[Secure-testing-commits] r31173 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Wed Jan 7 09:27:30 UTC 2015
Author: sectracker
Date: 2015-01-07 09:24:13 +0000 (Wed, 07 Jan 2015)
New Revision: 31173
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-01-07 08:19:36 UTC (rev 31172)
+++ data/CVE/list 2015-01-07 09:24:13 UTC (rev 31173)
@@ -1,6 +1,241 @@
-CVE-2014-9507 [Users can change the content model of other users' user pages to CSS or JS]
+CVE-2015-0558
+ RESERVED
+CVE-2015-0555
+ RESERVED
+CVE-2015-0554
+ RESERVED
+CVE-2015-0553
+ RESERVED
+CVE-2014-9526 (Multiple cross-site scripting (XSS) vulnerabilities in concrete5 ...)
+ TODO: check
+CVE-2014-9525 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9524 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9523 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Our ...)
+ TODO: check
+CVE-2014-9522 (Multiple cross-site scripting (XSS) vulnerabilities in CMS Papoo Light ...)
+ TODO: check
+CVE-2014-9521 (Unrestricted file upload vulnerability in uploadScript.php in ...)
+ TODO: check
+CVE-2014-9520 (SQL injection vulnerability in execute.php in InfiniteWP Admin Panel ...)
+ TODO: check
+CVE-2014-9519 (SQL injection vulnerability in login.php in InfiniteWP Admin Panel ...)
+ TODO: check
+CVE-2014-9518 (Cross-site scripting (XSS) vulnerability in login.cgi in D-Link router ...)
+ TODO: check
+CVE-2014-9517 (Cross-site scripting (XSS) vulnerability in D-link IP camera DCS-2103 ...)
+ TODO: check
+CVE-2014-9516 (Cross-site scripting (XSS) vulnerability in Social Microblogging PRO ...)
+ TODO: check
+CVE-2014-9515
+ RESERVED
+CVE-2014-9514
+ RESERVED
+CVE-2014-9512
+ RESERVED
+CVE-2014-9511
+ RESERVED
+CVE-2014-9510
+ RESERVED
+CVE-2014-9509 (The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x ...)
+ TODO: check
+CVE-2014-9508 (The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x ...)
+ TODO: check
+CVE-2014-9505
+ RESERVED
+CVE-2014-9504
+ RESERVED
+CVE-2014-9503
+ RESERVED
+CVE-2014-9502
+ RESERVED
+CVE-2014-9501
+ RESERVED
+CVE-2014-9500
+ RESERVED
+CVE-2014-9499
+ RESERVED
+CVE-2014-9498
+ RESERVED
+CVE-2014-9492
+ REJECTED
+ TODO: check
+CVE-2014-9491
+ RESERVED
+CVE-2014-9490
+ RESERVED
+CVE-2014-9488
+ RESERVED
+CVE-2014-9484
+ RESERVED
+CVE-2014-9473
+ RESERVED
+CVE-2014-9472
+ RESERVED
+CVE-2014-9470
+ RESERVED
+CVE-2014-9469
+ RESERVED
+CVE-2014-9468
+ RESERVED
+CVE-2014-9467
+ RESERVED
+CVE-2014-9466
+ RESERVED
+CVE-2014-9464 (SQL injection vulnerability in Category.php in Microweber CMS 0.95 ...)
+ TODO: check
+CVE-2014-9463
+ RESERVED
+CVE-2014-9462
+ RESERVED
+CVE-2014-9461 (Directory traversal vulnerability in models/Cart66.php in the Cart66 ...)
+ TODO: check
+CVE-2014-9460 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9459 (Cross-site request forgery (CSRF) vulnerability in the AdminObserver ...)
+ TODO: check
+CVE-2014-9458 (Heap-based buffer overflow in the GDB debugger module in Hex-Rays IDA ...)
+ TODO: check
+CVE-2014-9457 (SQL injection vulnerability in classes/mono_display.class.php in PMB ...)
+ TODO: check
+CVE-2014-9456 (Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have ...)
+ TODO: check
+CVE-2014-9455 (SQL injection vulnerability in showads.php in CTS Projects & Software ...)
+ TODO: check
+CVE-2014-9454 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9453 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
+ TODO: check
+CVE-2014-9452 (Directory traversal vulnerability in VDG Security SENSE (formerly ...)
+ TODO: check
+CVE-2014-9451 (Multiple stack-based buffer overflows in the DIVA web service API ...)
+ TODO: check
+CVE-2014-9448 (Buffer overflow in Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 ...)
+ TODO: check
+CVE-2014-9445 (SQL injection vulnerability in incl/create.inc.php in Installatron GQ ...)
+ TODO: check
+CVE-2014-9444 (Cross-site scripting (XSS) vulnerability in the Frontend Uploader ...)
+ TODO: check
+CVE-2014-9443 (Cross-site scripting (XSS) vulnerability in the Relevanssi plugin ...)
+ TODO: check
+CVE-2014-9442 (SQL injection vulnerability in models/Cart66Ajax.php in the Cart66 ...)
+ TODO: check
+CVE-2014-9441 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9440 (SQL injection vulnerability in browse.php in phpMyRecipes 1.2.2 allows ...)
+ TODO: check
+CVE-2014-9439 (Cross-site scripting (XSS) vulnerability in Easy File Sharing Web ...)
+ TODO: check
+CVE-2014-9438 (Cross-site request forgery (CSRF) vulnerability in the Moderator ...)
+ TODO: check
+CVE-2014-9437 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9436 (Absolute path traversal vulnerability in SysAid On-Premise before ...)
+ TODO: check
+CVE-2014-9435 (Multiple SQL injection vulnerabilities in Absolut Engine 1.73 allow ...)
+ TODO: check
+CVE-2014-9434 (Cross-site scripting (XSS) vulnerability in admin/managerrelated.php ...)
+ TODO: check
+CVE-2014-9431 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...)
+ TODO: check
+CVE-2014-9430 (Cross-site scripting (XSS) vulnerability in ...)
+ TODO: check
+CVE-2014-9429 (Multiple cross-site scripting (XSS) vulnerabilities in Smoothwall ...)
+ TODO: check
+CVE-2013-7418 (cgi-bin/iptablesgui.cgi in IPCop (aka IPCop Firewall) before 2.1.5 ...)
+ TODO: check
+CVE-2013-7417 (Cross-site scripting (XSS) vulnerability in cgi-bin/ipinfo.cgi in ...)
+ TODO: check
+CVE-2011-5318 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...)
+ TODO: check
+CVE-2011-5317 (Cross-site scripting (XSS) vulnerability in editText.php in WonderCMS ...)
+ TODO: check
+CVE-2011-5316 (Cross-site request forgery (CSRF) vulnerability in admin/index.php in ...)
+ TODO: check
+CVE-2011-5315 (Cross-site request forgery (CSRF) vulnerability in admin/index.php in ...)
+ TODO: check
+CVE-2011-5314 (templates/default/index.php in Redaxscript 0.3.2 allows remote ...)
+ TODO: check
+CVE-2011-5313 (Multiple SQL injection vulnerabilities in includes/password.php in ...)
+ TODO: check
+CVE-2011-5312 (Multiple cross-site scripting (XSS) vulnerabilities in Gollos 2.8 ...)
+ TODO: check
+CVE-2011-5311 (Cross-site request forgery (CSRF) vulnerability in pages.php in ...)
+ TODO: check
+CVE-2011-5310 (Directory traversal vulnerability in pages.php in Wikipad 1.6.0 allows ...)
+ TODO: check
+CVE-2011-5309 (Cross-site scripting (XSS) vulnerability in pages.php in Wikipad 1.6.0 ...)
+ TODO: check
+CVE-2011-5308 (Multiple SQL injection vulnerabilities in cdnvote-post.php in the ...)
+ TODO: check
+CVE-2011-5307 (Cross-site scripting (XSS) vulnerability in index.php in the ...)
+ TODO: check
+CVE-2011-5306 (Cross-site request forgery (CSRF) vulnerability in ...)
+ TODO: check
+CVE-2011-5305 (Multiple cross-site scripting (XSS) vulnerabilities in CosmoShop ePRO ...)
+ TODO: check
+CVE-2011-5304 (Multiple cross-site scripting (XSS) vulnerabilities in the Sodahead ...)
+ TODO: check
+CVE-2011-5303 (Cross-site scripting (XSS) vulnerability in Spitfire CMS 1.0.436 ...)
