[Git][security-tracker-team/security-tracker][master] Switch all bugzilla.novell.com URLs to bugzilla.suse.com
Paul Wise
pabs at debian.org
Wed Sep 18 05:28:22 BST 2019
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b37757a5 by Paul Wise at 2019-09-18T04:26:18Z
Switch all bugzilla.novell.com URLs to bugzilla.suse.com
The novell.com address is historical and deprecated.
Requested-by: Alexandros Toptsoglou <atoptsoglou at suse.com>
Requested-in: <a3bc5c9f-d52d-a79d-e1da-6a6484cee9ea at suse.com>
- - - - -
2 changed files:
- bin/tracker_service.py
- data/CVE/list
Changes:
=====================================
bin/tracker_service.py
=====================================
@@ -1545,7 +1545,7 @@ Debian bug number.'''),
def url_gentoo_bug(self, url, name):
return url.absolute("https://bugs.gentoo.org/show_bug.cgi", id=name)
def url_suse_bug(self, url, name):
- return url.absolute("https://bugzilla.novell.com/show_bug.cgi",
+ return url.absolute("https://bugzilla.suse.com/show_bug.cgi",
id=name)
def url_suse_cve(self, url, name):
return url.absolute("https://www.suse.com/security/cve/%s/" % name)
=====================================
data/CVE/list
=====================================
@@ -12503,7 +12503,7 @@ CVE-2019-12360 (A stack-based buffer over-read exists in FoFiTrueType::dumpStrin
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/cdb7ad95f7c8fbf63ade040d8a07ec96467042fc (poppler-0.32.0)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/bf4aae25a244b1033a2479b9a8f633224f7d5de5 (poppler-0.32.0)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=85243
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1136620
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1136620
CVE-2019-12359
RESERVED
CVE-2019-12358
@@ -25983,7 +25983,7 @@ CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
NOTE: https://hg.libsdl.org/SDL/rev/9b0e5c555c0f
NOTE: https://hg.libsdl.org/SDL/rev/32075e9e2135
- NOTE: Patch causes regressions for some applications/games: https://bugzilla.novell.com/show_bug.cgi?id=1124825
+ NOTE: Patch causes regressions for some applications/games: https://bugzilla.suse.com/show_bug.cgi?id=1124825
CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
@@ -35028,7 +35028,7 @@ CVE-2019-3886 (An incorrect permissions check was discovered in libvirt 4.8.0 an
[jessie] - libvirt <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1694880
NOTE: https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1131595#c3
NOTE: Introduced in: https://libvirt.org/git/?p=libvirt.git;a=commit;h=25736a4c7ed50c101b4f87935f350f1a39a89f6e (v4.8.0-rc1)
NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240
NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60
@@ -46999,7 +46999,7 @@ CVE-2018-19296 (PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an
CVE-2018-19295 (Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper I ...)
- singularity-container 2.6.1-1
NOTE: https://www.openwall.com/lists/oss-security/2018/12/12/2
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1111411
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1111411
CVE-2018-19294
RESERVED
CVE-2018-19293
@@ -47574,7 +47574,7 @@ CVE-2018-19216 (Netwide Assembler (NASM) before 2.13.02 has a use-after-free in
[jessie] - nasm <ignored> (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392425
NOTE: Fix: https://repo.or.cz/nasm.git/commitdiff/9b7ee09abfd426b99aa1ea81d19a3b2818eeabf9
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1115758#c7
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1115758#c7
CVE-2018-19215 (Netwide Assembler (NASM) 2.14rc16 has a heap-based buffer over-read in ...)
- nasm 2.14-1 (unimportant)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392525
@@ -51030,7 +51030,7 @@ CVE-2018-17954
RESERVED
CVE-2018-17953 (A incorrect variable in a SUSE specific patch for pam_access rule matc ...)
- pam <not-affected> (Issue introduced by SUSE specific patch)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1115640
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1115640
NOTE: Issue introduced by SUSE specific patch (pam-hostnames-in-access_conf.patch)
NOTE: https://build.opensuse.org/package/view_file/Linux-PAM/pam/pam-hostnames-in-access_conf.patch
NOTE: And fixed with (use-correct-IP-address.patch)
@@ -54548,7 +54548,7 @@ CVE-2018-16589
RESERVED
CVE-2018-16588 (Privilege escalation can occur in the SUSE useradd.c code in useradd, ...)
