| author | Joey Hess <joeyh@debian.org> | 2014-04-08 21:14:09 +0000 |
|---|---|---|
| committer | Joey Hess <joeyh@debian.org> | 2014-04-08 21:14:09 +0000 |
| commit | 2a4d4cfe68670b1ded4d67982ae907cc1d26f3b7 (patch) | |
| tree | e35f0f146ee72c3ba0d376fab71adf9a1e2f4fb2 | |
| parent | 9de517b51f2b9dcbe676700dc8d3d61d4f2830f2 (diff) | |
automatic update
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@26470 e39458fd-73e7-0310-bf30-c45bca0a0e42
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | data/CVE/2001.list | 3 |
| -rw-r--r-- | data/CVE/2012.list | 32 |
| -rw-r--r-- | data/CVE/2013.list | 19 |
| -rw-r--r-- | data/CVE/2014.list | 74 |

4 files changed, 67 insertions, 61 deletions
diff --git a/data/CVE/2001.list b/data/CVE/2001.list index 68d8334261..4fbb51f28f 100644 --- a/data/CVE/2001.list +++ b/data/CVE/2001.list @@ -1,5 +1,4 @@ -CVE-2001-1593 [insecure use of /tmp] - RESERVED +CVE-2001-1593 (The tempname_ensure function lib/routines.h in a2ps 4.14 and earlier, ...) {DSA-2892-1} - a2ps 1:4.14-1.2 (low; bug #737385) [wheezy] - a2ps <no-dsa> (Minor issue) diff --git a/data/CVE/2012.list b/data/CVE/2012.list index 40f9a636cb..a9ad3fef20 100644 --- a/data/CVE/2012.list +++ b/data/CVE/2012.list @@ -1,3 +1,7 @@ +CVE-2012-6641 (Cross-site scripting (XSS) vulnerability in redirect.php in the ...) + TODO: check +CVE-2012-6640 (Cross-site scripting (XSS) vulnerability in Horde Internet Mail ...) + TODO: check CVE-2012-6639 RESERVED - cloud-init 0.7.1-1 @@ -509,8 +513,8 @@ CVE-2012-6431 (Symfony 2.0.x before 2.0.20 does not process URL encoded data ... NOT-FOR-US: Symfony CVE-2012-6430 (Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms ...) NOT-FOR-US: Open Solution Quick.Cart and Quick.Cms -CVE-2012-6429 - RESERVED +CVE-2012-6429 (Buffer overflow in the PrepareSync method in the SyncService.dll ...) + TODO: check CVE-2012-6428 (Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 ...) NOT-FOR-US: Carlo Gavazzi EOS-Box CVE-2012-6427 (Multiple SQL injection vulnerabilities in Carlo Gavazzi EOS-Box with ...) @@ -2428,8 +2432,8 @@ CVE-2012-5650 (Cross-site scripting (XSS) vulnerability in the Futon UI in Apach CVE-2012-5649 [JSONP arbitrary code execution with Adobe Flash] RESERVED - couchdb 1.2.0-5 (bug #698439) -CVE-2012-5648 - RESERVED +CVE-2012-5648 (Multiple SQL injection vulnerabilities in Foreman before 1.0.2 allow ...) + TODO: check CVE-2012-5647 (Open redirect vulnerability in node-util/www/html/restorer.php in Red ...) NOT-FOR-US: OpenShift CVE-2012-5646 (node-util/www/html/restorer.php in the Red Hat OpenShift Origin before ...) 
@@ -2692,14 +2696,11 @@ CVE-2012-5568 (Apache Tomcat through 7.0.x allows remote attackers to cause a de [wheezy] - tomcat6 <no-dsa> (Minor issue) - tomcat7 <unfixed> (low) [wheezy] - tomcat7 <no-dsa> (Minor issue) -CVE-2012-5567 - RESERVED +CVE-2012-5567 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith ...) - kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid) -CVE-2012-5566 - RESERVED +CVE-2012-5566 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith ...) - kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid) -CVE-2012-5565 - RESERVED +CVE-2012-5565 (Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in ...) NOT-FOR-US: This doesn't seem to be packaged in sid's Horde and the imp3 and dimp1 packages from stable do not include the affected code CVE-2012-5564 (android-tools 4.1.1 in Android Debug Bridge (ADB) allows local users ...) - android-tools <unfixed> (bug #688280) @@ -4222,8 +4223,8 @@ CVE-2012-4922 (The tor_timegm function in common/util.c in Tor before 0.2.2.39, - tor 0.2.3.22-rc-1 CVE-2012-4921 RESERVED -CVE-2012-4920 - RESERVED +CVE-2012-4920 (Directory traversal vulnerability in the zing_forum_output function in ...) + TODO: check CVE-2012-4919 RESERVED CVE-2012-4918 (Call of Duty Elite for iOS 2.0.1 does not properly validate the server ...) @@ -10943,8 +10944,7 @@ CVE-2012-2217 (The HTC IQRD service for Android on the HTC EVO 4G before 4.67.65 NOT-FOR-US: Android CVE-2012-2216 RESERVED -CVE-2012-2095 [wicd command execution with root privileges] - RESERVED +CVE-2012-2095 (The SetWiredProperty function in the D-Bus interface in WICD before ...) - wicd 1.7.2.4-1 (low; bug #668397) [squeeze] - wicd 1.7.0+ds1-5+squeeze2 CVE-2012-2215 (Directory traversal vulnerability in the Preboot Service in Novell ...) 
@@ -11921,8 +11921,8 @@ CVE-2012-1836 (Heap-based buffer overflow in dns.cpp in InspIRCd 2.0.5 might all - inspircd 2.0.5-0.1 (bug #667914) CVE-2012-1835 (Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One ...) NOT-FOR-US: All-in-One Event Calendar plugin for WordPress -CVE-2012-1834 - RESERVED +CVE-2012-1834 (Cross-site scripting (XSS) vulnerability in the cms_tpv_admin_head ...) + TODO: check CVE-2012-1833 (VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2, does ...) NOT-FOR-US: Grails CVE-2012-1832 (WellinTech KingView 6.53 allows remote attackers to execute arbitrary ...) diff --git a/data/CVE/2013.list b/data/CVE/2013.list index 6bd935125a..c12eeb57ed 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -4346,8 +4346,7 @@ CVE-2013-5682 RESERVED CVE-2013-5681 RESERVED -CVE-2013-5680 [heap overflow] - RESERVED +CVE-2013-5680 (Heap-based buffer overflow in hfaxd in HylaFAX+ 5.2.4 through 5.5.3, ...) - hylafax <not-affected> (Not built with LDAP support) NOTE: http://www.securityfocus.com/archive/1/528943/30/0/threaded CVE-2013-5679 (The authenticated-encryption feature in the symmetric-encryption ...) @@ -7819,6 +7818,7 @@ CVE-2013-4324 (spice-gtk 0.14, and possibly other versions, invokes the polkit . CVE-2013-4323 RESERVED CVE-2013-4322 (Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before ...) + {DSA-2897-1} - tomcat6 6.0.39 - tomcat7 7.0.50 - tomcat8 <itp> (bug #722675) @@ -7944,6 +7944,7 @@ CVE-2013-4287 (Algorithmic complexity vulnerability in Gem::Version::VERSION_PAT NOTE: Non-issue, you trust the site providing the gem with installing arbitrary code, allowing NOTE: it a potential elevated CPU consumption doesn't add any extra harm CVE-2013-4286 (Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before ...) + {DSA-2897-1} - tomcat6 6.0.39 - tomcat7 7.0.47 - tomcat8 <itp> (bug #722675) 
@@ -8975,8 +8976,8 @@ CVE-2013-3932 RESERVED CVE-2013-3931 RESERVED -CVE-2013-3930 - RESERVED +CVE-2013-3930 (Stack-based buffer overflow in Core FTP before 2.2 build 1785 allows ...) + TODO: check CVE-2013-3929 (Cross-site scripting (XSS) vulnerability in admin/editevent.php in CMS ...) NOT-FOR-US: CMS Made Simple CVE-2013-3928 (Stack-based buffer overflow in the ReadFile function in flt_BMP.dll in ...) @@ -12890,8 +12891,8 @@ CVE-2013-2289 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: Batavi CVE-2013-2288 RESERVED -CVE-2013-2287 - RESERVED +CVE-2013-2287 (Multiple cross-site scripting (XSS) vulnerabilities in ...) + TODO: check CVE-2013-2286 RESERVED CVE-2013-2285 @@ -13610,6 +13611,7 @@ CVE-2013-2072 (Buffer overflow in the Python bindings for the xc_vcpu_setaffinit [squeeze] - xen <no-dsa> (Minor issue, can be postponed to the next Xen DSA) [wheezy] - xen <no-dsa> (Minor issue, can be postponed to the next Xen DSA) CVE-2013-2071 (java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat ...) + {DSA-2897-1} - tomcat7 7.0.40-1 (bug #707704) NOTE: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178 CVE-2013-2070 (http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and ...) @@ -13623,7 +13625,7 @@ CVE-2013-2069 (Red Hat livecd-tools before 13.4.4, 17.x before 17.17, 18.x befor CVE-2013-2068 (Multiple directory traversal vulnerabilities in the AgentController in ...) NOT-FOR-US: RedHat CloudForms Management Engine CVE-2013-2067 (java/org/apache/catalina/authenticator/FormAuthenticator.java in the ...) - {DSA-2725-1} + {DSA-2897-1 DSA-2725-1} - tomcat7 7.0.33 - tomcat6 6.0.37 CVE-2013-2066 (Buffer overflow in X.org libXv 1.0.7 and earlier allows X servers to ...) 
@@ -14024,8 +14026,7 @@ CVE-2013-1948 (converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-depe NOT-FOR-US: Ruby gem md2pdf CVE-2013-1947 (kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers ...) NOT-FOR-US: Ruby Gem kelredd-pruview -CVE-2013-1946 - RESERVED +CVE-2013-1946 (The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and ...) NOT-FOR-US: RESTful Web Services (RESTWS) Drupal cotributed module CVE-2013-1945 RESERVED diff --git a/data/CVE/2014.list b/data/CVE/2014.list index eaadd524c4..6d140c485b 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -1,3 +1,11 @@ +CVE-2014-2730 (The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and ...) + TODO: check +CVE-2014-2729 + RESERVED +CVE-2014-2728 + RESERVED +CVE-2014-2727 + RESERVED CVE-2014-XXXX [Open redirector] - redmine <unfixed> (bug #743828) NOTE: https://github.com/redmine/redmine/commit/7567c3d8b21fe67e5f04e6839c1fce061600f2f3 @@ -311,8 +319,7 @@ CVE-2014-2602 RESERVED CVE-2014-2601 RESERVED -CVE-2014-2600 - RESERVED +CVE-2014-2600 (Unspecified vulnerability in HP IceWall Identity Manager 4.0 through ...) NOT-FOR-US: HP CVE-2014-2598 RESERVED @@ -1180,8 +1187,7 @@ CVE-2014-2216 RESERVED CVE-2014-2215 RESERVED -CVE-2014-2210 - RESERVED +CVE-2014-2210 (Multiple directory traversal vulnerabilities in CA ERwin Web Portal ...) NOT-FOR-US: Erwin Web Portal CVE-2014-2209 RESERVED @@ -1309,12 +1315,12 @@ CVE-2014-2147 RESERVED CVE-2014-2146 RESERVED -CVE-2014-2145 - RESERVED -CVE-2014-2144 - RESERVED -CVE-2014-2143 - RESERVED +CVE-2014-2145 (Directory traversal vulnerability in the messaging API in Cisco Unity ...) + TODO: check +CVE-2014-2144 (Cisco IOS XR does not properly throttle ICMPv6 redirect packets, which ...) + TODO: check +CVE-2014-2143 (The IKE implementation in Cisco IOS 15.4(1)T and earlier and IOS XE ...) + TODO: check CVE-2014-2142 RESERVED CVE-2014-2141 
@@ -1365,14 +1371,14 @@ CVE-2014-2119 (The End User Safelist/Blocklist (aka SLBL) service in Cisco Async NOT-FOR-US: Cisco AsyncOS CVE-2014-2118 (Multiple cross-site scripting (XSS) vulnerabilities in ...) NOT-FOR-US: Cisco PRSM -CVE-2014-2117 - RESERVED -CVE-2014-2116 - RESERVED -CVE-2014-2115 - RESERVED -CVE-2014-2114 - RESERVED +CVE-2014-2117 (Multiple open redirect vulnerabilities in Cisco Emergency Responder ...) + TODO: check +CVE-2014-2116 (Cisco Emergency Responder (ER) 8.6 and earlier allows remote attackers ...) + TODO: check +CVE-2014-2115 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...) + TODO: check +CVE-2014-2114 (Cross-site scripting (XSS) vulnerability in UserServlet in Cisco ...) + TODO: check CVE-2014-2113 (Cisco IOS 15.1 through 15.3 and IOS XE 3.3 and 3.5 before 3.5.2E; 3.7 ...) NOT-FOR-US: Cisco IOS CVE-2014-2112 (The SSL VPN (aka WebVPN) feature in Cisco IOS 15.1 through 15.4 allows ...) @@ -1848,6 +1854,7 @@ CVE-2014-2031 [logic error] NOTE: https://github.com/samboy/MaraDNS/commit/f015495d221f1c2b2f10db38e87cecf3839d6093 CVE-2014-2030 RESERVED + {DSA-2898-1} - imagemagick 8:6.7.7.10+dfsg-1 (bug #740250) [squeeze] - imagemagick <not-affected> (CVE only for versions with r1448 applied) NOTE: for the issue in newer imagemagick versions using "L%06ld" string. @@ -1878,6 +1885,7 @@ CVE-2014-1959 (lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 NOTE: introduced by https://www.gitorious.org/gnutls/gnutls/commit/60ee8a0eb9975d123002b1cffbefd60a8cd5fae6 CVE-2014-1958 [PSD Images Processing RLE Decoding Buffer Overflow Vulnerability] RESERVED + {DSA-2898-1} - imagemagick 8:6.7.7.10+dfsg-1 (bug #740250) [squeeze] - imagemagick <not-affected> (DecodePSDPixels function is not present) NOTE: squeeze: DecodePSDPixels not present but there was a rewrite from DecodeImage? 
@@ -1902,6 +1910,7 @@ CVE-2014-1948 (OpenStack Image Registry and Delivery Service (Glance) 2013.2 thr NOTE: https://launchpad.net/bugs/1275062 CVE-2014-1947 [Buffer overflow vulnerability] RESERVED + {DSA-2898-1} - imagemagick 8:6.7.7.10+dfsg-1 (bug #740250) NOTE: http://trac.imagemagick.org/changeset/13736 - graphicsmagick <unfixed> @@ -4053,8 +4062,8 @@ CVE-2014-0829 (Multiple buffer overflows in IBM Rational ClearCase 7.x before .. NOT-FOR-US: IBM Rational ClearCase CVE-2014-0828 (Cross-site scripting (XSS) vulnerability in the WCM (Web Content ...) NOT-FOR-US: IBM WebSphere Portal -CVE-2014-0827 - RESERVED +CVE-2014-0827 (Cross-site scripting (XSS) vulnerability in IBM InfoSphere Optim ...) + TODO: check CVE-2014-0826 RESERVED CVE-2014-0825 @@ -4132,8 +4141,8 @@ CVE-2014-0791 (Integer overflow in the license_read_scope_list function in ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=998941 NOTE: https://github.com/FreeRDP/FreeRDP/commit/f1d6afca6ae620f9855a33280bdc6f3ad9153be0#diff-b6d68bbca6e0f5875c57ef225cd65c45 NOTE: A malicous license has simpler means to DoS a RDP client, e.g. by simply stating that no valid license exists etc. -CVE-2014-0789 - RESERVED +CVE-2014-0789 (Multiple buffer overflows in the OPC Automation 2.0 Server Object ...) + TODO: check CVE-2014-0788 RESERVED CVE-2014-0787 @@ -4435,11 +4444,9 @@ CVE-2014-0640 RESERVED CVE-2014-0639 RESERVED -CVE-2014-0638 - RESERVED +CVE-2014-0638 (Cross-site scripting (XSS) vulnerability in RSA Adaptive ...) NOT-FOR-US: RSA Adaptive Authentication -CVE-2014-0637 - RESERVED +CVE-2014-0637 (Cross-site scripting (XSS) vulnerability in the back-office ...) NOT-FOR-US: RSA Adaptive Authentication CVE-2014-0636 RESERVED 
@@ -4529,8 +4536,8 @@ CVE-2014-0594 RESERVED CVE-2014-0593 RESERVED -CVE-2014-0592 - RESERVED +CVE-2014-0592 (Barclamp (aka barclamp-network) 1.7 for the Crowbar Framework, as used ...) + TODO: check CVE-2014-0591 (The query_findclosestnsec3 function in query.c in named in ISC BIND ...) - bind9 1:9.9.5.dfsg-2 (bug #735190) [wheezy] - bind9 <not-affected> (Only exploitable in combination with glibc 2.17 and later) @@ -5083,7 +5090,7 @@ CVE-2014-0348 CVE-2014-0347 RESERVED CVE-2014-0346 - RESERVED + REJECTED CVE-2014-0345 RESERVED CVE-2014-0344 (Properties.do in ZOHO ManageEngine OpStor before build 8500 does not ...) @@ -5100,8 +5107,8 @@ CVE-2014-0339 (Cross-site scripting (XSS) vulnerability in view.cgi in Webmin be NOT-FOR-US: Webmin CVE-2014-0338 (Multiple cross-site scripting (XSS) vulnerabilities in the firewall ...) NOT-FOR-US: WatchGuard Fireware XTM -CVE-2014-0337 - RESERVED +CVE-2014-0337 (Cross-site scripting (XSS) vulnerability in the web interface on ...) + TODO: check CVE-2014-0336 (Cross-site request forgery (CSRF) vulnerability in the web client in ...) NOT-FOR-US: Serena Dimensions CM CVE-2014-0335 (Multiple cross-site scripting (XSS) vulnerabilities in the web client ...) @@ -5457,8 +5464,7 @@ CVE-2014-0162 RESERVED CVE-2014-0161 RESERVED -CVE-2014-0160 [OpenSSL 1.0.1 TLS/DTLS heartbeat information disclosure] - RESERVED +CVE-2014-0160 (The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before ...) {DSA-2896-1} - openssl 1.0.1g-1 (bug #743883) [squeeze] - openssl <not-affected> (vulnerable code introduced in upstream commit 4817504) @@ -5845,7 +5851,7 @@ CVE-2014-0052 CVE-2014-0051 RESERVED CVE-2014-0050 (MultipartStream.java in Apache Commons FileUpload before 1.3.1, as ...) - {DSA-2856-1} + {DSA-2897-1 DSA-2856-1} - libcommons-fileupload-java 1.3.1-1 - tomcat7 7.0.52-1 - tomcat6 <not-affected> (access to Manager application limited to authenticated administrators) |
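Review bot: in the data/CVE/2001.list hunk, the retained `[wheezy] - a2ps <no-dsa> (Minor issue)` line now contradicts the `{DSA-2892-1}` reference added directly above it; if that DSA fixed a2ps in wheezy, drop the no-dsa override so the wheezy status is not recorded as both fixed by an advisory and deliberately left unfixed.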
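Review bot: in the first data/CVE/2012.list hunk, the `TODO: check` left under CVE-2012-6640 (Horde Internet Mail) should be resolved against the same packages the file already triaged for CVE-2012-5565 a few hunks further down (imp3 and dimp1 in stable, the Horde packages in sid); if the affected code is absent there as well, a NOT-FOR-US line carrying that rationale is better than an open TODO sitting beside an already-settled Horde entry.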
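Review bot: in the CVE-2013-5680 hunk of data/CVE/2013.list, the `hylafax <not-affected> (Not built with LDAP support)` rationale is now paired with a description that names HylaFAX+ 5.2.4 through 5.5.3, a separate fork; the rationale should say whether the Debian hylafax package is that fork at all, because "different codebase" is the stronger reason if it is not, with the LDAP build option only the secondary one.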
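Review bot: `{DSA-2897-1}` is added to CVE-2013-4322, CVE-2013-4286, CVE-2013-2071 and CVE-2013-2067 in data/CVE/2013.list and to CVE-2014-0050 in data/CVE/2014.list; worth confirming that these five entries are exactly the CVEs the advisory lists, since a missed one would still show as open in wheezy after the DSA, and the `tomcat8 <itp> (bug #722675)` lines under the first two stay as they were, which is correct only while tomcat8 remains unpackaged.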
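Review bot: the context line `NOT-FOR-US: RESTful Web Services (RESTWS) Drupal cotributed module` in the CVE-2013-1946 hunk of data/CVE/2013.list misspells "contributed"; since this hunk already touches that entry, fixing the typo here is cheap.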
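Review bot: in the three data/CVE/2014.list hunks that add `{DSA-2898-1}` (CVE-2014-2030, CVE-2014-1958, CVE-2014-1947), CVE-2014-1947 still carries `- graphicsmagick <unfixed>` after the imagemagick NOTE line, which the imagemagick advisory does not resolve, so graphicsmagick must stay tracked as open there; and the trailing question in the CVE-2014-1958 NOTE (`there was a rewrite from DecodeImage?`) should be answered now that the advisory is out rather than left beside a squeeze `<not-affected>`.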
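Review bot: the seven Cisco entries that move from RESERVED to `TODO: check` in data/CVE/2014.list (CVE-2014-2143 through CVE-2014-2145 and CVE-2014-2114 through CVE-2014-2117) describe Cisco Unity, IOS XR, IOS/IOS XE and Emergency Responder, products the surrounding context lines already close as `NOT-FOR-US: Cisco ...` (CVE-2014-2113, CVE-2014-2118, CVE-2014-2119); the automatic update rightly leaves the TODO, but these can be closed the same way in the follow-up triage.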