[Secure-testing-commits] r40936 - data/CVE

Luciano Bello luciano at moszumanska.debian.org
Thu Apr 14 20:16:46 UTC 2016


Author: luciano
Date: 2016-04-14 20:16:46 +0000 (Thu, 14 Apr 2016)
New Revision: 40936

Modified:
   data/CVE/list
Log:
broken links

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-04-14 19:56:57 UTC (rev 40935)
+++ data/CVE/list	2016-04-14 20:16:46 UTC (rev 40936)
@@ -4919,12 +4919,14 @@
 	- uclibc <unfixed> (unimportant)
 	NOTE: Just for cross-compiling, not used for actual packages
 	NOTE: http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: 404
 	NOTE: http://www.openwall.com/lists/oss-security/2016/02/05/2
 CVE-2016-2225 [crafted packet will make the parser terminate early]
 	RESERVED
 	- uclibc <unfixed> (unimportant)
 	NOTE: Just for cross-compiling, not used for actual packages
 	NOTE: http://repo.or.cz/uclibc-ng.git/commit/bb01edff0377f2585ce304ecbadcb7b6cde372ac
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: 404
 	NOTE: http://www.openwall.com/lists/oss-security/2016/02/05/2
 CVE-2016-2216 (The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 ...)
 	- nodejs 4.3.0~dfsg-1 (unimportant)
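Review bot: The two TODO lines added under the uclibc entries name their target only as "the previous line", which stops being true as soon as another NOTE is inserted or the lines are reordered. Put the dead URL and the error in the TODO itself, for example "TODO: 404 for http://repo.or.cz/uclibc-ng.git/commit/16719c1a7078421928e6d31dd1dec574825ef515", so the marker stays correct wherever it ends up.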
@@ -5389,16 +5391,16 @@
 	[wheezy] - roundcube <not-affected> (Vulnerable code not present)
 	[squeeze] - roundcube <not-affected> (Vulnerable code not present)
 	NOTE: http://www.scip.ch/en/?vuldb.80732
-	NOTE: https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
+	NOTE: http://web.archive.org/web/20160329044745/http://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released
 	NOTE: http://trac.roundcube.net/ticket/1490379
 CVE-2015-8793 (Cross-site scripting (XSS) vulnerability in program/include/rcmail.php ...)
 	- roundcube 1.1.2+dfsg.1-1
 	[wheezy] - roundcube <not-affected> (Vulnerable code not present)
 	[squeeze] - roundcube <not-affected> (Vulnerable code not present)
-	NOTE: https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
+	NOTE: http://web.archive.org/web/20160329044745/http://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released
 	NOTE: http://www.scip.ch/en/?vuldb.80731
 	NOTE: http://trac.roundcube.net/ticket/1490417 - mentions 1.0 not vulnerable, verified code not present in squeeze
-	NOTE: http://trac.roundcube.net/changeset/b782815dac/github
+	NOTE: http://web.archive.org/web/20150627125240/http://trac.roundcube.net:80/changeset/b782815dac/github
 CVE-2015-8791 (The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 ...)
 	{DSA-3538-1 DLA-438-1}
 	- libebml 1.3.3-1
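Review bot: The roundcube.net news links were https:// before this change, but their replacements use http:// both for web.archive.org and for the wrapped roundcube.net URL, and the changeset replacement picks up an explicit ":80". Prefer https://web.archive.org/web/... and keep the wrapped URL byte-for-byte identical to the one being removed, so a search of the list for the original link still finds the entry.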
@@ -6767,7 +6769,7 @@
 CVE-2015-8770 (Directory traversal vulnerability in the set_skin function in ...)
 	{DSA-3541-1 DLA-392-1}
 	- roundcube 1.1.4+dfsg.1-1
-	NOTE: https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/
+	NOTE: http://web.archive.org/web/20160329044421/http://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released
 	NOTE: https://github.com/roundcube/roundcubemail/commit/10e5192a2b1bc90ec137f5e69d0aa072c1210d6d
 CVE-2015-8769 (SQL injection vulnerability in Joomla! 3.x before 3.4.7 allows ...)
 	- joomla <itp> (bug #571794)
@@ -7465,7 +7467,7 @@
 	[wheezy] - lighttpd <not-affected> (Regression introduced in 1.4.36)
 	[squeeze] - lighttpd <not-affected> (Regression introduced in 1.4.36)
 	NOTE: http://redmine.lighttpd.net/issues/2700
-	NOTE: Introduced in 1.4.36: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2976
+	NOTE: Introduced in 1.4.36: http://web.archive.org/web/20150906061055/http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2976
 CVE-2016-1503 [heap overflow via malformed dhcp responses in print_option (via dhcp_envoption1) due to incorrect option length values]
 	RESERVED
 	- dhcpcd5 6.10.1-1 (bug #810621)
@@ -13182,6 +13184,7 @@
 	[squeeze] - roundcube <not-affected> (Vulnerable code not present)
 	NOTE: http://trac.roundcube.net/ticket/1490530
 	NOTE: http://trac.roundcube.net/changeset/dd7db2179/github
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: 404
 CVE-2015-XXXX [directory traversal in servefile]
 	- servefile 0.4.4-1
 	[jessie] - servefile <no-dsa> (Minor issue)
@@ -13544,6 +13547,7 @@
 	[wheezy] - dovecot <not-affected> (Bug with pop3_deleted_flag introduced in 2.2.10)
 	[squeeze] - dovecot <not-affected> (Bug with pop3_deleted_flag introduced in 2.2.10)
 	NOTE: http://hg.dovecot.org/dovecot-2.2/rev/05e0700daea3
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: 404
 CVE-2015-8019 [Buffer overflow when copying data from skbuff to userspace]
 	RESERVED
 	- linux <not-affected> (Vulnerable code not present)
@@ -17028,7 +17032,7 @@
 	[jessie] - pgbouncer <not-affected> (Introduced in 1.6)
 	[wheezy] - pgbouncer <not-affected> (Introduced in 1.6)
 	[squeeze] - pgbouncer <not-affected> (Introduced in 1.6)
-	NOTE: https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/
+	NOTE: http://web.archive.org/web/20150905195759/http://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/
 	NOTE: https://github.com/pgbouncer/pgbouncer/issues/69
 	NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/3
 CVE-2015-XXXX [val_dane_check: usage DANE-TA(2) may bypass cert validation entirely]
@@ -26509,13 +26513,13 @@
 	[wheezy] - dovecot <not-affected> (Problematic patch introducing the issue not applied)
 	[squeeze] - dovecot <not-affected> (Vulnerable code not present & not reproducible)
 	NOTE: http://www.openwall.com/lists/oss-security/2015/04/26/3
-	NOTE: Patch: http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
+	NOTE: Patch: http://web.archive.org/web/20150907231530/http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
 	NOTE: Segfault reproducible if using openssl/1.0.2a-1 from sid.
 	NOTE: http://dovecot.org/pipermail/dovecot/2015-April/100579.html
 	NOTE: It is openssl crashing but because dovecot ignores an erlier
 	NOTE: returned error from dovecot, related to openssl bug:
 	NOTE: https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest
-	NOTE: Possibly introduced due to http://hg.dovecot.org/dovecot-2.2/rev/09d3c9c6f0ad
+	NOTE: Possibly introduced due to http://web.archive.org/web/20150121182933/http://hg.dovecot.org:80/dovecot-2.2/rev/09d3c9c6f0ad
 CVE-2015-3440 (Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in ...)
 	{DSA-3250-1 DLA-236-1}
 	- wordpress 4.2.1+dfsg-1 (bug #783554)
@@ -27094,6 +27098,7 @@
 	[jessie] - libunwind <no-dsa> (Minor issue)
 	[wheezy] - libunwind <no-dsa> (Minor issue)
 	NOTE: http://savannah.nongnu.org/bugs/?45276
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: 404
 	NOTE: http://git.savannah.gnu.org/cgit/libunwind.git/commit/?id=396b6c7ab737e2bff244d640601c436a26260ca1
 CVE-2015-3238 (The _unix_run_helper_binary function in the pam_unix module in ...)
 	- pam 1.1.8-3.2 (bug #789986)
@@ -27304,7 +27309,7 @@
 CVE-2015-3202 (fusermount in FUSE before 2.9.3-15 does not properly clear the ...)
 	{DSA-3268-2 DSA-3268-1 DSA-3266-1 DLA-238-1 DLA-226-2 DLA-226-1}
 	- fuse 2.9.3-16 (bug #786439)
-	NOTE: Upstream fix: http://sourceforge.net/p/fuse/fuse/ci/fe2d96/
+	NOTE: Upstream fix: http://web.archive.org/web/20150529051222/http://sourceforge.net:80/p/fuse/fuse/ci/fe2d96
 	- ntfs-3g 1:2014.2.15AR.3-3 (bug #786475)
 	NOTE: ntfs-3g source wise affected but wheezy version uses --with-fuse=external
 	NOTE: ntfs-3g is built with internal copy since 1:2013.1.13AR.3-2
@@ -27375,7 +27380,7 @@
 	[wheezy] - apache2 <not-affected> (Bug introduced during 2.4 development)
 	[squeeze] - apache2 <not-affected> (Bug introduced during 2.4 development)
 	NOTE: https://www.apache.org/dist/httpd/Announcement2.4.txt
-	NOTE: https://www.apache.org/dist/httpd/CHANGES_2.4.16
+	NOTE: http://web.archive.org/web/20150918024815/http://www.apache.org:80/dist/httpd/CHANGES_2.4.16
 	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1684525
 	NOTE: Behavior changed in 2.4.x refactoring, API no longer usable in 2.4.x
 CVE-2015-3184 (mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x ...)
@@ -27390,7 +27395,7 @@
 	{DSA-3325-1 DLA-284-1}
 	- apache2 2.4.16-1
 	NOTE: https://www.apache.org/dist/httpd/Announcement2.4.txt
-	NOTE: https://www.apache.org/dist/httpd/CHANGES_2.4.16
+	NOTE: http://web.archive.org/web/20150918024815/http://www.apache.org:80/dist/httpd/CHANGES_2.4.16
 	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1684515
 	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1687338 (2.2.x)
 	NOTE: http://svn.apache.org/viewvc?view=revision&revision=1687339 (2.2.x)
@@ -30125,7 +30130,7 @@
 	[squeeze] - imagemagick <no-dsa> (Minor issue)
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/4
 	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933
-	NOTE: http://trac.imagemagick.org/changeset/17856
+	NOTE: http://web.archive.org/web/20150428140926/http://trac.imagemagick.org/changeset/17856
 CVE-2015-XXXX [denial of service flaw in PDB file processing]
 	[experimental] - imagemagick 8:6.9.1.2-1
 	- imagemagick 8:6.8.9.9-6 (low)
@@ -30134,7 +30139,7 @@
 	[squeeze] - imagemagick <no-dsa> (Minor issue)
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/4
 	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932
-	NOTE: http://trac.imagemagick.org/changeset/17855
+	NOTE: http://web.archive.org/web/20150428145652/http://trac.imagemagick.org/changeset/17855
 CVE-2015-XXXX [denial of service flaw in MIFF file processing]
 	[experimental] - imagemagick 8:6.9.1.2-1
 	- imagemagick 8:6.8.9.9-6
@@ -30144,6 +30149,7 @@
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/4
 	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931
 	NOTE: http://trac.imagemagick.org/changeset/17854
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: Name or service not known
 CVE-2015-XXXX [denial of service flaw in HDR file processing]
 	[experimental] - imagemagick 8:6.9.1.2-1
 	- imagemagick 8:6.8.9.9-6
@@ -30152,8 +30158,8 @@
 	[squeeze] - imagemagick <no-dsa> (Minor issue)
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/4
 	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26929
-	NOTE: http://trac.imagemagick.org/changeset/17845
-	NOTE: http://trac.imagemagick.org/changeset/17846
+	NOTE: http://web.archive.org/web/20150501030131/http://trac.imagemagick.org/changeset/17845
+	NOTE: http://web.archive.org/web/20150429001241/http://trac.imagemagick.org/changeset/17846
 CVE-2015-XXXX [Incomplete fix for CVE-2014-7940]
 	- icu 52.1-8 (bug #780503)
 	[wheezy] - icu <not-affected> (Incomplete patch was never applied)
@@ -30625,7 +30631,7 @@
 	[squeeze] - netty <no-dsa> (Minor issue)
 	NOTE: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
 	NOTE: https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
-	NOTE: http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
+	NOTE: http://web.archive.org/web/20150925094949/http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
 	NOTE: https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8
 CVE-2015-2155 (The force printer in tcpdump before 4.7.2 allows remote attackers to ...)
 	{DSA-3193-1 DLA-174-1}
@@ -30785,7 +30791,7 @@
 	[squeeze] - putty 0.60+2010-02-20-1+squeeze3
 	NOTE: temporary workaround until CVE assigned to explitly tag for wheezy+squeeze
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/27/4
-	NOTE: https://www.trustmatta.com/advisories/MATTA-2015-002.txt (not yet published)
+	NOTE: http://advisories.mageia.org/MGASA-2015-0098.html
 CVE-2015-2172 (DokuWiki before 2014-05-05d and before 2014-09-29c does not properly ...)
 	- dokuwiki 0.0.20140929.d-1 (bug #779547)
 	[jessie] - dokuwiki 0.0.20140505.a+dfsg-4
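Review bot: The "+" line for the putty entry is not an archived copy of the removed reference but a different document (advisories.mageia.org/MGASA-2015-0098.html), and the identifier MATTA-2015-002 together with the "(not yet published)" remark disappears from the entry. If the Matta advisory never went live, keep a NOTE that still names MATTA-2015-002 and add the Mageia link as an additional NOTE, after confirming it covers the same issue.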
@@ -34366,7 +34372,7 @@
 	[wheezy] - python-imaging <no-dsa> (Minor issue)
 	[squeeze] - python-imaging <no-dsa> (Minor issue)
 	NOTE: https://github.com/python-pillow/Pillow/commit/b3e09122e527ae554eb590741bbd7611d5710e40
-	NOTE: http://pillow.readthedocs.org/releasenotes/2.7.0.html#png-text-chunk-size-limits
+	NOTE: http://web.archive.org/web/20150921104441/http://pillow.readthedocs.org:80/releasenotes/2.7.0.html#png-text-chunk-size-limits
 CVE-2014-9600 (Untrusted search path vulnerability in Macroplant iExplorer 3.6.3.0 ...)
 	NOT-FOR-US: Macroplant iExplorer
 CVE-2014-9599 (Cross-site scripting (XSS) vulnerability in the filemanager in ...)
@@ -35266,6 +35272,7 @@
 	[squeeze] - hplip <no-dsa> (Minor issue)
 	NOTE: http://seclists.org/oss-sec/2015/q2/581
 	NOTE: https://bugs.launchpad.net/bugs/1432516
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: 404
 CVE-2015-0838 (Buffer overflow in the C implementation of the apply_delta function in ...)
 	{DSA-3206-1 DLA-231-1}
 	- dulwich 0.10.1-1 (bug #780958)
@@ -38259,7 +38266,7 @@
 	{DSA-3084-1 DLA-98-1}
 	- openvpn 2.3.4-5
 	NOTE: https://github.com/OpenVPN/openvpn/commit/c5590a6821e37f3b29735f55eb0c2b9c0924138c
-	NOTE: https://forums.openvpn.net/topic17625.html
+	NOTE: http://web.archive.org/web/20150514123219/https://forums.openvpn.net/topic17625.html
 CVE-2014-9272 (The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x ...)
 	{DSA-3120-1}
 	- mantis <removed>
@@ -40206,6 +40213,7 @@
 	[squeeze] - imagemagick <no-dsa> (Minor issue)
 	NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456
 	NOTE: Patch here: http://trac.imagemagick.org/changeset/16872
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: Name or service not known
 CVE-2014-8714 (The dissect_write_structured_field function in ...)
 	{DSA-3076-1 DLA-198-1}
 	- wireshark 1.12.1+g01b65bf-2 (bug #769410)
@@ -40580,6 +40588,7 @@
 	[wheezy] - imagemagick <no-dsa> (Minor issue)
 	[squeeze] - imagemagick <no-dsa> (Minor issue)
 	NOTE: Upstream commit: http://trac.imagemagick.org/changeset/16773 (imagemagick)
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: Name or service not known
 	NOTE: https://int21.de/cve/CVE-2014-8355-pcx-oob-heap-overflow.html
 	- graphicsmagick 1.3.20-3+deb8u1 (bug #778238)
 	[wheezy] - graphicsmagick <no-dsa> (Minor issue)
@@ -40592,7 +40601,7 @@
 	[wheezy] - imagemagick <no-dsa> (Minor issue)
 	[squeeze] - imagemagick <no-dsa> (Minor issue)
 	NOTE: Upstream patch: http://trac.imagemagick.org/changeset/16795
-	NOTE: https://int21.de/cve/CVE-2014-8562-dcm-oob-heap-overflow.html
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: Name or service not known
 CVE-2014-8354 [out-of-bounds memory access in resize code]
 	RESERVED
 	{DLA-242-1}
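Review bot: In this hunk the "-" line deletes the NOTE for https://int21.de/cve/CVE-2014-8562-dcm-oob-heap-overflow.html and the TODO takes its place, whereas the neighbouring imagemagick hunks add the TODO and leave the int21.de NOTE alone. The TODO's "previous line" is the trac.imagemagick.org/changeset/16795 NOTE, so the int21.de reference looks like it was dropped by mistake. Restore it and add the TODO as an extra line.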
@@ -40601,6 +40610,7 @@
 	[squeeze] - imagemagick <no-dsa> (Minor issue)
 	NOTE: https://int21.de/cve/CVE-2014-8354-oob-heap-overflow.html
 	NOTE: Upstream commit: http://trac.imagemagick.org/changeset/16765
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: Name or service not known
 CVE-2014-8561 [Remotely DOS: convert +profile regression enters infinite loop exhausting memory]
 	RESERVED
 	- imagemagick 8:6.8.9.9-1 (bug #764872)
@@ -49824,7 +49834,7 @@
 	- transmission 2.84-0.1 (bug #755985)
 	[squeeze] - transmission <not-affected> (Vulnerable code not present)
 	NOTE: http://trac.transmissionbt.com/wiki/Changes#version-2.84
-	NOTE: PoC: http://inertiawar.com/submission.go
+	NOTE: PoC: http://web.archive.org/web/20140815000641/http://inertiawar.com:80/submission.go
 CVE-2013-7389 (Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 ...)
 	NOT-FOR-US: D-Link router
 CVE-2014-4723 (Cross-site scripting (XSS) vulnerability in the Easy Banners plugin ...)
@@ -55963,7 +55973,7 @@
 	[wheezy] - php5 <not-affected> (imagecreatefromxpm function not in used gd extension)
 	[squeeze] - php5 <not-affected> (imagecreatefromxpm function not in used gd extension)
 	- libgd2 2.1.0-4 (low; bug #744719)
-	NOTE: http://net-ninja-mr.me/2014/03/14/php-gd-v5-4-17-2-color-visual-null-pointer-dereference/
+	NOTE: http://web.archive.org/web/20150221193227/http://net-ninja-mr.me/2014/03/14/php-gd-v5-4-17-2-color-visual-null-pointer-dereference/
 CVE-2014-2496 (Unspecified vulnerability in the PeopleSoft Enterprise PT PeopleTools ...)
 	NOT-FOR-US: Oracle
 CVE-2014-2495 (Unspecified vulnerability in the PeopleSoft Enterprise SCM Purchasing ...)
@@ -57409,6 +57419,7 @@
 	[squeeze] - imagemagick <not-affected> (CVE only for versions with r1448 applied)
 	NOTE: for the issue in newer imagemagick versions using "L%06ld" string.
 	NOTE: http://trac.imagemagick.org/changeset/1448
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: Name or service not known
 CVE-2014-2029 [remote code execution / information leak]
 	RESERVED
 	- percona-toolkit 2.2.7-1~dfsg1 (bug #740846)
@@ -57439,6 +57450,7 @@
 	NOTE: squeeze: DecodePSDPixels not present but there was a rewrite from DecodeImage?
 	NOTE: http://secunia.com/advisories/56844/
 	NOTE: http://trac.imagemagick.org/changeset/14801
+	TODO: The link in the previous line is broken. Please, consider replacing it. Error: Name or service not known
 CVE-2014-1950 (Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen ...)
 	{DSA-3006-1}
 	- xen 4.4.0-1
@@ -57460,7 +57472,7 @@
 	RESERVED
 	{DSA-2898-1}
 	- imagemagick 8:6.7.7.10+dfsg-1 (bug #740250)
-	NOTE: http://trac.imagemagick.org/changeset/13736
+	NOTE: http://web.archive.org/web/20090120112751/http://trac.imagemagick.org:80/changeset/13736
 	- graphicsmagick 1.3.20-1 (unimportant)
 	NOTE: for graphicsmagick: https://bugzilla.redhat.com/show_bug.cgi?id=1064098#c13
 	NOTE: Rendered non-exploitable by fortified source for graphicsmagick
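Review bot: The snapshot chosen for trac.imagemagick.org/changeset/13736 is dated 20090120112751, years older than every other trac.imagemagick.org snapshot used in this patch (all from 2015). Please open the capture and confirm it shows changeset 13736 rather than an error or placeholder page. If it does not, keep the original NOTE and mark it with a TODO as done for the other unresolvable changeset links.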
@@ -57851,7 +57863,7 @@
 	[wheezy] - staden-io-lib <no-dsa> (Minor issue)
 CVE-2013-XXXX [cakephp: local file inclusion]
 	- cakephp <not-affected> (AssetDispatcher not present in 1.3)
-	NOTE: http://bakery.cakephp.org/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released
+	NOTE: http://web.archive.org/web/20140531064939/http://bakery.cakephp.org:80/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released
 	NOTE: http://seclists.org/bugtraq/2013/Aug/97, needs a CVE assignment
 CVE-2013-XXXX [automysqlbackup code injection]
 	- automysqlbackup 2.6+debian.3-1 (bug #706099)
@@ -65603,7 +65615,7 @@
 	{DSA-2787-1}
 	- roundcube 0.9.4-1.1 (bug #727668)
 	[squeeze] - roundcube <not-affected> (Vulnerable code not present)
-	NOTE: http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
+	NOTE: http://web.archive.org/web/20160304042345/http://roundcube.net/news/2013/10/21/security-updates-095-and-087/
 	NOTE: http://trac.roundcube.net/ticket/1489382
 CVE-2013-6171 (checkpassword-reply in Dovecot before 2.2.7 performs setuid operations ...)
 	- dovecot 1:2.2.9-1 (low; bug #729063)
@@ -66922,8 +66934,8 @@
 	- roundcube 0.9.4-1 (bug #721592)
 	[wheezy] - roundcube <no-dsa> (Minor issue)
 	[squeeze] - roundcube <no-dsa> (Minor issue)
-	NOTE: http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
-	NOTE: http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
+	NOTE: http://web.archive.org/web/20160311164159/http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
+	NOTE: http://web.archive.org/web/20160311132902/http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
 	NOTE: http://trac.roundcube.net/ticket/1489251
 CVE-2013-5644
 	RESERVED
@@ -69060,7 +69072,7 @@
 	RESERVED
 	{DSA-2733-1}
 	- otrs2 3.2.9-1
-	NOTE: http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-05/
+	NOTE: http://web.archive.org/web/20131023033811/http://www.otrs.com:80/en/open-source/community-news/security-advisories/security-advisory-2013-05/
 CVE-2012-6581 (Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before ...)
 	{DSA-2567-1}
 	- request-tracker3.8 <removed>
@@ -71242,7 +71254,7 @@
 	- otrs2 3.2.8-1
 	[squeeze] - otrs2 2.4.9+dfsg1-3+squeeze4
 	NOTE: DSA-2733-1
-	NOTE: http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
+	NOTE: http://web.archive.org/web/20130827134500/http://www.otrs.com:80/en/open-source/community-news/security-advisories/security-advisory-2013-04/
 CVE-2013-4087
 	RESERVED
 CVE-2013-4086
@@ -72059,7 +72071,6 @@
 CVE-2013-3843 (Stack-based buffer overflow in the mk_request_header_process function ...)
 	- monkey <removed>
 	[squeeze] - monkey <no-dsa> (Minor issue)
-	NOTE: http://bugs.monkey-project.com/ticket/182
 CVE-2013-3919 (resolver.c in ISC BIND 9.8.5 before 9.8.5-P1, 9.9.3 before 9.9.3-P1, ...)
 	- bind9 <not-affected> (vulnerable code not present)
 	NOTE: https://kb.isc.org/article/AA-00967
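Review bot: The NOTE for http://bugs.monkey-project.com/ticket/182 is deleted outright, with neither an archived replacement nor a TODO, which is inconsistent with the rest of the patch and leaves the CVE-2013-3843 entry with no reference at all. The same happens to ticket/181 in the next hunk. Keep the dead URL with a TODO (or a short "NOTE: upstream ticket 182, tracker offline") so the ticket number is not lost.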
@@ -72098,7 +72109,6 @@
 CVE-2013-3724 (The mk_request_header_process function in mk_request.c in Monkey 1.1.1 ...)
 	- monkey <removed> (low)
 	[squeeze] - monkey <no-dsa> (Minor issue)
-	NOTE: http://bugs.monkey-project.com/ticket/181
 CVE-2013-3723
 	RESERVED
 CVE-2013-3722
@@ -72422,7 +72432,7 @@
 	RESERVED
 	NOTE: not something we can concretely fix somewhere
 	NOTE: mitigations must be done in webapps
-	NOTE: http://breachattack.com/
+	NOTE: http://web.archive.org/web/20160304210825/http://breachattack.com/
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=995168
 	NOTE: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
 	NOTE: https://www.mail-archive.com/dev@httpd.apache.org/msg57592.html
@@ -72579,7 +72589,7 @@
 CVE-2013-3526 (Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2013-3525 (** DISPUTED ** ...)
-	NOTE: http://blog.bestpractical.com/2013/04/on-our-security-policies.html
+	NOTE: http://web.archive.org/web/20151225141212/http://blog.bestpractical.com/2013/04/on-our-security-policies.html
 CVE-2013-3524 (SQL injection vulnerability in popupnewsitem/ in the Pop Up News ...)
 	NOT-FOR-US: phpVMS
 CVE-2013-3523 (SQL injection vulnerability in This HTML Is Simple (THIS) before 1.2.4 ...)
@@ -74703,7 +74713,7 @@
 	- otrs2 3.1.7+dfsg1-8
 	[squeeze] - otrs2 2.4.9+dfsg1-3+squeeze4
 	NOTE: DSA-2733-1
-	NOTE: http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-01/
+	NOTE: http://web.archive.org/web/20130716120019/http://www.otrs.com:80/en/open-source/community-news/security-advisories/security-advisory-2013-01/
 CVE-2013-2624
 	RESERVED
 CVE-2013-2623
@@ -75770,7 +75780,7 @@
 	[jessie] - nova <no-dsa> (Minor issue)
 	- quantum <unfixed>
 	[wheezy] - quantum <no-dsa> (Minor issue)
-	- swift <not-affected> (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
+	- swift <not-affected> (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5 )
 	NOTE: Fixes for keystone: https://review.openstack.org/#/c/76476/
 CVE-2013-2254 (The deepGetOrCreateNode function in ...)
 	NOT-FOR-US: Apache Sling
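Review bot: The only change on the swift line is a space inserted before the closing parenthesis, which alters tracker data to suit the link checker's URL extraction. The same workaround shows up later for the Template CMS and kb.cert.org lines. It would be more robust to have the checker strip a trailing ")" or "." from the URLs it extracts and leave these lines untouched.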
@@ -80201,7 +80211,6 @@
 	[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
 	- libav 6:9.10-1
 	NOTE: ffmpeg commit: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f18c873ab5ee3c78d00fdcc2582b39c133faecb4
-	NOTE: libav commit: http://git.libav.org/?p=libav.git;a=commitdiff;h=12576afe206d35231ccd61f9033c5fdab6a11e08
 	NOTE: Fixed in 0.8.9
 CVE-2013-0843 (content/renderer/media/webrtc_audio_renderer.cc in Google Chrome ...)
 	- chromium-browser <not-affected> (MacOS-specific)
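Review bot: Removing the "libav commit" NOTE leaves the "- libav 6:9.10-1" line in this entry without any pointer to the fix, while the ffmpeg commit NOTE is kept. The commit id 12576afe206d35231ccd61f9033c5fdab6a11e08 is still useful when the gitweb URL is dead, so keep it in a NOTE (with a TODO for the link) rather than dropping the line.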
@@ -83215,12 +83224,12 @@
 CVE-2012-6090 (Multiple stack-based buffer overflows in the expand function in ...)
 	- swi-prolog 5.10.4-5 (low; bug #697416)
 	[squeeze] - swi-prolog 5.10.1-1+squeeze1
-	NOTE: https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html
+	NOTE: http://web.archive.org/web/20130309013536/http://web.archive.org/web/20130309013536/https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html
 	NOTE: http://www.swi-prolog.org/git/pl.git/commitdiff/b2c88972e7515ada025e97e7d3ce3e34f81cf33e
 CVE-2012-6089 (Multiple stack-based buffer overflows in the canoniseFileName function ...)
 	- swi-prolog 5.10.4-5 (low; bug #697416)
 	[squeeze] - swi-prolog 5.10.1-1+squeeze1
-	NOTE: https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html
+	NOTE: http://web.archive.org/web/20130309013536/http://web.archive.org/web/20130309013536/https://lists.iai.uni-bonn.de/pipermail/swi-prolog/2012/009428.html
 	NOTE: http://www.swi-prolog.org/git/pl.git/commitdiff/a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c
 CVE-2012-6088 (The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 ...)
 	- rpm 4.10.1-2.1 (bug #697375)
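Review bot: Both replacement lines carry the prefix http://web.archive.org/web/20130309013536/ twice in a row before the lists.iai.uni-bonn.de URL. The URL occurs in two entries and the prefix was applied twice, which suggests the rewrite ran once per occurrence over the whole file and is not idempotent. Strip the duplicate prefix here and make the replacement skip URLs that already start with http://web.archive.org/web/.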
@@ -86562,9 +86571,9 @@
 CVE-2012-4903 (Google Chrome before 18.0.1025308 on Android does not properly ...)
 	- chromium-browser <not-affected> (Chrome on Android)
 CVE-2012-4902 (Multiple cross-site request forgery (CSRF) vulnerabilities in Template ...)
-	NOT-FOR-US: Template CMS (http://template-cms.ru)
+	NOT-FOR-US: Template CMS ( http://template-cms.ru )
 CVE-2012-4901 (Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and ...)
-	NOT-FOR-US: Template CMS (http://template-cms.ru)
+	NOT-FOR-US: Template CMS ( http://template-cms.ru )
 CVE-2012-4900
 	RESERVED
 CVE-2012-4899 (WellinTech KingView 6.5.3 and earlier uses a weak password-hashing ...)
@@ -88050,19 +88059,19 @@
 CVE-2012-4441 [jenkins XSS in CI game plugin]
 	RESERVED
 	- jenkins <not-affected> (Plugin not built in Debian source package)
-	NOTE: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
+	NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
 CVE-2012-4440 [jenkins XSS in Violations plugin]
 	RESERVED
 	- jenkins <not-affected> (Plugin not built in Debian source package)
-	NOTE: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
+	NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
 CVE-2012-4439 [jenkins XSS]
 	RESERVED
 	- jenkins 1.447.2+dfsg-2 (bug #688298)
-	NOTE: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
+	NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
 CVE-2012-4438 [jenkins remote code execution]
 	RESERVED
 	- jenkins 1.447.2+dfsg-2 (bug #688298)
-	NOTE: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
+	NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
 CVE-2012-4437 (Cross-site scripting (XSS) vulnerability in the SmartyException class ...)
 	- smarty3 3.1.10-2 (bug #688153)
 	- smarty <removed> (bug #702710)
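Review bot: The four jenkins NOTE lines each end up with the prefix http://web.archive.org/web/20130606043312/ repeated four times in front of the cloudbees.com URL, matching the four entries that share that URL. Each line should contain the prefix exactly once. After fixing the rewrite so it does not re-wrap already archived URLs, a search of data/CVE/list for "web.archive.org/web/" followed by a second "web.archive.org/web/" on the same line would catch any other cases.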
@@ -88218,7 +88227,7 @@
 CVE-2012-4399 (The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 ...)
 	- cakephp <not-affected> (Does not affect 1.3)
 	NOTE: http://seclists.org/bugtraq/2012/Jul/101
-	NOTE: http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
+	NOTE: http://web.archive.org/web/20140822011643/http://bakery.cakephp.org:80/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1
 CVE-2012-4398 (The __request_module function in kernel/kmod.c in the Linux kernel ...)
 	- linux 3.2.35-1 (low)
 	- linux-2.6 <removed>
@@ -93577,13 +93586,13 @@
 CVE-2012-2332 (SQL injection vulnerability in serendipity/serendipity_admin.php in ...)
 	- serendipity <removed> (bug #671937; low)
 	[squeeze] - serendipity <no-dsa> (Minor issue)
-	NOTE: http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt
+	NOTE: http://web.archive.org/web/20120527103654/http://www.koramis.com:80/advisories/2012/KORAMIS-ADV2012-001.txt
 	NOTE: http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html
 	NOTE: CVE id requested http://seclists.org/oss-sec/2012/q2/276
 CVE-2012-2331 (Cross-site scripting (XSS) vulnerability in ...)
 	- serendipity <removed> (bug #671937; low)
 	[squeeze] - serendipity <no-dsa> (Minor issue)
-	NOTE: http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt
+	NOTE: http://web.archive.org/web/20120527103654/http://www.koramis.com:80/advisories/2012/KORAMIS-ADV2012-001.txt
 	NOTE: http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html
 	NOTE: CVE id requested http://seclists.org/oss-sec/2012/q2/276
 CVE-2012-2330 (The Update method in src/node_http_parser.cc in Node.js before 0.6.17 ...)
@@ -98495,7 +98504,7 @@
 	NOTE: the kcheckpass utility is not present in sid (still present in src package, will check with KDE maints)
 	NOTE: Not exploitable without OpenPAM
 CVE-2011-5053 (The Wi-Fi Protected Setup (WPS) protocol, when the "external ...)
-	NOT-FOR-US: This vulnerability affects a protocol, not a product. More information can be found at http://www.kb.cert.org/vuls/id/723755. All products listed there are not part of Debian.
+	NOT-FOR-US: This vulnerability affects a protocol, not a product. More information can be found at http://www.kb.cert.org/vuls/id/723755 . All products listed there are not part of Debian.
 CVE-2012-0390 (The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain ...)
 	- gnutls28 3.0.11-1
 	- gnutls26 <not-affected> (lacks DTLS support and is not affected)
@@ -102346,7 +102355,7 @@
 	[squeeze] - xorg-server 2:1.7.7-14
 	[lenny] - xorg-server <no-dsa> (Minor issue)
 	NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=b67581cf825940fdf52bf2e0af4330e695d724a4
-	NOTE: this has a poc now: http://vladz.devzero.fr/Xorg-CVE-2011-4029.txt
+	NOTE: this has a poc now: http://web.archive.org/web/20111204204028/http://vladz.devzero.fr:80/Xorg-CVE-2011-4029.txt
 CVE-2011-4028 (The LockServer function in os/utils.c in X.Org xserver before 1.11.2 ...)
 	- xorg-server 2:1.11.1.901-2 (low)
 	[squeeze] - xorg-server 2:1.7.7-14
@@ -106577,7 +106586,7 @@
 	- cifs-utils 2:5.1-1 (low)
 	[squeeze] - cifs-utils 2:4.5-2+squeeze1
 	NOTE: cifs-utils was split off from the samba source package with 2:3.4.7~dfsg-2, so marking it as fixed
-	NOTE: http://git.samba.org/?p=cifs-utils.git;a=commit;h=1e7a32924b22d1f786b6f490ce8590656f578f91
+	NOTE: http://web.archive.org/web/20111209193822/http://git.samba.org/?p=cifs-utils.git;a=commit;h=1e7a32924b22d1f786b6f490ce8590656f578f91
 CVE-2011-2723 (The skb_gro_header_slow function in include/linux/netdevice.h in the ...)
 	{DSA-2303-1}
 	- linux-2.6 3.0.0-2
@@ -106649,7 +106658,7 @@
 	- eglibc 2.13-10
 	[squeeze] - eglibc <not-affected> (ssse3 optimizations not included in squeeze version)
 	- glibc <not-affected> (ssse3 optimizations not included)
-	NOTE: http://www.nodefense.org/eglibc.txt
+	NOTE: http://web.archive.org/web/20110824011938/http://www.nodefense.org:80/eglibc.txt
 	NOTE: fixed well before 2.13-10, but that is the present testing version that was available to check
 CVE-2011-2701 (The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when ...)
 	- freeradius <not-affected> (Introduced in 2.1.11, even sid ships 2.1.10+dfsg-3+b2)
@@ -108643,7 +108652,7 @@
 	- plone3 <removed>
 CVE-2011-1947 (fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time ...)
 	- fetchmail 6.3.22-1 (unimportant)
-	NOTE: http://gitorious.org/fetchmail/fetchmail/blobs/legacy_63/fetchmail-SA-2011-01.txt
+	NOTE: http://www.fetchmail.info/fetchmail-SA-2011-01.txt
 CVE-2011-1946 (gnomesu-pam-backend in libgnomesu 1.0.0 prints an error message but ...)
 	NOT-FOR-US: libgnomesu
 CVE-2011-1945 (The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and ...)
@@ -109915,7 +109924,7 @@
 	- php-htmlpurifier 4.3.0+dfsg1-1 (unimportant)
 	- mahara 1.2.5-1
 	[lenny] - mahara 1.0.4-4+lenny10
-	NOTE: http://htmlpurifier.org/news/2011/0327-4.3.0-released
+	NOTE: http://web.archive.org/web/20120515064303/http://htmlpurifier.org/news/2011/0327-4.3.0-released
 	NOTE: htmlpurifier only provides library functions, it's not vulnerable by itself
 	NOTE: If apps are vulnerable, this must be addressed there (as done for Mahara)
 CVE-2011-1517
@@ -109979,7 +109988,7 @@
 	- httpcomponents-client 4.1.1-1 (bug #628727)
 	[squeeze] - httpcomponents-client 4.0.1-1squeeze1
 	NOTE: http://seclists.org/oss-sec/2011/q2/188
-	NOTE: http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt
+	NOTE: http://web.archive.org/web/20130102213624/http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt
 CVE-2011-1497
 	RESERVED
 CVE-2011-1496 (tmux 1.3 and 1.4 does not properly drop group privileges, which allows ...)
@@ -111002,7 +111011,7 @@
 	[wheezy] - planet-venus <no-dsa> (Minor issue)
 	[squeeze] - planet-venus <no-dsa> (Minor issue)
 	[lenny] - planet-venus <no-dsa> (Minor issue)
-	NOTE: https://code.google.com/p/feedparser/issues/detail?id=255
+	NOTE: http://web.archive.org/web/20120304003020/https://code.google.com/p/feedparser/issues/detail?id=255
 CVE-2011-1157 (Cross-site scripting (XSS) vulnerability in feedparser.py in Universal ...)
 	- feedparser 5.0.1-1 (low; bug #617998)
 	[squeeze] - feedparser <no-dsa> (Minor issue)
@@ -111011,7 +111020,7 @@
 	[wheezy] - planet-venus <no-dsa> (Minor issue)
 	[squeeze] - planet-venus <no-dsa> (Minor issue)
 	[lenny] - planet-venus <no-dsa> (Minor issue)
-	NOTE: https://code.google.com/p/feedparser/issues/detail?id=254
+	NOTE: http://web.archive.org/web/20120211010803/https://code.google.com/p/feedparser/issues/detail?id=254
 CVE-2011-1156 (feedparser.py in Universal Feed Parser (aka feedparser or ...)
 	- feedparser 5.0.1-1 (low; bug #617998)
 	[squeeze] - feedparser <no-dsa> (Minor issue)
@@ -111020,7 +111029,7 @@
 	[wheezy] - planet-venus <no-dsa> (Minor issue)
 	[squeeze] - planet-venus <no-dsa> (Minor issue)
 	[lenny] - planet-venus <no-dsa> (Minor issue)
-	NOTE: https://code.google.com/p/feedparser/issues/detail?id=91
+	NOTE: http://web.archive.org/web/20130326201801/http://code.google.com/p/feedparser/issues/detail?id=91
 CVE-2011-1155 (The writeState function in logrotate.c in logrotate 3.7.9 and earlier ...)
 	- logrotate 3.8.0-1
 	[squeeze] - logrotate <no-dsa> (Minor issue)
@@ -111564,8 +111573,8 @@
 	- clamav 0.97+dfsg-1 (low)
 	[squeeze] - clamav 0.97+dfsg-2~squeeze1 (bug #617444)
 	[lenny] - clamav <end-of-life>
-	NOTE: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2486
-	NOTE: http://git.clamav.net/gitweb?p=clamav-devel.git;a=commit;h=d21fb8d975f8c9688894a8cef4d50d977022e09f
+	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=2486
+	NOTE: http://web.archive.org/web/20110304224953/http://git.clamav.net:80/gitweb?p=clamav-devel.git;a=commit;h=d21fb8d975f8c9688894a8cef4d50d977022e09f
 CVE-2011-1002 (avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows ...)
 	{DSA-2174-1}
 	- avahi 0.6.28-4 (bug #614785)
@@ -112367,7 +112376,7 @@
 CVE-2011-0724 (The Live DVD for Edubuntu 9.10, 10.04 LTS, and 10.10 does not ...)
 	- italc <not-affected> (Only Edubuntu Live DVD affected)
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/italc/+bug/714864
-	NOTE: https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-February/001245.html
+	NOTE: http://web.archive.org/web/20140817234205/https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-February/001245.html
 CVE-2011-0723 (FFmpeg 0.5.x, as used in MPlayer and other products, allows remote ...)
 	{DSA-2306-1}
 	- libav 4:0.6-1
@@ -113201,8 +113210,7 @@
 	- ikiwiki 3.20110122
 	[squeeze] - ikiwiki 3.20100815.5
 	[lenny] - ikiwiki <not-affected> (Vulnerable code not present)
-	NOTE: http://ikiwiki.info/security/
-	NOTE: http://ikiwiki.info/news/version_3.20110122/
+	NOTE: https://ikiwiki.info/security/#index38h2
 CVE-2011-0427 (Heap-based buffer overflow in Tor before 0.2.1.29 and 0.2.2.x before ...)
 	{DSA-2148-1}
 	- tor 0.2.1.29-1
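Review bot: The single replacement line, `NOTE: https://ikiwiki.info/security/#index38h2`, drops the second reference (the `news/version_3.20110122/` release announcement) without a substitute. Its `#index38h2` fragment also looks like a generated, position-based anchor, which will point at a different advisory once the security page gains or reorders sections. Suggest keeping the plain `https://ikiwiki.info/security/` link, naming the advisory section in the NOTE text, and adding an archived copy of the release announcement if the live one is gone.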
@@ -116982,7 +116990,7 @@
 	{DSA-2130-1}
 	- bind9 1:9.7.2.dfsg.P2-1 (bug #599515)
 	NOTE: http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html
-	NOTE: ACL bypass claimed to only affect >=9.7.2: https://lists.isc.org/pipermail/bind-announce/2010-September/000655.html
+	NOTE: ACL bypass claimed to only affect >=9.7.2: https://kb.isc.org/article/AA-00935/0/CVE-2010-3762%3A-failure-to-handle-bad-signatures-if-multiple-trust-anchors-configured.html 
 	NOTE: The crash with multiple trust anchors affects 9.6 and is fixed in 9.6-ESV-R2.
 CVE-2010-3761 (Unspecified vulnerability in IBM Tivoli Storage Manager (TSM) FastBack ...)
 	NOT-FOR-US: IBM Tivoli Storage Manager
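Review bot: The NOTE label "ACL bypass claimed to only affect >=9.7.2:" is unchanged, but the new target's slug reads `CVE-2010-3762%3A-failure-to-handle-bad-signatures-if-multiple-trust-anchors-configured`, which is the trust-anchor crash covered by the following NOTE, not the ACL bypass claim. Either point this line at an archived copy of the original bind-announce message or reword the label to match what the KB article actually covers. The added line also ends in a trailing space after `.html`.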
@@ -124917,7 +124925,7 @@
 	NOT-FOR-US: Discloser
 CVE-2010-XXXX [dojo can be used as a redirector]
 	- dojo 1.4.2+dfsg-1 (low)
-	NOTE: http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
+	NOTE: http://web.archive.org/web/20101029020014/http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
 	NOTE: http://bugs.dojotoolkit.org/ticket/10773
 CVE-2010-0985 (Directory traversal vulnerability in the Abbreviations Manager ...)
 	NOT-FOR-US: com_abbrev component for Joomla!
@@ -126541,7 +126549,7 @@
 	- otrs <not-affected> (vulnerable code not present)
 	[etch] - otrs2 <not-affected> (vulnerable code not present)
 	- otrs2 2.4.7-1 (medium)
-	NOTE: http://otrs.org/advisory/OSA-2010-01-en/
+	NOTE: http://web.archive.org/web/20111224162621/http://otrs.org/advisory/OSA-2010-01-en/
 CVE-2010-0437 (The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux ...)
 	- linux-2.6 2.6.26-9
 CVE-2010-0436 (Race condition in backend/ctrl.c in KDM in KDE Software Compilation ...)
@@ -127907,7 +127915,7 @@
 	- mysql-dfsg-5.0 <removed> (medium)
 	- mysql-5.1 5.1.41-4 (medium)
 	- cyassl <not-affected> (Fixed before initial upload to archive)
-	NOTE: http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html
+	NOTE: http://web.archive.org/web/20100129040903/http://intevydis.blogspot.com:80/2010/01/mysq-yassl-stack-overflow.html
 	NOTE: http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.0/revision/2837.1.1
 CVE-2009-4483 (Unspecified vulnerability in LDAP3A.exe in MailSite 8.0.4 allows ...)
 	NOT-FOR-US: MailSite
@@ -129365,7 +129373,7 @@
 CVE-2009-4022 (Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before ...)
 	{DSA-1961-1}
 	- bind9 1:9.6.1.dfsg.P2-1 (medium)
-	NOTE: <https://www.isc.org/node/504>
+	NOTE: https://www.isc.org/node/504
 	NOTE: Only affects installations with trust anchors, but then the
 	NOTE: consequences are quite severe.
 CVE-2009-4020 (Stack-based buffer overflow in the hfs subsystem in the Linux kernel ...)
@@ -129377,8 +129385,8 @@
 	{DSA-1997-1}
 	- mysql-5.1 5.1.41-1
 	- mysql-dfsg-5.0 <removed>
-	NOTE: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html
-	NOTE: http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html
+	NOTE: http://web.archive.org/web/20140722233305/http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html
+	NOTE: http://web.archive.org/web/20140723045533/http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html
 	NOTE: http://bugs.mysql.com/47780
 	NOTE: http://bugs.mysql.com/48291
 CVE-2009-4018 (The proc_open function in ext/standard/proc_open.c in PHP before ...)
@@ -129998,7 +130006,7 @@
 	[lenny] - kdelibs <no-dsa> (minor and unlikely to be exploited)
 	[etch] - kdelibs <no-dsa> (minor and unlikely to be exploited)
 	NOTE: http://www.ocert.org/advisories/ocert-2009-015.html
-	NOTE: http://www.portcullis-security.com/advisories
+	NOTE: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/pre-2014-advisories/
 	NOTE: advisory mentions kmail and ark (from kdepim and kdeutils, respectively)
 	NOTE: but the "fixes" linked from the advisory only change code in kdelibs
 	NOTE: more info at oss-sec threads
@@ -135014,7 +135022,7 @@
 CVE-2009-2346 (The IAX2 protocol implementation in Asterisk Open Source 1.2.x before ...)
 	- asterisk 1:1.6.2.0~dfsg~beta3-1 (bug #539473)
 	[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
-	[lenny] - asterisk <no-dsa> (Intrusive protocol-level vulnerabilitity, see http://downloads.asterisk.org/pub/security/IAX2-security.pdf)
+	[lenny] - asterisk <no-dsa> (Intrusive protocol-level vulnerabilitity, see http://downloads.asterisk.org/pub/security/IAX2-security.pdf )
 CVE-2009-2345 (Multiple SQL injection vulnerabilities in ClanSphere before 2009.0.1 ...)
 	NOT-FOR-US: ClanSphere
 CVE-2009-2344 (The web-based management interfaces in Sourcefire Defense Center (DC) ...)
@@ -136665,7 +136673,7 @@
 	- kde4libs <not-affected> (medium; bug #538349)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=513813#c18
 	NOTE: patch http://trac.webkit.org/changeset/44799/
-	NOTE: PoC https://cevans-app.appspot.com/static/webkitentityoffbyone.html
+	NOTE: PoC http://web.archive.org/web/20110813092643/https://cevans-app.appspot.com/static/webkitentityoffbyone.html
 CVE-2009-1724 (Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari ...)
 	- qt4-x11 <not-affected> (bug #538403)
 	[etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4)
@@ -137327,15 +137335,15 @@
 	NOT-FOR-US: BluSky CMS
 CVE-2009-XXXX [prewkikka: pasword world-readable]
 	- prewikka 0.9.11.3-2 (low; bug #527476)
-	NOTE: FEDORA-2009-3761 (http://lwn.net/Articles/330642)
+	NOTE: FEDORA-2009-3761 http://lwn.net/Articles/330642
 CVE-2009-XXXX [prelude-manager: password world-readable]
 	- prelude-manager <not-affected> (The postinst sets correct permissions, see bug #527344)
-	NOTE: FEDORA-2009-3931 (http://lwn.net/Articles/331612)
+	NOTE: FEDORA-2009-3931 http://lwn.net/Articles/331612
 CVE-2009-XXXX [bash-completion: does not properly quote characters]
 	- bash-completion 200811xx~bzr1223 (bug #259987)
 	NOTE: adding this reference to track the fact that this has already been addressed by debian security
 	NOTE: fixed over a year ago in debian; but fedora finally got around to addressing the issue recently
-	NOTE: FEDORA-2009-3639 (http://lwn.net/Articles/331605)
+	NOTE: FEDORA-2009-3639 http://lwn.net/Articles/331605
 CVE-2009-1547 (Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, ...)
 	NOT-FOR-US: Microsoft Internet Explorer
 CVE-2009-1546 (Integer overflow in Avifil32.dll in the Windows Media file handling ...)
@@ -138178,12 +138186,12 @@
 CVE-2009-1371 (The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before ...)
 	{DSA-1771-1}
 	- clamav 0.95.1+dfsg-1
-	NOTE: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1552
+	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=1552
 CVE-2009-1372 (Stack-based buffer overflow in the cli_url_canon function in ...)
 	- clamav 0.95.1+dfsg-1
 	[etch] - clamav <not-affected> (vulnerable code not present)
 	[lenny] - clamav <not-affected> (vulnerable code not present)
-	NOTE: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1552
+	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=1552
 CVE-2009-1291 (Stack-based buffer overflow in TIBCO SmartSockets before 6.8.2, ...)
 	NOT-FOR-US: SmartSockets
 CVE-2009-1290 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...)
@@ -142694,7 +142702,7 @@
 	[lenny] - xmlsec1 <no-dsa> (Minor issue)
 	- mono 2.4.2.3+dfsg-1
 	NOTE: http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
-	NOTE: http://anonsvn.mono-project.com/viewvc?view=rev&revision=137891
+	NOTE: http://web.archive.org/web/20090124230233/http://anonsvn.mono-project.com:80/viewvc?view=rev
 	NOTE: http://www.aleksey.com/xmlsec/download.html (1.2.12 has fix)
 	- sun-java6 6-15-1
 	[lenny] - sun-java6 6-20-0lenny1
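Review bot: The replacement for the mono link loses `&revision=137891`: the archived URL ends in `viewvc?view=rev`, so it no longer identifies which change fixed the issue. The snapshot timestamp `20090124230233` also predates the W3C note two lines up, whose path is dated 2009/07. If no snapshot of the exact revision exists, keep the revision number in the NOTE text (for example "mono svn r137891") so the fix stays traceable.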
@@ -144656,7 +144664,7 @@
 	- sun-java6 6-12-1 (bug #508195)
 	[lenny] - sun-java6 6-20-0lenny1
 	- openjdk-6 <not-affected> (bug in plugin code)
-	NOTE: For OpenJDK, see: <http://mail.openjdk.java.net/pipermail/core-libs-dev/2009-June/001784.html>
+	NOTE: For OpenJDK, see: http://mail.openjdk.java.net/pipermail/core-libs-dev/2009-June/001784.html
 CVE-2008-5344 (Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in ...)
 	- sun-java5 1.5.0-17-0.1 (bug #508194)
 	[etch] - sun-java5 <no-dsa> (Non-free not supported)
@@ -145147,7 +145155,7 @@
 	[lenny] - kfreebsd-7 7.0-7lenny1
 CVE-2008-5161 (Error handling in the SSH protocol in (1) SSH Tectia Client and Server ...)
 	- openssh 1:5.1p1-5 (low; bug #506115)
-	[etch] - openssh <no-dsa> (Minor issue, see http://www.openssh.org/txt/cbc.adv)
+	[etch] - openssh <no-dsa> (Minor issue, see http://www.openssh.org/txt/cbc.adv )
 CVE-2008-5185 (The highlighting functionality in geshi.php in GeSHi before 1.0.8 ...)
 	{DTSA-179-1}
 	- geshi 1.0.8.1-1 (medium)
@@ -150807,7 +150815,7 @@
 	- checkinstall 1.6.1-7 (low; bug #488140)
 CVE-2008-XXXX [werkzeug hashes its secret instead of using hmac]
 	- python-werkzeug 0.3.1-1
-	NOTE: http://lucumr.pocoo.org/cogitations/2008/06/24/werkzeug-031-released/
+	NOTE: http://web.archive.org/web/20081229140824/http://lucumr.pocoo.org:80/cogitations/2008/06/24/werkzeug-031-released/
 CVE-2008-2841 (Argument injection vulnerability in XChat 2.8.7b and earlier on ...)
 	- xchat <not-affected> (Windows specific problem)
 CVE-2008-2840 (Multiple directory traversal vulnerabilities in Exero CMS 1.0.0 and ...)
@@ -152508,7 +152516,7 @@
 CVE-2008-2108 (The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, ...)
 	{DSA-1789-1}
 	- php5 5.2.2-1 (low)
-	NOTE: http://www.sektioneins.de/advisories/SE-2008-02.txt
+	NOTE: http://web.archive.org/web/20120118120046/http://www.sektioneins.de/advisories/SE-2008-02.txt
 CVE-2008-2107 (The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, ...)
 	{DSA-1789-1}
 	- php5 5.2.2-1 (low)
@@ -152659,7 +152667,7 @@
 	{DSA-1578-1 DSA-1572-1 DTSA-135-1}
 	- php5 5.2.6-1
 	NOTE: http://www.php.net/ChangeLog-5.php
-	NOTE: http://www.sektioneins.de/advisories/SE-2008-03.txt
+	NOTE: http://web.archive.org/web/20120524033327/http://www.sektioneins.de/advisories/SE-2008-03.txt
 CVE-2008-2050 (Stack-based buffer overflow in the FastCGI SAPI (fastcgi.c) in PHP ...)
 	{DSA-1572-1 DTSA-135-1}
 	- php5 5.2.6-1
@@ -157036,7 +157044,7 @@
 CVE-2008-0299 (common.py in Paramiko 1.7.1 and earlier, when using threads or forked ...)
 	- paramiko 1.6.4-1.1 (low; bug #460706)
 	[etch] - paramiko <no-dsa> (Minor issue)
-	NOTE: http://www.lag.net/pipermail/paramiko/2008-January/000599.html
+	NOTE: http://web.archive.org/web/20100715101310/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
 CVE-2008-0237 (The Microsoft Rich Textbox ActiveX Control (RICHTX32.OCX) 6.1.97.82 ...)
 	NOT-FOR-US: Microsoft Rich Textbox ActiveX Control
 CVE-2008-0236 (An ActiveX control for Microsoft Visual FoxPro (vfp6r.dll 6.0.8862.0) ...)
@@ -157230,7 +157238,7 @@
 	{DSA-1465-2}
 	- apt-listchanges 2.82 (medium)
 	[sarge] - apt-listchanges <not-affected> (Vulnerable code not present)
-	NOTE: see http://git.madism.org/?p=apt-listchanges.git;a=commitdiff;h=1bcfbf3dc55413bb83a1782dc9a54515a963fb32
+	NOTE: see http://web.archive.org/web/20080206193307/http://git.madism.org:80/?p=apt-listchanges.git;a=commitdiff;h=1bcfbf3dc55413bb83a1782dc9a54515a963fb32
 CVE-2008-0160
 	RESERVED
 CVE-2007-6680 (Trusted Execution in IBM AIX 6.1 uses an incorrect pathname argument ...)
@@ -164427,7 +164435,7 @@
 	NOT-FOR-US: snif
 CVE-2007-4280 (The Skinny channel driver (chan_skinny) in Asterisk Open Source before ...)
 	- asterisk 1:1.4.10~dfsg-1
-	NOTE: http://ftp.digium.com/pub/asa/ASA-2007-019.html
+	NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-019.htm
 	[sarge] - asterisk <not-affected> (not affected according to advisory)
 	[etch] - asterisk <not-affected> (not affected according to advisory)
 CVE-2007-4263 (Unspecified vulnerability in the server side of the Secure Copy (SCP) ...)
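Review bot: The new link for the chan_skinny entry moves from `ftp.digium.com/pub/asa/` to `downloads.avaya.com/elmodocs2/security/`, and the only thing the two URLs share is the id `ASA-2007-019`. Avaya numbers its own advisories ASA-YYYY-NNN as well, so a matching id does not show that the target is the Asterisk advisory. Please confirm the page content describes this Asterisk issue; if it does not, an archived copy of the original ftp.digium.com page is the safer replacement. The same check applies to the other `ftp.digium.com/pub/asa/` replacements in this commit.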
@@ -165591,22 +165599,22 @@
 	- asterisk 1:1.4.8~dfsg-1 (bug #433681)
 	[sarge] - asterisk <not-affected> (1.0.x not affected)
 	[etch] - asterisk <not-affected> (1.2.x not affected)
-	NOTE: http://ftp.digium.com/pub/asa/ASA-2007-017.html
+	NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-017.htm
 CVE-2007-3764 (The Skinny channel driver (chan_skinny) in Asterisk before 1.2.22 and ...)
 	{DSA-1358-1}
 	- asterisk 1:1.4.8~dfsg-1
 	NOTE: Etch and Sarge affected
-	NOTE: http://ftp.digium.com/pub/asa/ASA-2007-016.html
+	NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-016.htm
 CVE-2007-3763 (The IAX2 channel driver (chan_iax2) in Asterisk before 1.2.22 and ...)
 	{DSA-1358-1}
 	- asterisk 1:1.4.8~dfsg-1
 	NOTE: Etch and Sarge affected
-	NOTE: http://ftp.digium.com/pub/asa/ASA-2007-015.html
+	NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-015.htm
 CVE-2007-3762 (Stack-based buffer overflow in the IAX2 channel driver (chan_iax2) in ...)
 	{DSA-1358-1}
 	- asterisk 1:1.4.8~dfsg-1 (high)
 	NOTE: Etch and Sarge affected
-	NOTE: http://ftp.digium.com/pub/asa/ASA-2007-014.html
+	NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-014.htm
 CVE-2007-3820 (konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers to ...)
 	- kdebase 4:3.5.7-3 (bug #433072; low)
 	[sarge] - kdebase <no-dsa> (Minor issue)
@@ -166535,7 +166543,7 @@
 	{DSA-1426-1}
 	- qt-x11-free 3:3.3.7-6
 	- qt4-x11 <not-affected> (This problem is not present in any version of Qt 4)
-	NOTE: http://trolltech.com/company/newsroom/announcements/press.2007-07-27.7503755960
+	NOTE: http://web.archive.org/web/20080206133848/http://trolltech.com:80/company/newsroom/announcements/press.2007-07-27.7503755960
 CVE-2007-3387 (Integer overflow in the StreamPredictor::StreamPredictor function in ...)
 	{DSA-1357-1 DSA-1355-1 DSA-1354-1 DSA-1352-1 DSA-1350-1 DSA-1349-1 DSA-1348-1 DSA-1347-1 DTSA-49-1 DTSA-50-1 DTSA-54-1 DTSA-62-1}
 	- poppler 0.5.4-6.1 (bug #435460)
@@ -168127,7 +168135,7 @@
 	[sarge] - libgd <no-dsa> (Minor issue)
 	[etch] - libgd2 <no-dsa> (Minor issue)
 	[sarge] - libgd2 <no-dsa> (Minor issue)
-	NOTE: http://bugs.libgd.org/?do=details&task_id=86
+	NOTE: https://web.archive.org/web/20090212193455/http://bugs.libgd.org/?do=details&task_id=86
 CVE-2007-2755 (The PrecisionID Barcode 1.9 ActiveX control in ...)
 	NOT-FOR-US: PrecisionID
 CVE-2007-2754 (Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and ...)
@@ -168753,7 +168761,7 @@
 	- asterisk 1:1.4.5~dfsg-1 (low)
 	NOTE: no-dsa / unimportant candidate, the opposite side of the telephone line
 	NOTE: could just as well hang-up
-	NOTE: http://ftp.digium.com/pub/asa/ASA-2007-013.html
+	NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-013.htm
 CVE-2007-2480 (The _udp_lib_get_port function in net/ipv4/udp.c in Linux kernel ...)
 	- linux-2.6 2.6.22-1 (medium)
 CVE-2007-2479 (Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers ...)
@@ -169075,7 +169083,7 @@
 CVE-2007-2378 (The Google Web Toolkit (GWT) framework exchanges data using JavaScript ...)
 	- gwt <removed> (unimportant; bug #563542)
 	NOTE: javascript security guidelines provided to developers to avoid these issues
-	NOTE: http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
+	NOTE: https://developers.google.com/web-toolkit/articles/security_for_gwt_applications 
 CVE-2007-2377 (The Getahead Direct Web Remoting (DWR) framework 1.1.4 exchanges data ...)
 	NOT-FOR-US: Getahead Direct Web Remoting
 CVE-2007-2376 (The Dojo framework exchanges data using JavaScript Object Notation ...)
@@ -169270,13 +169278,13 @@
 	{DSA-1358-1}
 	- asterisk 1:1.4.3~dfsg-1 (low)
 	NOTE: Etch and Sarge affected
-	NOTE: http://ftp.digium.com/pub/asa/ASA-2007-012.html
+	NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-012.htm
 CVE-2007-2293 (Multiple stack-based buffer overflows in the process_sdp function in ...)
 	- asterisk 1:1.4.3~dfsg-1 (high)
 	[sarge] - asterisk <not-affected> (1.0.x not affected)
 	[etch] - asterisk <not-affected> (1.2.x not affected)
 	[lenny] - asterisk <not-affected> (vulnerable code not present)
-	NOTE: http://ftp.digium.com/pub/asa/ASA-2007-010.html
+	NOTE: https://downloads.avaya.com/elmodocs2/security/ASA-2007-010.htm
 CVE-2007-2292 (CRLF injection vulnerability in the Digest Authentication support for ...)
 	{DSA-1401-1 DSA-1396-1 DSA-1392-1 DTSA-69-1 DTSA-80-1}
 	- iceweasel 2.0.0.8-1 (low)
@@ -169866,7 +169874,7 @@
 CVE-2007-2029 (File descriptor leak in the PDF handler in Clam AntiVirus (ClamAV) ...)
 	{DSA-1281-1 DTSA-37-1}
 	- clamav 0.90.2-1 (low; bug #418849)
-	NOTE: closed report: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=459
+	NOTE: closed report: https://bugzilla.clamav.net/show_bug.cgi?id=459
 	NOTE: Commit r3021 looks as if it's just a null pointer dereference.
 CVE-2007-2028 (Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to ...)
 	- freeradius 1.1.6-1 (low)
@@ -174061,7 +174069,7 @@
 	- smb4k 0.8.1-1 (low)
 	[etch] - smb4k <no-dsa> (Minor issue)
 	NOTE: not fixed in 0.8.0, see
-	NOTE: http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769
+	NOTE: https://web.archive.org/web/20070712072042/http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769
 CVE-2007-0473 (The writeFile function in core/smb4kfileio.cpp in Smb4K before 0.8.0 ...)
 	- smb4k 0.8.0-1 (low)
 	[etch] - smb4k <no-dsa> (Minor issue)
@@ -174993,7 +175001,7 @@
 	NOT-FOR-US: Serene Bach
 CVE-2007-0136 (Multiple cross-site scripting (XSS) vulnerabilities in Drupal before ...)
 	- drupal 4.7.5-1
-	NOTE: vendor advisory: http://drupal.org/node/104233, DRUPAL-SA-2007-001
+	NOTE: vendor advisory: http://drupal.org/node/104233 - DRUPAL-SA-2007-001
 CVE-2007-0135 (PHP remote file inclusion vulnerability in inc/init.inc.php in Aratix ...)
 	NOT-FOR-US: Aratix
 CVE-2007-0134 (Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow ...)
@@ -175249,11 +175257,11 @@
 CVE-2006-6876 (Buffer overflow in the fetchsms function in the SMS handling module ...)
 	- openser 1.1.1-1 (medium)
 	[etch] - openser 1.1.0-9etch1
-	NOTE: http://www.openser.org/pub/openser/1.1.1/ChangeLog
+	NOTE: http://web.archive.org/web/20151126200215/http://www.openser.org/pub/openser/1.1.1/ChangeLog
 CVE-2006-6875 (Buffer overflow in the validateospheader function in the Open ...)
 	- openser 1.1.1-1 (medium)
 	[etch] - openser 1.1.0-9etch1
-	NOTE: http://www.openser.org/pub/openser/1.1.1/ChangeLog
+	NOTE: http://web.archive.org/web/20151126200215/http://www.openser.org/pub/openser/1.1.1/ChangeLog
 CVE-2006-6874 (Multiple cross-site scripting (XSS) vulnerabilities in friend.php in ...)
 	NOT-FOR-US: eNdonesia CMS
 CVE-2006-6873 (Multiple SQL injection vulnerabilities in mod.php in eNdonesia 8.4 ...)
@@ -182020,7 +182028,7 @@
 CVE-2006-3946 (WebCore in Apple Mac OS X 10.3.9 and 10.4 through 10.4.7 allows remote ...)
 	NOT-FOR-US: Apple Safari 2.0.4
 	NOTE: konqueror 3.5.x is not affected
-	NOTE: PoC http://browserfun.blogspot.com/2006/07/mobb-31-safari-khtmlparserpoponeblock.html
+	NOTE: PoC http://web.archive.org/web/20130701013045/http://browserfun.blogspot.com/2006/07/mobb-31-safari-khtmlparserpoponeblock.html
 CVE-2006-3945 (The CSS functionality in Opera 9 on Windows XP SP2 allows remote ...)
 	NOT-FOR-US: Opera
 CVE-2006-3944 (Microsoft Internet Explorer 6 on Windows XP SP2 allows remote ...)
@@ -190406,7 +190414,7 @@
 	[sarge] - mozilla <no-dsa> (Hardly exploitable)
 	- xulrunner <unfixed> (unimportant)
 CVE-2005-4684 (Konqueror can associate a cookie with multiple domains when the DNS ...)
-	NOTE: http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc5?root=fedora&rev=1.172&view=markup says "ignore (kdebase) not fixed upstream, low, can't fix"
+	NOTE: http://www.redhat.com/archives/fedora-extras-commits/2006-August/msg01104.html says "ignore (kdebase) not fixed upstream, low, can't fix"
 	- kdebase <unfixed> (unimportant)
 	[sarge] - kdebase <no-dsa> (Hardly exploitable)
 CVE-2005-4683 (PADL MigrationTools 46, when a failure occurs, stores contents of ...)
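Review bot: The CVE-2005-4684 NOTE quotes its source ("ignore (kdebase) not fixed upstream, low, can't fix"), but the replacement swaps a pinned viewcvs revision (`rev=1.172`) for a fedora-extras-commits list message. Please confirm the quoted text appears in that message; otherwise the sentence "<url> says ..." attributes the quote to a page that does not contain it.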
@@ -192646,7 +192654,7 @@
 	- mozilla 2:1.7.13-0.1 (unimportant)
 	[sarge] - mozilla-thunderbird 1.0.2-2.sarge1.0.8 (unimportant)
 	NOTE: Not exploitable beyond a sluggish browser startup, see
-	NOTE: http://www.mozilla.org/security/history-title.html
+	NOTE: http://web.archive.org/web/20141206010602/https://www.mozilla.org/security/history-title.html
 CVE-2005-4133 (Sun Update Connection in Sun Solaris 10, when configured to use a web ...)
 	NOT-FOR-US: Solaris
 CVE-2005-4132 (Unspecified "security leak" vulnerability in Contenido before 4.6.4, ...)
@@ -195304,7 +195312,7 @@
 	- linux-2.6 2.6.12-2
 	[sarge] - kernel-source-2.4.27 <not-affected>
 	[sarge] - kernel-source-2.6.8 <not-affected>
-	NOTE: http://www.kernel.org/git/?p=linux/kernel/git/chrisw/linux-2.6.12.y.git;a=commit;h=4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e
+	NOTE: http://kernel.suse.com/cgit/kernel/commit/?h=v2.6.12.5&id=4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e
 CVE-2005-XXXX [Insecure temp file usage in thttpd's syslogtocern]
 	- thttpd 2.23beta1-4 (low)
 	[sarge] - thttpd <no-dsa> (Minor issue in addon package)
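Review bot: The kernel.org gitweb link is replaced with a vendor mirror (`kernel.suse.com/cgit/kernel/commit/?h=v2.6.12.5&id=...`) rather than an upstream or archived location, and the branch changes from the `linux-2.6.12.y` tree to a `v2.6.12.5` ref. The commit id `4717ecd49ce5c556d38e8c7b6fdc9fac5d35c00e` is preserved, so the fix is still identifiable, but a link to the upstream stable tree would be preferable if one resolves.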
@@ -196081,7 +196089,7 @@
 	- webmin 1.230-1 (high; bug #329741)
 	[sarge] - webmin <not-affected> (Vulnerable code not present, see #329741)
 	- usermin 1.160-1 (high; bug #329742)
-	NOTE: SNS Advisory 83, http://marc.theaimsgroup.com/?m=112733083203821
+	NOTE: SNS Advisory 83, http://web.archive.org/web/20060509133229/http://marc.theaimsgroup.com:80/?m=112733083203821
 CVE-2005-3041 (Unspecified "drag-and-drop vulnerability" in Opera Web Browser before ...)
 	NOT-FOR-US: Opera
 CVE-2005-3040 (Directory traversal vulnerability in the web interface (ISALogin.dll) ...)
@@ -197312,7 +197320,7 @@
 	NOT-FOR-US: Sun JSSE and JRE
 CVE-2005-2617 (The syscall32_setup_pages function in syscall32.c for Linux kernel ...)
 	{DTSA-16-1}
-	NOTE: http://lists.debian.org/debian-kernel/2005/08/msg00991.html, amd64 specific DOS
+	NOTE: http://lists.debian.org/debian-kernel/2005/08/msg00991.html - amd64 specific DOS
 	- linux-2.6 2.6.12-6
 CVE-2005-2616 (Multiple PHP file include vulnerabilities in ezUpload 2.2 allow remote ...)
 	NOT-FOR-US: ezUpload
@@ -198727,7 +198735,7 @@
 	NOT-FOR-US: Microsoft
 CVE-2002-2061 (Heap-based buffer overflow in Netscape 6.2.3 and Mozilla 1.0 and ...)
 	NOTE: fixed in upstream 1.0.1
-	NOTE: see http://www.mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html
+	NOTE: see http://web.archive.org/web/20090628044831/http://www.mozilla.org/releases/mozilla1.0.1/security-fixes-1.0.1.html
 	- mozilla 2:1.1-1 (low)
 CVE-2002-2060 (Buffer overflow in Links 2.0 pre4 allows remote attackers to crash ...)
 	- links2 <not-affected> (Fixed before upload into archiv; 2.0pre5)
@@ -204404,7 +204412,7 @@
 	NOT-FOR-US: Cayman DSL router
 CVE-2001-1429 (Buffer overflow in mcedit in Midnight Commander 4.5.1 allows local ...)
 	NOTE: I could track this down to this posting
-	NOTE: http://cert.uni-stuttgart.de/archive/vuln-dev/2001/11/msg00104.html
+	NOTE: http://web.archive.org/web/20051206035530/http://cert.uni-stuttgart.de:80/archive/vuln-dev/2001/11/msg00104.html
 	NOTE: This looks very obscure an does not contain useful information on how this
 	NOTE: was triggered and even then it's not a problem, as mcedit usage does not
 	NOTE: have a remote impact and is not suid
@@ -206078,7 +206086,7 @@
 CVE-2005-0406 (A design flaw in image processing software that modifies JPEG images ...)
 	- imagemagick <unfixed> (bug #298051; unimportant)
 	NOTE: <Maulkin> The EXIF spec says "if your app can't handle $foo, don't touch $foo"
-	NOTE: <Piet> 'convert -strip' will remove exif data according to http://www.imagemagick.org/pipermail/magick-users/2006-May/017538.html
+	NOTE: <Piet> 'convert -strip' will remove exif data according to http://web.archive.org/web/20130922031724/http://www.imagemagick.org:80/pipermail/magick-users/2006-May/017538.html
 CVE-2005-0405
 	RESERVED
 CVE-2005-0404 (KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email ...)
@@ -208418,7 +208426,7 @@
 	- mysql-dfsg-4.1 4.1.10a-6
 	- mysql-dfsg 4.0.24-5
 CVE-2004-0956 (MySQL before 4.0.20 allows remote attackers to cause a denial of ...)
-	- mysql-dfsg <not-affected> (Not vulnerable, http://www.debian.org/security/nonvulns-sarge)
+	- mysql-dfsg <not-affected> (Not vulnerable, http://web.archive.org/web/20070529152436/http://www.debian.org/security/nonvulns-sarge)
 CVE-2004-0955
 	REJECTED
 CVE-2004-0954
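Review bot: In the mysql-dfsg line the new URL still runs straight into the closing parenthesis (`.../security/nonvulns-sarge)`), so a URL extractor can pick up the `)` as part of the link. Other hunks in this commit insert a space before `)` for exactly this reason (the asterisk IAX2-security.pdf and openssh cbc.adv lines); the same separation should be applied here for consistency.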
@@ -208857,7 +208865,7 @@
 CVE-2004-0787 (Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA ...)
 	NOT-FOR-US: OpenCA
 CVE-2004-0786 (The IPv6 URI parsing routines in the apr-util library for Apache ...)
-	- apache <not-affected>	(not vulnerable according to http://www.debian.org/security/nonvulns-sarge)
+	- apache <not-affected>	(not vulnerable according to http://web.archive.org/web/20070529152436/http://www.debian.org/security/nonvulns-sarge)
 	- apache2 2.0.51
 CVE-2004-0785 (Multiple buffer overflows in Gaim before 0.82 allow remote attackers ...)
 	- gaim 1:0.82
@@ -209815,7 +209823,7 @@
 CVE-2004-0394 (A "potential" buffer overflow exists in the panic() function in Linux ...)
 	{DSA-1082-1 DSA-1070-1 DSA-1069-1 DSA-1067-1}
 	- linux-2.6 <not-affected>
-	NOTE: patch: http://www.ultramonkey.org/bugs/cve-patch/CVE-2004-0394.patch
+	NOTE: patch: http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0394.patch
 CVE-2004-0393 (Format string vulnerability in the msg function for rlpr daemon ...)
 	{DSA-524}
 	- rlpr 2.02-7.1 (bug #255402)
@@ -210026,7 +210034,7 @@
 	NOTE: it's not quite clear which version exactly fixes the problem;
 	NOTE: I checked the source code of the most recent version and compared
 	NOTE: it with the problematic section described in the advisory
-	NOTE: (http://marc.theaimsgroup.com/?l=bugtraq&m=107695139930726&w=2)
+	NOTE: (http://web.archive.org/web/20060430085228/http://marc.theaimsgroup.com/?l=bugtraq&m=107695139930726&w=2)
 	NOTE: and I can confirm the buffer overflow is fixed there
 CVE-2004-0287 (Xlight FTP server 1.52 allows remote authenticated users to cause a ...)
 	NOT-FOR-US: Xlight FTP server 1.52;
@@ -212530,7 +212538,7 @@
 	- balsa 2.0.10
 	- mutt 1.4.0
 CVE-2003-0166 (Integer signedness error in emalloc() function for PHP before 4.3.2 ...)
-	- php4 <not-affected> (Non-issue; see http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2)
+	- php4 <not-affected> (Non-issue; see http://marc.theaimsgroup.com/?l=bugtraq&m=104931415307111&w=2 ) 
 CVE-2003-0165 (Format string vulnerability in Eye Of Gnome (EOG) allows attackers to ...)
 	- eog 2.2.1
 CVE-2003-0164
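Review bot: The php4 line keeps the live `marc.theaimsgroup.com` URL and only adds a space before `)`, while the other `marc.theaimsgroup.com` references touched in this commit are switched to web.archive.org snapshots. If that host is considered dead elsewhere in the change, this link should get the same treatment. The added line also carries a trailing space after the closing parenthesis.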
@@ -214287,7 +214295,7 @@
 	- rxvt 1:2.6.4-6.1
 CVE-2003-0021 (The "screen dump" feature in Eterm 0.9.1 and earlier allows attackers ...)
 	- eterm 0.9.2-1
-	NOTE: According to upstream changelog and http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
+	NOTE: According to upstream changelog and http://web.archive.org/web/20060505232225/http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
 	NOTE: this is fixed in eterm 0.9.2
 CVE-2003-0020 (Apache does not filter terminal escape sequences from its error logs, ...)
 	- apache2 2.0.49
@@ -214417,7 +214425,7 @@
 	- evolution 1.2.0-1 (bug #280883)
 CVE-2002-1469 (scponly does not properly verify the path when finding the (1) scp or ...)
 	- scponly 3.8-1
-	NOTE: according to http://sublimation.org/scponly/ (scponly home page)
+	NOTE: according to http://web.archive.org/web/20150425070754/http://sublimation.org/scponly/ (scponly home page)
 	NOTE: only versions of scponly older than scponly-2.4 are affected
 CVE-2002-1468 (Buffer overflow in errpt in AIX 4.3.3 allows local users to execute ...)
 	NOT-FOR-US: AIX
@@ -221045,7 +221053,7 @@
 CVE-2002-0001 (Vulnerability in RFC822 address parser in mutt before 1.2.5.1 and mutt ...)
 	NOT-FOR-US: Data pre-dating the Security Tracker
 CVE-2001-1413 (Stack-based buffer overflow in the comprexx function for ncompress ...)
-	NOTE: not vulnerable according to http://www.debian.org/security/nonvulns-sarge
+	NOTE: not vulnerable according to http://web.archive.org/web/20070529152436/http://www.debian.org/security/nonvulns-sarge
 	NOTE: discussion at:
 	NOTE: http://archives.neohapsis.com/archives/linux/lsap/2001-q2/0081.html
 	NOTE: listed sarge version contains a fix like the patch from Gentoo



