[Secure-testing-commits] r40918 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Wed Apr 13 21:10:12 UTC 2016
Author: sectracker
Date: 2016-04-13 21:10:12 +0000 (Wed, 13 Apr 2016)
New Revision: 40918
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-04-13 20:09:33 UTC (rev 40917)
+++ data/CVE/list 2016-04-13 21:10:12 UTC (rev 40918)
@@ -1,3 +1,9 @@
+CVE-2016-4005
+ RESERVED
+CVE-2016-4004 (Directory traversal vulnerability in Dell OpenManage Server ...)
+ TODO: check
+CVE-2016-4003 (Cross-site scripting (XSS) vulnerability in the URLDecoder function in ...)
+ TODO: check
CVE-2016-XXXX [i386: leakage of stack memory to guest in kvmvapic.c]
- qemu <unfixed>
- qemu-kvm <removed>
@@ -912,14 +918,14 @@
- tiff <unfixed>
- tiff3 <removed>
TODO: check
-CVE-2016-3657
- RESERVED
-CVE-2016-3656
- RESERVED
-CVE-2016-3655
- RESERVED
-CVE-2016-3654
- RESERVED
+CVE-2016-3657 (Buffer overflow in the GlobalProtect Portal in Palo Alto Networks ...)
+ TODO: check
+CVE-2016-3656 (The GlobalProtect Portal in Palo Alto Networks PAN-OS before 5.0.18, ...)
+ TODO: check
+CVE-2016-3655 (The management web interface in Palo Alto Networks PAN-OS before ...)
+ TODO: check
+CVE-2016-3654 (The device management command line interface (CLI) in Palo Alto ...)
+ TODO: check
CVE-2016-3653
RESERVED
CVE-2016-3652
@@ -1993,8 +1999,7 @@
NOTE: versions (but which is sufficient only on Xen 4.3.x, and insufficient
NOTE: on later versions). Ie for the second hunk in xsa172.patch (the only
NOTE: hunk in xsa172-4.3.patch), which patches the function xrstor.
-CVE-2016-3157 [I/O port access privilege escalation in x86-64 Linux]
- RESERVED
+CVE-2016-3157 (The __switch_to function in arch/x86/kernel/process_64.c in the Linux ...)
- linux <unfixed>
NOTE: http://xenbits.xen.org/xsa/advisory-171.html
NOTE: https://git.kernel.org/linus/b7a584598aea7ca73140cb87b40319944dd3393f
@@ -2720,8 +2725,7 @@
[jessie] - cgit 0.10.2.git2.0.1-3+deb8u1
NOTE: https://git.zx2c4.com/cgit/commit/filters/html-converters/txt2html?id=13c2d3df0440ce04273de3149631a9bd97490c6e
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/03/05/8
-CVE-2016-3172 [SQL Injection Vulnerability]
- RESERVED
+CVE-2016-3172 (SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier ...)
- cacti <unfixed> (bug #818647)
NOTE: http://bugs.cacti.net/view.php?id=2667
NOTE: http://www.openwall.com/lists/oss-security/2016/03/10/13
@@ -3700,12 +3704,12 @@
RESERVED
- policykit-1 <unfixed> (bug #816062)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1300746
-CVE-2016-2558
- RESERVED
-CVE-2016-2557
- RESERVED
-CVE-2016-2556
- RESERVED
+CVE-2016-2558 (The Escape interface in the Kernel Mode Driver layer in the NVIDIA GPU ...)
+ TODO: check
+CVE-2016-2557 (The Escape interface in the Kernel Mode Driver layer in the NVIDIA GPU ...)
+ TODO: check
+CVE-2016-2556 (The Escape interface in the Kernel Mode Driver layer in the NVIDIA GPU ...)
+ TODO: check
CVE-2016-2555
RESERVED
CVE-2016-2553
@@ -3724,24 +3728,21 @@
NOTE: pcre2: http://vcs.pcre.org/pcre2?view=revision&revision=489
NOTE: https://bugs.exim.org/show_bug.cgi?id=1791
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1311503
-CVE-2016-3162 [File upload access bypass and denial of service]
- RESERVED
+CVE-2016-3162 (The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows ...)
