| field | value | date |
|---|---|---|
| author | Moritz Muehlenhoff <jmm@debian.org> | 2011-12-22 17:51:22 +0000 |
| committer | Moritz Muehlenhoff <jmm@debian.org> | 2011-12-22 17:51:22 +0000 |
| commit | 2abe952af3304306d00abf2c93ff397e1a91f085 | |
| tree | c00b3627b818430f6814de8fcd378008fe9ec28e /data/CVE | |
| parent | beb049b3053e663142d0f5d7f12767268a75bb69 | |
new phpmyadmin issues
new chrome issues
new old and unimportant firefox info leaks
new jasper issues
rails not affected
xmlsec1 issue is actually a duped/mis-assigned webkit bug
NFUs
remove libpam-ssh entry, it's not a vulnerability per se and libpam-ssh has been
removed in the meantime
remove stunnel fd issue, minor hardening
rpcbind issue already fixed
openswan fixed
new kernel issue
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@17848 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data/CVE')
-rw-r--r-- | data/CVE/2002.list | 6 |
-rw-r--r-- | data/CVE/2010.list | 15 |
-rw-r--r-- | data/CVE/2011.list | 124 |
3 files changed, 71 insertions, 74 deletions
diff --git a/data/CVE/2002.list b/data/CVE/2002.list index ffdfcd6037..db54eff047 100644 --- a/data/CVE/2002.list +++ b/data/CVE/2002.list @@ -1,9 +1,9 @@ CVE-2002-2437 (The JavaScript implementation in Mozilla Firefox before 4.0, ...) - TODO: check + - iceweasel 4.0-1 (unimportant) CVE-2002-2436 (The Cascading Style Sheets (CSS) implementation in Mozilla Firefox ...) - TODO: check + - iceweasel 4.0-1 (unimportant) CVE-2002-2435 (The Cascading Style Sheets (CSS) implementation in Microsoft Internet ...) - TODO: check + NOT-FOR-US: Internet Explorer CVE-2002-2434 (NWFTPD.nlm before 5.02i in the FTP server in Novell NetWare does not ...) NOT-FOR-US: Novell NetWare CVE-2002-2433 (NWFTPD.nlm before 5.03b in the FTP server in Novell NetWare allows ...) diff --git a/data/CVE/2010.list b/data/CVE/2010.list index 110b4cd891..6c16410734 100644 --- a/data/CVE/2010.list +++ b/data/CVE/2010.list @@ -11,19 +11,21 @@ CVE-2010-5076 CVE-2010-5075 RESERVED CVE-2010-5074 (The layout engine in Mozilla Firefox before 4.0, Thunderbird before ...) - TODO: check + - iceweasel 4.0-1 (unimportant) CVE-2010-5073 (The JavaScript implementation in Google Chrome 4 does not properly ...) - TODO: check + - chromium-browser <unfixed> + - webkit <undetermined> CVE-2010-5072 (The JavaScript implementation in Opera 10.5 does not properly restrict ...) NOT-FOR-US: Opera CVE-2010-5071 (The JavaScript implementation in Microsoft Internet Explorer 8.0 and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2010-5070 (The JavaScript implementation in Apple Safari 4 does not properly ...) - TODO: check + NOT-FOR-US: Safari CVE-2010-5069 (The Cascading Style Sheets (CSS) implementation in Google Chrome 4 ...) - TODO: check + - chromium-browser <unfixed> + - webkit <undetermined> CVE-2010-5068 (The Cascading Style Sheets (CSS) implementation in Opera 10.5 does not ...) - TODO: check + NOT-FOR-US: Opera CVE-2010-5067 RESERVED CVE-2010-5066 
@@ -7659,7 +7661,8 @@ CVE-2010-2065 (Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 NOTE: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565 CVE-2010-2064 RESERVED - - rpcbind <unfixed> + - rpcbind 0.2.0-4.1 + NOTE: This version changed the state directory to /var/run/rpcbind, which is only writable by root CVE-2010-2063 (Buffer overflow in the SMB1 packet chaining implementation in the ...) {DSA-2061-1} - samba 2:3.4.0~pre1-1 (high) diff --git a/data/CVE/2011.list b/data/CVE/2011.list index 5ea06ce037..03419ff14e 100644 --- a/data/CVE/2011.list +++ b/data/CVE/2011.list @@ -15,15 +15,15 @@ CVE-2011-4863 CVE-2011-4862 RESERVED CVE-2011-4861 (The modbus_125_handler function in the Schneider Electric Quantum ...) - TODO: check + NOT-FOR-US: Schneider Electric Quantum Ethernet Module CVE-2011-4860 (The ComputePassword function in the Schneider Electric Quantum ...) - TODO: check + NOT-FOR-US: Schneider Electric Quantum Ethernet Module CVE-2011-4859 (The Schneider Electric Quantum Ethernet Module, as used in the Quantum ...) - TODO: check + NOT-FOR-US: Schneider Electric Quantum Ethernet Module CVE-2011-4858 RESERVED CVE-2011-4857 (Heap-based buffer overflow in the in_mod.dll plugin in Winamp before ...) - TODO: check + NOT-FOR-US: Winamp CVE-2011-4856 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 ...) NOT-FOR-US: Plesk CVE-2011-4855 (The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 ...) @@ -174,10 +174,12 @@ CVE-2011-4783 RESERVED CVE-2011-4782 RESERVED + - phpmyadmin 4:3.4.9-1 CVE-2011-4781 RESERVED CVE-2011-4780 RESERVED + - phpmyadmin 4:3.4.9-1 CVE-2011-4779 RESERVED CVE-2011-4778 @@ -293,7 +295,7 @@ CVE-2011-4725 (Multiple SQL injection vulnerabilities in the Server Administrati CVE-2011-4724 RESERVED CVE-2011-4723 (The D-Link DIR-300 router stores cleartext passwords, which allows ...) - TODO: check + NOT-FOR-US: D-Link DIR-300 router CVE-2011-4722 RESERVED CVE-2011-4721 
@@ -301,11 +303,12 @@ CVE-2011-4721 CVE-2011-4720 RESERVED CVE-2011-4719 (Multiple unspecified vulnerabilities in Google Chrome before ...) - TODO: check + - chromium-browser <unfixed> + - webkit <undetermined> CVE-2011-4718 RESERVED CVE-2011-4717 (Directory traversal vulnerability in zFTPServer Suite 6.0.0.52 allows ...) - TODO: check + NOT-FOR-US: zFTPServer Suite CVE-2011-4716 (Directory traversal vulnerability in file in DreamBox DM800 1.6rc3, ...) NOT-FOR-US: DreamBox CVE-2011-4715 (Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha ...) @@ -355,15 +358,17 @@ CVE-2011-4694 (Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on Wi CVE-2011-4693 (Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on Windows ...) NOT-FOR-US: Adobe Flash Player CVE-2011-4692 (WebKit, as used in Apple Safari 5.1.1 and earlier and Google Chrome 15 ...) - TODO: check + - chromium-browser <unfixed> + - webkit <undetermined> CVE-2011-4691 (Google Chrome 15.0.874.121 and earlier does not prevent capture of ...) - TODO: check + - chromium-browser <unfixed> + - webkit <undetermined> CVE-2011-4690 (Opera 11.60 and earlier does not prevent capture of data about the ...) NOT-FOR-US: Opera CVE-2011-4689 (Microsoft Internet Explorer 6 through 9 does not prevent capture of ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2011-4688 (Mozilla Firefox 8.0.1 and earlier does not prevent capture of data ...) - TODO: check + - iceweasel <unfixed> (unimportant) CVE-2011-4687 (Opera before 11.60 allows remote attackers to cause a denial of ...) NOT-FOR-US: Opera CVE-2011-4686 (Unspecified vulnerability in the Web Workers implementation in Opera ...) 
@@ -395,11 +400,11 @@ CVE-2011-4675 (The pathname canonicalization functionality in ...) CVE-2011-4674 (SQL injection vulnerability in popup.php in Zabbix 1.8.3 and 1.8.4, ...) - zabbix <unfixed> (high; bug #651225) CVE-2011-4673 (SQL injection vulnerability in modules/sharedaddy.php in the Jetpack ...) - TODO: check + NOT-FOR-US: Jetpack plugin for Wordpress CVE-2011-4672 (Multiple SQL injection vulnerabilities in Valid tiny-erp 1.6 and ...) - TODO: check + NOT-FOR-US: Valid tiny-erp, different from TinyERP, the former name of OpenERP CVE-2011-4671 (SQL injection vulnerability in adrotate/adrotate-out.php in the ...) - TODO: check + NOT-FOR-US: Adrorate plugin for Wordpress CVE-2011-4670 (Multiple cross-site scripting (XSS) vulnerabilities in vTiger CRM ...) NOT-FOR-US: vTiger CRM CVE-2011-4669 (SQL injection vulnerability in wp-users.php in WordPress Users plugin ...) @@ -503,6 +508,7 @@ CVE-2011-4622 RESERVED CVE-2011-4621 RESERVED + - linux-2.6 <unfixed> CVE-2011-4620 RESERVED CVE-2011-4619 @@ -765,9 +771,9 @@ CVE-2011-4519 CVE-2011-4518 RESERVED CVE-2011-4517 (The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer ...) - TODO: check + - jasper <unfixed> (bug #652649) CVE-2011-4516 (Heap-based buffer overflow in the jpc_cox_getcompparms function in ...) - TODO: check + - jasper <unfixed> (bug #652649) CVE-2011-4515 RESERVED CVE-2011-4514 @@ -1068,7 +1074,7 @@ CVE-2011-4370 CVE-2011-4369 (Unspecified vulnerability in the PRC component in Adobe Reader and ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2011-4368 (Cross-site scripting (XSS) vulnerability in Remote Development ...) - TODO: check + NOT-FOR-US: Adobe Cold Fusion CVE-2011-4367 RESERVED CVE-2011-4366 
@@ -1162,7 +1168,7 @@ CVE-2011-4347 RESERVED - linux-2.6 <unfixed> CVE-2011-4346 (Cross-site scripting (XSS) vulnerability in the web interface in Red ...) - TODO: check + NOT-FOR-US: Red Hat Satellite CVE-2011-4345 (Cross-site scripting (XSS) vulnerability in Namazu before 2.0.21, when ...) - namazu2 2.0.21-1 (low) [squeeze] - namazu2 <no-dsa> (Minor issue) @@ -1238,7 +1244,7 @@ CVE-2011-4320 [ejabberd DoS in pubsub module] - ejabberd 2.1.9-1 NOTE: https://support.process-one.net/browse/EJAB-1498 CVE-2011-4319 (Cross-site scripting (XSS) vulnerability in the i18n translations ...) - TODO: check + - rails <not-affected> (Only affects RoR 3.0 and above) CVE-2011-4318 RESERVED - dovecot <unfixed> (unimportant; bug #649511) @@ -1394,13 +1400,13 @@ CVE-2011-4268 CVE-2011-4267 RESERVED CVE-2011-4266 (Untrusted search path vulnerability in FFFTP before 1.98d allows local ...) - TODO: check + NOT-FOR-US: FFFTP CVE-2011-4265 (Cross-site scripting (XSS) vulnerability in phpWebSite before 1.0.0 ...) - TODO: check + NOT-FOR-US: phpWebSite CVE-2011-4264 (Cross-site scripting (XSS) vulnerability in Etomite before 1.1 allows ...) - TODO: check + NOT-FOR-US: Etomite CVE-2011-4263 (Cross-site scripting (XSS) vulnerability in Schneider Electric ...) - TODO: check + NOT-FOR-US: Schneider Electric PowerChute Business Edition CVE-2011-4262 (Unspecified vulnerability in RealNetworks RealPlayer before 15.0.0 ...) NOT-FOR-US: RealNetworks RealPlayer CVE-2011-4261 (RealNetworks RealPlayer before 15.0.0 allows remote attackers to ...) @@ -1522,9 +1528,9 @@ CVE-2011-4204 CVE-2011-4203 RESERVED CVE-2011-4202 (The Tadasoft Restorepoint 3.2 evaluation image uses weak permissions ...) - TODO: check + NOT-FOR-US: Tadasoft Restorepoint CVE-2011-4201 (remote_support.cgi in the Tadasoft Restorepoint 3.2 evaluation image ...) - TODO: check + NOT-FOR-US: Tadasoft Restorepoint CVE-2011-4200 RESERVED CVE-2011-4199 
@@ -1618,9 +1624,9 @@ CVE-2011-4164 CVE-2011-4163 RESERVED CVE-2011-4162 (The (1) AddUser, (2) AddUserEx, (3) RemoveUser, (4) RemoveUserByGuide, ...) - TODO: check + NOT-FOR-US: HP Protect Tools Device Access Manager CVE-2011-4161 (The default configuration of the HP CM8060 Color MFP with Edgeline; ...) - TODO: check + NOT-FOR-US: HP CM8060 Color MFP CVE-2011-4160 (Unspecified vulnerability in HP Operations Agent 11.00 and Performance ...) NOT-FOR-US: HP Operations Agent CVE-2011-4159 (Unspecified vulnerability in System Administration Manager (SAM) in ...) @@ -1661,7 +1667,7 @@ CVE-2011-4143 CVE-2011-4142 RESERVED CVE-2011-4141 (Untrusted search path vulnerability in EMC RSA SecurID Software Token ...) - TODO: check + NOT-FOR-US: RSA SecurID CVE-2011-4140 (The CSRF protection mechanism in Django through 1.2.7 and 1.3.x ...) {DSA-2332-1} - python-django 1.3.1-1 (bug #641405) @@ -1866,7 +1872,7 @@ CVE-2011-4074 (Cross-site scripting (XSS) vulnerability in cmd.php in phpLDAPadm {DSA-2333-1} - phpldapadmin 1.2.0.5-2.1 (bug #646769) CVE-2011-4073 (Use-after-free vulnerability in the cryptographic helper handler ...) - - openswan <unfixed> (low; bug #650674) + - openswan 1:2.6.37-1 (low; bug #650674) CVE-2011-XXXX [incorrect OPENSSL_assert() in DTLS code] - openssl <unfixed> (low; bug #645805) NOTE: http://rt.openssl.org/Ticket/Display.html?id=2625&user=guest&pass=guest @@ -1913,13 +1919,13 @@ CVE-2011-4056 CVE-2011-4055 RESERVED CVE-2011-4054 (Cross-site scripting (XSS) vulnerability in login.fcc in CA SiteMinder ...) - TODO: check + NOT-FOR-US: CA SiteMinder CVE-2011-4053 RESERVED CVE-2011-4052 (Stack-based buffer overflow in CEServer.exe in the CEServer component ...) - TODO: check + NOT-FOR-US: InduSoft Web Studio CVE-2011-4051 (CEServer.exe in the CEServer component in the Remote Agent module in ...) - TODO: check + NOT-FOR-US: InduSoft Web Studio CVE-2011-4050 RESERVED CVE-2011-4049 
@@ -1941,7 +1947,7 @@ CVE-2011-4042 CVE-2011-4041 RESERVED CVE-2011-4040 (Buffer overflow in MiniSmtp 3.0.11818 in NJStar Communicator allows ...) - TODO: check + NOT-FOR-US: NJStar Communicator CVE-2011-4039 RESERVED CVE-2011-4038 @@ -1949,13 +1955,13 @@ CVE-2011-4038 CVE-2011-4037 RESERVED CVE-2011-4036 (Directory traversal vulnerability in Schneider Electric Vijeo ...) - TODO: check + NOT-FOR-US: Schneider Electric Vijeo CVE-2011-4035 (Cross-site scripting (XSS) vulnerability in Schneider Electric Vijeo ...) - TODO: check + NOT-FOR-US: Schneider Electric Vijeo CVE-2011-4034 (Buffer overflow in the Steema TeeChart ActiveX control, as used in ...) - TODO: check + NOT-FOR-US: Steema TeeChart CVE-2011-4033 (Buffer overflow in the Steema TeeChart ActiveX control, as used in ...) - TODO: check + NOT-FOR-US: Steema TeeChart CVE-2011-4032 RESERVED CVE-2011-4031 @@ -2442,7 +2448,7 @@ CVE-2011-3836 CVE-2011-3835 RESERVED CVE-2011-3834 (Multiple integer overflows in the in_avi.dll plugin in Winamp before ...) - TODO: check + NOT-FOR-US: Winamp CVE-2011-3833 RESERVED CVE-2011-3832 @@ -2454,7 +2460,7 @@ CVE-2011-3830 CVE-2011-3829 RESERVED CVE-2011-3828 (DVRemoteAx.ax 2.1.0.39 in the DVR Remote ActiveX control allows remote ...) - TODO: check + NOT-FOR-US: DVR Remote CVE-2011-3827 RESERVED CVE-2011-3826 (Zikula 1.2.4 allows remote attackers to obtain sensitive information ...) @@ -2911,7 +2917,7 @@ CVE-2011-3638 CVE-2011-3637 RESERVED CVE-2011-3636 (Cross-site request forgery (CSRF) vulnerability in the management ...) - TODO: check + NOT-FOR-US: FreeIPA CVE-2011-3635 (Cross-site scripting (XSS) vulnerability in the ...) - empathy 3.2.1.1-1 [lenny] - empathy <not-affected> (only affects webkit theming, not present in Lenny) 
@@ -3541,41 +3547,41 @@ CVE-2011-3415 CVE-2011-3414 RESERVED CVE-2011-3413 (Microsoft PowerPoint 2007 SP2; Office 2008 for Mac; Office ...) - TODO: check + NOT-FOR-US: Microsoft PowerPoint CVE-2011-3412 (Microsoft Publisher 2003 SP3, and 2007 SP2 and SP3, allows remote ...) - TODO: check + NOT-FOR-US: Microsoft Publisher CVE-2011-3411 (Microsoft Publisher 2003 SP3 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Microsoft Publisher CVE-2011-3410 (Array index error in Microsoft Publisher 2003 SP3, and 2007 SP2 and ...) - TODO: check + NOT-FOR-US: Microsoft Publisher CVE-2011-3409 RESERVED CVE-2011-3408 (Csrsrv.dll in the Client/Server Run-time Subsystem (aka CSRSS) in the ...) - TODO: check + NOT-FOR-US: Microsoft Windows XP CVE-2011-3407 RESERVED CVE-2011-3406 (Buffer overflow in Active Directory, Active Directory Application Mode ...) - TODO: check + NOT-FOR-US: Microsoft Active Directory CVE-2011-3405 RESERVED CVE-2011-3404 (Microsoft Internet Explorer 6 through 9 does not properly use the ...) - TODO: check + NOT-FOR-US: Microsoft Internet Explorer CVE-2011-3403 (Microsoft Excel 2003 SP3 and Office 2004 for Mac do not properly ...) - TODO: check + NOT-FOR-US: Microsoft Excel CVE-2011-3402 (Unspecified vulnerability in the Win32k TrueType font parsing engine ...) NOT-FOR-US: Microsoft Windows CVE-2011-3401 (ENCDEC.DLL in Windows Media Player and Media Center in Microsoft ...) - TODO: check + NOT-FOR-US: Microsoft Media Player CVE-2011-3400 (Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 do not properly ...) - TODO: check + NOT-FOR-US: Microsoft Windows XP CVE-2011-3399 RESERVED CVE-2011-3398 RESERVED CVE-2011-3397 (The Microsoft Time component in DATIME.DLL in Microsoft Windows XP SP2 ...) - TODO: check + NOT-FOR-US: Microsoft Windows XP CVE-2011-3396 (Untrusted search path vulnerability in Microsoft PowerPoint 2007 SP2 ...) 
- TODO: check + NOT-FOR-US: Microsoft PowerPoint CVE-2011-3395 RESERVED CVE-2011-3394 (SQL injection vulnerability in findagent.php in MYRE Real Estate ...) @@ -6919,13 +6925,6 @@ CVE-2011-2198 [vte memory exhaustion] - vte 1:0.28.1-1 (low; bug #629688) [lenny] - vte <no-dsa> (Minor issue) [squeeze] - vte 1:0.24.3-3 -CVE-2011-XXXX [libpam-ssh: pam_ssh not dropping root gid(s)] - - libpam-ssh <unfixed> (low) - [squeeze] - libpam-ssh <no-dsa> (Minor issue) - [lenny] - libpam-ssh <no-dsa> (Minor issue) - NOTE: https://bugzilla.novell.com/show_bug.cgi?id=665061 - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=711170 - NOTE: CVE request and discussion: http://www.openwall.com/lists/oss-security/2011/06/06/3 CVE-2011-2185 (Fabric before 1.1.0 allows local users to overwrite arbitrary files ...) - fabric 1.1.2-1 (low; bug #629003) [squeeze] - fabric <no-dsa> (Minor issue) @@ -7993,8 +7992,8 @@ CVE-2011-1776 (The is_gpt_valid function in fs/partitions/efi.c in the Linux ker CVE-2011-1775 (The CSecurityTLS::processMsg function in common/rfb/CSecurityTLS.cxx ...) NOT-FOR-US: TigerVNC CVE-2011-1774 (WebKit in Apple Safari before 5.0.6 has improper libxslt security ...) - - xmlsec1 1.2.14-1.1 - NOTE: very likely a duplicate of cve-2011-1425 + - webkit <unfixed> + NOTE: CVE-2011-1774 is about webkit's interface to xmlsec, CVE-2011-1425 is the actual issue NOTE: http://www.openwall.com/lists/oss-security/2011/05/09/4 CVE-2011-1773 RESERVED @@ -10772,11 +10771,6 @@ CVE-2011-XXXX [libpurple info leak] [lenny] - pidgin <no-dsa> (Minor issue) [squeeze] - pidgin <no-dsa> (Minor issue) NOTE: http://www.pidgin.im/news/security/?id=50 -CVE-2011-XXXX [stunnel fd leak] - - stunnel4 <unfixed> (low) - [lenny] - stunnel4 <no-dsa> (Minor issue) - [squeeze] - stunnel4 <no-dsa> (Minor issue) - NOTE: http://www.stunnel.org/?page=sdf_ChangeLog (v4.35) CVE-2011-1136 [tesseract tempfile] RESERVED - tesseract 2.04-2.1 (low; bug #612032) |
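
Review bot: The new "- chromium-browser <unfixed>" lines for CVE-2010-5073 and CVE-2010-5069 in the data/CVE/2010.list hunk at @@ -11,19 +11,21 @@ carry no severity, while the parallel Firefox entries in this same commit (CVE-2002-2437, CVE-2002-2436, CVE-2010-5074) are tagged "(unimportant)". If the Chrome variants are the same class of old browser info leak, tag them "(unimportant)" as well; if not, add a NOTE saying why they are treated differently, because an untagged "<unfixed>" reads as an open issue against the package. The descriptions name Google Chrome 4, so a NOTE recording whether the current chromium-browser version was checked would also help the next person who triages "webkit <undetermined>".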
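
Review bot: Missing context on the two "- phpmyadmin 4:3.4.9-1" lines added under CVE-2011-4782 and CVE-2011-4780 in the data/CVE/2011.list hunk at @@ -174,10 +174,12 @@: both CVEs are still RESERVED, so the entry has neither a description nor a reference showing which phpMyAdmin issue each id maps to. Other RESERVED entries in this file carry a bracketed summary (for example "CVE-2011-4320 [ejabberd DoS in pubsub module]") and a NOTE with the upstream URL; please add the same here so the fixed version can be verified. The same applies to "- linux-2.6 <unfixed>" under CVE-2011-4621 in the @@ -503,6 +508,7 @@ hunk, where nothing identifies the kernel issue or the fix to look for.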
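
Review bot: Typo in the data/CVE/2011.list hunk at @@ -395,11 +400,11 @@: "NOT-FOR-US: Adrorate plugin for Wordpress" under CVE-2011-4671 should read "AdRotate", matching the adrotate/adrotate-out.php path in the CVE description. While touching these lines, "Wordpress" here and under CVE-2011-4673 could be spelled "WordPress" as in the neighbouring CVE-2011-4669 description, so a search for the product name finds all of them.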
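
Review bot: Inconsistent product names in the NOT-FOR-US lines of the data/CVE/2011.list hunk at @@ -3541,41 +3547,41 @@. CVE-2011-3400 is marked "NOT-FOR-US: Microsoft Windows XP" although its description covers "Windows XP SP2 and SP3 and Server 2003 SP2", and the unchanged neighbour CVE-2011-3402 already uses "NOT-FOR-US: Microsoft Windows"; CVE-2011-3401 is marked "Microsoft Media Player" where the description says "Windows Media Player". Using "Microsoft Windows" for CVE-2011-3408, CVE-2011-3400 and CVE-2011-3397, and "Microsoft Windows Media Player" for CVE-2011-3401, keeps the tags greppable alongside the existing entries.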
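
Review bot: Deleting the whole "CVE-2011-XXXX [libpam-ssh: pam_ssh not dropping root gid(s)]" block at @@ -6919,13 +6925,6 @@ and the "CVE-2011-XXXX [stunnel fd leak]" block at @@ -10772,11 +10771,6 @@ also drops their NOTE references (the Novell and Red Hat bug URLs, the oss-security thread, the stunnel ChangeLog link), and the reason for the removal then exists only in the commit message. Consider keeping the entries and recording the decision in the data file instead, for example "- libpam-ssh <removed>" with a NOTE that it is not a vulnerability per se, and "- stunnel4 <unfixed> (unimportant)" with a NOTE that the change is hardening only, so someone who later finds those threads can see they were already assessed.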
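
Review bot: The replacement NOTE under CVE-2011-1774 in the data/CVE/2011.list hunk at @@ -7993,8 +7992,8 @@ says the CVE "is about webkit's interface to xmlsec", but the description on the line above reads "improper libxslt security ...", so the NOTE and the description name different libraries. Please reword the NOTE to match, and since this hunk removes "- xmlsec1 1.2.14-1.1" from this entry, confirm that the CVE-2011-1425 entry carries that xmlsec1 fixed version so the tracking is not lost. The new "- webkit <unfixed>" line also has no severity or bug number, unlike most package lines around it.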