+ TODO: check
+CVE-2011-5302 (Cross-site request forgery (CSRF) vulnerability in adm/admin_edit.php ...)
+ TODO: check
+CVE-2011-5301 (Multiple cross-site scripting (XSS) vulnerabilities in PHPDug 2.0.0 ...)
+ TODO: check
+CVE-2011-5300 (Cross-site request forgery (CSRF) vulnerability in ...)
+ TODO: check
+CVE-2011-5299 (Multiple cross-site scripting (XSS) vulnerabilities in poMMo Aardvark ...)
+ TODO: check
+CVE-2011-5298 (Multiple cross-site request forgery (CSRF) vulnerabilities in Argyle ...)
+ TODO: check
+CVE-2011-5297 (Multiple cross-site scripting (XSS) vulnerabilities in TTChat 1.0.4 ...)
+ TODO: check
+CVE-2011-5296 (Cross-site scripting (XSS) vulnerability in profilo.php in Happy Chat ...)
+ TODO: check
+CVE-2011-5295 (Buffer overflow in the Download method in a certain ActiveX control in ...)
+ TODO: check
+CVE-2011-5294 (The SaveMessage method in the LEADeMail.LEADSmtp.20 ActiveX control in ...)
+ TODO: check
+CVE-2011-5293 (The cmdSave method in the ThreeDify.ThreeDifyDesigner.1 ActiveX ...)
+ TODO: check
+CVE-2011-5292 (The EaseWeFtp.FtpLibrary ActiveX control in EaseWeFtp.ocx in Easewe ...)
+ TODO: check
+CVE-2011-5291 (The SaveData method in the Cygnicon.ViewControl.1 ActiveX control in ...)
+ TODO: check
+CVE-2011-5290 (The SaveToFile method in the UniBasicPack.UniTextBox ActiveX control ...)
+ TODO: check
+CVE-2011-5289 (The SaveDecrypted method in the ChilkatCrypt2.ChilkatOmaDrm.1 ActiveX ...)
+ TODO: check
+CVE-2011-5288 (Multiple buffer overflows in the ThreeDify.ThreeDifyDesigner.1 ActiveX ...)
+ TODO: check
+CVE-2011-5287 (Multiple cross-site scripting (XSS) vulnerabilities in HESK before ...)
+ TODO: check
+CVE-2011-5286 (SQL injection vulnerability in social-slider-2/ajax.php in the Social ...)
+ TODO: check
+CVE-2011-5285 (Multiple cross-site scripting (XSS) vulnerabilities in BugFree 2.1.3 ...)
+ TODO: check
+CVE-2011-5284 (Cross-site request forgery (CSRF) vulnerability in the web management ...)
+ TODO: check
+CVE-2011-5283 (Cross-site scripting (XSS) vulnerability in the web management ...)
+ TODO: check
+CVE-2010-5320 (Multiple cross-site request forgery (CSRF) vulnerabilities in MemHT ...)
+ TODO: check
+CVE-2010-5319 (Multiple cross-site request forgery (CSRF) vulnerabilities in Kandidat ...)
+ TODO: check
+CVE-2010-5318 (The password-reset feature in as/index.php in SweetRice CMS before ...)
+ TODO: check
+CVE-2010-5317 (Multiple SQL injection vulnerabilities in index.php in SweetRice CMS ...)
+ TODO: check
+CVE-2010-5316 (Cross-site scripting (XSS) vulnerability in as/index.php in SweetRice ...)
+ TODO: check
+CVE-2010-5315 (Multiple cross-site request forgery (CSRF) vulnerabilities in BEdita ...)
+ TODO: check
+CVE-2010-5314 (Cross-site scripting (XSS) vulnerability in ...)
+ TODO: check
+CVE-2014-9507 (MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and ...)
- mediawiki <not-affected> (There is no content handler in REL1_19)
-CVE-2014-9506
+CVE-2014-9506 (MantisBT before 1.2.18 does not properly check permissions when ...)