- shadow <not-affected> (SuSE-specific patch)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1106914
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1106914
NOTE: The SUSE specific patch was a first iteration of https://github.com/shadow-maint/shadow/pull/2
CVE-2018-16587 (In Open Ticket Request System (OTRS) 4.0.x before 4.0.32, 5.0.x before ...)
{DSA-4317-1 DLA-1521-1}
@@ -59550,12 +59550,12 @@ CVE-2018-14622 (A null-pointer dereference vulnerability was found in libtirpc b
- libtirpc 0.2.5-1.3 (bug #907608)
[stretch] - libtirpc 0.2.5-1.2+deb9u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1620293
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=968175
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=968175
NOTE: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=1c77f7a869bdea2a34799d774460d1f9983d45f0
CVE-2018-14621 (An infinite loop vulnerability was found in libtirpc before version 1. ...)
- libtirpc <not-affected> (Vulnerable code not in a released version)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1620290
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=968175
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=968175
NOTE: Introduced by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f (0.3.3-rc3)
NOTE: Fixed by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=fce98161d9815ea016855d9f00274276452c2c4b
CVE-2018-14620 (The OpenStack RabbitMQ container image insecurely retrieves the rabbit ...)
@@ -71616,7 +71616,7 @@ CVE-2018-10195 [rzsz: sz can leak data to receiving side]
[stretch] - lrzsz <no-dsa> (Minor issue)
[jessie] - lrzsz <no-dsa> (Minor issue)
[wheezy] - lrzsz <no-dsa> (Minor issue)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1090051
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1090051
NOTE: Fedora patch: https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch
CVE-2018-10194 (The set_text_distance function in devices/vector/gdevpdts.c in the pdf ...)
{DLA-1363-1}
@@ -72563,7 +72563,7 @@ CVE-2018-1000161 (nmap version 6.49BETA6 through 7.60, up to and including SVN r
NOTE: Fixed by: https://github.com/nmap/nmap/commit/88631b50676c38824e01d30819f46258a8497b0a
NOTE: Fixed by: https://github.com/nmap/nmap/commit/80e1977308e51b1b7aa038a38f8837a7e90b3849
NOTE: Introduced in https://github.com/nmap/nmap/commit/88381c2e685297a4fafe7182a06877b27da34e1e
- NOTE: Script added in 6.49BETA6 (cf. https://bugzilla.novell.com/show_bug.cgi?id=1088608#c1)
+ NOTE: Script added in 6.49BETA6 (cf. https://bugzilla.suse.com/show_bug.cgi?id=1088608#c1)
CVE-2018-1000159 (tlslite-ng version 0.7.3 and earlier, since commit d7b288316bca7bcdd08 ...)
- tlslite-ng 0.7.4-1 (low; bug #895728)
[stretch] - tlslite-ng 0.6.0-1+deb9u1
@@ -73571,7 +73571,7 @@ CVE-2018-9385 (In driver_override_store of bus.c, there is a possible out of bou
- linux 4.16.12-1
[stretch] - linux 4.9.107-1
[jessie] - linux <not-affected> (Vulnerable code not present)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1100491
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1100491
NOTE: Related, but not the same as CVE-2018-9415
CVE-2018-9384
RESERVED
@@ -81637,7 +81637,7 @@ CVE-2018-1000035 (A heap-based buffer overflow exists in Info-Zip UnZip version
[jessie] - unzip <no-dsa> (Harmless crash, builds with fortified source)
[wheezy] - unzip <no-dsa> (Harmless crash, builds with fortified source)
NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
- NOTE: Patch used in openSUSE:Factory/unzip: https://bugzilla.novell.com/attachment.cgi?id=759406
+ NOTE: Patch used in openSUSE:Factory/unzip: https://bugzilla.suse.com/attachment.cgi?id=759406
CVE-2018-1000034 (An out-of-bounds read exists in Info-Zip UnZip version 6.10c22 that al ...)
- unzip <not-affected> (Only affects 6.1c22)
NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
@@ -89740,7 +89740,7 @@ CVE-2017-17973 (** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2769
NOTE: Details on the issue are not confirmed by the reporter after several attempts
NOTE: and this does like a non-issue. More reprodicibly reports are from SUSE in
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1074318#c5 claiming this might be
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1074318#c5 claiming this might be
NOTE: a duplicate of CVE-2017-9935. Unless the reporter provides more details on
NOTE: upstream report go and consider this as non-issue.
CVE-2017-1000447
@@ -108340,7 +108340,7 @@ CVE-2017-14804 (The build package before 20171128 did not check directory names
- obs-build 20180302-1 (bug #887306)
[stretch] - obs-build 20160921-1+deb9u1
[jessie] - obs-build <no-dsa> (Minor issue)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1069904
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1069904
CVE-2017-14803 (In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server w ...)
