| author | Joey Hess <joeyh@debian.org> | 2014-04-30 21:14:10 +0000 |
|---|---|---|
| committer | Joey Hess <joeyh@debian.org> | 2014-04-30 21:14:10 +0000 |
| commit | 19de4a08aec58f7e1a1a9fd77a1b489a71f6f07d (patch) | |
| tree | 236c22b47cebe75133d2f9dd9cbb31e1259a1263 /data/CVE | |
| parent | d0a727b279b13253e154f5d24a17d456ab5d4ce8 (diff) | |
automatic update
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@26763 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data/CVE')
-rw-r--r-- | data/CVE/2001.list | 2 |
-rw-r--r-- | data/CVE/2009.list | 2 |
-rw-r--r-- | data/CVE/2010.list | 3 |
-rw-r--r-- | data/CVE/2011.list | 11 |
-rw-r--r-- | data/CVE/2012.list | 20 |
-rw-r--r-- | data/CVE/2013.list | 115 |
-rw-r--r-- | data/CVE/2014.list | 600 |
7 files changed, 481 insertions, 272 deletions
diff --git a/data/CVE/2001.list b/data/CVE/2001.list index 4fbb51f28f..19cd2bcfba 100644 --- a/data/CVE/2001.list +++ b/data/CVE/2001.list @@ -1,4 +1,4 @@ -CVE-2001-1593 (The tempname_ensure function lib/routines.h in a2ps 4.14 and earlier, ...) +CVE-2001-1593 (The tempname_ensure function in lib/routines.h in a2ps 4.14 and ...) {DSA-2892-1} - a2ps 1:4.14-1.2 (low; bug #737385) [wheezy] - a2ps <no-dsa> (Minor issue) diff --git a/data/CVE/2009.list b/data/CVE/2009.list index c0b8f533da..127ab0356f 100644 --- a/data/CVE/2009.list +++ b/data/CVE/2009.list @@ -10305,7 +10305,7 @@ CVE-2009-1268 (The Check Point High-Availability Protocol (CPHAP) dissector in . [etch] - wireshark 0.99.4-5.etch.4 CVE-2009-1267 (Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.2 ...) - wireshark <not-affected> (Only affects Wireshark on Windows) -CVE-2009-1266 (Unspecified vulnerability in Wireshark before 1.0.7-0.1-1 has unknown ...) +CVE-2009-1266 (Unspecified vulnerability in Wireshark before 1.0.7 has unknown impact ...) NOTE: Dupe of CVE-2009-1210 CVE-2009-1265 (Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux ...) {DSA-1800-1 DSA-1794-1 DSA-1787-1} diff --git a/data/CVE/2010.list b/data/CVE/2010.list index f23bcf9a1b..8849ce1b48 100644 --- a/data/CVE/2010.list +++ b/data/CVE/2010.list @@ -404,8 +404,7 @@ CVE-2010-5107 (The default configuration of OpenSSH through 6.1 enforces a fixed [squeeze] - openssh 1:5.5p1-6+squeeze3 CVE-2010-5106 (The XML-RPC remote publishing interface in xmlrpc.php in WordPress ...) - wordpress 3.0.3-1 -CVE-2010-5105 [blender /tmp/quit.blend temp file issue] - RESERVED +CVE-2010-5105 (The undo save quit routine in the kernel in Blender 2.5, 2.63a, and ...) - blender <unfixed> (low; bug #584621) [squeeze] - blender <no-dsa> (Minor issue) [wheezy] - blender <no-dsa> (Minor issue) diff --git a/data/CVE/2011.list b/data/CVE/2011.list index f0e3625095..70d2a076bd 100644 --- a/data/CVE/2011.list +++ b/data/CVE/2011.list 
@@ -1,3 +1,5 @@ +CVE-2011-5279 (CRLF injection vulnerability in the CGI implementation in Microsoft ...) + TODO: check CVE-2011-5278 (SQL injection vulnerability in signature.php in Advanced Forum ...) NOT-FOR-US: MyBB plugin Advanced Forum Signatures CVE-2011-5277 (Multiple SQL injection vulnerabilities in signature.php in the ...) @@ -4160,12 +4162,10 @@ CVE-2011-3604 (The process_ra function in the router advertisement daemon (radvd {DSA-2323-1} - radvd 1:1.8-1.1 (bug #644614) NOTE: http://seclists.org/oss-sec/2011/q4/30 -CVE-2011-3603 - RESERVED +CVE-2011-3603 (The router advertisement daemon (radvd) before 1.8.2 does not properly ...) NOTE: http://seclists.org/oss-sec/2011/q4/30 NOTE: should be rejected (http://seclists.org/oss-sec/2011/q4/72) -CVE-2011-3602 - RESERVED +CVE-2011-3602 (Directory traversal vulnerability in device-linux.c in the router ...) {DSA-2323-1} - radvd 1:1.8-1.1 (bug #644614) NOTE: http://seclists.org/oss-sec/2011/q4/30 @@ -5367,8 +5367,7 @@ CVE-2011-3154 (DistUpgrade/DistUpgradeViewKDE.py in Update Manager before ...) NOTE: see bug #650307 CVE-2011-3153 (dmrc.c in Light Display Manager (aka LightDM) before 1.1.1 allows ...) - lightdm 1.0.6-2 -CVE-2011-3152 - RESERVED +CVE-2011-3152 (DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before ...) - update-manager <not-affected> (ubuntu-specific issue) NOTE: see bug #650307 CVE-2011-3151 diff --git a/data/CVE/2012.list b/data/CVE/2012.list index 9210be463a..565dac93a4 100644 --- a/data/CVE/2012.list +++ b/data/CVE/2012.list 
@@ -337,7 +337,7 @@ CVE-2012-6516 (SQL injection vulnerability in PHP Ticket System Beta 1 allows re NOT-FOR-US: PHP Ticket System Beta CVE-2012-6515 (eFront 3.6.10, 3.6.11 build 15059, and earlier allows remote attackers ...) NOT-FOR-US: eFront -CVE-2012-6514 (Cross-site scripting (XSS) vulnerability in the nBill (com_netinvoice) ...) +CVE-2012-6514 (Cross-site scripting (XSS) vulnerability in the nBill (com_nbill) ...) NOT-FOR-US: nBill for Joomla! CVE-2012-6513 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: gpEasy CMS @@ -2251,8 +2251,8 @@ CVE-2012-5725 RESERVED CVE-2012-5724 RESERVED -CVE-2012-5723 - RESERVED +CVE-2012-5723 (Cisco ASR 1000 devices with software before 3.8S, when BDI routing is ...) + TODO: check CVE-2012-5722 RESERVED CVE-2012-5721 @@ -4573,7 +4573,7 @@ CVE-2012-4755 (Untrusted search path vulnerability in SciTools Understand before CVE-2012-4754 (Multiple untrusted search path vulnerabilities in MindManager 2012 ...) NOT-FOR-US: MindManager CVE-2012-4410 - RESERVED + REJECTED NOTE: to be rejected CVE-2012-4753 (Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud ...) NOTE: http://www.openwall.com/lists/oss-security/2012/09/05/17 @@ -5900,8 +5900,7 @@ CVE-2012-4232 (SQL injection vulnerability in admin/index.php in jCore before 1. NOT-FOR-US: jCore CVE-2012-4231 (Cross-site scripting (XSS) vulnerability in admin/index.php in jCore ...) NOT-FOR-US: jCore -CVE-2012-4230 [XSS attacks via security policy bypass] - RESERVED +CVE-2012-4230 (The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the ...) - tinymce <unfixed> - python-django-tinymce <unfixed> TODO: check @@ -6744,8 +6743,8 @@ CVE-2012-3948 RESERVED CVE-2012-3947 RESERVED -CVE-2012-3946 - RESERVED +CVE-2012-3946 (Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ...) + TODO: check CVE-2012-3945 RESERVED CVE-2012-3944 
@@ -7983,7 +7982,7 @@ CVE-2012-3417 (The good_client function in rquotad (rquota_svc.c) in Linux DiskQ CVE-2012-3416 (Condor before 7.8.2 allows remote attackers to bypass host-based ...) - condor 7.8.2~dfsg.1-1 (bug #685366) CVE-2012-3415 - RESERVED + REJECTED - plpupload <itp> (bug #668396) - wordpress 3.3.2 CVE-2012-3414 (Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload ...) @@ -9075,7 +9074,8 @@ CVE-2012-2953 (The management console in Symantec Web Gateway 5.0.x before 5.0.3 NOT-FOR-US: Symantec Web Gateway CVE-2012-2952 (SQL injection vulnerability in add_ons.php in Jaow 2.4.5 and earlier ...) NOT-FOR-US: Jaow -CVE-2012-2951 (SQL injection vulnerability in plog-rss.php in Plogger allows remote ...) +CVE-2012-2951 + REJECTED NOT-FOR-US: Plogger CVE-2012-2950 RESERVED diff --git a/data/CVE/2013.list b/data/CVE/2013.list index 7303673f87..a8f68b3840 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -1,3 +1,7 @@ +CVE-2013-7373 (Android before 4.4 does not properly arrange for seeding of the ...) + TODO: check +CVE-2013-7372 (The engineNextBytes function in ...) + TODO: check CVE-2013-XXXX [buffer overflow in miniupnpc] - miniupnpc <unfixed> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1085618 @@ -6,6 +10,7 @@ CVE-2013-XXXX [buffer overflow in miniupnpc] CVE-2013-7369 (SQL injection vulnerability in an unspecified DLL in the FSDBCom ...) NOT-FOR-US: F-Secure Anti-Virus CVE-2013-7374 + RESERVED NOT-FOR-US: indicator-datetime CVE-2013-7371 [XSS in the Sencha Labs Connect middleware] RESERVED 
@@ -227,8 +232,7 @@ CVE-2013-7303 (Multiple cross-site scripting (XSS) vulnerabilities in (1) ...) - spip 3.0.13-1 (bug #736170) [wheezy] - spip 2.1.17-1+deb7u3 [squeeze] - spip 2.1.1-3squeeze8 -CVE-2013-7302 - RESERVED +CVE-2013-7302 (Session fixation vulnerability in the Ubercart module 6.x-2.x before ...) NOT-FOR-US: Drupal contrib CVE-2013-7301 (Cantata before 1.2.2 does not restrict access to files in the play ...) - cantata <not-affected> (Vulnerable code introduced with 1.2.0; bug #736154) @@ -298,12 +302,10 @@ CVE-2013-7285 [remote code execution via deserialization in XStream] NOTE: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html NOTE: http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3 NOTE: initial patch: https://fisheye.codehaus.org/changelog/xstream?cs=2210 -CVE-2013-7284 [libplrpc-perl remote code execution due to Storable] - RESERVED +CVE-2013-7284 (The PlRPC module, possibly 0.2020 and earlier, for Perl uses the ...) - libplrpc-perl <removed> (high; bug #734789) NOTE: Upstream appears dead. -CVE-2013-7273 [no prompt anymore after login cancel using disable_user_list] - RESERVED +CVE-2013-7273 (GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list ...) - gdm3 <unfixed> (low; bug #683338) [wheezy] - gdm3 <no-dsa> (Minor issue) [squeeze] - gdm3 <not-affected> (Vulnerable code not present) @@ -397,8 +399,7 @@ CVE-2013-7238 RESERVED CVE-2013-7237 RESERVED -CVE-2013-7259 - RESERVED +CVE-2013-7259 (Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J ...) - neo4j-community <itp> (bug #685615) NOTE: http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html CVE-2013-7258 (Cross-site scripting (XSS) vulnerability in web2ldap 1.1.x before ...) 
@@ -593,14 +594,11 @@ CVE-2013-7239 (memcached before 1.4.17 allows remote attackers to bypass ...) NOTE: https://code.google.com/p/memcached/wiki/ReleaseNotes1417 NOTE: https://code.google.com/p/memcached/issues/detail?id=316 NOTE: https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32 -CVE-2013-7236 - RESERVED +CVE-2013-7236 (Simple Machines Forum (SMF) 2.0.6, 1.1.19, and earlier allows remote ...) NOT-FOR-US: Simple Machines Forum -CVE-2013-7235 - RESERVED +CVE-2013-7235 (Simple Machines Forum (SMF) before 1.1.19 and 2.x before 2.0.6 allows ...) NOT-FOR-US: Simple Machines Forum -CVE-2013-7234 - RESERVED +CVE-2013-7234 (Simple Machines Forum (SMF) before 1.1.19 and 2.x before 2.0.6 allows ...) NOT-FOR-US: Simple Machines Forum CVE-2013-7225 (Multiple SQL injection vulnerabilities in ...) NOT-FOR-US: Fat Free CRM @@ -610,14 +608,12 @@ CVE-2013-7223 (Multiple cross-site request forgery (CSRF) vulnerabilities in Fat NOT-FOR-US: Fat Free CRM CVE-2013-7222 (config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has ...) NOT-FOR-US: Fat Free CRM -CVE-2013-7221 [run command dialog visible above screen locker] - RESERVED +CVE-2013-7221 (The automatic screen lock functionality in GNOME Shell (aka ...) - gnome-shell <unfixed> [wheezy] - gnome-shell <not-affected> (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=708313 NOTE: https://git.gnome.org/browse/gnome-shell/commit/js/ui/main.js?id=efdf1ff755943fba1f8a9aaeff77daa3ed338088 -CVE-2013-7220 [blind command execution via activities search keyboard focus] - RESERVED +CVE-2013-7220 (js/ui/screenShield.js in GNOME Shell (aka gnome-shell) before 3.8 ...) - gnome-shell <unfixed> [wheezy] - gnome-shell <not-affected> (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=686740 
@@ -672,8 +668,7 @@ CVE-2013-7135 (The Proc::Daemon module 0.14 for Perl uses world-writable permiss [wheezy] - libproc-daemon-perl <no-dsa> (Minor issue) [squeeze] - libproc-daemon-perl <not-affected> (does not have pid_file option) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=91450 -CVE-2013-7134 - RESERVED +CVE-2013-7134 (Juvia uses the same secret key for all installations, which allows ...) NOT-FOR-US: Juvia CVE-2013-7133 RESERVED @@ -769,8 +764,7 @@ CVE-2013-7112 (The dissect_sip_common function in epan/dissectors/packet-sip.c i NOTE: https://www.wireshark.org/security/wnpa-sec-2013-66.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9388 NOTE: Not suitable for code injection -CVE-2013-7111 - RESERVED +CVE-2013-7111 (The put_call function in the API client (api/api_client.rb) in the ...) NOT-FOR-US: Bio Basespace SDK Ruby Gem CVE-2013-7110 RESERVED @@ -797,21 +791,17 @@ CVE-2013-7106 (Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 NOTE: https://dev.icinga.org/issues/5250 CVE-2013-7083 RESERVED -CVE-2013-7068 - RESERVED +CVE-2013-7068 (The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal ...) + TODO: check CVE-2013-7067 (The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not ...) NOT-FOR-US: Drupal module -CVE-2013-7066 - RESERVED +CVE-2013-7066 (The Entity reference module 7.x-1.x before 7.x-1.1-rc1 for Drupal ...) NOT-FOR-US: Drupal module -CVE-2013-7065 - RESERVED +CVE-2013-7065 (The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal ...) NOT-FOR-US: Drupal module -CVE-2013-7064 - RESERVED +CVE-2013-7064 (Cross-site scripting (XSS) vulnerability in the EU Cookie Compliance ...) NOT-FOR-US: Drupal module -CVE-2013-7063 - RESERVED +CVE-2013-7063 (The Invitation module 7.x-2.x for Drupal does not properly check ...) NOT-FOR-US: Drupal module CVE-2013-7059 RESERVED 
@@ -1369,8 +1359,7 @@ CVE-2013-6889 [Allows reading arbitrary files] CVE-2013-6888 (Uscan in devscripts before 2.13.9 allows remote attackers to execute ...) {DSA-2836-1} - devscripts 2.13.9 -CVE-2013-6887 - RESERVED +CVE-2013-6887 (OpenJPEG 1.5.1 allows remote attackers to cause a denial of service ...) - openjpeg 1.5.2-1 (bug #731237) [wheezy] - openjpeg <not-affected> (Only affects 1.5) [squeeze] - openjpeg <not-affected> (Only affects 1.5) @@ -1697,8 +1686,8 @@ CVE-2013-6740 RESERVED CVE-2013-6739 RESERVED -CVE-2013-6738 - RESERVED +CVE-2013-6738 (Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics ...) + TODO: check CVE-2013-6737 RESERVED CVE-2013-6736 @@ -3517,8 +3506,7 @@ CVE-2013-6055 CVE-2013-6054 (Heap-based buffer overflow in OpenJPEG 1.3 has unspecified impact and ...) {DSA-2808-1} - openjpeg 1.3+dfsg-4.7 (bug #731237) -CVE-2013-6053 - RESERVED +CVE-2013-6053 (OpenJPEG 1.5.1 allows remote attackers to obtain sensitive information ...) - openjpeg 1.5.2-1 (bug #731237) [wheezy] - openjpeg <not-affected> (Only affects 1.5) [squeeze] - openjpeg <not-affected> (Only affects 1.5) @@ -3729,12 +3717,11 @@ CVE-2013-5958 RESERVED CVE-2013-5957 (Multiple SQL injection vulnerabilities in ...) NOT-FOR-US: CiviCRM -CVE-2013-5956 - RESERVED +CVE-2013-5956 (Cross-site scripting (XSS) vulnerability in includes/flvthumbnail.php ...) + TODO: check CVE-2013-5955 (Cross-site scripting (XSS) vulnerability in manage.php in the ...) NOT-FOR-US: Joomla plugin -CVE-2013-5954 - RESERVED +CVE-2013-5954 (Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX ...) NOT-FOR-US: OpenX CVE-2013-5953 (Multiple cross-site scripting (XSS) vulnerabilities in ...) NOT-FOR-US: Joomla component multi calendar 
@@ -4462,8 +4449,8 @@ CVE-2013-5661 [DNS response rate limiting can simplify cache poisoning attacks] NOTE: DNS protocol flaw NOTE: http://www.certa.ssi.gouv.fr/site/CERTA-2013-AVI-506/index.html NOTE: https://www.isc.org/blogs/cache-poisoning-gets-a-second-wind-from-rrl-probably-not/ -CVE-2013-5660 - RESERVED +CVE-2013-5660 (Buffer overflow in Power Software WinArchiver 3.2 allows remote ...) + TODO: check CVE-2013-5659 RESERVED CVE-2013-5658 @@ -6597,16 +6584,16 @@ CVE-2013-4728 RESERVED CVE-2013-4727 RESERVED -CVE-2013-4726 - RESERVED +CVE-2013-4726 (Cross-site request forgery (CSRF) vulnerability in DDSN Interactive ...) + TODO: check CVE-2013-4725 RESERVED CVE-2013-4724 RESERVED -CVE-2013-4723 - RESERVED -CVE-2013-4722 - RESERVED +CVE-2013-4723 (Open redirect vulnerability in DDSN Interactive cm3 Acora CMS ...) + TODO: check +CVE-2013-4722 (Multiple cross-site scripting (XSS) vulnerabilities in ...) + TODO: check CVE-2013-4721 (SQL injection vulnerability in the RSS feed from records extension ...) NOT-FOR-US: records extension for TYPO3 CVE-2013-4720 (SQL injection vulnerability in the WEC Discussion Forum extension ...) @@ -6986,8 +6973,7 @@ CVE-2013-4567 (Incomplete blacklist vulnerability in Sanitizer::checkCss in Medi CVE-2013-4566 (mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the ...) - libapache2-mod-nss 1.0.8-4 (low; bug #731627) [wheezy] - libapache2-mod-nss <no-dsa> (Minor issue) -CVE-2013-4565 [heap-based buffer overflow] - RESERVED +CVE-2013-4565 (Heap-based buffer overflow in the __OLEdecode function in ppthtml ...) - xlhtml <removed> (bug #729279) CVE-2013-4564 (Libreswan 3.6 allows remote attackers to cause a denial of service ...) NOT-FOR-US: libreswan 
@@ -7880,10 +7866,9 @@ CVE-2013-4338 (wp-includes/functions.php in WordPress before 3.6.1 does not prop - wordpress 3.6.1+dfsg-1 (bug #722537) NOTE: http://core.trac.wordpress.org/changeset/25325 CVE-2013-4337 - RESERVED + REJECTED NOT-FOR-US: Drupal module -CVE-2013-4336 - RESERVED +CVE-2013-4336 (Cross-site scripting (XSS) vulnerability in the admin page in the Flag ...) NOT-FOR-US: Drupal module CVE-2013-4335 RESERVED @@ -8053,8 +8038,8 @@ CVE-2013-4286 (Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before .. - tomcat6 6.0.39 - tomcat7 7.0.47 - tomcat8 8.0.0 -CVE-2013-4285 - RESERVED +CVE-2013-4285 (A certain Gentoo patch for the PAM S/Key module does not properly ...) + TODO: check CVE-2013-4284 (Cumin, as used in Red Hat Enterprise MRG 2.4, allows remote attackers ...) NOT-FOR-US: Cumin CVE-2013-4283 (ns-slapd in 389 Directory Server before 1.3.0.8 allows remote ...) @@ -8528,7 +8513,7 @@ CVE-2013-4147 (Multiple format string vulnerabilities in Yet Another Radius Daem CVE-2013-4146 RESERVED CVE-2013-4145 - RESERVED + REJECTED CVE-2013-4144 RESERVED CVE-2013-4143 @@ -10988,8 +10973,8 @@ CVE-2013-3071 RESERVED CVE-2013-3070 RESERVED -CVE-2013-3069 - RESERVED +CVE-2013-3069 (Multiple cross-site scripting (XSS) vulnerabilities in NETGEAR ...) + TODO: check CVE-2013-3068 RESERVED CVE-2013-3067 @@ -13854,8 +13839,7 @@ CVE-2013-2027 RESERVED CVE-2013-2026 REJECTED -CVE-2013-2025 - RESERVED +CVE-2013-2025 (Cross-site scripting (XSS) vulnerability in Ushahidi Platform 2.5.x ...) NOT-FOR-US: Ushahidi CVE-2013-2024 [OS command injection vulnerability in Chicken Scheme] RESERVED @@ -14621,8 +14605,8 @@ CVE-2013-1806 RESERVED CVE-2013-1805 RESERVED -CVE-2013-1804 - RESERVED +CVE-2013-1804 (Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion ...) + TODO: check CVE-2013-1803 RESERVED CVE-2013-1802 (The extlib gem 0.9.15 and earlier for Ruby does not properly restrict ...) 
@@ -18750,8 +18734,7 @@ CVE-2013-0298 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4 CVE-2013-0297 (Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before ...) - owncloud 4.0.8debian-1.5 (bug #701115) NOTE: http://owncloud.org/about/security/advisories/oC-SA-2013-003/ -CVE-2013-0296 [creates temp files with too wide permissions] - RESERVED +CVE-2013-0296 (Race condition in pigz before 2.2.5 uses permissions derived from the ...) - pigz 2.2.4-2 (low; bug #700608) [squeeze] - pigz 2.1.6-1+squeeze1 CVE-2013-0295 [CreateID() creates serialized packet IDs for RADIUS] diff --git a/data/CVE/2014.list b/data/CVE/2014.list index 76b55624c7..fa90994c04 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list 
@@ -1,3 +1,285 @@ +CVE-2014-3128 + RESERVED +CVE-2014-3127 + RESERVED +CVE-2014-3126 + RESERVED +CVE-2014-3125 + RESERVED +CVE-2014-3124 + RESERVED +CVE-2014-3123 + RESERVED +CVE-2014-3122 + RESERVED +CVE-2014-3121 + RESERVED +CVE-2014-3120 + RESERVED +CVE-2014-3119 + RESERVED +CVE-2014-3118 + RESERVED +CVE-2014-3117 + RESERVED +CVE-2014-3116 + RESERVED +CVE-2014-3115 + RESERVED +CVE-2014-3114 + RESERVED +CVE-2014-3113 + RESERVED +CVE-2014-3112 + RESERVED +CVE-2014-3110 + RESERVED +CVE-2014-3109 + RESERVED +CVE-2014-3108 + RESERVED +CVE-2014-3107 + RESERVED +CVE-2014-3106 + RESERVED +CVE-2014-3105 + RESERVED +CVE-2014-3104 + RESERVED +CVE-2014-3103 + RESERVED +CVE-2014-3102 + RESERVED +CVE-2014-3101 + RESERVED +CVE-2014-3100 + RESERVED +CVE-2014-3099 + RESERVED +CVE-2014-3098 + RESERVED +CVE-2014-3097 + RESERVED +CVE-2014-3096 + RESERVED +CVE-2014-3095 + RESERVED +CVE-2014-3094 + RESERVED +CVE-2014-3093 + RESERVED +CVE-2014-3092 + RESERVED +CVE-2014-3091 + RESERVED +CVE-2014-3090 + RESERVED +CVE-2014-3089 + RESERVED +CVE-2014-3088 + RESERVED +CVE-2014-3087 + RESERVED +CVE-2014-3086 + RESERVED +CVE-2014-3085 + RESERVED +CVE-2014-3084 + RESERVED +CVE-2014-3083 + RESERVED +CVE-2014-3082 + RESERVED +CVE-2014-3081 + RESERVED +CVE-2014-3080 + RESERVED +CVE-2014-3079 + RESERVED +CVE-2014-3078 + RESERVED +CVE-2014-3077 + RESERVED +CVE-2014-3076 + RESERVED +CVE-2014-3075 + RESERVED +CVE-2014-3074 + RESERVED +CVE-2014-3073 + RESERVED +CVE-2014-3072 + RESERVED +CVE-2014-3071 + RESERVED +CVE-2014-3070 + RESERVED +CVE-2014-3069 + RESERVED +CVE-2014-3068 + RESERVED +CVE-2014-3067 + RESERVED +CVE-2014-3066 + RESERVED +CVE-2014-3065 + RESERVED +CVE-2014-3064 + RESERVED +CVE-2014-3063 + RESERVED +CVE-2014-3062 + RESERVED +CVE-2014-3061 + RESERVED +CVE-2014-3060 + RESERVED +CVE-2014-3059 + RESERVED +CVE-2014-3058 + RESERVED +CVE-2014-3057 + RESERVED +CVE-2014-3056 + RESERVED +CVE-2014-3055 + RESERVED +CVE-2014-3054 + RESERVED +CVE-2014-3053 + RESERVED +CVE-2014-3052 + RESERVED 
+CVE-2014-3051 + RESERVED +CVE-2014-3050 + RESERVED +CVE-2014-3049 + RESERVED +CVE-2014-3048 + RESERVED +CVE-2014-3047 + RESERVED +CVE-2014-3046 + RESERVED +CVE-2014-3045 + RESERVED +CVE-2014-3044 + RESERVED +CVE-2014-3043 + RESERVED +CVE-2014-3042 + RESERVED +CVE-2014-3041 + RESERVED +CVE-2014-3040 + RESERVED +CVE-2014-3039 + RESERVED +CVE-2014-3038 + RESERVED +CVE-2014-3037 + RESERVED +CVE-2014-3036 + RESERVED +CVE-2014-3035 + RESERVED +CVE-2014-3034 + RESERVED +CVE-2014-3033 + RESERVED +CVE-2014-3032 + RESERVED +CVE-2014-3031 + RESERVED +CVE-2014-3030 + RESERVED +CVE-2014-3029 + RESERVED +CVE-2014-3028 + RESERVED +CVE-2014-3027 + RESERVED +CVE-2014-3026 + RESERVED +CVE-2014-3025 + RESERVED +CVE-2014-3024 + RESERVED +CVE-2014-3023 + RESERVED +CVE-2014-3022 + RESERVED +CVE-2014-3021 + RESERVED +CVE-2014-3020 + RESERVED +CVE-2014-3019 + RESERVED +CVE-2014-3018 + RESERVED +CVE-2014-3017 + RESERVED +CVE-2014-3016 + RESERVED +CVE-2014-3015 + RESERVED +CVE-2014-3014 + RESERVED +CVE-2014-3013 + RESERVED +CVE-2014-3012 + RESERVED +CVE-2014-3011 + RESERVED +CVE-2014-3010 + RESERVED +CVE-2014-3009 + RESERVED +CVE-2014-3008 (Unitrends Enterprise Backup 7.3.0 allows remote authenticated users to ...) + TODO: check +CVE-2014-3007 (Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might ...) + TODO: check +CVE-2014-3006 + RESERVED +CVE-2014-3005 + RESERVED +CVE-2014-3004 + RESERVED +CVE-2014-3003 + RESERVED +CVE-2014-3002 + RESERVED +CVE-2014-3001 + RESERVED +CVE-2014-3000 + RESERVED +CVE-2014-2999 + RESERVED +CVE-2014-2998 + RESERVED +CVE-2014-2997 + RESERVED +CVE-2014-2996 (XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem ...) + TODO: check +CVE-2014-2995 + RESERVED +CVE-2014-2994 (Stack-based buffer overflow in Acunetix Web Vulnerability Scanner ...) + TODO: check +CVE-2014-2993 (The Birebin.com application for Android does not verify X.509 ...) + TODO: check +CVE-2014-2992 (The Misli.com application for Android does not verify X.509 ...) 
+ TODO: check +CVE-2014-2991 + RESERVED +CVE-2014-2990 + RESERVED +CVE-2014-2989 + RESERVED +CVE-2014-2988 + RESERVED +CVE-2014-2987 + RESERVED CVE-2014-XXXX [mm: try_to_unmap_cluster() should lock_page() before mlocking] - linux <unfixed> - linux-2.6 <removed> @@ -16,11 +298,12 @@ CVE-2014-XXXX [incomplete fix for CVE-2014-2707] NOTE: incomplete fix was applied NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7194 CVE-2014-3111 + RESERVED NOT-FOR-US: fog cloning solution, not in Debian CVE-2014-2985 RESERVED CVE-2014-2984 - RESERVED + REJECTED CVE-2014-2982 RESERVED CVE-2014-2981 @@ -31,8 +314,8 @@ CVE-2014-2978 RESERVED CVE-2014-2977 RESERVED -CVE-2014-2976 - RESERVED +CVE-2014-2976 (Directory traversal vulnerability in Sixnet SixView Manager 2.4.1 ...) + TODO: check CVE-2014-2975 RESERVED CVE-2014-2974 @@ -165,10 +448,10 @@ CVE-2014-2911 RESERVED CVE-2014-2910 RESERVED -CVE-2014-2909 - RESERVED -CVE-2014-2908 - RESERVED +CVE-2014-2909 (CRLF injection vulnerability in the integrated web server on Siemens ...) + TODO: check +CVE-2014-2908 (Cross-site scripting (XSS) vulnerability in the integrated web server ...) + TODO: check CVE-2014-2906 [unsafe temporary file creationg leading to privilege escalation] RESERVED - fish <unfixed> (low; bug #746259) 
@@ -207,23 +490,20 @@ CVE-2014-XXXX [Insecure default permissions for ~/.virtualenvs and scripts] - virtualenvwrapper <unfixed> (low; bug #745580) [wheezy] - virtualenvwrapper <no-dsa> (Minor issue) [squeeze] - virtualenvwrapper <no-dsa> (Minor issue) -CVE-2014-2907 - RESERVED +CVE-2014-2907 (The srtp_add_address function in epan/dissectors/packet-rtp.c in the ...) - wireshark 1.10.7-1 (bug #745595) [wheezy] - wireshark <not-affected> (Affects 1.10.x only) [squeeze] - wireshark <not-affected> (Affects 1.10.x only) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9885 NOTE: http://www.wireshark.org/security/wnpa-sec-2014-06.html -CVE-2014-2986 [XSA-94 ARM hypervisor crash on guest interrupt controller access] +CVE-2014-2986 (The vgic_distr_mmio_write function in the virtual guest interrupt ...) - xen <not-affected> (Only 32-bit and 64-bit ARM systems are vulnerable from Xen 4.4 onwards) -CVE-2014-2980 [DoS] - RESERVED +CVE-2014-2980 (Tools/gdomap.c in gdomap in GNUstep Base 1.24.6 and earlier, when run ...) - gnustep-base <unfixed> (bug #745470) [wheezy] - gnustep-base <no-dsa> (Minor issue) [squeeze] - gnustep-base <no-dsa> (Minor issue) NOTE: https://savannah.gnu.org/bugs/?41751 -CVE-2014-2915 [XSA-93] - RESERVED +CVE-2014-2915 (Xen 4.4.x, when running on ARM systems, does not properly restrict ...) - xen <not-affected> (Only 32-bit and 64-bit ARM systems are vulnerable from Xen 4.4 onwards) CVE-2014-2913 [Remote command execution] RESERVED @@ -231,8 +511,7 @@ CVE-2014-2913 [Remote command execution] [wheezy] - nagios-nrpe <no-dsa> (Minor issue) [squeeze] - nagios-nrpe <no-dsa> (Minor issue) NOTE: http://seclists.org/fulldisclosure/2014/Apr/240 -CVE-2014-2983 [information disclosure] - RESERVED +CVE-2014-2983 (Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate ...) {DSA-2914-1 DSA-2913-1} - drupal7 7.27-1 - drupal6 <removed> 
@@ -264,8 +543,7 @@ CVE-2014-2896 - cyassl <itp> (bug #598391) CVE-2014-2890 (Cross-site scripting (XSS) vulnerability in the wrap_html function in ...) - phpmyid <itp> (bug #492325) -CVE-2014-2888 - RESERVED +CVE-2014-2888 (lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows ...) NOT-FOR-US: Ruby Gem sfpagent CVE-2014-2885 RESERVED @@ -314,15 +592,13 @@ CVE-2014-2892 (Heap-based buffer overflow in the get_answer function in mmsh.c i - libmms 0.6.2-4 (bug #745301) - xine-lib <not-affected> (mmsh is libmms-specific) NOTE: http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8 -CVE-2014-2893 [scan-build: insecure use of /tmp] - RESERVED +CVE-2014-2893 (The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and ...) - llvm-toolchain-snapshot <unfixed> (bug #744817) - llvm-toolchain-3.3 <unfixed> - llvm-toolchain-3.4 <unfixed> CVE-2014-2854 RESERVED -CVE-2014-2853 [mediawiki (bug 63251) SECURITY: escape sortKey in pageInfo.] - RESERVED +CVE-2014-2853 (Cross-site scripting (XSS) vulnerability in ...) - mediawiki <not-affected> (Vulnerable code not present) CVE-2014-2852 (OpenAFS before 1.6.7 delays the listen thread when an ...) {DSA-2899-1} @@ -335,8 +611,7 @@ CVE-2014-2848 (A race condition in the wmi_malware_scan.nbin plugin before ...) NOT-FOR-US: Nessus CVE-2014-2847 (SQL injection vulnerability in default.asp in CIS Manager CMS allows ...) NOT-FOR-US: CIS Manager CMS -CVE-2014-2846 - RESERVED +CVE-2014-2846 (Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php ...) NOT-FOR-US: Arkeia Server Backup CVE-2014-2845 RESERVED 
@@ -538,13 +813,11 @@ CVE-2014-2738 RESERVED CVE-2014-2737 (SQL injection vulnerability in the get_active_session function in the ...) NOT-FOR-US: KnowledgeTree -CVE-2014-2736 - RESERVED +CVE-2014-2736 (Multiple SQL injection vulnerabilities in MODX Revolution before ...) NOT-FOR-US: MODX Revolution CVE-2014-2735 (WinSCP before 5.5.3, when FTP with TLS is used, does not verify that ...) NOT-FOR-US: WinSCP -CVE-2014-2734 - RESERVED +CVE-2014-2734 (The openssl extension in Ruby 2.x does not properly maintain the state ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1091156#c1 NOTE: https://gist.github.com/gdisneyleugers/10446549 CVE-2014-2733 (Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a ...) 
@@ -553,22 +826,19 @@ CVE-2014-2732 (Multiple directory traversal vulnerabilities in the integrated we NOT-FOR-US: Siemens SINEMA CVE-2014-2731 (Multiple unspecified vulnerabilities in the integrated web server in ...) NOT-FOR-US: Siemens SINEMA -CVE-2014-2889 [arch: x86: net: bpf_jit: an off-by-one bug in x86_64 cond jump target] - RESERVED +CVE-2014-2889 (Off-by-one error in the bpf_jit_compile function in ...) - linux 3.2.1-1 - linux-2.6 3.2.1-1 [squeeze] - linux-2.6 <not-affected> (Introduced in 3.0) NOTE: introduced by https://git.kernel.org/linus/0a14842f5a3c0e88a1e59fac5c3025db39721f74 NOTE: Upstrem fix in https://git.kernel.org/linus/a03ffcf873fe0f2565386ca8ef832144c42e67fa -CVE-2014-2894 [qemu: out of bounds buffer access, guest triggerable via IDE SMART] - RESERVED +CVE-2014-2894 (Off-by-one error in the cmd_smart function in the smart self test in ...) - qemu 2.0.0+dfsg-1 (bug #745157) [squeeze] - qemu <not-affected> (Vulnerable code not present) - qemu-kvm <removed> [squeeze] - qemu-kvm <not-affected> (Vulnerable code not present) NOTE: Upstream fix https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html -CVE-2014-2855 [Daemon infinite loop when no matched user in secrets] - RESERVED +CVE-2014-2855 (The check_secret function in authenticate.c in rsync 3.1.0 and earlier ...) - rsync 3.1.0-3 (bug #744791) [wheezy] - rsync <not-affected> (Introduced in 3.1.0) [squeeze] - rsync <not-affected> (Introduced in 3.1.0) 
@@ -614,15 +884,14 @@ CVE-2014-2743 (plugins/mod_compression.lua in Lightwitch Metronome through 3.4 d NOT-FOR-US: Openfire CVE-2014-2742 (Isode M-Link before 16.0v7 does not properly restrict the processing ...) NOT-FOR-US: Openfire -CVE-2014-2741 (Ignite Realtime Openfire before 3.9.2 does not properly restrict the ...) +CVE-2014-2741 (nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 ...) NOT-FOR-US: Openfire CVE-2014-2730 (The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and ...) NOT-FOR-US: Microsoft Office CVE-2014-2739 (The cma_req_handler function in drivers/infiniband/core/cma.c in the ...) - linux <not-affected> (Introduced and fixed in 3.14) - linux-2.6 <not-affected> ((Introduced and fixed in 3.14) -CVE-2014-2729 - RESERVED +CVE-2014-2729 (Cross-site scripting (XSS) vulnerability in content.aspx in Ektron CMS ...) NOT-FOR-US: Ektron Web Content Management System CVE-2014-2728 RESERVED @@ -655,8 +924,8 @@ CVE-2014-2717 RESERVED CVE-2014-2716 RESERVED -CVE-2014-2715 - RESERVED +CVE-2014-2715 (Multiple cross-site scripting (XSS) vulnerabilities in ...) + TODO: check CVE-2014-2714 (The Enhanced Web Filtering (EWF) in Juniper Junos before 10.4R15, 11.4 ...) NOT-FOR-US: Juniper Junos CVE-2014-2713 (Juniper Junos before 11.4R11, 12.1 before 12.1R9, 12.2 before 12.2R7, ...) 
@@ -707,13 +976,12 @@ CVE-2014-2687 RESERVED CVE-2014-5880 REJECTED -CVE-2014-2709 - RESERVED +CVE-2014-2709 (lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote ...) - cacti 0.8.8b+dfsg-4 (bug #743565) NOTE: http://bugs.cacti.net/view.php?id=2405 (not yet public) NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7439 NOTE: CVE for all changes to lib/rrd.php to add cacti_escapeshellarg calls -CVE-2014-2708 (SQL injection vulnerability in graph_xport.php in Cacti 0.8.8b allows ...) +CVE-2014-2708 (Multiple SQL injection vulnerabilities in graph_xport.php in Cacti ...) - cacti 0.8.8b+dfsg-4 (bug #743565) NOTE: http://bugs.cacti.net/view.php?id=2405 (not yet public) NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7439 @@ -760,10 +1028,10 @@ CVE-2014-2660 RESERVED CVE-2014-2659 (Cross-site request forgery (CSRF) vulnerability in the admin UI in ...) TODO: check -CVE-2014-2658 - RESERVED -CVE-2014-2657 - RESERVED +CVE-2014-2658 (Unspecified vulnerability in Papercut MF and NG before 14.1 (Build ...) + TODO: check +CVE-2014-2657 (Unspecified vulnerability in the print release functionality in ...) + TODO: check CVE-2014-2654 (Multiple SQL injection vulnerabilities in MobFox mAdserve 2.0 and ...) TODO: check CVE-2014-2685 [zendframework ZF2014-02] @@ -942,8 +1210,7 @@ CVE-2014-2603 RESERVED CVE-2014-2602 RESERVED -CVE-2014-2601 - RESERVED +CVE-2014-2601 (The server in HP Integrated Lights-Out 2 (aka iLO 2) 2.23 and earlier ...) NOT-FOR-US: HP CVE-2014-2600 (Unspecified vulnerability in HP IceWall Identity Manager 4.0 through ...) NOT-FOR-US: HP 
@@ -982,8 +1249,7 @@ CVE-2014-2583 (Multiple directory traversal vulnerabilities in pam_timestamp.c i NOTE: Fix: https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=Linux-PAM-1_1_8-32-g9dcead8 CVE-2014-2582 RESERVED -CVE-2014-2579 - RESERVED +CVE-2014-2579 (Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner ...) NOT-FOR-US: WordPress plugin xcloner CVE-2014-2578 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk ...) NOT-FOR-US: Splunk Web @@ -1021,8 +1287,7 @@ CVE-2014-2556 RESERVED CVE-2014-2555 RESERVED -CVE-2014-2554 [Clickjacking issue] - RESERVED +CVE-2014-2554 (OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 ...) - otrs2 3.3.6-1 [wheezy] - otrs2 <no-dsa> (Minor issue) [squeeze] - otrs2 <no-dsa> (Minor issue) @@ -1045,8 +1310,8 @@ CVE-2014-2547 RESERVED CVE-2014-2546 RESERVED -CVE-2014-2545 - RESERVED +CVE-2014-2545 (TIBCO Managed File Transfer Internet Server before 7.2.2, Managed File ...) + TODO: check CVE-2014-2544 (Unspecified vulnerability in Spotfire Web Player Engine, Spotfire ...) NOT-FOR-US: Spotfire CVE-2014-2543 (Buffer overflow in the Rendezvous Daemon (rvd), Rendezvous Routing ...) @@ -1485,8 +1750,7 @@ CVE-2014-2385 RESERVED CVE-2014-2384 (vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player ...) NOT-FOR-US: VMware on Windows -CVE-2014-2383 [dompdf: arbitrary file read] - RESERVED +CVE-2014-2383 (dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, ...) - php-dompdf 0.6.1+dfsg-2 (unimportant; bug #745619) NOTE: requires DOMPDF_ENABLE_REMOTE (disabled by default) to be enabled CVE-2014-2382 
@@ -1606,15 +1870,13 @@ CVE-2014-2329 RESERVED - check-mk <unfixed> (bug #742689) NOTE: http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt -CVE-2014-2328 [Unspecified Remote Command Execution Vulnerability] - RESERVED +CVE-2014-2328 (lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows ...) - cacti 0.8.8b+dfsg-4 (bug #742768) NOTE: http://bugs.cacti.net/view.php?id=2433 -CVE-2014-2327 [Cross Site Request Forgery Vulnerability] - RESERVED +CVE-2014-2327 (Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, ...) - cacti <unfixed> (bug #742768) NOTE: http://bugs.cacti.net/view.php?id=2432 -CVE-2014-2326 (Cross-site scripting (XSS) vulnerability in Cacti 0.8.7g allows remote ...) +CVE-2014-2326 (Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, ...) - cacti 0.8.8b+dfsg-4 (bug #742768) NOTE: http://bugs.cacti.net/view.php?id=2431 CVE-2014-2318 (SQL injection vulnerability in ATCOM Netvolution 3 allows remote ...) @@ -1909,20 +2171,20 @@ CVE-2014-2188 RESERVED CVE-2014-2187 RESERVED -CVE-2014-2186 - RESERVED -CVE-2014-2185 - RESERVED -CVE-2014-2184 - RESERVED -CVE-2014-2183 - RESERVED -CVE-2014-2182 - RESERVED +CVE-2014-2186 (Cross-site request forgery (CSRF) vulnerability in the web framework ...) + TODO: check +CVE-2014-2185 (The Call Detail Records (CDR) Management component in Cisco Unified ...) + TODO: check +CVE-2014-2184 (The IP Manager Assistant (IPMA) component in Cisco Unified ...) + TODO: check +CVE-2014-2183 (The L2TP module in Cisco IOS XE 3.10S(.2) and earlier on ASR 1000 ...) + TODO: check +CVE-2014-2182 (Cisco Adaptive Security Appliance (ASA) Software, when DHCPv6 replay ...) + TODO: check CVE-2014-2181 RESERVED -CVE-2014-2180 - RESERVED +CVE-2014-2180 (The Document Management component in Cisco Unified Contact Center ...) + TODO: check CVE-2014-2179 RESERVED CVE-2014-2178 
@@ -2106,8 +2368,7 @@ CVE-2014-2088 (Unrestricted file upload vulnerability in ilias.php in ILIAS 4.4. NOT-FOR-US: ILIAS CVE-2014-2087 (Stack-based buffer overflow in the CDownloads_Deleted::UpdateDownload ...) NOT-FOR-US: Free Download Manager -CVE-2014-2285 [snmptrapd crash when using a trap with empty community string] - RESERVED +CVE-2014-2285 (The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs ...) - net-snmp 5.7.2.1~dfsg-3 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1072044 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1072778 @@ -2331,8 +2592,7 @@ CVE-2014-2044 [owncloud: autenticated remote code execution] - owncloud <not-affected> (Windows-specific) CVE-2014-2043 (SQL injection vulnerability in Resources/System/Templates/Data.aspx in ...) NOT-FOR-US: Procentia IntelliPen -CVE-2014-2042 - RESERVED +CVE-2014-2042 (Unrestricted file upload vulnerability in the Manage Project ...) NOT-FOR-US: Livetecs Timelive CVE-2014-2041 RESERVED @@ -2815,14 +3075,11 @@ CVE-2014-1847 RESERVED CVE-2014-1844 RESERVED -CVE-2014-1843 - RESERVED +CVE-2014-1843 (Directory traversal vulnerability in the web interface in Titan FTP ...) NOT-FOR-US: Titan FTP Server -CVE-2014-1842 - RESERVED +CVE-2014-1842 (Directory traversal vulnerability in the web interface in Titan FTP ...) NOT-FOR-US: Titan FTP Server -CVE-2014-1841 - RESERVED +CVE-2014-1841 (Directory traversal vulnerability in the web interface in Titan FTP ...) NOT-FOR-US: Titan FTP Server CVE-2014-1840 (Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB ...) NOT-FOR-US: MyBB @@ -3020,8 +3277,8 @@ CVE-2014-1778 RESERVED CVE-2014-1777 RESERVED -CVE-2014-1776 - RESERVED +CVE-2014-1776 (Use-after-free vulnerability in VGX.DLL in Microsoft Internet Explorer ...) + TODO: check CVE-2014-1775 RESERVED CVE-2014-1774 
@@ -3040,16 +3297,16 @@ CVE-2014-1768 RESERVED CVE-2014-1767 RESERVED -CVE-2014-1766 - RESERVED -CVE-2014-1765 - RESERVED -CVE-2014-1764 - RESERVED -CVE-2014-1763 - RESERVED -CVE-2014-1762 - RESERVED +CVE-2014-1766 (Unspecified vulnerability in the kernel in Microsoft Windows 8.1 ...) + TODO: check +CVE-2014-1765 (Multiple use-after-free vulnerabilities in Microsoft Internet Explorer ...) + TODO: check +CVE-2014-1764 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) + TODO: check +CVE-2014-1763 (Use-after-free vulnerability in Microsoft Internet Explorer 11 allows ...) + TODO: check +CVE-2014-1762 (Unspecified vulnerability in Microsoft Internet Explorer 11 allows ...) + TODO: check CVE-2014-1761 (Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 ...) NOT-FOR-US: Microsoft Word CVE-2014-1760 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) 
@@ -3104,32 +3361,26 @@ CVE-2014-1736 [squeeze] - chromium-browser <end-of-life> - libv8 <removed> - libv8-3.14 <unfixed> -CVE-2014-1735 - RESERVED +CVE-2014-1735 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.33, ...) - chromium-browser <unfixed> [squeeze] - chromium-browser <end-of-life> - libv8 <removed> - libv8-3.14 <unfixed> -CVE-2014-1734 - RESERVED +CVE-2014-1734 (Multiple unspecified vulnerabilities in Google Chrome before ...) - chromium-browser <unfixed> [squeeze] - chromium-browser <end-of-life> -CVE-2014-1733 - RESERVED +CVE-2014-1733 (The PointerCompare function in codegen.cc in Seccomp-BPF, as used in ...) - chromium-browser <unfixed> [squeeze] - chromium-browser <end-of-life> -CVE-2014-1732 - RESERVED +CVE-2014-1732 (Use-after-free vulnerability in ...) - chromium-browser <unfixed> [squeeze] - chromium-browser <end-of-life> -CVE-2014-1731 - RESERVED +CVE-2014-1731 (core/html/HTMLSelectElement.cpp in the DOM implementation in Blink, as ...) - chromium-browser <unfixed> [squeeze] - chromium-browser <end-of-life> - libv8 <removed> - libv8-3.14 <unfixed> -CVE-2014-1730 - RESERVED +CVE-2014-1730 (Google V8, as used in Google Chrome before 34.0.1847.131 on Windows ...) - chromium-browser <unfixed> [squeeze] - chromium-browser <end-of-life> CVE-2014-1729 (Multiple unspecified vulnerabilities in Google V8 before 3.24.35.22, ...) @@ -3378,10 +3629,10 @@ CVE-2014-1649 RESERVED CVE-2014-1648 (Cross-site scripting (XSS) vulnerability in ...) TODO: check -CVE-2014-1647 - RESERVED -CVE-2014-1646 - RESERVED +CVE-2014-1647 (Symantec PGP Desktop 10.0.x through 10.2.x and Encryption Desktop ...) + TODO: check +CVE-2014-1646 (Symantec PGP Desktop 10.0.x through 10.2.x and Encryption Desktop ...) + TODO: check CVE-2014-1645 (SQL injection vulnerability in forcepasswd.do in the management GUI in ...) NOT-FOR-US: Symantec LiveUpdate Administrator CVE-2014-1644 (The forgotten-password feature in forcepasswd.do in the management GUI ...) 
@@ -3604,72 +3855,65 @@ CVE-2014-1534 RESERVED CVE-2014-1533 RESERVED -CVE-2014-1532 - RESERVED +CVE-2014-1532 (Use-after-free vulnerability in the ...) + {DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> -CVE-2014-1531 - RESERVED +CVE-2014-1531 (Use-after-free vulnerability in the ...) + {DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> -CVE-2014-1530 - RESERVED +CVE-2014-1530 (The docshell implementation in Mozilla Firefox before 29.0, Firefox ...) + {DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> -CVE-2014-1529 - RESERVED +CVE-2014-1529 (The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR ...) + {DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> -CVE-2014-1528 - RESERVED +CVE-2014-1528 (The sse2_composite_src_x888_8888 function in Pixman, as used in Cairo ...) - iceweasel <not-affected> (Windows-specific) -CVE-2014-1527 - RESERVED +CVE-2014-1527 (Mozilla Firefox before 29.0 on Android allows remote attackers to ...) - iceweasel <not-affected> (Only affects Firefox on Android) - icedove <not-affected> (Only affects Firefox on Android) -CVE-2014-1526 - RESERVED +CVE-2014-1526 (The XrayWrapper implementation in Mozilla Firefox before 29.0 and ...) - iceweasel <not-affected> (Only affects Firefox 28) - icedove <not-affected> (Only affects Firefox 28) -CVE-2014-1525 - RESERVED +CVE-2014-1525 (The mozilla::dom::TextTrack::AddCue function in Mozilla Firefox before ...) - iceweasel <not-affected> (Only affects Firefox 28) - icedove <not-affected> (Only affects Firefox 28) -CVE-2014-1524 - RESERVED +CVE-2014-1524 (The nsXBLProtoImpl::InstallImplementation function in Mozilla Firefox ...) 
+ {DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> -CVE-2014-1523 - RESERVED +CVE-2014-1523 (Heap-based buffer overflow in the read_u32 function in Mozilla Firefox ...) + {DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel <end-of-life> [squeeze] - icedove <end-of-life> -CVE-2014-1522 - RESERVED +CVE-2014-1522 (The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the ...) - iceweasel <not-affected> (Only affects Firefox 28) - icedove <not-affected> (Only affects Firefox 28) CVE-2014-1521 RESERVED -CVE-2014-1520 - RESERVED +CVE-2014-1520 (maintenservice_installer.exe in the Maintenance Service Installer in ...) - iceweasel <not-affected> (Windows-specific) -CVE-2014-1519 - RESERVED +CVE-2014-1519 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) - iceweasel <not-affected> (Only affects Firefox 28) - icedove <not-affected> (Only affects Firefox 28) -CVE-2014-1518 - RESERVED +CVE-2014-1518 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...) + {DSA-2918-1} - iceweasel 24.5.0esr-1 - icedove 24.5.0-1 [squeeze] - iceweasel <end-of-life> @@ -4324,7 +4568,7 @@ CVE-2014-1265 (The systemsetup program in the Date and Time subsystem in Apple O NOT-FOR-US: Apple CVE-2014-1264 (Finder in Apple OS X before 10.9.2 does not ensure ACL integrity after ...) NOT-FOR-US: Apple -CVE-2014-1263 (curl in Apple OS X 10.9.x before 10.9.2 does not verify X.509 ...) +CVE-2014-1263 (curl and libcurl 7.27.0 through 7.35.0, when using the ...) - curl <not-affected> (Only applies to Curl on Mac OS or iOS) NOTE: http://curl.haxx.se/docs/adv_20140326C.html CVE-2014-1262 (Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers ...) 
@@ -4414,8 +4658,7 @@ CVE-2014-1219 (CA 2E Web Option r8.1.2 accepts a predictable substring of a W2E_ NOT-FOR-US: 2E Web Option CVE-2014-1218 RESERVED -CVE-2014-1217 - RESERVED +CVE-2014-1217 (Livetecs Timelive before 6.2.8 does not properly restrict access to ...) NOT-FOR-US: Livetecs Timelive CVE-2014-1216 (FitNesse Wiki 20131110, 20140201, and earlier allows remote attackers ...) NOT-FOR-US: Fitnesse Wiki @@ -4720,8 +4963,8 @@ CVE-2014-0894 RESERVED CVE-2014-0893 RESERVED -CVE-2014-0892 - RESERVED +CVE-2014-0892 (IBM Notes and Domino 8.5.x before 8.5.3 FP6 IF3 and 9.x before 9.0.1 ...) + TODO: check CVE-2014-0891 RESERVED CVE-2014-0890 (The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, ...) @@ -4916,7 +5159,7 @@ CVE-2014-0796 RESERVED CVE-2014-0795 RESERVED -CVE-2014-0794 (Cross-site scripting (XSS) vulnerability in JV Comment (com_jvcomment) ...) +CVE-2014-0794 (SQL injection vulnerability in the JV Comment (com_jvcomment) ...) NOT-FOR-US: JV Comment Joomla Extension CVE-2014-0793 (Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas ...) NOT-FOR-US: Komento Joomla Extension @@ -4947,8 +5190,8 @@ CVE-2014-0782 RESERVED CVE-2014-0781 (Heap-based buffer overflow in BKCLogSvr.exe in Yokogawa CENTUM CS 3000 ...) NOT-FOR-US: Yokogawa CENTUM CS 3000 -CVE-2014-0780 - RESERVED +CVE-2014-0780 (Directory traversal vulnerability in NTWebServer in InduSoft Web ...) + TODO: check CVE-2014-0779 (The PLC driver in ServerMain.exe in the Kepware KepServerEX 4 ...) NOT-FOR-US: Schneider Electric CVE-2014-0778 (The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows ...) 
@@ -4969,8 +5212,8 @@ CVE-2014-0771 (The OpenUrlToBuffer method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX NOT-FOR-US: Advantech WebAccess CVE-2014-0770 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows ...) NOT-FOR-US: Advantech WebAccess -CVE-2014-0769 - RESERVED +CVE-2014-0769 (The Festo CECX-X-C1 Modular Master Controller with CoDeSys and ...) + TODO: check CVE-2014-0768 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows ...) NOT-FOR-US: Advantech WebAccess CVE-2014-0767 (Stack-based buffer overflow in Advantech WebAccess before 7.2 allows ...) @@ -4987,8 +5230,8 @@ CVE-2014-0762 RESERVED CVE-2014-0761 RESERVED -CVE-2014-0760 - RESERVED +CVE-2014-0760 (The Festo CECX-X-C1 Modular Master Controller with CoDeSys and ...) + TODO: check CVE-2014-0759 (Unquoted Windows search path vulnerability in Schneider Electric ...) NOT-FOR-US: Schneider Electric Floating License Manager CVE-2014-0758 (An ActiveX control in GenLaunch.htm in ICONICS GENESIS32 8.0, 8.02, ...) @@ -5482,8 +5725,7 @@ CVE-2014-0517 RESERVED CVE-2014-0516 RESERVED -CVE-2014-0515 - RESERVED +CVE-2014-0515 (Buffer overflow in Adobe Flash Player before 11.7.700.279 and 11.8.x ...) NOT-FOR-US: Flash plugin CVE-2014-0514 (The Adobe Reader Mobile application before 11.2 for Android does not ...) NOT-FOR-US: Adobe Reader Mobile application 
@@ -5565,14 +5807,11 @@ CVE-2014-0476 RESERVED CVE-2014-0475 RESERVED -CVE-2014-0474 [MySQL typecasting could result in unexpected matches] - RESERVED +CVE-2014-0474 (The (1) FilePathField, (2) GenericIPAddressField, and (3) ...) - python-django 1.6.3-1 -CVE-2014-0473 [Caching of anonymous pages could reveal CSRF token] - RESERVED +CVE-2014-0473 (The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, ...) - python-django 1.6.3-1 -CVE-2014-0472 [Unexpected code execution using ``reverse()``] - RESERVED +CVE-2014-0472 (The django.core.urlresolvers.reverse function in Django before 1.4.11, ...) - python-django 1.6.3-1 CVE-2014-0471 [dpkg-source: directory traversal during unpack] RESERVED @@ -5887,16 +6126,16 @@ CVE-2014-0366 (Unspecified vulnerability in the Oracle Applications Framework .. NOT-FOR-US: Oracle E-Business Suite CVE-2014-0365 RESERVED -CVE-2014-0364 - RESERVED -CVE-2014-0363 - RESERVED +CVE-2014-0364 (The ParseRoster component in the Ignite Realtime Smack XMPP API before ...) + TODO: check +CVE-2014-0363 (The ServerTrustManager component in the Ignite Realtime Smack XMPP API ...) + TODO: check CVE-2014-0362 RESERVED CVE-2014-0361 (The default configuration of IBM 4690 OS, as used in Toshiba Global ...) TODO: check CVE-2014-0360 - RESERVED + REJECTED CVE-2014-0359 (Xangati XSR before 11 and XNR before 7 allows remote attackers to ...) NOT-FOR-US: Xangati CVE-2014-0358 (Multiple directory traversal vulnerabilities in Xangati XSR before 11 ...) @@ -5915,8 +6154,7 @@ CVE-2014-0352 RESERVED CVE-2014-0351 RESERVED -CVE-2014-0350 [certificate validation issue] - RESERVED +CVE-2014-0350 (The Poco::Net::X509Certificate::verify method in the NetSSL library in ...) - poco <unfixed> TODO: check CVE-2014-0349 (Multiple unspecified vulnerabilities in J2k-Codec allow remote ...) 
@@ -6248,11 +6486,9 @@ CVE-2014-0190 CVE-2014-0189 RESERVED NOT-FOR-US: RedHat virt-who -CVE-2014-0188 - RESERVED +CVE-2014-0188 (The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, ...) NOT-FOR-US: OpenShift -CVE-2014-0187 [Neutron security groups bypass through invalid CIDR] - RESERVED +CVE-2014-0187 (The openvswitch-agent process in OpenStack Neutron 2013.1 before ...) - neutron <unfixed> [wheezy] - neutron <not-affected> (Only affects 2013.1 to 2013.2.3, and 2014.1) CVE-2014-0186 @@ -6270,8 +6506,7 @@ CVE-2014-0182 [virtio: out-of-bounds buffer write on state load with invalid con RESERVED - qemu <unfixed> - qemu-kvm <removed> -CVE-2014-0181 [Linux network reconfiguration due to incorrect netlink checks] - RESERVED +CVE-2014-0181 (The Netlink implementation in the Linux kernel through 3.14.1 does not ...) - linux <undetermined> - linux-2.6 <removed> TODO: check, details are missing from oss-security post @@ -6319,8 +6554,7 @@ CVE-2014-0164 RESERVED CVE-2014-0163 RESERVED -CVE-2014-0162 [Remote code execution in Glance Sheepdog backend] - RESERVED +CVE-2014-0162 (The Sheepdog backend in OpenStack Image Registry and Delivery Service ...) - glance 2014.1-1 [wheezy] - glance <not-affected> (Only affects 2013.2 to 2013.2.3) CVE-2014-0161 
@@ -6481,17 +6715,14 @@ CVE-2014-0116 RESERVED CVE-2014-0115 RESERVED -CVE-2014-0114 - RESERVED +CVE-2014-0114 (The ActionForm object in Apache Struts 1.x through 1.3.10 allows ...) - libstruts1.2-java <unfixed> (bug #745897) NOTE: http://mail-archives.apache.org/mod_mbox/struts-announcements/201404.mbox/%3C535F5F52.4040108%40apache.org%3E -CVE-2014-0113 - RESERVED +CVE-2014-0113 (CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard ...) - libstruts1.2-java <unfixed> TODO: check NOTE: https://struts.apache.org/release/2.3.x/docs/s2-021.html -CVE-2014-0112 - RESERVED +CVE-2014-0112 (ParametersInterceptor in Apache Struts before 2.3.16.2 does not ...) - libstruts1.2-java <unfixed> TODO: check NOTE: https://struts.apache.org/release/2.3.x/docs/s2-021.html @@ -6571,8 +6802,7 @@ CVE-2014-0090 - foreman <itp> (bug #663101) CVE-2014-0089 (Cross-site scripting (XSS) vulnerability in ...) - foreman <itp> (bug #663101) -CVE-2014-0088 - RESERVED +CVE-2014-0088 (The SPDY implementation in the ngx_http_spdy_module module in nginx ...) - nginx <not-affected> (Only affects 1.5.10) CVE-2014-0087 RESERVED @@ -6608,8 +6838,7 @@ CVE-2014-0080 (SQL injection vulnerability in ...) - ruby-activerecord-3.2 <not-affected> (affects only rails 4.0.x) - ruby-activerecord-2.3 <not-affected> (affects only rails 4.0.x) - rails <not-affected> (affects only rails 4.0.x) -CVE-2014-0079 - RESERVED +CVE-2014-0079 (The ValidateUserLogon function in provider/libserver/ECSession.cpp in ...) NOT-FOR-US: Zarafa Collaboration Platform CVE-2014-0078 RESERVED 
@@ -6770,8 +6999,7 @@ CVE-2014-0038 (The compat_sys_recvmmsg function in net/compat.c in the Linux ker - linux-2.6 <not-affected> (Introduced in 3.4+) NOTE: introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/compat.c?id=ee4fa23c4bfcc635d077a9633d405610de45bc70 NOTE: Debian does not enable CONFIG_X86_X32, see #708070 -CVE-2014-0037 - RESERVED +CVE-2014-0037 (The ValidateUserLogon function in provider/libserver/ECSession.cpp in ...) NOT-FOR-US: Zarafa Collaboration Platform CVE-2014-0036 (The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with ...) NOT-FOR-US: rbovirt |
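Review bot: the unchanged context in the hunk at -614,15 tags CVE-2014-2743 (Lightwitch Metronome) and CVE-2014-2742 (Isode M-Link) as "NOT-FOR-US: Openfire", a product name that only matches CVE-2014-2741. Those two tags should name Metronome and M-Link. The same hunk keeps "linux-2.6 <not-affected> ((Introduced and fixed in 3.14)" under CVE-2014-2739 with a doubled opening parenthesis, which is worth fixing in a follow-up.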
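Review bot: in the hunk at -1485,8 the new CVE-2014-2383 description gives the precondition as "when DOMPDF_ENABLE_PHP is enabled", while the NOTE kept directly below says "requires DOMPDF_ENABLE_REMOTE (disabled by default) to be enabled". The "unimportant" rating on php-dompdf rests on that NOTE, so the two settings should be reconciled and the NOTE updated to say which option, or both, has to be on.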
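Review bot: in the hunk at -4324,7 the CVE-2014-1263 description is no longer scoped to Apple OS X and now reads "curl and libcurl 7.27.0 through 7.35.0, when using the ...", but the tracking line still says "- curl <not-affected> (Only applies to Curl on Mac OS or iOS)". The justification should be rechecked against the full description and reworded to name the condition that excludes the Debian build, so that the not-affected status does not depend on the superseded wording.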
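Review bot: in the hunk at -6270,8 CVE-2014-0181 now has a published description ("The Netlink implementation in the Linux kernel through 3.14.1 does not ..."), yet the entry keeps "- linux <undetermined>" and "TODO: check, details are missing from oss-security post". The TODO text is stale once the description exists, so it should be dropped or replaced, and the linux status resolved from the description's "through 3.14.1" range.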
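Review bot: in the hunk at -6481,17 the new descriptions for CVE-2014-0113 (CookieInterceptor) and CVE-2014-0112 (ParametersInterceptor) both read "Apache Struts before 2.3.16.2" and link to s2-021, but the entries remain filed as "- libstruts1.2-java <unfixed>" with "TODO: check". Only CVE-2014-0114 in this hunk is described as a Struts 1.x issue, so the two TODO entries need a decision on whether the Struts 1.2 package contains the affected interceptors at all, with the status changed to not-affected if it does not.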