{DSA-3498-1}
- drupal8 <itp> (bug #756305)
- drupal7 7.43-1
- drupal6 <not-affected> (Only affects Drupal 7.x and Drupal 8.x)
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3163 [Brute force amplification attacks via XML-RPC]
- RESERVED
+CVE-2016-3163 (The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might ...)
{DSA-3498-1}
- drupal7 7.43-1
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3164 [Open redirect via path manipulation]
- RESERVED
+CVE-2016-3164 (Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might ...)
{DSA-3498-1}
- drupal8 <itp> (bug #756305)
- drupal7 7.43-1
@@ -3749,53 +3750,46 @@
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3165 [Form API ignores access restrictions on submit buttons]
- RESERVED
+CVE-2016-3165 (The Form API in Drupal 6.x before 6.38 ignores access restrictions on ...)
- drupal7 <not-affected> (Only affects Drupal 6)
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3166 [HTTP header injection using line breaks]
- RESERVED
+CVE-2016-3166 (CRLF injection vulnerability in the drupal_set_header function in ...)
- drupal7 <not-affected> (Only affects Drupal 6)
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3167 [Open redirect via double-encoded 'destination' parameter]
- RESERVED
+CVE-2016-3167 (Open redirect vulnerability in the drupal_goto function in Drupal 6.x ...)
- drupal7 <not-affected> (Only affects Drupal 6)
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3168 [Reflected file download vulnerability]
- RESERVED
+CVE-2016-3168 (The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might ...)
{DSA-3498-1}
- drupal7 7.43-1
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3169 [Saving user accounts can sometimes grant the user all roles]
- RESERVED
+CVE-2016-3169 (The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows ...)
{DSA-3498-1}
- drupal7 7.43-1
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3170 [Email address can be matched to an account]
- RESERVED
+CVE-2016-3170 (The "have you forgotten your password" links in the User module in ...)
{DSA-3498-1}
- drupal8 <itp> (bug #756305)
- drupal7 7.43-1
- drupal6 <not-affected> (Only affects Drupal 7.x and Drupal 8.x)
NOTE: https://www.drupal.org/SA-CORE-2016-001
NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19
-CVE-2016-3171 [Session data truncation can lead to unserialization of user provided data]
- RESERVED
+CVE-2016-3171 (Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before ...)
- drupal7 <not-affected> (Only affects Drupal 6)
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
@@ -4246,8 +4240,8 @@
RESERVED
CVE-2016-2406
RESERVED
-CVE-2016-2405
- RESERVED
+CVE-2016-2405 (Huawei Policy Center with software before V100R003C10SPC020 allows ...)
+ TODO: check
CVE-2016-2404
RESERVED
CVE-2016-2403
@@ -5112,8 +5106,7 @@
RESERVED
CVE-2016-2171 (The User Manager service in Apache Jetspeed before 2.3.1 does not ...)
NOT-FOR-US: Apache Jetspeed
-CVE-2016-2170
- RESERVED
+CVE-2016-2170 (Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow ...)
NOT-FOR-US: Apache OFBiz
CVE-2016-2169
RESERVED
@@ -5121,8 +5114,7 @@
RESERVED
CVE-2016-2167
RESERVED
-CVE-2016-2166 [reactor sends messages in clear if ssl is requested but not available]
- RESERVED
+CVE-2016-2166 (The (1) proton.reactor.Connector, (2) proton.reactor.Container, and ...)
- qpid-proton <not-affected> (Vulnerable code not present)
NOTE: https://issues.apache.org/jira/browse/PROTON-1157
NOTE: http://qpid.apache.org/releases/qpid-proton-0.12.1/
@@ -5133,8 +5125,8 @@
NOT-FOR-US: Apache OpenMeetings
CVE-2016-2163 (Cross-site scripting (XSS) vulnerability in Apache OpenMeetings before ...)
NOT-FOR-US: Apache OpenMeetings
-CVE-2016-2162
- RESERVED
+CVE-2016-2162 (Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale ...)