NOT-FOR-US: NetIQ Access Manager
CVE-2017-14802 (Novell Access Manager Admin Console and IDP servers before 4.3.3 have ...)
@@ -110717,7 +110717,7 @@ CVE-2017-14033 (The decode method in the OpenSSL::ASN1 module in Ruby before 2.2
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- ruby1.8 <not-affected> (vunlerable code not present)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1058757
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1058757
NOTE: https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
NOTE: https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b
CVE-2017-14031 (An Improper Access Control issue was discovered in Trihedral VTScada 1 ...)
@@ -120194,7 +120194,7 @@ CVE-2016-10396 (The racoon daemon in IPsec-Tools 0.8.2 contains a remotely explo
[jessie] - ipsec-tools <no-dsa> (Will be fixed via point release)
NOTE: NetBSD applied patch: http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.5&r2=1.5.36.1
NOTE: NetBSD Problem report: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
- NOTE: Patch disputed, cf. https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1
+ NOTE: Patch disputed, cf. https://bugzilla.suse.com/show_bug.cgi?id=1047443#c1
NOTE: Updated patch: https://anonscm.debian.org/cgit/pkg-ipsec-tools/pkg-ipsec-tools.git/plain/debian/patches/CVE-2016-10396.patch?id=62ac12648a4eb7c5ba5dba0f81998d1acf310d8b
CVE-2017-10929 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 al ...)
{DLA-1016-1}
@@ -123655,7 +123655,7 @@ CVE-2017-9670 (An uninitialized stack variable vulnerability in load_tic_series(
[jessie] - gnuplot5 <not-affected> (Vulnerable code introduced later)
NOTE: https://sourceforge.net/p/gnuplot/bugs/1933/
NOTE: The specific CVE is for the uninitialized stack variable fixed via set.c
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1044638#c5
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1044638#c5
NOTE: Fixed by: https://github.com/gnuplot/gnuplot/commit/4e39b1d7b274c7d4a69cbaba85ff321264f4457e
NOTE: Introduced by: https://github.com/gnuplot/gnuplot/commit/cd4b777389379598740fc02decff772b0e7bcbd6
NOTE: Crash in a CLI tool, no security impact
@@ -124973,7 +124973,7 @@ CVE-2017-9274 (A shell command injection in the obs-service-source_validator bef
[stretch] - osc <no-dsa> (Minor issue)
[jessie] - osc <no-dsa> (Minor issue)
[wheezy] - osc <no-dsa> (Minor issue)
- NOTE: Details in https://bugzilla.novell.com/show_bug.cgi?id=938556
+ NOTE: Details in https://bugzilla.suse.com/show_bug.cgi?id=938556
NOTE: SUSE adressed the issue not only in the obs-service-source_validator
NOTE: and adding a validation in 0.162.0 when using OBS 2.9, cf.:
NOTE: https://github.com/openSUSE/osc/commit/f0325eb0b58c266eb0905ccf827dc7eb864378a1
@@ -129198,7 +129198,7 @@ CVE-2017-7860 (Google gRPC before 2017-02-22 has an out-of-bounds write caused b
- grpc 1.2.5-1+nmu0 (bug #860316)
CVE-2017-7859 (FFmpeg before 2017-03-05 has an out-of-bounds write caused by a heap-b ...)
- ffmpeg <not-affected> (Only affected master, not present in a release)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1034183
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1034183
NOTE: https://github.com/FFmpeg/FFmpeg/commit/70ebc05bce51215cd0857194d6cabf1e4d1440fb
CVE-2017-7858 (FreeType 2 before 2017-03-07 has an out-of-bounds write related to the ...)
- freetype <not-affected> (Vulnerable code introduced in 2.6.4)
@@ -160866,7 +160866,7 @@ CVE-2016-6662 (Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x thro
NOTE: yet to which CVE; those will unlikely made public before the next Oracle CPU.
