diff options
author | Joey Hess <joeyh@debian.org> | 2014-10-01 21:14:11 +0000 |
---|---|---|
committer | Joey Hess <joeyh@debian.org> | 2014-10-01 21:14:11 +0000 |
commit | bbbc25fb68680d75d0f1c5b72e50a335a52a64c1 (patch) | |
tree | 013ee50613964653bc8d86d8513a1ae12233bf9c | |
parent | 5ec427fddde495087a9cf2f3059cb07e2021b917 (diff) |
automatic update
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@29194 e39458fd-73e7-0310-bf30-c45bca0a0e42
-rw-r--r-- | data/CVE/2000.list | 2 | ||||
-rw-r--r-- | data/CVE/2001.list | 2 | ||||
-rw-r--r-- | data/CVE/2002.list | 2 | ||||
-rw-r--r-- | data/CVE/2003.list | 2 | ||||
-rw-r--r-- | data/CVE/2004.list | 2 | ||||
-rw-r--r-- | data/CVE/2006.list | 2 | ||||
-rw-r--r-- | data/CVE/2007.list | 2 | ||||
-rw-r--r-- | data/CVE/2009.list | 2 | ||||
-rw-r--r-- | data/CVE/2010.list | 10 | ||||
-rw-r--r-- | data/CVE/2011.list | 2 | ||||
-rw-r--r-- | data/CVE/2012.list | 87 | ||||
-rw-r--r-- | data/CVE/2013.list | 52 | ||||
-rw-r--r-- | data/CVE/2014.list | 680 |
13 files changed, 478 insertions, 369 deletions
diff --git a/data/CVE/2000.list b/data/CVE/2000.list index 73066f91ab..6662fd4a62 100644 --- a/data/CVE/2000.list +++ b/data/CVE/2000.list @@ -1,3 +1,5 @@ +CVE-2000-1253 + RESERVED CVE-2000-1252 RESERVED CVE-2000-1251 diff --git a/data/CVE/2001.list b/data/CVE/2001.list index 76d7dfe520..fadcecaeb3 100644 --- a/data/CVE/2001.list +++ b/data/CVE/2001.list @@ -1,3 +1,5 @@ +CVE-2001-1594 + RESERVED CVE-2001-1593 (The tempname_ensure function in lib/routines.h in a2ps 4.14 and ...) {DSA-2892-1} - a2ps 1:4.14-1.2 (low; bug #737385) diff --git a/data/CVE/2002.list b/data/CVE/2002.list index 03cf206787..6dc165d7cc 100644 --- a/data/CVE/2002.list +++ b/data/CVE/2002.list @@ -1,3 +1,5 @@ +CVE-2002-2445 + RESERVED CVE-2002-2483 - linux-2.6 2.4.20 CVE-2002-2444 [snoopy: Security hole in exec cURL] diff --git a/data/CVE/2003.list b/data/CVE/2003.list index d6695a5ea8..ba31f3aaac 100644 --- a/data/CVE/2003.list +++ b/data/CVE/2003.list @@ -1,3 +1,5 @@ +CVE-2003-1603 + RESERVED CVE-2003-1602 RESERVED CVE-2003-1601 diff --git a/data/CVE/2004.list b/data/CVE/2004.list index ae5b992a26..61df163ed1 100644 --- a/data/CVE/2004.list +++ b/data/CVE/2004.list @@ -1,3 +1,5 @@ +CVE-2004-2777 + RESERVED CVE-2004-XXXX [base-passwd: sets valid shells for system services] - base-passwd 3.5.30 (unimportant; bug #274229) NOTE: Hardening, not a direct vulnerability diff --git a/data/CVE/2006.list b/data/CVE/2006.list index 68ad9f2303..3a98092e3f 100644 --- a/data/CVE/2006.list +++ b/data/CVE/2006.list @@ -1,3 +1,5 @@ +CVE-2006-7253 + RESERVED CVE-2006-7252 (Integer overflow in the calloc function in libc/stdlib/malloc.c in ...) NOT-FOR-US: NetBSD/FreeBSD libc CVE-2006-7251 diff --git a/data/CVE/2007.list b/data/CVE/2007.list index e1d75e4aff..f624e395fc 100644 --- a/data/CVE/2007.list +++ b/data/CVE/2007.list @@ -1,3 +1,5 @@ +CVE-2007-6757 + RESERVED CVE-2007-6756 (ZOLL Defibrillator / Monitor M Series, E Series, and R Series have a ...) NOT-FOR-US: ZOLL Defibrillator / Monitor M Series, E Series, and R Series CVE-2007-6755 (The NIST SP 800-90A default statement of the Dual Elliptic Curve ...) diff --git a/data/CVE/2009.list b/data/CVE/2009.list index 5328adb867..a79855e192 100644 --- a/data/CVE/2009.list +++ b/data/CVE/2009.list @@ -1,3 +1,5 @@ +CVE-2009-5143 + RESERVED CVE-2009-5142 (Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb ...) NOT-FOR-US: TimThumb CVE-2009-5141 (Format string vulnerability in War FTP Daemon (warftpd) 1.82 RC 12 ...) diff --git a/data/CVE/2010.list b/data/CVE/2010.list index c8475e31b4..f64c57caa5 100644 --- a/data/CVE/2010.list +++ b/data/CVE/2010.list @@ -1,3 +1,13 @@ +CVE-2010-5310 + RESERVED +CVE-2010-5309 + RESERVED +CVE-2010-5308 + RESERVED +CVE-2010-5307 + RESERVED +CVE-2010-5306 + RESERVED CVE-2010-XXXX [execute code from imported modules / documentation missmatch ] - pylint <unfixed> (bug #591676) CVE-2010-5305 diff --git a/data/CVE/2011.list b/data/CVE/2011.list index a23d2f10f6..baac8dd722 100644 --- a/data/CVE/2011.list +++ b/data/CVE/2011.list @@ -1,3 +1,5 @@ +CVE-2011-5374 + RESERVED CVE-2011-5281 RESERVED CVE-2011-5280 (Multiple stack-based buffer overflows in BOINC 6.13.x allow remote ...) diff --git a/data/CVE/2012.list b/data/CVE/2012.list index 42518c5045..396d070ae7 100644 --- a/data/CVE/2012.list +++ b/data/CVE/2012.list @@ -1,9 +1,10 @@ +CVE-2012-6660 + RESERVED CVE-2012-6659 (Cross-site scripting (XSS) vulnerability in the admin interface in ...) NOT-FOR-US: Phorum CVE-2012-6658 (Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks ...) NOT-FOR-US: SpiceWorks -CVE-2012-6657 [net: guard tcp_set_keepalive against crash] - RESERVED +CVE-2012-6657 (The sock_setsockopt function in net/core/sock.c in the Linux kernel ...) - linux 3.6.4-1 [wheezy] - linux 3.2.32-1 - linux-2.6 <removed> @@ -407,8 +408,7 @@ CVE-2012-6503 (Unspecified vulnerability in the NinjaXplorer component before 1. NOT-FOR-US: NinjaXplorer for Joomla! CVE-2012-6502 (Microsoft Internet Explorer before 10 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer -CVE-2012-6110 [bcron file descriptors not closed] - RESERVED +CVE-2012-6110 (bcron-exec in bcron before 0.10 does not close file descriptors ...) - bcron 0.09-13 (low; bug #686650) [squeeze] - bcron 0.09-11+squeeze1 CVE-2012-6501 (The KillProcess method in the HP PKI ActiveX control (HPPKI.ocx) ...) @@ -803,8 +803,8 @@ CVE-2012-6318 RESERVED CVE-2012-6317 RESERVED -CVE-2012-6316 - RESERVED +CVE-2012-6316 (Multiple cross-site scripting (XSS) vulnerabilities in the TP-LINK ...) + TODO: check CVE-2012-6315 REJECTED CVE-2012-6314 (Citrix XenDesktop Virtual Desktop Agent (VDA) 5.6.x before 5.6.200, ...) @@ -1307,8 +1307,7 @@ CVE-2012-6109 (lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1 NOTE: https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ CVE-2012-6108 (HP Linux Imaging and Printing (HPLIP) before 3.13.2 uses ...) - hplip <not-affected> (permissions are 755 on wheezy, sid and experimental) -CVE-2012-6107 [Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate] - RESERVED +CVE-2012-6107 (Apache