[VIM] Old CVE ids, public, but still "RESERVED"
Raphael Geissert
geissert at debian.org
Fri Jan 24 05:21:32 CST 2014
Hi,
Attached are a list of CVE ids which are still marked as RESERVED
(i.e. no description/links/etc have been set) yet our security tracker
knows about them. The tracker only containing public data, it means
that the ids are not embargoed.
Hopefully these lists can be useful to MITRE to catch up on those, or
to anyone else.
I can generate these and other reports regularly if desired.
Notes:
* The year in the file name corresponds to the year in the CVE id, not
necessarily the year of assignment.
* The lists only contain the CVE id, probably a short description, and
one line of data from our tracker. The full data can be obtained
either by going to
https://security-tracker.debian.org/tracker/CVE-YYYY-XXXX or by
looking up on our text database.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
-------------- next part --------------
CVE-2011-4973 [mod_nss FakeBasicAuth authentication bypass]
- libapache2-mod-nss <unfixed> (low; bug #729626)
CVE-2011-4972 [CKEditor module for Drupal access bypass]
NOT-FOR-US: Drupal module
CVE-2011-4970 [Multiple SQL Injection vulnerabilities in Disk Pool Manager (DPM)]
- lcgdm 1.8.6-1 (low; bug #702895)
CVE-2011-4968 [nginx http proxy module does not verify peer identity of https origin server]
- nginx <unfixed> (low; bug #697940)
CVE-2011-4967
NOT-FOR-US: OpenPegasus
CVE-2011-4958 [silverstripe:XSS]
- silverstripe <itp> (bug #528461)
CVE-2011-4955
NOT-FOR-US: wordpress bsuite plugin
CVE-2011-4954
- cobbler <itp> (bug #545583)
CVE-2011-4953
- cobbler <itp> (bug #545583)
CVE-2011-4952
- cobbler <itp> (bug #545583)
CVE-2011-4938
NOT-FOR-US: Ariadne CMS not in Debian
CVE-2011-4937
- joomla <itp> (bug #571794)
CVE-2011-4936
- joomla <itp> (bug #571794)
CVE-2011-4935
- joomla <itp> (bug #571794)
CVE-2011-4934
- joomla <itp> (bug #571794)
CVE-2011-4933
- joomla <itp> (bug #571794)
CVE-2011-4931
- gpw <unfixed> (unimportant; bug #651510)
CVE-2011-4930
- condor <not-affected> (Fixed before initial release)
CVE-2011-4924
- zope2.12 2.12.22-1
CVE-2011-4919 [mpack info disclosure]
- mpack 1.6-8 (low; bug #655971)
CVE-2011-4917
- linux-2.6 <unfixed> (unimportant)
CVE-2011-4915
- linux-2.6 <unfixed> (unimportant)
CVE-2011-4912
NOT-FOR-US: Joomla
CVE-2011-4908
NOT-FOR-US: Joomla
CVE-2011-4907
NOT-FOR-US: Joomla
CVE-2011-4906
NOT-FOR-US: Joomla
CVE-2011-4904
{DSA-2289-1}
CVE-2011-4903
{DSA-2289-1}
CVE-2011-4902
{DSA-2289-1}
CVE-2011-4901
{DSA-2289-1}
CVE-2011-4900
{DSA-2289-1}
CVE-2011-4632
{DSA-2289-1}
CVE-2011-4631
{DSA-2289-1}
CVE-2011-4630
{DSA-2289-1}
CVE-2011-4629
{DSA-2289-1}
CVE-2011-4628
{DSA-2289-1}
CVE-2011-4627
{DSA-2289-1}
CVE-2011-4626
{DSA-2289-1}
CVE-2011-4625 [simplesamlphp xml encryption issues]
{DSA-2330-1}
CVE-2011-4624
NOT-FOR-US: WordPress flash-album-gallery
CVE-2011-4613 [X launcher permission bypass]
{DSA-2364-1}
CVE-2011-4610
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2011-4600
- libvirt 0.9.9-1 (low)
CVE-2011-4595
NOT-FOR-US: WordPress pretty-link plugin
CVE-2011-4580
NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-4573
NOT-FOR-US: JBoss Operations Network
CVE-2011-4558
- tikiwiki <removed>
CVE-2011-4455
- tikiwiki <removed>
CVE-2011-4454
- tikiwiki <removed>
CVE-2011-4407 [apt-add-repository does not perform ssl verification where it *needs* to]
- software-properties 0.76.7debian2+nmu2
CVE-2011-4406
- accountsservice 0.6.15-3
CVE-2011-4366
NOT-FOR-US: ** REJECT ** duplicate of CVE-2011-4090
CVE-2011-4365
NOTE: duplicate of CVE-2011-4090
CVE-2011-4350
- yaws 1.91-2 (bug #650009)
CVE-2011-4343
NOT-FOR-US: Apache MyFaces
CVE-2011-4338
NOT-FOR-US: Arch-Linux specific tool
CVE-2011-4336
NOT-FOR-US: Tiki Wiki
CVE-2011-4334
NOT-FOR-US: LabWiki
CVE-2011-4333
NOT-FOR-US: LabWiki
CVE-2011-4327
- openssh <not-affected> (Only affects platforms w/o /dev/random)
CVE-2011-4322
NOT-FOR-US: websitebaker
CVE-2011-4310
- cmsms <itp> (bug #608888)
CVE-2011-4195
NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4193
NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4192
NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-4121
- ruby1.9.1 <not-affected> (Only affected trunk versions)
CVE-2011-4120 [authentication bypass by pressing ctrl-d]
- yubico-pam 2.10-1
CVE-2011-4117
NOT-FOR-US: perl Batch::BatchRun CPAN module
CVE-2011-4116
- perl <unfixed> (unimportant)
CVE-2011-4115
- libparallel-forkmanager-perl <not-affected> (issue introduced in 0.7.6 upstream, never in Debian)
CVE-2011-4111
- qemu 0.15.1+dfsg-2
CVE-2011-4104
- django-tastypie 0.9.10-1 (bug #647314)
CVE-2011-4103 [YAML deserialization vulnerability in Piston framework]
{DSA-2344-1}
CVE-2011-4099
- libcap2 1:2.22-1 (low)
CVE-2011-4095
NOT-FOR-US: Jara
CVE-2011-4094
NOT-FOR-US: Jara
CVE-2011-4093
- net6 1:1.3.14-1 (low; bug #647318)
CVE-2011-4092
- obby <unfixed> (low; bug #647317)
CVE-2011-4091
[squeeze] - net6 <no-dsa> (Minor issue)
CVE-2011-4090 [serendipity before 1.6 backend XSS in karma plugin]
- serendipity <removed> (bug #650937)
CVE-2011-4089
- bzip2 1.0.6-1 (low; bug #632862)
CVE-2011-4088
NOT-FOR-US: abrt/libreport
CVE-2011-4083
NOT-FOR-US: RedHat sos
CVE-2011-4082
- phpldapadmin 0.9.8-1
CVE-2011-3923
- libstruts1.2-java <not-affected> (Only affects 2.x)
CVE-2011-3642 [flowplayer-core: Arbitrary plugins with remote code execution (XSS)]
- mahara <removed> (low; bug #699230)
CVE-2011-3634
- apt 0.8.11 (low)
CVE-2011-3632 [hardlink has buffer overflows, is unsafe on changing trees]
- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3631 [hardlink has buffer overflows, is unsafe on changing trees]
- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3630 [hardlink has buffer overflows, is unsafe on changing trees]
- hardlink <not-affected> (Only the C version, ours are written in Python)
CVE-2011-3629
NOT-FOR-US: Joomla
CVE-2011-3628
- pam 1.1.3-7 (low; bug #670076)
CVE-2011-3625 [mplayer SAMI subtitle parsing buffer overflow]
- mplayer 2:1.0~rc4.dfsg1+svn33713-2 (bug #645987)
CVE-2011-3624
- ruby1.8 <unfixed> (low; bug #646020)
CVE-2011-3623 [media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers]
- vlc 1.1.3-1
CVE-2011-3622
NOT-FOR-US: phorum
CVE-2011-3621
NOT-FOR-US: fluxbb
CVE-2011-3618 [atop insecure tempfile handling]
- atop 1.23-1.1 (low; bug #622794)
CVE-2011-3617 [tahoe-lafs: an unauthorized user can delete files]
- tahoe-lafs 1.8.3-1 (bug #641540)
CVE-2011-3614 [vanilla plugin access control]
NOT-FOR-US: Vanilla Forums
CVE-2011-3613 [vanilla forums cookie theft]
NOT-FOR-US: Vanilla Forums
CVE-2011-3612 [HTB22913: Multiple CSRF in UseBB]
NOT-FOR-US: UseBB
CVE-2011-3611 [HTB22914: Local File Inclusion in UseBB]
NOT-FOR-US: UseBB
CVE-2011-3610 [serendipity freetag plugin before 3.30 and probably others]
NOT-FOR-US: Serendipity plugin
CVE-2011-3609 [CSRF in the JBoss AS 7 administration console & HTTP management API]
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3606 [DOM based XSS in the JBoss AS 7 administration console]
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2011-3605
{DSA-2323-1}
CVE-2011-3604
{DSA-2323-1}
CVE-2011-3603
NOTE: http://seclists.org/oss-sec/2011/q4/30
CVE-2011-3602
{DSA-2323-1}
CVE-2011-3601
{DSA-2323-1}
CVE-2011-3600
- libxmlrpc3-java 3.1.3-1 (low)
CVE-2011-3596
- polipo 1.0.4.1-1.2 (bug #644289)
CVE-2011-3595
- joomla <itp> (bug #571794)
CVE-2011-3592 [phpMyAdmin did not properly sanitize the content of db, table, and column names prior use of their values.]
- phpmyadmin 4:3.4.5-1
CVE-2011-3591 [PMASA-2011-14 XSS]
- phpmyadmin 4:3.4.5-1
CVE-2011-3590 [mkdumprd utility created the final initial ramdisk image with...]
- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3589 [mkdumprd utility copied content of certain directories into newly...]
- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3588 [kdump/mkdumprd: the default value of "StrictHostKeyChecking=no"]
- kexec-tools <not-affected> (The flaw exists in kdump.init and mkdumprd scrits, shipped only with Red Hat and Fedora)
CVE-2011-3586
NOTE: Dupe of CVE-2011-3504, to be rejected
CVE-2011-3585
- samba 2:3.4.7~dfsg-2 (low)
CVE-2011-3584 [TYPO3-SA-2011-003]
- typo3-src 4.5.6+dfsg1-1 (low; bug #641683)
CVE-2011-3583 [TYPO3-SA-2011-002]
- typo3-src 4.5.6+dfsg1-1 (low; bug #641682)
CVE-2011-3582
NOT-FOR-US: Advanced Electron Forums
CVE-2011-3350 [masqmail improper privilege dropping]
- masqmail 0.2.30-1 (low; bug #638002)
CVE-2011-3377 [IcedTea browser plugin Same Origin Policy suffix issue]
{DSA-2420-1}
CVE-2011-3374 [apt-key insecure validation]
- apt <unfixed> (unimportant; bug #642480)
CVE-2011-3373
NOT-FOR-US: Views Bulk Operations module for Drupal
CVE-2011-3370
- statusnet <itp> (bug #491723)
CVE-2011-3355
- evolution-data-server3 3.2.1-1 (bug #641052)
CVE-2011-3352
NOT-FOR-US: Zikula
CVE-2011-3351
- openvas-scanner <unfixed> (bug #641327; low)
CVE-2011-3349 [lightdm denial of service]
- lightdm 0.9.6-1 (bug #639151)
CVE-2011-3346
- qemu-kvm 0.15.1+dfsg-1 (bug #646118)
CVE-2011-3344
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-3203 [Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution]
NOT-FOR-US: Jcow
CVE-2011-3202 [Jcow CMS 4.2 <= | Cross Site Scripting]
NOT-FOR-US: Jcow
CVE-2011-3199
{DSA-2365-1}
CVE-2011-3198
{DSA-2365-1}
CVE-2011-3197
{DSA-2365-1}
CVE-2011-3196
{DSA-2365-1}
CVE-2011-3195
{DSA-2365-1}
CVE-2011-3183
NOT-FOR-US: Concrete CMS
CVE-2011-3180
NOT-FOR-US: Suse kiwi (different from python-kiwi)
CVE-2011-3154
- update-manager <not-affected> (ubuntu-specific issue)
CVE-2011-3153
- lightdm 1.0.6-2
CVE-2011-3152
- update-manager <not-affected> (ubuntu-specific issue)
CVE-2011-3145
{DSA-2382-1}
CVE-2011-2941
NOT-FOR-US: JBoss Enterprise Portal Platform
CVE-2011-2936
- elgg <itp> (bug #526197)
CVE-2011-2935
- elgg <itp> (bug #526197)
CVE-2011-2934
NOT-FOR-US: WebsiteBaker
CVE-2011-2933
NOT-FOR-US: WebsiteBaker
CVE-2011-2927
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2924
- foomatic-filters 4.0.12-1 (low)
CVE-2011-2923
- foomatic-filters <unfixed> (unimportant)
CVE-2011-2922
- ktsuss <removed>
CVE-2011-2921
- ktsuss <removed>
CVE-2011-2920
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2919
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-2916
- qtnx <removed> (low; bug #637439)
CVE-2011-2910
- ax25-tools 0.0.8-13.2 (low; bug #638198)
CVE-2011-2909
{DSA-2303-1}
CVE-2011-2902 [xpdf: insecure tempfile usage]
- xpdf 3.02-19 (low; bug #635849)
CVE-2011-2897
- gdk-pixbuf <not-affected> (This only applies to the old standalone copy shipped until Lenny)
CVE-2011-2765 [pyro: insecure use of temporary pid file]
- pyro 1:3.14-1 (low; bug #631912)
CVE-2011-2727
NOT-FOR-US: Tribiq CMS
CVE-2011-2726 [SA-CORE-2011-003]
- drupal7 7.6-1
CVE-2011-2725 [ark directory traversal]
- kdeutils 4:4.6.5-4 (low; bug #635541)
CVE-2011-2717
NOT-FOR-US: udhcp6c
CVE-2011-2715
NOT-FOR-US: Drupal data module
CVE-2011-2714
NOT-FOR-US: Drupal data module
CVE-2011-2706
NOT-FOR-US: sNews
CVE-2011-2702 [eglibc signedness vulnerability in ssse3 optimizations]
- eglibc 2.13-10
CVE-2011-2684
- foo2zjs 20110722dfsg-1 (low; bug #633870)
CVE-2011-2683
- reseed <removed>
CVE-2011-2538
- plone3 <removed>
CVE-2011-2523
- vsftpd <not-affected> (backdoored version was never in the Debian archive)
CVE-2011-2515
- packagekit 0.6.17-1
CVE-2011-2514
- openjdk-6 6b21~pre1-1
CVE-2011-2513
- openjdk-6 6b21~pre1-1
CVE-2011-2500
- nfs-utils 1:1.2.4-1 (bug #633155)
CVE-2011-2499
NOT-FOR-US: Mambo CMS
CVE-2011-2498
- linux-2.6 2.6.39-1 (low)
CVE-2011-2487
NOT-FOR-US: Apache CXF
CVE-2011-2480 [kfreebsd info disclosure]
- kfreebsd-9 9.0~svn223502-1 (bug #631160)
CVE-2011-2207
- dirmngr <unfixed> (unimportant; bug #627377)
CVE-2011-2187
- xscreensaver 5.14-1 (bug #627382)
CVE-2011-2186
NOTE: Disputed gitweb non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=713298
CVE-2011-2177
- libreoffice <undetermined>
CVE-2011-2198 [vte memory exhaustion]
- vte 1:0.28.1-1 (low; bug #629688)
CVE-2011-2054
NOT-FOR-US: ** REJECT ** CVE-2011-2054 misused as CVE-2011-2524
CVE-2011-1939
- zendframework 1.11.6-1 (low)
CVE-2011-1935 [packet truncation in libpcap]
- libpcap 1.1.1-4 (low; bug #623868)
CVE-2011-1934 [lilo: lilo.conf world-readable]
- lilo 23.1-2 (low; bug #615103)
CVE-2011-1933
- libjifty-dbi-perl 0.68-1 (low; bug #622919)
CVE-2011-1930
- klibc 1.5.22-1 (low)
CVE-2011-1837
{DSA-2382-1}
CVE-2011-1836
- ecryptfs-utils 92-1
CVE-2011-1835
{DSA-2382-1}
CVE-2011-1834
{DSA-2382-1}
CVE-2011-1832
{DSA-2382-1}
CVE-2011-1831
{DSA-2382-1}
CVE-2011-1798
- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1796
- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1795
- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1794
- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1793
- chromium-browser 11.0.696.65~r84435-1
CVE-2011-1773
NOT-FOR-US: virt-v2v
CVE-2011-1749 [nfs-utils: mount.nfs fails to anticipate RLIMIT_FSIZE]
- nfs-utils 1:1.2.3-3 (low; bug #629420)
CVE-2011-1597
NOT-FOR-US: OpenVAS Manager
CVE-2011-1596
NOT-FOR-US: ** REJECT ** (regular bug in gnome-screensaver-dialog)
CVE-2011-1594
NOT-FOR-US: Red Hat Network Satellite server
CVE-2011-1588
- thunar <not-affected> (Introduced in 1.2, only in experimental)
CVE-2011-1490
- rsyslog 5.7.6-1 (low)
CVE-2011-1489
- rsyslog 5.7.6-1 (low)
CVE-2011-1488
- rsyslog 5.7.6-1 (low)
CVE-2011-1474
NOT-FOR-US: PaX hardening patch
CVE-2011-1408 [ikiwiki tty hijacking vulnerability]
- ikiwiki 3.20110608 (low)
CVE-2011-1151
NOT-FOR-US: Joomla!
CVE-2011-1150
NOT-FOR-US: bbPress
CVE-2011-1145 [buffer overflow in unixODBC's SQLDriverConnect()]
- unixodbc 2.2.14p2-3 (low; bug #617655)
CVE-2011-1086
NOT-FOR-US: openfiler
CVE-2011-1085
NOT-FOR-US: smoothwall
CVE-2011-1084
NOT-FOR-US: smoothwall
CVE-2011-1070
- v86d 0.1.10-1 (low; bug #619404)
CVE-2011-1069
NOT-FOR-US: PHPShop
CVE-2011-1028
- smarty3 3.0.8-1
CVE-2011-1009
NOT-FOR-US: Vanilla Forums
CVE-2011-1133 [xinha XSS mode param]
- serendipity <removed> (bug #611661)
CVE-2011-1134 [xinha XSS image manager]
- serendipity <removed> (bug #611661)
CVE-2011-1135 [xinha multiple vulns]
- serendipity <removed> (bug #611661)
CVE-2011-1136 [tesseract tempfile]
- tesseract 2.04-2.1 (low; bug #612032)
CVE-2011-0705 [path traversal in SimpleHTTPServer]
NOTE: Will be rejected
CVE-2011-0704
NOT-FOR-US: 389 Directory Server
CVE-2011-0703
- gksu-polkit <removed> (bug #684489)
CVE-2011-0699
- linux-2.6 2.6.37-2
CVE-2011-0544
- phpbb3 3.0.7-PL1-5 (low; bug #612477)
CVE-2011-0529
- weborf 0.12.5-1
CVE-2011-0528
- puppet 2.6.2-3
CVE-2011-0525
NOT-FOR-US: Batavi
CVE-2011-0460
- kbd <not-affected> (SUSE-specific)
CVE-2011-0428
- ikiwiki 3.20110122
CVE-2011-0068
- xulrunner <not-affected> (Only affects Firefox 4.0, not yet in unstable)
-------------- next part --------------
CVE-2012-6619 [MongoDB memory over-read via incorrect BSON object length]
- mongodb 1:2.4.1-1
CVE-2012-6110 [bcron file descriptors not closed]
- bcron 0.09-13 (low; bug #686650)
CVE-2012-6345
NOT-FOR-US: CyberArk Vault
CVE-2012-6344
NOT-FOR-US: CyberArk Vault
CVE-2012-6342
NOT-FOR-US: Atlassian Confluence
CVE-2012-6146 [Backend History Module Information Disclosure]
{DSA-2574-1}
CVE-2012-6143 [Storable::thaw called on untrusted inputs]
- libspoon-perl <unfixed> (bug #715371; low)
CVE-2012-6142 [Storable::thaw called on untrusted inputs]
NOT-FOR-US: HTML-EP CPAN module
CVE-2012-6141 [Storable::thaw called on untrusted inputs]
NOT-FOR-US: App-Context CPAN module
CVE-2012-6136
NOT-FOR-US: tuned (RH-specific powersaving tool)
CVE-2012-6135
- ruby-passenger <not-affected> (Vulnerable code not present; bug #702219)
CVE-2012-6133 [XSS flaws in ok and error messages]
- roundup 1.4.20-1
CVE-2012-6132 [XSS flaw with the otk parameter]
- roundup 1.4.20-1
CVE-2012-6131 [XSS flaw in @action parameter]
- roundup 1.4.20-1
CVE-2012-6130 [XSS vulnerability when usernames contain HTML]
- roundup 1.4.20-1
CVE-2012-6125
- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6124
- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6123
- chicken 4.8.0-1 (low; bug #702410)
CVE-2012-6122
- chicken 4.8.0.3-1 (low; bug #702410)
CVE-2012-6114 [temp file vulnerability in git-extras]
