[Secure-testing-commits] r43401 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sat Jul 23 13:09:26 UTC 2016
Author: carnil
Date: 2016-07-23 13:09:26 +0000 (Sat, 23 Jul 2016)
New Revision: 43401
Modified:
data/CVE/list
Log:
Refresh some top-down sortings
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-07-23 10:33:34 UTC (rev 43400)
+++ data/CVE/list 2016-07-23 13:09:26 UTC (rev 43401)
@@ -1878,8 +1878,8 @@
- phpmyadmin 4:4.6.3-1
CVE-2016-5732 (Multiple cross-site scripting (XSS) vulnerabilities in the ...)
- phpmyadmin 4:4.6.3-1
+ [jessie] - phpmyadmin <not-affected> (Vulnerable code not present)
[wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)
- [jessie] - phpmyadmin <not-affected> (Vulnerable code not present)
CVE-2016-5731 (Cross-site scripting (XSS) vulnerability in examples/openid.php in ...)
{DLA-551-1}
- phpmyadmin 4:4.6.3-1 (low)
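Review bot: the move of the [jessie] line above [wheezy] for CVE-2016-5732 keeps the status text identical on both sides of the diff, so the hunk is purely a reorder; the log message "Refresh some top-down sortings" does not state which order is being established (newest suite first, as this hunk does), and saying so in the log would let the next refresh be checked at a glance rather than hunk by hunk.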
@@ -1957,16 +1957,16 @@
[wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)
CVE-2016-5704 (Cross-site scripting (XSS) vulnerability in the table-structure page ...)
- phpmyadmin 4:4.6.3-1
+ [jessie] - phpmyadmin <not-affected> (Vulnerable code not present)
[wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)
- [jessie] - phpmyadmin <not-affected> (Vulnerable code not present)
CVE-2016-5703 (SQL injection vulnerability in libraries/central_columns.lib.php in ...)
- phpmyadmin 4:4.6.3-1
+ [jessie] - phpmyadmin <not-affected> (Vulnerable code not present)
[wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)
- [jessie] - phpmyadmin <not-affected> (Vulnerable code not present)
CVE-2016-5702 (phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF ...)
- phpmyadmin 4:4.6.3-1 (low)
+ [jessie] - phpmyadmin <no-dsa> (Minor issue)
[wheezy] - phpmyadmin <no-dsa> (Minor issue)
- [jessie] - phpmyadmin <no-dsa> (Minor issue)
CVE-2016-5701 (setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, ...)
- phpmyadmin 4:4.6.3-1
[wheezy] - phpmyadmin <no-dsa> (Minor issue)
@@ -11314,15 +11314,15 @@
RESERVED
CVE-2016-2563 (Stack-based buffer overflow in the SCP command-line utility in PuTTY ...)
- putty 0.67-1 (bug #816921)
+ [jessie] - putty <no-dsa> (Minor issue)
[wheezy] - putty <no-dsa> (Minor issue)
- [jessie] - putty <no-dsa> (Minor issue)
NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
NOTE: http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commitdiff;h=bc6c15ab5f636e05b7e91883f0031a7e06117947
NOTE: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
CVE-2016-2562 (The checkHTTP function in libraries/Config.class.php in phpMyAdmin ...)
- phpmyadmin 4:4.5.5.1-1 (unimportant)
+ [jessie] - phpmyadmin <not-affected>
[wheezy] - phpmyadmin <not-affected>
- [jessie] - phpmyadmin <not-affected>
NOTE: vulnerabilty is only in the test suite
CVE-2016-2561 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...)
- phpmyadmin 4:4.5.5.1-1
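Review bot: the context line "NOTE: vulnerabilty is only in the test suite" under CVE-2016-2562 carries a typo ("vulnerability"); since the adjacent [jessie]/[wheezy] lines of that entry are already being rewritten, fixing it in the same commit would be cheap. The reorder itself (putty CVE-2016-2563 and phpmyadmin CVE-2016-2562) leaves every <no-dsa> and <not-affected> status unchanged.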
@@ -11336,8 +11336,8 @@
NOTE: b8f1e0f325f8f32bd82af64111d8c2e9055a363c and 73c8245a3d1893a710447957e28dcfb18d9b47ad present in wheezy and later, patch in lists.debian.org/87lh4fpyap.fsf at angela.anarcat.ath.cx
CVE-2016-2559 (Cross-site scripting (XSS) vulnerability in the format function in ...)
- phpmyadmin 4:4.5.5.1-1 (low)
+ [jessie] - phpmyadmin <not-affected>
[wheezy] - phpmyadmin <not-affected>
- [jessie] - phpmyadmin <not-affected>
CVE-2016-XXXX [out-of-bounds reads]
- cpio <unfixed> (low; bug #815965)
[jessie] - cpio <no-dsa> (Minor issue)
@@ -13031,8 +13031,8 @@
[jessie] - libjgroups-java <no-dsa> (Minor issue)
CVE-2016-2140 (The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) ...)
- nova <unfixed>
+ [jessie] - nova <no-dsa> (Minor issue)
[wheezy] - nova <no-dsa> (Minor issue)
- [jessie] - nova <no-dsa> (Minor issue)
NOTE: Affects: <=2015.1.3, >=12.0.0 <=12.0.2
CVE-2016-2139
RESERVED
@@ -13370,8 +13370,8 @@
RESERVED
CVE-2016-2091 (The dwarf_read_cie_fde_prefix function in dwarf_frame2.c in libdwarf ...)
- dwarfutils 20160507-1 (bug #813148)
+ [jessie] - dwarfutils <no-dsa> (Minor issue)
[wheezy] - dwarfutils <no-dsa> (Minor issue)
- [jessie] - dwarfutils <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2016/01/19/3
NOTE: Fixed by http://sourceforge.net/p/libdwarf/code/ci/9565964f26966d8391fe2cfa8e6e8e59278c5f91
CVE-2016-2090 [Heap buffer overflow in fgetwln function of libbsd]
@@ -13525,16 +13525,16 @@
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-9/
CVE-2016-2044 (libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin ...)
- phpmyadmin 4:4.5.4-1
+ [jessie] - phpmyadmin <not-affected> (vulnerable code not present)
+ [wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
[squeeze] - phpmyadmin <not-affected> (vulnerable code not present)
- [wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
- [jessie] - phpmyadmin <not-affected> (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-8/
NOTE: vulnerability introduced in 4.5.0.1 / 718ef31
CVE-2016-2043 (Cross-site scripting (XSS) vulnerability in the goToFinish1NF function ...)
- phpmyadmin 4:4.5.4-1
+ [jessie] - phpmyadmin <not-affected> (vulnerable code not present)
+ [wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
[squeeze] - phpmyadmin <not-affected> (vulnerable code not present)
- [wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
- [jessie] - phpmyadmin <not-affected> (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-7/
NOTE: vulnerability introduced in 4.3.3 / 1e971f3
CVE-2016-2042 (phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote ...)
@@ -16035,8 +16035,8 @@
RESERVED
{DLA-388-1}
- dwarfutils 20160507-1 (bug #813182)
+ [jessie] - dwarfutils <no-dsa> (Minor issue)
[wheezy] - dwarfutils <no-dsa> (Minor issue)
- [jessie] - dwarfutils <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1294264
NOTE: https://github.com/tomhughes/libdwarf/commit/11750a2838e52953013e3114ef27b3c7b1780697
CVE-2015-8749 (The volume_utils._parse_volume_info function in OpenStack Compute ...)
@@ -17419,9 +17419,9 @@
CVE-2015-8621 [t-coffee: creates world-writable directories]
RESERVED
- t-coffee 11.00.8cbe486-2 (low; bug #751579)
+ [jessie] - t-coffee <no-dsa> (Minor issue)
+ [wheezy] - t-coffee <no-dsa> (Minor issue)
[squeeze] - t-coffee <not-affected> (version in Squeeze uses system() and umask is handled correctly by sh (as opposed to later versions that use mkdir()))
- [wheezy] - t-coffee <no-dsa> (Minor issue)
- [jessie] - t-coffee <no-dsa> (Minor issue)
CVE-2015-8617 (Format string vulnerability in the zend_throw_or_error function in ...)
- php7.0 7.0.1-1
NOTE: https://bugs.php.net/bug.php?id=71105
@@ -18006,8 +18006,8 @@
NOTE: Introduced by: https://git.kernel.org/linus/42d5ec27f873c654a68f7f865dcd7737513e9508 (v3.10-rc1)
CVE-2016-0757 (OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x ...)
- glance <unfixed>
+ [jessie] - glance <no-dsa> (Minor issue)
[wheezy] - glance <no-dsa> (Minor issue)
- [jessie] - glance <no-dsa> (Minor issue)
NOTE: <=2015.1.2, >=11.0.0 <= 11.0.1
NOTE: https://bugs.launchpad.net/bugs/1525915
CVE-2016-0756 (The generate_dialback function in the mod_dialback module in Prosody ...)
@@ -21347,9 +21347,9 @@
NOTE: Issue in Linux related to unprivileged CLONE_NEWUSER affecting systemd, but we disable unprivileged use by default
CVE-2015-XXXX [update-smart-drivedb downloads unauthenticated data from the web]
- smartmontools 6.4+svn4214-1 (low; bug #804299)
+ [jessie] - smartmontools <no-dsa> (Minor issue)
+ [wheezy] - smartmontools <no-dsa> (Minor issue)
[squeeze] - smartmontools <no-dsa> (Minor issue)
- [wheezy] - smartmontools <no-dsa> (Minor issue)
- [jessie] - smartmontools <no-dsa> (Minor issue)
CVE-2015-8125 (Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before ...)
{DSA-3402-1}
- symfony 2.7.7+dfsg-1
@@ -22397,17 +22397,17 @@
CVE-2015-8011 [lldpd: buffer overflow when handling management address TLV]
RESERVED
- lldpd 0.7.19-1
+ [jessie] - lldpd 0.7.11-2+deb8u1
+ [wheezy] - lldpd <not-affected> (Vulnerable code not present)
[squeeze] - lldpd <not-affected> (Vulnerable code not present)
- [wheezy] - lldpd <not-affected> (Vulnerable code not present)
- [jessie] - lldpd 0.7.11-2+deb8u1
NOTE: https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
NOTE: http://www.openwall.com/lists/oss-security/2015/10/16/2
CVE-2015-8012 [lldpd: asserts triggered by malformed packets]
RESERVED
- lldpd 0.7.19-1
+ [jessie] - lldpd 0.7.11-2+deb8u1
+ [wheezy] - lldpd <not-affected> (Vulnerable code not present)
[squeeze] - lldpd <not-affected> (Vulnerable code not present)
- [wheezy] - lldpd <not-affected> (Vulnerable code not present)
- [jessie] - lldpd 0.7.11-2+deb8u1
NOTE: https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
NOTE: http://www.openwall.com/lists/oss-security/2015/10/18/2
CVE-2015-XXXX [cakephp: XML class SSRF vulnerability]
@@ -22719,22 +22719,22 @@
CVE-2015-7747 [When changing both sample format and number of channels, data gets corrupted; if new sample format smaller than old, possible buffer overflow]
RESERVED
- audiofile 0.3.6-3 (bug #801102)
+ [jessie] - audiofile <no-dsa> (Minor issue)
[wheezy] - audiofile <no-dsa> (Minor issue)
- [jessie] - audiofile <no-dsa> (Minor issue)
[squeeze] - audiofile <not-affected> (Vulnerable code introduced later)
NOTE: http://www.openwall.com/lists/oss-security/2015/10/06/2
CVE-2015-XXXX [gvfsd-dav: null pointer dereference if server response is not escaped]
- gvfs 1.23.90-1
+ [jessie] - gvfs <no-dsa> (Minor issue)
+ [wheezy] - gvfs <no-dsa> (Minor issue)
[squeeze] - gvfs <no-dsa> (Minor issue)
- [wheezy] - gvfs <no-dsa> (Minor issue)
- [jessie] - gvfs <no-dsa> (Minor issue)
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/10/06/3
CVE-2015-7705 [An attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets]
RESERVED
- ntp <unfixed>
+ [jessie] - ntp <no-dsa> (Default config not affected)
+ [wheezy] - ntp <no-dsa> (Default config not affected)
[squeeze] - ntp <no-dsa> (Default config not affected)
- [wheezy] - ntp <no-dsa> (Default config not affected)
- [jessie] - ntp <no-dsa> (Default config not affected)
NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
NOTE: https://github.com/ntp-project/ntp/commit/21d57dc336dbe9a975baca5ce5ae4da5b71ff123
NOTE: https://github.com/ntp-project/ntp/commit/492758c3d0690d3ccf7130fabfcf670997f12f7b
@@ -23269,8 +23269,8 @@
NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d35e428c8400f9ddc07e5a15ff19622c869b9ba0 (v1.2.0-rc0)
CVE-2015-7548 (OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before ...)
- nova <unfixed>
+ [jessie] - nova <no-dsa> (Minor issue)
[wheezy] - nova <no-dsa> (Minor issue)
- [jessie] - nova <no-dsa> (Minor issue)
NOTE: Affects: Nova: <=2015.1.2, ==12.0.0
NOTE: https://bugs.launchpad.net/bugs/1524274
CVE-2015-7547 (Multiple stack-based buffer overflows in the (1) send_dg and (2) ...)
@@ -23281,8 +23281,8 @@
NOTE: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
CVE-2015-7546 (The identity service in OpenStack Identity (Keystone) before 2015.1.3 ...)
- keystone <unfixed>
+ [jessie] - keystone <no-dsa> (Too intrusive to backport, needs to switch to different token provider)
[wheezy] - keystone <no-dsa> (Too intrusive to backport, needs to switch to different token provider)
- [jessie] - keystone <no-dsa> (Too intrusive to backport, needs to switch to different token provider)
- python-keystonemiddleware <unfixed>
[jessie] - python-keystonemiddleware <no-dsa> (Too intrusive to backport, needs to switch to different token provider)
NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0062
@@ -25268,8 +25268,8 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=706087#c1 notes that the fix breaks ABI
CVE-2015-6938 (Cross-site scripting (XSS) vulnerability in the file browser in ...)
- ipython 2.4.1-1 (low; bug #798886)
+ [jessie] - ipython <no-dsa> (Minor issue)
[wheezy] - ipython <no-dsa> (Minor issue)
- [jessie] - ipython <no-dsa> (Minor issue)
[squeeze] - ipython <not-affected> (Vulnerable code not present)
NOTE: Affected versions: 0.12 <= x <= 4.0
NOTE: http://www.openwall.com/lists/oss-security/2015/09/02/3
@@ -25552,8 +25552,8 @@
CVE-2015-6748 [XSS vulnerability in jsoup related to incomplete tags at EOF]
RESERVED
- jsoup 1.8.3-1 (bug #797275)
+ [jessie] - jsoup <no-dsa> (Minor issue)
[wheezy] - jsoup <no-dsa> (Minor issue)
- [jessie] - jsoup <no-dsa> (Minor issue)
NOTE: https://github.com/jhy/jsoup/pull/582
NOTE: https://hibernate.atlassian.net/browse/HV-1012
NOTE: https://issues.jboss.org/browse/WFLY-5223
@@ -28116,10 +28116,10 @@
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0 (v4.1-rc3)
CVE-2015-XXXX [Stack buffer overflow when printing bad bytes in Intel Hex objects]
- binutils 2.25.90.20151125-1
+ [jessie] - binutils <no-dsa> (Minor issue)
+ [wheezy] - binutils <no-dsa> (Minor issue)
[squeeze] - binutils 2.20.1-16+deb6u2
NOTE: workaround entry for DLA 324-1-1 until/if CVE assigned
- [wheezy] - binutils <no-dsa> (Minor issue)
- [jessie] - binutils <no-dsa> (Minor issue)
- gdb <undetermined>
- sdcc <undetermined>
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/31/6
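Review bot: in the binutils entry the line "NOTE: workaround entry for DLA 324-1-1 until/if CVE assigned" now sits directly under the [squeeze] line it documents, with the moved [jessie] and [wheezy] <no-dsa> lines above it, which is the right placement; the "gdb <undetermined>" and "sdcc <undetermined>" lines below are untouched, so the entry still has open triage items after this hunk.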
@@ -29402,8 +29402,8 @@
NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2015-5286 (OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x ...)
- glance 1:11.0.0-1 (bug #800741)
+ [jessie] - glance <not-affected> (Vulnerable code not present)
[wheezy] - glance <not-affected> (Vulnerable code not present)
- [jessie] - glance <not-affected> (Vulnerable code not present)
NOTE: jessie: According to confirmation via upstream the fix for CVE-2014-9623
NOTE: was complete here so CVE-2015-5286 not affecting jessie.
NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1
@@ -29554,8 +29554,8 @@
NOTE: https://www.samba.org/samba/security/CVE-2015-5252.html
CVE-2015-5251 (OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x ...)
- glance 1:11.0.0-1 (bug #799931)
+ [jessie] - glance 2014.1.3-12+deb8u1
[wheezy] - glance <no-dsa> (Minor issue)
- [jessie] - glance 2014.1.3-12+deb8u1
NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1
CVE-2015-5250 (The API server in OpenShift Origin 1.0.5 allows remote attackers to ...)
NOT-FOR-US: OpenShift
@@ -29743,9 +29743,9 @@
CVE-2015-5203 [double free triggered by jasper_image_stop_load function]
RESERVED
- jasper <unfixed> (bug #796107)
+ [jessie] - jasper <no-dsa> (Minor issue)
+ [wheezy] - jasper <no-dsa> (Minor issue)
[squeeze] - jasper <no-dsa> (Minor issue)
- [wheezy] - jasper <no-dsa> (Minor issue)
- [jessie] - jasper <no-dsa> (Minor issue)
NOTE: Analysis/More information: https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c3
NOTE: The patch http://sf.net/projects/mancha/files/sec/jasper-1.900.1_CVE-2015-5203.diff
NOTE: breaks ABI.
@@ -31701,8 +31701,8 @@
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/
CVE-2015-4496 (Multiple integer overflows in libstagefright in Mozilla Firefox before ...)
- iceweasel 38.0-1
+ [jessie] - iceweasel 38.2.0esr-1~deb8u1
[wheezy] - iceweasel 38.2.0esr-1~deb7u1
- [jessie] - iceweasel 38.2.0esr-1~deb8u1
[squeeze] - iceweasel <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-93/
CVE-2015-4495 (The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x ...)
@@ -33012,9 +33012,9 @@
- python3.1 <removed>
[squeeze] - python3.1 <no-dsa> (Minor issue)
- python2.7 2.7.9-1
+ [stretch] - python2.7 <no-dsa> (Minor issue, too intrusive to backport)
+ [jessie] - python2.7 <no-dsa> (Minor issue, too intrusive to backport)
[wheezy] - python2.7 <no-dsa> (Minor issue, too intrusive to backport)
- [jessie] - python2.7 <no-dsa> (Minor issue, too intrusive to backport)
- [stretch] - python2.7 <no-dsa> (Minor issue, too intrusive to backport)
- python2.6 <removed>
[wheezy] - python2.6 <no-dsa> (Minor issue, too intrusive to backport)
[squeeze] - python2.6 <no-dsa> (Minor issue)
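Review bot: this is the only hunk that moves a [stretch] line; it is placed above [jessie] and [wheezy], matching the newest-first order used in the rest of the patch, and the python2.6 entry directly below already lists [wheezy] before [squeeze], so the whole block is consistent after the change.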
@@ -34037,15 +34037,15 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/05/12/2
CVE-2015-XXXX [pdf2djvu: insecure use of /tmp when executing c44]
- pdf2djvu 0.7.21-1 (bug #784889)
+ [jessie] - pdf2djvu 0.7.17-4+deb8u1
+ [wheezy] - pdf2djvu 0.7.12-2+deb7u1
[squeeze] - pdf2djvu <no-dsa> (Minor issue)
- [wheezy] - pdf2djvu 0.7.12-2+deb7u1
- [jessie] - pdf2djvu 0.7.17-4+deb8u1
NOTE: https://bitbucket.org/jwilk/pdf2djvu/issue/103
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/09/7
CVE-2015-XXXX [didjvu: insecure use of /tmp when executing c44]
- didjvu 0.4-1 (bug #784888)
+ [jessie] - didjvu 0.2.8-1+deb8u1
[wheezy] - didjvu 0.2.3-2+deb7u1
- [jessie] - didjvu 0.2.8-1+deb8u1
NOTE: https://bitbucket.org/jwilk/didjvu/issue/8
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/09/7
CVE-2015-4146 (The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 ...)
@@ -34114,27 +34114,27 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/05/09/4
CVE-2015-XXXX [incorrect parsing of from header when assigning pgp keys]
- semi 1.14.7~0.20120428-17 (bug #784712)
+ [jessie] - semi 1.14.7~0.20120428-14+deb8u1
+ [wheezy] - semi <no-dsa> (Minor issue)
[squeeze] - semi <no-dsa> (Minor issue)
- [wheezy] - semi <no-dsa> (Minor issue)
- [jessie] - semi 1.14.7~0.20120428-14+deb8u1
NOTE: http://thread.gmane.org/gmane.mail.wanderlust.general.japanese/9819
NOTE: Fixed in https://github.com/wanderlust/semi/commit/9976269556c5bcc021e4edf1b0e1accd39929528
CVE-2015-XXXX [incorrect substring matching when assigning pgp keys]
- semi 1.14.7~0.20120428-17 (bug #784712)
+ [jessie] - semi 1.14.7~0.20120428-14+deb8u1
+ [wheezy] - semi <no-dsa> (Minor issue)
[squeeze] - semi <no-dsa> (Minor issue)
- [wheezy] - semi <no-dsa> (Minor issue)
- [jessie] - semi 1.14.7~0.20120428-14+deb8u1
NOTE: https://github.com/wanderlust/semi/issues/9
NOTE: https://github.com/wanderlust/semi/commit/5c8466321d281d72850c298b9ebcd466b4b0160c
NOTE: https://github.com/wanderlust/semi/commit/da44c8e0ea6baf5dac2b8debf86f720a541f31a5
- mew 1:6.6-3
+ [jessie] - mew 1:6.6-2+deb8u1
+ [wheezy] - mew <no-dsa> (Minor issue)
[squeeze] - mew <no-dsa> (Minor issue)
- [wheezy] - mew <no-dsa> (Minor issue)
- [jessie] - mew 1:6.6-2+deb8u1
- mew-beta 7.0.50~6.6+0.20150508-1
+ [jessie] - mew-beta 7.0.50~6.6+0.20140902-1+deb8u1
+ [wheezy] - mew-beta <no-dsa> (Minor issue)
[squeeze] - mew-beta <no-dsa> (Minor issue)
- [wheezy] - mew-beta <no-dsa> (Minor issue)
- [jessie] - mew-beta 7.0.50~6.6+0.20140902-1+deb8u1
CVE-2015-3429 (Cross-site scripting (XSS) vulnerability in example.html in Genericons ...)
{DSA-3328-1}
- wordpress 4.2.2+dfsg-1 (bug #784603)
@@ -34531,17 +34531,17 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/05/13/9
CVE-2015-XXXX [crashes on crafted upack packed file]
- clamav 0.98.7+dfsg-1
+ [jessie] - clamav 0.98.7+dfsg-0+deb8u1
+ [wheezy] - clamav 0.98.7+dfsg-0+deb7u1
[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
- [wheezy] - clamav 0.98.7+dfsg-0+deb7u1
- [jessie] - clamav 0.98.7+dfsg-0+deb8u1
NOTE: https://github.com/vrtadmin/clamav-devel/commit/a18af359decd270f5088e80e2ee2866c62e0843e
NOTE: https://github.com/vrtadmin/clamav-devel/commit/ed56f56c1f1529bda877ddd116ae7bc064667c73
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/03/3
CVE-2015-XXXX [crash during algorithmic detection on crafted PE file]
- clamav 0.98.7+dfsg-1
+ [jessie] - clamav 0.98.7+dfsg-0+deb8u1
+ [wheezy] - clamav 0.98.7+dfsg-0+deb7u1
[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
- [wheezy] - clamav 0.98.7+dfsg-0+deb7u1
- [jessie] - clamav 0.98.7+dfsg-0+deb8u1
NOTE: https://github.com/vrtadmin/clamav-devel/commit/a7bdfb4f0d3210eeab49280726ff3ea6d703280e
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/03/4
CVE-2015-XXXX [BUG/MAJOR: http: don't read past buffer's end in http_replace_value]
@@ -35560,8 +35560,8 @@
NOTE: https://www.openssl.org/news/secadv/20151203.txt
CVE-2015-3192 (Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not ...)
- libspring-java 4.1.9-1 (low; bug #796137)
+ [jessie] - libspring-java <no-dsa> (Minor issue)
[wheezy] - libspring-java <no-dsa> (Minor issue)
- [jessie] - libspring-java <no-dsa> (Minor issue)
NOTE: https://pivotal.io/security/cve-2015-3192
NOTE: https://jira.spring.io/browse/SPR-13136
CVE-2015-3191
@@ -35607,9 +35607,9 @@
NOTE: http://svn.apache.org/viewvc?view=revision&revision=1687339 (2.2.x)
CVE-2015-3182 (epan/dissectors/packet-dec-dnart.c in the DECnet NSP/RT dissector in ...)
- wireshark 1.12.0~rc1-1
+ [jessie] - wireshark <not-affected> (Only affected 1.10.x)
+ [wheezy] - wireshark <not-affected> (Only affected 1.10.x)
[squeeze] - wireshark <not-affected> (Only affected 1.10.x)
- [wheezy] - wireshark <not-affected> (Only affected 1.10.x)
- [jessie] - wireshark <not-affected> (Only affected 1.10.x)
NOTE: https://www.wireshark.org/security/wnpa-sec-2015-01.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1219409
CVE-2015-3181 (files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, ...)
@@ -36590,9 +36590,9 @@
NOTE: http://permalink.gmane.org/gmane.linux.kernel.containers/29177
CVE-2015-2924 (The receive_ra function in rdisc/nm-lndp-rdisc.c in the Neighbor ...)
- network-manager 1.0.2-1 (bug #783295)
+ [jessie] - network-manager <no-dsa> (Minor issue)
+ [wheezy] - network-manager <no-dsa> (Minor issue)
[squeeze] - network-manager <no-dsa> (Minor issue)
- [wheezy] - network-manager <no-dsa> (Minor issue)
- [jessie] - network-manager <no-dsa> (Minor issue)
CVE-2015-2923 [IPv6 Hop limit lowering via RA messages]
RESERVED
{DSA-3175-2}
@@ -37269,8 +37269,8 @@
CVE-2015-2668 (ClamAV before 0.98.7 allows remote attackers to cause a denial of ...)
{DLA-233-1}
- clamav 0.98.7+dfsg-1
+ [jessie] - clamav 0.98.7+dfsg-0+deb8u1
[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
- [jessie] - clamav 0.98.7+dfsg-0+deb8u1
CVE-2015-2667 (Untrusted search path vulnerability in GNS3 1.2.3 allows local users ...)
- gns3 <not-affected> (Windows specific)
CVE-2015-2665 (Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows ...)
@@ -38662,14 +38662,14 @@
CVE-2015-2222 (ClamAV before 0.98.7 allows remote attackers to cause a denial of ...)
{DLA-233-1}
- clamav 0.98.7+dfsg-1
+ [jessie] - clamav 0.98.7+dfsg-0+deb8u1
[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
- [jessie] - clamav 0.98.7+dfsg-0+deb8u1
NOTE: https://github.com/vrtadmin/clamav-devel/commit/8aeedf3c4282bc916d6f6c290e1e530d125ec953
CVE-2015-2221 (ClamAV before 0.98.7 allows remote attackers to cause a denial of ...)
{DLA-233-1}
- clamav 0.98.7+dfsg-1
+ [jessie] - clamav 0.98.7+dfsg-0+deb8u1
[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
- [jessie] - clamav 0.98.7+dfsg-0+deb8u1
NOTE: https://github.com/vrtadmin/clamav-devel/commit/0844d0cfe118b4041ed8e2ee49ff18bfbca8eaa5
NOTE: https://github.com/vrtadmin/clamav-devel/commit/26b19809fb3b940cb0fda0422d685fff02a53b5f
CVE-2015-2220 (Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms ...)
@@ -38837,8 +38837,8 @@
CVE-2015-2170 (The upx decoder in ClamAV before 0.98.7 allows remote attackers to ...)
{DLA-233-1}
- clamav 0.98.7+dfsg-1
+ [jessie] - clamav 0.98.7+dfsg-0+deb8u1
[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
- [jessie] - clamav 0.98.7+dfsg-0+deb8u1
NOTE: https://github.com/vrtadmin/clamav-devel/commit/625f5a9b8f008b8714850e4aa064dee1de06e534
CVE-2015-2169 (Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ...)
NOT-FOR-US: Zoho ManageEngine AssetExplorer
@@ -38867,8 +38867,8 @@
- netty3.1 <removed>
[wheezy] - netty3.1 <no-dsa> (Minor issue)
- netty 1:4.0.31-1 (bug #796114)
+ [jessie] - netty <no-dsa> (Minor issue)
[wheezy] - netty <no-dsa> (Minor issue)
- [jessie] - netty <no-dsa> (Minor issue)
- netty-3.9 <unfixed> (bug #793770)
[jessie] - netty-3.9 <no-dsa> (Minor issue)
- playframework <itp> (bug #646523)
@@ -39735,8 +39735,8 @@
NOT-FOR-US: RHEV
CVE-2015-1840 (jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and ...)
- ruby-jquery-rails 4.0.4-1 (bug #790395)
+ [jessie] - ruby-jquery-rails <no-dsa> (Minor issue)
[wheezy] - ruby-jquery-rails <no-dsa> (Minor issue)
- [jessie] - ruby-jquery-rails <no-dsa> (Minor issue)
NOTE: https://hackerone.com/reports/49935
NOTE: https://groups.google.com/forum/#!msg/rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J
NOTE: https://nodesecurity.io/advisories/15
@@ -40349,8 +40349,8 @@
NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/14
CVE-2015-XXXX [Linux ASLR mmap weakness: Reducing entropy by half]
- linux 4.0.2-1
+ [jessie] - linux 3.16.7-ckt17-1
[wheezy] - linux 3.2.71-1
- [jessie] - linux 3.16.7-ckt17-1
- linux-2.6 <removed>
[squeeze] - linux-2.6 <not-affected> (powerpc not supported in Squeeze LTS)
NOTE: http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html
@@ -42635,8 +42635,8 @@
NOT-FOR-US: Apache CloudStack
CVE-2015-1308 (kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote ...)
- kde-workspace 4:5.1.95-1
+ [jessie] - kde-workspace <no-dsa> (Minor issue)
[wheezy] - kde-workspace <no-dsa> (Minor issue)
- [jessie] - kde-workspace <no-dsa> (Minor issue)
CVE-2015-1307 (plasma-workspace before 5.1.95 allows remote attackers to obtain ...)
NOT-FOR-US: KDE Plasma 5 desktop, not yet packaged
CVE-2015-1306 (The newsletter posting area in the web interface in Sympa 6.0.x before ...)
@@ -42662,9 +42662,9 @@
CVE-2015-1199 [directory traversal vulnerabilities]
RESERVED
- ppmd <removed> (low; bug #775218)
+ [jessie] - ppmd <no-dsa> (Minor issue)
+ [wheezy] - ppmd <no-dsa> (Minor issue)
[squeeze] - ppmd <no-dsa> (Minor issue)
- [wheezy] - ppmd <no-dsa> (Minor issue)
- [jessie] - ppmd <no-dsa> (Minor issue)
CVE-2015-1195 (The V2 API in OpenStack Image Registry and Delivery Service (Glance) ...)
- glance 2014.1.3-11 (bug #775926)
[wheezy] - glance <not-affected> (Vulnerable code not present)
@@ -43428,16 +43428,16 @@
CVE-2015-0854 [Insecure use of system()]
RESERVED
- shutter 0.93.1-1 (low; bug #798862)
+ [jessie] - shutter <no-dsa> (Minor issue)
+ [wheezy] - shutter <no-dsa> (Minor issue)
[squeeze] - shutter <no-dsa> (Minor issue)
- [wheezy] - shutter <no-dsa> (Minor issue)
- [jessie] - shutter <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/shutter/+bug/1495163
CVE-2015-0853 [insecure use of os.system()]
RESERVED
- svn-workbench 1.7.0-1 (low; bug #798863)
+ [jessie] - svn-workbench <no-dsa> (Minor issue)
+ [wheezy] - svn-workbench <no-dsa> (Minor issue)
[squeeze] - svn-workbench <no-dsa> (Minor issue)
- [wheezy] - svn-workbench <no-dsa> (Minor issue)
- [jessie] - svn-workbench <no-dsa> (Minor issue)
CVE-2015-0852 (Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and ...)
{DSA-3392-1 DLA-327-1}
- freeimage 3.15.4-5 (bug #797165)
@@ -44344,9 +44344,9 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-XXXX [directory traversal]
- arc <unfixed> (low; bug #774527)
+ [jessie] - arc <no-dsa> (Minor issue)
+ [wheezy] - arc <no-dsa> (Minor issue)
[squeeze] - arc <no-dsa> (Minor issue)
- [wheezy] - arc <no-dsa> (Minor issue)
- [jessie] - arc <no-dsa> (Minor issue)
CVE-2015-XXXX [saves unknown host's fingerprint in known_hosts without any prompt]
- lftp 4.6.1-2 (low; bug #774769)
[jessie] - lftp 4.6.0-1+deb8u1
@@ -65882,9 +65882,9 @@
CVE-2014-1935 [insecure use of /tmp]
RESERVED
- 9base <unfixed> (low; bug #737206)
+ [jessie] - 9base <no-dsa> (Minor issue)
+ [wheezy] - 9base <no-dsa> (Minor issue)
[squeeze] - 9base <no-dsa> (Minor issue)
- [wheezy] - 9base <no-dsa> (Minor issue)
- [jessie] - 9base <no-dsa> (Minor issue)
CVE-2014-1934 (tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for ...)
- eyed3 <unfixed> (low; bug #737062)
[jessie] - eyed3 <no-dsa> (Minor issue)
@@ -75211,9 +75211,9 @@
NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5651 (The virBitmapParse function in util/virbitmap.c in libvirt before ...)
- libvirt 1.1.2~rc1-1
+ [jessie] - libvirt <not-affected> (vulnerable code not introduced, introduced in v0.10.2-rc1)
+ [wheezy] - libvirt <not-affected> (vulnerable code not introduced, introduced in v0.10.2-rc1)
[squeeze] - libvirt <not-affected> (vulnerable code not introduced, introduced in v0.10.2-rc1)
- [wheezy] - libvirt <not-affected> (vulnerable code not introduced, introduced in v0.10.2-rc1)
- [jessie] - libvirt <not-affected> (vulnerable code not introduced, introduced in v0.10.2-rc1)
NOTE: introduced by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=0fc89098a68f0f6962de8be4fc03ddd960ffbf08
NOTE: Upstream fix: http://libvirt.org/git/?p=libvirt.git;a=commit;h=47b9127e883677a0d60d767030a147450e919a25
CVE-2013-5646 (Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git ...)
@@ -78839,14 +78839,14 @@
NOT-FOR-US: Red Hat JBoss Operations Network
CVE-2013-4292 (libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of ...)
- libvirt 1.1.2~rc2-1 (bug #721325)
+ [jessie] - libvirt <not-affected> (Introduced with 1.1.0)
+ [wheezy] - libvirt <not-affected> (Introduced with 1.1.0)
[squeeze] - libvirt <not-affected> (Introduced with 1.1.0)
- [wheezy] - libvirt <not-affected> (Introduced with 1.1.0)
- [jessie] - libvirt <not-affected> (Introduced with 1.1.0)
CVE-2013-4291 (The virSecurityManagerSetProcessLabel function in libvirt 0.10.2.7, ...)
- libvirt 1.1.2-2
+ [jessie] - libvirt <not-affected> (vulnerable code not introduced, introduced in 1.1.1)
+ [wheezy] - libvirt <not-affected> (vulnerable code not introduced, introduced in 1.1.1)
[squeeze] - libvirt <not-affected> (vulnerable code not introduced, introduced in 1.1.1)
- [wheezy] - libvirt <not-affected> (vulnerable code not introduced, introduced in 1.1.1)
- [jessie] - libvirt <not-affected> (vulnerable code not introduced, introduced in 1.1.1)
NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=745aa55fbf3e076c4288d5ec3239f5a5d43508a6
CVE-2013-4290 (Stack-based buffer overflow in OpenJPEG before 1.5.2 allows remote ...)
- openjpeg <unfixed> (unimportant; bug #722540)
@@ -79206,8 +79206,8 @@
CVE-2013-4184 [symlink attacks]
RESERVED
- libdata-uuid-perl <unfixed> (low; bug #718949)
+ [jessie] - libdata-uuid-perl <no-dsa> (Rendered non-exploitable by kernel hardening)
[wheezy] - libdata-uuid-perl <no-dsa> (Rendered non-exploitable by kernel hardening)
- [jessie] - libdata-uuid-perl <no-dsa> (Rendered non-exploitable by kernel hardening)
CVE-2013-4183 (The clear_volume function in LVMVolumeDriver driver in OpenStack ...)
- cinder 2013.1.2-4 (bug #719010)
CVE-2013-4182 (app/controllers/api/v1/hosts_controller.rb in Foreman before 1.2.2 ...)
@@ -84076,8 +84076,8 @@
- keystone 2014.1-1
[wheezy] - keystone <no-dsa> (Minor issue)
- nova <unfixed>
+ [jessie] - nova <no-dsa> (Minor issue)
[wheezy] - nova <no-dsa> (Minor issue)
- [jessie] - nova <no-dsa> (Minor issue)
- quantum <unfixed>
[wheezy] - quantum <no-dsa> (Minor issue)
- swift <not-affected> (See https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
@@ -84156,9 +84156,9 @@
- qemu <not-affected> (Only affects win32 build)
CVE-2013-2230 (The qemu driver (qemu/qemu_driver.c) in libvirt before 1.1.1 allows ...)
- libvirt 1.1.0-3 (bug #715559)
+ [jessie] - libvirt <not-affected> (Vulnerable code introduced in with commit abf75aea)
+ [wheezy] - libvirt <not-affected> (Vulnerable code introduced in with commit abf75aea)
[squeeze] - libvirt <not-affected> (Vulnerable code introduced in with commit abf75aea)
- [wheezy] - libvirt <not-affected> (Vulnerable code introduced in with commit abf75aea)
- [jessie] - libvirt <not-affected> (Vulnerable code introduced in with commit abf75aea)
CVE-2013-2229
REJECTED
CVE-2013-2228 [RSA exponent of 1]
@@ -84198,9 +84198,9 @@
- 389-ds-base 1.3.2.9-1 (bug #718325)
CVE-2013-2218 (Double free vulnerability in the virConnectListAllInterfaces method in ...)
- libvirt 1.1.0-1 (bug #714699)
+ [jessie] - libvirt <not-affected> (Vulnerable code introduced in 1.0.6)
+ [wheezy] - libvirt <not-affected> (Vulnerable code introduced in 1.0.6)
[squeeze] - libvirt <not-affected> (Vulnerable code introduced in 1.0.6)
- [wheezy] - libvirt <not-affected> (Vulnerable code introduced in 1.0.6)
- [jessie] - libvirt <not-affected> (Vulnerable code introduced in 1.0.6)
NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=244e0b8cf15ca2ef48d82058e728656e6c4bad11
NOTE: Vulnerable code introduced in http://libvirt.org/git/?p=libvirt.git;a=commit;h=7ac2c4fe624f30f2c8270116513fa2ddab07631f
CVE-2013-2217 (cache.py in Suds 0.4, when tempdir is set to None, allows local users ...)
@@ -84618,8 +84618,8 @@
- python2.7 2.7.5-5 (low; bug #709066)
[wheezy] - python2.7 <not-affected> (Backport was introduced in 2.7.3-11)
- linkchecker 8.5-1 (low; bug #709067)
+ [wheezy] - linkchecker <no-dsa> (Minor issue)
[squeeze] - linkchecker <no-dsa> (Minor issue)
- [wheezy] - linkchecker <no-dsa> (Minor issue)
- python3.2 <removed> (low; bug #708530)
[wheezy] - python3.2 <no-dsa> (Minor issue)
- python3.3 3.3.2-3 (low; bug #708530)
@@ -84627,17 +84627,17 @@
- python2.5 <not-affected> (Introduced in Python 3.2)
- python3.1 <not-affected> (Introduced in Python 3.2)
- bzr 2.6.0~bzr6574-1 (low; bug #709068)
+ [wheezy] - bzr <no-dsa> (Minor issue)
[squeeze] - bzr <no-dsa> (Minor issue)
- [wheezy] - bzr <no-dsa> (Minor issue)
- python-urllib3 1.6-2 (low; bug #709070)
[wheezy] - python-urllib3 <no-dsa> (Minor issue)
- python-tornado 2.4.1-3 (low; bug #709069)
+ [wheezy] - python-tornado <no-dsa> (Minor issue)
[squeeze] - python-tornado <no-dsa> (Minor issue)
- [wheezy] - python-tornado <no-dsa> (Minor issue)
- w3af <unfixed> (low; bug #709071)
+ [jessie] - w3af <no-dsa> (Minor issue)
+ [wheezy] - w3af <no-dsa> (Minor issue)
[squeeze] - w3af <no-dsa> (Minor issue)
- [wheezy] - w3af <no-dsa> (Minor issue)
- [jessie] - w3af <no-dsa> (Minor issue)
- u1db 13.10-1 (low; bug #709486)
CVE-2013-2098
REJECTED
@@ -90778,8 +90778,8 @@
- gnutls28 3.0.22-3
- cyassl 2.9.4+dfsg-1
- haskell-tls <unfixed> (bug #796342)
+ [jessie] - haskell-tls <no-dsa> (Minor issue)
[wheezy] - haskell-tls <no-dsa> (Minor issue)
- [jessie] - haskell-tls <no-dsa> (Minor issue)
- matrixssl <removed> (low)
[squeeze] - matrixssl <no-dsa> (Minor issue)
[wheezy] - matrixssl <no-dsa> (Minor issue)
@@ -93685,11 +93685,11 @@
NOTE: btrfs support in Squeeze/Wheezy is not ready for production use
CVE-2012-5373 (Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash ...)
- openjdk-6 <removed> (low)
+ [wheezy] - openjdk-6 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
[squeeze] - openjdk-6 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
- [wheezy] - openjdk-6 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
- openjdk-7 <removed> (low)
+ [jessie] - openjdk-7 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
[wheezy] - openjdk-7 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
- [jessie] - openjdk-7 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
CVE-2012-5372 (Rubinius computes hash values without properly restricting the ability ...)
- rubinius <itp> (bug #591817)
CVE-2012-5371 (Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes ...)
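Review bot: for openjdk-6 the [wheezy] line now precedes [squeeze] and for openjdk-7 [jessie] precedes [wheezy], with the reason string "(Minor issue, no icedtea fix, too complex to backport)" identical on the removed and added lines; the one thing worth checking on a sort-only commit like this is exactly that byte-for-byte match, since an accidental edit to a reason or version string inside a reorder would be hard to spot later.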