[Secure-testing-commits] r42404 - data/CVE
security tracker role
sectracker at moszumanska.debian.org
Wed Jun 8 21:10:11 UTC 2016
Author: sectracker
Date: 2016-06-08 21:10:11 +0000 (Wed, 08 Jun 2016)
New Revision: 42404
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-06-08 20:34:20 UTC (rev 42403)
+++ data/CVE/list 2016-06-08 21:10:11 UTC (rev 42404)
@@ -1,3 +1,27 @@
+CVE-2016-5336
+ RESERVED
+CVE-2016-5335
+ RESERVED
+CVE-2016-5334
+ RESERVED
+CVE-2016-5333
+ RESERVED
+CVE-2016-5332
+ RESERVED
+CVE-2016-5331
+ RESERVED
+CVE-2016-5330
+ RESERVED
+CVE-2016-5329
+ RESERVED
+CVE-2016-5328
+ RESERVED
+CVE-2016-5327
+ RESERVED
+CVE-2016-5326
+ RESERVED
+CVE-2016-5325
+ RESERVED
CVE-2016-XXXX [wnpa-sec-2016-38]
- wireshark 2.0
NOTE: Only affects 1.12, marking 2.0 as fixed
@@ -1343,7 +1367,7 @@
- onionshare 0.8.1-2 (unimportant)
[jessie] - onionshare <not-affected> (Vulnerable code not present)
NOTE: Neutralised by kernel hardening (also contrib and non-free not supported)
-CVE-2016-4963 (The libxl device-handling in Xen through 4.6.x allows local OS guest ...)
+CVE-2016-4963 (The libxl device-handling in Xen through 4.6.x allows local guest OS ...)
- xen <unfixed>
[jessie] - xen <no-dsa> (Minor issue, too intrusive to backport)
NOTE: http://xenbits.xen.org/xsa/advisory-178.html
@@ -2328,8 +2352,8 @@
RESERVED
CVE-2016-4548
RESERVED
-CVE-2016-4545
- RESERVED
+CVE-2016-4545 (Virtual servers in F5 BIG-IP 11.5.4, when SSL profiles are enabled, ...)
+ TODO: check
CVE-2016-4561 (Cross-site scripting (XSS) vulnerability in the cgierror function in ...)
{DSA-3571-1 DLA-463-1}
- ikiwiki 3.20160506
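Review bot: CVE-2016-4545 moves from RESERVED to "TODO: check" even though the new description already names F5 BIG-IP virtual servers as the affected product. Other vendor-product entries visible in this diff (Splunk, Adobe, Apache James) are triaged as NOT-FOR-US with the product name, so this entry can probably be closed the same way, for example "NOT-FOR-US: F5 BIG-IP", rather than left in the TODO queue.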
@@ -6222,8 +6246,7 @@
NOT-FOR-US: Pulp (Red Hat)
CVE-2016-3094 (PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker ...)
NOT-FOR-US: Apache Qpid Java Broker
-CVE-2016-3093
- RESERVED
+CVE-2016-3093 (Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method ...)
- libstruts1.2-java <not-affected> (Only affects Struts 2.x)
NOTE: https://struts.apache.org/docs/s2-034.html
CVE-2016-3092
@@ -6239,8 +6262,7 @@
[jessie] - activemq <not-affected> (file server was only enabled in 5.13.2+dfsg-2)
[wheezy] - activemq <not-affected> (file server was only enabled in 5.13.2+dfsg-2)
NOTE: http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
-CVE-2016-3087
- RESERVED
+CVE-2016-3087 (Apache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and ...)
- libstruts1.2-java <not-affected> (Only affects Struts 2.x)
NOTE: https://struts.apache.org/docs/s2-033.html
CVE-2016-3086
@@ -6300,8 +6322,7 @@
TODO: check (texlive, libwmf)
CVE-2016-3073
RESERVED
-CVE-2016-3072
- RESERVED
+CVE-2016-3072 (Multiple SQL injection vulnerabilities in the scoped_search function ...)
NOT-FOR-US: Katello
CVE-2016-3071 (Libreswan 3.16 might allow remote attackers to cause a denial of ...)
- libreswan <itp> (bug #773459)
@@ -19138,8 +19159,7 @@
CVE-2015-7696 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of ...)
{DSA-3386-1 DLA-330-1}
- unzip 6.0-19 (bug #802162)
-CVE-2015-7695 [ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite)]
- RESERVED
+CVE-2015-7695 (The PDO adapters in Zend Framework before 1.12.16 do not filer null ...)
{DSA-3369-1 DLA-326-1}
- zendframework 1.12.16+dfsg-1
NOTE: http://framework.zend.com/security/advisory/ZF2015-08
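Review bot: The added CVE-2015-7695 line reads "do not filer null", a typo for "filter" in the description text. Since the log marks this commit as an automatic update, the typo presumably comes with the imported description and is better corrected at its source than by hand in data/CVE/list. The removed bracketed title carried the ZF2015-08 advisory id, but the NOTE line below still links that advisory, so the reference is not lost.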
@@ -19406,8 +19426,7 @@
- owncloud 7.0.9~dfsg-1
NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-018
NOTE: https://github.com/owncloud/core/commit/b05e178bbf884b120d1106e6a28f35aa50d6d06f
-CVE-2015-7611
- RESERVED
+CVE-2015-7611 (Apache James Server 2.3.2, when configured with file-based user ...)
NOT-FOR-US: Apache James
CVE-2015-7604 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk ...)
NOT-FOR-US: Splunk
@@ -21430,8 +21449,7 @@
NOTE: https://savannah.nongnu.org/bugs/?41590
NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=df14e6c0b9592cbb24d5381dfc6106b14f915e75 (VER-2-5-3)
NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4
-CVE-2014-9746 [use of uninitialized data]
- RESERVED
+CVE-2014-9746 (The (1) t1_parse_font_matrix function in type1/t1load.c, (2) ...)
{DSA-3370-1 DLA-319-1}
- freetype 2.6-1 (bug #798619)
NOTE: https://launchpad.net/bugs/1449225
@@ -21439,8 +21457,7 @@
NOTE: https://savannah.nongnu.org/bugs/?41309
NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=8b281f83e8516535756f92dbf90940ac44bd45e1 (VER-2-5-3)
NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4
-CVE-2014-9747 [t42parse.c vulnerability]
- RESERVED
+CVE-2014-9747 (The t42_parse_encoding function in type42/t42parse.c in FreeType ...)
{DSA-3370-1 DLA-319-1}
- freetype 2.6-1 (bug #798619)
NOTE: https://launchpad.net/bugs/1449225
@@ -21927,8 +21944,7 @@
NOT-FOR-US: Adobe
CVE-2015-6724 (The ANSendForApproval method in Adobe Reader and Acrobat 10.x before ...)
NOT-FOR-US: Adobe
-CVE-2015-5723 [Security Misconfiguration Vulnerability in various Doctrine projects]
- RESERVED
+CVE-2015-5723 (Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before ...)
{DSA-3369-1}
- php-doctrine-annotations 1.2.7-1 (low)
[jessie] - php-doctrine-annotations 1.2.1-1+deb8u1
@@ -25585,7 +25601,7 @@
CVE-2015-5325 (CloudBees Jenkins before 1.638 and LTS before 1.625.2 allow attackers ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
-CVE-2015-5324 (CloudBees Jenkins before 1.638 and LTS before 1.625.2 allow remote ...)
+CVE-2015-5324 (Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to ...)
- jenkins <removed>
NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11
CVE-2015-5323 (CloudBees Jenkins before 1.638 and LTS before 1.625.2 do not properly ...)
@@ -25884,12 +25900,10 @@
NOTE: Proposed patch for commons-httpclient: https://bugzilla.redhat.com/show_bug.cgi?id=1259892
NOTE: Checked that both 4.0.1 (in Squeeze) and 4.1.1 (in Wheezy) have the call to set the timout before the SSL connection is opened.
NOTE: Jessie's 4.3.5-2 is however missing the upstream patch: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?r1=1560975&r2=1626784
-CVE-2015-5261 [host memory access from guest using crafted images]
- RESERVED
+CVE-2015-5261 (Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS ...)
{DSA-3371-1}
- spice 0.12.5-1.3 (bug #801091)
-CVE-2015-5260 [Insufficient validation of surface_id parameter can cause crash]
- RESERVED
+CVE-2015-5260 (Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS ...)
{DSA-3371-1}
- spice 0.12.5-1.3 (bug #801089)
CVE-2015-5259 (Integer overflow in the read_string function in ...)
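Review bot: After this change CVE-2015-5261 and CVE-2015-5260 carry the identical truncated description "Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS ...", and the bracketed titles that told them apart (host memory access via crafted images versus insufficient validation of the surface_id parameter) are removed. Only the bug numbers #801091 and #801089 now distinguish the two entries; consider keeping each former title as a NOTE: line under its entry so a triager can tell them apart without opening the bugs.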
@@ -26005,8 +26019,7 @@
CVE-2015-5232
RESERVED
NOT-FOR-US: OPA Fabric Manager and OPA tools and Fast Fabric
-CVE-2015-5231 [service daemon allows to bypass ptrace policy]
- RESERVED
+CVE-2015-5231 (The service daemon in CRIU does not properly restrict access to ...)
- criu 1.8-2 (bug #797110)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1256728
CVE-2015-5230
@@ -26019,8 +26032,7 @@
CVE-2015-5229 (The calloc function in the glibc package in Red Hat Enterprise Linux ...)
- glibc <not-affected> (RHEL-specific backport)
- eglibc <not-affected> (RHEL-specific backport)
-CVE-2015-5228 [arbitrary file creation and chown]
- RESERVED
+CVE-2015-5228 (The service daemon in CRIU creates log and dump files insecurely, ...)
- criu 1.8-2 (bug #797111)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1255782
CVE-2015-5227
@@ -29374,8 +29386,7 @@
RESERVED
CVE-2015-4027 (The AcuWVSSchedulerv10 service in Acunetix Web Vulnerability Scanner ...)
NOT-FOR-US: Acunetix Web Vulnerability Scanner
-CVE-2013-7440 [incorrect wildcard matching rules]
- RESERVED
+CVE-2013-7440 (The ssl.match_hostname function in CPython (aka Python) before 2.7.9 ...)
- python3.4 3.4~b1-4
- python3.3 3.3.3-1
- python3.2 <removed>
@@ -46053,8 +46064,7 @@
CVE-2014-8178
RESERVED
- docker.io 1.8.3~ds1-1
-CVE-2014-8177
- RESERVED
+CVE-2014-8177 (The Red Hat gluster-swift package, as used in Red Hat Gluster Storage ...)
NOT-FOR-US: gluster-swift
CVE-2014-8176 (The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before ...)
{DSA-3287-1 DLA-247-1}