{DSA-3120-1}
- mantis <removed>
[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
@@ -28,33 +263,41 @@
[wheezy] - libquvi <no-dsa> (Minor issue)
[squeeze] - libquvi <no-dsa> (Minor issue)
CVE-2014-9489
+ RESERVED
NOT-FOR-US: Gollum wiki
CVE-2014-9487
+ RESERVED
NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions
CVE-2014-9481
+ RESERVED
NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions
CVE-2014-9480
+ RESERVED
NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions
CVE-2014-9479
+ RESERVED
NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions
CVE-2014-9478
+ RESERVED
NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions
CVE-2014-9477
+ RESERVED
NOT-FOR-US: Mediawiki extension not packaged in src:mediawiki-extensions
-CVE-2014-9450 [SQL injection in chart_bar.php]
+CVE-2014-9450 (Multiple SQL injection vulnerabilities in chart_bar.php in the ...)
- zabbix <unfixed> (bug #774750)
[squeeze] - zabbix <end-of-life> (Unsupported in squeeze-lts)
NOTE: https://support.zabbix.com/browse/ZBX-8582
NOTE: https://github.com/svn2github/zabbix/commit/984bd3bec2d6ca5a80104a5574d19b7f4d04f24b
-CVE-2014-9449 [buffer overflow in RiffVideo::infoTagsHandler]
+CVE-2014-9449 (Buffer overflow in the RiffVideo::infoTagsHandler function in ...)
- exiv2 <unfixed>
NOTE: http://dev.exiv2.org/issues/960
NOTE: http://dev.exiv2.org/projects/exiv2/repository/diff?rev=3264&rev_to=3263
-CVE-2014-9447 [directory traversal in read_long_names()]
+CVE-2014-9447 (Directory traversal vulnerability in the read_long_names function in ...)
- elfutils <unfixed>
NOTE: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
TODO: check, duplicate of CVE-2014-9486?
CVE-2015-0552 [directory traversal]
+ RESERVED
- gcab 0.4-2 (bug #774580)
CVE-2015-XXXX [use after free in seg_write_packet()]
- ffmpeg <unfixed>
@@ -69,8 +312,10 @@
[wheezy] - arc <no-dsa> (Minor issue)
[squeeze] - arc <no-dsa> (Minor issue)
CVE-2015-0557 [directory traversal via //multiple/leading/slash]
+ RESERVED
- arj <unfixed> (bug #774435)
CVE-2015-0556 [symlink directory traversal]
+ RESERVED
- arj <unfixed> (bug #774434)
CVE-2014-9529 [security/keys/gc.c race condition]
- linux <unfixed>
@@ -78,20 +323,23 @@
NOTE: http://marc.info/?l=linux-kernel&m=141986398232547&w=2
NOTE: http://marc.info/?l=linux-kernel&m=142047362307894&w=2
CVE-2014-9513 [insecure use of temporary files]
+ RESERVED
- xbindkeys-config <unfixed> (bug #772473)
[wheezy] - xbindkeys-config <no-dsa> (Minor issue)
[squeeze] - xbindkeys-config <no-dsa> (Minor issue)
CVE-2014-9495 [Heap Overflow]
+ RESERVED
- libpng <not-affected> (Affects 1.5.x and 1.6.x series)
NOTE: http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt
NOTE: http://sourceforge.net/p/png-mng/mailman/message/33173461/
CVE-2014-9465
+ RESERVED
- zarafa <itp> (bug #658433)
-CVE-2014-9446 [XSS]
+CVE-2014-9446 (Multiple cross-site scripting (XSS) vulnerabilities in the Staff ...)
- koha <itp> (bug #702134)
-CVE-2014-9433
+CVE-2014-9433 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
NOT-FOR-US: Contenido CMS
-CVE-2014-9432
+CVE-2014-9432 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
NOT-FOR-US: Serendipity
CVE-2014-XXXX [denial of service with specific packets]
- libhtp <unfixed>
@@ -100,6 +348,7 @@
NOTE: https://redmine.openinfosecfoundation.org/issues/1272
NOTE: https://github.com/inliniac/libhtp/commit/4acebf251bb6c8343dd5f37f1b48cb38fec4fed4
CVE-2014-9485 [miniunzip directory traversal]
+ RESERVED
- minizip <unfixed> (low; bug #774321)
CVE-2014-9426 (The apprentice_load function in libmagic/apprentice.c in the Fileinfo ...)
- file <not-affected> (PHP specific modification in libmagic/apprentice.c)
@@ -126,11 +375,12 @@
CVE-2014-9413 (Multiple cross-site request forgery (CSRF) vulnerabilities in the IP ...)
