diff options
Diffstat (limited to 'data/CVE/2013.list')
-rw-r--r-- | data/CVE/2013.list | 157 |
1 files changed, 85 insertions, 72 deletions
diff --git a/data/CVE/2013.list b/data/CVE/2013.list index b76a41dcb3..9fc3286a3f 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -1,3 +1,11 @@ +CVE-2013-20004 (StarWind iSCSI SAN before 6.0 build 2013-03-20 allows a memory leak. ...) + NOT-FOR-US: StarWind +CVE-2013-20003 (Z-Wave devices from Sierra Designs (circa 2013) and Silicon Labs (usin ...) + NOT-FOR-US: Z-Wave devices +CVE-2013-20002 (Elemin allows remote attackers to upload and execute arbitrary PHP cod ...) + NOT-FOR-US: Elemin +CVE-2013-20001 (An issue was discovered in OpenZFS through 2.0.3. When an NFS share is ...) + NOT-FOR-US: OpenZFS CVE-2013-7491 (An issue was discovered in the DBI module before 1.628 for Perl. Stack ...) - libdbi-perl 1.628-1 NOTE: https://github.com/perl5-dbi/dbi/commit/401f1221311c71f760e21c98772f0f7e3cbead1d @@ -8,12 +16,13 @@ CVE-2013-7490 (An issue was discovered in the DBI module before 1.632 for Perl. NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=86744 CVE-2013-7489 (The Beaker library through 1.11.0 for Python is affected by deserializ ...) - beaker <unfixed> (bug #966197) + [bullseye] - beaker <no-dsa> (Minor issue) [buster] - beaker <no-dsa> (Minor issue) [stretch] - beaker <no-dsa> (Minor issue) NOTE: https://github.com/bbangert/beaker/issues/191 NOTE: https://www.openwall.com/lists/oss-security/2020/05/14/11 CVE-2013-7488 (perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 ...) - - libconvert-asn1-perl <unfixed> (bug #956186) + - libconvert-asn1-perl 0.27-3 (bug #956186) [buster] - libconvert-asn1-perl <no-dsa> (Minor issue) [stretch] - libconvert-asn1-perl <no-dsa> (Minor issue) [jessie] - libconvert-asn1-perl <no-dsa> (Minor issue) @@ -25,10 +34,13 @@ CVE-2013-7486 (Cross-site scripting (XSS) vulnerability in the backend in Open-X CVE-2013-7485 (Cross-site scripting (XSS) vulnerability in the backend in Open-Xchang ...) NOT-FOR-US: Open-Xchange App Suite CVE-2013-7484 (Zabbix before 5.0 represents passwords in the users table with unsalte ...) - - zabbix <unfixed> + - zabbix 1:5.0.0+dfsg-1 [buster] - zabbix <no-dsa> (Minor issue) [stretch] - zabbix <no-dsa> (Minor issue) [jessie] - zabbix <no-dsa> (Minor issue) + NOTE: https://support.zabbix.com/browse/ZBX-16551 + NOTE: https://support.zabbix.com/browse/ZBXNEXT-1898 + NOTE: https://www.zabbix.com/documentation/5.0/manual/introduction/whatsnew500#stronger_cryptography_for_passwords CVE-2013-7483 (The slidedeck2 plugin before 2.3.5 for WordPress has file inclusion. ...) NOT-FOR-US: slidedeck2 plugin for WordPress CVE-2013-7482 (The reflex-gallery plugin before 1.4.3 for WordPress has XSS. ...) @@ -59,7 +71,7 @@ CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel - linux 3.11.7-1 NOTE: Fixed by: https://git.kernel.org/linus/f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b CVE-2013-7469 (Seafile through 6.2.11 always uses the same Initialization Vector (IV) ...) - - seafile <unfixed> (bug #923009) + - seafile 7.0.2-1 (bug #923009) [buster] - seafile <ignored> (Minor issue) NOTE: https://github.com/haiwen/seafile/issues/350 CVE-2013-7468 (Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the in ...) @@ -91,7 +103,7 @@ CVE-2013-7459 (Heap-based buffer overflow in the ALGnew function in block_templa NOTE: Fixed by: https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 NOTE: All users of pycrypto's AES module in Debian that allow the mode NOTE: of operation to be specified from outside check for ECB explicitly - NOTE: and create the objects without specifying an IV. + NOTE: and create the objects without specifying an IV. CVE-2013-7458 (linenoise, as used in Redis before 3.2.3, uses world-readable permissi ...) {DSA-3634-1 DLA-577-1} - redis 2:3.2.1-4 (bug #832460) @@ -148,12 +160,12 @@ CVE-2013-7446 (Use-after-free vulnerability in net/unix/af_unix.c