- git-extras 1.7.0-1.2 (bug #698490)
CVE-2012-6111 [gnome-keyring does not discard stored secrets in some cases]
- gnome-keyring 3.8.2-1 (low; bug #697896)
CVE-2012-6108 [default permissions for /var/log/hp are too open]
- hplip <not-affected> (permissions are 755 on wheezy, sid and experimental)
CVE-2012-6107 [Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate]
- axis2c <unfixed> (bug #697974)
CVE-2012-6094
- cups <not-affected> (systemd patch not applied in Debian, see bug #697584)
CVE-2012-6086 [zabbix insecure curl usage]
- zabbix 1:2.0.7+dfsg-1 (bug #697443)
CVE-2012-6083
- freeciv 2.3.4-1 (low; bug #696306)
CVE-2012-6079
NOT-FOR-US: W3 Total Cache
CVE-2012-6078
NOT-FOR-US: W3 Total Cache
CVE-2012-6077
NOT-FOR-US: W3 Total Cache
CVE-2012-6071 [libnusoap-php: Curl insecure usage]
- nusoap 0.7.3-5 (low; bug #696707)
CVE-2012-6070 [falconpl: Curl insecure usage]
- falconpl 0.9.6.9-git20120606-2 (bug #696681)
CVE-2012-5844
- openjdk-6 <not-affected> (JavaFX not part of OpenJDK)
CVE-2012-5663
NOT-FOR-US: Isearch
CVE-2012-5662
- ibm-3270 <unfixed> (bug #706547)
CVE-2012-5650 [DOM based XSS via Futon UI]
- couchdb 1.2.0-5 (bug #698439)
CVE-2012-5649 [JSONP arbitrary code execution with Adobe Flash]
- couchdb 1.2.0-5 (bug #698439)
CVE-2012-5645
- freeciv 2.3.4-1 (low; bug #696306)
CVE-2012-5644 [(Complete) Information disclosure when moving user's home directory]
- libuser <unfixed> (low; bug #705690)
CVE-2012-5641
- couchdb <not-affected> (Only affects CouchDB on Windows)
CVE-2012-5640 [thttpd: Local DoS vulnerability]
- thttpd <removed> (low)
CVE-2012-5639
- libreoffice <unfixed> (unimportant)
CVE-2012-5631
NOT-FOR-US: FreeIPA
CVE-2012-5630 [TOCTOU race conditions by copying and removing directory trees]
- libuser <unfixed> (low; bug #705690)
CVE-2012-5628
NOT-FOR-US: gofer component of PULP project
CVE-2012-5623
NOT-FOR-US: change_passwd plugin for Squirrelmail
CVE-2012-5621 [Ekiga (x < 4.0.0): DoS (crash) after receiving call from other party with not UTF-8 valid name]
- ekiga 3.2.7-6 (bug #702282; low)
CVE-2012-5620
NOT-FOR-US: Docecot non-issue, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695138#15
CVE-2012-5619
- sleuthkit <unfixed> (unimportant; bug #695097)
CVE-2012-5618
NOT-FOR-US: Ushahidi
CVE-2012-5617 [privilege escalation due to improper authentication settings in policykit configuration file]
- gksu-polkit <removed> (bug #695807)
CVE-2012-5583 [phpcas curl usage]
- php-cas 1.3.1-2
CVE-2012-5582 [opendnssec curl usage]
- opendnssec <not-affected> (eppclient not built in Debian package)
CVE-2012-5580 [libproxy: format string issue]
- libproxy 0.3.1-4 (low)
CVE-2012-5578 [Python keyring insecure permissions on new databases]
- python-keyring 0.9.2-1.1 (bug #696736)
CVE-2012-5577 [Python keyring insecure permissions on migrated files]
- python-keyring 0.9.2-1.1 (bug #696736)
CVE-2012-5572 [Dancer::Cookie: Cookie name CRLF injection]
- libdancer-perl 1.3114+dfsg-1 (low; bug #694279)
CVE-2012-5567
- kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
CVE-2012-5566
- kronolith2 <not-affected> (Vulnerable code not present in 2.x codebase and later versions not yet packaged in sid)
CVE-2012-5565
NOT-FOR-US: This doesn't seem to be packaged in sid's Horde and the imp3 and dimp1 packages from stable do not include the affected code
CVE-2012-5560
NOT-FOR-US: MATE gnome fork
CVE-2012-5535
- gnome-system-log <not-affected> (Fedora-specific issue)
CVE-2012-5527
- claws-mail-extra-plugins 3.8.1-2 (unimportant; bug #693391)
CVE-2012-5524
- gajim 0.15.4-1 (low; bug #693282)
CVE-2012-5521
- quagga <unfixed> (unimportant; bug #693102)
CVE-2012-5518
NOT-FOR-US: ovirt / vsdm
CVE-2012-5508 [ Zope/Plone: PRNG isn't reseeded]
- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5507 [ Zope/Plone: Timing attack in password validation ]
- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5506 [ Zope/Plone: DoS through RSS on private folder ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5505 [ Zope/Plone: Attempting to access a view with no name returns an internal data structure ]
- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5504 [ Zope/Plone: Persistent XSS ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5503 [ Zope/Plone: Users connected through FTP can list hidden folder contents ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5502 [ Zope/Plone: Persistent XSS via filtering bypass ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5501 [ Zope/Plone: Crafted URL allows downloading of BLOBs that are not visible to the user ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5500 [ Zope/Plone: Anonymous users can batch change titles of content items ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5499 [ Zope/Plone: Partial denial of service through internal function ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5498 [ Zope/Plone: Partial denial of service through Collections functionality ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5497 [ Zope/Plone: Anonymous users can list user account names ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5496 [ Zope/Plone: DoS through unsanitised inputs into Kupu ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5495 [ Zope/Plone: Restricted Python injection ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5494 [ Zope/Plone: Reflexive XSS ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5493 [ Zope/Plone: Restricted Python sandbox escape ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5492 [ Zope/Plone: Partial permissions bypass ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5491 [ Zope/Plone: Form detail exposure ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5490 [ Zope/Plone: Reflexive XSS ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5489 [ Zope/Plone: Partial restricted Python sandbox escape ]
- zope2.12 <unfixed> (bug #692899)
CVE-2012-5488 [ Zope/Plone: Restricted Python injection ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5487 [ Zope/Plone: Restricted Python sandbox escape ]
- zope2.12 <unfixed> (unimportant; bug #692899)
CVE-2012-5486 [ Zope/Plone: Reflexive HTTP header injection ]
- zope2.12 2.12.26-1 (bug #692899)
CVE-2012-5485 [ Restricted Python injection ]
NOT-FOR-US: Plone not packaged in Debian, see bug #692899
CVE-2012-5476
- horizon <not-affected> (File is installed with 0700 perms in Debian)
CVE-2012-5474
- horizon 2012.1.1-7
CVE-2012-5395
NOT-FOR-US: Mediawiki extension CentralAuth
CVE-2012-5391
- mediawiki 1:1.19.3-1 (bug #694998)
CVE-2012-5390 [Possible privilege escalation]
- condor <not-affected> (standard universe is disabled in the Debian package, see bug #697936)
CVE-2012-5366
NOT-FOR-US: Mac OS X
CVE-2012-5365
- kfreebsd-8 <removed> (low; bug #690986)
CVE-2012-5364
NOT-FOR-US: Microsoft Windows
CVE-2012-5363
- kfreebsd-8 <removed> (low; bug #690986)
CVE-2012-5362
NOT-FOR-US: Microsoft Windows
CVE-2012-5361
- ffmpeg <removed>
CVE-2012-5360
- ffmpeg <removed>
CVE-2012-5359
- ffmpeg <removed>
CVE-2012-5241
NOT-FOR-US: PEAR module for Twitter
CVE-2012-5236 [Admin can decrypt user files]
- owncloud <unfixed> (low)
CVE-2012-4410
NOTE: to be rejected
CVE-2012-4576 [freebsd privilege escalation]
- kfreebsd-8 8.3-6 (bug #694096)
CVE-2012-4570 [sql injection]
- php-letodms-core 3.3.8-1
CVE-2012-4569 [multiple xss in 3.3.9]
- letodms 3.3.9+dfsg-1
CVE-2012-4568 [csrf]
- letodms 3.3.9+dfsg-1
CVE-2012-4567 [multiple xss in 3.3.8]
- letodms 3.3.9+dfsg-1
CVE-2012-4526 [XSS in password.php, incomplete fix for CVE-2012-4525]
- piwigo <not-affected> (incomplete fix not applied to Debian package)
CVE-2012-4525 [XSS in password.php]
- piwigo <removed>
CVE-2012-4524 [xlockmore bypass]
- xlockmore <removed> (low)
CVE-2012-4519
NOT-FOR-US: Zenphoto
CVE-2012-4512
- kdebase <removed> (unimportant)
CVE-2012-4480
NOT-FOR-US: mom
CVE-2012-4451 [php-ZendFramework: XSS vectors in multiple Zend Framework components ZF2012-03]
- zendframework <not-affected> (Vulnerable code introduced in 2.x, #688946)
CVE-2012-4441 [jenkins XSS in CI game plugin]
- jenkins <not-affected> (Plugin not built in Debian source package)
CVE-2012-4440 [jenkins XSS in Violations plugin]
- jenkins <not-affected> (Plugin not built in Debian source package)
CVE-2012-4439 [jenkins XSS]
- jenkins 1.447.2+dfsg-2 (bug #688298)
CVE-2012-4438 [jenkins remote code execution]
