Author: joeyh
Date: 2013-10-29 21:14:31 +0000 (Tue, 29 Oct 2013)
New Revision: 24216

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2013-10-29 19:58:25 UTC (rev 24215)
+++ data/CVE/list       2013-10-29 21:14:31 UTC (rev 24216)
@@ -1,13 +1,98 @@
+CVE-2013-6287
+       RESERVED
+CVE-2013-6286
+       RESERVED
+CVE-2013-6284 (Unspecified vulnerability in the Statutory Reporting for 
Insurance ...)
+       TODO: check
+CVE-2013-6283 (VideoLAN VLC Media Player 2.0.8 and earlier allows remote 
attackers to ...)
+       TODO: check
+CVE-2013-6282
+       RESERVED
+CVE-2013-6281 (Cross-site scripting (XSS) vulnerability in 
codebase/spreadsheet.php ...)
+       TODO: check
+CVE-2013-6280 (Cross-site scripting (XSS) vulnerability in Social Sharing 
Toolkit ...)
+       TODO: check
+CVE-2013-6279
+       RESERVED
+CVE-2013-6278
+       RESERVED
+CVE-2013-6277
+       RESERVED
+CVE-2013-6276
+       RESERVED
+CVE-2013-6274
+       RESERVED
+CVE-2013-6273
+       RESERVED
+CVE-2013-6272
+       RESERVED
+CVE-2013-6271
+       RESERVED
+CVE-2013-6270
+       RESERVED
+CVE-2013-6269
+       RESERVED
+CVE-2013-6268
+       RESERVED
+CVE-2013-6267
+       RESERVED
+CVE-2013-6266
+       RESERVED
+CVE-2013-6265
+       RESERVED
+CVE-2013-6264
+       RESERVED
+CVE-2013-6263
+       RESERVED
+CVE-2013-6262
+       RESERVED
+CVE-2013-6261
+       RESERVED
+CVE-2013-6260
+       RESERVED
+CVE-2013-6259
+       RESERVED
+CVE-2013-6258
+       RESERVED
+CVE-2013-6257
+       RESERVED
+CVE-2013-6256
+       RESERVED
+CVE-2013-6255
+       RESERVED
+CVE-2013-6254
+       RESERVED
+CVE-2013-6253
+       RESERVED
+CVE-2013-6252
+       RESERVED
+CVE-2013-6251
+       RESERVED
+CVE-2013-6250
+       RESERVED
+CVE-2013-6249
+       RESERVED
+CVE-2013-6248
+       RESERVED
+CVE-2013-6247
+       RESERVED
+CVE-2013-6246 (The Dell Quest One Password Manager, possibly 5.0, allows 
remote ...)
+       TODO: check
+CVE-2013-6245 (Unspecified vulnerability in SAP Sybase Adaptive Server 
Enterprise ...)
+       TODO: check
+CVE-2013-6244 (The Live Update webdynpro application ...)
+       TODO: check
 CVE-2013-XXXX [remote command injection in content_type]
        - sup-mail <unfixed> (bug #728232)
        NOTE: http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
-CVE-2013-6289
+CVE-2013-6289 (Cross-site scripting (XSS) vulnerability in the Apache Solr for 
TYPO3 ...)
        NOT-FOR-US: TYPO3 extension Apache Solr
-CVE-2013-6288
+CVE-2013-6288 (Unspecified vulnerability in the Apache Solr for TYPO3 (solr) 
...)
        NOT-FOR-US: TYPO3 extension Apache Solr
-CVE-2013-6285
+CVE-2013-6285 (The search component in the Treasurer application in Tyler ...)
        NOT-FOR-US: Tyler Technologies TaxWeb
 CVE-2013-6275 [CSRF]
+       RESERVED
        - php-horde-ingo <unfixed> (bug #727669)
        - ingo1 <undetermined>
 CVE-2013-6242
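Review bot: CVE-2013-6283 near the top of this hunk (VideoLAN VLC Media Player 2.0.8 and earlier) is left at TODO: check alongside the vendor-product entries; unlike those, VLC is software this file tracks as a Debian package (see the NOTE lines pointing at git.videolan.org later in the diff), so this entry should be resolved to a package line, a not-affected marker or NOT-FOR-US in the next triage pass rather than staying in the TODO queue.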
@@ -239,10 +324,10 @@
        RESERVED
 CVE-2013-6130
        RESERVED
-CVE-2013-6128
-       RESERVED
-CVE-2013-6127
-       RESERVED
+CVE-2013-6128 (The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 
...)
+       TODO: check
+CVE-2013-6127 (The SUPERGRIDLib.SuperGrid ActiveX control in SuperGrid.ocx 
before ...)
+       TODO: check
 CVE-2013-6126
        RESERVED
 CVE-2013-6125
@@ -373,7 +458,7 @@
        TODO: check
 CVE-2007-6755 (The NIST SP 800-90A default statement of the Dual Elliptic 
Curve ...)
        TODO: check
-CVE-2013-6243 [SQL Injection]
+CVE-2013-6243 (SQL injection vulnerability in the Landing Pages plugin 1.2.3, 
before ...)
        NOT-FOR-US: WordPress Landing Pages Plugin
 CVE-2013-6167
        RESERVED
@@ -475,28 +560,23 @@
        RESERVED
 CVE-2013-6021 (Buffer overflow in WGagent in WatchGuard WSM and Fireware 
before 11.8 ...)
        NOT-FOR-US: WatchGuard WSM and Fireware
-CVE-2013-6020
-       RESERVED
+CVE-2013-6020 (passwordRequestPOST.jsp in Tyler Technologies TaxWeb 3.13.3.1 
sends ...)
        NOT-FOR-US: Tyler Technologies TaxWeb
-CVE-2013-6019
-       RESERVED
+CVE-2013-6019 (Cross-site scripting (XSS) vulnerability in Tyler Technologies 
TaxWeb ...)
        NOT-FOR-US: Tyler Technologies TaxWeb
-CVE-2013-6018
-       RESERVED
+CVE-2013-6018 (Cross-site request forgery (CSRF) vulnerability in login.jsp in 
Tyler ...)
        NOT-FOR-US: Tyler Technologies TaxWeb
 CVE-2013-6017
        RESERVED
-CVE-2013-6016
-       RESERVED
+CVE-2013-6016 (The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, APM, 
ASM, ...)
+       TODO: check
 CVE-2013-6015 (Juniper Junos before 10.4S14, 11.4 before 11.4R5-S2, 12.1R 
before ...)
        NOT-FOR-US: Juniper Junos
-CVE-2013-6014
-       RESERVED
+CVE-2013-6014 (Juniper Junos 10.4 before 10.4S15, 11.4 before 11.4R9, 11.4X27 
before ...)
        NOT-FOR-US: Juniper Junos
 CVE-2013-6013 (Buffer overflow in the flow daemon (flowd) in Juniper Junos 
10.4 ...)
        NOT-FOR-US: Juniper Junos
-CVE-2013-6012
-       RESERVED
+CVE-2013-6012 (Juniper Junos 12.1X44 before 12.1.X44-D20 and 12.1X45 before 
...)
        NOT-FOR-US: Juniper Junos
 CVE-2013-6011 (Citrix NetScaler Application Delivery Controller (ADC) 10.0 
before ...)
        NOT-FOR-US: Citrix NetScaler Application Delivery Controller
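Review bot: CVE-2013-6016 (Traffic Management Microkernel in F5 BIG-IP) is left at TODO: check while every neighbouring appliance entry in this hunk (Tyler Technologies TaxWeb, Juniper Junos, Citrix NetScaler) is resolved NOT-FOR-US; BIG-IP is a vendor appliance that is not packaged in Debian, so it can be marked NOT-FOR-US in the same pass instead of waiting for manual review.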
@@ -586,8 +666,7 @@
        NOT-FOR-US: VMware ESXi and ESX
 CVE-2013-5969
        RESERVED
-CVE-2013-5968
-       RESERVED
+CVE-2013-5968 (Cross-site scripting (XSS) vulnerability in CA SiteMinder 12.0 
through ...)
        NOT-FOR-US: CA SiteMinder
 CVE-2013-5967 (Multiple SQL injection vulnerabilities in AlienVault Open 
Source ...)
        NOT-FOR-US: AlienVault Open Source Security Information Management
@@ -698,8 +777,7 @@
        {DSA-2782-1}
        - polarssl 1.3.1-1 (bug #725359)
        NOTE: 
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
-CVE-2013-5914 [Buffer overflow in ssl_read_record()]
-       RESERVED
+CVE-2013-5914 (Buffer overflow in the ssl_read_record function in ssl_tls.c in 
...)
        {DSA-2782-1}
        - polarssl 1.2.0-1 (bug #725359)
        NOTE: 
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04
@@ -1104,8 +1182,7 @@
        RESERVED
 CVE-2013-5746
        RESERVED
-CVE-2013-5744
-       RESERVED
+CVE-2013-5744 (Cross-site scripting (XSS) vulnerability in Feng Office 
2.3.2-rc and ...)
        NOT-FOR-US: Feng Office
 CVE-2013-5743
        RESERVED
@@ -1113,8 +1190,7 @@
        [squeeze] - zabbix 1:1.8.2-1squeeze5
 CVE-2013-5742
        RESERVED
-CVE-2013-5741
-       RESERVED
+CVE-2013-5741 (Triangle Research International (aka Tri) Nano-10 PLC devices 
with ...)
        NOT-FOR-US: Triangle Research International Nano-10 PLC
 CVE-2013-5745 (The vino_server_client_data_pending function in vino-server.c 
in GNOME ...)
        - vino 3.10.1-1 (low; bug #724545)
@@ -1626,8 +1702,7 @@
        RESERVED
 CVE-2013-5550 (The fabric-interconnect component in Cisco Unified Computing 
System ...)
        NOT-FOR-US: Cisco Unified Computing System
-CVE-2013-5549
-       RESERVED
+CVE-2013-5549 (Cisco IOS XR 3.8.1 through 4.2.0 does not properly process 
fragmented ...)
        NOT-FOR-US: Cisco IOS XR
 CVE-2013-5548
        RESERVED
@@ -1651,10 +1726,10 @@
        NOT-FOR-US: Cisco Identity Services Engine
 CVE-2013-5538 (The Sponsor Portal in Cisco Identity Services Engine (ISE) uses 
weak ...)
        NOT-FOR-US: Cisco Identity Services Engine
-CVE-2013-5537
-       RESERVED
-CVE-2013-5536
-       RESERVED
+CVE-2013-5537 (The web framework on Cisco Web Security Appliance (WSA), Email 
...)
+       TODO: check
+CVE-2013-5536 (Cisco Secure Access Control System (ACS) does not properly 
implement ...)
+       TODO: check
 CVE-2013-5535 (The analytics page on Cisco Video Surveillance 4000 IP cameras 
has ...)
        NOT-FOR-US: Cisco Video Surveillance 4000 IP cameras
 CVE-2013-5534 (Directory traversal vulnerability in the attachment service in 
the ...)
@@ -1663,10 +1738,9 @@
        NOT-FOR-US: Cisco
 CVE-2013-5532 (Buffer overflow in the web-application interface on Cisco 9900 
IP ...)
        NOT-FOR-US: Cisco
-CVE-2013-5531
-       RESERVED
-CVE-2013-5530
-       RESERVED
+CVE-2013-5531 (Cisco Identity Services Engine (ISE) 1.x before 1.1.1 allows 
remote ...)
+       TODO: check
+CVE-2013-5530 (The web framework in Cisco Identity Services Engine (ISE) 1.0 
and ...)
        NOT-FOR-US: Cisco Identity Services Engine
 CVE-2013-5529 (The deployment module in the server in Cisco WebEx Meeting 
Center does ...)
        NOT-FOR-US: Cisco WebEx Meetings Server
@@ -1682,10 +1756,10 @@
        NOT-FOR-US: Cisco
 CVE-2013-5523 (The Sponsor Portal in Cisco Identity Services Engine (ISE) 1.2 
and ...)
        NOT-FOR-US: Cisco
-CVE-2013-5522
-       RESERVED
-CVE-2013-5521
-       RESERVED
+CVE-2013-5522 (Cisco IOS on Catalyst 3750X switches has default Service Module 
...)
+       TODO: check
+CVE-2013-5521 (Cisco Identity Services Engine does not properly restrict the 
creation ...)
+       TODO: check
 CVE-2013-5520
        RESERVED
 CVE-2013-5519 (Cross-site scripting (XSS) vulnerability in the management 
interface ...)
@@ -1866,8 +1940,7 @@
        RESERVED
 CVE-2013-5431
        RESERVED
-CVE-2013-5430
-       RESERVED
+CVE-2013-5430 (The Jazz Team Server component in IBM Security AppScan 
Enterprise 8.x ...)
        NOT-FOR-US: IBM Security AppScan Enterprise
 CVE-2013-5429
        RESERVED
@@ -1879,8 +1952,8 @@
        RESERVED
 CVE-2013-5425
        RESERVED
-CVE-2013-5424
-       RESERVED
+CVE-2013-5424 (IBM Flex System Manager (FSM) 1.3.0 allows remote attackers to 
bypass ...)
+       TODO: check
 CVE-2013-5423
        RESERVED
 CVE-2013-5422
@@ -2348,68 +2421,68 @@
        RESERVED
 CVE-2013-5193
        RESERVED
-CVE-2013-5192
-       RESERVED
-CVE-2013-5191
-       RESERVED
-CVE-2013-5190
-       RESERVED
-CVE-2013-5189
-       RESERVED
-CVE-2013-5188
-       RESERVED
-CVE-2013-5187
-       RESERVED
-CVE-2013-5186
-       RESERVED
-CVE-2013-5185
-       RESERVED
-CVE-2013-5184
-       RESERVED
-CVE-2013-5183
-       RESERVED
-CVE-2013-5182
-       RESERVED
-CVE-2013-5181
-       RESERVED
-CVE-2013-5180
-       RESERVED
-CVE-2013-5179
-       RESERVED
-CVE-2013-5178
-       RESERVED
-CVE-2013-5177
-       RESERVED
-CVE-2013-5176
-       RESERVED
-CVE-2013-5175
-       RESERVED
-CVE-2013-5174
-       RESERVED
-CVE-2013-5173
-       RESERVED
-CVE-2013-5172
-       RESERVED
-CVE-2013-5171
-       RESERVED
-CVE-2013-5170
-       RESERVED
-CVE-2013-5169
-       RESERVED
-CVE-2013-5168
-       RESERVED
-CVE-2013-5167
-       RESERVED
-CVE-2013-5166
-       RESERVED
-CVE-2013-5165
-       RESERVED
-CVE-2013-5164
-       RESERVED
+CVE-2013-5192 (The USB hub controller in Apple Mac OS X before 10.9 allows 
local ...)
+       TODO: check
+CVE-2013-5191 (The syslog implementation in Apple Mac OS X before 10.9 allows 
local ...)
+       TODO: check
+CVE-2013-5190 (Smart Card Services in Apple Mac OS X before 10.9 does not 
properly ...)
+       TODO: check
+CVE-2013-5189 (Apple Mac OS X before 10.9 does not preserve a certain 
administrative ...)
+       TODO: check
+CVE-2013-5188 (The Screen Lock implementation in Apple Mac OS X before 10.9, 
when ...)
+       TODO: check
+CVE-2013-5187 (The Screen Lock implementation in Apple Mac OS X before 10.9 
does not ...)
+       TODO: check
+CVE-2013-5186 (Power Management in Apple Mac OS X before 10.9 does not 
properly ...)
+       TODO: check
+CVE-2013-5185 (The ldapsearch command-line program in OpenLDAP in Apple Mac OS 
X ...)
+       TODO: check
+CVE-2013-5184 (The kernel in Apple Mac OS X before 10.9 does not properly 
check for ...)
+       TODO: check
+CVE-2013-5183 (Mail in Apple Mac OS X before 10.9, when Kerberos 
authentication is ...)
+       TODO: check
+CVE-2013-5182 (Mail in Apple Mac OS X before 10.9 allows remote attackers to 
spoof ...)
+       TODO: check
+CVE-2013-5181 (The auto-configuration feature in Mail in Apple Mac OS X before 
10.9 ...)
+       TODO: check
+CVE-2013-5180 (The srandomdev function in Libc in Apple Mac OS X before 10.9, 
when ...)
+       TODO: check
+CVE-2013-5179 (App Sandbox in Apple Mac OS X before 10.9 allows attackers to 
bypass ...)
+       TODO: check
+CVE-2013-5178 (LaunchServices in Apple Mac OS X before 10.9 does not properly 
...)
+       TODO: check
+CVE-2013-5177 (The kernel in Apple Mac OS X before 10.9 allows local users to 
cause a ...)
+       TODO: check
+CVE-2013-5176 (The kernel in Apple Mac OS X before 10.9 does not properly 
handle ...)
+       TODO: check
+CVE-2013-5175 (The kernel in Apple Mac OS X before 10.9 allows local users to 
obtain ...)
+       TODO: check
+CVE-2013-5174 (Integer signedness error in the kernel in Apple Mac OS X before 
10.9 ...)
+       TODO: check
+CVE-2013-5173 (The random-number generator in the kernel in Apple Mac OS X 
before ...)
+       TODO: check
+CVE-2013-5172 (The kernel in Apple Mac OS X before 10.9 does not properly 
determine ...)
+       TODO: check
+CVE-2013-5171 (CoreGraphics in Apple Mac OS X before 10.9 allows local users 
to ...)
+       TODO: check
+CVE-2013-5170 (Buffer underflow in CoreGraphics in Apple Mac OS X before 10.9 
allows ...)
+       TODO: check
+CVE-2013-5169 (CoreGraphics in Apple Mac OS X before 10.9, when display-sleep 
mode is ...)
+       TODO: check
+CVE-2013-5168 (Console in Apple Mac OS X before 10.9 allows user-assisted 
remote ...)
+       TODO: check
+CVE-2013-5167 (CFNetwork in Apple Mac OS X before 10.9 does not properly 
support ...)
+       TODO: check
+CVE-2013-5166 (The Bluetooth USB host controller in Apple Mac OS X before 10.9 
...)
+       TODO: check
+CVE-2013-5165 (socketfilterfw in Application Firewall in Apple Mac OS X before 
10.9 ...)
+       TODO: check
+CVE-2013-5164 (Multiple race conditions in the Phone app in Apple iOS before 
7.0.3 ...)
+       TODO: check
 CVE-2013-5163 (Directory Services in Apple Mac OS X before 10.8.5 Supplemental 
Update ...)
        NOT-FOR-US: Apple OS X
-CVE-2013-5162
-       RESERVED
+CVE-2013-5162 (Passcode Lock in Apple iOS before 7.0.3 on iPhone devices 
allows ...)
+       TODO: check
 CVE-2013-5161 (Passcode Lock in Apple iOS before 7.0.2 does not properly 
manage the ...)
        NOT-FOR-US: Apple iOS
 CVE-2013-5160 (Passcode Lock in Apple iOS before 7.0.2 on iPhone devices 
allows ...)
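Review bot: the run of Apple Mac OS X before 10.9 entries in this hunk (CVE-2013-5192 through CVE-2013-5164) all land at TODO: check while the adjacent Apple entries are NOT-FOR-US: Apple OS X / Apple iOS; when these are bulk-resolved, CVE-2013-5185 (the ldapsearch command-line program in OpenLDAP in Apple Mac OS X) deserves a separate look, since openldap is a Debian package and the flaw may or may not be confined to Apple's build of it, whereas the kernel, CoreGraphics, Mail and Screen Lock entries are Apple-only components.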
@@ -2436,18 +2509,18 @@
        NOT-FOR-US: Apple iOS
 CVE-2013-5149 (The Push Notifications subsystem in Apple iOS before 7 provides 
the ...)
        NOT-FOR-US: Apple iOS
-CVE-2013-5148
-       RESERVED
+CVE-2013-5148 (Apple Keynote before 6.0 does not properly handle the 
interaction ...)
+       TODO: check
 CVE-2013-5147 (Passcode Lock in Apple iOS before 7 does not properly manage 
the lock ...)
        NOT-FOR-US: Apple iOS
 CVE-2013-5146
        RESERVED
 CVE-2013-5145 (kextd in Kext Management in Apple iOS before 7 does not 
properly ...)
        NOT-FOR-US: Apple iOS
-CVE-2013-5144
-       RESERVED
-CVE-2013-5143
-       RESERVED
+CVE-2013-5144 (Passcode Lock in Apple iOS before 7.0.3 on iPhone devices 
allows ...)
+       TODO: check
+CVE-2013-5143 (The RADIUS service in Server App in Apple OS X Server before 
3.0 ...)
+       TODO: check
 CVE-2013-5142 (The kernel in Apple iOS before 7 does not initialize 
unspecified ...)
        NOT-FOR-US: Apple iOS
 CVE-2013-5141 (The kernel in Apple iOS before 7 uses an incorrect data size 
for a ...)
@@ -2460,10 +2533,10 @@
        NOT-FOR-US: Apple iOS
 CVE-2013-5137 (IOKit in Apple iOS before 7 allows attackers to send 
user-interface ...)
        NOT-FOR-US: Apple iOS
-CVE-2013-5136
-       RESERVED
-CVE-2013-5135
-       RESERVED
+CVE-2013-5136 (Apple Remote Desktop before 3.7 does not properly use server 
...)
+       TODO: check
+CVE-2013-5135 (Format string vulnerability in Screen Sharing Server in Apple 
Mac OS X ...)
+       TODO: check
 CVE-2013-5134
        REJECTED
 CVE-2013-5133
@@ -2472,8 +2545,8 @@
        NOT-FOR-US: Apple AirPort
 CVE-2013-5131 (Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS 
before ...)
        NOT-FOR-US: Apple iOS
-CVE-2013-5130
-       RESERVED
+CVE-2013-5130 (WebKit in Apple Safari before 6.1 disables the Private Browsing 
...)
+       TODO: check
 CVE-2013-5129 (Multiple cross-site scripting (XSS) vulnerabilities in WebKit 
in Apple ...)
        NOT-FOR-US: Apple iOS
 CVE-2013-5128 (WebKit, as used in Apple iOS before 7, allows remote attackers 
to ...)
@@ -2805,8 +2878,8 @@
        - puppet <not-affected> (Only affects Puppet Enterprise)
 CVE-2013-4966
        RESERVED
-CVE-2013-4965
-       RESERVED
+CVE-2013-4965 (Puppet Enterprise before 3.1.0 does not properly restrict the 
number ...)
+       TODO: check
 CVE-2013-4964 (Puppet Enterprise before 3.0.1 does not set the secure flag for 
the ...)
        - puppet <not-affected> (Only affects Puppet Enterprise)
 CVE-2013-4963
@@ -2821,8 +2894,8 @@
        - puppet <not-affected> (Only affects Puppet Enterprise)
 CVE-2013-4958 (Puppet Enterprise before 3.0.1 does not use a session timeout, 
which ...)
        - puppet <not-affected> (Only affects Puppet Enterprise)
-CVE-2013-4957
-       RESERVED
+CVE-2013-4957 (The dashboard report in Puppet Enterprise before 3.0.1 allows 
...)
+       TODO: check
 CVE-2013-4956 (Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 
and ...)
        {DSA-2761-1}
        - puppet 3.2.4-1
@@ -3021,8 +3094,7 @@
        RESERVED
 CVE-2013-4886
        RESERVED
-CVE-2013-4885 [arbitrary file upload flaw in http-domino-enum-passwords NSE 
script]
-       RESERVED
+CVE-2013-4885 (The http-domino-enum-passwords.nse script in NMap before 6.40, 
when ...)
        - nmap 6.40-0.1 (low; bug #719289)
        [squeeze] - nmap <not-affected> (Vulnerable code not present)
        [wheezy] - nmap 6.00-0.3+deb7u1
@@ -3937,6 +4009,7 @@
 CVE-2013-4478
        RESERVED
 CVE-2013-4477 [OpenStack Keystone: Unintentional role granting with Keystone 
LDAP backend]
+       RESERVED
        - keystone <unfixed> (bug #728233)
        NOTE: https://bugs.launchpad.net/keystone/+bug/1242855
 CVE-2013-4476
@@ -3977,8 +4050,7 @@
        - gnutls28 <not-affected> (libdane is not built)
        NOTE: http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
        NOTE: Upstream commit for 3.2.x: 
https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3
-CVE-2013-4465
-       RESERVED
+CVE-2013-4465 (Unrestricted file upload vulnerability in the avatar upload ...)
        NOT-FOR-US: Simple Machines Forum
 CVE-2013-4464
        RESERVED
@@ -4050,7 +4122,7 @@
 CVE-2013-4444
        RESERVED
 CVE-2013-4443
-       RESERVED
+       REJECTED
 CVE-2013-4442 [Silent fallback to insecure entropy]
        RESERVED
        - pwgen <unfixed> (bug #726578)
@@ -4075,8 +4147,7 @@
 CVE-2013-4435
        RESERVED
        - salt <unfixed> (bug #726480)
-CVE-2013-4434 [dropbear: avoid disclosing existence of valid users through 
inconsistent delays]
-       RESERVED
+CVE-2013-4434 (Dropbear SSH Server before 2013.59 generates error messages for 
a ...)
        - dropbear 2012.55-1.4 (low; bug #726118)
        [squeeze] - dropbear <no-dsa> (Minor issue)
        [wheezy] - dropbear <no-dsa> (Minor issue)
@@ -4105,8 +4176,7 @@
        NOTE: 
https://bazaar.launchpad.net/~mahara-release/mahara/1.7_STABLE/revision/5833
        NOTE: 
https://bazaar.launchpad.net/~mahara-release/mahara/1.5_STABLE/revision/5543
        NOTE: https://bugs.launchpad.net/mahara/+bug/1211758
-CVE-2013-4428 [image_download policy not enforced for cached images]
-       RESERVED
+CVE-2013-4428 (OpenStack Image Registry and Delivery Service (Glance) Folsom, 
Grizzly ...)
        - glance <unfixed> (bug #726478)
        [wheezy] - glance <not-affected> (does not have the download_image)
 CVE-2013-4427 [pyxtrlock Incorrect return value checking]
@@ -4121,11 +4191,9 @@
        RESERVED
 CVE-2013-4423
        RESERVED
-CVE-2013-4422 [SQL injection]
-       RESERVED
+CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before 0.9.1, when 
Qt 4.8.5 ...)
        - quassel <not-affected> (Postgres support not enabled in Debian, see 
#552374)
-CVE-2013-4421 [memory exhaustion denial of service]
-       RESERVED
+CVE-2013-4421 (The buf_decompress function in packet.c in Dropbear SSH Server 
before ...)
        - dropbear 2012.55-1.4 (low; bug #726019)
        [squeeze] - dropbear <no-dsa> (Minor issue)
        [wheezy] - dropbear <no-dsa> (Minor issue)
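Review bot: the quassel <not-affected> rationale for CVE-2013-4422 ("Postgres support not enabled in Debian, see #552374") should be re-confirmed against the new MITRE description, which conditions the flaw on Qt 4.8.5 ("SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 ..."); if the issue requires both Qt 4.8.5 and the PostgreSQL backend the rationale still holds, but as written the note addresses only one of the two conditions.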
@@ -4185,8 +4253,7 @@
        RESERVED
 CVE-2013-4403
        RESERVED
-CVE-2013-4402 [infinite recursion in the compressed packet parser]
-       RESERVED
+CVE-2013-4402 (GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote 
...)
        {DSA-2774-1 DSA-2773-1}
        - gnupg2 2.0.22-1 (bug #725433)
        - gnupg 1.4.15-1 (bug #725439)
@@ -4218,32 +4285,27 @@
 CVE-2013-4395
        RESERVED
        NOT-FOR-US: Simple Machines Forum
-CVE-2013-4394 [systemd: Improper sanitization of invalid XKB layouts 
descriptions]
-       RESERVED
+CVE-2013-4394 (The SetX11Keyboard function in systemd, when PolicyKit Local 
Authority ...)
        {DSA-2777-1}
        - systemd 204-5 (bug #725357)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=862324
        NOTE: 
http://cgit.freedesktop.org/systemd/systemd/commit/?id=0b507b17a760b21e33fc52ff377db6aa5086c680
-CVE-2013-4393 [systemd: Possibility of denial of logging service by processing 
native messages from file]
-       RESERVED
+CVE-2013-4393 (journald in systemd, when the origin of native messages is set 
to ...)
        - systemd 204-5 (bug #725357)
        [wheezy] - systemd <not-affected> (Vulnerable code not present)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859104
        NOTE: 
http://cgit.freedesktop.org/systemd/systemd/commit/?id=1dfa7e79a60de680086b1d93fcc3629b463f58bd
-CVE-2013-4392 [systemd: TOCTOU race condition when updating file permissions 
and SELinux security contexts]
-       RESERVED
+CVE-2013-4392 (systemd, when updating file permissions, allows local users to 
change ...)
        - systemd <unfixed> (low; bug #725357)
        [wheezy] - systemd <not-affected> (/etc/tmpfiles.d not supported in 
Wheezy)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859060
        TODO: no useful information available yet, recheck later
-CVE-2013-4391 [systemd: Integer overflow, leading to heap-based buffer 
overflow by processing native messages]
-       RESERVED
+CVE-2013-4391 (Integer overflow in the valid_user_field function in ...)
        {DSA-2777-1}
        - systemd 204-5 (bug #725357)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=859051
        NOTE: 
http://cgit.freedesktop.org/systemd/systemd/commit/?id=505b6a61c22d5565e9308045c7b9bf79f7d0517e
-CVE-2013-4390
-       RESERVED
+CVE-2013-4390 (Open redirect vulnerability in the 
AbstractAuthenticationFormServlet ...)
        NOT-FOR-US: Apache Sling
 CVE-2013-4389 (Multiple format string vulnerabilities in log_subscriber.rb 
files in ...)
        - rails-4.0 <not-affected> (Only affects 3.x)
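Review bot: the TODO under CVE-2013-4392 ("no useful information available yet, recheck later") is now stale: this hunk replaces the bracketed placeholder with the published description ("systemd, when updating file permissions, allows local users to change ..."), so the entry can be rechecked and the TODO either dropped or narrowed to what is still missing, given that the package line is still <unfixed> (low; bug #725357).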
@@ -4305,8 +4367,7 @@
        NOTE: Xen after Wheezy uses qemu-system-x86 from qemu, marking 4.2 as 
pseudo fixed
 CVE-2013-4374
        RESERVED
-CVE-2013-4373
-       RESERVED
+CVE-2013-4373 (The storeFiles method in JPADriftServerBean in Red Hat JBoss 
...)
        NOT-FOR-US: Red Hat JBoss Operations Network
 CVE-2013-4372 (Multiple cross-site scripting (XSS) vulnerabilities in Fuse 
Management ...)
        NOT-FOR-US: JBoss Fuse
@@ -4538,13 +4599,11 @@
        - mediawiki 1:1.19.8+dfsg-1 (unimportant)
        NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=52746
        NOTE: IE6 lacks so many security features that this doesn't matter 
-CVE-2013-4302 [mediawiki anti CSRF modules could be accessed via JSON]
-       RESERVED
+CVE-2013-4302 ((1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, 
(4) ...)
        {DSA-2753-1}
        - mediawiki 1:1.19.8+dfsg-1
        NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=49090
-CVE-2013-4301 [mediawiki full path disclosure]
-       RESERVED
+CVE-2013-4301 (includes/resourceloader/ResourceLoaderContext.php in MediaWiki 
1.19.x ...)
        - mediawiki 1:1.19.8+dfsg-1 (unimportant)
        NOTE: Full path disclosure irrelevant in Debian
        NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=46332
@@ -4552,8 +4611,7 @@
        - linux 3.11.5-1
        [wheezy] - linux <not-affected> (Not exploitable by unprivileged users 
in 3.2)
        - linux-2.6 <not-affected> (Not exploitable by unprivileged users in 
2.6.32)
-CVE-2013-4299 [dm: dm-snapshot data leak]
-       RESERVED
+CVE-2013-4299 (Interpretation conflict in drivers/md/dm-snap-persistent.c in 
the ...)
        - linux-2.6 <removed>
        - linux <unfixed>
        NOTE: upstream commit: 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c6a182649f4259db704ae15a91ac820e63b0ca
@@ -4570,14 +4628,12 @@
        [squeeze] - libvirt <not-affected> (Vulnerable code not present, 
introduced by commit 158ba8730e44b7dd07a21ab90499996c5dec080a)
        NOTE: 
http://libvirt.org/git/?p=libvirt.git;a=commit;h=158ba8730e44b7dd07a21ab90499996c5dec080a
        NOTE: Fix: 
http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=e7f400a110e2e3673b96518170bfea0855dd82c0
-CVE-2013-4295
-       RESERVED
+CVE-2013-4295 (The gadget renderer in Apache Shindig 2.5.0 for PHP allows 
remote ...)
        NOT-FOR-US: Apache Shindig
 CVE-2013-4294 (The (1) mamcache and (2) KVS token backends in OpenStack 
Identity ...)
        - keystone 2013.1.3-2 (bug #722505)
        [wheezy] - keystone <not-affected> (only affects Folsom release and 
above)
-CVE-2013-4293
-       RESERVED
+CVE-2013-4293 (The server in Red Hat JBoss Operations Network (JON) 3.1.2 logs 
...)
        NOT-FOR-US: Red Hat JBoss Operations Network
 CVE-2013-4292 (libvirt 1.1.0 and 1.1.1 allows local users to cause a denial of 
...)
        - libvirt 1.1.2~rc2-1 (bug #721325)
@@ -5154,8 +5210,7 @@
        [wheezy] - squid3 <not-affected> (Only affects 3.2 onwards)
        [squeeze] - squid3 <not-affected> (Only affects 3.2 onwards)
        NOTE: http://www.squid-cache.org/Advisories/SQUID-2013_3.txt
-CVE-2013-4122 [cyrus-sasl NULL ptr. dereference]
-       RESERVED
+CVE-2013-4122 (Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle 
when a ...)
        - cyrus-sasl2 2.1.25.dfsg1-14 (bug #716835)
        [wheezy] - cyrus-sasl2 <not-affected> (Only exploitable with eglibc 
2.17 and later)
        [squeeze] - cyrus-sasl2 <not-affected> (Only exploitable with eglibc 
2.17 and later)
@@ -5503,8 +5558,8 @@
        RESERVED
 CVE-2013-3990 (Cross-site scripting (XSS) vulnerability in the MIME e-mail ...)
        NOT-FOR-US: IBM
-CVE-2013-3989
-       RESERVED
+CVE-2013-3989 (IBM Security AppScan Enterprise 8.x before 8.8 sends a 
cleartext ...)
+       TODO: check
 CVE-2013-3988
        RESERVED
 CVE-2013-3987
@@ -6140,8 +6195,7 @@
        RESERVED
 CVE-2013-3705
        RESERVED
-CVE-2013-3704
-       RESERVED
+CVE-2013-3704 (The RPM GPG key import and handling feature in libzypp 12.15.0 
and ...)
        NOT-FOR-US: libzypp
 CVE-2013-3703
        RESERVED
@@ -7075,8 +7129,7 @@
        RESERVED
 CVE-2013-3281
        RESERVED
-CVE-2013-3280
-       RESERVED
+CVE-2013-3280 (EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for 
Internet ...)
        NOT-FOR-US: RSA Authentication Agent for Web for Internet Information 
Services
 CVE-2013-3279 (EMC Atmos before 2.1.4 has a blank password for the PostgreSQL 
...)
        NOT-FOR-US: EMC
@@ -7172,10 +7225,9 @@
        NOTE: 
http://git.videolan.org/?p=vlc.git;a=commit;h=59c9e8309d5b435a2d85c2c9eaae979ba56ccdd9
        NOTE: http://secunia.com/blog/372/
        NOTE: http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia
-CVE-2013-3244
-       RESERVED
-CVE-2013-3243
-       RESERVED
+CVE-2013-3244 (Multiple unspecified vulnerabilities in the 
CJDB_FILL_MEMORY_FROM_PPB ...)
+       TODO: check
+CVE-2013-3243 (Unspecified vulnerability in OpenText/IXOS ECM for SAP 
NetWeaver ...)
        NOT-FOR-US: SAP NetWeaver
 CVE-2013-3242 (plugins/system/remember/remember.php in Joomla! 2.5.x before 
2.5.10 ...)
        - joomla <itp> (bug #571794)
@@ -8612,8 +8664,7 @@
 CVE-2013-2652
        RESERVED
        NOT-FOR-US: WebCollab
-CVE-2013-2651
-       RESERVED
+CVE-2013-2651 (Multiple cross-site scripting (XSS) vulnerabilities in BoltWire 
3.5 ...)
        NOT-FOR-US: Boltwire
 CVE-2013-2650
        RESERVED
@@ -9775,8 +9826,7 @@
        - linux-2.6 <removed> (low)
        - linux 3.9.4-1 (low)
        NOTE: 
https://github.com/torvalds/linux/commit/85dfb745ee40232876663ae206cba35f24ab2a40
-CVE-2013-2236 [Quagga OSPF-API stack overrun]
-       RESERVED
+CVE-2013-2236 (Stack-based buffer overflow in the new_msg_lsa_change_notify 
function ...)
        - quagga 0.99.22.4-1 (bug #726724)
        NOTE: http://lists.quagga.net/pipermail/quagga-dev/2013-July/010621.html
 CVE-2013-2235
@@ -9872,8 +9922,7 @@
        NOTE: http://santuario.apache.org/secadv.data/CVE-2013-2210.txt
 CVE-2013-2209 (Cross-site scripting (XSS) vulnerability in the auto-complete 
widget ...)
        NOT-FOR-US: Reviewboard (this was once in experimental, but removed 
later on)
-CVE-2013-2208 [arbitrary code execution when processing untrusted TPP template]
-       RESERVED
+CVE-2013-2208 (tpp 1.3.1 allows remote attackers to execute arbitrary commands 
via a ...)
        - tpp 1.3.1-3 (low; bug #706644)
        [squeeze] - tpp <no-dsa> (Minor issue)
        [wheezy] - tpp <no-dsa> (Minor issue)
@@ -9944,8 +9993,7 @@
        - linux <not-affected> (RHEL-specific issue)
 CVE-2013-2187
        RESERVED
-CVE-2013-2186
-       RESERVED
+CVE-2013-2186 (The DiskFileItem class in Apache Commons FileUpload as used in, 
Red ...)
        - libcommons-fileupload-java <unfixed> (bug #726601)
 CVE-2013-2185 [tomcat: arbitrary file upload via deserialization]
        RESERVED
@@ -10035,7 +10083,7 @@
        {DSA-2737-1}
        - swift 1.8.0-6 (low; bug #712202)
        [wheezy] - swift 1.4.8-2+deb7u1
-CVE-2013-2160 (Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x 
before ...)
+CVE-2013-2160 (The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 
2.6.x ...)
        NOT-FOR-US: Apache CXF
 CVE-2013-2159 [monkey broken authentication]
        RESERVED
@@ -10242,8 +10290,7 @@
        NOTE: Starting with 2013.1-1 code in keystone/middleware/auth_token.py 
moved to python-keystoneclient
 CVE-2013-2103
        RESERVED
-CVE-2013-2102
-       RESERVED
+CVE-2013-2102 (The default configuration of Red Hat JBoss Portal before 6.1.0 
enables ...)
        NOT-FOR-US: GateIn Portal
 CVE-2013-2101
        RESERVED
@@ -11461,13 +11508,11 @@
        RESERVED
 CVE-2013-1744
        RESERVED
-CVE-2013-1743 [Cross-Site Scripting]
-       RESERVED
+CVE-2013-1743 (Multiple cross-site scripting (XSS) vulnerabilities in 
report.cgi in ...)
        - bugzilla <not-affected> (Only affects 4.1 to 4.4)
        - bugzilla4 <itp> (bug #669643)
        NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=924932
-CVE-2013-1742 [Cross-Site Scripting]
-       RESERVED
+CVE-2013-1742 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
        - bugzilla <removed> (low)
        [squeeze] - bugzilla <no-dsa> (Minor issue)
        - bugzilla4 <itp> (bug #669643)
@@ -11509,14 +11554,12 @@
        [squeeze] - icedove <end-of-life>
        - iceape <unfixed>
        [squeeze] - iceape <end-of-life>
-CVE-2013-1734 [Cross-Site Request Forgery]
-       RESERVED
+CVE-2013-1734 (Cross-site request forgery (CSRF) vulnerability in 
attachment.cgi in ...)
        - bugzilla <removed> (low)
        [squeeze] - bugzilla <no-dsa> (Minor issue)
        - bugzilla4 <itp> (bug #669643)
        NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=913904
-CVE-2013-1733 [Cross-Site Request Forgery]
-       RESERVED
+CVE-2013-1733 (Cross-site request forgery (CSRF) vulnerability in 
process_bug.cgi in ...)
        - bugzilla <not-affected> (Only affects 4.4)
        - bugzilla4 <itp> (bug #669643)
        NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=911593
@@ -12525,8 +12568,7 @@
        RESERVED
 CVE-2013-1446
        RESERVED
-CVE-2013-1445 [PRNG not correctly reseeded in some situations]
-       RESERVED
+CVE-2013-1445 (The Crypto.Random.atfork function in PyCrypto before 2.6.1 does 
not ...)
        {DSA-2781-1}
        - python-crypto 2.6.1-1
 CVE-2013-1444 (A certain Debian patch for txt2man 1.5.5, as used in txt2man 
1.5.5-2, ...)
@@ -13402,8 +13444,8 @@
        RESERVED
 CVE-2013-1068
        RESERVED
-CVE-2013-1067
-       RESERVED
+CVE-2013-1067 (Apport 2.12.5 and earlier uses weak permissions for core dump 
files ...)
+       TODO: check
 CVE-2013-1066 (language-selector 0.110.x before 0.110.1, 0.90.x before 0.90.1, 
and ...)
        NOT-FOR-US: language-selector
 CVE-2013-1065 (backend.py in Jockey before 0.9.7-0ubuntu7.11 does not properly 
use ...)
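Review bot: CVE-2013-1067 is left at `TODO: check` in this hunk while the adjacent language-selector entry is already resolved as `NOT-FOR-US: language-selector`; the new Apport description should get the same triage pass so the entry closes with either a package line or a NOT-FOR-US mark instead of an open TODO.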
@@ -13428,8 +13470,7 @@
        RESERVED
 CVE-2013-1057
        RESERVED
-CVE-2013-1056
-       RESERVED
+CVE-2013-1056 (X.org X server 1.13.3 and earlier, when not run as root, allows 
local ...)
        - xorg-server <not-affected> (Ubuntu-specific patch, see 
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1056.html)
 CVE-2013-1055
        RESERVED
@@ -15728,8 +15769,7 @@
 CVE-2013-0338 (libxml2 2.9.0 and earlier allows context-dependent attackers to 
cause ...)
        {DSA-2652-1}
        - libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260)
-CVE-2013-0337 [Directory /var/log/nginx is world readable]
-       RESERVED
+CVE-2013-0337 (The default configuration of nginx, possibly 1.3.13 and 
earlier, uses ...)
        - nginx <unfixed> (low; bug #701112)
        [squeeze] - nginx <no-dsa> (Minor issue)
        [wheezy] - nginx <no-dsa> (Minor issue)
@@ -16495,8 +16535,7 @@
        RESERVED
 CVE-2012-6304
        RESERVED
-CVE-2012-6303 [WaveSurfer and Snack Sound Toolkit buffer overflows]
-       RESERVED
+CVE-2012-6303 (Heap-based buffer overflow in the GetWavHeader function in ...)
        - snack 2.2.10-dfsg1-12.1 (low; bug #695614)
        [squeeze] - snack 2.2.10-dfsg1-9+squeeze1
        - wavesurfer <not-affected> (originally reported in wavesurfer, but 
actually a bug in libsnack, see bug #695615)
@@ -21500,8 +21539,7 @@
        NOT-FOR-US: Red Hat CloudForms
 CVE-2012-4573 (The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and 
Essex ...)
        - glance 2012.1.1-2 (bug #692641)
-CVE-2012-4572
-       RESERVED
+CVE-2012-4572 (Red Hat JBoss Enterprise Application Platform (EAP) before 
6.1.0 and ...)
        - jbossas4 <not-affected> (Only builds a few libraries, not the full 
application server, #581226)
 CVE-2012-4571 (Python Keyring 0.9.1 does not securely initialize the cipher 
when ...)
        - python-keyring 0.9.2-1 (bug #675379)
@@ -21626,8 +21664,7 @@
        - linux 3.2.35-1
        - linux-2.6 <removed>
        [squeeze] - linux-2.6 2.6.32-48
-CVE-2012-4529
-       RESERVED
+CVE-2012-4529 (The org.apache.catalina.connector.Response.encodeURL method in 
Red Hat ...)
        - jbossas4 <not-affected> (Only builds a few libraries, not the full 
application server)
 CVE-2012-4528 (The mod_security2 module before 2.7.0 for the Apache HTTP 
Server ...)
        - modsecurity-apache 2.6.6-5 (bug #691146)
@@ -31089,17 +31126,14 @@
 CVE-2012-0828
        RESERVED
        - xchat <not-affected> (Only affects Xchat on Windows and Maemo)
-CVE-2012-0827
-       RESERVED
+CVE-2012-0827 (The File module in Drupal 7.x before 7.11, when using 
unspecified ...)
        - drupal7 7.11-1
        - drupal6 <not-affected>
-CVE-2012-0826
-       RESERVED
+CVE-2012-0826 (Cross-site request forgery (CSRF) vulnerability in the 
Aggregator ...)
        {DSA-2776-1}
        - drupal7 7.11-1
        - drupal6 6.26-1
-CVE-2012-0825
-       RESERVED
+CVE-2012-0825 (Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that 
...)
        {DSA-2776-1}
        - drupal7 7.11-1
        - drupal6 6.26-1
@@ -35910,8 +35944,7 @@
        - phpmyadmin 4:3.4.7.1-1 (bug #656247)
        [lenny] - phpmyadmin <not-affected> (Vulerable code not present)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=751112
-CVE-2011-4106
-       RESERVED
+CVE-2011-4106 (TimThumb (timthumb.php) before 2.0 does not validate the entire 
source ...)
        NOT-FOR-US: wordpress plugin timthumb
 CVE-2011-4105 (LightDM before 1.0.6 allows local users to change ownership of 
...)
        - lightdm 1.0.6-2
@@ -57776,8 +57809,7 @@
        - xmail 1.27-1 (low)
        [lenny] - xmail <no-dsa> (Minor issue)
        NOTE: http://www.xmailserver.org/ChangeLog.html#feb_25__2010_v_1_27
-CVE-2010-1159 [aircrack-ng EAPOL buffer overflow]
-       RESERVED
+CVE-2010-1159 (Multiple heap-based buffer overflows in Aircrack-ng before 1.1 
allow ...)
        - aircrack-ng 1:1.1-1 (low; bug #577758)
        [lenny] - aircrack-ng <no-dsa> (low)
        [etch] - aircrack-ng <no-dsa> (low)


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits