field | value | date
---|---|---
author | Joey Hess <joeyh@debian.org> | 2014-07-23 21:14:13 +0000
committer | Joey Hess <joeyh@debian.org> | 2014-07-23 21:14:13 +0000
commit | 7ae55d5acb018ee304097c238931d09b9d3d670f |
tree | 7006711efeebf85a86b89decf2c3a3c98efbac03 |
parent | fd4a8a3244b4bf836a7bcfcd9adbc13da4489a13 |
automatic update
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@27926 e39458fd-73e7-0310-bf30-c45bca0a0e42
mode | file | lines changed
---|---|---
-rw-r--r-- | data/CVE/2002.list | 1
-rw-r--r-- | data/CVE/2008.list | 1
-rw-r--r-- | data/CVE/2011.list | 2
-rw-r--r-- | data/CVE/2012.list | 5
-rw-r--r-- | data/CVE/2013.list | 18
-rw-r--r-- | data/CVE/2014.list | 378
6 files changed, 229 insertions, 176 deletions
diff --git a/data/CVE/2002.list b/data/CVE/2002.list index ee9db27e8f..03cf206787 100644 --- a/data/CVE/2002.list +++ b/data/CVE/2002.list @@ -1,6 +1,7 @@ CVE-2002-2483 - linux-2.6 2.4.20 CVE-2002-2444 [snoopy: Security hole in exec cURL] + RESERVED - libphp-snoopy <not-affected> (affected version never was in the repo) NOTE: http://www.openwall.com/lists/oss-security/2014/07/18/2 NOTE: http://sourceforge.net/p/snoopy/bugs/13/ diff --git a/data/CVE/2008.list b/data/CVE/2008.list index f5279f0eb5..edf3fc6f9a 100644 --- a/data/CVE/2008.list +++ b/data/CVE/2008.list @@ -1,4 +1,5 @@ CVE-2008-7313 [Incomplete fix for CVE-2008-4796] + RESERVED - libphp-snoopy <unfixed> NOTE: additional commit missing, so fix for CVE-2008-4796 was incomplete NOTE: http://snoopy.cvs.sourceforge.net/viewvc/snoopy/Snoopy/Snoopy.class.php?view=log#rev1.27 diff --git a/data/CVE/2011.list b/data/CVE/2011.list index 1132167c99..9ea6ffdfce 100644 --- a/data/CVE/2011.list +++ b/data/CVE/2011.list @@ -1,3 +1,5 @@ +CVE-2011-5281 + RESERVED CVE-2011-5280 (Multiple stack-based buffer overflows in BOINC 6.13.x allow remote ...) - boinc 7.0.2+dfsg-1 (low) [squeeze] - boinc <no-dsa> (Minor issue) diff --git a/data/CVE/2012.list b/data/CVE/2012.list index f767ced1cd..4771e00f31 100644 --- a/data/CVE/2012.list +++ b/data/CVE/2012.list @@ -366,7 +366,7 @@ CVE-2012-6508 (Multiple cross-site request forgery (CSRF) vulnerabilities in Net NOT-FOR-US: NetArt Media Car Portal CVE-2012-6507 (Multiple SQL injection vulnerabilities in admin.php in ChurchCMS 0.0.1 ...) NOT-FOR-US: ChurchCMS -CVE-2012-6506 (Multiple cross-site scripting (XSS) vulnerabilities in he Zingiri Web ...) +CVE-2012-6506 (Multiple cross-site scripting (XSS) vulnerabilities in the Zingiri Web ...) NOT-FOR-US: Zingiri Web Shop wordpress plugin not in Debian CVE-2012-6505 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: PHP Volunteer Management not in Debian 
@@ -9839,8 +9839,7 @@ CVE-2012-2684 (Multiple SQL injection vulnerabilities in the ...) NOT-FOR-US: Cumin CVE-2012-2683 (Multiple cross-site scripting (XSS) vulnerabilities in Cumin before ...) NOT-FOR-US: Cumin -CVE-2012-2682 - RESERVED +CVE-2012-2682 (Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG ...) NOT-FOR-US: Cumin CVE-2012-2681 (Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, ...) NOT-FOR-US: Cumin diff --git a/data/CVE/2013.list b/data/CVE/2013.list index a2141e8260..fcce9bf2eb 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -1,3 +1,9 @@ +CVE-2013-7392 (Gitlist allows remote attackers to execute arbitrary commands via ...) + TODO: check +CVE-2013-7391 (The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using ...) + TODO: check +CVE-2013-7390 + RESERVED CVE-2013-7389 (Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 ...) NOT-FOR-US: D-Link router CVE-2013-7388 (Heap-based buffer overflow in paintlib, as used in Trimble SketchUp ...) @@ -7841,8 +7847,7 @@ CVE-2013-4353 (The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 befo {DSA-2837-1} - openssl 1.0.1f-1 [squeeze] - openssl <not-affected> (Only affects 1.0.1 to 1.0.1e) -CVE-2013-4352 - RESERVED +CVE-2013-4352 (The cache_invalidate function in modules/cache/cache_storage.c in the ...) - apache2 2.4.7-1 (low) NOTE: According to http://httpd.apache.org/security/vulnerabilities_24.html this should only affect NOTE: 2.4.6, but that seems wrong, since 2.4.6 was a single-change regression update 
@@ -8120,8 +8125,7 @@ CVE-2013-4275 NOT-FOR-US: Drupal contributed module Zen CVE-2013-4274 (Cross-site scripting (XSS) vulnerability in the ...) NOT-FOR-US: Drupal addon -CVE-2013-4273 - RESERVED +CVE-2013-4273 (The Entity API module 7.x-1.x before 7.x-1.2 for Drupal does not ...) NOT-FOR-US: Drupal contributed module Entity API CVE-2013-4272 (The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x ...) NOT-FOR-US: Drupal addon @@ -13898,7 +13902,7 @@ CVE-2013-2023 (Cross-site scripting (XSS) vulnerability in actionscript/Jplayer. - jquery-jplayer 2.1.0-2 NOTE: used for jPlayer 2.2.23 XSS NOTE: http://www.openwall.com/lists/oss-security/2013/05/05/3 -CVE-2013-2022 (Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in ...) +CVE-2013-2022 (Multiple cross-site scripting (XSS) vulnerabilities in ...) - jquery-jplayer 2.1.0-2 NOTE: https://github.com/happyworm/jPlayer/commit/c5fe17bb4459164bd59153b57248cf94b8867373 NOTE: used for jPlayer 2.2.20 XSS @@ -14174,7 +14178,7 @@ CVE-2013-1944 (The tailMatch function in cookie.c in cURL and libcurl before 7.3 CVE-2013-1943 (The KVM subsystem in the Linux kernel before 3.0 does not check ...) - linux <not-affected> (RHEL-specific backport regression) - linux-2.6 <not-affected> (RHEL-specific backport regression) -CVE-2013-1942 (Cross-site scripting (XSS) vulnerability in actionscript/Jplayer.as in ...) +CVE-2013-1942 (Multiple cross-site scripting (XSS) vulnerabilities in ...) - owncloud <not-affected> (Depends on libjs-jquery-jplayer) - jquery-jplayer 2.1.0-2 NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-014/ 
@@ -15851,7 +15855,7 @@ CVE-2013-1466 (Multiple cross-site scripting (XSS) vulnerabilities in glFusion b NOT-FOR-US: glFusion CVE-2013-1465 (The Cubecart::_basket method in classes/cubecart.class.php in CubeCart ...) NOT-FOR-US: CubeCart -CVE-2013-1464 (Cross-site scripting (XSS) vulnerability in ssets/player.swf in the ...) +CVE-2013-1464 (Cross-site scripting (XSS) vulnerability in assets/player.swf in the ...) {DSA-2772-1} - typo3-src 4.5.29+dfsg1-1 [squeeze] - typo3-src <no-dsa> (Too intrusive to backport) diff --git a/data/CVE/2014.list b/data/CVE/2014.list index 01c827aa41..82aea24ec6 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list 
@@ -1,71 +1,140 @@ +CVE-2014-5043 + RESERVED +CVE-2014-5042 + RESERVED +CVE-2014-5041 + RESERVED +CVE-2014-5040 + RESERVED +CVE-2014-5039 + RESERVED +CVE-2014-5038 + RESERVED +CVE-2014-5037 + RESERVED +CVE-2014-5036 + RESERVED +CVE-2014-5035 + RESERVED +CVE-2014-5034 + RESERVED +CVE-2014-5023 (Repository.php in Gitter, as used in Gitlist, allows remote attackers ...) + TODO: check +CVE-2014-5018 (Incomplete blacklist vulnerability in the autoEscape function in ...) + TODO: check +CVE-2014-5017 (SQL injection vulnerability in CPDB in ...) + TODO: check +CVE-2014-5016 (Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey ...) + TODO: check +CVE-2014-5014 + RESERVED +CVE-2014-5013 + RESERVED +CVE-2014-5012 + RESERVED +CVE-2014-5011 + RESERVED +CVE-2014-5010 + RESERVED +CVE-2014-5007 + RESERVED +CVE-2014-5006 + RESERVED +CVE-2014-5005 + RESERVED CVE-2014-XXXX [vfs: refcount issues during unmount on symlink] - linux <unfixed> - linux-2.6 <removed> NOTE: https://lkml.org/lkml/2014/7/21/98 CVE-2014-5033 [kauth authentication bypass] + RESERVED - kde4libs <unfixed> (bug #755814) NOTE: https://bugzilla.novell.com/show_bug.cgi?id=864716 NOTE: http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23 CVE-2014-5032 [glpi: unprivileged users can access cost information] + RESERVED - glpi <unfixed> (unimportant) NOTE: CVE request http://www.openwall.com/lists/oss-security/2014/07/22/6 NOTE: Only supported behind an authenticated HTTP zone CVE-2014-5031 [file/directory does not have world read permissions for dirctory index files] + RESERVED - cups 1.7.4-2 NOTE: https://cups.org/str.php?L4455 CVE-2014-5030 [dissalow symlinks for directory index files] + RESERVED - cups 1.7.4-2 NOTE: https://cups.org/str.php?L4455 CVE-2014-5029 [Incomplete fix CVE-2014-3537] + RESERVED - cups 1.7.4-2 NOTE: https://cups.org/str.php?L4455 CVE-2014-5028 + RESERVED - reviewboard <itp> (bug #653113) CVE-2014-5027 + RESERVED - reviewboard <itp> (bug #653113) 
CVE-2014-5026 [XSS vulnerability] + RESERVED - cacti <unfixed> NOTE: http://bugs.cacti.net/view.php?id=2456 CVE-2014-5025 [XSS vulnerability] + RESERVED - cacti <unfixed> NOTE: http://bugs.cacti.net/view.php?id=2456 CVE-2014-5024 + RESERVED NOT-FOR-US: DELL SonicWALL GMS CVE-2014-5015 [basic http authentication bypass] + RESERVED - bozohttpd <unfixed> (bug #755197) [wheezy] - bozohttpd <no-dsa> (Minor issue) [squeeze] - bozohttpd <no-dsa> (Minor issue) CVE-2014-5009 [Incorrect fix for CVE-2014-5008] + RESERVED - libphp-snoopy <not-affected> (Incorrect fix not applied) NOTE: This issue exists because of an incorrect fix for CVE-2014-5008. NOTE: https://github.com/cogdog/feed2js/pull/12#issuecomment-48283706 CVE-2014-5008 [Incorrect fix for CVE-2008-4796, escapeshellarg required] + RESERVED - libphp-snoopy <unfixed> NOTE: http://mstrokin.com/sec/feed2js-magpierss-0day-vulnerability-not-really-it-is-actually-cve-2005-3330-cve-2008-4796/ NOTE: This issue exists because of an incorrect fix for CVE-2008-4796 (i.e., use of escapeshellcmd where escapeshellarg was required). 
CVE-2014-5004 [Ruby Gem brbackup-0.1.1: exposes the database password to the command line] + RESERVED NOT-FOR-US: Ruby Gem brbackup CVE-2014-5003 [Ruby Gem ciborg-3.0.0: race condition when creating /tmp/perlbrew-installer] + RESERVED NOT-FOR-US: Ruby Gem ciborg CVE-2014-5002 [Ruby Gem lynx-0.2.0: expose the password to the process table] + RESERVED NOT-FOR-US: Ruby Gem lynx CVE-2014-5001 [Ruby Gem kcapifony-2.1.6: expose the password to the process table] + RESERVED NOT-FOR-US: Ruby Gem kcapifony CVE-2014-5000 [Ruby Gem lawn-login-0.0.7: exposes the mysql password to the process table] + RESERVED NOT-FOR-US: Ruby Gem lawn-login CVE-2014-4999 [Ruby Gem kajam-1.0.3.rc2: exposes the mysql password to the process table] + RESERVED NOT-FOR-US: Ruby Gem kajam CVE-2014-4998 [Ruby Gem lean-ruport-0.3.8: exposes the mysql password to the process table] + RESERVED NOT-FOR-US: Ruby Gem lean-ruport CVE-2014-4997 [Ruby Gem point-cli-0.0.1: exposes the username and password combination to the process table] + RESERVED NOT-FOR-US: Ruby Gem point-cli CVE-2014-4996 [Ruby Gem VladTheEnterprising-0.2: clobber files via symlink attack] + RESERVED NOT-FOR-US: Ruby Gem VladTheEnterprising CVE-2014-4995 [Ruby Gem VladTheEnterprising-0.2: Information Leakage] + RESERVED NOT-FOR-US: Ruby Gem VladTheEnterprising CVE-2014-4994 [Ruby Gem gyazo-1.0.0: Insecure Temporary File] + RESERVED NOT-FOR-US: Ruby Gem gyazo CVE-2014-4993 [Ruby Gems backup-agoddard and backup_checksum: expose the password to the process table] + RESERVED NOT-FOR-US: Ruby Gems backup-agoddard and backup_checksum CVE-2014-4992 [Ruby Gem cap-strap-0.1.5: expose the password to the process table] RESERVED 
@@ -79,13 +148,11 @@ CVE-2014-4989 RESERVED CVE-2014-4988 RESERVED -CVE-2014-4987 [PMASA-2014-7 Access for an unprivileged user to MySQL user list.] - RESERVED +CVE-2014-4987 (server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x ...) - phpmyadmin 4:4.2.6-1 (low) [wheezy] - phpmyadmin <not-affected> (Vulnerable code not present) [squeeze] - phpmyadmin <not-affected> (Vulnerable code not present) -CVE-2014-4986 [PMASA-2014-6 Multiple XSS in AJAX confirmation messages.] - RESERVED +CVE-2014-4986 (Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js ...) - phpmyadmin 4:4.2.6-1 (low) [wheezy] - phpmyadmin <no-dsa> (Minor issue) [squeeze] - phpmyadmin <no-dsa> (Minor issue) 
@@ -107,19 +174,23 @@ CVE-2014-4977 (Multiple SQL injection vulnerabilities in Dell SonicWall Scrutini TODO: check CVE-2014-4976 (Dell SonicWall Scrutinizer 11.0.1 allows remote authenticated users to ...) TODO: check -CVE-2014-5022 [Cross-site scripting - Ajax system] +CVE-2014-5022 (Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal ...) + {DSA-2983-1} - drupal6 <not-affected> (Only affects Drupal 7 core) - drupal7 7.29-1 (bug #755038) NOTE: https://www.drupal.org/SA-CORE-2014-003 -CVE-2014-5021 [Cross-site scripting - Form API option groups] +CVE-2014-5021 (Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x ...) + {DSA-2983-1} - drupal6 <removed> - drupal7 7.29-1 (bug #755038) NOTE: https://www.drupal.org/SA-CORE-2014-003 -CVE-2014-5020 [Access bypass] +CVE-2014-5020 (The File module in Drupal 7.x before 7.29 does not properly check ...) + {DSA-2983-1} - drupal6 <not-affected> (Only affects Drupal 7 core) - drupal7 7.29-1 (bug #755038) NOTE: https://www.drupal.org/SA-CORE-2014-003 -CVE-2014-5019 [Denial of service with malicious HTTP Host header] +CVE-2014-5019 (The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 ...) + {DSA-2983-1} - drupal6 <removed> - drupal7 7.29-1 (bug #755038) NOTE: https://www.drupal.org/SA-CORE-2014-003 @@ -163,8 +234,8 @@ CVE-2014-4962 (Shopizer 1.1.5 and earlier allows remote attackers to reduce the TODO: check CVE-2014-4961 RESERVED -CVE-2014-4960 - RESERVED +CVE-2014-4960 (Multiple SQL injection vulnerabilities in models\gallery.php in ...) + TODO: check CVE-2014-4959 RESERVED CVE-2014-4958 
@@ -173,13 +244,12 @@ CVE-2014-4957 RESERVED CVE-2014-4956 RESERVED -CVE-2014-4955 [PMASA-2014-5 Self-XSS due to unescaped HTML output in database triggers page.] - RESERVED +CVE-2014-4955 (Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList ...) - phpmyadmin 4:4.2.6-1 (low) [wheezy] - phpmyadmin <not-affected> (Vulnerable code not present) [squeeze] - phpmyadmin <not-affected> (Vulnerable code not present) -CVE-2014-4954 - RESERVED +CVE-2014-4954 (Cross-site scripting (XSS) vulnerability in the ...) + TODO: check CVE-2014-4953 RESERVED CVE-2014-4952 @@ -190,18 +260,17 @@ CVE-2014-4950 RESERVED CVE-2014-4949 RESERVED -CVE-2014-4948 - RESERVED -CVE-2014-4947 - RESERVED +CVE-2014-4948 (Unspecified vulnerability in Citrix XenServer 6.2 Service Pack 1 and ...) + TODO: check +CVE-2014-4947 (Buffer overflow in the HVM graphics console support in Citrix ...) + TODO: check CVE-2014-4946 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet ...) TODO: check CVE-2014-4945 (Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet ...) TODO: check CVE-2014-4944 (Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in ...) NOT-FOR-US: WordPress plugin -CVE-2014-4943 [privilege escalation in ppp over l2tp sockets] - RESERVED +CVE-2014-4943 (The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel ...) - linux 3.14.13-1 - linux-2.6 <removed> NOTE: upstream commit: https://git.kernel.org/linus/3cf521f7dc87c031617fd47e4b7aa2593c2f3daf @@ -607,8 +676,7 @@ CVE-2014-4736 RESERVED CVE-2014-4735 RESERVED -CVE-2014-4734 - RESERVED +CVE-2014-4734 (Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 ...) NOT-FOR-US: e107 CVE-2014-4733 RESERVED 
@@ -661,8 +729,7 @@ CVE-2014-4913 [ZF2014-03: Potential XSS vector in multiple view helpers] - zendframework <undetermined> NOTE: http://framework.zend.com/security/advisory/ZF2014-03 TODO: check -CVE-2014-4911 [polarssl: Denial of Service against GCM enabled servers and clients] - RESERVED +CVE-2014-4911 (The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before ...) {DSA-2981-1} - polarssl 1.3.7-2.1 (bug #754655) NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02 @@ -786,7 +853,7 @@ CVE-2014-4674 RESERVED CVE-2014-4673 RESERVED -CVE-2014-4672 (The CDetailView widget in Yii PHP Framework before 1.1.15 allows ...) +CVE-2014-4672 (The CDetailView widget in Yii PHP Framework 1.1.14 allows remote ...) - yii-framework-php <itp> (bug #683810) CVE-2014-4671 (Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on ...) NOT-FOR-US: Adobe Flash @@ -1162,8 +1229,8 @@ CVE-2014-4513 (Multiple cross-site scripting (XSS) vulnerabilities in ...) NOT-FOR-US: WordPress plugin ActiveHelper LiveHelp Live Chat CVE-2014-4512 RESERVED -CVE-2014-4511 - RESERVED +CVE-2014-4511 (Gitlist before 0.5.0 allows remote attackers to execute arbitrary ...) + TODO: check CVE-2014-4509 (The MKDQUOTESAFE function in the Fan-out driver scripts in Fan-Out ...) NOT-FOR-US: Novell Identity Manager CVE-2014-4507 (Directory traversal vulnerability in Smart-Proxy in Foreman before ...) 
@@ -1544,12 +1611,10 @@ CVE-2014-4343 [double-free in SPNEGO initiators] RESERVED - krb5 <unfixed> (bug #755520) NOTE: https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f -CVE-2014-4342 [Handle invalid RFC 1964 tokens] - RESERVED +CVE-2014-4342 (MIT Kerberos 5 (aka krb5) 1.7.x through 1.12.x before 1.12.2 allows ...) - krb5 1.12.1+dfsg-4 (bug #753625) NOTE: https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d -CVE-2014-4341 [Handle invalid RFC 1964 tokens] - RESERVED +CVE-2014-4341 (MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to ...) - krb5 1.12.1+dfsg-4 (bug #753624) NOTE: https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d CVE-2014-4340 @@ -1564,8 +1629,8 @@ CVE-2014-4333 (Cross-site request forgery (CSRF) vulnerability in ...) NOT-FOR-US: Dolphin (php thing) CVE-2014-4332 RESERVED -CVE-2014-4331 - RESERVED +CVE-2014-4331 (Cross-site scripting (XSS) vulnerability in admin/viewer.php in ...) + TODO: check CVE-2014-4330 RESERVED CVE-2014-4329 (Cross-site scripting (XSS) vulnerability in lua/host_details.lua in ...) @@ -1574,8 +1639,8 @@ CVE-2014-4328 RESERVED CVE-2014-4327 RESERVED -CVE-2014-4326 - RESERVED +CVE-2014-4326 (Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote ...) + TODO: check CVE-2014-4325 RESERVED CVE-2014-4324 
@@ -1691,13 +1756,13 @@ CVE-2014-4270 (Unspecified vulnerability in the Hyperion Common Admin component CVE-2014-4269 (Unspecified vulnerability in the Hyperion Common Admin component in ...) TODO: check CVE-2014-4268 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4267 (Unspecified vulnerability in the Oracle WebLogic Server component in ...) TODO: check CVE-2014-4266 (Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 NOTE: http://hg.openjdk.java.net/jdk6/jdk6/jdk/rev/de40a32a44f5 - openjdk-7 7u65-2.5.1-1 @@ -1706,15 +1771,16 @@ CVE-2014-4265 (Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 a - openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-4264 (Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote ...) + {DSA-2987-1} - openjdk-6 <not-affected> (Vulnerable code not present) - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/c084492f9e3d CVE-2014-4263 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4262 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4261 (Unspecified vulnerability in the Oracle VM VirtualBox component in ...) 
@@ -1745,7 +1811,7 @@ CVE-2014-4254 (Unspecified vulnerability in the Oracle WebLogic Server component CVE-2014-4253 (Unspecified vulnerability in the Oracle WebLogic Server component in ...) TODO: check CVE-2014-4252 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4251 (Unspecified vulnerability in the Oracle HTTP Server component in ...) @@ -1764,7 +1830,7 @@ CVE-2014-4246 (Unspecified vulnerability in the Hyperion Analytic Provider Servi CVE-2014-4245 (Unspecified vulnerability in the RDBMS Core component in Oracle ...) TODO: check CVE-2014-4244 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4243 (Unspecified vulnerability in the MySQL Server component in Oracle ...) @@ -1824,12 +1890,14 @@ CVE-2014-4225 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local u CVE-2014-4224 (Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11.1 ...) TODO: check CVE-2014-4223 (Unspecified vulnerability in Oracle Java SE 7u60 allows remote ...) + {DSA-2987-1} - openjdk-6 <not-affected> (Vulnerable code not present) - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/84bce1b3d28a CVE-2014-4222 (Unspecified vulnerability in the Oracle HTTP Server component in ...) TODO: check CVE-2014-4221 (Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote ...) + {DSA-2987-1} - openjdk-6 <not-affected> (Vulnerable code not present) - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/bac16c82c14a 
@@ -1837,17 +1905,17 @@ CVE-2014-4220 (Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows r - openjdk-6 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2014-4219 (Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4218 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4217 (Unspecified vulnerability in the Oracle WebLogic Server component in ...) TODO: check CVE-2014-4216 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4215 (Unspecified vulnerability in Oracle Solaris 10 and 11.1 allows local ...) @@ -1866,7 +1934,7 @@ CVE-2014-4211 (Unspecified vulnerability in the Oracle WebCenter Portal componen CVE-2014-4210 (Unspecified vulnerability in the Oracle WebLogic Server component in ...) TODO: check CVE-2014-4209 (Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 - openjdk-7 7u65-2.5.1-1 CVE-2014-4208 (Unspecified vulnerability in the Java SE component in Oracle Java SE ...) 
@@ -2573,12 +2641,12 @@ CVE-2014-3896 RESERVED CVE-2014-3895 RESERVED -CVE-2014-3894 - RESERVED +CVE-2014-3894 (Cross-site scripting (XSS) vulnerability in PHP Kobo Multifunctional ...) + TODO: check CVE-2014-3893 RESERVED -CVE-2014-3892 - RESERVED +CVE-2014-3892 (Cross-site scripting (XSS) vulnerability in Nexa Meridian before 2014 ...) + TODO: check CVE-2014-3891 (Buffer overflow in RimArts Becky! Internet Mail before 2.68 allows ...) TODO: check CVE-2014-3890 (silex SX-2000WG devices with firmware before 1.5.4 allow remote ...) @@ -2589,12 +2657,12 @@ CVE-2014-3888 (Stack-based buffer overflow in BKFSim_vhfd.exe in Yokogawa CENTUM TODO: check CVE-2014-3887 RESERVED -CVE-2014-3886 - RESERVED -CVE-2014-3885 - RESERVED -CVE-2014-3884 - RESERVED +CVE-2014-3886 (Cross-site scripting (XSS) vulnerability in Webmin before 1.690, when ...) + TODO: check +CVE-2014-3885 (Cross-site scripting (XSS) vulnerability in Webmin before 1.690 allows ...) + TODO: check +CVE-2014-3884 (Cross-site scripting (XSS) vulnerability in Usermin before 1.600 ...) + TODO: check CVE-2014-3883 (Usermin before 1.600 allows remote attackers to execute arbitrary ...) NOT-FOR-US: Usermin CVE-2014-3882 (Cross-site request forgery (CSRF) vulnerability in the Login rebuilder ...) @@ -3372,14 +3440,12 @@ CVE-2014-3534 [Kernel memory protection bypass on s390] RESERVED - linux <unfixed> - linux-2.6 <not-affected> (Vulnerable code was introduced later) -CVE-2014-3533 [DoS] - RESERVED +CVE-2014-3533 (dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to ...) {DSA-2971-1} - dbus 1.8.6-1 [squeeze] - dbus <not-affected> (Vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=80469 -CVE-2014-3532 [DoS] - RESERVED +CVE-2014-3532 (dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux ...) {DSA-2971-1} - dbus 1.8.6-1 [squeeze] - dbus <not-affected> (Fix for other kernel version) 
@@ -3387,8 +3453,7 @@ CVE-2014-3532 [DoS] CVE-2014-3531 RESERVED - foreman <itp> (bug #663101) -CVE-2014-3530 - RESERVED +CVE-2014-3530 (The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory ...) NOT-FOR-US: PicketLink CVE-2014-3529 RESERVED @@ -3403,8 +3468,7 @@ CVE-2014-3525 - trafficserver 5.0.1-1 CVE-2014-3524 RESERVED -CVE-2014-3523 [WinNT MPM denial of service] - RESERVED +CVE-2014-3523 (Memory leak in the winnt_accept function in server/mpm/winnt/child.c ...) - apache2 <not-affected> (Affects only Windows systems) CVE-2014-3522 RESERVED @@ -3418,8 +3482,7 @@ CVE-2014-3519 RESERVED - linux-2.6 <not-affected> (Vulnerable code not yet present) - linux <not-affected> (Kernels after squeeze no longer contain the openvz flavour) -CVE-2014-3518 - RESERVED +CVE-2014-3518 (jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss ...) NOT-FOR-US: JBoss Application Server CVE-2014-3517 [Use of non-constant time comparison operation] RESERVED @@ -3973,18 +4036,18 @@ CVE-2014-3327 RESERVED CVE-2014-3326 RESERVED -CVE-2014-3325 - RESERVED +CVE-2014-3325 (Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified ...) + TODO: check CVE-2014-3324 RESERVED -CVE-2014-3323 - RESERVED +CVE-2014-3323 (Directory traversal vulnerability in Cisco Unified Contact Center ...) + TODO: check CVE-2014-3322 RESERVED -CVE-2014-3321 - RESERVED -CVE-2014-3320 - RESERVED +CVE-2014-3321 (Cisco IOS XR 4.3.4 and earlier on ASR 9000 devices, when bridge-group ...) + TODO: check +CVE-2014-3320 (Multiple open redirect vulnerabilities in the admin web interface in ...) + TODO: check CVE-2014-3319 (Directory traversal vulnerability in the Real-Time Monitoring Tool ...) NOT-FOR-US: Cisco Unified Communications Manager CVE-2014-3318 (Directory traversal vulnerability in dna/viewfilecontents.do in the ...) 
@@ -4011,8 +4074,8 @@ CVE-2014-3308 (Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a st NOT-FOR-US: Cisco IOS XR CVE-2014-3307 (The DHCP client implementation in Universal Small Cell firmware on ...) NOT-FOR-US: Cisco Small Cell -CVE-2014-3306 - RESERVED +CVE-2014-3306 (The web server on Cisco DPC3010, DPC3212, DPC3825, DPC3925, DPQ3925, ...) + TODO: check CVE-2014-3305 RESERVED CVE-2014-3304 @@ -4381,20 +4444,18 @@ CVE-2014-3164 RESERVED CVE-2014-3163 RESERVED -CVE-2014-3162 [address sanitizer fixes] - RESERVED +CVE-2014-3162 (Multiple unspecified vulnerabilities in Google Chrome before ...) - chromium-browser <unfixed> [wheezy] - chromium-browser <no-dsa> (minor issue) [squeeze] - chromium-browser <end-of-life> -CVE-2014-3161 - RESERVED -CVE-2014-3160 [same origin bypass] - RESERVED +CVE-2014-3161 (The WebMediaPlayerAndroid::load function in ...) + TODO: check +CVE-2014-3160 (The ResourceFetcher::canRequest function in ...) - chromium-browser <unfixed> [wheezy] - chromium-browser <no-dsa> (minor issue) [squeeze] - chromium-browser <end-of-life> -CVE-2014-3159 - RESERVED +CVE-2014-3159 (The WebContentsDelegateAndroid::OpenURLFromTab function in ...) + TODO: check CVE-2014-3158 RESERVED CVE-2014-3157 (Heap-based buffer overflow in the FFmpegVideoDecoder::GetVideoBuffer ...) @@ -4622,8 +4683,8 @@ CVE-2014-3066 (IBM Tivoli Endpoint Manager 9.1 before 9.1.1088.0 allows remote . NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2014-3065 RESERVED -CVE-2014-3064 - RESERVED +CVE-2014-3064 (The GDS component in IBM InfoSphere Master Data Management - ...) + TODO: check CVE-2014-3063 RESERVED CVE-2014-3062 
@@ -4660,12 +4721,12 @@ CVE-2014-3047 RESERVED CVE-2014-3046 RESERVED -CVE-2014-3045 - RESERVED +CVE-2014-3045 (IBM Scale Out Network Attached Storage (SONAS) 1.3.x and 1.4.x before ...) + TODO: check CVE-2014-3044 RESERVED -CVE-2014-3043 - RESERVED +CVE-2014-3043 (IBM Storwize V7000 Unified 1.3.x and 1.4.x before 1.4.3.3 allows ...) + TODO: check CVE-2014-3042 (IBM CICS Transaction Server 3.1, 3.2, 4.1, 4.2, and 5.1 on z/OS does ...) NOT-FOR-US: IBM CICS Transaction Serve CVE-2014-3041 @@ -5713,8 +5774,7 @@ CVE-2014-2625 NOT-FOR-US: HP Network Virtualization CVE-2014-2624 RESERVED -CVE-2014-2623 - RESERVED +CVE-2014-2623 (Unspecified vulnerability in HP Storage Data Protector 8.x allows ...) NOT-FOR-US: HP Data Protector CVE-2014-2622 (Unspecified vulnerability in HP Intelligent Management Center (iMC) ...) NOT-FOR-US: HP Intelligent Management Center @@ -5900,8 +5960,7 @@ CVE-2014-2521 RESERVED CVE-2014-2520 RESERVED -CVE-2014-2519 - RESERVED +CVE-2014-2519 (The default configuration of EMC RecoverPoint Appliance (RPA) 4.1 ...) NOT-FOR-US: EMC RecoverPoint Appliance CVE-2014-2518 RESERVED @@ -6044,7 +6103,7 @@ CVE-2014-2492 (Unspecified vulnerability in the Oracle Agile Product Collaborati CVE-2014-2491 (Unspecified vulnerability in the Siebel UI Framework component in ...) TODO: check CVE-2014-2490 (Unspecified vulnerability in the Java SE component in Oracle Java SE ...) - {DSA-2980-1} + {DSA-2987-1 DSA-2980-1} - openjdk-6 6b32-1.13.4-1 NOTE: http://hg.openjdk.java.net/jdk6/jdk6/hotspot/rev/dd7d490e72af - openjdk-7 7u65-2.5.1-1 
@@ -6069,6 +6128,7 @@ CVE-2014-2484 (Unspecified vulnerability in the MySQL Server component in Oracle - mariadb-5.5 <not-affected> (Only affects 5.6) - percona-xtradb-cluster-5.5 <not-affected> (Only affects 5.6) CVE-2014-2483 (Unspecified vulnerability in the Java SE component in Oracle Java SE ...) + {DSA-2987-1} - openjdk-6 <not-affected> (vulnerable code not present) - openjdk-7 7u65-2.5.1-1 NOTE: http://hg.openjdk.java.net/jdk7u/jdk7u/hotspot/rev/848481af9003 @@ -6328,8 +6388,7 @@ CVE-2014-2389 (Stack-based buffer overflow in a certain decryption function in . NOT-FOR-US: BlackBerry Z 10 CVE-2014-2388 RESERVED -CVE-2014-2385 - RESERVED +CVE-2014-2385 (Multiple cross-site scripting (XSS) vulnerabilities in the web UI in ...) NOT-FOR-US: Sophos Antivirus CVE-2014-2384 (vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player ...) NOT-FOR-US: VMware on Windows @@ -6364,16 +6423,16 @@ CVE-2014-2370 RESERVED CVE-2014-2369 RESERVED -CVE-2014-2368 - RESERVED -CVE-2014-2367 - RESERVED -CVE-2014-2366 - RESERVED -CVE-2014-2365 - RESERVED -CVE-2014-2364 - RESERVED +CVE-2014-2368 (The BrowseFolder method in the bwocxrun ActiveX control in Advantech ...) + TODO: check +CVE-2014-2367 (The ChkCookie subroutine in an ActiveX control in ...) + TODO: check +CVE-2014-2366 (upAdminPg.asp in Advantech WebAccess before 7.2 allows remote ...) + TODO: check +CVE-2014-2365 (Unspecified vulnerability in Advantech WebAccess before 7.2 allows ...) + TODO: check +CVE-2014-2364 (Multiple stack-based buffer overflows in Advantech WebAccess before ...) + TODO: check CVE-2014-2363 RESERVED CVE-2014-2362 
@@ -7255,22 +7314,22 @@ CVE-2014-2001 (The East Japan Railway Company JR East Japan application before 1 NOT-FOR-US: Android application for East Japan Railway Company CVE-2014-2000 (The NTT 050 plus application before 4.2.1 for Android allows attackers ...) NOT-FOR-US: NTT application for Android -CVE-2014-1999 - RESERVED +CVE-2014-1999 (The auto-format feature in the Request_Curl class in FuelPHP 1.1 ...) + TODO: check CVE-2014-1998 (Cross-site scripting (XSS) vulnerability in Nippon Institute of ...) NOT-FOR-US: SOY CMS CVE-2014-1997 (The ATEN CN8000 remote-access unit with firmware 1.6.154 and earlier ...) NOT-FOR-US: ATEN IP KVM Switch -CVE-2014-1996 - RESERVED -CVE-2014-1995 - RESERVED -CVE-2014-1994 - RESERVED -CVE-2014-1993 - RESERVED -CVE-2014-1992 - RESERVED +CVE-2014-1996 (Cybozu Garoon 3.7 before SP4 allows remote authenticated users to ...) + TODO: check +CVE-2014-1995 (Cross-site scripting (XSS) vulnerability in the Map search ...) + TODO: check +CVE-2014-1994 (Cross-site scripting (XSS) vulnerability in the Notices portlet in ...) + TODO: check +CVE-2014-1993 (The Portlets subsystem in Cybozu Garoon 2.x and 3.x before 3.7 SP4 ...) + TODO: check +CVE-2014-1992 (Cross-site scripting (XSS) vulnerability in the Messages functionality ...) + TODO: check CVE-2014-1991 (Open redirect vulnerability in WebPlatform / AppFramework 6.0 through ...) NOT-FOR-US: NTT DATA INTRAMART CVE-2014-1990 (Cross-site request forgery (CSRF) vulnerability in TopAccess (aka the ...) 
@@ -7279,8 +7338,8 @@ CVE-2014-1989 (Cybozu Garoon 3.0 through 3.7 SP3 allows remote authenticated use NOT-FOR-US: Cybozu Garoon CVE-2014-1988 (The Phone Messages feature in Cybozu Garoon 2.0.0 through 3.7 SP2 ...) NOT-FOR-US: Cybozu Garoon -CVE-2014-1987 - RESERVED +CVE-2014-1987 (The CGI component in Cybozu Garoon 3.1.0 through 3.7 SP3 allows remote ...) + TODO: check CVE-2014-1986 (The Content Provider in the KOKUYO CamiApp application 1.21.1 and ...) NOT-FOR-US: KOKUYO CamiApp application CVE-2014-1984 (Session fixation vulnerability in the management screen in Cybozu ...) @@ -7305,8 +7364,8 @@ CVE-2014-1975 (Directory traversal vulnerability in the R-Company Unzipper ...) NOT-FOR-US: Unzipper Android app CVE-2014-1974 (Directory traversal vulnerability in the LYSESOFT AndExplorer ...) NOT-FOR-US: LYSESOFT -CVE-2014-1973 - RESERVED +CVE-2014-1973 (Directory traversal vulnerability in the NextApp File Explorer ...) + TODO: check CVE-2014-1972 RESERVED CVE-2014-1971 (Cross-site scripting (XSS) vulnerability in Silex before 2.0.0 allows ...) @@ -8456,14 +8515,12 @@ CVE-2014-1563 RESERVED CVE-2014-1562 RESERVED -CVE-2014-1561 [Toolbar dialog customization event spoofing] - RESERVED +CVE-2014-1561 (Mozilla Firefox before 31.0 does not properly restrict use of ...) - iceweasel 31.0-1 [wheezy] - iceweasel <not-affected> (Only affects releases after ESR24) [squeeze] - iceweasel <end-of-life> NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-60.html -CVE-2014-1560 [Certificate parsing broken by non-standard character] - RESERVED +CVE-2014-1560 (Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote ...) - iceweasel 31.0-1 - icedove <unfixed> [wheezy] - iceweasel <not-affected> (Only affects releases after ESR24) 
@@ -8471,8 +8528,7 @@ CVE-2014-1560 [Certificate parsing broken by non-standard character] [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-65.html -CVE-2014-1559 [Certificate parsing broken by non-standard character] - RESERVED +CVE-2014-1559 (Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote ...) - iceweasel 31.0-1 - icedove <unfixed> [wheezy] - iceweasel <not-affected> (Only affects releases after ESR24) @@ -8480,8 +8536,7 @@ CVE-2014-1559 [Certificate parsing broken by non-standard character] [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-65.html -CVE-2014-1558 [Certificate parsing broken by non-standard character] - RESERVED +CVE-2014-1558 (Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote ...) - iceweasel 31.0-1 - icedove <unfixed> [wheezy] - iceweasel <not-affected> (Only affects releases after ESR24) 
@@ -8489,22 +8544,22 @@ CVE-2014-1558 [Certificate parsing broken by non-standard character] [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-65.html -CVE-2014-1557 [Crash in Skia library when scaling high quality images] - RESERVED +CVE-2014-1557 (The ConvolveHorizontally function in Skia, as used in Mozilla Firefox ...) + {DSA-2986-1} - iceweasel 31.0-1 [squeeze] - iceweasel <end-of-life> - icedove <unfixed> [squeeze] - icedove <end-of-life> NOTE: http://www.mozilla.org/security/announce/2014/mfsa2014-64.html -CVE-2014-1556 [Exploitable WebGL crash with Cesium JavaScript] - RESERVED +CVE-2014-1556 (Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and ...) + {DSA-2986-1} - iceweasel 31.0-1 [squeeze] - iceweasel <end-of-life> - icedove <unfixed> [squeeze] - icedove <end-of-life> NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-62.html -CVE-2014-1555 [Use-after-free with FireOnStateChange event] - RESERVED +CVE-2014-1555 (Use-after-free vulnerability in the nsDocLoader::OnProgress function ...) + {DSA-2986-1} - iceweasel 31.0-1 [squeeze] - iceweasel <end-of-life> - icedove <unfixed> @@ -8514,8 +8569,7 @@ CVE-2014-1554 RESERVED CVE-2014-1553 RESERVED -CVE-2014-1552 [IFRAME sandbox same-origin access through redirect] - RESERVED +CVE-2014-1552 (Mozilla Firefox before 31.0 and Thunderbird before 31.0 do not ...) - iceweasel 31.0-1 - icedove <unfixed> [wheezy] - iceweasel <not-affected> (Only affects releases after ESR24) 
@@ -8523,13 +8577,11 @@ CVE-2014-1552 [IFRAME sandbox same-origin access through redirect] [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-66.html -CVE-2014-1551 [Use-after-free in DirectWrite font handling] - RESERVED +CVE-2014-1551 (Use-after-free vulnerability in the FontTableRec destructor in Mozilla ...) - iceweasel <not-affected> (Affects only Windows platform) - icedove <not-affected> (Affects only Windows platform) NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-59.html -CVE-2014-1550 [Use-after-free in Web Audio due to incorrect control message ordering] - RESERVED +CVE-2014-1550 (Use-after-free vulnerability in the MediaInputPort class in Mozilla ...) - iceweasel 31.0-1 [wheezy] - iceweasel <not-affected> (Only affects releases after ESR24) [squeeze] - iceweasel <end-of-life> @@ -8537,8 +8589,7 @@ CVE-2014-1550 [Use-after-free in Web Audio due to incorrect control message orde [squeeze] - icedove <end-of-life> [wheezy] - icedove <not-affected> (Only affects releases after ESR24) NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-58.html -CVE-2014-1549 [Buffer overflow during Web Audio buffering for playback] - RESERVED +CVE-2014-1549 (The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer ...) - iceweasel 31.0-1 [wheezy] - iceweasel <not-affected> (Only affects releases after ESR24) [squeeze] - iceweasel <end-of-life> 
@@ -8546,13 +8597,12 @@ CVE-2014-1549 [Buffer overflow during Web Audio buffering for playback] [squeeze] - icedove <end-of-life> [wheezy] - icedove <not-affected> (Only affects releases after ESR24) NOTE: https://www.mozilla.org/security/announce/2014/mfsa2014-57.html -CVE-2014-1548 - RESERVED +CVE-2014-1548 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel 31.0-1 [wheezy] - iceweasel <not-affected> (Only affects releases after ESR24) [squeeze] - iceweasel <end-of-life> -CVE-2014-1547 [Miscellaneous memory safety hazards] - RESERVED +CVE-2014-1547 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) + {DSA-2986-1} - iceweasel 31.0-1 [squeeze] - iceweasel <end-of-life> - icedove <unfixed> @@ -8568,8 +8618,8 @@ CVE-2014-1545 (Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows rem [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> NOTE: Only the Wheezy builds use the bundled nspr -CVE-2014-1544 [Race-condition in certificate verification can lead to Remote code execution] - RESERVED +CVE-2014-1544 (Use-after-free vulnerability in the CERT_DestroyCertificate function ...) + {DSA-2986-1} - nss 2:3.16.3-1 - iceweasel <unfixed> [squeeze] - iceweasel <end-of-life> @@ -9597,14 +9647,14 @@ CVE-2014-0977 (Cross-site scripting (XSS) vulnerability in the Rich Text Editor - movabletype-opensource 5.2.9+dfsg-1 (bug #734304) CVE-2014-0971 RESERVED -CVE-2014-0970 - RESERVED +CVE-2014-0970 (The GDS component in IBM InfoSphere Master Data Management - ...) + TODO: check CVE-2014-0969 RESERVED -CVE-2014-0968 - RESERVED -CVE-2014-0967 - RESERVED +CVE-2014-0968 (Cross-site scripting (XSS) vulnerability in the GDS component in IBM ...) + TODO: check +CVE-2014-0967 (Cross-site scripting (XSS) vulnerability in the GDS component in IBM ...) + TODO: check CVE-2014-0966 RESERVED CVE-2014-0965 
@@ -9623,8 +9673,8 @@ CVE-2014-0959 (IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6. NOT-FOR-US: IBM WebSphere Portal CVE-2014-0958 (Open redirect vulnerability in IBM WebSphere Portal 6.1.0 through ...) NOT-FOR-US: IBM WebSphere Portal -CVE-2014-0957 - RESERVED +CVE-2014-0957 (Cross-site scripting (XSS) vulnerability in IBM Business Process ...) + TODO: check CVE-2014-0956 (Cross-site scripting (XSS) vulnerability in googlemap.jsp in IBM ...) NOT-FOR-US: IBM WebSphere Portal CVE-2014-0955 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0 ...) @@ -11249,8 +11299,7 @@ CVE-2014-0233 NOT-FOR-US: OpenShift CVE-2014-0232 RESERVED -CVE-2014-0231 [mod_cgid denial of service] - RESERVED +CVE-2014-0231 (The mod_cgid module in the Apache HTTP Server before 2.4.10 does not ...) - apache2 2.4.10-1 CVE-2014-0230 RESERVED @@ -11261,8 +11310,7 @@ CVE-2014-0228 NOT-FOR-US: Apache Hive CVE-2014-0227 RESERVED -CVE-2014-0226 [mod_status buffer overflow] - RESERVED +CVE-2014-0226 (Race condition in the mod_status module in the Apache HTTP Server ...) - apache2 2.4.10-1 CVE-2014-0225 [Information disclosure via SSRF] RESERVED @@ -11653,11 +11701,9 @@ CVE-2014-0119 (Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8. - tomcat8 8.0.8-1 - tomcat7 7.0.54-1 - tomcat6 6.0.41-1 -CVE-2014-0118 [mod_deflate denial of service] - RESERVED +CVE-2014-0118 (The deflate_in_filter function in mod_deflate.c in the mod_deflate ...) - apache2 2.4.10-1 -CVE-2014-0117 [mod_proxy denial of service] - RESERVED +CVE-2014-0117 (The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, ...) - apache2 2.4.10-1 [squeeze] - apache2 <not-affected> (Affects 2.4.6 to 2.4.9) [wheezy] - apache2 <not-affected> (Affects 2.4.6 to 2.4.9) |
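Review bot: The five Advantech WebAccess entries (CVE-2014-2364 through CVE-2014-2368, hunk `@@ -6364,16 +6423,16 @@`) are all left at `TODO: check`; since every description names the same product, they should be triaged together in one follow-up, using the `NOT-FOR-US:` form that the surrounding entries (e.g. `NOT-FOR-US: Sophos Antivirus`) use if the software turns out not to be packaged, or a package/version line if it is.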
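Review bot: In hunk `@@ -7255,22 +7314,22 @@`, CVE-2014-1993 and CVE-2014-1996 explicitly name Cybozu Garoon, and the context lines of the next hunk record CVE-2014-1988 and CVE-2014-1989 as `NOT-FOR-US: Cybozu Garoon`, so those two `TODO: check` markers can be resolved consistently with the neighbouring entries; CVE-2014-1992, -1994 and -1995 have truncated descriptions that do not show the product, so they still need a look, as does CVE-2014-1999 (FuelPHP), for which no Debian package status is recorded.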
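Review bot: Hunk `@@ -7279,8 +7338,8 @@` leaves CVE-2014-1987 at `TODO: check` although its description names Cybozu Garoon and the adjacent CVE-2014-1988 is already `NOT-FOR-US: Cybozu Garoon`; likewise CVE-2014-1973 (NextApp File Explorer, hunk `@@ -7305,8 +7364,8 @@`) sits between two Android directory-traversal entries marked `NOT-FOR-US`, so both placeholders look resolvable in the same pass.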
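Review bot: For CVE-2014-1544 (hunk `@@ -8568,8 +8618,8 @@`) the new `{DSA-2986-1}` marker is placed above a `- iceweasel <unfixed>` line; the other entries that gain the same DSA marker in this update (CVE-2014-1547, -1555, -1556, -1557) record `- iceweasel 31.0-1`, so either the unstable fix version should be recorded here as well or the marker and the `<unfixed>` state need reconciling.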
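Review bot: The IBM entries CVE-2014-0970, -0968, -0967 (hunk `@@ -9597,14 +9647,14 @@`) and CVE-2014-0957 (hunk `@@ -9623,8 +9673,8 @@`) are left at `TODO: check`; the neighbouring IBM WebSphere Portal entries are all `NOT-FOR-US`, so these should be checked for a Debian package and closed the same way if none exists.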
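Review bot: In the Apache hunks (`@@ -11249,8 +11299,7 @@`, `@@ -11261,8 +11310,7 @@`, `@@ -11653,11 +11701,9 @@`) only CVE-2014-0117 carries `[squeeze]` and `[wheezy]` status lines; CVE-2014-0231, CVE-2014-0226 and CVE-2014-0118 record just `- apache2 2.4.10-1`, so the status of the stable releases for those three is unrecorded and should be added (a fixed version, `<not-affected>` with a reason as for CVE-2014-0117, or a `<no-dsa>` note) so the tracker does not list them as open without a decision.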