[Secure-testing-commits] r39986 - data/CVE
Paul Wise
pabs at moszumanska.debian.org
Sat Feb 27 10:58:46 UTC 2016
Author: pabs
Date: 2016-02-27 10:58:46 +0000 (Sat, 27 Feb 2016)
New Revision: 39986
Modified:
data/CVE/list
Log:
Update/add some issues from nodesecurity.io
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-02-27 10:36:05 UTC (rev 39985)
+++ data/CVE/list 2016-02-27 10:58:46 UTC (rev 39986)
@@ -544,6 +544,12 @@
NOT-FOR-US: SAP
CVE-2016-2386 (SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE ...)
NOT-FOR-US: SAP
+CVE-2015-XXXX [incorrect handling of non-boolean comparisons during minification]
+ - uglifyjs <unfixed>
+ NOTE: fixed in 2.4.24
+ NOTE: https://zyan.scripts.mit.edu/blog/backdooring-js/
+ NOTE: https://github.com/mishoo/UglifyJS2/issues/751
+ NOTE: https://nodesecurity.io/advisories/39
CVE-2015-XXXX [regex DoS]
- uglifyjs <unfixed>
NOTE: fixed in 2.6.0
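Review bot: the new uglifyjs entry marks the package <unfixed> while its first NOTE says the issue is fixed upstream in 2.4.24, so the status hinges on which upstream version the archive ships and that is not recorded here; if the packaged version is 2.4.24 or later, the package line should carry that Debian version instead of <unfixed>, and if it is older, a bug reference in the style used for ruby-jquery-rails below ("(bug #790395)") would make the open item trackable. The same check applies to the adjacent regex DoS entry, which is already <unfixed> next to a "fixed in 2.6.0" note.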
@@ -11418,8 +11424,13 @@
NOTE: http://xenbits.xen.org/xsa/advisory-142.html
CVE-2015-7296 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 ...)
NOT-FOR-US: Securifi Almond devices
-CVE-2015-7294
+CVE-2015-7294 [LDAP Injection]
RESERVED
+ NOT-FOR-US: NodeJS ldapauth
+ NOTE: http://www.openwall.com/lists/oss-security/2015/09/18/4
+ NOTE: https://github.com/vesse/node-ldapauth-fork/issues/21
+ NOTE: https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
+ NOTE: https://nodesecurity.io/advisories/19
CVE-2015-7293
RESERVED
CVE-2015-7292
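Review bot: the NOT-FOR-US line names "NodeJS ldapauth" but the issue and fix links are for node-ldapauth-fork, so it is not clear which codebase was checked against the archive; naming the fork explicitly (e.g. "NOT-FOR-US: node-ldapauth-fork") and confirming that neither the original ldapauth module nor the fork is packaged would keep the entry from being re-examined later.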
@@ -13345,7 +13356,12 @@
CVE-2015-6585
RESERVED
CVE-2015-6584 (Cross-site scripting (XSS) vulnerability in the DataTables plugin ...)
- NOT-FOR-US: DataTables plugin for jQuery
+ - datatables.js 1.10.9+dfsg-1
+ NOTE: http://www.securityfocus.com/archive/1/archive/1/536437/100/0/threaded
+ NOTE: https://www.netsparker.com/cve-2015-6384-xss-vulnerability-identified-in-datatables/
+ NOTE: https://github.com/DataTables/DataTables/issues/602
+ NOTE: https://github.com/DataTables/DataTablesSrc/commit/ccf86dc5982bd8e16d
+ NOTE: https://nodesecurity.io/advisories/5
CVE-2015-6583 (Google Chrome before 45.0.2454.85 does not display a location bar for ...)
- chromium-browser 45.0.2454.85-1
[jessie] - chromium-browser 45.0.2454.85-1~deb8u1
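Review bot: the netsparker link added for CVE-2015-6584 carries "cve-2015-6384" in its path, which does not match the CVE id of the entry; verify that the URL really resolves to the DataTables advisory rather than being a transposed digit. Also, replacing NOT-FOR-US with the fixed Debian version "1.10.9+dfsg-1" says nothing about whether earlier suites shipped a vulnerable version; a suite line like the "[jessie] - chromium-browser ..." entry below would record that.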
@@ -15663,6 +15679,9 @@
[jessie] - designate <not-affected> (Vulnerable code doesn't exist)
CVE-2015-5688 (Directory traversal vulnerability in lib/app/index.js in Geddy before ...)
NOT-FOR-US: Geddy
+ NOTE: https://github.com/geddy/geddy/issues/697
+ NOTE: https://github.com/geddy/geddy/pull/699
+ NOTE: https://nodesecurity.io/advisories/10
CVE-2015-5687 (system/session/drivers/cookie.php in Anchor CMS 0.9.x allows remote ...)
TODO: check
CVE-2015-5686
@@ -27161,6 +27180,9 @@
NOT-FOR-US: RHEV
CVE-2015-1840 (jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and ...)
- ruby-jquery-rails <unfixed> (bug #790395)
+ NOTE: https://hackerone.com/reports/49935
+ NOTE: https://groups.google.com/forum/#!msg/rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J
+ NOTE: https://nodesecurity.io/advisories/15
CVE-2015-1839 [insecure /tmp file handling in salt/modules/chef.py]
RESERVED
- salt <not-affected> (Vulnerable code only present in experimental version; introduced in 2014.7.0)