NOT-FOR-US: IP Ban (simple-ip-ban) plugin for WordPress
CVE-2014-9482 [dwarfdump use after free]
+ RESERVED
- dwarfutils <unfixed> (bug #774530)
[wheezy] - dwarfutils <no-dsa> (Minor issue)
[squeeze] - dwarfutils <no-dsa> (Minor issue)
NOTE: CVE request http://www.openwall.com/lists/oss-security/2014/12/31/3
-CVE-2014-9427 [out of bounds read crashes php-cgi]
+CVE-2014-9427 (sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x ...)
{DSA-3117-1}
- php5 <unfixed>
NOTE: https://bugs.php.net/bug.php?id=68618
@@ -139,6 +389,7 @@
- dbmail <not-affected> (Only affects versions supporting cram-md5, so 3.0.0 and later)
NOTE: http://blog.gmane.org/gmane.mail.imap.dbmail/day=20141219
CVE-2014-9483 [a left-click in Emacs sometimes modifies the PRIMARY selection]
+ RESERVED
- emacs24 <unfixed> (unimportant; bug #774090)
- emacs23 <not-affected> (Only affects Emacs 24)
NOTE: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18939
@@ -149,10 +400,11 @@
[wheezy] - cabextract <no-dsa> (Minor issue)
[squeeze] - cabextract <no-dsa> (Minor issue)
CVE-2012-6685 [ruby-nokogiri XXE]
+ RESERVED
- ruby-nokogiri 1.5.4-1 (low)
- libnokogiri-ruby <removed>
NOTE: https://github.com/sparklemotion/nokogiri/issues/693
-CVE-2014-9428 [Remote crash of kernel via batman-adv module]
+CVE-2014-9428 (The batadv_frag_merge_packets function in ...)
- linux <unfixed> (bug #774155)
[wheezy] - linux <not-affected> (Introduced in 3.13)
- linux-2.6 <not-affected> (Introduced in 3.13)
@@ -160,6 +412,7 @@
NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=610bfc6bc99bc83680d190ebc69359a05fc7f605 (v3.13-rc1)
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5b6698b0e4a37053de35cc24ee695b98a7eb712b
CVE-2014-9496 [libsndfile: two buffer read overflows]
+ RESERVED
- libsndfile <unfixed> (low; bug #774162)
[squeeze] - libsndfile <no-dsa> (Minor issue)
[wheezy] - libsndfile <no-dsa> (Minor issue)
@@ -169,11 +422,13 @@
[squeeze] - perl <no-dsa> (Minor issue)
[wheezy] - perl <no-dsa> (Minor issue)
CVE-2014-9486 [dir traversal]
+ RESERVED
- elfutils <unfixed>
[wheezy] - elfutils <no-dsa> (Minor issue)
[squeeze] - elfutils <no-dsa> (Minor issue)
NOTE: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=147018e729e7c22eeabf15b82d26e4bf68a0d18e
CVE-2014-9497 [Buffer overflow]
+ RESERVED
- mpg123 1.18.0-1
[wheezy] - mpg123 <no-dsa> (Minor issue)
[squeeze] - mpg123 <not-affected> (Introduced in 1.14.1)
@@ -589,30 +844,30 @@
RESERVED
CVE-2014-9404
RESERVED
-CVE-2014-9401
- RESERVED
-CVE-2014-9400
- RESERVED
-CVE-2014-9399
- RESERVED
-CVE-2014-9398
- RESERVED
-CVE-2014-9397
- RESERVED
-CVE-2014-9396
- RESERVED
-CVE-2014-9395
- RESERVED
-CVE-2014-9394
- RESERVED
-CVE-2014-9393
- RESERVED
-CVE-2014-9392
- RESERVED
-CVE-2014-9391
- RESERVED
-CVE-2014-9389
- RESERVED
+CVE-2014-9401 (Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts ...)
+ TODO: check
+CVE-2014-9400 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Wp ...)
+ TODO: check
+CVE-2014-9399 (Cross-site request forgery (CSRF) vulnerability in the TweetScribe ...)
+ TODO: check
+CVE-2014-9398 (Cross-site request forgery (CSRF) vulnerability in the Twitter ...)
+ TODO: check
+CVE-2014-9397 (Cross-site request forgery (CSRF) vulnerability in the twimp-wp plugin ...)
