From 9ec1e4c263d8c3936840260dd4ec05ed8a8a9216 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Mon, 24 Aug 2020 16:17:56 +0200 Subject: Use HTTPS transport for www.openwall.com/lists/oss-security URLs --- data/CVE/2014.list | 110 ++++++++++++++++++++++++++--------------------------- 1 file changed, 55 insertions(+), 55 deletions(-) (limited to 'data/CVE/2014.list') diff --git a/data/CVE/2014.list b/data/CVE/2014.list index c608091064..9119efc646 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -1325,7 +1325,7 @@ CVE-2014-9913 (Buffer overflow in the list_files function in list.c in Info-Zip NOTE: Same reproducer as in https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750 NOTE: can be used to verify a fix (which trigger the issue in unzip -l but crash NOTE: in different areas of the unzip codebase) - NOTE: http://www.openwall.com/lists/oss-security/2014/11/03/5 + NOTE: https://www.openwall.com/lists/oss-security/2014/11/03/5 CVE-2014-9912 (The get_icu_disp_value_src_php function in ext/intl/locale/locale_meth ...) - php5 5.6.0+dfsg-1 [wheezy] - php5 5.4.34-0+deb7u1 @@ -1352,7 +1352,7 @@ CVE-2014-9907 (coders/dds.c in ImageMagick allows remote attackers to cause a de NOTE: https://github.com/ImageMagick/ImageMagick/commit/21eae25a8db5fdcd112dbcfcd9e5c37e32d32e2f NOTE: https://github.com/ImageMagick/ImageMagick/commit/d7325bac173492b358417a0ad49fabad44447d52 NOTE: https://github.com/ImageMagick/ImageMagick/commit/504ada82b6fa38a30c846c1c29116af7290decb2 - NOTE: http://www.openwall.com/lists/oss-security/2016/08/07/1 + NOTE: https://www.openwall.com/lists/oss-security/2016/08/07/1 CVE-2014-9906 (Use-after-free vulnerability in DBD::mysql before 4.029 allows attacke ...) {DSA-3635-1 DLA-576-1} - libdbd-mysql-perl 4.033-1 
@@ -1703,7 +1703,7 @@ CVE-2014-9773 (modules/chanserv/flags.c in Atheme before 7.2.7 allows remote att NOTE: https://github.com/atheme/atheme/issues/397 NOTE: Fixed by: https://github.com/atheme/atheme/commit/c597156adc60a45b5f827793cd420945f47bc03b NOTE: Introduced in: https://github.com/atheme/atheme/commit/5c734f28068cf47b9b450af4dcf37195734b15be - NOTE: http://www.openwall.com/lists/oss-security/2016/05/02/2 + NOTE: https://www.openwall.com/lists/oss-security/2016/05/02/2 CVE-2014-9772 (The validator package before 2.0.0 for Node.js allows remote attackers ...) - validator.js (Fixed before initial release) CVE-2014-9771 (Integer overflow in imlib2 before 1.4.7 allows remote attackers to cau ...) @@ -1711,7 +1711,7 @@ CVE-2014-9771 (Integer overflow in imlib2 before 1.4.7 allows remote attackers t - imlib2 1.4.7-1 (bug #820206) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=143f299 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1324774 - NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/3 + NOTE: https://www.openwall.com/lists/oss-security/2016/04/09/3 CVE-2014-9770 (tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions fo ...) - systemd 215-1 [wheezy] - systemd (Vulnerable code not present) @@ -1724,7 +1724,7 @@ CVE-2014-9769 (pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps [wheezy] - pcre3 (Vulnerable code not present) NOTE: Upstream fix: http://vcs.pcre.org/pcre?view=revision&revision=1475 (8.36) NOTE: Introduced in: http://vcs.pcre.org/pcre?view=revision&revision=1434 (8.35) - NOTE: http://www.openwall.com/lists/oss-security/2016/03/26/1 + NOTE: https://www.openwall.com/lists/oss-security/2016/03/26/1 CVE-2014-9768 (** DISPUTED ** IBM Tivoli NetView Access Services (NVAS) allows remote ...) NOT-FOR-US: Tivoli CVE-2014-9767 (Directory traversal vulnerability in the ZipArchive::extractTo functio ...) 
@@ -1744,7 +1744,7 @@ CVE-2014-9765 (Buffer overflow in the main_get_appheader function in xdelta3-mai {DSA-3484-1 DLA-417-1} - xdelta3 3.0.8-dfsg-1.1 (bug #814067) NOTE: https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2 - NOTE: http://www.openwall.com/lists/oss-security/2016/02/08/1 + NOTE: https://www.openwall.com/lists/oss-security/2016/02/08/1 CVE-2014-9764 (imlib2 before 1.4.7 allows remote attackers to cause a denial of servi ...) {DSA-3537-1 DLA-401-1} - imlib2 1.4.7-1 @@ -1778,7 +1778,7 @@ CVE-2014-9759 (Incomplete blacklist vulnerability in the config_is_private funct NOTE: http://github.com/mantisbt/mantisbt/commit/7927c275 NOTE: https://sourceforge.net/p/mantisbt/mailman/message/32948048/ NOTE: https://mantisbt.org/bugs/view.php?id=20277 - NOTE: http://www.openwall.com/lists/oss-security/2016/01/02/1 + NOTE: https://www.openwall.com/lists/oss-security/2016/01/02/1 CVE-2014-9758 (Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platfor ...) NOT-FOR-US: Magento CVE-2014-9757 (The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before ...) @@ -1823,7 +1823,7 @@ CVE-2014-9745 (The parse_encoding function in type1/t1load.c in FreeType before NOTE: http://www.ubuntu.com/usn/usn-2739-1/ NOTE: https://savannah.nongnu.org/bugs/?41590 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=df14e6c0b9592cbb24d5381dfc6106b14f915e75 (VER-2-5-3) - NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4 + NOTE: https://www.openwall.com/lists/oss-security/2015/09/11/4 CVE-2014-9746 (The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse ...) {DSA-3370-1 DLA-319-1} - freetype 2.6-1 (bug #798619) 
@@ -1831,7 +1831,7 @@ CVE-2014-9746 (The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_ NOTE: http://www.ubuntu.com/usn/usn-2739-1/ NOTE: https://savannah.nongnu.org/bugs/?41309 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=8b281f83e8516535756f92dbf90940ac44bd45e1 (VER-2-5-3) - NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4 + NOTE: https://www.openwall.com/lists/oss-security/2015/09/11/4 CVE-2014-9747 (The t42_parse_encoding function in type42/t42parse.c in FreeType befor ...) {DSA-3370-1 DLA-319-1} - freetype 2.6-1 (bug #798619) @@ -1839,7 +1839,7 @@ CVE-2014-9747 (The t42_parse_encoding function in type42/t42parse.c in FreeType NOTE: http://www.ubuntu.com/usn/usn-2739-1/ NOTE: https://savannah.nongnu.org/bugs/?41309 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=8b281f83e8516535756f92dbf90940ac44bd45e1 (VER-2-5-3) - NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4 + NOTE: https://www.openwall.com/lists/oss-security/2015/09/11/4 CVE-2014-9744 (Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause ...) - polarssl 1.3.9-1 [wheezy] - polarssl (Affects only 1.3.x series) @@ -1858,7 +1858,7 @@ CVE-2014-9939 (ihex.c in GNU Binutils before 2.26 contains a stack buffer overfl - binutils 2.25.90.20151125-1 [jessie] - binutils (Minor issue) - gdb 7.10-1 (unimportant) - NOTE: http://www.openwall.com/lists/oss-security/2015/07/31/6 + NOTE: https://www.openwall.com/lists/oss-security/2015/07/31/6 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18750 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=7e27a9d5f22f9f7ead11738b1546d0b5c737266b CVE-2014-8878 (KDE KMail does not encrypt attachments in emails when "automatic encry ...) 
@@ -1867,7 +1867,7 @@ CVE-2014-8878 (KDE KMail does not encrypt attachments in emails when "automatic [wheezy] - kdepim (Minor issue) [squeeze] - kdepim (Bogus condition not present) NOTE: https://bugs.kde.org/show_bug.cgi?id=340312 - NOTE: http://www.openwall.com/lists/oss-security/2015/07/15/5 + NOTE: https://www.openwall.com/lists/oss-security/2015/07/15/5 CVE-2014-9741 (Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for ...) NOT-FOR-US: ArcGIS CVE-2014-9740 (Cross-site scripting (XSS) vulnerability in the Rules Link module 7.x- ...) @@ -1894,21 +1894,21 @@ CVE-2014-9731 (The UDF filesystem implementation in the Linux kernel before 3.18 [wheezy] - linux 3.2.68-1 - linux-2.6 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 (v3.19-rc3) - NOTE: http://www.openwall.com/lists/oss-security/2015/06/03/4 + NOTE: https://www.openwall.com/lists/oss-security/2015/06/03/4 CVE-2014-9730 (The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel be ...) {DLA-246-1} - linux 3.16.7-ckt4-1 [wheezy] - linux 3.2.68-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e237ec37ec154564f8690c5bd1795339955eeef9 (v3.19-rc3) - NOTE: http://www.openwall.com/lists/oss-security/2015/06/02/7 + NOTE: https://www.openwall.com/lists/oss-security/2015/06/02/7 CVE-2014-9729 (The udf_read_inode function in fs/udf/inode.c in the Linux kernel befo ...) {DLA-246-1} - linux 3.16.7-ckt4-1 [wheezy] - linux 3.2.68-1 - linux-2.6 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 (v3.19-rc3) - NOTE: http://www.openwall.com/lists/oss-security/2015/06/02/7 + NOTE: https://www.openwall.com/lists/oss-security/2015/06/02/7 CVE-2014-9728 (The UDF filesystem implementation in the Linux kernel before 3.18.2 do ...) {DLA-246-1} - linux 3.16.7-ckt4-1 
@@ -1917,7 +1917,7 @@ CVE-2014-9728 (The UDF filesystem implementation in the Linux kernel before 3.18 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 (v3.19-rc3) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e237ec37ec154564f8690c5bd1795339955eeef9 (v3.19-rc3) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a1d47b262952a45aae62bd49cfaf33dd76c11a2c (v3.19-rc3) - NOTE: http://www.openwall.com/lists/oss-security/2015/06/02/7 + NOTE: https://www.openwall.com/lists/oss-security/2015/06/02/7 CVE-2014-9726 RESERVED CVE-2014-9725 @@ -1941,7 +1941,7 @@ CVE-2014-9721 (libzmq before 4.0.6 and 4.1.x before 4.1.1 allows remote attacker - zeromq3 4.0.5+dfsg-3 (bug #784366) NOTE: https://github.com/zeromq/libzmq/issues/1273 NOTE: https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51 - NOTE: http://www.openwall.com/lists/oss-security/2015/05/07/8 + NOTE: https://www.openwall.com/lists/oss-security/2015/05/07/8 CVE-2014-9717 (fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH u ...) - linux 4.0.2-1 (low) [jessie] - linux (Too intrusive to backport) @@ -1949,7 +1949,7 @@ CVE-2014-9717 (fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DET - linux-2.6 (user namespaces known broken before 3.5, see kernel-sec info) NOTE: https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs NOTE: Proposed fixes: http://www.spinics.net/lists/linux-containers/msg30786.html - NOTE: http://www.openwall.com/lists/oss-security/2015/04/17/4 + NOTE: https://www.openwall.com/lists/oss-security/2015/04/17/4 NOTE: CVE assignement for issue in http://marc.info/?l=linux-kernel&m=141271552117745&w=2 CVE-2014-9716 (Cross-site scripting (XSS) vulnerability in WebODF before 0.5.4 allows ...) - owncloud (embedded partial copy doesn't contain the related code) 
@@ -1963,7 +1963,7 @@ CVE-2014-9715 (include/net/netfilter/nf_conntrack_extend.h in the netfilter subs NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=223b02d923ecd7c84cf9780bb3686f455d279279 (v3.15-rc1) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5b423f6a40a0327f9d40bc8b97ce9be266f74368 (v3.6-rc5) NOTE: Introduced in 3.2.x in https://git.kernel.org/cgit/linux/kernel/git/bwh/linux-3.2.y.git/commit/?id=cc1b75d796ad050c83c95733c4220aaa04fa1304 (v3.2.33) - NOTE: http://www.openwall.com/lists/oss-security/2015/04/08/1 + NOTE: https://www.openwall.com/lists/oss-security/2015/04/08/1 CVE-2014-9714 (Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveA ...) - hhvm 3.11.0+dfsg-1 NOTE: https://github.com/facebook/hhvm/commit/324701c9fd31beb4f070f1b7ef78b115fbdfec34 @@ -1984,7 +1984,7 @@ CVE-2014-9710 (The Btrfs implementation in the Linux kernel before 3.19 does not - linux-2.6 [squeeze] - linux-2.6 (btrfs in 2.6.32 is just a tech preview and not usable for production) NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 (v3.19-rc1) - NOTE: http://www.openwall.com/lists/oss-security/2015/03/24/11 + NOTE: https://www.openwall.com/lists/oss-security/2015/03/24/11 CVE-2014-9718 (The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in ...) {DSA-3259-1} - qemu 1:2.3+dfsg-1 (unimportant; bug #781250) 
@@ -1992,7 +1992,7 @@ CVE-2014-9718 (The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionalit - qemu-kvm (unimportant) [wheezy] - qemu-kvm (Can be fixed along in later update) NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8 (v2.2.0-rc2) - NOTE: http://www.openwall.com/lists/oss-security/2015/03/24/4 + NOTE: https://www.openwall.com/lists/oss-security/2015/03/24/4 NOTE: Per maintainer not a security issue: NOTE: Qemu either leaks memory or loops infinitely. Memory leakage can be easily NOTE: mitigated using some kind of resource limits in security-sensitive environments, @@ -2004,7 +2004,7 @@ CVE-2014-9706 (The build_index_from_tree function in index.py in Dulwich before [jessie] - dulwich 0.9.7-3 [squeeze] - dulwich (Repo.checkout (later renamed to build_index_from_tree) introduced past 0.6.1) NOTE: Patch: https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176 - NOTE: http://www.openwall.com/lists/oss-security/2015/03/21/1 + NOTE: https://www.openwall.com/lists/oss-security/2015/03/21/1 CVE-2014-9704 RESERVED CVE-2014-9703 @@ -2057,7 +2057,7 @@ CVE-2014-9705 (Heap-based buffer overflow in the enchant_broker_request_dict fun - php5 5.6.6+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=68552 NOTE: http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803 - NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/6 + NOTE: https://www.openwall.com/lists/oss-security/2015/03/10/6 CVE-2014-9689 (content/renderer/device_sensors/device_orientation_event_pump.cc in Go ...) - chromium-browser 41.0.2272.76-1 [wheezy] - chromium-browser 
@@ -2100,10 +2100,10 @@ CVE-2014-9676 (The seg_write_packet function in libavformat/segment.c in ffmpeg {DLA-464-1} - ffmpeg (Vulnerable code not present in a ffmpeg version in the archive) - libav 6:11.2-1 - NOTE: Patch in http://www.openwall.com/lists/oss-security/2015/01/04/10 seem to apply for libav + NOTE: Patch in https://www.openwall.com/lists/oss-security/2015/01/04/10 seem to apply for libav NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=169065fbfb3da1ab776379c333aebc54bb1f1bc4 NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=b3f04657368a32a9903406395f865e230b1de348 - NOTE: http://www.openwall.com/lists/oss-security/2015/01/04/10 + NOTE: https://www.openwall.com/lists/oss-security/2015/01/04/10 CVE-2014-9675 (bdf/bdflib.c in FreeType before 2.5.4 identifies property names by onl ...) {DSA-3188-1 DLA-185-1} - freetype 2.5.2-3 (bug #777656) 
@@ -2222,19 +2222,19 @@ CVE-2014-9679 (Integer underflow in the cupsRasterReadPixels function in filter/ NOTE: Marked with [experimental] tag as the fix is only in experimental so far NOTE: Switch this to regular fixed version once the fix is in unstable NOTE: https://www.cups.org/strfiles.php/3438/str4551.patch - NOTE: http://www.openwall.com/lists/oss-security/2015/02/10/15 + NOTE: https://www.openwall.com/lists/oss-security/2015/02/10/15 CVE-2014-9681 REJECTED CVE-2014-9680 (sudo before 1.8.12 does not ensure that the TZ environment variable is ...) {DSA-3167-1 DLA-160-1} - sudo 1.8.12-1 (bug #772707) [jessie] - sudo 1.8.10p3-1+deb8u2 - NOTE: http://www.openwall.com/lists/oss-security/2014/10/15/24 + NOTE: https://www.openwall.com/lists/oss-security/2014/10/15/24 NOTE: http://www.sudo.ws/repos/sudo/rev/650ac6938b59 (1.8.x) NOTE: http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0 (typos) NOTE: http://www.sudo.ws/repos/sudo/rev/91859f613b88 (description) NOTE: http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0 (improved description) - NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/12 + NOTE: https://www.openwall.com/lists/oss-security/2015/02/09/12 CVE-2014-XXXX [RPATH set to untrusted directory] [experimental] - noise (bug #759868) CVE-2014-9655 (The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeX ...) @@ -2254,7 +2254,7 @@ CVE-2014-9653 (readelf.c in file before 5.22, as used in the Fileinfo component - php5 (readelf.c not used and even removed in 5.4.36-0+deb7u3) NOTE: http://bugs.gw.com/view.php?id=409 NOTE: http://mx.gw.com/pipermail/file/2014/001649.html - NOTE: http://www.openwall.com/lists/oss-security/2015/02/04/13 + NOTE: https://www.openwall.com/lists/oss-security/2015/02/04/13 CVE-2014-9983 (Directory Traversal exists in RAR 4.x and 5.x because an unpack operat ...) - rar 2:5.3.b2-1 (bug #774172) [jessie] - rar (Non-free not supported) 
@@ -2327,7 +2327,7 @@ CVE-2014-9649 (Cross-site scripting (XSS) vulnerability in the management plugin [wheezy] - rabbitmq-server (Minor issue) [squeeze] - rabbitmq-server (Management web UI not available in version 1.8.1) NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs - NOTE: http://www.openwall.com/lists/oss-security/2015/01/21/13 + NOTE: https://www.openwall.com/lists/oss-security/2015/01/21/13 CVE-2014-9650 (CRLF injection vulnerability in the management plugin in RabbitMQ 2.1. ...) - rabbitmq-server 3.4.1-1 [jessie] - rabbitmq-server (Minor issue) @@ -2335,10 +2335,10 @@ CVE-2014-9650 (CRLF injection vulnerability in the management plugin in RabbitMQ [squeeze] - rabbitmq-server (Management web UI not available in version 1.8.1) NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad - NOTE: http://www.openwall.com/lists/oss-security/2015/01/21/13 + NOTE: https://www.openwall.com/lists/oss-security/2015/01/21/13 CVE-2014-9732 (The cabd_extract function in cabd.c in libmspack before 0.5 does not p ...) - libmspack 0.5-1 (bug #774665) - NOTE: http://www.openwall.com/lists/oss-security/2015/02/03/11 + NOTE: https://www.openwall.com/lists/oss-security/2015/02/03/11 CVE-2014-9637 (GNU patch 2.7.2 and earlier allows remote attackers to cause a denial ...) - patch 2.7.1-7 [wheezy] - patch (Vulnerability introduced later) @@ -2349,7 +2349,7 @@ CVE-2014-XXXX [formail: memory corruption] - procmail 3.22-24 (bug #769937) [wheezy] - procmail (Minor issue) [squeeze] - procmail (Minor issue) - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/01/21/9 + NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2015/01/21/9 CVE-2014-9630 (The rtp_packetize_xiph_config function in modules/stream_out/rtpfmt.c ...) {DSA-3150-1} - vlc 2.2.0~rc2-2 (bug #775866) 
@@ -2684,7 +2684,7 @@ CVE-2014-9651 (Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4 [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) [squeeze] - chicken (Minor issue) - NOTE: http://www.openwall.com/lists/oss-security/2015/01/12/3 + NOTE: https://www.openwall.com/lists/oss-security/2015/01/12/3 NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt CVE-2014-1155 REJECTED @@ -2898,7 +2898,7 @@ CVE-2014-9490 (The numtok function in lib/raven/okjson.rb in the raven-ruby gem NOT-FOR-US: raven ruby gem CVE-2014-9488 (The is_utf8_well_formed function in GNU less before 475 allows remote ...) - less 481-1 (unimportant; bug #780247) - NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/14 + NOTE: https://www.openwall.com/lists/oss-security/2015/03/10/14 NOTE: https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html CVE-2014-9484 RESERVED @@ -3102,7 +3102,7 @@ CVE-2014-9413 (Multiple cross-site request forgery (CSRF) vulnerabilities in the NOT-FOR-US: IP Ban (simple-ip-ban) plugin for WordPress CVE-2014-9482 (Use-after-free vulnerability in dwarfdump in libdwarf 20130126 through ...) - dwarfutils (Vulnerable code introduced later, see bug #774530) - NOTE: http://www.openwall.com/lists/oss-security/2014/12/31/3 + NOTE: https://www.openwall.com/lists/oss-security/2014/12/31/3 CVE-2014-9427 (sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x ...) {DSA-3117-1} - php5 5.6.5+dfsg-1 
@@ -4085,7 +4085,7 @@ CVE-2014-9129 (Cross-site request forgery (CSRF) vulnerability in the CreativeMi NOT-FOR-US: WordPress plugin cm-download-manager CVE-2014-8123 (Buffer overflow in the bGetPPS function in wordole.c in Antiword 0.37 ...) - antiword 0.37-5 (bug #771768) - NOTE: http://www.openwall.com/lists/oss-security/2014/12/01/4 + NOTE: https://www.openwall.com/lists/oss-security/2014/12/01/4 NOTE: This actually was fixed long time ago in https://bugs.debian.org/407015 CVE-2014-8104 (OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before ...) {DSA-3084-1 DLA-98-1} @@ -4163,7 +4163,7 @@ CVE-2014-9114 (Blkid in util-linux before 2.26rc-1 allows local users to execute - util-linux 2.25.2-4 (bug #771274) [squeeze] - util-linux (Minor issue) [wheezy] - util-linux (Minor issue) - NOTE: http://www.openwall.com/lists/oss-security/2014/11/26/13 + NOTE: https://www.openwall.com/lists/oss-security/2014/11/26/13 NOTE: https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc CVE-2014-9112 (Heap-based buffer overflow in the process_copy_in function in GNU Cpio ...) {DSA-3111-1 DLA-111-1} 
@@ -5581,19 +5581,19 @@ CVE-2014-8559 (The d_walk function in fs/dcache.c in the Linux kernel through 3. {DSA-3170-1} - linux 3.16.7-ckt4-1 - linux-2.6 (Introduced in 2.6.38) - NOTE: References in http://www.openwall.com/lists/oss-security/2014/10/30/7 + NOTE: References in https://www.openwall.com/lists/oss-security/2014/10/30/7 NOTE: Upstream fix: https://git.kernel.org/linus/ca5358ef75fc69fee5322a38a340f5739d997c10 (v3.19-rc1) NOTE: Upstream fix: https://git.kernel.org/linus/946e51f2bf37f1656916eb75bd0742ba33983c28 (v3.19-rc1) CVE-2014-8517 (The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in Net ...) - tnftp 20130505-2 (low; bug #767171) [wheezy] - tnftp (Minor issue) [squeeze] - tnftp (Minor issue) - NOTE: http://www.openwall.com/lists/oss-security/2014/10/28/4 + NOTE: https://www.openwall.com/lists/oss-security/2014/10/28/4 CVE-2014-9915 (Off-by-one error in ImageMagick before 6.6.0-4 allows remote attackers ...) - imagemagick 8:6.8.9.9-1 (bug #767240) [wheezy] - imagemagick (Vulnerable code not present) [squeeze] - imagemagick (Vulnerable code not present) - NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 + NOTE: https://www.openwall.com/lists/oss-security/2016/12/20/3 CVE-2014-8355 (PCX parser code in ImageMagick before 6.8.9-9 allows remote attackers ...) {DLA-960-1 DLA-242-1} - imagemagick 8:6.8.9.9-1 (bug #767240) @@ -6717,7 +6717,7 @@ CVE-2014-8117 (softmagic.c in file before 5.21 does not properly limit recursion - php5 5.6.4+dfsg-2 NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc NOTE: https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c - NOTE: Other commits needed as well: http://www.openwall.com/lists/oss-security/2014/12/16/2 + NOTE: Other commits needed as well: https://www.openwall.com/lists/oss-security/2014/12/16/2 CVE-2014-8116 (The ELF parser (readelf.c) in file before 5.21 allows remote attackers ...) {DSA-3121-1 DLA-131-1} - file 1:5.21+15-1 (low; bug #773148) 
@@ -6727,7 +6727,7 @@ CVE-2014-8116 (The ELF parser (readelf.c) in file before 5.21 allows remote atta NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc NOTE: https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b NOTE: https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6 - NOTE: Other commits needed as well: http://www.openwall.com/lists/oss-security/2014/12/16/2 + NOTE: Other commits needed as well: https://www.openwall.com/lists/oss-security/2014/12/16/2 CVE-2014-8115 (The default authorization constrains in KIE Workbench 6.0.x allows rem ...) NOT-FOR-US: KIE Workbench CVE-2014-8114 (The UberFire Framework 0.3.x does not properly restrict paths, which a ...) @@ -11236,7 +11236,7 @@ CVE-2014-6228 (Integer overflow in the string_chunk_split function in hphp/runti CVE-2014-3618 (Heap-based buffer overflow in formisc.c in formail in procmail 3.22 al ...) {DSA-3019-1 DLA-46-1} - procmail 3.22-22 (bug #760443) - NOTE: http://www.openwall.com/lists/oss-security/2014/09/03/8 + NOTE: https://www.openwall.com/lists/oss-security/2014/09/03/8 CVE-2014-6241 (SQL injection vulnerability in the wt_directory extension before 1.4.1 ...) NOT-FOR-US: TYPO3 extension wt_directory CVE-2014-6240 (Cross-site scripting (XSS) vulnerability in the Google Sitemap (weeaar ...) 
@@ -13580,13 +13580,13 @@ CVE-2014-5207 (fs/namespace.c in the Linux kernel through 3.16.1 does not proper NOTE: Fixed by https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=9566d6742852c527bf5af38af5cbb878dad75705 (v3.17-rc1) NOTE: and: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ffbc6f0ead47fa5a1dc9642b0331cb75c20a640e (v3.17-rc1) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0c55cfc4166d9a0f38de779bd4d75a90afbe7734 (v3.8) - NOTE: Thread starting at http://www.openwall.com/lists/oss-security/2014/08/12/6 + NOTE: Thread starting at https://www.openwall.com/lists/oss-security/2014/08/12/6 CVE-2014-5206 (The do_remount function in fs/namespace.c in the Linux kernel through ...) - linux 3.16.2-1 [wheezy] - linux (User namespaces only usable in later kernels) - linux-2.6 (User namespaces only usable in later kernels) NOTE: https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-linus&id=db181ce011e3c033328608299cd6fac06ea50130 - NOTE: Thread starting at http://www.openwall.com/lists/oss-security/2014/08/12/6 + NOTE: Thread starting at https://www.openwall.com/lists/oss-security/2014/08/12/6 CVE-2014-5247 (The _UpgradeBeforeConfigurationChange function in lib/client/gnt_clust ...) - ganeti 2.11.5-1 [wheezy] - ganeti (Vulnerable code not present) 
@@ -13981,7 +13981,7 @@ CVE-2014-5033 (KDE kdelibs before 4.14 and kauth before 5.1 does not properly us NOTE: http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23 CVE-2014-5032 (GLPI before 0.84.7 does not properly restrict access to cost informati ...) - glpi (unimportant) - NOTE: http://www.openwall.com/lists/oss-security/2014/07/22/6 + NOTE: https://www.openwall.com/lists/oss-security/2014/07/22/6 NOTE: Only supported behind an authenticated HTTP zone CVE-2014-5031 (The web interface in CUPS before 2.0 does not check that files have wo ...) {DSA-2990-1 DLA-0022-1} @@ -14651,7 +14651,7 @@ CVE-2014-5119 (Off-by-one error in the __gconv_translit_find function in gconv_t {DSA-3012-1 DLA-43-1} - glibc 2.19-10 (medium) - eglibc (medium) - NOTE: http://www.openwall.com/lists/oss-security/2014/07/14/2 + NOTE: https://www.openwall.com/lists/oss-security/2014/07/14/2 NOTE: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html CVE-2014-4909 (Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in bit ...) {DSA-2988-1} @@ -14881,7 +14881,7 @@ CVE-2014-4652 (Race condition in the tlv handler functionality in the snd_ctl_el CVE-2014-4678 (The safe_eval function in Ansible before 1.6.4 does not properly restr ...) - ansible 1.6.6+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916 - NOTE: See http://www.openwall.com/lists/oss-security/2014/06/26/30 + NOTE: See https://www.openwall.com/lists/oss-security/2014/06/26/30 CVE-2014-4660 (Ansible before 1.5.5 constructs filenames containing user and password ...) - ansible 1.5.5+dfsg-1 NOTE: https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08 
@@ -16606,7 +16606,7 @@ CVE-2014-3956 (The sm_close_on_exec function in conf.c in sendmail before 8.14.9 - sendmail 8.14.4-6 (low; bug #750562) [wheezy] - sendmail 8.14.4-4+deb7u1 [squeeze] - sendmail (Minor issue) - NOTE: http://www.openwall.com/lists/oss-security/2014/06/03/1 + NOTE: https://www.openwall.com/lists/oss-security/2014/06/03/1 CVE-2014-3940 (The Linux kernel through 3.14.5 does not properly consider the presenc ...) - linux 3.14.7-1 (low) [wheezy] - linux 3.2.60-1 @@ -19356,7 +19356,7 @@ CVE-2014-3985 (The getHTTPResponse function in miniwget.c in MiniUPnP 1.9 allows [wheezy] - miniupnpc (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1085618 NOTE: https://github.com/miniupnp/miniupnp/commit/3a87aa2f10bd7f1408e1849bdb59c41dd63a9fe9 - NOTE: http://www.openwall.com/lists/oss-security/2014/04/30/3 + NOTE: https://www.openwall.com/lists/oss-security/2014/04/30/3 CVE-2014-4338 (cups-browsed in cups-filters before 1.0.53 allows remote attackers to ...) - cups-filters 1.0.53-1 [wheezy] - cups-filters (vulnerable code not present) @@ -20738,7 +20738,7 @@ CVE-2014-2440 (Unspecified vulnerability in the MySQL Client component in Oracle - mariadb-10.0 (Fixed before initial upload) - mysql-5.1 (Only affects Mysql 5.5/5.6) - percona-xtradb-cluster-5.5 5.5.37-25.10+dfsg-1 - NOTE: this is the same issue as CVE-2014-0001, see http://www.openwall.com/lists/oss-security/2014/09/11/23 + NOTE: this is the same issue as CVE-2014-0001, see https://www.openwall.com/lists/oss-security/2014/09/11/23 CVE-2014-2439 (Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) co ...) NOT-FOR-US: Oracle Secure Global Desktop (SGD) CVE-2014-2438 (Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier an ...) 
@@ -21993,7 +21993,7 @@ CVE-2014-1949 (GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-s [wheezy] - gtk+3.0 (Only affects GTK+ 3.10.9 and later) - gtk+2.0 (Only affects GTK+ 3.10.9 and later) - cinnamon 2.2.14-1 (bug #738828) - NOTE: http://www.openwall.com/lists/oss-security/2014/02/12/7 + NOTE: https://www.openwall.com/lists/oss-security/2014/02/12/7 NOTE: https://git.gnome.org/browse/gtk+/commit/?id=1691bb741d50c90ee938f0b73fe81b0ca9bfd6d4 NOTE: The CVE was originally assigned specifically for cinnamon-screensaver, but the underlying fix lies in gtk+3.0 NOTE: and later MITRE assigned the CVE to GTK+ 3.10.9 and later, see official MITRE CVE description. @@ -23567,7 +23567,7 @@ CVE-2014-1642 (The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrou - xen 4.4.0-1 [squeeze] - xen (Only affects 4.2 and later) [wheezy] - xen (Only affects 4.2 and later) - NOTE: http://www.openwall.com/lists/oss-security/2014/01/23/2 + NOTE: https://www.openwall.com/lists/oss-security/2014/01/23/2 CVE-2014-1640 (axiom-test.sh in axiom 20100701-1.1 uses tempfile to create a safe tem ...) - axiom 20120501-17 (low; bug #736358) [squeeze] - axiom (Minor issue) @@ -26807,7 +26807,7 @@ CVE-2014-0001 (Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB be CVE-2014-0158 (Heap-based buffer overflow in the JPEG2000 image tile decoder in OpenJ ...) - openjpeg 1.3+dfsg-4.7 NOTE: Not considering a duplicate of CVE-2013-1447 following - NOTE: http://www.openwall.com/lists/oss-security/2014/04/02/2 . A query + NOTE: https://www.openwall.com/lists/oss-security/2014/04/02/2 . A query NOTE: to MITRE though indicated that CVE-2014-0158 will not be REJECTED NOTE: since people might have tracked CVE-2014-0158 of the much higher NOTE: impact as due https://bugzilla.redhat.com/show_bug.cgi?id=1082925 -- cgit v1.2.3
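Review bot: In the CVE-2014-9676 hunk (@@ -2100,10 +2100,10 @@) the oss-security post 2015/01/04/10 is referenced twice within the same entry, once in "NOTE: Patch in https://www.openwall.com/lists/oss-security/2015/01/04/10 seem to apply for libav" and again as a bare "NOTE: https://www.openwall.com/lists/oss-security/2015/01/04/10" three lines later. Rewriting both is correct for a transport-only change, but the bare duplicate could be dropped in a follow-up so the entry carries the reference once.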
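Review bot: The context lines of the CVE-2014-9759 hunk (@@ -1778,7 +1778,7 @@) still carry a plain-HTTP reference, "NOTE: http://github.com/mantisbt/mantisbt/commit/7927c275", directly above the rewritten openwall line, and the CVE-2014-9680 hunk keeps four http://www.sudo.ws/repos/sudo/rev/... notes between its two rewritten lines. That matches the subject, which scopes the change to www.openwall.com/lists/oss-security URLs, but the github.com link at least can move to HTTPS in a follow-up, since every other github.com NOTE visible in this file already uses https://.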
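Review bot: The commit message is the subject line alone, while the diffstat shows 55 insertions and 55 deletions spread over hunks from line 1325 to line 26807 of data/CVE/2014.list. A short body naming the exact pattern that was replaced (the http://www.openwall.com/lists/oss-security/ prefix) and stating that no occurrence of it remains in the file would let a reviewer confirm completeness without reading each hunk, and would document that the hunks where the URL sits mid-sentence (CVE-2014-8559 "References in ...", CVE-2014-2440 "see ...", CVE-2014-0158 "... . A query") were covered by the same substitution.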