in the Linux k NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ec0d215f9420564fc8286dcf93d2d068bb53a07e (v2.6.26-rc9) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7d267278a9ece963d77eefec61630223fce08c6c (v4.4-rc4) CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux kernel throu ...) - - linux <unfixed> + - linux <unfixed> (bug #1000886) + [bullseye] - linux <ignored> (Minor issue, requires invasive changes) [buster] - linux <ignored> (Minor issue, requires invasive changes) [stretch] - linux <ignored> (Minor issue, requires invasive changes) [jessie] - linux <ignored> (Minor issue, requires invasive changes) [wheezy] - linux <no-dsa> (Minor issue, requires invasive changes) - [jessie] - linux-4.9 <ignored> (Minor issue, requires invasive changes) - linux-2.6 <removed> NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=60533 CVE-2013-7444 (The Special:Contributions page in MediaWiki before 1.22.0 allows remot ...) @@ -280,8 +292,8 @@ CVE-2013-7424 (The getaddrinfo function in glibc before 2.15, when compiled with CVE-2013-7423 (The send_dg function in resolv/res_send.c in GNU C Library (aka glibc ...) {DLA-165-1} - glibc 2.19-1 (bug #722075) - [wheezy] - eglibc 2.13-38+deb7u5 - eglibc <removed> + [wheezy] - eglibc 2.13-38+deb7u5 NOTE: Fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f9d2d03254a58d92635a311a42253eeed5a40a47 NOTE: Upstream report: https://sourceware.org/bugzilla/show_bug.cgi?id=15946 NOTE: https://www.openwall.com/lists/oss-security/2015/01/28/16 @@ -1131,9 +1143,8 @@ CVE-2013-7116 REJECTED CVE-2013-7115 REJECTED -CVE-2013-7109 (OpenStack Swift as of 2013-12-15 mishandles PYTHON_EGG_CACHE ...) - - glance 2012.1~e4-1 - NOTE: https://github.com/openstack/glance/commit/804396204e23ebb +CVE-2013-7109 + REJECTED CVE-2013-7105 (Buffer overflow in the Interstage HTTP Server log functionality, as us ...) NOT-FOR-US: Fujitsu Interstage HTTP Server CVE-2013-7104 (McAfee Email Gateway 7.6 allows remote authenticated administrators to ...) @@ -2730,15 +2741,15 @@ CVE-2013-6508 CVE-2013-6507 REJECTED CVE-2013-6506 - RESERVED + REJECTED CVE-2013-6505 - RESERVED + REJECTED CVE-2013-6504 - RESERVED + REJECTED CVE-2013-6503 - RESERVED + REJECTED CVE-2013-6502 - RESERVED + REJECTED CVE-2013-6501 (The default soap.wsdl_cache_dir setting in (1) php.ini-production and ...) - php5 <removed> (unimportant) NOTE: Rendererd unexpoitable by kernel level hardening for tmp races @@ -3151,7 +3162,7 @@ CVE-2013-6396 (The OpenStack Python client library for Swift (python-swiftclient - python-swiftclient 1:2.0.2-1 (bug #730626) NOTE: https://bugs.launchpad.net/python-swiftclient/+bug/1199783 CVE-2013-6395 (Cross-site scripting (XSS) vulnerability in header.php in Ganglia Web ...) - - ganglia-web <unfixed> (unimportant; bug #730507) + - ganglia-web 3.6.1-1 (unimportant; bug #730507) [squeeze] - ganglia <not-affected> (Vulnerable code not present) NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776 - ganglia 3.6.0-1 @@ -3159,6 +3170,7 @@ CVE-2013-6395 (Cross-site scripting (XSS) vulnerability in header.php in Ganglia NOTE: ganglia-web and ganglia are now two separate source packages NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed NOTE: https://github.com/ganglia/ganglia-web/issues/218 + NOTE: https://github.com/ganglia/ganglia-web/commit/fbdf26542510c01931dac7856bb908f651ad05e6 CVE-2013-6394 (Percona XtraBackup before 2.1.6 uses a constant string for the initial ...) - percona-xtrabackup 2.1.6-2 (bug #730544) CVE-2013-6393 (The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0 ...) @@ -3473,8 +3485,8 @@ CVE-2013-6278 RESERVED CVE-2013-6277 (QNAP VioCard 300 has hardcoded RSA private keys. ...) NOT-FOR-US: QNAP -CVE-2013-6276 - RESERVED +CVE-2013-6276 (** UNSUPPORTED WHEN ASSIGNED ** QNAP F_VioCard 2312 and F_VioGate 2308 ...) + NOT-FOR-US: QNAP CVE-2013-6274 RESERVED CVE-2013-6273 @@ -7053,20 +7065,18 @@ CVE-2013-4720 (SQL injection vulnerability