+ TODO: check
+CVE-2014-9396 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9395 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9394 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9393 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Post ...)
+ TODO: check
+CVE-2014-9392 (Cross-site request forgery (CSRF) vulnerability in the PictoBrowser ...)
+ TODO: check
+CVE-2014-9391 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...)
+ TODO: check
+CVE-2014-9389 (Directory traversal vulnerability in Sonatype Nexus OSS and Pro before ...)
+ TODO: check
CVE-2014-9388 (bug_report.php in MantisBT before 1.2.18 allows remote attackers to ...)
{DSA-3120-1}
- mantis <removed>
@@ -644,11 +899,12 @@
RESERVED
CVE-2014-9368 (Cross-site request forgery (CSRF) vulnerability in the twitterDash ...)
NOT-FOR-US: WordPress plugin twitterDash
-CVE-2014-9367
- RESERVED
+CVE-2014-9367 (Incomplete blacklist vulnerability in the urlEncode function in ...)
+ TODO: check
CVE-2014-9366
RESERVED
CVE-2014-9493 [Glance v2 API unrestricted path traversal]
+ RESERVED
- glance 2014.1.3-6 (bug #773836)
[wheezy] - glance <not-affected> (Vulnerable code not present)
NOTE: up to 2014.1.3 and 2014.2 version up to 2014.2.1
@@ -658,11 +914,13 @@
[squeeze] - json-glib <not-affected> (Tool not yet present)
[wheezy] - json-glib <not-affected> (Tool not yet present)
CVE-2014-9475 [XSS]
+ RESERVED
{DSA-3110-1}
- mediawiki 1:1.19.20+dfsg-2.2 (bug #773654)
[squeeze] - mediawiki <end-of-life>
NOTE: https://phabricator.wikimedia.org/T76686 (still not public)
CVE-2014-9476 [Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains]
+ RESERVED
- mediawiki <not-affected> (CORS support was added in 1.20)
NOTE: https://phabricator.wikimedia.org/T77028
CVE-2014-9419 (The __switch_to function in arch/x86/kernel/process_64.c in the Linux ...)
@@ -684,19 +942,19 @@
- mercurial 3.1.2-2 (bug #773640)
[wheezy] - mercurial <no-dsa> (Minor issue)
[squeeze] - mercurial <no-dsa> (Minor issue)
-CVE-2014-9376 (Integer underflow in Ettercap 8.1 allows remote attackers to cause a ...)
+CVE-2014-9376 (Integer underflow in Ettercap 0.8.1 allows remote attackers to cause a ...)
- ettercap 1:0.8.1-3 (bug #773416)
[squeeze] - ettercap <not-affected> (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20)
CVE-2014-9377 (Heap-based buffer overflow in the nbns_spoof function in ...)
- ettercap 1:0.8.1-3 (bug #773416)
[squeeze] - ettercap <not-affected> (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20)
-CVE-2014-9378 (Ettercap 8.1 does not validate certain return values, which allows ...)
+CVE-2014-9378 (Ettercap 0.8.1 does not validate certain return values, which allows ...)
- ettercap 1:0.8.1-3 (bug #773416)
[squeeze] - ettercap <not-affected> (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20)
CVE-2014-9379 (The radius_get_attribute function in dissectors/ec_radius.c in ...)
- ettercap 1:0.8.1-3 (bug #773416)
[squeeze] - ettercap <not-affected> (Vulnerable code not present according to upstream author in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20)
-CVE-2014-9380 (The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 ...)
+CVE-2014-9380 (The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 0.8.1 ...)
{DLA-126-1}
- ettercap 1:0.8.1-3 (bug #773416)
NOTE: Patch for squeeze in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773416#20
@@ -728,6 +986,7 @@
NOTE: Fix: https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c
NOTE: Introduced by: https://github.com/file/file/commit/c8451af8ab0c2e2a93ce93b9c68257d31576cc85 (5.16)
CVE-2014-9494 [insufficient 'X-Forwarded-For' header validation]
+ RESERVED
- rabbitmq-server 3.4.1-1 (bug #773134)
[jessie] - rabbitmq-server 3.3.5-1.1
[wheezy] - rabbitmq-server <not-affected> (does not have this access control mechanism)
@@ -833,8 +1092,8 @@
RESERVED
CVE-2014-9326
RESERVED
-CVE-2014-9325
- RESERVED
+CVE-2014-9325 (Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 ...)
+ TODO: check
CVE-2014-9324 (The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x ...)
- otrs2 3.3.9-3
[squeeze] - otrs2 <not-affected> (Problematic module got introduced later)
@@ -994,8 +1253,8 @@
RESERVED
CVE-2014-9255
RESERVED
-CVE-2014-9254
- RESERVED
+CVE-2014-9254 (bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect ...)
+ TODO: check
CVE-2014-9253 (The default file type whitelist configuration in conf/mime.conf in the ...)
- dokuwiki <unfixed> (bug #773429)
[wheezy] - dokuwiki <no-dsa> (Minor issue)
@@ -1167,6 +1426,7 @@
CVE-2014-9173 (SQL injection vulnerability in view.php in the Google Doc Embedder ...)
NOT-FOR-US: Google Doc Embedder plugin for WordPress
CVE-2014-9474 [buffer overflow in mpfr_strtofr]
+ RESERVED
- mpfr4 3.1.2-2 (low; bug #772008)
[squeeze] - mpfr4 <no-dsa> (Minor issue)
[wheezy] - mpfr4 <no-dsa> (Minor issue)
@@ -1306,8 +1566,7 @@
- openssh <not-affected> (patch not applied to Debian)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1169843
NOTE: Patch https://bugzilla.mindrot.org/show_bug.cgi?id=1867 from not applied in Debian
-CVE-2014-9277 [<cross-domain-policy> mangling allows injection in API format=php]
- RESERVED
+CVE-2014-9277 (The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki ...)
{DSA-3100-1}
- mediawiki 1:1.19.20+dfsg-2.1 (bug #772764)
[squeeze] - mediawiki <end-of-life>
@@ -1315,8 +1574,7 @@
NOTE: backported patches for 1.19:
NOTE: https://gerrit.wikimedia.org/r/#/c/175725/
NOTE: https://gerrit.wikimedia.org/r/#/c/175960/
-CVE-2014-9276 [XSS in Special:ExpandTemplates]
- RESERVED
+CVE-2014-9276 (Cross-site request forgery (CSRF) vulnerability in the ...)
- mediawiki <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=71111
NOTE: No special expand templates before 1.23.x but available as extension.
@@ -1426,8 +1684,7 @@
RESERVED
CVE-2014-9120 (Cross-site scripting (XSS) vulnerability in Subrion CMS before 3.2.3 ...)
NOT-FOR-US: Subrion CMS
-CVE-2014-9119
- RESERVED
+CVE-2014-9119 (Directory traversal vulnerability in download.php in the DB Backup ...)
NOT-FOR-US: WordPress plugin db-backup
CVE-2014-9118
RESERVED
@@ -1594,6 +1851,7 @@
CVE-2014-9017
RESERVED
CVE-2012-6684
+ RESERVED
- ruby-redcloth <unfixed> (bug #774748)
- redcloth <removed>
NOTE: http://co3k.org/blog/redcloth-unfixed-xss-en
@@ -1760,6 +2018,7 @@
- graphviz 2.38.0-7 (bug #772648)
NOTE: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
CVE-2014-9471 [parse_datetime() bug]
+ RESERVED
- coreutils 8.23-1 (low)
[wheezy] - coreutils <no-dsa> (Minor issue)
NOTE: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16872
@@ -4300,8 +4559,8 @@
NOT-FOR-US: WordPress plugin ad-manager-for-wp
CVE-2014-8753
RESERVED
-CVE-2014-8752
- RESERVED
+CVE-2014-8752 (Multiple cross-site scripting (XSS) vulnerabilities in view.php in ...)
+ TODO: check
CVE-2014-8751 (Multiple cross-site scripting (XSS) vulnerabilities in goYWP WebPress ...)
NOT-FOR-US: goYWP WebPress
CVE-2014-8749 (Server-side request forgery (SSRF) vulnerability in ...)
@@ -4607,12 +4866,10 @@
RESERVED
CVE-2014-8146
RESERVED
-CVE-2014-8145 [two heap-based buffer overflows]
- RESERVED
+CVE-2014-8145 (Multiple heap-based buffer overflows in Sound eXchange (SoX) 14.4.1 ...)
