Author: carnil
Date: 2013-12-07 23:01:26 +0000 (Sat, 07 Dec 2013)
New Revision: 24620

Modified:
   data/CVE/list
Log:
Run a manual update for CVE list

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2013-12-07 16:21:35 UTC (rev 24619)
+++ data/CVE/list       2013-12-07 23:01:26 UTC (rev 24620)
@@ -1,3 +1,245 @@
+CVE-2014-0365
+       RESERVED
+CVE-2014-0364
+       RESERVED
+CVE-2014-0363
+       RESERVED
+CVE-2014-0362
+       RESERVED
+CVE-2014-0361
+       RESERVED
+CVE-2014-0360
+       RESERVED
+CVE-2014-0359
+       RESERVED
+CVE-2014-0358
+       RESERVED
+CVE-2014-0357
+       RESERVED
+CVE-2014-0356
+       RESERVED
+CVE-2014-0355
+       RESERVED
+CVE-2014-0354
+       RESERVED
+CVE-2014-0353
+       RESERVED
+CVE-2014-0352
+       RESERVED
+CVE-2014-0351
+       RESERVED
+CVE-2014-0350
+       RESERVED
+CVE-2014-0349
+       RESERVED
+CVE-2014-0348
+       RESERVED
+CVE-2014-0347
+       RESERVED
+CVE-2014-0346
+       RESERVED
+CVE-2014-0345
+       RESERVED
+CVE-2014-0344
+       RESERVED
+CVE-2014-0343
+       RESERVED
+CVE-2014-0342
+       RESERVED
+CVE-2014-0341
+       RESERVED
+CVE-2014-0340
+       RESERVED
+CVE-2014-0339
+       RESERVED
+CVE-2014-0338
+       RESERVED
+CVE-2014-0337
+       RESERVED
+CVE-2014-0336
+       RESERVED
+CVE-2014-0335
+       RESERVED
+CVE-2014-0334
+       RESERVED
+CVE-2014-0333
+       RESERVED
+CVE-2014-0332
+       RESERVED
+CVE-2014-0331
+       RESERVED
+CVE-2014-0330
+       RESERVED
+CVE-2014-0329
+       RESERVED
+CVE-2014-0328
+       RESERVED
+CVE-2014-0327
+       RESERVED
+CVE-2014-0326
+       RESERVED
+CVE-2013-7001 (The Multimedia Messaging Centre (MMSC) in NowSMS Now SMS & 
MMS Gateway ...)
+       TODO: check
+CVE-2013-7000 (The Multimedia Messaging Centre (MMSC) in NowSMS Now SMS & 
MMS Gateway ...)
+       TODO: check
+CVE-2013-6999 (** DISPUTED ** The IsHandleEntrySecure function in win32k.sys 
in the ...)
+       TODO: check
+CVE-2013-6998
+       RESERVED
+CVE-2013-6997
+       RESERVED
+CVE-2013-6996
+       RESERVED
+CVE-2013-6995
+       RESERVED
+CVE-2013-6994
+       RESERVED
+CVE-2013-6993
+       RESERVED
+CVE-2013-6992
+       RESERVED
+CVE-2013-6991
+       RESERVED
+CVE-2013-6990
+       RESERVED
+CVE-2013-6989
+       RESERVED
+CVE-2013-6988
+       RESERVED
+CVE-2013-6987
+       RESERVED
+CVE-2013-6986
+       RESERVED
+CVE-2013-6984
+       RESERVED
+CVE-2013-6983
+       RESERVED
+CVE-2013-6982
+       RESERVED
+CVE-2013-6981
+       RESERVED
+CVE-2013-6980
+       RESERVED
+CVE-2013-6979
+       RESERVED
+CVE-2013-6978
+       RESERVED
+CVE-2013-6977
+       RESERVED
+CVE-2013-6976
+       RESERVED
+CVE-2013-6975
+       RESERVED
+CVE-2013-6974
+       RESERVED
+CVE-2013-6973
+       RESERVED
+CVE-2013-6972
+       RESERVED
+CVE-2013-6971
+       RESERVED
+CVE-2013-6970
+       RESERVED
+CVE-2013-6969
+       RESERVED
+CVE-2013-6968
+       RESERVED
+CVE-2013-6967
+       RESERVED
+CVE-2013-6966
+       RESERVED
+CVE-2013-6965
+       RESERVED
+CVE-2013-6964
+       RESERVED
+CVE-2013-6963
+       RESERVED
+CVE-2013-6962
+       RESERVED
+CVE-2013-6961
+       RESERVED
+CVE-2013-6960
+       RESERVED
+CVE-2013-6959
+       RESERVED
+CVE-2013-6958
+       RESERVED
+CVE-2013-6957
+       RESERVED
+CVE-2013-6956
+       RESERVED
+CVE-2013-6955
+       RESERVED
+CVE-2013-6954
+       RESERVED
+CVE-2013-6953
+       RESERVED
+CVE-2013-6952
+       RESERVED
+CVE-2013-6951
+       RESERVED
+CVE-2013-6950
+       RESERVED
+CVE-2013-6949
+       RESERVED
+CVE-2013-6948
+       RESERVED
+CVE-2013-6947
+       RESERVED
+CVE-2013-6946
+       RESERVED
+CVE-2013-6945 (The M2M Broker in OSEHRA VistA, as distributed before September 
30, ...)
+       TODO: check
+CVE-2013-6944
+       RESERVED
+CVE-2013-6943
+       RESERVED
+CVE-2013-6942
+       RESERVED
+CVE-2013-6941
+       RESERVED
+CVE-2013-6940
+       RESERVED
+CVE-2013-6939
+       RESERVED
+CVE-2013-6938
+       RESERVED
+CVE-2013-6937 (Buffer overflow in VideoCharge Software Watermark Master 2.2.23 
allows ...)
+       TODO: check
+CVE-2013-6936 (Multiple SQL injection vulnerabilities in ajaxfs.php in the 
Ajax forum ...)
+       TODO: check
+CVE-2013-6935 (Buffer overflow in VideoCharge Software Watermark Master 2.2.23 
allows ...)
+       TODO: check
+CVE-2013-6934
+       RESERVED
+CVE-2013-6933
+       RESERVED
+CVE-2013-6932
+       RESERVED
+CVE-2013-6931
+       RESERVED
+CVE-2013-6930
+       RESERVED
+CVE-2013-6929
+       RESERVED
+CVE-2013-6928
+       RESERVED
+CVE-2013-6927
+       RESERVED
+CVE-2013-6926
+       RESERVED
+CVE-2013-6925
+       RESERVED
+CVE-2013-6924
+       RESERVED
+CVE-2013-6923
+       RESERVED
+CVE-2013-6922
+       RESERVED
+CVE-2013-6921
+       RESERVED
+CVE-2012-6612 (The (1) UpdateRequestHandler for XSLT or (2) 
XPathEntityProcessor in ...)
+       TODO: check
 CVE-2014-0325
        RESERVED
 CVE-2014-0324
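Review bot: CVE-2012-6612 is left at "TODO: check" although its description names the UpdateRequestHandler (for XSLT) and XPathEntityProcessor, the same Solr update-handler family that CVE-2013-6407 ("The UpdateRequestHandler for XML in Apache Solr") is tracked against later in this patch with "- lucene-solr <unfixed> (bug #731113)". Resolving it with a lucene-solr line (and the matching bug reference) would be more useful than an open TODO, since every other Solr CVE in this update already has one.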
@@ -649,47 +891,48 @@
 CVE-2014-0001
        RESERVED
 CVE-2013-6985
+       RESERVED
        NOT-FOR-US: Enorth Webpublisher CMS
-CVE-2013-6920
-       RESERVED
+CVE-2013-6920 (Siemens SINAMICS S/G controllers with firmware before 4.6.11 do 
not ...)
+       TODO: check
 CVE-2013-6919
        RESERVED
 CVE-2013-6917
        RESERVED
-CVE-2013-6916
-       RESERVED
-CVE-2013-6915
-       RESERVED
-CVE-2013-6914
-       RESERVED
-CVE-2013-6913
-       RESERVED
-CVE-2013-6912
-       RESERVED
-CVE-2013-6911
-       RESERVED
-CVE-2013-6910
-       RESERVED
-CVE-2013-6909
-       RESERVED
-CVE-2013-6908
-       RESERVED
-CVE-2013-6907
-       RESERVED
-CVE-2013-6906
-       RESERVED
-CVE-2013-6905
-       RESERVED
-CVE-2013-6904
-       RESERVED
-CVE-2013-6903
-       RESERVED
-CVE-2013-6902
-       RESERVED
-CVE-2013-6901
-       RESERVED
-CVE-2013-6900
-       RESERVED
+CVE-2013-6916 (Cross-site scripting (XSS) vulnerability in the Yahoo! User 
Interface ...)
+       TODO: check
+CVE-2013-6915 (Cross-site scripting (XSS) vulnerability in the 
system-administration ...)
+       TODO: check
+CVE-2013-6914 (Cross-site scripting (XSS) vulnerability in a calendar 
component in ...)
+       TODO: check
+CVE-2013-6913 (Cross-site scripting (XSS) vulnerability in a search component 
in ...)
+       TODO: check
+CVE-2013-6912 (Cross-site scripting (XSS) vulnerability in a calendar 
component in ...)
+       TODO: check
+CVE-2013-6911 (Cross-site scripting (XSS) vulnerability in the bulletin-board 
...)
+       TODO: check
+CVE-2013-6910 (Cross-site scripting (XSS) vulnerability in Ajax components in 
Cybozu ...)
+       TODO: check
+CVE-2013-6909 (Cross-site scripting (XSS) vulnerability in a report component 
in ...)
+       TODO: check
+CVE-2013-6908 (Cross-site scripting (XSS) vulnerability in a mail component in 
Cybozu ...)
+       TODO: check
+CVE-2013-6907 (Cross-site scripting (XSS) vulnerability in a mail component in 
Cybozu ...)
+       TODO: check
+CVE-2013-6906 (Cross-site scripting (XSS) vulnerability in a mail component in 
Cybozu ...)
+       TODO: check
+CVE-2013-6905 (Cross-site scripting (XSS) vulnerability in a phone component 
in ...)
+       TODO: check
+CVE-2013-6904 (Cross-site scripting (XSS) vulnerability in a note component in 
Cybozu ...)
+       TODO: check
+CVE-2013-6903 (Cross-site scripting (XSS) vulnerability in a schedule 
component in ...)
+       TODO: check
+CVE-2013-6902 (Cross-site scripting (XSS) vulnerability in the Space function 
in ...)
+       TODO: check
+CVE-2013-6901 (Cross-site scripting (XSS) vulnerability in the Space function 
in ...)
+       TODO: check
+CVE-2013-6900 (Cross-site scripting (XSS) vulnerability in the 
system-administration ...)
+       TODO: check
 CVE-2013-6918 (The web interface on the Satechi travel router 1.5, when Wi-Fi 
is used ...)
        NOT-FOR-US: Satechi travel router
 CVE-2013-6899
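Review bot: the eighteen entries CVE-2013-6916 through CVE-2013-6900 are all cross-site scripting issues from one vendor batch (several of the visible descriptions name Cybozu), and each is left as a separate "TODO: check"; the same vendor appears again in this patch for CVE-2013-6004 through CVE-2013-6001 (Cybozu Garoon). One product check would settle all of them at once, so consider triaging the batch together rather than leaving more than twenty open TODO lines for the same product line. Also note that CVE-2013-6985 now carries a RESERVED marker directly above its existing "NOT-FOR-US: Enorth Webpublisher CMS" line; the disposition still stands, but it is worth confirming once the upstream description is published.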
@@ -912,8 +1155,7 @@
        RESERVED
 CVE-2013-6805
        RESERVED
-CVE-2013-6804
-       RESERVED
+CVE-2013-6804 (Cross-site scripting (XSS) vulnerability in the Search module 
before ...)
        NOT-FOR-US: Jamroom Search module
 CVE-2013-6803
        RESERVED
@@ -950,8 +1192,8 @@
        - silverstripe <itp> (bug #528461)
 CVE-2013-6788
        RESERVED
-CVE-2013-6787
-       RESERVED
+CVE-2013-6787 (SQL injection vulnerability in the check_user_password function 
in ...)
+       TODO: check
 CVE-2013-6786
        RESERVED
 CVE-2013-6785
@@ -1110,8 +1352,8 @@
        RESERVED
 CVE-2013-6708
        RESERVED
-CVE-2013-6707
-       RESERVED
+CVE-2013-6707 (Memory leak in the connection-manager implementation in Cisco 
Adaptive ...)
+       TODO: check
 CVE-2013-6706 (The Cisco Express Forwarding processing module in Cisco IOS XE 
allows ...)
        NOT-FOR-US: Cisco IOS XE
 CVE-2013-6705 (The IP Device Tracking (IPDT) feature in Cisco IOS and IOS XE 
allows ...)
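Review bot: CVE-2013-6707 is left at "TODO: check" while the description already names a Cisco Adaptive ... product, and the adjacent entries CVE-2013-6706 and CVE-2013-6705 in this hunk are closed as "NOT-FOR-US: Cisco IOS XE" / "NOT-FOR-US: Cisco". Unless a Debian package ships that connection manager, the consistent disposition is "NOT-FOR-US: Cisco" rather than an open TODO.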
@@ -1120,8 +1362,8 @@
        NOT-FOR-US: Cisco
 CVE-2013-6703 (The TLS/SSLv3 module on Cisco ONS 15454 controller cards allows 
remote ...)
        NOT-FOR-US: Cisco
-CVE-2013-6702
-       RESERVED
+CVE-2013-6702 (The management implementation on Cisco ONS 15454 controller 
cards with ...)
+       TODO: check
 CVE-2013-6701
        RESERVED
 CVE-2013-6700 (The SNMP module in Cisco IOS XR allows remote attackers to 
cause a ...)
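Review bot: CVE-2013-6702 describes the same Cisco ONS 15454 controller cards as CVE-2013-6703 immediately above it, which is already "NOT-FOR-US: Cisco"; the new "TODO: check" on 6702 can be resolved the same way rather than left open.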
@@ -1244,35 +1486,28 @@
        RESERVED
 CVE-2013-6641
        RESERVED
-CVE-2013-6640
-       RESERVED
+CVE-2013-6640 (The DehoistArrayIndex function in hydrogen-dehoist.cc in Google 
V8 ...)
        - libv8 <unfixed>
        - chromium-browser 31.0.1650.63-1
        [squeeze] - chromium-browser <end-of-life>
-CVE-2013-6639
-       RESERVED
+CVE-2013-6639 (The DehoistArrayIndex function in hydrogen-dehoist.cc in Google 
V8 ...)
        - libv8 <unfixed>
        - chromium-browser 31.0.1650.63-1
        [squeeze] - chromium-browser <end-of-life>
-CVE-2013-6638
-       RESERVED
+CVE-2013-6638 (Multiple buffer overflows in runtime.cc in Google V8 before 
3.22.24.7, ...)
        - libv8 <unfixed>
        - chromium-browser 31.0.1650.63-1
        [squeeze] - chromium-browser <end-of-life>
-CVE-2013-6637
-       RESERVED
+CVE-2013-6637 (Multiple unspecified vulnerabilities in Google Chrome before 
...)
        - chromium-browser 31.0.1650.63-1
        [squeeze] - chromium-browser <end-of-life>
-CVE-2013-6636
-       RESERVED
+CVE-2013-6636 (The FrameLoader::notifyIfInitialDocumentAccessed function in 
...)
        - chromium-browser 31.0.1650.63-1
        [squeeze] - chromium-browser <end-of-life>
-CVE-2013-6635
-       RESERVED
+CVE-2013-6635 (Use-after-free vulnerability in the editing implementation in 
Blink, ...)
        - chromium-browser 31.0.1650.63-1
        [squeeze] - chromium-browser <end-of-life>
-CVE-2013-6634
-       RESERVED
+CVE-2013-6634 (The OneClickSigninHelper::ShowInfoBarIfPossible function in ...)
        - chromium-browser 31.0.1650.63-1
        [squeeze] - chromium-browser <end-of-life>
 CVE-2013-6633
@@ -1779,30 +2014,26 @@
        RESERVED
 CVE-2013-6418
        RESERVED
-CVE-2013-6417 [Unsafe Query Generation]
-       RESERVED
+CVE-2013-6417 (actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails 
before ...)
        - rails-4.0 4.0.2+dfsg-1 (bug #731290)
        - ruby-actionpack-3.2 3.2.16-1 (bug #731288)
        - ruby-actionpack-2.3 <not-affected> (vulnerable code not present)
        - rails 2.3.14.1
        NOTE: Starting with 2.3.14.1 rails is a transition package
        NOTE: CVE for incomplete fix for CVE-2013-0155
-CVE-2013-6416 [XSS]
-       RESERVED
+CVE-2013-6416 (Cross-site scripting (XSS) vulnerability in the simple_format 
helper ...)
        - rails-4.0 4.0.2+dfsg-1 (bug #731290)
        - ruby-actionpack-3.2 <not-affected> (vulnerable code not present)
        - ruby-actionpack-2.3 <not-affected> (vulnerable coee not present)
        - rails 2.3.14.1
        NOTE: Starting with 2.3.14.1 rails is a transition package
-CVE-2013-6415 [XSS]
-       RESERVED
+CVE-2013-6415 (Cross-site scripting (XSS) vulnerability in the 
number_to_currency ...)
        - rails-4.0 4.0.2+dfsg-1 (bug #731290)
        - ruby-actionpack-3.2 3.2.16-1 (bug #731288)
        - ruby-actionpack-2.3 <unfixed> (bug #731289)
        - rails 2.3.14.1
        NOTE: Starting with 2.3.14.1 rails is a transition package
-CVE-2013-6414 [Denial of Service Vulnerability]
-       RESERVED
+CVE-2013-6414 (actionpack/lib/action_view/lookup_context.rb in Action View in 
Ruby on ...)
        - rails-4.0 4.0.2+dfsg-1 (bug #731290)
        - ruby-actionpack-3.2 3.2.16-1 (bug #731288)
        - ruby-actionpack-2.3 <not-affected> (vulnerable code not present)
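Review bot: the unchanged context line for CVE-2013-6416, "- ruby-actionpack-2.3 <not-affected> (vulnerable coee not present)", has a typo; the neighbouring entries CVE-2013-6417 and CVE-2013-6414 spell it "vulnerable code not present". It is not introduced by this change, but a follow-up commit should fix it so the four Rails entries read consistently.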
@@ -1824,21 +2055,17 @@
        [squeeze] - openttd <no-dsa> (Minor issue)
        [wheezy] - openttd <no-dsa> (Minor issue)
        NOTE: http://bugs.openttd.org/task/5820
-CVE-2013-6410 [incorrect parsing of access control file in nbd-server]
-       RESERVED
+CVE-2013-6410 (nbd-server in Network Block Device (nbd) before 3.5 does not 
properly ...)
        {DSA-2806-1}
        - nbd 1:3.5-1
        NOTE: 
http://anonscm.debian.org/gitweb/?p=users/wouter/nbd.git;a=commitdiff;h=0e9bd98c44dd94d9ede92655a36849fbc8cbf5b9
-CVE-2013-6409 [privilege escalation via tty hijacking]
-       RESERVED
+CVE-2013-6409 (Debian adequate before 0.8.1, when run by root with the --user 
option, ...)
        - adequate 0.8.1 (bug #730691)
        NOTE: 
https://bitbucket.org/jwilk/adequate/commits/94e5fc5d810057bffb673501ed809f7c2dabd9ee
-CVE-2013-6408
-       RESERVED
+CVE-2013-6408 (The DocumentAnalysisRequestHandler in Apache Solr before 4.3.1 
does ...)
        - lucene-solr <unfixed> (bug #731113)
        NOTE: https://issues.apache.org/jira/browse/SOLR-4881
-CVE-2013-6407
-       RESERVED
+CVE-2013-6407 (The UpdateRequestHandler for XML in Apache Solr before 4.1 
allows ...)
        - lucene-solr <unfixed> (bug #731113)
        NOTE: https://issues.apache.org/jira/browse/SOLR-3895
 CVE-2013-6406
@@ -1869,16 +2096,14 @@
        RESERVED
 CVE-2013-6398
        RESERVED
-CVE-2013-6397
-       RESERVED
+CVE-2013-6397 (Directory traversal vulnerability in SolrResourceLoader in 
Apache Solr ...)
        - lucene-solr <unfixed> (bug #731113)
        NOTE: https://issues.apache.org/jira/browse/SOLR-4882
 CVE-2013-6396 [does not properly verify the server SSL certificates]
        RESERVED
        - python-swiftclient <unfixed> (bug #730626)
        NOTE: https://bugs.launchpad.net/python-swiftclient/+bug/1199783
-CVE-2013-6395 [XSS]
-       RESERVED
+CVE-2013-6395 (Cross-site scripting (XSS) vulnerability in header.php in 
Ganglia Web ...)
        - ganglia-web <unfixed> (bug #730507)
        [squeeze] - ganglia <not-affected> (Vulnerable code not present)
        [wheezy] - ganglia <no-dsa> (Minor issue)
@@ -1898,8 +2123,7 @@
        RESERVED
 CVE-2013-6390
        RESERVED
-CVE-2013-6389 [Open redirect]
-       RESERVED
+CVE-2013-6389 (Open redirect vulnerability in the Overlay module in Drupal 7.x 
before ...)
        {DSA-2804-1}
        - drupal7 7.24-1
 CVE-2013-6388 [Cross-site scripting]
@@ -1910,14 +2134,12 @@
        RESERVED
        {DSA-2804-1}
        - drupal7 7.24-1
-CVE-2013-6386 [weakness in pseudorandom number generation using mt_rand()]
-       RESERVED
+CVE-2013-6386 (Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand 
...)
        {DSA-2804-1}
        - drupal6 <removed>
        - drupal7 7.24-1
        NOTE: https://drupal.org/SA-CORE-2013-003
-CVE-2013-6385 [Multiple vulnerabilities due to optimistic cross-site request 
forgery protection]
-       RESERVED
+CVE-2013-6385 (The form API in Drupal 6.x before 6.29 and 7.x before 7.24, 
when used ...)
        {DSA-2804-1}
        - drupal6 <removed>
        - drupal7 7.24-1
@@ -2021,8 +2243,7 @@
        RESERVED
 CVE-2013-6342 (Cross-site scripting (XSS) vulnerability in the Tweet Blender 
plugin ...)
        NOT-FOR-US: Tweet Blender plugin for WP
-CVE-2013-6341
-       RESERVED
+CVE-2013-6341 (SQL injection vulnerability in Dokeos 2.2 RC2 and earlier 
allows ...)
        NOT-FOR-US: Dokeos
 CVE-2004-XXXX [base-passwd: sets valid shells for system services]
        - bass-passwd <unfixed> (low; bug #274229)
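Review bot: the unchanged context line "- bass-passwd <unfixed> (low; bug #274229)" under CVE-2004-XXXX looks like a misspelling of base-passwd, the package named in the entry's own bracketed title; a misspelled source package name will not match any package in the tracker, so the entry is effectively untracked. Not part of this change, but worth a follow-up fix.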
@@ -2197,8 +2418,7 @@
        RESERVED
 CVE-2013-6268
        RESERVED
-CVE-2013-6267
-       RESERVED
+CVE-2013-6267 (Multiple cross-site scripting (XSS) vulnerabilities in 
Claroline ...)
        NOT-FOR-US: Claroline
 CVE-2013-6266
        RESERVED
@@ -2676,8 +2896,7 @@
        {DSA-2803-1}
        - quagga 0.99.22.4-1 (bug #730513)
        [squeeze] - quagga <not-affected> (Only affects 0.99.21)
-CVE-2013-6050
-       RESERVED
+CVE-2013-6050 (Integer overflow in Links before 2.8 allows remote attackers to 
cause ...)
        {DSA-2807-1}
        - links2 2.8-1
 CVE-2013-6049 [insecure temporary file creation]
@@ -2730,8 +2949,8 @@
        RESERVED
 CVE-2013-6030
        RESERVED
-CVE-2013-6029
-       RESERVED
+CVE-2013-6029 (Stack-based buffer overflow in the AT&amp;T Connect Participant 
...)
+       TODO: check
 CVE-2013-6028
        RESERVED
 CVE-2013-6027 (Stack-based buffer overflow in the RuntimeDiagnosticPing 
function in ...)
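Review bot: the added description for CVE-2013-6029 contains the HTML entity "&amp;" ("AT&amp;T Connect Participant") rather than a literal ampersand, whereas the CVE-2013-7001 description earlier in this patch has a plain "&" ("Now SMS & MMS Gateway"). If the entity is really in the committed file and not an artefact of the archive rendering, the description should be unescaped to "AT&T Connect Participant".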
@@ -2780,16 +2999,16 @@
        RESERVED
 CVE-2013-6005
        RESERVED
-CVE-2013-6004
-       RESERVED
-CVE-2013-6003
-       RESERVED
-CVE-2013-6002
-       RESERVED
-CVE-2013-6001
-       RESERVED
-CVE-2013-6000
-       RESERVED
+CVE-2013-6004 (Session fixation vulnerability in Cybozu Garoon before 3.7.2 
allows ...)
+       TODO: check
+CVE-2013-6003 (CRLF injection vulnerability in Cybozu Garoon 3.1 through 3.5 
SP5, ...)
+       TODO: check
+CVE-2013-6002 (The server in Cybozu Garoon before 3.7 SP1 allows remote 
attackers to ...)
+       TODO: check
+CVE-2013-6001 (SQL injection vulnerability in the Space function in Cybozu 
Garoon ...)
+       TODO: check
+CVE-2013-6000 (Directory traversal vulnerability in Tattyan HP TOWN before 
5_10_1 ...)
+       TODO: check
 CVE-2013-5999 (Kingsoft KDrive Personal before 1.21.0.1880 on Windows does not 
verify ...)
        NOT-FOR-US: Kingsoft KDrive Personal
 CVE-2013-5998 (Unspecified vulnerability in the Web manager implementation on 
D-Link ...)
@@ -4153,8 +4372,8 @@
        NOT-FOR-US: IBM JDK
 CVE-2013-5456 (Unspecified vulnerability in IBM Java SDK 7.0.0 before SR6 
allows ...)
        NOT-FOR-US: IBM JDK
-CVE-2013-5455
-       RESERVED
+CVE-2013-5455 (IBM SmartCloud Provisioning 2.1 before FP3 IF0001 allows remote 
...)
+       TODO: check
 CVE-2013-5454 (IBM WebSphere Portal 6.0 through 6.0.1.7, 6.1.0 through 6.1.0.6 
CF27, ...)
        NOT-FOR-US: IBM WebSphere
 CVE-2013-5453 (IBM Security AppScan Enterprise 5.6 through 8.7.0.1 allows 
remote ...)
@@ -4165,8 +4384,8 @@
        RESERVED
 CVE-2013-5450 (IBM Security AppScan Enterprise 8.5 through 8.7.0.1, when Jazz 
...)
        NOT-FOR-US: IBM
-CVE-2013-5449
-       RESERVED
+CVE-2013-5449 (Cross-site scripting (XSS) vulnerability in workingSet.jsp in 
IBM ...)
+       TODO: check
 CVE-2013-5448 (Cross-site scripting (XSS) vulnerability in the Right Click 
Plugin ...)
        NOT-FOR-US: IBM Security QRadar SIEM
 CVE-2013-5447
@@ -4862,8 +5081,8 @@
        RESERVED
 CVE-2013-5109
        RESERVED
-CVE-2013-5108
-       RESERVED
+CVE-2013-5108 (Multiple cross-site scripting (XSS) vulnerabilities in the xn 
function ...)
+       TODO: check
 CVE-2013-5107
        RESERVED
 CVE-2013-5106
@@ -6154,8 +6373,7 @@
 CVE-2013-4559 (lighttpd before 1.4.33 does not check the return value of the 
(1) ...)
        {DSA-2795-1}
        - lighttpd 1.4.33-1+nmu1 (bug #729453)
-CVE-2013-4558 [mod_dav_svn assertion when handling certain requests with 
autoversioning enabled]
-       RESERVED
+CVE-2013-4558 (The get_parent_resource function in repos.c in mod_dav_svn 
Apache ...)
        - subversion <unfixed>
        [squeeze] - subversion <not-affected> (Only affects 1.7.11 through 
1.7.13 and 1.8.1 through 1.8.4)
        [wheezy] - subversion <not-affected> (Only affects 1.7.11 through 
1.7.13 and 1.8.1 through 1.8.4)
@@ -6331,8 +6549,7 @@
        NOT-FOR-US: CollectiveAccess
 CVE-2013-4506
        RESERVED
-CVE-2013-4505
-       RESERVED
+CVE-2013-4505 (The is_this_legal function in mod_dontdothat for Apache 
Subversion ...)
        - subversion <unfixed> (bug #730541; unimportant)
        NOTE: Not built in the binary packages
 CVE-2013-4504
@@ -6371,10 +6588,9 @@
        - xen <unfixed>
 CVE-2013-4493
        RESERVED
-CVE-2013-4492
-       RESERVED
-CVE-2013-4491 [Reflective XSS]
-       RESERVED
+CVE-2013-4492 (Cross-site scripting (XSS) vulnerability in exceptions.rb in 
the i18n ...)
+       TODO: check
+CVE-2013-4491 (Cross-site scripting (XSS) vulnerability in ...)
        - rails-4.0 4.0.2+dfsg-1 (bug #731290)
        - ruby-actionpack-3.2 3.2.16-1 (bug #731288)
        - ruby-actionpack-2.3 <not-affected> (vulnerable code not present)
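Review bot: CVE-2013-4492 names exceptions.rb in the i18n library, which is a separate Ruby gem rather than part of Rails, so the "TODO: check" should be resolved against whichever package ships that gem; the rails-4.0 / ruby-actionpack lines that follow belong only to CVE-2013-4491. The dropped bracket "[Reflective XSS]" on CVE-2013-4491 is covered by the new description, so nothing is lost there.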
@@ -6411,13 +6627,11 @@
        NOT-FOR-US: LuCi
 CVE-2013-4480 (Red Hat Satellite 5.6 and earlier does not disable the web 
interface ...)
        NOT-FOR-US: Red Hat Satellite
-CVE-2013-4479 [prevent remote command injection in content_type]
-       RESERVED
+CVE-2013-4479 (lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x 
before ...)
        {DSA-2805-1}
        - sup-mail <unfixed> (bug #728232)
        NOTE: 
https://github.com/sup-heliotrope/sup/commit/ca0302e0c716682d2de22e9136400c704cc93e42
-CVE-2013-4478 [shellwords escape attachment file names to prevent remote code 
execution]
-       RESERVED
+CVE-2013-4478 (Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote 
attackers ...)
        {DSA-2805-1}
        - sup-mail <unfixed> (bug #728232)
        NOTE: http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
@@ -6533,11 +6747,9 @@
        RESERVED
 CVE-2013-4447 (Cross-site scripting (XSS) vulnerability in the API in the 
Simplenews ...)
        NOT-FOR-US: Simplenews Drupal contributed module
-CVE-2013-4446
-       RESERVED
+CVE-2013-4446 (The _json_decode function in plugins/context_reaction_block.inc 
in the ...)
        NOT-FOR-US: Context Drupal contributed module
-CVE-2013-4445
-       RESERVED
+CVE-2013-4445 (The json rendering functionality in the Context module 6.x-2.x 
before ...)
        NOT-FOR-US: Context Drupal contributed module
 CVE-2013-4444
        RESERVED
@@ -7327,8 +7539,7 @@
        [squeeze] - nagios3 <not-affected> (html/rss-newsfeed.php not present)
 CVE-2013-4213 (Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does 
not ...)
        - jbossas4 <not-affected> (Only builds a few libraries, not the full 
application server, #581226)
-CVE-2013-4212
-       RESERVED
+CVE-2013-4212 (Certain getText methods in the ActionSupport controller in 
Apache ...)
        NOT-FOR-US: Apache Roller
 CVE-2013-4211
        RESERVED
@@ -7455,8 +7666,7 @@
        [squeeze] - xymon <no-dsa> (Not remotely exploitable in Debian default 
config)
 CVE-2013-4172 (The Red Hat CloudForms Management Engine 5.1 allow remote ...)
        NOT-FOR-US: RedHat CloudForms Management Engine
-CVE-2013-4171
-       RESERVED
+CVE-2013-4171 (Multiple cross-site scripting (XSS) vulnerabilities in Apache 
Roller ...)
        NOT-FOR-US: Apache Roller
 CVE-2013-4170
        RESERVED
@@ -8114,8 +8324,8 @@
        NOT-FOR-US: SavySoda WiFi HD Free
 CVE-2013-3922 (Directory traversal vulnerability in Gummy Bear Studios FTP 
Drive + ...)
        NOT-FOR-US: Gummy Bear Studios FTP Drive + HTTP Server
-CVE-2013-3921
-       RESERVED
+CVE-2013-3921 (Directory traversal vulnerability in Easytime Studio Easy File 
Manager ...)
+       TODO: check
 CVE-2013-3920 (Cross-site scripting (XSS) vulnerability in Jahia xCM before 
6.6.2 ...)
        NOT-FOR-US: Jahia xCM
 CVE-2013-3918 (The InformationCardSigninHelper Class ActiveX control in 
icardie.dll ...)
@@ -9054,8 +9264,7 @@
        RESERVED
 CVE-2013-3520 (VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does 
not ...)
        NOT-FOR-US: VMware vCenter Chargeback Manager
-CVE-2013-3519
-       RESERVED
+CVE-2013-3519 (lgtosync.sys in VMware Workstation 9.x before 9.0.3, VMware 
Player 5.x ...)
        NOT-FOR-US: VMware
 CVE-2013-3518
        RESERVED
@@ -10719,8 +10928,8 @@
        RESERVED
 CVE-2013-2826
        RESERVED
-CVE-2013-2825
-       RESERVED
+CVE-2013-2825 (The DNP3 service in the Outstation component on Elecsys 
Director ...)
+       TODO: check
 CVE-2013-2824
        RESERVED
 CVE-2013-2823 (The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE 
...)
@@ -12597,8 +12806,7 @@
 CVE-2013-2134 (Apache Struts 2 before 2.3.14.3 allows remote attackers to 
execute ...)
        - libstruts1.2-java <not-affected> (Only affects 2.x)
        NOTE: http://struts.apache.org/release/2.3.x/docs/s2-015.html
-CVE-2013-2133
-       RESERVED
+CVE-2013-2133 (The EJB invocation handler implementation in Red Hat JBossWS, 
as used ...)
        - jbossas4 <unfixed>
        TODO: check
 CVE-2013-2132 (bson/_cbsonmodule.c in the mongo-python-driver (aka. pymongo) 
before ...)
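Review bot: CVE-2013-2133 gets both "- jbossas4 <unfixed>" and "TODO: check" in the same entry. Since the CVE-2013-4213 entry earlier in this patch records that jbossas4 "Only builds a few libraries, not the full application server", the TODO should state what needs checking, namely whether the JBossWS EJB invocation handler named in the description is among the libraries that jbossas4 actually builds; if it is not, the line should become <not-affected> with that reason, as for 4213.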
@@ -12963,7 +13171,7 @@
        NOTE: http://openwall.com/lists/oss-security/2013/05/01/5
 CVE-2013-2036 (Cross-site scripting (XSS) vulnerability in the Filebrowser 
module ...)
        NOT-FOR-US: Drupal module Filebrowser
-CVE-2013-2035 
(hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java ...)
+CVE-2013-2035 (Race condition in ...)
        - hawtjni <unfixed> (low; bug #708293)
        [wheezy] - hawtjni <no-dsa> (Minor issue)
 CVE-2013-2034 [jenkins CSRF]
@@ -15841,8 +16049,7 @@
        NOT-FOR-US: Novell ZENworks Desktop Management
 CVE-2013-1091 (Stack-based buffer overflow in Novell iPrint Client before 5.90 
allows ...)
        NOT-FOR-US: Novell iPrint Client
-CVE-2013-1090
-       RESERVED
+CVE-2013-1090 (The SUSE horde5 package before 5.0.2-2.4.1 sets incorrect 
ownership ...)
        - php-horde <undetermined>
        NOTE: https://bugzilla.novell.com/show_bug.cgi?id=811369
        TODO: check if SuSE specific
@@ -16408,107 +16615,91 @@
        - ffmpeg <removed>
        - libav <unfixed>
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=23318a57358358e7a4dc551e830e4503f0638cfe
-CVE-2013-0859 [libavcodec/tiff.c out of array access: 
6d1c5ea04af3e345232aa70c944de961061dab2d]
-       RESERVED
+CVE-2013-0859 (The add_doubles_metadata function in libavcodec/tiff.c in 
FFmpeg ...)
        - ffmpeg <not-affected> (These changes are specific to current ffmpeg 
and don't affect ffmpeg 0.5)
        - libav <not-affected> ((These changes are specific to ffmpeg and don't 
affect libav)
-CVE-2013-0858 [libavcodec/atrac3.c]
-       RESERVED
+CVE-2013-0858 (The atrac3_decode_init function in libavcodec/atrac3.c in 
FFmpeg ...)
        {DSA-2793-1}
        - ffmpeg <removed>
        - libav 6:9.9-1 (bug #717009)
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=13451f5520ce6b0afde861b2285dda659f8d4fb4
        NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=50cf5a7fb78846fc39b3ecdaa896a10bcd74da2a
        NOTE: Fixed in 0.8.9
-CVE-2013-0857 [libavcodec/iff.c]
-       RESERVED
+CVE-2013-0857 (The decode_frame_ilbm function in libavcodec/iff.c in FFmpeg 
before ...)
        {DSA-2793-1}
        - ffmpeg <not-affected> (IFF PBM/ILBM bitmap decoder not present in 0.5 
ffmpeg)
        - libav 6:9.9-1 (bug #717009)
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2fbb37b51bbea891392ad357baf8f3dff00bac05
        NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=7d65e960c72f36b73ae7fe84f8e427d758e61da9
        NOTE: Fixed in 0.8.9
-CVE-2013-0856 [libavcodec/alac.c]
-       RESERVED
+CVE-2013-0856 (The lpc_prediction function in libavcodec/alac.c in FFmpeg 
before 1.1 ...)
        - ffmpeg <removed>
        - libav 6:9.10-1
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594
        NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=78aa2ed620178044a227fbbe48f749c0dc86023f
-CVE-2013-0855 [libavcodec/alac.c out of array accesses]
-       RESERVED
+CVE-2013-0855 (Integer overflow in the alac_decode_close function in ...)
        - ffmpeg <removed>
        - libav 6:9.9-1 (bug #717009)
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3920d1387834e2bc334aff9f518f4beb24e470bd
        NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=f7c5883126f9440547933eefcf000aa78af4821c
        NOTE: Needed in ffmpeg 0.5
-CVE-2013-0854 [libavcodec/mjpegdec.c]
-       RESERVED
+CVE-2013-0854 (The mjpeg_decode_scan_progressive_ac function in 
libavcodec/mjpegdec.c ...)
        {DSA-2793-1}
        - ffmpeg <removed>
        - libav 6:0.8.8-1 (bug #717009)
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1f41cffe1e3e79620f587545bdfcbd7e6e68ed29
        NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=cfbd98abe82cfcb9984a18d08697251b72b110c8
        NOTE: Needed in ffmpeg 0.5
-CVE-2013-0853 [libavcodec/wavpack.c out of array access]
-       RESERVED
+CVE-2013-0853 (The wavpack_decode_frame function in libavcodec/wavpack.c in 
FFmpeg ...)
        {DSA-2793-1}
        - ffmpeg <not-affected> (Vulnerability introduced later)
        - libav 6:0.8.8-1 (bug #717009)
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=be818df547c3b0ae4fadb50fd210139a8636706a
        NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=ed50673066956d6f2201a57c3254569f2ab08d9d
-CVE-2013-0852 [libavcodec/pgssubdec.c out of array accesses]
-       RESERVED
+CVE-2013-0852 (The parse_picture_segment function in libavcodec/pgssubdec.c in 
FFmpeg ...)
        - ffmpeg <not-affected> (PGS subtitle decoder not present)
        - libav <unfixed>
        NOTE: That change seems needed in libav
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c0d68be555f5858703383040e04fcd6529777061
-CVE-2013-0851 [libavcodec/eamad.c out of array accesses]
-       RESERVED
+CVE-2013-0851 (The decode_frame function in libavcodec/eamad.c in FFmpeg 
before 1.1 ...)
        - ffmpeg <not-affected> (Electronic Arts Madcow Video decoder not 
present in ffmpeg 0.5)
        - libav <unfixed>
        NOTE: looks valid as "if (buf_size < 17) { ... error... }" but at least 
buf[21] is used.
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=63ac64864c6e0e84355aa3caa5b92208997a9a8d
-CVE-2013-0850 [libavcodec/h264.c out of array accesses]
-       RESERVED
+CVE-2013-0850 (The decode_slice_header function in libavcodec/h264.c in FFmpeg 
before ...)
        {DSA-2793-1}
        - ffmpeg <removed>
        - libav 6:0.8.7-1 (bug #717009)
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6c184880ee2e09fd68c0ae217173832cee5afc1
        NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=6e5cdf26281945ddea3aaf5eca4d127791f23ca8
-CVE-2013-0849 [libavcodec/roqvideodec.c]
-       RESERVED
+CVE-2013-0849 (The roq_decode_init function in libavcodec/roqvideodec.c in 
FFmpeg ...)
        - ffmpeg <removed>
        - libav 6:9.3-1 (bug #717009)
        NOTE: Fix in ffmpeg: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3ae610451170cd5a28b33950006ff0bd23036845
        NOTE: Fix in libav: 
http://git.libav.org/?p=libav.git;a=commit;h=488f87be873506abb01d67708a67c10a4dd29283
        NOTE: Needed in ffmpeg 0.5
-CVE-2013-0848 [libavcodec/huffyuv.c out of array accesses]
-       RESERVED
+CVE-2013-0848 (The decode_init function in libavcodec/huffyuv.c in FFmpeg 
before 1.1 ...)
        - ffmpeg <removed>
        - libav <unfixed>
        NOTE: No related changes in libav git so far
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6abb9a901fca27da14d4fffbb01948288b5da3ba
        NOTE: Needed in ffmpeg 0.5
-CVE-2013-0847 [libavformat/id3v2.c out of array accesses]
-       RESERVED
+CVE-2013-0847 (The ff_id3v2_parse function in libavformat/id3v2.c in FFmpeg 
before ...)
        - ffmpeg <not-affected> (Affected code not present in ffmpeg 0.5)
        - libav <not-affected> (Code in libav is different, read_ttag)
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=10416a4d56fa8a89784e4fb62099c3cab17a9952
-CVE-2013-0846 [libavcodec/qdm2.c out of array accesses]
-       RESERVED
+CVE-2013-0846 (Array index error in the qdm2_decode_super_block function in 
...)
        - ffmpeg <removed>
        - libav 6:9.3-1 (bug #717009)
        NOTE: ffmpeg commit: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed
        NOTE: libav commit: 
http://git.libav.org/?p=libav.git;a=commit;h=39bec05ed42e505d17877b0c23f16322f9b5883b
        NOTE: Needed for ffmpeg 0.5
-CVE-2013-0845 [libavcodec/alsdec.c]
-       RESERVED
+CVE-2013-0845 (libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote 
attackers to ...)
        - ffmpeg <not-affected> (MPEG-4 ALS decoder not present in ffmpeg/0.5)
        - libav <unfixed>
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0ceca269b66ec12a23bf0907bd2c220513cdbf16
        NOTE: No change in libav git
-CVE-2013-0844 [libavcodec/adpcm.c out of array access]
-       RESERVED
+CVE-2013-0844 (Off-by-one error in the adpcm_decode_frame function in ...)
        {DSA-2793-1}
        - ffmpeg <removed>
        - libav 6:9.10-1
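Review bot: for CVE-2013-0859 the removed line "[libavcodec/tiff.c out of array access: 6d1c5ea04af3e345232aa70c944de961061dab2d]" carried the upstream fix commit id, and the replacement entry keeps no NOTE line with it, unlike the other entries in this hunk, which keep their ffmpeg and libav commit URLs in NOTE lines. Suggest re-adding it as a NOTE line in the same form as the others so the fix reference is not lost. Separately, the unchanged libav line for that entry, "- libav <not-affected> ((These changes are specific to ffmpeg and don't affect libav)", has a doubled opening parenthesis that a follow-up could clean up.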


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