in the WEC Discussion Forum extension NOT-FOR-US: WEC Discussion Forum CVE-2013-4719 (SQL injection vulnerability in the SEO Pack for tt_news extension befo ...) NOT-FOR-US: SEO Pack for tt_news extension for TYPO3 -CVE-2013-4718 [XSS] - RESERVED +CVE-2013-4718 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System ...) NOT-FOR-US: OTRS ITSM -CVE-2013-4717 [SQL injection] - RESERVED +CVE-2013-4717 (Multiple SQL injection vulnerabilities in Open Ticket Request System ( ...) {DSA-2733-1} - otrs2 3.2.9-1 NOTE: http://web.archive.org/web/20131023033811/http://www.otrs.com:80/en/open-source/community-news/security-advisories/security-advisory-2013-05/ CVE-2013-4716 (Cross-site scripting (XSS) vulnerability in Tattyan HP TOWN 5_9_3 and ...) NOT-FOR-US: Tattyan HP TOWN CVE-2013-4715 (SQL injection vulnerability in Tiki Wiki CMS Groupware 6 LTS before 6. ...) - NOT-FOR-US: Tiki Wiki + - tikiwiki <removed> CVE-2013-4714 (Cross-site scripting (XSS) vulnerability in Tiki Wiki CMS Groupware 6 ...) - NOT-FOR-US: Tiki Wiki + - tikiwiki <removed> CVE-2013-4713 (Cross-site scripting (XSS) vulnerability in I-O DATA DEVICE RockDisk w ...) NOT-FOR-US: I-O DATA DEVICE RockDisk CVE-2013-4712 (I-O DATA DEVICE HDL-A and HDL2-A devices with firmware 1.07 and earlie ...) @@ -7546,8 +7556,7 @@ CVE-2013-4537 (The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7 [wheezy] - qemu-kvm <no-dsa> (Minor issue, hardly exploitable in practice) - qemu-kvm <removed> (low) [squeeze] - qemu-kvm <no-dsa> (Minor issue, hardly exploitable in practice) -CVE-2013-4536 - RESERVED +CVE-2013-4536 (An user able to alter the savevm data (either on the disk or over the ...) - qemu 2.1+dfsg-1 (low; bug #739589) [wheezy] - qemu <no-dsa> (Minor issue, hardly exploitable in practice) [squeeze] - qemu <no-dsa> (Minor issue, hardly exploitable in practice) @@ -7995,7 +8004,7 @@ CVE-2013-4421 (The buf_decompress function in packet.c in Dropbear SSH Server be - dropbear 2012.55-1.4 (low; bug #726019) [squeeze] - dropbear <no-dsa> (Minor issue) [wheezy] - dropbear <no-dsa> (Minor issue) - NOTE: https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f + NOTE: https://hg.ucc.asn.au/dropbear/rev/0bf76f54de6f CVE-2013-4420 (Multiple directory traversal vulnerabilities in the (1) tar_extract_gl ...) {DSA-2863-1} - libtar 1.2.20-2 (bug #731860) @@ -8106,7 +8115,7 @@ CVE-2013-4388 (Buffer overflow in the mp4a packetizer (modules/packetizer/mpeg4a {DSA-2973-1} - vlc 2.1.0-1 (bug #726528) [squeeze] - vlc <end-of-life> (Unsupported in squeeze-lts) - NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e + NOTE: https://git.videolan.org/?p=vlc.git;a=commitdiff;h=9794ec1cd268c04c8bca13a5fae15df6594dff3e CVE-2013-4387 (net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not prop ...) {DLA-0015-1} - linux-2.6 <removed> @@ -8191,7 +8200,7 @@ CVE-2013-4365 (Heap-based buffer overflow in the fcgid_header_bucket_read functi CVE-2013-4364 ((1) oo-analytics-export and (2) oo-analytics-import in the openshift-o ...) NOT-FOR-US: OpenShift CVE-2013-4363 (Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION ...) - - rubygems <removed> (unimportant; bug #722361) + - rubygems 3.2.0~rc.1-1 (unimportant; bug #722361) - libgems-ruby <removed> (unimportant; bug #722361) NOTE: Non-issue, you trust the site providing the gem with installing arbitrary code, allowing NOTE: it a potential elevated CPU consumption doesn't add any extra harm @@ -8481,7 +8490,7 @@ CVE-2013-4288 (Race condition in PolicyKit (aka polkit) allows local users to by [squeeze] - policykit-1 <no-dsa> (The update only deprecates an API and introduces a new option for pkcheck, no src package uses this API) [wheezy] - policykit-1 <no-dsa> (The update only deprecates an API and introduces a new option for pkcheck, no src package uses this API) CVE-2013-4287 (Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN ...) - - rubygems <removed> (unimportant; bug #722361) + - rubygems 