Author: joeyh
Date: 2013-12-30 21:14:12 +0000 (Mon, 30 Dec 2013)
New Revision: 24982

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2013-12-30 19:14:16 UTC (rev 24981)
+++ data/CVE/list       2013-12-30 21:14:12 UTC (rev 24982)
@@ -1,3 +1,113 @@
+CVE-2014-0611
+       RESERVED
+CVE-2014-0610
+       RESERVED
+CVE-2014-0609
+       RESERVED
+CVE-2014-0608
+       RESERVED
+CVE-2014-0607
+       RESERVED
+CVE-2014-0606
+       RESERVED
+CVE-2014-0605
+       RESERVED
+CVE-2014-0604
+       RESERVED
+CVE-2014-0603
+       RESERVED
+CVE-2014-0602
+       RESERVED
+CVE-2014-0601
+       RESERVED
+CVE-2014-0600
+       RESERVED
+CVE-2014-0599
+       RESERVED
+CVE-2014-0598
+       RESERVED
+CVE-2014-0597
+       RESERVED
+CVE-2014-0596
+       RESERVED
+CVE-2014-0595
+       RESERVED
+CVE-2014-0594
+       RESERVED
+CVE-2014-0593
+       RESERVED
+CVE-2014-0592
+       RESERVED
+CVE-2014-0591
+       RESERVED
+CVE-2013-7233 (Cross-site request forgery (CSRF) vulnerability in the 
retrospam ...)
+       TODO: check
+CVE-2013-7232 (SQL injection vulnerability in ESRI ArcGIS for Server through 
10.2 ...)
+       TODO: check
+CVE-2013-7231 (Cross-site scripting (XSS) vulnerability in the Mobile Content 
Server ...)
+       TODO: check
+CVE-2013-7230
+       RESERVED
+CVE-2013-7229
+       RESERVED
+CVE-2013-7228
+       RESERVED
+CVE-2013-7227
+       RESERVED
+CVE-2013-7226
+       RESERVED
+CVE-2013-7219
+       RESERVED
+CVE-2013-7218
+       RESERVED
+CVE-2013-7217 (Unspecified vulnerability in Zimbra Collaboration Server 7.2.5 
and ...)
+       TODO: check
+CVE-2013-7216 (Multiple SQL injection vulnerabilities in Classifieds Creator 
2.0 ...)
+       TODO: check
+CVE-2013-7215
+       RESERVED
+CVE-2013-7214
+       RESERVED
+CVE-2013-7213
+       RESERVED
+CVE-2013-7212
+       RESERVED
+CVE-2013-7211
+       RESERVED
+CVE-2013-7210
+       RESERVED
+CVE-2013-7209
+       RESERVED
+CVE-2013-7208
+       RESERVED
+CVE-2013-7207
+       RESERVED
+CVE-2013-7206
+       RESERVED
+CVE-2013-7204
+       RESERVED
+CVE-2013-7202
+       RESERVED
+CVE-2013-7201
+       RESERVED
+CVE-2013-7200
+       RESERVED
+CVE-2013-7199
+       RESERVED
+CVE-2013-7198
+       RESERVED
+CVE-2013-7197
+       RESERVED
+CVE-2012-6618 (The av_probe_input_buffer function in libavformat/utils.c in 
FFmpeg ...)
+       TODO: check
+CVE-2012-6617 (The prepare_sdp_description function in ffserver.c in FFmpeg 
before ...)
+       TODO: check
+CVE-2012-6616 (The mov_text_decode_frame function in libavcodec/movtextdec.c 
in ...)
+       TODO: check
+CVE-2012-6615 (The ff_ass_split_override_codes function in 
libavcodec/ass_split.c in ...)
+       TODO: check
+CVE-2011-5268 (connection.c in Bip before 0.8.9 does not properly close 
sockets, ...)
+       TODO: check
 CVE-2014-0590
        RESERVED
 CVE-2014-0589
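Review bot: the five new entries that touch packaged software are parked at `TODO: check` exactly like the proprietary ones, and should get package lines on the next pass: CVE-2012-6615 through CVE-2012-6618 (FFmpeg) and CVE-2011-5268 (Bip). For the FFmpeg four the convention already used in this file is a libav fixed version plus `- ffmpeg <removed>` and a libav commit URL (see the CVE-2013-4358 entry further down). For CVE-2011-5268, whose description reads "connection.c in Bip before 0.8.9 does not properly close sockets", the existing CVE-2013-4550 entry (also "Bip before 0.8.9") records bip 0.8.9-1 with the upstream commit and issue 261, so check whether that same release covers this ID and, if so, reuse the version and NOTE lines. The remaining TODOs in this hunk (retrospam, ESRI ArcGIS for Server, Mobile Content Server, Zimbra, Classifieds Creator) read like NOT-FOR-US candidates, but the stored descriptions are truncated, so confirm against the full MITRE text before marking them.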
@@ -549,33 +659,44 @@
        NOTE: https://code.google.com/p/memcached/issues/detail?id=316
        NOTE: 
https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
 CVE-2013-7236
+       RESERVED
        NOT-FOR-US: Simple Machines Forum
 CVE-2013-7235
+       RESERVED
        NOT-FOR-US: Simple Machines Forum
 CVE-2013-7234
+       RESERVED
        NOT-FOR-US: Simple Machines Forum
 CVE-2013-7225
+       RESERVED
        NOT-FOR-US: Fat Free CRM
 CVE-2013-7224
+       RESERVED
        NOT-FOR-US: Fat Free CRM
 CVE-2013-7223
+       RESERVED
        NOT-FOR-US: Fat Free CRM
 CVE-2013-7222
+       RESERVED
        NOT-FOR-US: Fat Free CRM
 CVE-2013-7221 [run command dialog visible above screen locker]
+       RESERVED
        - gnome-shell <unfixed>
        NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=708313
        NOTE: 
https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088
        TODO: check
 CVE-2013-7220 [blind command execution via activities search keyboard focus]
+       RESERVED
        - gnome-shell <unfixed>
        NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=686740
        NOTE: 
https://git.gnome.org/browse/gnome-shell/commit/js/ui/screenShield.js?id=209014b083dbe86ed0e0860a6016735571b56f94
        TODO: check
 CVE-2013-7205 [off-by-one]
+       RESERVED
        - nagios3 <unfixed>
        NOTE: additional changed files for nagios3, cf. CVE-2013-7108
 CVE-2013-7203
+       RESERVED
        - gitolite3 <unfixed>
 CVE-2013-7191 (Cross-site scripting (XSS) vulnerability in Tenmiles Helpdesk 
Pilot ...)
        NOT-FOR-US: Tenmiles Helpdesk Pilot
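Review bot: the `RESERVED` lines inserted here sit between the CVE header and the existing triage lines (NOT-FOR-US, package entries, NOTEs), which is the correct position for reserved-but-already-triaged entries, so nothing to change in the placement. Two of the touched entries still carry stale state, though: CVE-2013-7221 and CVE-2013-7220 each combine `- gnome-shell <unfixed>` with an upstream commit URL in a NOTE and a trailing `TODO: check`. With the fixing commits already identified, the first fixed upstream version can be read off and the TODO resolved, or the TODO should say what is still open (backport status, whether the commit is in the packaged version).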
@@ -585,8 +706,7 @@
        NOT-FOR-US: HostBill
 CVE-2013-7187 (SQL injection vulnerability in form.php in the FormCraft plugin 
1.3.7 ...)
        NOT-FOR-US: WordPress plugin FormCraft
-CVE-2013-7149
-       RESERVED
+CVE-2013-7149 (SQL injection vulnerability in www/delivery/axmlrpc.php (aka 
the ...)
        NOT-FOR-US: Revive Adserver
 CVE-2013-7148
        RESERVED
@@ -669,8 +789,8 @@
        NOT-FOR-US: McAfee Email Gateway
 CVE-2013-7103 (McAfee Email Gateway 7.6 allows remote authenticated 
administrators to ...)
        NOT-FOR-US: McAfee Email Gateway
-CVE-2013-7102
-       RESERVED
+CVE-2013-7102 (Multiple unrestricted file upload vulnerabilities in (1) ...)
+       TODO: check
 CVE-2013-7101
        RESERVED
 CVE-2013-7100 (Buffer overflow in the unpacksms16 function in apps/app_sms.c 
in ...)
@@ -839,16 +959,13 @@
        NOT-FOR-US: Typo3 Flow
        NOTE: https://review.typo3.org/#/c/26176/
        NOTE: CVE assigned for Typo3 Flow, correspond to CVE-2013-7078
-CVE-2013-7081 [Information Disclosure potentially leading to Privilege 
Escalation]
-       RESERVED
+CVE-2013-7081 (The (old) Form Content Element component in TYPO3 4.5.0 through 
...)
        - typo3-src 4.5.32+dfsg1-1 (bug #731999)
        NOTE: https://review.typo3.org/#/c/26182/
-CVE-2013-7080 [Mass Assignment]
-       RESERVED
+CVE-2013-7080 (The creating record functionality in Extension table 
administration ...)
        - typo3-src 4.5.32+dfsg1-1 (bug #731999)
        NOTE: https://review.typo3.org/#/c/26178/
-CVE-2013-7079 [Open Redirection]
-       RESERVED
+CVE-2013-7079 (Open redirect vulnerability in the OpenID extension in TYPO3 
4.5.0 ...)
        - typo3-src 4.5.32+dfsg1-1 (bug #731999)
        NOTE: https://review.typo3.org/#/c/26179/
 CVE-2013-7078 [Cross-Site Scripting]
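Review bot: replacing the bracketed working titles with the official descriptions drops the only place the vulnerability class was recorded, because the stored text is cut at roughly 70 characters: `[Mass Assignment]` becomes "The creating record functionality in Extension table administration ...", `[Open Redirection]` survives only because the MITRE text happens to start with "Open redirect", and `[Information Disclosure potentially leading to Privilege Escalation]` becomes "The (old) Form Content Element component in TYPO3 4.5.0 through ...". All three are fixed in typo3-src 4.5.32+dfsg1-1 (bug #731999) and keep their review.typo3.org links, so this is cosmetic, but a one-line NOTE carrying the dropped class keeps the entries readable without following the link. The same applies to the CVE-2013-7075 (`[Insecure Unserialize]`) and CVE-2013-7073 (`[Information Disclosure]`) hunks below, where the two MITRE descriptions are now truncated to the identical prefix "The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, ...".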
@@ -860,8 +977,7 @@
 CVE-2013-7076 (Cross-site scripting (XSS) vulnerability in Extension Manager 
in TYPO3 ...)
        - typo3-src 4.5.32+dfsg1-1 (bug #731999)
        NOTE: https://review.typo3.org/#/c/26181/
-CVE-2013-7075 [Insecure Unserialize]
-       RESERVED
+CVE-2013-7075 (The Content Editing Wizards component in TYPO3 4.5.0 through 
4.5.31, ...)
        - typo3-src 4.5.32+dfsg1-1 (bug #731999)
        NOTE: https://review.typo3.org/#/c/26175/
 CVE-2013-7074 (Multiple cross-site scripting (XSS) vulnerabilities in Content 
Editing ...)
@@ -869,8 +985,7 @@
        NOTE: https://review.typo3.org/#/c/26184/
        NOTE: https://review.typo3.org/#/c/26183/
        NOTE: https://review.typo3.org/#/c/26177/
-CVE-2013-7073 [Information Disclosure]
-       RESERVED
+CVE-2013-7073 (The Content Editing Wizards component in TYPO3 4.5.0 through 
4.5.31, ...)
        - typo3-src 4.5.32+dfsg1-1 (bug #731999)
        NOTE: https://review.typo3.org/#/c/26180/
 CVE-2013-7072
@@ -893,8 +1008,7 @@
 CVE-2013-7060 [Filesystem path information leak]
        RESERVED
        NOT-FOR-US: Plone
-CVE-2013-7049 [ZNC IRC Bouncer DoS in FiSH Plugin]
-       RESERVED
+CVE-2013-7049 (Stack-based buffer overflow in fish.cpp in the Fish plugin for 
ZNC, as ...)
        NOTE: vulnerable code not found in Debian
        NOTE: http://www.openwall.com/lists/oss-security/2013/12/11/14
        NOT-FOR-US: FiSH Plugin for ZNC IRC Bouncer
@@ -1170,13 +1284,11 @@
        RESERVED
 CVE-2013-6982
        RESERVED
-CVE-2013-6981
-       RESERVED
+CVE-2013-6981 (Cisco IOS XE 3.7S(.1) and earlier allows remote attackers to 
cause a ...)
        NOT-FOR-US: Cisco IOS XE
 CVE-2013-6980
        RESERVED
-CVE-2013-6979
-       RESERVED
+CVE-2013-6979 (The VTY authentication implementation in Cisco IOS XE 
03.02.xxSE and ...)
        NOT-FOR-US: Cisco IOS XE
 CVE-2013-6978 (The disaster recovery system (DRS) component in Cisco Unified 
...)
        NOT-FOR-US: Cisco
@@ -1273,14 +1385,14 @@
        RESERVED
 CVE-2013-6933
        RESERVED
-CVE-2013-6932
-       RESERVED
+CVE-2013-6932 (Buffer overflow in IrfanView before 4.37, when a 
multibyte-character ...)
+       TODO: check
 CVE-2013-6931
        RESERVED
 CVE-2013-6930
        RESERVED
-CVE-2013-6929
-       RESERVED
+CVE-2013-6929 (SQL injection vulnerability in Cybozu Garoon 3.7 SP2 and 
earlier ...)
+       TODO: check
 CVE-2013-6928
        RESERVED
 CVE-2013-6927
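Review bot: CVE-2013-6932 (IrfanView, a Windows-only image viewer) and CVE-2013-6929 (Cybozu Garoon) are set to `TODO: check` although neither is Debian software. The other Cybozu entries in this file, CVE-2013-6005 and CVE-2013-6004, are already marked `NOT-FOR-US: Cybozu ...`, so the same marker here (and for CVE-2013-6006, also Cybozu Garoon, in the hunk at -4151) is the consistent choice and saves a triage round-trip.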
@@ -2011,8 +2123,7 @@
        RESERVED
 CVE-2013-6891
        RESERVED
-CVE-2013-6890
-       RESERVED
+CVE-2013-6890 (denyhosts 2.6 uses an incorrect regular expression when 
analyzing ...)
        {DSA-2826-1}
        - denyhosts 2.6-10.1
 CVE-2013-6889 [Allows reading arbitrary files]
@@ -2025,8 +2136,8 @@
 CVE-2013-6887
        RESERVED
        - openjpeg <not-affected> (only affects 1.5, in experimental)
-CVE-2013-6886
-       RESERVED
+CVE-2013-6886 (RealVNC VNC 5.0.6 on Mac OS X, Linux, and UNIX allows local 
users to ...)
+       TODO: check
 CVE-2013-6884
        RESERVED
        NOT-FOR-US: Ditto Forensic FieldStation
@@ -2181,16 +2292,16 @@
        NOT-FOR-US: SAP
 CVE-2013-6813
        RESERVED
-CVE-2013-6812
-       RESERVED
+CVE-2013-6812 (The ONEDC app before 1.7 for iOS does not properly verify X.509 
...)
+       TODO: check
 CVE-2013-6811
        RESERVED
 CVE-2013-6810 (The server in EMC Connectrix Manager Converged Network Edition 
(CMCNE) ...)
        NOT-FOR-US: EMC Connectrix Manager Converged Network Edition
 CVE-2013-6809 (Format string vulnerability in the client in Tftpd32 before 
4.50 ...)
        NOT-FOR-US: Tftpd32
-CVE-2013-6808
-       RESERVED
+CVE-2013-6808 (Cross-site scripting (XSS) vulnerability in lib/NSSDropoff.php 
in ...)
+       TODO: check
 CVE-2012-6607 (The transform_save function in transform_save in Augeas before 
1.0.0 ...)
        - augeas 1.0.0-1 (low)
        [squeeze] - augeas <no-dsa> (Minor issue)
@@ -2246,8 +2357,7 @@
        NOT-FOR-US: Wordpress plugin
 CVE-2013-6796
        RESERVED
-CVE-2013-6795
-       RESERVED
+CVE-2013-6795 (The Updater in Rackspace Openstack Windows Guest Agent for 
XenServer ...)
        NOT-FOR-US: Rackspace Windows Agent and Updater
 CVE-2013-6794 (Cross-site scripting (XSS) vulnerability in the Calendar module 
in ...)
        NOT-FOR-US: Olat
@@ -3060,8 +3170,7 @@
        RESERVED
        - openssl 1.0.1e-5 (low)
        [squeeze] - openssl <no-dsa> (Minor issue, limited DTLS support in 
0.9.8 branch)
-CVE-2013-6449 [crash when using TLS 1.2]
-       RESERVED
+CVE-2013-6449 (The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL 
before ...)
        - openssl 1.0.1e-5 (bug #732754)
        [squeeze] - openssl <not-affected> (TLS 1.2 support introduced in 1.0.1)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1045363
@@ -3093,8 +3202,7 @@
        - opensaml2 <not-affected> (Debian provides the C-based Shibboleth 
implementation)
        NOTE: http://shibboleth.net/community/advisories/secadv_20131213.txt
        NOTE: 
http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml
-CVE-2013-6439 [insecure authentication enabled by default]
-       RESERVED
+CVE-2013-6439 (Candlepin in Red Hat Subscription Asset Manager 1.0 through 1.3 
uses a ...)
        NOT-FOR-US: Candlepin
 CVE-2013-6438
        RESERVED
@@ -3147,8 +3255,7 @@
        - xorg-server <unfixed>
 CVE-2013-6423
        RESERVED
-CVE-2013-6422 [libcurl cert name check ignore GnuTLS]
-       RESERVED
+CVE-2013-6422 (The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when 
disabling ...)
        {DSA-2824-1}
        - curl 7.34.0-1
        [squeeze] - curl <not-affected> (issue introduced with 59cf93cc, 7.21.4)
@@ -3231,8 +3338,7 @@
        [wheezy] - quassel <no-dsa> (Minor issue)
        [squeeze] - quassel <no-dsa> (Minor issue)
        NOTE: https://github.com/quassel/quassel/commit/a1a24da
-CVE-2013-6403 [security bypass on admin page]
-       RESERVED
+CVE-2013-6403 (The admin page in ownCloud before 5.0.13 allows remote 
attackers to ...)
        - owncloud 5.0.13+dfsg-1
 CVE-2013-6402 [hplip insecure temporary file handling in pkit.py]
        RESERVED
@@ -3281,12 +3387,10 @@
 CVE-2013-6389 (Open redirect vulnerability in the Overlay module in Drupal 7.x 
before ...)
        {DSA-2804-1}
        - drupal7 7.24-1
-CVE-2013-6388 [Cross-site scripting]
-       RESERVED
+CVE-2013-6388 (Cross-site scripting (XSS) vulnerability in the Color module in 
Drupal ...)
        {DSA-2804-1}
        - drupal7 7.24-1
-CVE-2013-6387 [Cross-site scripting]
-       RESERVED
+CVE-2013-6387 (Cross-site scripting (XSS) vulnerability in the Image module in 
Drupal ...)
        {DSA-2804-1}
        - drupal7 7.24-1
 CVE-2013-6386 (Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand 
...)
@@ -3729,10 +3833,10 @@
        RESERVED
 CVE-2013-6199
        RESERVED
-CVE-2013-6198
-       RESERVED
-CVE-2013-6197
-       RESERVED
+CVE-2013-6198 (Cross-site scripting (XSS) vulnerability in HP Service Manager 
WebTier ...)
+       TODO: check
+CVE-2013-6197 (Unspecified vulnerability in HP Service Manager WebTier and 
Windows ...)
+       TODO: check
 CVE-2013-6196 (Cross-site scripting (XSS) vulnerability in HP Autonomy 
Ultraseek 5 ...)
        NOT-FOR-US: HP Autonomy Ultraseek
 CVE-2013-6195
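Review bot: CVE-2013-6198 and CVE-2013-6197 (HP Service Manager WebTier) land at `TODO: check`, while the adjacent HP entries in this region, CVE-2013-6196 (`NOT-FOR-US: HP Autonomy Ultraseek`) and the HP Operations Orchestration entry in the next hunk, are already marked NOT-FOR-US, and the older CVE-2012-5222 for the same product carries `NOT-FOR-US: HP Service Manager`. Reuse that marker; the same goes for CVE-2013-6189 (Archive Query Server in HP ...) in the following hunk once the full description confirms the product.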
@@ -3747,8 +3851,8 @@
        NOT-FOR-US: HP Operations Orchestration
 CVE-2013-6190
        RESERVED
-CVE-2013-6189
-       RESERVED
+CVE-2013-6189 (Unspecified vulnerability in the Archive Query Server in HP ...)
+       TODO: check
 CVE-2013-6188
        RESERVED
 CVE-2013-6187
@@ -3761,11 +3865,9 @@
        RESERVED
 CVE-2013-6183
        RESERVED
-CVE-2013-6182
-       RESERVED
+CVE-2013-6182 (Unquoted Windows search path vulnerability in EMC Replication 
Manager ...)
        NOT-FOR-US: EMC Replication Manager
-CVE-2013-6181
-       RESERVED
+CVE-2013-6181 (EMC Watch4Net before 6.3 stores cleartext polled-device 
passwords in ...)
        NOT-FOR-US: EMC Watch4net
 CVE-2013-6180 (EMC RSA Security Analytics (SA) 10.x before 10.3, and RSA 
NetWitness ...)
        NOT-FOR-US: RSA Security Analytics
@@ -4151,8 +4253,8 @@
        RESERVED
 CVE-2013-6007
        RESERVED
-CVE-2013-6006
-       RESERVED
+CVE-2013-6006 (Cybozu Garoon 3.5 through 3.7 SP2 allows remote attackers to 
bypass ...)
+       TODO: check
 CVE-2013-6005 (Cross-site scripting (XSS) vulnerability in Cybozu Dezie before 
8.1.0 ...)
        NOT-FOR-US: Cybozu Dezie
 CVE-2013-6004 (Session fixation vulnerability in Cybozu Garoon before 3.7.2 
allows ...)
@@ -4219,8 +4321,7 @@
        NOT-FOR-US: F5 BIG-IP APM
 CVE-2013-5974
        RESERVED
-CVE-2013-5973
-       RESERVED
+CVE-2013-5973 (VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local 
users to ...)
        NOT-FOR-US: VMware ESXi and ESX
 CVE-2013-5972 (VMware Workstation 9.x before 9.0.3 and VMware Player 5.x 
before 5.0.3 ...)
        NOT-FOR-US: VMware
@@ -5284,8 +5385,8 @@
        RESERVED
 CVE-2013-5584
        RESERVED
-CVE-2013-5583
-       RESERVED
+CVE-2013-5583 (Cross-site scripting (XSS) vulnerability in ...)
+       TODO: check
 CVE-2013-5582
        RESERVED
 CVE-2013-5581
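Review bot: the stored description for CVE-2013-5583 is truncated before the product name ("Cross-site scripting (XSS) vulnerability in ..."), so the `TODO: check` cannot be resolved from this file alone and whoever picks it up must go to the full MITRE text first. The same truncation hides the product for CVE-2013-5039 ("Cross-site request forgery (CSRF) vulnerability in ...") and CVE-2013-7102 ("Multiple unrestricted file upload vulnerabilities in (1) ...") elsewhere in this update; it would help to have the script keep at least the product name when it shortens descriptions.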
@@ -5648,8 +5749,8 @@
        NOT-FOR-US: IBM Rational ClearQuest
 CVE-2013-5421 (Cross-site scripting (XSS) vulnerability in the IMS server 
before Ifix ...)
        NOT-FOR-US: IBM
-CVE-2013-5420
-       RESERVED
+CVE-2013-5420 (The IMS server before Ifix 6 in IBM Security Access Manager for 
...)
+       TODO: check
 CVE-2013-5419 (Multiple buffer overflows in (1) mkque and (2) mkquedev in ...)
        NOT-FOR-US: IBM AIX
 CVE-2013-5418 (Cross-site scripting (XSS) vulnerability in the Administrative 
console ...)
@@ -6046,16 +6147,16 @@
        RESERVED
 CVE-2013-5223 (Multiple cross-site scripting (XSS) vulnerabilities in D-Link 
...)
        NOT-FOR-US: D-Link DSL-2760U Gateway
-CVE-2013-5222
-       RESERVED
+CVE-2013-5222 (Multiple cross-site scripting (XSS) vulnerabilities in ESRI 
ArcGIS for ...)
+       TODO: check
 CVE-2013-5221 (The mobile-upload feature in Esri ArcGIS for Server 10.1 
through 10.2 ...)
        NOT-FOR-US: Esri ArcGIS
-CVE-2013-5220
-       RESERVED
-CVE-2013-5219
-       RESERVED
-CVE-2013-5218
-       RESERVED
+CVE-2013-5220 (goform/login on the HOT HOTBOX router with software 2.1.11 
allows ...)
+       TODO: check
+CVE-2013-5219 (Directory traversal vulnerability on the HOT HOTBOX router with 
...)
+       TODO: check
+CVE-2013-5218 (Cross-site scripting (XSS) vulnerability on the HOT HOTBOX 
router with ...)
+       TODO: check
 CVE-2013-5216 (Directory traversal vulnerability in logreader/uploadreader.jsp 
in ...)
        NOT-FOR-US: Performance Guard
 CVE-2013-5215 (Cross-site scripting (XSS) vulnerability in the web interface 
&quot;WiFi ...)
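Review bot: CVE-2013-5222 (ESRI ArcGIS for Server) is set to `TODO: check` while the neighbouring CVE-2013-5221, same product, is `NOT-FOR-US: Esri ArcGIS`; use the same marker. The three HOT HOTBOX router entries (CVE-2013-5220, CVE-2013-5219, CVE-2013-5218) are consumer router firmware and belong next to the `NOT-FOR-US: D-Link DSL-2760U Gateway` entry at the top of this hunk rather than in the TODO queue; the other three HOTBOX IDs (CVE-2013-5039, CVE-2013-5038, CVE-2013-5037) in the hunk at -6430 should be marked the same way in one go.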
@@ -6073,8 +6174,7 @@
        NOTE: http://bugs.ntp.org/show_bug.cgi?id=1532
        NOTE: mitigated if noquery used. Only a problem for (public) ntp 
servers allowing
        NOTE: querying ntpd status, so allowing monlist
-CVE-2013-5210
-       RESERVED
+CVE-2013-5210 (Cross-site scripting (XSS) vulnerability in the GUI login page 
in ...)
        NOT-FOR-US: Adtran Netvanta
 CVE-2013-5209 (The sctp_send_initiate_ack function in 
sys/netinet/sctp_output.c in ...)
        {DSA-2743-1}
@@ -6430,12 +6530,12 @@
        RESERVED
 CVE-2013-5040
        RESERVED
-CVE-2013-5039
-       RESERVED
-CVE-2013-5038
-       RESERVED
-CVE-2013-5037
-       RESERVED
+CVE-2013-5039 (Cross-site request forgery (CSRF) vulnerability in ...)
+       TODO: check
+CVE-2013-5038 (The HOT HOTBOX router with software 2.1.11 allows remote 
attackers to ...)
+       TODO: check
+CVE-2013-5037 (The HOT HOTBOX router with software 2.1.11 has a default WPS 
PIN of ...)
+       TODO: check
 CVE-2013-5036
        RESERVED
 CVE-2013-5035 (Multiple race conditions in HtmlCleaner before 2.6, as used in 
...)
@@ -6850,8 +6950,8 @@
        RESERVED
 CVE-2013-4859
        RESERVED
-CVE-2013-4858
-       RESERVED
+CVE-2013-4858 (Microsoft Windows Movie Maker 2.1.4026.0 on Windows XP SP3 
allows ...)
+       TODO: check
 CVE-2013-4857
        RESERVED
 CVE-2013-4856
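Review bot: CVE-2013-4858 (Microsoft Windows Movie Maker 2.1.4026.0 on Windows XP SP3) cannot need a Debian check; it should be `NOT-FOR-US: Microsoft`, the marker used for the other Microsoft entries in this file (for example around CVE-2013-3847 and CVE-2013-3845), instead of `TODO: check`.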
@@ -7598,11 +7698,9 @@
 CVE-2013-4555 (Cross-site request forgery (CSRF) vulnerability in ...)
        {DSA-2794-1}
        - spip 2.1.24-1 (bug #729172)
-CVE-2013-4554 [XSA-76]
-       RESERVED
+CVE-2013-4554 (Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 
4.2.3), ...)
        - xen <unfixed>
-CVE-2013-4553 [XSA-74]
-       RESERVED
+CVE-2013-4553 (The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x 
...)
        - xen <unfixed>
 CVE-2013-4552
        RESERVED
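Review bot: the Xen advisory identifiers are lost in this hunk. `CVE-2013-4554 [XSA-76]` and `CVE-2013-4553 [XSA-74]` become the MITRE descriptions, and the truncated text ("Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly ...", "The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x ...") no longer names the advisory. Both entries are still `- xen <unfixed>`, so the XSA number is what the packager will search for when preparing the update; add `NOTE: XSA-76` and `NOTE: XSA-74` (or the advisory URLs) under the respective entries so the cross-reference survives.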
@@ -7611,15 +7709,13 @@
        - xen <unfixed>
        [wheezy] - xen <not-affected> (Only affects 4.2.x and later)
        [squeeze] - xen <not-affected> (Only affects 4.2.x and later)
-CVE-2013-4550 [denial of service via resource leak]
-       RESERVED
+CVE-2013-4550 (Bip before 0.8.9, when running as a daemon, writes SSL 
handshake ...)
        - bip 0.8.9-1 (low)
        [wheezy] - bip <no-dsa> (Minor issue)
        [squeeze] - bip <no-dsa> (Minor issue)
        NOTE: Upstream commit: 
https://projects.duckcorp.org/projects/bip/repository/revisions/df45c4c2d6f892e3e1dec23ce0ed2575b53a7d8c
        NOTE: https://projects.duckcorp.org/issues/261
-CVE-2013-4549 [XML Entity Expansion Denial of Service]
-       RESERVED
+CVE-2013-4549 (QXmlSimpleReader in Qt before 5.2 allows context-dependent 
attackers ...)
        - qtbase-opensource-src 5.1.1+dfsg-6
        - qt4-x11 4:4.8.5+git192-g085f851+dfsg-1 (low)
        [wheezy] - qt4-x11 <no-dsa> (Minor issue)
@@ -7908,8 +8004,7 @@
 CVE-2013-4462
        RESERVED
        NOT-FOR-US: WordPress plugin
-CVE-2013-4461
-       RESERVED
+CVE-2013-4461 (SQL injection vulnerability in the web interface for cumin in 
Red Hat ...)
        NOT-FOR-US: Cumin
 CVE-2013-4460 [XSS in account_sponsor_page.php project names]
        RESERVED
@@ -7939,8 +8034,7 @@
        - ldap-account-manager 4.4-1 (medium; bug #726976)
        [wheezy] - ldap-account-manager <no-dsa> (Minor issue)
        [squeeze] - ldap-account-manager <no-dsa> (Minor issue)
-CVE-2013-4452
-       RESERVED
+CVE-2013-4452 (Red Hat JBoss Operations Network 3.1.2 uses world-readable 
permissions ...)
        NOT-FOR-US: JBoss Operation Network
 CVE-2013-4451 [world writable files]
        RESERVED
@@ -8032,8 +8126,7 @@
        NOT-FOR-US: pyxtrlock
 CVE-2013-4425 (The DICOM listener in OsiriX before 5.8 and before 2.5-MD, when 
...)
        NOT-FOR-US: Osirix
-CVE-2013-4424
-       RESERVED
+CVE-2013-4424 (Multiple cross-site scripting (XSS) vulnerabilities in the 
GateIn ...)
        NOT-FOR-US: GateIn
 CVE-2013-4423
        RESERVED
@@ -8058,8 +8151,7 @@
        - xen <not-affected> (ocaml version of the xenstore daemon not used in 
Debian)
 CVE-2013-4415
        RESERVED
-CVE-2013-4414
-       RESERVED
+CVE-2013-4414 (Cross-site scripting (XSS) vulnerability in the web interface 
for ...)
        NOT-FOR-US: Cumin
 CVE-2013-4413 [arbitrary files read]
        RESERVED
@@ -8082,7 +8174,7 @@
        - python-django-djblets <removed> (low)
        [squeeze] - python-django-djblets <no-dsa> (Minor issue)
        NOTE: Fix: 
https://github.com/djblets/djblets/commit/36cd15763742652ca990f913b44e91c69c707269
-CVE-2013-4408 (Buffer overflow in the dcerpc_read_ncacn_packet_done function 
in ...)
+CVE-2013-4408 (Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done 
...)
        {DSA-2812-1}
        - samba 2:4.0.13+dfsg-1
        - samba4 <removed>
@@ -8093,16 +8185,14 @@
 CVE-2013-4406
        RESERVED
        NOT-FOR-US: Quick Tabs Drupal contributed module
-CVE-2013-4405
-       RESERVED
+CVE-2013-4405 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
the web ...)
        NOT-FOR-US: Cumin
-CVE-2013-4404
-       RESERVED
+CVE-2013-4404 (cumin in Red Hat Enterprise MRG Grid 2.4 does not properly 
enforce ...)
        NOT-FOR-US: Cumin
 CVE-2013-4403
        REJECTED
        NOTE: rejected
-CVE-2013-4402 (GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote 
...)
+CVE-2013-4402 (The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 
2.0.x ...)
        {DSA-2774-1 DSA-2773-1}
        - gnupg2 2.0.22-1 (bug #725433)
        - gnupg 1.4.15-1 (bug #725439)
@@ -8259,8 +8349,7 @@
 CVE-2013-4359 (Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 
1.3.5r3 ...)
        {DSA-2767-1}
        - proftpd-dfsg 1.3.5~rc3-2.1 (bug #723179)
-CVE-2013-4358
-       RESERVED
+CVE-2013-4358 (libavcodec/h264.c in FFmpeg before 0.11.4 allows remote 
attackers to ...)
        - libav 6:9.1-1
        - ffmpeg <removed>
        NOTE: libav fix: 
http://git.libav.org/?p=libav.git;a=commit;h=072be3e8969f24113d599444be4d6a0ed04a6602
@@ -9695,8 +9784,8 @@
        NOT-FOR-US: Microsoft
 CVE-2013-3847 (Microsoft Word Automation Services in SharePoint Server 2010 
SP1, Word ...)
        NOT-FOR-US: Microsoft
-CVE-2013-3846
-       RESERVED
+CVE-2013-3846 (Use-after-free vulnerability in Microsoft Internet Explorer 9 
and 10 ...)
+       TODO: check
 CVE-2013-3845 (Microsoft Internet Explorer 8 and 9 allows remote attackers to 
execute ...)
        NOT-FOR-US: Microsoft
 CVE-2013-3844
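Review bot: CVE-2013-3846 (use-after-free in Microsoft Internet Explorer 9 and 10) gets `TODO: check` while CVE-2013-3847 directly above and CVE-2013-3845 directly below, both also Internet Explorer or Microsoft Office components, are `NOT-FOR-US: Microsoft`. Nothing from Internet Explorer is in the archive, so the marker should match its neighbours.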
@@ -10039,8 +10128,8 @@
        RESERVED
 CVE-2013-3710 (SUSE Lifecycle Management Server (SLMS) before 1.3.7 does not 
generate ...)
        NOT-FOR-US: SUSE Lifecycle Management Server
-CVE-2013-3709
-       RESERVED
+CVE-2013-3709 (WebYaST 1.3 uses weak permissions for ...)
+       TODO: check
 CVE-2013-3708 (The id1.GetPrinterURLList function in Novell iPrint Client 
before 5.93 ...)
        NOT-FOR-US: Novell iPrint Client
 CVE-2013-3707 (The HTTPSTK service in the novell-nrm package before ...)
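Review bot: CVE-2013-3709 ("WebYaST 1.3 uses weak permissions for ...") is set to `TODO: check`; WebYaST is SUSE's web front end to YaST, and the adjacent CVE-2013-3710 is already `NOT-FOR-US: SUSE Lifecycle Management Server`, so `NOT-FOR-US: WebYaST` is the expected marker unless an archive search turns up a package.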
@@ -12581,8 +12670,7 @@
        RESERVED
 CVE-2013-2630 (Cross-site scripting (XSS) vulnerability in CA Service Desk 
Manager ...)
        NOT-FOR-US: CA Service Desk Manager
-CVE-2013-2629
-       RESERVED
+CVE-2013-2629 (Leed (Light Feed), possibly before 1.5 Stable, allows remote 
attackers ...)
        NOT-FOR-US: Leed
 CVE-2013-2628 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
...)
        NOT-FOR-US: Leed
@@ -12919,8 +13007,8 @@
        NOTE: evince doesnt use an embedded version of this
 CVE-2013-2505
        RESERVED
-CVE-2013-2504
-       RESERVED
+CVE-2013-2504 (Cross-site scripting (XSS) vulnerability in 
SPS/Portal/default.aspx in ...)
+       TODO: check
 CVE-2013-2503 (Privoxy before 3.0.21 does not properly handle 
Proxy-Authenticate and ...)
        - privoxy 3.0.21-1 (low; bug #702896)
        [wheezy] - privoxy <no-dsa> (Minor issue)
@@ -13894,8 +13982,7 @@
 CVE-2013-2180
        RESERVED
        NOT-FOR-US: uk-cookie Wordpress plugin, not in Debian
-CVE-2013-2179 [possible NULL ptr deref in XDM when using crypt() from glibc 
2.17+]
-       RESERVED
+CVE-2013-2179 (X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when 
performing ...)
        - xdm <not-affected> (Not affected when PAM is used)
        [squeeze] - xdm <not-affected> (same as above and glibc too old)
        [wheezy] - xdm <not-affected> (same as above and glibc too old)
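Review bot: the not-affected rationale loses its referent in this hunk. The old title `[possible NULL ptr deref in XDM when using crypt() from glibc 2.17+]` is replaced by "X.Org xdm 1.1.10, 1.1.11, and possibly other versions, when performing ...", which is cut off before it reaches glibc, yet the squeeze and wheezy lines still read `(same as above and glibc too old)`. Carry the dropped detail into a NOTE, for instance `NOTE: possible NULL pointer dereference when using crypt() from glibc 2.17+; not triggered with PAM`, so that "glibc too old" and "Not affected when PAM is used" remain understandable on their own.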
@@ -14423,8 +14510,7 @@
        [wheezy] - mediawiki <no-dsa> (Minor issue)
        [squeeze] - mediawiki <no-dsa> (Minor issue)
        NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=47304
-CVE-2013-2030 [Nova uses insecure keystone middleware tmpdir by default]
-       RESERVED
+CVE-2013-2030 (keystone/middleware/auth_token.py in OpenStack Nova Folsom, 
Grizzly, ...)
        - nova <not-affected> (Option not present in nova/2012.1.1)
        NOTE: 
http://lists.openstack.org/pipermail/openstack-announce/2013-May/000098.html
 CVE-2013-2029 (nagios.upgrade_to_v3.sh, as distributed by Red Hat and possibly 
others ...)
@@ -17308,8 +17394,8 @@
        RESERVED
 CVE-2013-1097 (Cross-site scripting (XSS) vulnerability in a ZCC page in 
njwc.jar in ...)
        NOT-FOR-US: Novell ZENworks Configuration Management
-CVE-2013-1096
-       RESERVED
+CVE-2013-1096 (Cross-site scripting (XSS) vulnerability in the Roles Based ...)
+       TODO: check
 CVE-2013-1095 (Cross-site scripting (XSS) vulnerability in a ZCC page in 
njwc.jar in ...)
        NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2013-1094 (Cross-site scripting (XSS) vulnerability in a ZCC page in ...)
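Review bot: CVE-2013-1096 gets `TODO: check` while its neighbours CVE-2013-1097 and CVE-2013-1095, XSS in ZCC pages in njwc.jar in the same Novell ZENworks Configuration Management product, are already `NOT-FOR-US: Novell ZENworks Configuration Management`. The truncated description ("... in the Roles Based ...") hides the product name, so confirm against the full MITRE text and then apply the same marker.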
@@ -23550,7 +23636,7 @@
        NOT-FOR-US: vBSEO
 CVE-2012-5222 (HP Service Manager Web Tier 9.31 before 9.31.2004 p2 allows 
remote ...)
        NOT-FOR-US: HP Service Manager
-CVE-2012-5221 (Unspecified vulnerability on the HP LaserJet 4xxx, 5200, 90xx, 
M30xx, ...)
+CVE-2012-5221 (Directory traversal vulnerability in the PostScript 
Interpreter, as ...)
        NOT-FOR-US: HP LaserJet
 CVE-2012-5220 (Unspecified vulnerability in HP Storage Data Protector 6.20, 
6.21, ...)
        NOT-FOR-US: HP Storage Data Protector
@@ -33350,7 +33436,7 @@
        - openjdk-6 <not-affected> (Specific to Oracle Java, not present in 
IcedTea)
        - openjdk-7 <not-affected> (Specific to Oracle Java, not present in 
IcedTea)
        NOTE: Due to the vague disclosure policy by Oracle the exact nature is 
unknown but since no patch landed in icedtea, we consider it not-affected
-CVE-2012-1530 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, 
and ...)
+CVE-2012-1530 (Heap-based buffer overflow in the XSLT engine in Adobe Reader 
and ...)
        NOT-FOR-US: Adobe Reader and Acrobat
 CVE-2012-1529 (Use-after-free vulnerability in Microsoft Internet Explorer 8 
and 9 ...)
        NOT-FOR-US: Internet Explorer
@@ -44841,8 +44927,7 @@
        [lenny] - linux-2.6 <not-affected> (Vulnerable code not present)
 CVE-2011-2520 (fw_dbus.py in system-config-firewall 1.2.29 and earlier uses 
the ...)
        NOT-FOR-US: system-config-firewall
-CVE-2011-2519
-       RESERVED
+CVE-2011-2519 (Xen in the Linux kernel, when running a guest on a host without 
...)
        - xen-3 3.2.1-2
        NOTE: Possibly fixed earlier than 3.2.1-2, but that's the version in 
oldstable, which
        NOTE: was checked to contain 
http://xenbits.xen.org/hg/xen-3.1-testing.hg/rev/15644
@@ -53512,7 +53597,7 @@
        - linux-2.6 2.6.32-28 
        [lenny] - linux-2.6 <not-affected> (RDS introduced in 2.6.30)
 CVE-2010-4174
-       RESERVED
+       REJECTED
 CVE-2010-4173 (The default configuration of libsdp.conf in libsdp 1.1.104 and 
earlier ...)
        - libsdp 1.1.99-2.1 (bug #603841)
 CVE-2010-4172 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Manager ...)
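Review bot: flipping CVE-2010-4174 from `RESERVED` to `REJECTED` is the right handling for a withdrawn ID, but the other rejected entry in this file, CVE-2013-4403, also carries a `NOTE: rejected` line; adding the same line here keeps the two cases grep-identical for anyone listing rejected IDs.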
@@ -59919,8 +60004,8 @@
        RESERVED
 CVE-2010-1820 (Apple Filing Protocol (AFP) Server in Apple Mac OS X 10.6.x 
through ...)
        NOT-FOR-US: Apple Filing Protocol Server
-CVE-2010-1819
-       RESERVED
+CVE-2010-1819 (Untrusted search path vulnerability in the Picture Viewer in 
Apple ...)
+       TODO: check
 CVE-2010-1818 (The IPersistPropertyBag2::Read function in QTPlugin.ocx in 
Apple ...)
        NOT-FOR-US: QuickTime
 CVE-2010-1817 (Buffer overflow in ImageIO in Apple iOS before 4.1 on the 
iPhone and ...)
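Review bot: CVE-2010-1819 ("Untrusted search path vulnerability in the Picture Viewer in Apple ...") is set to `TODO: check`, but the surrounding entries CVE-2010-1820 (Apple Filing Protocol Server), CVE-2010-1818 (QuickTime) and CVE-2010-1817 (iOS ImageIO) are all NOT-FOR-US; the Picture Viewer is an Apple component, so mark it `NOT-FOR-US: Apple` (or the specific product once the full description confirms whether it is the QuickTime viewer).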
@@ -64199,8 +64284,7 @@
 CVE-2010-0431 (QEMU-KVM, as used in the Hypervisor (aka rhev-hypervisor) in 
Red Hat ...)
        - qemu-kvm <not-affected> (QXL support not yet present in Debian 
packages)
        - kvm <not-affected> (QXL support not yet present in Debian packages)
-CVE-2010-0430
-       RESERVED
+CVE-2010-0430 (libspice, as used in QEMU-KVM in Red Hat Enterprise 
Virtualization ...)
        - spice <not-affected> (Fixed before initial upload to archive)
 CVE-2010-0429 (libspice, as used in QEMU-KVM in the Hypervisor (aka 
rhev-hypervisor) ...)
        - spice <not-affected> (Fixed before initial upload to archive)


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