Axis2/C does not verify that the server hostname matches a ...) - axis2c <unfixed> (bug #697974) NOTE: https://issues.apache.org/jira/browse/AXIS2C-1619 CVE-2012-6106 (calendar/managesubscriptions.php in the Manage Subscriptions ...) @@ -2573,15 +2572,13 @@ CVE-2012-5623 NOT-FOR-US: change_passwd plugin for Squirrelmail CVE-2012-5622 (Cross-site request forgery (CSRF) vulnerability in the management ...) NOT-FOR-US: OpenShift -CVE-2012-5621 [Ekiga (x < 4.0.0): DoS (crash) after receiving call from other party with not UTF-8 valid name] - RESERVED +CVE-2012-5621 (lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows ...) - ekiga 3.2.7-6 (bug #702282; low) [squeeze] - ekiga <no-dsa> (Minor issue) CVE-2012-5620 RESERVED NOT-FOR-US: Docecot non-issue, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695138#15 -CVE-2012-5619 - RESERVED +CVE-2012-5619 (The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file ...) - sleuthkit 4.1.2-1 (unimportant; bug #695097) CVE-2012-5618 RESERVED @@ -2910,80 +2907,58 @@ CVE-2012-5508 [ Zope/Plone: PRNG isn't reseeded] RESERVED - zope2.12 2.12.26-1 (bug #692899) NOTE: https://plone.org/products/plone/security/advisories/20121106/24 -CVE-2012-5507 [ Zope/Plone: Timing attack in password validation ] - RESERVED +CVE-2012-5507 (AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone ...) - zope2.12 2.12.26-1 (bug #692899) NOTE: https://plone.org/products/plone/security/advisories/20121106/23 -CVE-2012-5506 [ Zope/Plone: DoS through RSS on private folder ] - RESERVED +CVE-2012-5506 (python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5505 [ Zope/Plone: Attempting to access a view with no name returns an internal data structure ] - RESERVED +CVE-2012-5505 (atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote ...) - zope2.12 2.12.26-1 (bug #692899) NOTE: https://plone.org/products/plone/security/advisories/20121106/21 -CVE-2012-5504 [ Zope/Plone: Persistent XSS ] - RESERVED +CVE-2012-5504 (Cross-site scripting (XSS) vulnerability in widget_traversal.py in ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5503 [ Zope/Plone: Users connected through FTP can list hidden folder contents ] - RESERVED +CVE-2012-5503 (ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5502 [ Zope/Plone: Persistent XSS via filtering bypass ] - RESERVED +CVE-2012-5502 (Cross-site scripting (XSS) vulnerability in safe_html.py in Plone ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5501 [ Zope/Plone: Crafted URL allows downloading of BLOBs that are not visible to the user ] - RESERVED +CVE-2012-5501 (at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 CVE-2012-5500 [ Zope/Plone: Anonymous users can batch change titles of content items ] RESERVED NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5499 [ Zope/Plone: Partial denial of service through internal function ] - RESERVED +CVE-2012-5499 (python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5498 [ Zope/Plone: Partial denial of service through Collections functionality ] - RESERVED +CVE-2012-5498 (queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5497 [ Zope/Plone: Anonymous users can list user account names ] - RESERVED +CVE-2012-5497 (membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5496 [ Zope/Plone: DoS through unsanitised inputs into Kupu ] - RESERVED +CVE-2012-5496 (kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5495 [ Zope/Plone: Restricted Python injection ] - RESERVED +CVE-2012-5495 (python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5494 [ Zope/Plone: Reflexive XSS ] - RESERVED +CVE-2012-5494 (Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5493 [ Zope/Plone: Restricted Python sandbox escape ] - RESERVED +CVE-2012-5493 (gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5492 [ Zope/Plone: Partial permissions bypass ] - RESERVED +CVE-2012-5492 (uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5491 [ Zope/Plone: Form detail exposure ] - RESERVED +CVE-2012-5491 (z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5490 [ Zope/Plone: Reflexive XSS ] - RESERVED +CVE-2012-5490 (Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5489 [ Zope/Plone: Partial restricted Python sandbox escape ] - RESERVED +CVE-2012-5489 (The App.Undo.UndoSupport.get_request_var_or_attr function in Zope ...) - zope2.12 <unfixed> (bug #692899) [wheezy] - zope2.12 <no-dsa> (Minor issue) NOTE: https://plone.org/products/plone/security/advisories/20121106/05 -CVE-2012-5488 [ Zope/Plone: Restricted Python injection ] - RESERVED +CVE-2012-5488 (python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 -CVE-2012-5487 [ Zope/Plone: Restricted Python sandbox escape ] - RESERVED +CVE-2012-5487 (The sandbox whitelisting function (allowmodule.py) in Plone before ...) - zope2.12 <unfixed> (unimportant; bug #692899) NOTE: Non-issue, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692899#20 -CVE-2012-5486 [ Zope/Plone: Reflexive HTTP header injection ] - RESERVED +CVE-2012-5486 (ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used ...) - zope2.12 2.12.26-1 (bug #692899) NOTE: https://plone.org/products/plone/security/advisories/20121106/02 -CVE-2012-5485 [ Restricted Python injection ] - RESERVED +CVE-2012-5485 (registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 ...) NOT-FOR-US: Plone not packaged in Debian, see bug #692899 NOTE: https://plone.org/products/plone/security/advisories/20121106/01 CVE-2012-5484 (The client in FreeIPA 2.x and 3.x before 3.1.2 does not properly ...) diff --git a/data/CVE/2013.list b/data/CVE/2013.list index ad34c6cb55..697c10a98e 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -1,4 +1,9 @@ +CVE-2013-7405 + RESERVED +CVE-2013-7404 + RESERVED CVE-2013-7403 + RESERVED NOT-FOR-US: WordPress plugin wp-video-commando CVE-2013-7402 RESERVED @@ -9864,8 +9869,8 @@ CVE-2013-3634 (The SNMPv3 functionality on Siemens Scalance X200 IRT switches wi NOT-FOR-US: Siemens switches CVE-2013-3633 (The web interface on Siemens Scalance X200 IRT switches with firmware ...) NOT-FOR-US: Siemens -CVE-2013-3632 - RESERVED +CVE-2013-3632 (The Cron service in rpc.php