[Secure-testing-commits] r33181 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-27 06:35:11 + (Fri, 27 Mar 2015)
New Revision: 33181

Modified:
   data/CVE/list
Log:
Update CVE-2015-0283/slapi-nis

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-27 06:00:33 UTC (rev 33180)
+++ data/CVE/list   2015-03-27 06:35:11 UTC (rev 33181)
@@ -8776,10 +8776,10 @@
 CVE-2015-0284
RESERVED
NOT-FOR-US: Red Hat Satellite
-CVE-2015-0283
+CVE-2015-0283 [infinite loop in getgrnam_r() and getgrgid_r()]
RESERVED
+   - slapi-nis 
TODO: check
-   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1195729
 CVE-2015-0282 (GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 
signature ...)
{DSA-3191-1 DLA-180-1}
- gnutls26 
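Review bot: dropping the line "NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1195729" while "TODO: check" stays leaves whoever resolves the TODO with no reference to follow; that link was added only one revision earlier (r33180), so keep it next to the new "- slapi-nis" line until the check is done, or replace it with the upstream slapi-nis fix reference.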


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r33180 - data/CVE

2015-03-26 Thread Henri Salo
Author: fgeek-guest
Date: 2015-03-27 06:00:33 + (Fri, 27 Mar 2015)
New Revision: 33180

Modified:
   data/CVE/list
Log:
NFU, external check

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 21:25:59 UTC (rev 33179)
+++ data/CVE/list   2015-03-27 06:00:33 UTC (rev 33180)
@@ -2257,6 +2257,7 @@
RESERVED
 CVE-2015-1841
RESERVED
+   NOT-FOR-US: RHEV
 CVE-2015-1840
RESERVED
 CVE-2015-1839
@@ -8777,6 +8778,8 @@
NOT-FOR-US: Red Hat Satellite
 CVE-2015-0283
RESERVED
+   TODO: check
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1195729
 CVE-2015-0282 (GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 
signature ...)
{DSA-3191-1 DLA-180-1}
- gnutls26 




[Secure-testing-commits] r33179 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 21:25:59 + (Thu, 26 Mar 2015)
New Revision: 33179

Modified:
   data/CVE/list
Log:
Remove notes for dulwich, now accepted into t-p-u

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 21:13:12 UTC (rev 33178)
+++ data/CVE/list   2015-03-26 21:25:59 UTC (rev 33179)
@@ -843,7 +843,6 @@
RESERVED
- dulwich 0.10.1-1 (bug #780989)
[jessie] - dulwich 0.9.7-3
-   NOTE: not yet accepted in jessie
NOTE: Patch: 
https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176
NOTE: http://www.openwall.com/lists/oss-security/2015/03/21/1
 CVE-2015-2348
@@ -5578,7 +5577,6 @@
RESERVED
- dulwich 0.10.1-1 (bug #780958)
[jessie] - dulwich 0.9.7-3
-   NOTE: not yet accepted in jessie
 CVE-2015-0837 [data-dependent timing variations in modular exponentiation]
RESERVED
{DSA-3185-1 DSA-3184-1 DLA-175-1}




[Secure-testing-commits] r33178 - in data: . CVE

2015-03-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2015-03-26 21:13:12 + (Thu, 26 Mar 2015)
New Revision: 33178

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
two typo3 no-dsa
take freexl


Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 21:10:15 UTC (rev 33177)
+++ data/CVE/list   2015-03-26 21:13:12 UTC (rev 33178)
@@ -6452,11 +6452,13 @@
NOT-FOR-US: TP-Link TL-WR840N router
 CVE-2014-9509 (The frontend rendering component in TYPO3 4.5.x before 4.5.39, 
4.6.x ...)
- typo3-src 
+   [wheezy] - typo3-src  (Can be worked around by configuration 
knobs)
[squeeze] - typo3-src  (Unsupported in squeeze-lts)
NOTE: Solution is to remove he configuration options 
config.prefixLocalAnchors
NOTE: (and optionally also config.baseUrl) in favor of 
config.absRefPrefix
 CVE-2014-9508 (The frontend rendering component in TYPO3 4.5.x before 4.5.39, 
4.6.x ...)
- typo3-src 4.5.40+dfsg1-1 (bug #775105)
+   [wheezy] - typo3-src  (Can be worked around by configuration 
knobs)
[squeeze] - typo3-src  (Unsupported in squeeze-lts)
NOTE: https://review.typo3.org/#/c/35222/
NOTE: 
https://review.typo3.org/gitweb?p=Packages/TYPO3.CMS.git;a=commitdiff;h=63ae7ddd11d284a121f23ce86282e3149bc16f96
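Review bot: the context line "NOTE: Solution is to remove he configuration options" just below the added wheezy line for CVE-2014-9509 has a typo ("he" for "the"); since this entry is being edited anyway, fix it in the same commit.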

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-03-26 21:10:15 UTC (rev 33177)
+++ data/dsa-needed.txt 2015-03-26 21:13:12 UTC (rev 33178)
@@ -23,7 +23,7 @@
 eglibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --
-freexl
+freexl (jmm)
 --
 icu
 --




[Secure-testing-commits] r33177 - data/CVE

2015-03-26 Thread security tracker role
Author: sectracker
Date: 2015-03-26 21:10:15 + (Thu, 26 Mar 2015)
New Revision: 33177

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 19:25:13 UTC (rev 33176)
+++ data/CVE/list   2015-03-26 21:10:15 UTC (rev 33177)
@@ -1,3 +1,93 @@
+CVE-2015-2745
+   RESERVED
+CVE-2015-2744
+   RESERVED
+CVE-2015-2743
+   RESERVED
+CVE-2015-2742
+   RESERVED
+CVE-2015-2741
+   RESERVED
+CVE-2015-2740
+   RESERVED
+CVE-2015-2739
+   RESERVED
+CVE-2015-2738
+   RESERVED
+CVE-2015-2737
+   RESERVED
+CVE-2015-2736
+   RESERVED
+CVE-2015-2735
+   RESERVED
+CVE-2015-2734
+   RESERVED
+CVE-2015-2733
+   RESERVED
+CVE-2015-2732
+   RESERVED
+CVE-2015-2731
+   RESERVED
+CVE-2015-2730
+   RESERVED
+CVE-2015-2729
+   RESERVED
+CVE-2015-2728
+   RESERVED
+CVE-2015-2727
+   RESERVED
+CVE-2015-2726
+   RESERVED
+CVE-2015-2725
+   RESERVED
+CVE-2015-2724
+   RESERVED
+CVE-2015-2723
+   RESERVED
+CVE-2015-2722
+   RESERVED
+CVE-2015-2721
+   RESERVED
+CVE-2015-2720
+   RESERVED
+CVE-2015-2719
+   RESERVED
+CVE-2015-2718
+   RESERVED
+CVE-2015-2717
+   RESERVED
+CVE-2015-2716
+   RESERVED
+CVE-2015-2715
+   RESERVED
+CVE-2015-2714
+   RESERVED
+CVE-2015-2713
+   RESERVED
+CVE-2015-2712
+   RESERVED
+CVE-2015-2711
+   RESERVED
+CVE-2015-2710
+   RESERVED
+CVE-2015-2709
+   RESERVED
+CVE-2015-2708
+   RESERVED
+CVE-2015-2707
+   RESERVED
+CVE-2015-2706
+   RESERVED
+CVE-2015-2705
+   RESERVED
+CVE-2015-2703 (Multiple cross-site scripting (XSS) vulnerabilities in Websense 
TRITON ...)
+   TODO: check
+CVE-2015-2702 (Cross-site scripting (XSS) vulnerability in the Message Log in 
the ...)
+   TODO: check
+CVE-2015-2701 (Cross-site request forgery (CSRF) vulnerability in CS-Cart 
4.2.4 ...)
+   TODO: check
+CVE-2014-9711 (Multiple cross-site scripting (XSS) vulnerabilities in the ...)
+   TODO: check
 CVE-2015-2700
RESERVED
 CVE-2015-2699
@@ -25,6 +115,7 @@
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89205
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/03/25/6
 CVE-2015-2704 [Retrieve info destined for config files after join]
+   RESERVED
- realmd  (bug #781179)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89207
 CVE-2015- [Multiple vulnerabilities]
@@ -48,7 +139,7 @@
TODO: check
 CVE-2015-2677 (Multiple cross-site scripting (XSS) vulnerabilities in ocPortal 
before ...)
TODO: check
-CVE-2015-2676 (Cross-site request forgery (CSRF) vulnerability in the Asus 
RT-G32 ...)
+CVE-2015-2676 (Cross-site request forgery (CSRF) vulnerability in the ASUS 
RT-G32 ...)
NOT-FOR-US: Asus
 CVE-2015-2689 [Assertion failure in dns.c, possibly connected to UDP DoS 
attack]
RESERVED
@@ -789,8 +880,7 @@
NOT-FOR-US: MyBB
 CVE-2015-2332 (Cross-site scripting (XSS) vulnerability in member.php in MyBB 
(aka ...)
NOT-FOR-US: MyBB
-CVE-2015-2559 [SA-CORE-2015-001: Access bypass]
-   RESERVED
+CVE-2015-2559 (Drupal 6.x before 6.35 and 7.x before 7.35 allows remote 
authenticated ...)
{DSA-3200-1}
- drupal7 7.32-1+deb8u2 (bug #780772)
- drupal6 
@@ -830,15 +920,13 @@
RESERVED
 CVE-2015-2321
RESERVED
-CVE-2015-2317 [Mitigated possible XSS attack via user-supplied redirect URLs]
-   RESERVED
+CVE-2015-2317 (The utils.http.is_safe_url function in Django before 1.4.20, 
1.5.x, ...)
{DSA-3204-1}
- python-django 1.7.7-1 (bug #780873)
[squeeze] - python-django  (Minor issue, can wait next security 
upload)
NOTE: 
https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b
 (1.4.x)
NOTE: 
https://github.com/django/django/commit/2a4113dbd532ce952308992633d802dc169a75f1
 (1.7.x)
-CVE-2015-2316 [Denial-of-service possibility with strip_tags()]
-   RESERVED
+CVE-2015-2316 (The utils.html.strip_tags function in Django 1.6.x before 
1.6.11, ...)
- python-django 1.7.7-1 (bug #780874)
[wheezy] - python-django  (vulnerable code not present)
[squeeze] - python-django  (vulnerable code not present)
@@ -5868,10 +5956,10 @@
RESERVED
 CVE-2015-0674
RESERVED
-CVE-2015-0673
-   RESERVED
-CVE-2015-0672
-   RESERVED
+CVE-2015-0673 (Cisco Mobility Services Engine (MSE) 8.0(110.0) allows remote 
...)
+   TODO: check
+CVE-2015-0672 (The DHCPv4 server in Cisco IOS XR 5.2.2 on ASR 9000 devices 
allows ...)
+   TODO: check
 CVE-2015-0671 (The DNS implementation in Cisco Videoscape Distribution Suite 
for ...)
TODO: check
 CVE-2015-0670 (The default configuration of Cisco Small Business IP phones SPA 
300 ...)
@@ -5914,52 +6002,37 @@
NOT-FOR-US: Cisco
 CVE-2015-0651 (Cross-site requ

[Secure-testing-commits] r33176 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 19:25:13 + (Thu, 26 Mar 2015)
New Revision: 33176

Modified:
   data/CVE/list
Log:
Add fixed version for wireshark, #780372

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 19:23:27 UTC (rev 33175)
+++ data/CVE/list   2015-03-26 19:25:13 UTC (rev 33176)
@@ -1325,32 +1325,32 @@
RESERVED
NOT-FOR-US: Evergreen library
 CVE-2015-2192 (Integer overflow in the dissect_osd2_cdb_continuation function 
in ...)
-   - wireshark  (bug #780372)
+   - wireshark 1.12.1+g01b65bf-4 (bug #780372)
[wheezy] - wireshark  (Only affects 1.12.x)
[squeeze] - wireshark  (Only affects 1.12.x)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11024
 CVE-2015-2191 (Integer overflow in the dissect_tnef function in ...)
-   - wireshark  (bug #780372)
+   - wireshark 1.12.1+g01b65bf-4 (bug #780372)
[wheezy] - wireshark  (Only affects 1.10.x and 1.12.x)
[squeeze] - wireshark  (Only affects 1.10.x and 1.12.x)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11023
 CVE-2015-2190 (epan/proto.c in Wireshark 1.12.x before 1.12.4 does not 
properly ...)
-   - wireshark  (bug #780372)
+   - wireshark 1.12.1+g01b65bf-4 (bug #780372)
[wheezy] - wireshark  (Only affects 1.12.x)
[squeeze] - wireshark  (Only affects 1.12.x)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10983
 CVE-2015-2189 (Off-by-one error in the pcapng_read function in 
wiretap/pcapng.c in ...)
-   - wireshark  (bug #780372)
+   - wireshark 1.12.1+g01b65bf-4 (bug #780372)
[wheezy] - wireshark  (Vulnerable code not present)
[squeeze] - wireshark  (Vulnerable code not present)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10895
 CVE-2015-2188 (epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 
1.10.x ...)
-   - wireshark  (bug #780372)
+   - wireshark 1.12.1+g01b65bf-4 (bug #780372)
[wheezy] - wireshark  (Only affects 1.10.x and 1.12.x)
[squeeze] - wireshark  (Only affects 1.10.x and 1.12.x)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10844
 CVE-2015-2187 (The dissect_atn_cpdlc_heur function in ...)
-   - wireshark  (bug #780372)
+   - wireshark 1.12.1+g01b65bf-4 (bug #780372)
[wheezy] - wireshark  (Only affects 1.12.x)
[squeeze] - wireshark  (Only affects 1.12.x)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9952




[Secure-testing-commits] r33175 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 19:23:27 + (Thu, 26 Mar 2015)
New Revision: 33175

Modified:
   data/CVE/list
Log:
Add fixed version for upload to unstable for freexl, #781228

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 18:45:12 UTC (rev 33174)
+++ data/CVE/list   2015-03-26 19:23:27 UTC (rev 33175)
@@ -29,7 +29,7 @@
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89207
 CVE-2015- [Multiple vulnerabilities]
[experimental] - freexl 1.0.1-1~exp1
-   - freexl  (bug #781228)
+   - freexl 1.0.0g-1+deb8u1 (bug #781228)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/03/25/1
NOTE: entry might be split up depending on how many CVEs MITRE assigns
 CVE-2015-2685
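Review bot: the fixed version 1.0.0g-1+deb8u1 is added to a placeholder entry ("CVE-2015- [Multiple vulnerabilities]") whose own NOTE says it may be split once MITRE assigns ids; when that split happens the version, the bug reference (#781228) and the experimental line all have to be carried over to every resulting CVE entry, so a short NOTE recording that would help the person doing the split.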




[Secure-testing-commits] r33174 - data/DSA

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 18:45:12 + (Thu, 26 Mar 2015)
New Revision: 33174

Modified:
   data/DSA/list
Log:
Add CVE-2015-2750 for DSA-3200-1

Modified: data/DSA/list
===
--- data/DSA/list   2015-03-26 18:44:43 UTC (rev 33173)
+++ data/DSA/list   2015-03-26 18:45:12 UTC (rev 33174)
@@ -13,7 +13,7 @@
{CVE-2015-0817 CVE-2015-0818}
[wheezy] - iceweasel 31.5.3esr-1~deb7u1
 [20 Mar 2015] DSA-3200-1 drupal7 - security update
-   {CVE-2015-2559 CVE-2015-2749}
+   {CVE-2015-2559 CVE-2015-2749 CVE-2015-2750}
[wheezy] - drupal7 7.14-2+deb7u9
 [20 Mar 2015] DSA-3199-1 xerces-c - security update
{CVE-2015-0252}




[Secure-testing-commits] r33173 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 18:44:43 + (Thu, 26 Mar 2015)
New Revision: 33173

Modified:
   data/CVE/list
Log:
Remove workaround entry

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 18:44:15 UTC (rev 33172)
+++ data/CVE/list   2015-03-26 18:44:43 UTC (rev 33173)
@@ -809,7 +809,6 @@
{DSA-3200-1}
- drupal7 7.32-1+deb8u2 (bug #780772)
- drupal6 
-   [wheezy] - drupal7 7.14-2+deb7u9
[squeeze] - drupal6 
NOTE: https://www.drupal.org/SA-CORE-2015-001
NOTE: http://www.openwall.com/lists/oss-security/2015/03/19/5




[Secure-testing-commits] r33172 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 18:44:15 + (Thu, 26 Mar 2015)
New Revision: 33172

Modified:
   data/CVE/list
Log:
Add CVE-2015-2750 for drupal

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 18:40:36 UTC (rev 33171)
+++ data/CVE/list   2015-03-26 18:44:15 UTC (rev 33172)
@@ -797,6 +797,14 @@
[squeeze] - drupal6 
NOTE: https://www.drupal.org/SA-CORE-2015-001
NOTE: 
http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549
+CVE-2015-2750 [SA-CORE-2015-001: Open redirect -- underlying problem lack of 
checks for special "//"]
+   {DSA-3200-1}
+   - drupal7 7.32-1+deb8u2 (bug #780772)
+   - drupal6 
+   [squeeze] - drupal6 
+   NOTE: https://www.drupal.org/SA-CORE-2015-001
+   NOTE: 
http://cgit.drupalcode.org/drupal/commit/includes/menu.inc?h=6.x&id=8ffc5db3c0ab926f3d4b2cf8bc51714c8c0f3c93
+   NOTE: 
http://cgit.drupalcode.org/drupal/commit/includes/common.inc?h=7.x&id=b44056d2f8e8c71d35c85ec5c2fb8f7c8a02d8a8
 CVE-2015-2749 [SA-CORE-2015-001: Open redirect -- issue related "destination" 
use]
{DSA-3200-1}
- drupal7 7.32-1+deb8u2 (bug #780772)
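Review bot: the new CVE-2015-2750 entry carries "{DSA-3200-1}", but data/DSA/list is not touched in this commit, and as of r33171 (the previous revision on this page) DSA-3200-1 lists only CVE-2015-2559 and CVE-2015-2749; add CVE-2015-2750 to the DSA entry in the same change so the two files do not disagree between revisions.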




[Secure-testing-commits] r33171 - data/DSA

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 18:40:36 + (Thu, 26 Mar 2015)
New Revision: 33171

Modified:
   data/DSA/list
Log:
Add CVE to DSA list

Modified: data/DSA/list
===
--- data/DSA/list   2015-03-26 18:40:32 UTC (rev 33170)
+++ data/DSA/list   2015-03-26 18:40:36 UTC (rev 33171)
@@ -13,7 +13,7 @@
{CVE-2015-0817 CVE-2015-0818}
[wheezy] - iceweasel 31.5.3esr-1~deb7u1
 [20 Mar 2015] DSA-3200-1 drupal7 - security update
-   {CVE-2015-2559}
+   {CVE-2015-2559 CVE-2015-2749}
[wheezy] - drupal7 7.14-2+deb7u9
 [20 Mar 2015] DSA-3199-1 xerces-c - security update
{CVE-2015-0252}




[Secure-testing-commits] r33170 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 18:40:32 + (Thu, 26 Mar 2015)
New Revision: 33170

Modified:
   data/CVE/list
Log:
One CVE assigned for drupal7

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 16:18:29 UTC (rev 33169)
+++ data/CVE/list   2015-03-26 18:40:32 UTC (rev 33170)
@@ -797,13 +797,14 @@
[squeeze] - drupal6 
NOTE: https://www.drupal.org/SA-CORE-2015-001
NOTE: 
http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549
-CVE-2015- [SA-CORE-2015-001: Open redirect]
+CVE-2015-2749 [SA-CORE-2015-001: Open redirect -- issue related "destination" 
use]
+   {DSA-3200-1}
- drupal7 7.32-1+deb8u2 (bug #780772)
- drupal6 
[wheezy] - drupal7 7.14-2+deb7u9
[squeeze] - drupal6 
NOTE: https://www.drupal.org/SA-CORE-2015-001
-   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/03/19/5
+   NOTE: http://www.openwall.com/lists/oss-security/2015/03/19/5
 CVE-2015-2329
RESERVED
 CVE-2015-2328




[Secure-testing-commits] r33169 - data/CVE

2015-03-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2015-03-26 16:18:29 + (Thu, 26 Mar 2015)
New Revision: 33169

Modified:
   data/CVE/list
Log:
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 15:50:17 UTC (rev 33168)
+++ data/CVE/list   2015-03-26 16:18:29 UTC (rev 33169)
@@ -702,7 +702,7 @@
 CVE-2015-2353
RESERVED
 CVE-2015-2352 (The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 
does not ...)
-   TODO: check
+   NOT-FOR-US: MyBB
 CVE-2015-2351 (Multiple cross-site scripting (XSS) vulnerabilities in Alkacon 
OpenCms ...)
NOT-FOR-US: Alkacon OpenCms
 CVE-2015-2350 (Cross-site request forgery (CSRF) vulnerability in MikroTik 
RouterOS ...)
@@ -1040,7 +1040,7 @@
NOTE: Introduced by: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4a2b5fddd53b80efcb3266ee36e23b8de28e761a
 (v2.6.28-rc1)
NOTE: 3.2.20-1 is the first version after the src:linux-2.6 -> 
src:linux rename.
 CVE-2015-2284 (userlogin.jsp in SolarWinds Firewall Security Manager (FSM) 
before ...)
-   TODO: check
+   NOT-FOR-US: SolarWinds Firewall Security Manager
 CVE-2010-5322 (Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and 
earlier ...)
NOT-FOR-US: ZeusCart
 CVE-2015-2674 [Doesn't Validate TLS]
@@ -1270,7 +1270,7 @@
 CVE-2015-2209 (DLGuard 4.5 allows remote attackers to obtain the installation 
path ...)
NOT-FOR-US: DLGuard
 CVE-2015-2208 (The saveObject function in moadmin.php in phpMoAdmin 1.1.2 
allows ...)
-   TODO: check
+   NOT-FOR-US: phpMoAdmin
 CVE-2015-2207
RESERVED
 CVE-2015-2206 (libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 
4.0.10.9, ...)




[Secure-testing-commits] r33168 - data/CVE

2015-03-26 Thread Henri Salo
Author: fgeek-guest
Date: 2015-03-26 15:50:17 + (Thu, 26 Mar 2015)
New Revision: 33168

Modified:
   data/CVE/list
Log:
NFU

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 14:48:41 UTC (rev 33167)
+++ data/CVE/list   2015-03-26 15:50:17 UTC (rev 33168)
@@ -9135,41 +9135,41 @@
 CVE-2015-0140
RESERVED
 CVE-2015-0139 (Cross-site scripting (XSS) vulnerability in IBM WebSphere 
Portal 8.0.0 ...)
-   TODO: check
+   NOT-FOR-US: IBM WebSphere Portal
 CVE-2015-0138 (GSKit in IBM Tivoli Directory Server (ITDS) 6.0 before ...)
-   TODO: check
+   NOT-FOR-US: IBM Tivoli Directory Server
 CVE-2015-0137 (IBM PowerVC Standard 1.2.0.x before 1.2.0.4 and 1.2.1.x before 
1.2.2 ...)
-   TODO: check
+   NOT-FOR-US: IBM PowerVC
 CVE-2015-0136 (powervc-iso-import in IBM PowerVC 1.2.0.x before 1.2.0.4 and 
1.2.1.x ...)
-   TODO: check
+   NOT-FOR-US: IBM PowerVC
 CVE-2015-0135
RESERVED
 CVE-2015-0134
RESERVED
 CVE-2015-0133 (IBM WebSphere Commerce 7.0 Feature Pack 4 through 8 allows 
remote ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2015-0132 (The XML parser in IBM Rational DOORS Next Generation 4.x before 
4.0.7 ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2015-0131
RESERVED
 CVE-2015-0130
RESERVED
 CVE-2015-0129 (Cross-site scripting (XSS) vulnerability in IBM Rational 
Quality ...)
-   TODO: check
+   NOT-FOR-US: IBM Rational Quality Manager
 CVE-2015-0128 (Cross-site scripting (XSS) vulnerability in IBM Rational 
Quality ...)
-   TODO: check
+   NOT-FOR-US: IBM Rational Quality Manager
 CVE-2015-0127
RESERVED
 CVE-2015-0126
RESERVED
 CVE-2015-0125 (Cross-site scripting (XSS) vulnerability in IBM Rational DOORS 
Next ...)
-   TODO: check
+   NOT-FOR-US: IBM Rational DOORS Next Generation
 CVE-2015-0124 (Cross-site scripting (XSS) vulnerability in IBM Rational 
Quality ...)
-   TODO: check
+   NOT-FOR-US: IBM Rational Quality Manager
 CVE-2015-0123 (Cross-site scripting (XSS) vulnerability in IBM Rational Team 
Concert ...)
-   TODO: check
+   NOT-FOR-US: IBM Rational Team Concert
 CVE-2015-0122 (Cross-site scripting (XSS) vulnerability in IBM Rational Team 
Concert ...)
-   TODO: check
+   NOT-FOR-US: IBM Rational Team Concert
 CVE-2015-0121
RESERVED
 CVE-2015-0120
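Review bot: two of the added lines use the bare "NOT-FOR-US: IBM" (for CVE-2015-0133 and CVE-2015-0132) while the neighbouring lines name the affected product ("NOT-FOR-US: IBM Rational DOORS Next Generation" for CVE-2015-0125, "NOT-FOR-US: IBM PowerVC" for CVE-2015-0137); use the product name consistently, e.g. "NOT-FOR-US: IBM WebSphere Commerce" and "NOT-FOR-US: IBM Rational DOORS Next Generation", so entries can be searched by product later.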
@@ -9201,13 +9201,13 @@
 CVE-2015-0107
RESERVED
 CVE-2015-0106 (Cross-site scripting (XSS) vulnerability in IBM Business 
Process ...)
-   TODO: check
+   NOT-FOR-US: IBM Business Process Manager
 CVE-2015-0105 (Cross-site scripting (XSS) vulnerability in the Process Portal 
in IBM ...)
-   TODO: check
+   NOT-FOR-US: IBM Business Process Manager
 CVE-2015-0104
RESERVED
 CVE-2015-0103 (Multiple cross-site scripting (XSS) vulnerabilities in the 
Process ...)
-   TODO: check
+   NOT-FOR-US: IBM Business Process Manager
 CVE-2015-0102
RESERVED
 CVE-2015-0101




[Secure-testing-commits] r33167 - data

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 14:48:41 + (Thu, 26 Mar 2015)
New Revision: 33167

Modified:
   data/dsa-needed.txt
Log:
Add php5 to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-03-26 14:36:16 UTC (rev 33166)
+++ data/dsa-needed.txt 2015-03-26 14:48:41 UTC (rev 33167)
@@ -55,6 +55,9 @@
 --
 pdns
 --
+php5
+  NOTE: Follow-up for regression, maintainer prepared update
+--
 phpmyadmin (thijs)
 --
 pound (thijs)




[Secure-testing-commits] r33166 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 14:36:16 + (Thu, 26 Mar 2015)
New Revision: 33166

Modified:
   data/CVE/list
Log:
Add bug reference for qemu issues, #781250

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 12:47:21 UTC (rev 33165)
+++ data/CVE/list   2015-03-26 14:36:16 UTC (rev 33166)
@@ -720,7 +720,7 @@
NOTE: Upstream commit: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339
 (v3.19-rc1)
NOTE: http://www.openwall.com/lists/oss-security/2015/03/24/11
 CVE-2015- [malicious PRDT flow from guest to host]
-   - qemu 
+   - qemu  (bug #781250)
- qemu-kvm 
NOTE: 
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8
 (v2.2.0-rc2)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/03/24/4
@@ -2334,7 +2334,7 @@
NOT-FOR-US: oVirt Engine backend
 CVE-2015-1779 [denial of service in VNC web]
RESERVED
-   - qemu 
+   - qemu  (bug #781250)
[wheezy] - qemu  (Websocket protocol support introduced 
in v1.4.0-rc0)
- qemu-kvm  (Websocket protocol support introduced in 
v1.4.0-rc0)
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html




[Secure-testing-commits] r33165 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 12:47:21 + (Thu, 26 Mar 2015)
New Revision: 33165

Modified:
   data/CVE/list
Log:
Add fixed version for another dulwich issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 12:36:19 UTC (rev 33164)
+++ data/CVE/list   2015-03-26 12:47:21 UTC (rev 33165)
@@ -7369,7 +7369,7 @@
- mercurial 3.1.2-2 (bug #773640)
[wheezy] - mercurial  (Minor issue)
[squeeze] - mercurial  (Minor issue)
-   - dulwich 
+   - dulwich 0.10.1-1
[jessie] - dulwich  (Minor issue)
[wheezy] - dulwich  (Minor issue)
 CVE-2014-9376 (Integer underflow in Ettercap 0.8.1 allows remote attackers to 
cause a ...)




[Secure-testing-commits] r33164 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 12:36:19 + (Thu, 26 Mar 2015)
New Revision: 33164

Modified:
   data/CVE/list
Log:
Add fixed version for dulwich in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 11:27:15 UTC (rev 33163)
+++ data/CVE/list   2015-03-26 12:36:19 UTC (rev 33164)
@@ -750,7 +750,7 @@
TODO: check affected versions
 CVE-2014-9706 [dulwich: does not reject commits with invalid paths]
RESERVED
-   - dulwich  (bug #780989)
+   - dulwich 0.10.1-1 (bug #780989)
[jessie] - dulwich 0.9.7-3
NOTE: not yet accepted in jessie
NOTE: Patch: 
https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176
@@ -5480,7 +5480,7 @@
RESERVED
 CVE-2015-0838 [buffer overflow in the C implementation of the apply_delta() 
function]
RESERVED
-   - dulwich  (bug #780958)
+   - dulwich 0.10.1-1 (bug #780958)
[jessie] - dulwich 0.9.7-3
NOTE: not yet accepted in jessie
 CVE-2015-0837 [data-dependent timing variations in modular exponentiation]




[Secure-testing-commits] r33163 - data/CVE

2015-03-26 Thread Salvatore Bonaccorso
Author: carnil
Date: 2015-03-26 11:27:15 + (Thu, 26 Mar 2015)
New Revision: 33163

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2015-1820, #781238

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 09:11:18 UTC (rev 33162)
+++ data/CVE/list   2015-03-26 11:27:15 UTC (rev 33163)
@@ -2206,7 +2206,7 @@
RESERVED
 CVE-2015-1820 [session fixation vulnerability]
RESERVED
-   - ruby-rest-client 
+   - ruby-rest-client  (bug #781238)
- librestclient-ruby 
NOTE: https://github.com/rest-client/rest-client/issues/369
 CVE-2015-1819




[Secure-testing-commits] r33162 - data/CVE

2015-03-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2015-03-26 09:11:18 + (Thu, 26 Mar 2015)
New Revision: 33162

Modified:
   data/CVE/list
Log:
freexl bug


Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 09:10:21 UTC (rev 33161)
+++ data/CVE/list   2015-03-26 09:11:18 UTC (rev 33162)
@@ -29,7 +29,7 @@
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89207
 CVE-2015- [Multiple vulnerabilities]
[experimental] - freexl 1.0.1-1~exp1
-   - freexl 
+   - freexl  (bug #781228)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/03/25/1
NOTE: entry might be split up depending on how many CVEs MITRE assigns
 CVE-2015-2685




[Secure-testing-commits] r33161 - data/CVE

2015-03-26 Thread security tracker role
Author: sectracker
Date: 2015-03-26 09:10:21 + (Thu, 26 Mar 2015)
New Revision: 33161

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 09:09:10 UTC (rev 33160)
+++ data/CVE/list   2015-03-26 09:10:21 UTC (rev 33161)
@@ -1,3 +1,25 @@
+CVE-2015-2700
+   RESERVED
+CVE-2015-2699
+   RESERVED
+CVE-2015-2698
+   RESERVED
+CVE-2015-2697
+   RESERVED
+CVE-2015-2696
+   RESERVED
+CVE-2015-2695
+   RESERVED
+CVE-2015-2694
+   RESERVED
+CVE-2015-2693
+   RESERVED
+CVE-2015-2692
+   RESERVED
+CVE-2015-2691
+   RESERVED
+CVE-2015-2690
+   RESERVED
 CVE-2015- [Don't try to do join without authentication unless explicitly 
requested]
- realmd  (bug #781179)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=89205
@@ -29,10 +51,12 @@
 CVE-2015-2676 (Cross-site request forgery (CSRF) vulnerability in the Asus 
RT-G32 ...)
NOT-FOR-US: Asus
 CVE-2015-2689 [Assertion failure in dns.c, possibly connected to UDP DoS 
attack]
+   RESERVED
{DSA-3203-1 DLA-178-1}
- tor 0.2.5.11-1
NOTE: https://bugs.torproject.org/14129
 CVE-2015-2688 [relay could crash with an assertion]
+   RESERVED
{DSA-3203-1 DLA-178-1}
- tor 0.2.5.11-1
NOTE: https://trac.torproject.org/projects/tor/ticket/15083
@@ -690,6 +714,7 @@
 CVE-2014-9707
RESERVED
 CVE-2014-9710 [btrfs: non-atomic xattr replace operation]
+   RESERVED
- linux 
- linux-2.6 
NOTE: Upstream commit: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339
 (v3.19-rc1)
@@ -1014,8 +1039,8 @@
NOTE: Upstream fix: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c290f8358acaeffd8e0c551ddcc24d1206143376
 (v3.2-rc1)
NOTE: Introduced by: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4a2b5fddd53b80efcb3266ee36e23b8de28e761a
 (v2.6.28-rc1)
NOTE: 3.2.20-1 is the first version after the src:linux-2.6 -> 
src:linux rename.
-CVE-2015-2284
-   RESERVED
+CVE-2015-2284 (userlogin.jsp in SolarWinds Firewall Security Manager (FSM) 
before ...)
+   TODO: check
 CVE-2010-5322 (Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and 
earlier ...)
NOT-FOR-US: ZeusCart
 CVE-2015-2674 [Doesn't Validate TLS]
@@ -1150,8 +1175,7 @@
NOTE: https://bugs.php.net/bug.php?id=68552
NOTE: 
http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803
NOTE: http://www.openwall.com/lists/oss-security/2015/03/10/6
-CVE-2015-2265 [Incomplete fix for CVE-2014-2707; CUPS-filters 
remove_bad_chars() bypass]
-   RESERVED
+CVE-2015-2265 (The remove_bad_chars function in utils/cups-browsed.c in 
cups-filters ...)
- cups-filters 1.0.61-5 (bug #780267)
[wheezy] - cups-filters  (vulnerable code not present)
NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=1265
@@ -1381,18 +1405,15 @@
RESERVED
 CVE-2015-2156
RESERVED
-CVE-2015-2155 [issue with force printer]
-   RESERVED
+CVE-2015-2155 (The force printer in tcpdump before 4.7.2 allows remote 
attackers to ...)
{DSA-3193-1 DLA-174-1}
- tcpdump 4.6.2-4
NOTE: 
http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
-CVE-2015-2154 [issue with ethernet printer]
-   RESERVED
+CVE-2015-2154 (The osi_print_cksum function in print-isoclns.c in the ethernet 
...)
{DSA-3193-1 DLA-174-1}
- tcpdump 4.6.2-4
NOTE: 
http://www.ca.tcpdump.org/cve/0002-test-case-files-for-CVE-2015-2153-2154-2155.patch
-CVE-2015-2153 [issue with tcp printer]
-   RESERVED
+CVE-2015-2153 (The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP 
printer ...)
{DSA-3193-1}
- tcpdump 4.6.2-4
[squeeze] - tcpdump  (Vulnerable code not present)
@@ -3599,8 +3620,8 @@
RESERVED
 CVE-2015-1389
RESERVED
-CVE-2015-1388
-   RESERVED
+CVE-2015-1388 (The "RAP console" feature in ArubaOS 5.x through 
6.2.x, 6.3.x before ...)
+   TODO: check
 CVE-2015-1387
RESERVED
 CVE-2015-1385 (Cross-site scripting (XSS) vulnerability in the Blubrry 
PowerPress ...)
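Review bot: CVE-2015-1388 gets a TODO: check here although the imported description identifies ArubaOS, Aruba Networks' own firmware, which is not a Debian package; NOT-FOR-US: ArubaOS would resolve the entry directly.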
@@ -8676,8 +8697,7 @@
NOT-FOR-US: Red Hat Satellite
 CVE-2015-0283
RESERVED
-CVE-2015-0282 [Signature forgery]
-   RESERVED
+CVE-2015-0282 (GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 
signature ...)
{DSA-3191-1 DLA-180-1}
- gnutls26 
- gnutls28  (Fixed in 3.1.0)
@@ -8743,8 +8763,7 @@
NOT-FOR-US: Apache Camel
 CVE-2015-0262
RESERVED
-CVE-2015-0261 [IPv6 mobility header check issue]
-   RESERVED
+CVE-2015-0261 (Integer signedness error in the mobility_opt_print function in 
the ...)
{DSA-3193-1 DLA-174-1}
- tcpdump 4.

[Secure-testing-commits] r33160 - data/CVE

2015-03-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2015-03-26 09:09:10 + (Thu, 26 Mar 2015)
New Revision: 33160

Modified:
   data/CVE/list
Log:
freeipa n/a 


Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 09:07:21 UTC (rev 33159)
+++ data/CVE/list   2015-03-26 09:09:10 UTC (rev 33160)
@@ -2169,7 +2169,7 @@
RESERVED
 CVE-2015-1827 [memory corruption when using get_user_grouplist()]
RESERVED
-   - freeipa  (bug #781224)
+   - freeipa  (Only affects 4.1, see bug #781224)
NOTE: https://fedorahosted.org/freeipa/ticket/4908
 CVE-2015-1826
RESERVED


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r33159 - data

2015-03-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2015-03-26 09:07:21 + (Thu, 26 Mar 2015)
New Revision: 33159

Modified:
   data/dsa-needed.txt
Log:
add freexl and libgd2 to dsa-needed


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-03-26 09:04:58 UTC (rev 33158)
+++ data/dsa-needed.txt 2015-03-26 09:07:21 UTC (rev 33159)
@@ -23,6 +23,8 @@
 eglibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --
+freexl
+--
 icu
 --
 imagemagick
@@ -33,6 +35,8 @@
 --
 jqueryui
 --
+libgd2
+--
 libphp-snoopy
 --
 libzip (carnil)


[Secure-testing-commits] r33158 - data

2015-03-26 Thread Sebastien Delafond
Author: seb
Date: 2015-03-26 09:04:58 + (Thu, 26 Mar 2015)
New Revision: 33158

Modified:
   data/dsa-needed.txt
Log:
Take batik

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-03-26 08:51:40 UTC (rev 33157)
+++ data/dsa-needed.txt 2015-03-26 09:04:58 UTC (rev 33158)
@@ -14,7 +14,8 @@
 --
 asterisk
 --
-batik
+batik (seb)
+  NOTE: upload prepared by maintainer
 --
 dulwich (carnil)
   NOTE: not yet released due to checking for the issue other than CVE-2015-0838


[Secure-testing-commits] r33157 - data/CVE

2015-03-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2015-03-26 08:51:40 + (Thu, 26 Mar 2015)
New Revision: 33157

Modified:
   data/CVE/list
Log:
jenkins/freeipa bugs


Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 08:40:06 UTC (rev 33156)
+++ data/CVE/list   2015-03-26 08:51:40 UTC (rev 33157)
@@ -2169,9 +2169,8 @@
RESERVED
 CVE-2015-1827 [memory corruption when using get_user_grouplist()]
RESERVED
-   - freeipa 
+   - freeipa  (bug #781224)
NOTE: https://fedorahosted.org/freeipa/ticket/4908
-   TODO: check if it affects as well 4.0.x, upstream commits have testcases
 CVE-2015-1826
RESERVED
 CVE-2015-1825
@@ -2203,39 +2202,39 @@
NOT-FOR-US: setroubleshoot
 CVE-2015-1814 [SECURITY-180, orced API token change]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
 CVE-2015-1813 [SECURITY-177, Reflective XSS vulnerability]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
 CVE-2015-1812 [SECURITY-171, Reflective XSS vulnerability]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
 CVE-2015-1811 [External entity processing in XML can reveal sensitive local 
files (SECURITY-167)]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
 CVE-2015-1810 [HudsonPrivateSecurityRealm allows creation of reserved names 
(SECURITY-166)]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
 CVE-2015-1809 [external entity injection via XPath (SECURITY-165)]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
 CVE-2015-1808 [pdate center metadata retrieval DoS attack (SECURITY-163)]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
 CVE-2015-1807 [directory traversal from artifacts via symlink (SECURITY-162)]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
 CVE-2015-1806 [Combination filter Groovy script unsecured (SECURITY-125)]
RESERVED
-   - jenkins 
+   - jenkins  (bug #781223)
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
 CVE-2015-1805
RESERVED
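Review bot: two entry titles in this hunk have lost their first character: 'CVE-2015-1814 [SECURITY-180, orced API token change]' should read 'Forced API token change' and 'CVE-2015-1808 [pdate center metadata retrieval DoS attack (SECURITY-163)]' should read 'Update center ...'; worth fixing while the bug reference is being added to every jenkins line anyway.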


[Secure-testing-commits] r33156 - data/packages

2015-03-26 Thread security tracker role
Author: sectracker
Date: 2015-03-26 08:40:06 + (Thu, 26 Mar 2015)
New Revision: 33156

Modified:
   data/packages/removed-packages
Log:
These packages have been removed

Modified: data/packages/removed-packages
===
--- data/packages/removed-packages  2015-03-26 08:35:30 UTC (rev 33155)
+++ data/packages/removed-packages  2015-03-26 08:40:06 UTC (rev 33156)
@@ -458,3 +458,4 @@
 
 # Packages in experimental which used to be in other suites.
 dtc
+php-symfony2-yaml


[Secure-testing-commits] r33155 - data/CVE

2015-03-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2015-03-26 08:35:30 + (Thu, 26 Mar 2015)
New Revision: 33155

Modified:
   data/CVE/list
Log:
jenkins update


Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 08:15:18 UTC (rev 33154)
+++ data/CVE/list   2015-03-26 08:35:30 UTC (rev 33155)
@@ -2204,42 +2204,39 @@
 CVE-2015-1814 [SECURITY-180, orced API token change]
RESERVED
- jenkins 
-   TODO: check
+   NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
 CVE-2015-1813 [SECURITY-177, Reflective XSS vulnerability]
RESERVED
- jenkins 
-   TODO: check
+   NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
 CVE-2015-1812 [SECURITY-171, Reflective XSS vulnerability]
RESERVED
- jenkins 
-   TODO: check
+   NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-03-23
 CVE-2015-1811 [External entity processing in XML can reveal sensitive local 
files (SECURITY-167)]
RESERVED
- jenkins 
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
-   TODO: check
 CVE-2015-1810 [HudsonPrivateSecurityRealm allows creation of reserved names 
(SECURITY-166)]
RESERVED
- jenkins 
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
-   TODO: check
 CVE-2015-1809 [external entity injection via XPath (SECURITY-165)]
RESERVED
- jenkins 
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
-   TODO: check
 CVE-2015-1808 [pdate center metadata retrieval DoS attack (SECURITY-163)]
RESERVED
+   - jenkins 
+   NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
 CVE-2015-1807 [directory traversal from artifacts via symlink (SECURITY-162)]
RESERVED
- jenkins 
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
-   TODO: check
 CVE-2015-1806 [Combination filter Groovy script unsecured (SECURITY-125)]
RESERVED
- jenkins 
NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27
-   TODO: check
 CVE-2015-1805
RESERVED
NOTE: Red Hat bug not accessible, Satement on
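Review bot: the trailing context line 'NOTE: Red Hat bug not accessible, Satement on' for CVE-2015-1805 carries a typo ('Statement'); since this commit already rewrites the surrounding jenkins entries, the neighbouring note could be corrected in the same pass.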


[Secure-testing-commits] r33154 - data/CVE

2015-03-26 Thread Moritz Muehlenhoff
Author: jmm
Date: 2015-03-26 08:15:18 + (Thu, 26 Mar 2015)
New Revision: 33154

Modified:
   data/CVE/list
Log:
NFU


Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 07:35:05 UTC (rev 33153)
+++ data/CVE/list   2015-03-26 08:15:18 UTC (rev 33154)
@@ -2200,6 +2200,7 @@
RESERVED
 CVE-2015-1815
RESERVED
+   NOT-FOR-US: setroubleshoot
 CVE-2015-1814 [SECURITY-180, orced API token change]
RESERVED
- jenkins 


[Secure-testing-commits] r33153 - data/CVE

2015-03-26 Thread Helmut Grohne
Author: helmutg
Date: 2015-03-26 07:35:05 + (Thu, 26 Mar 2015)
New Revision: 33153

Modified:
   data/CVE/list
Log:
misc NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2015-03-26 06:45:30 UTC (rev 33152)
+++ data/CVE/list   2015-03-26 07:35:05 UTC (rev 33153)
@@ -1017,7 +1017,7 @@
 CVE-2015-2284
RESERVED
 CVE-2010-5322 (Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and 
earlier ...)
-   TODO: check
+   NOT-FOR-US: ZeusCart
 CVE-2015-2674 [Doesn't Validate TLS]
RESERVED
- python-restkit 
@@ -1214,11 +1214,11 @@
 CVE-2015-2218 (Multiple cross-site scripting (XSS) vulnerabilities in the ...)
NOT-FOR-US: wp_ajax_save_item function in wonderpluginaudio.php in the 
WonderPlugin Audio Player plugin for WordPress
 CVE-2015-2217 (Multiple cross-site scripting (XSS) vulnerabilities in Ultimate 
PHP ...)
-   TODO: check
+   NOT-FOR-US: myUPB
 CVE-2015-2216 (SQL injection vulnerability in ecomm-sizes.php in the 
Photocrati theme ...)
NOT-FOR-US: Photocrati theme for WordPress
 CVE-2015-2215 (Open redirect vulnerability in the Services single sign-on 
server ...)
-   TODO: check
+   NOT-FOR-US: Drupal module Services single sign-on server helper
 CVE-2015-2214 (NetCat 5.01 and earlier allows remote attackers to obtain the 
...)
NOT-FOR-US: NetCat CMS
 CVE-2015-2213
@@ -1327,11 +1327,11 @@
 CVE-2015-2185
RESERVED
 CVE-2015-2184 (ZeusCart 4 allows remote attackers to obtain configuration 
information ...)
-   TODO: check
+   NOT-FOR-US: ZeusCart
 CVE-2015-2183 (Multiple SQL injection vulnerabilities in the administrative 
backend ...)
-   TODO: check
+   NOT-FOR-US: ZeusCart
 CVE-2015-2182 (Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 
4 ...)
-   TODO: check
+   NOT-FOR-US: ZeusCart
 CVE-2015-2181
RESERVED
 CVE-2015-2180
@@ -2072,7 +2072,7 @@
 CVE-2015-1876
RESERVED
 CVE-2015-1875 (SQL injection vulnerability in 
a2billing/customer/iridium_threed.php ...)
-   TODO: check
+   NOT-FOR-US: Elastix
 CVE-2015-1874 (Cross-site request forgery (CSRF) vulnerability in the Contact 
Form DB ...)
NOT-FOR-US: Contact Form DB (aka CFDB and 
contact-form-7-to-database-extension) plugin for WordPress
 CVE-2015-1873
@@ -2617,15 +2617,15 @@
 CVE-2015-1633 (Cross-site scripting (XSS) vulnerability in Microsoft 
SharePoint ...)
NOT-FOR-US: Microsoft SharePoint
 CVE-2015-1632 (Cross-site scripting (XSS) vulnerability in errorfe.aspx in 
Outlook ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2015-1631 (Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 
allows ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2015-1630 (Cross-site scripting (XSS) vulnerability in Outlook Web App 
(OWA) in ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2015-1629 (Cross-site scripting (XSS) vulnerability in Outlook Web App 
(OWA) in ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2015-1628 (Cross-site scripting (XSS) vulnerability in Outlook Web App 
(OWA) in ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2015-1627 (Microsoft Internet Explorer 7 through 11 allows remote 
attackers to ...)
NOT-FOR-US: Microsoft Internet Explorer
 CVE-2015-1626 (Microsoft Internet Explorer 11 allows remote attackers to 
execute ...)
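Review bot: the five new NOT-FOR-US lines for CVE-2015-1628 through CVE-2015-1632 give only 'Microsoft' as the reason, whereas the neighbouring entries name the product ('Microsoft SharePoint', 'Microsoft Internet Explorer'); the descriptions already identify Outlook Web App and Exchange Server, so naming them (e.g. 'NOT-FOR-US: Microsoft Exchange / Outlook Web App') would keep the file consistent and greppable by product.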
@@ -4198,7 +4198,7 @@
 CVE-2015-1171
RESERVED
 CVE-2015-1170 (The NVIDIA Display Driver R304 before 309.08, R340 before 
341.44, R343 ...)
-   TODO: check
+   NOT-FOR-US: NVIDIA Windows driver
 CVE-2015-1169 (Apereo Central Authentication Service (CAS) Server before 3.5.3 
allows ...)
NOT-FOR-US: Apereo Central Authentication Service
 CVE-2015-1168
@@ -4514,7 +4514,7 @@
 CVE-2015-1068 (WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, 
and ...)
NOT-FOR-US: Webkit / if anything of this affects Chromium, the Chrome 
sec team will know and fix
 CVE-2015-1067 (Secure Transport in Apple iOS before 8.2, Apple OS X through 
10.10.2, ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2015-1066 (Off-by-one error in IOAcceleratorFamily in Apple OS X through 
10.10.2 ...)
TODO: check
 CVE-2015-1065 (Multiple buffer overflows in iCloud Keychain in Apple iOS 
before 8.2 ...)
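Review bot: CVE-2015-1067 is resolved as NOT-FOR-US: Apple, but the adjacent CVE-2015-1066 ('Off-by-one error in IOAcceleratorFamily in Apple OS X') stays at TODO: check; IOAcceleratorFamily is an OS X kernel extension with no Debian counterpart, so it can be marked NOT-FOR-US: Apple in this same hunk.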
@@ -4797,7 +4797,7 @@
NOTE: Automatic version check is disabled and inherently insecure 
(CVE-2014-2029)
NOTE: Patch applied to OpenSUSE 13.1: 
https://build.opensuse.org/package/view_file/openSUSE:13.1:Update/xtrabackup/percona-xtrabackup-CVE-2015-1027.patch?expand=1
 CVE-2015-1026 (Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ...)
-   TODO: check
+   NOT-FOR-US: ZOHO ManageEngine
 CVE-2015-1025
RESERVED
 CVE-2015-1024
@@ -6128,7 +6128,7 @@
 CVE-2014-9567 (Unrestricted file upload vulnerability in process-upload.php in 
...)
NOT-FOR-US: ProjectSend
 CV