NOTE: https://marc.info/?l=oss-security&m=147367658314062&w=2
NOTE: http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=998309
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=998309
NOTE: Fixed in upstream Oracle MySQL 5.5.52, 5.6.33 and 5.7.15
NOTE: MariaDB: https://jira.mariadb.org/browse/MDEV-10465
NOTE: Fixed in upstream MariaDB 5.5.51, 10.0.27, 10.1.17
@@ -171129,7 +171129,7 @@ CVE-2016-3689 (The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu
[jessie] - linux 3.16.36-1
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: Upstream fix: https://git.kernel.org/linus/a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff (v4.6-rc1)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=971628
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=971628
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1320060
CVE-2016-3682
REJECTED
@@ -175345,7 +175345,7 @@ CVE-2016-2324 (Integer overflow in Git before 2.7.4 allows remote attackers to e
- git 1:2.8.0~rc3-1 (bug #818318)
NOTE: Removal of path_name: https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d (v2.8.0-rc0)
NOTE: http://www.openwall.com/lists/oss-security/2016/03/16/2
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=971328#c4
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=971328#c4
- cgit <not-affected> (path_name function from embedded git is not called)
CVE-2016-2323
RESERVED
@@ -186131,7 +186131,7 @@ CVE-2015-7575 (Mozilla Network Security Services (NSS) before 3.20.2, as used in
[squeeze] - nss <not-affected> (only affects nss post 2012-07-26)
[wheezy] - nss <not-affected> (TLS 1.2 not supported in 3.14, only 3.15.1 and above)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
- NOTE: Patch in SuSE Bugzilla: https://bugzilla.novell.com/attachment.cgi?id=660286
+ NOTE: Patch in SuSE Bugzilla: https://bugzilla.suse.com/attachment.cgi?id=660286
NOTE: NSS upstream fix is actually in 3.20.2: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.20.2_release_notes
NOTE: NSS patch: https://hg.mozilla.org/projects/nss/raw-rev/891676aa0d85
- openssl 1.0.1f-1
@@ -186223,8 +186223,8 @@ CVE-2015-7554 (The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows
[jessie] - tiff 4.0.3-12.3+deb8u4
- tiff3 <removed>
NOTE: http://www.openwall.com/lists/oss-security/2015/12/26/7
- NOTE: SUSE seem to have a fix (disputed): https://bugzilla.novell.com/show_bug.cgi?id=960341
- NOTE: Reproducer file here: https://bugzilla.novell.com/attachment.cgi?id=665389
+ NOTE: SUSE seem to have a fix (disputed): https://bugzilla.suse.com/show_bug.cgi?id=960341
+ NOTE: Reproducer file here: https://bugzilla.suse.com/attachment.cgi?id=665389
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2564
NOTE: partially fixed by http://bugzilla.maptools.org/show_bug.cgi?id=2564#c2
NOTE: --
@@ -196087,7 +196087,7 @@ CVE-2014-9720
{DLA-475-1 DLA-279-1}
- python-tornado 3.2.2-1
NOTE: https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=930362
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=930362
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1222816
CVE-2014-9719
RESERVED
@@ -197667,7 +197667,7 @@ CVE-2015-3418 (The ProcPutImage function in dix/dispatch.c in X.Org Server (aka
- xorg-server 2:1.16.4-1 (bug #774308)
[wheezy] - xorg-server 2:1.12.4-6+deb7u6
NOTE: http://cgit.freedesktop.org/xorg/xserver/commit/?id=dc777c346d5d452a53b13b917c45f6a1bad2f20b
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=928520 (not public yet)
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=928520 (not public yet)
CVE-2015-3417 (Use-after-free vulnerability in the ff_h264_free_tables function in li ...)
{DSA-3288-1}
- ffmpeg 7:2.6.1-1
@@ -206113,7 +206113,7 @@ CVE-2015-0900 (Cross-site scripting (XSS) vulnerability in schedule.cgi in Nishi
CVE-2015-0899 (The MultiPageValidator implementation in Apache Struts 1 1.1 through 1 ...)
{DSA-3536-1 DLA-292-1}
- libstruts1.2-java <removed>
- NOTE: Patch in SuSE Bugzilla: https://bugzilla.novell.com/attachment.cgi?id=629559
+ NOTE: Patch in SuSE Bugzilla: https://bugzilla.suse.com/attachment.cgi?id=629559
NOTE: Patch appplies cleanly to the Wheezy and Squeeze versions
CVE-2015-0898 (futomi CGI Cafe MP Form Mail CGI eCommerce before 2.0.12 on Windows al ...)
NOT-FOR-US: futomi CGI Cafe MP Form Mail CGI eCommerce
@@ -206544,11 +206544,11 @@ CVE-2015-0778 (osc before 0.151.0 allows remote attackers to execute arbitrary c
- osc 0.149.0-2 (low; bug #780410)
[wheezy] - osc 0.134.1-2+deb7u1
[squeeze] - osc <no-dsa> (Minor issue)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=901643
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=901643
CVE-2015-0777 (drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3 ...)