- jenkins 1.447.2+dfsg-2 (bug #688298)
CVE-2012-4434 [fwknop 2.0.3: multiple DoS / code execution flaw]
- fwknop 2.0.3-1 (bug #688151)
CVE-2012-4428
- openslp-dfsg <unfixed> (bug #687597; low)
CVE-2012-4420 [Duplicate of CVE-2012-4416]
NOT-FOR-US: Duplicate of CVE-2012-4416
CVE-2012-4385 [letodms CSRF]
- letodms 3.3.7+dfsg-1 (bug #689664)
CVE-2012-4384 [letodms XSS]
- letodms 3.3.7+dfsg-1 (bug #689664)
CVE-2012-4383
NOT-FOR-US: Contao
CVE-2012-4382 [Info leak in user blocks]
- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4381 [Passwords were stored in local DB even if auth systems like LDAP were used]
- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4380 [Insufficient API for account creation block]
- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4379 [CSRF]
- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4378 [DOM-based XSS]
- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-4377 [[mediawiki stored XSS]
- mediawiki 1:1.19.2-1 (bug #686330)
CVE-2012-3543
- mono 2.10.8.1-7 (bug #686562)
CVE-2012-3522 [geshi XSS in contrib/langwiz.php]
- geshi <not-affected> (Vulnerable code not present, see bug #685323)
CVE-2012-3521 [geshi information disclosure in contrib/cssgen.php]
- geshi 1.0.8.4-2 (bug #685324)
CVE-2012-3490
- condor 7.8.2~dfsg.1-1+deb7u1 (bug #688210)
CVE-2012-3427
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2012-3415
- plpupload <itp> (bug #668396)
CVE-2012-3409
- ecryptfs-utils 99-1 (bug #682220)
CVE-2012-3407
NOT-FOR-US: plow
CVE-2012-3406 [glibc formatted printing vulnerabilities]
- eglibc <unfixed> (low; bug #681888)
CVE-2012-3405 [glibc formatted printing vulnerabilities]
- eglibc 2.13-35 (low; bug #681473)
CVE-2012-3404 [glibc formatted printing vulnerabilities]
- eglibc 2.13-35 (low; bug #681473)
CVE-2012-3359
NOT-FOR-US: Red Hat Conga
CVE-2012-2979 [VU#517036: NSD 3.2.13 emergency release]
- nsd3 <not-affected> (Debian version not affected)
CVE-2012-2945
- hadoop <itp> (bug #535861)
CVE-2012-2736 [NetworkManager: creating new WPA-secured wireless network results in insecure network being created instead]
- network-manager 0.9.4.0-1 (low; bug #655972)
CVE-2012-2724
NOT-FOR-US: Drupal module
CVE-2012-2714
NOT-FOR-US: Drupal module
CVE-2012-2663
- iptables <unfixed> (unimportant; bug #675445)
CVE-2012-2656 [XXE vulnerability in Restlet]
- restlet <itp> (bug #596472)
CVE-2012-2350 [pam_shield default configuration does not take any action]
- pam-shield 0.9.2-3.3 (low; bug #658830)
CVE-2012-2328
NOT-FOR-US: sblim
CVE-2012-2312
- jbossas4 <not-affected> (Only affects JBoss 7)
CVE-2012-2301 [Drupal SA-CONTRIB-2012-064 - Ubercart - Arbitrary PHP Execution]
NOT-FOR-US: Drupal addon not packaged
CVE-2012-2250
- tor 0.2.3.24-rc-1 (low)
CVE-2012-2249
- tor 0.2.3.23-rc-1 (low)
CVE-2012-2248 [build-influenced PATH set in dhclient]
- isc-dhcp 4.2.4-3 (bug #690532)
CVE-2012-2238
- tryton-server <not-affected> (only affected 2.4, in experimental)
CVE-2012-2237
{DSA-2540-1}
CVE-2012-2095 [wicd command execution with root privileges]
- wicd 1.7.2.4-1 (low; bug #668397)
CVE-2012-2148
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2012-2142 [Insufficient sanitization of escape sequences in the error message]
- xpdf <not-affected> (uses poppler's Error.cc)
CVE-2012-2134
NOT-FOR-US: Dynamic LDAP backend plugin for BIND
CVE-2012-2130
- polarssl 1.1.2-1
CVE-2012-2108
- csound 1:5.17.6~dfsg-1 (low; bug #661197)
CVE-2012-2107
- csound 1:5.17.6~dfsg-1 (bug #661197)
CVE-2012-2106
- csound 1:5.17.6~dfsg-1 (bug #661197)
CVE-2012-2092
- cobbler <itp> (bug #545583)
CVE-2012-2079
NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-2078
NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-1637
NOT-FOR-US: Drupal addon module not packaged in Debian
CVE-2012-1622
NOT-FOR-US: Apache OFBiz
CVE-2012-1621
NOT-FOR-US: Apache OFBiz
CVE-2012-1615 [sectool dbus priv escalation]
NOT-FOR-US: sectool
CVE-2012-1600 [XSS from 5.0.4 release]
- phppgadmin 5.0.4-1
CVE-2012-1592
- libstruts1.2-java <not-affected> (Only applies to Struts 2, see bug #657870)
CVE-2012-1577
- dietlibc 0.33~cvs20120325-1 (unimportant)
CVE-2012-1572
- keystone 2012.1~rc2-1
CVE-2012-1567
NOT-FOR-US: LinuxMint
CVE-2012-1566
NOT-FOR-US: LinuxMint
CVE-2012-1563
- joomla <itp> (bug #571794)
CVE-2012-1562
- joomla <itp> (bug #571794)
CVE-2012-1561
NOT-FOR-US: Drupal Finder
CVE-2012-1102 [XML::Atom Perl module XML entity expansion]
{DSA-2424-1}
CVE-2012-1301
NOT-FOR-US: Umbraco
CVE-2012-1257
- pidgin <unfixed> (unimportant)
CVE-2012-1187
- bitlbee 3.0.4+bzr855-1 (low)
CVE-2012-1171 [safemode bypass after RSHUTDOWN]
- php5 <unfixed> (unimportant)
CVE-2012-1170
- moodle <not-affected> (Only affects 2.2)
CVE-2012-1169
- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1168
- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1166 [ldm (LTSP display manager)]
- ldm 2:2.2.7-1 (bug #663645)
CVE-2012-1161
- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1160
- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1159
- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1158
- moodle <not-affected> (Only affects 2.1 to 2.2)
CVE-2012-1157
- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1156
- moodle <not-affected> (Only affects 2.0 to 2.2)
CVE-2012-1155
- moodle 1.9.9.dfsg2-6 (low; bug #668411)
CVE-2012-1124
NOT-FOR-US: phxEventManager not in Debian
CVE-2012-1115
- phpldapadmin 1.2.2-3 (low; bug #662050)
CVE-2012-1114
- phpldapadmin 1.2.2-3 (low; bug #662050)
CVE-2012-1111
- lightdm 1.0.9-1 (bug #658678)
CVE-2012-1109
NOT-FOR-US: mwlib not in Debian
CVE-2012-1105
- moodle 2.2.7.dfsg-1 (low; bug #662945)
CVE-2012-1104
- moodle 2.2.7.dfsg-1 (low; bug #662945)
CVE-2012-1101
- systemd 43-1 (bug #662029)
CVE-2012-1100
NOT-FOR-US: JBoss Operations Network
CVE-2012-1096
- network-manager <unfixed> (low; bug #684259)
CVE-2012-1095
- osc <unfixed> (unimportant)
CVE-2012-1094
NOT-FOR-US: mod_cluster
CVE-2012-1093 [init script x11-common creates directories in insecure manner]
- xorg 1:7.6+12 (bug #661627)
CVE-2012-1088
- iproute 20120319-1 (unimportant)
CVE-2012-0943
- lightdm <not-affected> (Ubuntu-specific script)
CVE-2012-0875 [systemtap invalid read leading to kernel DoS]
- systemtap 1.7-1 (low; bug #660929; bug #660886)
CVE-2012-0871
- systemd 43-1
CVE-2012-0844
- netsurf 2.8-2 (bug #659376)
CVE-2012-0843
- uzbl 0.0.0~git.20111128-2 (bug #659379)
CVE-2012-0842 [surf info leak]
- surf 0.4.1-6 (bug #659296)
CVE-2012-0828
- xchat <not-affected> (Only affects Xchat on Windows and Maemo)
CVE-2012-0824
- gnusound <removed> (low; bug #654270)
CVE-2012-0812 [PostfixAdmin 2.3.4 multiple XSS vulnerabilities]
- postfixadmin 2.3.5-1
CVE-2012-0811 [PostfixAdmin 2.3.4 multiple SQL vulnerabilities]
- postfixadmin 2.3.5-1
CVE-2012-0810
- linux-2.6 3.2.16-1 (bug #672660)
CVE-2012-0803
NOT-FOR-US: Apache CXF
CVE-2012-0694 [SugarCRM CE unserialize PHP code execution in multiple files]
- sugarcrm-ce-5.0 <itp> (bug #457876)
CVE-2012-0270 [csound buffer overflows]
- csound 1:5.16.6~dfsg-1 (low; bug #661197)
CVE-2012-0214 [apt would still trust repository when old InRelease file present]
- apt 0.8.15.10
CVE-2012-0153
NOT-FOR-US: Microsoft
CVE-2012-0140
NOT-FOR-US: Microsoft
CVE-2012-0139
NOT-FOR-US: Microsoft
CVE-2012-0785 [Jenkins and hash collision attack]
- jenkins-winstone 0.9.10-jenkins-31+dfsg-1 (bug #655553)
CVE-2012-0070
NOT-FOR-US: spamdyke not in Debian
CVE-2012-0064 [xorg screen lockers bypassed via key combo]
- xorg-server 2:1.11.3.901-2 (high; bug #656410)
CVE-2012-0063
- tucan <unfixed> (bug #656388)
CVE-2012-0062
NOT-FOR-US: JBoss Operations Network
CVE-2012-0059
NOT-FOR-US: RHN Satellite
CVE-2012-0055
NOT-FOR-US: overlayfs is not (yet) in the Debian kernel
CVE-2012-0052
NOT-FOR-US: JBoss Operations Network
CVE-2012-0051
- tahoe-lafs <not-affected> (Only affects 1.9.0, not uploaded to the archive)
CVE-2012-0049
{DSA-2524-1}
CVE-2012-0046 [mediawiki info leak]
- mediawiki 1:1.15.5-6 (low; bug #655694)
CVE-2012-0033 [znc bouncedcc DoS]
- znc 0.202-2
CVE-2012-0032
NOT-FOR-US: JBoss Operations Network
-------------- next part --------------
CVE-2013-7303 [cross-site scripting]
- spip 3.0.13-1 (bug #736170)
CVE-2013-7302
NOT-FOR-US: Drupal contrib
CVE-2013-7301 [external network interface is used with no access control for reading queued music files]
- cantata <not-affected> (Vulnerable code introduced with 1.2.0; bug #736154)
CVE-2013-7300 [absolute path traversal vulnerability]
- cantata <not-affected> (Vulnerable code introduced with 1.2.0; bug #736154)
CVE-2013-7299 [tntnet: denial of service]
- tntnet <unfixed> (low; bug #735881)
CVE-2013-7298 [cxxtools: denial of service]
- cxxtools 2.2.1-1 (low; bug #735880)
CVE-2013-7296 [DoS]
- poppler <not-affected> (Introduced in a3cee0e7e9dd292c70fe1fa19a92e70bbc1e1b41)
CVE-2013-7285 [remote code execution via deserialization in XStream]
- libxstream-java <unfixed> (bug #734821)
CVE-2013-7284 [libplrpc-perl remote code execution due to Storable]
- libplrpc-perl <unfixed> (high; bug #734789)
CVE-2013-7273 [no prompt anymore after login cancel using disable_user_list]
- gdm3 <unfixed> (low; bug #683338)
CVE-2013-7259
- neo4j-community <itp> (bug #685615)
CVE-2013-7252 [kwallet crypto misuse]
- kde-runtime <unfixed>
CVE-2013-7172
- libiodbc2 <not-affected> (RPATH issue slackware specific)
CVE-2013-7171
- llvm-2.9 <not-affected> (RPATH issue slackware specific)
CVE-2013-7236
NOT-FOR-US: Simple Machines Forum
CVE-2013-7235
NOT-FOR-US: Simple Machines Forum
CVE-2013-7234
NOT-FOR-US: Simple Machines Forum
CVE-2013-7221 [run command dialog visible above screen locker]
- gnome-shell <unfixed>
CVE-2013-7220 [blind command execution via activities search keyboard focus]
- gnome-shell <unfixed>
CVE-2013-7203
- gitolite3 3.5.3.1-1
CVE-2013-7143
- open-xchange <itp> (bug #269329)
CVE-2013-7142
- open-xchange <itp> (bug #269329)
CVE-2013-7141
- open-xchange <itp> (bug #269329)
CVE-2013-7140
- open-xchange <itp> (bug #269329)
CVE-2013-7137
NOT-FOR-US: Burden
CVE-2013-7135
- libproc-daemon-perl 0.14-2 (low; bug #732283)
CVE-2013-7134
NOT-FOR-US: Juvia
CVE-2013-7130 [Live migration can leak root disk into ephemeral storage]
- nova <unfixed> (bug #736465)
CVE-2013-7111
NOT-FOR-US: Bio Basespace SDK Ruby Gem
CVE-2013-7110
- transifex-client <unfixed> (low)
CVE-2013-7066
NOT-FOR-US: Drupal module
CVE-2013-7065
NOT-FOR-US: Drupal module
CVE-2013-7064
NOT-FOR-US: Drupal module
CVE-2013-7063
NOT-FOR-US: Drupal module
CVE-2013-7034
NOT-FOR-US: LiveZilla
CVE-2013-7033
NOT-FOR-US: LiveZilla
CVE-2013-7032
NOT-FOR-US: LiveZilla
CVE-2013-7089 [dbg_printhex possible information leak]
- clamav 0.97.7+dfsg-1
CVE-2013-7088 [buffer overflow]
- clamav 0.97.7+dfsg-1
CVE-2013-7087 [[clamav: WWPack corrupt heap memory]
- clamav 0.97.7+dfsg-1
CVE-2013-7072
NOT-FOR-US: Monitorix
CVE-2013-7071
NOT-FOR-US: Monitorix
CVE-2013-7070
NOT-FOR-US: Monitorix
CVE-2013-7062 [XSS]
- zope2.12 <removed> (low)
CVE-2013-7061 [Privilege escalation through exposed underlying API]
NOT-FOR-US: Plone
CVE-2013-7060 [Filesystem path information leak]
NOT-FOR-US: Plone
CVE-2013-7048 [Nova live snapshots use an insecure local directory]
- nova 2013.2.1-1 (bug #732022)
CVE-2013-7003
NOT-FOR-US: LiveZilla
CVE-2013-7041 [pam_userdb: password hashes aren't compared case-sensitively]
- pam <unfixed> (low; bug #731368)
CVE-2013-7040
- python2.5 <removed> (low)
CVE-2013-6891 [lppasswd vulnerability]
- cups 1.7.1-1
CVE-2013-6889 [Allows reading arbitrary files]
- rush <unfixed> (bug #733505)
CVE-2013-6887
- openjpeg <not-affected> (only affects 1.5, in experimental, see #731237)
CVE-2013-6880
NOT-FOR-US: FlashCanvas
CVE-2013-6879
NOT-FOR-US: MijoSearch
CVE-2013-6878
NOT-FOR-US: MijoSearch
CVE-2013-6838
NOT-FOR-US: IVR Pro/Contact Center (VIP2000)
CVE-2013-6806
NOT-FOR-US: OpenText Exceed onDemand
CVE-2013-6788
NOT-FOR-US: Bitrix Site Manager
CVE-2013-6766
NOT-FOR-US: OpenVAS Administrator (only uploaded to exp 2.5 years ago)
CVE-2013-6765
NOT-FOR-US: OpenVAS Manager (only uploaded to experimental 2.5 years ago)
CVE-2013-6472
- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6461 [DoS while parsing XML entities]
- ruby-nokogiri 1.6.1+ds-1 (bug #734836)
CVE-2013-6460 [DoS while parsing XML documents]
- ruby-nokogiri 1.6.1+ds-1 (bug #734836)
CVE-2013-6458 [job usage issue in several APIs leading to libvirtd crash]
{DSA-2846-1}
CVE-2013-6457 [avoid crashing if calling `virsh numatune' on inactive domain]
- libvirt 1.2.1-1
CVE-2013-6456 [virsh shutdown does not handle symlinks correctly for LXC]
- libvirt <unfixed> (bug #732394)
CVE-2013-6455
- mediawiki <unfixed>
CVE-2013-6454
- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6453
- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6452
- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6451
- mediawiki 1:1.19.10+dfsg-1
CVE-2013-6444 [failure to check certificate hostname]
- pywbem <unfixed> (bug #732594)
CVE-2013-6441 [lxc: sshd template allow privilege escalation on host]
- lxc <unfixed> (unimportant)
CVE-2013-6440 [XML eXternal Entity (XXE) flaw in ParserPool and Decrypter]
- opensaml2 <not-affected> (Debian provides the C-based Shibboleth implementation)
CVE-2013-6437 [DoS through ephemeral disk backing files]
- nova <unfixed>
CVE-2013-6430
- libspring-java <unfixed> (bug #735420)
CVE-2013-6429
- libspring-java <unfixed> (bug #735420)
CVE-2013-6418 [TOCTOU vulnerability in certificate validation]
- pywbem <unfixed> (low; bug #732594)
CVE-2013-6413 [unrealircd: DoS, use after free]
- unrealircd <itp> (bug #515130)
CVE-2013-6396 [does not properly verify the server SSL certificates]
- python-swiftclient <unfixed> (bug #730626)
CVE-2013-6372
- jenkins <not-affected> (Affected plugins are not shipped in Debian, bug #730457)
CVE-2013-6365 [CSRF edit.php]
- php-horde 5.1.5+debian0-1 (bug #730110)
CVE-2013-6364 [XSS and CSRF search.php]
- php-horde <not-affected> (Vulnerable code in turba)
CVE-2013-6275 [CSRF]
- php-horde-ingo 3.1.3-1 (bug #727669)
CVE-2013-6242
- open-xchange <itp> (bug #269329)
CVE-2013-6241
- open-xchange <itp> (bug #269329)
CVE-2013-6236
NOT-FOR-US: Stem Innovations IZON
CVE-2013-6223
NOT-FOR-US: Livezilla
CVE-2013-6117
NOT-FOR-US: Dahua DVR
CVE-2013-6167
- iceweasel <unfixed> (unimportant)
CVE-2013-6166
- chromium-browser 31.0.1650.57-1 (low)
CVE-2013-6053
- openjpeg <not-affected> (only affects 1.5, in experimental, see #731237)
CVE-2013-6049 [insecure temporary file creation]
- apt-listbugs 0.1.10 (low)
CVE-2013-6047 [XSS in site creation interface]
- ikiwiki-hosting 0.20131025
CVE-2013-5984
NOT-FOR-US: Microweber
CVE-2013-5983
NOT-FOR-US: GuppY
CVE-2013-5916
NOT-FOR-US: WordPress plugin wp-e-commerce
CVE-2013-5749
NOT-FOR-US: SimpleRisk
CVE-2013-5748
NOT-FOR-US: SimpleRisk
CVE-2013-5743
- zabbix 1:2.0.8+dfsg-2
CVE-2013-5680 [heap overflow]
- hylafax <not-affected> (Not built with LDAP support)
CVE-2013-5661 [DNS response rate limiting can simplify cache poisoning attacks]
NOTE: DNS protocol flaw
CVE-2013-5675
NOT-FOR-US: Symantec Endpoint Protection
CVE-2013-5671 [Remote Command Injection]
NOT-FOR-US: fog-dragonfly Ruby Gem
CVE-2013-5655
NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5654
NOT-FOR-US: YingZhi Python for iOS
CVE-2013-5640
NOT-FOR-US: Gnew
CVE-2013-5639
NOT-FOR-US: Gnew
CVE-2013-5582
NOT-FOR-US: Ammyy Admin
CVE-2013-5581
NOT-FOR-US: Ammyy Admin
CVE-2013-5350
NOT-FOR-US: OpenPNE
CVE-2013-5212
NOT-FOR-US: easyXDM
CVE-2013-5123 [insecure mirroring]
- python-pip 1.4.1-1 (unimportant)
CVE-2013-4985
NOT-FOR-US: Vivotek IP Cameras
CVE-2013-4982
NOT-FOR-US: AVTECH DVR
CVE-2013-4981
NOT-FOR-US: AVTECH DVR
CVE-2013-4980
NOT-FOR-US: AVTECH DVR
CVE-2013-4979 [Buffer Overflow]
NOT-FOR-US: EPS Viewer
CVE-2013-4978 [Buffer Overflow]
NOT-FOR-US: Aloaha PDF Suite
CVE-2013-4968
- puppet <not-affected> (Only affects Puppet Enterprise)
CVE-2013-4772
NOT-FOR-US: D-Link
CVE-2013-4752
NOT-FOR-US: Symfony HttpFoundation component
CVE-2013-4751
NOT-FOR-US: Symfony Validator component
CVE-2013-4739
- linux <not-affected> (Android-specific camera drivers)
CVE-2013-4738
- linux <not-affected> (Android-specific camera drivers)
CVE-2013-4730
NOT-FOR-US: PCMan FTP Server
CVE-2013-4718 [XSS]
NOT-FOR-US: OTRS ITSM
CVE-2013-4717 [SQL injection]
{DSA-2733-1}
CVE-2013-4593
- ruby-omniauth-facebook <itp> (bug #705766)
CVE-2013-4584 [ssl_outgoing_ciphers not applied to STARTTLS connections]
- perdition <unfixed> (low; bug #729028)
CVE-2013-4583
- gitlab <itp> (bug #651606)
CVE-2013-4582 [Local file inclusion vulnerability]
- gitlab <itp> (bug #651606)
CVE-2013-4581 [Remote code execution vulnerability via Git SSH access]
- gitlab <itp> (bug #651606)
CVE-2013-4580 [Unauthenticated API access to GitLab when using MySQL]
