[Secure-testing-commits] r41119 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sun Apr 24 14:28:57 UTC 2016


Author: carnil
Date: 2016-04-24 14:28:57 +0000 (Sun, 24 Apr 2016)
New Revision: 41119

Modified:
   data/CVE/list
Log:
More CVEs added from external check

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-04-24 14:10:31 UTC (rev 41118)
+++ data/CVE/list	2016-04-24 14:28:57 UTC (rev 41119)
@@ -76,20 +76,26 @@
 	RESERVED
 CVE-2015-8862
 	RESERVED
+	- node-mustache <unfixed> (unimportant)
+	NOTE: node-handlebars only in experimental for now, fixed in 4.0.0
+	NOTE: libv8 is not covered by security support
 CVE-2015-8861
 	RESERVED
+	- node-mustache <unfixed> (unimportant)
+	NOTE: node-handlebars only in experimental for now, fixed in 4.0.0
+	NOTE: libv8 is not covered by security support
 CVE-2015-8860
 	RESERVED
+	- node-tar <unfixed> (unimportant)
+	NOTE: libv8 is not covered by security support
 CVE-2015-8859
 	RESERVED
 CVE-2015-8858
 	RESERVED
+	- node-uglify <unfixed> (unimportant)
+	NOTE: libv8 is not covered by security support
 CVE-2015-8857
 	RESERVED
-CVE-2015-8856
-	RESERVED
-CVE-2015-8855
-	RESERVED
 CVE-2015-8854 [marked: regular expression denial of service]
 	RESERVED
 	- node-marked <unfixed> (unimportant)
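Review bot: the new entries for CVE-2015-8862 and CVE-2015-8861 are identical, each listing `- node-mustache <unfixed> (unimportant)` while the NOTE directly beneath says "node-handlebars only in experimental for now, fixed in 4.0.0"; the note names a different package than the line it annotates, so either one of the two CVEs should carry a node-handlebars package line or the handlebars note belongs to only one of them. Dropping the RESERVED stubs for CVE-2015-8856 and CVE-2015-8855 here is consistent with the later hunks that rename the CVE-2015-XXXX placeholders to those ids.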
@@ -10153,7 +10159,7 @@
 	- libreoffice 1:5.0.5~rc1-1
 	NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2016-0794/
 CVE-2016-0793 (Incomplete blacklist vulnerability in the servlet filter restriction ...)
-	TODO: check
+	NOT-FOR-US: WildFly / Red Hat JBoss EAP
 CVE-2016-0792 (Multiple unspecified API endpoints in CloudBees Jenkins before 1.650 ...)
 	- jenkins <removed>
 	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
@@ -10177,7 +10183,9 @@
 CVE-2016-0786
 	RESERVED
 CVE-2016-0785 (Apache Struts 2.x before 2.3.28 allows remote attackers to execute ...)
-	TODO: check
+	- libstruts1.2-java <undetermined>
+	NOTE: http://struts.apache.org/docs/s2-029.html
+	TODO: check, possibly only 2.x
 CVE-2016-0784 (Directory traversal vulnerability in the Import/Export System Backups ...)
 	NOT-FOR-US: Apache OpenMeetings
 CVE-2016-0783 (The sendHashByUser function in Apache OpenMeetings before 3.1.1 ...)
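Review bot: the CVE-2016-0785 description quoted in the header line already says "Apache Struts 2.x before 2.3.28", while the package added is libstruts1.2-java; the TODO "check, possibly only 2.x" is therefore well founded, and if the s2-029 advisory linked in the NOTE confirms that only 2.x is affected, `<undetermined>` should become `<not-affected>` with that reason in parentheses, as the moodle entry below does.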
@@ -10352,7 +10360,8 @@
 	NOTE: http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
 	NOTE: https://github.com/nginx/nginx/commit/c44fd4e837f979912749a5a19490ccb9b46398d3 (release-1.9.10)
 CVE-2016-0741 (slapd/connection.c in 389 Directory Server (formerly Fedora Directory ...)
-	TODO: check
+	- 389-ds-base 1.3.4.8-1
+	TODO: check older versions
 CVE-2016-0740 (Buffer overflow in the ImagingLibTiffDecode function in ...)
 	{DSA-3499-1}
 	- pillow 3.1.1-1 (bug #813905)
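Review bot: the CVE-2016-0741 entry records a fixed version (389-ds-base 1.3.4.8-1) but no NOTE with an upstream reference, unlike the nginx entry just above, which links the fixing commit; adding the upstream fix reference would let the remaining "check older versions" TODO be resolved by inspecting the diff rather than left open.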
@@ -10411,6 +10420,8 @@
 	NOTE: http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/
 CVE-2016-0726
 	RESERVED
+	- nagios3 <undetermined>
+	TODO: check, possibly only Fedora specific
 CVE-2016-0725 (Cross-site scripting (XSS) vulnerability in the search_pagination ...)
 	- moodle <not-affected> (Only affects 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9)
 	[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
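Review bot: CVE-2016-0726 is added for nagios3 with no bracketed summary on the CVE line and no NOTE link, so the "possibly only Fedora specific" TODO cannot be checked from the entry itself; other entries in this file carry a short `[...]` description and a reference URL, and the same would help here.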
@@ -10428,10 +10439,20 @@
 	NOTE: https://git.kernel.org/linus/5c17c861a357e9458001f021a7afa7aab9937439 (v4.5-rc2)
 CVE-2016-0722
 	REJECTED
-CVE-2016-0721
+CVE-2016-0721 [cookies are not invalidated upon logout]
 	RESERVED
-CVE-2016-0720
+	- pcs <undetermined>
+	NOTE: https://github.com/feist/pcs/commit/bc6ad9086857559db57f4e3e6de66762291c0774
+	NOTE: https://github.com/feist/pcs/commit/e9b28833d54a47ec441f6dbad0db96e1fc662a5b
+	NOTE: https://github.com/feist/pcs/commit/acdbbe8307e6f4a36b2c7754765e732e43fe8d17
+	TODO: check
+CVE-2016-0720 [Cross-Site Request Forgery in web UI]
 	RESERVED
+	- pcs <undetermined>
+	NOTE: https://github.com/feist/pcs/commit/3360ecd318f7631bf5826d99a20bf4b29d86dc9c
+	NOTE: https://github.com/feist/pcs/commit/d49435de20f71bd0816c42b445ed484dd21fbe96
+	NOTE: https://github.com/feist/pcs/commit/b9e7f061788c3b86a0c67d2d4158f067ec5eb625
+	TODO: check
 CVE-2016-0719
 	RESERVED
 CVE-2016-0718
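Review bot: both pcs entries (CVE-2016-0721 and CVE-2016-0720) list three upstream fix commits each yet stay at `<undetermined>` with a bare "TODO: check"; since the fixing commits are already identified, the remaining work is to find which pcs upload contains them and replace `<undetermined>` with that version (or `<unfixed>`), so the TODO should say that rather than just "check".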
@@ -28804,7 +28825,7 @@
 	- ownclound-contacts <itp> (bug #779055)
 	NOTE: owncloud-contacts fixed in 0.3.0.18+8.0.0+dfsg-1
 	NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-001
-CVE-2015-XXXX [Regular Expression Denial of Service]
+CVE-2015-8855 [Regular Expression Denial of Service]
 	- node-semver <unfixed> (unimportant)
 	NOTE: https://nodesecurity.io/advisories/semver_redos
 	NOTE: https://github.com/npm/npm/releases/tag/v2.7.5
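Review bot: renaming CVE-2015-XXXX to CVE-2015-8855 for node-semver matches the removal of the RESERVED stub for that id in the first hunk, so the ids stay consistent across the file. Unrelated to this change but visible in the context lines: `ownclound-contacts` looks like a typo for owncloud-contacts, as spelled in the NOTE directly below it.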
@@ -30564,7 +30585,7 @@
 CVE-2015-2310 [Integer overflow in pointer validation]
 	RESERVED
 	- capnproto 0.4.1-3 (bug #780565)
-CVE-2015-XXXX [XSS via filename]
+CVE-2015-8856 [XSS via filename]
 	- node-serve-index <unfixed> (unimportant)
 	NOTE: libv8 is not covered by security support
 	NOTE: https://nodesecurity.io/advisories/serve-static-xss
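Review bot: the package line for CVE-2015-8856 is node-serve-index, but the advisory URL in the NOTE is named `serve-static-xss`; please confirm the advisory actually concerns serve-index and not serve-static before the id is settled, since the two are different npm packages and the reference should point at the one being tracked.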



