Author: sectracker
Date: 2014-12-02 21:10:17 +0000 (Tue, 02 Dec 2014)
New Revision: 30495

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2014-12-02 20:02:25 UTC (rev 30494)
+++ data/CVE/list       2014-12-02 21:10:17 UTC (rev 30495)
@@ -1,3 +1,415 @@
+CVE-2015-0360
+       RESERVED
+CVE-2015-0359
+       RESERVED
+CVE-2015-0358
+       RESERVED
+CVE-2015-0357
+       RESERVED
+CVE-2015-0356
+       RESERVED
+CVE-2015-0355
+       RESERVED
+CVE-2015-0354
+       RESERVED
+CVE-2015-0353
+       RESERVED
+CVE-2015-0352
+       RESERVED
+CVE-2015-0351
+       RESERVED
+CVE-2015-0350
+       RESERVED
+CVE-2015-0349
+       RESERVED
+CVE-2015-0348
+       RESERVED
+CVE-2015-0347
+       RESERVED
+CVE-2015-0346
+       RESERVED
+CVE-2015-0345
+       RESERVED
+CVE-2015-0344
+       RESERVED
+CVE-2015-0343
+       RESERVED
+CVE-2015-0342
+       RESERVED
+CVE-2015-0341
+       RESERVED
+CVE-2015-0340
+       RESERVED
+CVE-2015-0339
+       RESERVED
+CVE-2015-0338
+       RESERVED
+CVE-2015-0337
+       RESERVED
+CVE-2015-0336
+       RESERVED
+CVE-2015-0335
+       RESERVED
+CVE-2015-0334
+       RESERVED
+CVE-2015-0333
+       RESERVED
+CVE-2015-0332
+       RESERVED
+CVE-2015-0331
+       RESERVED
+CVE-2015-0330
+       RESERVED
+CVE-2015-0329
+       RESERVED
+CVE-2015-0328
+       RESERVED
+CVE-2015-0327
+       RESERVED
+CVE-2015-0326
+       RESERVED
+CVE-2015-0325
+       RESERVED
+CVE-2015-0324
+       RESERVED
+CVE-2015-0323
+       RESERVED
+CVE-2015-0322
+       RESERVED
+CVE-2015-0321
+       RESERVED
+CVE-2015-0320
+       RESERVED
+CVE-2015-0319
+       RESERVED
+CVE-2015-0318
+       RESERVED
+CVE-2015-0317
+       RESERVED
+CVE-2015-0316
+       RESERVED
+CVE-2015-0315
+       RESERVED
+CVE-2015-0314
+       RESERVED
+CVE-2015-0313
+       RESERVED
+CVE-2015-0312
+       RESERVED
+CVE-2015-0311
+       RESERVED
+CVE-2015-0310
+       RESERVED
+CVE-2015-0309
+       RESERVED
+CVE-2015-0308
+       RESERVED
+CVE-2015-0307
+       RESERVED
+CVE-2015-0306
+       RESERVED
+CVE-2015-0305
+       RESERVED
+CVE-2015-0304
+       RESERVED
+CVE-2015-0303
+       RESERVED
+CVE-2015-0302
+       RESERVED
+CVE-2015-0301
+       RESERVED
+CVE-2014-9172
+       RESERVED
+CVE-2014-9171
+       RESERVED
+CVE-2014-9170
+       RESERVED
+CVE-2014-9169
+       RESERVED
+CVE-2014-9168
+       RESERVED
+CVE-2014-9167
+       RESERVED
+CVE-2014-9166
+       RESERVED
+CVE-2014-9165
+       RESERVED
+CVE-2014-9164
+       RESERVED
+CVE-2014-9163
+       RESERVED
+CVE-2014-9162
+       RESERVED
+CVE-2014-9161
+       RESERVED
+CVE-2014-9160
+       RESERVED
+CVE-2014-9159
+       RESERVED
+CVE-2014-9158
+       RESERVED
+CVE-2014-9155 (Directory traversal vulnerability in the Avatar Uploader module 
...)
+       TODO: check
+CVE-2014-9154 (The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not 
properly ...)
+       TODO: check
+CVE-2014-9153 (Cross-site scripting (XSS) vulnerability in the Services module 
...)
+       TODO: check
+CVE-2014-9152 (The _user_resource_create function in the Services module 
7.x-3.x ...)
+       TODO: check
+CVE-2014-9151 (The Services module 7.x-3.x before 7.x-3.10 for Drupal does not 
...)
+       TODO: check
+CVE-2014-9150 (Race condition in the MoveFileEx call hook feature in Adobe 
Reader and ...)
+       TODO: check
+CVE-2014-9149
+       RESERVED
+CVE-2014-9148
+       RESERVED
+CVE-2014-9147
+       RESERVED
+CVE-2014-9146
+       RESERVED
+CVE-2014-9145
+       RESERVED
+CVE-2014-9144
+       RESERVED
+CVE-2014-9143
+       RESERVED
+CVE-2014-9142
+       RESERVED
+CVE-2014-9141
+       RESERVED
+CVE-2014-9139
+       RESERVED
+CVE-2014-9138
+       RESERVED
+CVE-2014-9137
+       RESERVED
+CVE-2014-9136
+       RESERVED
+CVE-2014-9135
+       RESERVED
+CVE-2014-9134
+       RESERVED
+CVE-2014-9133
+       RESERVED
+CVE-2014-9132
+       RESERVED
+CVE-2014-9131
+       RESERVED
+CVE-2014-9128
+       RESERVED
+CVE-2014-9127
+       RESERVED
+CVE-2014-9126
+       RESERVED
+CVE-2014-9125
+       RESERVED
+CVE-2014-9124
+       RESERVED
+CVE-2014-9123
+       RESERVED
+CVE-2014-9122
+       RESERVED
+CVE-2014-9121
+       RESERVED
+CVE-2014-9120
+       RESERVED
+CVE-2014-9119
+       RESERVED
+CVE-2014-9118
+       RESERVED
+CVE-2014-9115
+       RESERVED
+CVE-2014-9113
+       RESERVED
+CVE-2014-9111
+       RESERVED
+CVE-2014-9110
+       RESERVED
+CVE-2014-9109
+       RESERVED
+CVE-2014-9108
+       RESERVED
+CVE-2014-9107
+       RESERVED
+CVE-2014-9106
+       RESERVED
+CVE-2014-9105
+       RESERVED
+CVE-2014-9104 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
the ...)
+       TODO: check
+CVE-2014-9103 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Kunena ...)
+       TODO: check
+CVE-2014-9102 (Multiple SQL injection vulnerabilities in the Kunena component 
before ...)
+       TODO: check
+CVE-2014-9101 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
Oxwall 1.7.0 ...)
+       TODO: check
+CVE-2014-9100 (Cross-site scripting (XSS) vulnerability in the WhyDoWork 
AdSense ...)
+       TODO: check
+CVE-2014-9099 (Cross-site request forgery (CSRF) vulnerability in the 
WhyDoWork ...)
+       TODO: check
+CVE-2014-9098 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Apptha ...)
+       TODO: check
+CVE-2014-9097 (Multiple SQL injection vulnerabilities in the Apptha WordPress 
Video ...)
+       TODO: check
+CVE-2014-9096 (Multiple SQL injection vulnerabilities in recover.php in Pligg 
CMS ...)
+       TODO: check
+CVE-2014-9095 (Multiple SQL injection vulnerabilities in Raritan Power IQ 
4.1.0 and ...)
+       TODO: check
+CVE-2014-9094 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
+       TODO: check
+CVE-2014-9088
+       RESERVED
+CVE-2014-9086
+       RESERVED
+CVE-2014-9085
+       RESERVED
+CVE-2014-9084
+       RESERVED
+CVE-2014-9083
+       RESERVED
+CVE-2014-9082
+       RESERVED
+CVE-2014-9081
+       RESERVED
+CVE-2014-9080
+       RESERVED
+CVE-2014-9079
+       RESERVED
+CVE-2014-9078
+       RESERVED
+CVE-2014-9077
+       RESERVED
+CVE-2014-9076
+       RESERVED
+CVE-2014-9075
+       RESERVED
+CVE-2014-9074
+       RESERVED
+CVE-2014-9073
+       RESERVED
+CVE-2014-9072
+       RESERVED
+CVE-2014-9071
+       RESERVED
+CVE-2014-9070
+       RESERVED
+CVE-2014-9069
+       RESERVED
+CVE-2014-9068
+       RESERVED
+CVE-2014-9067
+       RESERVED
+CVE-2014-9066
+       RESERVED
+CVE-2014-9065
+       RESERVED
+CVE-2014-9064
+       RESERVED
+CVE-2014-9063
+       RESERVED
+CVE-2014-9062
+       RESERVED
+CVE-2014-9061
+       RESERVED
+CVE-2014-9060 (The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 
2.6.x ...)
+       TODO: check
+CVE-2014-9058
+       RESERVED
+CVE-2014-9057
+       RESERVED
+CVE-2014-9056
+       RESERVED
+CVE-2014-9055
+       RESERVED
+CVE-2014-9054
+       RESERVED
+CVE-2014-9053
+       RESERVED
+CVE-2014-9052
+       RESERVED
+CVE-2014-9051
+       RESERVED
+CVE-2014-9049
+       RESERVED
+CVE-2014-9048
+       RESERVED
+CVE-2014-9047
+       RESERVED
+CVE-2014-9046
+       RESERVED
+CVE-2014-9045
+       RESERVED
+CVE-2014-9044
+       RESERVED
+CVE-2014-9043
+       RESERVED
+CVE-2014-9042
+       RESERVED
+CVE-2014-9041
+       RESERVED
+CVE-2014-9040
+       RESERVED
+CVE-2014-9029
+       RESERVED
+CVE-2014-9027 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
ZTE ...)
+       TODO: check
+CVE-2014-9026 (The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not 
...)
+       TODO: check
+CVE-2014-9025 (The default checkout completion rule in the commerce_order 
module in ...)
+       TODO: check
+CVE-2014-9024 (The Protected Pages module 7.x-2.x before 7.x-2.4 for Drupal 
allows ...)
+       TODO: check
+CVE-2014-9023 (The Twilio module 7.x-1.x before 7.x-1.9 for Drupal does not 
properly ...)
+       TODO: check
+CVE-2014-9022 (The Webform Component Roles module 6.x-1.x before 6.x-1.8 and 
7.x-1.x ...)
+       TODO: check
+CVE-2014-9021 (Multiple cross-site scripting (XSS) vulnerabilities in ZTE 
ZXDSL 831 ...)
+       TODO: check
+CVE-2014-9020 (Cross-site scripting (XSS) vulnerability in the Quick Stats 
page ...)
+       TODO: check
+CVE-2014-9019 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
ZTE ...)
+       TODO: check
+CVE-2014-9017
+       RESERVED
+CVE-2012-6683
+       RESERVED
+CVE-2012-6682
+       RESERVED
+CVE-2012-6681
+       RESERVED
+CVE-2012-6680
+       RESERVED
+CVE-2012-6679
+       RESERVED
+CVE-2012-6678
+       RESERVED
+CVE-2012-6677
+       RESERVED
+CVE-2012-6676
+       RESERVED
+CVE-2012-6675
+       RESERVED
+CVE-2012-6674
+       RESERVED
+CVE-2012-6673
+       RESERVED
+CVE-2012-6672
+       RESERVED
+CVE-2012-6671
+       RESERVED
+CVE-2012-6670
+       RESERVED
+CVE-2012-6669
+       RESERVED
+CVE-2012-6668
+       RESERVED
+CVE-2012-6667
+       RESERVED
+CVE-2012-6666
+       RESERVED
+CVE-2010-5313 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 
2.6.38 ...)
+       TODO: check
 CVE-2014-XXXX [~/.k5users unexpectedly grants remote login]
        - openssh <not-affected> (patch not applied to Debian)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1169843
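Review bot: several of the TODO: check entries at the end of this hunk concern software the file already tracks and should be resolved rather than queued. CVE-2014-9060 (The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x ...) covers the same Moodle version range as CVE-2014-9059, which this same commit records as "- moodle <unfixed>" with a "[squeeze] - moodle <end-of-life>" line, and CVE-2010-5313 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38) needs a verdict for linux and linux-2.6, both of which appear elsewhere in the patch. The remaining TODOs (Drupal Avatar Uploader, Notify and Services modules, Kunena, Oxwall, WhyDoWork, Apptha, Pligg, Raritan Power IQ, Adobe Reader) are third-party components that would follow the NOT-FOR-US pattern used for the FileField and cm-download-manager entries in the next hunk unless a Debian package ships them.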
@@ -2,5 +414,6 @@
        NOTE: Patch https://bugzilla.mindrot.org/show_bug.cgi?id=1867 from not 
applied in Debian
-CVE-2014-9156
+CVE-2014-9156 (The FileField module 6.x-3.x before 6.x-3.13 for Drupal does 
not ...)
        NOT-FOR-US: Drupal module FileField
 CVE-2014-9129
+       RESERVED
        NOT-FOR-US: WordPress plugin cm-download-manager
@@ -12,7 +425,7 @@
        NOTE: http://www.openwall.com/lists/oss-security/2014/12/01/4
 CVE-2014-8104 [DoS]
        RESERVED
-       {DSA-3084-1}
+       {DSA-3084-1 DLA-98-1}
        - openvpn 2.3.4-5
        NOTE: 
https://github.com/OpenVPN/openvpn/commit/c5590a6821e37f3b29735f55eb0c2b9c0924138c
        NOTE: https://forums.openvpn.net/topic17625.html
@@ -55,9 +468,11 @@
 CVE-2014-XXXX [nvi: insecure use of /var/tmp in postinst]
        - nvi <unfixed> (bug #771375)
 CVE-2014-9140 [buffer overflow in the PPP dissector]
+       RESERVED
        - tcpdump 4.6.2-3
        NOTE: 
https://github.com/the-tcpdump-group/tcpdump/commit/0f95d441e4b5d7512cc5c326c8668a120e048eda
 CVE-2014-9130 [denial-of-service/application crash with untrusted yaml input]
+       RESERVED
        - libyaml 0.1.6-3 (bug #771366)
        - libyaml-libyaml-perl 0.41-6 (bug #771365)
        - pyyaml <unfixed>
@@ -65,24 +480,28 @@
        NOTE: 
https://bitbucket.org/xi/libyaml/commits/2b9156756423e967cfd09a61d125d883fca6f4f2
        NOTE: for pyyaml: might be need to be removed here (no-CVE assigned) or 
separate CVE
 CVE-2014-9117 [CAPTCHA bypass]
+       RESERVED
        - mantis <removed>
        [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://github.com/mantisbt/mantisbt/commit/7bb78e4581ff1092c811ea96582fe602624cdcdd
        NOTE: https://www.mantisbt.org/bugs/view.php?id=17811
 CVE-2014-9116 [mutt: incorrect use of mutt_substrdup() in write_one_header()]
+       RESERVED
        {DSA-3083-1}
        - mutt 1.5.23-2 (bug #771125)
        NOTE: Detailed analysis in 
https://bugzilla.redhat.com/show_bug.cgi?id=1168463#c4
        NOTE: Upstream bugreport: http://dev.mutt.org/trac/ticket/3716
 CVE-2014-9114 [blkid command injection]
+       RESERVED
        - util-linux <unfixed> (bug #771274)
        NOTE: http://www.openwall.com/lists/oss-security/2014/11/26/13
        NOTE: 
https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc
 CVE-2014-9112 [heap-based buffer overflow]
+       RESERVED
        - cpio <unfixed>
        NOTE: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
        TODO: check
-CVE-2014-9089 [SQL-injection in /view_all_set.php and/or core/filter_api.php]
+CVE-2014-9089 (Multiple SQL injection vulnerabilities in view_all_bug_page.php 
in ...)
        - mantis <removed>
        [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
        NOTE: https://www.mantisbt.org/bugs/view.php?id=17841
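Review bot: for CVE-2014-9089 the local description "[SQL-injection in /view_all_set.php and/or core/filter_api.php]" is replaced by MITRE text that names a different file, "(Multiple SQL injection vulnerabilities in view_all_bug_page.php in ...)". The local file names are the only pointer to where the fix applies in the mantis source now that the package is <removed>, so they are worth carrying over into a NOTE line next to the mantisbt bug 17841 link instead of being dropped by the automatic update.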
@@ -91,13 +510,14 @@
        - hivex 1.3.11-1
        NOTE: 
https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb
        NOTE: 
https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705
-CVE-2014-9087 [buffer overflow in ksba_oid_to_str]
+CVE-2014-9087 (Integer underflow in the ksba_oid_to_str function in Libksba 
before ...)
        {DSA-3078-1}
        - libksba 1.3.2-1 (bug #770972)
        - gnupg2 <not-affected> (Affects only 2.1 and betas)
        NOTE: http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
        NOTE: Upstream commit: 
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7
 CVE-2014-9157 [format string vulnerability]
+       RESERVED
        - graphviz <unfixed>
        NOTE: 
https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
 CVE-2014-XXXX [parse_datetime() bug]
@@ -110,61 +530,62 @@
        [squeeze] - teeworlds <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/teeworlds/teeworlds/commit/a766cb44bcffcdb0b88e776d01c5ee1323d44f85
        NOTE: https://www.teeworlds.com/?page=news&id=11200
-CVE-2014-9093 [crash importing malformed .rtf]
+CVE-2014-9093 (LibreOffice before 4.3.5 allows remote attackers to cause a 
denial of ...)
        - libreoffice 1:4.3.3-2 (bug #771163)
        NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=86449
        NOTE: 
http://cgit.freedesktop.org/libreoffice/core/commit/?h=libreoffice-4-3&id=b4840d3632e4404bee4bd192a7db916cbad3a401
        NOTE: fixed in experimental with 1:4.4.0~beta1-1
 CVE-2014-9092
+       RESERVED
        - libjpeg-turbo 1:1.3.1-11 (bug #768369)
-CVE-2014-9090
+CVE-2014-9090 (The do_double_fault function in arch/x86/kernel/traps.c in the 
Linux ...)
        - linux <unfixed>
        - linux-2.6 <removed>
        NOTE: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6f442be2fb22be02cafa606f1769fa1e6f894441
 (v3.18-rc6)
-CVE-2014-9059 [XSS vulnerability in AJAX scripts]
+CVE-2014-9059 (lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 
2.6.x ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966
        NOTE: https://moodle.org/mod/forum/discuss.php?d=275146
-CVE-2014-9050 [buffer overflow parsing crafted y0da Crypter obfuscated PE file]
+CVE-2014-9050 (Heap-based buffer overflow in the cli_scanpe function in ...)
        {DLA-95-1}
        - clamav 0.98.5+dfsg-1 (bug #770985)
        NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11155
        NOTE: Upstream commit: 
https://github.com/vrtadmin/clamav-devel/commit/fc3794a54d2affe5770c1f876484a871c783e91e
-CVE-2014-9039 [Previously an email address change would not invalidate a 
previous password reset email]
+CVE-2014-9039 (wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 
3.9.x ...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        NOTE: Upstream patch: http://core.trac.wordpress.org/changeset/30431
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
-CVE-2014-9038 [SSRF: Safe HTTP requests did not sufficiently block the 
loopback IP address space]
+CVE-2014-9038 (wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 
3.8.5, ...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
        NOTE: Upstream patch: https://core.trac.wordpress.org/changeset/30444
-CVE-2014-9037 [Hash comparison vulnerability in old-style MD5-stored passwords]
+CVE-2014-9037 (WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, 
and ...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
-CVE-2014-9036 [XSS in HTML filtering of CSS in posts]
+CVE-2014-9036 (Cross-site scripting (XSS) vulnerability in WordPress before 
3.7.5, ...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
-CVE-2014-9035 [XSS in Press This]
+CVE-2014-9035 (Cross-site scripting (XSS) vulnerability in Press This in 
WordPress ...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
-CVE-2014-9034 [Denial of service for giant passwords]
+CVE-2014-9034 (wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x 
before ...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
        NOTE: Upstream patch: http://core.trac.wordpress.org/changeset/30467
-CVE-2014-9033 [CSRF in the password reset process]
+CVE-2014-9033 (Cross-site request forgery (CSRF) vulnerability in wp-login.php 
in ...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
        NOTE: Upstream patch: http://core.trac.wordpress.org/changeset/30418
-CVE-2014-9032 [XSS in media playlists]
+CVE-2014-9032 (Cross-site scripting (XSS) vulnerability in the media-playlists 
...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        [wheezy] - wordpress <not-affected> (Affects 3.9, 3.9.1, 3.9.2, 4.0 
only)
        [squeeze] - wordpress <not-affected> (Affects 3.9, 3.9.1, 3.9.2, 4.0 
only)
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
-CVE-2014-9031 [XSS in wptexturize() via comments or posts]
+CVE-2014-9031 (Cross-site scripting (XSS) vulnerability in the wptexturize 
function ...)
        - wordpress 4.0.1+dfsg-1 (bug #770425)
        NOTE: https://wordpress.org/news/2014/11/wordpress-4-0-1/
-CVE-2014-9028 [Heap buffer write overflow]
+CVE-2014-9028 (Heap-based buffer overflow in stream_decoder.c in libFLAC 
before 1.3.1 ...)
        {DSA-3082-1}
        - flac 1.3.0-3 (bug #770918)
        NOTE: Upstream patches:
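Review bot: the WordPress entries in this hunk (CVE-2014-9039 through CVE-2014-9031) lose their Debian bracket descriptions to MITRE text that is truncated before it says anything about the flaw, for example "[Previously an email address change would not invalidate a previous password reset email]" becomes "(wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x ...)". The same happens to CVE-2014-9050 (the "y0da Crypter obfuscated PE file" detail) and CVE-2014-9093 (the malformed .rtf import crash). Suggest the update carry the replaced bracket text into a NOTE line whenever the imported description is cut off, so the record of what wordpress 4.0.1+dfsg-1 fixed does not depend on the external URLs alone.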
@@ -214,20 +635,21 @@
        RESERVED
 CVE-2014-8992
        RESERVED
-CVE-2014-9030 [XSA-113]
+CVE-2014-9030 (The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x 
through 4.4.x ...)
        - xen 4.4.1-4 (low; bug #770230)
        [squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-9015 [Session hijacking]
+CVE-2014-9015 (Drupal 6.x before 6.34 and 7.x before 7.34 allows remote 
attackers to ...)
        {DSA-3075-1}
        - drupal7 7.32-1+deb8u1 (bug #770469)
        - drupal6 <removed>
        NOTE: https://www.drupal.org/SA-CORE-2014-006
-CVE-2014-9016 [Denial of service]
+CVE-2014-9016 (The password hashing API in Drupal 7.x before 7.34 and the 
Secure ...)
        {DSA-3075-1}
        - drupal7 7.32-1+deb8u1 (bug #770469)
        - drupal6 <not-affected> (Only affects Drupal 7.x)
        NOTE: https://www.drupal.org/SA-CORE-2014-006
 CVE-2014-9018 [on-connect scripts: icecast can leak output to attentive 
sources]
+       RESERVED
        - icecast2 2.4.0-1.1 (bug #770222)
        NOTE: https://trac.xiph.org/ticket/2089
 CVE-2015-0300
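Review bot: replacing "[XSA-113]" with the truncated MITRE description for CVE-2014-9030 drops the only reference to the Xen advisory number in that entry; unlike the Drupal entries below it, which keep "NOTE: https://www.drupal.org/SA-CORE-2014-006", the xen entry has no NOTE line to fall back on. Suggest adding "NOTE: XSA-113" when the bracket text is replaced; the same applies to XSA-112 and XSA-111 for CVE-2014-8867 and CVE-2014-8866 in a later hunk.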
@@ -830,17 +1252,14 @@
        RESERVED
 CVE-2015-0001
        RESERVED
-CVE-2014-8994 [Insecure use of /tmp files]
-       RESERVED
+CVE-2014-8994 (The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga 
allows ...)
        NOT-FOR-US: check_diskio nagios/icinga plugin
-CVE-2014-8989 [Linux user namespaces can bypass group-based restrictions]
-       RESERVED
+CVE-2014-8989 (The Linux kernel through 3.17.4 does not properly restrict 
dropping of ...)
        - linux <unfixed>
        [wheezy] - linux <not-affected> (User namespaces only usable in later 
kernels)
        - linux-2.6 <not-affected> (User namespaces only usable in later 
kernels)
        NOTE: http://thread.gmane.org/gmane.linux.man/7385/
-CVE-2014-8986 [XSS]
-       RESERVED
+CVE-2014-8986 (Cross-site scripting (XSS) vulnerability in the selection list 
in the ...)
        - mantis <removed>
        [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40
@@ -898,32 +1317,27 @@
        NOTE: seem to be needed for older pcre3 versions.
 CVE-2014-8963
        RESERVED
-CVE-2014-8962 [Heap buffer read overflow]
-       RESERVED
+CVE-2014-8962 (Stack-based buffer overflow in stream_decoder.c in libFLAC 
before ...)
        {DSA-3082-1}
        - flac 1.3.0-3 (bug #770918)
        NOTE: 
https://git.xiph.org/?p=flac.git;a=patch;h=5b3033a2b355068c11fe637e14ac742d273f076e
        NOTE: http://lists.xiph.org/pipermail/flac-dev/2014-November/005185.html
-CVE-2014-8961 [leakage of line count of an arbitrary file (PMASA-2014-16)]
-       RESERVED
+CVE-2014-8961 (Directory traversal vulnerability in 
libraries/error_report.lib.php in ...)
        - phpmyadmin 4:4.2.12-1
        [squeeze] - phpmyadmin <not-affected> (Vulnerable code not present)
        [wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)
        NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-16.php
-CVE-2014-8960 [XSS vulnerability in error reporting functionality 
(PMASA-2014-15)]
-       RESERVED
+CVE-2014-8960 (Cross-site scripting (XSS) vulnerability in ...)
        - phpmyadmin 4:4.2.12-1
        [squeeze] - phpmyadmin <not-affected> (Vulnerable code not present)
        [wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)
        NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-15.php
-CVE-2014-8959 [Local file inclusion vulnerability (PMASA-2014-14)]
-       RESERVED
+CVE-2014-8959 (Directory traversal vulnerability in ...)
        - phpmyadmin 4:4.2.12-1
        [squeeze] - phpmyadmin <not-affected> (Vulnerable code not present)
        [wheezy] - phpmyadmin <not-affected> (Vulnerable code not present)
        NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php
-CVE-2014-8958 [Multiple XSS vulnerabilities (PMASA-2014-13)]
-       RESERVED
+CVE-2014-8958 (Multiple cross-site scripting (XSS) vulnerabilities in 
phpMyAdmin ...)
        - phpmyadmin 4:4.2.12-1 (low)
        NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-13.php
        NOTE: 
https://github.com/phpmyadmin/phpmyadmin/commit/42b64e12b5f596366f94ef72365fd69a019ba820
 and
@@ -1109,12 +1523,10 @@
 CVE-2014-8868
        RESERVED
        NOT-FOR-US: EntryPass N5200
-CVE-2014-8867 [XSA-112]
-       RESERVED
+CVE-2014-8867 (The acceleration support for the &quot;REP MOVS&quot; 
instruction in Xen 4.4.x, ...)
        - xen 4.4.1-5 (bug #770230)
        [squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-8866 [XSA-111]
-       RESERVED
+CVE-2014-8866 (The compatibility mode hypercall argument translation in Xen 
3.3.x ...)
        - xen 4.4.1-5 (bug #770230)
        [squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
 CVE-2014-8865
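Review bot: the imported description for CVE-2014-8867 contains HTML entities, "(The acceleration support for the &quot;REP MOVS&quot; instruction in Xen 4.4.x, ...)". If those entities are present in data/CVE/list and not only in this rendering of the commit, the import should decode them to plain double quotes before writing, since the rest of the file uses literal quoting.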
@@ -1245,12 +1657,12 @@
        RESERVED
 CVE-2014-8802
        RESERVED
-CVE-2014-8801
-       RESERVED
+CVE-2014-8801 (Directory traversal vulnerability in services/getfile.php in 
the Paid ...)
+       TODO: check
 CVE-2014-8800
        RESERVED
-CVE-2014-8799
-       RESERVED
+CVE-2014-8799 (Directory traversal vulnerability in the dp_img_resize function 
in ...)
+       TODO: check
 CVE-2014-8798
        RESERVED
 CVE-2014-8797
@@ -1265,8 +1677,7 @@
        RESERVED
 CVE-2014-8792
        RESERVED
-CVE-2014-8791
-       RESERVED
+CVE-2014-8791 (project/register.php in Tuleap before 7.7, when ...)
        NOT-FOR-US: Enalean Tuleap
 CVE-2014-8790
        RESERVED
@@ -1319,8 +1730,7 @@
 CVE-2014-XXXX [zoph multiple issues]
        - zoph <removed>
        NOTE: http://seclists.org/fulldisclosure/2014/Nov/45
-CVE-2014-8988 [information disclosure in MantisBT attachments]
-       RESERVED
+CVE-2014-8988 (MantisBT before 1.2.18 allows remote authenticated users to 
bypass the ...)
        - mantis <removed>
        [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
        NOTE: http://github.com/mantisbt/mantisbt/commit/5f0b150b
@@ -1329,8 +1739,7 @@
        - xdg-utils <unfixed>
        NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=66670
        TODO: check
-CVE-2014-8991 [Local DoS with predictable temp directory names]
-       RESERVED
+CVE-2014-8991 (pip 1.3 through 1.5.6 allows local users to cause a denial of 
service ...)
        - python-pip <unfixed> (bug #725847)
        [wheezy] - python-pip <not-affected> (Vulnerable code only in >= 1.3)
        [squeeze] - python-pip <not-affected> (Vulnerable code only in >= 1.3)
@@ -1344,24 +1753,20 @@
 CVE-2014-XXXX [archives are created with read permissions for everyone]
        - sosreport 3.2-2 (bug #769521)
        NOTE: https://github.com/sosreport/sos/issues/425
-CVE-2014-8884 [ttusb-dec: overflow by descriptor]
-       RESERVED
+CVE-2014-8884 (Stack-based buffer overflow in the ...)
        - linux <unfixed>
        - linux-2.6 <removed>
        NOTE: Upstream commit: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f2e323ec96077642d397bb1c355def536d489d16
 (v3.18-rc1)
-CVE-2014-8769 [unreliable output using malformed AOVD payload]
-       RESERVED
+CVE-2014-8769 (tcpdump 3.8 through 4.6.2 might allow remote attackers to 
obtain ...)
        - tcpdump 4.6.2-2 (bug #770424)
        [wheezy] - tcpdump <no-dsa> (Minor issue)
        NOTE: http://www.securityfocus.com/archive/1/534009/30/0/threaded
-CVE-2014-8768 [denial of service in verbose mode using malformed Geonet 
payload]
-       RESERVED
+CVE-2014-8768 (Multiple Integer underflows in the geonet_print function in 
tcpdump ...)
        - tcpdump 4.6.2-2 (bug #770415)
        [wheezy] - tcpdump <not-affected> (Vulnerable code added in 4.5.0)
        [squeeze] - tcpdump <not-affected> (Vulnerable code added in 4.5.0)
        NOTE: http://www.securityfocus.com/archive/1/534010/30/0/threaded
-CVE-2014-8767 [denial of service in verbose mode using malformed OLSR payload]
-       RESERVED
+CVE-2014-8767 (Integer underflow in the olsr_print function in tcpdump 3.9.6 
through ...)
        - tcpdump 4.6.2-2 (bug #770434)
        [wheezy] - tcpdump <no-dsa> (Minor issue)
        NOTE: http://www.securityfocus.com/archive/1/534011/30/0/threaded
@@ -1461,20 +1866,18 @@
        RESERVED
 CVE-2014-8684
        RESERVED
-CVE-2014-8683
-       RESERVED
+CVE-2014-8683 (Cross-site scripting (XSS) vulnerability in models/issue.go in 
Gogs ...)
        NOT-FOR-US: Go Git Service
-CVE-2014-8682
-       RESERVED
+CVE-2014-8682 (Multiple SQL injection vulnerabilities in Gogs (aka Go Git 
Service) ...)
        NOT-FOR-US: Go Git Service
-CVE-2014-8681
-       RESERVED
+CVE-2014-8681 (SQL injection vulnerability in the GetIssues function in ...)
+       TODO: check
 CVE-2014-8680
        RESERVED
 CVE-2014-8679
        RESERVED
-CVE-2014-8678
-       RESERVED
+CVE-2014-8678 (The ConfigSaveServlet servlet in ManageEngine OpUtils before 
build ...)
+       TODO: check
 CVE-2014-8677
        RESERVED
 CVE-2014-8676
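Review bot: CVE-2014-8681 (SQL injection vulnerability in the GetIssues function in ...) is left as TODO: check while the two neighbouring entries CVE-2014-8683 and CVE-2014-8682, both Gogs issues from the same batch, are already triaged "NOT-FOR-US: Go Git Service". If the truncated description refers to the same Gogs code base, the TODO should be resolved the same way, and CVE-2014-8678 (The ConfigSaveServlet servlet in ManageEngine OpUtils before build ...) is a vendor product that belongs in the same triage pass.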
@@ -1649,6 +2052,7 @@
 CVE-2014-8584 (Cross-site scripting (XSS) vulnerability in the Web Dorado 
Spider ...)
        NOT-FOR-US: WordPress plugin Web Dorado Spider Video Player (aka 
WordPress Video Player)
 CVE-2013-7416 [canto: feed URL parsing command line injection]
+       RESERVED
        - canto <removed> (bug #731582)
        [wheezy] - canto <not-affected> (Vulnerable code not present)
        [squeeze] - canto <not-affected> (Vulnerable code not present)
@@ -1664,8 +2068,7 @@
        RESERVED
 CVE-2013-7410
        RESERVED
-CVE-2010-5312 [Title XSS Vulnerability]
-       RESERVED
+CVE-2010-5312 (Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js 
in the ...)
        - jqueryui 1.10.1+dfsg-1
        NOTE: http://bugs.jqueryui.com/ticket/6016
        NOTE: 
https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3
@@ -1694,32 +2097,27 @@
        [squeeze] - imagemagick <no-dsa> (Minor issue)
        NOTE: 
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456
        NOTE: Patch here: http://trac.imagemagick.org/changeset/16872
-CVE-2014-8714 [TN5250 infinite loop]
-       RESERVED
+CVE-2014-8714 (The dissect_write_structured_field function in ...)
        {DSA-3076-1}
        - wireshark 1.12.1+g01b65bf-2 (bug #769410)
        NOTE: https://www.wireshark.org/security/wnpa-sec-2014-23.html
        NOTE: Versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in 
versions 1.12.2 and 1.10.11.
-CVE-2014-8713 [NCP dissector crashes]
-       RESERVED
+CVE-2014-8713 (Stack-based buffer overflow in the build_expert_data function 
in ...)
        {DSA-3076-1}
        - wireshark 1.12.1+g01b65bf-2 (bug #769410)
        NOTE: https://www.wireshark.org/security/wnpa-sec-2014-22.html
        NOTE: Versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in 
versions 1.12.2 and 1.10.11.
-CVE-2014-8712 [NCP dissector crashes]
-       RESERVED
+CVE-2014-8712 (The build_expert_data function in 
epan/dissectors/packet-ncp2222.inc ...)
        {DSA-3076-1}
        - wireshark 1.12.1+g01b65bf-2 (bug #769410)
        NOTE: https://www.wireshark.org/security/wnpa-sec-2014-22.html
        NOTE: Versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in 
versions 1.12.2 and 1.10.11.
-CVE-2014-8711 [AMQP dissector crash]
-       RESERVED
+CVE-2014-8711 (Multiple integer overflows in epan/dissectors/packet-amqp.c in 
the ...)
        {DSA-3076-1}
        - wireshark 1.12.1+g01b65bf-2 (bug #769410)
        NOTE: https://www.wireshark.org/security/wnpa-sec-2014-21.html
        NOTE: Versions 1.12.0 to 1.12.1, and 1.10.0 to 1.10.10. It is fixed in 
versions 1.12.2 and 1.10.11.
-CVE-2014-8710 [SigComp dissector crash]
-       RESERVED
+CVE-2014-8710 (The decompress_sigcomp_message function in epan/sigcomp-udvm.c 
in the ...)
        {DSA-3076-1}
        - wireshark 1.12.1+g01b65bf-2 (bug #769410)
        NOTE: https://www.wireshark.org/security/wnpa-sec-2014-20.html
@@ -1739,13 +2137,11 @@
        RESERVED
        - polarssl 1.3.9-1
        NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1159845#c5 and 
following.
-CVE-2014-8627 [server negotiate a weaker signature algorithm than available]
-       RESERVED
+CVE-2014-8627 (PolarSSL 1.3.8 does not properly negotiate the signature 
algorithm to ...)
        - polarssl 1.3.9-1
        [wheezy] - polarssl <not-affected> (Problem introduced in 1.3.8)
        [squeeze] - polarssl <not-affected> (Problem introduced in 1.3.8)
-CVE-2014-8626 [xmlrpc date_from_ISO8601() buffer overflow]
-       RESERVED
+CVE-2014-8626 (Stack-based buffer overflow in the date_from_ISO8601 function 
in ...)
        - php5 5.2.9.dfsg.1-1
        NOTE: https://bugs.php.net/bug.php?id=45226
        NOTE: 
http://git.php.net/?p=php-src.git;a=commit;h=c818d0d01341907fee82bdb81cab07b7d93bb9db
@@ -1813,8 +2209,7 @@
        RESERVED
 CVE-2014-8560
        RESERVED
-CVE-2014-8558 [Escalation Access]
-       RESERVED
+CVE-2014-8558 (JExperts Channel Platform 5.0.33_CCB allows remote 
authenticated users ...)
        NOT-FOR-US: JExperts Tecnologia Channel Software
 CVE-2014-8557 (Multiple cross-site scripting (XSS) vulnerabilities in JExperts 
...)
        NOT-FOR-US: JExperts Tecnologia Channel Software
@@ -1824,10 +2219,10 @@
        NOT-FOR-US: Progress Software OpenEdge
 CVE-2014-8553
        RESERVED
-CVE-2014-8552
-       RESERVED
-CVE-2014-8551
-       RESERVED
+CVE-2014-8552 (The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 
before ...)
+       TODO: check
+CVE-2014-8551 (The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 
before ...)
+       TODO: check
 CVE-2014-8550
        RESERVED
 CVE-2014-8549 (libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain 
the ...)
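Review bot: CVE-2014-8552 and CVE-2014-8551 (The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before ...) are added as TODO: check beside vendor entries that already carry NOT-FOR-US, such as "NOT-FOR-US: Progress Software OpenEdge" at the top of this hunk. Siemens WinCC is a proprietary SCADA product with no Debian package, so unless some packaged component embeds it both entries can be closed as NOT-FOR-US rather than left in the TODO queue.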
@@ -1877,8 +2272,8 @@
        [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too 
many checks missing)
        - libav <undetermined>
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=5c378d6a6df8243f06c87962b873bd563e58cd39
-CVE-2014-8539
-       RESERVED
+CVE-2014-8539 (Cross-site scripting (XSS) vulnerability in Simple Email Form 
1.8.5 ...)
+       TODO: check
 CVE-2013-7409 (Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote 
...)
        NOT-FOR-US: ALLPlayer
 CVE-2014-8651 [Privilege Escalation via KDE Clock KCM polkit helper]
@@ -2010,8 +2405,7 @@
        NOT-FOR-US: Citrix XenMobile MDX Toolkit
 CVE-2014-8494 (ESTsoft ALUpdate 8.5.1.0.0 uses weak permissions (Users: Full 
Control) ...)
        NOT-FOR-US: ESTsoft ALUpdate
-CVE-2014-8493
-       RESERVED
+CVE-2014-8493 (ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote 
attackers to ...)
        NOT-FOR-US: ZTE ZXHN H108L
 CVE-2014-8492
        RESERVED
@@ -2109,8 +2503,8 @@
        NOT-FOR-US: CA Cloud Service Management
 CVE-2014-8470
        RESERVED
-CVE-2014-8469
-       RESERVED
+CVE-2014-8469 (Cross-site scripting (XSS) vulnerability in Guests/Boots in 
AdminCP in ...)
+       TODO: check
 CVE-2013-7408 (F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable 
session ...)
        NOT-FOR-US: F5 BIG-IP Analytics
 CVE-2014-XXXX [unsafe use of flag file in /tmp]
@@ -2211,8 +2605,7 @@
        NOT-FOR-US: Adobe Flash Player
 CVE-2014-8440 (Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 
...)
        NOT-FOR-US: Adobe Flash Player
-CVE-2014-8439
-       RESERVED
+CVE-2014-8439 (Adobe Flash Player before 13.0.0.258 and 14.x and 15.x before 
...)
        NOT-FOR-US: Adobe Flash Player
 CVE-2014-8438 (Use-after-free vulnerability in Adobe Flash Player before 
13.0.0.252 ...)
        NOT-FOR-US: Adobe Flash Player
@@ -2232,72 +2625,65 @@
        RESERVED
 CVE-2014-8430
        RESERVED
-CVE-2014-8429
-       RESERVED
+CVE-2014-8429 (Cross-site request forgery (CSRF) vulnerability in Xavoc 
Technocrats ...)
+       TODO: check
 CVE-2014-8428
        RESERVED
 CVE-2014-8427
        RESERVED
 CVE-2014-8426
        RESERVED
-CVE-2014-8425
-       RESERVED
-CVE-2014-8424
-       RESERVED
-CVE-2014-8423
-       RESERVED
+CVE-2014-8425 (The management portal in ARRIS VAP2500 before FW08.41 allows 
remote ...)
+       TODO: check
+CVE-2014-8424 (ARRIS VAP2500 before FW08.41 does not properly validate 
passwords, ...)
+       TODO: check
+CVE-2014-8423 (Unspecified vulnerability in the management portal in ARRIS 
VAP2500 ...)
+       TODO: check
 CVE-2014-8422
        RESERVED
 CVE-2014-8421
        RESERVED
-CVE-2014-8420
-       RESERVED
-CVE-2014-8419
-       RESERVED
-CVE-2014-8418 [AST-2014-018]
-       RESERVED
+CVE-2014-8420 (The ViewPoint web application in Dell SonicWALL Global 
Management ...)
+       TODO: check
+CVE-2014-8419 (Wibu-Systems CodeMeter Runtime before 5.20 uses weak 
permissions (read ...)
+       TODO: check
+CVE-2014-8418 (The DB dialplan function in Asterisk Open Source 1.8.x before 
1.8.32, ...)
        - asterisk <unfixed> (bug #771463)
        [squeeze] - asterisk <end-of-life> (Unsupported in squeeze-lts)
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24534
        NOTE: http://downloads.digium.com/pub/security/AST-2014-018.html
-CVE-2014-8417 [AST-2014-017]
-       RESERVED
+CVE-2014-8417 (ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, 
and ...)
        - asterisk <unfixed> (bug #771463)
        [squeeze] - asterisk <end-of-life> (Unsupported in squeeze-lts)
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24490
        NOTE: http://downloads.digium.com/pub/security/AST-2014-017.html
-CVE-2014-8416 [AST-2014-016]
-       RESERVED
+CVE-2014-8416 (Use-after-free vulnerability in the PJSIP channel driver in 
Asterisk ...)
        - asterisk <unfixed>
        [jessie] - asterisk <not-affected> (PJSIP channel not available yet)
        [wheezy] - asterisk <not-affected> (PJSIP channel not available yet)
        [squeeze] - asterisk <not-affected> (PJSIP channel not available yet)
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24471
        NOTE: http://downloads.digium.com/pub/security/AST-2014-016.html
-CVE-2014-8415 [AST-2014-015]
-       RESERVED
+CVE-2014-8415 (Race condition in the chan_pjsip channel driver in Asterisk 
Open ...)
        - asterisk <unfixed>
        [jessie] - asterisk <not-affected> (PJSIP channel not available yet)
        [wheezy] - asterisk <not-affected> (PJSIP channel not available yet)
        [squeeze] - asterisk <not-affected> (PJSIP channel not available yet)
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24471
        NOTE: http://downloads.digium.com/pub/security/AST-2014-015.html
-CVE-2014-8414 [AST-2014-014]
-       RESERVED
+CVE-2014-8414 (ConfBridge in Asterisk 11.x before 11.14.1 and Certified 
Asterisk 11.6 ...)
        - asterisk <unfixed> (bug #771463)
        [squeeze] - asterisk <end-of-life> (Unsupported in squeeze-lts)
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24440
        NOTE: http://downloads.digium.com/pub/security/AST-2014-014.html
-CVE-2014-8413 [AST-2014-013]
-       RESERVED
+CVE-2014-8413 (The res_pjsip_acl module in Asterisk Open Source 12.x before 
12.7.1 ...)
        - asterisk <unfixed>
        [jessie] - asterisk <not-affected> (PJSIP channel not available yet)
        [wheezy] - asterisk <not-affected> (PJSIP channel not available yet)
        [squeeze] - asterisk <not-affected> (PJSIP channel not available yet)
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24531
        NOTE: http://downloads.digium.com/pub/security/AST-2014-013.html
-CVE-2014-8412 [AST-2014-012]
-       RESERVED
+CVE-2014-8412 (The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk 
Manager ...)
        - asterisk <unfixed> (bug #771463)
        [squeeze] - asterisk <end-of-life> (Unsupported in squeeze-lts)
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24469
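Review bot: the three Asterisk entries that share "- asterisk <unfixed> (bug #771463)" now carry descriptions with different affected ranges: CVE-2014-8418 names 1.8.x before 1.8.32, CVE-2014-8417 names 11.x before 11.14.1 and 12.x before 12.7.1, and CVE-2014-8414 names only 11.x before 11.14.1 and Certified Asterisk 11.6. Only squeeze has a per-release annotation, so wheezy is tracked as affected by all three; check wheezy's asterisk version against the 11.x-only ranges and add "[wheezy] - asterisk <not-affected>" where it falls outside them. The ARRIS VAP2500, Dell SonicWALL GMS and Wibu-Systems CodeMeter entries in the same hunk describe vendor firmware and products and could be filed as NOT-FOR-US rather than "TODO: check".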
@@ -2346,8 +2732,7 @@
        RESERVED
 CVE-2014-8389
        RESERVED
-CVE-2014-8388
-       RESERVED
+CVE-2014-8388 (Stack-based buffer overflow in Advantech WebAccess, formerly 
BroadWin ...)
        NOT-FOR-US: Advantech WebAccess
 CVE-2014-8387 (cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access 
Point ...)
        NOT-FOR-US: Advantech EKI-6340
@@ -2391,10 +2776,10 @@
        - linux-2.6 <not-affected> (Incomplete fix for CVE-2014-3601 was not 
applied)
        NOTE: Introduced by 
http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7
        NOTE: Fixed by: 
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=3d32e4dbe71374a6780eaf51d719d76f9a9bf22f
-CVE-2014-8368
-       RESERVED
-CVE-2014-8367
-       RESERVED
+CVE-2014-8368 (The web interface in Aruba Networks AirWave before 7.7.14 and 
8.x ...)
+       TODO: check
+CVE-2014-8367 (SQL injection vulnerability in Aruba Networks ClearPass Policy 
Manager ...)
+       TODO: check
 CVE-2014-8366 (SQL injection vulnerability in openSIS 4.5 through 5.3 allows 
remote ...)
        NOT-FOR-US: openSIS
 CVE-2014-8365 (Multiple cross-site scripting (XSS) vulnerabilities in Xornic 
Contact ...)
@@ -2430,8 +2815,7 @@
        NOT-FOR-US: CookieViz
 CVE-2014-8351 (SQL injection vulnerability in info.php in French National 
Commission ...)
        NOT-FOR-US: CookieViz
-CVE-2014-8349
-       RESERVED
+CVE-2014-8349 (Cross-site scripting (XSS) vulnerability in Liferay Portal 
Enterprise ...)
        NOT-FOR-US: Liferay Portal
 CVE-2014-8348
        RESERVED
@@ -2622,8 +3006,8 @@
        RESERVED
 CVE-2014-8751
        RESERVED
-CVE-2014-8749
-       RESERVED
+CVE-2014-8749 (Server-side request forgery (SSRF) vulnerability in ...)
+       TODO: check
 CVE-2014-8748 (Cross-site scripting (XSS) vulnerability in the Google 
Doubleclick for ...)
        NOT-FOR-US: Drupal module Google Doubleclick for Publishers
 CVE-2014-8747 (Cross-site scripting (XSS) vulnerability in the Drupal Commons 
module ...)
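Review bot: the truncated description for CVE-2014-8749 ("Server-side request forgery (SSRF) vulnerability in ...") lost the product name entirely, so the "TODO: check" cannot be resolved from this file; the adjacent CVE-2014-8748/8747 entries are Drupal modules, but adjacency is not evidence. Once looked up, record the product in a NOTE or NOT-FOR-US line the way CVE-2014-5237 (also truncated to "in the ...") is already resolved further down with its package annotation.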
@@ -3030,8 +3414,7 @@
        RESERVED
 CVE-2014-8091
        RESERVED
-CVE-2014-8090 [Incomplete fix for CVE-2014-8080]
-       RESERVED
+CVE-2014-8090 (The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 
2.0.x ...)
        {DLA-88-1}
        - ruby1.8 <not-affected> (Incomplete fix never relesed for 1.9)
        - ruby1.9.1 <not-affected> (Incomplete fix never relesed for 1.9)
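Review bot: replacing the bracket tag "[Incomplete fix for CVE-2014-8080]" with the MITRE description drops the only visible link between CVE-2014-8090 and CVE-2014-8080; unless a NOTE below the visible context already records it, add one (for example "NOTE: Incomplete fix for CVE-2014-8080") so the {DLA-88-1} reference and the two "Incomplete fix never released for 1.9" lines remain explainable. While touching the entry, the two context lines read "relesed" for "released".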
@@ -3244,18 +3627,18 @@
        RESERVED
 CVE-2014-8006
        RESERVED
-CVE-2014-8005
-       RESERVED
-CVE-2014-8004
-       RESERVED
+CVE-2014-8005 (Race condition in the lighttpd module in Cisco IOS XR 5.1 and 
earlier ...)
+       TODO: check
+CVE-2014-8004 (Cisco IOS XR allows remote attackers to cause a denial of 
service ...)
+       TODO: check
 CVE-2014-8003
        RESERVED
-CVE-2014-8002
-       RESERVED
-CVE-2014-8001
-       RESERVED
-CVE-2014-8000
-       RESERVED
+CVE-2014-8002 (Use-after-free vulnerability in decode_slice.cpp in Cisco 
OpenH264 ...)
+       TODO: check
+CVE-2014-8001 (Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and 
earlier ...)
+       TODO: check
+CVE-2014-8000 (Cisco Unified Communications Manager IM and Presence Service 
9.1(1) ...)
+       TODO: check
 CVE-2014-7999
        RESERVED
 CVE-2014-7998 (Cisco IOS on Aironet access points, when &quot;dot11 aaa 
authenticator&quot; ...)
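Review bot: the five new Cisco descriptions are not all the same kind of product. CVE-2014-8005 and CVE-2014-8004 (IOS XR) and CVE-2014-8000 (Unified Communications Manager IM and Presence Service) are appliance software and can be resolved to NOT-FOR-US like the Cisco IOS entries elsewhere in this file, whereas CVE-2014-8002 (use-after-free in decode_slice.cpp) and CVE-2014-8001 (buffer overflow in decode.cpp) are in Cisco OpenH264, a source library; those two TODOs need an actual check of whether OpenH264 code is packaged or embedded in Debian before they are closed.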
@@ -3523,8 +3906,7 @@
        RESERVED
 CVE-2014-7872
        RESERVED
-CVE-2014-7871
-       RESERVED
+CVE-2014-7871 (SQL injection vulnerability in Open-Xchange (OX) AppSuite 
before ...)
        - open-xchange <itp> (bug #269329)
 CVE-2014-7870 (Cross-site scripting (XSS) vulnerability in the Custom Search 
module ...)
        NOT-FOR-US: Drupal module Custom Search
@@ -3596,50 +3978,42 @@
        RESERVED
 CVE-2014-7851
        RESERVED
-CVE-2014-7850 [XSS flaw can be used to escalate privileges]
-       RESERVED
+CVE-2014-7850 (Cross-site scripting (XSS) vulnerability in the Web UI in 
FreeIPA 4.x ...)
        - freeipa <unfixed>
        NOTE: https://fedorahosted.org/freeipa/ticket/4742
        TODO: check (possibly unimportant severity if we don't include WebUI 
part and only have vulnerable code)
 CVE-2014-7849
        RESERVED
-CVE-2014-7848 [Hardware path disclosed in the error message]
-       RESERVED
+CVE-2014-7848 (lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 
2.7.x ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287
-CVE-2014-7847 [Lack of access check in IP lookup functionality]
-       RESERVED
+CVE-2014-7847 (iplookup/index.php in Moodle through 2.4.11, 2.5.x before 
2.5.9, 2.6.x ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47321
-CVE-2014-7846 [Lack of capability check in tags list access]
-       RESERVED
+CVE-2014-7846 (tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 
2.5.9, ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965
-CVE-2014-7845 [Weak temporary password generation]
-       RESERVED
+CVE-2014-7845 (The generate_password function in Moodle through 2.4.11, 2.5.x 
before ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47050
 CVE-2014-7844
        RESERVED
-CVE-2014-7843 [copying from /dev/zero causes local DoS]
-       RESERVED
+CVE-2014-7843 (The __clear_user function in arch/arm64/lib/clear_user.S in the 
Linux ...)
        - linux <unfixed>
        [wheezy] - linux <not-affected> (arm64 support introduced in 3.7)
        - linux-2.6 <not-affected> (arm64 support introduced in 3.7)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1163744
        NOTE: Upstream patch proposal: https://lkml.org/lkml/2014/11/12/584
-CVE-2014-7842 [kvm: reporting emulation failures to userspace]
-       RESERVED
+CVE-2014-7842 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 
3.17.4 ...)
        - linux <unfixed>
        - linux-2.6 <removed>
        NOTE: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fc3a9157d314
 (v2.6.38-rc1)
        NOTE: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a2b9e6c1a35a
 (v3.18-rc1)
-CVE-2014-7841 [net: sctp: NULL pointer dereference in af->from_addr_param on 
malformed packet]
-       RESERVED
+CVE-2014-7841 (The sctp_process_param function in net/sctp/sm_make_chunk.c in 
the ...)
        - linux <unfixed>
        - linux-2.6 <removed>
        NOTE: Upstream patch: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e40607cbe270a9e8360907cb1e62ddf0736e4864
 (v3.18-rc5)
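Review bot: the two NOTE lines under CVE-2014-7842 list commits fc3a9157d314 (v2.6.38-rc1) and a2b9e6c1a35a (v3.18-rc1) without saying which introduced the bug and which fixed it; the file's own convention is to prefix them ("NOTE: Introduced by" / "NOTE: Fixed by:" as in the KVM entry above, "NOTE: Upstream patch:" as under CVE-2014-7841). Label them, since the description's "before 3.17.4" only reads correctly once the v3.18-rc1 commit is identified as the fix that was backported to stable. Separately, the FreeIPA entry keeps a TODO on severity; the new description places the flaw in the Web UI, which is exactly the part the TODO says the Debian package may not ship, so that decision can probably be made now.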
@@ -3652,53 +4026,43 @@
        [wheezy] - qemu-kvm <no-dsa> (Minor issue, hardly exploitable in 
practice)
        [squeeze] - qemu-kvm <no-dsa> (Minor issue, hardly exploitable in 
practice)
        NOTE: http://thread.gmane.org/gmane.comp.emulators.qemu/306117
-CVE-2014-7839 [External entities expanded by DocumentProvider]
-       RESERVED
+CVE-2014-7839 (DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure 
the ...)
        - resteasy 3.0.6-2 (bug #770544)
        NOTE: https://issues.jboss.org/browse/RESTEASY-1130
-CVE-2014-7838 [CSRF in forum tracking toggle]
-       RESERVED
+CVE-2014-7838 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
the ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48019
-CVE-2014-7837 [Possible data loss in Wiki activity]
-       RESERVED
+CVE-2014-7837 (mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 
2.5.9, 2.6.x ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47949
-CVE-2014-7836 [CSRF in LTI module]
-       RESERVED
+CVE-2014-7836 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
the LTI ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924
-CVE-2014-7835 [XSS file upload possible through web service]
-       RESERVED
+CVE-2014-7835 (webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x 
before ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868
-CVE-2014-7834 [Lack of group check in web service for Forum]
-       RESERVED
+CVE-2014-7834 (mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 
2.7.x ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303
-CVE-2014-7833 [Information leak in Database activity module]
-       RESERVED
+CVE-2014-7833 (mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 
2.6.x ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47697
-CVE-2014-7832 [Insufficient access check in LTI module]
-       RESERVED
+CVE-2014-7832 (mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 
2.5.x ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921
-CVE-2014-7831 [Hidden grade information exposed by web services]
-       RESERVED
+CVE-2014-7831 (lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 
does not ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766
        TODO: check, possibly affects only 2.7.x
-CVE-2014-7830 [XSS in mapcourse script in Feedback module]
-       RESERVED
+CVE-2014-7830 (Cross-site scripting (XSS) vulnerability in 
mod/feedback/mapcourse.php ...)
        - moodle <unfixed>
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865
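Review bot: the new description for CVE-2014-7831 ("lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not ...") answers the trailing "TODO: check, possibly affects only 2.7.x"; drop the TODO. The other Moodle entries in this hunk cite "through 2.4.11, 2.5.x before 2.5.9, 2.6.x ..." while this one names 2.7.x only, so the squeeze line can become <not-affected> instead of <end-of-life> if squeeze's moodle predates 2.7.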
@@ -3739,8 +4103,7 @@
        NOTE: Fixed by 
http://libvirt.org/git/?p=libvirt.git;a=commit;h=b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b
 CVE-2014-7822
        RESERVED
-CVE-2014-7821 [DoS through invalid DNS configuration]
-       RESERVED
+CVE-2014-7821 (OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 
allows ...)
        - neutron 2014.1.3-6 (bug #770431)
        NOTE: Versions up to 2014.1.3 and 2014.2
        NOTE: https://launchpad.net/bugs/1378450
@@ -3757,8 +4120,7 @@
        - ruby-actionpack-3.2 <removed>
        [wheezy] - ruby-actionpack-3.2 <no-dsa> (Minor issue)
        - ruby-actionpack-2.3 <not-affected> (Only affects >= 3)
-CVE-2014-7817 [command execution in wordexp() with WRDE_NOCMD specified]
-       RESERVED
+CVE-2014-7817 (The wordexp function in GNU C Library (aka glibc) 2.21 does not 
...)
        {DLA-97-1}
        - glibc <unfixed>
        [jessie] - eglibc <not-affected> (eglibc replaced by glibc in jessie, 
workaround for #769128)
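Review bot: the description pulled in for CVE-2014-7817 says "GNU C Library (aka glibc) 2.21", yet the entry tracks a squeeze fix via {DLA-97-1} and marks wheezy's eglibc "<no-dsa> (Will be fixed through a point update)", i.e. releases much older than 2.21 are treated as affected. The libc-alpha mail and the commit in the NOTE lines are the authoritative range; keep those as the basis for the per-release decisions and check whether the "2.21" in the MITRE text denotes the release the fix landed in rather than the first affected version, flagging it upstream if it is simply wrong.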
@@ -3766,8 +4128,7 @@
        [wheezy] - eglibc <no-dsa> (Will be fixed through a point update)
        NOTE: https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html
        NOTE: Git commit: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
-CVE-2014-7816 [information disclosure via directory traversal]
-       RESERVED
+CVE-2014-7816 (Directory traversal vulnerability in JBoss Undertow 1.0.x 
before ...)
        - undertow <itp> (bug #767001)
        NOTE: When this enters the archive it should be marked straight as 
not-affected
        NOTE: as the issue is only when undertow is running on Windows.
@@ -4817,8 +5178,8 @@
        RESERVED
 CVE-2014-7292 (Open redirect vulnerability in the Click-Through feature in ...)
        NOT-FOR-US: Newtelligence dasBlog
-CVE-2014-7291
-       RESERVED
+CVE-2014-7291 (Multiple cross-site scripting (XSS) vulnerabilities in 
api_events.php ...)
+       TODO: check
 CVE-2014-7290 (Multiple cross-site scripting (XSS) vulnerabilities in Atlas 
Systems ...)
        TODO: check
 CVE-2014-7289
@@ -4925,8 +5286,8 @@
        RESERVED
 CVE-2014-7248 (Cross-site scripting (XSS) vulnerability in IPA iLogScanner 4.0 
allows ...)
        NOT-FOR-US: IPA iLogScanner
-CVE-2014-7247
-       RESERVED
+CVE-2014-7247 (Unspecified vulnerability in JustSystems Ichitaro 2008 through 
2011; ...)
+       TODO: check
 CVE-2014-7246 (The Core Server in OpenAM 9.5.3 through 9.5.5, 10.0.0 through 
10.0.2, ...)
        NOT-FOR-US: OpenAM (SSO Server)
        NOTE: This is not the openam answering machine.
@@ -5025,8 +5386,7 @@
        RESERVED
 CVE-2013-7404
        RESERVED
-CVE-2012-6662 [Tooltip: XSS vulnerability in default content]
-       RESERVED
+CVE-2012-6662 (Cross-site scripting (XSS) vulnerability in the default content 
option ...)
        - jqueryui 1.10.1+dfsg-1
        NOTE: http://bugs.jqueryui.com/ticket/8861
        NOTE: 
https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde
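Review bot: CVE-2012-6662 gets a fixed version (jqueryui 1.10.1+dfsg-1) but no [wheezy] or [squeeze] annotation, and the old bracket tag "[Tooltip: XSS vulnerability in default content]" recorded that this is an issue in the Tooltip widget; check whether the jqueryui versions in wheezy and squeeze ship that widget at all and add <not-affected> (Tooltip widget not present) where they do not, rather than leaving them implicitly vulnerable.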
@@ -5099,10 +5459,10 @@
        RESERVED
 CVE-2014-7196
        RESERVED
-CVE-2014-7195
-       RESERVED
-CVE-2014-7194
-       RESERVED
+CVE-2014-7195 (Spotfire Web Player Engine in TIBCO Spotfire Web Player 6.0.x 
before ...)
+       TODO: check
+CVE-2014-7194 (TIBCO Managed File Transfer Internet Server before 7.2.4, 
Managed File ...)
+       TODO: check
 CVE-2014-7193 [Crumb CORS Token Disclosure]
        RESERVED
        NOT-FOR-US: Crumb
@@ -5128,12 +5488,11 @@
        NOT-FOR-US: ElectricCommander
 CVE-2014-7179
        RESERVED
-CVE-2014-7178
-       RESERVED
+CVE-2014-7178 (Enalean Tuleap before 7.5.99.6 allows remote attackers to 
execute ...)
        NOT-FOR-US: Enalean Tuleap
 CVE-2014-7177 (XML External Entity vulnerability in Enalean Tuleap 7.2 and 
earlier ...)
        NOT-FOR-US: Enalean Tuleap
-CVE-2014-7176 (SQL injection vulnerability in Enalean Tuleap before 7.5 allows 
remote ...)
+CVE-2014-7176 (SQL injection vulnerability in Enalean Tuleap before 7.5.99.4 
allows remote ...)
        NOT-FOR-US: Enalean Tuleap
 CVE-2014-7175
        RESERVED
@@ -5261,8 +5620,7 @@
        NOT-FOR-US: WordPress plugin Contact Form DB
 CVE-2014-7138 (Cross-site scripting (XSS) vulnerability in the Google Calendar 
Events ...)
        NOT-FOR-US: WordPress plugin Google Calendar Events
-CVE-2014-7137 [Multiple SQL Injections]
-       RESERVED
+CVE-2014-7137 (Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 
before ...)
        - dolibarr <unfixed> (bug #770313)
 CVE-2014-7136
        RESERVED
@@ -6321,8 +6679,7 @@
        RESERVED
 CVE-2014-6611 (The BlackBerry World app before 5.0.0.262 on BlackBerry 10 OS 
10.2.0, ...)
        NOT-FOR-US: BlackBerry
-CVE-2014-6609 [Remote crash based on malformed SIP subscription]
-       RESERVED
+CVE-2014-6609 (The res_pjsip_pubsub module in Asterisk Open Source 12.x before 
12.5.1 ...)
        - asterisk <not-affected> (only affects 12.x series)
        NOTE: http://downloads.asterisk.org/pub/security/AST-2014-009.html
 CVE-2014-6608
@@ -6350,8 +6707,7 @@
        - twisted 14.0.2-1 (bug #761983)
        [wheezy] - twisted <not-affected> (Only affects 14.0 series)
        [squeeze] - twisted <not-affected> (Only affects 14.0 series)
-CVE-2014-6610 [Remote crash when handling out of call message in certain 
dialplan configurations]
-       RESERVED
+CVE-2014-6610 (Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 
and ...)
        - asterisk 1:11.12.1~dfsg-1 (medium; bug #762164)
        [squeeze] - asterisk <not-affected> (Vulnerable code not present)
        NOTE: http://downloads.asterisk.org/pub/security/AST-2014-010.html
@@ -6719,8 +7075,8 @@
        - mariadb-10.0 <not-affected> (Fixed before initial upload)
        - percona-xtradb-cluster-5.5 <undetermined>
        - cyassl <undetermined>
-CVE-2014-6477
-       RESERVED
+CVE-2014-6477 (Unspecified vulnerability in the JPublisher component in Oracle 
...)
+       TODO: check
 CVE-2014-6476 (Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 
allows ...)
        - openjdk-6 <not-affected> (Deployment components not part of OpenJDK, 
only present in Oracle Java)
        - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, 
only present in Oracle Java)
@@ -7302,8 +7658,7 @@
        NOTE: Upstream commits: 
http://bazaar.launchpad.net/~squid/squid/trunk/revision/13574
        NOTE: http://bazaar.launchpad.net/~squid/squid/trunk/revision/13582
        NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_3.txt
-CVE-2014-7142 [pinger remote DoS]
-       RESERVED
+CVE-2014-7142 (The pinger in Squid 3.x before 3.4.8 allows remote attackers to 
obtain ...)
        - squid <unfixed>
        [squeeze] - squid <no-dsa> (Minor issue)
        [wheezy] - squid <no-dsa> (Minor issue)
@@ -7312,8 +7667,7 @@
        [wheezy] - squid3 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.novell.com/show_bug.cgi?id=891268
        NOTE: http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
-CVE-2014-7141 [pinger remote DoS]
-       RESERVED
+CVE-2014-7141 (The pinger in Squid 3.x before 3.4.8 allows remote attackers to 
obtain ...)
        - squid <unfixed>
        [squeeze] - squid <no-dsa> (Minor issue)
        [wheezy] - squid <no-dsa> (Minor issue)
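Review bot: CVE-2014-7142 and CVE-2014-7141 now carry the identical truncated description "The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain ...", so once the "[pinger remote DoS]" tags are gone nothing in the entries themselves distinguishes the two issues; the SQUID-2014_3 and SQUID-2014_4 advisory NOTE lines are what tells them apart, so confirm each CVE's entry ends with the advisory that assigns it. Note also that the MITRE text says "obtain", pointing at information disclosure rather than only the crash the old tags recorded; re-check the "<no-dsa> (Minor issue)" assessments against the full description.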
@@ -7445,8 +7799,8 @@
        RESERVED
 CVE-2014-6197
        RESERVED
-CVE-2014-6196
-       RESERVED
+CVE-2014-6196 (Cross-site scripting (XSS) vulnerability in IBM Web Experience 
Factory ...)
+       TODO: check
 CVE-2014-6195
        RESERVED
 CVE-2014-6194
@@ -7471,8 +7825,8 @@
        RESERVED
 CVE-2014-6184
        RESERVED
-CVE-2014-6183
-       RESERVED
+CVE-2014-6183 (IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 
before ...)
+       TODO: check
 CVE-2014-6182
        RESERVED
 CVE-2014-6181
@@ -7652,8 +8006,8 @@
        NOT-FOR-US: IBM
 CVE-2014-6094
        RESERVED
-CVE-2014-6093
-       RESERVED
+CVE-2014-6093 (Cross-site scripting (XSS) vulnerability in IBM WebSphere 
Portal 7.0.x ...)
+       TODO: check
 CVE-2014-6092
        RESERVED
 CVE-2014-6091 (Cross-site scripting (XSS) vulnerability in IBM Curam Social 
Program ...)
@@ -7688,8 +8042,8 @@
        RESERVED
 CVE-2014-6076
        RESERVED
-CVE-2014-6075
-       RESERVED
+CVE-2014-6075 (IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 
Patch ...)
+       TODO: check
 CVE-2014-6074 (IBM UrbanCode Deploy 6.1.0.2 before IF1 allows remote 
authenticated ...)
        NOT-FOR-US: IBM UrbanCode Deploy
 CVE-2014-6073
@@ -9040,8 +9394,8 @@
        RESERVED
 CVE-2014-5427
        RESERVED
-CVE-2014-5426
-       RESERVED
+CVE-2014-5426 (MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote 
...)
+       TODO: check
 CVE-2014-5425 (IOServer before Beta2112.exe allows remote attackers to cause a 
denial ...)
        NOT-FOR-US: IOServer
 CVE-2014-5424 (Rockwell Automation Connected Components Workbench (CCW) before 
...)
@@ -9102,8 +9456,8 @@
        NOT-FOR-US: Schneider Electric
 CVE-2014-5396 (The web interface in Schrack Technik microControl with firmware 
before ...)
        NOT-FOR-US: Schrack Technik microControl
-CVE-2014-5395
-       RESERVED
+CVE-2014-5395 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
Huawei ...)
+       TODO: check
 CVE-2014-5394
        RESERVED
 CVE-2014-5393 (Directory traversal vulnerability in the JobScheduler 
Operations ...)
@@ -9293,11 +9647,9 @@
        NOT-FOR-US: Huawei router
 CVE-2014-5327 (Buffer overflow in the Webserver component on the Huawei E5332 
router ...)
        NOT-FOR-US: Huawei router
-CVE-2014-5326 [cross-site scripting flaw]
-       RESERVED
+CVE-2014-5326 (Cross-site scripting (XSS) vulnerability in Direct Web Remoting 
(DWR) ...)
        - dwr <itp> (bug #601517)
-CVE-2014-5325 [XML external entity injection]
-       RESERVED
+CVE-2014-5325 (The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, 
and (4) ...)
        - dwr <itp> (bug #601517)
 CVE-2014-5324 (Unrestricted file upload vulnerability in the N-Media file 
uploader ...)
        NOT-FOR-US: N-Media file uploader plugin for WordPress
@@ -9319,8 +9671,8 @@
        NOT-FOR-US: DotClear
 CVE-2014-5315 (Cross-site scripting (XSS) vulnerability in the Help page in 
Adobe ...)
        NOT-FOR-US: Adobe
-CVE-2014-5314
-       RESERVED
+CVE-2014-5314 (Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, 
Mailwise 4 ...)
+       TODO: check
 CVE-2014-5313 (Cross-site scripting (XSS) vulnerability in the management page 
in Six ...)
        - movabletype-opensource <undetermined>
 CVE-2014-5461 (Buffer overflow in the vararg functions in ldo.c in Lua 5.1 
through ...)
@@ -9397,8 +9749,8 @@
        RESERVED
 CVE-2014-5285 (Unspecified vulnerability in the Authentication Module in TIBCO 
...)
        NOT-FOR-US: TIBCO Spotfire Server
-CVE-2014-5284
-       RESERVED
+CVE-2014-5284 (host-deny.sh in OSSEC before 2.8.1 writes to temporary files 
with ...)
+       TODO: check
 CVE-2014-5283
        RESERVED
 CVE-2014-5282 [Tagging image to ID can redirect images on subsequent pulls]
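Review bot: unlike the vendor-product TODOs around it, CVE-2014-5284 describes host-deny.sh in OSSEC, an open-source host intrusion detection system, so this "TODO: check" is a real archive question (is OSSEC packaged or embedded anywhere?), and the truncated text "writes to temporary files with ..." hides the actual weakness; pull the full description before deciding, and if OSSEC is not packaged record NOT-FOR-US with the product name rather than leaving the TODO.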
@@ -9442,8 +9794,7 @@
 CVE-2014-5238
        RESERVED
        - open-xchange <itp> (bug #269329)
-CVE-2014-5237
-       RESERVED
+CVE-2014-5237 (Server-side request forgery (SSRF) vulnerability in the ...)
        - open-xchange <itp> (bug #269329)
 CVE-2014-5236
        RESERVED
@@ -9467,8 +9818,7 @@
        NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php
        NOTE: Most of the affected Javascript files do not exist on version 3.3 
and 3.4.
        NOTE: Those that do do not contain the problematic code.
-CVE-2014-5268
-       RESERVED
+CVE-2014-5268 (The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows 
remote ...)
        NOT-FOR-US: Drupal addon
 CVE-2014-5250 (Unspecified vulnerability in the AJAX autocompletion callback 
in the ...)
        NOT-FOR-US: Drupal addon
@@ -10501,8 +10851,7 @@
        NOT-FOR-US: CPWORLD Close Protection World (aka 
com.tapatalk.closeprotectionworldcom) application for Android
 CVE-2014-4884 (The Conrad Hotel (aka com.wConradHotel) application 0.1 for 
Android ...)
        NOT-FOR-US: Conrad Hotel (aka com.wConradHotel) application for Android
-CVE-2014-4883 [embedded lwIP's DNS resolver does not randomize ID fields or 
source ports of DNS query packets]
-       RESERVED
+CVE-2014-4883 (resolv.c in the DNS resolver in uIP, and dns.c in the DNS 
resolver in ...)
        - xen <not-affected> (LWIP DNS code not present in Xen Debian packages)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1169008
 CVE-2014-4882
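Review bot: the new description for CVE-2014-4883 covers two resolvers, resolv.c in uIP and dns.c in lwIP, but the only package annotation is "- xen <not-affected> (LWIP DNS code not present in Xen Debian packages)", which addresses lwIP only, as did the old bracket tag. Record whether any package ships the uIP resolver (or state that none does) so the entry does not read as fully triaged when only half of it has been assessed.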
@@ -10611,14 +10960,14 @@
        NOT-FOR-US: IBM
 CVE-2014-4833 (IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows 
remote ...)
        NOT-FOR-US: IBM Security QRadar SIEM
-CVE-2014-4832
-       RESERVED
-CVE-2014-4831
-       RESERVED
+CVE-2014-4832 (IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 
Patch ...)
+       TODO: check
+CVE-2014-4831 (IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 
Patch ...)
+       TODO: check
 CVE-2014-4830 (IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 does 
not ...)
        NOT-FOR-US: IBM Security QRadar SIEM
-CVE-2014-4829
-       RESERVED
+CVE-2014-4829 (Cross-site request forgery (CSRF) vulnerability in IBM Security 
QRadar ...)
+       TODO: check
 CVE-2014-4828 (IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows 
remote ...)
        NOT-FOR-US: IBM Security QRadar SIEM
 CVE-2014-4827 (Cross-site scripting (XSS) vulnerability in IBM Security QRadar 
SIEM ...)
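Review bot: CVE-2014-4832, CVE-2014-4831 and CVE-2014-4829 are left at "TODO: check" although their descriptions name IBM Security QRadar SIEM and QRadar Risk Manager, the same product the surrounding CVE-2014-4833/4830/4828/4827 entries file as "NOT-FOR-US: IBM Security QRadar SIEM"; resolve them the same way rather than deferring. The same applies to the other IBM entries in this update (CVE-2014-6196, CVE-2014-6183, CVE-2014-6093, CVE-2014-6075 and CVE-2014-4807), whose neighbours are already NOT-FOR-US: IBM.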
@@ -10661,8 +11010,8 @@
        NOT-FOR-US: IBM Security Access Manager
 CVE-2014-4808 (Unspecified vulnerability in IBM WebSphere Portal 6.1.0 through 
...)
        NOT-FOR-US: IBM WebSphere Portal
-CVE-2014-4807
-       RESERVED
+CVE-2014-4807 (Sterling Order Management in IBM Sterling Selling and 
Fulfillment ...)
+       TODO: check
 CVE-2014-4806 (The installation process in IBM Security AppScan Enterprise 8.x 
before ...)
        NOT-FOR-US: IBM
 CVE-2014-4805 (IBM DB2 10.5 before FP4 on Linux and AIX creates temporary 
files ...)
@@ -13317,8 +13666,7 @@
        {DSA-3051-1}
        - drupal7 7.32-1 (bug #765507)
        - drupal6 <not-affected> (Only affects Drupal 7)
-CVE-2014-3703
-       RESERVED
+CVE-2014-3703 (OpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) 
monolithic ...)
        NOT-FOR-US: Red Hat Openstack 4 Neutron
        TODO: seem Red Hat specific to nova, but double check
 CVE-2014-3702
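Review bot: the description, the NOT-FOR-US label and the TODO under CVE-2014-3703 now disagree about which component is involved: the MITRE text names OpenStack PackStack 2012.2.1 with the Open vSwitch monolithic plugin, the label says "Red Hat Openstack 4 Neutron", and the TODO says "seem Red Hat specific to nova". PackStack is the Red Hat installer tool, not nova or neutron itself; keep NOT-FOR-US if it is not packaged, but rewrite the label to name PackStack and drop or reword the TODO so the three lines agree.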
@@ -13369,8 +13717,7 @@
        [squeeze] - qemu-kvm <end-of-life>
        NOTE: Upstream's quick and easy stopgap for this issue: compile out the 
hardware acceleration functions which lack sanity checks.
        NOTE: 
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc
-CVE-2014-3688 [net: sctp: remote memory pressure from excessive queueing]
-       RESERVED
+CVE-2014-3688 (The SCTP implementation in the Linux kernel before 3.17.4 
allows ...)
        {DSA-3060-1}
        - linux 3.16.7-1
        - linux-2.6 <removed>
@@ -13587,8 +13934,7 @@
        RESERVED
 CVE-2014-3626
        RESERVED
-CVE-2014-3625 [Directory Traversal in Spring Framework]
-       RESERVED
+CVE-2014-3625 (Directory traversal vulnerability in Pivitol Spring Framework 
3.0.4 ...)
        - libspring-java <unfixed> (bug #769698)
        NOTE: https://github.com/spring-projects/spring-framework/commit/3f68cd
        NOTE: http://www.pivotal.io/security/cve-2014-3625
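Review bot: the imported description for CVE-2014-3625 spells the vendor "Pivitol" while the NOTE URL directly below it is pivotal.io. The misspelling is in the upstream CVE text that this automatic update mirrors, so it should not be hand-edited in the list (the next sync would reintroduce it); it is worth flagging upstream instead so the tracker's rendered pages stop carrying it.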
@@ -13674,7 +14020,7 @@
        - python-imaging <removed> (unimportant)
        NOTE: not a security issue, see 
https://bugzilla.redhat.com/show_bug.cgi?id=1133306#c8
 CVE-2014-3605
-       RESERVED
+       REJECTED
 CVE-2014-3604 (Certificates.java in Not Yet Commons SSL before 0.3.15 does not 
...)
        - not-yet-commons-ssl 0.3.15-1 (bug #759526)
        NOTE: 
http://lists.juliusdavies.ca/pipermail/not-yet-commons-ssl-juliusdavies.ca/2014-August/000832.html
@@ -14440,8 +14786,8 @@
        NOT-FOR-US: Cisco IOS
 CVE-2014-3408 (Cross-site scripting (XSS) vulnerability in the web framework 
in Cisco ...)
        NOT-FOR-US: Cisco Prime Optical
-CVE-2014-3407
-       RESERVED
+CVE-2014-3407 (The SSL VPN implementation in Cisco Adaptive Security Appliance 
(ASA) ...)
+       TODO: check
 CVE-2014-3406 (Race condition in the IP logging feature in Cisco Intrusion 
Prevention ...)
        NOT-FOR-US: Cisco Intrusion Prevention System
 CVE-2014-3405 (Cisco IOS XE enables the IPv6 Routing Protocol for Low-Power 
and Lossy ...)
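Review bot: CVE-2014-3407 is left at `TODO: check` although its description names the SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) and every surrounding Cisco entry in this hunk (IOS, Prime Optical, Intrusion Prevention System, IOS XE) is already triaged `NOT-FOR-US: Cisco ...`; the consistent resolution is `NOT-FOR-US: Cisco ASA` unless the full description points at a Debian-shipped component.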
@@ -14888,6 +15234,7 @@
        - emacs24 24.3+1-4
        NOTE: 
http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html
 CVE-2014-9091
+       RESERVED
        - icecast2 2.4.0-1 (low)
        [squeeze] - icecast2 <no-dsa> (Minor issue)
        [wheezy] - icecast2 <no-dsa> (Minor issue)
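Review bot: the `RESERVED` line inserted under CVE-2014-9091 sits directly above live tracking data (`icecast2 2.4.0-1 (low)` plus the squeeze and wheezy `<no-dsa>` annotations), so the issue is evidently known even though no description has been published yet. Other entries in this state carry a bracketed working title (for example `CVE-2014-2032 [missing input validation]` further down), and this one should get the same so the entry is searchable before the description lands.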
@@ -15332,15 +15679,13 @@
        NOT-FOR-US: IBM WebSphere Application Server
 CVE-2014-3069 (Multiple CRLF injection vulnerabilities in the Universal Access 
...)
        NOT-FOR-US: IBM Curam Social Program Management
-CVE-2014-3068
-       RESERVED
+CVE-2014-3068 (IBM Java Runtime Environment (JRE) 7 R1 before SR1 FP1 
(7.1.1.1), 7 ...)
        NOT-FOR-US: IBM JDK
 CVE-2014-3067
        RESERVED
 CVE-2014-3066 (IBM Tivoli Endpoint Manager 9.1 before 9.1.1088.0 allows remote 
...)
        NOT-FOR-US: IBM Tivoli Endpoint Manager
-CVE-2014-3065
-       RESERVED
+CVE-2014-3065 (Unspecified vulnerability in IBM Java Runtime Environment (JRE) 
7 R1 ...)
        NOT-FOR-US: IBM JDK
 CVE-2014-3064 (The GDS component in IBM InfoSphere Master Data Management - 
...)
        NOT-FOR-US: IBM
@@ -17578,10 +17923,10 @@
        RESERVED
 CVE-2014-2234 (A certain Apple patch for OpenSSL in Apple OS X 10.9.2 and 
earlier ...)
        - openssl <not-affected> (Apple-specific patch)
-CVE-2014-2233
-       RESERVED
-CVE-2014-2232
-       RESERVED
+CVE-2014-2233 (Server-side request forgery (SSRF) vulnerability in the MapAPI 
in ...)
+       TODO: check
+CVE-2014-2232 (Absolute path traversal vulnerability in the MapAPI in Infoware 
...)
+       TODO: check
 CVE-2014-2231 (Cross-site scripting (XSS) vulnerability in the API in synetics 
i-doit ...)
        NOT-FOR-US: synetics i-doit pro
 CVE-2014-2230 (Open redirect vulnerability in the header function in 
adclick.php in ...)
@@ -18309,8 +18654,7 @@
        [wheezy] - linux 3.2.57-1
        - linux-2.6 <removed>
        NOTE: 
https://git.kernel.org/linus/8d7f6690cedb83456edd41c9bd583783f0703bf0
-CVE-2014-2037 [incomplete fix for CVE-2013-6466 DoS in openSwan]
-       RESERVED
+CVE-2014-2037 (Openswan 2.6.40 allows remote attackers to cause a denial of 
service ...)
        - openswan <not-affected> (Incomplete fix was never applied)
 CVE-2014-2032 [missing input validation]
        RESERVED
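Review bot: replacing the bracketed title of CVE-2014-2037 drops the only mention of CVE-2013-6466, which is exactly what the `<not-affected> (Incomplete fix was never applied)` rationale depends on; a reader of the new text cannot tell which fix is meant. Keep the cross-reference, either in the rationale text or as a `NOTE:` line pointing at CVE-2013-6466, so the not-affected decision stays verifiable without digging through history.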
@@ -20207,8 +20551,7 @@
        RESERVED
 CVE-2014-1425
        RESERVED
-CVE-2014-1424
-       RESERVED
+CVE-2014-1424 (apparmor_parser in the apparmor package before 
2.8.95~2430-0ubuntu5.1 ...)
        - apparmor <not-affected> (Vulnerable code only in Ubuntu-specific 
backport of patch)
        NOTE: Caused by a patch that was added to the Ubuntu packaging before
        NOTE: it was taken upstream. The one that was merged upstream (and part
@@ -20219,8 +20562,7 @@
        RESERVED
 CVE-2014-1422
        RESERVED
-CVE-2014-1421 [insecure mount permissions]
-       RESERVED
+CVE-2014-1421 (mountall 1.54, as used in Ubuntu 14.10, does not properly 
handle the ...)
        - mountall <unfixed>
        [wheezy] - mountall <not-affected> (Only affected when using more 
recent mount versions)
        NOTE: See 
https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183
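Review bot: `- mountall <unfixed>` carries no Debian bug reference, unlike the other unfixed entry in this patch (`libspring-java <unfixed> (bug #769698)`), and the only NOTE points at a Launchpad bug filed against partman-efi rather than against mountall. An unfixed issue in a Debian package should have a bug recorded in the usual `(bug #NNNNNN)` form (placeholder; the actual number is not in this patch) so the state is tracked somewhere other than this list.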
@@ -21922,7 +22264,7 @@
        NOT-FOR-US: Adobe ColdFusion
 CVE-2014-0569 (Integer overflow in Adobe Flash Player before 13.0.0.250 and 
14.x and ...)
        NOT-FOR-US: Adobe Flash Player
-CVE-2014-0568 (Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 
11.0.09 ...)
+CVE-2014-0568 (The NtSetInformationFile system call hook feature in Adobe 
Reader and ...)
        NOT-FOR-US: Adobe Reader
 CVE-2014-0567 (Heap-based buffer overflow in Adobe Reader and Acrobat 10.x 
before ...)
        NOT-FOR-US: Adobe Reader
@@ -25514,8 +25856,7 @@
        RESERVED
 CVE-2013-6498
        RESERVED
-CVE-2013-6497 [clamscan -a segmentation fault on valid JavaScript file]
-       RESERVED
+CVE-2013-6497 (clamscan in ClamAV before 0.98.5, when using -a option, allows 
remote ...)
        {DLA-95-1}
        - clamav 0.98.5+dfsg-1
        NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11088
@@ -25524,8 +25865,7 @@
 CVE-2013-6495
        RESERVED
        NOT-FOR-US: JBossWeb Bayeux
-CVE-2013-6494
-       RESERVED
+CVE-2013-6494 (fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory 
with a ...)
        NOT-FOR-US: fedup (Fedora specific)
 CVE-2013-6493 (The LiveConnect implementation in 
plugin/icedteanp/IcedTeaNPPlugin.cc ...)
        - icedtea-web 1.4.2-1 (low)
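Review bot: in the context lines of this hunk, CVE-2013-6495 carries both `RESERVED` and `NOT-FOR-US: JBossWeb Bayeux`. Once an entry is triaged as NOT-FOR-US the RESERVED status line is redundant and the pair reads as contradictory; it should be cleaned up in a follow-up commit, since the automatic update does not touch it. The new CVE-2013-6494 triage (`NOT-FOR-US: fedup (Fedora specific)`) is consistent with its description.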


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits