[Secure-testing-commits] r33181 - data/CVE
Author: carnil Date: 2015-03-27 06:35:11 + (Fri, 27 Mar 2015) New Revision: 33181 Modified: data/CVE/list Log: Update CVE-2015-0283/slapi-nis Modified: data/CVE/list === --- data/CVE/list 2015-03-27 06:00:33 UTC (rev 33180) +++ data/CVE/list 2015-03-27 06:35:11 UTC (rev 33181) @@ -8776,10 +8776,10 @@ CVE-2015-0284 RESERVED NOT-FOR-US: Red Hat Satellite -CVE-2015-0283 +CVE-2015-0283 [infinite loop in getgrnam_r() and getgrgid_r()] RESERVED + - slapi-nis TODO: check - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1195729 CVE-2015-0282 (GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature ...) {DSA-3191-1 DLA-180-1} - gnutls26 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
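Review bot: the "TODO: check" line is kept after the package is attributed to slapi-nis, so the entry still reads as unresolved; if the check is done, record the outcome on the "- slapi-nis" line (a fixed version or a bug number), otherwise say what remains to be checked.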
[Secure-testing-commits] r33180 - data/CVE
Author: fgeek-guest Date: 2015-03-27 06:00:33 + (Fri, 27 Mar 2015) New Revision: 33180 Modified: data/CVE/list Log: NFU, external check Modified: data/CVE/list === --- data/CVE/list 2015-03-26 21:25:59 UTC (rev 33179) +++ data/CVE/list 2015-03-27 06:00:33 UTC (rev 33180) @@ -2257,6 +2257,7 @@ RESERVED CVE-2015-1841 RESERVED + NOT-FOR-US: RHEV CVE-2015-1840 RESERVED CVE-2015-1839 @@ -8777,6 +8778,8 @@ NOT-FOR-US: Red Hat Satellite CVE-2015-0283 RESERVED + TODO: check + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1195729 CVE-2015-0282 (GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature ...) {DSA-3191-1 DLA-180-1} - gnutls26 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33179 - data/CVE
Author: carnil Date: 2015-03-26 21:25:59 + (Thu, 26 Mar 2015) New Revision: 33179 Modified: data/CVE/list Log: Remove notes for dulwich, now accepted into t-p-u Modified: data/CVE/list === --- data/CVE/list 2015-03-26 21:13:12 UTC (rev 33178) +++ data/CVE/list 2015-03-26 21:25:59 UTC (rev 33179) @@ -843,7 +843,6 @@ RESERVED - dulwich 0.10.1-1 (bug #780989) [jessie] - dulwich 0.9.7-3 - NOTE: not yet accepted in jessie NOTE: Patch: https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176 NOTE: http://www.openwall.com/lists/oss-security/2015/03/21/1 CVE-2015-2348 @@ -5578,7 +5577,6 @@ RESERVED - dulwich 0.10.1-1 (bug #780958) [jessie] - dulwich 0.9.7-3 - NOTE: not yet accepted in jessie CVE-2015-0837 [data-dependent timing variations in modular exponentiation] RESERVED {DSA-3185-1 DSA-3184-1 DLA-175-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33178 - in data: . CVE
Author: jmm Date: 2015-03-26 21:13:12 + (Thu, 26 Mar 2015) New Revision: 33178 Modified: data/CVE/list data/dsa-needed.txt Log: two typo3 no-dsa take freexl Modified: data/CVE/list === --- data/CVE/list 2015-03-26 21:10:15 UTC (rev 33177) +++ data/CVE/list 2015-03-26 21:13:12 UTC (rev 33178) @@ -6452,11 +6452,13 @@ NOT-FOR-US: TP-Link TL-WR840N router CVE-2014-9509 (The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x ...) - typo3-src + [wheezy] - typo3-src (Can be worked around by configuration knobs) [squeeze] - typo3-src (Unsupported in squeeze-lts) NOTE: Solution is to remove he configuration options config.prefixLocalAnchors NOTE: (and optionally also config.baseUrl) in favor of config.absRefPrefix CVE-2014-9508 (The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x ...) - typo3-src 4.5.40+dfsg1-1 (bug #775105) + [wheezy] - typo3-src (Can be worked around by configuration knobs) [squeeze] - typo3-src (Unsupported in squeeze-lts) NOTE: https://review.typo3.org/#/c/35222/ NOTE: https://review.typo3.org/gitweb?p=Packages/TYPO3.CMS.git;a=commitdiff;h=63ae7ddd11d284a121f23ce86282e3149bc16f96 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-03-26 21:10:15 UTC (rev 33177) +++ data/dsa-needed.txt 2015-03-26 21:13:12 UTC (rev 33178) @@ -23,7 +23,7 @@ eglibc (aurel32) some of the other no-dsa bugs could be fixed along -- -freexl +freexl (jmm) -- icu -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
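Review bot: in the typo3-src hunk, the unstable line for CVE-2014-9509 is a bare "- typo3-src" with neither a fixed version nor a bug number, while CVE-2014-9508 directly below carries "typo3-src 4.5.40+dfsg1-1 (bug #775105)"; if the same upload fixed both, add the version and bug there too. Worth fixing in the same commit: the context line "NOTE: Solution is to remove he configuration options" is missing the "t" in "the".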
[Secure-testing-commits] r33177 - data/CVE
Author: sectracker Date: 2015-03-26 21:10:15 + (Thu, 26 Mar 2015) New Revision: 33177 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2015-03-26 19:25:13 UTC (rev 33176) +++ data/CVE/list 2015-03-26 21:10:15 UTC (rev 33177) @@ -1,3 +1,93 @@ +CVE-2015-2745 + RESERVED +CVE-2015-2744 + RESERVED +CVE-2015-2743 + RESERVED +CVE-2015-2742 + RESERVED +CVE-2015-2741 + RESERVED +CVE-2015-2740 + RESERVED +CVE-2015-2739 + RESERVED +CVE-2015-2738 + RESERVED +CVE-2015-2737 + RESERVED +CVE-2015-2736 + RESERVED +CVE-2015-2735 + RESERVED +CVE-2015-2734 + RESERVED +CVE-2015-2733 + RESERVED +CVE-2015-2732 + RESERVED +CVE-2015-2731 + RESERVED +CVE-2015-2730 + RESERVED +CVE-2015-2729 + RESERVED +CVE-2015-2728 + RESERVED +CVE-2015-2727 + RESERVED +CVE-2015-2726 + RESERVED +CVE-2015-2725 + RESERVED +CVE-2015-2724 + RESERVED +CVE-2015-2723 + RESERVED +CVE-2015-2722 + RESERVED +CVE-2015-2721 + RESERVED +CVE-2015-2720 + RESERVED +CVE-2015-2719 + RESERVED +CVE-2015-2718 + RESERVED +CVE-2015-2717 + RESERVED +CVE-2015-2716 + RESERVED +CVE-2015-2715 + RESERVED +CVE-2015-2714 + RESERVED +CVE-2015-2713 + RESERVED +CVE-2015-2712 + RESERVED +CVE-2015-2711 + RESERVED +CVE-2015-2710 + RESERVED +CVE-2015-2709 + RESERVED +CVE-2015-2708 + RESERVED +CVE-2015-2707 + RESERVED +CVE-2015-2706 + RESERVED +CVE-2015-2705 + RESERVED +CVE-2015-2703 (Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON ...) + TODO: check +CVE-2015-2702 (Cross-site scripting (XSS) vulnerability in the Message Log in the ...) + TODO: check +CVE-2015-2701 (Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 ...) + TODO: check +CVE-2014-9711 (Multiple cross-site scripting (XSS) vulnerabilities in the ...) + TODO: check CVE-2015-2700 RESERVED CVE-2015-2699 
@@ -25,6 +115,7 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89205 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/25/6 CVE-2015-2704 [Retrieve info destined for config files after join] + RESERVED - realmd (bug #781179) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89207 CVE-2015- [Multiple vulnerabilities] @@ -48,7 +139,7 @@ TODO: check CVE-2015-2677 (Multiple cross-site scripting (XSS) vulnerabilities in ocPortal before ...) TODO: check -CVE-2015-2676 (Cross-site request forgery (CSRF) vulnerability in the Asus RT-G32 ...) +CVE-2015-2676 (Cross-site request forgery (CSRF) vulnerability in the ASUS RT-G32 ...) NOT-FOR-US: Asus CVE-2015-2689 [Assertion failure in dns.c, possibly connected to UDP DoS attack] RESERVED @@ -789,8 +880,7 @@ NOT-FOR-US: MyBB CVE-2015-2332 (Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka ...) NOT-FOR-US: MyBB -CVE-2015-2559 [SA-CORE-2015-001: Access bypass] - RESERVED +CVE-2015-2559 (Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated ...) {DSA-3200-1} - drupal7 7.32-1+deb8u2 (bug #780772) - drupal6 @@ -830,15 +920,13 @@ RESERVED CVE-2015-2321 RESERVED -CVE-2015-2317 [Mitigated possible XSS attack via user-supplied redirect URLs] - RESERVED +CVE-2015-2317 (The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, ...) {DSA-3204-1} - python-django 1.7.7-1 (bug #780873) [squeeze] - python-django (Minor issue, can wait next security upload) NOTE: https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b (1.4.x) NOTE: https://github.com/django/django/commit/2a4113dbd532ce952308992633d802dc169a75f1 (1.7.x) -CVE-2015-2316 [Denial-of-service possibility with strip_tags()] - RESERVED +CVE-2015-2316 (The utils.html.strip_tags function in Django 1.6.x before 1.6.11, ...) - python-django 1.7.7-1 (bug #780874) [wheezy] - python-django (vulnerable code not present) [squeeze] - python-django (vulnerable code not present) 
@@ -5868,10 +5956,10 @@ RESERVED CVE-2015-0674 RESERVED -CVE-2015-0673 - RESERVED -CVE-2015-0672 - RESERVED +CVE-2015-0673 (Cisco Mobility Services Engine (MSE) 8.0(110.0) allows remote ...) + TODO: check +CVE-2015-0672 (The DHCPv4 server in Cisco IOS XR 5.2.2 on ASR 9000 devices allows ...) + TODO: check CVE-2015-0671 (The DNS implementation in Cisco Videoscape Distribution Suite for ...) TODO: check CVE-2015-0670 (The default configuration of Cisco Small Business IP phones SPA 300 ...) @@ -5914,52 +6002,37 @@ NOT-FOR-US: Cisco CVE-2015-0651 (Cross-site requ
[Secure-testing-commits] r33176 - data/CVE
Author: carnil Date: 2015-03-26 19:25:13 + (Thu, 26 Mar 2015) New Revision: 33176 Modified: data/CVE/list Log: Add fixed version for wireshark, #780372 Modified: data/CVE/list === --- data/CVE/list 2015-03-26 19:23:27 UTC (rev 33175) +++ data/CVE/list 2015-03-26 19:25:13 UTC (rev 33176) 
@@ -1325,32 +1325,32 @@ RESERVED NOT-FOR-US: Evergreen library CVE-2015-2192 (Integer overflow in the dissect_osd2_cdb_continuation function in ...) - - wireshark (bug #780372) + - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Only affects 1.12.x) [squeeze] - wireshark (Only affects 1.12.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11024 CVE-2015-2191 (Integer overflow in the dissect_tnef function in ...) - - wireshark (bug #780372) + - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Only affects 1.10.x and 1.12.x) [squeeze] - wireshark (Only affects 1.10.x and 1.12.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11023 CVE-2015-2190 (epan/proto.c in Wireshark 1.12.x before 1.12.4 does not properly ...) - - wireshark (bug #780372) + - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Only affects 1.12.x) [squeeze] - wireshark (Only affects 1.12.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10983 CVE-2015-2189 (Off-by-one error in the pcapng_read function in wiretap/pcapng.c in ...) - - wireshark (bug #780372) + - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Vulnerable code not present) [squeeze] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895 CVE-2015-2188 (epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x ...) - - wireshark (bug #780372) + - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Only affects 1.10.x and 1.12.x) [squeeze] - wireshark (Only affects 1.10.x and 1.12.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10844 CVE-2015-2187 (The dissect_atn_cpdlc_heur function in ...) 
- - wireshark (bug #780372) + - wireshark 1.12.1+g01b65bf-4 (bug #780372) [wheezy] - wireshark (Only affects 1.12.x) [squeeze] - wireshark (Only affects 1.12.x) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9952 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33175 - data/CVE
Author: carnil Date: 2015-03-26 19:23:27 + (Thu, 26 Mar 2015) New Revision: 33175 Modified: data/CVE/list Log: Add fixed version for upload to unstable for freexl, #781228 Modified: data/CVE/list === --- data/CVE/list 2015-03-26 18:45:12 UTC (rev 33174) +++ data/CVE/list 2015-03-26 19:23:27 UTC (rev 33175) @@ -29,7 +29,7 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89207 CVE-2015- [Multiple vulnerabilities] [experimental] - freexl 1.0.1-1~exp1 - - freexl (bug #781228) + - freexl 1.0.0g-1+deb8u1 (bug #781228) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/25/1 NOTE: entry might be split up depending on how many CVEs MITRE assigns CVE-2015-2685 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33174 - data/DSA
Author: carnil Date: 2015-03-26 18:45:12 + (Thu, 26 Mar 2015) New Revision: 33174 Modified: data/DSA/list Log: Add CVE-2015-2750 for DSA-3200-1 Modified: data/DSA/list === --- data/DSA/list 2015-03-26 18:44:43 UTC (rev 33173) +++ data/DSA/list 2015-03-26 18:45:12 UTC (rev 33174) @@ -13,7 +13,7 @@ {CVE-2015-0817 CVE-2015-0818} [wheezy] - iceweasel 31.5.3esr-1~deb7u1 [20 Mar 2015] DSA-3200-1 drupal7 - security update - {CVE-2015-2559 CVE-2015-2749} + {CVE-2015-2559 CVE-2015-2749 CVE-2015-2750} [wheezy] - drupal7 7.14-2+deb7u9 [20 Mar 2015] DSA-3199-1 xerces-c - security update {CVE-2015-0252} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33173 - data/CVE
Author: carnil Date: 2015-03-26 18:44:43 + (Thu, 26 Mar 2015) New Revision: 33173 Modified: data/CVE/list Log: Remove workaround entry Modified: data/CVE/list === --- data/CVE/list 2015-03-26 18:44:15 UTC (rev 33172) +++ data/CVE/list 2015-03-26 18:44:43 UTC (rev 33173) @@ -809,7 +809,6 @@ {DSA-3200-1} - drupal7 7.32-1+deb8u2 (bug #780772) - drupal6 - [wheezy] - drupal7 7.14-2+deb7u9 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-001 NOTE: http://www.openwall.com/lists/oss-security/2015/03/19/5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33172 - data/CVE
Author: carnil Date: 2015-03-26 18:44:15 + (Thu, 26 Mar 2015) New Revision: 33172 Modified: data/CVE/list Log: Add CVE-2015-2750 for drupal Modified: data/CVE/list === --- data/CVE/list 2015-03-26 18:40:36 UTC (rev 33171) +++ data/CVE/list 2015-03-26 18:44:15 UTC (rev 33172) @@ -797,6 +797,14 @@ [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-001 NOTE: http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549 +CVE-2015-2750 [SA-CORE-2015-001: Open redirect -- underlying problem lack of checks for special "//"] + {DSA-3200-1} + - drupal7 7.32-1+deb8u2 (bug #780772) + - drupal6 + [squeeze] - drupal6 + NOTE: https://www.drupal.org/SA-CORE-2015-001 + NOTE: http://cgit.drupalcode.org/drupal/commit/includes/menu.inc?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93 + NOTE: http://cgit.drupalcode.org/drupal/commit/includes/common.inc?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8 CVE-2015-2749 [SA-CORE-2015-001: Open redirect -- issue related "destination" use] {DSA-3200-1} - drupal7 7.32-1+deb8u2 (bug #780772) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33171 - data/DSA
Author: carnil Date: 2015-03-26 18:40:36 + (Thu, 26 Mar 2015) New Revision: 33171 Modified: data/DSA/list Log: Add CVE to DSA list Modified: data/DSA/list === --- data/DSA/list 2015-03-26 18:40:32 UTC (rev 33170) +++ data/DSA/list 2015-03-26 18:40:36 UTC (rev 33171) @@ -13,7 +13,7 @@ {CVE-2015-0817 CVE-2015-0818} [wheezy] - iceweasel 31.5.3esr-1~deb7u1 [20 Mar 2015] DSA-3200-1 drupal7 - security update - {CVE-2015-2559} + {CVE-2015-2559 CVE-2015-2749} [wheezy] - drupal7 7.14-2+deb7u9 [20 Mar 2015] DSA-3199-1 xerces-c - security update {CVE-2015-0252} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33170 - data/CVE
Author: carnil Date: 2015-03-26 18:40:32 + (Thu, 26 Mar 2015) New Revision: 33170 Modified: data/CVE/list Log: One CVE assigned for drupal7 Modified: data/CVE/list === --- data/CVE/list 2015-03-26 16:18:29 UTC (rev 33169) +++ data/CVE/list 2015-03-26 18:40:32 UTC (rev 33170) @@ -797,13 +797,14 @@ [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-001 NOTE: http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549 -CVE-2015- [SA-CORE-2015-001: Open redirect] +CVE-2015-2749 [SA-CORE-2015-001: Open redirect -- issue related "destination" use] + {DSA-3200-1} - drupal7 7.32-1+deb8u2 (bug #780772) - drupal6 [wheezy] - drupal7 7.14-2+deb7u9 [squeeze] - drupal6 NOTE: https://www.drupal.org/SA-CORE-2015-001 - NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/19/5 + NOTE: http://www.openwall.com/lists/oss-security/2015/03/19/5 CVE-2015-2329 RESERVED CVE-2015-2328 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
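Review bot: once {DSA-3200-1} is attached to CVE-2015-2749, the unchanged context line "[wheezy] - drupal7 7.14-2+deb7u9" duplicates what the DSA list entry already records for wheezy and can be dropped from this entry.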
[Secure-testing-commits] r33169 - data/CVE
Author: jmm Date: 2015-03-26 16:18:29 + (Thu, 26 Mar 2015) New Revision: 33169 Modified: data/CVE/list Log: NFUs Modified: data/CVE/list === --- data/CVE/list 2015-03-26 15:50:17 UTC (rev 33168) +++ data/CVE/list 2015-03-26 16:18:29 UTC (rev 33169) @@ -702,7 +702,7 @@ CVE-2015-2353 RESERVED CVE-2015-2352 (The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not ...) - TODO: check + NOT-FOR-US: MyBB CVE-2015-2351 (Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms ...) NOT-FOR-US: Alkacon OpenCms CVE-2015-2350 (Cross-site request forgery (CSRF) vulnerability in MikroTik RouterOS ...) @@ -1040,7 +1040,7 @@ NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4a2b5fddd53b80efcb3266ee36e23b8de28e761a (v2.6.28-rc1) NOTE: 3.2.20-1 is the first version after the src:linux-2.6 -> src:linux rename. CVE-2015-2284 (userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before ...) - TODO: check + NOT-FOR-US: SolarWinds Firewall Security Manager CVE-2010-5322 (Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier ...) NOT-FOR-US: ZeusCart CVE-2015-2674 [Doesn't Validate TLS] @@ -1270,7 +1270,7 @@ CVE-2015-2209 (DLGuard 4.5 allows remote attackers to obtain the installation path ...) NOT-FOR-US: DLGuard CVE-2015-2208 (The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows ...) - TODO: check + NOT-FOR-US: phpMoAdmin CVE-2015-2207 RESERVED CVE-2015-2206 (libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33168 - data/CVE
Author: fgeek-guest Date: 2015-03-26 15:50:17 + (Thu, 26 Mar 2015) New Revision: 33168 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2015-03-26 14:48:41 UTC (rev 33167) +++ data/CVE/list 2015-03-26 15:50:17 UTC (rev 33168) 
@@ -9135,41 +9135,41 @@ CVE-2015-0140 RESERVED CVE-2015-0139 (Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 ...) - TODO: check + NOT-FOR-US: IBM WebSphere Portal CVE-2015-0138 (GSKit in IBM Tivoli Directory Server (ITDS) 6.0 before ...) - TODO: check + NOT-FOR-US: IBM Tivoli Directory Server CVE-2015-0137 (IBM PowerVC Standard 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 ...) - TODO: check + NOT-FOR-US: IBM PowerVC CVE-2015-0136 (powervc-iso-import in IBM PowerVC 1.2.0.x before 1.2.0.4 and 1.2.1.x ...) - TODO: check + NOT-FOR-US: IBM PowerVC CVE-2015-0135 RESERVED CVE-2015-0134 RESERVED CVE-2015-0133 (IBM WebSphere Commerce 7.0 Feature Pack 4 through 8 allows remote ...) - TODO: check + NOT-FOR-US: IBM CVE-2015-0132 (The XML parser in IBM Rational DOORS Next Generation 4.x before 4.0.7 ...) - TODO: check + NOT-FOR-US: IBM CVE-2015-0131 RESERVED CVE-2015-0130 RESERVED CVE-2015-0129 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality ...) - TODO: check + NOT-FOR-US: IBM Rational Quality Manager CVE-2015-0128 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality ...) - TODO: check + NOT-FOR-US: IBM Rational Quality Manager CVE-2015-0127 RESERVED CVE-2015-0126 RESERVED CVE-2015-0125 (Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Next ...) - TODO: check + NOT-FOR-US: IBM Rational DOORS Next Generation CVE-2015-0124 (Cross-site scripting (XSS) vulnerability in IBM Rational Quality ...) - TODO: check + NOT-FOR-US: IBM Rational Quality Manager CVE-2015-0123 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...) - TODO: check + NOT-FOR-US: IBM Rational Team Concert CVE-2015-0122 (Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert ...) - TODO: check + NOT-FOR-US: IBM Rational Team Concert CVE-2015-0121 RESERVED CVE-2015-0120 
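Review bot: CVE-2015-0133 and CVE-2015-0132 are marked only "NOT-FOR-US: IBM", while every other entry in this hunk names the product (e.g. "NOT-FOR-US: IBM Rational DOORS Next Generation"); the descriptions give the names (IBM WebSphere Commerce, IBM Rational DOORS Next Generation), so use them for consistency.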
@@ -9201,13 +9201,13 @@ CVE-2015-0107 RESERVED CVE-2015-0106 (Cross-site scripting (XSS) vulnerability in IBM Business Process ...) - TODO: check + NOT-FOR-US: IBM Business Process Manager CVE-2015-0105 (Cross-site scripting (XSS) vulnerability in the Process Portal in IBM ...) - TODO: check + NOT-FOR-US: IBM Business Process Manager CVE-2015-0104 RESERVED CVE-2015-0103 (Multiple cross-site scripting (XSS) vulnerabilities in the Process ...) - TODO: check + NOT-FOR-US: IBM Business Process Manager CVE-2015-0102 RESERVED CVE-2015-0101 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33167 - data
Author: carnil Date: 2015-03-26 14:48:41 + (Thu, 26 Mar 2015) New Revision: 33167 Modified: data/dsa-needed.txt Log: Add php5 to dsa-needed list Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-03-26 14:36:16 UTC (rev 33166) +++ data/dsa-needed.txt 2015-03-26 14:48:41 UTC (rev 33167) @@ -55,6 +55,9 @@ -- pdns -- +php5 + NOTE: Follow-up for regression, maintainer prepared update +-- phpmyadmin (thijs) -- pound (thijs) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33166 - data/CVE
Author: carnil Date: 2015-03-26 14:36:16 + (Thu, 26 Mar 2015) New Revision: 33166 Modified: data/CVE/list Log: Add bug reference for qemu issues, #781250 Modified: data/CVE/list === --- data/CVE/list 2015-03-26 12:47:21 UTC (rev 33165) +++ data/CVE/list 2015-03-26 14:36:16 UTC (rev 33166) @@ -720,7 +720,7 @@ NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 (v3.19-rc1) NOTE: http://www.openwall.com/lists/oss-security/2015/03/24/11 CVE-2015- [malicious PRDT flow from guest to host] - - qemu + - qemu (bug #781250) - qemu-kvm NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8 (v2.2.0-rc2) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/24/4 @@ -2334,7 +2334,7 @@ NOT-FOR-US: oVirt Engine backend CVE-2015-1779 [denial of service in VNC web] RESERVED - - qemu + - qemu (bug #781250) [wheezy] - qemu (Websocket protocol support introduced in v1.4.0-rc0) - qemu-kvm (Websocket protocol support introduced in v1.4.0-rc0) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33165 - data/CVE
Author: carnil Date: 2015-03-26 12:47:21 + (Thu, 26 Mar 2015) New Revision: 33165 Modified: data/CVE/list Log: Add fixed version for another dulwich issue Modified: data/CVE/list === --- data/CVE/list 2015-03-26 12:36:19 UTC (rev 33164) +++ data/CVE/list 2015-03-26 12:47:21 UTC (rev 33165) @@ -7369,7 +7369,7 @@ - mercurial 3.1.2-2 (bug #773640) [wheezy] - mercurial (Minor issue) [squeeze] - mercurial (Minor issue) - - dulwich + - dulwich 0.10.1-1 [jessie] - dulwich (Minor issue) [wheezy] - dulwich (Minor issue) CVE-2014-9376 (Integer underflow in Ettercap 0.8.1 allows remote attackers to cause a ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33164 - data/CVE
Author: carnil Date: 2015-03-26 12:36:19 + (Thu, 26 Mar 2015) New Revision: 33164 Modified: data/CVE/list Log: Add fixed version for dulwich in unstable Modified: data/CVE/list === --- data/CVE/list 2015-03-26 11:27:15 UTC (rev 33163) +++ data/CVE/list 2015-03-26 12:36:19 UTC (rev 33164) @@ -750,7 +750,7 @@ TODO: check affected versions CVE-2014-9706 [dulwich: does not reject commits with invalid paths] RESERVED - - dulwich (bug #780989) + - dulwich 0.10.1-1 (bug #780989) [jessie] - dulwich 0.9.7-3 NOTE: not yet accepted in jessie NOTE: Patch: https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176 @@ -5480,7 +5480,7 @@ RESERVED CVE-2015-0838 [buffer overflow in the C implementation of the apply_delta() function] RESERVED - - dulwich (bug #780958) + - dulwich 0.10.1-1 (bug #780958) [jessie] - dulwich 0.9.7-3 NOTE: not yet accepted in jessie CVE-2015-0837 [data-dependent timing variations in modular exponentiation] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33163 - data/CVE
Author: carnil Date: 2015-03-26 11:27:15 + (Thu, 26 Mar 2015) New Revision: 33163 Modified: data/CVE/list Log: Add bug reference for CVE-2015-1820, #781238 Modified: data/CVE/list === --- data/CVE/list 2015-03-26 09:11:18 UTC (rev 33162) +++ data/CVE/list 2015-03-26 11:27:15 UTC (rev 33163) @@ -2206,7 +2206,7 @@ RESERVED CVE-2015-1820 [session fixation vulnerability] RESERVED - - ruby-rest-client + - ruby-rest-client (bug #781238) - librestclient-ruby NOTE: https://github.com/rest-client/rest-client/issues/369 CVE-2015-1819 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
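Review bot: the bug reference is added to "- ruby-rest-client" only; the "- librestclient-ruby" line in the same entry stays without one. If #781238 is filed against ruby-rest-client alone, either file and record a bug for librestclient-ruby or add a NOTE saying why none is needed.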
[Secure-testing-commits] r33162 - data/CVE
Author: jmm Date: 2015-03-26 09:11:18 + (Thu, 26 Mar 2015) New Revision: 33162 Modified: data/CVE/list Log: freexl bug Modified: data/CVE/list === --- data/CVE/list 2015-03-26 09:10:21 UTC (rev 33161) +++ data/CVE/list 2015-03-26 09:11:18 UTC (rev 33162) @@ -29,7 +29,7 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89207 CVE-2015- [Multiple vulnerabilities] [experimental] - freexl 1.0.1-1~exp1 - - freexl + - freexl (bug #781228) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/03/25/1 NOTE: entry might be split up depending on how many CVEs MITRE assigns CVE-2015-2685 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33161 - data/CVE
Author: sectracker Date: 2015-03-26 09:10:21 + (Thu, 26 Mar 2015) New Revision: 33161 Modified: data/CVE/list Log: automatic update Modified: data/CVE/list === --- data/CVE/list 2015-03-26 09:09:10 UTC (rev 33160) +++ data/CVE/list 2015-03-26 09:10:21 UTC (rev 33161) @@ -1,3 +1,25 @@ +CVE-2015-2700 + RESERVED +CVE-2015-2699 + RESERVED +CVE-2015-2698 + RESERVED +CVE-2015-2697 + RESERVED +CVE-2015-2696 + RESERVED +CVE-2015-2695 + RESERVED +CVE-2015-2694 + RESERVED +CVE-2015-2693 + RESERVED +CVE-2015-2692 + RESERVED +CVE-2015-2691 + RESERVED +CVE-2015-2690 + RESERVED CVE-2015- [Don't try to do join without authentication unless explicitly requested] - realmd (bug #781179) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89205 @@ -29,10 +51,12 @@ CVE-2015-2676 (Cross-site request forgery (CSRF) vulnerability in the Asus RT-G32 ...) NOT-FOR-US: Asus CVE-2015-2689 [Assertion failure in dns.c, possibly connected to UDP DoS attack] + RESERVED {DSA-3203-1 DLA-178-1} - tor 0.2.5.11-1 NOTE: https://bugs.torproject.org/14129 CVE-2015-2688 [relay could crash with an assertion] + RESERVED {DSA-3203-1 DLA-178-1} - tor 0.2.5.11-1 NOTE: https://trac.torproject.org/projects/tor/ticket/15083 @@ -690,6 +714,7 @@ CVE-2014-9707 RESERVED CVE-2014-9710 [btrfs: non-atomic xattr replace operation] + RESERVED - linux - linux-2.6 NOTE: Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339 (v3.19-rc1) 
@@ -1014,8 +1039,8 @@ NOTE: Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c290f8358acaeffd8e0c551ddcc24d1206143376 (v3.2-rc1) NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4a2b5fddd53b80efcb3266ee36e23b8de28e761a (v2.6.28-rc1) NOTE: 3.2.20-1 is the first version after the src:linux-2.6 -> src:linux rename. -CVE-2015-2284 - RESERVED +CVE-2015-2284 (userlogin.jsp in SolarWinds Firewall Security Manager (FSM) before ...) + TODO: check CVE-2010-5322 (Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier ...) NOT-FOR-US: ZeusCart CVE-2015-2674 [Doesn't Validate TLS] @@ -1150,8 +1175,7 @@ NOTE: https://bugs.php.net/bug.php?id=68552 NOTE: http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803 NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/6 -CVE-2015-2265 [Incomplete fix for CVE-2014-2707; CUPS-filters remove_bad_chars() bypass] - RESERVED +CVE-2015-2265 (The remove_bad_chars function in utils/cups-browsed.c in cups-filters ...) - cups-filters 1.0.61-5 (bug #780267) [wheezy] - cups-filters (vulnerable code not present) NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=1265 
@@ -1381,18 +1405,15 @@ RESERVED CVE-2015-2156 RESERVED -CVE-2015-2155 [issue with force printer] - RESERVED +CVE-2015-2155 (The force printer in tcpdump before 4.7.2 allows remote attackers to ...) {DSA-3193-1 DLA-174-1} - tcpdump 4.6.2-4 NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch -CVE-2015-2154 [issue with ethernet printer] - RESERVED +CVE-2015-2154 (The osi_print_cksum function in print-isoclns.c in the ethernet ...) {DSA-3193-1 DLA-174-1} - tcpdump 4.6.2-4 NOTE: http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch -CVE-2015-2153 [issue with tcp printer] - RESERVED +CVE-2015-2153 (The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer ...) {DSA-3193-1} - tcpdump 4.6.2-4 [squeeze] - tcpdump (Vulnerable code not present) @@ -3599,8 +3620,8 @@ RESERVED CVE-2015-1389 RESERVED -CVE-2015-1388 - RESERVED +CVE-2015-1388 (The "RAP console" feature in ArubaOS 5.x through 6.2.x, 6.3.x before ...) + TODO: check CVE-2015-1387 RESERVED CVE-2015-1385 (Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress ...) @@ -8676,8 +8697,7 @@ NOT-FOR-US: Red Hat Satellite CVE-2015-0283 RESERVED -CVE-2015-0282 [Signature forgery] - RESERVED +CVE-2015-0282 (GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature ...) {DSA-3191-1 DLA-180-1} - gnutls26 - gnutls28 (Fixed in 3.1.0) @@ -8743,8 +8763,7 @@ NOT-FOR-US: Apache Camel CVE-2015-0262 RESERVED -CVE-2015-0261 [IPv6 mobility header check issue] - RESERVED +CVE-2015-0261 (Integer signedness error in the mobility_opt_print function in the ...) {DSA-3193-1 DLA-174-1} - tcpdump 4.
[Secure-testing-commits] r33160 - data/CVE
Author: jmm Date: 2015-03-26 09:09:10 + (Thu, 26 Mar 2015) New Revision: 33160 Modified: data/CVE/list Log: freeipa n/a Modified: data/CVE/list === --- data/CVE/list 2015-03-26 09:07:21 UTC (rev 33159) +++ data/CVE/list 2015-03-26 09:09:10 UTC (rev 33160) @@ -2169,7 +2169,7 @@ RESERVED CVE-2015-1827 [memory corruption when using get_user_grouplist()] RESERVED - - freeipa (bug #781224) + - freeipa (Only affects 4.1, see bug #781224) NOTE: https://fedorahosted.org/freeipa/ticket/4908 CVE-2015-1826 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
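Review bot: the log says "freeipa n/a", but as shown the line "- freeipa (Only affects 4.1, see bug #781224)" carries only a parenthesised reason; without an explicit <not-affected> tag between the package name and the reason, the tracker still reads the entry as open and unfixed. Confirm the committed line carries the tag.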
[Secure-testing-commits] r33159 - data
Author: jmm Date: 2015-03-26 09:07:21 + (Thu, 26 Mar 2015) New Revision: 33159 Modified: data/dsa-needed.txt Log: add freexl and libgd2 to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-03-26 09:04:58 UTC (rev 33158) +++ data/dsa-needed.txt 2015-03-26 09:07:21 UTC (rev 33159) @@ -23,6 +23,8 @@ eglibc (aurel32) some of the other no-dsa bugs could be fixed along -- +freexl +-- icu -- imagemagick @@ -33,6 +35,8 @@ -- jqueryui -- +libgd2 +-- libphp-snoopy -- libzip (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33158 - data
Author: seb Date: 2015-03-26 09:04:58 + (Thu, 26 Mar 2015) New Revision: 33158 Modified: data/dsa-needed.txt Log: Take batik Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-03-26 08:51:40 UTC (rev 33157) +++ data/dsa-needed.txt 2015-03-26 09:04:58 UTC (rev 33158) @@ -14,7 +14,8 @@ -- asterisk -- -batik +batik (seb) + NOTE: upload prepared by maintainer -- dulwich (carnil) NOTE: not yet released due to checking for the issue other than CVE-2015-0838 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33157 - data/CVE
Author: jmm Date: 2015-03-26 08:51:40 + (Thu, 26 Mar 2015) New Revision: 33157 Modified: data/CVE/list Log: jenkins/freeipa bugs Modified: data/CVE/list === --- data/CVE/list 2015-03-26 08:40:06 UTC (rev 33156) +++ data/CVE/list 2015-03-26 08:51:40 UTC (rev 33157) @@ -2169,9 +2169,8 @@ RESERVED CVE-2015-1827 [memory corruption when using get_user_grouplist()] RESERVED - - freeipa + - freeipa (bug #781224) NOTE: https://fedorahosted.org/freeipa/ticket/4908 - TODO: check if it affects as well 4.0.x, upstream commits have testcases CVE-2015-1826 RESERVED CVE-2015-1825 
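Review bot: the CVE-2015-1827 hunk (@@ -2169) removes "TODO: check if it affects as well 4.0.x, upstream commits have testcases" without recording the answer anywhere; the open question should survive as a NOTE stating whether 4.0.x is affected, rather than being replaced silently by the bug number.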
@@ -2203,39 +2202,39 @@ NOT-FOR-US: setroubleshoot CVE-2015-1814 [SECURITY-180, orced API token change] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1813 [SECURITY-177, Reflective XSS vulnerability] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1812 [SECURITY-171, Reflective XSS vulnerability] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1811 [External entity processing in XML can reveal sensitive local files (SECURITY-167)] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1810 [HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1809 [external entity injection via XPath (SECURITY-165)] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1808 [pdate center metadata retrieval DoS attack (SECURITY-163)] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1807 [directory traversal from artifacts via symlink (SECURITY-162)] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1806 [Combination filter Groovy script unsecured (SECURITY-125)] RESERVED - - jenkins + - jenkins (bug #781223) NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1805 RESERVED ___ Secure-testing-commits mailing list 
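Review bot: the jenkins hunk (@@ -2203) only adds "(bug #781223)" to the nine entries, which is fine, but two bracketed descriptions it carries as context are garbled: "[SECURITY-180, orced API token change]" and "[pdate center metadata retrieval DoS attack (SECURITY-163)]" have each lost their first letter ("forced", "update"); since these lines are being touched anyway, fix them in the same commit.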
[Secure-testing-commits] r33156 - data/packages
Author: sectracker Date: 2015-03-26 08:40:06 + (Thu, 26 Mar 2015) New Revision: 33156 Modified: data/packages/removed-packages Log: These packages have been removed Modified: data/packages/removed-packages === --- data/packages/removed-packages 2015-03-26 08:35:30 UTC (rev 33155) +++ data/packages/removed-packages 2015-03-26 08:40:06 UTC (rev 33156) @@ -458,3 +458,4 @@ # Packages in experimental which used to be in other suites. dtc +php-symfony2-yaml ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33155 - data/CVE
Author: jmm Date: 2015-03-26 08:35:30 + (Thu, 26 Mar 2015) New Revision: 33155 Modified: data/CVE/list Log: jenkins update Modified: data/CVE/list === --- data/CVE/list 2015-03-26 08:15:18 UTC (rev 33154) +++ data/CVE/list 2015-03-26 08:35:30 UTC (rev 33155) 
@@ -2204,42 +2204,39 @@ CVE-2015-1814 [SECURITY-180, orced API token change] RESERVED - jenkins - TODO: check + NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1813 [SECURITY-177, Reflective XSS vulnerability] RESERVED - jenkins - TODO: check + NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1812 [SECURITY-171, Reflective XSS vulnerability] RESERVED - jenkins - TODO: check + NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23 CVE-2015-1811 [External entity processing in XML can reveal sensitive local files (SECURITY-167)] RESERVED - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 - TODO: check CVE-2015-1810 [HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)] RESERVED - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 - TODO: check CVE-2015-1809 [external entity injection via XPath (SECURITY-165)] RESERVED - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 - TODO: check CVE-2015-1808 [pdate center metadata retrieval DoS attack (SECURITY-163)] RESERVED + - jenkins + NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 CVE-2015-1807 [directory traversal from artifacts via symlink (SECURITY-162)] RESERVED - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 - TODO: check CVE-2015-1806 [Combination filter Groovy script unsecured (SECURITY-125)] RESERVED - jenkins NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27 - TODO: check CVE-2015-1805 RESERVED NOTE: Red Hat bug not accessible, Satement on ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
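Review bot: in the @@ -2204 hunk the "TODO: check" lines under CVE-2015-1811, -1810, -1809, -1807 and -1806 are dropped, signalling that triage is done, yet the entries remain bare "- jenkins" with no fixed version and no bug reference; either add the bug number or leave a NOTE on what is still pending so the unfixed state does not look abandoned. The trailing context line "NOTE: Red Hat bug not accessible, Satement on" under CVE-2015-1805 also misspells "Statement" and is worth correcting while in the area.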
[Secure-testing-commits] r33154 - data/CVE
Author: jmm Date: 2015-03-26 08:15:18 + (Thu, 26 Mar 2015) New Revision: 33154 Modified: data/CVE/list Log: NFU Modified: data/CVE/list === --- data/CVE/list 2015-03-26 07:35:05 UTC (rev 33153) +++ data/CVE/list 2015-03-26 08:15:18 UTC (rev 33154) @@ -2200,6 +2200,7 @@ RESERVED CVE-2015-1815 RESERVED + NOT-FOR-US: setroubleshoot CVE-2015-1814 [SECURITY-180, orced API token change] RESERVED - jenkins ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33153 - data/CVE
Author: helmutg Date: 2015-03-26 07:35:05 + (Thu, 26 Mar 2015) New Revision: 33153 Modified: data/CVE/list Log: misc NFUs Modified: data/CVE/list === --- data/CVE/list 2015-03-26 06:45:30 UTC (rev 33152) +++ data/CVE/list 2015-03-26 07:35:05 UTC (rev 33153) @@ -1017,7 +1017,7 @@ CVE-2015-2284 RESERVED CVE-2010-5322 (Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier ...) - TODO: check + NOT-FOR-US: ZeusCart CVE-2015-2674 [Doesn't Validate TLS] RESERVED - python-restkit @@ -1214,11 +1214,11 @@ CVE-2015-2218 (Multiple cross-site scripting (XSS) vulnerabilities in the ...) NOT-FOR-US: wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin for WordPress CVE-2015-2217 (Multiple cross-site scripting (XSS) vulnerabilities in Ultimate PHP ...) - TODO: check + NOT-FOR-US: myUPB CVE-2015-2216 (SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme ...) NOT-FOR-US: Photocrati theme for WordPress CVE-2015-2215 (Open redirect vulnerability in the Services single sign-on server ...) - TODO: check + NOT-FOR-US: Drupal module Services single sign-on server helper CVE-2015-2214 (NetCat 5.01 and earlier allows remote attackers to obtain the ...) NOT-FOR-US: NetCat CMS CVE-2015-2213 @@ -1327,11 +1327,11 @@ CVE-2015-2185 RESERVED CVE-2015-2184 (ZeusCart 4 allows remote attackers to obtain configuration information ...) - TODO: check + NOT-FOR-US: ZeusCart CVE-2015-2183 (Multiple SQL injection vulnerabilities in the administrative backend ...) - TODO: check + NOT-FOR-US: ZeusCart CVE-2015-2182 (Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 ...) - TODO: check + NOT-FOR-US: ZeusCart CVE-2015-2181 RESERVED CVE-2015-2180 
@@ -2072,7 +2072,7 @@ CVE-2015-1876 RESERVED CVE-2015-1875 (SQL injection vulnerability in a2billing/customer/iridium_threed.php ...) - TODO: check + NOT-FOR-US: Elastix CVE-2015-1874 (Cross-site request forgery (CSRF) vulnerability in the Contact Form DB ...) NOT-FOR-US: Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin for WordPress CVE-2015-1873 @@ -2617,15 +2617,15 @@ CVE-2015-1633 (Cross-site scripting (XSS) vulnerability in Microsoft SharePoint ...) NOT-FOR-US: Microsoft SharePoint CVE-2015-1632 (Cross-site scripting (XSS) vulnerability in errorfe.aspx in Outlook ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2015-1631 (Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2015-1630 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2015-1629 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2015-1628 (Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2015-1627 (Microsoft Internet Explorer 7 through 11 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2015-1626 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) @@ -4198,7 +4198,7 @@ CVE-2015-1171 RESERVED CVE-2015-1170 (The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2015-1169 (Apereo Central Authentication Service (CAS) Server before 3.5.3 allows ...) NOT-FOR-US: Apereo Central Authentication Service CVE-2015-1168 
@@ -4514,7 +4514,7 @@ CVE-2015-1068 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and ...) NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome sec team will know and fix CVE-2015-1067 (Secure Transport in Apple iOS before 8.2, Apple OS X through 10.10.2, ...) - TODO: check + NOT-FOR-US: Apple CVE-2015-1066 (Off-by-one error in IOAcceleratorFamily in Apple OS X through 10.10.2 ...) TODO: check CVE-2015-1065 (Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 ...) @@ -4797,7 +4797,7 @@ NOTE: Automatic version check is disabled and inherently insecure (CVE-2014-2029) NOTE: Patch applied to OpenSUSE 13.1: https://build.opensuse.org/package/view_file/openSUSE:13.1:Update/xtrabackup/percona-xtrabackup-CVE-2015-1027.patch?expand=1 CVE-2015-1026 (Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ...) - TODO: check + NOT-FOR-US: ZOHO ManageEngine CVE-2015-1025 RESERVED CVE-2015-1024 @@ -6128,7 +6128,7 @@ CVE-2014-9567 (Unrestricted file upload vulnerability in process-upload.php in ...) NOT-FOR-US: ProjectSend CV
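Review bot: the @@ -2617 hunk resolves CVE-2015-1632 through CVE-2015-1628 as the bare "NOT-FOR-US: Microsoft", whereas the surrounding context entries name the product ("NOT-FOR-US: Microsoft SharePoint", "NOT-FOR-US: Microsoft Internet Explorer"); "NOT-FOR-US: Microsoft Exchange / Outlook Web App" would keep these entries consistent and searchable.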
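Review bot: in the @@ -4514 hunk CVE-2015-1067 (Secure Transport in Apple iOS/OS X) becomes "NOT-FOR-US: Apple", but the adjacent context entry CVE-2015-1066 (IOAcceleratorFamily in Apple OS X) is left at "TODO: check"; it is the same vendor and product line, so it should get the same resolution in this pass, and naming the product ("NOT-FOR-US: Apple iOS/OS X") matches the more specific style of the "NOT-FOR-US: Webkit" line two entries above.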