+ TODO: check
CVE-2016-2161
RESERVED
CVE-2016-2160
@@ -5202,8 +5194,7 @@
NOT-FOR-US: OpenShift
CVE-2016-2141
RESERVED
-CVE-2016-2140 [Nova host data leak through resize/migration]
- RESERVED
+CVE-2016-2140 (The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) ...)
- nova <unfixed>
[wheezy] - nova <no-dsa> (Minor issue)
[jessie] - nova <no-dsa> (Minor issue)
@@ -5250,8 +5241,7 @@
RESERVED
CVE-2016-2119
RESERVED
-CVE-2016-2118 [SAMR and LSA man in the middle attacks possible]
- RESERVED
+CVE-2016-2118 (The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x ...)
{DSA-3548-1}
- samba 2:4.3.7+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2016-2118.html
@@ -5833,8 +5823,7 @@
RESERVED
CVE-2016-2002
RESERVED
-CVE-2016-2001
- RESERVED
+CVE-2016-2001 (HPE Universal CMDB Foundation 10.0, 10.01, 10.10, 10.11, and 10.20 ...)
NOT-FOR-US: HPE Universal CMDB
CVE-2016-2000 (HPE Asset Manager 9.40, 9.41, and 9.50 and Asset Manager CloudSystem ...)
TODO: check
@@ -6219,7 +6208,7 @@
NOT-FOR-US: SAP
CVE-2016-1910 (The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers ...)
NOT-FOR-US: SAP
-CVE-2016-1909 (FortiOS 4.x before 4.3.17 and 5.0.x before 5.0.8 has a hardcoded ...)
+CVE-2016-1909 (FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x ...)
NOT-FOR-US: FortiOS
CVE-2015-8775
RESERVED
@@ -6386,8 +6375,7 @@
RESERVED
CVE-2016-1868
RESERVED
-CVE-2016-1866
- RESERVED
+CVE-2016-1866 (Salt 2015.8.x before 2015.8.4 does not properly handle clear messages ...)
- salt 2015.8.5+ds-1
[jessie] - salt <not-affected> (affects only the 2015.8.x releases of Salt)
NOTE: https://docs.saltstack.com/en/latest/topics/releases/2015.8.5.html
@@ -7715,10 +7703,10 @@
RESERVED
CVE-2016-1378
RESERVED
-CVE-2016-1377
- RESERVED
-CVE-2016-1376
- RESERVED
+CVE-2016-1377 (Cross-site scripting (XSS) vulnerability in Cisco Unity Connection ...)
+ TODO: check
+CVE-2016-1376 (Cisco IOS XR 4.2.3, 4.3.0, 4.3.4, and 5.3.1 on ASR 9000 devices allows ...)
+ TODO: check
CVE-2016-1375 (Cross-site scripting (XSS) vulnerability in Cisco IP Interoperability ...)
TODO: check
CVE-2016-1374
@@ -8373,8 +8361,7 @@
NOTE: https://kb.isc.org/article/AA-01335
CVE-2015-8703 (ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE and ZXV10 ...)
NOT-FOR-US: ZTE router
-CVE-2015-8702 [DoS caused by PTR lookup of connecting users]
- RESERVED
+CVE-2015-8702 (The DNS::GetResult function in dns.cpp in InspIRCd before 2.0.19 ...)
{DSA-3527-1 DLA-384-1}
- inspircd 2.0.20-1
NOTE: https://github.com/inspircd/inspircd/commit/6058483d9fbc1b904d5ae7cfea47bfcde5c5b559
@@ -9035,10 +9022,10 @@
RESERVED
CVE-2016-1036
RESERVED
-CVE-2016-1035
- RESERVED
-CVE-2016-1034
- RESERVED
+CVE-2016-1035 (Adobe RoboHelp Server 9 before 9.0.1 mishandles SQL queries, which ...)
+ TODO: check
+CVE-2016-1034 (The Sync Process in the JavaScript API for Creative Cloud Libraries in ...)
+ TODO: check
CVE-2016-1033 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before ...)
TODO: check
CVE-2016-1032 (Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before ...)
@@ -9479,8 +9466,8 @@
RESERVED
CVE-2016-0888 (EMC Documentum D2 before 4.6 lacks intended ACLs for configuration ...)
