[Secure-testing-commits] r23798 - data/CVE
Author: carnil Date: 2013-09-27 06:38:08 + (Fri, 27 Sep 2013) New Revision: 23798 Modified: data/CVE/list Log: Add CVE-2013-4378, NFU, Javamelody Modified: data/CVE/list === --- data/CVE/list 2013-09-27 05:43:28 UTC (rev 23797) +++ data/CVE/list 2013-09-27 06:38:08 UTC (rev 23798) @@ -3415,8 +3415,9 @@ RESERVED CVE-2013-4379 RESERVED -CVE-2013-4378 +CVE-2013-4378 [blind XSS through X-Forwarded-For header] RESERVED + NOT-FOR-US: Javamelody CVE-2013-4377 [qemu host crash from within guest] RESERVED - qemu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
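Review bot: the NOT-FOR-US: Javamelody line records the triage decision without a source for the [blind XSS through X-Forwarded-For header] summary; other entries in this list carry a NOTE: with the upstream reference (the mysql entries cite the Oracle CPU page). Add one so the NFU call can be rechecked if javamelody later turns up as a package or as an embedded copy in a Java application.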
Re: [Secure-testing-commits] r23796 - data/CVE
On Fri, Sep 27, 2013 at 08:04:02AM +0200, Moritz Muehlenhoff wrote:
> On Fri, Sep 27, 2013 at 05:31:02AM +, Salvatore Bonaccorso wrote:
> > Author: carnil
> > Date: 2013-09-27 05:31:01 + (Fri, 27 Sep 2013)
> > New Revision: 23796
> >
> > Modified:
> >    data/CVE/list
> > Log:
> > Add CVE-2013-5697/libapache-mod-acct (removed)
> >
> > Note: marking removed, but package was removed already a long time ago.
> > More appropriate to mark NFU here?
>
> If it's no longer part of even oldstable, we can mark it as NFU.
>
> Once a Debian LTS effort starts we might need to reconsider to allow
> proper tracking of oldoldstable, but for now both is fine.

Ok, and thanks for even reviewing the commit messages and commenting :)

Regards
Salvatore
Re: [Secure-testing-commits] r23796 - data/CVE
On Fri, Sep 27, 2013 at 05:31:02AM +, Salvatore Bonaccorso wrote:
> Author: carnil
> Date: 2013-09-27 05:31:01 + (Fri, 27 Sep 2013)
> New Revision: 23796
>
> Modified:
>    data/CVE/list
> Log:
> Add CVE-2013-5697/libapache-mod-acct (removed)
>
> Note: marking removed, but package was removed already a long time ago.
> More appropriate to mark NFU here?

If it's no longer part of even oldstable, we can mark it as NFU.

Once a Debian LTS effort starts we might need to reconsider to allow
proper tracking of oldoldstable, but for now both is fine.

Cheers,
Moritz
[Secure-testing-commits] r23797 - data/CVE
Author: carnil Date: 2013-09-27 05:43:28 + (Fri, 27 Sep 2013) New Revision: 23797 Modified: data/CVE/list Log: Add some fixed version for mysql-5.5 CVEs Modified: data/CVE/list === --- data/CVE/list 2013-09-27 05:31:01 UTC (rev 23796) +++ data/CVE/list 2013-09-27 05:43:28 UTC (rev 23797) @@ -4979,7 +4979,7 @@ CVE-2013-3813 (Unspecified vulnerability in Oracle Solaris 10 allows remote attackers ...) NOT-FOR-US: Oracle Solaris CVE-2013-3812 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - - mysql-5.5 + - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 (Only affects 5.5 and 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3811 (Unspecified vulnerability in the MySQL Server component in Oracle ...) @@ -4991,7 +4991,7 @@ - mysql-5.1 (Only affects Mysql 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3809 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - - mysql-5.5 + - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 (Only affects 5.5 and 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3808 (Unspecified vulnerability in the MySQL Server component in Oracle ...) 
@@ -5011,13 +5011,13 @@ - mysql-5.1 (Only affects Mysql 5.5 and 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3804 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - - mysql-5.5 + - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3803 (Unspecified vulnerability in the Hyperion BI+ component in Oracle ...) NOT-FOR-US: Oracle Hyperion CVE-2013-3802 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - - mysql-5.5 + - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3801 (Unspecified vulnerability in the MySQL Server component in Oracle ...) @@ -5047,7 +5047,7 @@ - mysql-5.1 (Only affects 5.5 and 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3793 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - - mysql-5.5 + - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 (Only affects 5.5 and 5.6) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3792 [virtio-net host DoS] @@ -5073,7 +5073,7 @@ CVE-2013-3784 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS component ...) NOT-FOR-US: Oracle PeopleSoft Products CVE-2013-3783 (Unspecified vulnerability in the MySQL Server component in Oracle ...) - - mysql-5.5 + - mysql-5.5 5.5.33+dfsg-1 - mysql-5.1 (Only affects 5.5) NOTE: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html CVE-2013-3782 (Unspecified vulnerability in the Secure Global Desktop component in ...) 
@@ -10144,7 +10144,7 @@ - apache2 2.4.1-1 (unimportant) NOTE: Such injection issues are not treated as security issues CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, ...) - - mysql-5.5 (low; bug #706715) + - mysql-5.5 5.5.33+dfsg-1 (low; bug #706715) - mysql-5.1 (low; bug #706715) NOTE: https://mariadb.atlassian.net/browse/MDEV-4252 CVE-2013-1860 (Heap-based buffer overflow in the wdm_in_callback function in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
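Review bot: 5.5.33+dfsg-1 is recorded as the fixed version on six cpujuly2013 entries (CVE-2013-3812, CVE-2013-3809, CVE-2013-3804, CVE-2013-3802, CVE-2013-3793, CVE-2013-3783) with nothing in the hunks saying why that upload fixes them; the only NOTE: on each is the Oracle CPU URL. Add a NOTE: with the changelog or upstream 5.5.33 reference once in the series so the version can be verified. The mysql-5.1 lines stay unversioned with '(Only affects 5.5 and 5.6)' as their only annotation, which leaves 5.1 looking unfixed where the note says unaffected; an explicit not-affected status rather than free text would make that unambiguous.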
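Review bot: CVE-2013-1861 is the MariaDB issue whose only NOTE: points at MDEV-4252; recording 5.5.33+dfsg-1 as the fixed mysql-5.5 version asserts that Oracle's 5.5.33 carries the corresponding fix, which the visible reference does not establish. Add the MySQL bug or changelog entry that confirms it, and say whether mysql-5.1 (still unversioned at low severity with bug #706715) is expected to get the same fix.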
[Secure-testing-commits] r23796 - data/CVE
Author: carnil Date: 2013-09-27 05:31:01 + (Fri, 27 Sep 2013) New Revision: 23796 Modified: data/CVE/list Log: Add CVE-2013-5697/libapache-mod-acct (removed) Note: marking removed, but package was removed already long time ago. More appropriate to mark NFU here? Modified: data/CVE/list === --- data/CVE/list 2013-09-26 21:14:26 UTC (rev 23795) +++ data/CVE/list 2013-09-27 05:31:01 UTC (rev 23796) @@ -510,8 +510,9 @@ RESERVED CVE-2013-5698 (Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite and ...) - open-xchange (bug #269329) -CVE-2013-5697 +CVE-2013-5697 [Blind SQL Injection] RESERVED + - libapache-mod-acct CVE-2013-5696 (inc/central.class.php in GLPI before 0.84.2 does not attempt to make ...) - glpi (bug #723837) NOTE: CVE split pending ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
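Review bot: the added package line arrives as a bare '- libapache-mod-acct' with no version or status even though the log says the package is removed; check that the intended removed status survived the commit, since angle-bracket tokens are easily lost when a diff is rendered in mail. The [Blind SQL Injection] summary also has no NOTE: with its source. Per the follow-up in this thread, NOT-FOR-US is acceptable if the package is gone from oldstable as well, so either status works as long as the reference is recorded.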
[Secure-testing-commits] r23795 - data/CVE
Author: joeyh Date: 2013-09-26 21:14:26 + (Thu, 26 Sep 2013) New Revision: 23795 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2013-09-26 21:05:28 UTC (rev 23794) +++ data/CVE/list 2013-09-26 21:14:26 UTC (rev 23795) @@ -1,3 +1,13 @@ +CVE-2013-5941 + RESERVED +CVE-2013-5940 + RESERVED +CVE-2013-5939 + RESERVED +CVE-2013-5938 (Cross-site scripting (XSS) vulnerability in the Click2Sell Suite ...) + TODO: check +CVE-2013-5937 (Cross-site request forgery (CSRF) vulnerability in the Click2Sell ...) + TODO: check CVE-2013-5936 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before ...) TODO: check CVE-2013-5935 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before ...) @@ -783,8 +793,7 @@ - linux [wheezy] - linux (KVM for arm introduced in 3.9) - linux-2.6 (KVM for arm introduced in 3.9) -CVE-2013-5586 [XSS] - RESERVED +CVE-2013-5586 (Cross-site scripting (XSS) vulnerability in wikka.php in WikkaWiki ...) NOT-FOR-US: WikkaWiki CVE-2013-5585 RESERVED @@ -857,7 +866,7 @@ RESERVED - joomla (bug #571794) CVE-2013-5575 [integer overflow] - RESERVED + REJECTED NOTE: Non-issue, to be rejected CVE-2013-5568 RESERVED @@ -2529,9 +2538,9 @@ RESERVED CVE-2013-4775 RESERVED -CVE-2013-4785 (The web interface for Dell iDRAC 6 firmware 1.7, and possibly other ...) +CVE-2013-4785 (The web interface on the Dell iDRAC6 with firmware before 1.95 allows ...) NOT-FOR-US: Dell -CVE-2013-4783 (The Dell iDRAC 6 BMC implementation allows remote attackers to bypass ...) +CVE-2013-4783 (The Dell iDRAC6 with firmware 1.x before 1.92 and 2.x and 3.x before ...) NOT-FOR-US: Dell CVE-2013-4782 (The Supermicro BMC implementation allows remote attackers to bypass ...) NOT-FOR-US: Supermicro @@ -3450,6 +3459,7 @@ NOTE: CVE for incomplete fix for CVE-2013-4287 CVE-2013-4362 [Insecure use of system] RESERVED + {DSA-2765-1} - davfs2 1.4.7-3 (bug #723034) NOTE: http://savannah.nongnu.org/bugs/?40034 CVE-2013-4361 
@@ -6181,6 +6191,7 @@ CVE-2013-3279 RESERVED CVE-2013-3278 + RESERVED NOT-FOR-US: EMC CVE-2013-3277 (Open redirect vulnerability in EMC RSA Archer GRC 5.x before 5.4 ...) NOT-FOR-US: EMC @@ -8847,7 +8858,7 @@ [wheezy] - libvirt (Vulnerable code introduced in with commit abf75aea) [jessie] - libvirt (Vulnerable code introduced in with commit abf75aea) CVE-2013-2229 - RESERVED + REJECTED CVE-2013-2228 [RSA exponent of 1] RESERVED - salt 0.15.1-1 @@ -9568,7 +9579,7 @@ CVE-2013-2027 RESERVED CVE-2013-2026 - RESERVED + REJECTED CVE-2013-2025 RESERVED NOT-FOR-US: Ushahidi @@ -14737,7 +14748,7 @@ [squeeze] - pyrad (Minor issue) NOTE: this is initially related to #700669 CVE-2013-0341 [external entity expansion] - RESERVED + REJECTED - expat (unimportant) NOTE: Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat CVE-2013-0340 [internal entity expansion] @@ -21877,16 +21888,16 @@ TODO: check CVE-2012-4093 (The Manager component in Cisco Unified Computing System (UCS) allows ...) NOT-FOR-US: Cisco Unified Computing System -CVE-2012-4092 - RESERVED +CVE-2012-4092 (The management interface in the Central Software component in Cisco ...) + TODO: check CVE-2012-4091 RESERVED CVE-2012-4090 RESERVED CVE-2012-4089 (MCTOOLS in the fabric interconnect in Cisco Unified Computing System ...) TODO: check -CVE-2012-4088 - RESERVED +CVE-2012-4088 (The FTP server in Cisco Unified Computing System (UCS) has a hardcoded ...) + TODO: check CVE-2012-4087 (A cluster setup script for fabric interconnect devices in Cisco ...) TODO: check CVE-2012-4086 (A setup script for fabric interconnect devices in Cisco Unified ...) 
@@ -21903,8 +21914,8 @@ NOT-FOR-US: Cisco CVE-2012-4080 RESERVED -CVE-2012-4079 - RESERVED +CVE-2012-4079 (The XML API service in the Fabric Interconnect component in Cisco ...) + TODO: check CVE-2012-4078 (The Baseboard Management Controller (BMC) in Cisco Unified Computing ...) TODO: check CVE-2012-4077 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
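Review bot: CVE-2013-5575 moves from RESERVED to REJECTED but keeps 'NOTE: Non-issue, to be rejected', which is now stale; drop or reword it. CVE-2013-0341 likewise becomes REJECTED while still carrying '- expat (unimportant)' and its mitigation NOTE:; if the CVE is rejected the package line should go with it, or the note should say why the entry is kept.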
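Review bot: CVE-2012-4092, CVE-2012-4088 and CVE-2012-4079 get their descriptions with a 'TODO: check', yet all three are Cisco Unified Computing System issues and the neighbouring UCS entry CVE-2012-4093 is already 'NOT-FOR-US: Cisco Unified Computing System'. Triaging them NOT-FOR-US in the same pass avoids accumulating TODO items that need no further research.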
[Secure-testing-commits] r23794 - data/CVE
Author: carnil Date: 2013-09-26 21:05:28 + (Thu, 26 Sep 2013) New Revision: 23794 Modified: data/CVE/list Log: Add CVE-2013-4377/qemu NOTE: only added to tracker so far, needs basic check first if affected versions present, and report to BTS. Modified: data/CVE/list === --- data/CVE/list 2013-09-26 19:30:57 UTC (rev 23793) +++ data/CVE/list 2013-09-26 21:05:28 UTC (rev 23794) @@ -3407,8 +3407,11 @@ RESERVED CVE-2013-4378 RESERVED -CVE-2013-4377 +CVE-2013-4377 [qemu host crash from within guest] RESERVED + - qemu + NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440 + TODO: check CVE-2013-4376 [arbitrary code as the x2go user] RESERVED - x2goserver (bug #465821) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
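Review bot: the entry carries 'TODO: check' and the patches NOTE:, but the log's second step, reporting to the BTS, leaves no trace in it; once the bug is filed, put the number on the package line as '(bug #NNN)' the way the x2goserver entry below does. Only qemu is listed, so also check whether any other source package building the same qemu device code needs its own line.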
[Secure-testing-commits] r23793 - data/CVE
Author: carnil Date: 2013-09-26 19:30:57 + (Thu, 26 Sep 2013) New Revision: 23793 Modified: data/CVE/list Log: Add fixed version for CVE-2012-5524/gajim Modified: data/CVE/list === --- data/CVE/list 2013-09-26 18:09:58 UTC (rev 23792) +++ data/CVE/list 2013-09-26 19:30:57 UTC (rev 23793) @@ -17835,7 +17835,7 @@ - xen (Only affects Xen 4.2 and xen-unstable) CVE-2012-5524 RESERVED - - gajim (low; bug #693282) + - gajim 0.15.4-1 (low; bug #693282) [wheezy] - gajim (Minor issue) [squeeze] - gajim (Minor issue) CVE-2012-5523 (core/email_api.php in MantisBT before 1.2.12 does not properly manage ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
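Review bot: the fixed version 0.15.4-1 is added to an entry that is still RESERVED with no description and no NOTE:; only bug #693282 ties it to anything. Add a NOTE: with the upstream commit or changelog line showing that 0.15.4-1 contains the fix, so the version can be checked against the bug without reading the package changelog.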
[Secure-testing-commits] r23792 - data
Author: carnil Date: 2013-09-26 18:09:58 + (Thu, 26 Sep 2013) New Revision: 23792 Modified: data/embedded-code-copies Log: lnav embedds yajl, add a bugreport for reference Modified: data/embedded-code-copies === --- data/embedded-code-copies 2013-09-26 16:15:29 UTC (rev 23791) +++ data/embedded-code-copies 2013-09-26 18:09:58 UTC (rev 23792) @@ -1147,6 +1147,7 @@ yajl - argyll (embed; bug #544223) NOTE: reference, confirmed by build logs: http://lists.debian.org/debian-mentors/2009/08/msg00062.html + - lnav (embed; bug #724693) nusoap - gforge 4.8.2-1 (embed) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
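Review bot: the new lnav line gives only the bug number, whereas the argyll entry above records how the embedding was confirmed (build logs). Note the evidence for lnav as well, and whether the bundled yajl can be replaced by the system library at build time, since that decides whether future yajl CVEs need a matching lnav line.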
[Secure-testing-commits] r23791 - data/CVE
Author: fgeek-guest Date: 2013-09-26 16:15:29 + (Thu, 26 Sep 2013) New Revision: 23791 Modified: data/CVE/list Log: NFU CVE-2013-3278 Modified: data/CVE/list === --- data/CVE/list 2013-09-26 14:52:07 UTC (rev 23790) +++ data/CVE/list 2013-09-26 16:15:29 UTC (rev 23791) @@ -6178,7 +6178,7 @@ CVE-2013-3279 RESERVED CVE-2013-3278 - RESERVED + NOT-FOR-US: EMC CVE-2013-3277 (Open redirect vulnerability in EMC RSA Archer GRC 5.x before 5.4 ...) NOT-FOR-US: EMC CVE-2013-3276 (EMC RSA Archer GRC 5.x before 5.4 allows remote authenticated users to ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
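Review bot: the RESERVED line is replaced by 'NOT-FOR-US: EMC' instead of being kept above it, and the next automatic update (r23795 in this digest) re-adds 'RESERVED' to CVE-2013-3278, so the entry churns. Keep the RESERVED line and add the NOT-FOR-US line under it, as CVE-2013-4378 and the other reserved-but-triaged entries do.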
[Secure-testing-commits] r23790 - in data: . DSA
Author: luciano Date: 2013-09-26 14:52:07 + (Thu, 26 Sep 2013) New Revision: 23790 Modified: data/DSA/list data/dsa-needed.txt Log: DSA-2765-1: davfs2 Modified: data/DSA/list === --- data/DSA/list 2013-09-26 06:41:10 UTC (rev 23789) +++ data/DSA/list 2013-09-26 14:52:07 UTC (rev 23790) @@ -1,3 +1,7 @@ +[26 Sep 2013] DSA-2765-1 davfs2 - privilege escalation + {CVE-2013-4362} + [squeeze] - davfs2 1.4.6-1.1+squeeze1 + [wheezy] - davfs2 1.4.6-1.1+deb7u1 [25 Sep 2013] DSA-2764-1 libvirt - programming error {CVE-2013-4296} [wheezy] - libvirt 0.9.12-11+deb7u4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-09-26 06:41:10 UTC (rev 23789) +++ data/dsa-needed.txt 2013-09-26 14:52:07 UTC (rev 23790) @@ -15,8 +15,6 @@ -- apache2 (sf) -- -davfs2 (luciano) --- drupal6/oldstable -- eglibc ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
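Review bot: the {DSA-2765-1} cross-reference on CVE-2013-4362 in data/CVE/list is not part of this commit and only shows up in the later automatic update r23795; when committing a DSA, add the cross-reference in the same revision so the two files do not disagree in between. The version pair itself is consistent (both stable versions derive from 1.4.6-1.1, and the CVE entry separately records the unstable fix 1.4.7-3), and the dsa-needed.txt removal matches.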