- gitlab <itp> (bug #651606)
CVE-2013-4577 [should set safer permissions even when hashed passwords are found]
- grub2 2.00-20 (unimportant; bug #632598)
CVE-2013-4574
- mediawiki <unfixed>
CVE-2013-4572
- mediawiki 1:1.19.8+dfsg-2.2 (bug #729629)
CVE-2013-4571
- mediawiki <unfixed>
CVE-2013-4570
- mediawiki <unfixed>
CVE-2013-4565 [heap-based buffer overflow]
- xlhtml <unfixed> (bug #729279)
CVE-2013-4562
- ruby-omniauth-facebook <itp> (bug #705766)
CVE-2013-4561
NOT-FOR-US: OpenShift
CVE-2013-4552
NOT-FOR-US: drupalauth module for simpleSAMLphp
CVE-2013-4546 [remote command execution]
- gitlab <itp> (bug #651606)
CVE-2013-4521
NOT-FOR-US: Nuxeo
CVE-2013-4504
NOT-FOR-US: Drupal contrib module
CVE-2013-4503
NOT-FOR-US: Drupal contrib module
CVE-2013-4502
NOT-FOR-US: Drupal contrib module
CVE-2013-4501
NOT-FOR-US: Drupal contrib module
CVE-2013-4500
NOT-FOR-US: Drupal contrib module
CVE-2013-4499
NOT-FOR-US: Drupal contrib module
CVE-2013-4498
NOT-FOR-US: Drupal contrib module
CVE-2013-4490 [Remote code execution vulnerability in the SSH key upload feature]
- gitlab <itp> (bug #651606)
CVE-2013-4489 [Remote code execution vulnerability in the code search feature]
- gitlab <itp> (bug #651606)
CVE-2013-4488
- libgadu <unfixed> (unimportant)
CVE-2013-4472 [Race condition on temporary file]
- poppler <unfixed> (unimportant)
CVE-2013-4471 [password reset vulnerability]
- horizon 2013.2-1
CVE-2013-4468
NOT-FOR-US: VICIDIAL
CVE-2013-4467
NOT-FOR-US: VICIDIAL
CVE-2013-4463 [Compressed disk image DoS]
- nova 2013.2-3 (bug #728605)
CVE-2013-4462
NOT-FOR-US: WordPress plugin
CVE-2013-4455
NOT-FOR-US: Katello
CVE-2013-4454
NOT-FOR-US: WordPress plugin
CVE-2013-4451 [world writable files]
- gitolite <not-affected> (vulnerable code introduced for v3.5.3)
CVE-2013-4449 [slapd segfaults on certain queries with rwm overlay enabled]
- openldap <unfixed> (low; bug #729367)
CVE-2013-4442 [Silent fallback to insecure entropy]
- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4441 [Phonemes mode has heavy bias and is enabled by default]
- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4440 [non-tty passwords are trivially weak by default]
- pwgen <unfixed> (unimportant; bug #726578)
CVE-2013-4433 [xhprof: unspecified XSS]
- xhprof 0.9.4-1 (bug #726284)
CVE-2013-4432 [a group member with no access rights to folder can still view it]
- mahara <removed> (low; bug #727539)
CVE-2013-4431 [Not checking ownership of blocks before editing them]
- mahara <removed> (low; bug #727552)
CVE-2013-4430
- mahara <removed> (unimportant; bug #727548)
CVE-2013-4429 [Arbitrary image download]
- mahara <removed> (low; bug #727545)
CVE-2013-4427 [pyxtrlock Incorrect return value checking]
NOT-FOR-US: pyxtrlock
CVE-2013-4426 [pyxtrlock mis-spelled variable name]
NOT-FOR-US: pyxtrlock
CVE-2013-4420 [tar_extract_glob and tar_extract_all path prefix directory traversal]
- libtar <unfixed> (bug #731860)
CVE-2013-4413 [arbitrary files read]
NOT-FOR-US: Wicked Ruby Gem
CVE-2013-4412 [NULL ptr dereference]
- slim <unfixed> (bug #725902)
CVE-2013-4411
- reviewboard <itp> (bug #653113)
CVE-2013-4410
- reviewboard <itp> (bug #653113)
CVE-2013-4409 [unsanitized eval() vulnerability]
- djblets <removed> (low; bug #726039)
CVE-2013-4406
NOT-FOR-US: Quick Tabs Drupal contributed module
CVE-2013-4399 [unprivileged user can crash libvirtd when ACLs are enabled]
- libvirt 1.1.4-1
CVE-2013-4395
NOT-FOR-US: Simple Machines Forum
CVE-2013-4383
NOT-FOR-US: Drupal module
CVE-2013-4380
NOT-FOR-US: Drupal module
CVE-2013-4367
NOT-FOR-US: ovirt
CVE-2013-4357 [getaddrinfo() stack overflow]
- eglibc <unfixed>
CVE-2013-4347 [Uses poor PRNG]
- python-oauth2 <unfixed> (low; bug #722657)
CVE-2013-4346 [_check_signature() ignores the nonce value when validating signed urls]
- python-oauth2 <unfixed> (low; bug #722656)
CVE-2013-4337
NOT-FOR-US: Drupal module
CVE-2013-4336
NOT-FOR-US: Drupal module
CVE-2013-4335
NOT-FOR-US: opOpenSocialPlugin
CVE-2013-4334
NOT-FOR-US: opWebAPIPlugin
CVE-2013-4333
NOT-FOR-US: OpenPNE
CVE-2013-4331 [incorrect .Xauthority permissions]
- lightdm 1.6.2-1 (bug #721744)
CVE-2013-4321 [TYPO3 File Abstraction Layer: Remote Code Execution]
- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4320 [TYPO3 Core: Cross-Site Scripting, Remote Code Execution]
- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4318
NOT-FOR-US: Ruby gem Features
CVE-2013-4304 [mediawiki CentralAuth auth bypass]
NOT-FOR-US: Mediawiki CentralAuth extension
CVE-2013-4303 [mediawiki XSS with IE6]
- mediawiki 1:1.19.8+dfsg-1 (unimportant)
CVE-2013-4290 [stack-based buffer overflows]
- openjpeg <unfixed> (bug #722540)
CVE-2013-4289 [heap-based buffer overflows]
- openjpeg <unfixed> (bug #722540)
CVE-2013-4279
- imapsync <removed>
CVE-2013-4275
NOT-FOR-US: Drupal contributed module Zen
CVE-2013-4273
NOT-FOR-US: Drupal contributed module Entity API
CVE-2013-4269
- ajaxplorer <itp> (bug #668381)
CVE-2013-4268
- ajaxplorer <itp> (bug #668381)
CVE-2013-4267
- ajaxplorer <itp> (bug #668381)
CVE-2013-4262 [svnwcsub.py and irkerbridge.py are vulnerable to symlink attack]
- subversion <not-affected> (Optional admin-side utilities in Subversion 1.8.x)
CVE-2013-4251 [weave /tmp and current directory issues]
- python-scipy 0.12.0-3 (bug #726093)
CVE-2013-4250 [Vulnerable subcomponent: Backend File Upload / File Abstraction Layer]
- typo3-src <not-affected> (All versions from 6.0.0 up to the development branch of 6.2)
CVE-2013-4246 [FSFS repository corruption due to editing packed revision properties]
- subversion <not-affected> (only affects 1.8.0 and 1.8.1)
CVE-2013-4241
NOT-FOR-US: WordPress plugin HMS Testimonials
CVE-2013-4240
NOT-FOR-US: WordPress plugin HMS Testimonials
CVE-2013-4228
NOT-FOR-US: Organic Group Drupal contributed module
CVE-2013-4227
NOT-FOR-US: Persona Drupal contributed module
CVE-2013-4226
NOT-FOR-US: Authenticated User Page Caching Drupal contributed module
CVE-2013-4225
NOT-FOR-US: RESTful Web Services (RESTWS) Drupal cotributed module
CVE-2013-4224
NOTE: Dublicate of CVE-2013-4187, thus rejected
CVE-2013-4223 [nullmailer world readable /etc/nullmailer/remotes]
- nullmailer 1:1.11-2 (low; bug #684619)
CVE-2013-4215 [IPXPING_COMMAND uses fixed location in /tmp]
- nagios-plugins <unfixed> (unimportant)
CVE-2013-4211
NOT-FOR-US: OpenX
CVE-2013-4209 [ABRT: (substantially) limited leak of unauthorized information]
NOT-FOR-US: NOT-FOR-US: abrt is Red Hat / Fedora specific
CVE-2013-4201 [Katello: CLI - user without access can call "system remove_deletion" command]
NOT-FOR-US: Katello
CVE-2013-4199 [plone: DoS by decompressing large zip archives (cb_decode.py, linkintegrity.py)]
NOT-FOR-US: Plone
CVE-2013-4198 [plone: Authenticated users able to alter their password despite of policy definition / setting prohibiting it (mail_password.py)]
NOT-FOR-US: Plone
CVE-2013-4197 [plone: Authenticated users able to modify / delete portraits of other users (member_portrait.py)]
NOT-FOR-US: Plone
CVE-2013-4196 [plone: Multiple information exposure flaws via certain object methods (objectmanager.py)]
NOT-FOR-US: Plone
CVE-2013-4195 [plone: Open redirect in the HTTP server implementation (marmoset_patch.py, publish.py, principiaredirect.py)]
NOT-FOR-US: Plone
CVE-2013-4194 [plone: File system path exposure (wysiwyg.py)]
NOT-FOR-US: Plone
CVE-2013-4193 [plone: Anonymous users capable to hide certain fields from content edit forms (typeswidget.py)]
NOT-FOR-US: Plone
CVE-2013-4192 [plone: Ability to spoof emails (sendto.py)]
NOT-FOR-US: Plone
CVE-2013-4191 [plone: Information exposure due improper access control enforcement when generating zip archives (zip.py)]
NOT-FOR-US: Plone
CVE-2013-4190 [plone: Multiple cross-site scripting (XSS) flaws (spamProtect.py, pts.py, request.py)]
NOT-FOR-US: Plone
CVE-2013-4189 [plone: Privilege escalation due improper authorization (dataitems.py, get.py, traverseName.py)]
NOT-FOR-US: Plone
CVE-2013-4188 [plone: DoS (infinite loop) by administrator privilege users when retrieving information for certain resources (traverser.py)]
NOT-FOR-US: Plone
CVE-2013-4187 [Access Bypass]
NOT-FOR-US: Flippy Contributed Drupal module
CVE-2013-4184 [symlink attacks]
- libdata-uuid-perl <unfixed> (low; bug #718949)
CVE-2013-4178
NOT-FOR-US: GA Login Drupal contributed module
CVE-2013-4177
NOT-FOR-US: GA Login Drupal contributed module