3.2.0~rc.1-1 (unimportant; bug #722361) - libgems-ruby <removed> (unimportant; bug #722361) NOTE: Non-issue, you trust the site providing the gem with installing arbitrary code, allowing NOTE: it a potential elevated CPU consumption doesn't add any extra harm @@ -8846,7 +8855,7 @@ CVE-2013-4170 CVE-2013-4169 (GNOME Display Manager (gdm) before 2.21.1 allows local users to change ...) - gdm <removed> (unimportant) - gdm3 <not-affected> (Only affected older gdm < 2.21.1) - NOTE: In Debian /tmp/.X11-unix is created by /etc/init.d/x11-common + NOTE: In Debian /tmp/.X11-unix is created by /etc/init.d/x11-common CVE-2013-4168 (Cross-site scripting (XSS) vulnerability in SmokePing 2.6.9 in the sta ...) {DLA-348-1} - smokeping 2.6.8-2 (low) @@ -10092,7 +10101,7 @@ CVE-2013-3674 (The cdg_decode_frame function in cdgraphics.c in libavcodec in FF {DSA-3003-1} - ffmpeg <not-affected> (CD Graphics Video Decoder not present in 0.5 ffmpeg) - libav 6:10.4-1 - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=7ef2dbd2392e3e4d430e0173e1e5c4df9f18b6dd NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812 CVE-2013-3673 (The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg befo ...) - ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg) @@ -10102,7 +10111,7 @@ CVE-2013-3672 (The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.4-1 - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=7fa6db2545643efb4fe2e0bb501fa50af35a6330 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=7fa6db2545643efb4fe2e0bb501fa50af35a6330 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=70cd3b8e659c3522eea5c16a65d14b8658894a94 CVE-2013-3671 (The format_line function in log.c in libavutil in FFmpeg before 1.2.1 ...) - ffmpeg <not-affected> (Doesn't affect libav, specific to current ffmpeg) @@ -10112,7 +10121,7 @@ CVE-2013-3670 (The rle_unpack function in vmdav.c in libavcodec in FFmpeg git 20 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:10-1 [wheezy] - libav <not-affected> (Vulnerable code not present in 0.8) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=0baa0a5a02e16ef097ed9f72bc8a7d7b585c7652 NOTE: [Anton] not present in 0.8, 10 or master; possibly present in 9 CVE-2013-3669 RESERVED @@ -11027,7 +11036,7 @@ CVE-2013-3246 (Stack-based buffer overflow in xnview.exe in XnView before 2.03 a CVE-2013-3245 (** DISPUTED ** plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media P ...) - vlc 2.0.7-1 (unimportant) NOTE: Harmless crasher - NOTE: http://git.videolan.org/?p=vlc.git;a=commit;h=59c9e8309d5b435a2d85c2c9eaae979ba56ccdd9 + NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=59c9e8309d5b435a2d85c2c9eaae979ba56ccdd9 NOTE: http://secunia.com/blog/372/ NOTE: http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia CVE-2013-3244 (Multiple unspecified vulnerabilities in the CJDB_FILL_MEMORY_FROM_PPB ...) @@ -12783,8 +12792,8 @@ CVE-2013-2514 RESERVED CVE-2013-2513 RESERVED -CVE-2013-2512 - RESERVED +CVE-2013-2512 (The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitra ...) + NOT-FOR-US: Ruby ftpd gem CVE-2013-2511 RESERVED CVE-2013-2510 @@ -14009,7 +14018,7 @@ CVE-2013-2112 (The svnserve server in Subversion before 1.6.23 and 1.7.x before CVE-2013-2111 (The IMAP functionality in Dovecot before 2.2.2 allows remote attackers ...) - dovecot <not-affected> (vulnerable code appeared in 2.2) [squeeze] - dovecot <not-affected> (vulnerable code appeared in 2.2) - [wheezy] - dovecot <not-affected> (vulnerable code appeared in 2.2) + [wheezy] - dovecot <not-affected> (vulnerable code appeared in 2.2) CVE-2013-2110 (Heap-based buffer overflow in the php_quot_print_encode function in ex ...) - php5 5.5.0~rc3+dfsg-1 [wheezy] - php5 <not-affected> (Vulnerable code not present) @@ -14927,6 +14936,7 @@ CVE-2013-1842 (SQL injection vulnerability in the Extbase Framework in TYPO3 4.5 - typo3-src 4.5.19+dfsg1-5 (bug #702574) CVE-2013-1841 (Net-Server, when the