in OpenMediaVault allows remote ...) + TODO: check CVE-2013-3631 (NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to ...) NOT-FOR-US: NAS4Free CVE-2013-3630 (Moodle through 2.5.2 allows remote authenticated administrators to ...) @@ -11048,26 +11053,26 @@ CVE-2013-3094 RESERVED CVE-2013-3093 RESERVED -CVE-2013-3092 - RESERVED +CVE-2013-3092 (The Belkin N300 (F7D7301v1) router allows remote attackers to bypass ...) + TODO: check CVE-2013-3091 RESERVED CVE-2013-3090 (Multiple cross-site scripting (XSS) vulnerabilities in Belkin N300 ...) NOT-FOR-US: Belkin N300 router -CVE-2013-3089 - RESERVED +CVE-2013-3089 (Cross-site request forgery (CSRF) vulnerability in apply.cgi in Belkin ...) + TODO: check CVE-2013-3088 RESERVED CVE-2013-3087 (Multiple cross-site scripting (XSS) vulnerabilities in Belkin N900 ...) NOT-FOR-US: Belkin N900 router -CVE-2013-3086 - RESERVED +CVE-2013-3086 (Cross-site request forgery (CSRF) vulnerability in util_system.html in ...) + TODO: check CVE-2013-3085 RESERVED CVE-2013-3084 (Multiple cross-site scripting (XSS) vulnerabilities in Belkin Model ...) NOT-FOR-US: Belkin router -CVE-2013-3083 - RESERVED +CVE-2013-3083 (Cross-site request forgery (CSRF) vulnerability in ...) + TODO: check CVE-2013-3082 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: Jojo CMS CVE-2013-3081 (SQL injection vulnerability in the checkEmailFormat function in ...) @@ -11103,16 +11108,16 @@ CVE-2013-3070 RESERVED CVE-2013-3069 (Multiple cross-site scripting (XSS) vulnerabilities in NETGEAR ...) NOT-FOR-US: NETGEAR devices -CVE-2013-3068 - RESERVED +CVE-2013-3068 (Cross-site request forgery (CSRF) vulnerability in apply.cgi in ...) + TODO: check CVE-2013-3067 RESERVED -CVE-2013-3066 - RESERVED -CVE-2013-3065 - RESERVED -CVE-2013-3064 - RESERVED +CVE-2013-3066 (Linksys EA6500 with firmware 1.1.28.147876 does not properly restrict ...) + TODO: check +CVE-2013-3065 (Cross-site scripting (XSS) vulnerability in the Parental Controls ...) + TODO: check +CVE-2013-3064 (Open redirect vulnerability in ui/dynamic/unsecured.html in Linksys ...) + TODO: check CVE-2013-3063 (SAP BASIS Communication Services 4.6B through 7.30 allows remote ...) NOT-FOR-US: SAP BASIS Communication Services CVE-2013-3062 (The CP_RC_TRANSACTION_CALL_BY_SET function in the Engineering ...) @@ -12309,8 +12314,8 @@ CVE-2013-2588 RESERVED CVE-2013-2587 RESERVED -CVE-2013-2586 - RESERVED +CVE-2013-2586 (XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which ...) + TODO: check CVE-2013-2585 (Cross-site scripting (XSS) vulnerability in Atmail Webmail Server ...) NOT-FOR-US: AtMail CVE-2013-2584 @@ -13719,8 +13724,7 @@ CVE-2013-2102 (The default configuration of Red Hat JBoss Portal before 6.1.0 en CVE-2013-2101 RESERVED NOT-FOR-US: Katello -CVE-2013-2100 - RESERVED +CVE-2013-2100 (The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage ...) NOT-FOR-US: Gentoo Portage binary package installer CVE-2013-2099 (Algorithmic complexity vulnerability in the ssl.match_hostname ...) - python2.7 2.7.5-5 (low; bug #709066) @@ -13832,6 +13836,7 @@ CVE-2013-2073 (Transifex command-line client before 0.9 does not validate X.509 [wheezy] - transifex-client <no-dsa> (Minor issue) NOTE: http://seclists.org/oss-sec/2013/q2/394 CVE-2013-2072 (Buffer overflow in the Python bindings for the xc_vcpu_setaffinity ...) + {DSA-3041-1} - xen 4.2.2-1 (low) [squeeze] - xen <no-dsa> (Minor issue, can be postponed to the next Xen DSA) [wheezy] - xen <no-dsa> (Minor issue, can be postponed to the next Xen DSA) @@ -14480,8 +14485,7 @@ CVE-2013-1876 REJECTED CVE-2013-1875 (command_wrap.rb in the command_wrap Gem for Ruby allows remote ...) NOT-FOR-US: ruby gem command_wrap -CVE-2013-1874 [Chicken Scheme: code execution] - RESERVED +CVE-2013-1874 (Untrusted search path vulnerability in csi in Chicken before 4.8.2 ...) - chicken 4.8.0.3-1 (low; bug #702410) [squeeze] - chicken <no-dsa> (Minor issue) [wheezy] - chicken <no-dsa> (Minor issue) diff --git a/data/CVE/2014.list b/data/CVE/2014.list index f7d9fce625..d1b946e39b 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -1,3 +1,129 @@ +CVE-2014-7270 + RESERVED +CVE-2014-7269 + RESERVED +CVE-2014-7268 + RESERVED +CVE-2014-7267 + RESERVED +CVE-2014-7266 + RESERVED +CVE-2014-7265 + RESERVED +CVE-2014-7264 + RESERVED +CVE-2014-7263 + RESERVED +CVE-2014-7262 + RESERVED +CVE-2014-7261 + RESERVED +CVE-2014-7260 + RESERVED +CVE-2014-7259 + RESERVED +CVE-2014-7258 + RESERVED +CVE-2014-7257 + RESERVED +CVE-2014-7256 + RESERVED +CVE-2014-7255 + RESERVED +CVE-2014-7254 + RESERVED +CVE-2014-7253 + RESERVED +CVE-2014-7252 + RESERVED +CVE-2014-7251 + RESERVED +CVE-2014-7250 + RESERVED +CVE-2014-7249 + RESERVED +CVE-2014-7248 + RESERVED +CVE-2014-7247 + RESERVED +CVE-2014-7246 + RESERVED +CVE-2014-7245 + RESERVED +CVE-2014-7244 + RESERVED +CVE-2014-7243 + RESERVED +CVE-2014-7242 + RESERVED +CVE-2014-7241 + RESERVED +CVE-2014-7240 + RESERVED +CVE-2014-7239 + RESERVED +CVE-2014-7238 + RESERVED +CVE-2014-7237 + RESERVED +CVE-2014-7236 + RESERVED +CVE-2014-7235 + RESERVED +CVE-2014-7234 + RESERVED +CVE-2014-7233 + RESERVED +CVE-2014-7232 + RESERVED +CVE-2014-7229 + RESERVED +CVE-2014-7228 + RESERVED +CVE-2014-7227 + RESERVED +CVE-2014-7226 + RESERVED +CVE-2014-7225 + RESERVED +CVE-2014-7224 + RESERVED +CVE-2014-7223 + RESERVED +CVE-2014-7222 + RESERVED +CVE-2014-7221 + RESERVED +CVE-2014-7220 + RESERVED +CVE-2014-7219 + RESERVED +CVE-2014-7218 + RESERVED +CVE-2014-7217 + RESERVED +CVE-2014-7216 + RESERVED +CVE-2014-7215 + RESERVED +CVE-2014-7214 + RESERVED +CVE-2014-7213 + RESERVED +CVE-2014-7212 + RESERVED +CVE-2014-7211 + RESERVED +CVE-2014-7210 + RESERVED +CVE-2014-7209 + RESERVED +CVE-2014-7208 + RESERVED +CVE-2014-7207 + RESERVED +CVE-2014-7206 + RESERVED CVE-2014-XXXX [various sddm issues] - sddm <itp> (bug #703519) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=897788 @@ -6,16 +132,19 @@ CVE-2014-XXXX [gnome-shell lockscreen bypass with printscreen key] NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=737456 TODO: check CVE-2014-7231 + RESERVED - python-oslo.utils <unfixed> NOTE: https://launchpad.net/bugs/1345233 