Author: jmm
Date: 2015-02-04 18:55:43 +0000 (Wed, 04 Feb 2015)
New Revision: 31964

Modified:
   data/CVE/list
Log:
rsync n/a
no-dsa: squid3, rabbitmq
remove old bogus TEMP PHP issues, safe_mode/basedir bypasses are no security 
issues, so no need to track them


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2015-02-04 18:52:08 UTC (rev 31963)
+++ data/CVE/list       2015-02-04 18:55:43 UTC (rev 31964)
@@ -59,7 +59,7 @@
        [squeeze] - xymon <not-affected> (Vulnerable code not present)
        [wheezy] - xymon <not-affected> (Vulnerable code not present)
        NOTE: Upstream patch: http://sourceforge.net/p/xymon/code/7483/
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/01/30/17
+       NOTE: http://www.openwall.com/lists/oss-security/2015/01/30/17
 CVE-2015-1425
        RESERVED
 CVE-2015-1424 (Cross-site request forgery (CSRF) vulnerability in Gecko CMS 
2.2 and ...)
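Review bot: dropping the `CVE Request:` label in the xymon entry leaves a bare oss-security URL with nothing saying what it references; if the intent is that the request has been answered and a CVE assigned, a short label (for example `NOTE: CVE assignment thread:`) keeps the note self-explanatory for the next person reading the entry. The same remark applies to the identical label removals in the glibc, socat, patch, eglibc and perl hunks of this commit.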
@@ -218,7 +218,7 @@
        RESERVED
        - glibc 2.19-4
        - eglibc 2.17-2
-       NOTE: CVE Request: http://seclists.org/oss-sec/2015/q1/306
+       NOTE: http://seclists.org/oss-sec/2015/q1/306
        NOTE: Upstream fix: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2e96f1c7
        NOTE: 2.19-4 first version after the eglibc -> glibc rename which was 
in unstable
 CVE-2015-1421 [net: sctp: slab corruption from use after free on INIT 
collisions]
@@ -251,6 +251,8 @@
 CVE-2014-XXXX [Digest authentification never replay Ldap requests]
        - squid <undetermined>
        - squid3 3.4.8-6 (bug #776464)
+       [wheezy] - squid3 <no-dsa> (Minor issue)
+       [squeeze] - squid3 <no-dsa> (Minor issue)
        NOTE: http://bugs.squid-cache.org/show_bug.cgi?id=4066
        NOTE: Upstream patch for Squid 3.4: 
http://bazaar.launchpad.net/~squid/squid/3.4/revision/13211
 CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for 
Node.js ...)
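Review bot: the two new `<no-dsa>` lines cover squid3 only, while the `- squid <undetermined>` line directly above them is left untouched; if the squid (2.x) package is shipped in squeeze or wheezy as well, that line still needs a resolution (`<not-affected>`, `<no-dsa>` or a fixed version) before the entry is fully triaged for those suites, and a NOTE saying why the 2.x code base is or is not affected by the digest-replay issue would make the split status easier to follow.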
@@ -373,7 +375,7 @@
        - socat <unfixed> (bug #776234)
        [wheezy] - socat <no-dsa> (Minor issue)
        [squeeze] - socat <no-dsa> (Minor issue)
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/01/24/6
+       NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/6
        NOTE: Upstream advisory: 
http://www.dest-unreach.org/socat/contrib/socat-secadv6.txt
 CVE-2015-1378 [Issues with sourcing cmdlineopts.clp from current working 
directory]
        RESERVED
@@ -389,7 +391,7 @@
        [wheezy] - patch <not-affected> (Support for git-style patches added in 
2.7)
        [squeeze] - patch <not-affected> (Support for git-style patches added 
in 2.7)
        NOTE: Upstream report: https://savannah.gnu.org/bugs/?44059
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/01/24/2
+       NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/2
 CVE-2015-1370 (Incomplete blacklist vulnerability in marked 0.3.2 and earlier 
for ...)
        - node-marked <unfixed> (unimportant)
        NOTE: https://nodesecurity.io/advisories/marked_vbscript_injection
@@ -400,7 +402,7 @@
        - glibc 2.19-1 (bug #722075)
        - eglibc <removed>
        NOTE: Upstream report: 
https://sourceware.org/bugzilla/show_bug.cgi?id=15946
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/01/28/16
+       NOTE: http://www.openwall.com/lists/oss-security/2015/01/28/16
 CVE-2013-7421 [Linux kernel crypto api unprivileged arbitrary module load]
        RESERVED
        - linux 3.16.7-ckt4-2
@@ -428,7 +430,7 @@
        [wheezy] - perl <no-dsa> (Minor issue)
        [squeeze] - perl <no-dsa> (Minor issue)
        NOTE: https://rt.perl.org/Public/Bug/Display.html?id=119505
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/01/23/9
+       NOTE: http://www.openwall.com/lists/oss-security/2015/01/23/9
 CVE-2015-1304
        RESERVED
 CVE-2015-1303
@@ -706,19 +708,21 @@
        NOTE: Upstream fix: https://trac.xiph.org/changeset/19117
 CVE-2014-9649 (Cross-site scripting (XSS) vulnerability in the management 
plugin in ...)
        - rabbitmq-server 3.4.1-1
+       [wheezy] - rabbitmq-server <no-dsa> (Minor issue)
        NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/01/21/13
+       NOTE: http://www.openwall.com/lists/oss-security/2015/01/21/13
 CVE-2014-9650 (CRLF injection vulnerability in the management plugin in 
RabbitMQ ...)
        - rabbitmq-server 3.4.1-1
+       [wheezy] - rabbitmq-server <no-dsa> (Minor issue)
        NOTE: https://groups.google.com/forum/#!topic/rabbitmq-users/-3Z2FyGtXhs
        NOTE: Fixed by: 
https://github.com/rabbitmq/rabbitmq-management/commit/b5a5fc31bd49ad821a655ea9e2fe920d670a62ad
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/01/21/13
+       NOTE: http://www.openwall.com/lists/oss-security/2015/01/21/13
 CVE-2015-1396 [(another) directory traversal via symlinks -- incomplete fix 
for CVE-2015-1196]
        RESERVED
        - patch 2.7.3-1 (bug #775901)
        [wheezy] - patch <not-affected> (Not affected by CVE-2015-1196 and no 
incomplete fix applied)
        [squeeze] - patch <not-affected>  (Not affected by CVE-2015-1196 and no 
incomplete fix applied)
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/01/24/3
+       NOTE: http://www.openwall.com/lists/oss-security/2015/01/24/3
 CVE-2015-1353 [PHP int overflow]
        RESERVED
        - php5 <unfixed> (unimportant)
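Review bot: for CVE-2014-9649 and CVE-2014-9650 only `[wheezy]` receives a `<no-dsa>` marker, whereas the other no-dsa entries in this commit (squid3, socat, perl) carry both a `[wheezy]` and a `[squeeze]` line; either add a `[squeeze] - rabbitmq-server` line with the matching status or note that the package (or its management plugin) is not present in squeeze, so the missing line is not mistaken for an untriaged suite.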
@@ -2704,9 +2708,10 @@
        RESERVED
 CVE-2014-9512 [path spoofing attack vulnerability]
        RESERVED
-       - rsync <unfixed>
+       - rsync <unfixed> (low)
+       [wheezy] - rsync <not-affected> (Affected sanitising functionality not 
yet present)
+       [squeeze] - rsync <not-affected> (Affected sanitising functionality not 
yet present)
        NOTE: http://xteam.baidu.com/?p=169
-       TODO: check
 CVE-2014-9511
        RESERVED
 CVE-2014-9510 (Cross-site request forgery (CSRF) vulnerability in the 
administration ...)
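Review bot: the rsync entry stays `<unfixed>` with only a severity `(low)` and no Debian bug reference, unlike the other open entries touched here (squid3 bug #776464, socat bug #776234); with the `TODO: check` line removed, recording a bug number is what keeps the item from being forgotten. The `(Affected sanitising functionality not yet present)` rationale for wheezy and squeeze would also be more verifiable if it named the rsync version that introduced that code, the way the patch entries state `Support for git-style patches added in 2.7`.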
@@ -103709,10 +103714,6 @@
 CVE-2009-XXXX [ntop: access.log permissions]
        - ntop <not-affected> (fedora-specific configuration issue; debian 
package not affected)
        NOTE: bug #524801 (http://bugs.debian.org/524801)
-CVE-2008-XXXX [PHP 5.2.9 curl safe_mode & open_basedir bypass]
-       - php5 <unfixed> (unimportant)
-       NOTE: php4 is likely to be affected as well
-       NOTE: http://securityreason.com/achievement_securityalert/61
 CVE-2009-1402
        RESERVED
 CVE-2009-1401
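Review bot: removing the CVE-2008-XXXX entry outright drops the securityreason.com reference and the only place the reasoning from the commit log (safe_mode/open_basedir bypasses are not treated as security issues) would have been visible in the file; if that policy is not recorded elsewhere in `data/CVE/list`, keeping the entry as `unimportant` with a one-line NOTE stating the rationale prevents the same report from being re-added by the next person who encounters it.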


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits