Author: sectracker Date: 2016-06-08 21:10:11 +0000 (Wed, 08 Jun 2016) New Revision: 42404
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2016-06-08 20:34:20 UTC (rev 42403) +++ data/CVE/list 2016-06-08 21:10:11 UTC (rev 42404) @@ -1,3 +1,27 @@ +CVE-2016-5336 + RESERVED +CVE-2016-5335 + RESERVED +CVE-2016-5334 + RESERVED +CVE-2016-5333 + RESERVED +CVE-2016-5332 + RESERVED +CVE-2016-5331 + RESERVED +CVE-2016-5330 + RESERVED +CVE-2016-5329 + RESERVED +CVE-2016-5328 + RESERVED +CVE-2016-5327 + RESERVED +CVE-2016-5326 + RESERVED +CVE-2016-5325 + RESERVED CVE-2016-XXXX [wnpa-sec-2016-38] - wireshark 2.0 NOTE: Only affects 1.12, marking 2.0 as fixed @@ -1343,7 +1367,7 @@ - onionshare 0.8.1-2 (unimportant) [jessie] - onionshare <not-affected> (Vulnerable code not present) NOTE: Neutralised by kernel hardening (also contrib and non-free not supported) -CVE-2016-4963 (The libxl device-handling in Xen through 4.6.x allows local OS guest ...) +CVE-2016-4963 (The libxl device-handling in Xen through 4.6.x allows local guest OS ...) - xen <unfixed> [jessie] - xen <no-dsa> (Minor issue, too intrusive to backport) NOTE: http://xenbits.xen.org/xsa/advisory-178.html @@ -2328,8 +2352,8 @@ RESERVED CVE-2016-4548 RESERVED -CVE-2016-4545 - RESERVED +CVE-2016-4545 (Virtual servers in F5 BIG-IP 11.5.4, when SSL profiles are enabled, ...) + TODO: check CVE-2016-4561 (Cross-site scripting (XSS) vulnerability in the cgierror function in ...) {DSA-3571-1 DLA-463-1} - ikiwiki 3.20160506 @@ -6222,8 +6246,7 @@ NOT-FOR-US: Pulp (Red Hat) CVE-2016-3094 (PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the broker ...) NOT-FOR-US: Apache Qpid Java Broker -CVE-2016-3093 - RESERVED +CVE-2016-3093 (Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method ...) - libstruts1.2-java <not-affected> (Only affects Struts 2.x) NOTE: https://struts.apache.org/docs/s2-034.html CVE-2016-3092 @@ -6239,8 +6262,7 @@ [jessie] - activemq <not-affected> (file server was only enabled in 5.13.2+dfsg-2) [wheezy] - activemq <not-affected> (file server was only enabled in 5.13.2+dfsg-2) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt -CVE-2016-3087 - RESERVED +CVE-2016-3087 (Apache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and ...) - libstruts1.2-java <not-affected> (Only affects Struts 2.x) NOTE: https://struts.apache.org/docs/s2-033.html CVE-2016-3086 @@ -6300,8 +6322,7 @@ TODO: check (texlive, libwmf) CVE-2016-3073 RESERVED -CVE-2016-3072 - RESERVED +CVE-2016-3072 (Multiple SQL injection vulnerabilities in the scoped_search function ...) NOT-FOR-US: Katello CVE-2016-3071 (Libreswan 3.16 might allow remote attackers to cause a denial of ...) - libreswan <itp> (bug #773459) @@ -19138,8 +19159,7 @@ CVE-2015-7696 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of ...) {DSA-3386-1 DLA-330-1} - unzip 6.0-19 (bug #802162) -CVE-2015-7695 [ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite)] - RESERVED +CVE-2015-7695 (The PDO adapters in Zend Framework before 1.12.16 do not filer null ...) {DSA-3369-1 DLA-326-1} - zendframework 1.12.16+dfsg-1 NOTE: http://framework.zend.com/security/advisory/ZF2015-08 @@ -19406,8 +19426,7 @@ - owncloud 7.0.9~dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-018 NOTE: https://github.com/owncloud/core/commit/b05e178bbf884b120d1106e6a28f35aa50d6d06f -CVE-2015-7611 - RESERVED +CVE-2015-7611 (Apache James Server 2.3.2, when configured with file-based user ...) NOT-FOR-US: Apache James CVE-2015-7604 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk ...) NOT-FOR-US: Splunk @@ -21430,8 +21449,7 @@ NOTE: https://savannah.nongnu.org/bugs/?41590 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=df14e6c0b9592cbb24d5381dfc6106b14f915e75 (VER-2-5-3) NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4 -CVE-2014-9746 [use of uninitialized data] - RESERVED +CVE-2014-9746 (The (1) t1_parse_font_matrix function in type1/t1load.c, (2) ...) {DSA-3370-1 DLA-319-1} - freetype 