[Secure-testing-commits] r27700 - data/CVE
Author: fgeek-guest Date: 2014-07-13 07:51:44 + (Sun, 13 Jul 2014) New Revision: 27700 Modified: data/CVE/list Log: CVE-2014-4911/polarssl Modified: data/CVE/list === --- data/CVE/list 2014-07-13 07:49:08 UTC (rev 27699) +++ data/CVE/list 2014-07-13 07:51:44 UTC (rev 27700) @@ -18,6 +18,9 @@ - zendframework undetermined NOTE: http://framework.zend.com/security/advisory/ZF2014-03 TODO: check +CVE-2014-4911 [polarssl: Denial of Service against GCM enabled servers and clients] + - polarssl unfixed + NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02 CVE-2014-4910 - xserver-xorg-video-intel not-affected (Vulnerable code not present) NOTE: http://lists.x.org/archives/xorg-commit/2014-July/036840.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
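Review bot: the new "- polarssl unfixed" line in the CVE-2014-4911 hunk records no Debian bug number, while unfixed entries elsewhere in this file carry one (compare "- hawtjni unfixed (low; bug #708293)"), so a "(bug #NNNNNN)" reference should be added once the bug is filed; the entry also has no [wheezy]/[squeeze] lines even though the bracketed title says GCM-enabled servers and clients are affected, so the stable suites need an explicit status (fixed version, no-dsa with a reason, or not-affected with a reason) rather than being left implicit.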
[Secure-testing-commits] r27701 - data/CVE
Author: fgeek-guest Date: 2014-07-13 08:03:24 + (Sun, 13 Jul 2014) New Revision: 27701 Modified: data/CVE/list Log: polarssl bug Modified: data/CVE/list === --- data/CVE/list 2014-07-13 07:51:44 UTC (rev 27700) +++ data/CVE/list 2014-07-13 08:03:24 UTC (rev 27701) @@ -19,7 +19,7 @@ NOTE: http://framework.zend.com/security/advisory/ZF2014-03 TODO: check CVE-2014-4911 [polarssl: Denial of Service against GCM enabled servers and clients] - - polarssl unfixed + - polarssl unfixed (bug #754655) NOTE: https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02 CVE-2014-4910 - xserver-xorg-video-intel not-affected (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
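Review bot: adding "(bug #754655)" to the polarssl line supplies the missing tracking reference, but the CVE-2014-4911 entry still has no severity marker and no [wheezy]/[squeeze] status lines; the surrounding entries annotate each stable suite explicitly (for example "[wheezy] - ... no-dsa (Minor issue)"), so please record whether the stable polarssl packages are affected and how they will be handled.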
[Secure-testing-commits] r27702 - in data: . CVE
Author: thijs Date: 2014-07-13 12:40:35 + (Sun, 13 Jul 2014) New Revision: 27702 Modified: data/CVE/list data/next-point-update.txt Log: 7.6 point update Modified: data/CVE/list === --- data/CVE/list 2014-07-13 08:03:24 UTC (rev 27701) +++ data/CVE/list 2014-07-13 12:40:35 UTC (rev 27702) @@ -65,7 +65,7 @@ RESERVED CVE-2014- [Quassel: /var/lib/quassel/quasselCert.pem world-readable] - quassel 0.10.0-2 (low) - [wheezy] - quassel no-dsa (Minor issue) + [wheezy] - quassel 0.8.0-1+deb7u2 [squeeze] - quassel no-dsa (Minor issue) CVE-2014-4908 [XSS via views/kohana_error_page.php and views/template.php] - pnp4nagios unfixed (low) @@ -1651,7 +1651,7 @@ CVE-2014-4150 [Insecure use of temporary file] RESERVED - scheme48 1.9-4 (bug #748766) - [wheezy] - scheme48 no-dsa (Minor issue) + [wheezy] - scheme48 1.8+dfsg-1+deb7u1 [squeeze] - scheme48 1.8+dfsg-1+deb6u1 CVE-2014-4027 (The rd_build_device_space function in drivers/target/target_core_rd.c ...) - linux 3.14.2-1 @@ -3752,7 +3752,7 @@ RESERVED - ldns 1.6.17-4 (low; bug #746758) [squeeze] - ldns no-dsa (Minor issue) - [wheezy] - ldns no-dsa (Minor issue) + [wheezy] - ldns 1.6.13-1+deb7u1 CVE-2014-3230 [HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL] RESERVED - liblwp-protocol-https-perl 6.04-3 (bug #746579) @@ -3762,7 +3762,7 @@ CVE-2014-3207 (Cross-site scripting (XSS) vulnerability in wserver.ml in SKS ...) - sks 1.1.5-1 (low; bug #746626) [squeeze] - sks no-dsa (Minor issue) - [wheezy] - sks no-dsa (Minor issue) + [wheezy] - sks 1.1.3-2+deb7u1 NOTE: https://bitbucket.org/skskeyserver/sks-keyserver/issue/26/unfiltered-xss NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=952077 CVE-2014-3137 [JSON content-type not restrictive enough] 
@@ -4713,7 +4713,7 @@ CVE-2014-2856 (Cross-site scripting (XSS) vulnerability in scheduler/client.c in ...) - cups 1.7.2-1 [squeeze] - cups no-dsa (minor issue) - [wheezy] - cups no-dsa (minor issue) + [wheezy] - cups 1.5.3-5+deb7u2 NOTE: http://www.cups.org/str.php?L4356 CVE-2014- [node-marked: multiple content injection vulnerabilities] - node-marked 0.3.1+dfsg-1 @@ -13428,10 +13428,10 @@ - libjpeg-turbo 1.3.0-3 (low; bug #729873) - libjpeg6b 6b1-4 (low; bug #729867) [squeeze] - libjpeg6b no-dsa (Minor issue) - [wheezy] - libjpeg6b no-dsa (Minor issue) + [wheezy] - libjpeg6b 6b1-3+deb7u1 - libjpeg8 8d-2 (low; bug #729867) [squeeze] - libjpeg8 no-dsa (Minor issue) - [wheezy] - libjpeg8 no-dsa (Minor issue) + [wheezy] - libjpeg8 8d-1+deb7u1 - iceweasel 24.2.0esr-1 [squeeze] - iceweasel end-of-life - icedove 24.2.0-1 @@ -13446,11 +13446,11 @@ [squeeze] - chromium-browser end-of-life - libjpeg-turbo 1.3.0-3 (low; bug #729873) - libjpeg6b 6b1-4 (low; bug #729867) + [wheezy] - libjpeg6b 6b1-3+deb7u1 [squeeze] - libjpeg6b no-dsa (Minor issue) - [wheezy] - libjpeg6b no-dsa (Minor issue) - libjpeg8 8d-2 (low; bug #729867) [squeeze] - libjpeg8 no-dsa (Minor issue) - [wheezy] - libjpeg8 no-dsa (Minor issue) + [wheezy] - libjpeg8 8d-1+deb7u1 - iceweasel 24.2.0esr-1 [squeeze] - iceweasel end-of-life - icedove 24.2.0-1 @@ -13956,7 +13956,7 @@ CVE-2013-6438 (The dav_xml_get_cdata function in main/util.c in the mod_dav module in ...) - apache2 2.4.9-1 [squeeze] - apache2 no-dsa (will be fixed in point release unless CVE-2014-0098 needs a DSA) - [wheezy] - apache2 no-dsa (will be fixed in point release unless CVE-2014-0098 needs a DSA) + [wheezy] - apache2 2.2.22-13+deb7u2 CVE-2013-6437 (The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and ...) - nova 2013.2.2 [wheezy] - nova not-affected (Vulnerable code not present) 
@@ -24853,8 +24853,8 @@ NOTE: Vulnerable code introduced in http://libvirt.org/git/?p=libvirt.git;a=commit;h=7ac2c4fe624f30f2c8270116513fa2ddab07631f CVE-2013-2217 (cache.py in Suds 0.4, when tempdir is set to None, allows local users ...) - suds 0.4.1-8 (low; bug #714340) - [wheezy] - suds no-dsa (Minor issue) [squeeze] - suds 0.3.9-1+deb6u1 + [wheezy] - suds 0.4.1-5+deb7u1 CVE-2013-2216 RESERVED CVE-2013-2215 Modified: data/next-point-update.txt === --- data/next-point-update.txt 2014-07-13 08:03:24 UTC (rev 27701) +++ data/next-point-update.txt 2014-07-13 12:40:35 UTC (rev 27702) @@ -1,20 +0,0 @@ -CVE-2014-2856 - [wheezy] - cups 1.5.3-5+deb7u2 -CVE-2014-3207 - [wheezy] - sks
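Review bot: the ordering of suite lines is inconsistent across this commit: in the second libjpeg hunk (@@ -13446,11 +13446,11 @@) the new "[wheezy] - libjpeg6b 6b1-3+deb7u1" line is placed above the "[squeeze] - libjpeg6b no-dsa (Minor issue)" line, whereas the first libjpeg hunk (@@ -13428) and the quassel, scheme48, ldns, sks and cups hunks keep [wheezy] after [squeeze]; the suds hunk (@@ -24853) also moves its [wheezy] line below [squeeze]. Keep one ordering so the two duplicated libjpeg blocks can be compared line for line.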
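Review bot: in the apache2 hunk (@@ -13956) the [squeeze] line still reads "no-dsa (will be fixed in point release unless CVE-2014-0098 needs a DSA)"; now that the wheezy side is settled with "[wheezy] - apache2 2.2.22-13+deb7u2", the squeeze annotation should be resolved to either a fixed version or a plain no-dsa reason, since a conditional note no longer describes the decision actually taken.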
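Review bot: the data/next-point-update.txt hunk (@@ -1,20 +0,0 @@) empties the whole queue, but only the first entries are visible here (CVE-2014-2856 cups 1.5.3-5+deb7u2, CVE-2014-3207 sks), and both of those match new "[wheezy]" fixed-version lines in data/CVE/list; please confirm that every one of the 20 removed lines corresponds to a [wheezy] entry updated in this same commit, otherwise a queued fix is silently dropped from the tracker.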
[Secure-testing-commits] r27703 - data/CVE
Author: iuculano Date: 2014-07-13 17:10:57 + (Sun, 13 Jul 2014) New Revision: 27703 Modified: data/CVE/list Log: CVE-2014-0591: bind9 in squeeze and wheezy are affected Modified: data/CVE/list === --- data/CVE/list 2014-07-13 12:40:35 UTC (rev 27702) +++ data/CVE/list 2014-07-13 17:10:57 UTC (rev 27703) @@ -10036,8 +10036,6 @@ NOT-FOR-US: Crowbar CVE-2014-0591 (The query_findclosestnsec3 function in query.c in named in ISC BIND ...) - bind9 1:9.9.5.dfsg-2 (bug #735190) - [wheezy] - bind9 not-affected (Only exploitable in combination with glibc 2.17 and later) - [squeeze] - bind9 not-affected (Only exploitable in combination with glibc 2.17 and later) NOTE: https://kb.isc.org/article/AA-01078 NOTE: https://kb.isc.org/article/AA-01085 CVE-2013-7259 (Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
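Review bot: deleting the two "not-affected (Only exploitable in combination with glibc 2.17 and later)" lines for wheezy and squeeze in the CVE-2014-0591 hunk leaves both suites with no explicit status, so they now fall back to the unstable line "- bind9 1:9.9.5.dfsg-2 (bug #735190)" without saying how the stable packages will be handled; add "[wheezy] - bind9 ..." and "[squeeze] - bind9 ..." lines with a fixed version, no-dsa reason or pending marker, and a NOTE recording why the earlier glibc-2.17 reasoning was withdrawn, since the commit log states they are affected but the list itself no longer explains the reversal.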
[Secure-testing-commits] r27704 - data/CVE
Author: carnil Date: 2014-07-13 17:46:20 + (Sun, 13 Jul 2014) New Revision: 27704 Modified: data/CVE/list Log: Add fixed version for CVE-2013-2035/hawtjni Modified: data/CVE/list === --- data/CVE/list 2014-07-13 17:10:57 UTC (rev 27703) +++ data/CVE/list 2014-07-13 17:46:20 UTC (rev 27704) @@ -25458,7 +25458,7 @@ CVE-2013-2036 (Cross-site scripting (XSS) vulnerability in the Filebrowser module ...) NOT-FOR-US: Drupal module Filebrowser CVE-2013-2035 (Race condition in ...) - - hawtjni unfixed (low; bug #708293) + - hawtjni 1.10-1 (low; bug #708293) [wheezy] - hawtjni no-dsa (Minor issue) CVE-2013-2034 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...) - jenkins 1.509.2+dfsg-1 (bug #706725) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r27705 - data/CVE
Author: carnil Date: 2014-07-13 17:59:07 + (Sun, 13 Jul 2014) New Revision: 27705 Modified: data/CVE/list Log: Add fixed version for CVE-204-0475/glibc Modified: data/CVE/list === --- data/CVE/list 2014-07-13 17:46:20 UTC (rev 27704) +++ data/CVE/list 2014-07-13 17:59:07 UTC (rev 27705) @@ -10395,7 +10395,7 @@ CVE-2014-0475 [directory traversal in LC_* locale handling] RESERVED {DSA-2976-1} - - glibc unfixed + - glibc 2.19-7 - eglibc removed CVE-2014-0474 (The (1) FilePathField, (2) GenericIPAddressField, and (3) ...) {DSA-2934-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
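Review bot: the commit log reads "CVE-204-0475" while the entry changed is CVE-2014-0475, and the version recorded in the hunk, "- glibc 2.19-7", is corrected to 2.19-6 in the immediately following r27706, so the fixed version was not checked against the package changelog before being committed; for an entry that already carries a {DSA-2976-1} marker, verify the unstable version in the changelog of the actual upload before recording it.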
[Secure-testing-commits] r27706 - data/CVE
Author: carnil Date: 2014-07-13 17:59:44 + (Sun, 13 Jul 2014) New Revision: 27706 Modified: data/CVE/list Log: Correct debian revision for CVE-2014-0475 Modified: data/CVE/list === --- data/CVE/list 2014-07-13 17:59:07 UTC (rev 27705) +++ data/CVE/list 2014-07-13 17:59:44 UTC (rev 27706) @@ -10395,7 +10395,7 @@ CVE-2014-0475 [directory traversal in LC_* locale handling] RESERVED {DSA-2976-1} - - glibc 2.19-7 + - glibc 2.19-6 - eglibc removed CVE-2014-0474 (The (1) FilePathField, (2) GenericIPAddressField, and (3) ...) {DSA-2934-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r27707 - data
Author: alteholz Date: 2014-07-13 20:09:39 + (Sun, 13 Jul 2014) New Revision: 27707 Modified: data/lts-needed.txt Log: take libxml2 Modified: data/lts-needed.txt === --- data/lts-needed.txt 2014-07-13 17:59:44 UTC (rev 27706) +++ data/lts-needed.txt 2014-07-13 20:09:39 UTC (rev 27707) @@ -49,7 +49,7 @@ -- libwpd -- -libxml2 +libxml2 (Thorsten Alteholz) -- libxml-security-java -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r27708 - in data: . DLA
Author: mgilbert Date: 2014-07-13 23:21:50 + (Sun, 13 Jul 2014) New Revision: 27708 Added: data/DLA/ data/DLA/list Log: initial DLA (debian-lts-announce) list Added: data/DLA/list === --- data/DLA/list (rev 0) +++ data/DLA/list 2014-07-13 23:21:50 UTC (rev 27708) 
@@ -0,0 +1,45 @@ +[12 Jul 2014] DLA-0015-1 linux-2.6 - security update + {CVE-2013-4387 CVE-2013-4470 CVE-2014-0203 CVE-2014-2678 CVE-2014-3122 CVE-2014-3144 CVE-2014-3917 CVE-2014-4652 CVE-2014-4699 CVE-2015-3145 CVE-2014-4656 CVE-2014-4667} + [squeeze] - linux-2.6 2.6.32-48squeeze8 +[09 Jul 2014] DLA-0014-1 phpmyadmin - security update + {CVE-2013-3239 CVE-2013-4995 CVE-2013-4996 CVE-2013-5003} + [squeeze] - phpmyadmin 4:3.3.7-8 +[01 Jul 2014] DLA-0013-1 tiff - security update + {CVE-2013-4243} + [squeeze] - tiff 3.9.4-5+squeeze11 +[30 Jun 2014] DLA-0012-1 gnupg - security update + {CVE-2014-4617} + [squeeze] - gnupg 1.4.10-4+squeeze5 +[29 Jun 2014] DLA-0011-1 libemail-address-perl - security update + {CVE-2014-0477} + [squeeze] - libemail-address-perl 1.889-2+deb6u1 +[27 Jun 2014] DLA-0010-1 php5 - security update + {CVE-2014-4049} + [squeeze] - php5 5.3.3-7+squeeze20 +[26 Jun 2014] DLA-0009-1 lxml - security update + {CVE-2014-3146} + [squeeze] - lxml 2.2.8-2+deb6u1 +[20 Jun 2014] DLA-0008-1 openssl - security update + {CVE-2012-4929 CVE-2014-0224} + [squeeze] - openssl 0.9.8o-4squeeze16 +[19 Jun 2014] DLA-0007-1 linux-2.6 - security update + {CVE-2014-3153 CVE-2014-1438} + [squeeze] - linux-2.6 2.6.32-48squeeze7 +[16 Jun 2014] DLA-0006-1 scheme48 - security update + {CVE-2014-4150} + [squeeze] - scheme48 1.8+dfsg-1+deb6u1 +[12 Jun 2014] DLA-0005-1 apt - security update + {CVE-2011-3634 CVE-2014-0478} + [squeeze] - apt 0.8.10.3+squeeze2 +[11 Jun 2014] DLA-0004-1 dovecot - security update + {CVE-2014-3430} + [squeeze] - dovecot 1:1.2.15-7+deb6u1 +[05 Jun 2014] DLA-0003-1 openssl - security update + {CVE-2014-0076 CVE-2014-0195 CVE-2014-0221 CVE-2014-3470 CVE-2014-0224} + [squeeze] - openssl 0.9.8o-4squeeze15 +[04 Jun 2014] DLA-0002-1 chkrootkit - security update + {CVE-2014-0476} + [squeeze] - chkrootkit 0.49-4+deb6u1 +[02 Jun 2014] DLA-0001-1 gnutls26 - security update + {CVE-2014-3466} + [squeeze] - gnutls26 2.8.6-1+squeeze4 ___ Secure-testing-commits mailing 
list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
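Review bot: the DLA-0015-1 entry at the top of the new data/DLA/list lists "CVE-2015-3145" in an advisory dated 12 Jul 2014; a 2015 identifier cannot have existed then, and the squeeze linux-2.6 2.6.32-48squeeze8 fix recorded elsewhere in this list is filed under CVE-2014-3145, so this should read CVE-2014-3145. The CVE set on that line is also unsorted (CVE-2014-4652 CVE-2014-4699 ... CVE-2014-4656 CVE-2014-4667), whereas the other entries in the file list their CVEs in ascending order; keep the ordering consistent so a mistyped identifier stands out.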
[Secure-testing-commits] r27709 - data/CVE
Author: carnil Date: 2014-07-14 05:41:25 + (Mon, 14 Jul 2014) New Revision: 27709 Modified: data/CVE/list Log: Add fixed version for two krb5 CVEs Modified: data/CVE/list === --- data/CVE/list 2014-07-13 23:21:50 UTC (rev 27708) +++ data/CVE/list 2014-07-14 05:41:25 UTC (rev 27709) @@ -898,11 +898,11 @@ RESERVED CVE-2014-4342 [Handle invalid RFC 1964 tokens] RESERVED - - krb5 unfixed (bug #753625) + - krb5 1.12.1+dfsg-4 (bug #753625) NOTE: https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d CVE-2014-4341 [Handle invalid RFC 1964 tokens] RESERVED - - krb5 unfixed (bug #753624) + - krb5 1.12.1+dfsg-4 (bug #753624) NOTE: https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d CVE-2014-4340 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
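Review bot: the two krb5 entries updated here, CVE-2014-4342 and CVE-2014-4341, carry the identical bracketed description "[Handle invalid RFC 1964 tokens]" and the same upstream commit NOTE, so nothing in the list distinguishes them; give each a description that names its specific defect, and since both entries have only an unstable line ("- krb5 1.12.1+dfsg-4 (bug #...)") and no [wheezy]/[squeeze] status, record the stable suite status as the neighbouring entries do.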
[Secure-testing-commits] r27710 - data/CVE
Author: jmm Date: 2014-07-14 05:51:33 + (Mon, 14 Jul 2014) New Revision: 27710 Modified: data/CVE/list Log: fix version entries for squeeze-lts update; the entries in CVE/list refer to unstable, [squeeze] needs to be used for the specific suites Modified: data/CVE/list === --- data/CVE/list 2014-07-14 05:41:25 UTC (rev 27709) +++ data/CVE/list 2014-07-14 05:51:33 UTC (rev 27710) @@ -89,7 +89,8 @@ RESERVED {DSA-2972-1} - linux 3.14.10-1 - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a CVE-2014-4698 RESERVED @@ -188,12 +189,14 @@ [squeeze] - cherokee no-dsa (Minor issue) CVE-2014-4667 (The sctp_association_free function in net/sctp/associola.c in the ...) - linux 3.14.9-1 - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d3217b15a19a4779c39b212358a5c71d725822ee (v3.16-rc1) CVE-2014-4656 (Multiple integer overflows in sound/core/control.c in the ALSA control ...) - linux 3.14.9-1 [wheezy] - linux 3.2.60-1 - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 CVE-2014-4655 (The snd_ctl_elem_add function in sound/core/control.c in the ALSA ...) - linux 3.14.9-1 [wheezy] - linux 3.2.60-1 @@ -2029,7 +2032,8 @@ CVE-2014-3917 (kernel/auditsc.c in the Linux kernel through 3.14.5, when ...) - linux 3.14.7-1 [wheezy] - linux 3.2.60-1 - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: http://article.gmane.org/gmane.linux.kernel/1713179 CVE-2014-3865 (Multiple directory traversal vulnerabilities in dpkg-source in ...) {DSA-2953-1} 
@@ -3484,14 +3488,16 @@ CVE-2014-3145 (The BPF_S_ANC_NLATTR_NEST extension implementation in the ...) {DSA-2949-1} - linux 3.14.4-1 - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: Upstream fix https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3 NOTE: Introduced by https://git.kernel.org/linus/4738c1db1593687713869fa69e733eebc7b0d6d8 NOTE: https://git.kernel.org/linus/d214c7537bbf2f247991fb65b3420b0b3d712c67 CVE-2014-3144 (The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension ...) {DSA-2949-1} - linux 3.14.4-1 - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: Upstream fix https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3 NOTE: Introduced by https://git.kernel.org/linus/4738c1db1593687713869fa69e733eebc7b0d6d8 NOTE: https://git.kernel.org/linus/d214c7537bbf2f247991fb65b3420b0b3d712c67 @@ -4076,7 +4082,8 @@ CVE-2014-3122 (The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel ...) {DSA-2926-1} - linux 3.14.4-1 (bug #747326) - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: Introduced by https://git.kernel.org/linus/b291f000393f5a0b679012b39d79fbc85c018233 NOTE: Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1) CVE-2014-3985 [buffer overflow in miniupnpc] @@ -4968,7 +4975,8 @@ CVE-2014-2678 (The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel ...) - linux 3.13.10-1 [wheezy] - linux 3.2.57-1 - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 NOTE: https://lkml.org/lkml/2014/3/29/188 CVE-2014-2673 (The arch_dup_task_struct function in the Transactional Memory (TM) ...) - linux 3.13.7-1 
@@ -18957,7 +18965,8 @@ NOTE: https://bugs.launchpad.net/horizon/+bug/1237989 CVE-2013-4470 (The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is ...) - linux 3.11.7-1 - - linux-2.6 2.6.32-48squeeze8 + - linux-2.6 removed + [squeeze] - linux-2.6 2.6.32-48squeeze8 [wheezy] - linux 3.2.53-1 CVE-2013-4469 (OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when ...) - nova 2013.2-3 (low; bug #728605) @@ -19227,7 +19236,8 @@ [squeeze] - vlc end-of-life (Unsupported in squeeze-lts) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e CVE-2013-4387 (net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not ...) - - linux-2.6 2.6.32-48squeeze8
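Review bot: the suite-line ordering in the CVE-2013-4470 hunk (@@ -18957) differs from the rest of this commit: the new "[squeeze] - linux-2.6 2.6.32-48squeeze8" line is inserted above the existing "[wheezy] - linux 3.2.53-1" line, while every other hunk here places [wheezy] before [squeeze] (for example the CVE-2014-4656 and CVE-2014-3917 hunks). The "- linux-2.6 removed" plus "[squeeze] - linux-2.6 ..." split itself is correct per the commit log, since the unqualified line describes unstable and the suite-specific version belongs under [squeeze], and it matches the squeeze version already recorded in data/DLA/list for DLA-0015-1; just keep the suite lines in one order.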