{DSA-3112-1 DLA-128-1}
- sox 14.4.1-5 (bug #773720)
-CVE-2014-8144
- RESERVED
+CVE-2014-8144 (Cross-site request forgery (CSRF) vulnerability in doorkeeper before ...)
NOT-FOR-US: doorkeeper OAuth provider
CVE-2014-8143
RESERVED
@@ -4799,14 +5056,11 @@
NOTE: https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/
CVE-2014-8087
RESERVED
-CVE-2014-8085
- RESERVED
+CVE-2014-8085 (Unrestricted file upload vulnerability in the CWebContact::doModel ...)
NOT-FOR-US: OsClass
-CVE-2014-8084
- RESERVED
+CVE-2014-8084 (Directory traversal vulnerability in ...)
NOT-FOR-US: OsClass
-CVE-2014-8083
- RESERVED
+CVE-2014-8083 (SQL injection vulnerability in the Search::setJsonAlert method in ...)
NOT-FOR-US: OsClass
CVE-2014-8082 (lib/functions/database.class.php in TestLink before 1.9.13 allows ...)
NOT-FOR-US: TestLink
@@ -6553,11 +6807,10 @@
NOT-FOR-US: folder framework in the Enfold theme for WordPress
CVE-2014-7296 (The default configuration in the accessibility engine in SpagoBI 5.0.0 ...)
NOT-FOR-US: Spago
-CVE-2014-7294
- RESERVED
+CVE-2014-7294 (Open redirect vulnerability in the logon page in NYU OpenSSO ...)
NOT-FOR-US: Ex Libris Patron Directory Services
-CVE-2014-7293
- RESERVED
+CVE-2014-7293 (Cross-site scripting (XSS) vulnerability in the logon page in NYU ...)
+ TODO: check
CVE-2014-7292 (Open redirect vulnerability in the Click-Through feature in ...)
NOT-FOR-US: Newtelligence dasBlog
CVE-2014-7291 (Multiple cross-site scripting (XSS) vulnerabilities in api_events.php ...)
@@ -18373,8 +18626,8 @@
NOT-FOR-US: HP
CVE-2014-2600 (Unspecified vulnerability in HP IceWall Identity Manager 4.0 through ...)
NOT-FOR-US: HP
-CVE-2014-2598
- RESERVED
+CVE-2014-2598 (Cross-site request forgery (CSRF) vulnerability in the Quick Page/Post ...)
+ TODO: check
CVE-2014-2597 (PCNetSoftware RAC Server 4.0.4 and 4.0.5 allows local users to cause a ...)
NOT-FOR-US: PCNetSoftware RAC Server
CVE-2014-2596
@@ -21020,8 +21273,7 @@
[squeeze] - chromium-browser <end-of-life>
CVE-2014-1680 (Untrusted search path vulnerability in Bandisoft Bandizip before 3.10 ...)
NOT-FOR-US: Bandisoft Bandizip
-CVE-2014-1679
- RESERVED
+CVE-2014-1679 (Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite ...)
- open-xchange <itp> (bug #269329)
CVE-2014-1678
RESERVED
@@ -28343,9 +28595,9 @@
CVE-2013-6127 (The SUPERGRIDLib.SuperGrid ActiveX control in SuperGrid.ocx before ...)
NOT-FOR-US: WellinTech KingView
CVE-2013-6126
- RESERVED
+ REJECTED
CVE-2013-6125
- RESERVED
+ REJECTED
CVE-2013-6124 (The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora ...)
NOT-FOR-US: Qualcomm (Android)
CVE-2013-6123 (Multiple array index errors in ...)
@@ -38794,8 +39046,7 @@
[squeeze] - pymongo <not-affected> (bson module not present)
NOTE: https://jira.mongodb.org/browse/PYTHON-532
NOTE: https://github.com/mongodb/mongo-python-driver/commit/a060c15ef87e0f0e72974c7c0e57fe811bbd06a2
-CVE-2013-2131 [format string vulnerability]
- RESERVED
+CVE-2013-2131 (Format string vulnerability in the rrdtool module 1.4.7 for Python, as ...)
- rrdtool 1.4.8-1 (unimportant; bug #708866)
NOTE: Non-issue, calling application need to perform sanitising
CVE-2013-2130 (ZNC 1.0 allows remote authenticated users to cause a denial of service ...)
More information about the Secure-testing-commits
mailing list