NOT-FOR-US: EMC Documentum D2
-CVE-2016-0887
- RESERVED
+CVE-2016-0887 (EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x and 4.1.x before 4.1.5, ...)
+ TODO: check
CVE-2016-0886 (EMC Documentum xCP 2.1 before patch 24 and 2.2 before patch 12 allows ...)
NOT-FOR-US: EMC Documentum
CVE-2016-0885
@@ -9780,8 +9767,8 @@
NOTE: Upstream patch only fixes DH SHA-256 key exchange type, not DH SHA-1
CVE-2016-0786
RESERVED
-CVE-2016-0785
- RESERVED
+CVE-2016-0785 (Apache Struts 2.x before 2.3.28 allows remote attackers to execute ...)
+ TODO: check
CVE-2016-0784 (Directory traversal vulnerability in the Import/Export System Backups ...)
NOT-FOR-US: Apache OpenMeetings
CVE-2016-0783 (The sendHashByUser function in Apache OpenMeetings before 3.1.1 ...)
@@ -9987,8 +9974,7 @@
CVE-2016-0734 (The web-based administration console in Apache ActiveMQ 5.x before ...)
- activemq <not-affected> (Admin console not enabled in the Debian package, see #702670)
NOTE: https://activemq.apache.org/security-advisories.data/CVE-2016-0734-announcement.txt
-CVE-2016-0733
- RESERVED
+CVE-2016-0733 (The Admin UI in Apache Ranger before 0.5.1 does not properly handle ...)
NOT-FOR-US: Apache Ranger
CVE-2016-0732
RESERVED
@@ -11672,72 +11658,72 @@
RESERVED
CVE-2016-0168
RESERVED
-CVE-2016-0167
- RESERVED
-CVE-2016-0166
- RESERVED
-CVE-2016-0165
- RESERVED
-CVE-2016-0164
- RESERVED
+CVE-2016-0167 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...)
+ TODO: check
+CVE-2016-0166 (Microsoft Internet Explorer 11 allows remote attackers to execute ...)
+ TODO: check
+CVE-2016-0165 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...)
+ TODO: check
+CVE-2016-0164 (Microsoft Internet Explorer 10 and 11 allows remote attackers to ...)
+ TODO: check
CVE-2016-0163
RESERVED
-CVE-2016-0162
- RESERVED
-CVE-2016-0161
- RESERVED
-CVE-2016-0160
- RESERVED
-CVE-2016-0159
- RESERVED
-CVE-2016-0158
- RESERVED
-CVE-2016-0157
- RESERVED
-CVE-2016-0156
- RESERVED
-CVE-2016-0155
- RESERVED
-CVE-2016-0154
- RESERVED
-CVE-2016-0153
- RESERVED
+CVE-2016-0162 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ...)
+ TODO: check
+CVE-2016-0161 (Microsoft Edge allows remote attackers to bypass the Same Origin ...)
+ TODO: check
+CVE-2016-0160 (Microsoft Internet Explorer 11 mishandles DLL loading, which allows ...)
+ TODO: check
+CVE-2016-0159 (Microsoft Internet Explorer 9 allows remote attackers to execute ...)
+ TODO: check
+CVE-2016-0158 (Microsoft Edge allows remote attackers to bypass the Same Origin ...)
+ TODO: check
+CVE-2016-0157 (Microsoft Edge allows remote attackers to execute arbitrary code or ...)
+ TODO: check
+CVE-2016-0156 (Microsoft Edge allows remote attackers to execute arbitrary code or ...)
+ TODO: check
+CVE-2016-0155 (Microsoft Edge allows remote attackers to execute arbitrary code or ...)
+ TODO: check
+CVE-2016-0154 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow ...)
+ TODO: check
+CVE-2016-0153 (OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 ...)
+ TODO: check
CVE-2016-0152
RESERVED
-CVE-2016-0151
- RESERVED
-CVE-2016-0150
- RESERVED
+CVE-2016-0151 (The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, ...)
+ TODO: check
+CVE-2016-0150 (HTTP.sys in Microsoft Windows 10 Gold and 1511 allows remote attackers ...)