TODO: check CVE-2014-7230 + RESERVED - cinder <unfixed> - nova <unfixed> - trove <unfixed> NOTE: https://launchpad.net/bugs/1343604 TODO: check CVE-2014-7205 [Arbitrary JavaScript Execution in Bassmaster] + RESERVED NOTE: https://nodesecurity.io/advisories/bassmaster_js_injection TODO: check CVE-2014-7201 @@ -47,6 +176,7 @@ CVE-2014-7191 [qs Denial-of-Service Memory Exhaustion] NOTE: https://nodesecurity.io/advisories/qs_dos_memory_exhaustion CVE-2014-7188 RESERVED + {DSA-3041-1} - xen <unfixed> CVE-2014-7184 RESERVED @@ -79,6 +209,7 @@ CVE-2014-7171 CVE-2014-7170 RESERVED CVE-2014-7204 [endless loog + disk usage bomp on minified js file] + RESERVED - exuberant-ctags 1:5.9~svn20110310-8 (bug #742605) NOTE: http://sourceforge.net/p/ctags/code/791/ CVE-2014-7203 [does not implement uniqueness check on connection nonces] @@ -93,8 +224,7 @@ CVE-2014-7202 [does not validate the other party's security handshake properly] - zeromq3 <unfixed> NOTE: Code commit: https://github.com/zeromq/libzmq/issues/1190 TODO: check -CVE-2014-7190 - RESERVED +CVE-2014-7190 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...) NOT-FOR-US: Openfiler CVE-2014-7189 [Go crypto/tls vulnerability] RESERVED @@ -102,12 +232,10 @@ CVE-2014-7189 [Go crypto/tls vulnerability] [wheezy] - golang <not-affected> (Vulnerable code not present, only Go 1.1 onwards) NOTE: https://groups.google.com/forum/#!msg/golang-nuts/eeOHNw_shwU/OHALUmroA5kJ NOTE: https://code.google.com/p/go/source/detail?r=eae0457c101512f59296538f0162749eba325892&name=release-branch.go1.3 -CVE-2014-7187 - RESERVED +CVE-2014-7187 (Off-by-one error in the read_token_word function in parse.y in GNU ...) {DSA-3035-1 DLA-63-1} - bash 4.3-9.2 -CVE-2014-7186 - RESERVED +CVE-2014-7186 (The redirection implementation in parse.y in GNU Bash through 4.3 ...) {DSA-3035-1 DLA-63-1} - bash 4.3-9.2 CVE-2014-7185 [integer overflow in 'buffer' type allows reading memory] @@ -154,8 +282,7 @@ CVE-2014-XXXX [gnutls: certificate sanitization issue] NOTE: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7663 NOTE: http://www.intelsecurity.com/advanced-threat-research/# NOTE: similar to CVE-2014-1568 in nss -CVE-2014-7199 [mediawiki: releases 1.19.19, 1.22.11 and 1.23.4] - RESERVED +CVE-2014-7199 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, ...) {DSA-3036-1} - mediawiki 1:1.19.19+dfsg-1 (bug #762754) [squeeze] - mediawiki <end-of-life> @@ -164,14 +291,17 @@ CVE-2014-7169 (GNU Bash through 4.3 bash43-025 processes trailing strings after - bash 4.3-9.2 (bug #762760) CVE-2014-7156 [XSA-106] RESERVED + {DSA-3041-1} - xen <unfixed> [squeeze] - xen <end-of-life> CVE-2014-7155 [XSA-105] RESERVED + {DSA-3041-1} - xen <unfixed> [squeeze] - xen <end-of-life> CVE-2014-7154 [XSA-104] RESERVED + {DSA-3041-1} - xen <unfixed> [squeeze] - xen <end-of-life> CVE-2014-7152 (Cross-site scripting (XSS) vulnerability in the Easy MailChimp Forms ...) @@ -758,222 +888,222 @@ CVE-2014-6857 RESERVED CVE-2014-6856 RESERVED -CVE-2014-6855 - RESERVED -CVE-2014-6854 - RESERVED -CVE-2014-6853 - RESERVED -CVE-2014-6852 - RESERVED -CVE-2014-6851 - RESERVED -CVE-2014-6850 - RESERVED +CVE-2014-6855 (The Long (aka com.imop.longjiang.android) application 1.0.4 for ...) + TODO: check +CVE-2014-6854 (The EyeXam (aka com.globaleyeventures.eyexam) application 1.4 for ...) + TODO: check +CVE-2014-6853 (The Foxit MobilePDF - PDF Reader (aka com.foxit.mobile.pdf.lite) ...) + TODO: check +CVE-2014-6852 (The LedLine.gr Official (aka com.automon.ledline.gr) application ...) + TODO: check +CVE-2014-6851 (The New Beginnings CFC (aka com.goodbarber.nbcfc) application 1.1 for ...) + TODO: check +CVE-2014-6850 (The SED Account (aka com.starkville.smartapps) application 1.153.0034 ...) + TODO: check CVE-2014-6849 RESERVED -CVE-2014-6848 - RESERVED -CVE-2014-6847 - RESERVED -CVE-2014-6846 - RESERVED -CVE-2014-6845 - RESERVED -CVE-2014-6844 - RESERVED -CVE-2014-6843 - RESERVED -CVE-2014-6842 - RESERVED -CVE-2014-6841 - RESERVED -CVE-2014-6840 - RESERVED -CVE-2014-6839 - RESERVED -CVE-2014-6838 - RESERVED -CVE-2014-6837 - RESERVED -CVE-2014-6836 - RESERVED -CVE-2014-6835 - RESERVED -CVE-2014-6834 - RESERVED -CVE-2014-6833 - RESERVED -CVE-2014-6832 - RESERVED -CVE-2014-6831 - RESERVED -CVE-2014-6830 - RESERVED -CVE-2014-6829 - RESERVED -CVE-2014-6828 - RESERVED -CVE-2014-6827 - RESERVED -CVE-2014-6826 - RESERVED -CVE-2014-6825 - RESERVED -CVE-2014-6824 - RESERVED -CVE-2014-6823 - RESERVED -CVE-2014-6822 - RESERVED -CVE-2014-6821 - RESERVED -CVE-2014-6820 - RESERVED -CVE-2014-6819 - RESERVED -CVE-2014-6818 - RESERVED -CVE-2014-6817 - RESERVED -CVE-2014-6816 - RESERVED -CVE-2014-6815 - RESERVED -CVE-2014-6814 - RESERVED -CVE-2014-6813 - RESERVED -CVE-2014-6812 - RESERVED +CVE-2014-6848 (The DS file (aka com.synology.DSfile) application 4.1.1 for Android ...) + TODO: check +CVE-2014-6847 (The Horoscopes and Dreams (aka com.horoscopesanddreams) application ...) + TODO: check +CVE-2014-6846 (The Four Seasons Beverly Hills (aka ...) + TODO: check +CVE-2014-6845 (The MediaFire (aka com.mediafire.android) application 1.1.1 for ...) + TODO: check +CVE-2014-6844 (The ABC Song (aka com.tabtale.abcsingalong) application 1.0.0 for ...) + TODO: check +CVE-2014-6843 (The Sweatshop (aka com.orderingapps.sweatshop) application 2.96 for ...) + TODO: check +CVE-2014-6842 (The Daily Advertiser Print (aka com.lafayettedailyadv.android.prod) ...) + TODO: check +CVE-2014-6841 (The RTI INDIA (aka com.vbulletin.build_890) application 3.8.21 for ...) + TODO: check +CVE-2014-6840 (The My Wedding Planner (aka app.wedding) application 1.5 for Android ...) + TODO: check +CVE-2014-6839 (The Alma Corinthiana (aka com.alma.corinthiana) application 1.0 for ...) + TODO: check +CVE-2014-6838 (The Groupama toujours la (aka com.groupama.toujoursla) application ...) + TODO: check +CVE-2014-6837 (The Hillside (aka com.hillside.hermanus) application 1.1 for Android ...) + TODO: check +CVE-2014-6836 (The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android ...) + TODO: check +CVE-2014-6835 (The Herbal Guide (aka com.pocket.herbal.guide) application 1.0 for ...) + TODO: check +CVE-2014-6834 (The Instaroid - Instagram Viewer (aka net.muik.instaroid) application ...) + TODO: check +CVE-2014-6833 (The AuctionTrac Dealer (aka com.adesa.dealer.phone) application 2.0.3 ...) + TODO: check +CVE-2014-6832 (The Bersa Forum (aka com.gcspublishing.bersaforum) application 3.9.16 ...) + TODO: check +CVE-2014-6831 (The Hippo Studio (aka com.appgreen.hippostudio) application 1.0 for ...) + TODO: check +CVE-2014-6830 (The Covet Fashion - Shopping Game (aka com.crowdstar.covetfashion) ...) + TODO: check +CVE-2014-6829 (The Hook (aka com.hook.android) application 0.9.3 for Android does not ...) + TODO: check +CVE-2014-6828 (The Gulf Credit Union (aka Fi_Mobile.Gulf) application 1.1 for Android ...) + TODO: check +CVE-2014-6827 (The DK ONLINE Beta (aka com.sgmobile.dkonline) application 1.0.2 for ...) + TODO: check +CVE-2014-6826 (The Tic-Tac To The MAX FREE (aka com.tothemax) application 1.2 for ...) + TODO: check +CVE-2014-6825 (The Teatro Franco Parenti (aka com.mintlab.mx.teatroparenti) ...) + TODO: check +CVE-2014-6824 (The kamkomesan (aka com.anek.kamkomesan) application 1.0 for Android ...) + TODO: check +CVE-2014-6823 (The kuailecaidengmi (aka com.licai.kuailecaidengmi) application ...) + TODO: check +CVE-2014-6822 (The Nerdico (aka com.nerdico.danielepais) application 1.9 Stable for ...) + TODO: check +CVE-2014-6821 (The voetbal (aka nl.jborsje.android.voetbal.az) application 4.7.2 for ...) + TODO: check +CVE-2014-6820 (The Amebra Ameba (aka jp.honeytrap15.amebra) application 1.0.0 for ...) + TODO: check +CVE-2014-6819 (The Lapp Group Catalogue (aka com.prinovis.LappKabel) application 1.4 ...) + TODO: check +CVE-2014-6818 (The OHBM 20th Annual Meeting (aka ...) + TODO: check +CVE-2014-6817 (The Cove (aka org.covechurch.app) application 1.0.2 for Android does ...) + TODO: check +CVE-2014-6816 (The WISDOM (aka lvtu99.com.nescmxiaoniuniu) application 2.1 for ...) + TODO: check +CVE-2014-6815 (The Vouch! (aka com.voucherry.voucherry) application 2.1.6 for Android ...) + TODO: check +CVE-2014-6814 (The Sentinels Randomizer (aka com.mikehipps.sentinelsrandomizer) ...) + TODO: check +CVE-2014-6813 (The klassens (aka com.mcreda.klassens.apps) application 1.0 for ...) + TODO: check +CVE-2014-6812 (The Aloha Guide (aka com.aloha.guide.english) application 1.5 for ...) + TODO: check CVE-2014-6811 RESERVED -CVE-2014-6810 - RESERVED +CVE-2014-6810 (The RIMS 2014 Annual Conference (aka ...) + TODO: check CVE-2014-6809 - RESERVED -CVE-2014-6808 - RESERVED -CVE-2014-6807 - RESERVED -CVE-2014-6806 - RESERVED -CVE-2014-6805 - RESERVED -CVE-2014-6804 - RESERVED -CVE-2014-6803 - RESERVED -CVE-2014-6802 - RESERVED -CVE-2014-6801 - RESERVED -CVE-2014-6800 - RESERVED -CVE-2014-6799 - RESERVED -CVE-2014-6798 - RESERVED -CVE-2014-6797 - RESERVED -CVE-2014-6796 - RESERVED -CVE-2014-6795 - RESERVED -CVE-2014-6794 - RESERVED -CVE-2014-6793 - RESERVED -CVE-2014-6792 - RESERVED -CVE-2014-6791 - RESERVED -CVE-2014-6790 - RESERVED -CVE-2014-6789 - RESERVED -CVE-2014-6788 - RESERVED -CVE-2014-6787 - RESERVED -CVE-2014-6786 - RESERVED -CVE-2014-6785 - RESERVED -CVE-2014-6784 - RESERVED -CVE-2014-6783 - RESERVED -CVE-2014-6782 - RESERVED -CVE-2014-6781 - RESERVED -CVE-2014-6780 - RESERVED -CVE-2014-6779 - RESERVED -CVE-2014-6778 - RESERVED -CVE-2014-6777 - RESERVED -CVE-2014-6776 - RESERVED -CVE-2014-6775 - RESERVED -CVE-2014-6774 - RESERVED -CVE-2014-6773 - RESERVED -CVE-2014-6772 - RESERVED -CVE-2014-6771 - RESERVED -CVE-2014-6770 - RESERVED -CVE-2014-6769 - RESERVED -CVE-2014-6768 - RESERVED -CVE-2014-6767 - RESERVED -CVE-2014-6766 - RESERVED -CVE-2014-6765 - RESERVED -CVE-2014-6764 - RESERVED -CVE-2014-6763 - RESERVED -CVE-2014-6762 - RESERVED -CVE-2014-6761 - RESERVED -CVE-2014-6760 - RESERVED -CVE-2014-6759 - RESERVED -CVE-2014-6758 - RESERVED -CVE-2014-6757 - RESERVED -CVE-2014-6756 - RESERVED -CVE-2014-6755 - RESERVED -CVE-2014-6754 - RESERVED -CVE-2014-6753 - RESERVED -CVE-2014-6752 - RESERVED -CVE-2014-6751 - RESERVED -CVE-2014-6750 - RESERVED -CVE-2014-6749 - RESERVED -CVE-2014-6748 - RESERVED + REJECTED +CVE-2014-6808 (The Active 24 (aka com.zentity.app.active24) application 1.0.1 for ...) + TODO: check +CVE-2014-6807 (The OLA School (aka ...) + TODO: check +CVE-2014-6806 (The Thanodi - Setswana Translator (aka com.thanodi.thanodi) ...) + TODO: check +CVE-2014-6805 (The weibo (aka magic.weibo) application 1.2 for Android does not ...) + TODO: check +CVE-2014-6804 (The Deschutes Public MobileLibrary (aka com.bredir.boopsie.deschutes) ...) + TODO: check +CVE-2014-6803 (The Bank of Moscow EIRTS Rent (aka ru.bm.rbs.android) application ...) + TODO: check +CVE-2014-6802 (The First Assembly NLR (aka ...) + TODO: check +CVE-2014-6801 (The frank matano (aka com.frank.matano) application 1.0 for Android ...) + TODO: check +CVE-2014-6800 (The Bloom Township 206 (aka net.parentlink.bloom) application 4.0.500 ...) + TODO: check +CVE-2014-6799 (The Investigation Tool (aka gov.ca.post.lp.itool) application 1.0.0 ...) + TODO: check +CVE-2014-6798 (The McMaster Marauders (aka com.weever.marauders) application 1.0.1 ...) + TODO: check +CVE-2014-6797 (The Abu Ali Anasheeds (aka com.faapps.abuali_anasheeds) application ...) + TODO: check +CVE-2014-6796 (The LocalSense (aka com.LocalSense) application 1.2.1 for Android does ...) + TODO: check +CVE-2014-6795 (The Beekeeping Forum (aka com.tapatalk.supporttapatalkcomxxxxx) ...) + TODO: check +CVE-2014-6794 (The AAPLD (aka com.bredir.boopsie.aapld) application 4.5.110 for ...) + TODO: check +CVE-2014-6793 (The Arch Friend (aka com.xyproto.archfriend) application 0.4.2 for ...) + TODO: check +CVE-2014-6792 (The Suriname Radio (aka com.wordbox.surinameRadio) application 1.5 for ...) + TODO: check +CVE-2014-6791 (The Angel Reigns (aka ...) + TODO: check +CVE-2014-6790 (The INVEX (aka com.mobilatolye.keyinternet) application 1.0.2 for ...) + TODO: check +CVE-2014-6789 (The Anaheim Library 2Go! (aka com.bredir.boopsie.anaheim) application ...) + TODO: check +CVE-2014-6788 (The Oman News (aka com.oman.news.rmtzlnbuooordciw) application 1.0 for ...) + TODO: check +CVE-2014-6787 (The Counter Intuition (aka com.counter.intuition) application 1.2 for ...) + TODO: check +CVE-2014-6786 (The Math for Kids - Subtraction (aka it.tinytap.attsa.deepsub) ...) + TODO: check +CVE-2014-6785 (The Renny McLean Ministries (aka com.subsplash.thechurchapp.s_GJQX72) ...) + TODO: check +CVE-2014-6784 (The Fermononrespiri Mobile (aka com.tapatalk.rmonlineitforums) ...) + TODO: check +CVE-2014-6783 (The Campus Link - Campus TV HKUSU (aka com.campus.tv.hkusu) ...) + TODO: check +CVE-2014-6782 (The Abraham Tours (aka com.mytoursapp.android.app432) application ...) + TODO: check +CVE-2014-6781 (The Aloha Stadium - Hawaii (aka com.stadium.aloha) application 1.2 for ...) + TODO: check +CVE-2014-6780 (The MeiTalk (aka com.playjia.meitalk) application @7F060012 for ...) + TODO: check +CVE-2014-6779 (The Cart App (aka com.virtecha.mobilewallet) application 1.5 for ...) + TODO: check +CVE-2014-6778 (The Goat Forum (aka com.gcspublishing.goatspot) application 3.9.15 for ...) + TODO: check +CVE-2014-6777 (The blueeleph (aka eg.film.blueeleph) application 1.0 for Android does ...) + TODO: check +CVE-2014-6776 (The United Advantage NW Federal Cr (aka com.myappengine.uanwfcu) ...) + TODO: check +CVE-2014-6775 (The Light for Pets (aka com.helenwoodward.light4pets) application 1.0 ...) + TODO: check +CVE-2014-6774 (The USEK (aka com.university.usek) application 1.0.8 for Android does ...) + TODO: check +CVE-2014-6773 (The CIH Quiz game (aka com.bowenehs.cihquizgameapp) application 1.3 ...) + TODO: check +CVE-2014-6772 (The United Educational CU (aka com.metova.cuae.uecu) application ...) + TODO: check +CVE-2014-6771 (The United Heritage Mobile (aka Fi_Mobile.UHCU) application 1.1 for ...) + TODO: check +CVE-2014-6770 (The Aerospace Jobs (aka com.app_aerospacejobs.layout) application ...) + TODO: check +CVE-2014-6769 (The Meteo Belgique (aka com.mobilesoft.belgiumweather) application 3.2 ...) + TODO: check +CVE-2014-6768 (The Anywhere Anytime Yoga Workout (aka com.bayart.yoga) application ...) + TODO: check +CVE-2014-6767 (The Juggle! FREE (aka com.jakyl.juggleforfree) application 3.0.0 for ...) + TODO: check +CVE-2014-6766 (The Afro-Beat (aka com.zero.themelock.tambourine) application 0.2 for ...) + TODO: check +CVE-2014-6765 (The No Fuss Home Loans (aka ...) + TODO: check +CVE-2014-6764 (The Assyrian (aka com.b2.assyrian.activity) application 2.2 for ...) + TODO: check +CVE-2014-6763 (The Codename Birdgame (aka ...) + TODO: check +CVE-2014-6762 (The bongomovie (aka com.mbwasi.bongomovie) application 1.0 for Android ...) + TODO: check +CVE-2014-6761 (The Aprende a Meditar (aka com.rareartifact.aprendeameditar544CB0A2) ...) + TODO: check +CVE-2014-6760 (The Harem Thief Dating (aka com.haremthief.haremthief) application ...) + TODO: check +CVE-2014-6759 (The Downton Abbey Fan Portal (aka com.downton.abbey.fan.portal) ...) + TODO: check +CVE-2014-6758 (The Qin Story (aka com.kongzhong.tjmammoth.android.cqqslengp) ...) + TODO: check +CVE-2014-6757 (The Koran - AlqoranVideos (aka com.alqoran.videos.example) application ...) + TODO: check +CVE-2014-6756 (The Reddit Aww (aka org.biais.redditawww) application 1.2.1 for ...) + TODO: check +CVE-2014-6755 (The SDN Forum (TapaTalk) (aka com.tapatalk.forumshiftdeletenet) ...) + TODO: check +CVE-2014-6754 (The Vector Outage Manager (aka nz.co.vector.outagemanager) application ...) + TODO: check +CVE-2014-6753 (The sunnat e rasool (aka com.imsoft.sunnat_e_rasool) application 2.0 ...) + TODO: check +CVE-2014-6752 (The Mindless Behavior Fan Base (aka com.mindless.behavior.fan.base) ...) + TODO: check +CVE-2014-6751 (The Grasshopper Beta (aka com.grasshopper.dialer) application 2.1 for ...) + TODO: check +CVE-2014-6750 (The $0.99 Kindle Books (aka com.kindle.books.for99) application 6.0 ...) + TODO: check +CVE-2014-6749 (The American Nurses Association (aka com.dub.poweredbydub.assoc.ana) ...) + TODO: check +CVE-2014-6748 (The GEMAIRE's HVAC Assist (aka com.es.Gemaire) application 5.0 for ...) + TODO: check CVE-2014-6747 (The SeeOn (aka com.seeon) application 4.0.7 for Android does not ...) NOT-FOR-US: SeeOn (aka com.seeon) application for Android CVE-2014-6746 (The Infiniti Roadside Assistance (aka com.ccas.rsa.common.infiniti) ...) @@ -1232,10 +1362,10 @@ CVE-2014-6621 RESERVED CVE-2014-6620 RESERVED -CVE-2014-6619 - RESERVED -CVE-2014-6618 - RESERVED +CVE-2014-6619 (Multiple cross-site scripting (XSS) vulnerabilities in ...) + TODO: check +CVE-2014-6618 (Cross-site scripting (XSS) vulnerability in Your Online Shop allows ...) + TODO: check CVE-2014-6617 RESERVED CVE-2014-6616 @@ -1688,8 +1818,7 @@ CVE-2014-6389 NOT-FOR-US: PhpCompta CVE-2014-6388 RESERVED -CVE-2014-7145 [null ptr deref in SMB2_tcon] - RESERVED +CVE-2014-7145 (The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before ...) - linux <unfixed> [wheezy] - linux <not-affected> (Introduced in 3.7) - linux-2.6 <not-affected> (Introduced in 3.7) @@ -1736,24 +1865,21 @@ CVE-2014-6421 (Use-after-free vulnerability in the SDP dissector in Wireshark 1. - wireshark <unfixed> NOTE: https://www.wireshark.org/security/wnpa-sec-2014-12.html TODO: check, 1.12 series possibly not affected (only 1.10.0 to 1.10.9) -CVE-2014-6418 [libceph: missing validation of the auth reply] - RESERVED +CVE-2014-6418 (net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, ...) - linux 3.16.3-1 [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <removed> [squeeze] - linux-2.6 <not-affected> (Introduced in 2.6.34) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8 (v3.17-rc5) NOTE: http://tracker.ceph.com/issues/8979 -CVE-2014-6417 [libceph: issue of incorrect handling of kmalloc failures] - RESERVED +CVE-2014-6417 (net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, ...) [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux 3.16.3-1 - linux-2.6 <removed> [squeeze] - linux-2.6 <not-affected> (Introduced in 2.6.34) NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8 (v3.17-rc5) NOTE: http://tracker.ceph.com/issues/8979 -CVE-2014-6416 [libceph: buffer overflow] - RESERVED +CVE-2014-6416 (Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux ...) - linux 3.16.3-1 [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <removed> @@ -1764,8 +1890,7 @@ CVE-2014-6414 [Admin-only network attributes may be reset to defaults by non-pri RESERVED - neutron <unfixed> NOTE: vulnerable versions up to 2013.2.4 and 2014.1 versions up to 2014.1.2 -CVE-2014-6410 [udf: Avoid infinite loop when processing indirect ICBs] - RESERVED +CVE-2014-6410 (The __udf_read_inode function in fs/udf/inode.c in the Linux kernel ...) - linux <unfixed> [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <removed> @@ -2001,8 +2126,7 @@ CVE-2014-6280 NOT-FOR-US: OsClass CVE-2014-6279 RESERVED -CVE-2014-6278 [code execution via specially crafted environment variables] - RESERVED +CVE-2014-6278 (GNU Bash through 4.3 bash43-026 does not properly parse function ...) - bash 4.3-9.2 (high) [wheezy] - bash 4.2+dfsg-0.1+deb7u3 (high) [squeeze] - bash 4.1-3+deb6u2 (high) @@ -2012,8 +2136,7 @@ CVE-2014-6278 [code execution via specially crafted environment variables] NOTE: exploitation of this issue by making bash only use environment NOTE: variables with specific names (BASH_FUNC_*()) to define functions NOTE: from its environment. -CVE-2014-6277 [untrusted pointer use issue leading to code execution] - RESERVED +CVE-2014-6277 (GNU Bash through 4.3 bash43-026 does not properly parse function ...) - bash 4.3-9.2 [wheezy] - bash 4.2+dfsg-0.1+deb7u3 [squeeze] - bash 4.1-3+deb6u2 @@ -2034,8 +2157,7 @@ CVE-2014-6274 [S3 and Glacier remotes creds embedded in the git repo were not en - git-annex 5.20140919 [wheezy] - git-annex <not-affected> (Vulnerable code introduced in 3.20121126) NOTE: https://git-annex.branchable.com/upgrades/insecure_embedded_creds/ -CVE-2014-6273 [buffer overflow in the HTTP transport code in apt-get] - RESERVED +CVE-2014-6273 (Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and ...) {DSA-3031-1 DLA-58-1} - apt 1.0.3 CVE-2014-6272 @@ -2522,8 +2644,7 @@ CVE-2014-6057 RESERVED CVE-2014-6056 RESERVED -CVE-2014-6055 [Multiple stack overflows in File Transfer feature] - RESERVED +CVE-2014-6055 (Multiple stack-based buffer overflows in the File Transfer feature in ...) - libvncserver <unfixed> (bug #762745) NOTE: https://github.com/newsoft/libvncserver/commit/06ccdf016154fde8eccb5355613ba04c59127b2e NOTE: https://github.com/newsoft/libvncserver/commit/f528072216dec01cee7ca35d94e171a3b909e677 @@ -2541,8 +2662,7 @@ CVE-2014-6052 [Lack of malloc() return value checking on client side] RESERVED - libvncserver <unfixed> (bug #762745) NOTE: https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273 -CVE-2014-6051 [Integer overflow in MallocFrameBuffer() on client side] - RESERVED +CVE-2014-6051 (Integer overflow in the MallocFrameBuffer function in vncviewer.c in ...) - libvncserver <unfixed> (bug #762745) NOTE: https://github.com/newsoft/libvncserver/commit/045a044e8ae79db9244593fbce154cdf6e843273 CVE-2014-6050 @@ -3712,8 +3832,7 @@ CVE-2014-5462 RESERVED CVE-2014-5460 (Unrestricted file upload vulnerability in the Tribulant Slideshow ...) NOT-FOR-US: Tribulant Slideshow Gallery plugin for WordPress -CVE-2014-6269 [remote client denial of service vulnerability] - RESERVED +CVE-2014-6269 (Multiple integer overflows in the http_request_forward_body function ...) - haproxy 1.5.4-1 [squeeze] - haproxy <not-affected> (Vulnerable code not present) NOTE: http://article.gmane.org/gmane.comp.web.haproxy/17726 @@ -3778,8 +3897,7 @@ CVE-2014-5446 RESERVED CVE-2014-5445 RESERVED -CVE-2014-5444 [failure to handle certificate errors] - RESERVED +CVE-2014-5444 (Geary before 0.6.3 does not present the user with a warning when a TLS ...) - geary 0.6.3-1 NOTE: Upstream bugreport: https://bugzilla.gnome.org/show_bug.cgi?id=713247 NOTE: Upstream fix: https://git.gnome.org/browse/geary/commit/?h=geary-0.6&id=55f06a7bdcedb7efde6a516bde626ea28793ca7e @@ -4280,8 +4398,7 @@ CVE-2014-5270 [side-channel attack on Elgamal encryption subkeys] - libgcrypt11 1.5.4-1 - libgcrypt20 1.6.0-2 NOTE: http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html -CVE-2014-5267 [ code change to reject any XRDS document with a /<!DOCTYPE/i match] - RESERVED +CVE-2014-5267 (modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 ...) {DSA-2999-1} - drupal7 7.31-1 CVE-2014-5266 (The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 ...) @@ -5537,11 +5654,9 @@ CVE-2014-4730 RESERVED CVE-2014-4729 RESERVED -CVE-2014-4728 - RESERVED +CVE-2014-4728 (The web server in the TP-LINK N750 Wireless Dual Band Gigabit Router ...) NOT-FOR-US: TP-Link -CVE-2014-4727 - RESERVED +CVE-2014-4727 (Cross-site scripting (XSS) vulnerability in the DHCP clients page in ...) NOT-FOR-US: TP-Link CVE-2014-4726 (Unspecified vulnerability in the MailPoet Newsletters ...) NOT-FOR-US: wysija-newsletters @@ -6509,8 +6624,7 @@ CVE-2014-4332 RESERVED CVE-2014-4331 (Cross-site scripting (XSS) vulnerability in admin/viewer.php in ...) NOT-FOR-US: OctavoCMS -CVE-2014-4330 [stack exhaustion] - RESERVED +CVE-2014-4330 (The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 ...) - perl 5.20.1-1 (bug #762256) [wheezy] - perl <no-dsa> (Minor issue) [squeeze] - perl <no-dsa> (Minor issue) @@ -7738,16 +7852,16 @@ CVE-2014-3826 RESERVED CVE-2014-3825 RESERVED -CVE-2014-3824 - RESERVED -CVE-2014-3823 - RESERVED +CVE-2014-3824 (Cross-site scripting (XSS) vulnerability in the web server in the ...) + TODO: check +CVE-2014-3823 (The Juniper Junos Pulse Secure Access Service (SSL VPN) devices with ...) + TODO: check CVE-2014-3822 (Juniper Junos 11.4 before 11.4R8, 12.1 before 12.1R5, 12.1X44 before ...) NOT-FOR-US: Juniper Junos CVE-2014-3821 (Cross-site scripting (XSS) vulnerability in SRX Web Authentication ...) NOT-FOR-US: Juniper Junos -CVE-2014-3820 - RESERVED +CVE-2014-3820 (Cross-site scripting (XSS) vulnerability in the SSL VPN/UAC web server ...) + TODO: check CVE-2014-3819 (Juniper Junos 11.4 before 11.4R12, 12.1 before 12.1R10, 12.1X44 before ...) NOT-FOR-US: Juniper Junos CVE-2014-3818 @@ -7764,8 +7878,8 @@ CVE-2014-3813 (Unspecified vulnerability in the Juniper Networks NetScreen Firew NOT-FOR-US: Juniper Networks NetScreen Firewall CVE-2014-3812 (The Juniper Junos Pulse Secure Access Service (SSL VPN) devices with ...) NOT-FOR-US: Juniper Junos Pulse Secure Access Service -CVE-2014-3811 - RESERVED +CVE-2014-3811 (Juniper Installer Service (JIS) Client 7.x before 7.4R6 for Windows ...) + TODO: check CVE-2014-3810 (SQL injection vulnerability in administration/profiles.php in BoonEx ...) NOT-FOR-US: Dolphin (php thingy) CVE-2014-3809 @@ -8124,8 +8238,7 @@ CVE-2014-3632 RESERVED - neutron <unfixed> NOTE: Regression of fix for CVE-2013-6433, possibly Red Hat specific in RedHat Enterprise Open Stack Platform 5.0 -CVE-2014-3631 [keys: incorrect termination condition in assoc array garbage collection] - RESERVED +CVE-2014-3631 (The assoc_array_gc function in the associative-array implementation in ...) - linux 3.16.3-1 [wheezy] - linux <not-affected> (Vulnerable code introduced later) - linux-2.6 <not-affected> (Vulnerable code introduced later) @@ -8347,8 +8460,7 @@ CVE-2014-3560 (NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 [wheezy] - samba <not-affected> (Only affects 4.x) CVE-2014-3559 (The oVirt storage backend in Red Hat Enterprise Virtualization 3.4 ...) NOT-FOR-US: ovirt-engine-backend -CVE-2014-3558 - RESERVED +CVE-2014-3558 (ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in ...) - libhibernate-validator-java <unfixed> (low; bug #762690) NOTE: RedHat upgraded to new upstream versions in their security NOTE: updates. No patches are available for the 4.0.x branch we @@ -8433,8 +8545,7 @@ CVE-2014-3537 (The web interface in CUPS before 1.7.4 allows local users in the NOTE: https://www.cups.org/str.php?L4450 CVE-2014-3536 RESERVED -CVE-2014-3535 [netdevice.h: NULL pointer dereference over VxLAN] - RESERVED +CVE-2014-3535 (include/linux/netdevice.h in the Linux kernel before 2.6.36 ...) - linux <not-affected> (RHEL-specific, incomplete backport) - linux-2.6 <not-affected> (RHEL-specific, incomplete backport) NOTE: Fix: https://git.kernel.org/linus/256df2f3879efdb2e9808bdb1b54b16fbb11fa38 @@ -8927,8 +9038,8 @@ CVE-2014-3397 RESERVED CVE-2014-3396 RESERVED -CVE-2014-3395 - RESERVED +CVE-2014-3395 (Cisco WebEx Meetings Server (WMS) 2.5 allows remote attackers to ...) + TODO: check CVE-2014-3394 RESERVED CVE-2014-3393 @@ -9431,43 +9542,37 @@ CVE-2014-3188 RESERVED CVE-2014-3187 RESERVED -CVE-2014-3186 [PicoLCD HID device driver pool overflow] - RESERVED +CVE-2014-3186 (Buffer overflow in the picolcd_raw_event function in ...) - linux <unfixed> [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <not-affected> (Vulnerable code not present) NOTE: https://code.google.com/p/google-security-research/issues/detail?id=101 NOTE: Upstream fix: https://git.kernel.org/linus/844817e47eef14141cf59b8d5ac08dd11c0a9189 (v3.17-rc3) -CVE-2014-3185 [Linux Kernel Buffer Overflow in Whiteheat USB Serial Driver] - RESERVED +CVE-2014-3185 (Multiple buffer overflows in the command_port_read_callback function ...) - linux <unfixed> [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <removed> NOTE: https://code.google.com/p/google-security-research/issues/detail?id=98 NOTE: Upstream fix: https://git.kernel.org/linus/6817ae225cd650fb1c3295d769298c38b1eba818 (v3.17-rc3) -CVE-2014-3184 [Linux kernel HID report fixup multiple off-by-one issues] - RESERVED +CVE-2014-3184 (The report_fixup functions in the HID subsystem in the Linux kernel ...) - linux <unfixed> [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <removed> NOTE: https://code.google.com/p/google-security-research/issues/detail?id=91 NOTE: Upstream fix: https://git.kernel.org/linus/4ab25786c87eb20857bbb715c3ae34ec8fd6a214 (v3.17-rc2) -CVE-2014-3183 [Linux kernel hid-logitech-dj.c logi_dj_ll_raw_request heap overflow] - RESERVED +CVE-2014-3183 (Heap-based buffer overflow in the logi_dj_ll_raw_request function in ...) - linux <unfixed> [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <removed> NOTE: https://code.google.com/p/google-security-research/issues/detail?id=90 NOTE: Upstream fix: https://git.kernel.org/linus/51217e69697fba92a06e07e16f55c9a52d8e8945 (v3.17-rc2) -CVE-2014-3182 [Linux kernel hid-logitech-dj.c device_index arbitrary kfree] - RESERVED +CVE-2014-3182 (Array index error in the logi_dj_raw_event function in ...) - linux <unfixed> [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <removed> NOTE: https://code.google.com/p/google-security-research/issues/detail?id=89 NOTE: Upstream fix: https://git.kernel.org/linus/ad3e14d7c5268c2e24477c6ef54bbdf88add5d36 (v3.17-rc2) -CVE-2014-3181 [Magic Mouse HID device driver overflow] - RESERVED +CVE-2014-3181 (Multiple stack-based buffer overflows in the magicmouse_raw_event ...) - linux <unfixed> [wheezy] - linux <no-dsa> (Will be fixed in next point release) - linux-2.6 <not-affected> (Vulnerable code not present) @@ -10854,8 +10959,7 @@ CVE-2014-2641 CVE-2014-2640 RESERVED NOT-FOR-US: HP System Management Homepage -CVE-2014-2639 - RESERVED +CVE-2014-2639 (Unspecified vulnerability in HP MPIO Device Specific Module Manager ...) NOT-FOR-US: HP MPIO Device CVE-2014-2638 RESERVED @@ -16617,8 +16721,7 @@ CVE-2014-0206 (Array index error in the aio_read_events_ring function in fs/aio. - linux-2.6 <not-affected> (introduced by a31ad380bed817aa25f8830ad23e1a0480fef797) NOTE: Introduced by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a31ad380bed817aa25f8830ad23e1a0480fef797 (v3.10) NOTE: Upstream patches: https://lkml.org/lkml/2014/6/24/619 https://lkml.org/lkml/2014/6/24/623 -CVE-2014-0205 [futex: refcount issue in case of requeue] - RESERVED +CVE-2014-0205 (The futex_wait function in kernel/futex.c in the Linux kernel before ...) - linux 2.6.37 - linux-2.6 2.6.37-1 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7ada876a8703f23befbb20a7465a702ee39b1704 (v2.6.37) @@ -16736,8 +16839,7 @@ CVE-2014-0172 (Integer overflow in the check_section function in dwarf_begin_elf [wheezy] - elfutils <no-dsa> (Minor issue) CVE-2014-0171 RESERVED -CVE-2014-0170 - RESERVED +CVE-2014-0170 (Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data ...) NOT-FOR-US: Teiid CVE-2014-0169 RESERVED |