[Secure-testing-commits] r23959 - data/DSA
Author: carnil Date: 2013-10-11 07:21:57 + (Fri, 11 Oct 2013) New Revision: 23959 Modified: data/DSA/list Log: Add CVE reference for DSA-2740-1 released in august Modified: data/DSA/list === --- data/DSA/list 2013-10-11 07:20:26 UTC (rev 23958) +++ data/DSA/list 2013-10-11 07:21:57 UTC (rev 23959) @@ -126,6 +126,7 @@ {CVE-2013-2887 CVE-2013-2900 CVE-2013-2901 CVE-2013-2902 CVE-2013-2903 CVE-2013-2904 CVE-2013-2905} [wheezy] - chromium-browser 29.0.1547.57-1~deb7u1 [23 Aug 2013] DSA-2740-1 python-django - cross-site scripting vulnerability + {CVE-2013-6044} [squeeze] - python-django 1.2.3-3+squeeze6 [wheezy] - python-django 1.4.5-1+deb7u1 [21 Aug 2013] DSA-2739-1 cacti - several ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
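Review bot: the new `{CVE-2013-6044}` line under DSA-2740-1 only updates data/DSA/list; the CVE-2013-6044 entry in data/CVE/list needs the matching `{DSA-2740-1}` reference (the idiom used elsewhere in this series, e.g. `{DSA-2770-1}` on CVE-2013-4319) so the tracker links the advisory from both sides rather than showing the CVE as fixed only from the DSA side.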
[Secure-testing-commits] r23960 - data/CVE
Author: carnil Date: 2013-10-11 07:24:01 + (Fri, 11 Oct 2013) New Revision: 23960 Modified: data/CVE/list Log: Add missed python-django-djblets (removed) for CVE-2013-4409 Modified: data/CVE/list === --- data/CVE/list 2013-10-11 07:21:57 UTC (rev 23959) +++ data/CVE/list 2013-10-11 07:24:01 UTC (rev 23960) @@ -3621,6 +3621,7 @@ CVE-2013-4409 [unsanitized eval() vulnerability] RESERVED - djblets unfixed + - python-django-djblets removed CVE-2013-4408 RESERVED CVE-2013-4407 [remote command-injection] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
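Review bot: `- python-django-djblets removed` records the unstable state only; if the package was shipped in squeeze, a release-specific line (`[squeeze] - python-django-djblets ...`) is needed, otherwise a removed package is reported with no stable status at all. Neither the djblets nor the python-django-djblets line carries a severity here; the r23967 hunk later in this series adds `(low)` and exactly such a `[squeeze]` line, which is what this commit should have included.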
[Secure-testing-commits] r23963 - data/CVE
Author: carnil Date: 2013-10-11 09:01:40 + (Fri, 11 Oct 2013) New Revision: 23963 Modified: data/CVE/list Log: Add bugreference for CVE-2013-4421 Modified: data/CVE/list === --- data/CVE/list 2013-10-11 07:49:21 UTC (rev 23962) +++ data/CVE/list 2013-10-11 09:01:40 UTC (rev 23963) @@ -3588,7 +3588,7 @@ - quassel not-affected (Postgres support not enabled in Debian, see #552374) CVE-2013-4421 [memory exhaustion denial of service] RESERVED - - dropbear unfixed + - dropbear unfixed (bug #726019) NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f CVE-2013-4420 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23967 - data/CVE
Author: carnil Date: 2013-10-11 14:25:08 + (Fri, 11 Oct 2013) New Revision: 23967 Modified: data/CVE/list Log: Add bug number for CVE-2013-4409/djblets Modified: data/CVE/list === --- data/CVE/list 2013-10-11 13:13:36 UTC (rev 23966) +++ data/CVE/list 2013-10-11 14:25:08 UTC (rev 23967) @@ -3623,7 +3623,7 @@ - reviewboard itp (bug #653113) CVE-2013-4409 [unsanitized eval() vulnerability] RESERVED - - djblets unfixed (low) + - djblets unfixed (low; bug #726039) - python-django-djblets removed (low) [squeeze] - python-django-djblets no-dsa (Minor issue) NOTE: Fix: https://github.com/djblets/djblets/commit/36cd15763742652ca990f913b44e91c69c707269 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23970 - data/CVE
Author: carnil Date: 2013-10-11 16:00:07 + (Fri, 11 Oct 2013) New Revision: 23970 Modified: data/CVE/list Log: Process NFUs Modified: data/CVE/list === --- data/CVE/list 2013-10-11 15:59:51 UTC (rev 23969) +++ data/CVE/list 2013-10-11 16:00:07 UTC (rev 23970) @@ -104,7 +104,7 @@ CVE-2013-6012 RESERVED CVE-2013-6011 (Citrix NetScaler Application Delivery Controller (ADC) 10.0 before ...) - TODO: check + NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2013-6010 (Cross-site scripting (XSS) vulnerability in the Comment Attachment ...) TODO: check CVE-2013-6009 (CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, ...) @@ -192,7 +192,7 @@ CVE-2013-5968 RESERVED CVE-2013-5967 (Multiple SQL injection vulnerabilities in AlienVault Open Source ...) - TODO: check + NOT-FOR-US: AlienVault Open Source Security Information Management CVE-2013-5966 RESERVED CVE-2013-5965 (The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal ...) @@ -1206,15 +1206,15 @@ CVE-2013-5528 RESERVED CVE-2013-5527 (The OSPF functionality in Cisco IOS and IOS XE allows remote attackers ...) - TODO: check + NOT-FOR-US: Cisco CVE-2013-5526 (Cisco 9900 fourth-generation IP phones do not properly perform SDP ...) - TODO: check + NOT-FOR-US: Cisco CVE-2013-5525 (SQL injection vulnerability in the web framework in Cisco Identity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2013-5524 (Cross-site scripting (XSS) vulnerability in the troubleshooting page ...) - TODO: check + NOT-FOR-US: Cisco CVE-2013-5523 (The Sponsor Portal in Cisco Identity Services Engine (ISE) 1.2 and ...) - TODO: check + NOT-FOR-US: Cisco CVE-2013-5522 RESERVED CVE-2013-5521 
@@ -1262,7 +1262,7 @@ CVE-2013-5500 (Multiple cross-site scripting (XSS) vulnerabilities in the oraadmin ...) NOT-FOR-US: Cisco MediaSense CVE-2013-5499 (The remember feature in the DHCP server in Cisco IOS allows remote ...) - TODO: check + NOT-FOR-US: Cisco CVE-2013-5498 (The PPTP-ALG component in CRS Carrier Grade Services Engine (CGSE) and ...) NOT-FOR-US: Cisco IOS XR CVE-2013-5497 (The authentication manager process in the web framework in Cisco ...) @@ -1422,7 +1422,7 @@ CVE-2013-5420 RESERVED CVE-2013-5419 (Multiple buffer overflows in (1) mkque and (2) mkquedev in ...) - TODO: check + NOT-FOR-US: IBM AIX CVE-2013-5418 RESERVED CVE-2013-5417 @@ -1606,11 +1606,11 @@ CVE-2013-5328 RESERVED CVE-2013-5327 (MDBMS.dll in Adobe RoboHelp 10 allows attackers to execute arbitrary ...) - TODO: check + NOT-FOR-US: Adobe RoboHelp CVE-2013-5326 RESERVED CVE-2013-5325 (Adobe Reader and Acrobat 11.x before 11.0.05 on Windows allow remote ...) - TODO: check + NOT-FOR-US: Adobe CVE-2013-5324 (Adobe Flash Player before 11.7.700.242 and 11.8.x before 11.8.800.168 ...) NOT-FOR-US: Adobe Flash CVE-2013-5323 (Cross-site scripting (XSS) vulnerability in the Static Info Tables ...) @@ -2091,7 +2091,7 @@ CVE-2013-5092 RESERVED CVE-2013-5091 (SQL injection vulnerability in CalendarCommon.php in vTiger CRM 5.4.0 ...) - TODO: check + NOT-FOR-US: vTiger CRM CVE-2013-5090 RESERVED CVE-2013-5089 @@ -2263,7 +2263,7 @@ CVE-2013-5009 RESERVED CVE-2013-5008 (The agent and task-agent components in Symantec Management Platform ...) - TODO: check + NOT-FOR-US: Symantec CVE-2013-5007 RESERVED CVE-2013-5006 (main_internet.php on the Western Digital My Net N600 and N750 with ...) 
@@ -5122,43 +5122,43 @@ CVE-2013-3898 RESERVED CVE-2013-3897 (Use-after-free vulnerability in the CDisplayPointer class in ...) - TODO: check + NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3896 (Microsoft Silverlight 5 before 5.1.20913.0 does not properly validate ...) - TODO: check + NOT-FOR-US: Microsoft Silverlight CVE-2013-3895 (Microsoft SharePoint Server 2007 SP3 and 2010 SP1 and SP2 allows ...) - TODO: check + NOT-FOR-US: Microsoft SharePoint Server CVE-2013-3894 (The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows ...) - TODO: check + NOT-FOR-US: Microsoft Windows CVE-2013-3893 (Use-after-free vulnerability in the SetMouseCapture implementation in ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2013-3892 (Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote ...) - TODO: check + NOT-FOR-US: Microsoft Word CVE-2013-3891 (Microsoft Word 2003 SP3 allows remote attackers to execute arbitrary ...) - TODO: check + NOT-FOR-US: Microsoft Word CVE-2013-3890 (Microsoft Excel 2007 SP3, Excel Viewer, and Office Compatibility Pack ...) - TODO: check +
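Review bot: the NOT-FOR-US annotations in this commit vary in specificity: CVE-2013-5527 through CVE-2013-5523 and CVE-2013-5499 get a bare `NOT-FOR-US: Cisco`, while the surrounding context lines use `NOT-FOR-US: Cisco MediaSense` and `NOT-FOR-US: Cisco IOS XR`; naming the product as the CVE description does (Cisco IOS, Cisco Identity Services Engine) keeps the list searchable later. The archived message is cut off after `CVE-2013-3890 ... - TODO: check +`, so the replacement for that entry and anything following it in the hunk cannot be reviewed from this page.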
[Secure-testing-commits] r23971 - data/CVE
Author: carnil Date: 2013-10-11 16:00:32 + (Fri, 11 Oct 2013) New Revision: 23971 Modified: data/CVE/list Log: Add CVE-2013-4767, eucalyptus (it was removed again) Modified: data/CVE/list === --- data/CVE/list 2013-10-11 16:00:07 UTC (rev 23970) +++ data/CVE/list 2013-10-11 16:00:32 UTC (rev 23971) @@ -2821,7 +2821,7 @@ CVE-2013-4768 RESERVED CVE-2013-4767 (Unspecified vulnerability in Eucalyptus before 3.3.2 has unknown ...) - TODO: check + - eucalyptus removed CVE-2013-4766 (The gather log service in Eucalyptus before 3.3.1 allows remote ...) - eucalyptus removed CVE-2013-4765 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23972 - data/CVE
Author: carnil Date: 2013-10-11 16:00:59 + (Fri, 11 Oct 2013) New Revision: 23972 Modified: data/CVE/list Log: Add CVE-2013-1061/software-properties, todo check Modified: data/CVE/list === --- data/CVE/list 2013-10-11 16:00:32 UTC (rev 23971) +++ data/CVE/list 2013-10-11 16:00:59 UTC (rev 23972) @@ -12766,6 +12766,7 @@ CVE-2013-1062 (ubuntu-system-service 0.2.4 before 0.2.4.1. 0.2.3 before 0.2.3.1, and ...) NOT-FOR-US: ubuntu-system-service CVE-2013-1061 (dbus/SoftwarePropertiesDBus.py in Software Properties 0.92.17 before ...) + - software-properties unfixed TODO: check CVE-2013-1060 (A certain Ubuntu build procedure for perf, as distributed in the Linux ...) NOT-FOR-US: Ubuntu packaging specific ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
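Review bot: `- software-properties unfixed` is asserted while the `TODO: check` is still open; the description points at `dbus/SoftwarePropertiesDBus.py`, so the check should confirm that the Debian source of software-properties actually ships that D-Bus backend, given that the neighbouring CVE-2013-1062 and CVE-2013-1060 entries were both marked NOT-FOR-US as Ubuntu-specific. If the file is not in the Debian package, the line should become `not-affected` with the reason rather than stay `unfixed`.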
[Secure-testing-commits] r23973 - data/CVE
Author: carnil Date: 2013-10-11 20:32:31 + (Fri, 11 Oct 2013) New Revision: 23973 Modified: data/CVE/list Log: Add four more NFU's in Cisco products Modified: data/CVE/list === --- data/CVE/list 2013-10-11 16:00:59 UTC (rev 23972) +++ data/CVE/list 2013-10-11 20:32:31 UTC (rev 23973) @@ -22137,6 +22137,7 @@ NOT-FOR-US: Cisco CVE-2012-4121 RESERVED + NOT-FOR-US: Cisco CVE-2012-4120 RESERVED CVE-2012-4119 @@ -22181,10 +22182,12 @@ RESERVED CVE-2012-4099 RESERVED + NOT-FOR-US: Cisco CVE-2012-4098 (The BGP implementation in Cisco NX-OS does not properly filter AS ...) NOT-FOR-US: Cisco CVE-2012-4097 RESERVED + NOT-FOR-US: Cisco CVE-2012-4096 (The local file editor in the Baseboard Management Controller (BMC) in ...) TODO: check CVE-2012-4095 (The local file editor in the fabric-interconnect component in Cisco ...) @@ -5,6 +8,7 @@ NOT-FOR-US: Cisco Unified Computing System CVE-2012-4077 RESERVED + NOT-FOR-US: Cisco CVE-2012-4076 RESERVED CVE-2012-4075 (Cisco NX-OS allows local users to gain privileges and execute ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
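Review bot: the third hunk header reads `@@ -5,6 +8,7 @@`, which does not fit a change a few lines below the `@@ -22181,10 +22182,12 @@` hunk in the same file; this looks like a transcription artifact in the archived message, but it is worth confirming the patch applied where intended (the content, a `NOT-FOR-US: Cisco` under CVE-2012-4077, is consistent with the other hunks). In the context lines CVE-2012-4096 and CVE-2012-4095 describe Cisco components yet stay at `TODO: check` while their neighbours are marked NOT-FOR-US; if that is deliberate, a NOTE saying why would help the next person.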
[Secure-testing-commits] r23975 - in data: . DSA
Author: carnil Date: 2013-10-11 21:55:12 + (Fri, 11 Oct 2013) New Revision: 23975 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA number for libapache2-mod-fcgid Modified: data/DSA/list === --- data/DSA/list 2013-10-11 21:14:23 UTC (rev 23974) +++ data/DSA/list 2013-10-11 21:55:12 UTC (rev 23975) @@ -1,3 +1,7 @@ +[12 Oct 2013] DSA-2778-1 libapache2-mod-fcgid - heap-based buffer overflow + {CVE-2013-4365} + [squeeze] - libapache2-mod-fcgid 1:2.3.6-1+squeeze2 + [wheezy] - libapache2-mod-fcgid 1:2.3.6-1.2+deb7u1 [11 Oct 2013] DSA-2777-1 systemd - several {CVE-2013-4327 CVE-2013-4391 CVE-2013-4394} [wheezy] - systemd 44-11+deb7u4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-11 21:14:23 UTC (rev 23974) +++ data/dsa-needed.txt 2013-10-11 21:55:12 UTC (rev 23975) @@ -54,8 +54,6 @@ -- memcached -- -libapache2-mod-fcgid (carnil) --- mysql-5.1/oldstable (jmm) -- mysql-5.5/stable (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
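Review bot: the reserved DSA-2778-1 entry is dated `[12 Oct 2013]` in a commit from 11 Oct, so until the advisory is published the tracker will show CVE-2013-4365 as fixed in squeeze and wheezy by `1:2.3.6-1+squeeze2` and `1:2.3.6-1.2+deb7u1`, which are not yet in the archive; recheck those versions against the actual uploads at release time and add the matching `{DSA-2778-1}` reference to the CVE-2013-4365 entry in data/CVE/list so the two files agree.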
[Secure-testing-commits] r23977 - data/CVE
Author: carnil Date: 2013-10-12 07:44:51 + (Sat, 12 Oct 2013) New Revision: 23977 Modified: data/CVE/list Log: Add bugnumber for CVE-2013-4251/python-scipy Modified: data/CVE/list === --- data/CVE/list 2013-10-12 07:23:10 UTC (rev 23976) +++ data/CVE/list 2013-10-12 07:44:51 UTC (rev 23977) @@ -4153,7 +4153,7 @@ RESERVED CVE-2013-4251 [weave /tmp and current directory issues] RESERVED - - python-scipy unfixed + - python-scipy unfixed (bug #726093) NOTE: https://github.com/scipy/scipy/commit/bd296e0336420b840fcd2faabb97084fd252a973 CVE-2013-4250 [Vulnerable subcomponent: Backend File Upload / File Abstraction Layer] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23982 - data
Author: carnil Date: 2013-10-12 21:29:11 + (Sat, 12 Oct 2013) New Revision: 23982 Modified: data/next-point-update.txt Log: Add CVE-2013-4326/rtkit to next stable point release Modified: data/next-point-update.txt === --- data/next-point-update.txt 2013-10-12 15:11:17 UTC (rev 23981) +++ data/next-point-update.txt 2013-10-12 21:29:11 UTC (rev 23982) @@ -0,0 +1,2 @@ +CVE-2013-4326 + [wheezy] - rtkit 0.10-2+wheezy1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23983 - data
Author: carnil Date: 2013-10-13 06:24:28 + (Sun, 13 Oct 2013) New Revision: 23983 Modified: data/next-oldstable-point-update.txt Log: Add various CVEs for zabbix fixed through opu Modified: data/next-oldstable-point-update.txt === --- data/next-oldstable-point-update.txt2013-10-12 21:29:11 UTC (rev 23982) +++ data/next-oldstable-point-update.txt2013-10-13 06:24:28 UTC (rev 23983) @@ -26,3 +26,15 @@ [squeeze] - pcp 3.3.3-squeeze3 CVE-2013-4124 [squeeze] - samba 2:3.5.6~dfsg-3squeeze10 +CVE-2013-5743 + [squeeze] - zabbix 1:1.8.2-1squeeze5 +CVE-2011-3263 + [squeeze] - zabbix 1:1.8.2-1squeeze5 +CVE-2011-3265 + [squeeze] - zabbix 1:1.8.2-1squeeze5 +CVE-2011-3264 + [squeeze] - zabbix 1:1.8.2-1squeeze5 +CVE-2011-3265 + [squeeze] - zabbix 1:1.8.2-1squeeze5 +CVE-2013-1364 + [squeeze] - zabbix 1:1.8.2-1squeeze5
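Review bot: CVE-2011-3265 is added twice in this hunk (the third and the fifth new entry), each with the same `[squeeze] - zabbix 1:1.8.2-1squeeze5` line; one of the two is presumably a different CVE from the same zabbix batch, so the intended id should be checked against the upload's changelog and the duplicate dropped before the oldstable point-release notes are generated from this file.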
[Secure-testing-commits] r23985 - data/CVE
Author: carnil Date: 2013-10-13 09:12:34 + (Sun, 13 Oct 2013) New Revision: 23985 Modified: data/CVE/list Log: Correct source package name: typo3 - typo3-src Modified: data/CVE/list === --- data/CVE/list 2013-10-13 07:09:29 UTC (rev 23984) +++ data/CVE/list 2013-10-13 09:12:34 UTC (rev 23985) @@ -3931,10 +3931,10 @@ RESERVED CVE-2013-4321 [TYPO3 File Abstraction Layer: Remote Code Execution] RESERVED - - typo3 not-affected (All versions from 6.0.0 up to the development branch of 6.2) + - typo3-src not-affected (All versions from 6.0.0 up to the development branch of 6.2) CVE-2013-4320 [TYPO3 Core: Cross-Site Scripting, Remote Code Execution] RESERVED - - typo3 not-affected (All versions from 6.0.0 up to the development branch of 6.2) + - typo3-src not-affected (All versions from 6.0.0 up to the development branch of 6.2) CVE-2013-4319 [Torque privilege escalation] RESERVED {DSA-2770-1} @@ -4160,7 +4160,7 @@ NOTE: https://github.com/scipy/scipy/commit/bd296e0336420b840fcd2faabb97084fd252a973 CVE-2013-4250 [Vulnerable subcomponent: Backend File Upload / File Abstraction Layer] RESERVED - - typo3 not-affected (All versions from 6.0.0 up to the development branch of 6.2) + - typo3-src not-affected (All versions from 6.0.0 up to the development branch of 6.2) CVE-2013-4249 (Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget ...) - python-django 1.5.2-1 [wheezy] - python-django not-affected (1.4.x not affected) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
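Review bot: the rename to `typo3-src` covers three entries (CVE-2013-4321, CVE-2013-4320, CVE-2013-4250); since the tracker keys on source package names, any other ` - typo3 ` line left in data/CVE/list would keep pointing at a non-existent source package, so a grep for the old name before committing is worthwhile. The reason text `(All versions from 6.0.0 up to the development branch of 6.2)` states the affected upstream range rather than why Debian is not affected; naming the Debian version and that it predates 6.0.0 would make the not-affected claim self-explanatory.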
[Secure-testing-commits] r23997 - data
Author: carnil Date: 2013-10-15 15:32:43 + (Tue, 15 Oct 2013) New Revision: 23997 Modified: data/dsa-needed.txt Log: Handling libhttp-body-perl within the pkg-perl group Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-15 15:25:02 UTC (rev 23996) +++ data/dsa-needed.txt 2013-10-15 15:32:43 UTC (rev 23997) @@ -40,7 +40,7 @@ -- ffmpeg/oldstable (geissert) -- -libhttp-body-perl +libhttp-body-perl (carnil) -- librack-ruby/oldstable (thijs) Package to review was already prepared
[Secure-testing-commits] r23998 - data
Author: carnil Date: 2013-10-15 15:39:35 + (Tue, 15 Oct 2013) New Revision: 23998 Modified: data/dsa-needed.txt Log: Add annotation that libhttp-body-perl only needs DSA for stable Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-15 15:32:43 UTC (rev 23997) +++ data/dsa-needed.txt 2013-10-15 15:39:35 UTC (rev 23998) @@ -40,7 +40,7 @@ -- ffmpeg/oldstable (geissert) -- -libhttp-body-perl (carnil) +libhttp-body-perl/stable (carnil) -- librack-ruby/oldstable (thijs) Package to review was already prepared ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r23999 - data/CVE
Author: carnil Date: 2013-10-15 16:58:23 + (Tue, 15 Oct 2013) New Revision: 23999 Modified: data/CVE/list Log: Two more NFUs in Cisco Modified: data/CVE/list === --- data/CVE/list 2013-10-15 15:39:35 UTC (rev 23998) +++ data/CVE/list 2013-10-15 16:58:23 UTC (rev 23999) @@ -22197,8 +22197,10 @@ NOT-FOR-US: Cisco CVE-2012-4108 RESERVED + NOT-FOR-US: Cisco Unified Computing System CVE-2012-4107 RESERVED + NOT-FOR-US: Cisco Unified Computing System CVE-2012-4106 RESERVED NOT-FOR-US: Cisco Unified Computing System ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24000 - data/CVE
Author: carnil Date: 2013-10-15 17:00:12 + (Tue, 15 Oct 2013) New Revision: 24000 Modified: data/CVE/list Log: Add NFU in Cisco WebEx Meetings Server Modified: data/CVE/list === --- data/CVE/list 2013-10-15 16:58:23 UTC (rev 23999) +++ data/CVE/list 2013-10-15 17:00:12 UTC (rev 24000) @@ -1208,6 +1208,7 @@ RESERVED CVE-2013-5529 RESERVED + NOT-FOR-US: Cisco WebEx Meetings Server CVE-2013-5528 RESERVED CVE-2013-5527 (The OSPF functionality in Cisco IOS and IOS XE allows remote attackers ...)
[Secure-testing-commits] r24001 - data/CVE
Author: carnil Date: 2013-10-15 19:04:15 + (Tue, 15 Oct 2013) New Revision: 24001 Modified: data/CVE/list Log: Add fixed version for CVE-2013-2014/keystone Modified: data/CVE/list === --- data/CVE/list 2013-10-15 17:00:12 UTC (rev 24000) +++ data/CVE/list 2013-10-15 19:04:15 UTC (rev 24001) @@ -9977,9 +9977,8 @@ - linux-2.6 removed (low) CVE-2013-2014 [no limitation for requests and headers size which can cause a crash] RESERVED - - keystone unfixed (bug #708515) + - keystone 2013.1.1-2 (bug #708515) [wheezy] - keystone no-dsa (Minor issue) - NOTE: fixed in 2013.1-1 for experimental CVE-2013-2013 (The user-password-update command in python-keystoneclient before 0.2.4 ...) - python-keystoneclient 1:0.2.5-1 (bug #709535) [wheezy] - python-keystoneclient 2012.1-3+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
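Review bot: the removed `NOTE: fixed in 2013.1-1 for experimental` carried information the new `- keystone 2013.1.1-2` line does not, namely that the fix first entered the archive via experimental with 2013.1-1; if that is still accurate, keep it as a NOTE next to the unstable version so anyone tracing the fix knows which upstream version introduced it, since the tracker records only the unstable fixed version.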
[Secure-testing-commits] r24002 - data/CVE
Author: carnil Date: 2013-10-15 19:13:48 + (Tue, 15 Oct 2013) New Revision: 24002 Modified: data/CVE/list Log: Add reference for CVE-2013-0247/keystone Modified: data/CVE/list === --- data/CVE/list 2013-10-15 19:04:15 UTC (rev 24001) +++ data/CVE/list 2013-10-15 19:13:48 UTC (rev 24002) @@ -15382,6 +15382,7 @@ NOTE: Only affects example code CVE-2013-0247 (OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and ...) - keystone 2012.1.1-12 (bug #699835) + NOTE: https://bugs.launchpad.net/keystone/+bug/1098307 CVE-2013-0246 (The Image module in Drupal 7.x before 7.19, when a private file system ...) - drupal7 7.14-1.3 (bug #698334) NOTE: https://drupal.org/SA-CORE-2013-001 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24003 - data/CVE
Author: carnil Date: 2013-10-15 19:29:51 + (Tue, 15 Oct 2013) New Revision: 24003 Modified: data/CVE/list Log: Update entry for CVE-2013-0270/keystone, add note Modified: data/CVE/list === --- data/CVE/list 2013-10-15 19:13:48 UTC (rev 24002) +++ data/CVE/list 2013-10-15 19:29:51 UTC (rev 24003) @@ -15304,9 +15304,9 @@ - pidgin 2.10.6-3 NOTE: http://pidgin.im/news/security/?id=65 CVE-2013-0270 (OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier ...) - NOTE: Duplicate of CVE-2013-0247, see bug #700240? + - keystone 2013.1.1-2 NOTE: https://bugs.launchpad.net/keystone/+bug/1099025 - TODO: Recheck again, see comment http://bugs.debian.org/708515#27, mark accordingly + NOTE: See notes on ubuntu security tracker, change too intrusive to be backported CVE-2013-0269 (The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 ...) - ruby-json 1.7.3-3 (bug #700436) - libjson-ruby removed ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
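Review bot: after this change CVE-2013-0270 records `- keystone 2013.1.1-2` for unstable but nothing for wheezy, while the new NOTE says the change is too intrusive to backport; make the stable decision explicit with a `[wheezy] - keystone no-dsa (...)` line, as the CVE-2013-2014 entry in r24001 does, otherwise wheezy shows as vulnerable with no decision recorded. Dropping `Duplicate of CVE-2013-0247, see bug #700240?` also drops the link to that bug; a one-line NOTE stating how the duplicate question was settled would preserve that history.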
[Secure-testing-commits] r24004 - data/CVE
Author: carnil Date: 2013-10-15 19:59:01 + (Tue, 15 Oct 2013) New Revision: 24004 Modified: data/CVE/list Log: Add glance issue, CVE is requested on oss-security list Modified: data/CVE/list === --- data/CVE/list 2013-10-15 19:29:51 UTC (rev 24003) +++ data/CVE/list 2013-10-15 19:59:01 UTC (rev 24004) @@ -1,3 +1,5 @@ +CVE-2013- [image_download policy not enforced for cached images] + - glance unfixed CVE-2013- [xhprof: unspecified XSS] - xhprof unfixed (bug #726284) CVE-2013- [dropbear: avoid disclosing existence of valid users through inconsistent delays] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24008 - data/CVE
Author: carnil Date: 2013-10-16 05:13:50 + (Wed, 16 Oct 2013) New Revision: 24008 Modified: data/CVE/list Log: Add bugnumber to CVE-2013-1739, leave todo item as per comment on bugreport Modified: data/CVE/list === --- data/CVE/list 2013-10-16 03:49:01 UTC (rev 24007) +++ data/CVE/list 2013-10-16 05:13:50 UTC (rev 24008) @@ -10873,7 +10873,7 @@ RESERVED CVE-2013-1739 [nss uninitialized data read in the event of a decryption failure] RESERVED - - nss unfixed + - nss unfixed (bug #726473) TODO: check NOTE: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.2_release_notes NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1012656 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24010 - data
Author: carnil Date: 2013-10-16 05:20:46 + (Wed, 16 Oct 2013) New Revision: 24010 Modified: data/dsa-needed.txt Log: Remove first part, as actual patch might still be improved There is discussion on upstream list if the patch is correct or should be improved. No final conclusion yet. Patch for CVE-2013-4420 still not available. Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-16 05:14:27 UTC (rev 24009) +++ data/dsa-needed.txt 2013-10-16 05:20:46 UTC (rev 24010) @@ -46,7 +46,7 @@ Package to review was already prepared -- libtar (carnil) - Maintainer prepared packages already, no patch for CVE-2013-4420 yet + no patch for CVE-2013-4420 yet -- libv8 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24012 - data/CVE
Author: carnil Date: 2013-10-16 06:03:34 + (Wed, 16 Oct 2013) New Revision: 24012 Modified: data/CVE/list Log: pyxtrlock NFUs Modified: data/CVE/list === --- data/CVE/list 2013-10-16 05:52:38 UTC (rev 24011) +++ data/CVE/list 2013-10-16 06:03:34 UTC (rev 24012) @@ -3583,10 +3583,12 @@ RESERVED CVE-2013-4428 RESERVED -CVE-2013-4427 +CVE-2013-4427 [pyxtrlock Incorrect return value checking] RESERVED -CVE-2013-4426 + NOT-FOR-US: pyxtrlock +CVE-2013-4426 [pyxtrlock mis-spelled variable name] RESERVED + NOT-FOR-US: pyxtrlock CVE-2013-4425 RESERVED CVE-2013-4424 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24013 - data/CVE
Author: carnil Date: 2013-10-16 06:07:46 + (Wed, 16 Oct 2013) New Revision: 24013 Modified: data/CVE/list Log: Add four mahara CVEs (to be checked affected versions) raphael might already have done and know more already Modified: data/CVE/list === --- data/CVE/list 2013-10-16 06:03:34 UTC (rev 24012) +++ data/CVE/list 2013-10-16 06:07:46 UTC (rev 24013) @@ -3575,12 +3575,24 @@ RESERVED CVE-2013-4432 RESERVED -CVE-2013-4431 + - mahara unfixed + NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5831 + TODO: check +CVE-2013-4431 [Not checking ownership of blocks before editing them] RESERVED + - mahara unfixed + NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5832 + TODO: check CVE-2013-4430 + - mahara unfixed + NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5830 + TODO: check RESERVED -CVE-2013-4429 +CVE-2013-4429 [Arbitrary image download] RESERVED + - mahara unfixed + NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833 + TODO: check CVE-2013-4428 RESERVED CVE-2013-4427 [pyxtrlock Incorrect return value checking] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
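Review bot: for CVE-2013-4430 the new `- mahara unfixed`, `NOTE:` and `TODO: check` lines land between the `CVE-2013-4430` id line and its `RESERVED` line, whereas every other entry in this hunk (and the rest of the list) puts `RESERVED` directly after the id; move those three lines below `RESERVED` for consistency and to avoid surprising the parser. CVE-2013-4432 and CVE-2013-4430 also get package lines but no bracketed summary, unlike CVE-2013-4431 and CVE-2013-4429; the referenced launchpad revisions should supply the summaries.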
[Secure-testing-commits] r24014 - data/CVE
Author: carnil Date: 2013-10-16 06:09:13 + (Wed, 16 Oct 2013) New Revision: 24014 Modified: data/CVE/list Log: CVE assigned for xhprof issue Modified: data/CVE/list === --- data/CVE/list 2013-10-16 06:07:46 UTC (rev 24013) +++ data/CVE/list 2013-10-16 06:09:13 UTC (rev 24014) @@ -1,7 +1,5 @@ CVE-2013- [image_download policy not enforced for cached images] - glance unfixed -CVE-2013- [xhprof: unspecified XSS] - - xhprof unfixed (bug #726284) CVE-2013- [dropbear: avoid disclosing existence of valid users through inconsistent delays] - dropbear unfixed (bug #726118) CVE-2013-6063 @@ -3571,8 +3569,9 @@ RESERVED CVE-2013-4434 RESERVED -CVE-2013-4433 +CVE-2013-4433 [xhprof: unspecified XSS] RESERVED + - xhprof unfixed (bug #726284) CVE-2013-4432 RESERVED - mahara unfixed ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24016 - data/CVE
Author: carnil Date: 2013-10-16 06:12:57 + (Wed, 16 Oct 2013) New Revision: 24016 Modified: data/CVE/list Log: CVE for glance was assigned Modified: data/CVE/list === --- data/CVE/list 2013-10-16 06:11:06 UTC (rev 24015) +++ data/CVE/list 2013-10-16 06:12:57 UTC (rev 24016) @@ -1,5 +1,3 @@ -CVE-2013- [image_download policy not enforced for cached images] - - glance unfixed CVE-2013- [dropbear: avoid disclosing existence of valid users through inconsistent delays] - dropbear unfixed (bug #726118) CVE-2013-6063 @@ -3592,8 +3590,9 @@ - mahara unfixed NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833 TODO: check -CVE-2013-4428 +CVE-2013-4428 [image_download policy not enforced for cached images] RESERVED + - glance unfixed CVE-2013-4427 [pyxtrlock Incorrect return value checking] RESERVED NOT-FOR-US: pyxtrlock ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24017 - data/CVE
Author: carnil Date: 2013-10-16 06:20:11 + (Wed, 16 Oct 2013) New Revision: 24017 Modified: data/CVE/list Log: Added bugreference for glance issue Modified: data/CVE/list === --- data/CVE/list 2013-10-16 06:12:57 UTC (rev 24016) +++ data/CVE/list 2013-10-16 06:20:11 UTC (rev 24017) @@ -3592,7 +3592,7 @@ TODO: check CVE-2013-4428 [image_download policy not enforced for cached images] RESERVED - - glance unfixed + - glance unfixed (bug #726478) CVE-2013-4427 [pyxtrlock Incorrect return value checking] RESERVED NOT-FOR-US: pyxtrlock ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24035 - data/CVE
Author: carnil Date: 2013-10-16 20:03:36 + (Wed, 16 Oct 2013) New Revision: 24035 Modified: data/CVE/list Log: Add also ruby-actionmailer-2.3 entry Furthermore rails is a transitional package since 2.3.14.1, try to mark the tracker entry accordingly. This commit needs a second look/review for correctness/completeness Modified: data/CVE/list === --- data/CVE/list 2013-10-16 19:51:56 UTC (rev 24034) +++ data/CVE/list 2013-10-16 20:03:36 UTC (rev 24035) @@ -3859,7 +3859,10 @@ RESERVED CVE-2013-4389 RESERVED - - ruby-actionmailer-3.2 unfixed + - ruby-actionmailer-3.2 unfixed + - ruby-actionmailer-2.3 not-affected (2.3.x not affected) + - rails 2.3.14.1 + NOTE: Starting with 2.3.14.1 rails is a transition package CVE-2013-4388 [buffer overflow in the mp4a packetizer] RESERVED - vlc unfixed (bug #726528)
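Review bot: `- rails 2.3.14.1` records 2.3.14.1 as the version that fixes CVE-2013-4389 in rails, but the NOTE on the next line says rails is a transitional package from that version on; a transitional package carries none of the affected code, so the entry describes a package that is not affected rather than a fix. The list's idiom for that case, used on the line above for ruby-actionmailer-2.3, is `not-affected` with a reason, e.g. `- rails not-affected (transitional package since 2.3.14.1)`; that is the point the commit message's request for a second look should settle.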
[Secure-testing-commits] r24038 - data/CVE
Author: carnil Date: 2013-10-17 05:36:17 + (Thu, 17 Oct 2013) New Revision: 24038 Modified: data/CVE/list Log: Add NFU for two Drupal contributed modules Modified: data/CVE/list === --- data/CVE/list 2013-10-17 05:28:45 UTC (rev 24037) +++ data/CVE/list 2013-10-17 05:36:17 UTC (rev 24038) @@ -4256,10 +4256,12 @@ - lcms2 not-affected (Vulnerable code not present) CVE-2013-4275 RESERVED + NOT-FOR-US: Drupal contributed module Zen CVE-2013-4274 (Cross-site scripting (XSS) vulnerability in the ...) NOT-FOR-US: Drupal addon CVE-2013-4273 RESERVED + NOT-FOR-US: Drupal contributed module Entity API CVE-2013-4272 (The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x ...) NOT-FOR-US: Drupal addon CVE-2013-4271 (The default configuration of the ObjectRepresentation class in Restlet ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24041 - data/CVE
Author: carnil Date: 2013-10-17 05:51:42 + (Thu, 17 Oct 2013) New Revision: 24041 Modified: data/CVE/list Log: Add three NFUs on earlier assigned CVEs on oss-security post Modified: data/CVE/list === --- data/CVE/list 2013-10-17 05:49:24 UTC (rev 24040) +++ data/CVE/list 2013-10-17 05:51:42 UTC (rev 24041) @@ -4072,10 +4072,13 @@ NOT-FOR-US: Drupal module CVE-2013-4335 RESERVED + NOT-FOR-US: opOpenSocialPlugin CVE-2013-4334 RESERVED + NOT-FOR-US: opWebAPIPlugin CVE-2013-4333 RESERVED + NOT-FOR-US: OpenPNE CVE-2013-4332 (Multiple integer overflows in malloc/malloc.c in the GNU C Library ...) - eglibc 2.17-93 (bug #722536) CVE-2013-4331 [incorrect .Xauthority permissions]
[Secure-testing-commits] r24046 - data/CVE
Author: carnil Date: 2013-10-17 07:13:44 + (Thu, 17 Oct 2013) New Revision: 24046 Modified: data/CVE/list Log: Add CVE-2013-4299 from external check Modified: data/CVE/list === --- data/CVE/list 2013-10-17 06:05:20 UTC (rev 24045) +++ data/CVE/list 2013-10-17 07:13:44 UTC (rev 24046) @@ -4207,8 +4207,11 @@ - linux unfixed [wheezy] - linux not-affected (Not exploitable by unprivileged users in 3.2) - linux-2.6 not-affected (Not exploitable by unprivileged users in 2.6.32) -CVE-2013-4299 +CVE-2013-4299 [dm: dm-snapshot data leak] RESERVED + - linux-2.6 removed + - linux unfixed + NOTE: upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c6a182649f4259db704ae15a91ac820e63b0ca CVE-2013-4297 (The virFileNBDDeviceAssociate function in util/virfile.c in libvirt ...) - libvirt 1.1.2-2 [jessie] - libvirt not-affected (Introduced with 8aabd597b379db5ae1655e36dff4f10d5622830a) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
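Review bot: CVE-2013-4299 gets "- linux unfixed" and the upstream dm-snapshot commit, but no [wheezy] line, whereas the entry just above it distinguishes the 3.2 kernel with "[wheezy] - linux not-affected (...)"; without a wheezy annotation the stable kernel inherits unfixed, so it is worth stating whether the 3.2 branch carries the affected dm-snapshot code.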
[Secure-testing-commits] r24048 - data/CVE
Author: carnil Date: 2013-10-17 07:56:36 + (Thu, 17 Oct 2013) New Revision: 24048 Modified: data/CVE/list Log: Add NFU, Microweber Modified: data/CVE/list === --- data/CVE/list 2013-10-17 07:22:00 UTC (rev 24047) +++ data/CVE/list 2013-10-17 07:56:36 UTC (rev 24048) @@ -164,6 +164,7 @@ RESERVED CVE-2013-5984 RESERVED + NOT-FOR-US: Microweber CVE-2013-5983 RESERVED CVE-2013-5982 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24049 - data/CVE
Author: carnil Date: 2013-10-17 12:12:09 + (Thu, 17 Oct 2013) New Revision: 24049 Modified: data/CVE/list Log: Add fixed version for CVE-2013-5745/vino Modified: data/CVE/list === --- data/CVE/list 2013-10-17 07:56:36 UTC (rev 24048) +++ data/CVE/list 2013-10-17 12:12:09 UTC (rev 24049) @@ -803,7 +803,7 @@ CVE-2013-5741 RESERVED CVE-2013-5745 (The vino_server_client_data_pending function in vino-server.c in GNOME ...) - - vino unfixed (low; bug #724545) + - vino 3.10.1-1 (low; bug #724545) [wheezy] - vino no-dsa (Minor issue) [squeeze] - vino no-dsa (Minor issue) NOTE: http://seclists.org/fulldisclosure/2013/Sep/105 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24051 - data/CVE
Author: carnil Date: 2013-10-17 13:25:16 + (Thu, 17 Oct 2013) New Revision: 24051 Modified: data/CVE/list Log: Add fixed version and bugreference for echoping issue Modified: data/CVE/list === --- data/CVE/list 2013-10-17 12:55:50 UTC (rev 24050) +++ data/CVE/list 2013-10-17 13:25:16 UTC (rev 24051) @@ -1,6 +1,5 @@ CVE-2013- [echoping buffer overflows] - - echoping unfixed - TODO: check + - echoping 6.0.2-4 (bug #606808) NOTE: Upstream fix http://sourceforge.net/p/echoping/bugs/55/ NOTE: https://bugs.gentoo.org/show_bug.cgi?id=349569 NOTE: http://xforce.iss.net/xforce/xfdb/64141 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
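Review bot: the replacement line "- echoping 6.0.2-4 (bug #606808)" records the fixed version and bug but no severity, although the removed "TODO: check" was the only marker that the entry still needed assessment; since the entry has no CVE yet, a severity (or a NOTE saying why none is set) keeps the buffer-overflow entry from looking fully triaged when only the sid version is known.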
[Secure-testing-commits] r24052 - data/CVE
Author: carnil Date: 2013-10-17 14:49:37 + (Thu, 17 Oct 2013) New Revision: 24052 Modified: data/CVE/list Log: Add CVEs CVE-2013-6166 and CVE-2013-6167 Modified: data/CVE/list === --- data/CVE/list 2013-10-17 13:25:16 UTC (rev 24051) +++ data/CVE/list 2013-10-17 14:49:37 UTC (rev 24052) @@ -9,6 +9,14 @@ TODO: check NOTE: http://www.openldap.org/its/index.cgi/Incoming?id=7723 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1019490 +CVE-2013-6167 + - iceweasel unfixed + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 + TODO: check +CVE-2013-6166 + - chromium-browser unfixed + NOTE: https://code.google.com/p/chromium/issues/detail?id=238041 + TODO: check CVE-2013-6063 RESERVED CVE-2013-6062 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
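Review bot: both new entries (CVE-2013-6167 for iceweasel, CVE-2013-6166 for chromium-browser) are added as bare "unfixed" with a TODO: check and no bracketed description or severity; the chromium-browser entry also lacks the "[squeeze] - chromium-browser end-of-life" line that the other chromium-browser entries in this list carry, so squeeze would show as unfixed for it.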
[Secure-testing-commits] r24053 - data/CVE
Author: carnil Date: 2013-10-17 14:53:42 + (Thu, 17 Oct 2013) New Revision: 24053 Modified: data/CVE/list Log: Remove todo entry, current version in unstable does not have the fix Modified: data/CVE/list === --- data/CVE/list 2013-10-17 14:49:37 UTC (rev 24052) +++ data/CVE/list 2013-10-17 14:53:42 UTC (rev 24053) @@ -16,7 +16,6 @@ CVE-2013-6166 - chromium-browser unfixed NOTE: https://code.google.com/p/chromium/issues/detail?id=238041 - TODO: check CVE-2013-6063 RESERVED CVE-2013-6062 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24054 - data/CVE
Author: carnil Date: 2013-10-17 15:05:00 + (Thu, 17 Oct 2013) New Revision: 24054 Modified: data/CVE/list Log: Two CVEs NFU, Cisco Modified: data/CVE/list === --- data/CVE/list 2013-10-17 14:53:42 UTC (rev 24053) +++ data/CVE/list 2013-10-17 15:05:00 UTC (rev 24054) @@ -22438,8 +22438,10 @@ RESERVED CVE-2012-4113 RESERVED + NOT-FOR-US: Cisco CVE-2012-4112 RESERVED + NOT-FOR-US: Cisco CVE-2012-4111 (The create certreq command in the fabric-interconnect component in ...) NOT-FOR-US: Cisco CVE-2012-4110 (run-script in the fabric-interconnect component in Cisco Unified ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24055 - data/CVE
Author: carnil Date: 2013-10-17 17:03:57 + (Thu, 17 Oct 2013) New Revision: 24055 Modified: data/CVE/list Log: Add CVE-2013-1445/python-crypto Modified: data/CVE/list === --- data/CVE/list 2013-10-17 15:05:00 UTC (rev 24054) +++ data/CVE/list 2013-10-17 17:03:57 UTC (rev 24055) @@ -12152,8 +12152,9 @@ RESERVED CVE-2013-1446 RESERVED -CVE-2013-1445 +CVE-2013-1445 [PRNG not correctly reseeded in some situations] RESERVED + - python-crypto 2.6.1-1 CVE-2013-1444 (A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, ...) - txt2man 1.5.5-4.1 (bug #724614) [wheezy] - txt2man no-dsa (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
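Review bot: CVE-2013-1445 now has a description and "- python-crypto 2.6.1-1" as fixed version, but no [wheezy] or [squeeze] status and no NOTE: pointing at the upstream fix; a PRNG that is not reseeded in some situations is exactly the kind of issue where the stable assessment (no-dsa with a reason, or DSA needed) should be recorded alongside the sid fix.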
[Secure-testing-commits] r24057 - data/CVE
Author: carnil Date: 2013-10-17 21:00:40 + (Thu, 17 Oct 2013) New Revision: 24057 Modified: data/CVE/list Log: Add four CVEs for bugzilla Modified: data/CVE/list === --- data/CVE/list 2013-10-17 18:40:25 UTC (rev 24056) +++ data/CVE/list 2013-10-17 21:00:40 UTC (rev 24057) @@ -11108,10 +11108,17 @@ RESERVED CVE-2013-1744 RESERVED -CVE-2013-1743 +CVE-2013-1743 [Cross-Site Scripting] RESERVED -CVE-2013-1742 + - bugzilla not-affected + - bugzilla4 itp (bug #669643) + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=924932 + TODO: check (advisory mentions only 4.x beeing affected) +CVE-2013-1742 [Cross-Site Scripting] RESERVED + - bugzilla removed + - bugzilla4 itp (bug #669643) + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=924802 CVE-2013-1741 RESERVED CVE-2013-1740 @@ -11150,10 +11157,17 @@ [squeeze] - icedove end-of-life - iceape unfixed [squeeze] - iceape end-of-life -CVE-2013-1734 +CVE-2013-1734 [Cross-Site Request Forgery] RESERVED -CVE-2013-1733 + - bugzilla removed + - bugzilla4 itp (bug #669643) + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=913904 +CVE-2013-1733 [Cross-Site Request Forgery] RESERVED + - bugzilla removed + - bugzilla4 itp (bug #669643) + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=911593 + TODO: check (advisory mentions only 4.x) CVE-2013-1732 (Buffer overflow in the nsFloatManager::GetFlowArea function in Mozilla ...) {DSA-2762-1 DSA-2759-1} - iceweasel 24.0-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
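Review bot: in the first hunk CVE-2013-1743 marks bugzilla as "not-affected" while CVE-2013-1742 marks it as "removed", yet the TODO on 1743 says the advisory mentions only 4.x being affected; if that holds for both XSS issues, the removed package should get the same not-affected status on both entries (or both should stay open until checked), and "beeing" in the TODO should read "being".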
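Review bot: in the second hunk CVE-2013-1733 carries the TODO "advisory mentions only 4.x" but still records "- bugzilla removed", the same status as CVE-2013-1734 which has no such caveat; once the 4.x-only question is settled, 1733 should either drop the TODO or move to not-affected, and the "bugzilla4 itp (bug #669643)" line should stay only on the entries that remain open.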
[Secure-testing-commits] r24058 - data/CVE
Author: carnil Date: 2013-10-17 21:11:19 + (Thu, 17 Oct 2013) New Revision: 24058 Modified: data/CVE/list Log: Add CVE-2013-4419/libguestfs Modified: data/CVE/list === --- data/CVE/list 2013-10-17 21:00:40 UTC (rev 24057) +++ data/CVE/list 2013-10-17 21:11:19 UTC (rev 24058) @@ -3802,8 +3802,10 @@ CVE-2013-4420 [tar_extract_glob and tar_extract_all path prefix directory traversal] RESERVED - libtar unfixed -CVE-2013-4419 +CVE-2013-4419 [insecure temporary directory handling for guestfish's network socket] RESERVED + - libguestfs unfixed + [wheezy] - libguestfs no-dsa (Minor issue) CVE-2013-4418 RESERVED CVE-2013-4417 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24059 - data/CVE
Author: carnil Date: 2013-10-17 21:36:37 + (Thu, 17 Oct 2013) New Revision: 24059 Modified: data/CVE/list Log: Add fixed version for CVE-2013-4419/libguestfs Modified: data/CVE/list === --- data/CVE/list 2013-10-17 21:11:19 UTC (rev 24058) +++ data/CVE/list 2013-10-17 21:36:37 UTC (rev 24059) @@ -3804,7 +3804,7 @@ - libtar unfixed CVE-2013-4419 [insecure temporary directory handling for guestfish's network socket] RESERVED - - libguestfs unfixed + - libguestfs 1:1.22.7-1 [wheezy] - libguestfs no-dsa (Minor issue) CVE-2013-4418 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24060 - data
Author: carnil Date: 2013-10-17 21:56:12 + (Thu, 17 Oct 2013) New Revision: 24060 Modified: data/next-point-update.txt Log: Add CVE-2013-4419/libguestfs to next-point-update list Modified: data/next-point-update.txt === --- data/next-point-update.txt 2013-10-17 21:36:37 UTC (rev 24059) +++ data/next-point-update.txt 2013-10-17 21:56:12 UTC (rev 24060) @@ -6,3 +6,5 @@ [wheezy] - ruby-passenger 3.0.13debian-1+deb7u1 CVE-2013-4288 [wheezy] - policykit-1 0.105-3+deb7u1 +CVE-2013-4419 + [wheezy] - libguestfs 1:1.18.1-1+deb7u3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24061 - data/CVE
Author: carnil Date: 2013-10-18 05:49:29 + (Fri, 18 Oct 2013) New Revision: 24061 Modified: data/CVE/list Log: Add two NFUs in VMware Modified: data/CVE/list === --- data/CVE/list 2013-10-17 21:56:12 UTC (rev 24060) +++ data/CVE/list 2013-10-18 05:49:29 UTC (rev 24061) @@ -204,8 +204,10 @@ RESERVED CVE-2013-5971 RESERVED + NOT-FOR-US: VMware vSphere CVE-2013-5970 RESERVED + NOT-FOR-US: VMware ESXi and ESX CVE-2013-5969 RESERVED CVE-2013-5968 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24081 - data/CVE
Author: carnil Date: 2013-10-20 20:16:33 + (Sun, 20 Oct 2013) New Revision: 24081 Modified: data/CVE/list Log: Add three NFUs in drupal contributed modules Modified: data/CVE/list === --- data/CVE/list 2013-10-20 19:15:49 UTC (rev 24080) +++ data/CVE/list 2013-10-20 20:16:33 UTC (rev 24081) @@ -3719,10 +3719,13 @@ NOTE: http://secunia.com/advisories/42619/ CVE-2013-4447 RESERVED + NOT-FOR-US: Simplenews Drupal contributed module CVE-2013-4446 RESERVED + NOT-FOR-US: Context Drupal contributed module CVE-2013-4445 RESERVED + NOT-FOR-US: Context Drupal contributed module CVE-2013- RESERVED CVE-2013-4443 [Secure mode has bias towards numbers and uppercase letters] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
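Review bot: CVE-2013-4446 and CVE-2013-4445 both get "NOT-FOR-US: Context Drupal contributed module", so two of the "three NFUs" in the log point at the same module; worth double-checking against the Drupal advisory that the second is not a copy-paste of the first.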
[Secure-testing-commits] r24082 - data/CVE
Author: carnil Date: 2013-10-20 20:19:24 + (Sun, 20 Oct 2013) New Revision: 24082 Modified: data/CVE/list Log: CVE assigned for nodejs issue Modified: data/CVE/list === --- data/CVE/list 2013-10-20 20:16:33 UTC (rev 24081) +++ data/CVE/list 2013-10-20 20:19:24 UTC (rev 24082) @@ -1,7 +1,3 @@ -CVE-2013- [nodejs: HTTP Pipelining DoS] - - nodejs 0.10.21~dfsg1-1 (medium) - NOTE: https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692 - NOTE: http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/ CVE-2013-6167 - iceweasel unfixed (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 @@ -3702,8 +3698,10 @@ RESERVED CVE-2013-4451 RESERVED -CVE-2013-4450 - RESERVED +CVE-2013-4450 [nodejs: HTTP Pipelining DoS] + - nodejs 0.10.21~dfsg1-1 (medium) + NOTE: https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692 + NOTE: http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/ CVE-2013-4449 [slapd segfaults on certain queries with rwm overlay enabled] RESERVED - openldap unfixed ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24083 - data/CVE
Author: carnil Date: 2013-10-20 20:31:09 + (Sun, 20 Oct 2013) New Revision: 24083 Modified: data/CVE/list Log: Add fixed version for linux/3.11.5-1 upload to unstable Modified: data/CVE/list === --- data/CVE/list 2013-10-20 20:19:24 UTC (rev 24082) +++ data/CVE/list 2013-10-20 20:31:09 UTC (rev 24083) @@ -3922,7 +3922,7 @@ NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e CVE-2013-4387 (net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not ...) - linux-2.6 removed - - linux unfixed + - linux 3.11.5-1 CVE-2013-4386 RESERVED CVE-2013-4385 (Buffer overflow in the quot;read-string!quot; procedure in the quot;extrasquot; unit ...) @@ -4056,7 +4056,7 @@ - gnupg2 2.0.22-1 (low; bug #722724) CVE-2013-4350 (The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel ...) - linux-2.6 removed - - linux unfixed + - linux 3.11.5-1 NOTE: http://www.openwall.com/lists/oss-security/2013/09/13/2 NOTE: http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=95ee62083cb6453e056562d91f597552021e6ae7 CVE-2013-4349 [IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow] @@ -4081,7 +4081,7 @@ NOTE: https://github.com/simplegeo/python-oauth2/issues/129 CVE-2013-4345 (Off-by-one error in the get_prng_bytes function in crypto/ansi_cprng.c ...) - linux-2.6 removed - - linux unfixed + - linux 3.11.5-1 CVE-2013-4344 (Buffer overflow in the SCSI implementation in QEMU, as used in Xen, ...) - xen 4.2-1 - qemu 1.6.0+dfsg-2 (unimportant; bug #725944) @@ -4092,7 +4092,7 @@ NOTE: Xen in Wheezy includes qemu NOTE: Xen after Wheezy uses qemu-system-x86 from qemu, marking 4.2 as pseudo fixed CVE-2013-4343 (Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel ...) - - linux unfixed + - linux 3.11.5-1 [wheezy] - linux not-affected (Introduced in 3.8) - linux-2.6 not-affected (Introduced in 3.8) CVE-2013-4342 (xinetd does not enforce the user and group configuration directives ...) 
@@ -7658,21 +7658,21 @@ [wheezy] - linux not-affected (driver introduced in 3.7) - linux-2.6 not-affected (driver introduced in 3.7) CVE-2013-2897 (Multiple array index errors in drivers/hid/hid-multitouch.c in the ...) - - linux unfixed (low) + - linux 3.11.5-1 (low) - linux-2.6 not-affected (driver introduced in 2.6.38) CVE-2013-2896 (drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem ...) - linux 3.10.11-1 (low) [wheezy] - linux 3.2.51-1 - linux-2.6 not-affected (Vulnerable feature probing code not present) CVE-2013-2895 (drivers/hid/hid-logitech-dj.c in the Human Interface Device (HID) ...) - - linux unfixed (low) + - linux 3.11.5-1 (low) - linux-2.6 not-affected (driver introduced in 3.2) CVE-2013-2894 (drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) ...) - - linux unfixed (low) + - linux 3.11.5-1 (low) [wheezy] - linux not-affected (driver introduced in 3.6) - linux-2.6 not-affected (driver introduced in 3.6) CVE-2013-2893 (The Human Interface Device (HID) subsystem in the Linux kernel through ...) - - linux unfixed (low) + - linux 3.11.5-1 (low) - linux-2.6 removed (low) CVE-2013-2892 (drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in ...) {DSA-2766-1} 
@@ -7680,14 +7680,14 @@ [wheezy] - linux 3.2.51-1 - linux-2.6 removed (low) CVE-2013-2891 (drivers/hid/hid-steelseries.c in the Human Interface Device (HID) ...) - - linux unfixed (low) + - linux 3.11.5-1 (low) [wheezy] - linux not-affected (steelseries driver introduced in 3.9) - linux-2.6 not-affected (steelseries driver introduced in 3.9) CVE-2013-2890 (drivers/hid/hid-sony.c in the Human Interface Device (HID) subsystem ...) - linux not-affected (buzz driver introduced in 3.11 cycle, only in experimental) - linux-2.6 not-affected (buzz driver introduced in 3.11 cycle) CVE-2013-2889 (drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem ...) - - linux unfixed (low) + - linux 3.11.5-1 (low) - linux-2.6 removed (low) CVE-2013-2888 (Multiple array index errors in drivers/hid/hid-core.c in the Human ...) {DSA-2766-1} @@ -9760,7 +9760,7 @@ - linux 3.9.8-1 (low) CVE-2013-2147 (The HP Smart Array controller disk-array driver and Compaq SMART2 ...) - linux-2.6 removed (low) - - linux unfixed (low) + - linux 3.11.5-1 (low) CVE-2013-2146 (arch/x86/kernel/cpu/perf_event_intel.c in the Linux kernel before ...) - linux-2.6 not-affected (Introduced in 3.1) - linux 3.9.4-1
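Review bot: in the @@ -3922 hunk CVE-2013-4387 now carries "- linux 3.11.5-1" for sid but no [wheezy] line, while the CVE-2013-4343 hunk further down explicitly keeps "[wheezy] - linux not-affected (Introduced in 3.8)"; the same gap applies to CVE-2013-4350 and CVE-2013-4345, so with the sid version filled in, the missing wheezy status is the only open question on those entries and should be written down rather than left to inherit unfixed.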
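Review bot: in the @@ -7658 and @@ -7680 hunks CVE-2013-2893 and CVE-2013-2889 get "- linux 3.11.5-1 (low)" with only a "linux-2.6 removed (low)" companion and no [wheezy] line, whereas the sibling HID entries CVE-2013-2896 and CVE-2013-2892 record "[wheezy] - linux 3.2.51-1" or a DSA-2766-1 reference; since both of those entries describe the HID subsystem generally rather than a driver introduced after 3.2, the wheezy status should be stated explicitly.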
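Review bot: in the @@ -9760 hunk CVE-2013-2147 likewise gains "- linux 3.11.5-1 (low)" next to "linux-2.6 removed (low)" but has no [wheezy] entry; the HP Smart Array and Compaq SMART2 drivers named in the description predate 3.2, so a wheezy fixed version or a no-dsa line is needed here too.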
[Secure-testing-commits] r24085 - data/CVE
Author: carnil Date: 2013-10-20 21:46:52 + (Sun, 20 Oct 2013) New Revision: 24085 Modified: data/CVE/list Log: Add fixed version for CVE-2013-4179/nova Modified: data/CVE/list === --- data/CVE/list 2013-10-20 21:14:25 UTC (rev 24084) +++ data/CVE/list 2013-10-20 21:46:52 UTC (rev 24085) @@ -4648,7 +4648,7 @@ CVE-2013-4180 (The (1) power and (2) ipmi_boot actions in the HostController in ...) - foreman itp (bug #663101) CVE-2013-4179 (The security group extension in OpenStack Compute (Nova) Grizzly ...) - - nova unfixed + - nova 2013.1.3-1 CVE-2013-4178 RESERVED NOT-FOR-US: GA Login Drupal contributed module ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24086 - data/CVE
Author: carnil Date: 2013-10-20 21:55:02 + (Sun, 20 Oct 2013) New Revision: 24086 Modified: data/CVE/list Log: Update entry for CVE-2013-4261/nova Modified: data/CVE/list === --- data/CVE/list 2013-10-20 21:46:52 UTC (rev 24085) +++ data/CVE/list 2013-10-20 21:55:02 UTC (rev 24086) @@ -4361,12 +4361,9 @@ - subversion not-affected (Optional admin-side utilities in Subversion 1.8.x) CVE-2013-4261 [DoS] RESERVED - - nova unfixed - NOTE: Advisory mentions that affects Folsom and Grizzly, but 2012.1.1 seems to have similar - NOTE: code in nova/rpc/impl_qpid.py + - nova 2013.2-1 NOTE: https://bugs.launchpad.net/nova/+bug/1215091/comments/10 (relevant question for other components) - NOTE: experimental nova/2013.2~rc1-1 contains the fix - TODO: check + NOTE: According to https://wiki.openstack.org/wiki/ReleaseNotes/2013.1.4 only fixed in 2013.1.4 for grizzly CVE-2013-4260 (lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when ...) - ansible not-affected (affected code introduced with ansible 1.2) CVE-2013-4259 (runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
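Review bot: this hunk drops the NOTE saying 2012.1.1 seems to have similar code in nova/rpc/impl_qpid.py together with the TODO, but records only "- nova 2013.2-1" and no [wheezy] status; the question the removed note raised about the older version is therefore left unanswered rather than resolved, and should either become a [wheezy] line with a reason or be kept as a NOTE until checked. The new NOTE about 2013.1.4 for grizzly is useful and should stay.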
[Secure-testing-commits] r24087 - data/CVE
Author: carnil Date: 2013-10-21 03:31:10 + (Mon, 21 Oct 2013) New Revision: 24087 Modified: data/CVE/list Log: Add fixed version for CVE-2013-1739/nss Modified: data/CVE/list === --- data/CVE/list 2013-10-20 21:55:02 UTC (rev 24086) +++ data/CVE/list 2013-10-21 03:31:10 UTC (rev 24087) @@ -11164,8 +11164,8 @@ RESERVED CVE-2013-1739 [nss uninitialized data read in the event of a decryption failure] RESERVED - - nss unfixed (bug #726473) - TODO: check + - nss 2:3.15.2-1 (bug #726473) + [squeeze] - nss not-affected (Introduced in 3.14.3) NOTE: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.2_release_notes NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1012656 CVE-2013-1738 (Use-after-free vulnerability in the JS_GetGlobalForScopeChain function ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
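Review bot: the hunk records "[squeeze] - nss not-affected (Introduced in 3.14.3)" but no [wheezy] line next to the new "- nss 2:3.15.2-1"; the squeeze reasoning (issue introduced in 3.14.3) decides wheezy's status just as directly, and writing it down here would avoid wheezy showing as unfixed with no recorded reason.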
[Secure-testing-commits] r24089 - data/CVE
Author: carnil Date: 2013-10-21 04:40:05 + (Mon, 21 Oct 2013) New Revision: 24089 Modified: data/CVE/list Log: Two dropbear issues fixed, CVE-2013-4434 and CVE-2013-4421 Modified: data/CVE/list === --- data/CVE/list 2013-10-21 04:06:29 UTC (rev 24088) +++ data/CVE/list 2013-10-21 04:40:05 UTC (rev 24089) @@ -3759,7 +3759,7 @@ - salt unfixed (bug #726480) CVE-2013-4434 [dropbear: avoid disclosing existence of valid users through inconsistent delays] RESERVED - - dropbear unfixed (low; bug #726118) + - dropbear 2012.55-1.4 (low; bug #726118) [squeeze] - dropbear no-dsa (Minor issue) [wheezy] - dropbear no-dsa (Minor issue) CVE-2013-4433 [xhprof: unspecified XSS] @@ -3805,7 +3805,7 @@ - quassel not-affected (Postgres support not enabled in Debian, see #552374) CVE-2013-4421 [memory exhaustion denial of service] RESERVED - - dropbear unfixed (low; bug #726019) + - dropbear 2012.55-1.4 (low; bug #726019) [squeeze] - dropbear no-dsa (Minor issue) [wheezy] - dropbear no-dsa (Minor issue) NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24088 - data
Author: carnil Date: 2013-10-21 04:06:29 + (Mon, 21 Oct 2013) New Revision: 24088 Modified: data/dsa-needed.txt Log: Add nss to dsa-needed list Better safe than sorry: the upstream bug is still closed to the public. Commit addressing CVE-2013-1739 is available via Red Hat bugtracker. Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-21 03:31:10 UTC (rev 24087) +++ data/dsa-needed.txt 2013-10-21 04:06:29 UTC (rev 24088) @@ -58,6 +58,8 @@ -- mysql-5.5/stable (carnil) -- +nss +-- openjpeg patches are not yet avaialble -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
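Review bot: the new "nss" entry in dsa-needed.txt has no suite suffix or claimant, while the surrounding entries are written as "mysql-5.5/stable (carnil)"; also, the log's reason (upstream bug still private, commit available via the Red Hat bugtracker) would be worth a line under the entry, as is done for openjpeg ("patches are not yet avaialble", which should read "available").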
[Secure-testing-commits] r24090 - data/CVE
Author: carnil Date: 2013-10-21 04:56:39 + (Mon, 21 Oct 2013) New Revision: 24090 Modified: data/CVE/list Log: Remove entry for libpam-rsa with no CVE assigned libpam-rsa is now not anymore in any suite (it was removed from oldstable). Remove this entry referencing a bug in the BTS but anyway never assigned a CVE. Modified: data/CVE/list === --- data/CVE/list 2013-10-21 04:40:05 UTC (rev 24089) +++ data/CVE/list 2013-10-21 04:56:39 UTC (rev 24090) @@ -17553,8 +17553,6 @@ NOT-FOR-US: Sinapsi eSolar Light Photovoltaic System Monitor CVE-2012-5860 (Unspecified vulnerability on Oberthur ID-One COSMO 5.2, 5.2a, and 64 ...) NOT-FOR-US: ID-One COSMO -CVE-2012- [xscreensaver lock bypass] - - libpam-rsa removed (low; bug #693087) CVE-2012-5859 (Samsung Kies Air 2.1.207051 and 2.1.210161 allows remote attackers to ...) NOT-FOR-US: Samsung Kies Air CVE-2012-5858 (Samsung Kies Air 2.1.207051 and 2.1.210161 relies on the IP address ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24091 - data/CVE
Author: carnil Date: 2013-10-21 04:59:22 + (Mon, 21 Oct 2013) New Revision: 24091 Modified: data/CVE/list Log: Add fixed version for irssi-plugin-otr, #569506 Modified: data/CVE/list === --- data/CVE/list 2013-10-21 04:56:39 UTC (rev 24090) +++ data/CVE/list 2013-10-21 04:59:22 UTC (rev 24091) @@ -58815,7 +58815,7 @@ - esmtp 1.2-3 (unimportant; bug #568925) NOTE: Documentation advises against adding password data to the respective config file CVE-2010- [irssi emote leak] - - irssi-plugin-otr unfixed (unimportant; bug #569506) + - irssi-plugin-otr 1.0.0~alpha2-1 (unimportant; bug #569506) CVE-2010-2450 [shibboleth-sp2: world-readable key] RESERVED - shibboleth-sp2 2.3.1+dfsg-2 (low; bug #571631) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24093 - data/CVE
Author: carnil Date: 2013-10-21 05:43:12 + (Mon, 21 Oct 2013) New Revision: 24093 Modified: data/CVE/list Log: Add not-yet CVEified issue in gitolite/gitolite3 But only introduced upstream in commit fa06a34d1dd51e3ce786eb2c0714c8bc55d5c418 (in 3.5.3 and fixed in 3.5.3.1). Modified: data/CVE/list === --- data/CVE/list 2013-10-21 05:31:35 UTC (rev 24092) +++ data/CVE/list 2013-10-21 05:43:12 UTC (rev 24093) @@ -1,3 +1,6 @@ +CVE-2013- [world writable files] + - gitolite not-affected (vulnerable code introduced for v3.5.3) + - gitolite3 not-affected (vulnerable code introduced for v3.5.3) CVE-2013-6167 - iceweasel unfixed (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
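Review bot: the two not-affected lines give "vulnerable code introduced for v3.5.3" as the reason, but the hunk records neither the upstream commit fa06a34d1dd51e3ce786eb2c0714c8bc55d5c418 nor the 3.5.3.1 fix version that the log mentions; adding those as NOTE: lines keeps the justification in the tracker rather than only in the commit message, and makes it easy to re-check if gitolite3 in Debian ever reaches 3.5.3.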
[Secure-testing-commits] r24096 - data/CVE
Author: carnil Date: 2013-10-21 06:42:11 + (Mon, 21 Oct 2013) New Revision: 24096 Modified: data/CVE/list Log: Add todo item for CVE-2013-4179/nova Modified: data/CVE/list === --- data/CVE/list 2013-10-21 06:01:24 UTC (rev 24095) +++ data/CVE/list 2013-10-21 06:42:11 UTC (rev 24096) @@ -4651,6 +4651,8 @@ - foreman itp (bug #663101) CVE-2013-4179 (The security group extension in OpenStack Compute (Nova) Grizzly ...) - nova 2013.1.3-1 + NOTE: CVE for incomplete fix applied for CVE-2013-1664 + TODO: check if fix applied in #700949 was already complete CVE-2013-4178 RESERVED NOT-FOR-US: GA Login Drupal contributed module ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24098 - data/CVE
Author: carnil Date: 2013-10-21 13:32:28 + (Mon, 21 Oct 2013) New Revision: 24098 Modified: data/CVE/list Log: Add fixed version for CVE-2013-1881/librsvg Modified: data/CVE/list === --- data/CVE/list 2013-10-21 10:44:26 UTC (rev 24097) +++ data/CVE/list 2013-10-21 13:32:28 UTC (rev 24098) @@ -10714,7 +10714,7 @@ CVE-2013-1882 RESERVED CVE-2013-1881 (GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary ...) - - librsvg unfixed (bug #724741) + - librsvg 2.40.0-1 (bug #724741) CVE-2013-1880 [XSS vulnerability in portfolioPublish demo application] RESERVED - activemq not-affected (portfolio demo app not shipped in Debian package) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24099 - data/CVE
Author: carnil Date: 2013-10-21 14:09:20 + (Mon, 21 Oct 2013) New Revision: 24099 Modified: data/CVE/list Log: Add fixed versions from chromium-browser upload to unstable Modified: data/CVE/list === --- data/CVE/list 2013-10-21 13:32:28 UTC (rev 24098) +++ data/CVE/list 2013-10-21 14:09:20 UTC (rev 24099) 
@@ -7559,79 +7559,80 @@ RESERVED CVE-2013-2928 RESERVED - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2927 RESERVED - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2926 RESERVED - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2925 RESERVED - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2924 (Use-after-free vulnerability in International Components for Unicode ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life - icu unfixed (bug #726477) CVE-2013-2923 (Multiple unspecified vulnerabilities in Google Chrome before ...) - TODO: check + - chromium-browser 30.0.1599.101-1 + [squeeze] - chromium-browser end-of-life CVE-2013-2922 (Use-after-free vulnerability in core/html/HTMLTemplateElement.cpp in ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2921 (Double free vulnerability in the ResourceFetcher::didLoadResource ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2920 (The DoResolveRelativeHost function in url/url_canon_relative.cc in ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2919 (Google V8, as used in Google Chrome before 30.0.1599.66, allows remote ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life - libv8 unfixed - libv8-3.14 unfixed CVE-2013-2918 (Use-after-free vulnerability in the ...) 
- - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2917 (The ReverbConvolverStage::ReverbConvolverStage function in ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 + [squeeze] - chromium-browser end-of-life CVE-2013-2916 (Blink, as used in Google Chrome before 30.0.1599.66, allows remote ...) + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life - - chromium-browser unfixed - [squeeze] - chromium-browser end-of-life CVE-2013-2915 (Google Chrome before 30.0.1599.66 preserves pending NavigationEntry ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2914 (Use-after-free vulnerability in the color-chooser dialog in Google ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2913 (Use-after-free vulnerability in the XMLDocumentParser::append function ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life TODO: Might affect libxml2 CVE-2013-2912 (Use-after-free vulnerability in the PepperInProcessRouter::SendToHost ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2911 (Use-after-free vulnerability in the XSLStyleSheet::compileStyleSheet ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 TODO: Might affect libxslt CVE-2013-2910 (Use-after-free vulnerability in ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2909 (Use-after-free vulnerability in Blink, as used in Google Chrome before ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2908 (Google Chrome before 30.0.1599.66 uses incorrect function calls to ...) 
- - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1 [squeeze] - chromium-browser end-of-life CVE-2013-2907 (The Window.prototype object implementation in Google Chrome before ...) - - chromium-browser unfixed + - chromium-browser 30.0.1599.101-1
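Review bot: CVE-2013-2911 is the only entry in this hunk whose "- chromium-browser 30.0.1599.101-1" line is not followed by "[squeeze] - chromium-browser end-of-life"; every other entry here has it (the hunk even adds the missing line to CVE-2013-2917 and CVE-2013-2916), so 2911 would show squeeze as unfixed. The "TODO: Might affect libxml2" and "TODO: Might affect libxslt" items on 2913 and 2911 remain open after this change, as do "icu unfixed (bug #726477)" on 2924 and "libv8 unfixed" on 2919, and are not resolved by the chromium upload.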
[Secure-testing-commits] r24100 - data/CVE
Author: carnil Date: 2013-10-21 16:16:46 + (Mon, 21 Oct 2013) New Revision: 24100 Modified: data/CVE/list Log: Mark CVE-2013-4381 and CVE-2013-4382 as REJECTED Modified: data/CVE/list === --- data/CVE/list 2013-10-21 14:09:20 UTC (rev 24099) +++ data/CVE/list 2013-10-21 16:16:46 UTC (rev 24100) @@ -3946,11 +3946,9 @@ RESERVED NOT-FOR-US: Drupal module CVE-2013-4382 - RESERVED - NOT-FOR-US: Drupal module + REJECTED CVE-2013-4381 - RESERVED - NOT-FOR-US: Drupal module + REJECTED CVE-2013-4380 RESERVED NOT-FOR-US: Drupal module ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24103 - data
Author: carnil Date: 2013-10-21 19:56:10 + (Mon, 21 Oct 2013) New Revision: 24103 Modified: data/dsa-needed.txt Log: Add note about status for libhttp-body-perl Upstream is unsure about what to choose as the default. See https://rt.cpan.org/Ticket/Display.html?id=88342#txn-1277340 for upstream's comment on CVE-2013-4407. Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-21 19:08:01 UTC (rev 24102) +++ data/dsa-needed.txt 2013-10-21 19:56:10 UTC (rev 24103) @@ -43,6 +43,7 @@ ffmpeg/oldstable (geissert) -- libhttp-body-perl/stable (carnil) + upstream is still discussing about choosing good default and making regexp configurable -- libtar (carnil) no patch for CVE-2013-4420 yet ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
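Review bot: the added dsa-needed note paraphrases the upstream discussion but leaves out the reference that backs it; the RT ticket (https://rt.cpan.org/Ticket/Display.html?id=88342#txn-1277340, cited only in the commit log) belongs in the file itself, as a second indented line under libhttp-body-perl/stable, so the next person picking up this DSA does not have to dig through the svn log to find what upstream said.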
[Secure-testing-commits] r24104 - data/CVE
Author: carnil Date: 2013-10-21 20:29:50 + (Mon, 21 Oct 2013) New Revision: 24104 Modified: data/CVE/list Log: CVE for echoping issue. The CVE was initially assigned from the 2013 pool. Rejected CVE-2013-4448 and new CVE, CVE-2010-5111, for the echoping issue. Modified: data/CVE/list === --- data/CVE/list 2013-10-21 19:56:10 UTC (rev 24103) +++ data/CVE/list 2013-10-21 20:29:50 UTC (rev 24104) @@ -3716,14 +3716,8 @@ [squeeze] - openldap no-dsa (Minor issue) NOTE: http://www.openldap.org/its/index.cgi/Incoming?id=7723 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1019490 -CVE-2013-4448 [echoping buffer overflows] - RESERVED - - echoping 6.0.2-4 (low; bug #606808) - [squeeze] - echoping no-dsa (Minor issue) - NOTE: Upstream fix http://sourceforge.net/p/echoping/bugs/55/ - NOTE: https://bugs.gentoo.org/show_bug.cgi?id=349569 - NOTE: http://xforce.iss.net/xforce/xfdb/64141 - NOTE: http://secunia.com/advisories/42619/ +CVE-2013-4448 + REJECTED CVE-2013-4447 RESERVED NOT-FOR-US: Simplenews Drupal contributed module @@ -26778,8 +26772,14 @@ RESERVED CVE-2010-5112 RESERVED -CVE-2010-5111 +CVE-2010-5111 [echoping buffer overflows] RESERVED + - echoping 6.0.2-4 (low; bug #606808) + [squeeze] - echoping no-dsa (Minor issue) + NOTE: Upstream fix http://sourceforge.net/p/echoping/bugs/55/ + NOTE: https://bugs.gentoo.org/show_bug.cgi?id=349569 + NOTE: http://xforce.iss.net/xforce/xfdb/64141 + NOTE: http://secunia.com/advisories/42619/ CVE-2010-5110 [poppler: JPEG error handler] RESERVED - poppler 0.16.3-1 (bug #722705) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
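Review bot: the CVE-2013-4448 entry is reduced to a bare REJECTED with nothing pointing at its replacement; since the Gentoo, X-Force and Secunia references that used to sit under it now live under CVE-2010-5111, add a line such as "NOTE: reassigned as CVE-2010-5111" so anyone following the old ID from those references still lands on the echoping entry.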
[Secure-testing-commits] r24105 - data/CVE
Author: carnil Date: 2013-10-21 20:31:32 + (Mon, 21 Oct 2013) New Revision: 24105 Modified: data/CVE/list Log: CVE assigned for gitolite issue Modified: data/CVE/list === --- data/CVE/list 2013-10-21 20:29:50 UTC (rev 24104) +++ data/CVE/list 2013-10-21 20:31:32 UTC (rev 24105) @@ -1,6 +1,3 @@ -CVE-2013- [world writable files] - - gitolite not-affected (vulnerable code introduced for v3.5.3) - - gitolite3 not-affected (vulnerable code introduced for v3.5.3) CVE-2013-6167 - iceweasel unfixed (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 @@ -3702,8 +3699,9 @@ RESERVED CVE-2013-4452 RESERVED -CVE-2013-4451 - RESERVED +CVE-2013-4451 [world writable files] + - gitolite not-affected (vulnerable code introduced for v3.5.3) + - gitolite3 not-affected (vulnerable code introduced for v3.5.3) CVE-2013-4450 [nodejs: HTTP Pipelining DoS] RESERVED - nodejs 0.10.21~dfsg1-1 (medium) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
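Review bot: the RESERVED line is removed from CVE-2013-4451 in the same hunk that adds its description and the two gitolite not-affected lines, while the adjacent CVE-2013-4450 entry keeps RESERVED next to its bracketed description. Unless MITRE has actually published the entry, keep RESERVED; the bracketed text is the tracker's placeholder description, not a sign that the CVE is public.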
[Secure-testing-commits] r24107 - data/CVE
Author: carnil Date: 2013-10-21 21:23:59 + (Mon, 21 Oct 2013) New Revision: 24107 Modified: data/CVE/list Log: Add temporary item for ldap-account-manager, CVE requested Modified: data/CVE/list === --- data/CVE/list 2013-10-21 21:14:26 UTC (rev 24106) +++ data/CVE/list 2013-10-21 21:23:59 UTC (rev 24107) @@ -1,3 +1,7 @@ +CVE-2013- [XSS] + - ldap-account-manager unfixed + [wheezy] - ldap-account-manager no-dsa (Minor issue) + [squeeze] - ldap-account-manager no-dsa (Minor issue) CVE-2013-6167 - iceweasel unfixed (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24108 - data/CVE
Author: carnil Date: 2013-10-21 21:26:19 + (Mon, 21 Oct 2013) New Revision: 24108 Modified: data/CVE/list Log: Add bug reference for ldap-account-manager issue Modified: data/CVE/list === --- data/CVE/list 2013-10-21 21:23:59 UTC (rev 24107) +++ data/CVE/list 2013-10-21 21:26:19 UTC (rev 24108) @@ -1,5 +1,5 @@ CVE-2013- [XSS] - - ldap-account-manager unfixed + - ldap-account-manager unfixed (medium; bug #726976) [wheezy] - ldap-account-manager no-dsa (Minor issue) [squeeze] - ldap-account-manager no-dsa (Minor issue) CVE-2013-6167 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
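Review bot: the unstable line now carries severity "medium" while the [wheezy] and [squeeze] lines keep "no-dsa (Minor issue)" for the same XSS; one of the two judgements should change, or the no-dsa rationale should say why a medium issue in unstable does not warrant a DSA for stable (for instance limited exposure in the stable version).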
[Secure-testing-commits] r24109 - data/CVE
Author: carnil Date: 2013-10-22 04:40:50 + (Tue, 22 Oct 2013) New Revision: 24109 Modified: data/CVE/list Log: Add one NFU Modified: data/CVE/list === --- data/CVE/list 2013-10-21 21:26:19 UTC (rev 24108) +++ data/CVE/list 2013-10-22 04:40:50 UTC (rev 24109) @@ -915,6 +915,7 @@ RESERVED CVE-2013-5702 RESERVED + NOT-FOR-US: Watchguard Server Center CVE-2013-5701 (Multiple untrusted search path vulnerabilities in (1) Watchguard Log ...) NOT-FOR-US: Watchguard Server Center CVE-2013-5700 (The Bloom Filter implementation in bitcoind and Bitcoin-Qt 0.8.x ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24110 - data/CVE
Author: carnil Date: 2013-10-22 04:47:24 + (Tue, 22 Oct 2013) New Revision: 24110 Modified: data/CVE/list Log: Add NFU in VBulletin Modified: data/CVE/list === --- data/CVE/list 2013-10-22 04:40:50 UTC (rev 24109) +++ data/CVE/list 2013-10-22 04:47:24 UTC (rev 24110) @@ -9,6 +9,9 @@ - chromium-browser unfixed (low) [squeeze] - chromium-browser end-of-life NOTE: https://code.google.com/p/chromium/issues/detail?id=238041 +CVE-2013-6129 + RESERVED + NOT-FOR-US: VBulletin CVE-2013-6063 RESERVED CVE-2013-6062 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24111 - data/CVE
Author: carnil Date: 2013-10-22 05:18:37 + (Tue, 22 Oct 2013) New Revision: 24111 Modified: data/CVE/list Log: NFUs in Cisco products Modified: data/CVE/list === --- data/CVE/list 2013-10-22 04:47:24 UTC (rev 24110) +++ data/CVE/list 2013-10-22 05:18:37 UTC (rev 24111) @@ -22507,12 +22507,16 @@ RESERVED CVE-2012-4117 RESERVED + NOT-FOR-US: Cisco CVE-2012-4116 RESERVED + NOT-FOR-US: Cisco CVE-2012-4115 RESERVED + NOT-FOR-US: Cisco CVE-2012-4114 RESERVED + NOT-FOR-US: Cisco CVE-2012-4113 RESERVED NOT-FOR-US: Cisco ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24113 - data/CVE
Author: carnil Date: 2013-10-22 06:04:51 + (Tue, 22 Oct 2013) New Revision: 24113 Modified: data/CVE/list Log: Add NFU in Apache Shindig Modified: data/CVE/list === --- data/CVE/list 2013-10-22 05:52:36 UTC (rev 24112) +++ data/CVE/list 2013-10-22 06:04:51 UTC (rev 24113) @@ -4256,6 +4256,7 @@ NOTE: Fix: http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=e7f400a110e2e3673b96518170bfea0855dd82c0 CVE-2013-4295 RESERVED + NOT-FOR-US: Apache Shindig CVE-2013-4294 (The (1) mamcache and (2) KVS token backends in OpenStack Identity ...) - keystone 2013.1.3-2 (bug #722505) [wheezy] - keystone not-affected (only affects Folsom release and above) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24114 - data/CVE
Author: carnil Date: 2013-10-22 07:09:40 + (Tue, 22 Oct 2013) New Revision: 24114 Modified: data/CVE/list Log: Add CVE-2013-4401 from external check NOTE: still mark as todo as I wanted to verify the versions Modified: data/CVE/list === --- data/CVE/list 2013-10-22 06:04:51 UTC (rev 24113) +++ data/CVE/list 2013-10-22 07:09:40 UTC (rev 24114) @@ -3871,8 +3871,12 @@ {DSA-2774-1 DSA-2773-1} - gnupg2 2.0.22-1 (bug #725433) - gnupg 1.4.15-1 (bug #725439) -CVE-2013-4401 +CVE-2013-4401 [unintended API access due to incorrect permissions checks] RESERVED + - libvirt unfixed + NOTE: introduced in libvirt 1.1.0 + NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c + TODO: check CVE-2013-4400 RESERVED CVE-2013-4399 [unprivileged user can crash libvirtd when ACLs are enabled] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
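Review bot: the entry records "introduced in libvirt 1.1.0" but adds no [squeeze] or [wheezy] lines and leaves "TODO: check" open, so both stable releases show as unassessed in the tracker. With the introducing version known, add explicit stable lines (not-affected if the stable libvirt predates 1.1.0, and say so in the parenthesis) and drop the TODO once the version comparison is done.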
[Secure-testing-commits] r24115 - data/CVE
Author: carnil Date: 2013-10-22 07:12:10 + (Tue, 22 Oct 2013) New Revision: 24115 Modified: data/CVE/list Log: Add CVE-2013-4400 from external check TODO: verify the version, report and remove todo item. Modified: data/CVE/list === --- data/CVE/list 2013-10-22 07:09:40 UTC (rev 24114) +++ data/CVE/list 2013-10-22 07:12:10 UTC (rev 24115) @@ -3877,8 +3877,12 @@ NOTE: introduced in libvirt 1.1.0 NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c TODO: check -CVE-2013-4400 +CVE-2013-4400 [virt-login-shell arbitrary file overwrites vulnerability] RESERVED + - libvirt unfixed + NOTE: introduced in libvirt 1.1.2 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1015228#c3 + TODO: check CVE-2013-4399 [unprivileged user can crash libvirtd when ACLs are enabled] RESERVED - libvirt unfixed ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
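Review bot: for CVE-2013-4400 the only reference is a comment anchor on the Red Hat bug (https://bugzilla.redhat.com/show_bug.cgi?id=1015228#c3), unlike CVE-2013-4401 just above, which links the upstream fix commit. Add the libvirt commit that fixes virt-login-shell so a backport can be checked against it, and, as with 4401, turn "introduced in libvirt 1.1.2" into explicit [squeeze]/[wheezy] lines instead of leaving "TODO: check".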
[Secure-testing-commits] r24119 - data/CVE
Author: carnil Date: 2013-10-22 11:23:30 + (Tue, 22 Oct 2013) New Revision: 24119 Modified: data/CVE/list Log: Add bug number for libvirt issues Modified: data/CVE/list === --- data/CVE/list 2013-10-22 10:11:47 UTC (rev 24118) +++ data/CVE/list 2013-10-22 11:23:30 UTC (rev 24119) @@ -3873,13 +3873,13 @@ - gnupg 1.4.15-1 (bug #725439) CVE-2013-4401 [unintended API access due to incorrect permissions checks] RESERVED - - libvirt unfixed + - libvirt unfixed (bug #727101) [squeeze] - libvirt not-affected (Introduced in 1.1.0, REMOTE_PROC_CONNECT_DOMAIN_XML_TO|FROM_NATIVE not yet present) [wheezy] - libvirt not-affected (Introduced in 1.1.0, REMOTE_PROC_CONNECT_DOMAIN_XML_TO|FROM_NATIVE not yet present) NOTE: http://libvirt.org/git/?p=libvirt.git;a=commit;h=57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c CVE-2013-4400 [virt-login-shell arbitrary file overwrites vulnerability] RESERVED - - libvirt unfixed + - libvirt unfixed (bug #727101) [squeeze] - libvirt not-affected (Introduced in 1.1.2, virt-login-shell not yet present) [wheezy] - libvirt not-affected (Introduced in 1.1.2, virt-login-shell not yet present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1015228#c3 @@ -3991,7 +3991,7 @@ RESERVED CVE-2013-4373 RESERVED - NOT-FOR-US: Red Hat JBoss Operations Network + NOT-FOR-US: Red Hat JBoss Operations Network CVE-2013-4372 (Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management ...) NOT-FOR-US: JBoss Fuse CVE-2013-4371 [use-after-free in libxl_list_cpupool under memory pressure] 
@@ -4271,7 +4271,7 @@ [wheezy] - keystone not-affected (only affects Folsom release and above) CVE-2013-4293 RESERVED - NOT-FOR-US: Red Hat JBoss Operations Network + NOT-FOR-US: Red Hat JBoss Operations Network CVE-2013-4292 (libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of ...) - libvirt 1.1.2~rc2-1 (bug #721325) [squeeze] - libvirt not-affected (Introduced with 1.1.0) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
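Review bot: the two hunks that touch "NOT-FOR-US: Red Hat JBoss Operations Network" (at @@ -3991 and @@ -4271) show identical text before and after, i.e. whitespace-only changes that the log ("Add bug number for libvirt issues") does not mention; either keep them out of this commit or call them out in the log so the diff is not mistaken for a status change on those two CVEs.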
[Secure-testing-commits] r24120 - data/CVE
Author: carnil Date: 2013-10-22 12:23:42 + (Tue, 22 Oct 2013) New Revision: 24120 Modified: data/CVE/list Log: Add note for samba4/samba (unified in unstable upload) Modified: data/CVE/list === --- data/CVE/list 2013-10-22 11:23:30 UTC (rev 24119) +++ data/CVE/list 2013-10-22 12:23:42 UTC (rev 24120) @@ -4845,6 +4845,8 @@ - samba4 unfixed (low) [wheezy] - samba4 no-dsa (Minor issue) NOTE: https://www.samba.org/samba/security/CVE-2013-4124 + NOTE: samba as per 2:4.0.9+dfsg-2 is the first upload of the unified samba 4.x package to unstable. + NOTE: Issue also fixed in 4.0.8 upstream, thus the fix still contained in 4.x in unstable CVE-2013-4123 (client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before ...) - squid not-affected (Only affects 3.2 onwards) - squid3 3.3.8-1 (bug #716743) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
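Review bot: the added notes say the fix (upstream 4.0.8) is contained in the unified samba package in unstable, but the status line still reads "- samba4 unfixed (low)", so the tracker will keep listing samba4 as vulnerable. Record the resolution on the source package the tracker now follows (a fixed version for samba, or samba4 marked removed if that source package is gone) rather than leaving it only in a NOTE.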
[Secure-testing-commits] r24121 - data/CVE
Author: carnil Date: 2013-10-22 16:07:01 + (Tue, 22 Oct 2013) New Revision: 24121 Modified: data/CVE/list Log: Update entry for CVE-2013-4261 Modified: data/CVE/list === --- data/CVE/list 2013-10-22 12:23:42 UTC (rev 24120) +++ data/CVE/list 2013-10-22 16:07:01 UTC (rev 24121) @@ -4377,7 +4377,7 @@ RESERVED - nova 2013.2-1 NOTE: https://bugs.launchpad.net/nova/+bug/1215091/comments/10 (relevant question for other components) - NOTE: According to https://wiki.openstack.org/wiki/ReleaseNotes/2013.1.4 only fixed in 2013.1.4 for grizzly + NOTE: probably does not affect Essex/2012.1, see https://bugs.launchpad.net/nova/+bug/1215091/comments/6 CVE-2013-4260 (lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when ...) - ansible not-affected (affected code introduced with ansible 1.2) CVE-2013-4259 (runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
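Review bot: replacing the grizzly note loses the information that the fix only landed in 2013.1.4 for that series; the new Essex note concerns a different release and does not supersede it, so keep both NOTE lines. "probably does not affect Essex/2012.1" also reads as a guess rather than a verified status; if squeeze or wheezy ship Essex, they need an explicit [release] line once that is confirmed.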
[Secure-testing-commits] r24122 - data/CVE
Author: carnil Date: 2013-10-22 17:31:50 + (Tue, 22 Oct 2013) New Revision: 24122 Modified: data/CVE/list Log: Add temporary item for mantis issue, CVE assignment pending Modified: data/CVE/list === --- data/CVE/list 2013-10-22 16:07:01 UTC (rev 24121) +++ data/CVE/list 2013-10-22 17:31:50 UTC (rev 24122) @@ -1,3 +1,6 @@ +CVE-2013- + - mantis unfixed + NOTE: http://www.mantisbt.org/bugs/view.php?id=16513 CVE-2013-6167 - iceweasel unfixed (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24124 - data/CVE
Author: carnil Date: 2013-10-22 20:40:46 + (Tue, 22 Oct 2013) New Revision: 24124 Modified: data/CVE/list Log: Add NFU for Cocaine rubygem Modified: data/CVE/list === --- data/CVE/list 2013-10-22 17:49:58 UTC (rev 24123) +++ data/CVE/list 2013-10-22 20:40:46 UTC (rev 24124) @@ -3695,6 +3695,7 @@ RESERVED CVE-2013-4457 RESERVED + NOT-FOR-US: Cocaine rubygem CVE-2013-4456 RESERVED CVE-2013-4455 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24127 - data/CVE
Author: carnil Date: 2013-10-23 04:20:26 + (Wed, 23 Oct 2013) New Revision: 24127 Modified: data/CVE/list Log: CVE-2013-4443 was REJECTED Modified: data/CVE/list === --- data/CVE/list 2013-10-23 03:39:06 UTC (rev 24126) +++ data/CVE/list 2013-10-23 04:20:26 UTC (rev 24127) @@ -3738,9 +3738,8 @@ NOT-FOR-US: Context Drupal contributed module CVE-2013- RESERVED -CVE-2013-4443 [Secure mode has bias towards numbers and uppercase letters] - RESERVED - - pwgen unfixed (bug #726578) +CVE-2013-4443 + REJECTED CVE-2013-4442 [Silent fallback to insecure entropy] RESERVED - pwgen unfixed (bug #726578) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
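Review bot: with CVE-2013-4443 reduced to REJECTED, the "Secure mode has bias towards numbers and uppercase letters" issue in pwgen no longer has any entry; bug #726578 now appears only under CVE-2013-4442 (the entropy fallback). If MITRE merged the bias issue into another ID, add it there; otherwise add a CVE-less placeholder entry so the bias issue is not lost from tracking.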
[Secure-testing-commits] r24128 - data/CVE
Author: carnil Date: 2013-10-23 04:27:45 + (Wed, 23 Oct 2013) New Revision: 24128 Modified: data/CVE/list Log: CVE for mantis assigned Modified: data/CVE/list === --- data/CVE/list 2013-10-23 04:20:26 UTC (rev 24127) +++ data/CVE/list 2013-10-23 04:27:45 UTC (rev 24128) @@ -1,6 +1,3 @@ -CVE-2013- - - mantis unfixed - NOTE: http://www.mantisbt.org/bugs/view.php?id=16513 CVE-2013-6167 - iceweasel unfixed (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 @@ -3687,8 +3684,9 @@ RESERVED CVE-2013-4461 RESERVED -CVE-2013-4460 - RESERVED +CVE-2013-4460 [XSS in account_sponsor_page.php project names] + - mantis unfixed + NOTE: http://www.mantisbt.org/bugs/view.php?id=16513 CVE-2013-4459 RESERVED CVE-2013-4458 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
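Review bot: CVE-2013-4460 is moved in with only the unstable line ("- mantis unfixed") and no [squeeze] or [wheezy] entries, so the stable status of this XSS stays unassessed, and the RESERVED marker is dropped in the same hunk. Add the stable lines (no-dsa with a rationale if it is judged minor, as done for the ldap-account-manager XSS elsewhere in the file) and keep RESERVED until the CVE is public.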
[Secure-testing-commits] r24129 - data/CVE
Author: carnil Date: 2013-10-23 04:30:41 + (Wed, 23 Oct 2013) New Revision: 24129 Modified: data/CVE/list Log: Add CVE-2013-4459/lightdm Modified: data/CVE/list === --- data/CVE/list 2013-10-23 04:27:45 UTC (rev 24128) +++ data/CVE/list 2013-10-23 04:30:41 UTC (rev 24129) @@ -3687,8 +3687,9 @@ CVE-2013-4460 [XSS in account_sponsor_page.php project names] - mantis unfixed NOTE: http://www.mantisbt.org/bugs/view.php?id=16513 -CVE-2013-4459 +CVE-2013-4459 [no longer confines guest profile with AppArmor] RESERVED + - lightdm not-affected (Only in combination with guest profile, apparmor and 1.8.x branch) CVE-2013-4458 RESERVED CVE-2013-4457 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24130 - data/CVE
Author: carnil Date: 2013-10-23 04:31:42 + (Wed, 23 Oct 2013) New Revision: 24130 Modified: data/CVE/list Log: Add bugnumber for mantis CVE-2013-4460 Modified: data/CVE/list === --- data/CVE/list 2013-10-23 04:30:41 UTC (rev 24129) +++ data/CVE/list 2013-10-23 04:31:42 UTC (rev 24130) @@ -3685,7 +3685,7 @@ CVE-2013-4461 RESERVED CVE-2013-4460 [XSS in account_sponsor_page.php project names] - - mantis unfixed + - mantis unfixed (bug #727180) NOTE: http://www.mantisbt.org/bugs/view.php?id=16513 CVE-2013-4459 [no longer confines guest profile with AppArmor] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24132 - data/CVE
Author: carnil Date: 2013-10-23 04:52:10 + (Wed, 23 Oct 2013) New Revision: 24132 Modified: data/CVE/list Log: Add description for CVE-2013-4458 Modified: data/CVE/list === --- data/CVE/list 2013-10-23 04:43:41 UTC (rev 24131) +++ data/CVE/list 2013-10-23 04:52:10 UTC (rev 24132) @@ -3690,7 +3690,7 @@ CVE-2013-4459 [no longer confines guest profile with AppArmor] RESERVED - lightdm not-affected (Only in combination with guest profile, apparmor and 1.8.x branch) -CVE-2013-4458 +CVE-2013-4458 [Stack (frame) overflow in getaddrinfo() when called with AF_INET6] RESERVED - eglibc unfixed (low) [wheezy] - eglibc no-dsa (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24133 - data/CVE
Author: carnil Date: 2013-10-23 04:59:42 + (Wed, 23 Oct 2013) New Revision: 24133 Modified: data/CVE/list Log: Add bugnumber for CVE-2013-4458 Modified: data/CVE/list === --- data/CVE/list 2013-10-23 04:52:10 UTC (rev 24132) +++ data/CVE/list 2013-10-23 04:59:42 UTC (rev 24133) @@ -3692,7 +3692,7 @@ - lightdm not-affected (Only in combination with guest profile, apparmor and 1.8.x branch) CVE-2013-4458 [Stack (frame) overflow in getaddrinfo() when called with AF_INET6] RESERVED - - eglibc unfixed (low) + - eglibc unfixed (low; bug #727181) [wheezy] - eglibc no-dsa (Minor issue) [squeeze] - eglibc no-dsa (Minor issue) NOTE: https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24134 - data/CVE
Author: carnil Date: 2013-10-23 05:58:53 + (Wed, 23 Oct 2013) New Revision: 24134 Modified: data/CVE/list Log: Add fixed version for CVE-2013-4251/python-scipy Modified: data/CVE/list === --- data/CVE/list 2013-10-23 04:59:42 UTC (rev 24133) +++ data/CVE/list 2013-10-23 05:58:53 UTC (rev 24134) @@ -4415,7 +4415,7 @@ RESERVED CVE-2013-4251 [weave /tmp and current directory issues] RESERVED - - python-scipy unfixed (bug #726093) + - python-scipy 0.12.0-3 (bug #726093) [wheezy] - python-scipy no-dsa (Minor issue) [squeeze] - python-scipy no-dsa (Minor issue) NOTE: https://github.com/scipy/scipy/commit/bd296e0336420b840fcd2faabb97084fd252a973 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24135 - data/CVE
Author: carnil Date: 2013-10-23 07:07:16 + (Wed, 23 Oct 2013) New Revision: 24135 Modified: data/CVE/list Log: CVE-2013-4455, NFU, concludes external check Modified: data/CVE/list === --- data/CVE/list 2013-10-23 05:58:53 UTC (rev 24134) +++ data/CVE/list 2013-10-23 07:07:16 UTC (rev 24135) @@ -3704,6 +3704,7 @@ RESERVED CVE-2013-4455 RESERVED + NOT-FOR-US: Katello CVE-2013-4454 RESERVED CVE-2013-4453 [XSS] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24137 - data/CVE
Author: carnil Date: 2013-10-23 20:36:21 + (Wed, 23 Oct 2013) New Revision: 24137 Modified: data/CVE/list Log: Add one NFU Modified: data/CVE/list === --- data/CVE/list 2013-10-23 09:14:27 UTC (rev 24136) +++ data/CVE/list 2013-10-23 20:36:21 UTC (rev 24137) @@ -171,6 +171,7 @@ NOT-FOR-US: Microweber CVE-2013-5983 RESERVED + NOT-FOR-US: GuppY CVE-2013-5982 RESERVED CVE-2013-5981 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24139 - data/CVE
Author: carnil Date: 2013-10-24 04:42:27 + (Thu, 24 Oct 2013) New Revision: 24139 Modified: data/CVE/list Log: CVE-2013-3280 NFU Modified: data/CVE/list === --- data/CVE/list 2013-10-24 03:55:26 UTC (rev 24138) +++ data/CVE/list 2013-10-24 04:42:27 UTC (rev 24139) @@ -6806,6 +6806,7 @@ RESERVED CVE-2013-3280 RESERVED + NOT-FOR-US: RSA Authentication Agent for Web for Internet Information Services CVE-2013-3279 RESERVED NOT-FOR-US: EMC ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24140 - data
Author: carnil Date: 2013-10-24 05:35:19 + (Thu, 24 Oct 2013) New Revision: 24140 Modified: data/dsa-needed.txt Log: Add comment for nss Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2013-10-24 04:42:27 UTC (rev 24139) +++ data/dsa-needed.txt 2013-10-24 05:35:19 UTC (rev 24140) @@ -57,6 +57,7 @@ mysql-5.5/stable (carnil) -- nss + waiting for feedback -- openjpeg patches are not yet avaialble ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
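Review bot: "waiting for feedback" under nss does not say from whom or about what (the maintainer, upstream, a test of the update?), so it will not help whoever looks at dsa-needed next; name the contact or bug being waited on. The unchanged openjpeg line just below carries a typo ("avaialble") worth fixing in a follow-up.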
[Secure-testing-commits] r24141 - data/CVE
Author: carnil Date: 2013-10-24 05:43:25 + (Thu, 24 Oct 2013) New Revision: 24141 Modified: data/CVE/list Log: Add one more NFU Modified: data/CVE/list === --- data/CVE/list 2013-10-24 05:35:19 UTC (rev 24140) +++ data/CVE/list 2013-10-24 05:43:25 UTC (rev 24141) @@ -1,3 +1,5 @@ +CVE-2013-6243 [SQL Injection] + NOT-FOR-US: WordPress Landing Pages Plugin CVE-2013-6167 - iceweasel unfixed (low) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=858215 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24142 - data/CVE
Author: carnil Date: 2013-10-24 06:34:45 + (Thu, 24 Oct 2013) New Revision: 24142 Modified: data/CVE/list Log: Update entry for CVE-2013-4432/mahara Modified: data/CVE/list === --- data/CVE/list 2013-10-24 05:43:25 UTC (rev 24141) +++ data/CVE/list 2013-10-24 06:34:45 UTC (rev 24142) @@ -3781,11 +3781,11 @@ CVE-2013-4433 [xhprof: unspecified XSS] RESERVED - xhprof 0.9.4-1 (bug #726284) -CVE-2013-4432 +CVE-2013-4432 [a group member with no access rights to folder can still view it] RESERVED - mahara unfixed NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5831 - TODO: check + NOTE: https://gitorious.org/mahara/mahara/commit/0b4952e063f50c001e4c2dfc5749f55258bff952 CVE-2013-4431 [Not checking ownership of blocks before editing them] RESERVED - mahara unfixed ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24143 - data/CVE
Author: carnil Date: 2013-10-24 06:49:12 + (Thu, 24 Oct 2013) New Revision: 24143 Modified: data/CVE/list Log: Add bugreference for CVE-2013-4432 Modified: data/CVE/list === --- data/CVE/list 2013-10-24 06:34:45 UTC (rev 24142) +++ data/CVE/list 2013-10-24 06:49:12 UTC (rev 24143) @@ -3783,7 +3783,7 @@ - xhprof 0.9.4-1 (bug #726284) CVE-2013-4432 [a group member with no access rights to folder can still view it] RESERVED - - mahara unfixed + - mahara unfixed (bug #727539) NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5831 NOTE: https://gitorious.org/mahara/mahara/commit/0b4952e063f50c001e4c2dfc5749f55258bff952 CVE-2013-4431 [Not checking ownership of blocks before editing them] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24144 - data/CVE
Author: carnil Date: 2013-10-24 07:21:54 + (Thu, 24 Oct 2013) New Revision: 24144 Modified: data/CVE/list Log: Update entry for CVE-2013-4429/mahara Modified: data/CVE/list === --- data/CVE/list 2013-10-24 06:49:12 UTC (rev 24143) +++ data/CVE/list 2013-10-24 07:21:54 UTC (rev 24144) @@ -3800,7 +3800,8 @@ RESERVED - mahara unfixed NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833 - TODO: check + NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.5_STABLE/revision/5543 + NOTE: https://bugs.launchpad.net/mahara/+bug/1211758 CVE-2013-4428 [image_download policy not enforced for cached images] RESERVED - glance unfixed (bug #726478) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24145 - data/CVE
Author: carnil Date: 2013-10-24 07:41:06 + (Thu, 24 Oct 2013) New Revision: 24145 Modified: data/CVE/list Log: Add bug reference for CVE-2013-4429 Modified: data/CVE/list === --- data/CVE/list 2013-10-24 07:21:54 UTC (rev 24144) +++ data/CVE/list 2013-10-24 07:41:06 UTC (rev 24145) @@ -3798,7 +3798,7 @@ TODO: check CVE-2013-4429 [Arbitrary image download] RESERVED - - mahara unfixed + - mahara unfixed (bug #727545) NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833 NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.5_STABLE/revision/5543 NOTE: https://bugs.launchpad.net/mahara/+bug/1211758 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24146 - data/CVE
Author: carnil Date: 2013-10-24 08:06:41 + (Thu, 24 Oct 2013) New Revision: 24146 Modified: data/CVE/list Log: Add note for CVE-2013-4430 Modified: data/CVE/list === --- data/CVE/list 2013-10-24 07:41:06 UTC (rev 24145) +++ data/CVE/list 2013-10-24 08:06:41 UTC (rev 24146) @@ -3795,7 +3795,7 @@ RESERVED - mahara unfixed NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5830 - TODO: check + NOTE: https://bugs.launchpad.net/mahara/+bug/1175446 CVE-2013-4429 [Arbitrary image download] RESERVED - mahara unfixed (bug #727545) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24147 - data/CVE
Author: carnil Date: 2013-10-24 08:15:15 + (Thu, 24 Oct 2013) New Revision: 24147 Modified: data/CVE/list Log: Add bugreference for CVE-2013-4430 Modified: data/CVE/list === --- data/CVE/list 2013-10-24 08:06:41 UTC (rev 24146) +++ data/CVE/list 2013-10-24 08:15:15 UTC (rev 24147) @@ -3793,7 +3793,7 @@ TODO: check CVE-2013-4430 RESERVED - - mahara unfixed + - mahara unfixed (bug #727548) NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5830 NOTE: https://bugs.launchpad.net/mahara/+bug/1175446 CVE-2013-4429 [Arbitrary image download] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
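Review bot: CVE-2013-4430 still has no bracketed description, unlike CVE-2013-4429 and CVE-2013-4431 around it; with the bug reference and two upstream links now attached, the entry has enough to name the issue, so add a short description in brackets so the tracker lists it meaningfully while the CVE stays RESERVED.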
[Secure-testing-commits] r24148 - data/CVE
Author: carnil Date: 2013-10-24 08:23:36 + (Thu, 24 Oct 2013) New Revision: 24148 Modified: data/CVE/list Log: Update notes for CVE-2013-4431/mahara Modified: data/CVE/list === --- data/CVE/list 2013-10-24 08:15:15 UTC (rev 24147) +++ data/CVE/list 2013-10-24 08:23:36 UTC (rev 24148) @@ -3790,7 +3790,8 @@ RESERVED - mahara unfixed NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5832 - TODO: check + NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.5_STABLE/revision/5542 + NOTE: https://bugs.launchpad.net/mahara/+bug/1233500 CVE-2013-4430 RESERVED - mahara unfixed (bug #727548) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24149 - data/CVE
Author: carnil Date: 2013-10-24 08:44:02 + (Thu, 24 Oct 2013) New Revision: 24149 Modified: data/CVE/list Log: Add bug reference for CVE-2013-4431 Modified: data/CVE/list === --- data/CVE/list 2013-10-24 08:23:36 UTC (rev 24148) +++ data/CVE/list 2013-10-24 08:44:02 UTC (rev 24149) @@ -3788,7 +3788,7 @@ NOTE: https://gitorious.org/mahara/mahara/commit/0b4952e063f50c001e4c2dfc5749f55258bff952 CVE-2013-4431 [Not checking ownership of blocks before editing them] RESERVED - - mahara unfixed + - mahara unfixed (bug #727552) NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5832 NOTE: https://bazaar.launchpad.net/~mahara-release/mahara/1.5_STABLE/revision/5542 NOTE: https://bugs.launchpad.net/mahara/+bug/1233500 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r24151 - data/CVE
Author: carnil Date: 2013-10-24 10:59:55 + (Thu, 24 Oct 2013) New Revision: 24151 Modified: data/CVE/list Log: Update CVE-2013-6169/ejabberd entry Modified: data/CVE/list === --- data/CVE/list 2013-10-24 09:14:26 UTC (rev 24150) +++ data/CVE/list 2013-10-24 10:59:55 UTC (rev 24151) @@ -145,7 +145,7 @@ CVE-2013-6170 (Juniper Junos 10.0 before 10.0S28, 10.4 before 10.4R7, 11.1 before ...) TODO: check CVE-2013-6169 (The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) ...) - TODO: check + - ejabberd 2.1.11-1 (bug #722105) CVE-2013-6168 RESERVED CVE-2013-6165
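Review bot: the fixed version recorded is ejabberd 2.1.11-1, while the CVE description on the line above says the TLS driver is affected "before 2.1.12"; if 2.1.11-1 is considered fixed because the Debian package carries a backported patch rather than the upstream release, a NOTE line saying so (ideally pointing at the upstream commit) would stop a later reader from flagging the entry as inconsistent with the CVE text.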
[Secure-testing-commits] r24152 - data/DSA
Author: carnil Date: 2013-10-24 11:02:03 + (Thu, 24 Oct 2013) New Revision: 24152 Modified: data/DSA/list Log: CVE was assigned for the issue we fixed in DSA-2775-1 Modified: data/DSA/list === --- data/DSA/list 2013-10-24 10:59:55 UTC (rev 24151) +++ data/DSA/list 2013-10-24 11:02:03 UTC (rev 24152) @@ -31,6 +31,7 @@ {CVE-2012-0825 CVE-2012-0826 CVE-2012-5651 CVE-2012-5652 CVE-2012-5653 CVE-2013-0244 CVE-2013-0245} [squeeze] - drupal6 6.28-1 [10 Oct 2013] DSA-2775-1 ejabberd - insecure SSL usage + {CVE-2013-6169} [squeeze] - ejabberd 2.1.5-3+squeeze2 [wheezy] - ejabberd 2.1.10-4+deb7u1 [10 Oct 2013] DSA-2774-1 gnupg2 - several
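Review bot: adding {CVE-2013-6169} to the DSA-2775-1 entry is only half of the cross-reference; the matching CVE-2013-6169 entry in data/CVE/list (updated in r24151 just before this commit) does not yet carry {DSA-2775-1}, so the two files disagree until that is added. Landing both sides in one commit avoids a window where a tool walking the CVE list reports the issue as fixed only in unstable.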
[Secure-testing-commits] r24153 - data/CVE
Author: carnil Date: 2013-10-24 11:03:51 + (Thu, 24 Oct 2013) New Revision: 24153 Modified: data/CVE/list Log: Create the cross-reference to the DSA Modified: data/CVE/list === --- data/CVE/list 2013-10-24 11:02:03 UTC (rev 24152) +++ data/CVE/list 2013-10-24 11:03:51 UTC (rev 24153) @@ -145,6 +145,7 @@ CVE-2013-6170 (Juniper Junos 10.0 before 10.0S28, 10.4 before 10.4R7, 11.1 before ...) TODO: check CVE-2013-6169 (The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) ...) + {DSA-2775-1} - ejabberd 2.1.11-1 (bug #722105) CVE-2013-6168 RESERVED
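Review bot: the {DSA-2775-1} line completes the cross-reference started in r24152 and is placed correctly, directly under the CVE line; while in this hunk, the CVE-2013-6170 entry in the leading context still reads "TODO: check" for a Juniper Junos issue, and since Junos is not a Debian package that entry can be closed out as NOT-FOR-US in the same style as the HTC Droid Incredible entry elsewhere in this file.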
[Secure-testing-commits] r24154 - data/DSA
Author: carnil Date: 2013-10-24 12:10:45 + (Thu, 24 Oct 2013) New Revision: 24154 Modified: data/DSA/list Log: Add CVE-2013-0183, it was also added and is the patch which caused a regression Modified: data/DSA/list === --- data/DSA/list 2013-10-24 11:03:51 UTC (rev 24153) +++ data/DSA/list 2013-10-24 12:10:45 UTC (rev 24154) @@ -3,7 +3,7 @@ [squeeze] - xorg-server 2:1.7.7-17 [wheezy] - xorg-server 2:1.12.4-6+deb7u1 [21 Oct 2013] DSA-2783-1 librack-ruby - several - {CVE-2011-5036 CVE-2013-0184 CVE-2013-0263} + {CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263} [squeeze] - librack-ruby 1.1.0-4+squeeze1 [20 Oct 2013] DSA-2782-1 polarssl - several {CVE-2013-4623 CVE-2013-5914 CVE-2013-5915}
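Review bot: the commit message says the CVE-2013-0183 patch is the one that caused a regression in the DSA-2783-1 librack-ruby update, but nothing in the list records that; the hunk only adds the CVE id to the brace list. A NOTE on the CVE-2013-0183 entry in data/CVE/list describing the regression, and a pointer to the follow-up update once it is issued, would keep the tracker honest about the fact that 1.1.0-4+squeeze1 is the version that shipped the problematic change.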
[Secure-testing-commits] r24157 - data/CVE
Author: carnil Date: 2013-10-25 03:54:16 + (Fri, 25 Oct 2013) New Revision: 24157 Modified: data/CVE/list Log: Remove no-dsa tags for CVE-2013-4623 as DSA was released Modified: data/CVE/list === --- data/CVE/list 2013-10-24 21:14:30 UTC (rev 24156) +++ data/CVE/list 2013-10-25 03:54:16 UTC (rev 24157) @@ -3597,8 +3597,6 @@ CVE-2013-4623 (The x509parse_crt function in x509.h in PolarSSL 1.1.x before 1.1.7 ...) {DSA-2782-1} - polarssl 1.2.8-1 (low; bug #719954) - [squeeze] - polarssl no-dsa (Minor issue) - [wheezy] - polarssl no-dsa (Minor issue) CVE-2013-4622 (The 3G Mobile Hotspot feature on the HTC Droid Incredible has a ...) NOT-FOR-US: HTC Droid Incredible CVE-2013-4621
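Review bot: removing both no-dsa lines assumes DSA-2782-1 shipped polarssl updates for squeeze and wheezy alike; the hunk shows the {DSA-2782-1} reference but not which suites the advisory covered, so check the DSA entry before dropping both, because if only one suite received an update the other should keep its no-dsa status (or be changed to a pending marker) rather than silently inheriting "fixed" from the DSA reference.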