Diffstat (limited to 'data/CVE/2015.list')
-rw-r--r-- data/CVE/2015.list 257
1 files changed, 142 insertions, 115 deletions
diff --git a/data/CVE/2015.list b/data/CVE/2015.list
index 4e4781d964..4456217dd6 100644
--- a/data/CVE/2015.list
+++ b/data/CVE/2015.list
@@ -1,7 +1,31 @@
+CVE-2015-10002
+ RESERVED
+CVE-2015-20106 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not esc ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2015-20105 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not hav ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2015-10001 (The WP-Stats WordPress plugin before 2.52 does not have CSRF check whe ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2015-20067 (The WP Attachment Export WordPress plugin before 0.2.4 does not have p ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2015-20019 (The Content text slider on post WordPress plugin before 6.9 does not s ...)
+ NOT-FOR-US: WordPress plugin
+CVE-2015-20002
+ RESERVED
+CVE-2015-20001 (In the standard library in Rust before 1.2.0, BinaryHeap is not panic- ...)
+ - rustc 1.2.0+dfsg1-1
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
+ NOTE: https://github.com/rust-lang/rust/issues/25842
+ NOTE: https://github.com/rust-lang/rust/pull/25856
+CVE-2015-9551 (An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1 ...)
+ NOT-FOR-US: TOTOLINK
+CVE-2015-9550 (An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1 ...)
+ NOT-FOR-US: TOTOLINK
CVE-2015-9549 (A reflected Cross-site Scripting (XSS) vulnerability exists in OcPorta ...)
NOT-FOR-US: OcPortal
CVE-2015-9548 (An issue was discovered in Mattermost Server before 1.2.0. It allows a ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2015-9547 (An issue was discovered on Samsung mobile devices with JBP(4.3) and KK ...)
NOT-FOR-US: Samsung mobile devices
CVE-2015-9546 (An issue was discovered on Samsung mobile devices with KK(4.4) and lat ...)
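Review bot: In the new CVE-2015-20001 entry, the suite lines contradict the fixed version. The package line `- rustc 1.2.0+dfsg1-1` says the fix has been in the archive since 1.2.0, yet `[bullseye] - rustc <no-dsa> (Minor issue)` and `[buster] - rustc <no-dsa> (Minor issue)` mark both suites as still affected, which only holds if they ship a rustc older than 1.2.0. Either drop the two suite lines or add a NOTE explaining why those suites remain vulnerable despite the fixed version.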
@@ -11,12 +35,13 @@ CVE-2015-9545 (An issue was discovered in xdLocalStorage through 2.0.5. The rece
CVE-2015-9544 (An issue was discovered in xdLocalStorage through 2.0.5. The receiveMe ...)
NOT-FOR-US: xdLocalStorage
CVE-2015-9543 (An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 1 ...)
- - nova <unfixed> (bug #951635)
+ - nova 2:20.1.1-1 (bug #951635)
[buster] - nova <no-dsa> (Minor issue)
[stretch] - nova <no-dsa> (Minor issue)
[jessie] - nova <no-dsa> (Minor issue)
NOTE: https://launchpad.net/bugs/1492140
NOTE: https://review.opendev.org/220622
+ NOTE: https://www.openwall.com/lists/oss-security/2020/02/19/2
CVE-2015-9542 (add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correct ...)
{DLA-2304-1 DLA-2116-1}
- libpam-radius-auth 1.4.0-3 (bug #951396)
@@ -559,8 +584,9 @@ CVE-2015-9286 (Controllers.outgoing in controllers/index.js in NodeBB before 0.7
CVE-2015-9285 (esoTalk 1.0.0g4 has XSS via the PATH_INFO to the conversations/ URI. ...)
NOT-FOR-US: esoTalk
CVE-2015-9284 (The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vuln ...)
- - ruby-omniauth <unfixed>
- [buster] - ruby-omniauth <no-dsa> (Minor issue)
+ - ruby-omniauth <unfixed> (bug #973384)
+ [bullseye] - ruby-omniauth <ignored> (Minor issue)
+ [buster] - ruby-omniauth <ignored> (Minor issue)
[stretch] - ruby-omniauth <no-dsa> (Minor issue)
[jessie] - ruby-omniauth <no-dsa> (Fix is in additional gem and needs CSRF protection in apps)
NOTE: https://github.com/omniauth/omniauth/pull/809
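Review bot: The CVE-2015-9284 suite lines now mix two states for the same stated reason. `[bullseye]` and `[buster]` become `<ignored> (Minor issue)`, while `[stretch]` keeps `<no-dsa> (Minor issue)`. "Minor issue" justifies no-dsa but does not say why the issue will never be fixed in a suite. The jessie line already has the real reason (fix lives in an additional gem and needs CSRF protection in the apps); reuse that wording on the `<ignored>` lines, and either align stretch or state why it differs.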
@@ -708,7 +734,7 @@ CVE-2015-9227 (PHP remote file inclusion vulnerability in the get_file function
CVE-2015-9226 (Multiple SQL injection vulnerabilities in AlegroCart 1.2.8 allow remot ...)
NOT-FOR-US: AlegroCart
CVE-2015-9225
- RESERVED
+ REJECTED
CVE-2015-9224 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9223 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
@@ -730,7 +756,7 @@ CVE-2015-9216 (In Android before 2018-04-05 or earlier security patch level on Q
CVE-2015-9215 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9214
- RESERVED
+ REJECTED
CVE-2015-9213 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9212 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
@@ -822,7 +848,7 @@ CVE-2015-9170 (In Android before 2018-04-05 or earlier security patch level on Q
CVE-2015-9169 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9168
- RESERVED
+ REJECTED
CVE-2015-9167 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9166 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
@@ -848,9 +874,9 @@ CVE-2015-9157 (In Android before 2018-04-05 or earlier security patch level on Q
CVE-2015-9156 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9155
- RESERVED
+ REJECTED
CVE-2015-9154
- RESERVED
+ REJECTED
CVE-2015-9153 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9152 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
@@ -908,7 +934,7 @@ CVE-2015-9127 (In Android before 2018-04-05 or earlier security patch level on Q
CVE-2015-9126 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9125
- RESERVED
+ REJECTED
CVE-2015-9124 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9123 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
@@ -916,7 +942,7 @@ CVE-2015-9123 (In Android before 2018-04-05 or earlier security patch level on Q
CVE-2015-9122 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9121
- RESERVED
+ REJECTED
CVE-2015-9120 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9119 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
@@ -924,7 +950,7 @@ CVE-2015-9119 (In Android before 2018-04-05 or earlier security patch level on Q
CVE-2015-9118 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9117
- RESERVED
+ REJECTED
CVE-2015-9116 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2015-9115 (In Android before 2018-04-05 or earlier security patch level on Qualco ...)
@@ -969,49 +995,49 @@ CVE-2015-9096 (Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command inje
NOTE: https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee
NOTE: https://github.com/rubysec/ruby-advisory-db/issues/215
CVE-2015-9095
- RESERVED
+ REJECTED
CVE-2015-9094
- RESERVED
+ REJECTED
CVE-2015-9093
- RESERVED
+ REJECTED
CVE-2015-9092
- RESERVED
+ REJECTED
CVE-2015-9091
- RESERVED
+ REJECTED
CVE-2015-9090
- RESERVED
+ REJECTED
CVE-2015-9089
- RESERVED
+ REJECTED
CVE-2015-9088
- RESERVED
+ REJECTED
CVE-2015-9087
- RESERVED
+ REJECTED
CVE-2015-9086
- RESERVED
+ REJECTED
CVE-2015-9085
- RESERVED
+ REJECTED
CVE-2015-9084
- RESERVED
+ REJECTED
CVE-2015-9083
- RESERVED
+ REJECTED
CVE-2015-9082
- RESERVED
+ REJECTED
CVE-2015-9081
- RESERVED
+ REJECTED
CVE-2015-9080
- RESERVED
+ REJECTED
CVE-2015-9079
- RESERVED
+ REJECTED
CVE-2015-9078
- RESERVED
+ REJECTED
CVE-2015-9077
- RESERVED
+ REJECTED
CVE-2015-9076
- RESERVED
+ REJECTED
CVE-2015-9075
- RESERVED
+ REJECTED
CVE-2015-9074
- RESERVED
+ REJECTED
CVE-2015-9073 (In all Qualcomm products with Android releases from CAF using the Linu ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2015-9072 (In all Qualcomm products with Android releases from CAF using the Linu ...)
@@ -1504,7 +1530,7 @@ CVE-2015-8919 (The lha_read_file_extended_header function in archive_read_suppor
NOTE: Fixed by https://github.com/libarchive/libarchive/commit/e8a2e4d
CVE-2015-8918 (The archive_string_append function in archive_string.c in libarchive b ...)
- libarchive <not-affected> (Vulnerable code not in a released version)
- NOTE: Introduced in https://github.com/libarchive/libarchive/commit/cf8e67ffc8a2227b63fc6d3d1569b0214f160f54
+ NOTE: Introduced in https://github.com/libarchive/libarchive/commit/cf8e67ffc8a2227b63fc6d3d1569b0214f160f54
NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/b6ba56037f0da44efebfa271cc4b1a736a74c62f
NOTE: https://github.com/libarchive/libarchive/issues/506
CVE-2015-8917 (bsdtar in libarchive before 3.2.0 allows remote attackers to cause a d ...)
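Review bot: The removed and added `NOTE: Introduced in https://github.com/libarchive/libarchive/commit/cf8e67ff...` lines under CVE-2015-8918 read identically, so this is a whitespace-only change. That is fine on its own, but mixed into a change that also alters triage states (RESERVED to REJECTED, NOT-FOR-US to package entries, new fixed versions) it makes the security-relevant edits harder to audit. Suggest landing indentation normalisation separately from status changes.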
@@ -2701,7 +2727,7 @@ CVE-2015-8663 (The ff_get_buffer function in libavcodec/utils.c in FFmpeg before
- ffmpeg 7:2.8.4-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=abee0a1c60612e8638640a8a3738fffb65e16dbf
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=abee0a1c60612e8638640a8a3738fffb65e16dbf
NOTE: For libav in jessie the patch needs to applied in libavcodec/decode.c in line 1884.
CVE-2015-8662 (The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg befor ...)
{DLA-1611-1}
@@ -2709,13 +2735,13 @@ CVE-2015-8662 (The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
[wheezy] - libav <not-affected> (Vulnerable code not present)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=75422280fbcdfbe9dc56bde5525b4d8b280f1bc5
CVE-2015-8661 (The h264_slice_header_init function in libavcodec/h264_slice.c in FFmp ...)
{DLA-1611-1}
- ffmpeg 7:2.8.3-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4ea4d2f438c9a7eba37980c9a87be4b34943e4d5
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=4ea4d2f438c9a7eba37980c9a87be4b34943e4d5
CVE-2015-8658 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
NOT-FOR-US: Adobe Flash Player
CVE-2015-8657 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.2 ...)
@@ -3000,6 +3026,7 @@ CVE-2015-8612 (The EnableNetwork method in the Network class in plugins/mechanis
{DSA-3427-1}
- blueman 2.0.3-1
[squeeze] - blueman <not-affected> (vulnerable code not present)
+ NOTE: https://github.com/blueman-project/blueman/security/advisories/GHSA-59mx-cfv4-h4hw
NOTE: https://twitter.com/thegrugq/status/677809527882813440
NOTE: https://github.com/blueman-project/blueman/commit/a3845bbed5fdddf14daec436b7e74f62719a71c1
NOTE: https://www.openwall.com/lists/oss-security/2015/12/18/6
@@ -3172,7 +3199,7 @@ CVE-2015-8567 (Memory leak in net/vmxnet3.c in QEMU allows remote attackers to c
- qemu-kvm <not-affected> (Vulnerable code not present)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
NOTE: https://www.openwall.com/lists/oss-security/2015/12/15/4
-CVE-2015-8559 (The knife bootstrap command in chef leaks the validator.pem private RS ...)
+CVE-2015-8559 (The knife bootstrap command in chef Infra client before version 15.4.4 ...)
- chef <removed> (low; bug #809670)
[buster] - chef <ignored> (Minor issue; workaround using validatorless bootstrapping)
[stretch] - chef <ignored> (Minor issue; workaround using validatorless bootstrapping)
@@ -3735,7 +3762,7 @@ CVE-2015-8365 (The smka_decode_frame function in libavcodec/smacker.c in FFmpeg
- ffmpeg 7:2.8.3-1 (bug #806519)
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4a9af07a49295e014b059c1ab624c40345af5892
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=4a9af07a49295e014b059c1ab624c40345af5892
NOTE: fix for the libav 11.9 branch: https://git.libav.org/?p=libav.git;a=commit;h=v11.9-5-g88762a0
NOTE: fix for the libav 0.8 branch: https://git.libav.org/?p=libav.git;a=commit;h=9fba59f471725e5235d5378e795ebf8b59472817
CVE-2015-8364 (Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi. ...)
@@ -3743,14 +3770,14 @@ CVE-2015-8364 (Integer overflow in the ff_ivi_init_planes function in libavcodec
- ffmpeg 7:2.8.3-1 (bug #806519)
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=df91aa034b82b77a3c4e01791f4a2b2ff6c82066
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=df91aa034b82b77a3c4e01791f4a2b2ff6c82066
CVE-2015-8363 (The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in ...)
{DLA-1611-1}
- ffmpeg 7:2.8.3-1 (bug #806519)
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
[wheezy] - libav <not-affected> (Vulnerable code not present)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=44a7f17d0b20e6f8d836b2957e3e357b639f19a2
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=44a7f17d0b20e6f8d836b2957e3e357b639f19a2
CVE-2015-8362 (The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices b ...)
NOT-FOR-US: Harman AMX
CVE-2015-8361 (Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.1 ...)
@@ -4231,7 +4258,7 @@ CVE-2015-8215 (net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel before
- linux-2.6 <removed>
NOTE: Patch for the kernel to harden against invalid MTUs: http://article.gmane.org/gmane.linux.network/351269
NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=77751427a1ff25b27d47a4c36b12c3c8667855ac (v4.0-rc3)
-CVE-2015-8214 (Siemens SIMATIC CP 343-1 Advanced devices before 3.0.44, CP 343-1 Lean ...)
+CVE-2015-8214 (A vulnerability has been identified in SIMATIC NET CP 342-5 (incl. SIP ...)
NOT-FOR-US: Siemens
CVE-2015-8213 (The get_format function in utils/formats.py in Django before 1.7.x bef ...)
{DSA-3404-1 DLA-349-1}
@@ -4555,8 +4582,8 @@ CVE-2015-8104 (The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.
{DSA-3454-1 DSA-3426-1 DSA-3414-1 DLA-479-1}
- linux 4.2.6-2
- linux-2.6 <removed>
- - xen 4.8.0~rc3-1 (bug #823620)
[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
+ - xen 4.8.0~rc3-1 (bug #823620)
[squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
NOTE: http://xenbits.xen.org/xsa/advisory-156.html
NOTE: Upstream patch: https://lkml.org/lkml/2015/11/10/218
@@ -5000,9 +5027,8 @@ CVE-2015-7944 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti
NOTE: http://www.ocert.org/advisories/ocert-2015-012.html
NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=201fcb916b8164c78f4ed8e0c9cfc0227a78684c
CVE-2015-9261 (huft_build in archival/libarchive/decompress_gunzip.c in BusyBox befor ...)
- {DLA-1445-1 DLA-337-1}
+ {DLA-2559-1 DLA-1445-1 DLA-337-1}
- busybox 1:1.27.2-1 (bug #803097)
- [stretch] - busybox <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2015/10/25/3
NOTE: http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
NOTE: https://git.busybox.net/busybox/commit/archival/libarchive/decompress_gunzip.c?id=6bd3fff51aa74e2ee2d87887b12182a3b09792ef
@@ -5016,8 +5042,8 @@ CVE-2015-7995 (The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 d
CVE-2015-8982 (Integer overflow in the strxfrm function in the GNU C Library (aka gli ...)
- glibc 2.21-1 (bug #803927)
[jessie] - glibc 2.19-18+deb8u2
- [wheezy] - eglibc 2.13-38+deb7u9
- eglibc <removed>
+ [wheezy] - eglibc 2.13-38+deb7u9
[squeeze] - eglibc 2.11.3-4+deb6u8
NOTE: workaround entry for DLA-350-1 until/if CVE assigned
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16009
@@ -5251,7 +5277,7 @@ CVE-2015-7858 (SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows re
CVE-2015-7857 (SQL injection vulnerability in the getListQuery function in administra ...)
NOT-FOR-US: Joomla!
CVE-2015-7856 (OpenNMS has a default password of rtc for the rtc account, which makes ...)
- NOT-FOR-US: OpenNMS
+ - opennms <itp> (bug #450615)
CVE-2015-7855 (The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3 ...)
{DSA-3388-1 DLA-335-1}
- ntp 1:4.2.8p4+dfsg-1
@@ -5423,18 +5449,23 @@ CVE-2015-7812 (The hypercall_create_continuation function in arch/arm/domain.c i
[squeeze] - xen <end-of-life> (not supported in squeeze-lts)
NOTE: http://xenbits.xen.org/xsa/advisory-145.html
CVE-2015-8011 (Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c ...)
+ {DSA-4836-1 DLA-2571-1}
- lldpd 0.7.19-1
[jessie] - lldpd 0.7.11-2+deb8u1
[wheezy] - lldpd <not-affected> (Vulnerable code not present)
[squeeze] - lldpd <not-affected> (Vulnerable code not present)
- NOTE: https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
+ - openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-1
+ NOTE: https://github.com/lldpd/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
NOTE: https://www.openwall.com/lists/oss-security/2015/10/16/2
+ NOTE: https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000268.html
+ NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2020-November/377394.html
+ NOTE: https://github.com/openvswitch/ovs/commit/bb5a9937fa8e04e71052fb50e23894448d19678f
CVE-2015-8012 (lldpd before 0.8.0 allows remote attackers to cause a denial of servic ...)
- lldpd 0.7.19-1
[jessie] - lldpd 0.7.11-2+deb8u1
[wheezy] - lldpd <not-affected> (Vulnerable code not present)
[squeeze] - lldpd <not-affected> (Vulnerable code not present)
- NOTE: https://github.com/vincentbernat/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
+ NOTE: https://github.com/lldpd/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
NOTE: https://www.openwall.com/lists/oss-security/2015/10/18/2
CVE-2015-XXXX [cakephp: XML class SSRF vulnerability]
- cakephp 2.6.7-1 (bug #832283)
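Review bot: In CVE-2015-8011 the lldpd commit NOTE (`https://github.com/lldpd/lldpd/commit/dd4f16e7...`) now sits directly under the new `- openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-1` line, where it previously followed the lldpd suite lines. With two source packages in one entry, a reader can take that commit for the openvswitch fix. Suggest labelling the NOTEs per package, in the style already used elsewhere in this file ("NOTE: fix for the libav 11.9 branch: ..."), and saying which package the added DSA-4836-1 and DLA-2571-1 cover.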
@@ -5642,8 +5673,8 @@ CVE-2015-7733
RESERVED
CVE-2015-7732 (The Avira Mobile Security app before 1.5.11 for iOS sends sensitive lo ...)
NOT-FOR-US: Avira Mobile Security app
-CVE-2015-7731
- RESERVED
+CVE-2015-7731 (SAP Mobile Platform 3.0 SP05 ClientHub allows attackers to obtain the ...)
+ NOT-FOR-US: SAP
CVE-2015-7730 (SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and Bus ...)
NOT-FOR-US: SAP BusinessObjects
CVE-2015-7729 (Eval injection in test-net.xsjs in the Web-based Development Workbench ...)
@@ -6445,8 +6476,8 @@ CVE-2015-7497 (Heap-based buffer overflow in the xmlDictComputeFastQKey function
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=756528 (upstream bug not yet open)
CVE-2015-7496 (GNOME Display Manager (gdm) before 3.18.2 allows physically proximate ...)
- gdm3 3.18.2-1
- [jessie] - gdm3 <not-affected> (Vulnerable code not present, unreproducible)
- [wheezy] - gdm3 <not-affected> (Vulnerable code not present, unreproducible)
+ [jessie] - gdm3 <not-affected> (Vulnerable code not present, unreproducible)
+ [wheezy] - gdm3 <not-affected> (Vulnerable code not present, unreproducible)
[squeeze] - gdm3 <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758032
NOTE: https://git.gnome.org/browse/gdm/commit/?id=5ac2246
@@ -6691,9 +6722,9 @@ CVE-2015-7382 (SQL injection vulnerability in install.php in Web Reference Datab
CVE-2015-7381 (Multiple PHP remote file inclusion vulnerabilities in install.php in W ...)
NOT-FOR-US: Web Reference Database (aka refbase)
CVE-2015-7380
- RESERVED
+ REJECTED
CVE-2015-7379
- RESERVED
+ REJECTED
CVE-2015-7378 (Panda Security URL Filtering before 4.3.1.9 uses a weak ACL for the "P ...)
NOT-FOR-US: Panda Security
CVE-2015-7377 (Cross-site scripting (XSS) vulnerability in pie-register/pie-register. ...)
@@ -7238,7 +7269,7 @@ CVE-2015-7183 (Integer overflow in the PL_ARENA_ALLOCATE implementation in Netsc
- virtualbox 5.0.10-dfsg-1
[jessie] - virtualbox 4.3.36-dfsg-1+deb8u1
[wheezy] - virtualbox <no-dsa> (Minor issue, will be fixed when included in next CPU)
- NOTE: VirtualBox fixed: 4.0.36, 4.1.44, 4.2.36, 4.3.34, 5.0.10
+ NOTE: VirtualBox fixed: 4.0.36, 4.1.44, 4.2.36, 4.3.34, 5.0.10
NOTE: http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
NOTE: http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/
@@ -8019,8 +8050,8 @@ CVE-2015-7312 (Multiple race conditions in the Advanced Union Filesystem (aufs)
CVE-2015-6855 (hw/ide/core.c in QEMU does not properly restrict the commands accepted ...)
{DSA-3362-1 DSA-3361-1}
- qemu 1:2.4+dfsg-2
- - qemu-kvm <removed>
[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
+ - qemu-kvm <removed>
[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
NOTE: https://www.openwall.com/lists/oss-security/2015/09/10/1
NOTE: Fix commit: http://git.qemu.org/?p=qemu.git;a=commit;h=d9033e1d3aa666c5071580617a57bd853c5d794a
@@ -8048,44 +8079,44 @@ CVE-2015-6826 (The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=3197c0aa87a3b7190e17d49e6fbc7b554e4b3f0a
CVE-2015-6825 (The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFm ...)
{DLA-1611-1}
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
[wheezy] - libav <not-affected> (Vulnerable code not present)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a38264f20382731cf2cc75fdd98f4c9a84a626
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f1a38264f20382731cf2cc75fdd98f4c9a84a626
CVE-2015-6824 (The sws_init_context function in libswscale/utils.c in FFmpeg before 2 ...)
{DLA-1611-2}
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111
CVE-2015-6823 (The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2. ...)
{DLA-1611-2}
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7068bf277a37479aecde2832208d820682b35e6
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=f7068bf277a37479aecde2832208d820682b35e6
CVE-2015-6822 (The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.7 ...)
{DLA-1611-2 DLA-1611-1}
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=39bbdebb1ed8eb9c9b0cd6db85afde6ba89d86e4
CVE-2015-6821 (The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg be ...)
{DLA-1611-1}
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b160fc290cf49b516c5b6ee0730fd9da7fc623b1
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=b160fc290cf49b516c5b6ee0730fd9da7fc623b1
CVE-2015-6820 (The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.7. ...)
{DLA-1611-1}
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3
CVE-2015-6819 (Multiple integer underflows in the ff_mjpeg_decode_frame function in l ...)
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
@@ -8095,7 +8126,7 @@ CVE-2015-6818 (The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg b
- ffmpeg 7:2.7.2-1
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=47f4e2d8960ca756ca153ab8e3e93d80449b8c91
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=47f4e2d8960ca756ca153ab8e3e93d80449b8c91
NOTE: For libav in jessie, the patch needs to go into the decode_frame() function in libavcodec/pngdec.c
CVE-2015-6814
RESERVED
@@ -8186,13 +8217,14 @@ CVE-2015-6815 (The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4
NOTE: https://www.openwall.com/lists/oss-security/2015/09/04/4
NOTE: Upstream fix: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg01199.html
CVE-2015-6816 (ganglia-web before 3.7.1 allows remote attackers to bypass authenticat ...)
- - ganglia-web <unfixed> (unimportant; bug #798213)
+ - ganglia-web 3.7.5+debian-1 (unimportant; bug #798213)
- ganglia 3.6.0-1 (unimportant)
[squeeze] - ganglia <not-affected> (affected code not present)
NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone, #702776
NOTE: starting with 3.6.0-1 the web front is no longer built from src:ganglia so marking this version as fixed
NOTE: https://www.openwall.com/lists/oss-security/2015/09/04/2
NOTE: https://github.com/ganglia/ganglia-web/issues/267
+ NOTE: https://github.com/ganglia/ganglia-web/commit/f8cc17054270d54f53d92bbe3f7764dc3d9efcc7
CVE-2015-6817 (PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows r ...)
- pgbouncer 1.6.1-1
[jessie] - pgbouncer <not-affected> (Introduced in 1.6)
@@ -8419,7 +8451,7 @@ CVE-2015-6761 (The update_dimensions function in libavcodec/vp8.c in FFmpeg thro
NOTE: https://code.google.com/p/chromium/issues/detail?id=532967
NOTE: Starting with 44.0.2403.157-1 chromium uses the ffmpeg system copy
NOTE: It looks like this relates to multithreaded decoding of VPx codecs, which is not implemented in the squeeze version. But I'm not sure as the second bug report is still private.
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=dabea74d0e82ea80cd344f630497cafcb3ef872c
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=dabea74d0e82ea80cd344f630497cafcb3ef872c
CVE-2015-6760 (The Image11::map function in renderer/d3d/d3d11/Image11.cpp in libANGL ...)
{DSA-3376-1}
- chromium-browser 46.0.2490.71-1
@@ -11710,8 +11742,8 @@ CVE-2015-5438
REJECTED
CVE-2015-5437
REJECTED
-CVE-2015-5436
- REJECTED
+CVE-2015-5436 (A potential security vulnerability has been identified with HP Integra ...)
+ NOT-FOR-US: HP
CVE-2015-5435 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 ...)
NOT-FOR-US: HP
CVE-2015-5434 (HPE Networking Products, originally branded as Comware 5, Comware 7, H ...)
@@ -11940,7 +11972,7 @@ CVE-2015-5351 (The (1) Manager and (2) Host Manager applications in Apache Tomca
CVE-2015-5350 (In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered ...)
NOT-FOR-US: Cloud Foundry
CVE-2015-5349 (The CSV export in Apache LDAP Studio and Apache Directory Studio befor ...)
- NOT-FOR-US: Apache LDAP Studio and Apache Directory Studio
+ - apache-directory-server <not-affected> (Fixed before initial upload to Debian)
CVE-2015-5348 (Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x be ...)
NOT-FOR-US: Apache Camel
CVE-2015-5347 (Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScrip ...)
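Review bot: CVE-2015-5349 is described as a flaw in the CSV export of "Apache LDAP Studio and Apache Directory Studio", but the new line tracks it against `apache-directory-server`. The `<not-affected> (Fixed before initial upload to Debian)` claim is only meaningful if that source package actually ships the Studio CSV export code. Please add a NOTE with the upstream fixed version or commit and confirm the package mapping; if the server package never contained the Studio code, the reason should say so instead of "Fixed before initial upload".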
@@ -12127,8 +12159,8 @@ CVE-2015-5307 (The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.
{DSA-3454-1 DSA-3414-1 DSA-3396-1 DLA-479-1}
- linux 4.2.6-1
- linux-2.6 <removed>
- - xen 4.8.0~rc3-1 (bug #823620)
[squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS)
+ - xen 4.8.0~rc3-1 (bug #823620)
[squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
NOTE: http://xenbits.xen.org/xsa/advisory-156.html
- virtualbox 5.0.10-dfsg-1
@@ -12422,6 +12454,9 @@ CVE-2015-5237 (protobuf allows remote authenticated attackers to cause a heap-ba
NOTE: Upstream doesn't consider this a real issue in practice.
CVE-2015-5236
RESERVED
+ - icedtea-web <unfixed> (unimportant)
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1256403
+ NOTE: Negligible impact
CVE-2015-5235 (IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly dete ...)
- icedtea-web 1.6.1-1 (bug #798467)
[jessie] - icedtea-web 1.5.3-1
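Review bot: CVE-2015-5236 is still `RESERVED`, so it has no description, yet it now carries `- icedtea-web <unfixed> (unimportant)` with only "NOTE: Negligible impact" as justification. Someone auditing an unfixed entry has to open the Red Hat bug to learn what the issue even is. Suggest a one-line NOTE summarising the flaw and the concrete reason the impact is negligible, so the `unimportant` severity can be checked from this file alone.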
@@ -12541,8 +12576,8 @@ CVE-2015-5203 (Double free vulnerability in the jasper_image_stop_load function
[wheezy] - jasper <no-dsa> (Minor issue)
[squeeze] - jasper <no-dsa> (Minor issue)
NOTE: Analysis/More information/Fixing commits: https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c11
-CVE-2015-5202 (Red Hat Satellite 6 allows remote authenticated users with privileged ...)
- NOT-FOR-US: Satellite6
+CVE-2015-5202
+ REJECTED
CVE-2015-5201 (VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka ...)
NOT-FOR-US: Red Hat vdms
CVE-2015-5200 (The trace functionality in libvdpau before 1.1.1, when used in a setui ...)
@@ -12608,9 +12643,9 @@ CVE-2015-5186 (Audit before 2.4.4 in Linux does not sanitize escape characters i
NOTE: https://fedorahosted.org/audit/changeset/1122
CVE-2015-5185 (The lookupProviders function in providerMgr.c in sblim-sfcb 1.3.4 and ...)
- sblim-sfcb <itp> (bug #754493)
-CVE-2015-5184 (The Hawtio console in A-MQ allows remote attackers to obtain sensitive ...)
+CVE-2015-5184 (Console: CORS headers set to allow all in Red Hat AMQ. ...)
NOT-FOR-US: A-MQ's Hawtio console
-CVE-2015-5183 (The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes ...)
+CVE-2015-5183 (Console: HTTPOnly and Secure attributes not set on cookies in Red Hat ...)
NOT-FOR-US: A-MQ's Hawtio console
CVE-2015-5182 (Cross-site request forgery (CSRF) vulnerability in the jolokia API in ...)
NOT-FOR-US: A-MQ's Hawtio console
@@ -13884,8 +13919,8 @@ CVE-2015-4721 (Multiple cross-site scripting (XSS) vulnerabilities in Concrete5
NOT-FOR-US: Concrete5
CVE-2015-4720
REJECTED
-CVE-2015-4719
- RESERVED
+CVE-2015-4719 (The client API authentication mechanism in Pexip Infinity before 10 al ...)
+ NOT-FOR-US: Pexip Infinity
CVE-2015-4718 (The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x ...)
{DSA-3373-1}
- owncloud 7.0.6+dfsg-1
@@ -14507,23 +14542,23 @@ CVE-2015-4490 (The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp
CVE-2015-4489 (The nsTArray_Impl class in Mozilla Firefox before 40.0, Firefox ESR 38 ...)
{DSA-3410-1 DSA-3333-1}
- iceweasel 38.2.0esr-1
+ [squeeze] - iceweasel <end-of-life>
- icedove 38.3.0-1
[squeeze] - icedove <end-of-life>
- [squeeze] - iceweasel <end-of-life>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
CVE-2015-4488 (Use-after-free vulnerability in the StyleAnimationValue class in Mozil ...)
{DSA-3410-1 DSA-3333-1}
- iceweasel 38.2.0esr-1
+ [squeeze] - iceweasel <end-of-life>
- icedove 38.3.0-1
[squeeze] - icedove <end-of-life>
- [squeeze] - iceweasel <end-of-life>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
CVE-2015-4487 (The nsTSubstring::ReplacePrep function in Mozilla Firefox before 40.0, ...)
{DSA-3410-1 DSA-3333-1}
- iceweasel 38.2.0esr-1
+ [squeeze] - iceweasel <end-of-life>
- icedove 38.3.0-1
[squeeze] - icedove <end-of-life>
- [squeeze] - iceweasel <end-of-life>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/
CVE-2015-4486 (The decrease_ref_count function in libvpx in Mozilla Firefox before 40 ...)
- libvpx 1.4.0-1
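Review bot: The three moves of "[squeeze] - iceweasel <end-of-life>" under CVE-2015-4489, CVE-2015-4488 and CVE-2015-4487 are pure reordering with no status change, so they would be easier to audit in a commit of their own rather than mixed with description and RESERVED/REJECTED updates. The resulting order, with the squeeze line directly under "- iceweasel 38.2.0esr-1", matches how the icedove lines in the same entries were already grouped.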
@@ -14586,9 +14621,9 @@ CVE-2015-4474 (Multiple unspecified vulnerabilities in the browser engine in Moz
CVE-2015-4473 (Multiple unspecified vulnerabilities in the browser engine in Mozilla ...)
{DSA-3410-1 DSA-3333-1}
- iceweasel 38.2.0esr-1
+ [squeeze] - iceweasel <end-of-life>
- icedove 38.3.0-1
[squeeze] - icedove <end-of-life>
- [squeeze] - iceweasel <end-of-life>
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/
CVE-2015-4466
RESERVED
@@ -15244,7 +15279,7 @@ CVE-2015-4625 (Integer overflow in the authentication_agent_new_cookie function
NOTE: http://cgit.freedesktop.org/polkit/commit/?id=fb5076b7c05d01a532d593a4079a29cf2d63a228
CVE-2015-4412 (BSON injection vulnerability in the legal? function in BSON (bson-ruby ...)
- ruby-bson <not-affected> (corresponding change in ruby-bson not present)
- NOTE: Originating from https://github.com/mongodb/bson-ruby/commit/21141c78d99f23d5f34d32010557ef19d0f77203#diff-8c8558c185bbb548ccb5a6d6ac4bfee5L219
+ NOTE: Originating from https://github.com/mongodb/bson-ruby/commit/21141c78d99f23d5f34d32010557ef19d0f77203#diff-8c8558c185bbb548ccb5a6d6ac4bfee5L219
CVE-2015-4411 (The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0 ...)
- ruby-bson <not-affected> (corresponding change in ruby-bson not present)
NOTE: https://github.com/mongoid/moped/commit/dd5a7c14b5d2e466f7875d079af71ad19774609b#diff-3b93602f64c2fe46d38efd9f73ef5358R24
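Review bot: The removed and added "NOTE: Originating from ..." lines under CVE-2015-4412 read identically, so this is a whitespace-only change. Please confirm the new line ends up with the same indentation as the other annotation lines in the entry and carries no trailing space, since nothing else in the entry changes.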
@@ -17237,7 +17272,6 @@ CVE-2015-3457 (Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE
CVE-2015-3456 (The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and ear ...)
{DSA-3274-1 DSA-3262-1 DSA-3259-1 DLA-268-1 DLA-249-1 DLA-248-1}
- qemu 1:2.3+dfsg-3
- NOTE: qemu 1:2.3+dfsg-3 is pending in the NEW queue
[wheezy] - qemu 1.1.2+dfsg-6a+deb7u7
- qemu-kvm <removed>
[wheezy] - qemu-kvm 1.1.2+dfsg-6+deb7u7
@@ -18108,12 +18142,13 @@ CVE-2015-3209 (Heap-based buffer overflow in the PCNET controller in QEMU allows
{DSA-3286-1 DSA-3285-1 DSA-3284-1}
- qemu 1:2.3+dfsg-6 (bug #788460)
[wheezy] - qemu 1.1.2+dfsg-6a+deb7u8
+ [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
- qemu-kvm <removed>
+ [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
- xen 4.4.0-1
[squeeze] - xen <end-of-life> (Not supported in Squeeze LTS)
+ - xen-qemu-dm-4.0 <removed>
[squeeze] - xen-qemu-dm-4.0 <end-of-life> (Not supported in Squeeze LTS)
- [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
- [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
NOTE: Xen switched to qemu-system in 4.4.0-1
NOTE: http://xenbits.xen.org/xsa/advisory-135.html
CVE-2015-3208 (XML external entity (XXE) vulnerability in the XPath selector componen ...)
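Review bot: Besides regrouping the squeeze lines under CVE-2015-3209, this hunk adds "- xen-qemu-dm-4.0 <removed>", which is a new status rather than a reorder. Until now the entry had only a "[squeeze]" line for xen-qemu-dm-4.0 and no unstable status, so please confirm the package is in fact gone from unstable before recording it as removed.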
@@ -21199,10 +21234,10 @@ CVE-2015-2156 (Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x befor
- netty 1:4.0.31-1 (bug #796114)
[jessie] - netty <ignored> (Minor issue, invasive patch)
[wheezy] - netty <no-dsa> (Minor issue)
+ [squeeze] - netty <no-dsa> (Minor issue)
- netty-3.9 3.9.9.Final-1 (bug #793770)
[jessie] - netty-3.9 <ignored> (Minor issue, invasive patch)
- playframework <itp> (bug #646523)
- [squeeze] - netty <no-dsa> (Minor issue)
NOTE: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
NOTE: https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass
NOTE: http://web.archive.org/web/20150925094949/http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
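Review bot: Under CVE-2015-2156 the line "[squeeze] - netty <no-dsa> (Minor issue)" had been sitting after "- playframework <itp> (bug #646523)", detached from the jessie and wheezy lines for netty, and nothing caught it until this manual fix. A syntax check that requires every "[release] - pkg" line to follow the "- pkg" line for the same package would catch this class of misplacement, which this diff also corrects by hand in the Mozilla and QEMU entries.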
@@ -21381,12 +21416,12 @@ CVE-2015-2157 (The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in
{DSA-3190-1 DLA-173-1}
- putty 0.63-10 (bug #779488)
NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
-CVE-2015-2100
- RESERVED
-CVE-2015-2099
- RESERVED
-CVE-2015-2098
- RESERVED
+CVE-2015-2100 (Multiple stack-based buffer overflows in WebGate eDVR Manager and Cont ...)
+ NOT-FOR-US: eDVR Manager and Control Center
+CVE-2015-2099 (Multiple buffer overflows in WebGate Control Center allow remote attac ...)
+ NOT-FOR-US: WebGate Control Center
+CVE-2015-2098 (Multiple stack-based buffer overflows in WebGate eDVR Manager allow re ...)
+ NOT-FOR-US: WebGate eDVR Manager
CVE-2015-2097 (Multiple buffer overflows in WebGate Embedded Standard Protocol (WESP) ...)
NOT-FOR-US: WESP SDK
CVE-2015-2096 (Use-after-free vulnerability in the Connect function in the WESPMonito ...)
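Review bot: The new NOT-FOR-US tags for CVE-2015-2100, CVE-2015-2099 and CVE-2015-2098 name one vendor's products three different ways ("eDVR Manager and Control Center", "WebGate Control Center", "WebGate eDVR Manager"), and the first omits the vendor name. A consistent "WebGate ..." form on all three would make these entries easier to find with a single search.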
@@ -21443,10 +21478,10 @@ CVE-2015-2076 (The Auditing service in SAP BusinessObjects Edge 4.0 allows remot
NOT-FOR-US: SAP
CVE-2015-2075 (SAP BusinessObjects Edge 4.0 allows remote attackers to delete audit e ...)
NOT-FOR-US: SAP
-CVE-2015-2074
- RESERVED
-CVE-2015-2073
- RESERVED
+CVE-2015-2074 (The File Repository Server (FRS) CORBA listener in SAP BussinessObject ...)
+ NOT-FOR-US: SAP
+CVE-2015-2073 (The File RepositoRy Server (FRS) CORBA listener in SAP BussinessObject ...)
+ NOT-FOR-US: SAP
CVE-2015-2072 (Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1. ...)
NOT-FOR-US: SAP
CVE-2015-2071 (Directory traversal vulnerability in cm/newui/blog/export.jsp in eTouc ...)
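Review bot: The added descriptions for CVE-2015-2074 and CVE-2015-2073 contain "BussinessObject", and CVE-2015-2073 also has "RepositoRy". If these strings are copied verbatim from the published CVE record they should stay as they are; if they were typed by hand, fix the spelling so searches for the product name match.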
@@ -21886,7 +21921,7 @@ CVE-2015-1872 (The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmp
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
- libav <removed>
[wheezy] - libav <no-dsa> (Minor issue, can be fixed along in a future DSA)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037
CVE-2015-1871
RESERVED
CVE-2015-1870 (The event scripts in Automatic Bug Reporting Tool (ABRT) uses world-re ...)
@@ -22063,13 +22098,13 @@ CVE-2015-1827 (The get_user_grouplist function in the extdom plug-in in FreeIPA
- freeipa <not-affected> (Only affects 4.1, see bug #781224)
NOTE: https://fedorahosted.org/freeipa/ticket/4908
CVE-2015-1826
- RESERVED
+ REJECTED
CVE-2015-1825
- RESERVED
+ REJECTED
CVE-2015-1824
- RESERVED
+ REJECTED
CVE-2015-1823
- RESERVED
+ REJECTED
CVE-2015-1822 (chrony before 1.31.1 does not initialize the last "next" pointer when ...)
{DSA-3222-1 DLA-193-1}
- chrony 1.30-2 (bug #782160)
@@ -22782,8 +22817,7 @@ CVE-2015-1881 (OpenStack Image Registry and Delivery Service (Glance) 2014.2 thr
- glance <not-affected> (Only affects 2014.2.x releases, only present in experimental)
[wheezy] - glance <not-affected> (Vulnerable code not present)
NOTE: https://review.openstack.org/#/c/156553
-CVE-2015-1877 [command injection vulnerability]
- RESERVED
+CVE-2015-1877 (The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 ...)
{DSA-3165-1 DLA-217-1}
- xdg-utils 1.1.0~rc1+git20111210-7.4 (bug #777722)
CVE-2015-1568 (Cross-site request forgery (CSRF) vulnerability in the GD Infinite Scr ...)
@@ -24042,12 +24076,12 @@ CVE-2015-1209 (Use-after-free vulnerability in the VisibleSelection::nonBoundary
[squeeze] - chromium-browser <end-of-life>
CVE-2015-1208 (Integer underflow in the mov_read_default function in libavformat/mov. ...)
- ffmpeg 7:2.5.3-1
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3ebd76a9c57558e284e94da367dd23b435e6a6d0
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=3ebd76a9c57558e284e94da367dd23b435e6a6d0
CVE-2015-1207 (Double-free vulnerability in libavformat/mov.c in FFMPEG in Google Chr ...)
{DLA-1654-1}
- ffmpeg 7:2.6.1-1
- libav <removed>
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3859868c75313e318ebc5d0d33baada62d45dd75
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=3859868c75313e318ebc5d0d33baada62d45dd75
CVE-2015-1206 (Heap-based buffer overflow in Google Chrome before M40 allows remote a ...)
- chromium-browser 40.0.2214.91-1
[wheezy] - chromium-browser <end-of-life>
@@ -24112,7 +24146,7 @@ CVE-2015-1161
CVE-2015-1396 (A Directory Traversal vulnerability exists in the GNU patch before 2.7 ...)
- patch 2.7.3-1 (bug #775901)
[wheezy] - patch <not-affected> (Not affected by CVE-2015-1196 and no incomplete fix applied)
- [squeeze] - patch <not-affected> (Not affected by CVE-2015-1196 and no incomplete fix applied)
+ [squeeze] - patch <not-affected> (Not affected by CVE-2015-1196 and no incomplete fix applied)
NOTE: https://www.openwall.com/lists/oss-security/2015/01/24/3
CVE-2015-1353
REJECTED
@@ -25775,13 +25809,6 @@ CVE-2015-XXXX [Zoo directory traversal]
[wheezy] - zoo <no-dsa> (Minor issue)
[squeeze] - zoo <no-dsa> (Minor issue)
NOTE: CVE Request: https://marc.info/?l=oss-security&m=142024361327375&w=2
-CVE-2015-XXXX [buffer over-read]
- - arc <unfixed> (low; bug #774439)
- [buster] - arc <ignored> (Minor issue)
- [stretch] - arc <ignored> (Minor issue)
- [jessie] - arc <ignored> (Minor issue)
- [wheezy] - arc <no-dsa> (Minor issue)
- [squeeze] - arc <no-dsa> (Minor issue)
CVE-2015-0557 (Open-source ARJ archiver 3.10.22 does not properly remove leading slas ...)
{DSA-3213-1 DLA-188-1}
- arj 3.10.22-13 (low; bug #774435)
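Review bot: Removing the "CVE-2015-XXXX [buffer over-read]" block drops an entry that is still marked "- arc <unfixed> (low; bug #774439)", and nothing in this hunk shows where it went. If the issue was assigned a CVE id, please confirm the entry was re-added under that id with the bug number and the five per-release statuses (buster, stretch, jessie, wheezy, squeeze) carried over, so the unfixed issue does not fall out of tracking.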
@@ -26440,7 +26467,7 @@ CVE-2015-0302 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before
CVE-2015-0301 (Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0 ...)
NOT-FOR-US: Adobe Flash Player
CVE-2015-0300
- RESERVED
+ REJECTED
CVE-2015-0299 (Multiple cross-site scripting (XSS) vulnerabilities in Open Source Poi ...)
NOT-FOR-US: Open Source Point of Sale
CVE-2015-0298 (Cross-site scripting (XSS) vulnerability in the manager web interface ...)
