Author: sectracker
Date: 2014-12-06 21:14:12 +0000 (Sat, 06 Dec 2014)
New Revision: 30573

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-12-06 19:32:14 UTC (rev 30572)
+++ data/CVE/list	2014-12-06 21:14:12 UTC (rev 30573)
@@ -1,3 +1,223 @@ +CVE-2014-9298 + RESERVED +CVE-2014-9297 + RESERVED +CVE-2014-9296 + RESERVED +CVE-2014-9295 + RESERVED +CVE-2014-9294 + RESERVED +CVE-2014-9293 + RESERVED +CVE-2014-9292 (Server-side request forgery (SSRF) vulnerability in proxy.php in the ...) + TODO: check +CVE-2014-9291 + RESERVED +CVE-2014-9290 + RESERVED +CVE-2014-9289 + RESERVED +CVE-2014-9288 + RESERVED +CVE-2014-9287 + RESERVED +CVE-2014-9286 + RESERVED +CVE-2014-9285 + RESERVED +CVE-2014-9284 + RESERVED +CVE-2014-9283 + RESERVED +CVE-2014-9282 + RESERVED +CVE-2014-9268 + RESERVED +CVE-2014-9267 + RESERVED +CVE-2014-9266 + RESERVED +CVE-2014-9265 + RESERVED +CVE-2014-9264 + RESERVED +CVE-2014-9263 + RESERVED +CVE-2014-9262 + RESERVED +CVE-2014-9261 + RESERVED +CVE-2014-9260 + RESERVED +CVE-2014-9259 + RESERVED +CVE-2014-9258 + RESERVED +CVE-2014-9257 + RESERVED +CVE-2014-9256 + RESERVED +CVE-2014-9255 + RESERVED +CVE-2014-9254 + RESERVED +CVE-2014-9253 + RESERVED +CVE-2014-9252 + RESERVED +CVE-2014-9251 + RESERVED +CVE-2014-9250 + RESERVED +CVE-2014-9249 + RESERVED +CVE-2014-9248 + RESERVED +CVE-2014-9247 + RESERVED +CVE-2014-9246 + RESERVED +CVE-2014-9245 + RESERVED +CVE-2014-9244 + RESERVED +CVE-2014-9243 (Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker ...) + TODO: check +CVE-2014-9242 (SQL injection vulnerability in admin/pages/modify.php in WebsiteBaker ...) + TODO: check +CVE-2014-9241 (Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka ...) + TODO: check +CVE-2014-9240 (SQL injection vulnerability in member.php in MyBB (aka ...) + TODO: check +CVE-2014-9239 (SQL injection vulnerability in the IPS Connect service ...) + TODO: check +CVE-2014-9238 (D-link IP camera DCS-2103 with firmware 1.0.0 allows remote attackers ...) + TODO: check +CVE-2014-9237 (SQL injection vulnerability in Proticaret E-Commerce 3.0 allows remote ...) + TODO: check +CVE-2014-9236 (Cross-site scripting (XSS) vulnerability in php/edit_photos.php in ...) 
+ TODO: check +CVE-2014-9235 (Multiple SQL injection vulnerabilities in Zoph (aka Zoph Organizes ...) + TODO: check +CVE-2014-9234 (Directory traversal vulnerability in cgi-bin/sddownload.cgi in D-link ...) + TODO: check +CVE-2014-9233 + RESERVED +CVE-2014-9232 + RESERVED +CVE-2014-9231 + RESERVED +CVE-2014-9230 + RESERVED +CVE-2014-9229 + RESERVED +CVE-2014-9228 + RESERVED +CVE-2014-9227 + RESERVED +CVE-2014-9226 + RESERVED +CVE-2014-9225 + RESERVED +CVE-2014-9224 + RESERVED +CVE-2014-9223 + RESERVED +CVE-2014-9222 + RESERVED +CVE-2014-9221 + RESERVED +CVE-2014-9217 + RESERVED +CVE-2014-9216 + RESERVED +CVE-2014-9215 (SQL injection vulnerability in the CheckEmail function in ...) + TODO: check +CVE-2014-9214 + RESERVED +CVE-2014-9213 + RESERVED +CVE-2014-9212 (Multiple cross-site scripting (XSS) vulnerabilities in Altitude uAgent ...) + TODO: check +CVE-2014-9211 + RESERVED +CVE-2014-9210 + RESERVED +CVE-2014-9209 + RESERVED +CVE-2014-9208 + RESERVED +CVE-2014-9207 + RESERVED +CVE-2014-9206 + RESERVED +CVE-2014-9205 + RESERVED +CVE-2014-9204 + RESERVED +CVE-2014-9203 + RESERVED +CVE-2014-9202 + RESERVED +CVE-2014-9201 + RESERVED +CVE-2014-9200 + RESERVED +CVE-2014-9199 + RESERVED +CVE-2014-9198 + RESERVED +CVE-2014-9197 + RESERVED +CVE-2014-9196 + RESERVED +CVE-2014-9195 + RESERVED +CVE-2014-9194 + RESERVED +CVE-2014-9193 + RESERVED +CVE-2014-9192 + RESERVED +CVE-2014-9191 + RESERVED +CVE-2014-9190 + RESERVED +CVE-2014-9189 + RESERVED +CVE-2014-9188 + RESERVED +CVE-2014-9187 + RESERVED +CVE-2014-9186 + RESERVED +CVE-2014-9185 + RESERVED +CVE-2014-9184 (ZTE ZXDSL 831CII allows remote attackers to bypass authentication via ...) + TODO: check +CVE-2014-9183 (ZTE ZXDSL 831CII has a default password of admin for the admin ...) + TODO: check +CVE-2014-9182 (models/comment.php in Anchor CMS 0.9.2 and earlier allows remote ...) + TODO: check +CVE-2014-9181 (Multiple directory traversal vulnerabilities in Plex Media Server ...) 
+ TODO: check +CVE-2014-9180 (Open redirect vulnerability in go.php in Eleanor CMS allows remote ...) + TODO: check +CVE-2014-9179 (Cross-site scripting (XSS) vulnerability in the SupportEzzy Ticket ...) + TODO: check +CVE-2014-9178 (Multiple SQL injection vulnerabilities in classes/ajax.php in the ...) + TODO: check +CVE-2014-9177 (The HTML5 MP3 Player with Playlist Free plugin before 2.7 for ...) + TODO: check +CVE-2014-9176 (Cross-site scripting (XSS) vulnerability in the InstaSqueeze Sexy ...) + TODO: check +CVE-2014-9175 (SQL injection vulnerability in wpdatatables.php in the wpDataTables ...) + TODO: check +CVE-2014-9174 (Cross-site scripting (XSS) vulnerability in the Google Analytics by ...) + TODO: check +CVE-2014-9173 (SQL injection vulnerability in view.php in the Google Doc Embedder ...) + TODO: check CVE-2014-XXXX [buffer overflow in mpfr_strtofr] - mpfr4 <unfixed> (bug #772008) NOTE: https://gforge.inria.fr/scm/viewvc.php?view=rev&root=mpfr&revision=9243 
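Review bot: most of the `TODO: check` lines added in this first hunk can be resolved now rather than deferred, because the truncated descriptions already identify the product. CVE-2014-9183 and CVE-2014-9184 describe the ZTE ZXDSL 831CII, which CVE-2014-9027 later in this file already carries as `NOT-FOR-US: ZTE ZXDSL 831CII`; CVE-2014-9234 and CVE-2014-9238 (D-Link camera firmware), CVE-2014-9181 (Plex Media Server) and CVE-2014-9173 through CVE-2014-9179 (WordPress plugins) name products that are not packaged in Debian and can take a `NOT-FOR-US: <product>` line in the form used for CVE-2014-9129 and CVE-2014-9156 below. The entries that still deserve a second look are the ones naming software that has been in the archive, for instance CVE-2014-9235 (Zoph), and the ones whose product name is cut off, such as CVE-2014-9292 (an SSRF in a `proxy.php`), so the follow-up pass is not spent on router and plugin advisories.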
@@ -122,33 +342,40 @@ CVE-2015-0301 RESERVED CVE-2014-9275 [crashes] + RESERVED - unrtf <unfixed> NOTE: https://lists.gnu.org/archive/html/bug-unrtf/2014-11/msg00000.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1170233 CVE-2014-9274 [out-of-bounds memory access] + RESERVED - unrtf <unfixed> NOTE: https://lists.gnu.org/archive/html/bug-unrtf/2014-11/msg00001.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1170233 CVE-2014-9278 [~/.k5users unexpectedly grants remote login] + RESERVED - openssh <not-affected> (patch not applied to Debian) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1169843 NOTE: Patch https://bugzilla.mindrot.org/show_bug.cgi?id=1867 from not applied in Debian CVE-2014-9277 [<cross-domain-policy> mangling allows injection in API format=php] + RESERVED - mediawiki <unfixed> [squeeze] - mediawiki <end-of-life> NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=71478 CVE-2014-9276 [XSS in Special:ExpandTemplates] + RESERVED - mediawiki <unfixed> [squeeze] - mediawiki <end-of-life> NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=71111 -CVE-2014-9220 +CVE-2014-9220 (SQL injection vulnerability in OpenVAS Manager before 4.0.6 and 5.x ...) NOT-FOR-US: OpenVAS Manager CVE-2014-9219 [XSS vulnerability in redirection mechanism] + RESERVED - phpmyadmin <unfixed> NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2 NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-18.php TODO: check older versions CVE-2014-9218 [DoS vulnerability with long passwords] + RESERVED - phpmyadmin <unfixed> NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1ac863c7573d12012374d5d41e5c7dc5505ea6e1 (master) NOTE: http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php 
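Review bot: the CVE-2014-9278 entry this hunk touches still has a garbled rationale line, `NOTE: Patch https://bugzilla.mindrot.org/show_bug.cgi?id=1867 from not applied in Debian`, where the word after `from` is missing. Since the `<not-affected>` claim rests on exactly that patch not being in Debian's openssh, it is worth rewriting it as `NOTE: Patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1867 not applied in Debian` while the entry is being edited, so the next reader does not have to re-derive why the package is not affected.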
@@ -205,17 +432,14 @@ RESERVED CVE-2014-9145 RESERVED -CVE-2014-9144 - RESERVED +CVE-2014-9144 (Technicolor Router TD5130 with firmware 2.05.C29GV allows remote ...) NOT-FOR-US: Technicolor routers -CVE-2014-9143 - RESERVED +CVE-2014-9143 (Open redirect vulnerability in Technicolor Router TD5130 with firmware ...) NOT-FOR-US: Technicolor routers -CVE-2014-9142 - RESERVED +CVE-2014-9142 (Cross-site scripting (XSS) vulnerability in Technicolor Router TD5130 ...) NOT-FOR-US: Technicolor routers -CVE-2014-9141 - RESERVED +CVE-2014-9141 (The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier ...) + TODO: check CVE-2014-9139 RESERVED CVE-2014-9138 @@ -226,8 +450,8 @@ RESERVED CVE-2014-9135 RESERVED -CVE-2014-9134 - RESERVED +CVE-2014-9134 (Unrestricted file upload vulnerability in Huawei Honor Cube Wireless ...) + TODO: check CVE-2014-9133 RESERVED CVE-2014-9132 @@ -258,8 +482,8 @@ RESERVED CVE-2014-9115 RESERVED -CVE-2014-9113 - RESERVED +CVE-2014-9113 (CCH Wolters Kluwer ProSystem fx Engagement (aka PFX Engagement) 7.1 ...) + TODO: check CVE-2014-9111 RESERVED CVE-2014-9110 @@ -390,7 +614,7 @@ RESERVED CVE-2014-9029 [input sanitization errors] RESERVED - {DSA-3089-1} + {DSA-3089-1 DLA-101-1} - jasper 1.900.1-debian1-2.2 (bug #772036) CVE-2014-9027 (Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ...) NOT-FOR-US: ZTE ZXDSL 831CII 
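Review bot: the `TODO: check` lines for CVE-2014-9141 (Thomson Reuters Fixed Assets CS installer), CVE-2014-9134 (Huawei Honor Cube wireless router) and CVE-2014-9113 (CCH Wolters Kluwer ProSystem fx Engagement) are inconsistent with the three Technicolor TD5130 entries in the same region, which got `NOT-FOR-US: Technicolor routers` straight away; all six are proprietary products with no Debian package, so the three remaining ones can be closed the same way in this commit. The jasper change that appends `DLA-101-1` next to `DSA-3089-1` for CVE-2014-9029 looks correct.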
@@ -454,58 +678,61 @@ NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fc3a9157d314 (v2.6.38-rc1) CVE-2014-9156 (The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not ...) NOT-FOR-US: Drupal module FileField -CVE-2014-9129 - RESERVED +CVE-2014-9129 (Cross-site request forgery (CSRF) vulnerability in the CreativeMinds ...) NOT-FOR-US: WordPress plugin cm-download-manager -CVE-2014-8123 [buffer overflow] - RESERVED +CVE-2014-8123 (Buffer overflow in the bGetPPS function in wordole.c in Antiword 0.37 ...) - antiword 0.37-5 (bug #771768) NOTE: http://www.openwall.com/lists/oss-security/2014/12/01/4 NOTE: This actually was fixed long time ago in https://bugs.debian.org/407015 -CVE-2014-8104 [DoS] - RESERVED +CVE-2014-8104 (OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before ...) {DSA-3084-1 DLA-98-1} - openvpn 2.3.4-5 NOTE: https://github.com/OpenVPN/openvpn/commit/c5590a6821e37f3b29735f55eb0c2b9c0924138c NOTE: https://forums.openvpn.net/topic17625.html CVE-2014-9272 [XSS in string_insert_hrefs()] + RESERVED - mantis <removed> [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/05378e00 NOTE: http://www.mantisbt.org/bugs/view.php?id=17297 CVE-2014-9281 [XSS in admin panel / copy_field.php] + RESERVED - mantis <removed> [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/e5fc835a NOTE: http://www.mantisbt.org/bugs/view.php?id=17876 CVE-2014-9271 [XSS in file uploads] + RESERVED - mantis <removed> [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) NOTE: http://www.mantisbt.org/bugs/view.php?id=17874 NOTE: http://github.com/mantisbt/mantisbt/commit/9fb8cf36f CVE-2014-9270 [XSS in projax_api.php] + RESERVED - mantis <removed> [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/0bff06ec NOTE: 
http://www.mantisbt.org/bugs/view.php?id=17583 CVE-2014-9269 [XSS in extended project browser] + RESERVED - mantis <removed> [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/511564cc NOTE: http://www.mantisbt.org/bugs/view.php?id=17890 CVE-2014-9280 [PHP Object Injection in MantisBT filter API] + RESERVED - mantis <removed> [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/599364b2 NOTE: http://www.mantisbt.org/bugs/view.php?id=17875 CVE-2014-9279 [DB credentials disclosure in MantisBT's unattended upgrade script] + RESERVED - mantis <removed> (unimportant) [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/0826cef8 NOTE: http://www.mantisbt.org/bugs/view.php?id=17877 NOTE: unimportant, source affected but unrelevant for Debian, upgrade_unattended.php removed also in binary package -CVE-2014-9140 [buffer overflow in the PPP dissector] - RESERVED +CVE-2014-9140 (Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump ...) {DSA-3086-1} - tcpdump 4.6.2-3 NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/0f95d441e4b5d7512cc5c326c8668a120e048eda @@ -524,8 +751,7 @@ [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts) NOTE: http://github.com/mantisbt/mantisbt/commit/7bb78e4581ff1092c811ea96582fe602624cdcdd NOTE: https://www.mantisbt.org/bugs/view.php?id=17811 -CVE-2014-9116 [mutt: incorrect use of mutt_substrdup() in write_one_header()] - RESERVED +CVE-2014-9116 (The write_one_header function in mutt 1.5.23 does not properly handle ...) {DSA-3083-1} - mutt 1.5.23-2 (bug #771125) NOTE: Detailed analysis in https://bugzilla.redhat.com/show_bug.cgi?id=1168463#c4 
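Review bot: the CVE-2014-9279 rationale inside this hunk reads `NOTE: unimportant, source affected but unrelevant for Debian, upgrade_unattended.php removed also in binary package`; `unrelevant` should be `irrelevant`, and the justification is clearer as `source affected, but upgrade_unattended.php is removed from the binary package, so not relevant for Debian`. The substance is fine: `(unimportant)` on the `mantis <removed>` line is the right tag when the vulnerable script is not shipped.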
@@ -537,8 +763,7 @@ [wheezy] - util-linux <no-dsa> (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2014/11/26/13 NOTE: https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc -CVE-2014-9112 [heap-based buffer overflow] - RESERVED +CVE-2014-9112 (Heap-based buffer overflow in the process_copy_in function in GNU Cpio ...) - cpio <unfixed> NOTE: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio NOTE: https://savannah.gnu.org/bugs/?43709 @@ -551,6 +776,7 @@ NOTE: https://www.mantisbt.org/bugs/view.php?id=17841 NOTE: http://github.com/mantisbt/mantisbt/commit/b0021673 CVE-2014-9273 [does not properly handle small-sized hive files] + RESERVED - hivex 1.3.11-1 (low) [wheezy] - hivex <no-dsa> (Minor issue) [squeeze] - hivex <no-dsa> (Minor issue) @@ -562,8 +788,7 @@ - gnupg2 <not-affected> (Affects only 2.1 and betas) NOTE: http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html NOTE: Upstream commit: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7 -CVE-2014-9157 [format string vulnerability] - RESERVED +CVE-2014-9157 (Format string vulnerability in the yyerror function in ...) - graphviz <unfixed> NOTE: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081 CVE-2014-XXXX [parse_datetime() bug] @@ -702,8 +927,7 @@ - drupal7 7.32-1+deb8u1 (bug #770469) - drupal6 <not-affected> (Only affects Drupal 7.x) NOTE: https://www.drupal.org/SA-CORE-2014-006 -CVE-2014-9018 [on-connect scripts: icecast can leak output to attentive sources] - RESERVED +CVE-2014-9018 (Icecast before 2.4.1 transmits the output of the on-connect script, ...) - icecast2 2.4.0-1.1 (bug #770222) NOTE: https://trac.xiph.org/ticket/2089 CVE-2015-0300 
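Review bot: CVE-2014-9112 (cpio) and CVE-2014-9157 (graphviz) are both left as `<unfixed>` with no severity tag and no Debian bug number, unlike CVE-2014-8990 further down, which records `(low; bug #767227)`. Both are triggered by crafted input files (the cpio NOTE points at an afl test case named `lesspipe-cpio-bad-write.cpio`, which as the name suggests is a heap overflow reachable by viewing an archive through lesspipe, and the graphviz issue is a format string bug in `yyerror`), so a bug should be filed against each package and its number recorded on the package line in the usual `(bug #...)` form; otherwise the `<unfixed>` state has no maintainer follow-up attached to it.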
@@ -1556,14 +1780,13 @@ RESERVED CVE-2014-8878 RESERVED -CVE-2014-8877 - RESERVED +CVE-2014-8877 (The alterSearchQuery function in ...) + TODO: check CVE-2014-8876 RESERVED CVE-2014-8875 RESERVED -CVE-2014-8874 - RESERVED +CVE-2014-8874 (The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses ...) NOT-FOR-US: TYPO3 Extension ke_questionnaire CVE-2014-8873 RESERVED @@ -1714,8 +1937,8 @@ RESERVED CVE-2014-8801 (Directory traversal vulnerability in services/getfile.php in the Paid ...) NOT-FOR-US: Paid Memberships Pro plugin for WordPress -CVE-2014-8800 - RESERVED +CVE-2014-8800 (Cross-site scripting (XSS) vulnerability in ...) + TODO: check CVE-2014-8799 (Directory traversal vulnerability in the dp_img_resize function in ...) NOT-FOR-US: dp_img_resize function in php/dp-functions.php in the DukaPress plugin for WordPress CVE-2014-8798 @@ -1736,10 +1959,10 @@ NOT-FOR-US: Enalean Tuleap CVE-2014-8790 RESERVED -CVE-2014-8789 - RESERVED -CVE-2014-8788 - RESERVED +CVE-2014-8789 (GleamTech FileVista before 6.1 allows remote authenticated users to ...) + TODO: check +CVE-2014-8788 (GleamTech FileVista before 6.1 allows remote authenticated users to ...) + TODO: check CVE-2014-8787 RESERVED CVE-2014-8786 
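Review bot: CVE-2014-8789 and CVE-2014-8788 come through with byte-identical truncated descriptions (`GleamTech FileVista before 6.1 allows remote authenticated users to ...`), so the text in this file cannot be used to tell the two apart; whoever resolves the `TODO: check` should read the full MITRE descriptions rather than assume they are duplicates. The other `TODO: check` in this region, CVE-2014-8877 (`The alterSearchQuery function in ...`), is likewise cut off before the product name and needs the full description before it can be closed.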
@@ -1764,16 +1987,16 @@ RESERVED CVE-2014-8776 RESERVED -CVE-2014-8775 - RESERVED -CVE-2014-8774 - RESERVED -CVE-2014-8773 - RESERVED -CVE-2014-8772 - RESERVED -CVE-2014-8771 - RESERVED +CVE-2014-8775 (MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag ...) + TODO: check +CVE-2014-8774 (Cross-site scripting (XSS) vulnerability in manager/index.php in MODX ...) + TODO: check +CVE-2014-8773 (MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass ...) + TODO: check +CVE-2014-8772 (Cross-site scripting (XSS) vulnerability in the search_controller in ...) + TODO: check +CVE-2014-8771 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...) + TODO: check CVE-2014-8770 (Unrestricted file upload vulnerability in magmi/web/magmi.php in the ...) NOT-FOR-US: Magento CVE-2012-6665 (Directory traversal vulnerability in index.php in phpMoneyBooks 1.0.4 ...) @@ -1845,8 +2068,8 @@ RESERVED CVE-2014-8729 RESERVED -CVE-2014-8728 - RESERVED +CVE-2014-8728 (SQL injection vulnerability in the login page (login/login) in Subex ...) + TODO: check CVE-2014-8727 (Multiple directory traversal vulnerabilities in F5 BIG-IP before ...) NOT-FOR-US: F5 BIG-IP CVE-2014-8726 @@ -2108,8 +2331,7 @@ NOTE: To be REJECTED CVE-2014-8584 (Cross-site scripting (XSS) vulnerability in the Web Dorado Spider ...) NOT-FOR-US: WordPress plugin Web Dorado Spider Video Player (aka WordPress Video Player) -CVE-2013-7416 [canto: feed URL parsing command line injection] - RESERVED +CVE-2013-7416 (canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote ...) - canto <removed> (bug #731582) [wheezy] - canto <not-affected> (Vulnerable code not present) [squeeze] - canto <not-affected> (Vulnerable code not present) 
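Review bot: the five MODX Revolution entries CVE-2014-8771 through CVE-2014-8775 are marked `TODO: check`, but this file already records CVE-2014-5451 as `NOT-FOR-US: MODX Revolution`, so they can take the same line now instead of a second pass. The canto change for CVE-2013-7416 keeps `- canto <removed> (bug #731582)` together with `[wheezy]`/`[squeeze] - canto <not-affected> (Vulnerable code not present)`, which is the right shape for a package removed from unstable.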
@@ -2472,8 +2694,7 @@ RESERVED CVE-2014-8490 RESERVED -CVE-2014-8990 [code execution] - RESERVED +CVE-2014-8990 (default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote ...) - lsyncd <unfixed> (low; bug #767227) [wheezy] - lsyncd <no-dsa> (Minor issue) [squeeze] - lsyncd <no-dsa> (Minor issue) @@ -3056,8 +3277,7 @@ NOT-FOR-US: Panasonic Network Camera CVE-2014-8755 (Panasonic Network Camera View 3 and 4 allows remote attackers to ...) NOT-FOR-US: Panasonic Network Camera -CVE-2014-8754 - RESERVED +CVE-2014-8754 (Open redirect vulnerability in track-click.php in the Ad-Manager ...) NOT-FOR-US: WordPress plugin ad-manager-for-wp CVE-2014-8753 RESERVED @@ -3980,10 +4200,10 @@ NOT-FOR-US: Drupal module Custom Search CVE-2014-7869 (Cross-site scripting (XSS) vulnerability in the configuration UI in ...) NOT-FOR-US: Drupal module Context Form Alteration -CVE-2014-7868 - RESERVED -CVE-2014-7867 - RESERVED +CVE-2014-7868 (Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager ...) + TODO: check +CVE-2014-7867 (SQL injection vulnerability in the ...) + TODO: check CVE-2014-7866 RESERVED CVE-2014-7865 
@@ -5329,22 +5549,22 @@ RESERVED CVE-2014-7260 RESERVED -CVE-2014-7259 - RESERVED -CVE-2014-7258 - RESERVED +CVE-2014-7259 (SQUARE ENIX Co., Ltd. Kaku-San-Sei Million Arthur before 2.25 for ...) + TODO: check +CVE-2014-7258 (Cross-site scripting (XSS) vulnerability in KENT-WEB Clip Board 2.91 ...) + TODO: check CVE-2014-7257 RESERVED -CVE-2014-7256 - RESERVED -CVE-2014-7255 - RESERVED -CVE-2014-7254 - RESERVED -CVE-2014-7253 - RESERVED -CVE-2014-7252 - RESERVED +CVE-2014-7256 (The (1) PPP Access Concentrator (PPPAC) and (2) Dial-Up Networking ...) + TODO: check +CVE-2014-7255 (Internet Initiative Japan Inc. SEIL Series routers SEIL/X1 2.50 ...) + TODO: check +CVE-2014-7254 (Unspecified vulnerability in ARROWS Me F-11D allows physically ...) + TODO: check +CVE-2014-7253 (FUJITSU F-12C, ARROWS Tab LTE F-01D, ARROWS Kiss F-03D, and REGZA ...) + TODO: check +CVE-2014-7252 (Multiple unspecified vulnerabilities in the Syslink driver for Texas ...) + TODO: check CVE-2014-7251 RESERVED CVE-2014-7250 @@ -5362,8 +5582,8 @@ RESERVED CVE-2014-7244 RESERVED -CVE-2014-7243 - RESERVED +CVE-2014-7243 (LG Electronics Mobile WiFi router L-09C, L-03E, and L-04D does not ...) + TODO: check CVE-2014-7242 RESERVED CVE-2014-7241 @@ -8212,12 +8432,12 @@ NOT-FOR-US: ManageEngine EventLog Analyzer CVE-2014-6037 (Directory traversal vulnerability in the agentUpload servlet in ZOHO ...) NOT-FOR-US: ZOHO ManageEngine EventLog Analyzer -CVE-2014-6036 - RESERVED -CVE-2014-6035 - RESERVED -CVE-2014-6034 - RESERVED +CVE-2014-6036 (Directory traversal vulnerability in the multipartRequest servlet in ...) + TODO: check +CVE-2014-6035 (Directory traversal vulnerability in the FileCollector servlet in ZOHO ...) + TODO: check +CVE-2014-6034 (Directory traversal vulnerability in the ...) + TODO: check CVE-2014-6033 REJECTED NOT-FOR-US: F5 Networks Big-IP 
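Review bot: CVE-2014-6035 (`FileCollector` servlet in ZOHO ManageEngine) is added as `TODO: check` in the last hunk here, while the neighbouring CVE-2014-6037 (`agentUpload` servlet) already has `NOT-FOR-US: ZOHO ManageEngine EventLog Analyzer`, and CVE-2014-7868 (ZOHO ManageEngine OpManager) in the region above is in the same state. ManageEngine is a proprietary product that is not packaged in Debian, so these can be resolved to `NOT-FOR-US: ZOHO ManageEngine ...` in one go; CVE-2014-6036 and CVE-2014-6034, whose product names are cut off, very likely belong to the same batch given their adjacent IDs, but that should be confirmed from the full descriptions before they are closed.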
@@ -9398,8 +9618,7 @@ - torrentflux <removed> (bug #759574) [wheezy] - torrentflux <no-dsa> (Minor issue) [squeeze] - torrentflux <no-dsa> (Minor issue) -CVE-2014-6040 [crashes on invalid input in IBM gconv modules] - RESERVED +CVE-2014-6040 (GNU C Library (aka glibc) before 2.20 allows context-dependent ...) {DLA-97-1} - glibc 2.19-12 - eglibc <removed> @@ -9428,10 +9647,10 @@ NOT-FOR-US: HL7 C-CDA CVE-2014-5451 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: MODX Revolution -CVE-2014-5446 - RESERVED -CVE-2014-5445 - RESERVED +CVE-2014-5446 (Directory traversal vulnerability in the DisplayChartPDF servlet in ...) + TODO: check +CVE-2014-5445 (Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine ...) + TODO: check CVE-2014-5444 (Geary before 0.6.3 does not present the user with a warning when a TLS ...) - geary 0.6.3-1 NOTE: Upstream bugreport: https://bugzilla.gnome.org/show_bug.cgi?id=713247 @@ -9898,8 +10117,7 @@ NOT-FOR-US: Drupal addon CVE-2014-5249 (SQL injection vulnerability in the "Biblio self autocomplete" ...) NOT-FOR-US: Drupal addon -CVE-2012-6656 [iconv() segfaults if the invalid multibyte character 0xffff is input when converting from IBM930] - RESERVED +CVE-2012-6656 (iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows ...) {DLA-97-1} - glibc 2.17-1 - eglibc <removed> @@ -13041,10 +13259,10 @@ - php-horde-ldap 2.0.6-1 CVE-2014-3998 RESERVED -CVE-2014-3997 - RESERVED -CVE-2014-3996 - RESERVED +CVE-2014-3997 (SQL injection vulnerability in the MetadataServlet servlet in ...) + TODO: check +CVE-2014-3996 (SQL injection vulnerability in the LinkViewFetchServlet servlet in ...) + TODO: check CVE-2014-3993 RESERVED CVE-2014-3992 (Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow ...) 
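Review bot: CVE-2014-6040 and CVE-2012-6656 record `{DLA-97-1}` for squeeze and a fixed glibc in unstable (2.19-12 and 2.17-1), but the `- eglibc <removed>` line carries no `[wheezy]` annotation, so the wheezy eglibc status is not captured in either entry. If wheezy was not updated, a `[wheezy] - eglibc <no-dsa> (Minor issue)` line in the style of the hivex and lsyncd entries would make that explicit; if it was, the fixed wheezy version belongs here. The gap should be closed while the descriptions are being updated.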
@@ -13055,8 +13273,8 @@ RESERVED CVE-2014-3989 RESERVED -CVE-2014-3988 - RESERVED +CVE-2014-3988 (Cross-site scripting (XSS) vulnerability in index.php in SunHater ...) + TODO: check CVE-2014-3987 RESERVED CVE-2014-3984 (Multiple unspecified vulnerabilities in Libav before 0.8.12 allow ...) @@ -14013,8 +14231,7 @@ NOTE: https://issues.apache.org/jira/secure/attachment/12680198/QPID-6218.patch CVE-2014-3628 RESERVED -CVE-2014-3627 - RESERVED +CVE-2014-3627 (The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 ...) NOT-FOR-US: Apache Hadoop CVE-2014-3626 RESERVED @@ -14297,8 +14514,7 @@ NOTE: http://docs.saltstack.com/en/latest/topics/releases/2014.1.10.html CVE-2014-3562 (Red Hat Directory Server 8 and 389 Directory Server, when debugging is ...) - 389-ds-base 1.3.2.21-1 (bug #757437) -CVE-2014-3561 - RESERVED +CVE-2014-3561 (The rhevm-log-collector package in Red Hat Enterprise Virtualization ...) NOT-FOR-US: rhevm-log-collector CVE-2014-3560 (NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and ...) - samba 2:4.1.11+dfsg-1 (bug #756759) 
@@ -14703,20 +14919,17 @@ CVE-2014-3771 (TeamPass before 2.1.20 allows remote attackers to bypass access ...) - teampass <itp> (bug #730180) NOTE: https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f -CVE-2014-4703 [check_dhcp: Race Condition] - RESERVED +CVE-2014-4703 (lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain ...) - nagios-plugins <removed> (unimportant) NOTE: check_dhcp is not installed with root suid permissions in Debian NOTE: http://seclists.org/fulldisclosure/2014/Jun/141 - monitoring-plugins <undetermined> (unimportant) -CVE-2014-4702 [vulerability in check_icmp] - RESERVED +CVE-2014-4702 (The check_icmp plugin in Nagios Plugins before 2.0.2 allows local ...) - nagios-plugins <removed> (unimportant) NOTE: http://seclists.org/fulldisclosure/2014/May/74 NOTE: check_imcp is not installed with root suid permissions in Debian - monitoring-plugins <undetermined> (unimportant) -CVE-2014-4701 [check_dhcp: arbitray option file read] - RESERVED +CVE-2014-4701 (The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local ...) - nagios-plugins <removed> (unimportant) NOTE: check_dhcp is not installed with root suid permissions in Debian NOTE: http://seclists.org/fulldisclosure/2014/May/74 @@ -17947,8 +18160,8 @@ RESERVED CVE-2014-2274 RESERVED -CVE-2014-2273 - RESERVED +CVE-2014-2273 (The hx170dec device driver in Huawei P2-6011 before V100R001C00B043 ...) + TODO: check CVE-2014-2272 RESERVED CVE-2014-2271 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
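Review bot: after this hunk CVE-2014-4703 is described as `lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain ...`, but the entry's `(unimportant)` tag is still justified by `NOTE: check_dhcp is not installed with root suid permissions in Debian`, which was written for the earlier `[check_dhcp: Race Condition]` title. A bug in the shared INI parser is not specific to check_dhcp, so the rationale no longer matches the description; it should be re-checked against http://seclists.org/fulldisclosure/2014/Jun/141 and, if it still holds, restated in terms of no plugin being installed setuid in Debian. The `monitoring-plugins <undetermined> (unimportant)` line inherits the same question. Also, `check_imcp` in the CVE-2014-4702 NOTE should read `check_icmp`.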