- linux <not-affected> (Addon Xen usbback patch not present)
- linux-2.6 <not-affected> (Addon Xen usbback patch not present)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=917830
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=917830
CVE-2015-0776 (telnetd in Cisco IOS XR 5.0.1 on Network Convergence System 6000 devic ...)
NOT-FOR-US: Cisco IOS
CVE-2015-0775 (The banner (aka MOTD) implementation in Cisco NX-OS 4.1(2)E1(1f) on Ne ...)
@@ -217285,7 +217285,7 @@ CVE-2014-6270 (Off-by-one error in the snmpHandleUdp function in snmp_core.cc in
- squid3 3.4.8-1 (low; bug #761002)
[wheezy] - squid3 <no-dsa> (Minor issue)
[squeeze] - squid3 <no-dsa> (Minor issue)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=895773
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=895773
NOTE: Upstream commits: http://bazaar.launchpad.net/~squid/squid/trunk/revision/13574
NOTE: http://bazaar.launchpad.net/~squid/squid/trunk/revision/13582
NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_3.txt
@@ -217296,7 +217296,7 @@ CVE-2014-7142 (The pinger in Squid 3.x before 3.4.8 allows remote attackers to o
- squid3 3.4.8-1 (bug #760999)
[squeeze] - squid3 <no-dsa> (Minor issue)
[wheezy] - squid3 <no-dsa> (Minor issue)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=891268
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=891268
NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
CVE-2014-7141 (The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain ...)
- squid 4.1-1
@@ -217305,7 +217305,7 @@ CVE-2014-7141 (The pinger in Squid 3.x before 3.4.8 allows remote attackers to o
- squid3 3.4.8-1 (bug #760999)
[squeeze] - squid3 <no-dsa> (Minor issue)
[wheezy] - squid3 <no-dsa> (Minor issue)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=891268
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=891268
NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
CVE-2014-6268 (The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest u ...)
- xen 4.4.1-3
@@ -220146,7 +220146,7 @@ CVE-2014-5044 (Multiple integer overflows in libgfortran might allow remote atta
CVE-2014-5033 (KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-B ...)
{DSA-3004-1 DLA-76-1}
- kde4libs 4:4.13.3-2 (bug #755814)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=864716
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=864716
NOTE: http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23
CVE-2014-5032 (GLPI before 0.84.7 does not properly restrict access to cost informati ...)
- glpi <removed> (unimportant)
@@ -221165,7 +221165,7 @@ CVE-2014-4611 (Integer overflow in the LZ4 algorithm implementation, as used in
[wheezy] - linux <not-affected> (LZ4 support introduced in 3.11)
- linux-2.6 <not-affected> (LZ4 support introduced in 3.11)
NOTE: possible fix in https://lkml.org/lkml/2014/7/4/288
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=883949#c12
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=883949#c12
- lz4 0.0~r119-1
NOTE: Not exploitable for lz* compressed kernel images: http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html
NOTE: for lz4: https://code.google.com/p/lz4/issues/detail?id=52 and https://code.google.com/p/lz4/source/detail?r=118
@@ -222475,11 +222475,11 @@ CVE-2014-4040 (snap in powerpc-utils 1.2.20 produces an archive with fstab and y
NOTE: 1.3.1-2 upload removed /usr/sbin/snap from the installed binary package
CVE-2014-4039 (ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does no ...)
- ppc64-diag 2.7.1-5
- NOTE: SuSE Patch: https://bugzilla.novell.com/attachment.cgi?id=599147
+ NOTE: SuSE Patch: https://bugzilla.suse.com/attachment.cgi?id=599147
CVE-2014-4038 (ppc64-diag 2.6.1 allows local users to overwrite arbitrary files via a ...)
- ppc64-diag 2.7.1-5
NOTE: Issue partially fixed in 2.7.1-1, but not all parts fixed
- NOTE: SuSE Patch: https://bugzilla.novell.com/attachment.cgi?id=599147
+ NOTE: SuSE Patch: https://bugzilla.suse.com/attachment.cgi?id=599147
CVE-2014-4037 (Cross-site scripting (XSS) vulnerability in editor/dialog/fck_spellerp ...)
