Diffstat (limited to 'data/CVE/2014.list')
-rw-r--r-- data/CVE/2014.list 106
1 files changed, 54 insertions, 52 deletions
diff --git a/data/CVE/2014.list b/data/CVE/2014.list
index 7c4158e49a..2a1783abae 100644
--- a/data/CVE/2014.list
+++ b/data/CVE/2014.list
@@ -1,11 +1,13 @@
CVE-2014-10402 (An issue was discovered in the DBI module through 1.643 for Perl. DBD: ...)
- - libdbi-perl <unfixed>
- [buster] - libdbi-perl <postponed> (Revisit when fixed upstream)
+ - libdbi-perl 1.643-3 (bug #972180)
+ [buster] - libdbi-perl 1.642-1+deb10u2
+ [stretch] - libdbi-perl <postponed> (Revisit when fixed upstream)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=99508#txn-1911590
CVE-2014-10401 (An issue was discovered in the DBI module before 1.632 for Perl. DBD:: ...)
- libdbi-perl 1.633-1
NOTE: https://github.com/perl5-dbi/dbi/commit/caedc0d7d602f5b2ae5efc1b00f39efeafb7b05a
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=99508
+ NOTE: Proposed fix: https://github.com/perl5-dbi/dbi/pull/93
CVE-2014-10400 (The session.lua library in CGILua 5.0.x uses sequential session IDs, w ...)
- lua-cgi <not-affected> (session generation changed in 5.1.x, cf. CVE-2014-10399)
NOTE: https://seclists.org/fulldisclosure/2014/Apr/318
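Review bot: The added "NOTE: Proposed fix: https://github.com/perl5-dbi/dbi/pull/93" lands under CVE-2014-10401, which already records a fixed version (1.633-1) and an upstream commit, while the entry whose status changes in this hunk is CVE-2014-10402. If the pull request addresses CVE-2014-10402, the note belongs with that entry's NOTE line. The new [stretch] line also keeps "Revisit when fixed upstream" while unstable and buster now carry fixed versions, so it is worth stating whether stretch is still waiting on upstream or only on a backport.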
@@ -1383,7 +1385,7 @@ CVE-2014-9904 (The snd_compress_check_input function in sound/core/compress_offl
NOTE: Fixed by: https://git.kernel.org/linus/6217e5ede23285ddfee10d2e4ba0cc2d4c046205 (3.17-rc1)
NOTE: Introduced by: https://git.kernel.org/linus/b35cc8225845112a616e3a2266d2fde5ab13d3ab (3.7-rc1)
CVE-2014-9903 (The sched_read_attr function in kernel/sched/core.c in the Linux kerne ...)
- - linux <not-affected>
+ - linux <not-affected> (Vulnerable code not present in a Debian released version)
NOTE: vulnerable code between 3.14-rc1 and 3.14-rc4
CVE-2014-9902 (Buffer overflow in CORE/SYS/legacy/src/utils/src/dot11f.c in the Qualc ...)
NOT-FOR-US: Qualcomm driver for Android
@@ -1769,8 +1771,8 @@ CVE-2014-9761 (Multiple stack-based buffer overflows in the GNU C Library (aka g
{DLA-411-1}
- glibc 2.23-1 (bug #813187)
[jessie] - glibc <no-dsa> (Minor issue)
- [wheezy] - eglibc <no-dsa> (Minor issue)
- eglibc <removed>
+ [wheezy] - eglibc <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16962
NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
@@ -2428,12 +2430,12 @@ CVE-2014-9604 (libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for
- libav 6:11.3-1 (bug #775593)
NOTE: Applies to 0.8, but in different file (utvideo.c)
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=0ce3a0f9d9523a9bcad4c6d451ca5bbd7a4f420d
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3881606240953b9275a247a1c98a567f3c44890f
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=3881606240953b9275a247a1c98a567f3c44890f
CVE-2014-9603 (The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5. ...)
- ffmpeg 7:2.5.1-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <not-affected> (Vulnerable code not present, reproducer tested with 8, 11 and trunk)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3030fb7e0d41836f8add6399e9a7c7b740b48bfd
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=3030fb7e0d41836f8add6399e9a7c7b740b48bfd
CVE-2014-9602 (libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits a ...)
- ffmpeg 7:2.5.1-1
[squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
@@ -3444,33 +3446,32 @@ CVE-2014-9322 (arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does
- linux 3.16.7-ckt2-1
[wheezy] - linux 3.2.63-2+deb7u2
- linux-2.6 <removed>
- [squeeze] - linux-2.6 2.6.32-48squeeze9
+ [squeeze] - linux-2.6 2.6.32-48squeeze9
CVE-2014-9321
RESERVED
-CVE-2014-9320
- RESERVED
+CVE-2014-9320 (SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_ ...)
NOT-FOR-US: SAP Business Objects
CVE-2014-9319 (The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg ...)
- libav <not-affected> (Vulnerable code not present, reproducer tested with 8, 11 and trunk)
- ffmpeg 2.4.4-1
[squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ea38e5a6b75706477898eb1e6582d667dbb9946c
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=ea38e5a6b75706477898eb1e6582d667dbb9946c
CVE-2014-9318 (The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, ...)
- libav <not-affected> (Vulnerable code not present, format not supported)
- ffmpeg 2.4.4-1
[squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=1d3a3b9f8907625b361420d48fe05716859620ff
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=1d3a3b9f8907625b361420d48fe05716859620ff
CVE-2014-9317 (The decode_ihdr_chunk function in libavcodec/pngdec.c in FFMpeg before ...)
{DLA-1611-1}
- libav <removed>
- ffmpeg 2.4.4-1
[squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=79ceaf827be0b070675d4cd0a55c3386542defd8
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=79ceaf827be0b070675d4cd0a55c3386542defd8
CVE-2014-9316 (The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg befor ...)
- libav <not-affected> (Vulnerable code not present, reproducer tested with 8, 11 and trunk)
- ffmpeg 2.4.4-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=0eecf40935b22644e6cd74c586057237ecfd6844
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=0eecf40935b22644e6cd74c586057237ecfd6844
CVE-2014-9315
RESERVED
CVE-2014-9314
@@ -4304,8 +4305,8 @@ CVE-2014-9028 (Heap-based buffer overflow in stream_decoder.c in libFLAC before
{DSA-3082-1 DLA-99-1}
- flac 1.3.0-3 (bug #770918)
NOTE: Upstream patches:
- NOTE: https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
- NOTE: https://git.xiph.org/?p=flac.git;a=patch;h=5a365996d739bdf4711af51d9c2c71c8a5e14660
+ NOTE: https://github.com/xiph/flac/commit/fcf0ba06ae12ccd7c67cee3c8d948df15f946b85 (1.3.1pre1)
+ NOTE: https://github.com/xiph/flac/commit/5a365996d739bdf4711af51d9c2c71c8a5e14660 (1.3.1)
CVE-2014-9014 (Directory traversal vulnerability in the ajaxinit function in wpmarket ...)
NOT-FOR-US: WP Marketplace plugin for WordPress
CVE-2014-9013 (The ajaxinit function in wpmarketplace/libs/cart.php in the WP Marketp ...)
@@ -4436,7 +4437,7 @@ CVE-2014-8963
CVE-2014-8962 (Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3. ...)
{DSA-3082-1 DLA-99-1}
- flac 1.3.0-3 (bug #770918)
- NOTE: https://git.xiph.org/?p=flac.git;a=patch;h=5b3033a2b355068c11fe637e14ac742d273f076e
+ NOTE: https://github.com/xiph/flac/commit/5b3033a2b355068c11fe637e14ac742d273f076e (1.3.1pre1)
NOTE: http://lists.xiph.org/pipermail/flac-dev/2014-November/005185.html
CVE-2014-8961 (Directory traversal vulnerability in libraries/error_report.lib.php in ...)
- phpmyadmin 4:4.2.12-1
@@ -4628,11 +4629,11 @@ CVE-2014-8873 (A .desktop file in the Debian openjdk-7 package 7u79-2.5.5-1~deb8
{DSA-3316-1 DSA-3235-1}
- openjdk-8 8u45-b14-1 (high)
- openjdk-7 7u79-2.5.5-1 (high)
+ [wheezy] - openjdk-7 <not-affected> (MIME type setting is harmless on wheezy)
+ [squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on this squeeze)
- openjdk-6 <removed> (high)
- [squeeze] - openjdk-6 <not-affected> (MIME type setting is harmless on squeeze)
[wheezy] - openjdk-6 <not-affected> (MIME type setting is harmless on wheezy)
- [squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on this squeeze)
- [wheezy] - openjdk-7 <not-affected> (MIME type setting is harmless on wheezy)
+ [squeeze] - openjdk-6 <not-affected> (MIME type setting is harmless on squeeze)
NOTE: Starting with mime-support 3.53, MimeType entries in desktop
NOTE: files end up in /etc/mailcap, which introduces the user-initiated
NOTE: code execution.
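Review bot: The re-added line "[squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on this squeeze)" carries over the stray word "this". Since the line is being moved anyway, align it with the openjdk-6 wording "MIME type setting is harmless on squeeze" so the two release annotations read the same.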
@@ -5185,6 +5186,7 @@ CVE-2014-8601 (PowerDNS Recursor before 3.6.2 does not limit delegation chaining
CVE-2014-8600 (Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.1 ...)
- kde-runtime 4:4.14.2-2 (bug #769632)
[wheezy] - kde-runtime <no-dsa> (Minor issue)
+ - kdebase-runtime <removed>
[squeeze] - kdebase-runtime <no-dsa> (Minor issue)
- webkitkde 1.3.4-2 (unimportant)
NOTE: webkitpart: http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689
@@ -5193,8 +5195,8 @@ CVE-2014-8600 (Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtim
NOTE: webkit not covered by security support
CVE-2014-8599
RESERVED
-CVE-2014-8597
- RESERVED
+CVE-2014-8597 (A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.0 ...)
+ NOT-FOR-US: PHP-Fusion
CVE-2014-8596 (Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow rem ...)
NOT-FOR-US: PHP-Fusion
CVE-2014-8595 (arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not ...)
@@ -5377,45 +5379,45 @@ CVE-2014-8549 (libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the
[squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
- libav 6:11.2-1 (bug #773626)
[wheezy] - libav <not-affected> (Vulnerable code not present)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=550f3e9df3410b3dd975e590042c0d83e20a8da3
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=550f3e9df3410b3dd975e590042c0d83e20a8da3
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=cee4490b521fd0d02476d46aa2598af24fb8d686
CVE-2014-8548 (Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows rem ...)
{DSA-3189-1}
- ffmpeg 7:2.4.3-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav 6:11.2-1 (bug #773626)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=c727401aa9d62335e89d118a5b4e202edf39d905
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=c727401aa9d62335e89d118a5b4e202edf39d905
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=d423dd72be451462c6fb1cbbe313bed0194001ab
CVE-2014-8547 (libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute i ...)
{DSA-3189-1}
- ffmpeg 7:2.4.3-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav 6:11.2-1 (bug #773626)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8f1457864be8fb9653643519dea1c6492f1dde57
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=8f1457864be8fb9653643519dea1c6492f1dde57
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=0b39ac6f54505a538c21fe49a626de94c518c903
CVE-2014-8546 (Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2 allow ...)
- ffmpeg 7:2.4.3-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav <not-affected> (Vulnerable code not present, reproducer tested with 8, 11 and trunk)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e7e5114c506957f40aafd794e06de1a7e341e9d5
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=e7e5114c506957f40aafd794e06de1a7e341e9d5
CVE-2014-8545 (libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the monochrome-blac ...)
- ffmpeg 7:2.4.3-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav <not-affected> (Vulnerable code not present)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6
CVE-2014-8544 (libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate bi ...)
{DSA-3189-1}
- ffmpeg 7:2.4.3-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav 6:11.3-1 (bug #773626)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=ae5e1f3d663a8c9a532d89e588cbc61f171c9186
CVE-2014-8543 (libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all line ...)
{DSA-3189-1}
- ffmpeg 7:2.4.3-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav 6:11.2-1 (bug #773626)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=17ba719d9ba30c970f65747f42d5fbb1e447ca28
CVE-2014-8542 (libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID dur ...)
{DLA-1654-1}
@@ -5423,14 +5425,14 @@ CVE-2014-8542 (libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec I
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav 6:11.2-1 (bug #773626)
[wheezy] - libav <not-affected> (Vulnerable code not present)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=105654e376a736d243aef4a1d121abebce912e6b
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=105654e376a736d243aef4a1d121abebce912e6b
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=88626e5af8d006e67189bf10b96b982502a7e8ad
CVE-2014-8541 (libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension ...)
- ffmpeg 7:2.4.3-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav 6:11.2-1 (bug #773626)
[wheezy] - libav <not-affected> (Vulnerable code not present)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=5c378d6a6df8243f06c87962b873bd563e58cd39
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=5c378d6a6df8243f06c87962b873bd563e58cd39
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=809c3023b699c54c90511913d3b6140dd2436550
CVE-2014-8539 (Cross-site scripting (XSS) vulnerability in Simple Email Form 1.8.5 an ...)
NOT-FOR-US: Simple Email
@@ -6037,8 +6039,8 @@ CVE-2014-8317 (Cross-site scripting (XSS) vulnerability in the Webform Validatio
CVE-2014-8350 (Smarty before 3.1.21 allows remote attackers to bypass the secure mode ...)
{DLA-452-1}
- smarty3 3.1.21-1 (bug #765920)
- - smarty <not-affected> (Only affects 3.x series)
[squeeze] - smarty3 <end-of-life> (Unsupported in squeeze-lts)
+ - smarty <not-affected> (Only affects 3.x series)
NOTE: https://github.com/smarty-php/smarty/commit/279bdbd3521cd717cae6a3ba48f1c3c6823f439d.patch
CVE-2014-8399 (The default configuration in systemd-shim 8 enables the Abandon debugg ...)
- systemd-shim 8-4
@@ -7199,7 +7201,7 @@ CVE-2014-7937 (Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg be
- libav <not-affected> (bug #785326; can't reproduce the issue)
[jessie] - libav <not-affected> (Can't reproduce the issue)
[wheezy] - libav <not-affected> (Can't reproduce the issue)
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8c50704ebf1777bee76772c4835d9760b3721057
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=8c50704ebf1777bee76772c4835d9760b3721057
CVE-2014-7936 (Use-after-free vulnerability in the ZoomBubbleView::Close function in ...)
- chromium-browser 40.0.2214.91-1
[wheezy] - chromium-browser <end-of-life>
@@ -7220,7 +7222,7 @@ CVE-2014-7933 (Use-after-free vulnerability in the matroska_read_seek function i
- ffmpeg 7:2.5.1-1
[squeeze] - ffmpeg <end-of-life>
- libav 6:11.3-1
- NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=490a3ebf36821b81f73e34ad3f554cb523dd2682
+ NOTE: ffmpeg: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=490a3ebf36821b81f73e34ad3f554cb523dd2682
NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=490a3ebf36821b81f73e34ad3f554cb523dd2682
CVE-2014-7932 (Use-after-free vulnerability in the Element::detach function in core/d ...)
- chromium-browser 40.0.2214.91-1
@@ -7472,9 +7474,9 @@ CVE-2014-7858 (The check_login function in D-Link DNR-326 before 2.10 build 03 a
CVE-2014-7857 (D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build ...)
NOT-FOR-US: D-Link
CVE-2014-7856
- RESERVED
+ REJECTED
CVE-2014-7855
- RESERVED
+ REJECTED
CVE-2014-7854
RESERVED
CVE-2014-7853 (The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBo ...)
@@ -7620,7 +7622,7 @@ CVE-2014-7821 (OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 al
NOTE: Versions up to 2014.1.3 and 2014.2
NOTE: https://launchpad.net/bugs/1378450
CVE-2014-7820
- RESERVED
+ REJECTED
CVE-2014-7819 (Multiple directory traversal vulnerabilities in server.rb in Sprockets ...)
- ruby-sprockets 2.12.3-1
[wheezy] - ruby-sprockets <no-dsa> (Minor issue)
@@ -10369,9 +10371,9 @@ CVE-2014-6541 (Unspecified vulnerability in the Recovery component in Oracle Dat
NOT-FOR-US: Oracle
CVE-2014-6540 (Unspecified vulnerability in the Oracle VM VirtualBox component in Ora ...)
- virtualbox-guest-additions <removed>
+ [squeeze] - virtualbox-guest-additions <no-dsa> (Non-free not supported)
- virtualbox-guest-additions-iso 4.3.14-1
[wheezy] - virtualbox-guest-additions-iso <no-dsa> (Non-free not supported)
- [squeeze] - virtualbox-guest-additions <no-dsa> (Non-free not supported)
NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
CVE-2014-6539 (Unspecified vulnerability in the Oracle Applications Framework compone ...)
NOT-FOR-US: Oracle E-Business Suite
@@ -13036,7 +13038,7 @@ CVE-2014-5388 (Off-by-one error in the pci_read function in the ACPI PCI hotplug
[squeeze] - qemu-kvm <not-affected> (Introduced in 1.7)
[wheezy] - qemu-kvm <not-affected> (Introduced in 1.7)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2014-08/msg03338.html
- NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=db4728e6fec0364b866d3106125974eedc00e091
+ NOTE: Introduced in http://git.qemu.org/?p=qemu.git;a=commit;h=db4728e6fec0364b866d3106125974eedc00e091
CVE-2014-5382 (Multiple cross-site scripting (XSS) vulnerabilities in the web interfa ...)
NOT-FOR-US: Schrack Technik microControl
CVE-2014-5381 (Grand MA 300 allows a brute-force attack on the PIN. ...)
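Review bot: The replaced NOTE line under CVE-2014-5388 is textually identical on both sides, so the change is whitespace-only, and its URL still uses http://git.qemu.org while this same change converts the git.videolan.org references to https. If the host serves https, convert this reference in the same pass so the URL cleanup is consistent; otherwise a short remark in the commit message that only the indentation was fixed would help readers of the diff.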
@@ -13145,7 +13147,7 @@ CVE-2014-5340 (The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.
NOTE: introduces incompatible changes to older versions, see https://bugzilla.redhat.com/show_bug.cgi?id=1132337#c2
CVE-2014-5339 (Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allows remote authent ...)
- check-mk 1.2.6p4-1 (bug #758883)
- [wheezy] - check-mk <not-affected> (Vulnerable code not present)
+ [wheezy] - check-mk <not-affected> (Vulnerable code not present)
NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7998aa4d53d2fef7302c0761b9c8f47e2f626e18
CVE-2014-5338 (Multiple cross-site scripting (XSS) vulnerabilities in the multisite c ...)
- check-mk 1.2.6p4-1 (bug #758883)
@@ -13345,13 +13347,13 @@ CVE-2014-5272 (libavcodec/iff.c in FFMpeg before 1.1.14, 1.2.x before 1.2.8, 2.2
- ffmpeg 7:2.4.1-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- libav <not-affected> (Vulnerable code not present)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3539d6c63a16e1b2874bb037a86f317449c58770
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=3539d6c63a16e1b2874bb037a86f317449c58770
NOTE: <lu_zero> Does not apply to Libav at all.
CVE-2014-5271 (Heap-based buffer overflow in the encode_slice function in libavcodec/ ...)
- ffmpeg <not-affected> (Vulnerable code not present)
- libav 6:11-1
[wheezy] - libav <not-affected> (Vulnerable code not present)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=52b81ff4635c077b2bc8b8d3637d933b6629d803
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=52b81ff4635c077b2bc8b8d3637d933b6629d803
NOTE: new ffmpeg now in experimental, CVE fixed in 7:2.4-1
NOTE: https://git.libav.org/?p=libav.git;a=commitdiff;h=45ce880a9b3e50cfa088f111dffaf8685bd7bc6b
CVE-2014-5262 (SQL injection vulnerability in the graph settings script (graph_settin ...)
@@ -14987,7 +14989,7 @@ CVE-2014-4611 (Integer overflow in the LZ4 algorithm implementation, as used in
CVE-2014-4610 (Integer overflow in the get_len function in libavutil/lzo.c in FFmpeg ...)
- ffmpeg 7:2.4.1-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- NOTE: Fixed in http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6af26c55c1ea30f85a7d9edbc373f53be1743ee
+ NOTE: Fixed in https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6af26c55c1ea30f85a7d9edbc373f53be1743ee
CVE-2014-4609 (Integer overflow in the get_len function in libavutil/lzo.c in Libav b ...)
{DSA-2977-1}
- libav 6:10.2-1
@@ -16517,7 +16519,7 @@ CVE-2014-3962 (Multiple SQL injection vulnerabilities in Videos Tube 1.0 allow r
CVE-2014-3961 (SQL injection vulnerability in the Export CSV page in the Participants ...)
NOT-FOR-US: WordPress plugin Participants Database
CVE-2014-3960 (Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before ...)
- NOT-FOR-US: OpenNMS
+ - opennms <itp> (bug #450615)
CVE-2014-3980 (libfep 0.0.5 before 0.1.0 does not properly use UNIX domain sockets in ...)
- libfep <itp> (bug #658575)
CVE-2014-3959 (Cross-site scripting (XSS) vulnerability in list.jsp in the Configurat ...)
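Review bot: CVE-2014-3960 changes from "NOT-FOR-US: OpenNMS" to "- opennms <itp> (bug #450615)", which changes how the tracker treats the product as a whole. Any other OpenNMS entries still marked NOT-FOR-US should be converted in the same way, so that all of them are picked up if the package enters the archive.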
@@ -16735,10 +16737,10 @@ CVE-2014-3874
RESERVED
CVE-2014-3873 (The ktrace utility in the FreeBSD kernel 8.4 before p11, 9.1 before p1 ...)
- kfreebsd-8 <removed>
- - kfreebsd-9 <removed> (bug #750493)
+ [wheezy] - kfreebsd-8 <no-dsa> (Non standard kernel, will be fixed in a point update)
[squeeze] - kfreebsd-8 <end-of-life> (Unsupported in squeeze-lts)
+ - kfreebsd-9 <removed> (bug #750493)
[wheezy] - kfreebsd-9 <not-affected> (introduced by the merge of r237663)
- [wheezy] - kfreebsd-8 <no-dsa> (Non standard kernel, will be fixed in a point update)
CVE-2014-3872 (Multiple SQL injection vulnerabilities in the administration login pag ...)
NOT-FOR-US: D-Link firmware
CVE-2014-3871 (Multiple SQL injection vulnerabilities in register.php in Geodesic Sol ...)
@@ -17148,9 +17150,9 @@ CVE-2014-3690 (arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel befor
CVE-2014-3689 (The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local g ...)
{DSA-3067-1 DSA-3066-1}
- qemu 2.1+dfsg-6 (bug #765496)
+ [squeeze] - qemu <end-of-life>
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life>
- [squeeze] - qemu <end-of-life>
NOTE: Upstream's quick and easy stopgap for this issue: compile out the hardware acceleration functions which lack sanity checks.
NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc
CVE-2014-3688 (The SCTP implementation in the Linux kernel before 3.17.4 allows remot ...)
@@ -17315,9 +17317,9 @@ CVE-2014-3641 (The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder
CVE-2014-3640 (The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local ...)
{DSA-3045-1 DSA-3044-1}
- qemu 2.1+dfsg-5 (bug #762532)
+ [squeeze] - qemu <end-of-life>
- qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life>
- [squeeze] - qemu <end-of-life>
NOTE: http://lists.nongnu.org/archive/html/qemu-devel/2014-09/msg03543.html
CVE-2014-3639 (The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not ...)
{DSA-3026-1 DLA-87-1}
@@ -21215,7 +21217,7 @@ CVE-2014-2263 (The mpegts_write_pmt function in the MPEG2 transport stream (aka
{DSA-3003-1}
- ffmpeg 7:2.4.1-1
[squeeze] - ffmpeg <end-of-life> (Backports to 0.5.x not useful, too many checks missing)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=842b6c14bcfc1c5da1a2d288fd65386eb8c158ad
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=842b6c14bcfc1c5da1a2d288fd65386eb8c158ad
- libav 6:10.4-1
NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=addbaf134836aea4e14f73add8c6d753a1373257
CVE-2014-2262 (Buffer overflow in the client application in Base SAS 9.2 TS2M3, SAS 9 ...)
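Review bot: Only the ffmpeg NOTE in CVE-2014-2263 is moved to https; the following context line "NOTE: Fix in libav: http://git.libav.org/?p=libav.git;a=commit;h=addbaf13..." still uses http, while the other libav references touched by this change already use https://git.libav.org. Converting it here would keep the entry consistent. The ffmpeg NOTE also sits between the ffmpeg and libav package lines; moving it below "- libav 6:10.4-1" would match the layout of the other entries.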
@@ -21569,7 +21571,7 @@ CVE-2014-2284 (The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5
NOTE: http://sourceforge.net/p/net-snmp/mailman/message/32026655/
NOTE: http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/
CVE-2014-XXXX [buffer overflow]
- - mp3gain <removed> (low; bug #740268)
+ - mp3gain 1.6.2-1 (low; bug #740268)
[squeeze] - mp3gain <no-dsa> (Minor issue)
[wheezy] - mp3gain <no-dsa> (Minor issue)
NOTE: http://sourceforge.net/p/mp3gain/bugs/36/
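Review bot: The mp3gain line moves from <removed> to the fixed version 1.6.2-1, but the only reference left in the entry is the upstream bug report. A NOTE naming the upstream change or Debian patch that fixes the overflow in 1.6.2-1 would let the squeeze and wheezy <no-dsa> decisions be re-checked against it.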
@@ -24158,15 +24160,15 @@ CVE-2014-1213 (Sophos Anti-Virus engine (SAVi) before 3.50.1, as used in VDL 4.9
CVE-2014-1212
RESERVED
CVE-2014-1211 (Cross-site request forgery (CSRF) vulnerability in VMware vCloud Direc ...)
- NOT-FOR-US: VMWare
+ NOT-FOR-US: VMware
CVE-2014-1210 (VMware vSphere Client 5.0 before Update 3 and 5.1 before Update 2 does ...)
NOT-FOR-US: VMware vSphere Client
CVE-2014-1209 (VMware vSphere Client 4.0, 4.1, 5.0 before Update 3, and 5.1 before Up ...)
NOT-FOR-US: VMware vSphere Client
CVE-2014-1208 (VMware Workstation 9.x before 9.0.1, VMware Player 5.x before 5.0.1, V ...)
- NOT-FOR-US: VMWare
+ NOT-FOR-US: VMware
CVE-2014-1207 (VMware ESXi 4.0 through 5.1 and ESX 4.0 and 4.1 allow remote attackers ...)
- NOT-FOR-US: VMWare
+ NOT-FOR-US: VMware
CVE-2014-1206 (SQL injection vulnerability in the password reset page in Open Web Ana ...)
NOT-FOR-US: Open Web Analytics
CVE-2014-1205
