path: root/data/CVE/2012.list
Diffstat (limited to 'data/CVE/2012.list')
-rw-r--r--  data/CVE/2012.list  89
1 files changed, 46 insertions, 43 deletions
diff --git a/data/CVE/2012.list b/data/CVE/2012.list
index 354f7d09d8..d986dec88d 100644
--- a/data/CVE/2012.list
+++ b/data/CVE/2012.list
@@ -1,3 +1,7 @@
+CVE-2012-20001 (PrestaShop before 1.5.2 allows XSS via the "<object data='data:text ...)
+ NOT-FOR-US: PrestaShop
+CVE-2012-10001 (The Limit Login Attempts plugin before 1.7.1 for WordPress does not cl ...)
+ NOT-FOR-US: Limit Login Attempts plugin for WordPress
CVE-2012-6721 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...)
NOT-FOR-US: SocialEngine
CVE-2012-6720 (Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine be ...)
@@ -46,6 +50,7 @@ CVE-2012-6708 (jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) a
NOTE: 1.9 release introduced backwards incompatible changes to fix this, so may be too invasive to fix
CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing algorit ...)
- wordpress <unfixed> (bug #880868)
+ [bullseye] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
[buster] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
[stretch] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
[jessie] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
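Review bot: the new [bullseye] line copies the wording "can be revisited with upstream has picked a new hashing solution" from the buster/stretch/jessie lines, which reads as a typo for "once upstream has picked a new hashing solution"; since this rationale is now repeated four times, fixing it in all four entries in the same commit would be cleaner than propagating it.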
@@ -127,7 +132,7 @@ CVE-2012-6697 (InspIRCd before 2.0.7 allows remote attackers to cause a denial o
CVE-2012-6690
RESERVED
CVE-2012-6688
- RESERVED
+ REJECTED
CVE-2012-6689 (The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux ...)
{DLA-246-1}
- linux 3.6.4-1
@@ -236,6 +241,7 @@ CVE-2012-6656 (iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allow
NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=6e230d11837f3ae7b375ea69d7905f0d18eb79e5
CVE-2012-6655 (An issue exists AccountService 0.6.37 in the user_change_password_auth ...)
- accountsservice <unfixed> (low; bug #757912)
+ [bullseye] - accountsservice <ignored> (Minor issue)
[buster] - accountsservice <ignored> (Minor issue)
[stretch] - accountsservice <ignored> (Minor issue)
[jessie] - accountsservice <ignored> (Minor issue)
@@ -280,7 +286,7 @@ CVE-2012-6639 (An privilege elevation vulnerability exists in Cloud-init before
NOTE: http://article.gmane.org/gmane.comp.security.oss.general/12299
CVE-2012-6638 (The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linu ...)
- linux 3.2.29-1
- - linux-2.6 <removed>
+ - linux-2.6 <removed>
[squeeze] - linux-2.6 2.6.32-47
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fdf5af0daf8019cec2396cdef8fb042d80fe71fa
CVE-2012-6637 (Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier ...)
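Review bot: the removed and added `- linux-2.6 <removed>` lines for CVE-2012-6638 are identical as rendered, so this is a whitespace-only change (trailing whitespace or tab/space indentation); harmless, but indistinguishable from a real edit in this view, and the rubinius, poppler and ldm hunks further down show the same pattern. Running `git diff -w` (or `git diff --ws-error-highlight=all`) on the commit confirms that nothing but whitespace moved in those four places.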
@@ -311,13 +317,13 @@ CVE-2012-6618 (The av_probe_input_buffer function in libavformat/utils.c in FFmp
- libav 6:9.11-1
- ffmpeg 7:2.4.1-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e74cd2f4706f71da5e9205003c1d8263b54ed3fb
+ NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=e74cd2f4706f71da5e9205003c1d8263b54ed3fb
NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=2115a3597457231a6e5c0527fe0ff8550f64b733
CVE-2012-6617 (The prepare_sdp_description function in ffserver.c in FFmpeg before 1. ...)
- libav 6:9.11-1
[wheezy] - libav <not-affected> (Introduced in 0.9 with d77f4afa9814b0433be6fdbfd7d8a113592ba680)
- ffmpeg <not-affected> (Introduced in 0.9 with d77f4afa9814b0433be6fdbfd7d8a113592ba680)
- NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9929991da7b843e7d80154fcacc4e80579b86a2d
+ NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9929991da7b843e7d80154fcacc4e80579b86a2d
NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=82b9799bb211ecd117171115e4a8b832c4942314
CVE-2012-6616 (The mov_text_decode_frame function in libavcodec/movtextdec.c in FFmpe ...)
- libav <not-affected> (Vulnerable code not present in libav)
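Review bot: only the git.videolan.org references are switched to https here, while the neighbouring `NOTE: Fix in libav: http://git.libav.org/...` lines for the same CVEs stay on plain http; if this is an https sweep, the libav links deserve the same treatment where that host still serves https, otherwise a short NOTE on why they are left as-is would save the next reader from re-checking them.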
@@ -1342,13 +1348,13 @@ CVE-2012-6159
CVE-2012-6158
REJECTED
CVE-2012-6157
- RESERVED
+ REJECTED
CVE-2012-6156
- RESERVED
+ REJECTED
CVE-2012-6155
- RESERVED
+ REJECTED
CVE-2012-6154
- RESERVED
+ REJECTED
CVE-2012-6153 (http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient befor ...)
{DLA-222-1}
- commons-httpclient 3.1-10.2 (bug #692442)
@@ -2749,7 +2755,7 @@ CVE-2012-5634 (Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthro
CVE-2012-5633 (The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6 ...)
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2012-5632
- RESERVED
+ REJECTED
CVE-2012-5631 (ipa 3.0 does not properly check server identity before sending credent ...)
NOT-FOR-US: FreeIPA
CVE-2012-5630 (libuser 0.56 and 0.57 has a TOCTOU (time-of-check time-of-use) race co ...)
@@ -2980,7 +2986,7 @@ CVE-2012-5557 (The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x befo
CVE-2012-5556 (Multiple cross-site request forgery (CSRF) vulnerabilities in the REST ...)
NOT-FOR-US: Drupal contributed-module
CVE-2012-5555
- RESERVED
+ REJECTED
CVE-2012-5554 (The default configuration for the Webform CiviCRM Integration module 7 ...)
NOT-FOR-US: Drupal contributed-module
CVE-2012-5553 (Multiple cross-site scripting (XSS) vulnerabilities in the OM Maximenu ...)
@@ -3042,7 +3048,7 @@ CVE-2012-5529 (TraceManager in Firebird 2.5.0 and 2.5.1, when trace is enabled,
- firebird2.5 2.5.2~svn+54698.ds4-2 (low; bug #693210)
- firebird2.1 <not-affected> (Only affects 2.5.x)
CVE-2012-5528
- RESERVED
+ REJECTED
CVE-2012-5527 (Claws Mail vCalendar plugin: credentials exposed on interface ...)
- claws-mail-extra-plugins 3.8.1-2 (unimportant; bug #693391)
NOTE: More of a plain bug than a security vulnerability
@@ -3068,7 +3074,7 @@ CVE-2012-5522 (MantisBT before 1.2.12 does not use an expected default value dur
[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
NOTE: http://www.mantisbt.org/bugs/view.php?id=14496
CVE-2012-5521 (quagga (ospf6d) 0.99.21 has a DoS flaw in the way the ospf6d daemon pe ...)
- - quagga <unfixed> (unimportant; bug #693102)
+ - quagga <removed> (unimportant; bug #693102)
NOTE: Not reproducible so far
CVE-2012-5520 (The send_to_sourcefire function in manage_sql.c in OpenVAS Manager 3.x ...)
NOT-FOR-US: OpenVAS Manager
@@ -3396,7 +3402,7 @@ CVE-2012-5373 (Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes
[jessie] - openjdk-7 <ignored> (Minor issue, no icedtea fix, too complex to backport)
[wheezy] - openjdk-7 <no-dsa> (Minor issue, no icedtea fix, too complex to backport)
CVE-2012-5372 (Rubinius computes hash values without properly restricting the ability ...)
- - rubinius <itp> (bug #591817)
+ - rubinius <itp> (bug #591817)
CVE-2012-5371 (Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes ...)
{DLA-263-1}
- ruby1.8 <not-affected> (Only affects 1.9.x)
@@ -4965,9 +4971,9 @@ CVE-2012-4677 (Tunnelblick 3.3beta20 and earlier allows local users to gain priv
CVE-2012-4676 (The errorExitIfAttackViaString function in Tunnelblick 3.3beta20 and e ...)
NOT-FOR-US: Tunnelblick
CVE-2012-4675 (Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote ...)
- NOT-FOR-US: PluXml
+ - pluxml <undetermined>
CVE-2012-4674 (PluXml before 5.1.6 allows remote attackers to obtain the installation ...)
- NOT-FOR-US: PluXml
+ - pluxml <undetermined>
CVE-2012-4673 (SQL injection vulnerability in application/controllers/invoice.php in ...)
NOT-FOR-US: Neoinvoice
CVE-2012-4672 (Apple iChat Server does not verify that a request was made for an XMPP ...)
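Review bot: switching CVE-2012-4675 and CVE-2012-4674 from NOT-FOR-US to `- pluxml <undetermined>` implies pluxml is now packaged, but leaves both entries unresolved although the descriptions already carry version bounds that settle at least one of them: CVE-2012-4674 affects "PluXml before 5.1.6", so comparing the packaged version against 5.1.6 yields either a fixed version or <not-affected>, while CVE-2012-4675 names 5.1.6 itself as vulnerable and needs the upstream fix identified. Recording <undetermined> without a NOTE on what is still unknown makes it likely these stay in that state.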
@@ -5362,7 +5368,7 @@ CVE-2012-4510 (cups-pk-helper before 0.2.3 does not properly wrap the (1) cupsGe
{DSA-2562-1}
- cups-pk-helper 0.2.3-1
CVE-2012-4509
- RESERVED
+ REJECTED
CVE-2012-4508 (Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 ...)
{DSA-2668-1}
- linux 3.2.35-1
@@ -5604,10 +5610,11 @@ CVE-2012-4428 (openslp: SLPIntersectStringList()' Function has a DoS vulnerabili
[squeeze] - openslp-dfsg <no-dsa> (Minor issue)
[wheezy] - openslp-dfsg <no-dsa> (Minor issue)
CVE-2012-4427 (The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force ...)
- - gnome-shell <unfixed> (unimportant)
+ - gnome-shell 3.34.0-2 (unimportant)
NOTE: I don't see much of a problem here, if you install from a repo, you need to trust it
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=684215
- NOTE: As far as I can see there is still a yes/no prompt for the user. I suggest unfixed unimportant. -- helmut
+ NOTE: Problem with GNOME Shell's NPAPI browser extension which is not shipped
+ NOTE: anymore since GNOME 3.32.
CVE-2012-4426 (Multiple format string vulnerabilities in mcrypt 2.6.8 and earlier mig ...)
- mcrypt 2.6.8-1.1
[squeeze] - mcrypt <no-dsa> (minor issue, it doesn't affect libmcrypt)
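Review bot: the fixed version 3.34.0-2 recorded for CVE-2012-4427 does not line up with the new NOTE, which says the NPAPI browser extension has not been shipped since GNOME 3.32; if the vulnerable component disappeared in 3.32, the fixed version should be the first upload without it, or the NOTE should state why 3.34.0-2 is the version chosen (for instance the upload in which the Debian binary package actually dropped it). The surviving first-person NOTE "I don't see much of a problem here, if you install from a repo, you need to trust it" predates this reasoning and could be folded into the new NOTE now that the entry is closed.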
@@ -6098,7 +6105,7 @@ CVE-2012-4232 (SQL injection vulnerability in admin/index.php in jCore before 1.
CVE-2012-4231 (Cross-site scripting (XSS) vulnerability in admin/index.php in jCore b ...)
NOT-FOR-US: jCore
CVE-2012-4230 (The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyM ...)
- - tinymce <unfixed> (low; bug #796117)
+ - tinymce <removed> (low; bug #796117)
[buster] - tinymce <no-dsa> (Minor issue)
[stretch] - tinymce <no-dsa> (Minor issue)
[jessie] - tinymce <no-dsa> (Minor issue)
@@ -8340,7 +8347,7 @@ CVE-2012-3378 (The register_application function in atk-adaptor/bridge.c in GNOM
CVE-2012-3377 (Heap-based buffer overflow in the Ogg_DecodePacket function in the OGG ...)
- vlc 2.0.2-1 (bug #680665)
[squeeze] - vlc <end-of-life> (Unsupported in squeeze-lts)
- NOTE: http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commitdiff;h=16e9e126333fb7acb47d363366fee3deadc8331e
+ NOTE: https://git.videolan.org/?p=vlc/vlc-2.0.git;a=commitdiff;h=16e9e126333fb7acb47d363366fee3deadc8331e
NOTE: http://securitytracker.com/id/1027224
CVE-2012-3376 (DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens ...)
- hadoop <itp> (bug #535861)
@@ -9785,7 +9792,7 @@ CVE-2012-2775 (Unspecified vulnerability in the read_var_block_data function in
CVE-2012-2774 (The ff_MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg be ...)
- ffmpeg <not-affected> (there is no crash, just a couple uninitialized reads, harmless according to Janne)
- libav <not-affected> (there is no crash, just a couple uninitialized reads, harmless according to Janne)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f
NOTE: patch proposed: http://patches.libav.org/patch/32644/
CVE-2012-2773 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact a ...)
- ffmpeg 7:2.4.1-1
@@ -10010,7 +10017,7 @@ CVE-2012-2690 (virt-edit in libguestfs before 1.18.0 does not preserve the permi
NOTE: https://www.openwall.com/lists/oss-security/2012/06/11/1
NOTE: https://www.openwall.com/lists/oss-security/2012/06/11/5
CVE-2012-2689
- RESERVED
+ REJECTED
CVE-2012-2688 (Unspecified vulnerability in the _php_stream_scandir function in the s ...)
{DSA-2527-1}
- php5 5.4.4-4 (low; bug #683274)
@@ -10077,8 +10084,8 @@ CVE-2012-2667 (Session fixation vulnerability in lib/user/sfBasicSecurityUser.cl
NOTE: http://symfony.com/blog/security-release-symfony-1-4-18-released
NOTE: http://trac.symfony-project.org/browser/tags/RELEASE_1_4_18/CHANGELOG
NOTE: http://trac.symfony-project.org/changeset/33466?format=diff&new=33466
-CVE-2012-2666
- RESERVED
+CVE-2012-2666 (golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/ ...)
+ NOT-FOR-US: Historic Go issue
CVE-2012-2665 (Multiple heap-based buffer overflows in the XML manifest encryption ta ...)
{DSA-2520-1}
- libreoffice 1:3.5.4-7
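Review bot: marking CVE-2012-2666 as NOT-FOR-US is inconsistent with how that tag is used elsewhere in this file (software not packaged in Debian), since Go is packaged; the description pins the fix to Go 1.0.2 and concerns the all.bash/dotest() test harness in the source tree rather than shipped binaries, so a `- golang <not-affected>` line carrying that rationale (or a fixed-version line) would document the decision in the tracker's usual form. "Historic Go issue" alone does not say why no Debian package is considered affected.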
@@ -10098,7 +10105,7 @@ CVE-2012-2660 (actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails b
- ruby-activerecord-3.2 3.2.6-1 (bug #675429)
NOTE: http://seclists.org/oss-sec/2012/q2/449
CVE-2012-2659
- RESERVED
+ REJECTED
CVE-2012-2658
- unixodbc 2.3.6-0.1 (unimportant; bug #675058)
NOTE: Only triggerable by trusted input, not a security issue
@@ -11327,7 +11334,7 @@ CVE-2012-2143 (The crypt_des (aka DES-based crypt) function in FreeBSD before 9.
NOTE: Uses the unaffected system libraries since 5.3.3
CVE-2012-2142 (The error function in Error.cc in poppler before 0.21.4 allows remote ...)
- xpdf <not-affected> (uses poppler's Error.cc)
- - poppler 0.18.4-7 (unimportant; bug #487773)
+ - poppler 0.18.4-7 (unimportant; bug #487773)
NOTE: poppler upstream patch http://cgit.freedesktop.org/poppler/poppler/commit/?id=71bad47ed6a36d825b0d08992c8db56845c71e40
CVE-2012-2141 (Array index error in the handle_nsExtendOutput2Table function in agent ...)
- net-snmp 5.4.3~dfsg-2.5 (low; bug #672492)
@@ -12635,7 +12642,7 @@ CVE-2012-1610 (Integer overflow in the GetEXIFProperty function in magick/proper
{DSA-2462-1}
- imagemagick 8:6.7.4.0-4 (bug #667635)
CVE-2012-1609
- RESERVED
+ REJECTED
CVE-2012-1608 (The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5 ...)
{DSA-2445-1}
- typo3-src 4.5.14+dfsg1-1
@@ -12890,8 +12897,7 @@ CVE-2012-1496 (Local file inclusion in WebCalendar before 1.2.5. ...)
- webcalendar <removed>
CVE-2012-1495 (install/index.php in WebCalendar before 1.2.5 allows remote attackers ...)
- webcalendar <removed>
-CVE-2012-1102 [XML::Atom Perl module XML entity expansion]
- RESERVED
+CVE-2012-1102 (It was discovered that the XML::Atom Perl module before version 0.39 d ...)
{DSA-2424-1}
- libxml-atom-perl 0.39-1 (medium)
CVE-2012-1494
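Review bot: CVE-2012-1102 keeps its position between CVE-2012-1495 and CVE-2012-1494, which breaks the descending numeric order the rest of the file follows; since the entry is being rewritten anyway (placeholder description and RESERVED replaced by the published description), moving it to its numeric slot would help tools and humans that rely on the ordering. The replacement itself looks right: DSA-2424-1 and the libxml-atom-perl 0.39-1 fix line are unchanged and match the "before version 0.39" bound in the new description.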
@@ -13515,9 +13521,10 @@ CVE-2012-1193 (The resolver in PowerDNS Recursor (aka pdns_recursor) 3.3 overwri
CVE-2012-1192 (The resolver in Unbound before 1.4.11 overwrites cached server names a ...)
NOTE: DNS protocol flaw
CVE-2012-1191 (The resolver in dnscache in Daniel J. Bernstein djbdns 1.05 overwrites ...)
- - djbdns <unfixed>
+ - djbdns 1:1.05-10
NOTE: DNS protocol flaw
NOTE: RH made an update: https://bugzilla.redhat.com/show_bug.cgi?id=838761
+ NOTE: https://marc.info/?l=djbdns&m=134269902121506&w=2
CVE-2012-0869 (Cross-site scripting (XSS) vulnerability in fup in Frams' Fast File EX ...)
{DSA-2414-1}
- fex 20120215-1 (low; bug #660621)
@@ -13599,7 +13606,7 @@ CVE-2012-1168 (Moodle before 2.2.2 has a password and web services issue where w
CVE-2012-1167 (The JBoss Server in JBoss Enterprise Application Platform 5.1.x before ...)
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server)
CVE-2012-1166 (The default keybindings for wwm in LTSP Display Manager (ldm) 2.2.x be ...)
- - ldm 2:2.2.7-1 (bug #663645)
+ - ldm 2:2.2.7-1 (bug #663645)
[squeeze] - ldm <not-affected> (Introduced in 2.2)
NOTE: https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/953340
CVE-2012-1165 (The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL befor ...)
@@ -13811,15 +13818,10 @@ CVE-2012-1097 (The regset (aka register set) feature in the Linux kernel before
{DSA-2443-1}
- linux-2.6 3.2.10-1 (low)
CVE-2012-1096 (NetworkManager 0.9 and earlier allows local users to use other users' ...)
- - network-manager <unfixed> (low; bug #684259)
- [buster] - network-manager <ignored> (Minor issue)
- [stretch] - network-manager <ignored> (Minor issue)
- [jessie] - network-manager <ignored> (Minor issue)
- [wheezy] - network-manager <ignored> (Minor issue)
- [squeeze] - network-manager <no-dsa> (Minor issue)
- NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=793329
+ NOTE: Design limitation, not treated as a security issue by upstream:
+ NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=793329#c1
CVE-2012-1095 (osc before 0.134 might allow remote OBS repository servers or package ...)
- - osc <unfixed> (unimportant)
+ - osc 0.134.0-1 (unimportant)
NOTE: This is ultimately a bug in the respectice terminal emulations and not a vulnerability in osc
CVE-2012-1094 (JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostna ...)
- libapache2-mod-cluster <itp> (bug #731410)
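Review bot: deleting the `- network-manager <unfixed>` line and every release entry for CVE-2012-1096 leaves the CVE with NOTE lines only and no package association, which in this file normally means untriaged rather than "not a security issue"; the established way to record an upstream won't-fix is to keep a package line, such as `- network-manager <not-affected> (Design limitation, see upstream bug)` or `<unfixed> (unimportant)`, so the tracker still links the CVE to network-manager. While here, the unchanged NOTE under osc has a typo, "respectice" for "respective".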
@@ -14127,8 +14129,9 @@ CVE-2012-0957 (The override_release function in kernel/sys.c in the Linux kernel
NOTE: https://lkml.org/lkml/2012/10/9/550
CVE-2012-0956 (ubiquity-slideshow-ubuntu before 58.2, during installation, allows rem ...)
NOT-FOR-US: ubiquity-slideshow-ubuntu
-CVE-2012-0955
- RESERVED
+CVE-2012-0955 (software-properties was vulnerable to a person-in-the-middle attack du ...)
+ - software-properties 0.92.25debian1
+ NOTE: https://launchpad.net/bugs/1036839
CVE-2012-0954 (APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-ke ...)
- apt 0.7.25 (unimportant)
NOTE: net-update is not enabled by default in Debian
@@ -14443,7 +14446,7 @@ CVE-2012-0834 (Cross-site scripting (XSS) vulnerability in lib/QueryRender.php i
CVE-2012-0833 (The acllas__handle_group_entry function in servers/plugins/acl/acllas. ...)
- 389-ds-base <not-affected> (Fixed before initial upload)
CVE-2012-0832
- RESERVED
+ REJECTED
CVE-2012-0831 (PHP before 5.3.10 does not properly perform a temporary change to the ...)
{DSA-2408-1}
- php5 5.3.10-1
@@ -14489,7 +14492,7 @@ CVE-2012-0817 (Memory leak in smbd in Samba 3.6.x before 3.6.3 allows remote att
[squeeze] - samba <not-affected> (Only affects 3.6.x)
[lenny] - samba <not-affected> (Only affects 3.6.x)
CVE-2012-0816
- RESERVED
+ REJECTED
CVE-2012-0815 (The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 al ...)
{DLA-140-1}
- rpm 4.9.1.3-1 (bug #667031)