- fckeditor <removed> (low; bug #752873)
[wheezy] - fckeditor <no-dsa> (Minor issue)
@@ -224029,7 +224029,7 @@ CVE-2014-3535 (include/linux/netdevice.h in the Linux kernel before 2.6.36 incor
- linux <not-affected> (RHEL-specific, incomplete backport)
- linux-2.6 <not-affected> (RHEL-specific, incomplete backport)
NOTE: Fix: https://git.kernel.org/linus/256df2f3879efdb2e9808bdb1b54b16fbb11fa38
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=896015#c8
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=896015#c8
CVE-2014-3534 (arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s39 ...)
{DSA-2992-1}
- linux 3.14.13-2 (bug #728705)
@@ -230954,7 +230954,7 @@ CVE-2014-1203 (The get_login_ip_config_file function in Eyou Mail System before
CVE-2014-0979 (The start_authentication function in lightdm-gtk-greeter.c in LightDM ...)
- lightdm-gtk-greeter 1.6.1-5 (bug #734472)
NOTE: https://bugs.launchpad.net/lightdm-gtk-greeter/+bug/1266449
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=857303
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=857303
[wheezy] - lightdm-gtk-greeter <not-affected> (in Wheezy, lightdm restarts when the greeter crashes, so there's no DoS)
CVE-2014-0978 (Stack-based buffer overflow in the yyerror function in lib/cgraph/scan ...)
{DSA-2843-1}
@@ -235905,7 +235905,7 @@ CVE-2013-6427 (upgrade.py in the hp-upgrade service in HP Linux Imaging and Prin
{DSA-2829-1}
- hplip 3.13.11-2 (bug #731480)
[squeeze] - hplip <not-affected> (Vulnerable code not present)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=853405
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=853405
CVE-2013-6426 (The cloudformation-compatible API in OpenStack Orchestration API (Heat ...)
- heat 2013.2.1-1 (bug #732033)
NOTE: https://launchpad.net/bugs/1256049
@@ -236015,7 +236015,7 @@ CVE-2013-6403 (The admin page in ownCloud before 5.0.13 allows remote attackers
CVE-2013-6402 (base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 ...)
{DSA-2829-1}
- hplip 3.13.11-2.1 (bug #725876)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=852368
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=852368
CVE-2013-6401 (Jansson, possibly 2.4 and earlier, does not restrict the ability to tr ...)
- jansson 2.6-1 (bug #738647)
[wheezy] - jansson <no-dsa> (Minor issue)
@@ -241981,7 +241981,7 @@ CVE-2013-4160 (Little CMS (lcms2) before 2.5, as used in OpenJDK 7 and possibly
- lcms2 2.2+git20110628-2.3 (bug #714529)
[wheezy] - lcms2 2.2+git20110628-2.2+deb7u1
NOTE: https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=826097#c9
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=826097#c9
CVE-2013-4159 (ctdb before 2.3 in OpenSUSE 12.3 and 13.1 does not create temporary fi ...)
- ctdb 2.5.1+debian0-1 (bug #749840)
[wheezy] - ctdb <no-dsa> (Minor issue)
@@ -250527,7 +250527,7 @@ CVE-2013-1091 (Stack-based buffer overflow in Novell iPrint Client before 5.90 a
NOT-FOR-US: Novell iPrint Client
CVE-2013-1090 (The SUSE horde5 package before 5.0.2-2.4.1 sets incorrect ownership fo ...)
- php-horde <not-affected> (SuSE specific packaging flaw)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=811369
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=811369
CVE-2013-1089
RESERVED
CVE-2013-1088 (Cross-site request forgery (CSRF) vulnerability in Novell iManager 2.7 ...)
@@ -253146,7 +253146,7 @@ CVE-2013-0263 (Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.
{DSA-2783-1}
- ruby-rack 1.4.1-2.1 (bug #700226)
- librack-ruby <removed> (bug #700226)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=802794
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=802794
NOTE: Patches in git, commits 0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 and 9a81b961457805f6d1a5c275d053068440421e11
CVE-2013-0262 (rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before ...)
- ruby-rack 1.4.1-2.1 (bug #700173)
@@ -254202,7 +254202,7 @@ CVE-2012-6098 (grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19,
CVE-2012-6097 (File descriptor leak in cronie 1.4.8, when running in certain environm ...)
[experimental] - cronie <unfixed> (low; bug #697811)
NOTE: Only present in experimental
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=786096
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=786096
CVE-2012-6096 (Multiple stack-based buffer overflows in the get_history function in h ...)
{DSA-2653-1 DSA-2616-1}
- icinga 1.7.1-5 (bug #697931)
@@ -255880,7 +255880,7 @@ CVE-2012-5581 (Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2
CVE-2012-5580 (Format string vulnerability in the print_proxies function in bin/proxy ...)
