[Secure-testing-commits] r23798 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 06:38:08 +0000 (Fri, 27 Sep 2013)
New Revision: 23798

Modified:
   data/CVE/list
Log:
Add CVE-2013-4378, NFU, Javamelody

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 05:43:28 UTC (rev 23797)
+++ data/CVE/list   2013-09-27 06:38:08 UTC (rev 23798)
@@ -3415,8 +3415,9 @@
RESERVED
 CVE-2013-4379
RESERVED
-CVE-2013-4378
+CVE-2013-4378 [blind XSS through X-Forwarded-For header]
RESERVED
+   NOT-FOR-US: Javamelody
 CVE-2013-4377 [qemu host crash from within guest]
RESERVED
- qemu 
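Review bot: the new NOT-FOR-US: Javamelody line has no accompanying NOTE pointing at the upstream advisory, while the bracketed title already commits to a specific vector (blind XSS through the X-Forwarded-For header); other entries in this file follow the package line with a NOTE: URL, and adding one here would let the claim be re-checked later without digging through the commit history.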


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


Re: [Secure-testing-commits] r23796 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
On Fri, Sep 27, 2013 at 08:04:02AM +0200, Moritz Muehlenhoff wrote:
> On Fri, Sep 27, 2013 at 05:31:02AM +0000, Salvatore Bonaccorso wrote:
> > Author: carnil
> > Date: 2013-09-27 05:31:01 +0000 (Fri, 27 Sep 2013)
> > New Revision: 23796
> > 
> > Modified:
> >data/CVE/list
> > Log:
> > Add CVE-2013-5697/libapache-mod-acct (removed)
> > 
> > Note: marking removed, but package was removed already long time ago.
> > More appropriate to mark NFU here?
> 
> If it's no longer part of even oldstable, we can mark it as NFU.
> 
> Once a Debian LTS effort starts we might need to reconsider to allow
> proper tracking of oldoldstable, but for now both is fine.

Ok, and thanks for even reviewing the commit messages and commenting
:)

Regards
Salvatore



Re: [Secure-testing-commits] r23796 - data/CVE

2013-09-26 Thread Moritz Muehlenhoff
On Fri, Sep 27, 2013 at 05:31:02AM +0000, Salvatore Bonaccorso wrote:
> Author: carnil
> Date: 2013-09-27 05:31:01 +0000 (Fri, 27 Sep 2013)
> New Revision: 23796
> 
> Modified:
>data/CVE/list
> Log:
> Add CVE-2013-5697/libapache-mod-acct (removed)
> 
> Note: marking removed, but package was removed already long time ago.
> More appropriate to mark NFU here?

If it's no longer part of even oldstable, we can mark it as NFU.

Once a Debian LTS effort starts we might need to reconsider to allow
proper tracking of oldoldstable, but for now both is fine.

Cheers,
Moritz



[Secure-testing-commits] r23797 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 05:43:28 +0000 (Fri, 27 Sep 2013)
New Revision: 23797

Modified:
   data/CVE/list
Log:
Add some fixed versions for mysql-5.5 CVEs

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-27 05:31:01 UTC (rev 23796)
+++ data/CVE/list   2013-09-27 05:43:28 UTC (rev 23797)
@@ -4979,7 +4979,7 @@
 CVE-2013-3813 (Unspecified vulnerability in Oracle Solaris 10 allows remote 
attackers ...)
NOT-FOR-US: Oracle Solaris
 CVE-2013-3812 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1  (Only affects 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3811 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
@@ -4991,7 +4991,7 @@
- mysql-5.1  (Only affects Mysql 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3809 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1  (Only affects 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3808 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
@@ -5011,13 +5011,13 @@
- mysql-5.1  (Only affects Mysql 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3804 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1 
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3803 (Unspecified vulnerability in the Hyperion BI+ component in 
Oracle ...)
NOT-FOR-US: Oracle Hyperion
 CVE-2013-3802 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1 
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3801 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
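Review bot: in this hunk the mysql-5.1 lines under CVE-2013-3804 and CVE-2013-3802 carry no version-scope annotation, unlike the "(Only affects 5.5 and 5.6)" notes on the surrounding MySQL entries, so a reader cannot tell whether mysql-5.1 is unaffected or still waiting on a fix; add the scope note or a fixed version next to the new 5.5.33+dfsg-1 entries so the two source packages are tracked consistently.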
@@ -5047,7 +5047,7 @@
- mysql-5.1  (Only affects 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3793 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1  (Only affects 5.5 and 5.6)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3792 [virtio-net host DoS]
@@ -5073,7 +5073,7 @@
 CVE-2013-3784 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS 
component ...)
NOT-FOR-US: Oracle PeopleSoft Products
 CVE-2013-3783 (Unspecified vulnerability in the MySQL Server component in 
Oracle ...)
-   - mysql-5.5 
+   - mysql-5.5 5.5.33+dfsg-1
- mysql-5.1  (Only affects 5.5)
NOTE: 
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
 CVE-2013-3782 (Unspecified vulnerability in the Secure Global Desktop 
component in ...)
@@ -10144,7 +10144,7 @@
- apache2 2.4.1-1 (unimportant)
NOTE: Such injection issues are not treated as security issues
 CVE-2013-1861 (MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 
5.2.15, ...)
-   - mysql-5.5  (low; bug #706715)
+   - mysql-5.5 5.5.33+dfsg-1 (low; bug #706715)
- mysql-5.1  (low; bug #706715)
NOTE: https://mariadb.atlassian.net/browse/MDEV-4252
 CVE-2013-1860 (Heap-based buffer overflow in the wdm_in_callback function in 
...)




[Secure-testing-commits] r23796 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-27 05:31:01 +0000 (Fri, 27 Sep 2013)
New Revision: 23796

Modified:
   data/CVE/list
Log:
Add CVE-2013-5697/libapache-mod-acct (removed)

Note: marking removed, but package was removed already long time ago.
More appropriate to mark NFU here?

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-26 21:14:26 UTC (rev 23795)
+++ data/CVE/list   2013-09-27 05:31:01 UTC (rev 23796)
@@ -510,8 +510,9 @@
RESERVED
 CVE-2013-5698 (Cross-site scripting (XSS) vulnerability in Open-Xchange 
AppSuite and ...)
- open-xchange  (bug #269329)
-CVE-2013-5697
+CVE-2013-5697 [Blind SQL Injection]
RESERVED
+   - libapache-mod-acct 
 CVE-2013-5696 (inc/central.class.php in GLPI before 0.84.2 does not attempt to 
make ...)
- glpi  (bug #723837)
NOTE: CVE split pending
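Review bot: the new libapache-mod-acct line records the package as removed (per the commit log), but the follow-up in this thread agrees that a package no longer present even in oldstable should be tracked as NOT-FOR-US; a follow-up commit should switch the entry to NOT-FOR-US: libapache-mod-acct so the tracker does not list an absent package as affected by a blind SQL injection it cannot be fixed for.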




[Secure-testing-commits] r23795 - data/CVE

2013-09-26 Thread Joey Hess
Author: joeyh
Date: 2013-09-26 21:14:26 +0000 (Thu, 26 Sep 2013)
New Revision: 23795

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-26 21:05:28 UTC (rev 23794)
+++ data/CVE/list   2013-09-26 21:14:26 UTC (rev 23795)
@@ -1,3 +1,13 @@
+CVE-2013-5941
+   RESERVED
+CVE-2013-5940
+   RESERVED
+CVE-2013-5939
+   RESERVED
+CVE-2013-5938 (Cross-site scripting (XSS) vulnerability in the Click2Sell 
Suite ...)
+   TODO: check
+CVE-2013-5937 (Cross-site request forgery (CSRF) vulnerability in the 
Click2Sell ...)
+   TODO: check
 CVE-2013-5936 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 
...)
TODO: check
 CVE-2013-5935 (The Hazelcast cluster API in Open-Xchange AppSuite 7.0.x before 
...)
@@ -783,8 +793,7 @@
- linux 
[wheezy] - linux  (KVM for arm introduced in 3.9)
- linux-2.6  (KVM for arm introduced in 3.9)
-CVE-2013-5586 [XSS]
-   RESERVED
+CVE-2013-5586 (Cross-site scripting (XSS) vulnerability in wikka.php in 
WikkaWiki ...)
NOT-FOR-US: WikkaWiki
 CVE-2013-5585
RESERVED
@@ -857,7 +866,7 @@
RESERVED
- joomla  (bug #571794)
 CVE-2013-5575 [integer overflow]
-   RESERVED
+   REJECTED
NOTE: Non-issue, to be rejected
 CVE-2013-5568
RESERVED
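Review bot: with the status line changed to REJECTED, the trailing "NOTE: Non-issue, to be rejected" is now stale; it should say the CVE has been rejected (or be dropped) so the note no longer implies the rejection is still pending.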
@@ -2529,9 +2538,9 @@
RESERVED
 CVE-2013-4775
RESERVED
-CVE-2013-4785 (The web interface for Dell iDRAC 6 firmware 1.7, and possibly 
other ...)
+CVE-2013-4785 (The web interface on the Dell iDRAC6 with firmware before 1.95 
allows ...)
NOT-FOR-US: Dell
-CVE-2013-4783 (The Dell iDRAC 6 BMC implementation allows remote attackers to 
bypass ...)
+CVE-2013-4783 (The Dell iDRAC6 with firmware 1.x before 1.92 and 2.x and 3.x 
before ...)
NOT-FOR-US: Dell
 CVE-2013-4782 (The Supermicro BMC implementation allows remote attackers to 
bypass ...)
NOT-FOR-US: Supermicro
@@ -3450,6 +3459,7 @@
NOTE: CVE for incomplete fix for CVE-2013-4287
 CVE-2013-4362 [Insecure use of system]
RESERVED
+   {DSA-2765-1}
- davfs2 1.4.7-3 (bug #723034)
NOTE: http://savannah.nongnu.org/bugs/?40034
 CVE-2013-4361
@@ -6181,6 +6191,7 @@
 CVE-2013-3279
RESERVED
 CVE-2013-3278
+   RESERVED
NOT-FOR-US: EMC
 CVE-2013-3277 (Open redirect vulnerability in EMC RSA Archer GRC 5.x before 
5.4 ...)
NOT-FOR-US: EMC
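Review bot: after this hunk CVE-2013-3278 carries both a RESERVED status line and the NOT-FOR-US: EMC line that r23791 had put in place of RESERVED, so the automatic update reintroduces exactly the line the manual edit removed; the two markers contradict each other and one should go, and the automatic merge should prefer an existing NOT-FOR-US over re-adding RESERVED.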
@@ -8847,7 +8858,7 @@
[wheezy] - libvirt  (Vulnerable code introduced in with 
commit abf75aea)
[jessie] - libvirt  (Vulnerable code introduced in with 
commit abf75aea)
 CVE-2013-2229
-   RESERVED
+   REJECTED
 CVE-2013-2228 [RSA exponent of 1]
RESERVED
- salt 0.15.1-1
@@ -9568,7 +9579,7 @@
 CVE-2013-2027
RESERVED
 CVE-2013-2026
-   RESERVED
+   REJECTED
 CVE-2013-2025
RESERVED
NOT-FOR-US: Ushahidi
@@ -14737,7 +14748,7 @@
[squeeze] - pyrad  (Minor issue)
NOTE: this is initially related to #700669
 CVE-2013-0341 [external entity expansion]
-   RESERVED
+   REJECTED
- expat  (unimportant)
NOTE: Expat provides API to mitigate expansion attacks, ultimately 
under control of the app using Expat
 CVE-2013-0340 [internal entity expansion]
@@ -21877,16 +21888,16 @@
TODO: check
 CVE-2012-4093 (The Manager component in Cisco Unified Computing System (UCS) 
allows ...)
NOT-FOR-US: Cisco Unified Computing System
-CVE-2012-4092
-   RESERVED
+CVE-2012-4092 (The management interface in the Central Software component in 
Cisco ...)
+   TODO: check
 CVE-2012-4091
RESERVED
 CVE-2012-4090
RESERVED
 CVE-2012-4089 (MCTOOLS in the fabric interconnect in Cisco Unified Computing 
System ...)
TODO: check
-CVE-2012-4088
-   RESERVED
+CVE-2012-4088 (The FTP server in Cisco Unified Computing System (UCS) has a 
hardcoded ...)
+   TODO: check
 CVE-2012-4087 (A cluster setup script for fabric interconnect devices in Cisco 
...)
TODO: check
 CVE-2012-4086 (A setup script for fabric interconnect devices in Cisco Unified 
...)
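Review bot: the Cisco UCS entries that gain descriptions in this hunk are left at "TODO: check", while the adjacent CVE-2012-4093 in the same hunk is already NOT-FOR-US: Cisco Unified Computing System; since the visible descriptions name Cisco UCS components, these TODOs can be resolved the same way rather than left open.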
@@ -21903,8 +21914,8 @@
NOT-FOR-US: Cisco
 CVE-2012-4080
RESERVED
-CVE-2012-4079
-   RESERVED
+CVE-2012-4079 (The XML API service in the Fabric Interconnect component in 
Cisco ...)
+   TODO: check
 CVE-2012-4078 (The Baseboard Management Controller (BMC) in Cisco Unified 
Computing ...)
TODO: check
 CVE-2012-4077




[Secure-testing-commits] r23794 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-26 21:05:28 +0000 (Thu, 26 Sep 2013)
New Revision: 23794

Modified:
   data/CVE/list
Log:
Add CVE-2013-4377/qemu

NOTE: only added to tracker so far, needs basic check first if affected
versions present, and report to BTS.

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-26 19:30:57 UTC (rev 23793)
+++ data/CVE/list   2013-09-26 21:05:28 UTC (rev 23794)
@@ -3407,8 +3407,11 @@
RESERVED
 CVE-2013-4378
RESERVED
-CVE-2013-4377
+CVE-2013-4377 [qemu host crash from within guest]
RESERVED
+   - qemu 
+   NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440
+   TODO: check
 CVE-2013-4376 [arbitrary code as the x2go user]
RESERVED
- x2goserver  (bug #465821)
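Review bot: the qemu package line carries neither a fixed version nor a bug number, which matches the commit log's "needs basic check first", but the TODO: check line is the only marker of that state; once the affected versions are confirmed and the BTS report filed, the bug reference belongs on the package line as with "- x2goserver (bug #465821)" in the context below, and the patches NOTE already gives the reviewer what is needed for that check.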




[Secure-testing-commits] r23793 - data/CVE

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-26 19:30:57 +0000 (Thu, 26 Sep 2013)
New Revision: 23793

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2012-5524/gajim

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-26 18:09:58 UTC (rev 23792)
+++ data/CVE/list   2013-09-26 19:30:57 UTC (rev 23793)
@@ -17835,7 +17835,7 @@
- xen  (Only affects Xen 4.2 and xen-unstable)
 CVE-2012-5524
RESERVED
-   - gajim  (low; bug #693282)
+   - gajim 0.15.4-1 (low; bug #693282)
[wheezy] - gajim  (Minor issue)
[squeeze] - gajim  (Minor issue)
 CVE-2012-5523 (core/email_api.php in MantisBT before 1.2.12 does not properly 
manage ...)




[Secure-testing-commits] r23792 - data

2013-09-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2013-09-26 18:09:58 +0000 (Thu, 26 Sep 2013)
New Revision: 23792

Modified:
   data/embedded-code-copies
Log:
lnav embeds yajl, add a bug report for reference

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2013-09-26 16:15:29 UTC (rev 23791)
+++ data/embedded-code-copies   2013-09-26 18:09:58 UTC (rev 23792)
@@ -1147,6 +1147,7 @@
 yajl
- argyll  (embed; bug #544223)
NOTE: reference, confirmed by build logs: 
http://lists.debian.org/debian-mentors/2009/08/msg00062.html
+   - lnav  (embed; bug #724693)
 
 nusoap
- gforge 4.8.2-1 (embed)




[Secure-testing-commits] r23791 - data/CVE

2013-09-26 Thread Henri Salo
Author: fgeek-guest
Date: 2013-09-26 16:15:29 +0000 (Thu, 26 Sep 2013)
New Revision: 23791

Modified:
   data/CVE/list
Log:
NFU CVE-2013-3278

Modified: data/CVE/list
===
--- data/CVE/list   2013-09-26 14:52:07 UTC (rev 23790)
+++ data/CVE/list   2013-09-26 16:15:29 UTC (rev 23791)
@@ -6178,7 +6178,7 @@
 CVE-2013-3279
RESERVED
 CVE-2013-3278
-   RESERVED
+   NOT-FOR-US: EMC
 CVE-2013-3277 (Open redirect vulnerability in EMC RSA Archer GRC 5.x before 
5.4 ...)
NOT-FOR-US: EMC
 CVE-2013-3276 (EMC RSA Archer GRC 5.x before 5.4 allows remote authenticated 
users to ...)




[Secure-testing-commits] r23790 - in data: . DSA

2013-09-26 Thread Luciano Bello
Author: luciano
Date: 2013-09-26 14:52:07 +0000 (Thu, 26 Sep 2013)
New Revision: 23790

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
DSA-2765-1: davfs2

Modified: data/DSA/list
===
--- data/DSA/list   2013-09-26 06:41:10 UTC (rev 23789)
+++ data/DSA/list   2013-09-26 14:52:07 UTC (rev 23790)
@@ -1,3 +1,7 @@
+[26 Sep 2013] DSA-2765-1 davfs2 - privilege escalation
+   {CVE-2013-4362}
+   [squeeze] - davfs2 1.4.6-1.1+squeeze1
+   [wheezy] - davfs2 1.4.6-1.1+deb7u1
 [25 Sep 2013] DSA-2764-1 libvirt - programming error
{CVE-2013-4296}
[wheezy] - libvirt 0.9.12-11+deb7u4

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2013-09-26 06:41:10 UTC (rev 23789)
+++ data/dsa-needed.txt 2013-09-26 14:52:07 UTC (rev 23790)
@@ -15,8 +15,6 @@
 --
 apache2 (sf)
 --
-davfs2 (luciano)
---
 drupal6/oldstable
 --
 eglibc

