_injection
@@ -400,7 +402,7 @@
 	- glibc 2.19-1 (bug #722075)
 	- eglibc <removed>
 	NOTE: Upstream report: https://sourceware.org/bugzilla/show_bug.cgi?id=15946
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/28/16
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/28/16
 CVE-2013-7421 [Linux kernel crypto api unprivileged arbitrary module load]
 	RESERVED
 	- linux 3.16.7-ckt4-2
@@ -428,7 +430,7 @@
 	[wheezy] - perl <no-dsa> (Minor issue)
 	[squeeze] - perl <no-dsa> (Minor issue)
 	NOTE: https://rt.perl.org/Public/Bug/Display.html?id=119505
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/23/9
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/23/9
 CVE-2015-1304
 	RESERVED
 CVE-2015-1303
@@ -706,19 +708,21 @@
 	NOTE: Upstream fix: https://trac.xiph.org/changeset/19117
 CVE-2014-9649 (Cross-site scripting (XSS) vulnerability in the management plugin in ...)
 	- rabbitmq-server 3.4.1-1
+	[wheezy] - rabbitmq-server <no-dsa> (Minor issue)
 	NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/13
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/21/13
 CVE-2014-9650 (CRLF injection vulnerability in the management plugin in RabbitMQ ...)
 	- rabbitmq-server 3.4.1-1
+	[wheezy] - rabbitmq-server <no-dsa> (Minor issue)
 	NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
 	NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/13
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/21/13
 CVE-2015-1396 [(another) directory traversal via symlinks -- incomplete fix for CVE-2015-1196]
 	RESERVED
 	- patch 2.7.3-1 (bug #775901)
 	[wheezy] - patch <not-affected> (Not affected by CVE-2015-1196 and no incomplete fix applied)
 	[squeeze] - patch <not-affected>  (Not affected by CVE-2015-1196 and no incomplete fix applied)
-	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/24/3
+	NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/3
 CVE-2015-1353 [PHP int overflow]
 	RESERVED
 	- php5 <unfixed> (unimportant)
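Review bot: Both rabbitmq-server entries gain only a [wheezy] no-dsa line, whereas the squid3 hunk in this same revision adds matching [wheezy] and [squeeze] lines, so the squeeze status of rabbitmq-server for CVE-2014-9649 and CVE-2014-9650 is left unstated; add a [squeeze] line (no-dsa or not-affected, as appropriate) or confirm the package is absent there. The CVE-2015-1396 hunk below changes only the NOTE label and is consistent with the rest of the patch.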
@@ -2704,9 +2708,10 @@
 	RESERVED
 CVE-2014-9512 [path spoofing attack vulnerability]
 	RESERVED
-	- rsync <unfixed>
+	- rsync <unfixed> (low)
+	[wheezy] - rsync <not-affected> (Affected sanitising functionality not yet present)
+	[squeeze] - rsync <not-affected> (Affected sanitising functionality not yet present)
 	NOTE: http://xteam.baidu.com/?p=169
-	TODO: check
 CVE-2014-9511
 	RESERVED
 CVE-2014-9510 (Cross-site request forgery (CSRF) vulnerability in the administration ...)
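Review bot: Closing the "TODO: check" while marking wheezy and squeeze not-affected with "Affected sanitising functionality not yet present" rests on a single third-party write-up (http://xteam.baidu.com/?p=169) and no upstream reference; since the not-affected claim depends on which rsync version introduced the sanitising code, record the upstream bug or commit that identifies it so the reasoning can be re-verified later. The added "(low)" severity on the unstable line is consistent with the log entry "rsync n/a".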
@@ -103709,10 +103714,6 @@
 CVE-2009-XXXX [ntop: access.log permissions]
 	- ntop <not-affected> (fedora-specific configuration issue; debian package not affected)
 	NOTE: bug #524801 (http://bugs.debian.org/524801)
-CVE-2008-XXXX [PHP 5.2.9 curl safe_mode & open_basedir bypass]
-	- php5 <unfixed> (unimportant)
-	NOTE: php4 is likely to be affected as well
-	NOTE: http://securityreason.com/achievement_securityalert/61
 CVE-2009-1402
 	RESERVED
 CVE-2009-1401
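Review bot: The log entry says "remove old bogus TEMP PHP issues" (plural), but this hunk removes a single CVE-2008-XXXX entry; confirm that no other safe_mode/open_basedir TEMP entries remain elsewhere in the list, or adjust the log wording. Deleting the entry also drops the securityreason.com reference and the "php4 is likely to be affected as well" note; the rationale that safe_mode and open_basedir bypasses are not tracked as security issues lives only in this commit message, so it would be worth stating it in the list's tracking conventions so the entry is not re-added from the same source.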