CVE-2013-4176 [information disclosure]
NOT-FOR-US: MySecureShell
CVE-2013-4175 [local denial of service]
NOT-FOR-US: MySecureShell
CVE-2013-4168 [start and end time fields not filtered]
- smokeping 2.6.8-2
CVE-2013-4166 [problem in GPG key selection when encrypting mail]
- evolution <unfixed> (unimportant)
CVE-2013-4161
- gksu-polkit <not-affected> (CVE for improperly applied fix for CVE-2012-5617 on Red Hat)
CVE-2013-4158
- smokeping <not-affected> (fix for CVE-2012-0790/DSA-2651-1 uses regexp from 2.6.9 upstream release)
CVE-2013-4152 [XML External Entity (XXE) injection flaw]
{DSA-2842-1}
CVE-2013-4143
NOT-FOR-US: xlockmore
CVE-2013-4133 [memory leak]
- kde-workspace 4:4.10.5-3 (unimportant; bug #717180)
CVE-2013-4119
- freerdp <not-affected> (The server part is not build)
CVE-2013-4118
- freerdp <not-affected> (The server part is not build)
CVE-2013-4116 [npm: predictable temporary filenames when unpacking tarballs]
- npm 1.3.10~dfsg-1 (bug #715325)
CVE-2013-4110
NOT-FOR-US: Cryptocat
CVE-2013-4109
NOT-FOR-US: Cryptocat
CVE-2013-4108
NOT-FOR-US: Cryptocat
CVE-2013-4107
NOT-FOR-US: Cryptocat
CVE-2013-4106
NOT-FOR-US: Cryptocat
CVE-2013-4105
NOT-FOR-US: Cryptocat
CVE-2013-4104
NOT-FOR-US: Cryptocat
CVE-2013-4103
NOT-FOR-US: Cryptocat
CVE-2013-4102
NOT-FOR-US: Cryptocat
CVE-2013-4101
NOT-FOR-US: Cryptocat
CVE-2013-4100
NOT-FOR-US: Cryptocat
CVE-2013-4088 [Information Disclosure]
{DSA-2712-1}
CVE-2013-3843
- monkey <removed>
CVE-2013-3734 [Datasource password visible to administrator]
NOT-FOR-US: Embedded Jopr
CVE-2013-3729
NOT-FOR-US: Kasseler CMS
CVE-2013-3728
NOT-FOR-US: Kasseler CMS
CVE-2013-3727
NOT-FOR-US: Kasseler CMS
CVE-2013-3718 [evince missing check on number of pages]
- evince 3.10.0-1
CVE-2013-3703
NOT-FOR-US: Open Build Service
CVE-2013-3685
NOT-FOR-US: Sprite Software's backup softare for Android
CVE-2013-3587 [BREACH attack against HTTP compression]
TODO: check
CVE-2013-3571 [FD leak]
- socat 1.7.1.3-1.5 (low; bug #709931)
CVE-2013-3565 [XSS in HTTP Interface]
- vlc 2.0.7-1 (unimportant)
CVE-2013-3551
{DSA-2696-1}
CVE-2013-3514
NOT-FOR-US: OpenX
CVE-2013-2764
NOT-FOR-US: Secure Entry Server
CVE-2013-2758
NOT-FOR-US: CloudStack
CVE-2013-2756
NOT-FOR-US: CloudStack
CVE-2013-2745 [SQL Injection]
- minidlna <unfixed> (low; bug #717131)
CVE-2013-2739 [heap-based buffer overflow]
- minidlna <unfixed> (low; bug #717131)
CVE-2013-2738 [SQL Injection]
- minidlna <unfixed> (low; bug #717131)
CVE-2013-2625
- otrs2 3.1.7+dfsg1-8
CVE-2013-2623
NOT-FOR-US: Uebimiau Webmail
CVE-2013-2622
NOT-FOR-US: Uebimiau Webmail
CVE-2013-2621
NOT-FOR-US: Uebimiau Webmail
CVE-2013-2600 [MiniUPnPd information disclosure]
- miniupnpd 1.8.20130730-1 (bug #716936)
CVE-2013-2595
NOT-FOR-US: Qualcomm MSM Camera driver
CVE-2013-2574
NOT-FOR-US: Foscam
CVE-2013-2565
NOT-FOR-US: Mambo CMS
CVE-2013-2564
NOT-FOR-US: Mambo CMS
CVE-2013-2563
NOT-FOR-US: Mambo CMS
CVE-2013-2562
NOT-FOR-US: Mambo CMS
CVE-2013-2298
- boinc 7.0.65+dfsg-1 (low)
CVE-2013-2294
NOT-FOR-US: ViewGit
CVE-2013-2262
NOT-FOR-US: Cryptocat
CVE-2013-2261
NOT-FOR-US: Cryptocat
CVE-2013-2260
NOT-FOR-US: Cryptocat
CVE-2013-2259
NOT-FOR-US: Cryptocat
CVE-2013-2258
NOT-FOR-US: Cryptocat
CVE-2013-2257
NOT-FOR-US: Cryptocat
CVE-2013-2255 [Inconsistent and non-validating HTTPS client]
- cinder <unfixed>
CVE-2013-2233 [not caching SSH host keys]
- ansible 1.3.4+dfsg-1 (bug #714822)
CVE-2013-2228 [RSA exponent of 1]
- salt 0.15.1-1
CVE-2013-2227 [local file inclusion]
- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2226 [Multiple SQL injections]
- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2225
- glpi 0.83.91-1 (bug #714720; unimportant)
CVE-2013-2214 [nagios3: information leak]
- nagios3 3.4.1-4 (low)
CVE-2013-2213 [KRandom::random() Small Space of Random Values]
- kdeplasma-addons <not-affected> (only affects if incomplete patch for CVE-2013-2120 is applied)
CVE-2013-2198
NOT-FOR-US: Login Security Drupal contributed module
CVE-2013-2193 [Apache HBase Man in the Middle Vulnerability]
NOT-FOR-US: Apache HBase
CVE-2013-2192 [Apache Hadoop Man in the Middle Vulnerability]
NOT-FOR-US: Apache Hadoop
CVE-2013-2191
NOT-FOR-US: python-bugzilla
CVE-2013-2184 [unsafe use of Storable::thaw]
- movabletype-opensource 5.2.7+dfsg-1 (bug #712602)
CVE-2013-2183
- monkey <removed> (low)
CVE-2013-2182 [monkey security rules bypass]
- monkey <removed> (low)
CVE-2013-2180
NOT-FOR-US: uk-cookie Wordpress plugin, not in Debian
CVE-2013-2167 [middleware memcache signing bypass]
- python-keystoneclient 1:0.2.5-2 (bug #713819)
CVE-2013-2166 [middleware memcache encryption bypass]
- python-keystoneclient 1:0.2.5-2 (bug #713819)
CVE-2013-2163 [monkey denial of service]
- monkey <removed> (low)
CVE-2013-2159 [monkey broken authentication]
- monkey <removed>
CVE-2013-2150 [XSS vulnerability in js/viewer.js]
- owncloud <not-affected> (affects only experimental version)
CVE-2013-2149 [XSS vulnerability in core/js/oc-dialogs.js]
- owncloud 4.0.16debian-1 (bug #711517)
CVE-2013-2131 [format string vulnerability]
- rrdtool <unfixed> (unimportant; bug #708866)
CVE-2013-2130 [null pointer dereference in webadmin]
- znc 1.0-5 (bug #720632)
CVE-2013-2125 [DoS in TLS Support]
- opensmtpd 5.3.3p1-1
CVE-2013-2124 [libguestfs: DoS due to a double-free when inspecting certain guest files]
- libguestfs 1:1.20.8-1 (bug #710290)
CVE-2013-2120 [weak generated passwords]
- kdeplasma-addons <unfixed> (low; bug #710497)
CVE-2013-2111 [DoS (daemon hang) when parsing invalid IMAP APPEND command parameters]
- dovecot <not-affected> (vulnerable code appeared in 2.2)
CVE-2013-2109
NOT-FOR-US: WordPress plugin wp-cleanfix
CVE-2013-2108
NOT-FOR-US: WordPress plugin wp-cleanfix
CVE-2013-2107
NOT-FOR-US: WordPress plugin mail-on-update
CVE-2013-2106 [Authentication credential disclosure]
- webauth <not-affected> (vulnerable code only in 4.4.1 up to 4.5.2)
CVE-2013-2105
NOT-FOR-US: Show In Browser Ruby Gem
CVE-2013-2100
NOT-FOR-US: Gentoo Portage binary package installer
CVE-2013-2097 [zPanel themes remote command execution as root]
NOT-FOR-US: zPanel
CVE-2013-2093
- dolibarr 3.3.4-1 (high)
CVE-2013-2092
- dolibarr 3.3.4-1
CVE-2013-2091
- dolibarr 3.3.4-1
CVE-2013-2090 [Remote command Injection]
NOT-FOR-US: Creme Fraiche Ruby Gem
CVE-2013-2089 [owncloud: oC-SA-2013-026]
- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2087 [gallery: multiple xss]
- gallery <not-affected> (Vulnerable code not present)
CVE-2013-2086 [owncloud: oC-SA-2013-027]
- owncloud <not-affected> (Only owncloud 5.0.x)
CVE-2013-2085 [owncloud: oC-SA-2013-020]
- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2075
- chicken <not-affected> (Incomplete fix was never applied)
CVE-2013-2074 [prints passwords contained in HTTP URLs in error messages]
- kde4libs 4:4.10.5-1 (low; bug #707776)
CVE-2013-2073 [Does not validate HTTPS server certificate]
- transifex-client 0.9-1 (low)
CVE-2013-2060
NOT-FOR-US: OpenShift
CVE-2013-2057
NOT-FOR-US: YaBB
CVE-2013-2049
NOT-FOR-US: CloudForms Management Engine
CVE-2013-2048 [owncloud: oC-SA-2013-025]
- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2047 [owncloud: oC-SA-2013-023]
- owncloud <not-affected> (Only 5.0.x)
CVE-2013-2046 [owncloud: oC-SA-2013-019]
- owncloud <not-affected> (Only affects 4.5.x)
CVE-2013-2045 [owncloud: oC-SA-2013-019]
- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2044 [owncloud: oC-SA-2013-022]
- owncloud <not-affected> (Only 5.0.x)
CVE-2013-2043 [owncloud: oC-SA-2013-024]
- owncloud <not-affected> (Only 5.0.x and 4.5.x)
CVE-2013-2042 [owncloud: oC-SA-2013-021]
- owncloud 4.0.15debian-1
CVE-2013-2041 [owncloud: oC-SA-2013-021]
- owncloud <not-affected> (Only affects 5.0.x)
CVE-2013-2040 [owncloud: oC-SA-2013-021]
- owncloud 4.0.15debian-1
CVE-2013-2039 [owncloud: oC-SA-2013-020]
- owncloud 4.0.15debian-1
CVE-2013-2038 [DoS (packet parser crash) in the AIS driver when processing malformed packet]
- gpsd 3.6-5 (bug #706665)
CVE-2013-2034 [jenkins CSRF]
- jenkins 1.509.2+dfsg-1 (bug #706725)
CVE-2013-2033 [jenkins XSS]
- jenkins 1.509.2+dfsg-1 (bug #706725)
CVE-2013-2025
NOT-FOR-US: Ushahidi
CVE-2013-2024 [OS command injection vulnerability in Chicken Scheme]
- chicken 4.8.0.3-1 (bug #706525)
CVE-2013-2019 [stack overflow vulnerabilities in the XML parser]
- boinc 6.13.6+dfsg-1 (low)
CVE-2013-2018 [SQL injections in the server-side scheduler code]