reverse-lookups option is enabled, does not check ...) - libnet-server-perl <unfixed> (low; bug #702914) + [bullseye] - libnet-server-perl <ignored> (Minor issue) [buster] - libnet-server-perl <ignored> (Minor issue) [stretch] - libnet-server-perl <ignored> (Minor issue) [jessie] - libnet-server-perl <ignored> (Minor issue) @@ -14942,7 +14952,7 @@ CVE-2013-1839 (The strHdrAcptLangGetItem function in errorpage.cc in Squid 3.2.x CVE-2013-1838 (OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) ...) - nova 2012.1.1-15 (bug #703064) CVE-2013-1837 - RESERVED + REJECTED CVE-2013-1836 (Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and ...) - moodle 2.5-1 (bug #703870) [squeeze] - moodle <not-affected> (Vulnerable code not present) @@ -15087,7 +15097,7 @@ CVE-2013-1792 (Race condition in the install_user_keyrings function in security/ - linux 3.2.41-1 - linux-2.6 <removed> CVE-2013-1791 - RESERVED + REJECTED CVE-2013-1790 (poppler/Stream.cc in poppler before 0.22.1 allows context-dependent at ...) {DSA-2719-1} - poppler 0.18.4-6 (low; bug #702071) @@ -16402,7 +16412,7 @@ CVE-2013-1430 (An issue was discovered in xrdp before 0.9.1. When successfully l [wheezy] - xrdp <no-dsa> (Minor issue) NOTE: https://github.com/neutrinolabs/xrdp/pull/497 NOTE: When successfully logging in using RDP into a xrdp session, the file - NOTE: ~/.vnc/sesman_${username}_passwd is created. Its content is the + NOTE: ~/.vnc/sesman_${username}_passwd is created. Its content is the NOTE: equivalent of the users clear text password, DES encrypted with a known NOTE: key. CVE-2013-1429 (Lintian before 2.5.12 allows remote attackers to gather information ab ...) @@ -17190,12 +17200,12 @@ CVE-2013-1057 (Untrusted search path vulnerability in maas-import-pxe-files in M NOT-FOR-US: Ubuntu MAAS CVE-2013-1056 (X.org X server 1.13.3 and earlier, when not run as root, allows local ...) - xorg-server <not-affected> (Ubuntu-specific patch, see http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-1056.html) -CVE-2013-1055 - RESERVED -CVE-2013-1054 - RESERVED -CVE-2013-1053 - RESERVED +CVE-2013-1055 (The unity-firefox-extension package could be tricked into dropping a C ...) + NOT-FOR-US: unity-firefox-extension +CVE-2013-1054 (The unity-firefox-extension package could be tricked into destroying t ...) + NOT-FOR-US: unity-firefox-extension +CVE-2013-1053 (In crypt.c of remote-login-service, the cryptographic algorithm used t ...) + NOT-FOR-US: remote-login-service Ubuntu package CVE-2013-1052 (pam-xdg-support, as used in Ubuntu 12.10, does not properly handle the ...) NOT-FOR-US: pam-xdg-support (Ubuntu-specific package) CVE-2013-1051 (apt 0.8.16, 0.9.7, and possibly other versions does not properly handl ...) @@ -17623,7 +17633,7 @@ CVE-2013-0873 (The read_header function in libavcodec/shorten.c in FFmpeg before [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.6-1 (bug #717009) NOTE: Commit in libav trunk http://git.libav.org/?p=libav.git;a=commit;h=c10da30d8426a1f681d99a780b6e311f7fb4e5c5 - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4f1279154ee9baf2078241bf5619774970d18b25 + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=4f1279154ee9baf2078241bf5619774970d18b25 NOTE: Fix needed for ffmpeg 0.5 CVE-2013-0872 (The swr_init function in libswresample/swresample.c in FFmpeg before 1 ...) - ffmpeg <not-affected> (libswresample not yet present in ffmpeg/0.5) @@ -17640,25 +17650,25 @@ CVE-2013-0869 (The field_end function in libavcodec/h264.c in FFmpeg before 1.1. [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.5-1 NOTE: libav fix: http://git.libav.org/?p=libav.git;a=commit;h=706acb558a38eba633056773280155d66c2f4b24 - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=695af8eed642ff0104834495652d1ee784a4c14d + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=695af8eed642ff0104834495652d1ee784a4c14d NOTE: Fix needed in ffmpeg 0.5 CVE-2013-0868 (libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers ...) {DSA-3003-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.3-1 - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f67a0d115254461649470452058fa3c28c0df294 - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0dfc01c2bbf4b71bb56201bc4a393321e15d1b31 + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f67a0d115254461649470452058fa3c28c0df294 + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0dfc01c2bbf4b71bb56201bc4a393321e15d1b31 CVE-2013-0867 (The decode_slice_header function in libavcodec/h264.c in FFmpeg before ...) - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav <not-affected> (Code in libav is different/not affect as per libav h264 maintainer) - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=11c99c78bafa77f679a1a3ba06ad00984b9a4cae + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=11c99c78bafa77f679a1a3ba06ad00984b9a4cae CVE-2013-0866 (The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before 1 ...) {DSA-2793-1} - ffmpeg <not-affected> (Code in 0.5 is different/not affected) - libav 6:0.8.7-1 (bug #717009) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=96f452ac647dae33c53c242ef3266b65a9beafb6 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=96f452ac647dae33c53c242ef3266b65a9beafb6 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a943a132f36f4df8fe2f749744677b71984abce7 CVE-2013-0865 (The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg befor ...) {DSA-2855-1} @@ -17678,14 +17688,14 @@ CVE-2013-0862 (Multiple integer overflows in the process_frame_obj function in l CVE-2013-0861 (The avcodec_decode_audio4 function in libavcodec/utils.c in FFmpeg bef ...) - ffmpeg <not-affected> (These changes are specific to current ffmpeg and don't affect ffmpeg 0.5) - libav <not-affected> (Affected code not present in libav 0.8.x) - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d270c3202539e8364c46410e15f7570800e33343 + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d270c3202539e8364c46410e15f7570800e33343 NOTE: Affects the libav version in experimental CVE-2013-0860 (The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpe ...) {DSA-3003-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.1-1 - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=23318a57358358e7a4dc551e830e4503f0638cfe + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=23318a57358358e7a4dc551e830e4503f0638cfe NOTE: [Vittorio] not present in master and 10, fix pushed to 9 and 0.8 CVE-2013-0859 (The add_doubles_metadata function in libavcodec/tiff.c in FFmpeg befor ...) - ffmpeg <not-affected> (These changes are specific to current ffmpeg and don't affect ffmpeg 0.5) @@ -17695,14 +17705,14 @@ CVE-2013-0858 (The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.9-1 (bug #717009) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=13451f5520ce6b0afde861b2285dda659f8d4fb4 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=13451f5520ce6b0afde861b2285dda659f8d4fb4 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=50cf5a7fb78846fc39b3ecdaa896a10bcd74da2a NOTE: Fixed in 0.8.9 CVE-2013-0857 (The decode_frame_ilbm function in libavcodec/iff.c in FFmpeg before 1. ...) {DSA-2793-1} - ffmpeg <not-affected> (IFF PBM/ILBM bitmap decoder not present in 0.5 ffmpeg) - libav 6:9.9-1 (bug #717009) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2fbb37b51bbea891392ad357baf8f3dff00bac05 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2fbb37b51bbea891392ad357baf8f3dff00bac05 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=7d65e960c72f36b73ae7fe84f8e427d758e61da9 NOTE: Fixed in 0.8.9 CVE-2013-0856 (The lpc_prediction function in libavcodec/alac.c in FFmpeg before 1.1 ...) @@ -17710,37 +17720,37 @@ CVE-2013-0856 (The lpc_prediction function in libavcodec/alac.c in FFmpeg before [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.10-1 [wheezy] - libav <not-affected> (Vulnerable code not present) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=fd4f4923cce6a2cbf4f48640b4ac706e614a1594 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=78aa2ed620178044a227fbbe48f749c0dc86023f CVE-2013-0855 (Integer overflow in the alac_decode_close function in libavcodec/alac. ...) - ffmpeg <not-affected> (0.5 series not affected) - libav 6:9.9-1 (bug #717009) [wheezy] - libav <not-affected> (0.8 series not affected) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3920d1387834e2bc334aff9f518f4beb24e470bd + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3920d1387834e2bc334aff9f518f4beb24e470bd NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=f7c5883126f9440547933eefcf000aa78af4821c CVE-2013-0854 (The mjpeg_decode_scan_progressive_ac function in libavcodec/mjpegdec.c ...) {DSA-2793-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.8-1 (bug #717009) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=cfbd98abe82cfcb9984a18d08697251b72b110c8 CVE-2013-0853 (The wavpack_decode_frame function in libavcodec/wavpack.c in FFmpeg be ...) {DSA-2793-1} - ffmpeg <not-affected> (Vulnerability introduced later) - libav 6:0.8.8-1 (bug #717009) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=be818df547c3b0ae4fadb50fd210139a8636706a + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=be818df547c3b0ae4fadb50fd210139a8636706a NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=ed50673066956d6f2201a57c3254569f2ab08d9d CVE-2013-0852 (The parse_picture_segment function in libavcodec/pgssubdec.c in FFmpeg ...) {DSA-3003-1} - ffmpeg <not-affected> (PGS subtitle decoder not present) - libav 6:10.3-1 - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c0d68be555f5858703383040e04fcd6529777061 + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c0d68be555f5858703383040e04fcd6529777061 CVE-2013-0851 (The decode_frame function in libavcodec/eamad.c in FFmpeg before 1.1 a ...) {DSA-3003-1} - ffmpeg <not-affected> (Electronic Arts Madcow Video decoder not present in ffmpeg 0.5) - libav 6:10.3-1 - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=63ac64864c6e0e84355aa3caa5b92208997a9a8d + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=63ac64864c6e0e84355aa3caa5b92208997a9a8d NOTE: https://git.libav.org/?p=libav.git;a=commit;h=f9204ec56a4cf73843d1e5b8563d3584c2c05b47 (v10) NOTE: https://git.libav.org/?p=libav.git;a=commit;h=e8ff7972064631afbdf240ec6bfd9dec30cf2ce8 (v9) NOTE: https://git.libav.org/?p=libav.git;a=commit;h=187cfd3c13a1deb47661486824a5b8f41e158a7a (v0.8) @@ -17749,39 +17759,39 @@ CVE-2013-0850 (The decode_slice_header function in libavcodec/h264.c in FFmpeg b - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:0.8.7-1 (bug #717009) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6c184880ee2e09fd68c0ae217173832cee5afc1 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6c184880ee2e09fd68c0ae217173832cee5afc1 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=6e5cdf26281945ddea3aaf5eca4d127791f23ca8 CVE-2013-0849 (The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg bef ...) {DSA-2855-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.3-1 (bug #717009) - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3ae610451170cd5a28b33950006ff0bd23036845 + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3ae610451170cd5a28b33950006ff0bd23036845 NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=488f87be873506abb01d67708a67c10a4dd29283 CVE-2013-0848 (The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1 ...) {DSA-3003-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:10.4-1 - NOTE: Fix in ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6abb9a901fca27da14d4fffbb01948288b5da3ba + NOTE: Fix in ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=6abb9a901fca27da14d4fffbb01948288b5da3ba NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=a7153444df9040bf6ae103e0bbf6104b66f974cb CVE-2013-0847 (The ff_id3v2_parse function in libavformat/id3v2.c