Author: joeyh
Date: 2014-06-05 09:14:11 +0000 (Thu, 05 Jun 2014)
New Revision: 27156

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2014-06-05 07:43:18 UTC (rev 27155)
+++ data/CVE/list       2014-06-05 09:14:11 UTC (rev 27156)
@@ -1,3 +1,67 @@
+CVE-2014-3959 (Cross-site scripting (XSS) vulnerability in list.jsp in the ...)
+       TODO: check
+CVE-2014-3958
+       RESERVED
+CVE-2014-3957
+       RESERVED
+CVE-2014-3955
+       RESERVED
+CVE-2014-3954
+       RESERVED
+CVE-2014-3953
+       RESERVED
+CVE-2014-3952
+       RESERVED
+CVE-2014-3951
+       RESERVED
+CVE-2014-3950
+       RESERVED
+CVE-2014-3949
+       RESERVED
+CVE-2014-3948
+       RESERVED
+CVE-2014-3947
+       RESERVED
+CVE-2014-3939
+       RESERVED
+CVE-2014-3938
+       RESERVED
+CVE-2014-3937 (SQL injection vulnerability in the Contextual Related Posts 
plugin ...)
+       TODO: check
+CVE-2014-3936 (Stack-based buffer overflow in the do_hnap function in 
www/my_cgi.cgi ...)
+       TODO: check
+CVE-2014-3935 (SQL injection vulnerability in glossaire-aff.php in the 
Glossaire ...)
+       TODO: check
+CVE-2014-3934 (SQL injection vulnerability in the Submit_News module for 
PHP-Nuke 8.3 ...)
+       TODO: check
+CVE-2014-3933 (Cross-site scripting (XSS) vulnerability in the address 
components ...)
+       TODO: check
+CVE-2014-3932 (SQL injection vulnerability in the device registration 
component in ...)
+       TODO: check
+CVE-2014-3931
+       RESERVED
+CVE-2014-3930
+       RESERVED
+CVE-2014-3929
+       RESERVED
+CVE-2014-3928
+       RESERVED
+CVE-2014-3927
+       RESERVED
+CVE-2014-3926
+       RESERVED
+CVE-2014-3924 (Multiple cross-site scripting (XSS) vulnerabilities in Webmin 
before ...)
+       TODO: check
+CVE-2014-3923 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Digital ...)
+       TODO: check
+CVE-2014-3922 (Cross-site scripting (XSS) vulnerability in Trend Micro 
InterScan ...)
+       TODO: check
+CVE-2014-3921 (Cross-site scripting (XSS) vulnerability in popup.php in the 
Simple ...)
+       TODO: check
+CVE-2013-7387 (Session fixation vulnerability in DataLife Engine (DLE) 9.7 and 
...)
+       TODO: check
+CVE-2011-5280 (Multiple stack-based buffer overflows in BOINC 6.13.x allow 
remote ...)
+       TODO: check
 CVE-2014-XXXX [Stricter parameter check in bind() to detect empty passwords]
        - php-horde-ldap 2.0.6-1
 CVE-2014-3969 [XSA-98]
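Review bot: CVE-2011-5280 (multiple stack-based buffer overflows in BOINC 6.13.x) is left at TODO: check, but boinc is a tracked Debian source package elsewhere in this file (CVE-2013-2019 is recorded as fixed in boinc 6.13.6+dfsg-1 and CVE-2013-2298 in boinc 7.0.65+dfsg-1), so this entry needs a `- boinc <version>` line, or a <not-affected> marker with a reason, rather than an open TODO. The same triage pass should resolve the other TODO: check items in this block; those for software not in the archive take a NOT-FOR-US line as used throughout the file.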
@@ -18,15 +82,16 @@
 CVE-2014-3966 [mediawiki Javascript inject by anonymous users on private wikis 
with $wgRawHtml enabled]
        - mediawiki <unfixed> (low; bug #750527)
        NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=65501
-CVE-2014-3956 [sendmail: close-on-exec]
+CVE-2014-3956 (The sm_close_on_exec function in conf.c in sendmail before 
8.14.9 has ...)
        - sendmail 8.14.4-6 (bug #750562)
        NOTE: http://www.openwall.com/lists/oss-security/2014/06/03/1
 CVE-2014-3940 [missing check during hugepage migration]
+       RESERVED
        - linux <unfixed>
        - linux-2.6 <removed>
        NOTE: https://lkml.org/lkml/2014/3/18/784
        TODO: check
-CVE-2014-3925 [sosreport: does not indicate data sent is potentially sensitive]
+CVE-2014-3925 (sosreport in Red Hat sos 1.7 and earlier on Red Hat Enterprise 
Linux ...)
        - sosreport <not-affected> (RedHat-specific issue)
 CVE-2014-3920
        RESERVED
@@ -198,27 +263,27 @@
        NOT-FOR-US: gdm-guest-session (Ubuntu-specific)
 CVE-2010-5299 (Stack-based buffer overflow in MicroP 0.1.1.1600 allows remote 
...)
        NOT-FOR-US: MicroP
-CVE-2014-3946 [TYPO3-CORE-SA-2014-001]
+CVE-2014-3946 (The query caching functionality in the Extbase Framework 
component in ...)
        {DSA-2942-1}
        - typo3-src 4.5.34+dfsg1-1 (bug #749215)
        [squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-3945 [TYPO3-CORE-SA-2014-001]
+CVE-2014-3945 (The Authentication component in TYPO3 before 6.2, when salting 
for ...)
        {DSA-2942-1}
        - typo3-src 4.5.34+dfsg1-1 (bug #749215)
        [squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-3944 [TYPO3-CORE-SA-2014-001]
+CVE-2014-3944 (The Authentication component in TYPO3 6.2.0 before 6.2.3 does 
not ...)
        {DSA-2942-1}
        - typo3-src 4.5.34+dfsg1-1 (bug #749215)
        [squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-3943 [TYPO3-CORE-SA-2014-001]
+CVE-2014-3943 (Multiple cross-site scripting (XSS) vulnerabilities in 
unspecified ...)
        {DSA-2942-1}
        - typo3-src 4.5.34+dfsg1-1 (bug #749215)
        [squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-3942 [TYPO3-CORE-SA-2014-001]
+CVE-2014-3942 (The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 
4.7.0 ...)
        {DSA-2942-1}
        - typo3-src 4.5.34+dfsg1-1 (bug #749215)
        [squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-3941 [TYPO3-CORE-SA-2014-001]
+CVE-2014-3941 (TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 
6.0.14, ...)
        {DSA-2942-1}
        - typo3-src 4.5.34+dfsg1-1 (bug #749215)
        [squeeze] - typo3-src <end-of-life> (Unsupported in squeeze-lts)
@@ -227,11 +292,9 @@
        - linux <unfixed>
        - linux-2.6 <removed>
        NOTE: http://article.gmane.org/gmane.linux.kernel/1713179
-CVE-2014-3865
-       RESERVED
+CVE-2014-3865 (Multiple directory traversal vulnerabilities in dpkg-source in 
...)
        - dpkg <unfixed> (bug #749183)
-CVE-2014-3864
-       RESERVED
+CVE-2014-3864 (Directory traversal vulnerability in dpkg-source in dpkg-dev 
1.3.0 ...)
        - dpkg <unfixed> (bug #746498)
 CVE-2014-3870 (Cross-site scripting (XSS) vulnerability in the bib2html plugin 
0.9.3 ...)
        NOT-FOR-US: WordPress plugin bib2html
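Review bot: CVE-2014-3865 and CVE-2014-3864 now carry real descriptions (directory traversal in dpkg-source) but only `- dpkg <unfixed> (bug #...)` lines, with no [squeeze] or [wheezy] annotation. The related dpkg issue CVE-2014-3127 further down in this update carries {DSA-2915-2}; record either a DSA reference or an explicit <no-dsa> for the stable suites here so their status is not left implicit.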
@@ -329,21 +392,21 @@
        RESERVED
 CVE-2014-3794
        RESERVED
-CVE-2014-3793
-       RESERVED
+CVE-2014-3793 (VMware Tools in VMware Workstation 10.x before 10.0.2, VMware 
Player ...)
+       TODO: check
 CVE-2014-3792 (Cross-site request forgery (CSRF) vulnerability in Beetel 
450TC2 ...)
        NOT-FOR-US: Beetel Router
 CVE-2014-3791 (Stack-based buffer overflow in Easy File Sharing (EFS) Web 
Server 6.8 ...)
        NOT-FOR-US: Easy File Sharing
-CVE-2014-3790
-       RESERVED
+CVE-2014-3790 (Ruby vSphere Console (RVC) in VMware vCenter Server Appliance 
allows ...)
+       TODO: check
 CVE-2014-3789 (GetPermissions.asp in Cogent Real-Time Systems Cogent DataHub 
before ...)
        NOT-FOR-US: Cogent DataHub
 CVE-2014-3788 (Heap-based buffer overflow in the Web Server in Cogent 
Real-Time ...)
        NOT-FOR-US: Cogent DataHub
 CVE-2014-3787 (SAP NetWeaver 7.20 and earlier allows remote attackers to read 
...)
        NOT-FOR-US: SAP NetWeaver
-CVE-2013-7386 [boinc: format string vulnerability]
+CVE-2013-7386 (Format string vulnerability in the PROJECT::write_account_file 
...)
        - boinc 7.1.10+dfsg-1 (low)
        [squeeze] - boinc <no-dsa> (Minor issue)
        [wheezy] - boinc <no-dsa> (Minor issue)
@@ -370,8 +433,8 @@
 CVE-2014-3781 [(XML-RPC Interface) Authentication Bypass Vulnerability]
        RESERVED
        - dotclear 2.6.3+dfsg-1
-CVE-2014-3780
-       RESERVED
+CVE-2014-3780 (Unspecified vulnerability in Citrix VDI-In-A-Box 5.3.x before 
5.3.8 ...)
+       TODO: check
 CVE-2014-3779
        RESERVED
 CVE-2014-3778
@@ -970,8 +1033,7 @@
        RESERVED
        - libtasn1-3 <removed>
        - libtasn1-6 3.6-1
-CVE-2014-3466
-       RESERVED
+CVE-2014-3466 (Buffer overflow in the read_server_hello function in ...)
        {DSA-2944-1}
        - gnutls26 2.12.23-16
        - gnutls28 3.2.15-1
@@ -1436,8 +1498,8 @@
        NOT-FOR-US: Cisco Unified Communications Domain Manager
 CVE-2014-3281
        RESERVED
-CVE-2014-3280
-       RESERVED
+CVE-2014-3280 (The web framework in VOSS in Cisco Unified Communications 
Domain ...)
+       TODO: check
 CVE-2014-3279 (The Administration GUI in the web framework in VOSS in Cisco 
Unified ...)
        NOT-FOR-US: Cisco Unified Communications Domain Manager
 CVE-2014-3278
@@ -1538,8 +1600,8 @@
        RESERVED
 CVE-2014-3228
        RESERVED
-CVE-2014-3227
-       RESERVED
+CVE-2014-3227 (dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 
expect ...)
+       TODO: check
 CVE-2014-3226
        RESERVED
 CVE-2014-3224
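Review bot: CVE-2014-3227 is a dpkg issue whose description names fixed upstream versions (1.16.14 and 1.17.9), yet the entry only carries TODO: check. CVE-2014-3127 in the same update is tracked as `- dpkg 1.17.9` with {DSA-2915-2}; add the matching `- dpkg` line here, plus a [squeeze] annotation since the description lists 1.15.9 as affected, instead of leaving the TODO open.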
@@ -1557,12 +1619,14 @@
 CVE-2013-7375 (SQL injection vulnerability in 
includes/classes/Authenticate.class.php ...)
        NOT-FOR-US: PHP-Fusion
 CVE-2014-3145 (The BPF_S_ANC_NLATTR_NEST extension implementation in the ...)
+       {DSA-2949-1}
        - linux 3.14.4-1
        - linux-2.6 <removed>
        NOTE: Upstream fix 
https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3
        NOTE: Introduced by 
https://git.kernel.org/linus/4738c1db1593687713869fa69e733eebc7b0d6d8
        NOTE: 
https://git.kernel.org/linus/d214c7537bbf2f247991fb65b3420b0b3d712c67
 CVE-2014-3144 (The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST 
extension ...)
+       {DSA-2949-1}
        - linux 3.14.4-1
        - linux-2.6 <removed>
        NOTE: Upstream fix 
https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3
@@ -1750,6 +1814,7 @@
        RESERVED
 CVE-2014-3153
        RESERVED
+       {DSA-2949-1}
        - linux <unfixed>
        - linux-2.6 <removed>
        NOTE: http://thread.gmane.org/gmane.linux.kernel.stable/92357
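Review bot: the {DSA-2949-1} reference on CVE-2014-3153 is added while the entry still reads RESERVED and `- linux <unfixed>`. For CVE-2014-3145 and CVE-2014-3144 the same DSA is paired with `- linux 3.14.4-1`; once the unstable upload is in, replace <unfixed> with that version so the DSA reference and the unstable status agree, and drop RESERVED when the upstream description is published.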
@@ -1828,7 +1893,7 @@
        - python-bottle 0.12.6-1 (bug #746322)
 CVE-2014-3128
        RESERVED
-CVE-2014-3127 (dpkg 1.17.x before 1.17.9, 1.16.x before 1.16.14, and 1.15.x 
before ...)
+CVE-2014-3127 (dpkg 1.15.9 on Debian squeeze introduces support for the 
&quot;C-style ...)
        {DSA-2915-2}
        - dpkg 1.17.9
 CVE-2014-3126
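Review bot: the imported description for CVE-2014-3127 contains the literal HTML entity `&quot;C-style` instead of a quotation mark. Since this text comes from the automatic import rather than a hand edit, the entity decoding belongs in the importer; the rest of the file uses plain characters in descriptions.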
@@ -2062,8 +2127,8 @@
        RESERVED
 CVE-2014-3011
        RESERVED
-CVE-2014-3010
-       RESERVED
+CVE-2014-3010 (Cross-site scripting (XSS) vulnerability in the Web UI in IBM 
...)
+       TODO: check
 CVE-2014-3009
        RESERVED
 CVE-2014-3008 (Unitrends Enterprise Backup 7.3.0 allows remote authenticated 
users to ...)
@@ -2197,8 +2262,8 @@
        RESERVED
 CVE-2014-2960
        RESERVED
-CVE-2014-2959
-       RESERVED
+CVE-2014-2959 (logViewer.htm on the Dell ML6000 tape backup system with 
firmware ...)
+       TODO: check
 CVE-2014-2958
        RESERVED
 CVE-2014-2957
@@ -2228,8 +2293,8 @@
        NOT-FOR-US: Bizagi BPM
 CVE-2014-2947 (Cross-site scripting (XSS) vulnerability in Login.aspx in 
Bizagi BPM ...)
        NOT-FOR-US: Bizagi BPM
-CVE-2014-2946
-       RESERVED
+CVE-2014-2946 (Cross-site request forgery (CSRF) vulnerability in 
api/sms/send-sms in ...)
+       TODO: check
 CVE-2014-2945
        RESERVED
 CVE-2014-2944
@@ -2242,8 +2307,8 @@
        RESERVED
 CVE-2014-2940
        RESERVED
-CVE-2014-2939
-       RESERVED
+CVE-2014-2939 (Multiple cross-site scripting (XSS) vulnerabilities in Alfresco 
...)
+       TODO: check
 CVE-2014-2938 (Hanvon FaceID before 1.007.110 does not require authentication, 
which ...)
        NOT-FOR-US: Hanvon FaceID
 CVE-2014-2937
@@ -3338,8 +3403,8 @@
        NOT-FOR-US: EMC Documentum D2
 CVE-2014-2503
        RESERVED
-CVE-2014-2502
-       RESERVED
+CVE-2014-2502 (Cross-site scripting (XSS) vulnerability in rsa_fso.swf in EMC 
RSA ...)
+       TODO: check
 CVE-2014-2501
        RESERVED
 CVE-2014-2500
@@ -3814,12 +3879,12 @@
        RESERVED
 CVE-2014-2355
        RESERVED
-CVE-2014-2354
-       RESERVED
-CVE-2014-2353
-       RESERVED
-CVE-2014-2352
-       RESERVED
+CVE-2014-2354 (Cogent DataHub before 7.3.5 does not use a salt during password 
...)
+       TODO: check
+CVE-2014-2353 (Cross-site scripting (XSS) vulnerability in Cogent DataHub 
before ...)
+       TODO: check
+CVE-2014-2352 (Directory traversal vulnerability in Cogent DataHub before 
7.3.5 ...)
+       TODO: check
 CVE-2014-2351 (SQL injection vulnerability in the LiveData service in CSWorks 
before ...)
        NOT-FOR-US: CSWorks
 CVE-2014-2350 (Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded 
...)
@@ -3836,10 +3901,10 @@
        RESERVED
 CVE-2014-2344
        RESERVED
-CVE-2014-2343
-       RESERVED
-CVE-2014-2342
-       RESERVED
+CVE-2014-2343 (Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows 
...)
+       TODO: check
+CVE-2014-2342 (Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows 
remote ...)
+       TODO: check
 CVE-2014-2341 (Session fixation vulnerability in CubeCart before 5.2.9 allows 
remote ...)
        NOT-FOR-US: CubeCart
 CVE-2014-2340 (Cross-site request forgery (CSRF) vulnerability in the XCloner 
plugin ...)
@@ -7197,8 +7262,8 @@
        RESERVED
 CVE-2014-0936
        RESERVED
-CVE-2014-0935
-       RESERVED
+CVE-2014-0935 (Unspecified vulnerability in IBM Smart Analytics System 7700 
before FP ...)
+       TODO: check
 CVE-2014-0934
        RESERVED
 CVE-2014-0933 (Cross-site request forgery (CSRF) vulnerability in IBM 
InfoSphere ...)
@@ -7217,8 +7282,8 @@
        RESERVED
 CVE-2014-0926
        RESERVED
-CVE-2014-0925
-       RESERVED
+CVE-2014-0925 (Open redirect vulnerability in IBM Sterling Control Center 
5.4.0 ...)
+       TODO: check
 CVE-2014-0924 (IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 does not 
verify ...)
        NOT-FOR-US: IBM MessageSight
 CVE-2014-0923 (IBM MessageSight 1.x before 1.1.0.0-IBM-IMA-IT01015 allows 
remote ...)
@@ -7253,8 +7318,8 @@
        RESERVED
 CVE-2014-0908 (The User Attribute implementation in IBM Business Process 
Manager ...)
        NOT-FOR-US: IBM Business Process Manager
-CVE-2014-0907
-       RESERVED
+CVE-2014-0907 (Multiple untrusted search path vulnerabilities in unspecified 
(1) ...)
+       TODO: check
 CVE-2014-0906 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x 
through ...)
        NOT-FOR-US: IBM Sametime
 CVE-2014-0905
@@ -8104,6 +8169,7 @@
        NOTE: http://article.gmane.org/gmane.comp.security.oss.general/11822
        NOTE: https://jira.mongodb.org/browse/SERVER-7769
 CVE-2012-6618 (The av_probe_input_buffer function in libavformat/utils.c in 
FFmpeg ...)
+       {DSA-2947-1}
        - libav 6:9.11-1
        - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks 
missing)
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e74cd2f4706f71da5e9205003c1d8263b54ed3fb
@@ -9763,13 +9829,11 @@
        [squeeze] - samba <not-affected> (AD feature not present)
        [wheezy] - samba <not-affected> (AD feature not present)
        NOTE: AD-related packages removed from src:samba4 in 
4.0.0~beta2+dfsg1-3.2+deb7u2
-CVE-2014-0238
-       RESERVED
+CVE-2014-0238 (The cdf_read_property_info function in cdf.c in the Fileinfo 
component ...)
        {DSA-2943-1}
        [squeeze] - php5 <no-dsa> (Minor issue, can be fixed along with a 
future DSA)
        - php5 <unfixed> (low)
-CVE-2014-0237
-       RESERVED
+CVE-2014-0237 (The cdf_unpack_summary_info function in cdf.c in the Fileinfo 
...)
        {DSA-2943-1}
        [squeeze] - php5 <no-dsa> (Minor issue, can be fixed along with a 
future DSA)
        - php5 <unfixed> (low)
@@ -9873,8 +9937,7 @@
        [wheezy] - keystone <not-affected>
 CVE-2014-0203
        RESERVED
-CVE-2014-0202
-       RESERVED
+CVE-2014-0202 (The setup script in ovirt-engine-dwh, as used in the Red Hat 
...)
        NOT-FOR-US: ovirt / RHEV
 CVE-2014-0201 (ovirt-engine-reports, as used in the Red Hat Enterprise 
Virtualization ...)
        NOT-FOR-US: ovirt / RHEV
@@ -10158,8 +10221,7 @@
 CVE-2014-0120
        RESERVED
        NOT-FOR-US: hawtio-karaf-terminal
-CVE-2014-0119 [information disclosure]
-       RESERVED
+CVE-2014-0119 (Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 
8.0.6 ...)
        - tomcat8 8.0.8-1
        - tomcat7 7.0.54-1
        - tomcat6 6.0.41-1
@@ -10229,8 +10291,7 @@
        - linux-2.6 <not-affected> (Introduced in v3.9)
        NOTE: Introduced by 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ef0eb0db4bf92c6d2510fe5c4dc51852746f206
        NOTE: http://patchwork.ozlabs.org/patch/325844/
-CVE-2014-0099 [information disclosure]
-       RESERVED
+CVE-2014-0099 (Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java 
in ...)
        - tomcat8 8.0.5-1
        - tomcat7 7.0.53-1
        - tomcat6 6.0.41-1
@@ -10242,13 +10303,11 @@
 CVE-2014-0097
        RESERVED
        - libspring-java <not-affected> (ActiveDirectoryLdapAuthenticator not 
yet present, introduced in 3.1)
-CVE-2014-0096 [information disclosure]
-       RESERVED
+CVE-2014-0096 (java/org/apache/catalina/servlets/DefaultServlet.java in the 
default ...)
        - tomcat8 8.0.5-1
        - tomcat7 7.0.53-1
        - tomcat6 6.0.41-1
-CVE-2014-0095 [tomcat8: Denial of Service]
-       RESERVED
+CVE-2014-0095 (java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache 
Tomcat ...)
        - tomcat8 8.0.5-1
 CVE-2014-0094 (The ParametersInterceptor in Apache Struts before 2.3.16.1 
allows ...)
        - libstruts1.2-java <not-affected> (Affects Struts 2.0.0 - Struts 
2.3.16)
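Review bot: CVE-2014-0095 lists only `- tomcat8 8.0.5-1`, whereas the neighbouring Tomcat entries CVE-2014-0096, CVE-2014-0099 and CVE-2014-0075 each list tomcat6, tomcat7 and tomcat8. The removed local tag `[tomcat8: Denial of Service]` implied tomcat8-only scope, but now that it has been replaced by the truncated upstream text, add `- tomcat7 <not-affected>` and `- tomcat6 <not-affected>` lines if that scope is confirmed, so the omission reads as deliberate.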
@@ -10321,8 +10380,7 @@
        - openssl 1.0.1g-1 (low; bug #742923)
        [squeeze] - openssl <no-dsa> (Minor issue, local attack)
        NOTE: 
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f9b6c0ba4c02497782f801e3c45688f3efaac55c
-CVE-2014-0075 [Denial of Service]
-       RESERVED
+CVE-2014-0075 (Integer overflow in the parseChunkHeader function in ...)
        - tomcat8 8.0.5-1
        - tomcat7 7.0.53-1
        - tomcat6 6.0.41-1
@@ -10451,14 +10509,11 @@
        [squeeze] - mumble <not-affected> (Opus support not present)
 CVE-2014-0043
        RESERVED
-CVE-2014-0042
-       RESERVED
+CVE-2014-0042 (OpenStack Heat Templates (heat-templates), as used in Red Hat 
...)
        NOT-FOR-US: openstack-heat-templates
-CVE-2014-0041
-       RESERVED
+CVE-2014-0041 (OpenStack Heat Templates (heat-templates), as used in Red Hat 
...)
        NOT-FOR-US: openstack-heat-templates
-CVE-2014-0040
-       RESERVED
+CVE-2014-0040 (OpenStack Heat Templates (heat-templates), as used in Red Hat 
...)
        NOT-FOR-US: openstack-heat-templates
 CVE-2014-0039 (Untrusted search path vulnerability in fwsnort before 1.6.4, 
when not ...)
        - fwsnort <unfixed> (low; bug #737495)
@@ -10903,8 +10958,7 @@
        RESERVED
 CVE-2013-6789 (security/MemberLoginForm.php in SilverStripe 3.0.3 supports ...)
        - silverstripe <itp> (bug #528461)
-CVE-2013-6788
-       RESERVED
+CVE-2013-6788 (The Bitrix e-Store module before 14.0.1 for Bitrix Site Manager 
uses ...)
        NOT-FOR-US: Bitrix Site Manager
 CVE-2013-6787 (SQL injection vulnerability in the check_user_password function 
in ...)
        NOT-FOR-US: Chamilo LMS
@@ -10994,8 +11048,8 @@
        NOT-FOR-US: IBM FileNet Business Process Manager
 CVE-2013-6745 (Cross-site scripting (XSS) vulnerability in the IMS server 
before Ifix ...)
        NOT-FOR-US: IBM
-CVE-2013-6744
-       RESERVED
+CVE-2013-6744 (The Stored Procedure infrastructure in IBM DB2 9.5, 9.7 before 
FP9a, ...)
+       TODO: check
 CVE-2013-6743 (Cross-site scripting (XSS) vulnerability in the Meeting Server 
in IBM ...)
        NOT-FOR-US: IBM Sametime
 CVE-2013-6742 (The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 
9.x ...)
@@ -11746,8 +11800,7 @@
        NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=58699
 CVE-2013-6471
        RESERVED
-CVE-2013-6470
-       RESERVED
+CVE-2013-6470 (The default configuration in the standalone controller 
quickstack ...)
        NOT-FOR-US: openstack foreman-installer 
 CVE-2013-6469 (JBoss Overlord Run Time Governance (RTGov) 1.0 for JBossAS 
allows ...)
        NOT-FOR-US: JBoss SOA RTgov
@@ -11886,8 +11939,7 @@
        RESERVED
 CVE-2013-6434 (The remote-viewer in Red Hat Enterprise Virtualization Manager 
...)
        NOT-FOR-US: RHEV Manager
-CVE-2013-6433 [rootwrap sudo config allows potential privilege escalation]
-       RESERVED
+CVE-2013-6433 (The default configuration in the Red Hat openstack-neutron 
package ...)
        - quantum <removed>
        [wheezy] - quantum <no-dsa> (Minor issue)
        - neutron <unfixed>
@@ -13136,8 +13188,8 @@
        RESERVED
 CVE-2013-5920
        RESERVED
-CVE-2013-5919
-       RESERVED
+CVE-2013-5919 (Suricata before 1.4.6 allows remote attackers to cause a denial 
of ...)
+       TODO: check
 CVE-2013-5918 (Cross-site scripting (XSS) vulnerability in 
platinum_seo_pack.php in ...)
        NOT-FOR-US: Platinum SEO plugin for WordPress
 CVE-2013-5917 (SQL injection vulnerability in wp-comments-post.php in the 
NOSpam PTI ...)
@@ -16325,8 +16377,8 @@
        NOT-FOR-US: Drupal module GCC
 CVE-2013-4597
        RESERVED
-CVE-2013-4596
-       RESERVED
+CVE-2013-4596 (The Node Access Keys module 7.x-1.x before 7.x-1.1 for Drupal 
does not ...)
+       TODO: check
 CVE-2013-4595
        RESERVED
 CVE-2013-4594
@@ -17972,8 +18024,7 @@
        REJECTED
 CVE-2013-4144
        RESERVED
-CVE-2013-4143
-       RESERVED
+CVE-2013-4143 (The (1) checkPasswd and (2) checkGroupXlockPasswds functions in 
...)
        NOT-FOR-US: xlockmore
        NOTE: http://openwall.com/lists/oss-security/2013/07/16/8
 CVE-2013-4142
@@ -19567,8 +19618,8 @@
        NOT-FOR-US: Apptha WordPress Video Gallery
 CVE-2013-3477 (Cross-site request forgery (CSRF) vulnerability in the Related 
Posts ...)
        NOT-FOR-US: WordPress plugin related-posts-by-zemanta
-CVE-2013-3476
-       RESERVED
+CVE-2013-3476 (Cross-site request forgery (CSRF) vulnerability in the 
WordPress ...)
+       TODO: check
 CVE-2013-3475 (Stack-based buffer overflow in db2aud in the Audit Facility in 
IBM DB2 ...)
        NOT-FOR-US: IBM
 CVE-2013-3474 (The Web Administrator Interface on Cisco Wireless LAN 
Controller (WLC) ...)
@@ -20030,10 +20081,10 @@
        NOT-FOR-US: INMATRIX Zoom Player
 CVE-2013-3259 (Stack-based buffer overflow in INMATRIX Zoom Player before 8.7 
beta 11 ...)
        NOT-FOR-US: INMATRIX Zoom Player
-CVE-2013-3258
-       RESERVED
-CVE-2013-3257
-       RESERVED
+CVE-2013-3258 (Cross-site request forgery (CSRF) vulnerability in he Digg Digg 
plugin ...)
+       TODO: check
+CVE-2013-3257 (Cross-site request forgery (CSRF) vulnerability in the Related 
Posts ...)
+       TODO: check
 CVE-2013-3256 (Cross-site request forgery (CSRF) vulnerability in the 
Shareaholic ...)
        NOT-FOR-US: WordPress plugin sexybookmarks
 CVE-2013-3255
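Review bot: the `he Digg Digg plugin` wording in CVE-2013-3258 is a typo in the imported upstream description, not a local edit; since this file mirrors the upstream text, leave it as imported rather than correcting it by hand. Both CVE-2013-3258 and CVE-2013-3257 still need their TODO: check resolved; the neighbouring WordPress plugin entries use NOT-FOR-US.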
@@ -21400,8 +21451,8 @@
        NOT-FOR-US: KrisonAV
 CVE-2013-2711
        RESERVED
-CVE-2013-2710
-       RESERVED
+CVE-2013-2710 (Cross-site request forgery (CSRF) vulnerability in the 
Contextual ...)
+       TODO: check
 CVE-2013-2709 (Cross-site request forgery (CSRF) vulnerability in the 
FourSquare ...)
        NOT-FOR-US: WordPress plugin FourSquare Checkins
 CVE-2013-2708 (Cross-site request forgery (CSRF) vulnerability in the Content 
Slide ...)
@@ -22515,8 +22566,7 @@
        NOT-FOR-US: FlickWnn Android App
 CVE-2013-2299 (Cross-site scripting (XSS) vulnerability in Advantech WebAccess 
...)
        NOT-FOR-US: Advantech WebAccess
-CVE-2013-2298
-       RESERVED
+CVE-2013-2298 (Multiple stack-based buffer overflows in the XML parser in 
BOINC 7.x ...)
        - boinc 7.0.65+dfsg-1 (low)
        [wheezy] - boinc <no-dsa> (Minor issue, only exploitable by a rogue 
BOINC server)
        [squeeze] - boinc <no-dsa> (Minor issue, only exploitable by a rogue 
BOINC server)
@@ -23420,8 +23470,7 @@
 CVE-2013-2020 (Integer underflow in the cli_scanpe function in pe.c in ClamAV 
before ...)
        - clamav 0.97.8+dfsg-1
        [squeeze] - clamav 0.97.8+dfsg-1~squeeze1
-CVE-2013-2019 [stack overflow vulnerabilities in the XML parser]
-       RESERVED
+CVE-2013-2019 (Stack-based buffer overflow in BOINC 6.10.58 and 6.12.34 allows 
remote ...)
        - boinc 6.13.6+dfsg-1 (low)
        [squeeze] - boinc <no-dsa> (Minor issue)
        NOTE: 
http://boinc.berkeley.edu/gitweb/?p=boinc-v2.git;a=commitdiff;h=9a4140ae30a72e5175f3f31646d91f2d58df7156
@@ -23452,8 +23501,7 @@
        {DSA-2669-1 DSA-2668-1}
        - linux 3.8-1 (low)
        - linux-2.6 <removed> (low)
-CVE-2013-2014 [no limitation for requests and headers size which can cause a 
crash]
-       RESERVED
+CVE-2013-2014 (OpenStack Identity (Keystone) before 2013.1 allows remote 
attackers to ...)
        - keystone 2013.1.1-2 (bug #708515)
        [wheezy] - keystone <no-dsa> (Minor issue)
 CVE-2013-2013 (The user-password-update command in python-keystoneclient 
before 0.2.4 ...)
@@ -24115,8 +24163,7 @@
        - linux-2.6 <removed> (low)
        [squeeze] - linux-2.6 <no-dsa> (Too risky to backport, minor impact)
        [wheezy] - linux <no-dsa> (Too risky to backport, minor impact)
-CVE-2013-1818 [mediawiki mwdoc-filter.php information disclosure]
-       RESERVED
+CVE-2013-1818 (maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows 
remote ...)
        - mediawiki <not-affected> (mwdoc-filter.php introduced in 1.20)
        NOTE: register_globals is not supported in Debian anyway, see PHP's 
README.Debian.security
 CVE-2013-1817 [mediawiki information disclosure in unblock API]
@@ -25633,8 +25680,8 @@
        NOT-FOR-US: Microsoft Internet Explorer
 CVE-2013-1413 (Multiple cross-site scripting (XSS) vulnerabilities in synetics 
i-doit ...)
        NOT-FOR-US: synetics i-doit
-CVE-2013-1412
-       RESERVED
+CVE-2013-1412 (DataLife Engine (DLE) 9.7 allows remote attackers to execute 
arbitrary ...)
+       TODO: check
 CVE-2013-1411
        RESERVED
 CVE-2013-1410
@@ -25668,8 +25715,8 @@
        - puppet <not-affected> (Only affects Puppet Enterprise)
 CVE-2013-1398 (The pe_mcollective module in Puppet Enterprise (PE) before 
2.7.1 does ...)
        - puppet <not-affected> (Only affects Puppet Enterprise)
-CVE-2013-1397
-       RESERVED
+CVE-2013-1397 (Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x 
remote ...)
+       TODO: check
 CVE-2013-1396
        RESERVED
 CVE-2013-1395
@@ -25774,8 +25821,8 @@
 CVE-2013-1349 (Eval injection vulnerability in ajax.php in openSIS 4.5 through 
5.2 ...)
        NOT-FOR-US: openSIS
        NOTE: Ubuntu package opensis
-CVE-2013-1348
-       RESERVED
+CVE-2013-1348 (The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote 
...)
+       TODO: check
 CVE-2013-1347 (Microsoft Internet Explorer 8 does not properly handle objects 
in ...)
        NOT-FOR-US: Microsoft Internet Explorer
 CVE-2013-1346 (mpengine.dll in Microsoft Malware Protection Engine before 
1.1.9506.0 ...)
@@ -29134,8 +29181,7 @@
        NOTE: squid-cgi was removed in 2.7.STABLE9-2
        - squid3 3.1.20-2.1 (bug #696187)
        NOTE: possible regression, see #701123
-CVE-2013-0191 [pam-pgsql NULL password handling issue]
-       RESERVED
+CVE-2013-0191 (libpam-pgsql (aka pam_pgsql) 0.7 does not properly handle a 
NULL value ...)
        - pam-pgsql 0.7.3.1-4 (bug #698241)
        [squeeze] - pam-pgsql 0.7.1-4+squeeze2
        NOTE: patch: 
https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/
@@ -30760,10 +30806,10 @@
        NOT-FOR-US: McAfee Virtual Technician
 CVE-2012-5878
        RESERVED
-CVE-2012-5877
-       RESERVED
-CVE-2012-5876
-       RESERVED
+CVE-2012-5877 (Nero MediaHome 4.5.8.0 and earlier allows remote attackers to 
cause a ...)
+       TODO: check
+CVE-2012-5876 (Multiple off-by-one errors in NMMediaServerService.dll in Nero 
...)
+       TODO: check
 CVE-2012-5875 (Firefly Media Server 1.0.0.1359 allows remote attackers to 
cause a ...)
        NOT-FOR-US: Firefly Media Server
 CVE-2012-5874 (Multiple SQL injection vulnerabilities in the (1) ...)
@@ -31630,8 +31676,7 @@
 CVE-2012-5573 (The connection_edge_process_relay_cell function in or/relay.c 
in Tor ...)
        - tor 0.2.3.25-1 (low)
        [squeeze] - tor <no-dsa> (Minor issue)
-CVE-2012-5572 [Dancer::Cookie: Cookie name CRLF injection]
-       RESERVED
+CVE-2012-5572 (CRLF injection vulnerability in the cookie method ...)
        - libdancer-perl 1.3114+dfsg-1 (low; bug #694279)
        [wheezy] - libdancer-perl <no-dsa> (Minor issue)
        NOTE: https://github.com/PerlDancer/Dancer/issues/859
@@ -31661,8 +31706,7 @@
        NOT-FOR-US: Red Hat Satellite
 CVE-2012-5561 (script/katello-generate-passphrase in Katello 1.1 uses 
world-readable ...)
        NOT-FOR-US: Katello
-CVE-2012-5560
-       RESERVED
+CVE-2012-5560 (The default configuration in mate-settings-daemon 1.5.3 allows 
local ...)
        NOT-FOR-US: MATE gnome fork
 CVE-2012-5559 (Cross-site scripting (XSS) vulnerability in the page manager 
node view ...)
        NOT-FOR-US: Drupal chaos tool addon
@@ -32079,8 +32123,7 @@
        RESERVED
 CVE-2012-5396
        RESERVED
-CVE-2012-5395
-       RESERVED
+CVE-2012-5395 (Session fixation vulnerability in the CentralAuth extension for 
...)
        NOT-FOR-US: Mediawiki extension CentralAuth
 CVE-2012-5394 (Cross-site request forgery (CSRF) vulnerability in the 
CentralAuth ...)
        NOT-FOR-US: mediawiki extension CentralAuth
@@ -32088,8 +32131,7 @@
        RESERVED
 CVE-2012-5392
        RESERVED
-CVE-2012-5391
-       RESERVED
+CVE-2012-5391 (Session fixation vulnerability in Special:UserLogin in 
MediaWiki ...)
        - mediawiki 1:1.19.3-1 (bug #694998)
        [squeeze] - mediawiki 1:1.15.5-2squeeze5
 CVE-2012-5390 [Possible privilege escalation]


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