- libproxy 0.3.1-4 (low)
[squeeze] - libproxy <no-dsa> (Minor issue)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=791086
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=791086
NOTE: https://code.google.com/p/libproxy/source/detail?r=475
CVE-2012-5579
REJECTED
@@ -261423,7 +261423,7 @@ CVE-2012-3524 (libdbus 1.5.x and earlier, when used in setuid or other privilege
[squeeze] - glib2.0 <not-affected> (Vulnerable code not present)
NOTE: fixed in 2.34.0-1 from experimental
NOTE: http://www.openwall.com/lists/oss-security/2012/09/12/6
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=697105
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=697105
NOTE: http://stealth.openwall.net/null/dzug.c
CVE-2012-3523 (The STARTTLS implementation in nnrpd in INN before 2.5.3 does not prop ...)
- inn <not-affected> (STARTTLS was introduced in 2.3, see bug #685581)
@@ -261562,7 +261562,7 @@ CVE-2012-3481 (Integer overflow in the ReadImage function in plug-ins/common/fil
- gimp 2.8.2-1 (bug #685397)
[squeeze] - gimp 2.6.10-1+squeeze4
NOTE: http://www.openwall.com/lists/oss-security/2012/08/20/8
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=776572
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=776572
CVE-2012-3480 (Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, ...)
{DLA-165-1}
- eglibc 2.13-36 (bug #684889)
@@ -261899,11 +261899,11 @@ CVE-2012-3383 (The map_meta_cap function in wp-includes/capabilities.php in Word
CVE-2012-3382 (Cross-site scripting (XSS) vulnerability in the ProcessRequest functio ...)
{DSA-2512-1}
- mono 2.10.8.1-5 (bug #681095)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=769799
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=769799
NOTE: https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
CVE-2012-3381 (sfcb in sblim-sfcb places a zero-length directory name in the LD_LIBRA ...)
NOT-FOR-US: sblim-sfcb
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=770234
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=770234
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=838160
NOTE: http://www.openwall.com/lists/oss-security/2012/07/06/7
NOTE: http://www.openwall.com/lists/oss-security/2012/07/06/8
@@ -263154,7 +263154,7 @@ CVE-2012-2846 (Google Chrome before 21.0.1180.57 on Linux does not properly isol
CVE-2012-2845 (Integer overflow in the jpeg_data_load_data function in jpeg-data.c in ...)
- exif 0.6.20-2 (low; bug #681465)
[squeeze] - exif <no-dsa> (Minor crasher)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=771229
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229
NOTE: http://seclists.org/oss-sec/2012/q3/74
CVE-2012-2844 (The PDF functionality in Google Chrome before 20.0.1132.57 does not pr ...)
- chromium-browser <not-affected>
@@ -263167,12 +263167,12 @@ CVE-2012-2842 (Use-after-free vulnerability in Google Chrome before 20.0.1132.57
CVE-2012-2841 (Integer underflow in the exif_entry_get_value function in exif-entry.c ...)
{DSA-2559-1}
- libexif 0.6.20-3 (bug #681454)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=771229
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229
NOTE: http://seclists.org/oss-sec/2012/q3/74
CVE-2012-2840 (Off-by-one error in the exif_convert_utf16_to_utf8 function in exif-en ...)
{DSA-2559-1}
- libexif 0.6.20-3 (bug #681454)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=771229
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229
NOTE: http://seclists.org/oss-sec/2012/q3/74
CVE-2012-2839
RESERVED
@@ -263181,12 +263181,12 @@ CVE-2012-2838
CVE-2012-2837 (The mnote_olympus_entry_get_value function in olympus/mnote-olympus-en ...)
{DSA-2559-1}
- libexif 0.6.20-3 (bug #681454)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=771229
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229
NOTE: http://seclists.org/oss-sec/2012/q3/74
CVE-2012-2836 (The exif_data_load_data function in exif-data.c in the EXIF Tag Parsin ...)
{DSA-2559-1}
- libexif 0.6.20-3 (bug #681454)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=771229
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229
NOTE: http://seclists.org/oss-sec/2012/q3/74
CVE-2012-2835
RESERVED
@@ -263247,17 +263247,17 @@ CVE-2012-2815 (Google Chrome before 20.0.1132.43 allows remote attackers to obta
CVE-2012-2814 (Buffer overflow in the exif_entry_format_value function in exif-entry. ...)