+ TODO: check
CVE-2016-0149
RESERVED
-CVE-2016-0148
- RESERVED
-CVE-2016-0147
- RESERVED
+CVE-2016-0148 (Microsoft .NET Framework 4.6 and 4.6.1 mishandles library loading, ...)
+ TODO: check
+CVE-2016-0147 (Microsoft XML Core Services 3.0 allows remote attackers to execute ...)
+ TODO: check
CVE-2016-0146
RESERVED
-CVE-2016-0145
- RESERVED
+CVE-2016-0145 (The font library in Microsoft Windows Vista SP2; Windows Server 2008 ...)
+ TODO: check
CVE-2016-0144
RESERVED
-CVE-2016-0143
- RESERVED
+CVE-2016-0143 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...)
+ TODO: check
CVE-2016-0142
RESERVED
CVE-2016-0141
RESERVED
CVE-2016-0140
RESERVED
-CVE-2016-0139
- RESERVED
+CVE-2016-0139 (Microsoft Excel 2010 SP2, Word for Mac 2011, and Excel Viewer allow ...)
+ TODO: check
CVE-2016-0138
RESERVED
CVE-2016-0137
RESERVED
-CVE-2016-0136
- RESERVED
-CVE-2016-0135
- RESERVED
+CVE-2016-0136 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Office Compatibility Pack ...)
+ TODO: check
+CVE-2016-0135 (The Secondary Logon Service in Microsoft Windows 10 Gold and 1511 ...)
+ TODO: check
CVE-2016-0134 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 ...)
NOT-FOR-US: Microsoft
CVE-2016-0133 (The USB Mass Storage Class driver in Microsoft Windows Vista SP2, ...)
@@ -11750,10 +11736,10 @@
NOT-FOR-US: Microsoft
CVE-2016-0129 (Microsoft Edge allows remote attackers to execute arbitrary code or ...)
NOT-FOR-US: Microsoft
-CVE-2016-0128
- RESERVED
-CVE-2016-0127
- RESERVED
+CVE-2016-0128 (The SAM and LSAD protocol implementations in Microsoft Windows Vista ...)
+ TODO: check
+CVE-2016-0127 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 ...)
+ TODO: check
CVE-2016-0126
RESERVED
CVE-2016-0125 (Microsoft Edge mishandles the Referer policy, which allows remote ...)
@@ -11762,8 +11748,8 @@
NOT-FOR-US: Microsoft
CVE-2016-0123 (Microsoft Edge allows remote attackers to execute arbitrary code or ...)
NOT-FOR-US: Microsoft
-CVE-2016-0122
- RESERVED
+CVE-2016-0122 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 ...)
+ TODO: check
CVE-2016-0121 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...)
NOT-FOR-US: Microsoft
CVE-2016-0120 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...)
@@ -11826,12 +11812,12 @@
NOT-FOR-US: Microsoft
CVE-2016-0091 (OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 ...)
NOT-FOR-US: Microsoft
-CVE-2016-0090
- RESERVED
-CVE-2016-0089
- RESERVED
-CVE-2016-0088
- RESERVED
+CVE-2016-0090 (Hyper-V in Microsoft Windows 8.1, Windows Server 2012 R2, and Windows ...)
+ TODO: check
+CVE-2016-0089 (Hyper-V in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, and ...)
+ TODO: check
+CVE-2016-0088 (Hyper-V in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, and ...)
+ TODO: check
CVE-2016-0087 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and ...)
NOT-FOR-US: Microsoft
CVE-2016-0086
@@ -12043,8 +12029,7 @@
CVE-2015-XXXX [uses non-random tempdir /tmp/tmprepo.0/.git/]
- git-repair 1.20151215-1 (unimportant; bug #807341)
NOTE: Non-exploitable on release archs due to kernel hardening
-CVE-2015-8537 [Data disclosure in atom feed]
- RESERVED
+CVE-2015-8537 (app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before ...)
{DSA-3529-1}
- redmine 3.2.0-1 (bug #807826)
[squeeze] - redmine <not-affected> (Vulnerable code not present in 1.0.1)
@@ -12065,8 +12050,7 @@
{DSA-3416-1 DLA-363-1}
- libphp-phpmailer 5.2.14+dfsg-1 (bug #807265)
NOTE: https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0 (v5.2.14)
-CVE-2015-8474 [Open Redirect vulnerability]
- RESERVED
+CVE-2015-8474 (Open redirect vulnerability in the valid_back_url function in ...)