in FFmpeg before 1. ...) - ffmpeg <not-affected> (Affected code not present in ffmpeg 0.5) - libav <not-affected> (Code in libav is different, read_ttag) - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=10416a4d56fa8a89784e4fb62099c3cab17a9952 + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=10416a4d56fa8a89784e4fb62099c3cab17a9952 CVE-2013-0846 (Array index error in the qdm2_decode_super_block function in libavcode ...) {DSA-2855-1} - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.3-1 (bug #717009) - NOTE: ffmpeg commit: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed + NOTE: ffmpeg commit: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed NOTE: libav commit: http://git.libav.org/?p=libav.git;a=commit;h=39bec05ed42e505d17877b0c23f16322f9b5883b NOTE: Needed for ffmpeg 0.5 CVE-2013-0845 (libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote attackers to ...) {DSA-2855-1} - ffmpeg <not-affected> (MPEG-4 ALS decoder not present in ffmpeg/0.5) - libav 6:9.11-1 - NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0ceca269b66ec12a23bf0907bd2c220513cdbf16 + NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0ceca269b66ec12a23bf0907bd2c220513cdbf16 NOTE: Fixed in revisions: v9-2748-g2a0fb72, v9.10-7-g3f7d890 NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=2a0fb72 NOTE: http://git.libav.org/?p=libav.git;a=commitdiff;h=3f7d890 @@ -17790,7 +17800,7 @@ CVE-2013-0844 (Off-by-one error in the adpcm_decode_frame function in libavcodec - ffmpeg 7:2.4.1-1 [squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing) - libav 6:9.10-1 - NOTE: ffmpeg commit: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f18c873ab5ee3c78d00fdcc2582b39c133faecb4 + NOTE: ffmpeg commit: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f18c873ab5ee3c78d00fdcc2582b39c133faecb4 NOTE: libav commit: https://git.libav.org/?p=libav.git;a=commitdiff;h=12576afe206d35231ccd61f9033c5fdab6a11e NOTE: Fixed in 0.8.9 CVE-2013-0843 (content/renderer/media/webrtc_audio_renderer.cc in Google Chrome befor ...) @@ -19097,7 +19107,7 @@ CVE-2013-0346 (** DISPUTED ** Apache Tomcat 7.x uses world-readable permissions CVE-2013-0345 (varnish 3.0.3 uses world-readable permissions for the /var/log/varnish ...) - varnish <not-affected> (Logfiles are owned by varnishlog:varnishlog) CVE-2013-0344 - RESERVED + REJECTED CVE-2013-0343 (The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux ...) {DSA-2906-1} - linux 3.10.11-1 (low) @@ -19105,6 +19115,7 @@ CVE-2013-0343 (The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the L - linux-2.6 <removed> (low) CVE-2013-0342 (The CreateID function in packet.py in pyrad before 2.1 uses sequential ...) - pyrad <unfixed> (low; bug #701151) + [bullseye] - pyrad <ignored> (Minor issue) [buster] - pyrad <ignored> (Minor issue) [stretch] - pyrad <ignored> (Minor issue) [jessie] - pyrad <no-dsa> (Minor issue) @@ -19114,7 +19125,8 @@ CVE-2013-0342 (The CreateID function in packet.py in pyrad before 2.1 uses seque CVE-2013-0341 [external entity expansion] REJECTED CVE-2013-0340 (expat 2.1.0 and earlier does not properly handle entities expansion un ...) - - expat <unfixed> (unimportant) + [experimental] - expat 2.4.1-1 + - expat 2.4.1-2 (unimportant; bug #1001864) NOTE: Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat NOTE: https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0340.html CVE-2013-0339 (libxml2 through 2.9.1 does not properly handle external entities expan ...) @@ -19125,6 +19137,7 @@ CVE-2013-0338 (libxml2 2.9.0 and earlier allows context-dependent attackers to c - libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260) CVE-2013-0337 (The default configuration of nginx, possibly 1.3.13 and earlier, uses ...) - nginx <unfixed> (low; bug #701112) + [bullseye] - nginx <ignored> (Minor issue) [buster] - nginx <ignored> (Minor issue) [stretch] - nginx <ignored> (Minor issue) [jessie] - nginx <ignored> (Minor issue) |