- boinc 7.0.65+dfsg-1 (low)
CVE-2013-2016 [qemu: virtio: out-of-bounds config space access]
- qemu 1.5.0+dfsg-1 (bug #710822)
CVE-2013-2014 [no limitation for requests and headers size which can cause a crash]
- keystone 2013.1.1-2 (bug #708515)
CVE-2013-2012 [autojump profile will load random stuff from a directory called custom_install]
- autojump <not-affected> (vulnerable code not present for unstable)
CVE-2013-2011
NOT-FOR-US: WP Super Cache
CVE-2013-2010
NOT-FOR-US: W3 Total Cache
CVE-2013-2009
NOT-FOR-US: WP Super Cache
CVE-2013-2008
NOT-FOR-US: WP Super Cache
CVE-2013-1980
- xmp 3.4.0-3 (low; bug #706667)
CVE-2013-1973
NOT-FOR-US: Drupal contributed module
CVE-2013-1967 [mediaelement flashmediaelement XSS]
- owncloud <not-affected> (Vulnerable code not present)
CVE-2013-1963
- owncloud <not-affected> (Vulnerable code not present)
CVE-2013-1951
- mediawiki 1:1.19.5-1
CVE-2013-1946
NOT-FOR-US: RESTful Web Services (RESTWS) Drupal cotributed module
CVE-2013-1941 [Postgre: Insecure database password generator]
- owncloud 5.0.4~rc1+dfsg-1
CVE-2013-1939 [Windows: Local file disclosure]
- owncloud <not-affected> (Windows version only)
CVE-2013-1938
NOT-FOR-US: Zimbra
CVE-2013-1934 [mantis: XSS issue in adm_config_report.php when displaying complex value]
- mantis <removed> (low; bug #717482)
CVE-2013-1932 [mantis: XSS vulnerability on Configuration Report page]
- mantis <not-affected> (affects Mantis 1.2.13 only)
CVE-2013-1931 [mantis: XSS vulnerability when deleting a version]
- mantis <not-affected> (affects Mantis 1.2.14 only)
CVE-2013-1930 [mantis: Close button available to users despite workflow restrictions]
- mantis <not-affected> (affects only Mantis 1.2.12 and later)
CVE-2013-1924
NOT-FOR-US: Commerce Skrill Drupal module
CVE-2013-1916
NOT-FOR-US: WordPress plugin
CVE-2013-1910 [Not removing bad metadata and using it in next run]
- yum <unfixed> (unimportant)
CVE-2013-1904 [roundcube variable overwrite]
- roundcube 0.7.2-9
CVE-2013-1895 [concurrency issue leading to auth bypass]
- python-bcrypt <removed> (bug #704030)
CVE-2013-1893
- owncloud <not-affected> (only affecting 5.0 branch)
CVE-2013-1890
- owncloud <not-affected> (only affecting 5.0 branch)
CVE-2013-1889
- libapache2-mod-ruid2 0.9.8-1 (low; bug #704066)
CVE-2013-1886
NOT-FOR-US: Red Hat Certificate System
CVE-2013-1885
NOT-FOR-US: Red Hat Certificate System
CVE-2013-1883 [mantis: remote DoS]
- mantis <not-affected> (only affects 1.2.12 to 1.2.14)
CVE-2013-1880 [XSS vulnerability in portfolioPublish demo application]
- activemq <not-affected> (portfolio demo app not shipped in Debian package)
CVE-2013-1874 [Chicken Scheme: code execution]
- chicken 4.8.0.3-1 (low; bug #702410)
CVE-2013-1864 [Ekiga billion laughs flaw in ptlib]
NOTE: http://www.openwall.com/lists/oss-security/2013/03/15/6
CVE-2013-1853 [Almanah doesn't encrypt the database]
- almanah 0.9.1-1 (bug #702905)
CVE-2013-1851 [user_migrate: Local file disclosure]
- owncloud 4.0.8debian-1.6 (bug #703094)
CVE-2013-1850 [Contacts: Bypass of file blacklist]
- owncloud 4.0.8debian-1.6 (bug #703094)
CVE-2013-1841 [Reverse lookup issue in Net::Server]
- libnet-server-perl <unfixed> (low; bug #702914)
CVE-2013-1822
- owncloud <not-affected> (owncloud stable4 (4.0.x) is not affected)
CVE-2013-1820
NOT-FOR-US: tuned (RH-specific powersaving tool)
CVE-2013-1818 [mediawiki mwdoc-filter.php information disclosure]
- mediawiki <not-affected> (mwdoc-filter.php introduced in 1.20)
CVE-2013-1817 [mediawiki information disclosure in unblock API]
- mediawiki 1:1.19.4-1 (bug #702305)
CVE-2013-1816 [mediawiki insecure curl usage]
- mediawiki 1:1.19.4-1
CVE-2013-1811 [Reporter can change issue status to 'new']
- mantis <removed> (low; bug #698481)
CVE-2013-1810 [summary.php category/project names XSS vulnerability]
- mantis <not-affected> (only affects MantisBT 1.2.12)
CVE-2013-1809 [Gambas creates hijackable directory in /tmp]
- gambas3 3.5.1-1 (low; bug #702184)
CVE-2013-1771 [monkey: world-readable logdir]
- monkey <removed> (low)
CVE-2013-1770 [XSS issues in views_view.php]
- ganglia <unfixed> (low; bug #700158)
CVE-2013-1764
- packagekit <not-affected> (Zypp backend specific to SuSE)
CVE-2013-1753
- python2.5 <removed> (low)
CVE-2013-1752
- python2.5 <removed> (low)
CVE-2013-1751
- twiki <removed>
CVE-2013-1689
[wheezy] - iceape <end-of-life>
CVE-2013-1666
- foswiki <itp> (bug #509864)
CVE-2013-1470 [XSS in geeklog]
NOTE: There was a RFP long time ago, bug #203818
CVE-2013-1437 [Code execution when gathering version metadata]
- perl 5.18.1-2
CVE-2013-1436 [code injection]
- xmonad-contrib 0.11.2-1 (low)
CVE-2013-1429 [Lintian unsafe symlinks]
- lintian 2.5.10.5 (bug #705553; unimportant)
CVE-2013-1426 [mahara: stored XSS in tinyMCE editor]
- mahara <removed>
CVE-2013-1425 [ldap-git-backup: Incorrect directory permissions exposes password hashes]
- ldap-git-backup 1.0.4-1 (bug #699227)
CVE-2013-0243 [Basic constraints vulnerability]
- haskell-tls-extra 0.4.6.1-1 (bug #698545)
CVE-2013-1376
NOT-FOR-US: Adobe Reader
CVE-2013-0870 [libavcodec/vp3.c: 14c8ee00ffd9d45e6e0c6f11a957ce7e56f7eb3a]
- ffmpeg <not-affected> (No threading support in vp3 from ffmpeg 0.5)
CVE-2013-0350 [writes content from TCP streams to public readable file /tmp/smtp.log]
- pktstat 1.8.5-3 (bug #701211)
CVE-2013-0347 [webfs world-readable logdir]
- webfs 1.21+ds1-9 (low; bug #701638)
CVE-2013-0346 [tomcat world-readable logdir]
- tomcat6 <not-affected> (Log files are owned by tomcat:tomcat)
CVE-2013-0345 [varnish world-readable logdir]
- varnish <not-affected> (Logfiles are owned by varnishlog:varnishlog)
CVE-2013-0342 [CreateID() creates serialized packet IDs for RADIUS]
- pyrad <unfixed> (low; bug #701151)
CVE-2013-0336 [DoS when connecting with a missing username/dn]
- 389-ds-base <unfixed> (bug #704077)
CVE-2013-0326
- nova <unfixed> (low)
CVE-2013-0307 [XSS vulnerability]
- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0303 [Multiple code executions]
- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0301 [Multiple CSRF vulnerabilities]
- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0300 [Multiple CSRF vulnerabilities]
- owncloud <not-affected> (Vulnerably code not present, only affects 4.5 branch)
CVE-2013-0299 [Multiple CSRF vulnerabilities]
- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0298 [XSS vulnerability]
- owncloud <not-affected> (Vulnerably code not present, only affects 4.5 branch)
CVE-2013-0297 [XSS vulnerability]
- owncloud 4.0.8debian-1.5 (bug #701115)
CVE-2013-0296 [creates temp files with too wide permissions]
- pigz 2.2.4-2 (low; bug #700608)
CVE-2013-0294 [potentially predictable password hashing]
- pyrad 2.0-2 (low; bug #700669)
CVE-2013-0293 [Lock screen accepts F2 to drop to shell]
- ovirt-node <itp> (bug #502024)
CVE-2013-0289 [missing SSL subject verification]
- isync 1.0.4-2.2 (low; bug #701052)
CVE-2013-0267
NOT-FOR-US: Apache VCL
CVE-2013-0264
NOT-FOR-US: Cumin
CVE-2013-0250 [corosync: Remote DoS due improper HMAC initialization]
- corosync <not-affected> (Introduced in v1.99.8-2-ge925f42; bug #699615)
CVE-2013-0234
- elgg <itp> (bug #526197)
CVE-2013-0204 [Code execution in external storage]
- owncloud <not-affected> (Vulnerably code not present, only affects 4.5 branch)
CVE-2013-0203 [XSS vulnerabilities]
- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0202 [XSS vulnerabilities]
- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0201 [XSS vulnerabilities]
- owncloud 4.0.8debian-1.4 (bug #698737)
CVE-2013-0199
NOT-FOR-US: FreeIPA
CVE-2013-0197 [XSS vulnerability with match_type filter]
- mantis <not-affected> (This only affects the 1.2.12 version, which isn't present in Debian, bug #698481)
CVE-2013-0195 [Unspecified XSS]
- piwik <itp> (bug #506933)
CVE-2013-0194 [Unspecified XSS]
- piwik <itp> (bug #506933)
CVE-2013-0193 [Unspecified XSS]
- piwik <itp> (bug #506933)
CVE-2013-0192
NOT-FOR-US: Simple Machines Forum
CVE-2013-0191 [pam-pgsql NULL password handling issue]
- pam-pgsql 0.7.3.1-4 (bug #698241)
CVE-2013-0185
NOT-FOR-US: ManageIQ EVM (CloudForms)
CVE-2013-0178 [redis 2.4: Insecure temporary flaw use for redis service's vm swap file]
- redis 2:2.6.0-1 (low)
CVE-2013-0177
NOT-FOR-US: OFBiz
CVE-2013-0161
NOT-FOR-US: Havalite CMS
CVE-2013-0159
NOT-FOR-US: Fedora build script
More information about the VIM
mailing list