[Secure-testing-commits] r23771 - in data: . DSA

2013-09-24 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-24 13:38:40 +0000 (Tue, 24 Sep 2013)
New Revision: 23771

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA number for pyopenssl

Modified: data/DSA/list
===
--- data/DSA/list   2013-09-24 11:52:01 UTC (rev 23770)
+++ data/DSA/list   2013-09-24 13:38:40 UTC (rev 23771)
@@ -1,3 +1,7 @@
+[24 Sep 2013] DSA-2763-1 pyopenssl - hostname check bypassing
+   {CVE-2013-4314}
+   [squeeze] - pyopenssl 0.10-1+squeeze1
+   [wheezy] - pyopenssl 0.13-2+deb7u1
 [23 Sep 2013] DSA-2762-1 icedove - several
{CVE-2013-1718 CVE-2013-1722 CVE-2013-1725 CVE-2013-1730 CVE-2013-1732 
CVE-2013-1735 CVE-2013-1736 CVE-2013-1737}
[wheezy] - icedove 17.0.9-1~deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-09-24 11:52:01 UTC (rev 23770)
+++ data/dsa-needed.txt 2013-09-24 13:38:40 UTC (rev 23771)
@@ -77,8 +77,6 @@
 --
 policykit-1
 --
-pyopenssl (carnil)
---
 quagga
 --
 qt4-x11/oldstable


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r23774 - data/CVE

2013-09-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-25 07:28:25 +0000 (Wed, 25 Sep 2013)
New Revision: 23774

Modified:
   data/CVE/list
Log:
Update tracker info for CVE-2013-4222

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-24 23:21:16 UTC (rev 23773)
+++ data/CVE/list   2013-09-25 07:28:25 UTC (rev 23774)
@@ -3919,6 +3919,7 @@
 CVE-2013-4222 [Keystone disabling a tenant does not disable a user token]
RESERVED
- keystone 2013.1.3-1 (bug #719290)
+   [wheezy] - keystone not-affected (Vulnerable code not present in 
Openstack Essex)
NOTE: 
http://lists.openstack.org/pipermail/openstack-security/2013-August/000263.html
 CVE-2013-4221 [remote code execution due to XML deserialization in Restlet]
RESERVED



[Secure-testing-commits] r23776 - data/CVE

2013-09-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-25 12:29:28 +0000 (Wed, 25 Sep 2013)
New Revision: 23776

Modified:
   data/CVE/list
Log:
Add CVE-2013-1442/xen

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-25 09:04:16 UTC (rev 23775)
+++ data/CVE/list   2013-09-25 12:29:28 UTC (rev 23776)
@@ -11546,8 +11546,11 @@
 CVE-2013-1443 (The authentication framework (django.contrib.auth) in Django 
1.4.x ...)
{DSA-2758-1}
- python-django 1.5.4-1 (bug #723043)
-CVE-2013-1442
+CVE-2013-1442 [Information leak on AVX and/or LWP capable CPUs]
RESERVED
+   - xen unfixed
+   TODO: check, see NOTE
+   NOTE: advisory say: In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x 
XSAVE support is disabled by default
 CVE-2013-1441 (econvert in ExactImage 0.8.9 and earlier does not properly 
initialize ...)
{DSA-2754-1}
- exactimage 0.8.9-2
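Review bot: the `- xen unfixed` line is left without release annotations even though the NOTE on the same entry records that XSAVE support is disabled by default in Xen 4.0.2 through 4.0.4 and in 4.1.x. Once the TODO check confirms which of those versions stable and oldstable ship, add `[wheezy] - xen not-affected (...)` / `[squeeze] - xen not-affected (...)` lines in the style of the keystone entry in r23774, and name the advisory in the NOTE (the hunk only says "advisory say") so the statement can be traced back to its source.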



[Secure-testing-commits] r23778 - data/CVE

2013-09-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-25 14:23:24 +0000 (Wed, 25 Sep 2013)
New Revision: 23778

Modified:
   data/CVE/list
Log:
Add assigned CVE for txt2man

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-25 13:56:02 UTC (rev 23777)
+++ data/CVE/list   2013-09-25 14:23:24 UTC (rev 23778)
@@ -11542,8 +11542,11 @@
RESERVED
 CVE-2013-1445
RESERVED
-CVE-2013-1444
+CVE-2013-1444 [txt2man: Unsafe use of /tmp]
RESERVED
+   - txt2man unfixed
+   [wheezy] - txt2man no-dsa (Minor issue)
+   [squeeze] - txt2man no-dsa (Minor issue)
 CVE-2013-1443 (The authentication framework (django.contrib.auth) in Django 
1.4.x ...)
{DSA-2758-1}
- python-django 1.5.4-1 (bug #723043)
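Review bot: `- txt2man unfixed` carries no Debian bug reference, while the other entries in this file attach one, e.g. `- keystone 2013.1.3-1 (bug #719290)` or `- gajim unfixed (low; bug #693282)`; the bug is what lets the two `no-dsa (Minor issue)` decisions be revisited later. Add `(bug #NNNNNN)` with the real number (the later r23813 hunk on this page shows the entry carrying `bug #724614`, so it was filed); the same applies to the `- chicken unfixed` line added in r23800, which has an upstream commit NOTE but no bug reference.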



[Secure-testing-commits] r23781 - data/CVE

2013-09-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-25 20:30:42 +0000 (Wed, 25 Sep 2013)
New Revision: 23781

Modified:
   data/CVE/list
Log:
Add CVE-2013-4376/x2goserver (itp'ed)

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-25 20:15:34 UTC (rev 23780)
+++ data/CVE/list   2013-09-25 20:30:42 UTC (rev 23781)
@@ -3399,8 +3399,9 @@
RESERVED
 CVE-2013-4377
RESERVED
-CVE-2013-4376
+CVE-2013-4376 [arbitrary code as the x2go user]
RESERVED
+   - x2goserver itp (bug #465821)
 CVE-2013-4375
RESERVED
 CVE-2013-4374



[Secure-testing-commits] r23782 - data/CVE

2013-09-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-25 21:06:10 +0000 (Wed, 25 Sep 2013)
New Revision: 23782

Modified:
   data/CVE/list
Log:
Add NFU, CVE-2013-5692 and CVE-2013-5693

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-25 20:30:42 UTC (rev 23781)
+++ data/CVE/list   2013-09-25 21:06:10 UTC (rev 23782)
@@ -502,10 +502,12 @@
RESERVED
 CVE-2013-5694
RESERVED
-CVE-2013-5693
+CVE-2013-5693 [Cross-Site Scripting]
RESERVED
-CVE-2013-5692
+   NOT-FOR-US: X2CRM
+CVE-2013-5692 [PHP File Inclusion]
RESERVED
+   NOT-FOR-US: X2CRM
 CVE-2013-5691 (The (1) IPv6 and (2) ATM ioctl request handlers in the kernel 
in ...)
- kfreebsd-9 9.2~svn255465-1 (bug #722338)
- kfreebsd-8 removed



[Secure-testing-commits] r23785 - data/CVE

2013-09-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-26 05:06:09 +0000 (Thu, 26 Sep 2013)
New Revision: 23785

Modified:
   data/CVE/list
Log:
Add CVE-2013-5572/zabbix (unverified)

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-25 21:16:17 UTC (rev 23784)
+++ data/CVE/list   2013-09-26 05:06:09 UTC (rev 23785)
@@ -806,8 +806,11 @@
RESERVED
 CVE-2013-5573
RESERVED
-CVE-2013-5572
+CVE-2013-5572 [password leak]
RESERVED
+   - zabbix undetermined
+   NOTE: http://seclists.org/fulldisclosure/2013/Sep/151
+   TODO: check
 CVE-2013-5571
RESERVED
 CVE-2013-5570 (Cross-site scripting (XSS) vulnerability in the Javascript and 
CSS ...)



[Secure-testing-commits] r23786 - data

2013-09-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-26 05:10:59 +0000 (Thu, 26 Sep 2013)
New Revision: 23786

Modified:
   data/dsa-needed.txt
Log:
Add note about status for mysql-5.5

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-09-26 05:06:09 UTC (rev 23785)
+++ data/dsa-needed.txt 2013-09-26 05:10:59 UTC (rev 23786)
@@ -58,6 +58,7 @@
 mysql-5.1/oldstable (jmm)
 --
 mysql-5.5/stable
+  maintainer pinged to ask about status
 --
 nas
 --



[Secure-testing-commits] r23788 - data/CVE

2013-09-25 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-26 05:53:24 +0000 (Thu, 26 Sep 2013)
New Revision: 23788

Modified:
   data/CVE/list
Log:
Add CVE-2013-3565/vlc

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-26 05:27:28 UTC (rev 23787)
+++ data/CVE/list   2013-09-26 05:53:24 UTC (rev 23788)
@@ -5557,8 +5557,9 @@
- puppet 3.2.2-1 (bug #712745)
 CVE-2013-3566
RESERVED
-CVE-2013-3565
+CVE-2013-3565 [XSS in HTTP Interface]
RESERVED
+   - vlc 2.0.7-1
 CVE-2013-3564
RESERVED
 CVE-2013-3563 (Stack-based buffer overflow in db_netserver in Lianja SQL 
Server ...)
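Review bot: `- vlc 2.0.7-1` is recorded for a RESERVED id with no NOTE pointing at the upstream fix or advisory, and no `[wheezy]`/`[squeeze]` annotation says whether the stable packages are affected. Add a NOTE URL in the style of the chicken entry in r23800 and a release annotation (not-affected, no-dsa, or a dsa-needed entry); otherwise stable is listed as affected without any triage decision recorded.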



[Secure-testing-commits] r23792 - data

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-26 18:09:58 +0000 (Thu, 26 Sep 2013)
New Revision: 23792

Modified:
   data/embedded-code-copies
Log:
lnav embeds yajl, add a bug report for reference

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2013-09-26 16:15:29 UTC (rev 23791)
+++ data/embedded-code-copies   2013-09-26 18:09:58 UTC (rev 23792)
@@ -1147,6 +1147,7 @@
 yajl
- argyll unfixed (embed; bug #544223)
NOTE: reference, confirmed by build logs: 
http://lists.debian.org/debian-mentors/2009/08/msg00062.html
+   - lnav unfixed (embed; bug #724693)
 
 nusoap
- gforge 4.8.2-1 (embed)



[Secure-testing-commits] r23793 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-26 19:30:57 +0000 (Thu, 26 Sep 2013)
New Revision: 23793

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2012-5524/gajim

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-26 18:09:58 UTC (rev 23792)
+++ data/CVE/list   2013-09-26 19:30:57 UTC (rev 23793)
@@ -17835,7 +17835,7 @@
- xen not-affected (Only affects Xen 4.2 and xen-unstable)
 CVE-2012-5524
RESERVED
-   - gajim unfixed (low; bug #693282)
+   - gajim 0.15.4-1 (low; bug #693282)
[wheezy] - gajim no-dsa (Minor issue)
[squeeze] - gajim no-dsa (Minor issue)
 CVE-2012-5523 (core/email_api.php in MantisBT before 1.2.12 does not properly 
manage ...)



[Secure-testing-commits] r23796 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 05:31:01 +0000 (Fri, 27 Sep 2013)
New Revision: 23796

Modified:
   data/CVE/list
Log:
Add CVE-2013-5697/libapache-mod-acct (removed)

Note: marking removed, but the package was removed already a long time ago.
More appropriate to mark NFU here?

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-26 21:14:26 UTC (rev 23795)
+++ data/CVE/list   2013-09-27 05:31:01 UTC (rev 23796)
@@ -510,8 +510,9 @@
RESERVED
 CVE-2013-5698 (Cross-site scripting (XSS) vulnerability in Open-Xchange 
AppSuite and ...)
- open-xchange itp (bug #269329)
-CVE-2013-5697
+CVE-2013-5697 [Blind SQL Injection]
RESERVED
+   - libapache-mod-acct removed
 CVE-2013-5696 (inc/central.class.php in GLPI before 0.84.2 does not attempt to 
make ...)
- glpi unfixed (bug #723837)
NOTE: CVE split pending
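Review bot: `- libapache-mod-acct removed` is used for a package the commit message says left the archive a long time ago, and the commit message itself asks whether NFU fits better. Elsewhere in this file `removed` marks packages that still have suite history in the tracker (`- mysql-5.1 removed`, `- linux-2.6 removed`), and the thread reply on this page says NFU is acceptable once the package is not even in oldstable; either choice is fine, but record the reason in a NOTE on the entry so the decision does not have to be rediscovered from the mailing list.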



[Secure-testing-commits] r23797 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 05:43:28 +0000 (Fri, 27 Sep 2013)
New Revision: 23797

Modified:
   data/CVE/list
Log:
Add some fixed versions for mysql-5.5 CVEs

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 05:31:01 UTC (rev 23796)
+++ data/CVE/list   2013-09-27 05:43:28 UTC (rev 23797)
@@ -4979,7 +4979,7 @@
 CVE-2013-3813 (Unspecified vulnerability in Oracle Solaris 10 allows remote 
attackers ...)
NOT-FOR-US: Oracle Solaris
 CVE-2013-3812 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 unfixed
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1 not-affected (Only affects 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3811 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
@@ -4991,7 +4991,7 @@
- mysql-5.1 not-affected (Only affects Mysql 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3809 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 unfixed
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1 not-affected (Only affects 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3808 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
@@ -5011,13 +5011,13 @@
- mysql-5.1 not-affected (Only affects Mysql 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3804 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 unfixed
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1 removed
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3803 (Unspecified vulnerability in the Hyperion BI+ component in 
Oracle ...)
NOT-FOR-US: Oracle Hyperion
 CVE-2013-3802 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 unfixed
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1 removed
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3801 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
@@ -5047,7 +5047,7 @@
- mysql-5.1 not-affected (Only affects 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3793 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 unfixed
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1 not-affected (Only affects 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3792 [virtio-net host DoS]
@@ -5073,7 +5073,7 @@
 CVE-2013-3784 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS 
component ...)
NOT-FOR-US: Oracle PeopleSoft Products
 CVE-2013-3783 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 unfixed
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1 not-affected (Only affects 5.5)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3782 (Unspecified vulnerability in the Secure Global Desktop 
component in ...)
@@ -10144,7 +10144,7 @@
- apache2 2.4.1-1 (unimportant)
NOTE: Such injection issues are not treated as security issues
 CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 
5.2.15, ...)
-   - mysql-5.5 unfixed (low; bug #706715)
+   - mysql-5.5 5.5.33+dfsg-1 (low; bug #706715)
- mysql-5.1 removed (low; bug #706715)
NOTE: https://mariadb.atlassian.net/browse/MDEV-4252
 CVE-2013-1860 (Heap-based buffer overflow in the wdm_in_callback function in 
...)



Re: [Secure-testing-commits] r23796 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
On Fri, Sep 27, 2013 at 08:04:02AM +0200, Moritz Muehlenhoff wrote:
> On Fri, Sep 27, 2013 at 05:31:02AM +0000, Salvatore Bonaccorso wrote:
> > Author: carnil
> > Date: 2013-09-27 05:31:01 +0000 (Fri, 27 Sep 2013)
> > New Revision: 23796
> > 
> > Modified:
> >    data/CVE/list
> > Log:
> > Add CVE-2013-5697/libapache-mod-acct (removed)
> > 
> > Note: marking removed, but the package was removed already a long time ago.
> > More appropriate to mark NFU here?
> 
> If it's no longer part of even oldstable, we can mark it as NFU.
> 
> Once a Debian LTS effort starts we might need to reconsider to allow
> proper tracking of oldoldstable, but for now both are fine.

Ok, and thanks for even reviewing the commit messages and commenting
:)

Regards
Salvatore


[Secure-testing-commits] r23798 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 06:38:08 +0000 (Fri, 27 Sep 2013)
New Revision: 23798

Modified:
   data/CVE/list
Log:
Add CVE-2013-4378, NFU, Javamelody

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 05:43:28 UTC (rev 23797)
+++ data/CVE/list   2013-09-27 06:38:08 UTC (rev 23798)
@@ -3415,8 +3415,9 @@
RESERVED
 CVE-2013-4379
RESERVED
-CVE-2013-4378
+CVE-2013-4378 [blind XSS through X-Forwarded-For header]
RESERVED
+   NOT-FOR-US: Javamelody
 CVE-2013-4377 [qemu host crash from within guest]
RESERVED
- qemu unfixed



[Secure-testing-commits] r23800 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 09:17:44 +0000 (Fri, 27 Sep 2013)
New Revision: 23800

Modified:
   data/CVE/list
Log:
Add CVE-2013-4385/chicken

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 07:41:02 UTC (rev 23799)
+++ data/CVE/list   2013-09-27 09:17:44 UTC (rev 23800)
@@ -3401,8 +3401,10 @@
RESERVED
 CVE-2013-4386
RESERVED
-CVE-2013-4385
+CVE-2013-4385 [Buffer overrun]
RESERVED
+   - chicken unfixed
+   NOTE: 
http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=cd1b9775005ebe220ba11265dbf5396142e65f26
 CVE-2013-4384
RESERVED
 CVE-2013-4383



[Secure-testing-commits] r23805 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 13:03:27 +0000 (Fri, 27 Sep 2013)
New Revision: 23805

Modified:
   data/CVE/list
Log:
CVE-2013-5903 is rejected

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 12:45:58 UTC (rev 23804)
+++ data/CVE/list   2013-09-27 13:03:27 UTC (rev 23805)
@@ -74,8 +74,8 @@
RESERVED
 CVE-2013-5904
RESERVED
-CVE-2013-5903 (Cross-site scripting (XSS) vulnerability in Graphite before 
0.9.11 ...)
-   - graphite-web 0.9.12+debian-1 (low)
+CVE-2013-5903
+   REJECTED
 CVE-2013-5902
RESERVED
 CVE-2013-5901
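Review bot: marking CVE-2013-5903 REJECTED drops the `- graphite-web 0.9.12+debian-1 (low)` line along with the description, so the fixed-version and severity information leaves the file with this hunk. The replacement ids should carry it; r23806 on this page re-adds `- graphite-web 0.9.12+debian-1` under CVE-2013-5942 and CVE-2013-5943, but without the `(low)` severity, so either restore it there or note why the split entries are rated differently.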



[Secure-testing-commits] r23806 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 13:08:19 +0000 (Fri, 27 Sep 2013)
New Revision: 23806

Modified:
   data/CVE/list
Log:
Add two CVEs for graphite-web which were clarified by mitre

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 13:03:27 UTC (rev 23805)
+++ data/CVE/list   2013-09-27 13:08:19 UTC (rev 23806)
@@ -1,3 +1,7 @@
+CVE-2013-5943 (Multiple cross-site scripting (XSS) vulnerabilities in Graphite 
before ...)
+   - graphite-web 0.9.12+debian-1
+CVE-2013-5942 (Graphite 0.9.5 through 0.9.10 uses the pickle Python module 
unsafely, ...)
+   - graphite-web 0.9.12+debian-1
 CVE-2013-5941
RESERVED
 CVE-2013-5940



[Secure-testing-commits] r23807 - data

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 14:16:01 +0000 (Fri, 27 Sep 2013)
New Revision: 23807

Modified:
   data/dsa-needed.txt
Log:
Will try to take care of coordination for mysql-5.5 and DSA release

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-09-27 13:08:19 UTC (rev 23806)
+++ data/dsa-needed.txt 2013-09-27 14:16:01 UTC (rev 23807)
@@ -55,8 +55,7 @@
 --
 mysql-5.1/oldstable (jmm)
 --
-mysql-5.5/stable
-  maintainer pinged to ask about status
+mysql-5.5/stable (carnil)
 --
 nas
 --



[Secure-testing-commits] r23809 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 17:57:33 +0000 (Fri, 27 Sep 2013)
New Revision: 23809

Modified:
   data/CVE/list
Log:
Add round of NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 14:35:26 UTC (rev 23808)
+++ data/CVE/list   2013-09-27 17:57:33 UTC (rev 23809)
@@ -9,9 +9,9 @@
 CVE-2013-5939
RESERVED
 CVE-2013-5938 (Cross-site scripting (XSS) vulnerability in the Click2Sell 
Suite ...)
-   TODO: check
+   NOT-FOR-US: Click2Sell Suite Drupal contributed module
 CVE-2013-5937 (Cross-site request forgery (CSRF) vulnerability in the 
Click2Sell ...)
-   TODO: check
+   NOT-FOR-US: Click2Sell Suite Drupal contributed module
 CVE-2013-5936 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 
...)
TODO: check
 CVE-2013-5935 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 
...)
@@ -1266,7 +1266,7 @@
 CVE-2013-5374
RESERVED
 CVE-2013-5373 (The RemoteClient component in IBM Rational ClearCase 8.0.0.03 
through ...)
-   TODO: check
+   NOT-FOR-US: IBM Rational ClearCase
 CVE-2013-5372
RESERVED
 CVE-2013-5371
@@ -1784,7 +1784,7 @@
 CVE-2013-5119 (Zimbra Collaboration Suite (ZCS) 6.0.16 and earlier allows ...)
NOT-FOR-US: Zimbra Collaboration Suite
 CVE-2013-5118 (Cross-site scripting (XSS) vulnerability in the Good for 
Enterprise ...)
-   TODO: check
+   NOT-FOR-US: Good for Enterprise app for iOS
 CVE-2013-5117
RESERVED
 CVE-2013-5116
@@ -4573,13 +4573,13 @@
 CVE-2013-4026
RESERVED
 CVE-2013-4025 (IBM Data Studio Web Console 3.x before 3.2, Optim Performance 
Manager ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2013-4024 (IBM Data Studio Web Console 3.x before 3.2, Optim Performance 
Manager ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2013-4023
RESERVED
 CVE-2013-4022 (IBM Data Studio Web Console 3.x before 3.2, Optim Performance 
Manager ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2013-4021
RESERVED
 CVE-2013-4020
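Review bot: `NOT-FOR-US: IBM` on the three CVE-2013-402x entries is vaguer than the other tags in this commit (`NOT-FOR-US: IBM Rational ClearCase`, `NOT-FOR-US: IBM WebSphere Application Server`). The descriptions name the product (IBM Data Studio Web Console, Optim Performance Manager), so use that in the tag; a bare vendor name does not help when someone later searches the file for a product.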
@@ -12543,13 +12543,13 @@
 CVE-2013-1034 (Multiple cross-site scripting (XSS) vulnerabilities in Wiki 
Server in ...)
NOT-FOR-US: Apple Mac OS X Server
 CVE-2013-1033 (Screen Lock in Apple Mac OS X before 10.8.5 does not properly 
track ...)
-   TODO: check
+   NOT-FOR-US: Screen Lock in Apple Mac OS X
 CVE-2013-1032 (QuickTime in Apple Mac OS X before 10.8.5 allows remote 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: QuickTime in Apple Mac OS X
 CVE-2013-1031 (Power Management in Apple Mac OS X before 10.8.5 does not 
properly ...)
-   TODO: check
+   NOT-FOR-US: Power Management in Apple Mac OS X
 CVE-2013-1030 (mdmclient in Mobile Device Management in Apple Mac OS X before 
10.8.5 ...)
-   TODO: check
+   NOT-FOR-US: Mobile Device Management in Apple Mac OS X
 CVE-2013-1029 (The kernel in Apple Mac OS X before 10.8.5 allows remote 
attackers to ...)
NOT-FOR-US: Apple Mac OS X
 CVE-2013-1028 (The IPSec implementation in Apple Mac OS X before 10.8.5, when 
Hybrid ...)
@@ -13978,7 +13978,7 @@
 CVE-2013-0597 (Cross-site scripting (XSS) vulnerability in IBM WebSphere 
Application ...)
NOT-FOR-US: IBM WebSphere Application Server
 CVE-2013-0596 (Cross-site scripting (XSS) vulnerability in the Administrative 
console ...)
-   TODO: check
+   NOT-FOR-US: IBM WebSphere Application Server
 CVE-2013-0595 (Multiple cross-site scripting (XSS) vulnerabilities in iNotes 
8.5.x in ...)
NOT-FOR-US: IBM Lotus Domino
 CVE-2013-0594
@@ -18363,7 +18363,7 @@
 CVE-2012-5339 (Multiple cross-site scripting (XSS) vulnerabilities in 
phpMyAdmin ...)
- phpmyadmin not-affected (Only affects 3.5.x, not packaged yet, see 
#691728)
 CVE-2012-5338 (Open redirect vulnerability in JForum 2.1.9 allows remote 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: JForum
 CVE-2012-5337 (Multiple cross-site scripting (XSS) vulnerabilities in 
jforum.page in ...)
NOT-FOR-US: jForum
 CVE-2012-5336
@@ -21906,23 +21906,23 @@
 CVE-2012-4095
RESERVED
 CVE-2012-4094 (Buffer overflow in the Smart Call Home feature in the fabric 
...)
-   TODO: check
+   NOT-FOR-US: Cisco Unified Computing System
 CVE-2012-4093 (The Manager component in Cisco Unified Computing System (UCS) 
allows ...)
NOT-FOR-US: Cisco Unified Computing System
 CVE-2012-4092 (The management interface in the Central Software component in 
Cisco ...)
-   TODO: check
+   NOT-FOR-US: Cisco Unified Computing System
 CVE-2012-4091
RESERVED
 CVE-2012-4090
RESERVED
 CVE-2012-4089 (MCTOOLS in the fabric interconnect in Cisco Unified Computing 
System ...)
-   TODO: check
+   NOT-FOR-US: Cisco Unified Computing System
 CVE-2012-4088 (The FTP server in Cisco Unified Computing System (UCS) has a 
hardcoded ...)
-   TODO: check
+   NOT-FOR-US: Cisco Unified Computing System
 CVE-2012-4087 

[Secure-testing-commits] r23810 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 17:57:47 +0000 (Fri, 27 Sep 2013)
New Revision: 23810

Modified:
   data/CVE/list
Log:
Add three CVEs related to open-xchange

(not clear if affected components will actually be part of any package
provided by the ITP, anyway really old ITP/RFP)

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 17:57:33 UTC (rev 23809)
+++ data/CVE/list   2013-09-27 17:57:47 UTC (rev 23810)
@@ -13,11 +13,11 @@
 CVE-2013-5937 (Cross-site request forgery (CSRF) vulnerability in the 
Click2Sell ...)
NOT-FOR-US: Click2Sell Suite Drupal contributed module
 CVE-2013-5936 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 
...)
-   TODO: check
+   - open-xchange itp (bug #269329)
 CVE-2013-5935 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 
...)
-   TODO: check
+   - open-xchange itp (bug #269329)
 CVE-2013-5934 (Open-Xchange AppSuite 7.0.x before 7.0.2-rev15 and 7.2.x before 
...)
-   TODO: check
+   - open-xchange itp (bug #269329)
 CVE-2013-5933 (Stack-based buffer overflow in the sub_E110 function in init in 
a ...)
TODO: check
 CVE-2013-5932 (Unspecified vulnerability in WebAdmin in Sophos UTM (aka Astaro 
...)
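Review bot: the three `- open-xchange itp (bug #269329)` lines tag the Hazelcast cluster API and AppSuite issues against an ITP that the commit message doubts will ever ship these components. `itp` means the tracker should flag the package the moment it enters the archive; if the components are known not to be part of the planned package, `NOT-FOR-US: Open-Xchange AppSuite` with a NOTE referencing the ITP is the more accurate state, and if they are, keep `itp` but add the NOTE so the doubt recorded in the commit message lives in the file.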



[Secure-testing-commits] r23813 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-28 04:31:28 +0000 (Sat, 28 Sep 2013)
New Revision: 23813

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-1444/txt2man

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 22:14:29 UTC (rev 23812)
+++ data/CVE/list   2013-09-28 04:31:28 UTC (rev 23813)
@@ -11589,7 +11589,7 @@
RESERVED
 CVE-2013-1444 [txt2man: Unsafe use of /tmp]
RESERVED
-   - txt2man unfixed (bug #724614)
+   - txt2man 1.5.5-4.1 (bug #724614)
[wheezy] - txt2man no-dsa (Minor issue)
[squeeze] - txt2man no-dsa (Minor issue)
 CVE-2013-1443 (The authentication framework (django.contrib.auth) in Django 
1.4.x ...)



[Secure-testing-commits] r23814 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-28 04:53:44 +0000 (Sat, 28 Sep 2013)
New Revision: 23814

Modified:
   data/CVE/list
Log:
NFUs for Cisco IOS

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-28 04:31:28 UTC (rev 23813)
+++ data/CVE/list   2013-09-28 04:53:44 UTC (rev 23814)
@@ -1050,25 +1050,25 @@
 CVE-2013-5482 (Cisco Prime LAN Management Solution (LMS) does not properly 
restrict ...)
NOT-FOR-US: Cisco
 CVE-2013-5481 (The PPTP implementation in Cisco IOS 12.2 and 15.0 through 
15.3, when ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5480 (The DNS-over-TCP implementation in Cisco IOS 12.2 and 15.0 
through ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5479 (The DNS-over-TCP implementation in Cisco IOS 12.2 and 15.0 
through ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5478 (Cisco IOS 15.0 through 15.3 and IOS XE 3.2 through 3.8, when a 
VRF ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5477 (The T1/E1 driver-queue functionality in Cisco IOS 12.2 and 15.0 
...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5476 (The Zone-Based Firewall (ZFW) feature in Cisco IOS 15.1 through 
15.2, ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5475 (Cisco IOS 12.2 through 12.4 and 15.0 through 15.3, and IOS XE 
2.1 ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5474 (Race condition in the IPv6 virtual fragmentation reassembly 
(VFR) ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5473 (Memory leak in Cisco IOS 12.2, 15.1, and 15.2; IOS XE 3.4.2S 
through ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5472 (The NTP implementation in Cisco IOS 12.0 through 12.4 and 15.0 
through ...)
-   TODO: check
+   NOT-FOR-US: Cisco IOS
 CVE-2013-5471 (Cross-site request forgery (CSRF) vulnerability in the web 
framework ...)
NOT-FOR-US: Cisco Global Site Selector
 CVE-2013-5470 (Cisco Secure Access Control System (ACS) does not properly 
handle ...)



[Secure-testing-commits] r23815 - data/CVE

2013-09-27 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-28 04:54:00 +0000 (Sat, 28 Sep 2013)
New Revision: 23815

Modified:
   data/CVE/list
Log:
NFU in symfony FOSUserBundle bundle

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-28 04:53:44 UTC (rev 23814)
+++ data/CVE/list   2013-09-28 04:54:00 UTC (rev 23815)
@@ -385,7 +385,7 @@
 CVE-2013-5751 (Directory traversal vulnerability in SAP NetWeaver 7.x allows 
remote ...)
NOT-FOR-US: SAP NetWeaver 7.x
 CVE-2013-5750 (The login form in the FriendsOfSymfony FOSUserBundle bundle 
before ...)
-   TODO: check
+   NOT-FOR-US: FriendsOfSymfony FOSUserBundle
 CVE-2013-5749
RESERVED
 CVE-2013-5748



[Secure-testing-commits] r23823 - data/CVE

2013-09-29 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-29 20:52:21 +0000 (Sun, 29 Sep 2013)
New Revision: 23823

Modified:
   data/CVE/list
Log:
Add source package name for CVE-2013-4387

NOTE: checked code for linux/3.10.11-1 currently in unstable for
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=2811ebac2521ceac84f2bdae402455baa6a7fb47

Leave the TODO item.

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-29 15:04:50 UTC (rev 23822)
+++ data/CVE/list   2013-09-29 20:52:21 UTC (rev 23823)
@@ -3409,9 +3409,10 @@
RESERVED
 CVE-2013-4388
RESERVED
-CVE-2013-4387
+CVE-2013-4387 [memory corruption with ipv6 udp offloading]
RESERVED
-   NOTE: http://www.openwall.com/lists/oss-security/2013/09/29/1
+   - linux-2.6 removed
+   - linux unfixed
TODO: check
 CVE-2013-4386
RESERVED
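Review bot: the hunk drops `NOTE: http://www.openwall.com/lists/oss-security/2013/09/29/1` while adding the `- linux-2.6 removed` / `- linux unfixed` lines, and the kernel.org fix commit cited in the commit message is not recorded in the entry either. For a RESERVED id the oss-security post is the only public reference, so keep that NOTE and add the fix commit URL as a second NOTE; the remaining `TODO: check` can then be resolved from the file alone.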



[Secure-testing-commits] r23831 - data/CVE

2013-09-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-30 12:24:13 +0000 (Mon, 30 Sep 2013)
New Revision: 23831

Modified:
   data/CVE/list
Log:
Add CVE-2013-4356/xen (with TODO item)

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-30 12:21:51 UTC (rev 23830)
+++ data/CVE/list   2013-09-30 12:24:13 UTC (rev 23831)
@@ -3510,8 +3510,11 @@
- eglibc unfixed
NOTE: http://sourceware.org/bugzilla/show_bug.cgi?id=12671
TODO: check
-CVE-2013-4356
+CVE-2013-4356 [Memory accessible by 64-bit PV guests under live migration]
RESERVED
+   - xen unfixed
+   NOTE: according to XSA-64, 4.2.x and earlier releases are not vulnerable
+   TODO: check
 CVE-2013-4355 [Information leaks through I/O instruction emulation]
RESERVED
- xen unfixed



[Secure-testing-commits] r23829 - data/CVE

2013-09-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-30 12:21:12 + (Mon, 30 Sep 2013)
New Revision: 23829

Modified:
   data/CVE/list
Log:
Add CVE-2013-4355/xen

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-30 08:47:16 UTC (rev 23828)
+++ data/CVE/list   2013-09-30 12:21:12 UTC (rev 23829)
@@ -3512,8 +3512,9 @@
TODO: check
 CVE-2013-4356
RESERVED
-CVE-2013-4355
+CVE-2013-4355 [Information leaks through I/O instruction emulation]
RESERVED
+   - xen unfixed
 CVE-2013-4354 [Glance image creation in other tenant accounts]
RESERVED
- glance unfixed
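Review bot: CVE-2013-4355 gets only "- xen unfixed" with no NOTE citing the upstream advisory and no TODO, whereas the neighbouring CVE-2013-4356 entry records both; add the advisory reference and a per-release assessment (or "TODO: check") so the stable and oldstable status is not left implicit.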




[Secure-testing-commits] r23833 - data/CVE

2013-09-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-30 14:29:56 + (Mon, 30 Sep 2013)
New Revision: 23833

Modified:
   data/CVE/list
Log:
Mark CVE-2013-4356 not affecting (old-)stable versions of xen

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-30 12:25:07 UTC (rev 23832)
+++ data/CVE/list   2013-09-30 14:29:56 UTC (rev 23833)
@@ -3514,8 +3514,8 @@
 CVE-2013-4356 [Memory accessible by 64-bit PV guests under live migration]
RESERVED
- xen unfixed
-   NOTE: according to XSA-64, 4.2.x and earlier releases are not vulnerable
-   TODO: check
+   [wheezy] - xen not-affected (Only affects 4.3+)
+   [squeeze] - xen not-affected (Only affects 4.3+)
 CVE-2013-4355 [Information leaks through I/O instruction emulation]
RESERVED
- xen unfixed
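Review bot: replacing the NOTE with the two not-affected tags drops the XSA-64 citation that justifies them; the parenthetical "Only affects 4.3+" should carry its source, e.g. "(Only affects 4.3+, per XSA-64)", so the reasoning can be re-checked later without digging through the svn history.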




[Secure-testing-commits] r23834 - data/CVE

2013-09-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-30 14:40:25 + (Mon, 30 Sep 2013)
New Revision: 23834

Modified:
   data/CVE/list
Log:
Remove items tagged jessie which are not needed anymore

The version from unstable (which fixed the issue) has already migrated to
testing. Remove the extra tags which were added as a workaround to
mark jessie as not affected by the bug.

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-30 14:29:56 UTC (rev 23833)
+++ data/CVE/list   2013-09-30 14:40:25 UTC (rev 23834)
@@ -2600,7 +2600,6 @@
 CVE-2013-4758 [Double Free Memory Corruption in ElasticSearch Plugin]
RESERVED
- rsyslog not-affected (omelasticsearch plugin not enabled; see 
#715009)
-   [jessie] - rsyslog not-affected (omelasticsearch plugin not enabled)
[squeeze] - rsyslog not-affected (omelasticsearch plugin not yet 
present)
[wheezy] - rsyslog not-affected (omelasticsearch plugin not yet 
present)
NOTE: http://bugzilla.adiscon.com/show_bug.cgi?id=461
@@ -7458,7 +7457,6 @@
- modsecurity-apache 2.6.6-9 (bug #710217)
- libapache-mod-security removed (bug #710217)
[wheezy] - modsecurity-apache 2.6.6-6+deb7u1
-   [jessie] - modsecurity-apache 2.6.6-6+deb7u1
[squeeze] - libapache-mod-security no-dsa (Minor issue)
NOTE: https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES
NOTE: 
https://github.com/SpiderLabs/ModSecurity/commit/0840b13612a0b7ef1ce7441cf811dcfc6b463fba
@@ -9314,7 +9312,6 @@
[wheezy] - dovecot  not-affected (vulnerable code appeared in 2.2)
 CVE-2013-2110 (Heap-based buffer overflow in the php_quot_print_encode 
function in ...)
- php5 5.5.0~rc3+dfsg-1
-   [jessie] - php5 not-affected (Vulnerable code not present)
[wheezy] - php5 not-affected (Vulnerable code not present)
[squeeze] - php5 not-affected (Vulnerable code not present)
NOTE: 
https://github.com/php/php-src/commit/93e0d78ec655f59ebfa82b2c6f8486c43651c1d0
@@ -9514,7 +9511,6 @@
 CVE-2013-2059 (OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, 
Grizzly ...)
- keystone 2013.1.1-2 (bug #707598)
[wheezy] - keystone 2012.1.1-13+wheezy1
-   [jessie] - keystone 2012.1.1-13+wheezy1
NOTE: 
http://lists.openstack.org/pipermail/openstack-announce/2013-May/99.html
 CVE-2013-2058 [linux: chipidea: allow disabling streaming in host mode]
RESERVED




[Secure-testing-commits] r23836 - data/CVE

2013-09-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-30 21:17:31 + (Mon, 30 Sep 2013)
New Revision: 23836

Modified:
   data/CVE/list
Log:
Add one NFU

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-30 21:14:34 UTC (rev 23835)
+++ data/CVE/list   2013-09-30 21:17:31 UTC (rev 23836)
@@ -480,6 +480,7 @@
RESERVED
 CVE-2013-5725
RESERVED
+   NOT-FOR-US: Byword for iOS
 CVE-2013-5724 (Phpbb3 before 3.0.11-4 for Debian GNU/Linux uses world-writable 
...)
{DSA-2752-1}
- phpbb3 3.0.11-4 (bug #711172)




[Secure-testing-commits] r23837 - data/CVE

2013-09-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-30 21:23:49 + (Mon, 30 Sep 2013)
New Revision: 23837

Modified:
   data/CVE/list
Log:
Add hylafax issue (undetermined, unchecked) with reference

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-30 21:17:31 UTC (rev 23836)
+++ data/CVE/list   2013-09-30 21:23:49 UTC (rev 23837)
@@ -588,8 +588,11 @@
RESERVED
 CVE-2013-5681
RESERVED
-CVE-2013-5680
+CVE-2013-5680 [heap overflow]
RESERVED
+   - hylafax undetermined
+   NOTE: http://www.securityfocus.com/archive/1/528943/30/0/threaded
+   TODO: check
 CVE-2013-5679 (The authenticated-encryption feature in the 
symmetric-encryption ...)
TODO: check
 CVE-2013-5678
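Review bot: the bracketed summary "heap overflow" names neither the package nor the component, which makes the entry hard to find when scanning the list; other entries added in this log use the "package: description" form (e.g. "xinetd: ignores user and group directives for tcpmux services"). Suggest "[hylafax: heap overflow]" and, since the status is "undetermined", a word in the TODO about what needs confirming (affected versions, or whether the Debian build contains the code at all).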




[Secure-testing-commits] r23838 - data/CVE

2013-09-30 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-30 22:48:04 + (Mon, 30 Sep 2013)
New Revision: 23838

Modified:
   data/CVE/list
Log:
Add fixed versions for asterisk

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-30 21:23:49 UTC (rev 23837)
+++ data/CVE/list   2013-09-30 22:48:04 UTC (rev 23838)
@@ -734,11 +734,11 @@
NOT-FOR-US: Sounder Ruby Gem
 CVE-2013-5642 (The SIP channel driver (channels/chan_sip.c) in Asterisk Open 
Source ...)
{DSA-2749-1}
-   - asterisk unfixed (bug #721220)
+   - asterisk 1:11.5.1~dfsg-1 (bug #721220)
NOTE: http://downloads.asterisk.org/pub/security/AST-2013-005.html
 CVE-2013-5641 (The SIP channel driver (channels/chan_sip.c) in Asterisk Open 
Source ...)
{DSA-2749-1}
-   - asterisk unfixed (bug #721220)
+   - asterisk 1:11.5.1~dfsg-1 (bug #721220)
NOTE: http://downloads.asterisk.org/pub/security/AST-2013-004.html
 CVE-2013-5638
RESERVED




[Secure-testing-commits] r23844 - data/CVE

2013-10-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-01 11:08:57 + (Tue, 01 Oct 2013)
New Revision: 23844

Modified:
   data/CVE/list
Log:
Add CVE-2013-4388 for vlc

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-01 09:13:31 UTC (rev 23843)
+++ data/CVE/list   2013-10-01 11:08:57 UTC (rev 23844)
@@ -3454,8 +3454,11 @@
RESERVED
 CVE-2013-4389
RESERVED
-CVE-2013-4388
+CVE-2013-4388 [buffer overflow in the mp4a packetizer]
RESERVED
+   - vlc unfixed
+   NOTE: 
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e
+   TODO: check older versions as 2.0.8
 CVE-2013-4387 [memory corruption with ipv6 udp offloading]
RESERVED
- linux-2.6 removed




[Secure-testing-commits] r23845 - data/CVE

2013-10-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-01 11:19:36 + (Tue, 01 Oct 2013)
New Revision: 23845

Modified:
   data/CVE/list
Log:
Also add NFU for CVE-2013-5960 (similar to CVE-2013-5679)

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-01 11:08:57 UTC (rev 23844)
+++ data/CVE/list   2013-10-01 11:19:36 UTC (rev 23845)
@@ -12,7 +12,7 @@
- systemd unfixed
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862324
 CVE-2013-5960 (The authenticated-encryption feature in the 
symmetric-encryption ...)
-   TODO: check
+   NOT-FOR-US: OWASP Enterprise Security API for Java
 CVE-2013-5958
RESERVED
 CVE-2013-5957




[Secure-testing-commits] r23846 - data/CVE

2013-10-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-01 15:12:00 + (Tue, 01 Oct 2013)
New Revision: 23846

Modified:
   data/CVE/list
Log:
Remove annotation about pending check, vulnerable code present

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-01 11:19:36 UTC (rev 23845)
+++ data/CVE/list   2013-10-01 15:12:00 UTC (rev 23846)
@@ -3458,7 +3458,6 @@
RESERVED
- vlc unfixed
NOTE: 
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e
-   TODO: check older versions as 2.0.8
 CVE-2013-4387 [memory corruption with ipv6 udp offloading]
RESERVED
- linux-2.6 removed
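Review bot: the finding stated in the commit message ("vulnerable code present") is not recorded in the entry; the hunk only deletes the TODO, so the next reader sees "- vlc unfixed" with no indication that the older versions were ever checked. Suggest adding a NOTE such as "NOTE: vulnerable code also present in older versions (2.0.8 checked)" next to the commit URL so the check is not repeated.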




[Secure-testing-commits] r23847 - data/CVE

2013-10-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-01 16:45:29 + (Tue, 01 Oct 2013)
New Revision: 23847

Modified:
   data/CVE/list
Log:
CVEs for systemd were assigned, add to data/CVE/list

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-01 15:12:00 UTC (rev 23846)
+++ data/CVE/list   2013-10-01 16:45:29 UTC (rev 23847)
@@ -1,16 +1,3 @@
-CVE-2013- [systemd: Integer overflow, leading to heap-based buffer 
overflow by processing native messages]
-   - systemd unfixed
-   [wheezy] - systemd not-affected (Vulnerable code not present)
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859051
-CVE-2013- [systemd: TOCTOU race condition when updating file permissions 
and SELinux security contexts]
-   - systemd unfixed
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859060
-CVE-2013- [systemd: Possibility of denial of logging service by processing 
native messages from file]
-   - systemd unfixed
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859104
-CVE-2013- [systemd: Improper sanitization of invalid XKB layouts 
descriptions]
-   - systemd unfixed
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862324
 CVE-2013-5960 (The authenticated-encryption feature in the 
symmetric-encryption ...)
NOT-FOR-US: OWASP Enterprise Security API for Java
 CVE-2013-5958
@@ -3442,14 +3429,19 @@
RESERVED
 CVE-2013-4395
RESERVED
-CVE-2013-4394
-   RESERVED
-CVE-2013-4393
-   RESERVED
-CVE-2013-4392
-   RESERVED
-CVE-2013-4391
-   RESERVED
+CVE-2013-4394 [systemd: Improper sanitization of invalid XKB layouts 
descriptions]
+   - systemd unfixed
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862324
+CVE-2013-4393 [systemd: Possibility of denial of logging service by processing 
native messages from file]
+   - systemd unfixed
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859104
+CVE-2013-4392 [systemd: TOCTOU race condition when updating file permissions 
and SELinux security contexts]
+   - systemd unfixed
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859060
+CVE-2013-4391 [systemd: Integer overflow, leading to heap-based buffer 
overflow by processing native messages]
+   - systemd unfixed
+   [wheezy] - systemd not-affected (Vulnerable code not present)
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859051
 CVE-2013-4390
RESERVED
 CVE-2013-4389
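Review bot: of the four systemd entries only CVE-2013-4391 carries a [wheezy] assessment; CVE-2013-4392, CVE-2013-4393 and CVE-2013-4394 are "- systemd unfixed" with no release tags and no TODO, so wheezy and squeeze will show as affected by default. Add the per-release status (or "TODO: check") to each, and consider filing Debian bugs, since the other unfixed entries in this log carry a "(bug #NNNNNN)" reference.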




[Secure-testing-commits] r23849 - data/CVE

2013-10-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-01 19:22:53 + (Tue, 01 Oct 2013)
New Revision: 23849

Modified:
   data/CVE/list
Log:
Add NFU for Simple Machines Forum

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-01 19:19:23 UTC (rev 23848)
+++ data/CVE/list   2013-10-01 19:22:53 UTC (rev 23849)
@@ -3429,6 +3429,7 @@
RESERVED
 CVE-2013-4395
RESERVED
+   NOT-FOR-US: Simple Machines Forum
 CVE-2013-4394 [systemd: Improper sanitization of invalid XKB layouts 
descriptions]
- systemd unfixed
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862324




[Secure-testing-commits] r23850 - data/CVE

2013-10-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-01 20:13:22 + (Tue, 01 Oct 2013)
New Revision: 23850

Modified:
   data/CVE/list
Log:
Add fixed versions for CVE-2013-1439 and CVE-2013-1438 (libkdcraw)

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-01 19:22:53 UTC (rev 23849)
+++ data/CVE/list   2013-10-01 20:13:22 UTC (rev 23850)
@@ -11664,14 +11664,14 @@
RESERVED
 CVE-2013-1439 (The quot;faster LJPEG decoderquot; in libraw 0.13.x, 0.14.x, 
and 0.15.x before ...)
- libraw unfixed (bug #721338)
-   - libkdcraw unfixed (bug #721340)
+   - libkdcraw 4:4.10.5-2 (bug #721340)
- darktable 1.2.2-2 (bug #721339)
[wheezy] - darktable no-dsa (end-user app)
 CVE-2013-1438 [dcraw: multiple DoS]
RESERVED
{DSA-2748-1}
- libraw unfixed (bug #721231)
-   - libkdcraw unfixed (bug #721239)
+   - libkdcraw 4:4.10.5-2 (bug #721239)
- darktable 1.2.2-2 (bug #721233)
[wheezy] - darktable no-dsa (end-user app)
- dcraw unfixed (unimportant; bug #721232)




[Secure-testing-commits] r23852 - data/CVE

2013-10-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-02 05:17:31 + (Wed, 02 Oct 2013)
New Revision: 23852

Modified:
   data/CVE/list
Log:
Add CVE-2013-4986, NFU

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-01 21:14:37 UTC (rev 23851)
+++ data/CVE/list   2013-10-02 05:17:31 UTC (rev 23852)
@@ -2092,6 +2092,7 @@
RESERVED
 CVE-2013-4986
RESERVED
+   NOT-FOR-US: PDFCool
 CVE-2013-4985
RESERVED
 CVE-2013-4984 (The close_connections function in /opt/cma/bin/clear_keys.pl in 
Sophos ...)




[Secure-testing-commits] r23853 - data/CVE

2013-10-01 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-02 05:19:34 + (Wed, 02 Oct 2013)
New Revision: 23853

Modified:
   data/CVE/list
Log:
Add CVE-2013-4987, NFU

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-02 05:17:31 UTC (rev 23852)
+++ data/CVE/list   2013-10-02 05:19:34 UTC (rev 23853)
@@ -2090,6 +2090,7 @@
RESERVED
 CVE-2013-4987
RESERVED
+   NOT-FOR-US: PinApp
 CVE-2013-4986
RESERVED
NOT-FOR-US: PDFCool




[Secure-testing-commits] r23856 - data

2013-10-02 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-02 07:55:46 + (Wed, 02 Oct 2013)
New Revision: 23856

Modified:
   data/dsa-needed.txt
Log:
icedtea-web DSA note

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-02 07:29:21 UTC (rev 23855)
+++ data/dsa-needed.txt 2013-10-02 07:55:46 UTC (rev 23856)
@@ -29,7 +29,9 @@
 --
 hplip
 --
-icedtea-web
+icedtea-web (carnil)
+  Packages for unstable prepared and uploaded
+  Need to rebuild packages for wheezy and test
 --
 iceape (jmm)
 --




[Secure-testing-commits] r23860 - data

2013-10-02 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-02 21:19:57 + (Wed, 02 Oct 2013)
New Revision: 23860

Modified:
   data/dsa-needed.txt
Log:
Remove rtkit from dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-02 21:19:54 UTC (rev 23859)
+++ data/dsa-needed.txt 2013-10-02 21:19:57 UTC (rev 23860)
@@ -83,8 +83,6 @@
 --
 qt4-x11/oldstable
 --
-rtkit/stable
---
 ruby1.8/oldstable
 --
 ruby1.9.1




[Secure-testing-commits] r23859 - data/CVE

2013-10-02 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-02 21:19:54 + (Wed, 02 Oct 2013)
New Revision: 23859

Modified:
   data/CVE/list
Log:
Mark CVE-2013-4326/rtkit as no-dsa for wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-02 21:14:47 UTC (rev 23858)
+++ data/CVE/list   2013-10-02 21:19:54 UTC (rev 23859)
@@ -3683,6 +3683,7 @@
 CVE-2013-4326 [use of insecure polkit DBUS API]
RESERVED
- rtkit 0.10-3 (bug #723714)
+   [wheezy] - rtkit no-dsa (user can get realtime scheduling privileges)
 CVE-2013-4325 (The check_permission_v1 function in base/pkit.py in HP Linux 
Imaging ...)
- hplip 3.13.9-1 (bug #723716)
 CVE-2013-4324 [Insecure calling of polkit via polkit_unix_process_new()]
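Review bot: the no-dsa parenthetical "user can get realtime scheduling privileges" describes the impact rather than the reason no advisory is issued, which is what the other no-dsa entries in this log record ("Minor issue", "end-user app"). Suggest rephrasing so the rationale is explicit, e.g. "no-dsa (Minor issue; the only gain is realtime scheduling for a local user)".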




[Secure-testing-commits] r23862 - data/CVE

2013-10-03 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-03 08:18:21 + (Thu, 03 Oct 2013)
New Revision: 23862

Modified:
   data/CVE/list
Log:
Update entry for CVE-2013-2924 from external check

Not removing TODO, only adding possibly affected source packages. Needs
check.

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-03 05:35:22 UTC (rev 23861)
+++ data/CVE/list   2013-10-03 08:18:21 UTC (rev 23862)
@@ -7058,6 +7058,8 @@
 CVE-2013-2925
RESERVED
 CVE-2013-2924 (Use-after-free vulnerability in International Components for 
Unicode ...)
+   - chromium-browser unfixed
+   - icu unfixed
TODO: check
 CVE-2013-2923 (Multiple unspecified vulnerabilities in Google Chrome before 
...)
TODO: check




[Secure-testing-commits] r23863 - data/CVE

2013-10-03 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-03 08:21:58 + (Thu, 03 Oct 2013)
New Revision: 23863

Modified:
   data/CVE/list
Log:
Add CVE-2013-4342/xinetd from external check

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-03 08:18:21 UTC (rev 23862)
+++ data/CVE/list   2013-10-03 08:21:58 UTC (rev 23863)
@@ -3635,8 +3635,9 @@
- linux unfixed
[wheezy] - linux not-affected (Introduced in 3.8)
- linux-2.6 not-affected (Introduced in 3.8)
-CVE-2013-4342
+CVE-2013-4342 [xinetd: ignores user and group directives for tcpmux services]
RESERVED
+   - xinetd unfixed (bug #324678)
 CVE-2013-4341 (Multiple cross-site scripting (XSS) vulnerabilities in Moodle 
through ...)
- moodle 2.5.2-1
 CVE-2013-4340 (wp-admin/includes/post.php in WordPress before 3.6.1 allows 
remote ...)




[Secure-testing-commits] r23869 - data

2013-10-04 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-04 07:05:00 + (Fri, 04 Oct 2013)
New Revision: 23869

Modified:
   data/dsa-needed.txt
Log:
Remove annotations, package ready, but some builds missing

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-03 21:25:20 UTC (rev 23868)
+++ data/dsa-needed.txt 2013-10-04 07:05:00 UTC (rev 23869)
@@ -30,8 +30,6 @@
 hplip
 --
 icedtea-web (carnil)
-  Packages for unstable prepared and uploaded
-  Need to rebuild packages for wheezy and test
 --
 iceape (jmm)
 --




[Secure-testing-commits] r23870 - data/CVE

2013-10-04 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-04 07:09:19 + (Fri, 04 Oct 2013)
New Revision: 23870

Modified:
   data/CVE/list
Log:
Add CVE-2013-4399/libvirt

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-04 07:05:00 UTC (rev 23869)
+++ data/CVE/list   2013-10-04 07:09:19 UTC (rev 23870)
@@ -3471,8 +3471,12 @@
RESERVED
 CVE-2013-4400
RESERVED
-CVE-2013-4399
+CVE-2013-4399 [unprivileged user can crash libvirtd when ACLs are enabled]
RESERVED
+   - libvirt unfixed
+   [wheezy] - libvirt not-affected (Introduced in 1.1.0)
+   [squeeze] - libvirt not-affected (Introduced in 1.1.0)
+   NOTE: fixed in 1.1.3 (not yet in unstable)
 CVE-2013-4398
RESERVED
 CVE-2013-4397
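Review bot: the NOTE gives the upstream fixed version but no upstream reference (commit or advisory URL), unlike the vlc and polarssl entries in this log; add the reference so the "Introduced in 1.1.0" boundary used for the two not-affected tags can be verified from the entry itself.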




[Secure-testing-commits] r23873 - data/CVE

2013-10-04 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-04 09:21:11 + (Fri, 04 Oct 2013)
New Revision: 23873

Modified:
   data/CVE/list
Log:
mark CVE-2013-4342/xinetd as no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-04 07:25:46 UTC (rev 23872)
+++ data/CVE/list   2013-10-04 09:21:11 UTC (rev 23873)
@@ -3670,6 +3670,8 @@
 CVE-2013-4342 [xinetd: ignores user and group directives for tcpmux services]
RESERVED
- xinetd unfixed (bug #324678)
+   [wheezy] - xinetd no-dsa (Minor issue)
+   [squeeze] - xinetd no-dsa (Minor issue)
 CVE-2013-4341 (Multiple cross-site scripting (XSS) vulnerabilities in Moodle 
through ...)
- moodle 2.5.2-1
 CVE-2013-4340 (wp-admin/includes/post.php in WordPress before 3.6.1 allows 
remote ...)




[Secure-testing-commits] r23874 - data/CVE

2013-10-04 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-04 11:17:41 + (Fri, 04 Oct 2013)
New Revision: 23874

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4342/xinetd

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-04 09:21:11 UTC (rev 23873)
+++ data/CVE/list   2013-10-04 11:17:41 UTC (rev 23874)
@@ -3669,7 +3669,7 @@
- linux-2.6 not-affected (Introduced in 3.8)
 CVE-2013-4342 [xinetd: ignores user and group directives for tcpmux services]
RESERVED
-   - xinetd unfixed (bug #324678)
+   - xinetd 1:2.3.15-2 (bug #324678)
[wheezy] - xinetd no-dsa (Minor issue)
[squeeze] - xinetd no-dsa (Minor issue)
 CVE-2013-4341 (Multiple cross-site scripting (XSS) vulnerabilities in Moodle 
through ...)




[Secure-testing-commits] r23875 - data/CVE

2013-10-04 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-04 13:45:45 + (Fri, 04 Oct 2013)
New Revision: 23875

Modified:
   data/CVE/list
Log:
Add CVE-2013-5914/polarssl

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-04 11:17:41 UTC (rev 23874)
+++ data/CVE/list   2013-10-04 13:45:45 UTC (rev 23875)
@@ -145,8 +145,10 @@
NOT-FOR-US: WordPress plugin wp-e-commerce
 CVE-2013-5915
RESERVED
-CVE-2013-5914
+CVE-2013-5914 [Buffer overflow in ssl_read_record()]
RESERVED
+   - polarssl 1.2.0-1
+   NOTE: 
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04
 CVE-2013-5913
RESERVED
 CVE-2013-5912
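Review bot: "- polarssl 1.2.0-1" marks the issue as fixed in unstable by an old upload without saying why, and there is no [wheezy]/[squeeze] line, so the older releases are left to the version comparison. Suggest a NOTE stating which upstream versions the linked advisory lists as affected, so the 1.2.0-1 boundary can be verified, plus explicit release tags.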




[Secure-testing-commits] r23876 - data/CVE

2013-10-04 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-04 13:48:19 + (Fri, 04 Oct 2013)
New Revision: 23876

Modified:
   data/CVE/list
Log:
Add CVE-2013-5915/polarssl

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-04 13:45:45 UTC (rev 23875)
+++ data/CVE/list   2013-10-04 13:48:19 UTC (rev 23876)
@@ -143,8 +143,10 @@
 CVE-2013-5916
RESERVED
NOT-FOR-US: WordPress plugin wp-e-commerce
-CVE-2013-5915
+CVE-2013-5915 [Timing Attack against protected RSA-CRT implementation]
RESERVED
+   - polarssl unfixed
+   NOTE: 
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
 CVE-2013-5914 [Buffer overflow in ssl_read_record()]
RESERVED
- polarssl 1.2.0-1




[Secure-testing-commits] r23881 - data/CVE

2013-10-04 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-04 17:52:23 + (Fri, 04 Oct 2013)
New Revision: 23881

Modified:
   data/CVE/list
Log:
Update note on CVE-2013-4344, needs details

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-04 15:15:33 UTC (rev 23880)
+++ data/CVE/list   2013-10-04 17:52:23 UTC (rev 23881)
@@ -3667,10 +3667,12 @@
RESERVED
- linux-2.6 removed
- linux unfixed
-CVE-2013-4344
+CVE-2013-4344 [buffer overflow in scsi_target_emulate_report_luns]
RESERVED
- xen unfixed
-   TODO: check
+   - qemu unfixed
+   - qemu-kvm removed
+   TODO: check, details needed
 CVE-2013-4343 (Use-after-free vulnerability in drivers/net/tun.c in the Linux 
kernel ...)
- linux unfixed
[wheezy] - linux not-affected (Introduced in 3.8)
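Review bot: listing xen alongside qemu and qemu-kvm for a bug in scsi_target_emulate_report_luns only makes sense to a reader who knows that xen ships its own copy of the qemu device model; a NOTE saying so, and which bundled qemu versions are affected once the "details needed" check is done, would keep the triple listing from looking like a copy-paste error.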




[Secure-testing-commits] r23882 - in data: . DSA

2013-10-04 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-04 18:57:52 + (Fri, 04 Oct 2013)
New Revision: 23882

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA number for icedtea-web release

Modified: data/DSA/list
===
--- data/DSA/list   2013-10-04 17:52:23 UTC (rev 23881)
+++ data/DSA/list   2013-10-04 18:57:52 UTC (rev 23882)
@@ -1,3 +1,6 @@
+[04 Oct 2013] DSA-2768-1 icedtea-web - heap-based buffer overflow
+   {CVE-2013-4349}
+   [wheezy] - icedtea-web 1.4-3~deb7u2
 [28 Sep 2013] DSA-2767-1 proftpd-dfsg - denial of service
{CVE-2013-4359}
[squeeze] - proftpd-dfsg 1.3.3a-6squeeze7

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-04 17:52:23 UTC (rev 23881)
+++ data/dsa-needed.txt 2013-10-04 18:57:52 UTC (rev 23882)
@@ -29,8 +29,6 @@
 --
 hplip
 --
-icedtea-web (carnil)
---
 iceape (jmm)
 --
 jquery/oldstable




[Secure-testing-commits] r23886 - data/CVE

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-05 14:01:20 + (Sat, 05 Oct 2013)
New Revision: 23886

Modified:
   data/CVE/list
Log:
Add NFU, drupal contributed module

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-05 08:08:48 UTC (rev 23885)
+++ data/CVE/list   2013-10-05 14:01:20 UTC (rev 23886)
@@ -3464,6 +3464,7 @@
RESERVED
 CVE-2013-4406
RESERVED
+   NOT-FOR-US: Quick Tabs Drupal contributed module
 CVE-2013-4405
RESERVED
 CVE-2013-4404




[Secure-testing-commits] r23887 - data/CVE

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-05 20:44:39 + (Sat, 05 Oct 2013)
New Revision: 23887

Modified:
   data/CVE/list
Log:
Add entry for CVE-2013-4402/gnupg2

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-05 14:01:20 UTC (rev 23886)
+++ data/CVE/list   2013-10-05 20:44:39 UTC (rev 23887)
@@ -3471,8 +3471,9 @@
RESERVED
 CVE-2013-4403
RESERVED
-CVE-2013-4402
+CVE-2013-4402 [infinite recursion in the compressed packet parser]
RESERVED
+   - gnupg2 unfixed (bug #725433)
 CVE-2013-4401
RESERVED
 CVE-2013-4400




[Secure-testing-commits] r23888 - data/CVE

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-05 20:46:33 + (Sat, 05 Oct 2013)
New Revision: 23888

Modified:
   data/CVE/list
Log:
Add also source package gnupg

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-05 20:44:39 UTC (rev 23887)
+++ data/CVE/list   2013-10-05 20:46:33 UTC (rev 23888)
@@ -3474,6 +3474,7 @@
 CVE-2013-4402 [infinite recursion in the compressed packet parser]
RESERVED
- gnupg2 unfixed (bug #725433)
+   - gnupg unfixed
 CVE-2013-4401
RESERVED
 CVE-2013-4400
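Review bot: the new "- gnupg unfixed" line lacks the "(bug #...)" reference that the gnupg2 line directly above it carries; file or cite the bug for the gnupg source package as well so both uploads can be tracked from the entry.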




[Secure-testing-commits] r23889 - data

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-05 20:50:24 + (Sat, 05 Oct 2013)
New Revision: 23889

Modified:
   data/dsa-needed.txt
Log:
Add gnupg and gnupg2 to DSA needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-05 20:46:33 UTC (rev 23888)
+++ data/dsa-needed.txt 2013-10-05 20:50:24 UTC (rev 23889)
@@ -25,6 +25,10 @@
 --
 gimp/oldstable
 --
+gnupg
+--
+gnupg2
+--
 gnutls26/oldstable
 --
 hplip




[Secure-testing-commits] r23890 - data/CVE

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-05 20:58:25 + (Sat, 05 Oct 2013)
New Revision: 23890

Modified:
   data/CVE/list
Log:
Add bugnumber for CVE-2013-4402/gnupg

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-05 20:50:24 UTC (rev 23889)
+++ data/CVE/list   2013-10-05 20:58:25 UTC (rev 23890)
@@ -3474,7 +3474,7 @@
 CVE-2013-4402 [infinite recursion in the compressed packet parser]
RESERVED
- gnupg2 unfixed (bug #725433)
-   - gnupg unfixed
+   - gnupg unfixed (bug #725439)
 CVE-2013-4401
RESERVED
 CVE-2013-4400




[Secure-testing-commits] r23891 - data/CVE

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-05 21:01:47 + (Sat, 05 Oct 2013)
New Revision: 23891

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-1439/libraw

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-05 20:58:25 UTC (rev 23890)
+++ data/CVE/list   2013-10-05 21:01:47 UTC (rev 23891)
@@ -11723,7 +11723,7 @@
 CVE-2013-1440
RESERVED
 CVE-2013-1439 (The quot;faster LJPEG decoderquot; in libraw 0.13.x, 0.14.x, 
and 0.15.x before ...)
-   - libraw unfixed (bug #721338)
+   - libraw 0.15.4-1 (bug #721338)
- libkdcraw 4:4.10.5-2 (bug #721340)
- darktable 1.2.2-2 (bug #721339)
[wheezy] - darktable no-dsa (end-user app)




[Secure-testing-commits] r23892 - data/CVE

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-05 21:02:31 + (Sat, 05 Oct 2013)
New Revision: 23892

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-1438/libraw

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-05 21:01:47 UTC (rev 23891)
+++ data/CVE/list   2013-10-05 21:02:31 UTC (rev 23892)
@@ -11730,7 +11730,7 @@
 CVE-2013-1438 [dcraw: multiple DoS]
RESERVED
{DSA-2748-1}
-   - libraw unfixed (bug #721231)
+   - libraw 0.15.4-1 (bug #721231)
- libkdcraw 4:4.10.5-2 (bug #721239)
- darktable 1.2.2-2 (bug #721233)
[wheezy] - darktable no-dsa (end-user app)



[Secure-testing-commits] r23893 - data/CVE

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-06 05:37:35 + (Sun, 06 Oct 2013)
New Revision: 23893

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4402/gnupg2

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-05 21:02:31 UTC (rev 23892)
+++ data/CVE/list   2013-10-06 05:37:35 UTC (rev 23893)
@@ -3473,7 +3473,7 @@
RESERVED
 CVE-2013-4402 [infinite recursion in the compressed packet parser]
RESERVED
-   - gnupg2 unfixed (bug #725433)
+   - gnupg2 2.0.22-1 (bug #725433)
- gnupg unfixed (bug #725439)
 CVE-2013-4401
RESERVED



[Secure-testing-commits] r23894 - data/CVE

2013-10-05 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-06 05:37:51 + (Sun, 06 Oct 2013)
New Revision: 23894

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4351/gnupg2

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-06 05:37:35 UTC (rev 23893)
+++ data/CVE/list   2013-10-06 05:37:51 UTC (rev 23894)
@@ -3639,7 +3639,7 @@
- gnupg unfixed (low; bug #722722)
[squeeze] - gnupg no-dsa (Minor issue)
[wheezy] - gnupg no-dsa (Minor issue)
-   - gnupg2 unfixed (low; bug #722724)
+   - gnupg2 2.0.22-1 (low; bug #722724)
[squeeze] - gnupg2 no-dsa (Minor issue)
[wheezy] - gnupg2 no-dsa (Minor issue)
 CVE-2013-4350 (The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux 
kernel ...)



[Secure-testing-commits] r23896 - data

2013-10-06 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-06 11:40:27 + (Sun, 06 Oct 2013)
New Revision: 23896

Modified:
   data/next-point-update.txt
Log:
Add CVE-2013-4342/xinetd to next-point-update list

Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2013-10-06 11:34:22 UTC (rev 23895)
+++ data/next-point-update.txt  2013-10-06 11:40:27 UTC (rev 23896)
@@ -28,3 +28,5 @@
[wheezy] - linux 3.2.51-1
 CVE-2013-2899
[wheezy] - linux 3.2.51-1
+CVE-2013-4342
+   [wheezy] - xinetd 1:2.3.14-7.1+deb7u1



[Secure-testing-commits] r23898 - data/CVE

2013-10-06 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-07 04:52:21 + (Mon, 07 Oct 2013)
New Revision: 23898

Modified:
   data/CVE/list
Log:
Add four NFU, IBM products

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-06 17:49:02 UTC (rev 23897)
+++ data/CVE/list   2013-10-07 04:52:21 UTC (rev 23898)
@@ -1341,13 +1341,13 @@
 CVE-2013-5384
RESERVED
 CVE-2013-5383 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 
7.1.1.12, ...)
-   TODO: check
+   NOT-FOR-US: IBM Maximo Asset Management
 CVE-2013-5382 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 
7.1.1.12, ...)
-   TODO: check
+   NOT-FOR-US: IBM Maximo Asset Management
 CVE-2013-5381 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 through 
7.1.1.12, ...)
-   TODO: check
+   NOT-FOR-US: IBM Maximo Asset Management
 CVE-2013-5380 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 
7.1.1.12, ...)
-   TODO: check
+   NOT-FOR-US: IBM Maximo Asset Management
 CVE-2013-5379
RESERVED
 CVE-2013-5378



[Secure-testing-commits] r23899 - data/CVE

2013-10-06 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-07 04:55:39 + (Mon, 07 Oct 2013)
New Revision: 23899

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4160/lcms2

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-07 04:52:21 UTC (rev 23898)
+++ data/CVE/list   2013-10-07 04:55:39 UTC (rev 23899)
@@ -4284,7 +4284,7 @@
- lcms unfixed (low)
[squeeze] - lcms no-dsa (Minor issue)
[wheezy] - lcms no-dsa (Minor issue)
-   - lcms2 unfixed (bug #714529)
+   - lcms2 2.2+git20110628-2.3 (bug #714529)
[wheezy] - lcms2 no-dsa (Minor issue)
NOTE: 
https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9
NOTE: https://bugzilla.novell.com/show_bug.cgi?id=826097#c9



[Secure-testing-commits] r23900 - data/CVE

2013-10-06 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-07 05:17:31 + (Mon, 07 Oct 2013)
New Revision: 23900

Modified:
   data/CVE/list
Log:
Add explicit [jessie] (not-affected) for CVE-2013-2016

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-07 04:55:39 UTC (rev 23899)
+++ data/CVE/list   2013-10-07 05:17:31 UTC (rev 23900)
@@ -9765,6 +9765,7 @@
 CVE-2013-2016 [qemu: virtio: out-of-bounds config space access]
RESERVED
- qemu 1.5.0+dfsg-1 (bug #710822)
+   [jessie] - qemu not-affected (vulnerability introduced in 1.3.0)
[wheezy] - qemu not-affected (vulnerability introduced in 1.3.0)
[squeeze] - qemu not-affected (vulnerability introduced in 1.3.0)
- qemu-kvm not-affected (vulnerability introduced in 1.3.0)



[Secure-testing-commits] r23901 - data/CVE

2013-10-06 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-07 05:17:47 + (Mon, 07 Oct 2013)
New Revision: 23901

Modified:
   data/CVE/list
Log:
CVE-2013-4377: Add explicit not-affected tag for jessie

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-07 05:17:31 UTC (rev 23900)
+++ data/CVE/list   2013-10-07 05:17:47 UTC (rev 23901)
@@ -3558,6 +3558,7 @@
 CVE-2013-4377 [qemu host crash from within guest]
RESERVED
- qemu unfixed
+   [jessie] - qemu not-affected (Introduced in 1.4)
[wheezy] - qemu not-affected (Introduced in 1.4)
[squeeze] - qemu not-affected (Introduced in 1.4)
- qemu-kvm not-affected (Introduced in 1.4)



[Secure-testing-commits] r23903 - data/CVE

2013-10-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-07 14:26:15 + (Mon, 07 Oct 2013)
New Revision: 23903

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4359/proftpd-dfsg

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-07 08:45:05 UTC (rev 23902)
+++ data/CVE/list   2013-10-07 14:26:15 UTC (rev 23903)
@@ -3609,7 +3609,7 @@
RESERVED
 CVE-2013-4359 (Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 
1.3.5r3 ...)
{DSA-2767-1}
-   - proftpd-dfsg unfixed (bug #723179)
+   - proftpd-dfsg 1.3.5~rc3-2.1 (bug #723179)
 CVE-2013-4358
RESERVED
- libav 6:9.1-1



[Secure-testing-commits] r23904 - data/CVE

2013-10-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-07 14:52:40 + (Mon, 07 Oct 2013)
New Revision: 23904

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-07 14:26:15 UTC (rev 23903)
+++ data/CVE/list   2013-10-07 14:52:40 UTC (rev 23904)
@@ -15,15 +15,15 @@
 CVE-2013-5980
RESERVED
 CVE-2013-5979 (Directory traversal vulnerability in Spring Signage Xibo 1.2.x 
before ...)
-   TODO: check
+   NOT-FOR-US: Xibo
 CVE-2013-5978
RESERVED
 CVE-2013-5977
RESERVED
 CVE-2013-5976 (Cross-site scripting (XSS) vulnerability in the access policy 
logout ...)
-   TODO: check
+   NOT-FOR-US: F5 BIG-IP APM
 CVE-2013-5975 (The access policy logon page (logon.inc) in F5 BIG-IP APM 
11.1.0 ...)
-   TODO: check
+   NOT-FOR-US: F5 BIG-IP APM
 CVE-2013-5974
RESERVED
 CVE-2013-5973
@@ -49,7 +49,7 @@
 CVE-2013-5963 (Unrestricted file upload vulnerability in multi.php in Simple 
Dropbox ...)
TODO: check
 CVE-2013-5962 (Unrestricted file upload vulnerability in 
frames/upload-images.php in ...)
-   TODO: check
+   NOT-FOR-US: Complete Gallery Manager plugin for Wordpress
 CVE-2013-5961 (Unrestricted file upload vulnerability in lazyseo.php in the 
Lazy SEO ...)
TODO: check
 CVE-2013-5960 (The authenticated-encryption feature in the 
symmetric-encryption ...)
@@ -83,7 +83,7 @@
 CVE-2013-5945
RESERVED
 CVE-2013-5944 (The integrated web server on Siemens SCALANCE X-200 switches 
with ...)
-   TODO: check
+   NOT-FOR-US: web server on Siemens switches
 CVE-2013-5959 (Blue Coat ProxySG before 6.2.14.1, 6.3.x, 6.4.x, and 6.5 before 
6.5.2 ...)
NOT-FOR-US: Blue Coat ProxySG
 CVE-2013-5943 (Multiple cross-site scripting (XSS) vulnerabilities in Graphite 
before ...)
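Review bot: the NOT-FOR-US value on the Siemens line names a generic component (`web server on Siemens switches`) rather than the product. The other NFU lines in this commit name the product (Xibo, F5 BIG-IP APM, Cisco), and the entry description itself gives the product as Siemens SCALANCE X-200, so `NOT-FOR-US: Siemens SCALANCE X-200` keeps the list searchable by product name.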
@@ -1070,13 +1070,13 @@
 CVE-2013-5520
RESERVED
 CVE-2013-5519 (Cross-site scripting (XSS) vulnerability in the management 
interface ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2013-5518
RESERVED
 CVE-2013-5517 (SQL injection vulnerability in the web framework in Cisco 
Unified ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2013-5516 (The Media Snapshot implementation on Cisco TelePresence 
Multipoint ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2013-5515
RESERVED
 CVE-2013-5514
@@ -1098,11 +1098,11 @@
 CVE-2013-5506
RESERVED
 CVE-2013-5505 (Cross-site scripting (XSS) vulnerability in an administration 
page in ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2013-5504 (Cross-site scripting (XSS) vulnerability in the Mobile Device 
...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2013-5503 (The UDP process in Cisco IOS XR 4.3.1 does not free packet 
memory upon ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2013-5502 (The web interface in Cisco MediaSense does not properly protect 
the ...)
NOT-FOR-US: Cisco MediaSense
 CVE-2013-5501 (Cross-site scripting (XSS) vulnerability in the oraservice page 
in ...)
@@ -1318,7 +1318,7 @@
 CVE-2013-5396
RESERVED
 CVE-2013-5395 (IBM Maximo Asset Management 6.2 through 6.2.8, 7.1 before 
7.1.1.12, ...)
-   TODO: check
+   NOT-FOR-US: IBM Maximo Asset Management
 CVE-2013-5394
RESERVED
 CVE-2013-5393
@@ -1368,7 +1368,7 @@
 CVE-2013-5371
RESERVED
 CVE-2013-5370 (Unspecified vulnerability in IBM SPSS Collaboration and 
Deployment ...)
-   TODO: check
+   NOT-FOR-US: IBM SPSS Collaboration and Deployment Services
 CVE-2013-5369 (IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 
before ...)
NOT-FOR-US: IBM SPSS Analytical Decision Management
 CVE-2013-5368
@@ -2831,7 +2831,7 @@
 CVE-2013-4709 (Buffer overflow in the PPP Access Concentrator (PPPAC) on the 
SEIL/x86 ...)
NOT-FOR-US: PPP Access Concentrator
 CVE-2013-4708 (The PPP Access Concentrator (PPPAC) in Internet Initiative 
Japan Inc. ...)
-   TODO: check
+   NOT-FOR-US: Internet Initiative Japan Inc
 CVE-2013-4707 (The SSH implementation on D-Link Japan DES-3810 devices with 
firmware ...)
NOT-FOR-US: D-Link
 CVE-2013-4706 (The SSH implementation on the D-Link Japan DWL-2100AP with 
firmware ...)
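Review bot: the new NFU value `Internet Initiative Japan Inc` names the vendor, while the neighbouring CVE-2013-4709 entry, which concerns the same PPP Access Concentrator component according to both descriptions, uses `NOT-FOR-US: PPP Access Concentrator`. Use the same value for both ids so the two related entries are grouped consistently when the list is searched.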
@@ -4609,9 +4609,9 @@
 CVE-2013-4068 (Buffer overflow in iNotes in IBM Domino 8.5.3 before FP5 IF1 
and 9.0 ...)
NOT-FOR-US: IBM
 CVE-2013-4067 (IBM InfoSphere Information Server 8.0, 8.1, 8.5 through FP3, 
8.7, and ...)
-   TODO: check
+   NOT-FOR-US: IBM InfoSphere Information Server
 CVE-2013-4066 (IBM InfoSphere Information Server 8.0, 8.1, 8.5 through FP3, 
8.7, and ...)
-   TODO: check
+   NOT-FOR-US: IBM InfoSphere Information Server
 CVE-2013-4065
RESERVED
 CVE-2013-4064
@@ -4659,7 +4659,7 @@
 CVE-2013-4043
RESERVED
 CVE-2013-4042 (Unspecified vulnerability in IBM SPSS Collaboration and 
Deployment ...)
-   TODO: check
+   NOT-FOR-US: IBM SPSS Collaboration and 

[Secure-testing-commits] r23905 - data/CVE

2013-10-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-07 15:07:49 + (Mon, 07 Oct 2013)
New Revision: 23905

Modified:
   data/CVE/list
Log:
Add further note on CVE-2013-4261/nova

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-07 14:52:40 UTC (rev 23904)
+++ data/CVE/list   2013-10-07 15:07:49 UTC (rev 23905)
@@ -3946,6 +3946,7 @@
NOTE: Advisory mentions that affects Folsom and Grizzly, but 2012.1.1 
seems to have similar
NOTE: code in nova/rpc/impl_qpid.py
NOTE: https://bugs.launchpad.net/nova/+bug/1215091/comments/10 
(relevant question for other components)
+   NOTE: experimental nova/2013.2~rc1-1 contains the fix
TODO: check
 CVE-2013-4260 (lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, 
when ...)
- ansible not-affected (affected code introduced with ansible 1.2)
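Review bot: the added NOTE records that the experimental upload nova/2013.2~rc1-1 contains the fix, but the entry keeps `TODO: check` and nothing in the hunk says which suites still need a fixed version; state what remains to be checked (the 2012.1.1 code path mentioned in the earlier NOTE, or a fixed version for unstable) so the TODO can be closed rather than left open indefinitely.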



[Secure-testing-commits] r23907 - data/CVE

2013-10-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-07 21:12:49 + (Mon, 07 Oct 2013)
New Revision: 23907

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4351/gnupg, #722722

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-07 19:27:07 UTC (rev 23906)
+++ data/CVE/list   2013-10-07 21:12:49 UTC (rev 23907)
@@ -3638,7 +3638,7 @@
RESERVED
 CVE-2013-4351 [GnuPG treats no-usage-permitted keys as all-usages-permitted]
RESERVED
-   - gnupg unfixed (low; bug #722722)
+   - gnupg 1.4.15-1 (low; bug #722722)
[squeeze] - gnupg no-dsa (Minor issue)
[wheezy] - gnupg no-dsa (Minor issue)
- gnupg2 2.0.22-1 (low; bug #722724)



[Secure-testing-commits] r23908 - data/CVE

2013-10-07 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 04:25:36 + (Tue, 08 Oct 2013)
New Revision: 23908

Modified:
   data/CVE/list
Log:
Add temporary item for libhttp-body-perl

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-07 21:12:49 UTC (rev 23907)
+++ data/CVE/list   2013-10-08 04:25:36 UTC (rev 23908)
@@ -1,3 +1,5 @@
+CVE-2013- [remote command-injection]
+   - libhttp-body-perl unfixed (bug #721634)
 CVE-2013-5987
RESERVED
 CVE-2013-5986
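Review bot: the id on the first added line, `CVE-2013-`, has no number part, and nothing on the line marks the entry as the temporary item the log describes. If no id has been assigned yet, use the tracker's placeholder form for unassigned ids (`CVE-2013-XXXX`) instead of a truncated id, so the entry is parsed as a placeholder and is easy to find and replace once the real id is assigned.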



[Secure-testing-commits] r23915 - data/DSA

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 14:35:12 + (Tue, 08 Oct 2013)
New Revision: 23915

Modified:
   data/DSA/list
Log:
Add source package name for DSA-2769-1

Modified: data/DSA/list
===
--- data/DSA/list   2013-10-08 14:12:39 UTC (rev 23914)
+++ data/DSA/list   2013-10-08 14:35:12 UTC (rev 23915)
@@ -1,6 +1,6 @@
 [08 Oct 2013] DSA-2769-1 kfreebsd-9 - several
{CVE-2013-5691 CVE-2013-5710}
-   [wheezy] - 9.0-10+deb70.4
+   [wheezy] - kfreebsd-9 9.0-10+deb70.4
 [04 Oct 2013] DSA-2768-1 icedtea-web - heap-based buffer overflow
{CVE-2013-4349}
[wheezy] - icedtea-web 1.4-3~deb7u2



[Secure-testing-commits] r23916 - data

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 17:29:25 + (Tue, 08 Oct 2013)
New Revision: 23916

Modified:
   data/dsa-needed.txt
Log:
Add note about torque

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-08 14:35:12 UTC (rev 23915)
+++ data/dsa-needed.txt 2013-10-08 17:29:25 UTC (rev 23916)
@@ -96,6 +96,7 @@
 tomcat7/stable (jmm)
 --
 torque
+  testing packages for unstable and wheezy (not yet squeeze)
 --
 vlc
   it probably makes sense to update to the 2.0.x point releases



[Secure-testing-commits] r23917 - data/CVE

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 20:34:50 + (Tue, 08 Oct 2013)
New Revision: 23917

Modified:
   data/CVE/list
Log:
Add CVE-2013-4396/xorg

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-08 17:29:25 UTC (rev 23916)
+++ data/CVE/list   2013-10-08 20:34:50 UTC (rev 23917)
@@ -3494,8 +3494,9 @@
RESERVED
 CVE-2013-4397
RESERVED
-CVE-2013-4396
+CVE-2013-4396 [Use after free in Xserver handling of ImageText requests]
RESERVED
+   - xorg unfixed
 CVE-2013-4395
RESERVED
NOT-FOR-US: Simple Machines Forum
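Review bot: the added line `- xorg unfixed` names the wrong source package. The use-after-free in ImageText handling is in the X server, whose source package is xorg-server, not the xorg metapackage; r23918 below corrects the name and records the fixed version 2:1.14.3-4. Checking the source package against the archive before committing avoids a second commit and a short window in which the wrong package is flagged.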



[Secure-testing-commits] r23918 - data/CVE

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 20:38:38 + (Tue, 08 Oct 2013)
New Revision: 23918

Modified:
   data/CVE/list
Log:
Correct source package name and add fixed version

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-08 20:34:50 UTC (rev 23917)
+++ data/CVE/list   2013-10-08 20:38:38 UTC (rev 23918)
@@ -3496,7 +3496,7 @@
RESERVED
 CVE-2013-4396 [Use after free in Xserver handling of ImageText requests]
RESERVED
-   - xorg unfixed
+   - xorg-server 2:1.14.3-4
 CVE-2013-4395
RESERVED
NOT-FOR-US: Simple Machines Forum



[Secure-testing-commits] r23919 - data

2013-10-08 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-08 21:42:35 + (Tue, 08 Oct 2013)
New Revision: 23919

Modified:
   data/dsa-needed.txt
Log:
Take DSA for torque

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-08 20:38:38 UTC (rev 23918)
+++ data/dsa-needed.txt 2013-10-08 21:42:35 UTC (rev 23919)
@@ -95,8 +95,7 @@
 --
 tomcat7/stable (jmm)
 --
-torque
-  testing packages for unstable and wheezy (not yet squeeze)
+torque (carnil)
 --
 vlc
   it probably makes sense to update to the 2.0.x point releases



[Secure-testing-commits] r23921 - data/CVE

2013-10-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-09 11:49:42 + (Wed, 09 Oct 2013)
New Revision: 23921

Modified:
   data/CVE/list
Log:
Add NFU for Apache Sling

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-09 06:03:11 UTC (rev 23920)
+++ data/CVE/list   2013-10-09 11:49:42 UTC (rev 23921)
@@ -8931,6 +8931,7 @@
TODO: check if complete and possibly report to BTS, sec announcement 
from upstream in preparation
 CVE-2013-2254
RESERVED
+   NOT-FOR-US: Apache Sling
 CVE-2013-2253
RESERVED
 CVE-2013-2252
@@ -27022,7 +27023,6 @@
- ruby-mail 2.4.4-1
 CVE-2012-2138 (The @CopyFrom operation in the POST servlet in the ...)
NOT-FOR-US: Apache Sling
-   NOTE: 
http://lists.grok.org.uk/pipermail/full-disclosure/2012-July/087554.html
 CVE-2012-2137 (Buffer overflow in virt/kvm/irq_comm.c in the KVM subsystem in 
the ...)
- linux 3.2.20-1
 CVE-2012-2136 (The sock_alloc_send_pskb function in net/core/sock.c in the 
Linux ...)
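Review bot: the second hunk removes the full-disclosure reference line from the CVE-2012-2138 entry, but the log message only mentions adding an NFU for CVE-2013-2254. If the removal is intentional (for example, a dead link), say so in the log; otherwise keep the NOTE, since it is the only pointer to the original report recorded for that id.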



[Secure-testing-commits] r23923 - in data: . DSA

2013-10-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-09 14:16:20 + (Wed, 09 Oct 2013)
New Revision: 23923

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA number for torque DSA

Modified: data/DSA/list
===
--- data/DSA/list   2013-10-09 13:35:08 UTC (rev 23922)
+++ data/DSA/list   2013-10-09 14:16:20 UTC (rev 23923)
@@ -1,3 +1,7 @@
+[09 Oct 2013] DSA-2770-1 torque - authentication bypass
+   {CVE-2013-4319}
+   [squeeze] - torque 2.4.8+dfsg-9squeeze2
+   [wheezy] - torque 2.4.16+dfsg-1+deb7u1
 [08 Oct 2013] DSA-2769-1 kfreebsd-9 - several
{CVE-2013-5691 CVE-2013-5710}
[wheezy] - kfreebsd-9 9.0-10+deb70.4

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-09 13:35:08 UTC (rev 23922)
+++ data/dsa-needed.txt 2013-10-09 14:16:20 UTC (rev 23923)
@@ -95,8 +95,6 @@
 --
 tomcat7/stable (jmm)
 --
-torque (carnil)
---
 vlc
   it probably makes sense to update to the 2.0.x point releases
 --



[Secure-testing-commits] r23924 - data/CVE

2013-10-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-09 14:53:40 + (Wed, 09 Oct 2013)
New Revision: 23924

Modified:
   data/CVE/list
Log:
Add NFU

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-09 14:16:20 UTC (rev 23923)
+++ data/CVE/list   2013-10-09 14:53:40 UTC (rev 23924)
@@ -491,6 +491,7 @@
RESERVED
 CVE-2013-5744
RESERVED
+   NOT-FOR-US: Feng Office
 CVE-2013-5743
RESERVED
- zabbix 1:2.0.8+dfsg-2



[Secure-testing-commits] r23925 - data/CVE

2013-10-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-09 14:59:53 + (Wed, 09 Oct 2013)
New Revision: 23925

Modified:
   data/CVE/list
Log:
Add three NFUs in Uebimiau Webmail

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-09 14:53:40 UTC (rev 23924)
+++ data/CVE/list   2013-10-09 14:59:53 UTC (rev 23925)
@@ -7898,10 +7898,13 @@
RESERVED
 CVE-2013-2623
RESERVED
+   NOT-FOR-US: Uebimiau Webmail
 CVE-2013-2622
RESERVED
+   NOT-FOR-US: Uebimiau Webmail
 CVE-2013-2621
RESERVED
+   NOT-FOR-US: Uebimiau Webmail
 CVE-2013-2620
RESERVED
 CVE-2013-2619



[Secure-testing-commits] r23926 - data/CVE

2013-10-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-09 15:01:10 + (Wed, 09 Oct 2013)
New Revision: 23926

Modified:
   data/CVE/list
Log:
CVE-2013-2651, NFU

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-09 14:59:53 UTC (rev 23925)
+++ data/CVE/list   2013-10-09 15:01:10 UTC (rev 23926)
@@ -7833,6 +7833,7 @@
RESERVED
 CVE-2013-2651
RESERVED
+   NOT-FOR-US: Boltwire
 CVE-2013-2650
RESERVED
 CVE-2013-2649



[Secure-testing-commits] r23929 - data/CVE

2013-10-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-09 20:18:45 + (Wed, 09 Oct 2013)
New Revision: 23929

Modified:
   data/CVE/list
Log:
Add NFU, CVE-2013-4413

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-09 15:59:13 UTC (rev 23928)
+++ data/CVE/list   2013-10-09 20:18:45 UTC (rev 23929)
@@ -3458,8 +3458,9 @@
RESERVED
 CVE-2013-4414
RESERVED
-CVE-2013-4413
+CVE-2013-4413 [arbitrary files read]
RESERVED
+   NOT-FOR-US: Wicked Ruby Gem
 CVE-2013-4412
RESERVED
 CVE-2013-4411



[Secure-testing-commits] r23930 - data/CVE

2013-10-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-09 20:29:38 + (Wed, 09 Oct 2013)
New Revision: 23930

Modified:
   data/CVE/list
Log:
Add CVE-2013-4412/slim

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-09 20:18:45 UTC (rev 23929)
+++ data/CVE/list   2013-10-09 20:29:38 UTC (rev 23930)
@@ -3461,8 +3461,12 @@
 CVE-2013-4413 [arbitrary files read]
RESERVED
NOT-FOR-US: Wicked Ruby Gem
-CVE-2013-4412
+CVE-2013-4412 [NULL ptr dereference]
RESERVED
+   - slim unfixed
+   [wheezy] - slim not-affected (Only exploitable with eglibc 2.17 and 
later)
+   [squeeze] - slim not-affected (Only exploitable with eglibc 2.17 and 
later)
+   NOTE: Upstream fix: 
http://git.berlios.de/cgi-bin/cgit.cgi/slim/commit/?id=fbdfae3b406b1bb6f4e5e440e79b9b8bb8f071f
 CVE-2013-4411
RESERVED
 CVE-2013-4410
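Review bot: the `[wheezy]` and `[squeeze]` lines use `not-affected` with a rationale about exploitability (eglibc 2.17 and later) rather than about the vulnerable code being absent from those suites. If the slim code is the same there, `no-dsa` with this reason records the situation more accurately and keeps the entry visible should eglibc in those suites ever change; `not-affected` hides it. The unstable line also lacks a bug reference, which r23931 below adds.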



[Secure-testing-commits] r23931 - data/CVE

2013-10-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-09 20:39:46 + (Wed, 09 Oct 2013)
New Revision: 23931

Modified:
   data/CVE/list
Log:
Add bugnumber for CVE-2013-4412/slim

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-09 20:29:38 UTC (rev 23930)
+++ data/CVE/list   2013-10-09 20:39:46 UTC (rev 23931)
@@ -3463,7 +3463,7 @@
NOT-FOR-US: Wicked Ruby Gem
 CVE-2013-4412 [NULL ptr dereference]
RESERVED
-   - slim unfixed
+   - slim unfixed (bug #725902)
[wheezy] - slim not-affected (Only exploitable with eglibc 2.17 and 
later)
[squeeze] - slim not-affected (Only exploitable with eglibc 2.17 and 
later)
NOTE: Upstream fix: 
http://git.berlios.de/cgi-bin/cgit.cgi/slim/commit/?id=fbdfae3b406b1bb6f4e5e440e79b9b8bb8f071f



[Secure-testing-commits] r23933 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 05:44:11 + (Thu, 10 Oct 2013)
New Revision: 23933

Modified:
   data/CVE/list
Log:
Add libtar issue (CVE-2013-4397)

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-09 21:14:23 UTC (rev 23932)
+++ data/CVE/list   2013-10-10 05:44:11 UTC (rev 23933)
@@ -3504,8 +3504,9 @@
NOTE: fixed in 1.1.3 (not yet in unstable)
 CVE-2013-4398
RESERVED
-CVE-2013-4397
+CVE-2013-4397 [Integer overflow]
RESERVED
+   - libtar unfixed
 CVE-2013-4396 [Use after free in Xserver handling of ImageText requests]
RESERVED
- xorg-server 2:1.14.3-4



[Secure-testing-commits] r23934 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 06:05:57 + (Thu, 10 Oct 2013)
New Revision: 23934

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2013-4397/libtar

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 05:44:11 UTC (rev 23933)
+++ data/CVE/list   2013-10-10 06:05:57 UTC (rev 23934)
@@ -3506,7 +3506,7 @@
RESERVED
 CVE-2013-4397 [Integer overflow]
RESERVED
-   - libtar unfixed
+   - libtar unfixed (bug #725938)
 CVE-2013-4396 [Use after free in Xserver handling of ImageText requests]
RESERVED
- xorg-server 2:1.14.3-4



[Secure-testing-commits] r23936 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 07:47:14 + (Thu, 10 Oct 2013)
New Revision: 23936

Modified:
   data/CVE/list
Log:
Add bugreference for CVE-2013-4344 in qemu part

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 07:19:24 UTC (rev 23935)
+++ data/CVE/list   2013-10-10 07:47:14 UTC (rev 23936)
@@ -3695,7 +3695,7 @@
 CVE-2013-4344 [buffer overflow in scsi_target_emulate_report_luns]
RESERVED
- xen unfixed
-   - qemu unfixed
+   - qemu unfixed (bug #725944)
- qemu-kvm removed
TODO: check, details needed
 CVE-2013-4343 (Use-after-free vulnerability in drivers/net/tun.c in the Linux 
kernel ...)



[Secure-testing-commits] r23938 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 12:31:42 + (Thu, 10 Oct 2013)
New Revision: 23938

Modified:
   data/CVE/list
Log:
Add CVE-2013-4368/xen

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 08:13:54 UTC (rev 23937)
+++ data/CVE/list   2013-10-10 12:31:42 UTC (rev 23938)
@@ -3599,8 +3599,9 @@
RESERVED
 CVE-2013-4369
RESERVED
-CVE-2013-4368
+CVE-2013-4368 [Information leak through outs instruction emulation]
RESERVED
+   - xen unfixed
 CVE-2013-4367
RESERVED
NOT-FOR-US: ovirt



[Secure-testing-commits] r23940 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 12:35:05 + (Thu, 10 Oct 2013)
New Revision: 23940

Modified:
   data/CVE/list
Log:
Add CVE-2013-4370/xen

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 12:33:41 UTC (rev 23939)
+++ data/CVE/list   2013-10-10 12:35:05 UTC (rev 23940)
@@ -3595,8 +3595,11 @@
NOT-FOR-US: JBoss Fuse
 CVE-2013-4371
RESERVED
-CVE-2013-4370
+CVE-2013-4370 [misplaced free in ocaml xc_vcpu_getaffinity stub]
RESERVED
+   - xen unfixed
+   [wheezy] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
+   [squeeze] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
 CVE-2013-4369 [possible null dereference when parsing vif ratelimiting info]
RESERVED
- xen unfixed



[Secure-testing-commits] r23939 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 12:33:41 + (Thu, 10 Oct 2013)
New Revision: 23939

Modified:
   data/CVE/list
Log:
Add CVE-2013-4369/xen

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 12:31:42 UTC (rev 23938)
+++ data/CVE/list   2013-10-10 12:33:41 UTC (rev 23939)
@@ -3597,8 +3597,11 @@
RESERVED
 CVE-2013-4370
RESERVED
-CVE-2013-4369
+CVE-2013-4369 [possible null dereference when parsing vif ratelimiting info]
RESERVED
+   - xen unfixed
+   [wheezy] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
+   [squeeze] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
 CVE-2013-4368 [Information leak through outs instruction emulation]
RESERVED
- xen unfixed



[Secure-testing-commits] r23941 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 12:37:17 + (Thu, 10 Oct 2013)
New Revision: 23941

Modified:
   data/CVE/list
Log:
Add CVE-2013-4371/xen

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 12:35:05 UTC (rev 23940)
+++ data/CVE/list   2013-10-10 12:37:17 UTC (rev 23941)
@@ -3593,18 +3593,24 @@
RESERVED
 CVE-2013-4372 (Multiple cross-site scripting (XSS) vulnerabilities in Fuse 
Management ...)
NOT-FOR-US: JBoss Fuse
-CVE-2013-4371
+CVE-2013-4371 [use-after-free in libxl_list_cpupool under memory pressure]
RESERVED
+   - xen unfixed
+   [wheezy] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
+   [squeeze] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
+   TODO: verify
 CVE-2013-4370 [misplaced free in ocaml xc_vcpu_getaffinity stub]
RESERVED
- xen unfixed
[wheezy] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
[squeeze] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
+   TODO: verify
 CVE-2013-4369 [possible null dereference when parsing vif ratelimiting info]
RESERVED
- xen unfixed
[wheezy] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
[squeeze] - xen not-affected (Vulnerable code only present from 4.2 
onwards)
+   TODO: verify
 CVE-2013-4368 [Information leak through outs instruction emulation]
RESERVED
- xen unfixed
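Review bot: the CVE-2013-4371, CVE-2013-4370 and CVE-2013-4369 entries each carry both a definite `[wheezy] - xen not-affected (...)` / `[squeeze] - xen not-affected (...)` annotation and a `TODO: verify`, so a reader of the tracker sees the stable releases as already cleared while the TODO says the version claim is unconfirmed. If the 4.2 boundary has not been checked yet, the safer form is to leave the release annotations out until the TODO is resolved, so the releases show as potentially affected rather than silently closed; once verified, remove the `TODO: verify` lines in the same commit that confirms the annotations.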



[Secure-testing-commits] r23942 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 12:42:05 +0000 (Thu, 10 Oct 2013)
New Revision: 23942

Modified:
   data/CVE/list
Log:
Add CVE-2013-4375 for xen, qemu and qemu-kvm

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 12:37:17 UTC (rev 23941)
+++ data/CVE/list   2013-10-10 12:42:05 UTC (rev 23942)
@@ -3585,7 +3585,14 @@
 CVE-2013-4376 [arbitrary code as the x2go user]
RESERVED
- x2goserver itp (bug #465821)
-CVE-2013-4375
+CVE-2013-4375 [qemu disk backend (qdisk) resource leak]
+   - xen unfixed
+   [squeeze] - xen not-affected (potentially affected by 4.1 versions 
and above)
+   - qemu unfixed
+   [squeeze] - qemu not-affected (vulnerable from version 1.1 onwards)
+   - qemu-kvm removed
+   [squeeze] - qemu-kvm not-affected (vulnerable from version 1.1 
onwards)
+   TODO: check
RESERVED
 CVE-2013-4374
RESERVED
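Review bot: the added lines are inserted between the `CVE-2013-4375 [...]` header and its `RESERVED` line, so `RESERVED` now follows `TODO: check`, whereas the neighbouring entries (CVE-2013-4376 above, CVE-2013-4374 below) keep `RESERVED` directly under the header; move the `RESERVED` line up so the entry follows the same layout as the rest of the file. The `[squeeze] - xen not-affected (potentially affected by 4.1 versions and above)` annotation also reads as hedged: a `not-affected` marker needs a definite reason, so either state the exact first affected version or leave the squeeze annotation off until the `TODO: check` is resolved.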



[Secure-testing-commits] r23947 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 17:58:36 +0000 (Thu, 10 Oct 2013)
New Revision: 23947

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4397/libtar

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 17:49:48 UTC (rev 23946)
+++ data/CVE/list   2013-10-10 17:58:36 UTC (rev 23947)
@@ -3506,7 +3506,7 @@
RESERVED
 CVE-2013-4397 [Integer overflow]
RESERVED
-   - libtar unfixed (bug #725938)
+   - libtar 1.2.20-1 (bug #725938)
 CVE-2013-4396 [Use after free in Xserver handling of ImageText requests]
RESERVED
- xorg-server 2:1.14.3-4
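Review bot: the fixed version replaces `unfixed`, but the entry still describes the issue only as `[Integer overflow]` and has no NOTE pointing at the upstream fix; a short description of where the overflow occurs plus a reference would let a reviewer confirm that 1.2.20-1 actually contains the fix rather than merely being a newer upstream release.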



[Secure-testing-commits] r23948 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 18:06:47 +0000 (Thu, 10 Oct 2013)
New Revision: 23948

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4365/libapache2-mod-fcgid

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 17:58:36 UTC (rev 23947)
+++ data/CVE/list   2013-10-10 18:06:47 UTC (rev 23948)
@@ -3628,7 +3628,7 @@
RESERVED
 CVE-2013-4365
RESERVED
-   - libapache2-mod-fcgid unfixed (bug #725942)
+   - libapache2-mod-fcgid 1:2.3.9-1 (bug #725942)
 CVE-2013-4364
RESERVED
 CVE-2013-4363
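Review bot: the CVE-2013-4365 entry now records a fixed version but still has no bracketed description after the CVE id and no NOTE, unlike the entries added earlier in this thread (CVE-2013-4369, CVE-2013-4371); with only `RESERVED` and `- libapache2-mod-fcgid 1:2.3.9-1 (bug #725942)`, a reader cannot tell what the upload fixed. Suggest adding a one-line description and a reference to the upstream fix.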



[Secure-testing-commits] r23949 - data/CVE

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-10 18:07:39 +0000 (Thu, 10 Oct 2013)
New Revision: 23949

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2013-4319/torque

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-10 18:06:47 UTC (rev 23948)
+++ data/CVE/list   2013-10-10 18:07:39 UTC (rev 23949)
@@ -3793,7 +3793,7 @@
 CVE-2013-4319 [Torque privilege escalation]
RESERVED
{DSA-2770-1}
-   - torque unfixed (bug #722306)
+   - torque 2.4.16+dfsg-1.1 (bug #722306)
NOTE: 
http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html
 CVE-2013-4318
RESERVED



[Secure-testing-commits] r23951 - data

2013-10-10 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-11 04:54:11 +0000 (Fri, 11 Oct 2013)
New Revision: 23951

Modified:
   data/dsa-needed.txt
Log:
Add myself for the libapache2-mod-fcgid dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-10-10 21:14:29 UTC (rev 23950)
+++ data/dsa-needed.txt 2013-10-11 04:54:11 UTC (rev 23951)
@@ -53,7 +53,7 @@
 --
 memcached
 --
-libapache2-mod-fcgid
+libapache2-mod-fcgid (carnil)
 --
 mysql-5.1/oldstable (jmm)
 --



[Secure-testing-commits] r23954 - data/CVE

2013-10-11 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-11 05:59:49 +0000 (Fri, 11 Oct 2013)
New Revision: 23954

Modified:
   data/CVE/list
Log:
Add CVE-2013-4422/quassel

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-11 05:55:51 UTC (rev 23953)
+++ data/CVE/list   2013-10-11 05:59:49 UTC (rev 23954)
@@ -3582,8 +3582,10 @@
RESERVED
 CVE-2013-4423
RESERVED
-CVE-2013-4422
+CVE-2013-4422 [SQL injection]
RESERVED
+   - quassel unfixed
+   TODO: check, mentions only a problem with QT4 = 4.8.5
 CVE-2013-4421 [memory exhaustion denial of service]
RESERVED
- dropbear unfixed
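Review bot: the `TODO: check, mentions only a problem with QT4 = 4.8.5` line reads as if a comparison operator was lost between `QT4` and `4.8.5`, so it is unclear whether the report concerns Qt versions at or above 4.8.5 or at or below it; since that relation decides whether the fix belongs in quassel or in the Qt package, the TODO should spell it out. The bare `[SQL injection]` description would also benefit from naming the affected component, as the other entries in this file do.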



[Secure-testing-commits] r23957 - data/CVE

2013-10-11 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-11 07:17:02 +0000 (Fri, 11 Oct 2013)
New Revision: 23957

Modified:
   data/CVE/list
Log:
Add items from external check in reviewboard (itp'ed) and djblets

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-11 06:38:28 UTC (rev 23956)
+++ data/CVE/list   2013-10-11 07:17:02 UTC (rev 23957)
@@ -3614,10 +3614,13 @@
NOTE: Upstream fix: 
http://git.berlios.de/cgi-bin/cgit.cgi/slim/commit/?id=fbdfae3b406b1bb6f4e5e440e79b9b8bb8f071f
 CVE-2013-4411
RESERVED
+   - reviewboard itp (bug #653113)
 CVE-2013-4410
RESERVED
-CVE-2013-4409
+   - reviewboard itp (bug #653113)
+CVE-2013-4409 [unsanitized eval() vulnerability]
RESERVED
+   - djblets unfixed
 CVE-2013-4408
RESERVED
 CVE-2013-4407 [remote command-injection]
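Review bot: CVE-2013-4411 and CVE-2013-4410 receive only `- reviewboard itp (bug #653113)` with no bracketed description, while CVE-2013-4409 gets `[unsanitized eval() vulnerability]` and `- djblets unfixed` with no bug number or NOTE; for the djblets entry a bug reference (or a NOTE with the upstream fix) is what makes `unfixed` actionable, and the two reviewboard entries should get descriptions so the ITP bug shows what the package will have to address before it enters the archive.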



[Secure-testing-commits] r23958 - data/CVE

2013-10-11 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-10-11 07:20:26 +0000 (Fri, 11 Oct 2013)
New Revision: 23958

Modified:
   data/CVE/list
Log:
Add CVE-2013-6046/python-django (part of external check, finished)

Modified: data/CVE/list
===
--- data/CVE/list   2013-10-11 07:17:02 UTC (rev 23957)
+++ data/CVE/list   2013-10-11 07:20:26 UTC (rev 23958)
@@ -37,7 +37,7 @@
 CVE-2013-6045
RESERVED
 CVE-2013-6044 (The is_safe_url function in utils/http.py in Django 1.4.x 
before ...)
-   TODO: check
+   - python-django 1.5.2-1
 CVE-2013-6043
RESERVED
 CVE-2013-6042
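Review bot: the description explicitly names Django 1.4.x as affected, yet the only annotation added is the unstable fixed version `- python-django 1.5.2-1`; no `[wheezy]` or `[squeeze]` line records whether the stable releases are affected, fixed, or in need of a DSA. Suggest adding release annotations (or a `TODO` for them) so that replacing the `TODO: check` with a single unstable version does not make the entry look fully handled.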