{DSA-2559-1}
- libexif 0.6.20-3 (bug #681454)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=771229
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229
NOTE: http://seclists.org/oss-sec/2012/q3/74
CVE-2012-2813 (The exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Ta ...)
{DSA-2559-1}
- libexif 0.6.20-3 (bug #681454)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=771229
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229
NOTE: http://seclists.org/oss-sec/2012/q3/74
CVE-2012-2812 (The exif_entry_get_value function in exif-entry.c in the EXIF Tag Pars ...)
{DSA-2559-1}
- libexif 0.6.20-3 (bug #681454)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=771229
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=771229
NOTE: http://seclists.org/oss-sec/2012/q3/74
CVE-2012-2811
RESERVED
@@ -263665,7 +263665,7 @@ CVE-2012-2670 (manageuser.php in Collabtive before 0.7.6 allows remote authentic
CVE-2012-2669 (The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distri ...)
- linux 3.2.23-1
[squeeze] - linux-2.6 <not-affected> (userspace daemon not yet present)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=761200
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=761200
CVE-2012-2668 (libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, wh ...)
- openldap <not-affected> (OpenLDAP in Debian uses GNUTLS instead of Mozilla NSS)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=825875
@@ -265103,7 +265103,7 @@ CVE-2012-2133 (Use-after-free vulnerability in the Linux kernel before 3.3.6, wh
- linux-2.6 3.2.19-1
CVE-2012-2132 (libsoup 2.32.2 and earlier does not validate certificates or clear the ...)
- midori <unfixed> (unimportant; bug #672880)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=758431
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=758431
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=817692
CVE-2012-2131 (Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSS ...)
{DSA-2454-2}
@@ -276067,9 +276067,9 @@ CVE-2011-3173 (Stack-based buffer overflow in the GetDriverSettings function in
NOT-FOR-US: Novell Open Enterprise Server
CVE-2011-3172 (A vulnerability in pam_modules of SUSE SUSE Linux Enterprise allows at ...)
- libpam-unix2 <removed>
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=707645
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=707645
NOTE: Issue was not fixed up to the version removed from unstable.
- NOTE: Proposed update form SUSE: https://bugzilla.novell.com/attachment.cgi?id=441720
+ NOTE: Proposed update form SUSE: https://bugzilla.suse.com/attachment.cgi?id=441720
CVE-2011-3171 (Directory traversal vulnerability in pure-FTPd 1.0.22 and possibly oth ...)
NOT-FOR-US: pure-FTPd add-on
CVE-2011-3170 (The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earl ...)
@@ -285835,7 +285835,7 @@ CVE-2009-5029 (Integer overflow in the __tzfile_read function in glibc before 2.
[squeeze] - eglibc 2.11.3-3
- glibc 2.13-24
NOTE: http://support.novell.com/security/cve/CVE-2009-5029.html
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=735850
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=735850
CVE-2009-5028 (Stack-based buffer overflow in Namazu before 2.0.20 allows remote atta ...)
- namazu2 2.0.20-1.0 (low)
CVE-2009-5027
@@ -320455,7 +320455,7 @@ CVE-2008-3423 (IBM WebSphere Portal 5.1 through 6.1.0.0 allows remote attackers
NOT-FOR-US: IBM WebSphere Portal
CVE-2008-3422 (Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net cla ...)
- mono 1.9.1+dfsg-4 (low; bug #494406)
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=413534
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=413534
NOTE: http://n2.nabble.com/-PATCH--HTML-encode-attributes-that-might-need-encoding-td584193.html
CVE-2004-2760 (sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately c ...)
- openssh 1:3.6p1-1 (unimportant)
@@ -358408,7 +358408,7 @@ CVE-2005-4779 (verifiedexecioctl in verified_exec.c in NetBSD 2.0.2 calls NDINIT
NOT-FOR-US: NetBSD
CVE-2005-4778 (The powersave daemon in SUSE Linux 10.0 before 20051007 has an unspeci ...)
- powersave 0.12.7-1
- NOTE: https://bugzilla.novell.com/show_bug.cgi?id=119628&x=18&y=11&=Find
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=119628&x=18&y=11&=Find
CVE-2005-4777 (Tashcom ASPEdit 2.9 stores the administration password (aka the FTP pa ...)
NOT-FOR-US: Tashcom ASPEdit
CVE-2005-4776 (Integer overflow in the FreeBSD compatibility code (freebsd_misc.c) in ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b37757a5658d6f141d207fea480539abf366924e
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b37757a5658d6f141d207fea480539abf366924e
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190918/14a9fa83/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list