author Salvatore Bonaccorso <carnil@debian.org> 2020-08-24 16:17:56 +0200
committer Salvatore Bonaccorso <carnil@debian.org> 2020-08-24 16:17:56 +0200
commit 9ec1e4c263d8c3936840260dd4ec05ed8a8a9216 (patch)
tree 2fffd62f666d746eb1c862089a2436dde34762fa /data/CVE/2015.list
parent c0adeec9dbb1f0c55f961a286d8b3d575b6c2242 (diff)
Use HTTPS transport for www.openwall.com/lists/oss-security URLs
Diffstat (limited to 'data/CVE/2015.list')
-rw-r--r-- data/CVE/2015.list 712
1 file changed, 356 insertions, 356 deletions
diff --git a/data/CVE/2015.list b/data/CVE/2015.list
index b724f87810..00a5e2c97f 100644
--- a/data/CVE/2015.list
+++ b/data/CVE/2015.list
@@ -1224,7 +1224,7 @@ CVE-2015-8979 (Stack-based buffer overflow in the parsePresentationContext funct
NOTE: 3.6.1~20160216-2 is the first version in unstable containing the fix
NOTE: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php
NOTE: Fixed by: https://github.com/commontk/DCMTK/commit/1b6bb76
- NOTE: http://www.openwall.com/lists/oss-security/2016/12/17/2
+ NOTE: https://www.openwall.com/lists/oss-security/2016/12/17/2
CVE-2015-8978 (In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, ...)
{DLA-723-1}
- libsoap-lite-perl 1.19-1
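Review bot: the rewrite is scoped to www.openwall.com only, so the reference `NOTE: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php` two lines above the changed line stays plain http. That matches the commit message, but the message does not say how the replacement was produced or whether the remaining http hosts in this file get the same treatment; recording the host-by-host approach (rewrite a host only after confirming it serves the same paths over HTTPS) would make the leftover references read as deliberate rather than missed.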
@@ -1250,7 +1250,7 @@ CVE-2015-8971 (Terminology 0.7.0 allows remote attackers to execute arbitrary co
{DSA-3712-1}
- terminology 0.7.0-2 (bug #843434)
NOTE: https://git.enlightenment.org/apps/terminology.git/commit/?id=b80bedc7c21ecffe99d8d142930db696eebdd6a5
- NOTE: http://www.openwall.com/lists/oss-security/2016/11/04/12
+ NOTE: https://www.openwall.com/lists/oss-security/2016/11/04/12
CVE-2015-8969 (git-fastclone before 1.0.5 passes user modifiable strings directly to ...)
NOT-FOR-US: git-fastclone
CVE-2015-8968 (git-fastclone before 1.0.1 permits arbitrary shell command execution f ...)
@@ -1264,7 +1264,7 @@ CVE-2015-8970 (crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not
NOTE: Fixed by: https://git.kernel.org/linus/dd504589577d8e8e70f51f997ad487a4cb6c026f (v4.5-rc1)
NOTE: Followed by a complete set of related upstrema commits. See kernel-sec
NOTE: triage for details.
- NOTE: http://www.openwall.com/lists/oss-security/2016/11/03/6
+ NOTE: https://www.openwall.com/lists/oss-security/2016/11/03/6
CVE-2015-8967 (arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local us ...)
- linux 4.0.2-1 (unimportant)
NOTE: Fixed by: https://git.kernel.org/linus/c623b33b4e9599c6ac5076f7db7369eb9869aa04 (v4.0-rc1)
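Review bot: the context line `NOTE: Followed by a complete set of related upstrema commits. See kernel-sec` has a typo (`upstrema` for `upstream`) that this hunk sits next to but does not fix. Keeping a mechanical URL sweep free of unrelated edits is the right call, so flag it for a separate typo-fix commit rather than folding it in here.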
@@ -1340,7 +1340,7 @@ CVE-2015-8957 (Buffer overflow in ImageMagick before 6.9.0-4 Beta allows remote
NOTE: https://github.com/ImageMagick/ImageMagick/commit/78f82d9d1c2944725a279acd573a22168dc6e22a
NOTE: https://github.com/ImageMagick/ImageMagick/commit/bd96074b254c6607a0f7731e59f923ad19d5a46d
NOTE: https://github.com/ImageMagick/ImageMagick/commit/450bd716ed3b9186dd10f9e60f630a3d9eeea2a4
- NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/08/07/1
CVE-2015-8958 (coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote attacker ...)
{DSA-3652-1 DLA-731-1}
- imagemagick 8:6.9.6.2+dfsg-2 (bug #832465)
@@ -1349,14 +1349,14 @@ CVE-2015-8958 (coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote att
NOTE: https://github.com/ImageMagick/ImageMagick/commit/1aa0c6dab6dcef4d9bc3571866ae1c1ddbec7d8f
NOTE: https://github.com/ImageMagick/ImageMagick/commit/6b4aff0f117b978502ee5bcd6e753c17aec5a961
NOTE: https://github.com/ImageMagick/ImageMagick/commit/8ea44b48a182dd46d018f4b4f09a5e2ee9638105
- NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/08/07/1
CVE-2015-8959 (coders/dds.c in ImageMagick before 6.9.0-4 Beta allows remote attacker ...)
{DSA-3652-1 DLA-731-1}
- imagemagick 8:6.9.6.2+dfsg-2 (bug #832944)
NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26861
NOTE: https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110
NOTE: https://github.com/ImageMagick/ImageMagick/commit/9b428b7af688fe319320aed15f2b94281d1e37b4
- NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/08/07/1
CVE-2015-8949 (Use-after-free vulnerability in the my_login function in DBD::mysql be ...)
{DSA-3635-1 DLA-576-1}
- libdbd-mysql-perl 4.035-1
@@ -1379,7 +1379,7 @@ CVE-2015-8946 (ecryptfs-setup-swap in eCryptfs before 111 does not prevent the u
[wheezy] - ecryptfs-utils <no-dsa> (Only happens if using systemd v207 onward)
NOTE: https://launchpad.net/bugs/1447282
NOTE: Fixed by: https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/857
- NOTE: http://www.openwall.com/lists/oss-security/2016/07/13/2
+ NOTE: https://www.openwall.com/lists/oss-security/2016/07/13/2
CVE-2015-8945 (openshift-node in OpenShift Origin 1.1.6 and earlier improperly stores ...)
NOT-FOR-US: OpenShift
CVE-2015-8944 (The ioresources_init function in kernel/resource.c in the Linux kernel ...)
@@ -1403,7 +1403,7 @@ CVE-2015-8936 (Cross-site scripting (XSS) vulnerability in squidGuard.cgi in squ
- squidguard 1.5-5 (unimportant)
NOTE: Only affects an example script
NOTE: Fix applied: 16_XSS-security-bugfix.patch in 1.5-5
- NOTE: http://www.openwall.com/lists/oss-security/2016/06/20/2
+ NOTE: https://www.openwall.com/lists/oss-security/2016/06/20/2
CVE-2015-8935 (The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x ...)
- php5 5.6.6+dfsg-1
[wheezy] - php5 5.4.38-0+deb7u1
@@ -1605,8 +1605,8 @@ CVE-2015-8896 (Integer truncation issue in coders/pict.c in ImageMagick before 7
[wheezy] - imagemagick 8:6.7.7.10-5+deb7u4
NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803
NOTE: https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/07/2
- NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/07/2
+ NOTE: https://www.openwall.com/lists/oss-security/2016/02/22/4
CVE-2015-8895 (Integer overflow in coders/icon.c in ImageMagick 6.9.1-3 and later all ...)
{DLA-353-1}
- imagemagick 8:6.8.9.9-7 (bug #806441)
@@ -1614,8 +1614,8 @@ CVE-2015-8895 (Integer overflow in coders/icon.c in ImageMagick 6.9.1-3 and late
[wheezy] - imagemagick 8:6.7.7.10-5+deb7u4
NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747
NOTE: https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/07/2
- NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/07/2
+ NOTE: https://www.openwall.com/lists/oss-security/2016/02/22/4
NOTE: The issue is only exploitable on 32 bit architectures.
CVE-2015-8894 (Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and lat ...)
- imagemagick 8:6.8.9.9-6 (bug #806442; bug #799524)
@@ -1624,8 +1624,8 @@ CVE-2015-8894 (Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 an
[squeeze] - imagemagick <not-affected> (Can't reproduce crash with file)
NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362
NOTE: https://github.com/ImageMagick/ImageMagick/commit/4f68e9661518463fca523c9726bb5d940a2aa6d8
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/07/2
- NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/07/2
+ NOTE: https://www.openwall.com/lists/oss-security/2016/02/22/4
NOTE: The problem can only be triggered with recent versions of ImageMagick (8:6.9.1.2-1 in experimental is vulnerable, 8:6.8.9.9-6 in sid is not vulnerable, older versions are not vulnerable)
CVE-2015-8893 (app/aboot/aboot.c in the Qualcomm bootloader in Android before 2016-07 ...)
NOT-FOR-US: Qualcomm components for Android
@@ -1719,7 +1719,7 @@ CVE-2015-8869 (OCaml before 4.03.0 does not properly handle sign extensions, whi
- ocaml 4.02.3-9 (bug #824139)
[jessie] - ocaml <no-dsa> (Minor issue; can be fixed via point release and sheduling binNMUs there)
NOTE: https://github.com/ocaml/ocaml/commit/659615c7b100a89eafe6253e7a5b9d84d0e8df74#diff-a97df53e3ebc59bb457191b496c90762
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/29/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/29/1
NOTE: Ocaml applications using the patched functions need to be recompiled with the
NOTE: fixed ocaml version.
CVE-2015-8864 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1 ...)
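Review bot: same kind of typo in this hunk's context, `[jessie] - ocaml <no-dsa> (Minor issue; can be fixed via point release and sheduling binNMUs there)` should read `scheduling`; again best handled in a follow-up rather than in this URL-only commit.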
@@ -1729,7 +1729,7 @@ CVE-2015-8864 (Cross-site scripting (XSS) vulnerability in Roundcube Webmail bef
NOTE: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
NOTE: https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
NOTE: https://github.com/roundcube/roundcubemail/commit/7bbefdb63b12e2344cf1cb87aeb6e3933b4063e0 (release-1.1)
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/23/3
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/23/3
NOTE: https://lists.debian.org/debian-lts/2016/06/msg00159.html
CVE-2015-8862 (mustache package before 2.2.1 for Node.js allows remote attackers to c ...)
- mustache.js <unfixed> (unimportant)
@@ -1763,7 +1763,7 @@ CVE-2015-8866 (ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6,
NOTE: http://framework.zend.com/security/advisory/ZF2015-06 -> Relation to CVE-2015-5161
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
NOTE: Fixed in 5.6.6, 5.5.22
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/21/8
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/21/8
CVE-2015-8867 (The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in P ...)
- php7.0 7.0.0-1
- php5 5.6.12+dfsg-1
@@ -1773,20 +1773,20 @@ CVE-2015-8867 (The openssl_random_pseudo_bytes function in ext/openssl/openssl.c
NOTE: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
NOTE: Fixed in 7.0.0, 5.6.12, 5.5.28, 5.5.44
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/21/8
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/21/8
CVE-2015-8853 (The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in ...)
- perl 5.22.1-1 (bug #821848)
[jessie] - perl 5.20.2-3+deb8u5
[wheezy] - perl <no-dsa> (Minor issue)
NOTE: https://rt.perl.org/Public/Bug/Display.html?id=123562
NOTE: http://perl5.git.perl.org/perl.git/commitdiff/22b433eff9a1ffa2454e18405a56650f07b385b5
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/20/5
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/20/5
CVE-2015-8863 (Off-by-one error in the tokenadd function in jv_parse.c in jq allows r ...)
- jq 1.5+dfsg-1.1 (low; bug #802231)
[jessie] - jq 1.4-2.1+deb8u1
NOTE: https://github.com/stedolan/jq/issues/995
NOTE: https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/23/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/23/1
CVE-2015-8850
RESERVED
CVE-2015-8849
@@ -1825,7 +1825,7 @@ CVE-2015-8868 (Heap-based buffer overflow in the ExponentialFunction::Exponentia
- poppler 0.38.0-3 (bug #822578)
NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=93476
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/12/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/12/1
CVE-2015-8841 (Heap-based buffer overflow in the Archive support module in ESET NOD32 ...)
NOT-FOR-US: ESET NOD32
CVE-2015-8840 (The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does ...)
@@ -1851,7 +1851,7 @@ CVE-2015-8865 (The file_check_mem function in funcs.c in file before 5.23, as us
NOTE: https://bugs.php.net/bug.php?id=71527
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e
NOTE: PHP fixed in 7.0.5, 5.6.20, 5.5.34
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/7
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/11/7
NOTE: Fix in HHVM: https://github.com/facebook/hhvm/commit/4e614ba041e24af8351afbb49c92444c0850f23b
CVE-2015-8839 (Multiple race conditions in the ext4 filesystem implementation in the ...)
{DLA-2241-1}
@@ -1897,19 +1897,19 @@ CVE-2015-8833 (Use-after-free vulnerability in the create_smp_dialog function in
NOTE: https://bugs.otr.im/issues/128
NOTE: Fixed by: https://bugs.otr.im/projects/pidgin-otr/repository/revisions/aaf551b9dd5cbba8c4abaa3d4dc7ead860efef94
NOTE: Introduced by: https://bugs.otr.im/projects/pidgin-otr/repository/revisions/c276bfa786bef8a4572a37d5633cf40f480d3ae0
- NOTE: http://www.openwall.com/lists/oss-security/2016/03/09/8
+ NOTE: https://www.openwall.com/lists/oss-security/2016/03/09/8
CVE-2015-8832 (Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.cor ...)
- dotclear <removed> (bug #815979)
NOTE: https://hg.dotclear.org/dotclear/rev/198580bc3d80
NOTE: https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2
NOTE: Fixed upstream in 2.8.2
- NOTE: http://www.openwall.com/lists/oss-security/2016/03/05/4
+ NOTE: https://www.openwall.com/lists/oss-security/2016/03/05/4
CVE-2015-8831 (Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotc ...)
- dotclear <removed> (bug #815979)
NOTE: https://hg.dotclear.org/dotclear/rev/65e65154dadf
NOTE: https://dotclear.org/blog/post/2015/10/25/Dotclear-2.8.2
NOTE: Fixed upstream in 2.8.2
- NOTE: http://www.openwall.com/lists/oss-security/2016/03/05/4
+ NOTE: https://www.openwall.com/lists/oss-security/2016/03/05/4
CVE-2015-8829
REJECTED
CVE-2015-8828
@@ -1938,7 +1938,7 @@ CVE-2015-8818 (The cpu_physical_memory_write_rom_internal function in exec.c in
[wheezy] - qemu <not-affected> (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
[squeeze] - qemu <not-affected> (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
- qemu-kvm <not-affected> (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
- NOTE: http://www.openwall.com/lists/oss-security/2016/03/01/10
+ NOTE: https://www.openwall.com/lists/oss-security/2016/03/01/10
NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=b242e0e0e2969c044a318e56f7988bbd84de1f63 (v2.4.0-rc0)
NOTE: same patchset than CVE-2015-8817
NOTE: https://lists.gnu.org/archive/html/qemu-stable/2016-01/msg00065.html
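Review bot: the trailing context `NOTE: same patchset than CVE-2015-8817` should read `same patchset as CVE-2015-8817`. The `http://git.qemu.org/?p=qemu.git;a=commit;h=b242e0e0...` reference directly after the changed line is correctly left alone by a commit scoped to openwall, but git.qemu.org appears in several hunks of this file and is a natural next host for the same sweep once it has been checked for HTTPS.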
@@ -1948,7 +1948,7 @@ CVE-2015-8817 (QEMU (aka Quick Emulator) built to use 'address_space_translate'
[wheezy] - qemu <not-affected> (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
[squeeze] - qemu <not-affected> (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
- qemu-kvm <not-affected> (Affects Qemu versions >= 1.6.0 and <= 2.3.1)
- NOTE: http://www.openwall.com/lists/oss-security/2016/03/01/10
+ NOTE: https://www.openwall.com/lists/oss-security/2016/03/01/10
NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=c3c1bb99d1c11978d9ce94d1bdcf0705378c1459 (v2.3.0-rc1)
NOTE: https://lists.gnu.org/archive/html/qemu-stable/2016-01/msg00060.html
NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=23820dbfc79d1c9dce090b4c555994f2bb6a69b3 (v2.4.0-rc0)
@@ -1956,7 +1956,7 @@ CVE-2015-8817 (QEMU (aka Quick Emulator) built to use 'address_space_translate'
CVE-2015-8852 (Varnish 3.x before 3.0.7, when used in certain stacked installations, ...)
{DSA-3553-1}
- varnish 4.0.0-1 (bug #783510)
- NOTE: http://www.openwall.com/lists/oss-security/2016/04/16/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/04/16/1
NOTE: fixed in 3.0.7 upstream, mark as fixed with first 4.x version in unstable
NOTE: 4.x not affected
CVE-2015-8857 (The uglify-js package before 2.4.24 for Node.js does not properly acco ...)
@@ -2012,7 +2012,7 @@ CVE-2015-8812 (drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before
{DSA-3503-1 DLA-439-1}
- linux 4.4.2-1
- linux-2.6 <removed>
- NOTE: http://www.openwall.com/lists/oss-security/2016/02/11/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/02/11/1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303532
NOTE: Fixed by: https://git.kernel.org/linus/67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 (v4.5-rc1)
NOTE: Introduced by: https://git.kernel.org/linus/04b5d028f50ff05a8f9ae049ee71f8fdfcf1f5de (v2.6.30-rc2)
@@ -2025,7 +2025,7 @@ CVE-2015-8809
CVE-2015-8808 (The DecodeImage function in coders/gif.c in GraphicsMagick 1.3.18 allo ...)
{DSA-3746-1 DLA-484-1}
- graphicsmagick 1.3.21-2
- NOTE: http://www.openwall.com/lists/oss-security/2016/02/06/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/02/06/1
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e8fa353f53
CVE-2015-8802
REJECTED
@@ -2041,7 +2041,7 @@ CVE-2015-8807 (Cross-site scripting (XSS) vulnerability in the _renderVarInput_n
{DSA-3496-1}
- php-horde-core 2.22.4+debian0-1 (bug #813590)
NOTE: https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253
- NOTE: http://www.openwall.com/lists/oss-security/2016/02/06/4
+ NOTE: https://www.openwall.com/lists/oss-security/2016/02/06/4
CVE-2015-8806 (dict.c in libxml2 allows remote attackers to cause a denial of service ...)
{DSA-3593-1 DLA-503-1}
- libxml2 2.9.3+dfsg1-1.1 (bug #813613)
@@ -2108,7 +2108,7 @@ CVE-2015-XXXX [Type Confusion Vulnerability in PHP_to_XMLRPC_worker()]
NOTE: Workaround entry for DLA-533-1 until CVE is assigned
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=f3c1863aa2721343245b63ac7bd68cfdc3dd41f3
NOTE: https://bugs.php.net/bug.php?id=70728
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/03/3
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/02/03/3
CVE-2015-XXXX [Session WDDX Packet Deserialization Type Confusion Vulnerability]
- php5 5.6.17+dfsg-1
[jessie] - php5 5.6.17+dfsg-0+deb8u1
@@ -2116,7 +2116,7 @@ CVE-2015-XXXX [Session WDDX Packet Deserialization Type Confusion Vulnerability]
NOTE: Workaround entry for DLA-533-1 until CVE is assigned
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=1785d2b805f64eaaacf98c14c9e13107bf085ab1
NOTE: https://bugs.php.net/bug.php?id=70741
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/03/3
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/02/03/3
CVE-2015-XXXX [Use-after-free in WDDX Packet Deserialization]
- php5 5.6.17+dfsg-1
[jessie] - php5 5.6.17+dfsg-0+deb8u1
@@ -2124,7 +2124,7 @@ CVE-2015-XXXX [Use-after-free in WDDX Packet Deserialization]
NOTE: Workaround entry for DLA-533-1 until CVE is assigned
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=366f9505a4aae98ef2f4ca39a838f628a324b746
NOTE: https://bugs.php.net/bug.php?id=70661
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/02/03/3
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/02/03/3
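Review bot: this and the two preceding hunks show the replacement also catching URLs that are not at the start of the NOTE text (`NOTE: CVE Request: https://...`), so the match is on the URL rather than the line prefix, which is what we want. All three entries are `CVE-2015-XXXX` placeholders marked `Workaround entry for DLA-533-1 until CVE is assigned`; since the sweep touches them anyway, it is worth checking whether identifiers have since been assigned so the placeholders can be retired in a follow-up.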
CVE-2015-8792 (The KaxInternalBlock::ReadData function in libMatroska before 1.4.4 al ...)
{DSA-3526-1 DLA-420-1}
- libmatroska 1.4.4-1
@@ -2147,7 +2147,7 @@ CVE-2015-8787 (The nf_nat_redirect_ipv4 function in net/netfilter/nf_nat_redirec
NOTE: https://lkml.org/lkml/2015/12/2/618
NOTE: Introduced by: https://git.kernel.org/linus/8b13eddfdf04cbfa561725cfc42d6868fe896f56 (v3.19-rc1)
NOTE: Fixed by: https://git.kernel.org/linus/94f9cd81436c85d8c3a318ba92e236ede73752fc (v4.4-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/27/6
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/27/6
CVE-2015-8786 (The Management plugin in RabbitMQ before 3.6.1 allows remote authentic ...)
- rabbitmq-server 3.6.5-1
[jessie] - rabbitmq-server <no-dsa> (Minor issue)
@@ -2161,21 +2161,21 @@ CVE-2015-8783 (tif_luv.c in libtiff allows attackers to cause a denial of servic
- tiff3 <removed>
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522
NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/3
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/3
CVE-2015-8782 (tif_luv.c in libtiff allows attackers to cause a denial of service (ou ...)
{DSA-3467-1 DLA-880-1 DLA-405-1}
- tiff 4.0.6-1
- tiff3 <removed>
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522
NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/3
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/3
CVE-2015-8781 (tif_luv.c in libtiff allows attackers to cause a denial of service (ou ...)
{DSA-3467-1 DLA-880-1 DLA-405-1}
- tiff 4.0.6-1
- tiff3 <removed>
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2522#0
NOTE: Commit: https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/3
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/3
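Review bot: style nit in context, not in the change: CVE-2015-8781's reference `http://bugzilla.maptools.org/show_bug.cgi?id=2522#0` carries a `#0` fragment while the otherwise identical reference in CVE-2015-8783 and CVE-2015-8782 does not. If the fragment is not meaningful, normalising it in a separate cleanup would keep the three duplicated libtiff entries byte-identical and easier to compare.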
CVE-2015-8784 (The NeXTDecode function in tif_next.c in LibTIFF allows remote attacke ...)
{DSA-3467-1 DLA-880-1 DLA-405-1}
- tiff 4.0.6-1
@@ -2184,7 +2184,7 @@ CVE-2015-8784 (The NeXTDecode function in tif_next.c in LibTIFF allows remote at
NOTE: Can be reproduced with tiff compiled with AddressSanitizer
NOTE: and the same reproducer file http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
NOTE: Commit: https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/4
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/4
CVE-2015-XXXX [buffer overflows in init_cups]
- cups-filters 1.6.0-1 (unimportant)
- foomatic-filters <unfixed> (unimportant)
@@ -2264,7 +2264,7 @@ CVE-2015-8767 (net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not
[wheezy] - linux 3.2.73-2+deb7u3
- linux-2.6 <removed>
NOTE: https://git.kernel.org/linus/635682a14427d241bab7bbdeebb48a7d7b91638e (v4.3-rc4)
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/11/4
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/11/4
CVE-2015-XXXX [use after free / double free]
- lighttpd 1.4.39-1
[jessie] - lighttpd <not-affected> (Regression introduced in 1.4.36)
@@ -2317,7 +2317,7 @@ CVE-2015-8604 (SQL injection vulnerability in the host_new_graphs function in gr
{DSA-3494-1 DLA-386-1}
- cacti 0.8.8f+ds1-4
NOTE: http://bugs.cacti.net/view.php?id=2652
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/04/8
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/04/8
CVE-2015-8742 (The dissect_CPMSetBindings function in epan/dissectors/packet-mswsp.c ...)
- wireshark 2.0.1+g59ea380-1
[jessie] - wireshark <not-affected> (Only affects 2.x)
@@ -2601,7 +2601,7 @@ CVE-2015-8743 (QEMU (aka Quick Emulator) built with the NE2000 device emulation
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1264929
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00050.html
NOTE: Introduced by (at least after): http://git.qemu.org/?p=qemu.git;a=commit;h=69b910399a3c40620a5213adaeb14a37366d97ac
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/04/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/04/1
CVE-2015-8706
RESERVED
CVE-2015-8705 (buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logg ...)
@@ -2624,7 +2624,7 @@ CVE-2015-8701 (QEMU (aka Quick Emulator) built with the Rocker switch emulation
[wheezy] - qemu <not-affected> (Vulnerable code introduced after qemu 2.3)
[squeeze] - qemu <not-affected> (Vulnerable code introduced after qemu 2.3)
- qemu-kvm <not-affected> (Vulnerable code introduced after qemu 2.3)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/28/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/28/6
CVE-2015-8700
RESERVED
CVE-2015-8699 (Multiple cross-site scripting (XSS) vulnerabilities in CA Release Auto ...)
@@ -2808,13 +2808,13 @@ CVE-2015-8683 (The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0
{DSA-3467-1 DLA-610-1 DLA-402-1}
- tiff 4.0.6-1 (bug #809021)
- tiff3 <removed>
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/25/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/25/1
NOTE: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
CVE-2015-8665 (tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a den ...)
{DSA-3467-1 DLA-610-1 DLA-402-1}
- tiff 4.0.6-1 (bug #808968)
- tiff3 <removed>
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/24/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/24/2
NOTE: https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
CVE-2015-8666 (Heap-based buffer overflow in QEMU, when built with the Q35-chipset-ba ...)
{DLA-1497-1}
@@ -2826,7 +2826,7 @@ CVE-2015-8666 (Heap-based buffer overflow in QEMU, when built with the Q35-chips
[wheezy] - qemu-kvm <no-dsa> (Minor issue)
NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb (v2.5.0-rc1)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1283722
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/24/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/24/1
NOTE: Vulnerable code introduced after 0.14.50: http://git.qemu.org/?p=qemu.git;a=commit;h=23910d3f669d46073b403876e30a7314599633af
CVE-2015-8660 (The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel t ...)
- linux 4.3.3-3
@@ -2835,7 +2835,7 @@ CVE-2015-8660 (The ovl_setattr function in fs/overlayfs/inode.c in the Linux ker
- linux-2.6 <not-affected> (Vulnerable code not present)
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=acff81ec2c79492b180fade3c2894425cd35a545 (v4.4-rc4)
NOTE: OverlayFS introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c (v3.18-rc2)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/23/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/23/5
CVE-2015-8659 (The idle stream handling in nghttp2 before 1.6.0 allows attackers to h ...)
- nghttp2 1.6.0-1
[jessie] - nghttp2 <not-affected> (Vulnerable code introduced later)
@@ -2887,11 +2887,11 @@ CVE-2015-8617 (Format string vulnerability in the zend_throw_or_error function i
CVE-2015-8616 (Use-after-free vulnerability in the Collator::sortWithSortKeys functio ...)
- php7.0 7.0.1-1
NOTE: https://bugs.php.net/bug.php?id=71020
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/22/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/22/4
CVE-2015-8697 (stalin 0.11-5 allows local users to write to arbitrary files. ...)
- stalin <unfixed> (unimportant; bug #808730)
[squeeze] - stalin <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/27/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/27/1
NOTE: Not exploitable with kernel hardening since wheezy
CVE-2015-8708 (Stack-based buffer overflow in the conv_euctojis function in codeconv. ...)
- claws-mail 3.13.1-1.1 (bug #811048)
@@ -2922,7 +2922,7 @@ CVE-2015-8613 (Stack-based buffer overflow in the megasas_ctrl_get_info function
- qemu-kvm <not-affected> (Vulnerable code not present)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1284008
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/21/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/21/7
NOTE: LSI Megaraid SAS HBA emulation introduced in http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e8f943c3bcc2a578bfd30b825f2ebaf345c63a09 (v1.2.0-rc0)
CVE-2015-8618 (The Int.Exp Montgomery code in the math/big library in Go 1.5.x before ...)
- golang 2:1.5.3-1 (bug #809168)
@@ -2930,7 +2930,7 @@ CVE-2015-8618 (The Int.Exp Montgomery code in the math/big library in Go 1.5.x b
[wheezy] - golang <not-affected> (Introduced in 1.5 release)
NOTE: https://go-review.googlesource.com/#/c/17672/
NOTE: Introduced in 1.5 release. Fixed in 1.5.3 upstream.
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/21/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/21/6
CVE-2015-8615 (The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 doe ...)
{DLA-479-1}
- xen 4.8.0~rc3-1 (bug #823620)
@@ -3001,13 +3001,13 @@ CVE-2015-8612 (The EnableNetwork method in the Network class in plugins/mechanis
[squeeze] - blueman <not-affected> (vulnerable code not present)
NOTE: https://twitter.com/thegrugq/status/677809527882813440
NOTE: https://github.com/blueman-project/blueman/commit/a3845bbed5fdddf14daec436b7e74f62719a71c1
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/18/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/18/6
CVE-2015-8709 (** DISPUTED ** kernel/ptrace.c in the Linux kernel through 4.4.1 misha ...)
- linux 4.3.3-3
[jessie] - linux 3.16.7-ckt20-1+deb8u2
[wheezy] - linux <not-affected> (Vulnerable code not present)
- linux-2.6 <not-affected> (Vulnerable code not present)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/12/17/12
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/12/17/12
NOTE: https://lkml.org/lkml/2015/12/12/259
CVE-2015-8591
REJECTED
@@ -3151,7 +3151,7 @@ CVE-2015-8569 (The (1) pptp_bind and (2) pptp_connect functions in drivers/net/p
- linux 4.3.3-3
- linux-2.6 <removed>
[squeeze] - linux-2.6 <not-affected> (Vulnerable code introduced later)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/15/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/15/7
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=09ccfd238e5a0e670d8178cf50180ea81ae09ae1 (v4.4-rc6)
NOTE: pptp_{connect,bind} introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=00959ade36acadc00e757f87060bf6e4501d545f (v2.6.37-rc1)
NOTE: https://lkml.org/lkml/2015/12/14/252
@@ -3162,7 +3162,7 @@ CVE-2015-8568 (Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual
[squeeze] - qemu <not-affected> (Vulnerable code not present)
- qemu-kvm <not-affected> (Vulnerable code not present)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/15/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/15/4
CVE-2015-8567 (Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause ...)
{DSA-3471-1}
- qemu 1:2.5+dfsg-3 (bug #808145)
@@ -3170,7 +3170,7 @@ CVE-2015-8567 (Memory leak in net/vmxnet3.c in QEMU allows remote attackers to c
[squeeze] - qemu <not-affected> (Vulnerable code not present)
- qemu-kvm <not-affected> (Vulnerable code not present)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/15/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/15/4
CVE-2015-8559 (The knife bootstrap command in chef leaks the validator.pem private RS ...)
- chef <removed> (low; bug #809670)
[buster] - chef <ignored> (Minor issue; workaround using validatorless bootstrapping)
@@ -3179,7 +3179,7 @@ CVE-2015-8559 (The knife bootstrap command in chef leaks the validator.pem priva
[wheezy] - chef <ignored> (Minor issue; workaround using validatorless bootstrapping)
NOTE: https://github.com/chef/chef/issues/3871
NOTE: https://github.com/chef/chef/pull/8885
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/14/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/14/10
NOTE: Workaround: use validatorless bootstrapping
CVE-2015-8558 (The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows loca ...)
{DSA-3471-1 DSA-3470-1 DSA-3469-1}
@@ -3188,13 +3188,13 @@ CVE-2015-8558 (The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/14/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/14/9
CVE-2015-8557 (The FontManager._get_nix_font_path function in formatters/img.py in Py ...)
{DSA-3445-1 DLA-369-1}
- pygments 2.0.1+dfsg-2 (bug #802828)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1276321
NOTE: https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92f
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/14/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/14/6
CVE-2015-8548 (Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as ...)
{DSA-3418-1}
- chromium-browser 47.0.2526.80-1
@@ -3210,7 +3210,7 @@ CVE-2015-8542 (An issue was discovered in Open-Xchange Guard before 2.2.0-rev8.
NOT-FOR-US: Open-Xchange
CVE-2015-8556 (Local privilege escalation vulnerability in the Gentoo QEMU package be ...)
- qemu <not-affected> (Issue specific to virtfs-proxy-helper in Gentoo installed suid)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/14/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/14/5
CVE-2015-8785 (The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kern ...)
{DSA-3503-1 DLA-412-1}
- linux 4.3.5-1
@@ -3218,7 +3218,7 @@ CVE-2015-8785 (The fuse_fill_write_pages function in fs/fuse/file.c in the Linux
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3ca8138f014a913f98e6ef40e939868e1e9ea876 (v4.4-rc5)
NOTE: Introduced in: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ea9b9907b82a09bd1a708004454f7065de77c5b0 (v2.6.26-rc1)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1290642
- NOTE: http://www.openwall.com/lists/oss-security/2016/01/24/1
+ NOTE: https://www.openwall.com/lists/oss-security/2016/01/24/1
CVE-2015-XXXX [remotely triggerable crash]
- ruby-eventmachine 1.0.7-1 (bug #678512; bug #696015)
[jessie] - ruby-eventmachine 1.0.3-6+deb8u1
@@ -3231,12 +3231,12 @@ CVE-2015-8560 (Incomplete blacklist vulnerability in util.c in foomatic-rip in c
[wheezy] - cups-filters <not-affected> (Vulnerable code not present; introduced in 1.0.42)
- foomatic-filters 4.0.17-7 (bug #807993)
NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7419
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/13/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/13/2
CVE-2015-9097 (The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is ...)
{DLA-489-1}
- ruby-mail 2.6.1+dfsg1-1
NOTE: https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/12/11/3
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/12/11/3
NOTE: Fixed in 2.6.0
NOTE: "Note that, this patch might not be complete ..." https://bugzilla.redhat.com/show_bug.cgi?id=1293598
CVE-2015-8547 (The CoreUserInputHandler::doMode function in core/coreuserinputhandler ...)
@@ -3247,7 +3247,7 @@ CVE-2015-8547 (The CoreUserInputHandler::doMode function in core/coreuserinputha
NOTE: https://github.com/quassel/quassel/commit/b8edbda019eeb99da8663193e224efc9d1265dc7
NOTE: Support for oping a whole channel with /op * was only added in
NOTE: https://github.com/quassel/quassel/commit/7ecbc1bf921880f7b03af779de7d9611853a0d46 (0.10-beta1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/12/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/12/1
CVE-2015-8541
RESERVED
CVE-2015-8536 (MITRE is populating this ID because it was assigned prior to Lenovo be ...)
@@ -3259,7 +3259,7 @@ CVE-2015-8534 (MITRE is populating this ID because it was assigned prior to Leno
CVE-2015-8540 (Integer underflow in the png_check_keyword function in pngwutil.c in l ...)
{DSA-3443-1 DLA-375-1}
- libpng <removed> (bug #807694)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/10/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/10/6
NOTE: https://sourceforge.net/p/libpng/bugs/244/
NOTE: http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/
NOTE: Fixed in 1.0.66, 1.2.56, 1.4.19, and 1.5.26
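Review bot: the two sourceforge.net references on the unchanged lines directly under the changed one use different schemes, https://sourceforge.net/p/libpng/bugs/244/ and http://sourceforge.net/p/libpng/code/ci/..., so the entry still mixes plain and TLS links after this hunk. This commit is scoped to www.openwall.com, so leaving them is fine here, but a follow-up sweep over the other hosts that already serve HTTPS would remove the inconsistency.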
@@ -3269,7 +3269,7 @@ CVE-2015-8543 (The networking implementation in the Linux kernel through 4.3.3,
[jessie] - linux 3.16.7-ckt20-1+deb8u1
[wheezy] - linux 3.2.73-2+deb7u2
- linux-2.6 <removed>
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/09/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/09/3
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79462ad02e861803b3840cc782248c7359451cd9 (v4.4-rc6)
CVE-2015-8539 (The KEYS subsystem in the Linux kernel before 4.4 allows local users t ...)
- linux <not-affected> (Vulnerable code not present)
@@ -3277,14 +3277,14 @@ CVE-2015-8539 (The KEYS subsystem in the Linux kernel before 4.4 allows local us
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd (v4.4-rc3)
NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=146aa8b1453bd8f1ff2304ffb71b4ee0eb9acdcc (v4.4-rc1)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1284450
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/09/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/09/1
CVE-2015-8538 (dwarf_leb.c in libdwarf allows attackers to cause a denial of service ...)
{DLA-669-1}
- dwarfutils 20160507-1 (bug #807817)
[jessie] - dwarfutils 20120410-2+deb8u1
[squeeze] - dwarfutils <not-affected> (No segfault with provided test case)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1289385
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/09/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/09/2
NOTE: http://sourceforge.net/p/libdwarf/code/ci/da724a0bc5eec8e9ec0b0cb0c238a80e34466459/
CVE-2015-8533
REJECTED
@@ -3398,7 +3398,7 @@ CVE-2015-8504 (Qemu, when built with VNC display driver support, allows remote a
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
NOTE: Fixed by http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 (v2.5.0-rc3)
NOTE: Issue possibly introduced after http://git.qemu.org/?p=qemu.git;a=commitdiff;h=6cec5487990bf3f1f22b3fcb871978255e92ae0d (v0.10.0)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/08/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/08/4
CVE-2015-8480 (The VideoFramePool::PoolImpl::CreateFrame function in media/base/video ...)
- chromium-browser 47.0.2526.73-1
[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
@@ -3445,7 +3445,7 @@ CVE-2015-8537 (app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x b
NOTE: https://www.redmine.org/issues/21419 (private)
NOTE: https://github.com/redmine/redmine/commit/7e423fb4538247d59e01958c48b491f196a1de56
NOTE: upstream fixed in 2.6.9, 3.0.6 and 3.1.3
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/08/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/08/8
CVE-2015-8476 (Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 all ...)
{DSA-3416-1 DLA-363-1}
- libphp-phpmailer 5.2.14+dfsg-1 (bug #807265)
@@ -3459,7 +3459,7 @@ CVE-2015-8474 (Open redirect vulnerability in the valid_back_url function in app
NOTE: https://www.redmine.org/issues/19577 (private)
NOTE: commit: https://github.com/redmine/redmine/commit/032f2c9be6520d9d1a1608aa4f1d5d1f184f2472
NOTE: upstream fixed in 2.6.7, 3.0.5 and 3.1.1
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/04/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/04/1
NOTE: depends on the CVE-2014-1985 fix first
CVE-2015-8473 (The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x ...)
{DSA-3529-1}
@@ -3468,7 +3468,7 @@ CVE-2015-8473 (The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3
[wheezy] - redmine <end-of-life> (Redmine not supported because of rails)
NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
NOTE: https://www.redmine.org/issues/21136
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/03/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/03/7
NOTE: https://github.com/redmine/redmine/commit/8d8f612fa368a72c56b63f7ce6b7e98cab9feb22
CVE-2015-8465
RESERVED
@@ -3632,7 +3632,7 @@ CVE-2015-8400 (The HTTPS fallback implementation in Shell In A Box (aka shellina
- shellinabox 2.19
[jessie] - shellinabox <no-dsa> (Minor issue)
[wheezy] - shellinabox <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/02/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/02/6
CVE-2015-8377 (SQL injection vulnerability in the host_new_graphs_save function in gr ...)
{DSA-3494-1 DLA-374-1}
- cacti 0.8.8f+ds1-4
@@ -3669,7 +3669,7 @@ CVE-2015-8378 (In KeePassX before 0.4.4, a cleartext copy of password data is cr
[jessie] - keepassx 0.4.3+dfsg-0.1+deb8u1
[wheezy] - keepassx <no-dsa> (Minor issue)
[squeeze] - keepassx <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/30/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/30/4
CVE-2015-8375 (Cross-site scripting (XSS) vulnerability in PHP-Fusion 9. ...)
NOT-FOR-US: PHP-Fusion
CVE-2015-8368 (ntopng (aka ntop) before 2.2 allows remote authenticated users to chan ...)
@@ -3817,7 +3817,7 @@ CVE-2015-8374 (fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles comp
- linux-2.6 <removed>
[squeeze] - linux-2.6 <no-dsa> (btrfs in 2.6.32 is just a tech preview and not usable for production)
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7 (v4.4-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/27/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/27/2
NOTE: CVE assignment for the vulnerability with the impact of "User B now
NOTE: gets to see the 1000 bytes that user A truncated from its file before
NOTE: it made its file world readable"
@@ -3852,7 +3852,7 @@ CVE-2015-8325 (The do_setup_env function in session.c in sshd in OpenSSH through
NOTE: Upstream fix: https://anongit.mindrot.org/openssh.git/commit/?id=85bdcd7c92fe7ff133bbc4e10a65c91810f88755
CVE-2015-XXXX [RCE in gitlab-shell 2.6.6-2.6.7]
- gitlab-shell <not-affected> (Only affects version 2.6.6-2.6.7)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/11/25/5
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/11/25/5
CVE-2015-8345 (The eepro100 emulator in QEMU qemu-kvm blank allows local guest users ...)
{DSA-3471-1 DSA-3470-1 DSA-3469-1}
- qemu 1:2.5+dfsg-1 (bug #806373)
@@ -3864,7 +3864,7 @@ CVE-2015-8345 (The eepro100 emulator in QEMU qemu-kvm blank allows local guest u
[wheezy] - qemu-kvm <no-dsa> (Minor issue, can be fixed along in a later DSA)
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/25/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/25/3
CVE-2015-8346 (app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before ...)
{DSA-3529-1 DLA-351-1}
- redmine 3.2.0-1 (bug #806376)
@@ -3873,7 +3873,7 @@ CVE-2015-8346 (app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x b
NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_3_0
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
NOTE: https://www.redmine.org/issues/21150 (private)
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/25/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/25/1
NOTE: Commit: https://github.com/redmine/redmine/commit/945a091c94a9ed651f61e225fa8646479478e9d4
NOTE: Commit: https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c
NOTE: For squeeze, the bug is in app/views/timelog/edit.rhtml
@@ -3894,7 +3894,7 @@ CVE-2015-8326 (The IPTables-Parse module before 1.6 for Perl allows local users
[wheezy] - libiptables-parse-perl 1.1-1+deb7u1
[squeeze] - libiptables-parse-perl <no-dsa> (Minor issue)
NOTE: https://github.com/mtrmac/IPTables-Parse/commit/b400b976d81140f6971132e94eb7657b5b0a2b87
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/24/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/24/6
CVE-2015-8381 (The compile_regex function in pcre_compile.c in PCRE before 8.38 and p ...)
- pcre3 2:8.38-1 (bug #796762; bug #795539)
[jessie] - pcre3 2:8.35-3.3+deb8u2
@@ -3902,9 +3902,9 @@ CVE-2015-8381 (The compile_regex function in pcre_compile.c in PCRE before 8.38
[squeeze] - pcre3 <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.exim.org/show_bug.cgi?id=1672
NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1594
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/24/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/24/1
NOTE: https://bugs.exim.org/show_bug.cgi?id=1667
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/05/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/05/3
NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1585
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1250943
CVE-2015-8380 (The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a ...)
@@ -3964,7 +3964,7 @@ CVE-2015-8324 (The ext4 implementation in the Linux kernel before 2.6.34 does no
{DLA-360-1}
- linux 2.6.37-1
- linux-2.6 <removed>
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/23/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/23/2
NOTE: https://bugs.openvz.org/browse/OVZ-6541
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1267261
NOTE: Commit fixing the issue: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=744692dc059845b2a3022119871846e74d4f6e11 (v2.6.34-rc1)
@@ -3974,7 +3974,7 @@ CVE-2015-8316 (Array index error in LightDM (aka Light Display Manager) 1.14.3,
- lightdm 1.16.6-1
[jessie] - lightdm <not-affected> (Affects 1.14.x, 1.16.x and development 1.17.x)
[wheezy] - lightdm <not-affected> (Affects 1.14.x, 1.16.x and development 1.17.x)
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/21/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/21/2
NOTE: https://bugs.launchpad.net/lightdm/+bug/15168
NOTE: https://bazaar.launchpad.net/~lightdm-team/lightdm/1.14/revision/2166 (1.14.x)
NOTE: https://bazaar.launchpad.net/~lightdm-team/lightdm/1.16/revision/2207 (1.16.x)
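Review bot: the Launchpad reference on the context line below the changed one, https://bugs.launchpad.net/lightdm/+bug/15168, is only five digits long, which is short for a bug filed against LightDM in 2015; the scheme sweep does not touch it, but it is worth checking that the link resolves to the intended report rather than an unrelated old one.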
@@ -4128,7 +4128,7 @@ CVE-2015-8308 (LXDM before 0.5.2 did not start X server with -auth, which allows
NOTE: http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1268900
NOTE: http://advisories.mageia.org/MGASA-2015-0411.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/20/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/20/2
CVE-2015-8243
RESERVED
CVE-2015-8240 (The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, A ...)
@@ -4185,13 +4185,13 @@ CVE-2015-8241 (The xmlNextChar function in libxml2 2.9.2 does not properly check
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756263
NOTE: https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe
NOTE: Introduced/Uncovered by https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 (fix for CVE-2015-7941)
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/17/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/17/5
CVE-2015-8239 (The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 all ...)
- sudo 1.8.17p1-1 (bug #805563)
[jessie] - sudo <no-dsa> (Minor issue)
[wheezy] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
[squeeze] - sudo <not-affected> (Command digests are only supported by version 1.8.7 or higher)
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/10/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/10/2
CVE-2015-8234 (The image signature algorithm in OpenStack Glance 11.0.0 allows remote ...)
- glance <unfixed> (unimportant)
CVE-2015-8219 (The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2. ...)
@@ -4506,10 +4506,10 @@ CVE-2015-8472 (Buffer overflow in the png_set_PLTE function in libpng before 1.0
CVE-2015-8126 (Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE ...)
{DSA-3507-1 DSA-3399-1 DLA-410-1 DLA-343-1}
- libpng 1.2.54-1 (bug #805113)
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/12/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/12/2
NOTE: Fixed in 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64
NOTE: The original patch was incomplete, cf.
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/03/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/03/6
NOTE: and fixed in new upstream versions 1.6.20, 1.5.25,
NOTE: 1.4.18, 1.2.55, and 1.0.65
- chromium-browser 49.0.2623.75-1
@@ -4596,7 +4596,7 @@ CVE-2015-7501 (Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; D
- libcommons-collections4-java <unfixed> (unimportant)
NOTE: severity unimportant since this is a hardening change, actual vulnerability relies in specific
NOTE: https://issues.apache.org/jira/browse/COLLECTIONS-580
- NOTE: No CVE is expected to be assigned, cf http://www.openwall.com/lists/oss-security/2015/11/17/19
+ NOTE: No CVE is expected to be assigned, cf https://www.openwall.com/lists/oss-security/2015/11/17/19
NOTE: Patches for 3.2.x:
NOTE: https://github.com/apache/commons-collections/commit/1642b00d67b96de87cad44223efb9ab5b4fb7be5
NOTE: https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee
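Review bot: the changed line keeps "cf http..." without the period, whereas the same abbreviation elsewhere in this file is written "cf." (for example "will possibly not get a CVE, cf. https://www.openwall.com/..." in the exfat entry); since the line is being rewritten anyway this is a cheap moment to normalise it. The unchanged NOTE two lines above it, "actual vulnerability relies in specific", also ends mid-sentence and could be completed in the same pass.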
@@ -4734,7 +4734,7 @@ CVE-2015-8035 (The xz_decomp function in xzlib.c in libxml2 2.9.1 does not prope
NOTE: so it barfs on the problematic file (parser error : Start tag expected,
NOTE: '<' not found) even though it does not have the fix yet. The next upstream
NOTE: release will fix this issue and will restore XZ support.
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/02/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/02/2
CVE-2015-7984 (Multiple cross-site request forgery (CSRF) vulnerabilities in Horde be ...)
{DSA-3391-1}
- php-horde 5.2.8+debian0-1 (bug #803641)
@@ -4788,12 +4788,12 @@ CVE-2015-XXXX [iptables-persistent minor local info leak]
[jessie] - iptables-persistent 1.0.3+deb8u1
[wheezy] - iptables-persistent 0.5.7+deb7u1
[squeeze] - iptables-persistent <no-dsa> (Minor issue)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/01/05/5
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2016/01/05/5
CVE-2015-XXXX
- cinnamon-settings-daemon 2.8.3-1 (low)
[jessie] - cinnamon-settings-daemon 2.2.4.repack-7+deb8u1
NOTE: https://github.com/linuxmint/cinnamon-settings-daemon/commit/ac5e0be8c1817616dbdb056b6881cfc4660f57a8
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/10/28/3
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/10/28/3
CVE-2015-8025 (driver/subprocs.c in XScreenSaver before 5.34 does not properly perfor ...)
{DSA-3438-1 DLA-338-1}
- xscreensaver 5.34-1 (bug #802914)
@@ -4855,7 +4855,7 @@ CVE-2015-7985 (Valve Steam 2.10.91.91 uses weak permissions (Users: read and wri
CVE-2015-8019 (The skb_copy_and_csum_datagram_iovec function in net/core/datagram.c i ...)
- linux <not-affected> (Vulnerable code not present)
- linux-2.6 <not-affected> (Vulnerable code not present)
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/27/11
NOTE: Only for all stable kernels before v3.19 which have backported commit
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=89c22d8c3b278212eef6a8cc66b570bc840a6f5a
NOTE: but are lacking the ioviter conversion.
@@ -4870,7 +4870,7 @@ CVE-2015-7990 (Race condition in the rds_sendmsg function in net/rds/sendmsg.c i
- linux 4.2.6-1
- linux-2.6 <removed>
NOTE: https://lkml.org/lkml/2015/10/16/530
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/27/5
CVE-2015-7979 (NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to ...)
{DSA-3629-1 DLA-559-1}
- ntp 1:4.2.8p7+dfsg-1
@@ -5002,7 +5002,7 @@ CVE-2015-9261 (huft_build in archival/libarchive/decompress_gunzip.c in BusyBox
{DLA-1445-1 DLA-337-1}
- busybox 1:1.27.2-1 (bug #803097)
[stretch] - busybox <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/25/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/25/3
NOTE: http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
NOTE: https://git.busybox.net/busybox/commit/archival/libarchive/decompress_gunzip.c?id=6bd3fff51aa74e2ee2d87887b12182a3b09792ef
CVE-2015-7995 (The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does n ...)
@@ -5010,7 +5010,7 @@ CVE-2015-7995 (The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 d
- libxslt 1.1.28-2.1 (bug #802971)
[squeeze] - libxslt <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1257962
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/27/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/27/10
NOTE: https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617 (v1.1.29-rc1)
CVE-2015-8982 (Integer overflow in the strxfrm function in the GNU C Library (aka gli ...)
- glibc 2.21-1 (bug #803927)
@@ -5042,7 +5042,7 @@ CVE-2015-XXXX [Endlees loop issue]
NOTE: https://github.com/relan/exfat/issues/6
NOTE: https://crashes.fuzzing-project.org/exfatfsck-endless-loop
NOTE: https://github.com/relan/exfat/commit/35a1f77f9be2d8b21731f758baba4334935bf18b
- NOTE: will possibly not get a CVE, cf. http://www.openwall.com/lists/oss-security/2015/10/29/13
+ NOTE: will possibly not get a CVE, cf. https://www.openwall.com/lists/oss-security/2015/10/29/13
CVE-2015-8010 (Cross-site scripting (XSS) vulnerability in the Classic-UI with the CS ...)
- icinga 1.13.3-3 (bug #803432)
[jessie] - icinga <no-dsa> (Minor issue)
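Review bot: the entry title carried in the hunk header, "CVE-2015-XXXX [Endlees loop issue]", has a typo for "Endless"; not part of the scheme change, but a one-character fix that fits naturally while this entry is being touched.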
@@ -5051,7 +5051,7 @@ CVE-2015-8010 (Cross-site scripting (XSS) vulnerability in the Classic-UI with t
NOTE: Introduced by: https://dev.icinga.org/issues/593 in 1.3.
NOTE: Upstream issue: https://dev.icinga.org/issues/10453
NOTE: Upstream fix: https://dev.icinga.org/projects/icinga-core/repository/revisions/5c816f5d9352c373e9dadb95b63612a96cf96dff
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/23/15
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/23/15
CVE-2015-7981 (The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1. ...)
{DSA-3399-1 DLA-343-1}
- libpng 1.2.54-1 (bug #803078)
@@ -5196,7 +5196,7 @@ CVE-2015-7943 (Open redirect vulnerability in the Overlay module in Drupal 7.x b
- drupal7 7.41-1
[jessie] - drupal7 7.32-1+deb8u9
NOTE: https://www.drupal.org/SA-CORE-2015-004
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/21/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/21/6
NOTE: http://cgit.drupalcode.org/drupal/commit/?id=9f72251c9291b5613acb9ca4ea7a51b4739e3f93
CVE-2015-7885 (The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in th ...)
- linux 4.4.2-1 (unimportant)
@@ -5325,10 +5325,10 @@ CVE-2015-7872 (The key_gc_unused_keys function in security/keys/gc.c in the Linu
NOTE: Prerequisite for Fedora patches: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=94c4554ba07adbdde396748ee7ae01e86cf2d8d7
NOTE: Patches from Fedora: http://pkgs.fedoraproject.org/cgit/kernel.git/commit/?id=d76d5fe34b5c151ad83761160998b1075729b541
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 (v4.3-rc7)
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/20/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/20/5
CVE-2015-8013 (s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of pas ...)
- node-openpgp <itp> (bug #787774)
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/13/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/13/7
CVE-2015-7840 (The command line management console (CMC) in SolarWinds Log and Event ...)
NOT-FOR-US: SolarWinds
CVE-2015-7839 (SolarWinds Log and Event Manager (LEM) allows remote attackers to exec ...)
@@ -5427,14 +5427,14 @@ CVE-2015-8011 (Buffer overflow in the lldp_decode function in daemon/protocols/l
[wheezy] - lldpd <not-affected> (Vulnerable code not present)
[squeeze] - lldpd <not-affected> (Vulnerable code not present)
NOTE: https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/16/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/16/2
CVE-2015-8012 (lldpd before 0.8.0 allows remote attackers to cause a denial of servic ...)
- lldpd 0.7.19-1
[jessie] - lldpd 0.7.11-2+deb8u1
[wheezy] - lldpd <not-affected> (Vulnerable code not present)
[squeeze] - lldpd <not-affected> (Vulnerable code not present)
NOTE: https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/18/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/18/2
CVE-2015-XXXX [cakephp: XML class SSRF vulnerability]
- cakephp 2.6.7-1 (bug #832283)
[jessie] - cakephp <no-dsa> (Minor issue)
@@ -5455,9 +5455,9 @@ CVE-2015-7810 (libbluray MountManager class has a time-of-check time-of-use (TOC
[jessie] - libbluray <no-dsa> (Minor issue, too intrusive to backport)
[wheezy] - libbluray <no-dsa> (Minor issue)
NOTE: CVE was assigned specific to the Fedora packages, cf.
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/12/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/12/7
NOTE: Salvatored asked if Debian needs a separate CVE:
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/13/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/13/6
NOTE: No reply, so we'll just use the same ID
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=959434
CVE-2015-7808 (The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 t ...)
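Review bot: "Salvatored asked if Debian needs a separate CVE:" on the context line between the two changed links reads as a typo for "Salvatore asked"; trivial to fold into this hunk since both neighbouring lines are already being rewritten.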
@@ -5703,20 +5703,20 @@ CVE-2015-7758 (Gummi 0.6.5 allows local users to write to arbitrary files via a
- gummi 0.6.5-6 (bug #756432)
[jessie] - gummi 0.6.5-3+deb8u1
[wheezy] - gummi 0.6.3-1.2+deb7u2
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/08/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/08/4
CVE-2015-7740 (Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B851 and P ...)
NOT-FOR-US: ARM Mali GPU driver
CVE-2015-7545 (The (1) git-remote-ext and (2) unspecified other remote helper program ...)
{DSA-3435-1}
- git 1:2.6.1-1
[squeeze] - git <not-affected> (git 1.7.2 did not have git-remote-ext yet)
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/06/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/06/1
CVE-2015-7747 (Buffer overflow in the afReadFrames function in audiofile (aka libaudi ...)
- audiofile 0.3.6-3 (bug #801102)
[jessie] - audiofile 0.3.6-2+deb8u1
[wheezy] - audiofile <no-dsa> (Minor issue)
[squeeze] - audiofile <not-affected> (Vulnerable code introduced later)
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/06/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/06/2
CVE-2015-7705 (The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4 ...)
- ntp 1:4.2.8p4+dfsg-3
[jessie] - ntp <no-dsa> (Default config not affected)
@@ -5820,10 +5820,10 @@ CVE-2015-7713 (OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x befo
[jessie] - nova <no-dsa> (Minor issue)
[wheezy] - nova <no-dsa> (Minor issue)
NOTE: <=2014.2.3, >=2015.1.0, <=2015.1.1
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/05/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/05/10
CVE-2015-XXXX [Remotely triggerable buffer overflow in OpenSMTPD]
- opensmtpd 5.7.3p1-1
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/10/04/2
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/10/04/2
NOTE: Fixed with 5.7.3 upstream release
CVE-2015-7687 (Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote a ...)
- opensmtpd 5.7.3p1-1 (bug #800787)
@@ -5833,7 +5833,7 @@ CVE-2015-7686 (Algorithmic complexity vulnerability in Address.pm in the Email-A
[jessie] - libemail-address-perl <no-dsa> (Minor issue)
[wheezy] - libemail-address-perl <no-dsa> (Minor issue)
[squeeze] - libemail-address-perl <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/02/13
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/02/13
NOTE: Possibility of DoS vs. usability issue for Email::Address
NOTE: Mitigation: https://github.com/Perl-Email-Project/Email-Address/commit/aeaf0d7f1b0897b54cb246b8ac15d3ef177e5cae
CVE-2015-7671
@@ -5954,7 +5954,7 @@ CVE-2015-7612 (Multiple cross-site request forgery (CSRF) vulnerabilities in the
NOT-FOR-US: McAfee
CVE-2015-7665 (Tails before 1.7 includes the wget program but does not prevent automa ...)
NOT-FOR-US: wget as used in Tails
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/01/10
CVE-2015-7613 (Race condition in the IPC object implementation in the Linux kernel th ...)
{DSA-3372-1 DLA-325-1}
- linux 4.2.3-1
@@ -5976,7 +5976,7 @@ CVE-2015-7673 (io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its a
{DSA-3378-1 DLA-434-1}
- gdk-pixbuf 2.32.0-1
- gtk+2.0 2.21.5-1
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/01/3
NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d
NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c
NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e
@@ -5985,11 +5985,11 @@ CVE-2015-8875 (Multiple integer overflows in the (1) pixops_composite_nearest, (
{DSA-3589-1 DLA-450-1}
- gdk-pixbuf 2.34.0-1
NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22 (2.33.1)
- NOTE: http://www.openwall.com/lists/oss-security/2016/05/12/3
+ NOTE: https://www.openwall.com/lists/oss-security/2016/05/12/3
CVE-2015-7674 (Integer overflow in the pixops_scale_nearest function in pixops/pixops ...)
{DSA-3378-1 DLA-450-1 DLA-434-1}
- gdk-pixbuf 2.32.1-1
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/01/4
NOTE: Fix for CVE-2015-7674: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa (2.32.1)
NOTE: Additional hardening against further overflows (but not part of the CVE assignment): https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22 (2.33.1)
NOTE: The CVE is only assigned for the overflow in the pixops_scale_nearest function.
@@ -6123,7 +6123,7 @@ CVE-2015-7575 (Mozilla Network Security Services (NSS) before 3.20.2, as used in
NOTE: https://gitlab.com/gnutls/gnutls/commit/7d9d5c61f8445dc9e9ca47bb575c77cef17da17a
NOTE: https://gitlab.com/gnutls/gnutls/commit/0e3fc7881d37246fc2d51dc404cad95b205c0e1e
NOTE: https://gitlab.com/gnutls/gnutls/commit/6822a37947d4e38c45b1afc0121cda35ba897182
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/05/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/05/8
NOTE: http://www.mitls.org/pages/attacks/SLOTH
CVE-2015-7574
REJECTED
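Review bot: the neighbouring context line `NOTE: http://www.mitls.org/pages/attacks/SLOTH` stays on plain HTTP while the openwall URL directly above it is converted; that is consistent with the commit's stated scope (openwall URLs only), but if the mitls.org host serves that page over TLS it is a candidate for the same treatment in a follow-up commit.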
@@ -6194,7 +6194,7 @@ CVE-2015-7554 (The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows
- tiff 4.0.7-7 (bug #809066; bug #842043; bug #850316)
[jessie] - tiff 4.0.3-12.3+deb8u4
- tiff3 <removed>
- NOTE: http://www.openwall.com/lists/oss-security/2015/12/26/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/12/26/7
NOTE: SUSE seem to have a fix (disputed): https://bugzilla.suse.com/show_bug.cgi?id=960341
NOTE: Reproducer file here: https://bugzilla.suse.com/attachment.cgi?id=665389
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2564
@@ -6680,7 +6680,7 @@ CVE-2015-8076 (The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before
- cyrus-imapd-2.4 2.4.17+nocaldav-2
[jessie] - cyrus-imapd-2.4 2.4.17+nocaldav-0~deb8u1
[wheezy] - cyrus-imapd-2.4 <no-dsa> (Minor issue; can be fixed alone in a future DLA)
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/29/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/29/2
NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921
NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b
CVE-2015-7383 (Multiple cross-site scripting (XSS) vulnerabilities in Web Reference D ...)
@@ -6743,7 +6743,7 @@ CVE-2015-XXXX [DoS]
NOTE: No CVE will be assigned for behaviour change between 1.907 and 1.908
NOTE: See CVE-2015-7686 for the underlying CWE-407 ("Algorithmic Complexity")
NOTE: issue still present in 1.908
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/02/13
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/02/13
CVE-2015-7359 (The (1) IsVolumeAccessibleByCurrentUser and (2) MountDevice methods in ...)
NOT-FOR-US: TrueCrypt
CVE-2015-7358 (The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7. ...)
@@ -6889,7 +6889,7 @@ CVE-2015-7296 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W
NOT-FOR-US: Securifi Almond devices
CVE-2015-7294 (ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP inj ...)
NOT-FOR-US: NodeJS ldapauth
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/18/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/18/4
NOTE: https://github.com/vesse/node-ldapauth-fork/issues/21
NOTE: https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
NOTE: https://nodesecurity.io/advisories/19
@@ -7039,7 +7039,7 @@ CVE-2015-7295 (hw/virtio/virtio.c in the Virtual Network Device (virtio-net) sup
- qemu-kvm <removed>
[wheezy] - qemu-kvm <no-dsa> (Minor issue; can be fixed along in a later DSA)
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/18/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/18/5
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04729.html
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04730.html
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04731.html
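Review bot: unrelated to the URL change, the context line `[wheezy] - qemu-kvm <no-dsa> (Minor issue; can be fixed along in a later DSA)` reads as a typo for "fixed alone", the wording used elsewhere in this file (compare the cyrus-imapd-2.4 wheezy entry, "can be fixed alone in a future DLA"); not something to fold into a transport-only commit, but worth a separate one-word fix.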
@@ -7727,7 +7727,7 @@ CVE-2015-7236 (Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c
- rpcbind 0.2.1-6.1 (bug #799307)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=946204
NOTE: http://www.spinics.net/lists/linux-nfs/msg53045.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/17/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/17/1
CVE-2015-6961 (Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows ...)
- web2py 2.12.3-1
[jessie] - web2py <ignored> (Minor issue)
@@ -7783,10 +7783,10 @@ CVE-2015-7989 (Cross-site scripting (XSS) vulnerability in the user list table i
{DSA-3383-1 DSA-3375-1 DLA-321-1}
- wordpress 4.3.1+dfsg-1 (bug #799140)
NOTE: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/26/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/26/7
CVE-2015-7337 (The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x ...)
- ipython <not-affected> (Affects versions 3.0 to 3.2.1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/16/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/16/3
CVE-2015-7940 (The Bouncy Castle Java library before 1.51 does not validate a point i ...)
{DSA-3417-1 DLA-361-1}
- bouncycastle 1.51-1 (bug #802671)
@@ -7815,7 +7815,7 @@ CVE-2015-8871 (Use-after-free vulnerability in the opj_j2k_write_mco function in
NOTE: https://github.com/uclouvain/openjpeg/commit/940100c28ae28931722290794889cf84a92c5f6f
NOTE: https://github.com/uclouvain/openjpeg/issues/563
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1263359
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/15/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/15/4
CVE-2015-6930
RESERVED
CVE-2015-6929 (Multiple cross-site scripting (XSS) vulnerabilities in Nokia Networks ...)
@@ -8006,13 +8006,13 @@ CVE-2015-6908 (The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2
- openldap 2.4.42+dfsg-2 (bug #798622)
NOTE: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629
NOTE: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240;selectid=8240
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/11/2
CVE-2015-7312 (Multiple race conditions in the Advanced Union Filesystem (aufs) aufs3 ...)
- linux 4.2.1-1 (bug #796036)
[jessie] - linux 3.16.7-ckt11-1+deb8u4
[wheezy] - linux <not-affected> (Vulnerable code not present)
- linux-2.6 <not-affected> (Vulnerable code not present)
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/10/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/10/3
NOTE: http://sourceforge.net/p/aufs/mailman/message/34449209/
NOTE: For Linux kernel with aufs aufs3-mmap.patch or aufs4-mmap.patch mmap patch
CVE-2015-6855 (hw/ide/core.c in QEMU does not properly restrict the commands accepted ...)
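Review bot: `NOTE: http://sourceforge.net/p/aufs/mailman/message/34449209/` remains on plain HTTP in the context lines right next to the converted openwall link; it is outside this commit's scope, but sourceforge.net is served over HTTPS, so it belongs in the same kind of sweep later. The last context line, `For Linux kernel with aufs aufs3-mmap.patch or aufs4-mmap.patch mmap patch`, is also hard to parse and could be reworded in that follow-up.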
@@ -8021,7 +8021,7 @@ CVE-2015-6855 (hw/ide/core.c in QEMU does not properly restrict the commands acc
- qemu-kvm <removed>
[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/10/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/10/1
NOTE: Fix commit: http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a
NOTE: exec_cmd introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=7cff87ff6ab117799e32e42c2e4dc4c0588e583a
NOTE: cmd_table introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=844505b12e722d9ba7060480e766351fc6313501
@@ -8127,34 +8127,34 @@ CVE-2015-XXXX [hardening for RSA-CRT leak]
- libgcrypt20 1.6.4-3
[jessie] - libgcrypt20 <no-dsa> (Minor issue; additional hardening)
NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b85c8d6645039fc9d403791750510e439731d479
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/09/08/5
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/09/08/5
NOTE: Thread on oss-security to clarify if this should be CVE-2015-5738 or a new CVE
CVE-2015-6838 (The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP be ...)
{DSA-3358-1 DLA-341-1}
- php5 5.6.13+dfsg-1
- hhvm 3.12.1+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=69782
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5
NOTE: Fixed in 5.5.45 and 5.6.13
NOTE: https://github.com/facebook/hhvm/commit/f358ec0e905df41feaa9dc75f4dee814cfe5a60a
CVE-2015-6837 (The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP be ...)
{DSA-3358-1 DLA-341-1}
- php5 5.6.13+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=69782
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5
NOTE: Fixed in 5.5.45 and 5.6.13
CVE-2015-6836 (The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, ...)
{DSA-3358-1 DLA-341-1}
- php5 5.6.13+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=70388
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5
NOTE: Fixed in 5.5.45 and 5.6.13
CVE-2015-6835 (The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, an ...)
{DSA-3358-1}
- php5 5.6.13+dfsg-1
[squeeze] - php5 <no-dsa> (Too intrusive to backport)
NOTE: https://bugs.php.net/bug.php?id=70219
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5
NOTE: Fixed in 5.5.45 and 5.6.13
CVE-2015-6834 (Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x be ...)
{DSA-3358-1 DLA-341-1}
@@ -8162,18 +8162,18 @@ CVE-2015-6834 (Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5
NOTE: https://bugs.php.net/bug.php?id=70172
NOTE: https://bugs.php.net/bug.php?id=70365
NOTE: https://bugs.php.net/bug.php?id=70366
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/07/5
NOTE: Fixed in 5.5.45 and 5.6.13
CVE-2015-7225 (Tinfoil Devise-two-factor before 2.0.0 does not strictly follow sectio ...)
- ruby-devise-two-factor 2.0.0-1 (bug #798466)
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/06/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/06/2
CVE-2015-8777 (The process_envvars function in elf/rtld.c in the GNU C Library (aka g ...)
{DSA-3480-1 DLA-316-1}
- glibc 2.21-1 (bug #798316; bug #801691)
[jessie] - glibc 2.19-18+deb8u2
- eglibc <removed>
[squeeze] - eglibc 2.11.3-4+deb6u7
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/05/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/05/8
NOTE: Upstream bug https://sourceware.org/bugzilla/show_bug.cgi?id=18928
NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
CVE-2015-6815 (The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 ...)
@@ -8182,7 +8182,7 @@ CVE-2015-6815 (The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4
[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/04/4
NOTE: Upstream fix: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg01199.html
CVE-2015-6816 (ganglia-web before 3.7.1 allows remote attackers to bypass authenticat ...)
- ganglia-web <unfixed> (unimportant; bug #798213)
@@ -8190,7 +8190,7 @@ CVE-2015-6816 (ganglia-web before 3.7.1 allows remote attackers to bypass authen
[squeeze] - ganglia <not-affected> (affected code not present)
NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/04/2
NOTE: https://github.com/ganglia/ganglia-web/issues/267
CVE-2015-6817 (PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows r ...)
- pgbouncer 1.6.1-1
@@ -8199,7 +8199,7 @@ CVE-2015-6817 (PgBouncer 1.6.x before 1.6.1, when configured with auth_user, all
[squeeze] - pgbouncer <not-affected> (Introduced in 1.6)
NOTE: http://web.archive.org/web/20150905195759/http://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/
NOTE: https://github.com/pgbouncer/pgbouncer/issues/69
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/04/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/04/3
CVE-2015-XXXX [val_dane_check: usage DANE-TA(2) may bypass cert validation entirely]
[experimental] - dnsval 2.1-1
- dnsval 2.0-2 (bug #797470)
@@ -8211,7 +8211,7 @@ CVE-2015-XXXX [Memory corruption]
[squeeze] - libvncserver 0.9.7-2+deb6u2
NOTE: workaround entry for DLA-380-1 until/if CVE assigned
NOTE: https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/09/03/8
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/09/03/8
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=706087#c1 notes that the fix breaks ABI
CVE-2015-6938 (Cross-site scripting (XSS) vulnerability in the file browser in notebo ...)
- ipython 2.4.1-1 (low; bug #798886)
@@ -8219,7 +8219,7 @@ CVE-2015-6938 (Cross-site scripting (XSS) vulnerability in the file browser in n
[wheezy] - ipython <no-dsa> (Minor issue)
[squeeze] - ipython <not-affected> (Vulnerable code not present)
NOTE: Affected versions: 0.12 <= x <= 4.0
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/02/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/02/3
CVE-2015-6804
RESERVED
CVE-2015-6803
@@ -8477,12 +8477,12 @@ CVE-2015-6806 (The MScrollV function in ansi.c in GNU screen 4.3.1 and earlier d
{DSA-3352-1 DLA-305-1}
- screen 4.3.1-2 (bug #797624)
NOTE: https://savannah.gnu.org/bugs/?45713
- NOTE: http://www.openwall.com/lists/oss-security/2015/09/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/09/01/1
CVE-2015-6749 (Buffer overflow in the aiff_open function in oggenc/audio.c in vorbis- ...)
{DLA-1010-1 DLA-317-1}
- vorbis-tools 1.4.0-7 (bug #797461)
[jessie] - vorbis-tools 1.4.0-6+deb8u1
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/29/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/29/1
NOTE: https://trac.xiph.org/ticket/2212
CVE-2015-6741
RESERVED
@@ -8499,7 +8499,7 @@ CVE-2015-6748 (Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3. .
NOTE: https://github.com/jhy/jsoup/pull/582
NOTE: https://hibernate.atlassian.net/browse/HV-1012
NOTE: https://issues.jboss.org/browse/WFLY-5223
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/28/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/28/3
CVE-2015-6726
RESERVED
CVE-2015-6725 (The ANSendForSharedReview method in Adobe Reader and Acrobat 10.x befo ...)
@@ -8958,36 +8958,36 @@ CVE-2015-6661 (Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attacker
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2015-003
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6660 (The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not pr ...)
{DSA-3346-1}
- drupal7 7.39-1
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2015-003
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6659 (SQL injection vulnerability in the SQL comment filtering system in the ...)
{DSA-3346-1}
- drupal7 7.39-1
NOTE: https://www.drupal.org/SA-CORE-2015-003
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6658 (Cross-site scripting (XSS) vulnerability in the Autocomplete system in ...)
{DSA-3346-1}
- drupal7 7.39-1
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2015-003
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6665 (Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal ...)
{DSA-3346-1}
- drupal7 7.39-1
NOTE: https://www.drupal.org/SA-CORE-2015-003
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/21/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/21/5
CVE-2015-6673 (Use-after-free vulnerability in Decoder.cpp in libpgf before 6.15.32. ...)
{DLA-2035-1}
- libpgf 6.14.12-3.2 (bug #798032)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/14
- NOTE: Details on the CVE assignment: http://www.openwall.com/lists/oss-security/2015/08/25/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/19/14
+ NOTE: Details on the CVE assignment: https://www.openwall.com/lists/oss-security/2015/08/25/9
NOTE: https://sourceforge.net/p/libpgf/code/147/
NOTE: https://sourceforge.net/p/libpgf/code/148/
CVE-2015-6527 (The php_str_replace_in_subject function in ext/standard/string.c in PH ...)
@@ -9026,7 +9026,7 @@ CVE-2015-6833 (Directory traversal vulnerability in the PharData class in PHP be
{DSA-3344-1 DLA-341-1}
- php5 5.6.12+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=70019
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/19/3
NOTE: Fixed upstream in 5.4.44 and 5.6.12
CVE-2015-6831 (Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5 ...)
{DSA-3344-1 DLA-341-1}
@@ -9035,13 +9035,13 @@ CVE-2015-6831 (Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.
NOTE: https://bugs.php.net/bug.php?id=70168
NOTE: https://bugs.php.net/bug.php?id=70166
NOTE: https://bugs.php.net/bug.php?id=70155
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/19/3
NOTE: Fixed upstream in 5.4.44 and 5.6.12
CVE-2015-6832 (Use-after-free vulnerability in the SPL unserialize implementation in ...)
{DSA-3344-1 DLA-341-1}
- php5 5.6.12+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=70068
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/19/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/19/3
NOTE: Fixed upstream in 5.4.44 and 5.6.12
CVE-2015-6505
RESERVED
@@ -9563,7 +9563,7 @@ CVE-2015-6526 (The perf_callchain_user_64 function in arch/powerpc/perf/callchai
[wheezy] - linux 3.2.71-1
- linux-2.6 <removed>
[squeeze] - linux-2.6 <not-affected> (powerpc not supported in Squeeze LTS)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/18/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/18/4
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a5cbce421a283e6aea3c4007f141735bf9da8c3 (v4.1-rc1)
CVE-2015-6252 (The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux ker ...)
{DSA-3364-1}
@@ -10140,7 +10140,7 @@ CVE-2015-5986 (openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.
CVE-2015-6496 (conntrackd in conntrack-tools 1.4.2 and earlier does not ensure that t ...)
{DSA-3341-1 DLA-295-1}
- conntrack 1:1.4.2-3 (bug #796103)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/14/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/14/4
NOTE: http://bugzilla.netfilter.org/show_bug.cgi?id=910
NOTE: https://git.netfilter.org/conntrack-tools/commit/?id=c392c159605956c7bd4a264ab4490e2b2704c0cd
CVE-2015-5985
@@ -10191,26 +10191,26 @@ CVE-2015-6506 (Cross-site scripting (XSS) vulnerability in the cryptography inte
[jessie] - request-tracker4 4.2.8-3+deb8u1
[wheezy] - request-tracker4 <not-affected> (Vulnerable code not present)
NOTE: https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/13/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/13/8
CVE-2015-6565 (sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY de ...)
- openssh <not-affected> (Vulnerable code introduce in V_6_8_P1)
NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
NOTE: Issue introduced with https://anongit.mindrot.org/openssh.git/commit/?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2 (V_6_8_P1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/12/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/12/1
CVE-2015-6563 (The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD pla ...)
{DLA-1500-1}
- openssh 1:6.9p1-1 (bug #795711)
[wheezy] - openssh <no-dsa> (Minor issue)
[squeeze] - openssh <no-dsa> (Minor issue)
NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/11/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/11/9
CVE-2015-6564 (Use-after-free vulnerability in the mm_answer_pam_free_ctx function in ...)
{DLA-1500-1}
- openssh 1:6.9p1-1 (bug #795711)
[wheezy] - openssh <no-dsa> (Minor issue)
[squeeze] - openssh <no-dsa> (Minor issue)
NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/11/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/11/9
CVE-2015-6737 (Cross-site scripting (XSS) vulnerability in the Widgets extension for ...)
NOT-FOR-US: Widgets extension for MediaWiki
NOTE: https://phabricator.wikimedia.org/T88964
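Review bot: the context line `- openssh <not-affected> (Vulnerable code introduce in V_6_8_P1)` has a typo ("introduce" for "introduced"); it sits outside the changed lines, so leave it for a separate wording commit rather than widening this transport-only change.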
@@ -10271,7 +10271,7 @@ CVE-2015-5960 (Mozilla Firefox OS before 2.2 allows physically proximate attacke
NOT-FOR-US: Mozilla Firefox OS
CVE-2015-6520 (IPPUSBXD before 1.22 listens on all interfaces, which allows remote at ...)
- ippusbxd 1.22-1 (bug #795162)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/11/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/11/1
NOTE: https://github.com/tillkamppeter/ippusbxd/commit/46844402bca7a38fc224483ba6f0a93c4613203f
NOTE: https://github.com/tillkamppeter/ippusbxd/commit/a632841f8e65d402e13e81921515f5a1e2736c82
CVE-2015-XXXX [publicfile-installer: insecure use of /tmp]
@@ -10282,12 +10282,12 @@ CVE-2015-XXXX [net/http: broken trailers don't close a server connection]
[wheezy] - golang <no-dsa> (Minor issue)
NOTE: https://github.com/golang/go/issues/12027
NOTE: https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/06/2
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/08/06/2
CVE-2015-6251 (Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4 ...)
{DSA-3334-1}
- gnutls28 3.3.17-1 (bug #795068)
- gnutls26 <not-affected> (Vulnerable code not present)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/10/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/10/1
NOTE: https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12
NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2015-3
NOTE: _gnutls_x509_dn_to_string() introduced in 3.1.10 via:
@@ -10754,7 +10754,7 @@ CVE-2015-5745 (Buffer overflow in the send_control_msg function in hw/char/virti
[squeeze] - qemu <not-affected> (Vulnerable code introduced later)
- qemu-kvm <removed>
[squeeze] - qemu-kvm <not-affected> (Vulnerable code introduced later)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/06/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/06/3
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=7882080388be5088e72c425b02223c02e6cb4295 (v2.4.0-rc3)
NOTE: Introduced in: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=98b19252cf1bd97c54bc4613f3537c5ec0aae263 (v0.13.0-rc0)
NOTE: Patch for wheezy needs change since uses iov_from_buf:
@@ -10975,7 +10975,7 @@ CVE-2015-8383 (PCRE before 8.38 mishandles certain repeated conditional groups,
[wheezy] - pcre3 <not-affected> (vulnerable coded introduce in 8.34)
[squeeze] - pcre3 <not-affected> (vulnerable code introduced in 8.34)
NOTE: Fixed in 8.38
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/29/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/29/1
NOTE: Fixed by http://vcs.pcre.org/pcre?view=revision&revision=1557
NOTE: Introduced by/first bad commit: http://vcs.pcre.org/pcre?view=revision&revision=1365
CVE-2015-8382 (The match function in pcre_exec.c in PCRE before 8.37 mishandles the / ...)
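Review bot: the two adjacent pcre3 context lines state the same fact with different spelling, `(vulnerable coded introduce in 8.34)` on the wheezy line versus `(vulnerable code introduced in 8.34)` on the squeeze line; the wheezy wording is the typo. Not part of this change, but a one-word fix in a follow-up would keep the two entries consistent.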
@@ -10986,7 +10986,7 @@ CVE-2015-8382 (The match function in pcre_exec.c in PCRE before 8.37 mishandles
NOTE: http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510
NOTE: https://bugs.exim.org/show_bug.cgi?id=1537
NOTE: Fixed upstream in upstream release pcre-8.37
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/04/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/04/2
CVE-2015-XXXX [more to CVE-2015-2059]
- libidn 1.32-1
[jessie] - libidn 1.29-1+deb8u1
@@ -11005,26 +11005,26 @@ CVE-2015-XXXX [Sidekiq::Web lacks CSRF protection]
NOTE: Fix released in sidekiq 3.4.2
NOTE: Follow-up fix: https://github.com/mperham/sidekiq/commit/75a3524c919857aac16e0541b0cb107f48d00694
NOTE: Follow-up commit not included in 3.4.2~dfsg-1
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/01/2
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/08/01/2
CVE-2015-XXXX [XSS via job arguments display class in Sidekiq::Web]
- ruby-sidekiq 3.4.2~dfsg-3
[jessie] - ruby-sidekiq <no-dsa> (Minor issue)
NOTE: https://github.com/mperham/sidekiq/pull/2309
NOTE: Fixed by https://github.com/mperham/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
NOTE: Fix released in sidekiq 3.4.0
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/01/2
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/08/01/2
CVE-2015-XXXX [XSS via queue name in Sidekiq::Web]
- ruby-sidekiq 3.4.2~dfsg-3
[jessie] - ruby-sidekiq <no-dsa> (Minor issue)
NOTE: https://github.com/mperham/sidekiq/issues/2330
NOTE: Fixed by https://github.com/mperham/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
NOTE: Fix released in sidekiq 3.4.0
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/01/2
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/08/01/2
CVE-2015-5707 (Integer overflow in the sg_start_req function in drivers/scsi/sg.c in ...)
{DSA-3329-1 DLA-310-1}
- linux 4.1.3-1
- linux-2.6 <removed>
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/01/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/01/6
NOTE: Probably introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10db10d144c0248f285242f79daf6b9de6b00a62 (v2.6.28-rc1)
NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=451a2886b6bf90e2fb378f7c46c655450fb96e81 (v4.1-rc1)
NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdc81f45e9f57858da6351836507fbcf1b7583ee (v4.1-rc1)
@@ -11033,7 +11033,7 @@ CVE-2015-5706 (Use-after-free vulnerability in the path_openat function in fs/na
[jessie] - linux 3.16.7-ckt11-1+deb8u3
[wheezy] - linux <not-affected> (Introduced in v3.11-rc1)
- linux-2.6 <not-affected> (Introduced in v3.11-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/01/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/01/5
NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=60545d0d4610b02e55f65d141c95b18ccf855b6e (v3.11-rc1)
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f15133df088ecadd141ea1907f2c96df67c729f0 (v4.1-rc3)
CVE-2015-5702
@@ -11050,7 +11050,7 @@ CVE-2015-5704 (scripts/licensecheck.pl in devscripts before 2.15.7 allows local
[wheezy] - devscripts <not-affected> (Vulnerable code not present)
[squeeze] - devscripts <not-affected> (Vulnerable code not present)
NOTE: Introduced in https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0 (v2.15.5)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/01/1
CVE-2015-5699 (The Switch Configuration Tools Backend (clcmd_server) in Cumulus Linux ...)
NOT-FOR-US: Cumulus Linux
NOTE: https://lists.cumulusnetworks.com/pipermail/cumulus-security-announce/2015-July/000002.html
@@ -11234,7 +11234,7 @@ CVE-2015-5697 (The get_bitmap_file function in drivers/md/md.c in the Linux kern
- linux 4.1.3-1
- linux-2.6 <removed>
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b6878d9e03043695dbf3fa1caa6dfc09db225b16 (v4.2-rc6)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/28/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/28/2
CVE-2015-5620
RESERVED
CVE-2015-5619 (Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack out ...)
@@ -11425,13 +11425,13 @@ CVE-2015-XXXX [integer overflow]
[jessie] - freexl 1.0.0g-1+deb8u2
[wheezy] - freexl 1.0.0b-1+deb7u2
NOTE: For the issue fixed in DSA-3310-1 not yet CVEified
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/06/7
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/06/7
CVE-2015-XXXX [SQL Injection in host_templates.php]
- cacti 0.8.8e+ds1-1
[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2584
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection in graph_templates.php]
@@ -11439,7 +11439,7 @@ CVE-2015-XXXX [SQL Injection in graph_templates.php]
[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2583
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection in data_templates.php]
@@ -11447,7 +11447,7 @@ CVE-2015-XXXX [SQL Injection in data_templates.php]
[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2582
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection in cdef.php]
@@ -11455,7 +11455,7 @@ CVE-2015-XXXX [SQL Injection in cdef.php]
[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2580
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection Vulnerability in data sources]
@@ -11463,7 +11463,7 @@ CVE-2015-XXXX [SQL Injection Vulnerability in data sources]
[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2579
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-XXXX [SQL Injection Vulnerability in graph items and graph template items]
@@ -11471,7 +11471,7 @@ CVE-2015-XXXX [SQL Injection Vulnerability in graph items and graph template ite
[jessie] - cacti 0.8.8b+dfsg-8+deb8u2
[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2574
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
CVE-2015-5590 (Stack-based buffer overflow in the phar_fix_filepath function in ext/p ...)
@@ -11531,7 +11531,7 @@ CVE-2015-5516 (Memory leak in the last hop kernel module in F5 BIG-IP LTM, GTM,
CVE-2015-6240 (The chroot, jail, and zone connection plugins in ansible before 1.9.2 ...)
{DLA-1923-1}
- ansible 1.9.2+dfsg-1 (low)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/14/3
CVE-2015-5515 (The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x- ...)
NOT-FOR-US: Drupal addon not packaged in Debian
CVE-2015-5514 (Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x ...)
@@ -11658,7 +11658,7 @@ CVE-2015-5607 (Cross-site request forgery in the REST API in IPython 2 and 3. ..
NOTE: https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 (2.x)
NOTE: https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816 (3.x)
NOTE: Affected versions: 0.12 <= version <= 3.2.0
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/12/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/12/4
CVE-2015-5461 (Open redirect vulnerability in the Redirect function in stageshow_redi ...)
NOT-FOR-US: Redirect function in stageshow_redirect.php in the StageShow plugin for WordPress
CVE-2015-5460 (Cross-site scripting (XSS) vulnerability in app/views/events/_menu.htm ...)
@@ -11848,13 +11848,13 @@ CVE-2015-8041 (Multiple integer overflows in the NDEF record parser in hostapd b
[squeeze] - wpasupplicant <not-affected> (0.7.0-v2.4 with with CONFIG_WPS_NFC=y)
- hostapd <removed>
[squeeze] - hostapd <not-affected> (v0.7.0-v2.4 with CONFIG_WPS_NFC=y)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/08/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/08/3
NOTE: http://w1.fi/security/2015-5/
CVE-2015-5395 (Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. ...)
- sogo 3.2.4-0.2 (bug #796197)
[wheezy] - sogo <end-of-life> (not supported in Wheezy LTS)
NOTE: https://lists.debian.org/debian-lts/2016/05/msg00197.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/07/10
NOTE: http://www.sogo.nu/bugs/view.php?id=3246
NOTE: https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711 (SOGo-3.1.0)
CVE-2015-5470 (The label decompression functionality in PowerDNS Recursor before 3.6. ...)
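Review bot: The unchanged context line for the squeeze wpasupplicant entry reads `(0.7.0-v2.4 with with CONFIG_WPS_NFC=y)`; the doubled "with" is a pre-existing typo unrelated to the URL transport change, so it belongs in a separate cleanup commit rather than being folded into this one.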
@@ -11865,24 +11865,24 @@ CVE-2015-5470 (The label decompression functionality in PowerDNS Recursor before
- pdns-recursor 3.7.3-1
[wheezy] - pdns-recursor <not-affected> (3.5 and up affected)
[squeeze] - pdns-recursor <not-affected> (3.5 and up affected)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/07/6
NOTE: https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/
NOTE: Patch: http://downloads.powerdns.com/patches/2015-01/rec-3.7.2.patch
CVE-2015-5383 (Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain ...)
- roundcube <not-affected> (protection is done in apache config in binary package)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/06/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/06/10
NOTE: http://trac.roundcube.net/ticket/1490378
CVE-2015-5382 (program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 ...)
- roundcube 1.1.2+dfsg.1-1 (bug #791643)
[wheezy] - roundcube <not-affected> (Vulnerable code not present)
[squeeze] - roundcube <not-affected> (Vulnerable code not present)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/06/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/06/10
NOTE: http://trac.roundcube.net/ticket/1490379
CVE-2015-5381 (Cross-site scripting (XSS) vulnerability in program/include/rcmail.php ...)
- roundcube 1.1.2+dfsg.1-1 (bug #791643)
[wheezy] - roundcube <not-affected> (Vulnerable code not present)
[squeeze] - roundcube <not-affected> (Vulnerable code not present)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/06/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/06/10
NOTE: http://trac.roundcube.net/ticket/1490417
CVE-2015-5400 (Squid before 3.5.6 does not properly handle CONNECT method peer respon ...)
{DSA-3327-1 DLA-286-1}
@@ -11893,13 +11893,13 @@ CVE-2015-5400 (Squid before 3.5.6 does not properly handle CONNECT method peer r
NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch (3.5)
NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch (3.4)
NOTE: http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/06/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/06/8
NOTE: In squeeze's squid3 the code is structured differently but the bug still appears to be present.
NOTE: For squid 2.x all versions are affected, cf. comment by upstream in
NOTE: https://bugs.debian.org/793128#12
CVE-2015-5380 (The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in ...)
- nodejs <not-affected> (Only affects 0.12.x)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/05/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/05/1
CVE-2015-5365 (Cross-site scripting (XSS) vulnerability in Zurmo CRM 3.0.2 allows rem ...)
NOT-FOR-US: Zurmo CRM
CVE-2015-5363 (The SRX Network Security Daemon (nsd) in Juniper SRX Series services g ...)
@@ -12105,7 +12105,7 @@ CVE-2015-5311 (PowerDNS (aka pdns) Authoritative Server 3.4.4 before 3.4.7 allow
[wheezy] - pdns <not-affected> (Only 3.4.4 and later affected)
[squeeze] - pdns <not-affected> (Only 3.4.4 and later affected)
- pdns-recursor <not-affected> (recursor not affected)
- NOTE: http://www.openwall.com/lists/oss-security/2015/11/09/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/11/09/3
CVE-2015-5310 (The WNM Sleep Mode code in wpa_supplicant 2.x before 2.6 does not prop ...)
{DSA-3397-1}
- wpa 2.3-2.3 (bug #804707)
@@ -12476,7 +12476,7 @@ CVE-2015-5221 (Use-after-free vulnerability in the mif_process_cmpt function in
- jasper <removed> (bug #796253)
[wheezy] - jasper <no-dsa> (Minor issue)
[squeeze] - jasper <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/20/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/20/4
NOTE: Fixed by https://github.com/mdadams/jasper/commit/df5d2867e8004e51e18b89865bc4aa69229227b3
CVE-2015-5220 (The Web Console in Red Hat Enterprise Application Platform (EAP) befor ...)
NOT-FOR-US: JBoss EAP
@@ -12707,7 +12707,7 @@ CVE-2015-5162 (The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.
- nova 2:13.0.0-1 (low)
[jessie] - nova <no-dsa> (Minor issue)
[wheezy] - nova <no-dsa> (Minor issue)
- NOTE: Patches: http://www.openwall.com/lists/oss-security/2016/10/06/8
+ NOTE: Patches: https://www.openwall.com/lists/oss-security/2016/10/06/8
CVE-2015-5161 (The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework ...)
{DSA-3340-1 DLA-302-1}
- zendframework 1.12.14+dfsg-1
@@ -12940,12 +12940,12 @@ CVE-2015-5352 (The x11_open_helper function in channels.c in ssh in OpenSSH befo
{DLA-1500-1 DLA-288-1}
- openssh 1:6.9p1-1 (bug #790798)
[wheezy] - openssh <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/01/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/01/7
NOTE: https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d
CVE-2015-5147 (Stack-based buffer overflow in the header_anchor function in the HTML ...)
- ruby-redcarpet <not-affected> (Affects v3.3.0 - v3.3.1)
NOTE: https://github.com/vmg/redcarpet/commit/2cee777c1e5babe8a1e2683d31ea75cc4afe55fb
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/29/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/29/3
CVE-2015-5081 (Cross-site request forgery (CSRF) vulnerability in django CMS before 3 ...)
- python-django-cms <itp> (bug #516183)
CVE-2015-5073 (Heap-based buffer overflow in the find_fixedlength function in pcre_co ...)
@@ -12956,7 +12956,7 @@ CVE-2015-5073 (Heap-based buffer overflow in the find_fixedlength function in pc
NOTE: https://bugs.exim.org/show_bug.cgi?id=1651
NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1571 (8.38)
NOTE: Introduced in http://vcs.pcre.org/pcre?view=revision&revision=454 (8.00)
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/26/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/26/1
CVE-2015-5068 (XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allow ...)
NOT-FOR-US: SAP
CVE-2015-5067 (The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetW ...)
@@ -13999,7 +13999,7 @@ CVE-2015-4707 (Cross-site scripting (XSS) vulnerability in IPython before 3.2 al
[wheezy] - ipython <not-affected> (Problematic code introduced in rel-2.0.0)
[squeeze] - ipython <not-affected> (Problematic code introduced in rel-2.0.0)
NOTE: https://github.com/ipython/ipython/commit/1fcc9943c000ab553ebc029db99ecbd0536960d6
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/22/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/22/4
CVE-2015-4706 (Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 all ...)
- ipython <not-affected> (Only affects 3.x)
CVE-2015-4704 (Directory traversal vulnerability in the Download Zip Attachments plug ...)
@@ -14118,21 +14118,21 @@ CVE-2015-4642 (The escapeshellarg function in ext/standard/exec.c in PHP before
- php5 <not-affected> (Windows specific)
NOTE: https://bugs.php.net/bug.php?id=69646
NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=d2ac264ffea5ca2e85640b6736e0c7cd4ee9a4a9
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/18/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/18/3
CVE-2015-4643 (Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP b ...)
{DSA-3344-1 DLA-307-1}
- php5 5.6.11+dfsg-1
NOTE: Fixed in 5.6.10 / 5.5.26 / 5.4.42
NOTE: https://bugs.php.net/bug.php?id=69545#1431550655
NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=0765623d6991b62ffcd93ddb6be8a5203a2fa7e2
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/18/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/18/3
CVE-2015-4644 (The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgs ...)
{DSA-3344-1 DLA-307-1}
- php5 5.6.11+dfsg-1
NOTE: Fixed in 5.6.10 / 5.5.26 / 5.4.42
NOTE: https://bugs.php.net/bug.php?id=69667
NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/18/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/18/3
CVE-2015-4639 (Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl ...)
NOT-FOR-US: Koha
CVE-2015-4638 (The FastL4 virtual server in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ...)
@@ -14497,7 +14497,7 @@ CVE-2015-4491 (Integer overflow in the make_filter_table function in pixops/pixo
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=752297
NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=ffec86ed5010c5a2be14f47b33bcf4ed3169a199
NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=8dba67cb4f38d62a47757741ad41e3f245b4a32a
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/17/17
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/17/17
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-88/
NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and build-depends on external gdk-pixbuf
CVE-2015-4490 (The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in M ...)
@@ -14653,7 +14653,7 @@ CVE-2015-4556 (The string-translate* procedure in the data-structures unit in CH
[jessie] - chicken <no-dsa> (Minor issue)
[wheezy] - chicken <no-dsa> (Minor issue)
[squeeze] - chicken <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/15/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/15/1
CVE-2015-2967 (Cross-site scripting (XSS) vulnerability in settings.php in Cacti befo ...)
{DSA-3295-1 DLA-255-1}
- cacti 0.8.8d+ds1-1
@@ -15225,7 +15225,7 @@ CVE-2015-4692 (The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the L
[jessie] - linux 3.16.7-ckt11-1+deb8u3
[wheezy] - linux <not-affected> (Vulnerable code not present)
- linux-2.6 <not-affected> (vulnerable code not present)
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/10/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/10/6
NOTE: Vulnerable function introduced in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=66450a21f99636af4fafac2afd33f1a40631bc3a (v3.10-rc1)
CVE-2015-4625 (Integer overflow in the authentication_agent_new_cookie function in Po ...)
[experimental] - policykit-1 0.113-1
@@ -15237,7 +15237,7 @@ CVE-2015-4625 (Integer overflow in the authentication_agent_new_cookie function
NOTE: http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=90837
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=90832
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/08/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/08/3
NOTE: http://cgit.freedesktop.org/polkit/commit/?id=ea544ffc18405237ccd95d28d7f45afef49aca17
NOTE: http://cgit.freedesktop.org/polkit/commit/?id=493aa5dc1d278ab9097110c1262f5229bbaf1766
NOTE: http://cgit.freedesktop.org/polkit/commit/?id=fb5076b7c05d01a532d593a4079a29cf2d63a228
@@ -15254,7 +15254,7 @@ CVE-2015-4410 (The Moped::BSON::ObjecId.legal? method in rubygem-moped before co
NOTE: Fix: https://github.com/mongodb/mongo-ruby-driver/commit/bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade (1.x-stable)
NOTE: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
NOTE: https://sources.debian.org/src/ruby-bson/1.10.0-1/lib/bson/types/object_id.rb/#L54
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/06/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/06/1
CVE-2015-4338 (Static code injection vulnerability in the XCloner plugin 3.1.2 for Wo ...)
NOT-FOR-US: WordPress plugin xclonerbackupandrestore
CVE-2015-4337 (Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 f ...)
@@ -15268,23 +15268,23 @@ CVE-2015-4335 (Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers
[squeeze] - redis <not-affected> (Lua support introduced in version 2.6.0)
NOTE: http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
NOTE: Patch: https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/05/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/05/3
CVE-2015-XXXX [Null pointer access in inflatehd tool]
- nghttp2 <unfixed> (unimportant)
NOTE: Upstream report: https://github.com/tatsuhiro-t/nghttp2/issues/235
NOTE: Git commit: https://github.com/tatsuhiro-t/nghttp2/commit/3572e7c6343cb85fc21f5667a7ed0902cf5305cf
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/06/03/20
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/06/03/20
NOTE: inflatehd not installed into the Debian binary packages
CVE-2015-5523 (The ParseValue function in lexer.c in tidy before 4.9.31 allows remote ...)
{DSA-3309-1 DLA-273-1}
- tidy 20091223cvs-1.5 (bug #792571)
NOTE: https://github.com/htacg/tidy-html5/issues/217#issuecomment-108565501
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/04/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/04/2
CVE-2015-5522 (Heap-based buffer overflow in the ParseValue function in lexer.c in ti ...)
{DSA-3309-1 DLA-273-1}
- tidy 20091223cvs-1.5 (bug #792571)
NOTE: https://github.com/htacg/tidy-html5/issues/217
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/04/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/04/2
CVE-2015-6593
REJECTED
CVE-2015-4179 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Code ...)
@@ -15369,7 +15369,7 @@ CVE-2015-5366 (The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux
- linux-2.6 <removed>
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0 (v4.1-rc7)
NOTE: http://web.archive.org/web/20160309082241/https://twitter.com/grsecurity/status/605854034260426753
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/30/13
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/30/13
CVE-2015-5364 (The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kerne ...)
{DSA-3313-1 DLA-310-1}
- linux 4.0.7-1
@@ -15377,17 +15377,17 @@ CVE-2015-5364 (The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux
- linux-2.6 <removed>
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0 (v4.1-rc7)
NOTE: http://web.archive.org/web/20160309082241/https://twitter.com/grsecurity/status/605854034260426753
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/30/13
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/30/13
CVE-2015-XXXX [uudecode: stack out of bounds read access]
- sharutils <unfixed> (unimportant)
NOTE: Negligible security impact
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/06/02/8
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/06/02/8
CVE-2015-4167 (The udf_read_inode function in fs/udf/inode.c in the Linux kernel befo ...)
{DSA-3313-1 DSA-3290-1 DLA-246-1}
- linux 4.0.2-1
- linux-2.6 <removed>
NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 (v4.0-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/02/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/02/6
CVE-2015-4140 (Cross-site request forgery (CSRF) vulnerability in the WP Smiley plugi ...)
NOT-FOR-US: WordPress plugin wp-smiley
CVE-2015-4139 (Cross-site scripting (XSS) vulnerability in smilies4wp.php in the WP S ...)
@@ -15421,7 +15421,7 @@ CVE-2015-4178 (The fs_pin implementation in the Linux kernel before 4.0.5 does n
- linux-2.6 <not-affected> (Introduced and fixed in 4.1-rc1 upstream)
NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1)
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=820f9f147dcce2602eefd9b575bbbd9ea14f0953 (v4.1-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/29/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/29/5
CVE-2015-4177 (The collect_mounts function in fs/namespace.c in the Linux kernel befo ...)
- linux <not-affected> (Commit was applied to 4.0.2 as well but fixed in Debian by two subsequent commits)
NOTE: Debian both applies "mnt: Fail collect_mounts when applied to unmounted mounts"
@@ -15430,7 +15430,7 @@ CVE-2015-4177 (The collect_mounts function in fs/namespace.c in the Linux kernel
- linux-2.6 <not-affected> (Introduced and fixed in 4.1-rc1 upstream)
NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce07d891a0891d3c0d0c2d73d577490486b809e1 (v4.1-rc1)
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cd4a40174b71acd021877341684d8bb1dc8ea4ae (v4.1-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/29/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/29/5
CVE-2015-4126
RESERVED
CVE-2015-4125
@@ -15605,20 +15605,20 @@ CVE-2015-XXXX [hwclock(8) SUID privilege escalation]
- util-linux 2.27-1 (unimportant; bug #786804)
NOTE: hwclock is not installed suid in Debian
NOTE: https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/26/10
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/26/10
CVE-2015-4082 (attic before 0.15 does not confirm unencrypted backups with the user, ...)
- attic 0.16-1 (bug #787435)
[jessie] - attic <no-dsa> (Minor issue)
NOTE: https://github.com/jborg/attic/issues/271
NOTE: https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/25/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/25/3
CVE-2015-4170 (Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem. ...)
- linux 3.13.4-1
[wheezy] - linux <not-affected> (commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 not backported)
- linux-2.6 <not-affected> (commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 not backported)
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cf872776fc84128bb779ce2b83a37c884c3203ae (v3.13-rc5)
NOTE: Affected code was introduced by the rewrite in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4898e640caf03fdbaf2122d5a33949bf3e4a5b34 (v3.11-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/26/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/1
CVE-2015-4065 (Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound- ...)
NOT-FOR-US: WordPress plugin landing-pages
CVE-2015-4064 (SQL injection vulnerability in modules/module.ab-testing.php in the La ...)
@@ -15655,7 +15655,7 @@ CVE-2015-4054 (PgBouncer before 1.5.5 allows remote attackers to cause a denial
NOTE: https://github.com/pgbouncer/pgbouncer/commit/edab5be6665b9e8de66c25ba527509b229468573 (master)
NOTE: https://github.com/pgbouncer/pgbouncer/commit/74d6e5f7de5ec736f71204b7b422af7380c19ac5 (stable-1.5)
NOTE: https://github.com/pgbouncer/pgbouncer/issues/42
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/21/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/21/2
CVE-2015-8147
REJECTED
CVE-2015-8146
@@ -15701,7 +15701,7 @@ CVE-2015-4027 (The AcuWVSSchedulerv10 service in Acunetix Web Vulnerability Scan
CVE-2015-4047 (racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause ...)
{DSA-3272-1 DLA-234-1}
- ipsec-tools 1:0.8.2+20140711-3 (bug #785778)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/20/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/20/1
CVE-2015-4023
RESERVED
CVE-2015-4020 (RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4 ...)
@@ -15746,7 +15746,7 @@ CVE-2015-4041 (The keycompare_mb function in sort.c in sort in GNU Coreutils thr
NOTE: http://pkgs.fedoraproject.org/cgit/coreutils.git/plain/coreutils-i18n.patch
CVE-2015-4035 (scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not ...)
- xz-utils <not-affected> (Affects 4.999.9beta)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/18/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/18/7
CVE-2015-4010 (Cross-site request forgery (CSRF) vulnerability in the Encrypted Conta ...)
NOT-FOR-US: Encrypted Contact Form plugin for WordPress
CVE-2015-4009
@@ -15855,7 +15855,7 @@ CVE-2015-4024 (Algorithmic complexity vulnerability in the multipart_buffer_head
- php5 5.6.9+dfsg-1
[squeeze] - php5 <no-dsa> (Too intrusive to backport)
NOTE: https://bugs.php.net/bug.php?id=69364
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/18/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/18/2
NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9
- hhvm 3.11.0+dfsg-1
NOTE: HHVM fix: https://github.com/facebook/hhvm/commit/6188457bd90ed2f3516e778dca8e91536d91802e
@@ -15863,14 +15863,14 @@ CVE-2015-4022 (Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in
{DSA-3280-1 DLA-307-1}
- php5 5.6.9+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=69545
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/18/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/18/2
NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9
CVE-2015-4021 (The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41 ...)
{DSA-3280-1 DLA-307-1}
- php5 5.6.9+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=69453
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/17/2 and http://www.openwall.com/lists/oss-security/2015/05/18/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/17/2 and https://www.openwall.com/lists/oss-security/2015/05/18/2
NOTE: Fixed upstream in 5.4.41, 5.5.25, 5.6.9
CVE-2015-3987 (Multiple unquoted Windows search path vulnerabilities in the (1) Clien ...)
NOT-FOR-US: McAfee
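Review bot: The CVE-2015-4021 NOTE line carries two openwall URLs joined by "and", and both occurrences were rewritten to https, so the substitution was applied per occurrence rather than first-match only; the adjacent entries (CVE-2015-4024, CVE-2015-4022) keep one URL per NOTE line, so splitting this line into two NOTE lines would match the file's usual layout, but that is optional and unrelated to the transport change.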
@@ -16043,7 +16043,7 @@ CVE-2015-3909
CVE-2015-3908 (Ansible before 1.9.2 does not verify that the server hostname matches ...)
{DLA-1923-1}
- ansible 1.9.2+dfsg-1 (low)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/14/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/14/4
NOTE: Fixed in commit https://github.com/ansible/ansible/commit/be7c59c7bbe2c7cfaad0151c42693ebd0ea4243f
CVE-2015-3907 (CodeIgniter Rest Server (aka codeigniter-restserver) 2.7.1 allows XXE ...)
NOT-FOR-US: CodeIgniter Rest Server
@@ -16251,12 +16251,12 @@ CVE-2015-4036 (Array index error in the tcm_vhost_make_tpg function in drivers/v
- linux-2.6 <removed>
[squeeze] - linux-2.6 <not-affected> (Vulnerable code not present)
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=59c816c1f24df0204e01851431d3bab3eb76719c (v4.0-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/13/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/13/4
CVE-2015-3988 (Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashb ...)
- horizon 2015.1.0-2 (bug #786741)
[jessie] - horizon <not-affected> (Vulnerable code not present)
[wheezy] - horizon <not-affected> (Vulnerable code not present)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/12/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/12/9
CVE-2015-3886 (libinfinity before 0.6.6-1 does not validate expired SSL certificates, ...)
- libinfinity 0.6.6-1 (bug #783601)
[jessie] - libinfinity 0.6.6-1~deb8u1
@@ -16264,7 +16264,7 @@ CVE-2015-3886 (libinfinity before 0.6.6-1 does not validate expired SSL certific
[squeeze] - libinfinity <not-affected> (vulnerable code not present)
NOTE: https://github.com/gobby/libinfinity/commit/c97f870f5ae13112988d9f8ad464b4f679903706
NOTE: https://github.com/gobby/gobby/issues/61
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/12/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/12/1
CVE-2015-3815 (The detect_version function in wiretap/logcat.c in the Android Logcat ...)
{DSA-3277-1}
- wireshark 1.12.5+g5819e5b-1
@@ -16695,20 +16695,20 @@ CVE-2015-3880 (Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x befo
[squeeze] - phpbb3 <no-dsa> (Minor issue)
NOTE: https://wiki.phpbb.com/Release_Highlights/3.0.14
NOTE: Patch: https://github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/12/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/12/2
CVE-2015-XXXX [pdf2djvu: insecure use of /tmp when executing c44]
- pdf2djvu 0.7.21-1 (bug #784889)
[jessie] - pdf2djvu 0.7.17-4+deb8u1
[wheezy] - pdf2djvu 0.7.12-2+deb7u1
[squeeze] - pdf2djvu <no-dsa> (Minor issue)
NOTE: https://bitbucket.org/jwilk/pdf2djvu/issue/103
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/09/7
CVE-2015-XXXX [didjvu: insecure use of /tmp when executing c44]
- didjvu 0.4-1 (bug #784888)
[jessie] - didjvu 0.2.8-1+deb8u1
[wheezy] - didjvu 0.2.3-2+deb7u1
NOTE: https://bitbucket.org/jwilk/didjvu/issue/8
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/09/7
CVE-2015-4146 (The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 thro ...)
{DSA-3397-1}
- wpa 2.3-2.2 (bug #787371)
@@ -16719,7 +16719,7 @@ CVE-2015-4146 (The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0
NOTE: http://w1.fi/security/2015-4/
NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
NOTE: http://w1.fi/security/2015-4/0005-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/5
CVE-2015-4145 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...)
{DSA-3397-1}
- wpa 2.3-2.2 (bug #787371)
@@ -16731,7 +16731,7 @@ CVE-2015-4145 (The EAP-pwd server and peer implementation in hostapd and wpa_sup
NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
NOTE: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
NOTE: http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/5
CVE-2015-4144 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...)
{DSA-3397-1}
- wpa 2.3-2.2 (bug #787371)
@@ -16743,7 +16743,7 @@ CVE-2015-4144 (The EAP-pwd server and peer implementation in hostapd and wpa_sup
NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
NOTE: http://w1.fi/security/2015-4/0003-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
NOTE: http://w1.fi/security/2015-4/0004-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/5
CVE-2015-4143 (The EAP-pwd server and peer implementation in hostapd and wpa_supplica ...)
{DSA-3397-1}
- wpa 2.3-2.2 (bug #787371)
@@ -16753,7 +16753,7 @@ CVE-2015-4143 (The EAP-pwd server and peer implementation in hostapd and wpa_sup
NOTE: http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
NOTE: http://w1.fi/security/2015-4/0001-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
NOTE: http://w1.fi/security/2015-4/0002-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/5
CVE-2015-4142 (Integer underflow in the WMM Action frame parser in hostapd 0.5.5 thro ...)
{DSA-3397-1 DLA-260-1}
- wpa 2.3-2.2 (bug #787373)
@@ -16762,7 +16762,7 @@ CVE-2015-4142 (Integer underflow in the WMM Action frame parser in hostapd 0.5.5
- hostapd <removed>
NOTE: http://w1.fi/security/2015-3/
NOTE: http://w1.fi/security/2015-3/integer-underflow-in-ap-mode-wmm-action-frame.txt
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/09/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/09/5
CVE-2015-4141 (The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplican ...)
{DSA-3397-1}
- wpa 2.3-2.2 (bug #787372)
@@ -16772,7 +16772,7 @@ CVE-2015-4141 (The WPS UPnP function in hostapd, when using WPS AP, and wpa_supp
[squeeze] - hostapd <not-affected> (Affects 0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration and upnp_iface parameter on runtime)
NOTE: http://w1.fi/security/2015-2/
NOTE: http://w1.fi/security/2015-2/wps-upnp-http-chunked-transfer-encoding.txt
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/09/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/09/4
CVE-2015-XXXX [incorrect parsing of from header when assigning pgp keys]
- semi 1.14.7~0.20120428-17 (bug #784712)
[jessie] - semi 1.14.7~0.20120428-14+deb8u1
@@ -16832,18 +16832,18 @@ CVE-2015-3632 (Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allo
NOT-FOR-US: Foxit Reader, Enterprise Reader, PhantomPDF
CVE-2015-3631 (Docker Engine before 1.6.1 allows local users to set arbitrary Linux S ...)
- docker.io 1.6.1+dfsg1-1 (bug #784726)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/10
CVE-2015-3630 (Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, ...)
- docker.io 1.6.1+dfsg1-1 (bug #784726)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/10
CVE-2015-3629 (Libcontainer 1.6.0, as used in Docker Engine, allows local users to es ...)
- docker.io 1.6.1+dfsg1-1 (bug #784726)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/10
CVE-2015-3628 (The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Cont ...)
NOT-FOR-US: F5
CVE-2015-3627 (Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor ...)
- docker.io 1.6.1+dfsg1-1 (bug #784726)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/10
CVE-2015-3626 (Cross-site scripting (XSS) vulnerability in the DHCP Monitor page in t ...)
NOT-FOR-US: Fortinet FortiOS
CVE-2015-3625 (The NVIDIA GPU driver for FreeBSD R352 before 352.09, 346 before 346.7 ...)
@@ -17183,7 +17183,7 @@ CVE-2015-3905 (Buffer overflow in the set_cs_start function in t1disasm.c in t1u
- t1utils 1.38-4 (bug #779274)
[wheezy] - t1utils <no-dsa> (Minor issue)
NOTE: https://github.com/kohler/t1utils/issues/4
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/13/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/13/9
CVE-2015-XXXX [crashes on crafted upack packed file]
- clamav 0.98.7+dfsg-1
[jessie] - clamav 0.98.7+dfsg-0+deb8u1
@@ -17191,14 +17191,14 @@ CVE-2015-XXXX [crashes on crafted upack packed file]
[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
NOTE: https://github.com/vrtadmin/clamav-devel/commit/a18af359decd270f5088e80e2ee2866c62e0843e
NOTE: https://github.com/vrtadmin/clamav-devel/commit/ed56f56c1f1529bda877ddd116ae7bc064667c73
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/03/3
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/03/3
CVE-2015-XXXX [crash during algorithmic detection on crafted PE file]
- clamav 0.98.7+dfsg-1
[jessie] - clamav 0.98.7+dfsg-0+deb8u1
[wheezy] - clamav 0.98.7+dfsg-0+deb7u1
[squeeze] - clamav 0.98.7+dfsg-0+deb6u1
NOTE: https://github.com/vrtadmin/clamav-devel/commit/a7bdfb4f0d3210eeab49280726ff3ea6d703280e
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/05/03/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/05/03/4
CVE-2015-XXXX [BUG/MAJOR: http: don't read past buffer's end in http_replace_value]
- haproxy 1.5.12-1
[jessie] - haproxy <no-dsa> (Minor issue)
@@ -17213,7 +17213,7 @@ CVE-2015-XXXX [BUG/MAJOR: http: prevent risk of reading past end with balance ur
NOTE: For squeeze, the above commit message implies that the fix does not need to be backported to version 1.4 and indeed, the code already contains a (different) check that limits the value of "len".
CVE-2015-4017 (Salt before 2014.7.6 does not verify certificates when connecting via ...)
- salt <not-affected> (Vulnerable code not present in the version in Debian stable/unstable)
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/02/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/02/1
CVE-2015-3646 (OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014 ...)
- keystone 2015.1.0-1
[jessie] - keystone <no-dsa> (Minor issue)
@@ -17357,7 +17357,7 @@ CVE-2015-3420 (The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when S
[jessie] - dovecot 1:2.2.13-12~deb8u1
[wheezy] - dovecot <not-affected> (Problematic patch introducing the issue not applied)
[squeeze] - dovecot <not-affected> (Vulnerable code not present & not reproducible)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/26/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/26/3
NOTE: Patch: http://web.archive.org/web/20150907231530/http://hg.dovecot.org/dovecot-2.2/rev/86f535375750
NOTE: Segfault reproducible if using openssl/1.0.2a-1 from sid.
NOTE: http://dovecot.org/pipermail/dovecot/2015-April/100579.html
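Review bot: the `NOTE: Patch:` line two below the changed line is a web.archive.org capture whose embedded target is `http://hg.dovecot.org/dovecot-2.2/rev/86f535375750`; the outer scheme could be upgraded, but the inner http:// URL is the archive key and must be left untouched, so any automated http-to-https sweep needs to skip it. The dovecot.org pipermail link on the last context line is also still plain http://.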
@@ -17370,7 +17370,7 @@ CVE-2015-3440 (Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php
- wordpress 4.2.1+dfsg-1 (bug #783554)
NOTE: http://klikki.fi/adv/wordpress2.html
NOTE: https://wordpress.org/news/2015/04/wordpress-4-2-1/
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/27/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/27/4
NOTE: https://core.trac.wordpress.org/changeset/32299
CVE-2015-XXXX [Some plugins were vulnerable to an SQL injection vulnerability]
- wordpress 4.2+dfsg-1 (bug #783347)
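Review bot: `http://klikki.fi/adv/wordpress2.html` in the same NOTE block as the changed line stays on plain http; out of scope for this commit, but it belongs in the same follow-up.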
@@ -17378,17 +17378,17 @@ CVE-2015-XXXX [Some plugins were vulnerable to an SQL injection vulnerability]
[wheezy] - wordpress 3.6.1+dfsg-1~deb7u6
[squeeze] - wordpress 3.6.1+dfsg-1~deb6u6
NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/26/2
- NOTE: To be decided: http://www.openwall.com/lists/oss-security/2015/04/28/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/26/2
+ NOTE: To be decided: https://www.openwall.com/lists/oss-security/2015/04/28/7
CVE-2015-XXXX [files with invalid or unsafe names could be uploaded]
- wordpress 4.2+dfsg-1 (bug #783347)
[jessie] - wordpress 4.1+dfsg-1+deb8u1
[wheezy] - wordpress <not-affected> (File upload vulnerability only in WordPress 4.1 and higher)
[squeeze] - wordpress <not-affected> (File upload vulnerability only in WordPress 4.1 and higher)
NOTE: https://wordpress.org/news/2015/04/wordpress-4-1-2/
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/26/2
- NOTE: To be decided: http://www.openwall.com/lists/oss-security/2015/04/28/7
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/06/10/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/26/2
+ NOTE: To be decided: https://www.openwall.com/lists/oss-security/2015/04/28/7
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/06/10/11
CVE-2015-3439 (Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiec ...)
{DSA-3250-1 DLA-236-1}
- wordpress 4.2+dfsg-1 (bug #783347)
@@ -17402,7 +17402,7 @@ CVE-2015-3438 (Multiple cross-site scripting (XSS) vulnerabilities in WordPress
CVE-2015-3451 (The _clone function in XML::LibXML before 2.0119 does not properly set ...)
{DSA-3243-1 DLA-214-1}
- libxml-libxml-perl 2.0116+dfsg-2 (bug #783443)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/25/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/25/2
NOTE: https://bitbucket.org/shlomif/perl-xml-libxml/commits/5962fd067580767777e94640b129ae8930a68a30
NOTE: https://bitbucket.org/shlomif/perl-xml-libxml/commits/915f1dbaf21c5f3c21d7c519c70fd93859e47152
CVE-2015-3418 (The ProcPutImage function in dix/dispatch.c in X.Org Server (aka xserv ...)
@@ -17609,7 +17609,7 @@ CVE-2015-3339 (Race condition in the prepare_binprm function in fs/exec.c in the
- linux 3.16.7-ckt9-3
- linux-2.6 <removed>
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8b01fc86b9f425899f8a3a8fc1c47d73c2c20543
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/20/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/20/1
CVE-2015-7942 (The xmlParseConditionalSections function in parser.c in libxml2 does n ...)
{DSA-3430-1 DLA-334-1}
- libxml2 2.9.3+dfsg1-1 (bug #802827)
@@ -17621,15 +17621,15 @@ CVE-2015-7941 (libxml2 2.9.2 does not properly stop parsing invalid input, which
{DSA-3430-1 DLA-266-1}
- libxml2 2.9.2+really2.9.1+dfsg1-0.1 (bug #783010)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=744980
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/19/5
- NOTE: http://www.openwall.com/lists/oss-security/2015/10/22/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/19/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/10/22/5
NOTE: https://git.gnome.org/browse/libxml2/commit/?id=a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 (v2.9.3)
NOTE: https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 (v2.9.3)
CVE-2015-8710 (The htmlParseComment function in HTMLparser.c in libxml2 allows attack ...)
{DSA-3430-1 DLA-266-1}
- libxml2 2.9.2+really2.9.1+dfsg1-0.1 (bug #782985)
NOTE: Added workaround item to reflect entry fixed status, remove once CVE assigned
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/19/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/04/19/4
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=746048
NOTE: https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
CVE-2015-3328
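Review bot: `NOTE: Added workaround item to reflect entry fixed status, remove once CVE assigned` sits under an entry that already carries CVE-2015-8710, and the line changed here is still labelled `CVE Request:`; both read as leftovers from the placeholder stage and should be dropped or relabelled in a follow-up, since the entry is no longer a CVE-2015-XXXX stub.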
@@ -17656,8 +17656,8 @@ CVE-2015-3330 (The php_handler function in sapi/apache2handler/sapi_apache2.c in
NOTE: https://bugs.php.net/bug.php?id=69218
NOTE: https://bugs.php.net/bug.php?id=68486
NOTE: Fixed by: https://git.php.net/?p=php-src.git;a=commit;h=809610f5ea38a83b284e1125d1fff129bdd615e7
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/17/3
- NOTE: For details on scope of the CVE assignment: http://www.openwall.com/lists/oss-security/2015/04/17/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/17/3
+ NOTE: For details on scope of the CVE assignment: https://www.openwall.com/lists/oss-security/2015/04/17/7
CVE-2015-3319 (Hotspot Express hotEx Billing Manager 73 does not include the HTTPOnly ...)
NOT-FOR-US: Hotspot Express hotEx Billing Manager
CVE-2015-3318 (CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, ...)
@@ -17684,7 +17684,7 @@ CVE-2015-3329 (Multiple stack-based buffer overflows in the phar_set_inode funct
- php5 5.6.9+dfsg-1
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c
NOTE: https://bugs.php.net/bug.php?id=69441
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/16/22
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/16/22
NOTE: Fixed in 5.6.8 and 5.4.40
CVE-2015-3315 (Automatic Bug Reporting Tool (ABRT) allows local users to read, change ...)
NOT-FOR-US: abrt is Red Hat / Fedora specific
@@ -17884,7 +17884,7 @@ CVE-2015-3251 (Apache CloudStack before 4.5.2 might allow remote authenticated a
NOT-FOR-US: Apache CloudStack
CVE-2015-3250 (Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct ...)
- apache-directory-api 1.0.0~M20-3 (bug #791957)
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/07/5
CVE-2015-3249 (The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before ...)
- trafficserver 5.3.1-1
[wheezy] - trafficserver <not-affected> (HTTP2 support does not exist)
@@ -18657,7 +18657,7 @@ CVE-2015-3306 (The mod_copy module in ProFTPD 1.3.5 allows remote attackers to r
{DSA-3263-1}
- proftpd-dfsg 1.3.5-2 (bug #782781)
[squeeze] - proftpd-dfsg <not-affected> (mod_copy not available in version 1.3.3)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/15/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/15/2
NOTE: https://github.com/proftpd/proftpd/pull/109
NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4169
NOTE: https://cxsecurity.com/issue/WLB-2015040075
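Review bot: `http://bugs.proftpd.org/show_bug.cgi?id=4169` in the same NOTE block as the changed line is still plain http://.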
@@ -18666,7 +18666,7 @@ CVE-2015-3331 (The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-in
- linux 3.16.7-ckt9-3 (bug #782561)
- linux-2.6 <removed>
[squeeze] - linux-2.6 <not-affected> (Vulnerable code introduced in v2.6.38-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/14/16
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/14/16
NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccfe8c3f7e52ae83155cb038753f4c75b774ca8a (v4.0-rc5)
NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0bd82f5f6355775fbaf7d3c664432ce1b862be1e (v2.6.38-rc1)
CVE-2015-3332 (A certain backport in the TCP Fast Open implementation for the Linux k ...)
@@ -18674,34 +18674,34 @@ CVE-2015-3332 (A certain backport in the TCP Fast Open implementation for the Li
[jessie] - linux 3.16.7-ckt9-3~deb8u1
[wheezy] - linux <not-affected> (TCP Fast Open introduced in v3.6-rc1)
- linux-2.6 <not-affected> (TCP Fast Open introduced in v3.6-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/14/14
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/14/14
NOTE: http://thread.gmane.org/gmane.linux.network/359588
CVE-2015-3310 (Buffer overflow in the rc_mksid function in plugins/radius/util.c in P ...)
{DSA-3228-1 DLA-205-1}
- ppp 2.4.6-3.1 (bug #782450)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/13/4
NOTE: Patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=17;filename=ppp_2.4.6-3.1-nmu.diff;att=1;bug=782450
CVE-2015-5621 (The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlie ...)
{DSA-4154-1 DLA-1317-1}
- net-snmp 5.7.3+dfsg-1.1 (bug #788964)
[squeeze] - net-snmp <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/13/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/13/1
NOTE: Upstream patch: https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/
NOTE: https://sourceforge.net/p/net-snmp/bugs/2615/ (currently not public)
CVE-2015-4085 (Directory traversal vulnerability in node/hooks/express/tests.js in Et ...)
- etherpad-lite <itp> (bug #576998)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/11/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/11/10
CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in Etherpad ...)
- etherpad-lite <itp> (bug #576998)
CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.cl ...)
- ceph-deploy <not-affected> (Fixed with initial upload to Debian)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/09/9
CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 d ...)
{DSA-3223-1 DLA-192-1}
- ntp 1:4.2.6.p5+dfsg-7
NOTE: https://bugs.ntp.org/show_bug.cgi?id=2797
NOTE: Patch: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/09/5
CVE-2015-3008 (Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x be ...)
{DSA-3700-1 DLA-455-1}
- asterisk 1:13.7.2~dfsg-1 (bug #782411)
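Review bot: besides the openwall lines, this hunk still carries `http://thread.gmane.org/gmane.linux.network/359588` (CVE-2015-3332) and the bk1.ntp.org patch link (CVE-2015-3405) on plain http://, so a sweep of the same kind could cover them. Separately, the net-snmp entry (CVE-2015-5621) still says the sourceforge bug is "currently not public" although DSA-4154-1 and DLA-1317-1 are already recorded for it; that note is worth rechecking.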
@@ -18843,7 +18843,7 @@ CVE-2015-3026 (Icecast before 2.4.2, when a stream_auth handler is defined for U
[wheezy] - icecast2 <not-affected> (stream_auth introduced in 2.3.3)
[squeeze] - icecast2 <not-affected> (stream_auth introduced in 2.3.3)
NOTE: https://trac.xiph.org/ticket/2191
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/08/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/08/8
CVE-2015-3030 (The web interface in McAfee Advanced Threat Defense (MATD) before 3.4. ...)
NOT-FOR-US: McAfee Advanced Threat Defense
CVE-2015-3029 (The web interface in McAfee Advanced Threat Defense (MATD) before 3.4. ...)
@@ -18858,25 +18858,25 @@ CVE-2015-3406 (The PGP signature parsing in Module::Signature before 0.74 allows
{DSA-3261-1 DLA-264-1}
- libmodule-signature-perl 0.78-1 (bug #783451)
NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/07/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/07/1
NOTE: Changes might needed in libtest-signature-perl, need further investigation
CVE-2015-3407 (Module::Signature before 0.74 allows remote attackers to bypass signat ...)
{DSA-3261-1 DLA-264-1}
- libmodule-signature-perl 0.78-1 (bug #783451)
NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/07/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/07/1
NOTE: libtest-signature-perl needed to be updated
CVE-2015-3408 (Module::Signature before 0.74 allows remote attackers to execute arbit ...)
{DSA-3261-1 DLA-264-1}
- libmodule-signature-perl 0.78-1 (bug #783451)
NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/07/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/07/1
NOTE: Changes might needed in libtest-signature-perl, need further investigation
CVE-2015-3409 (Untrusted search path vulnerability in Module::Signature before 0.75 a ...)
{DSA-3261-1 DLA-264-1}
- libmodule-signature-perl 0.78-1 (bug #783451)
NOTE: Upstream fix: https://github.com/audreyt/module-signature/commit/c41e8885b862b9fce2719449bc9336f0bea658ef
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/07/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/07/1
NOTE: Changes might needed in libtest-signature-perl, need further investigation
CVE-2015-2921
RESERVED
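Review bot: the four Module::Signature entries disagree with each other: CVE-2015-3406, CVE-2015-3408 and CVE-2015-3409 still say "Changes might needed in libtest-signature-perl, need further investigation", while CVE-2015-3407 says "libtest-signature-perl needed to be updated", and the first three share the same upstream fix commit (8a9164596...). The open question looks resolved by the 3407 note, so the three stale notes should be reconciled in a follow-up; the phrase should also read "might be needed".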
@@ -19054,12 +19054,12 @@ CVE-2015-2929 (The Hidden Service (HS) client implementation in Tor before 0.2.4
{DSA-3216-1 DLA-187-1}
- tor 0.2.5.12-1
NOTE: https://trac.torproject.org/projects/tor/ticket/15601
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/06/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/06/5
CVE-2015-2928 (The Hidden Service (HS) server implementation in Tor before 0.2.4.27, ...)
{DSA-3216-1 DLA-187-1}
- tor 0.2.5.12-1
NOTE: https://trac.torproject.org/projects/tor/ticket/15600
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/06/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/06/5
CVE-2015-2837
RESERVED
CVE-2015-2836
@@ -19077,12 +19077,12 @@ CVE-2015-2927 (node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to
[jessie] - node <no-dsa> (Minor issue)
[squeeze] - node <no-dsa> (Minor issue)
[wheezy] - node <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/03/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/03/10
CVE-2015-XXXX [caja automounts USB flash drives and CD/DVD drives while session is locked]
- caja 1.8.2-4 (bug #781608)
[jessie] - caja 1.8.2-3+deb8u1
NOTE: https://github.com/mate-desktop/caja/issues/398
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/03/12
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/04/03/12
CVE-2015-3013 (ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 ...)
{DSA-3244-1}
[experimental] - owncloud 7.0.5+dfsg-1
@@ -19179,12 +19179,12 @@ CVE-2015-2830 (arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does
- linux 3.16.7-ckt9-1
- linux-2.6 <removed>
NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=956421fbb74c3a6261903f3836c0740187cf038b (v4.0-rc3)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/02/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/02/1
CVE-2015-XXXX [Signature Bypass in several JSON Web Token Libraries]
- pyjwt 1.3.0-1 (bug #781640)
[jessie] - pyjwt 0.2.1-1+deb8u1
NOTE: Added workaround item to reflect entry fixed status, remove once CVE assigned
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/04/01/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/04/01/4
NOTE: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
NOTE: ruby-jwt not directly affected, see https://github.com/jwt/ruby-jwt/issues/76
CVE-2015-2810 (Integer overflow in the HwpApp::CHncSDS_Manager function in Hancom Off ...)
@@ -19207,7 +19207,7 @@ CVE-2015-2831 (Buffer overflow in das_watchdog 0.9.0 allows local users to execu
{DSA-3221-1 DLA-194-1}
- das-watchdog 0.9.0-3.1 (bug #781806)
NOTE: Upstream commit: https://github.com/kmatheussen/das_watchdog/commit/bd20bb02e75e2c
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/8
CVE-2015-2805 (Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa ...)
NOT-FOR-US: Alcatel-Lucent OmniSwitch
CVE-2015-2804 (The management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, ...)
@@ -19248,71 +19248,71 @@ CVE-2015-2931 (Incomplete blacklist vulnerability in includes/upload/UploadBase.
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2932 (Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x b ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2933 (Cross-site scripting (XSS) vulnerability in the Html class in MediaWik ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2934 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2935 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2936 (MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2937 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2938 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2939 (Cross-site scripting (XSS) vulnerability in the Scribunto extension fo ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2940 (Cross-site request forgery (CSRF) vulnerability in the CheckUser exten ...)
- mediawiki 1:1.19.20+dfsg-2.3
[wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS)
[squeeze] - mediawiki <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2941 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, ...)
- mediawiki 1:1.19.20+dfsg-2.3 (unimportant)
NOTE: HHVM not packaged in Debian
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2942 (MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 ...)
- mediawiki 1:1.19.20+dfsg-2.3 (unimportant)
NOTE: HHVM not packaged in Debian
NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/01/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/01/1
CVE-2015-2786 (Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 h ...)
NOT-FOR-US: MyBB
CVE-2015-2784 (The papercrop gem before 0.3.0 for Ruby on Rails does not properly han ...)
@@ -19376,14 +19376,14 @@ CVE-2015-2793 (Cross-site scripting (XSS) vulnerability in templates/openid-sele
- ikiwiki 3.20141016.2 (bug #781483)
[wheezy] - ikiwiki 3.20120629.2
[squeeze] - ikiwiki <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/30/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/30/5
CVE-2015-2806 (Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4. ...)
{DSA-3220-1 DLA-195-1}
[experimental] - libtasn1-6 4.4-1
- libtasn1-6 4.2-3
- libtasn1-3 <removed>
NOTE: https://gitlab.com/gnutls/libtasn1/commit/4d4f992826a4962790ecd0cce6fbba4a415ce149
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/29/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/29/4
NOTE: Only in the asn1 definition parser, not in the asn1 parser itself
NOTE: https://lists.gnu.org/archive/html/help-libtasn1/2015-01/msg00000.html
CVE-2015-2787 (Use-after-free vulnerability in the process_nested_data function in ex ...)
@@ -19393,7 +19393,7 @@ CVE-2015-2787 (Use-after-free vulnerability in the process_nested_data function
CVE-2015-2782 (Buffer overflow in Open-source ARJ archiver 3.10.22 allows remote atta ...)
{DSA-3213-1 DLA-188-1}
- arj 3.10.22-13 (bug #774015)
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/28/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/28/5
CVE-2015-2756 (QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict a ...)
{DSA-3259-1 DLA-479-1}
- xen 4.2.0~rc2-1 (bug #781620)
@@ -20535,35 +20535,35 @@ CVE-2015-6674 (Buffer underflow vulnerability in the Debian inspircd package bef
{DSA-3226-1 DLA-276-1}
- inspircd 2.0.16-1 (bug #780880)
NOTE: Correct fix: https://github.com/inspircd/inspircd/commit/ed28c1ba666b39581adb860bf51cdde43c84cc89
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/29/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/29/5
CVE-2015-2788 (Multiple stack-based buffer overflows in the ib_fill_isqlda function i ...)
{DSA-3219-1}
- libdbd-firebird-perl 1.18-2 (bug #780925)
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/30/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/30/4
CVE-2015-4148 (The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5 ...)
{DLA-307-1}
- php5 5.6.7+dfsg-1
[wheezy] - php5 5.4.39-0+deb7u1
NOTE: https://bugs.php.net/bug.php?id=69085
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/20/14
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/20/14
CVE-2015-4147 (The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, ...)
{DLA-307-1}
- php5 5.6.7+dfsg-1
[wheezy] - php5 5.4.39-0+deb7u1
NOTE: https://bugs.php.net/bug.php?id=69085
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/20/14
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/20/14
CVE-2015-2779 (Stack consumption vulnerability in the message splitting functionality ...)
- quassel 1:0.10.0-2.3 (bug #781024)
[wheezy] - quassel <not-affected> (According to upstream issue isn't triggerable in 0.8)
[squeeze] - quassel <not-affected> (According to upstream issue isn't triggerable in 0.6)
NOTE: https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/20/12
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/20/12
CVE-2015-2778 (Quassel before 0.12-rc1 uses an incorrect data-type size when splittin ...)
- quassel 1:0.10.0-2.3 (bug #781024)
[wheezy] - quassel <not-affected> (According to upstream issue isn't triggerable in 0.8)
[squeeze] - quassel <not-affected> (According to upstream issue isn't triggerable in 0.6)
NOTE: https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/20/12
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/20/12
CVE-2015-2348 (The move_uploaded_file implementation in ext/standard/basic_functions. ...)
{DSA-3198-1 DLA-444-1}
- php5 5.6.7+dfsg-1
@@ -20621,7 +20621,7 @@ CVE-2015-2749 (Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x bef
- drupal6 <removed>
[squeeze] - drupal6 <end-of-life>
NOTE: https://www.drupal.org/SA-CORE-2015-001
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/19/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/19/5
CVE-2015-2329 (Cross-site scripting (XSS) vulnerability in the WooCommerce plugin bef ...)
NOT-FOR-US: WooCommerce plugin for WordPress
CVE-2015-2328 (PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related ...)
@@ -20635,7 +20635,7 @@ CVE-2015-2328 (PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and rel
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: https://bugs.exim.org/show_bug.cgi?id=1515
NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1498
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/31/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/31/4
CVE-2015-2327 (PCRE before 8.36 mishandles the /(((a\2)|(a*)\g&lt;-1&gt;))*/ pattern ...)
- mongodb <removed> (unimportant)
NOTE: CVE for bundled version of pcre3 in mongodb
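Review bot: `http://vcs.pcre.org/pcre?view=revision&revision=1498` in this hunk (and revision=1495 in the next one, CVE-2015-2327) is still plain http://; same rationale as the openwall change applies to the "Fixed by:" pointers.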
@@ -20647,7 +20647,7 @@ CVE-2015-2327 (PCRE before 8.36 mishandles the /(((a\2)|(a*)\g&lt;-1&gt;))*/ pat
[squeeze] - pcre3 <no-dsa> (Minor issue)
NOTE: https://bugs.exim.org/show_bug.cgi?id=1503
NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1495
- NOTE: http://www.openwall.com/lists/oss-security/2015/05/31/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/05/31/5
CVE-2015-2326 (The pcre_compile2 function in PCRE before 8.37 allows context-dependen ...)
- pcre3 2:8.35-7.2 (bug #783285)
[jessie] - pcre3 2:8.35-3.3+deb8u1
@@ -20702,7 +20702,7 @@ CVE-2015-2666 (Stack-based buffer overflow in the get_matching_model_microcode f
- linux-2.6 <not-affected> (Introduced in 3.9)
NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ec400ddeff200b068ddc6c70f7321f49ecf32ed5 (v3.9-rc1)
NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4 (v4.0-rc1)
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/18/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/18/7
CVE-2015-2684 (Shibboleth Service Provider (SP) before 2.5.4 allows remote authentica ...)
{DSA-3207-1 DLA-259-1}
- shibboleth-sp2 2.5.3+dfsg-2
@@ -20712,7 +20712,7 @@ CVE-2015-2672 (The xsave/xrstor implementation in arch/x86/include/asm/xsave.h i
- linux-2.6 <not-affected>
NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f31a9f7c71691569359fa7fb8b0acaa44bce0324 (v3.17-rc1)
NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06 (v4.0-rc3)
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/18/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/18/6
CVE-2015-2331 (Integer overflow in the _zip_cdir_new function in zip_dirent.c in libz ...)
{DSA-3198-1 DLA-212-1}
- php5 5.6.7+dfsg-1 (bug #780713)
@@ -20721,7 +20721,7 @@ CVE-2015-2331 (Integer overflow in the _zip_cdir_new function in zip_dirent.c in
[squeeze] - libzip <not-affected> (Vulnerable code introduced with added Zip64 support in 0.11)
NOTE: https://bugs.php.net/bug.php?id=69253
NOTE: https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/18/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/18/1
NOTE: libzip patch: http://hg.nih.at/libzip/rev/9f11d54f692e
CVE-2015-2330 (Late TLS certificate verification in WebKitGTK+ prior to 2.6.6 allows ...)
- webkitgtk 2.4.9-1 (unimportant)
@@ -20791,7 +20791,7 @@ CVE-2015-8903 (The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x
- imagemagick 8:6.8.9.9-6 (low)
[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
[squeeze] - imagemagick <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/20/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/20/4
NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933
NOTE: http://web.archive.org/web/20150428140926/http://trac.imagemagick.org/changeset/17856
CVE-2015-8902 (The ReadBlobByte function in coders/pdb.c in ImageMagick 6.x before 6. ...)
@@ -20800,7 +20800,7 @@ CVE-2015-8902 (The ReadBlobByte function in coders/pdb.c in ImageMagick 6.x befo
- imagemagick 8:6.8.9.9-6 (low)
[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
[squeeze] - imagemagick <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/20/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/20/4
NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932
NOTE: http://web.archive.org/web/20150428145652/http://trac.imagemagick.org/changeset/17855
CVE-2015-8901 (ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a ...)
@@ -20809,7 +20809,7 @@ CVE-2015-8901 (ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to ca
- imagemagick 8:6.8.9.9-6
[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
[squeeze] - imagemagick <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/20/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/20/4
NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931
CVE-2015-8900 (The ReadHDRImage function in coders/hdr.c in ImageMagick 6.x and 7.x a ...)
{DLA-960-1}
@@ -20817,7 +20817,7 @@ CVE-2015-8900 (The ReadHDRImage function in coders/hdr.c in ImageMagick 6.x and
- imagemagick 8:6.8.9.9-6
[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
[squeeze] - imagemagick <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/20/4
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/20/4
NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26929
NOTE: http://web.archive.org/web/20150501030131/http://trac.imagemagick.org/changeset/17845
NOTE: http://web.archive.org/web/20150429001241/http://trac.imagemagick.org/changeset/17846
@@ -20849,7 +20849,7 @@ CVE-2015-2674 (Restkit allows man-in-the-middle attackers to spoof TLS servers b
[wheezy] - python-restkit <ignored> (Minor issue)
[squeeze] - python-restkit <no-dsa> (Minor issue)
NOTE: https://github.com/benoitc/restkit/issues/140
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/12/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/12/9
CVE-2015-2283
RESERVED
CVE-2015-2282 (Stack-based buffer overflow in the LZC decompression implementation (C ...)
@@ -20957,12 +20957,12 @@ CVE-2015-2301 (Use-after-free vulnerability in the phar_rename_archive function
- php5 5.6.6+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=68901
NOTE: https://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/10/6
CVE-2015-2265 (The remove_bad_chars function in utils/cups-browsed.c in cups-filters ...)
- cups-filters 1.0.61-5 (bug #780267)
[wheezy] - cups-filters <not-affected> (vulnerable code not present)
NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/09/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/09/5
CVE-2015-2241 (Cross-site scripting (XSS) vulnerability in the contents function in a ...)
- python-django 1.7.6-1
[wheezy] - python-django <not-affected> (Only affects 1.7.x and 1.8.x)
@@ -21091,7 +21091,7 @@ CVE-2015-2675 (The OAuth implementation in librest before 0.7.93 incorrectly tru
[squeeze] - librest <not-affected> (rest_proxy_call_get_url not yet used)
NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=742644
NOTE: Commit: https://git.gnome.org/browse/librest/commit/?id=b50ace7738ea038
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/04/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/04/6
CVE-2015-2204 (Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 all ...)
NOT-FOR-US: Evergreen library
CVE-2015-2203 (Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users wi ...)
@@ -21361,7 +21361,7 @@ CVE-2015-XXXX [MATTA-2015-002: Enforce acceptable range for Diffie-Hellman serve
[wheezy] - putty 0.62-9+deb7u2
[squeeze] - putty 0.60+2010-02-20-1+squeeze3
NOTE: temporary workaround until CVE assigned to explitly tag for wheezy+squeeze
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/27/4
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/02/27/4
NOTE: http://advisories.mageia.org/MGASA-2015-0098.html
CVE-2015-2172 (DokuWiki before 2014-05-05d and before 2014-09-29c does not properly c ...)
- dokuwiki 0.0.20140929.d-1 (bug #779547)
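Review bot: the unchanged context line "NOTE: temporary workaround until CVE assigned to explitly tag for wheezy+squeeze" in this hunk misspells "explicitly"; it is not part of the URL change, but since the line sits right next to the edited "CVE Request:" NOTE it would be cheap to fix in a follow-up.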
@@ -21375,7 +21375,7 @@ CVE-2015-2158 (Off-by-one error in the pngcrush_measure_idat function in pngcrus
- pngcrush <not-affected> (Vulnerable code not present)
NOTE: Introduced by http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ (1.7.83)
NOTE: Fixed by: http://sourceforge.net/p/pmt/code/ci/a1ce646d00a400fd9ec321ab5cb522f40b7bdfe6/ (1.7.84)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/28/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/28/6
CVE-2015-2157 (The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY ...)
{DSA-3190-1 DLA-173-1}
- putty 0.63-10 (bug #779488)
@@ -21431,7 +21431,7 @@ CVE-2015-8984 (The fnmatch function in the GNU C Library (aka glibc or libc6) be
[wheezy] - eglibc 2.13-38+deb7u9
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18032
NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a28f4d55a6cc33474c0792fe93b5942d81bf185
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/26/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/26/5
CVE-2015-2079
RESERVED
CVE-2015-2078 (The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft ...)
@@ -21519,7 +21519,7 @@ CVE-2015-8983 (Integer overflow in the _IO_wstr_overflow function in libio/wstro
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=17269
NOTE: Fixed upstream in 2.22
NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/22/15
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/22/15
CVE-2015-8477 (Cross-site scripting (XSS) vulnerability in Redmine before 2.6.2 allow ...)
- redmine 3.0~20140825-5 (low)
[squeeze] - redmine <end-of-life> (Redmine not supported because of rails)
@@ -21986,7 +21986,7 @@ CVE-2015-1852 (The s3_token middleware in OpenStack keystonemiddleware before 1.
CVE-2015-1851 (OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 ...)
{DSA-3292-1}
- cinder 2015.1.0+2015.06.16.git26.9634b76ba5-1 (bug #788996)
- NOTE: http://www.openwall.com/lists/oss-security/2015/06/13/1
+ NOTE: https://www.openwall.com/lists/oss-security/2015/06/13/1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1231817
NOTE: https://bugs.launchpad.net/cinder/+bug/1415087
CVE-2015-1850
@@ -22614,7 +22614,7 @@ CVE-2015-XXXX [incorrect memory management in Gtk2::Gdk::Display::list_devices]
NOTE: CVE needs to be added to data/D[SL]A/list
NOTE: https://mail.gnome.org/archives/gtk-perl-list/2015-January/msg00039.html
NOTE: https://bugs.mageia.org/show_bug.cgi?id=15173
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/14
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/02/20/14
CVE-2015-XXXX [Linux ASLR mmap weakness: Reducing entropy by half]
- linux 4.0.2-1
[jessie] - linux 3.16.7-ckt17-1
@@ -22631,7 +22631,7 @@ CVE-2015-2060 (cabextract before 1.6 does not properly check for leading slashes
[jessie] - cabextract <no-dsa> (Minor issue)
[wheezy] - cabextract <no-dsa> (Minor issue)
[squeeze] - cabextract <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/18/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/18/3
NOTE: Upstream commit: http://sourceforge.net/p/libmspack/code/217
NOTE: CVE assigned for issue were path traversal occurs because the unpatched
NOTE: code does neither of the following: 1) checking for slashes after decoding
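Review bot: the context line "NOTE: CVE assigned for issue were path traversal occurs because the unpatched" in this hunk should read "where path traversal occurs"; the typo changes the sense of the sentence, so it is worth a separate whitespace-free follow-up commit rather than leaving it.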
@@ -22642,7 +22642,7 @@ CVE-2015-2297 (nanohttp in libcsoap allows remote attackers to cause a denial of
[squeeze] - libcsoap <no-dsa> (Minor issue)
[wheezy] - libcsoap <no-dsa> (Minor issue)
NOTE: CVE assigned only for the null pointer dereference, not all issues in
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/17/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/17/2
CVE-2015-2091 (The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earl ...)
{DSA-3177-1 DLA-170-1}
- mod-gnutls 0.6-1.3 (bug #578663)
@@ -22716,7 +22716,7 @@ CVE-2015-1592 (Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro
- movabletype-opensource <removed>
[squeeze] - movabletype-opensource <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/2
CVE-2015-1572 (Heap-based buffer overflow in closefs.c in the libext2fs library in e2 ...)
{DSA-3166-1 DLA-162-1}
- e2fsprogs 1.42.12-1.1 (bug #778948)
@@ -22772,7 +22772,7 @@ CVE-2015-2305 (Integer overflow in the regcomp implementation in the Henry Spenc
NOTE: No security impact in nvi/vigor and openrpt
NOTE: http://www.kb.cert.org/vuls/id/695940
NOTE: https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/16/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/16/8
CVE-2015-XXXX [insecure storage of password in the NUT-monitor app]
- nut 2.7.2-2 (low; bug #777706)
[wheezy] - nut <no-dsa> (Minor issue)
@@ -22959,7 +22959,7 @@ CVE-2015-2046 (Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and l
[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
NOTE: Upstream patch: https://github.com/mantisbt/mantisbt/commit/6defeed5 (1.2.x)
NOTE: https://www.mantisbt.org/bugs/view.php?id=19301
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/10
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/09/10
NOTE: CVE for specific portion of the original May 2014 adm_config_report.php discovery
NOTE: that remains present in version 1.2.18 and 1.2.19
CVE-2015-XXXX [fails to detect silent driver failure to change MAC]
@@ -22970,17 +22970,17 @@ CVE-2015-9101 (The fill_buffer_resample function in util.c in libmp3lame.a in LA
- lame 3.99.5+repack1-6 (bug #777161)
[wheezy] - lame 3.99.5+repack1-3+deb7u1
[squeeze] - lame <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/8
CVE-2015-9100 (The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3. ...)
- lame 3.99.5+repack1-6 (bug #777160)
[wheezy] - lame 3.99.5+repack1-3+deb7u1
[squeeze] - lame <no-dsa> (minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/8
CVE-2015-9099 (The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 ...)
- lame 3.99.5+repack1-6 (bug #775959)
[wheezy] - lame 3.99.5+repack1-3+deb7u1
[squeeze] - lame <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/8
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/8
CVE-2015-XXXX [denial of service under memory stress]
- libhtp 1:0.5.25-1 (bug #777522)
[squeeze] - libhtp <no-dsa> (Minor issue)
@@ -22989,11 +22989,11 @@ CVE-2015-XXXX [denial of service under memory stress]
CVE-2015-2058 (c2s/c2s.c in Jabber Open Source Server 2.3.2 and earlier truncates dat ...)
- jabberd2 2.3.3-1 (bug #779154)
NOTE: https://github.com/jabberd2/jabberd2/issues/85
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/13
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/09/13
CVE-2015-2059 (The stringprep_utf8_to_ucs4 function in libin before 1.31, as used in ...)
{DSA-3578-1 DLA-476-1 DLA-277-1}
- libidn 1.31-1 (medium)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/23/25
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/23/25
NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e
NOTE: This could be attributed to a misuse of a (poorly documented) API
NOTE: but since upstream provided a patch it makes more sense to fix
@@ -23014,20 +23014,20 @@ CVE-2015-1546 (Double free vulnerability in the get_vrFilter function in servers
CVE-2015-2785 (The GIF encoder in Byzanz allows remote attackers to cause a denial of ...)
- byzanz <unfixed> (unimportant; bug #778261)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=852481
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/06/11
NOTE: Only applies to debug recordings, negligable security impact
CVE-2015-8837 (Stack-based buffer overflow in the isofs_real_readdir function in isof ...)
{DSA-3551-1 DLA-323-1}
- fuseiso 20070708-3.2 (bug #779047)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=863091
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862211
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/06/7
CVE-2015-8836 (Integer overflow in the isofs_real_read_zf function in isofs.c in Fuse ...)
{DSA-3551-1 DLA-323-1}
- fuseiso 20070708-3.2 (bug #779047)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=863102
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=861358
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/06/7
CVE-2015-1547 (The NeXTDecode function in tif_next.c in LibTIFF allows remote attacke ...)
{DSA-3273-1 DLA-610-1 DLA-221-1}
- tiff 4.0.3-12.1 (bug #777390)
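Review bot: the context line "NOTE: Only applies to debug recordings, negligable security impact" under CVE-2015-2785 in this hunk misspells "negligible"; unrelated to the scheme change, noted only so it can be picked up later.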
@@ -23161,21 +23161,21 @@ CVE-2015-XXXX [Invalid read in ensure_filepath]
- cabextract 1.4-5
[wheezy] - cabextract <no-dsa> (Minor issue)
[squeeze] - cabextract <no-dsa> (Minor issue)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/03/12
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/02/03/12
NOTE: Starting with 1.4-5 cabextract uses the mspack system library
CVE-2015-XXXX [Invalid read in create_output_name]
- libmspack 0.5-1
- cabextract 1.4-5
[wheezy] - cabextract <no-dsa> (Minor issue)
[squeeze] - cabextract <no-dsa> (Minor issue)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/03/12
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/02/03/12
NOTE: Starting with 1.4-5 cabextract uses the mspack system library
CVE-2015-1465 (The IPv4 implementation in the Linux kernel before 3.18.8 does not pro ...)
- linux 3.16.7-ckt7-1
[wheezy] - linux <not-affected> (Introduced in 3.16)
- linux-2.6 <not-affected> (Introduced in 3.16)
NOTE: Upstream patch: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0 (v3.19-rc7)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/02/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/02/2
CVE-2015-1473 (The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka gli ...)
{DSA-3169-1 DLA-165-1}
- glibc 2.19-15 (bug #777197)
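Review bot: the upstream-patch NOTE for CVE-2015-1465 in this hunk still points at "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0" over plain HTTP, while the CVE-2015-2666 and CVE-2015-2672 entries earlier in this same diff already use https://git.kernel.org for the same cgit path. It is outside the stated scope of this change (openwall URLs only), but the same scheme rewrite should be applied to git.kernel.org references in a follow-up so that fix pointers are not fetched over an unauthenticated transport.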
@@ -23224,7 +23224,7 @@ CVE-2015-1430 (Buffer overflow in xymon 4.3.17-1. ...)
[squeeze] - xymon <not-affected> (Vulnerable code not present)
[wheezy] - xymon <not-affected> (Vulnerable code not present)
NOTE: Upstream patch: http://sourceforge.net/p/xymon/code/7483/
- NOTE: http://www.openwall.com/lists/oss-security/2015/01/30/17
+ NOTE: https://www.openwall.com/lists/oss-security/2015/01/30/17
CVE-2015-1425 (JAKWEB Gecko CMS has Multiple Input Validation Vulnerabilities ...)
NOT-FOR-US: JAKWEB Gecko CMS
CVE-2015-1424 (Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2 ...)
@@ -23241,7 +23241,7 @@ CVE-2015-1589 (Directory traversal vulnerability in arCHMage 0.2.4 allows remote
- archmage 1:0.2.4-4 (bug #776164)
[squeeze] - archmage <no-dsa> (Minor issue)
[wheezy] - archmage <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/9
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/12/9
CVE-2015-1419 (Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote at ...)
- vsftpd 3.0.2-18 (unimportant; bug #776922)
[jessie] - vsftpd 3.0.2-17+deb8u1
@@ -23254,7 +23254,7 @@ CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, 10.2-BET
NOTE: kfreebsd not covered by security support in Jessie
CVE-2015-1416 (Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 ...)
- patch 2.5-1
- NOTE: http://www.openwall.com/lists/oss-security/2015/08/02/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/08/02/6
NOTE: CVE assignment applies as well to GNU patch before 2.3 and 2.2.5
CVE-2015-1415 (The bsdinstall installer in FreeBSD 10.x before 10.1 p9, when configur ...)
NOT-FOR-US: FreeBSD installer
@@ -23543,7 +23543,7 @@ CVE-2015-1379 (The signal handler implementations in socat before 1.7.3.0 and 2.
- socat 1.7.2.4-2 (bug #776234)
[wheezy] - socat <no-dsa> (Minor issue)
[squeeze] - socat <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/6
+ NOTE: https://www.openwall.com/lists/oss-security/2015/01/24/6
NOTE: Upstream advisory: http://www.dest-unreach.org/socat/contrib/socat-secadv6.txt
CVE-2015-1378 (cmdlineopts.clp in grml-debootstrap in Debian 0.54, 0.68.x before 0.68 ...)
- grml-debootstrap 0.68.1 (low; bug #776502)
@@ -23556,7 +23556,7 @@ CVE-2015-1395 (Directory traversal vulnerability in GNU patch versions which sup
[wheezy] - patch <not-affected> (Support for git-style patches added in 2.7)
[squeeze] - patch <not-affected> (Support for git-style patches added in 2.7)
NOTE: Upstream report: https://savannah.gnu.org/bugs/?44059
- NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/01/24/2
CVE-2015-1370 (Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Nod ...)
- node-marked 0.3.6+dfsg-1 (unimportant)
NOTE: https://nodesecurity.io/advisories/marked_vbscript_injection
@@ -24112,18 +24112,18 @@ CVE-2015-1396 (A Directory Traversal vulnerability exists in the GNU patch befor
- patch 2.7.3-1 (bug #775901)
[wheezy] - patch <not-affected> (Not affected by CVE-2015-1196 and no incomplete fix applied)
[squeeze] - patch <not-affected> (Not affected by CVE-2015-1196 and no incomplete fix applied)
- NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/3
+ NOTE: https://www.openwall.com/lists/oss-security/2015/01/24/3
CVE-2015-1353
REJECTED
CVE-2015-4471 (Off-by-one error in the lzxd_decompress function in lzxd.c in libmspac ...)
- libmspack 0.5-1 (bug #775499)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-4470 (Off-by-one error in the inflate function in mszipd.c in libmspack befo ...)
- libmspack 0.5-1 (bug #775498)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-4472 (Off-by-one error in the READ_ENCINT macro in chmd.c in libmspack befor ...)
- libmspack 0.5-1 (bug #775687)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-1591 (The kamailio build in kamailio before 4.2.0-2 process allows local use ...)
- kamailio 4.2.0-2 (bug #775681)
NOTE: https://github.com/kamailio/kamailio/issues/48
@@ -24410,7 +24410,7 @@ CVE-2015-1051 (Open redirect vulnerability in the Context UI module in the Conte
CVE-2015-2304 (Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 a ...)
{DSA-3180-1 DLA-166-1}
- libarchive 3.1.2-11 (bug #778266)
- NOTE: http://www.openwall.com/lists/oss-security/2015/01/16/7
+ NOTE: https://www.openwall.com/lists/oss-security/2015/01/16/7
NOTE: Patch: https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
CVE-2015-1200 (Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for t ...)
- pxz 4.999.99~beta3+git659fc9b-3 (bug #775306)
@@ -24709,8 +24709,8 @@ CVE-2015-5700 (mktexlsr revision 22855 through revision 36625 as packaged in tex
- texlive-bin 2014.20140926.35254-5 (bug #775139)
[wheezy] - texlive-bin <no-dsa> (Minor issue)
[squeeze] - texlive-bin <no-dsa> (Minor issue)
- NOTE: http://www.openwall.com/lists/oss-security/2015/04/23/22
- NOTE: http://www.openwall.com/lists/oss-security/2015/07/28/5
+ NOTE: https://www.openwall.com/lists/oss-security/2015/04/23/22
+ NOTE: https://www.openwall.com/lists/oss-security/2015/07/28/5
NOTE: https://www.tug.org/svn/texlive/trunk/Build/source/texk/kpathsea/mktexlsr?r1=19613&r2=22885
CVE-2015-1196 (GNU patch 2.7.1 allows remote attackers to write to arbitrary files vi ...)
- patch 2.7.1-7 (bug #775227)
@@ -24846,7 +24846,7 @@ CVE-2015-0881 (CRLF injection vulnerability in Squid before 3.1.1 allows remote
[squeeze] - squid <no-dsa> (Minor issue)
[wheezy] - squid <no-dsa> (Minor issue)
- squid3 3.1.1-1
- NOTE: http://www.openwall.com/lists/oss-security/2015/03/01/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/03/01/2
NOTE: Patch: http://www.squid-cache.org/Versions/v3/3.1/changesets/b9619.patch
NOTE: https://jvn.jp/en/jp/JVN64455813/index.html
CVE-2015-0880 (Buffer overflow in CREAR AL-Mail32 before 1.13d allows remote attacker ...)
@@ -25705,13 +25705,13 @@ CVE-2015-1197 (cpio 2.11, when using the --no-absolute-filenames option, allows
NOTE: Regression in upstream's handling of patch https://bugs.debian.org/946267
CVE-2015-4469 (The chmd_read_headers function in chmd.c in libmspack before 0.5 does ...)
- libmspack 0.4-3 (bug #774726)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-4468 (Multiple integer overflows in the search_chunk function in chmd.c in l ...)
- libmspack 0.4-3 (bug #774726)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-4467 (The chmd_init_decomp function in chmd.c in libmspack before 0.5 does n ...)
- libmspack 0.4-3 (bug #774725)
- NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11
+ NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11
CVE-2015-9275 (ARC 5.21q allows directory traversal via a full pathname in an archive ...)
- arc 5.21q-6 (low; bug #774527)
[stretch] - arc 5.21q-4+deb9u1
@@ -25723,7 +25723,7 @@ CVE-2015-XXXX [saves unknown host's fingerprint in known_hosts without any promp
[jessie] - lftp 4.6.0-1+deb8u1
[squeeze] - lftp <no-dsa> (Minor issue)
[wheezy] - lftp <no-dsa> (Minor issue)
- NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/12/10
+ NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/03/12/10
CVE-2015-0564 (Buffer underflow in the ssl_decrypt_record function in epan/dissectors ...)
{DSA-3141-1 DLA-198-1}
- wireshark 1.12.1+g01b65bf-3 (bug #776135)
@@ -25972,7 +25972,7 @@ CVE-2015-0480 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, a
- openjdk-8 8u45-b14-1
- openjdk-7 7u79-2.5.5-1 (bug #774953)
- openjdk-6 6b35-1.13.7-1
- NOTE: http://www.openwall.com/lists/oss-security/2015/01/16/2
+ NOTE: https://www.openwall.com/lists/oss-security/2015/01/16/2
CVE-2015-0479 (Unspecified vulnerability in the XDK and XDB - XML Database component ...)
NOT-FOR-US: Oracle
CVE-2015-0478 (Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u ...)