{DSA-3529-1}
- redmine 3.2.0-1 (bug #807272)
[squeeze] - redmine <end-of-life> (Redmine not supported because of rails)
@@ -12077,8 +12061,7 @@
NOTE: upstream fixed in 2.6.7, 3.0.5 and 3.1.1
NOTE: http://www.openwall.com/lists/oss-security/2015/12/04/1
NOTE: depends on the CVE-2014-1985 fix first
-CVE-2015-8473 [Issues API may disclose changeset messages that are not visible]
- RESERVED
+CVE-2015-8473 (The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x ...)
{DSA-3529-1}
- redmine 3.2.0-1 (bug #807345)
[squeeze] - redmine <not-affected> (code dates from the API changes introduced in 735a83c, part of 1.1)
@@ -12507,8 +12490,7 @@
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
NOTE: http://www.openwall.com/lists/oss-security/2015/11/25/3
-CVE-2015-8346 [Data disclosure on the time logging form]
- RESERVED
+CVE-2015-8346 (app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before ...)
{DSA-3529-1 DLA-351-1}
- redmine 3.2.0-1 (bug #806376)
[wheezy] - redmine <end-of-life> (Redmine not supported because of rails)
@@ -13424,8 +13406,8 @@
NOTE: https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2015-8023%29.html
CVE-2015-8022
RESERVED
-CVE-2015-8021
- RESERVED
+CVE-2015-8021 (Incomplete blacklist vulnerability in the Configuration utility in F5 ...)
+ TODO: check
CVE-2015-8020
RESERVED
CVE-2015-8018
@@ -15116,8 +15098,7 @@
RESERVED
CVE-2015-7521 (The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, ...)
NOT-FOR-US: Apache Hive
-CVE-2015-7520
- RESERVED
+CVE-2015-7520 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) ...)
NOT-FOR-US: Apache Wicket
CVE-2015-7519 (agent/Core/Controller/SendRequest.cpp in Phusion Passenger before ...)
{DLA-394-1}
@@ -20890,8 +20871,8 @@
CVE-2015-5348
RESERVED
NOT-FOR-US: Apache Camel
-CVE-2015-5347
- RESERVED
+CVE-2015-5347 (Cross-site scripting (XSS) vulnerability in the ...)
+ TODO: check
CVE-2015-5346 (Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x ...)
{DSA-3530-1}
- tomcat9 <itp> (bug #802312)
@@ -21637,8 +21618,7 @@
- libstruts1.2-java <not-affected> (Affects 2.0.0 - 2.3.16.3)
CVE-2015-5168
RESERVED
-CVE-2015-5167
- RESERVED
+CVE-2015-5167 (The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote ...)
NOT-FOR-US: Apache Ranger
CVE-2015-5166 (Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not ...)
- qemu 1:2.4+dfsg-1a (bug #794611)
@@ -26973,8 +26953,7 @@
NOT-FOR-US: Apache Ambari
CVE-2015-3269 (Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe ...)
NOT-FOR-US: Adobe
-CVE-2015-3268
- RESERVED
+CVE-2015-3268 (Cross-site scripting (XSS) vulnerability in the ...)
NOT-FOR-US: Apache OFBiz
CVE-2015-3267 (Cross-site scripting (XSS) vulnerability in the 404 error page in Red ...)
NOT-FOR-US: JBoss Operations Network
@@ -30404,7 +30383,7 @@
RESERVED
CVE-2015-2224
RESERVED
-CVE-2015-2223 (Multiple cross-site scripting (XSS) vulnerabilities in Palo Alto ...)
+CVE-2015-2223 (Multiple cross-site scripting (XSS) vulnerabilities in the web-based ...)
NOT-FOR-US: Palo Alto Networks Traps
CVE-2015-2222 (ClamAV before 0.98.7 allows remote attackers to cause a denial of ...)
{DLA-233-1}
More information about the Secure-testing-commits
mailing list