2.6-1 (bug #798619) NOTE: https://launchpad.net/bugs/1449225 @@ -21439,8 +21457,7 @@ NOTE: https://savannah.nongnu.org/bugs/?41309 NOTE: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=8b281f83e8516535756f92dbf90940ac44bd45e1 (VER-2-5-3) NOTE: http://www.openwall.com/lists/oss-security/2015/09/11/4 -CVE-2014-9747 [t42parse.c vulnerability] - RESERVED +CVE-2014-9747 (The t42_parse_encoding function in type42/t42parse.c in FreeType ...) {DSA-3370-1 DLA-319-1} - freetype 2.6-1 (bug #798619) NOTE: https://launchpad.net/bugs/1449225 @@ -21927,8 +21944,7 @@ NOT-FOR-US: Adobe CVE-2015-6724 (The ANSendForApproval method in Adobe Reader and Acrobat 10.x before ...) NOT-FOR-US: Adobe -CVE-2015-5723 [Security Misconfiguration Vulnerability in various Doctrine projects] - RESERVED +CVE-2015-5723 (Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before ...) {DSA-3369-1} - php-doctrine-annotations 1.2.7-1 (low) [jessie] - php-doctrine-annotations 1.2.1-1+deb8u1 @@ -25585,7 +25601,7 @@ CVE-2015-5325 (CloudBees Jenkins before 1.638 and LTS before 1.625.2 allow attackers ...) - jenkins <removed> NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 -CVE-2015-5324 (CloudBees Jenkins before 1.638 and LTS before 1.625.2 allow remote ...) +CVE-2015-5324 (Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to ...) - jenkins <removed> NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11 CVE-2015-5323 (CloudBees Jenkins before 1.638 and LTS before 1.625.2 do not properly ...) @@ -25884,12 +25900,10 @@ NOTE: Proposed patch for commons-httpclient: https://bugzilla.redhat.com/show_bug.cgi?id=1259892 NOTE: Checked that both 4.0.1 (in Squeeze) and 4.1.1 (in Wheezy) have the call to set the timout before the SSL connection is opened. NOTE: Jessie's 4.3.5-2 is however missing the upstream patch: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?r1=1560975&r2=1626784 -CVE-2015-5261 [host memory access from guest using crafted images] - RESERVED +CVE-2015-5261 (Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS ...) {DSA-3371-1} - spice 0.12.5-1.3 (bug #801091) -CVE-2015-5260 [Insufficient validation of surface_id parameter can cause crash] - RESERVED +CVE-2015-5260 (Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS ...) {DSA-3371-1} - spice 0.12.5-1.3 (bug #801089) CVE-2015-5259 (Integer overflow in the read_string function in ...) @@ -26005,8 +26019,7 @@ CVE-2015-5232 RESERVED NOT-FOR-US: OPA Fabric Manager and OPA tools and Fast Fabric -CVE-2015-5231 [service daemon allows to bypass ptrace policy] - RESERVED +CVE-2015-5231 (The service daemon in CRIU does not properly restrict access to ...) - criu 1.8-2 (bug #797110) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1256728 CVE-2015-5230 @@ -26019,8 +26032,7 @@ CVE-2015-5229 (The calloc function in the glibc package in Red Hat Enterprise Linux ...) - glibc <not-affected> (RHEL-specific backport) - eglibc <not-affected> (RHEL-specific backport) -CVE-2015-5228 [arbitrary file creation and chown] - RESERVED +CVE-2015-5228 (The service daemon in CRIU creates log and dump files insecurely, ...) - criu 1.8-2 (bug #797111) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1255782 CVE-2015-5227 @@ -29374,8 +29386,7 @@ RESERVED CVE-2015-4027 (The AcuWVSSchedulerv10 service in Acunetix Web Vulnerability Scanner ...) NOT-FOR-US: Acunetix Web Vulnerability Scanner -CVE-2013-7440 [incorrect wildcard matching rules] - RESERVED +CVE-2013-7440 (The ssl.match_hostname function in CPython (aka Python) before 2.7.9 ...) - python3.4 3.4~b1-4 - python3.3 3.3.3-1 - python3.2 <removed> @@ -46053,8 +46064,7 @@ CVE-2014-8178 RESERVED - docker.io 1.8.3~ds1-1 -CVE-2014-8177 - RESERVED +CVE-2014-8177 (The Red Hat gluster-swift package, as used in Red Hat Gluster Storage ...) NOT-FOR-US: gluster-swift CVE-2014-8176 (The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before ...) {DSA-3287-1 DLA-247-1} _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits